Manuel d'utilisation / d'entretien du produit Q.11. (2510-24) du fabricant HP (Hewlett-Packard)
Aller à la page of 294
Access Security Guide 251 0 www .pr ocurv e.com Pr oCurv e Switches Q. 1 1. (25 1 0-2 4) U. 1 1. (25 1 0-48) XX XX.
.
ProCurve Series 251 0 Switches Access Security Guide Janu ary 200 8.
Hewle tt-Pa ckard Comp any 8000 Fo othills Boulevard, m/s 5551 Roseville, Ca lifornia 957 47-5551 http://ww w.p rocurve.c om © Co pyri ght 2 008 Hewl ett- Pack ard Comp any , L.P . The informa tion contai ned herein i s subject to change witho ut notice.
iii Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iv Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 When Secu rity I s Import ant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 Front-Panel Button Functions ‘ .
v 4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vi Config uring the Switch for RADIUS Aut hentica tion . . . . . . . . . . . . . . . . . . 5-6 Outl ine of th e Ste ps fo r Config urin g RA DIUS Authentication . . . . . . 5-7 1. Conf igur e Authe ntica tion for the A cces s Metho ds You Want RADIUS To Protect .
vii 4. Enable SSH on the Switc h and Anticip ate SSH Client Contact Be havior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 5. Configur e the Swit ch for SSH Authe ntica tion . . . . . . . . . . . . . . . . . 6-18 6. Use an SSH Client To Access the Sw itch .
viii General Setup Procedure for 802 .1X Access Control . . . . . . . . . . . . . . . . 8-14 Do Th ese St eps Before You Confi gure 8 0 2.1X Operation . . . . . . . . . 8-14 Over view : Confi gurin g 802 .1X Au then tica tion on the Swi tch . . . . . .
ix 9 Configuring a nd Monitoring Port Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
x Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9 Configuring One Station Per Authorized Manager IP Entry . . . . . . . 10-9 Configurin g Multiple Sta tions Per Authorize d Manager IP Entry .
xi Product Documentation About Y our Sw itch Manual Set The switch ma nual set incl udes the foll owing: ■ Read M e First - a p rinted guid e shipped wit h your swit ch. Provides software up date infor mation, pro duct notes , and other inform ation.
xii Prod uct Doc umentatio n Feature Index For the manua l set supportin g your switc h model, the follow ing feature inde x indicat es which manu al to consult fo r informa tion on a given softw are feat ure. Feat ure Mana geme nt and Con figura tio n Advanced T raffic Manageme nt Acces s Secu rity Guide 802.
xiii Prod uct Doc umentat ion LLDP X - - MAC Addr ess Manag ement X -- Mon itorin g and An aly si s X - - Mul ticas t Filte rin g - X - Netw ork Manage ment App licatio ns (LLDP , SNMP) X - - Passwo r.
xiv Prod uct Doc umentatio n T elnet Acces s X - - TF TP X -- T ime Protocol s (T ime P , S NTP) X - - T roubl eshoot ing X -- VLANs - X - Xmodem X -- Feat ure Mana geme nt and Con figura tio n Advanc.
1-1 1 Getting St arted Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Overview of Acc ess Security Feat u res . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Management Access Securit y Protection .
1-2 Getting Started Intr oducti on Introduction This Access Security Guide describ es how to use ProCur ve’ s swit ch secu rity featur es to prot ect ac cess to your switch.
1-3 Getting Sta rted Overv iew o f Acces s Se curity Feat ures ■ Port-Bas ed Access Control (8 02.1X) (page 8-1): O n point-t o-poin t connec tions, enab les the switch t o allow or de ny traffic be tween a port and an 802.1X-aware devi ce (suppli cant) att empting to acc ess the switch .
1-4 Getting Started Overv iew of Acce ss Secur ity Featur es T able 1-1. Manage ment Acce ss Security Protect ion General S witch T ra ffic Sec urity Guid elin es Where the switc h is running multiple.
1-5 Getting Sta rted Conven tion s Conventi ons This guid e uses t he followin g conv entions for comman d syntax and displa yed informati on. Command Syntax Statements Syntax : aaa port -access au th.
1-6 Getting Started Conv ention s Command Prompts In the defa ult conf iguration, y our switch display s the fol lowing CLI pr ompt: ProCurve Switch 2510-24# T o si mplify r ecogniti on, th is guide uses ProCurve to repr esent comman d prompts for a ll models.
1-7 Getting Sta rted Source s for Mor e Informat ion Sources for More Information For addi tional infor mation abou t switch opera tion and feat ures not covered in this guide, consul t the following .
1-8 Getting Started Need Only a Quick Start ? ■ For i nforma tion o n a spe cific comma nd in the C LI, ty pe th e comma nd name follow ed by “help” . For example: Figure 1-3. Getting Help in the CLI ■ For in format ion on spec ific featur es in the W eb br owser inte rface, use the o nline he lp.
1-9 Getting Sta rted Need On ly a Quic k Start? T o Set Up and Install the Switch in Y our Network Important! Use the Installation and Getting Started Guide shipp ed with y our switch for the follo wi.
1-10 Getting Started Need Only a Quick Start ?.
2-1 2 Configuri ng Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Configuring Local Password Security . . . . . . . . . . . . . . . . . .
2-2 Confi guri ng User name and Pa sswor d Securi ty Overv iew Overview Console a ccess incl udes both the menu interf ace and the CLI. The re are tw o levels o f conso le access: M anager a nd Operato r . For se curity , you can set a password p air (usernam e and passw ord) on each of these l evels.
2-3 Config uring Userna me and Passw ord Sec urity Overvi ew T o configure password secu rity: 1. Set a Manage r password pa ir (and an Opera tor password pa ir , if applica- ble for your system). 2. Exit from the curr ent console session. A Manage r password pair will now be need ed for f ull acce ss to the co nsole.
2-4 Confi guri ng User name and Pa sswor d Securi ty Confi gurin g Local Pa ssword Se curit y Configuring Local Password Security Menu: Setting Passwords As noted earlie r in this section, use rnames are option al. Configuring a user- name re quire s eithe r the CL I or t he web br owser interf ace.
2-5 Config uring Userna me and Passw ord Sec urity Configu ring Loc al Passwo rd Security If you h ave physi cal acc ess to the switch , press and h old the Clea r button (on the front of the swit ch) for a mini mum of one second to cle ar all passwor d protect ion, then ent er new password s as described e arlier in this chapter .
2-6 Confi guri ng User name and Pa sswor d Securi ty Confi gurin g Local Pa ssword Se curit y T o Remo ve Password P rotecti on. Removi ng passwo rd prote ction mea ns to elimin ate passwor d security . This com mand promp ts you to verif y that yo u want to remo ve one or bot h passwords, then c lears the ind icated passwo rd(s).
2-7 Config uring Userna me and Passw ord Sec urity Front- Panel Se curity Front-Panel Security The front -panel sec urity fea tures prov ide the ability to independ ently enab le or disable so me of t.
2-8 Confi guri ng User name and Pa sswor d Securi ty Front -Pane l Securit y As a result of i ncrease d security co ncerns, cust omers now ha ve the abil ity to stop someone from removing passwords by disabl ing the C lear and/or Re set but tons on the fron t of the swit ch.
2-9 Config uring Userna me and Passw ord Sec urity Front- Panel Se curity Rese t Button Pressing the R eset button alone for one sec ond causes the swit ch to reboot.
2-10 Confi guri ng User name and Pa sswor d Securi ty Front -Pane l Securit y 3. Release the Re set but ton and wait for a bout one second for th e Self- T e st LED to star t flashing. 4. Wh en the Self-T est LED be gins flashin g, rele ase the Cl ear bu tton .
2-11 Config uring Userna me and Passw ord Sec urity Front- Panel Se curity • Modify th e oper ation of the Reset+Clea r combinati on (page 2-9) so that the switch still reboots, but does not restore the switch’ s fac tory default conf iguratio n settings.
2-12 Confi guri ng User name and Pa sswor d Securi ty Front -Pane l Securit y For ex ample , show front-panel-secur ity produces th e following output when the switch is confi gured with the de fault fro nt-panel secu rity se ttings.
2-13 Config uring Userna me and Passw ord Sec urity Front- Panel Se curity Re-Enablin g the Clear Button on the Switch’ s Front Panel and Setting or Chan ging the “Reset-On-Clear” Operation For .
2-14 Confi guri ng User name and Pa sswor d Securi ty Front -Pane l Securit y Figure 2-9. E xample of Re-Enablin g the Clear But ton’ s Default Operation Changing the Operation of the Reset+Clear Co.
2-15 Config uring Userna me and Passw ord Sec urity Front- Panel Se curity Figure 2-10. Example of Disabling the Factor y Reset Option Password Recovery The password re covery fe ature is ena bled by .
2-16 Confi guri ng User name and Pa sswor d Securi ty Front -Pane l Securit y Steps for Disabli ng Passw ord-Re covery . 1. S et the C LI to the g lobal interfa ce context. 2. Use show front -panel-s ecurit y to dete rmine wheth er the fac tory-reset paramet er is enabled.
2-17 Config uring Userna me and Passw ord Sec urity Front- Panel Se curity Figure 2-11. Exam ple of the Steps for Disabl ing Password -Recovery Password Recove ry Process If you have lost the switch .
2-18 Confi guri ng User name and Pa sswor d Securi ty Front -Pane l Securit y Note The alternate p assword provi ded by the Pro Curve Custome r Care Center is valid only f or a single login att empt. Y ou cannot use th e same “one-time-use” password if you lose the password a second tim e.
3-1 3 W eb and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3-2 Web an d MAC Auth entic ation Overv iew Overview W eb an d MAC Authent icatio n are desig ned for emp loyment on th e “edge” of a network to provid e port-ba sed secur ity measure s for prot ecting pr ivate networks and t he switch itself from unauth orized ac cess.
3-3 Web and MA C Auth entic ation Overvi ew password , and grants or den ies network access in the same way tha t it does for clients ca pable of int eractive lo gons. (The pro cess does not use eithe r a client d evice config uration or a logon session .
3-4 Web an d MAC Auth entic ation Overv iew General Features W eb and MAC Au thenti cation i nclu des the f ollowi ng: ■ On a port conf igured for W eb or MAC Authen tication, t he switch operate s as a por t-access authenti cator u sing a R ADIUS serve r and the CHA P protoco l.
3-5 Web and MA C Auth entic ation How Web an d MAC Authen ticat ion Operat e How W eb and MAC Authe ntication Operate Authenticator Operation Before g a ining access t o the net work clien ts firs t present thei r authent ication creden tials to the switch.
3-6 Web an d MAC Auth entic ation How Web an d MAC Auth enti catio n Operat e Figure 3-2. Pro gress Messa ge During Authentica tion If the clie nt is au thenti cated a nd the maximum n umber of clients a llowed on the po rt ( clie nt-limit ) has not been r eached, th e port is assigned t o a static, untagged V LAN for networ k access.
3-7 Web and MA C Auth entic ation How Web an d MAC Authen ticat ion Operat e moves have n ot bee n enab led ( clie nt-m oves ) on the po rts, the ses sion ends and the cli ent must reau thentica te for n etwork ac cess. At th e end of the session the port return s to its pre- authentic a tion st ate.
3-8 Web an d MAC Auth entic ation How Web an d MAC Auth enti catio n Operat e 4. If neither 1, 2, or 3, abov e, apply , then the c lient session does not have access to any stati cally co nfigure d, untag ged VLA Ns and clie nt acc ess is bloc ked. The assigned port VLAN remai ns in place until the sessi on ends.
3-9 Web and MA C Auth entic ation Termin olog y T erminology Author ized-Cli ent VLAN: Like the Unauthori zed-Client VLAN, this is a conven tional, static, un tagged, por t-based VL AN previou sly configur ed on the switch by the System A dministrator .
3-10 Web an d MAC Auth entic ation Opera ting Ru les and N otes Operating Rules and Notes ■ Y ou can config ure on e type of authen ticatio n on a p ort. Th at is, the follo wing auth entica tion typ es are mutually exclusive on a give n port: • W eb Authentic ation • MAC Authen ticatio n • 802.
3-1 1 Web and MA C Auth entic ation Oper ating Rul es and Not es 2. If there is no RADI US-assigned VLA N, then, for th e duration of the cli ent session , the po rt belong s to the Authori zed VLAN ( if config ured) and t emporarily drops al l other VL AN membersh ips.
3-12 Web an d MAC Auth entic ation Gener al Setu p Proce dur e for We b/MAC Au then ticat ion Note on Web/ MAC Authentication and LACP The switch do es not allo w W eb or M AC Authen tication a nd LACP to both be enabled at th e same time o n the same port.
3-1 3 Web and MA C Auth entic ation General Setup Procedure for Web/MAC Au thentic ation c. If there is neithe r a RADIUS-a ssigned VLAN or an “Authorize d VLAN” for an authe nticated clie nt session on a po rt, then the port’ s VLAN membersh ip remai ns unchange d during au thenticat ed client ses- sions.
3-14 Web an d MAC Auth entic ation Gener al Setu p Proce dur e for We b/MAC Au then ticat ion Addit ional Informat ion for Configuri ng the RADI US Server T o Support MAC Authenti cation On the R ADIU.
3-1 5 Web and MA C Auth entic ation Configu ring the Switch To Acce ss a RADIUS Se rver Configuring the Switch T o Access a RADIUS Server This section describes th e minimal comm ands for c onfiguring a RADIUS server to supp ort W eb-A uth and MAC Auth.
3-16 Web an d MAC Auth entic ation Confi gurin g the Sw itch To Acces s a RADIUS Server For exam ple, to configur e the swit ch to acce ss a RADI US server at IP a ddress 192.168 .32.11 u sing a ser ver -spe cific shared secret k ey of ‘2Pzo22’ Figure 3-4.
3-1 7 Web and MA C Auth entic ation Confi gurin g Web A uthent ica tion Configuring W eb Authenticat ion Overview 1. If yo u have not already done so , conf igure a lo cal user name a nd password pair on the sw itch. 2. Iden tify or crea te a red irec t URL for u se by au then tica ted cli ents.
3-18 Web an d MAC Auth entic ation Confi gurin g Web A uthent ica tion Configure the Swit ch for W eb-Bas ed Authentication Command Page Config uration Level aaa por t-access web-base d dhcp- addr 3-1.
3-1 9 Web and MA C Auth entic ation Confi gurin g Web A uthent ica tion Syntax : [no] aaa por t-access web-based [e ] < port-list > Enables web-based authenti cation on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports.
3-20 Web an d MAC Auth entic ation Confi gurin g Web A uthent ica tion Syntax : aaa port -access web- based [e] < port-l ist > [logoff -period] <60-9999 999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff.
3-2 1 Web and MA C Auth entic ation Confi gurin g Web A uthent ica tion Syntax : aaa port -access web- based [e] < port-l ist > [ redirec t-url < url >] no aaa port-a ccess web-ba sed [e] < port-l ist > [redi rect-ur l] Specifies the URL that a user is redirected to after a successful login.
3-22 Web an d MAC Auth entic ation Confi gurin g MAC Aut henti catio n on th e Switch Configuring MAC Authenticat ion on the Switch Overview 1. If yo u have not already done so , conf igure a lo cal user name a nd password pair on the sw itch.
3-2 3 Web and MA C Auth entic ation Confi gurin g MAC Aut hen ticat ion on th e Swit ch Configur e the Swit ch for MAC- Based Auth enticat ion Command Page Config uration Level aaa por t-access mac-ba.
3-24 Web an d MAC Auth entic ation Confi gurin g MAC Aut henti catio n on th e Switch Syntax : aaa port -access mac- based [e] < port-l ist > [addr -lim it <1-2> ] Specifies the maximum number of authenticated MACs to allo w on the port.
3-2 5 Web and MA C Auth entic ation Confi gurin g MAC Aut hen ticat ion on th e Swit ch Syntax : aaa port -access mac- based [e] < port-l ist > [quiet-pe riod <1 - 65535>] Specifies the time peri od, in seconds, the switch should wait before attempting an authentication request for a MAC address tha t failed authentication.
3-26 Web an d MAC Auth entic ation Show Status and Co nfig uratio n of We b-Based A uthenticatio n Show Status and Configuration of W eb-Based Authentication Command Page show port- access [ port-l is.
3-2 7 Web and MA C Auth entic ation Show Sta tus and Co nfigurat ion of Web-Based Authentic ation Syntax : show port -access [ port-list ] web-b ased [conf ig [a uth-serve r]] Shows Web Authentication.
3-28 Web an d MAC Auth entic ation Show Status and Co nfig uratio n of MA C-Based Auth enticat ion Show Status and Configuration of MAC-Based Authentication Command Page show port- access [ port-list .
3-2 9 Web and MA C Auth entic ation Show Sta tus and C onfigu ration of MAC-B ased Aut henti cation Syntax : show port -access [ port-list ] mac-b ased [conf ig [a uth-serve r]] Shows MAC Authenticati.
3-30 Web an d MAC Auth entic ation Show Cli ent St atus Show Client Statu s The table below shows the possib le client status infor mation that may be reported by a W eb-based or MAC-based ‘ show .
4-1 4 T ACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Ap plications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3 General System Require ments .
4-2 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch Overview T ACA CS+ au then ticat ion en ables you t o use a cent ral se rver t o allo w or de ny acce ss to the switch (a nd other T ACA CS-awa re devi ces) in your network .
4-3 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch tion se rvice s. If t he swit ch fa ils to co nnect to any T ACA CS+ se rver , it defa ults to its own locally assig ned password s for authenti cation contro l if it has been config ured to do so.
4-4 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch • Local Authe nticatio n: This metho d uses username /password pairs con figured l ocally on the switch ; one pair e ach for mana ger - level an d opera tor -level acc ess to the switch.
4-5 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch General System Requirements T o u se T ACA CS+ authen ticati on, you need th e foll owing: ■ A T ACA CS+ se rver appl icat ion i nsta lled and config ured on on e or more servers o r mana gement st ations in your network.
4-6 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch other ac cess type ( console , in thi s case) op en in ca se the T elnet access f ails due to a conf iguratio n problem. T he following procedure outlines a general set up pr ocedur e.
4-7 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch Note on Privilege L evels When a T ACAC S+ server au thenticat es an acces s request fr om a switch, it include s a privile ge level c ode for the switch to use in determin ing which privile ge leve l to gran t to the ter minal req uesting a ccess.
4-8 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch configuration in your T ACACS+ server application for mi s-configura- tions or missing data t hat could affect the server’ s inte roperation with the switch.
4-9 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch CLI C omma nds D esc ribed in th is Sect ion V iewing the Switch’ s Current Authentication Configuratio n This command list s the n.
4-10 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch Vi ewing the Switch’ s Current T ACACS + Server Contact Confi guration This comma nd lists the t imeout perio d, encry ption key , and the I P addresse s of the f irst-choice and backup T AC ACS+ server s the switch can contact .
4-11 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch Configuring the Switch’ s Authenticati on Methods The aaa au thent ication command c onfigures t he access cont rol for consol e port an d T elnet access to the switch.
4-12 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch T able 4-1. AAA Au thenticat ion Pa rameters As shown in the next ta ble, login and en able ac cess is alwa ys availab le locall y throug h a direct t erminal conn ection to t he switch’ s console po rt.
4-13 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch T able 4-2. Primary/Sec ondary Auth enticatio n T abl e Caution Reg arding the Use of Loca l for Login P r imary Access During loc a.
4-14 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch For examp le, here i s a set of access opti ons and th e corres ponding c o mman ds to co nfigu re them : Console Lo gin (Operator or Rea d-Only) Acc ess: Prim ary usin g T ACACS+ server .
4-15 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch Configuring the Switch’ s T A CACS+ Server Access The tacacs- serve r command configu res these para meters: ■ The host IP add ress(es) for up to thr ee T ACACS+ ser vers; one first- choice and up to two backups.
4-16 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch Note on Encryption Key s Encr ypti on keys conf igur ed in the sw itch mus t exac tly mat ch the en cryp tion keys configur ed in T ACACS + servers the switch w ill attempt to use fo r auth enti cati on.
4-17 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch T able 4-3. Details on Configuring T ACACS Ser vers and Key s Name Defaul t Rang e tacacs -serve r host < ip- addr > none n/a This command spec ifies the IP addr ess of a devi ce runnin g a T ACACS + server ap plicat ion.
4-18 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch Adding, Removing, or C hanging the Pr iority o f a T ACACS+ Se rver . Suppos e that the sw itch wa s already c onfig ured to u se T ACACS + servers a t 10.2 8.227 .10 a nd 10.28. 227.
4-19 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch Figure 4-5. Exam ple of the Switch Af ter Assi gning a Differen t “Firs t-Choice ” Serv er T o r emove t he 10.28 .227.15 d evice as a T ACACS+ se rver , you would use this comm and: ProCurve(config)# no tacacs-server host 10.
4-20 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch To delete a per-serv er encryption k ey in the swi tch, re-en ter the t acacs-ser ver host comm and with out the key pa rameter . For exam ple, if you h ave no rth01 configu red as the e ncrypti on key f or a TACACS + server with an IP addr ess of 10.
4-21 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch Figure 4-6. Usin g a T ACACS+ Server for Au thentic ation Using fi gure 4-6, abov e, afte r either switch d etects an operato r’ s log on reque st from a r emote o r direct ly connected ter minal, the foll owing events o ccur: 1.
4-22 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch Local A uthentication Pro cess When the switch is co nfigured to use T ACAC S+, it reve rts to loc al authe nti- cation o nly if one o f these t wo cond itions e xists: ■ “Loc al” is the au thenticat ion option for t he access me thod be ing used.
4-23 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch Using the Encryption Key General Operation When us ed, the en crypti on key ( sometimes termed “key”, “secret k ey”, or “s.
4-24 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch For ex ample, you would u se the next comma nd to confi gure a global encry p - tion k ey in the switch to m atch a k ey ente red as north 40c ampus in two target TACACS+ servers. (That is, both server s use t he same key for your switch.
4-25 TACACS + Authenti cation Con figurin g TAC ACS+ on the Sw itch Messages Related to T ACACS+ Operation The swi tch gene rates th e CLI me ssages listed below .
4-26 TACACS+ Authen ticat ion Confi gurin g TACAC S+ on th e Switch ■ When T AC ACS+ is not enabl ed on t he sw itch —or when the sw itc h’ s only de signated T ACACS + servers are n ot accessi .
5-1 5 RADIUS Authenticatio n and Accounti ng Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5-2 RADIUS Au thentic ation a nd Accou nting Overv iew Overview RADIUS ( Remote Authentication Dial-In User Service ) en ables you t o use up to thre e server s (one pr imary se rver and one or tw o backu ps) and m aintain separa te authenticati on and accoun ting f or each RA DIUS ser ver empl oyed.
5-3 RADIUS Aut hentica tion and Acc ountin g Termin olog y T erminology CHAP (C hall enge- Hands hake A uthenticat ion P rotoc ol): A chall enge- response authenti cation prot ocol t hat uses t he Messag e Diges t 5 (MD 5) hashing scheme to encrypt a respon se to a ch allenge from a RA DIUS server .
5-4 RADIUS Au thentic ation a nd Accou nting Switc h Operatin g Rules for RADI US Switch Operating Rules for RADIUS ■ Y ou must have at least one RADIU S serv er accessib le to the switch. ■ The swit ch sup ports au thenti cation and ac counting using u p to thre e RADI US se rvers .
5-5 RADIUS Aut hentica tion and Acc ountin g General RAD IUS Setup Proced ure General RADIUS Setup Procedur e Preparat ion: 1. Configure one to three R ADIUS servers to supp ort the switch. (T hat is, one prim ary server an d one or two ba ckups.) Refer t o the documen tation provided with t he RADIUS server a pplicat ion.
5-6 RADIUS Au thentic ation a nd Accou nting Config uring the Switch for RADIU S Authen ticatio n Configurin g the S witch for RADIUS Authentication • Dete rmine w hether you can use on e, global encr yptio n key for all RAD IUS servers or if un ique key s will be requi red for spe cific s ervers.
5-7 RADIUS Aut hentica tion and Acc ountin g Confi gurin g the Switch f or RADI US Aut henti cati on Outli ne of the Steps for Confi g uri ng RADIU S Authenticati on There a re three m ain steps to confi guring RADI US authen ticatio n: 1.
5-8 RADIUS Au thentic ation a nd Accou nting Config uring the Switch for RADIU S Authen ticatio n out on a serv er that is unav ailable. If you wa nt to use this fe ature, select a dead-ti me peri od of 1 to 1440 minutes. (Defau lt: 0—disab led; range: 1 - 1440 min utes.
5-9 RADIUS Aut hentica tion and Acc ountin g Confi gurin g the Switch f or RADI US Aut henti cati on For examp le, suppose you have alread y configur ed local pa sswords on t he switch, but want to us.
5-10 RADIUS Au thentic ation a nd Accou nting Config uring the Switch for RADIU S Authen ticatio n 2. Configure the Switch T o Access a RADIUS Se rver This section desc ribes how to c onfigure the sw itch to interac t with a RADIUS server for both authent ication an d accoun ting services.
5-11 RADIUS Aut hentica tion and Acc ountin g Confi gurin g the Switch f or RADI US Aut henti cati on For examp le, suppos e you have con figure d the switch as shown in figure 5-3 and you no w need to ma ke the follo wing chang es: 1. C hange the encryp tion key for the server at 10.
5-12 RADIUS Au thentic ation a nd Accou nting Config uring the Switch for RADIU S Authen ticatio n 3. Configure the Switch’ s Global RADIUS Parameters Y ou can config ure th e switch for the followi.
5-13 RADIUS Aut hentica tion and Acc ountin g Confi gurin g the Switch f or RADI US Aut henti cati on Note Where the sw itch has mul tiple RADIU S serv ers co nfigu red to s upport au then - ticatio n requests, if the first ser ver fails to respon d, then th e switch tries the next serv er in the list, and so-on.
5-14 RADIUS Au thentic ation a nd Accou nting Config uring the Switch for RADIU S Authen ticatio n For exam ple, su ppose t hat your switch is c o nfigur ed to us e three RA DIUS servers for authenticat i ng acc ess throug h T elnet and SS H. T wo of these serve rs use t he sa me encr ypt ion key .
5-15 RADIUS Aut hentica tion and Acc ountin g Confi gurin g the Switch f or RADI US Aut henti cati on Figure 5-6. Listing s of Gl obal RADI US Paramet ers Confi gured In Figure 5-5 ProCurve# show auth.
5-16 RADIUS Au thentic ation a nd Accou nting Loca l Authen ticatio n Pro cess Local Authentication Process When the switch is conf igured to use R ADIUS, it reverts to local authe nticat ion only if one of these two condition s exists: ■ “Loc al” is the au thenticat ion option for t he access me thod be ing used.
5-17 RADIUS Aut hentica tion and Acc ountin g Contr ollin g Web Br owser In terf ace Acce ss Whe n Using RA DIU S Authe ntica tion Controlling W eb Browser Interface Access When Using RADIUS Authentic.
5-18 RADIUS Au thentic ation a nd Accou nting Confi gurin g RADI US Acco untin g Note This sec tion a ssumes you ha ve alre ady: ■ Configu red RA DIUS auth entica tion on the swit ch for one or more.
5-19 RADIUS Aut hentica tion and Acc ountin g Confi guring RAD IUS Ac coun ting The swit ch forwa rds the accounti ng info rmation it coll ects to t he design ated RADIUS ser ver , w here the informa tion is f ormatted , stored, a nd mana ged by the ser ver .
5-20 RADIUS Au thentic ation a nd Accou nting Confi gurin g RADI US Acco untin g – Opt ional—if yo u are also configur ing the switch fo r RADIUS authe nticatio n, and need a unique encryp tion key fo r use duri ng auth entica tion se ssion s with th e RADI US serv er yo u are des ig- nating, configure a se rver -specif ic key .
5-21 RADIUS Aut hentica tion and Acc ountin g Confi guring RAD IUS Ac coun ting (For a mo re complet e descripti on of the ra dius- serv er co mmand a nd its options, t urn to p age 5-10.) For exam ple, su ppose y ou want to th e switch to use the RADIU S server describe d below for both authen ticat ion and acco unting pu rposes.
5-22 RADIUS Au thentic ation a nd Accou nting Confi gurin g RADI US Acco untin g Figur e 5-7 . Exam ple of Config uring f or a RAD IUS Server wi th a Non -De faul t Accou nting UDP Port Num ber The radius-serv er comman d as shown in fig ure 5- 7, abov e, confi gures t he switch to use a R ADIUS ser ver at I P address 10 .
5-23 RADIUS Aut hentica tion and Acc ountin g Confi guring RAD IUS Ac coun ting ■ Start- Stop: • Send a s tart rec ord ac countin g noti ce at th e begi nning o f the accoun t- ing session and a stop record notice at the end of the se ssion.
5-24 RADIUS Au thentic ation a nd Accou nting Confi gurin g RADI US Acco untin g 3. (Optional ) Configure Session Blocking and I nterim Updat ing Opti ons These op tional pa rameter s give you additiona l control ov er acco unting da ta.
5-25 RADIUS Aut hentica tion and Acc ountin g Viewin g RADIUS Statistics V iewing RADIUS Statistics General RADIUS Statistics Figure 5-10. Example of Genera l RADIUS Info rmation from Sh ow Radius Command Syntax: sh ow radius [host < ip-addr >] Shows general RADIUS configuration , i ncluding the server IP addresses.
5-26 RADIUS Au thentic ation a nd Accou nting View ing RAD IUS St atis tics Figure 5-11. RADIUS Server Inf ormation From the Show Ra dius Host Com mand.
5-27 RADIUS Aut hentica tion and Acc ountin g Viewin g RADIUS Statistics T able 5-2. V alues for Sho w Radi us Host O utput ( Figure 5- 11) Te r m Definition Round T ri p T ime The time int erval be twee n the most re cent Ac coun ting-Re spon se and the Account ing- Reques t that matche d it from thi s RADIUS acc ounting se rver .
5-28 RADIUS Au thentic ation a nd Accou nting View ing RAD IUS St atis tics RADIUS Authenticati on Statistics Figure 5-12. Examp l e of Login Att empt an d Prima ry/Seco ndary Aut henticat ion Info rmation from the Show Auth entication Co mmand Figur e 5-13 .
5-29 RADIUS Aut hentica tion and Acc ountin g Viewin g RADIUS Statistics RADIUS A ccounting Statisti cs Figure 5-14. Listing the Accounting Configuration in the Switch Figure 5-15.
5-30 RADIUS Au thentic ation a nd Accou nting Changin g RADIUS-Serve r Access Order Figure 5-16. Example Listing of Active RADI US Account ing Sessions on t he Switch Changing RADIUS-Server Access Order The switch tries t o access RADIUS serv ers a ccording t o the ord er in whi ch their IP addresses are listed by the show r adiu s comm and.
5-31 RADIUS Aut hentica tion and Acc ountin g Changin g RADIUS-Serv er Access Orde r T o exchange the position s of the a ddresses so that the serv er at 10.10.1 0.003 will be t he first c hoice and the server a t 10.10.10.001 wil l be the last, you wou ld do the follow ing: 1.
5-32 RADIUS Au thentic ation a nd Accou nting Messa ges Rela ted to RA DIUS O perat ion Messages Related to RADIUS Operation Message Me anin g Can’t reach RADIUS server < x.x.x.x >. A desi gnate d RADI US serv er is not re spondin g to an authen ticat ion re quest.
6-1 6 Configuri ng Secure Sh ell (S SH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6-2 Config uring Secu re Shell (SSH) Overv iew Overview The ProCur ve switch es covered in thi s guide u se Secur e Shell ve rsion 1 or 2 (SSH v1 or SSHv2 ) to pr ovide remote acce ss to manag ement func tions on th e switch es via en crypte d paths be tween the switc h and managem ent stati on clie nts capa ble of SSH opera tion.
6-3 Configu ring Se cure Shell (SS H) Overvi ew Note SSH in the Pro Curve is based on the OpenSSH software toolkit. For mor e information on OpenSSH, visit www .openssh. com . Switch S SH and Us er Passwor d Authenti cation . This option is a subset of the client pu blic-key authenti cation sho w in figu re 6-1.
6-4 Config uring Secu re Shell (SSH) Termin olog y T erminology ■ SSH S erver: A ProCu rve switch wi th SSH enabled. ■ Key Pair: A pair of k eys gener ated b y the switch or an S SH client appli cation. Each pai r inc ludes a p ublic k ey , that can be re ad by anyone and a private key , that is held int ernally in the switch or by a clien t.
6-5 Configu ring Se cure Shell (SS H) Prere quisi te for Us ing S SH Prerequisite for Using SSH Before usin g the switch as an SSH server , you must install a publ icly or commercia lly availabl e SSH client application on the co mputer(s) you use for manageme nt access to the switch.
6-6 Config uring Secu re Shell (SSH) Steps f or Conf igur ing an d Using S SH for Switch and Cli ent Au thent icati on Steps for Configuring and Using SSH for Switch and Client Authentication For two -way authen ticatio n betwee n the switc h and an SSH client, yo u must use t he logi n (Op erator ) level.
6-7 Configu ring Se cure Shell (SS H) Steps for Co nfigurin g and Usin g SSH for Swit ch and Cli ent Authentic a tio n B. Swit ch Prepar ation 1. A ssign a lo gin (Oper ator) and en able (Ma nager) pa ssword on the switch (page 6 -9). 2. Gene rate a p ublic/p rivat e key pa ir on th e switc h (pag e 6-10) .
6-8 Config uring Secu re Shell (SSH) Gener al Oper ating Rule s and Notes General Operating Rules and Notes ■ Public key s generat ed on an SSH clie nt must be ex portable to th e switch.
6-9 Configu ring Se cure Shell (SS H) Config uring the Sw itch fo r SSH Operat ion Configuring the Switch for SSH Operation 1. Assign Local Login (Operator) and Enable ( Manager) Password At a mi nimum , ProCur ve recom mends that you alwa ys assign at least a Manager p assword to the sw itch.
6-10 Config uring Secu re Shell (SSH) Confi gurin g the Sw itch f or SSH Operati on Figur e 6-5 . Exampl e of Config uring L ocal Pas swo rds 2. Generate the Sw itch’ s Public and Pri vate Key Pa ir Y ou must generate a public and private host key pair on the sw itch.
6-11 Configu ring Se cure Shell (SS H) Config uring the Sw itch fo r SSH Operat ion Notes When you genera te a host key pair o n the switc h, the sw itch place s the key pair in flas h memory (a nd not in the ru nning-conf ig file). Al so, the switch maintains the key pair across rebo ots, includin g power cycles.
6-12 Config uring Secu re Shell (SSH) Confi gurin g the Sw itch f or SSH Operati on For ex ample, to gen erate an d disp lay a new key: Figure 6-6. Example of Generating a P ublic/Private Host Key Pa .
6-13 Configu ring Se cure Shell (SS H) Config uring the Sw itch fo r SSH Operat ion distribut ion to clients is to use a direct , serial con nection between the switch and a managem ent de vice (lap top, PC , or UNIX workst ation), a s descri bed below .
6-14 Config uring Secu re Shell (SSH) Confi gurin g the Sw itch f or SSH Operati on 4. Add an y data re quire d by you r SSH clie nt appli cation . For exa mple B efore saving the key t o an SSH c lient ’ s "known hosts" fi le you ma y have to i nsert the switch’ s IP address: Figure 6-9.
6-15 Configu ring Se cure Shell (SS H) Config uring the Sw itch fo r SSH Operat ion Figure 6-10. Examp l es o f Vi sual Pho netic and Hexa decimal C onversion s of the Switch’ s Public Key The two c.
6-16 Config uring Secu re Shell (SSH) Confi gurin g the Sw itch f or SSH Operati on SSH Client Contact Behavior . At the fir st contac t betwee n the swit ch and an SSH client , if you have not copie .
6-17 Configu ring Se cure Shell (SS H) Config uring the Sw itch fo r SSH Operat ion Note on Port Number ProCur ve rec ommen ds using the de fault TC P port num ber (22 ). However , you can use i p ssh por t to speci fy any TCP port for SSH conn ections exc ept those reserve d for o ther pu rposes.
6-18 Config uring Secu re Shell (SSH) Confi gurin g the Sw itch f or SSH Operati on Caution Pro tect you r privat e key file fro m access b y anyone other tha n yoursel f. If someone can acc ess your private key file, the y can then pene trate SSH secu rity on the swi tch by appear ing to b e you.
6-19 Configu ring Se cure Shell (SS H) Config uring the Sw itch fo r SSH Operat ion Option B: Configur ing the Swit ch for Cli ent Public-Key SSH Auth entic ation.
6-20 Config uring Secu re Shell (SSH) Confi gurin g the Sw itch f or SSH Operati on W ith steps 1 - 3 , above, c ompleted a nd SSH prop erly co nfigured on the swit ch, if an SSH client contac ts the switch , log in auth enti cati on auto matica lly o ccurs first, using the swit ch and client public -keys.
6-21 Configu ring Se cure Shell (SS H) Config uring the Sw itch fo r SSH Operat ion Figure 6-12. Con figuring f or SSH Access Requ iring a Clie nt Publ ic-Key Ma tch and Manage r Passwords Figure 6-1 3 shows how t o check the re sults of the abov e command s.
6-22 Config uring Secu re Shell (SSH) Confi gurin g the Sw itch f or SSH Operati on 6. Use an SSH Client T o Ac cess the Switch T e st the SSH configur ation on the swit ch to ensure that you hav e achie ved the level of S SH oper ation you w ant for th e switch .
6-23 Configu ring Se cure Shell (SS H) Furt her I nfo rmati on o n SSH Clie nt Pu blic -Key Authe ntica tion Further Informatio n on SSH Client Public-Key Authentication The section t itled “5. Con figure the Switch fo r SSH Authe ntication” on page 6-18 lists the st eps f or co nfiguri ng SSH au thenti cati on on t he sw itch.
6-24 Config uring Secu re Shell (SSH) Furthe r Info rmation on SS H Client Public-Key Authent icati on 3. If ther e is not a match, a nd yo u have not configur ed the switch to acce pt a log in pass word as a sec ondary authe nticat ion metho d, the sw itch d enies SSH acc ess to the cli ent.
6-25 Configu ring Se cure Shell (SS H) Furt her I nfo rmati on o n SSH Clie nt Pu blic -Key Authe ntica tion Notes Comments in p ublic key files, suc h as smith@support.cairn s.com in fi gure 6-14 , may appea r in a SSH client a pplication’ s g enerated pub lic key .
6-26 Config uring Secu re Shell (SSH) Furthe r Info rmation on SS H Client Public-Key Authent icati on Copying a client-public -key into the switch requires th e following: ■ One or mor e client-g enerat ed public keys. Re fer to the docume ntatio n provide d with your SS H client appli cation.
6-27 Configu ring Se cure Shell (SS H) Furt her I nfo rmati on o n SSH Clie nt Pu blic -Key Authe ntica tion For example , if you wanted to copy a client public -key file na med clientkey s.txt from a TF TP server at 10.3 8.252. 195 and th en display th e file co ntents: Figur e 6- 15.
6-28 Config uring Secu re Shell (SSH) Furthe r Info rmation on SS H Client Public-Key Authent icati on Caution T o enable client pu blic-key a uthentic ation to bloc k SSH clie nts whose public keys are not in t he clien t-public- key file copie d into the switch, yo u must config ure the L ogin Seco ndary a s non e .
6-29 Configu ring Se cure Shell (SS H) Messa ges Rela ted to SS H Oper ation Messages Related to SSH Operation Message Me anin g 00000K Peer unreachable. Indica tes an error in co mmunicati ng with the tftp server or not f inding the fi le to downlo ad.
6-30 Config uring Secu re Shell (SSH) Messages Rela ted to SS H Operat ion Generating new RSA host key. If the cache is depleted, this could take up to two minutes. After you execute the crypto key gene rate ssh [rsa] command , the switch d isplay s thi s mess age while it is gene rating the key .
7-1 7 Configuri ng Secure So cket Layer ( SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7-2 Config uring Se cure Sock et Laye r (SSL) Overv iew Overview The ProCur ve switch es covered by this manual u se Secur e Socket Layer V ersio n 3 (SSLv3) and sup port for T r ansport La yer Securi.
7-3 Conf igur ing Secu re Sock et Lay er (SSL) Termin olog y Figure 7-1. Switch/User Auth entication SSL on the ProC urve swit ches support s these data enc ryption metho ds: ■ 3DES (1 68-bit, 1 12 Effective) ■ DES ( 56-bit ) ■ RC4 (40- bit, 128-bit) Note: ProCurve switche s use RSA public key algorithms and Diffie-Hellman .
7-4 Config uring Se cure Sock et Laye r (SSL) Termin olog y ■ Self -Sign ed C erti fica te: A certificat e not verifie d by a thir d-par ty certifica te authority (CA ). Self-signed ce rtificates provide a reduced level o f securi ty compa red to a C A -sign ed cert ificate .
7-5 Conf igur ing Secu re Sock et Lay er (SSL) Prer equisit e fo r Usi ng SS L Prerequisite for Using SSL Before usin g the switch a s an SSL server , you must in stall a publicl y or comm ercially av ailable SSL enabled w eb browser applicat ion on the co m- puter (s) you u se for m anageme nt access to the swi tch.
7-6 Config uring Se cure Sock et Laye r (SSL) Gener al Oper ating Rule s and Notes General Operating Rules and Notes ■ Once yo u gener ate a certifica te on th e switch you sho uld avoi d re- gener ating the certific ate with out a co mpellin g reaso n.
7-7 Conf igur ing Secu re Sock et Lay er (SSL) Gener al Ope rating R ules an d Notes Configuring the Switch for SSL Operation 1. Assig n Local Login (Operator) and Enable (M anager) Password At a mi nimum , ProCur ve recom mends that you alwa ys assign at least a Manager p assword to the sw itch.
7-8 Config uring Se cure Sock et Laye r (SSL) Gener al Oper ating Rule s and Notes Using the web browser interface T o Configure Local Passwords. Yo u can config ure bot h the Oper ator an d Manager p assword on o ne scree n.
7-9 Conf igur ing Secu re Sock et Lay er (SSL) Gener al Ope rating R ules an d Notes to conn ect via SSL to th e switch . (The se ssion key pair men tione d abov e is not visi ble on the swi tch. It is a tem porary , intern ally gene rated pair used for a particul ar switch/clie nt session, an d then discar ded.
7-10 Config uring Se cure Sock et Laye r (SSL) Gener al Oper ating Rule s and Notes CLI command s used to gene rate a Se rver Host C ertificat e. T o g enerate a host cer tificat e from th e CLI: i. Ge nerate a c ertificat e key pair . This is done w ith the crypto key generat e cert com mand.
7-11 Conf igur ing Secu re Sock et Lay er (SSL) Gener al Ope rating R ules an d Notes T a ble 7-1. Certificate Field Descriptions For exam ple, to gener ate a key and a new host certifica te: Figure 7-3. Example of Gener ating a Self-Signed Serv er Host certificate on the CLI for the Switc h.
7-12 Config uring Se cure Sock et Laye r (SSL) Gener al Oper ating Rule s and Notes CLI Co mmand to vie w host ce rtifica tes. T o v iew the current h ost cer tifica te from th e CLI yo u use the show crypto host-c ert comma nd. For exam ple, to displa y the new serve r host c ertifica te: Figur e 7-4 .
7-13 Conf igur ing Secu re Sock et Lay er (SSL) Gener al Ope rating R ules an d Notes i. Se lect the Security tab then the [SSL ] button. Th e SSL conf iguration screen is div ided into tw o halv es. The left half i s used for creati ng a new ce rtificate k ey pa ir and ( self-sign ed / C A-signed ) ce rtificate .
7-14 Config uring Se cure Sock et Laye r (SSL) Gener al Oper ating Rule s and Notes For exa mple, to gene rate a new host certif icate via the w eb brow sers i nter- face: Figure 7-5. Self-Signed C ertificate g eneration via SSL Web Browser Inte rface Scre en T o v iew the current h ost cer tifica te in the web browse r inter face: 1.
7-15 Conf igur ing Secu re Sock et Lay er (SSL) Gener al Ope rating R ules an d Notes Figure 7-6. We b browser Interface showin g current SSL Host Certific ate Generate a CA-Signed server host certificate with the W eb Brow ser Interface This section desc ribes how to install a CA -Signed ser ver host certifica te from the web browse r interface.
7-16 Config uring Se cure Sock et Laye r (SSL) Gener al Oper ating Rule s and Notes that in volves havin g the cert ificat e author ity ver ify the c ertifi cate requ est and then di gitally signing t he requ est to gener ate a ce rtific ate respo nse (th e usable server host certificate) .
7-17 Conf igur ing Secu re Sock et Lay er (SSL) Gener al Ope rating R ules an d Notes Figure 7-7. Example of a Certific ate Req uest and Re ply 3. Enable SSL on the Switch and An ticipate SSL Browser .
7-18 Config uring Se cure Sock et Laye r (SSL) Gener al Oper ating Rule s and Notes Note Before en ablin g SSL on th e switch yo u must generat e the switch ’ s host certi ficate an d key . If you hav e not already d one so, refe r to “2. Gen erate t he Switc h’ s Serv er Host Certifi cate” on page 7-8.
7-19 Conf igur ing Secu re Sock et Lay er (SSL) Gener al Ope rating R ules an d Notes Using the CLI inter face to enable SSL T o enab le SSL on the swi tch 1. Gene rate a Host cer tifi cate i f you have n ot al read y done so. ( Ref er to “2 . Generat e the Sw itch’ s Ser ver Host C ertificat e” on pag e 7-8.
7-20 Config uring Se cure Sock et Laye r (SSL) Gener al Oper ating Rule s and Notes Figure 7-8. Usin g the web browser interface to enable SSL an d selec t TCP p ort numbe r Note on Port Number ProCu rve reco mmend s using th e defaul t IP port nu mber (443) .
7-21 Conf igur ing Secu re Sock et Lay er (SSL) Common Errors in SSL Setu p Common Errors in SSL Setup Error Durin g P ossible Cau se Gene rating host cer tificat e on C LI Y ou have no t gene rated a certif icate key. (Refer to “CLI command s used to genera te a Serv er Host Certif icate” o n page 7-1 0.
7-22 Config uring Se cure Sock et Laye r (SSL) Common Errors in SSL Setup.
8-1 8 Configu ring Port-B ased and Client -Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Why Use Po rt-Based o r Client -Based A cce ss Control? .
8-2 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Conte nts Sett ing Up and Co nfigur ing 80 2.1X Op en VLAN Mode . . . . . . . . . . . . 8-33 802.1X Op en VLAN Oper ating Notes . . . . . . . . . . . . . . . . . . . . . . . . .
8-3 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Overvi ew Overview Why Use Port-Based or C lient-Based Access C ontrol? Local Area Networks a re often deploye d in a way that a llows unauth orized clients to a ttach to netw ork devi ces, or allows un authorized use rs to get access to u nattended clie nts on a net work.
8-4 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Overv iew Port-Base d acce ss control op tion allo wing au thentic ation by a single clie nt to open t he port.
8-5 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Overvi ew 802.1X Port-Based Access Contro l 802.1X po rt-ba sed access con trol prov ides port- level security that all ows LAN access o nly on p orts where a single 802.1X- capable c lient ( supplic ant) has ente red au thori zed RA DIU S user cred enti als.
8-6 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Overv iew access fr om a ma ster databa se in a sin gle server ( although y ou can use up to three RAD IUS server s to provide back ups in case access to the primary server fail s).
8-7 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Termin olog y T erminology 802.1X-A ware: Refe rs to a device t hat i s runn ing e ither 8 02.1X authen ticator software or 802.1X cli ent softw are and is ca pable of intera cting with other device s on the basis of the I EEE 802.
8-8 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Termin olog y EAPOL: Extensible A uthenticatio n Protocol Over LA N, as defined in the 802.1X standard . Friendly Cl ient: A cli ent that does not po se a securi ty risk if given ac cess to the switc h and your network.
8-9 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Termin olog y designa te as th e Unauth orized- Client VLAN.) A p ort co nfigure d to use a given Una uthorize d-Client VL .
8-10 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) General 802.1X Authen ticator Ope ration General 802.1X Authen ticator Operation This operation pro vides security on a direct, point -to-point link between a single c lient and the swit ch, where both devi ces are 802.
8-11 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Gener al 802. 1X Auth enticator O peratio n ii. If the clie nt is su ccessfully authenti cated a nd authorize d to co n- nect to the ne twork, then the switch allows acc ess to the client.
8-12 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Gener al Oper ating Rule s and Notes 3. Port A1 repl ies with an MD5 ha sh response base d on its username and password or other u nique crede ntials. Switc h “B” forwa rds this respo nse to the RADIUS server .
8-13 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Gener al Ope rating R ules an d Notes port. If anothe r client us es an 802.1 X supplican t applic ation to ac cess the op ened po rt, th en a re -authe ntication o ccurs using th e RADIU S config uration re sponse for the late st client t o authent icate.
8-14 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) General Se tup Proce dure for 802.1X Access Contro l General Setup Procedure for 802.
8-15 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Genera l Setup Pr ocedur e for 802 .1X Ac cess Con trol Overview : Configuri ng 802.1X A uthenticati on on the Switch This sec tion ou tlines th e steps fo r conf iguring 8 02.
8-16 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) General Se tup Proce dure for 802.1X Access Contro l 7. If you are using P ort Sec urity on the switc h, conf igure t he switch to allo w only 80 2.1X access on ports co nfigure d for 8 02.
8-17 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Conf iguring Switch Ports as 8 02.1 X Authentic ators Configuring Switch Ports as 802.1X Authenticators 1. Enable 80 2.1X Authentication on Se lected Ports This ta sk conf igures the indi vidual ports yo u want to operate as 802.
8-18 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Configu ring Switch Ports as 802. 1X Au thentic ators A. Enable the S elected Port s as Authenticators and Enable the (Default) Port-B ased Authentication B. Specify Clien t-Based or Return to Port-B ased 802.
8-19 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Conf iguring Switch Ports as 8 02.1 X Authentic ators Port-Base d 802.1X Auth entication.
8-20 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Configu ring Switch Ports as 802. 1X Au thentic ators 2. Reconfi gure Settings for Por t-Access The comm ands in thi s section are init ially set by defau lt and can be recon fig- ured as needed .
8-21 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Conf iguring Switch Ports as 8 02.1 X Authentic ators [quiet-peri od < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authoriz ed by the max-reque sts parameter fails (next page).
8-22 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Configu ring Switch Ports as 802. 1X Au thentic ators [reauth-per iod < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated.
8-23 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Conf iguring Switch Ports as 8 02.1 X Authentic ators 3. Configure the 802.1 X Authentication Method This ta sk specifie s how th e switch w i ll au thenticat e the credentia ls provi ded by a supp licant connec ted to a switch port confi gured as an 8 02.
8-24 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Configu ring Switch Ports as 802. 1X Au thentic ators 4. Enter the R ADIUS Host IP Addre ss(es) If you se lected either eap-r adius or chap- radius for the a uthent ication method , configu re the swi tch to use 1 to 3 RADIUS ser vers for au thentica tion.
8-25 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Conf iguring Switch Ports as 8 02.1 X Authentic ators 6. Optionally Resetting Authentica tor Operation After au thenti cation has be gun oper ating, t hese comm ands can be used to reset auth enticati on and rel ated sta tistics on sp ecific p orts.
8-26 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) 802.1 X Open VLAN M ode 802.1X Open VLAN Mode Introduction This secti on describes how to use the 802.1X Ope n VLAN m ode to co nfigure unautho rized-client an d author ized-clien t VLANs on por ts configured as 802 .
8-27 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) 802.1X Open VLAN M ode Note On ports configure d to allow multiple sessions using 802.
8-28 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) 802.1 X Open VLAN M ode Note After c lient authenti cation, the port resumes m embershi p in an y tagged VLANs for which it is configur ed.
8-29 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) 802.1X Open VLAN M ode T able 8-1. 802.1X Open VLAN Mode Options 802.1X Per -Port Configuration Port Response No Open VLAN mod e : The port au tomatical l y blocks a cli ent that canno t initi ate an authen tication session.
8-30 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) 802.1 X Open VLAN M ode Open VLAN Mo de with Only an Un auth orized -Clie nt VL AN Configure d: • When the port detects a client , it automat ically become s an untagged memb er of this VLAN.
8-31 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) 802.1X Open VLAN M ode Operating Ru les for Authorized-Cli ent and Unauthorized-Client VLANs Open VLAN Mo de with Only an Authorize d-Client VLAN Configur ed: • Port automa ticall y blocks a client that cannot initi ate an authen tication session.
8-32 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) 802.1 X Open VLAN M ode T emporary VLAN Mem bership Duri ng a Client Sessi on • Port membersh ip i n a VLAN assigned to op.
8-33 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) 802.1X Open VLAN M ode IP Addr essing for a Cli ent Conn ected to a Port Co nfigured for 802. x Open VLAN Mode A client can either acq uire an IP ad dress fro m a DHCP server or have a preconf igured, manual IP add ress befor e connect ing to the swit ch.
8-34 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) 802.1 X Open VLAN M ode Note If you use th e same VL AN as the U nautho rized-Cli ent VLAN for all authenti - cator ports, una uthentica ted cl ients on d ifferent po rts can co mmunic ate with each othe r .
8-35 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) 802.1X Open VLAN M ode ■ A clien t must eit h er hav e a valid IP addr ess conf i gured befor e connec ting to the switch, or downloa d one thr ough th e Unauthor ized- Client VLAN from a DHCP server .
8-36 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) 802.1 X Open VLAN M ode 2. Con figure the 802.1X authentication type. Options include: 3. If you selected either eap-r adius or chap -rad ius for step 2, use the radiu s host c ommand to configure up to three RADIUS server IP address(es) on the switch.
8-37 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) 802.1X Open VLAN M ode Note If you want to implement th e optiona l port securi ty feature on the switch, you should fi rst ensure that the ports you have conf igured as 8 02.
8-38 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) 802.1 X Open VLAN M ode Inspecting 802.1 X Open VLAN Mode Operation. For informat ion and an ex ample on viewing c urren t Open VLA N mode ope ration, r efer to “ Viewing 802.
8-39 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) 802.1X Open VLAN M ode RADIUS- assigned VLA N, then a n auth enticated clien t without tagged VLAN cap ability c a n access o nly a staticall y config ured, un tagged VLAN on that port.
8-40 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Option For Auth enticator Port s: Configure P ort-Security T o Allow Only 802.
8-41 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Option For A uthen ticator Por ts: Con figure Port -Secur ity T o Allow Only 802.
8-42 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Confi gurin g Swi tch P orts T o Op erat e As S uppl icant s fo r 8 02.1X Con necti ons to Othe r Swi tches Configur e the port a ccess ty pe. Configuring Switch Ports T o Operate As Supplicants for 802.
8-43 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Confi guring Sw itch Port s To Opera te As Suppli cant s for 802 .1X Conn ection s to Other Swi tches ■ Switch “A” has port A 1 configur ed for 802 .1X suppl icant ope ration ■ Y ou want to connec t port A1 on switch “A” to po rt B5 on switch “B”.
8-44 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Confi gurin g Swi tch P orts T o Op erat e As S uppl icant s fo r 8 02.1X Con necti ons to Othe r Swi tches • A “failure.
8-45 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Confi guring Sw itch Port s To Opera te As Suppli cant s for 802 .1X Conn ection s to Other Swi tches [identit y < user.
8-46 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Confi gurin g Swi tch P orts T o Op erat e As S uppl icant s fo r 8 02.1X Con necti ons to Othe r Swi tches [start-period < 1 - 300 >] Sets the time period between Start packet retransmis- sions.
8-47 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Displ aying 802.1X Configura tion, Stati stics, and C ounter s Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port -Access Authent i cator 802.1 X Authenticat ion Commands page 8-17 802.
8-48 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Displ aying 802.1 X Confi guration, Sta tistics , and Coun ters show po rt-access au thent icator (Syntax Co ntinu ed) config [[e] < port-list >] S hows: • Whether port-access authenticator is active • The 802.
8-49 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Displ aying 802.1X Configura tion, Stati stics, and C ounter s Figure 8-7.
8-50 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Displ aying 802.1 X Confi guration, Sta tistics , and Coun ters Vi ewing 80 2.
8-51 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Displ aying 802.1X Configura tion, Stati stics, and C ounter s ■ When the Unau th VLAN ID is config ured an d matche s the Current VLAN ID in the above c ommand out put, an unauthe nticated clie nt is connect ed to the p ort.
8-52 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Displ aying 802.1 X Confi guration, Sta tistics , and Coun ters Figure 8-9.
8-53 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) Displ aying 802.1X Configura tion, Stati stics, and C ounter s Show Commands for Port -Access Suppli cant Note on Su pplicant S tatistic s.
8-54 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) How RADIU S/802.1X Au thentic ation Affe cts VLAN Op eration supplican t port to an other with out cleari ng the statist ics data from t he first port, the authent icator ’ s MAC add ress will app ear in the supp licant sta tistics for both por ts.
8-55 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) How RAD IUS/802.1X Authen tication Affec ts VLAN Operation For exam ple, su ppose t hat a RA DIUS-auth entic ated, 802.
8-56 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) How RADIU S/802.1X Au thentic ation Affe cts VLAN Op eration Figure 8-11. The Active Config uration for VLAN 22 T emporarily Change s for the 802.
8-57 Conf igurin g Por t-Base d and Cl ient- Based Ac cess Co ntro l (802.1X) How RAD IUS/802.1X Authen tication Affec ts VLAN Operation When the 802 .1X cl ient’ s sessi on on po rt A2 e nds, the po rt discar ds the tempora ry untagg ed VLAN m embership.
8-58 Config uring Port-Ba sed a nd Clien t-Based Acce ss Co ntrol (802.1X ) Messages Rela ted to 802 .1X Op eratio n Messages Related to 802.1X Operation T able 8-4. 802.1X Operating Messa ges Message Me anin g Port < port-list > is not an authenticator.
9-1 9 Configuri ng and M onitoring Po rt Securit y Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9-2 Config uring an d Mon itoring P ort Security Overv iew Overview Note Port secu rity is not avai lable on por ts running at 10 Mbps or the 1000 Mbps uplinks.
9-3 Config uring and Monitoring Port Se curity Overvi ew General O peration for Port Securit y . On a per -po rt basis, you ca n config ure securit y measu res to block unautho rized devic es, and to sen d notice of securit y violations.
9-4 Config uring an d Mon itoring P ort Security Overv iew Figure 9-1. Examp l e of How Port Security Cont rols Ac cess Note Broa dcas t and Multi cast t raffi c is no t “u naut horize d” traff ic, an d can be rea d by int ruders c onnecte d to a port on whi ch you h ave c onfigured port securit y .
9-5 Config uring and Monitoring Port Se curity Planni ng Port Se curity Planning Port Security 1. Plan your port security configurat ion and mon itoring according to the foll owin g: a.
9-6 Config uring an d Mon itoring P ort Security Port Se curity C ommand Option s and Opera tion Port Security Co mmand Options and Operation Port Secu rity Comman ds Used in This Se ction This section describe s the CLI port se curity com mand and h ow the switch acquire s and ma intain s authori zed addre sses.
9-7 Config uring and Monitoring Port Se curity Port Se curit y Command O ptions and Opera tion Syntax : port-sec urity [e ] < por t-list > learn-m ode < continu ous | static | configu red | port-ac cess > Conti nuous (Default) : Appears in the factory-default setting or when you execute no port -secu rity.
9-8 Config uring an d Mon itoring P ort Security Port Se curity C ommand Option s and Opera tion Syntax : port-sec urity [e] < port-list > (- Cont inued -) learn-m ode < c ontinuous | static .
9-9 Config uring and Monitoring Port Se curity Port Se curit y Command O ptions and Opera tion Syntax : port-sec urity [e] < port-list > (- C ontinued -) action < none | send-alarm | send -disabl e > Speci fies whet her an SNMP trap is sent to a network man - agement station.
9-10 Config uring an d Mon itoring P ort Security Port Se curity C ommand Option s and Opera tion Retention of Stati c MAC Addresses Learned MAC Ad dresses In the foll owing two ca ses, a port in Sta .
9-11 Config uring and Monitoring Port Se curity Port Se curit y Command O ptions and Opera tion Using t he CLI T o Displa y Port Se curi ty Setti ngs. Syntax : show por t-securi ty show por t-securi ty [e] <por t numbe r> show po rt-sec urity [ e] [< port n umber >- < port n umber ].
9-12 Config uring an d Mon itoring P ort Security Port Se curity C ommand Option s and Opera tion The follow ing comm and exam ple shows t he option f or enterin g a range of ports, inclu ding a seri es of non-cont iguous ports.
9-13 Config uring and Monitoring Port Se curity Port Se curit y Command O ptions and Opera tion ProCurve(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable This example c onfigures por t A5 to: ■ Allow t wo MAC addresses, 00c10 0-7fec0 0 and 0 060b0-8 89e00, as the auth oriz ed d evic es.
9-14 Config uring an d Mon itoring P ort Security Port Se curity C ommand Option s and Opera tion mine d by the c u rr ent ad dress-lim it value) . For ex ample, suppose p ort A1 allows two authorized dev ices, but has only one device in its Authori zed Address list: Figure 9-4.
9-15 Config uring and Monitoring Port Se curity Port Se curit y Command O ptions and Opera tion Note The message Inconsiste nt value appears if the new MA C addr ess excee ds the curr ent Addr ess Li mit or sp ecif ies a de vice th at is alread y on th e list .
9-16 Config uring an d Mon itoring P ort Security Port Se curity C ommand Option s and Opera tion Caution The add ress-limit setting contro ls how many MAC addresse s are allowe d in the Au thorized A ddresses list for a given p ort.
9-17 Config uring and Monitoring Port Se curity Web: Di spla ying and C onfig uring Por t Secu rity Fe atures The fo llowing command serve s this purpos e by re movin g 0c0090 -123456 and reducin g th.
9-18 Config uring an d Mon itoring P ort Security Readi ng Intru s ion Al erts and Re setting Alert Flags When a security v iolatio n occur s on a por t config ured for Port Se curity , t he switch respond s in the following ways to notify you: ■ The switch sets an al ert flag for th at port.
9-19 Config uring and Monitoring Port Se curity Readin g Intr usion Al erts a nd Reset ting Al ert Flag s (by re settin g the alert f lag) . The othe r entri es gi ve you a h isto ry of pas t intrusions d etected on p ort A1.
9-20 Config uring an d Mon itoring P ort Security Readi ng Intru s ion Al erts and Re setting Alert Flags Menu: Checking for Intrusio ns, Listing Intrusion Alerts, and Resetting Alert Flags The menu i.
9-21 Config uring and Monitoring Port Se curity Readin g Intr usion Al erts a nd Reset ting Al ert Flag s The above e xample shows t wo intrusions f or port A3 and on e intrusio n for po rt A1. In this case, only t he most r ecent intrus ion at port A3 ha s not been ac knowled ged (re set).
9-22 Config uring an d Mon itoring P ort Security Readi ng Intru s ion Al erts and Re setting Alert Flags CLI: Chec king fo r Intrusio ns, Listing I ntrusion A lerts, and Resetting Alert Flags The fol.
9-23 Config uring and Monitoring Port Se curity Readin g Intr usion Al erts a nd Reset ting Al ert Flag s Figure 9-12. Example of the Intrusio n Log with Multiple Entries for th e Same P ort The ab ove ex ample sho ws three i ntrusions f or port A1.
9-24 Config uring an d Mon itoring P ort Security Readi ng Intru s ion Al erts and Re setting Alert Flags Using the Event Log T o Find Int rusion Alerts The Event Log lists port security intrusions as.
9-25 Config uring and Monitoring Port Se curity Operating Notes for Port Se curity W eb: Checking for Intrusions, Listing Intr usion Alerts, and Resetting Alert Flags 1. Check the Alert Log by cli cking on the Status t ab and the [ Overview] button. If there is a “Security Violation” entry , do the following: a.
9-26 Config uring an d Mon itoring P ort Security Opera ting Notes for Port Secu rity the aler t flag status for t he port refe renced in the dropped en try . This means that, even i f an entr y is forced off of the Intr usion L og, no ne w int rusions ca n be logg ed on the port ref erenced in that entr y until you reset t h e aler t flags.
9-27 Config uring and Monitoring Port Se curity Confi gurin g Pro tecte d Port s Configuring Protected Ports There a re situatio ns where y ou want to provid e internet access to users but preven t them from accessing ea ch othe r . T o achieve th is control , you can use the pro tected-po rts comm and.
9-28 Config uring an d Mon itoring P ort Security Confi gur ing Pro tecte d Por ts Figure 9-16. Example Showing P rotected P orts and Unpro tected Ports If you displa y the runnin g config fil e ( show runni ng-conf ig ) you will see the ports that have been selected as protected po rts.
10-1 10 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10-2 Using Au thorized IP Mana gers Overv iew Overview Authoriz ed IP Manage r Featur es The Au thorized IP Mana gers featu re uses IP add resses and m asks to dete r- mine which stati ons (PCs or workstations) ca n acce ss the switch t hrough th e network.
10-3 Using A uthorized IP Man agers Acces s Levels Configuratio n O ptions Y o u can configur e: ■ Up to 10 authorized manager addresses , where eac h addr ess appli es to either a single mana gemen.
10-4 Using Au thorized IP Mana gers Defin ing A uthori zed M anagemen t St ation s Defining Authorized Management Stations ■ Auth oriz ing Sing le Sta tio ns: The table entr y author izes a singl e managemen t station t o have IP ac cess to the swi tch.
10-5 Using A uthorized IP Man agers Defi ning Aut hori zed M anageme nt Stat ions 255.255.255.252 uses th e 4th octet of a given A uthorized Manag er IP addr ess to authorize f our IP addresse s for managem ent station acce ss. The details on how to use IP m asks are provide d under “Bu ilding IP Masks” o n page 10-9 .
10-6 Using Au thorized IP Mana gers Defin ing A uthori zed M anagemen t St ation s Figure 10-2. Examp l e of How T o Add an Au t horiz ed Manager Entry (Contin ued) Editing or Deleting an Author ized Mana ger Ent ry .
10-7 Using A uthorized IP Man agers Defi ning Aut hori zed M anageme nt Stat ions Figure 10-3. Examp l e of the Show IP Authorized -Manager Display The above e xample sho ws an Autho rized IP Man ager List that allow s stations to acce ss the switch as shown b elow: Configuring IP A uthorized Managers for the Switch T o Autho rize Ma nager Ac cess.
10-8 Using Au thorized IP Mana gers Defin ing A uthori zed M anagemen t St ation s Simil arly , the nex t comman d author izes man ager -lev el access for any sta tion having an IP addre ss of 10.28. 227.10 1 through 1 03: ProCurve(config)# ip authorized-managers 10.
10-9 Using A uthorized IP Man agers Web: Co nfigu rin g IP Autho rized Ma nage rs W eb: Configuring IP Authorized Managers In the we b browser i nterface you c an configu re IP Author ized Manage rs as describe d below . T o Add, Modify , or Delete an IP Authorized Manager a ddress: 1.
10-1 0 Using Au thorized IP Mana gers Buildi ng IP Masks T able 10-1. Anal y sis of IP Mask for Single-Sta tion Ent ries Configuri ng Multipl e Stations Per Auth orized Manager IP Entry The mask de termines wh ether the IP addr ess of a station on the net work meets the cr iteria yo u specif y .
10-1 1 Using A uthorized IP Man agers Buildin g IP Masks T a ble 10-2. Analy sis of IP Mask for Multiple-Station Entries Figure 10-5. Examp l e of How the Bi tmap i n the IP Mask Defines Au thorized M.
10-1 2 Using Au thorized IP Mana gers Opera ting Not es Additional Examples for Authorizi ng Multiple Stations Operating Notes ■ Network S ecurity Pr ecaution s: Y ou can enha nce your netw ork’ s.
10-1 3 Using A uthorized IP Man agers Oper ating N otes • Even if you n eed prox y server acc ess enabled in order t o use other ap plicatio ns, you can still eli minate prox y servic e for web access to the switch .
10-1 4 Using Au thorized IP Mana gers Opera ting Not es.
Index – 1 Index Numerics 3DES … 6-3, 7 -3 802.1X See p ort-based acce ss con trol. …8 - 1 802.1X access co ntrol authentica tion methods … 8-4 authent ication , client-b ased … 8-4 auth enti.
2 – In dex VLAN use, m ultiple c lients … 8 -7 A aaa aut hentic ation … 4-8 aaa port -acce ss See Web or MAC Authenticat ion. access levels , auth orized IP mana gers … 10-3 accoun ting See RADIUS. addres s authorized for port security … 9-3 auth entica tion See TACACS.
Inde x – 3 M MAC Authentic ation authen ticato r operat ion … 3 -5 blocke d traffic … 3 -4 CHAP defi ned … 3- 9 usag e … 3- 4 client sta tus … 3-30 config urat ion co mmands … 3-23 conf .
4 – In dex LACP n ot allowed … 8-58 local … 8-23 local u sername and password … 8-4 messages … 8-58 ope n VLAN authoriz ed clien t … 8-2 8 confi gurat ion … 8- 35, 8-3 7 general operat i.
Inde x – 5 SNMP ac cess secu rity not supported … 5-2 statist ics, v iewin g … 5- 25 terminology … 5-3 TLS … 5-4 Web br owser aut hentication … 5-7 web-br owser acces s contr ols … 5- 17 web-bro wser sec urity not s upported … 5-2 , 5-1 7 RADIUS ac counting See RADIUS.
6 – In dex prere quisites … 7-5 remove self-sign ed certific ate … 7-9 remove serve r host certificate … 7-9 reserved TCP port numbe rs … 7-20 root … 7-4 root certificate … 7-4 self-sign.
Inde x – 7 client sta tus … 3-30 config urat ion co mmands … 3-18 conf iguring on the s witch … 3-1 7 switch for RADIUS access … 3-15 featu res … 3-4 gener al setu p … 3- 12 LACP n ot al.
8 – In dex.
.
T echnical information in this docum ent is subject to change without notice. © Copyri ght 2008 Hewlett- Packard Devel opment Company , L.P . All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibit ed except as allowed under the copyright laws.
Un point important après l'achat de l'appareil (ou même avant l'achat) est de lire le manuel d'utilisation. Nous devons le faire pour quelques raisons simples:
Si vous n'avez pas encore acheté HP (Hewlett-Packard) Q.11. (2510-24) c'est un bon moment pour vous familiariser avec les données de base sur le produit. Consulter d'abord les pages initiales du manuel d'utilisation, que vous trouverez ci-dessus. Vous devriez y trouver les données techniques les plus importants du HP (Hewlett-Packard) Q.11. (2510-24) - de cette manière, vous pouvez vérifier si l'équipement répond à vos besoins. Explorant les pages suivantes du manuel d'utilisation HP (Hewlett-Packard) Q.11. (2510-24), vous apprendrez toutes les caractéristiques du produit et des informations sur son fonctionnement. Les informations sur le HP (Hewlett-Packard) Q.11. (2510-24) va certainement vous aider à prendre une décision concernant l'achat.
Dans une situation où vous avez déjà le HP (Hewlett-Packard) Q.11. (2510-24), mais vous avez pas encore lu le manuel d'utilisation, vous devez le faire pour les raisons décrites ci-dessus,. Vous saurez alors si vous avez correctement utilisé les fonctions disponibles, et si vous avez commis des erreurs qui peuvent réduire la durée de vie du HP (Hewlett-Packard) Q.11. (2510-24).
Cependant, l'un des rôles les plus importants pour l'utilisateur joués par les manuels d'utilisateur est d'aider à résoudre les problèmes concernant le HP (Hewlett-Packard) Q.11. (2510-24). Presque toujours, vous y trouverez Troubleshooting, soit les pannes et les défaillances les plus fréquentes de l'apparei HP (Hewlett-Packard) Q.11. (2510-24) ainsi que les instructions sur la façon de les résoudre. Même si vous ne parvenez pas à résoudre le problème, le manuel d‘utilisation va vous montrer le chemin d'une nouvelle procédure – le contact avec le centre de service à la clientèle ou le service le plus proche.