HP Q.11. (2510-24) Manual do Utilizador

Access Security Guide2510www.procurve.comProCurve SwitchesQ.11. (2510-24)U.11. (2510-48)XXXX

viiiGeneral Setup Procedure for 802.1X Access Control . . . . . . . . . . . . . . . . 8-14Do These Steps Before You Configure 802.1X Operation . .

4-26TACACS+ AuthenticationConfiguring TACACS+ on the Switch When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ se

5-15RADIUS Authentication and AccountingContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5-2RADIUS Authentication and AccountingOverviewOverviewRADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one

5-3RADIUS Authentication and AccountingTerminologyTerminologyCHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication p

5-4RADIUS Authentication and AccountingSwitch Operating Rules for RADIUSSwitch Operating Rules for RADIUS You must have at least one RADIUS server ac

5-5RADIUS Authentication and AccountingGeneral RADIUS Setup ProcedureGeneral RADIUS Setup ProcedurePreparation:1. Configure one to three RADIUS server

5-6RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationConfiguring the Switch for RADIUS Authentication• Determine whe

5-7RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationOutline of the Steps for Configuring RADIUS AuthenticationThere

5-8RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authenticationout on a server that is unavailable. If you want to use this fe

5-9RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose you have already configured local password

ix9 Configuring and Monitoring Port SecurityContents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5-10RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication2. Configure the Switch To Access a RADIUS ServerThis section

5-11RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose you have configured the switch as shown i

5-12RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication3. Configure the Switch’s Global RADIUS ParametersYou can conf

5-13RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication Note Where the switch has multiple RADIUS servers configured

5-14RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose that your switch is configured to use thr

5-15RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFigure 5-6. Listings of Global RADIUS Parameters Configured In

5-16RADIUS Authentication and AccountingLocal Authentication ProcessLocal Authentication ProcessWhen the switch is configured to use RADIUS, it revert

5-17RADIUS Authentication and AccountingControlling Web Browser Interface Access When Using RADIUS AuthenticationControlling Web Browser Interface Acc

5-18RADIUS Authentication and AccountingConfiguring RADIUS AccountingNote This section assumes you have already: Configured RADIUS authentication on

5-19RADIUS Authentication and AccountingConfiguring RADIUS AccountingThe switch forwards the accounting information it collects to the designated RADI

xBuilding IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9Configuring One Station Per Author

5-20RADIUS Authentication and AccountingConfiguring RADIUS Accounting– Optional—if you are also configuring the switch for RADIUS authentication, and

5-21RADIUS Authentication and AccountingConfiguring RADIUS Accounting(For a more complete description of the radius-server command and its options, tu

5-22RADIUS Authentication and AccountingConfiguring RADIUS AccountingFigure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Account

5-23RADIUS Authentication and AccountingConfiguring RADIUS Accounting Start-Stop: • Send a start record accounting notice at the beginning of the acc

5-24RADIUS Authentication and AccountingConfiguring RADIUS Accounting3. (Optional) Configure Session Blocking and Interim Updating OptionsThese option

5-25RADIUS Authentication and AccountingViewing RADIUS StatisticsViewing RADIUS StatisticsGeneral RADIUS StatisticsFigure 5-10. Example of General RAD

5-26RADIUS Authentication and AccountingViewing RADIUS StatisticsFigure 5-11. RADIUS Server Information From the Show Radius Host Command

5-27RADIUS Authentication and AccountingViewing RADIUS StatisticsTable 5-2. Values for Show Radius Host Output (Figure 5-11)Term DefinitionRound Trip

5-28RADIUS Authentication and AccountingViewing RADIUS StatisticsRADIUS Authentication StatisticsFigure 5-12. Example of Login Attempt and Primary/Sec

5-29RADIUS Authentication and AccountingViewing RADIUS StatisticsRADIUS Accounting StatisticsFigure 5-14. Listing the Accounting Configuration in the

xiProduct DocumentationAbout Your Switch Manual SetThe switch manual set includes the following: Read Me First - a printed guide shipped with your sw

5-30RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderFigure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Sw

5-31RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderTo exchange the positions of the addresses so that the server at 10.10.10.0

5-32RADIUS Authentication and AccountingMessages Related to RADIUS OperationMessages Related to RADIUS OperationMessage MeaningCan’t reach RADIUS serv

6-16Configuring Secure Shell (SSH)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6-2Configuring Secure Shell (SSH)OverviewOverviewThe ProCurve switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provi

6-3Configuring Secure Shell (SSH)OverviewNote SSH in the ProCurve is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www

6-4Configuring Secure Shell (SSH)TerminologyTerminology SSH Server: A ProCurve switch with SSH enabled. Key Pair: A pair of keys generated by the sw

6-5Configuring Secure Shell (SSH)Prerequisite for Using SSHPrerequisite for Using SSHBefore using the switch as an SSH server, you must install a publ

6-6Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationSteps for Configuring and Using SSHfor Switch

6-7Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationB. Switch Preparation1. Assign a login (Opera

xiiProduct DocumentationFeature IndexFor the manual set supporting your switch model, the following feature index indicates which manual to consult fo

6-8Configuring Secure Shell (SSH)General Operating Rules and NotesGeneral Operating Rules and Notes Public keys generated on an SSH client must be ex

6-9Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationConfiguring the Switch for SSH Operation1. Assign Local Login (Operator) and

6-10Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-5. Example of Configuring Local Passwords2. Generate the Switch’s P

6-11Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNotes When you generate a host key pair on the switch, the switch places the

6-12Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, to generate and display a new key:Figure 6-6. Example of Genera

6-13Configuring Secure Shell (SSH)Configuring the Switch for SSH Operationdistribution to clients is to use a direct, serial connection between the sw

6-14Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation4. Add any data required by your SSH client application. For example Before

6-15Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the

6-16Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationSSH Client Contact Behavior. At the first contact between the switch and an

6-17Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNote on Port NumberProCurve recommends using the default TCP port number (22

xiiiProduct DocumentationLLDP X - -MAC Address Management X --Monitoring and Analysis X - -Multicast Filtering - X -Network Management Applications (L

6-18Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationCaution Protect your private key file from access by anyone other than yours

6-19Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationOption B: Configuring the Switch for Client Public-Key SSH Authentication.

6-20Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationWith steps 1 - 3, above, completed and SSH properly configured on the switch

6-21Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-12. Configuring for SSH Access Requiring a Client Public-Key Match

6-22Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation6. Use an SSH Client To Access the SwitchTest the SSH configuration on the s

6-23Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFurther Information on SSH Client Public-Key Authenticati

6-24Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication3. If there is not a match, and you have not configured t

6-25Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationNotes Comments in public key files, such as smith@support

6-26Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationCopying a client-public-key into the switch requires the

6-27Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFor example, if you wanted to copy a client public-key fi

xivProduct DocumentationTelnet Access X - -TFTP X --Time Protocols (TimeP, SNTP) X - -Troubleshooting X --VLANs - X -Xmodem X --Feature Management and

6-28Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationCaution To enable client public-key authentication to blo

6-29Configuring Secure Shell (SSH)Messages Related to SSH OperationMessages Related to SSH OperationMessage Meaning00000K Peer unreachable.Indicates a

6-30Configuring Secure Shell (SSH)Messages Related to SSH OperationGenerating new RSA host key. If the cache is depleted, this could take up to two m

7-17Configuring Secure Socket Layer (SSL)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7-2Configuring Secure Socket Layer (SSL)OverviewOverviewThe ProCurve switches covered by this manual use Secure Socket Layer Version 3 (SSLv3) and sup

7-3Configuring Secure Socket Layer (SSL)TerminologyFigure 7-1. Switch/User AuthenticationSSL on the ProCurve switches supports these data encryption m

7-4Configuring Secure Socket Layer (SSL)Terminology Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA).

7-5Configuring Secure Socket Layer (SSL)Prerequisite for Using SSLPrerequisite for Using SSLBefore using the switch as an SSL server, you must install

7-6Configuring Secure Socket Layer (SSL)General Operating Rules and NotesGeneral Operating Rules and Notes Once you generate a certificate on the swi

7-7Configuring Secure Socket Layer (SSL)General Operating Rules and NotesConfiguring the Switch for SSL Operation1. Assign Local Login (Operator) and

1-11Getting StartedContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2Ov

7-8Configuring Secure Socket Layer (SSL)General Operating Rules and NotesUsing the web browser interface To Configure Local Passwords. You can config

7-9Configuring Secure Socket Layer (SSL)General Operating Rules and Notesto connect via SSL to the switch. (The session key pair mentioned above is no

7-10Configuring Secure Socket Layer (SSL)General Operating Rules and NotesCLI commands used to generate a Server Host Certificate. To generate a host

7-11Configuring Secure Socket Layer (SSL)General Operating Rules and NotesTable 7-1. Certificate Field Descriptions For example, to generate a key and

7-12Configuring Secure Socket Layer (SSL)General Operating Rules and NotesCLI Command to view host certificates. To view the current host certificate

7-13Configuring Secure Socket Layer (SSL)General Operating Rules and Notesi. Select the Security tab then the [SSL] button. The SSL configuration scre

7-14Configuring Secure Socket Layer (SSL)General Operating Rules and NotesFor example, to generate a new host certificate via the web browsers inter-f

7-15Configuring Secure Socket Layer (SSL)General Operating Rules and NotesFigure 7-6. Web browser Interface showing current SSL Host CertificateGenera

7-16Configuring Secure Socket Layer (SSL)General Operating Rules and Notesthat involves having the certificate authority verify the certificate reques

7-17Configuring Secure Socket Layer (SSL)General Operating Rules and Notes Figure 7-7. Example of a Certificate Request and Reply3. Enable SSL on the

1-2Getting StartedIntroductionIntroductionThis Access Security Guide describes how to use ProCurve’s switch security features to protect access to you

7-18Configuring Secure Socket Layer (SSL)General Operating Rules and NotesNote Before enabling SSL on the switch you must generate the switch’s host c

7-19Configuring Secure Socket Layer (SSL)General Operating Rules and NotesUsing the CLI interface to enable SSLTo enable SSL on the switch1. Generate

7-20Configuring Secure Socket Layer (SSL)General Operating Rules and NotesFigure 7-8. Using the web browser interface to enable SSL and select TCP por

7-21Configuring Secure Socket Layer (SSL)Common Errors in SSL SetupCommon Errors in SSL SetupError During Possible CauseGenerating host certificate on

7-22Configuring Secure Socket Layer (SSL)Common Errors in SSL Setup

8-18Configuring Port-Based and Client-Based Access Control (802.1X)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

8-2Configuring Port-Based and Client-Based Access Control (802.1X)ContentsSetting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . . 8-

8-3Configuring Port-Based and Client-Based Access Control (802.1X)OverviewOverviewWhy Use Port-Based or Client-Based Access Control?Local Area Network

8-4Configuring Port-Based and Client-Based Access Control (802.1X)OverviewPort-Based access control option allowing authentication by a single client

8-5Configuring Port-Based and Client-Based Access Control (802.1X)Overview802.1X Port-Based Access Control802.1X port-based access control provides po

1-3Getting StartedOverview of Access Security Features Port-Based Access Control (802.1X) (page 8-1): On point-to-point connections, enables the swit

8-6Configuring Port-Based and Client-Based Access Control (802.1X)Overviewaccess from a master database in a single server (although you can use up to

8-7Configuring Port-Based and Client-Based Access Control (802.1X)TerminologyTerminology802.1X-Aware: Refers to a device that is running either 802.1X

8-8Configuring Port-Based and Client-Based Access Control (802.1X)TerminologyEAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802

8-9Configuring Port-Based and Client-Based Access Control (802.1X)Terminologydesignate as the Unauthorized-Client VLAN.) A port configured to use a gi

8-10Configuring Port-Based and Client-Based Access Control (802.1X)General 802.1X Authenticator OperationGeneral 802.1X Authenticator OperationThis op

8-11Configuring Port-Based and Client-Based Access Control (802.1X)General 802.1X Authenticator Operationii. If the client is successfully authenticat

8-12Configuring Port-Based and Client-Based Access Control (802.1X)General Operating Rules and Notes3. Port A1 replies with an MD5 hash response based

8-13Configuring Port-Based and Client-Based Access Control (802.1X)General Operating Rules and Notesport. If another client uses an 802.1X supplicant

8-14Configuring Port-Based and Client-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlGeneral Setup Procedure for 802.1X

8-15Configuring Port-Based and Client-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlOverview: Configuring 802.1X Authe

1-4Getting StartedOverview of Access Security FeaturesTable 1-1. Management Access Security ProtectionGeneral Switch Traffic Security GuidelinesWhere

8-16Configuring Port-Based and Client-Based Access Control (802.1X)General Setup Procedure for 802.1X Access Control7. If you are using Port Security

8-17Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsConfiguring Switch Ports as 802.1X

8-18Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsA. Enable the Selected Ports as Au

8-19Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsPort-Based 802.1X Authentication.

8-20Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators2. Reconfigure Settings for Port-A

8-21Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators[quiet-period < 0 - 65535 >]

8-22Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators[reauth-period < 0 - 9999999 &g

8-23Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators3. Configure the 802.1X Authentica

8-24Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators4. Enter the RADIUS Host IP Addres

8-25Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators6. Optionally Resetting Authentica

1-5Getting StartedConventionsConventionsThis guide uses the following conventions for command syntax and displayed information.Command Syntax Statemen

8-26Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN Mode802.1X Open VLAN ModeIntroductionThis section describes how to

8-27Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeNote On ports configured to allow multiple sessions using 802.

8-28Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeNote After client authentication, the port resumes membership

8-29Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeTable 8-1. 802.1X Open VLAN Mode Options802.1X Per-Port Config

8-30Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Unauthorized-Client VLAN Configure

8-31Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeOperating Rules for Authorized-Client andUnauthorized-Client V

8-32Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeTemporary VLAN Membership During a Client Session• Port member

8-33Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeIP Addressing for a Client Connected to a Port Configured for

8-34Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeNote If you use the same VLAN as the Unauthorized-Client VLAN

8-35Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN Mode A client must either have a valid IP address configured befo

1-6Getting StartedConventionsCommand PromptsIn the default configuration, your switch displays the following CLI prompt:ProCurve Switch 2510-24#To sim

8-36Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN Mode2. Configure the 802.1X authentication type. Options include:3

8-37Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeNote If you want to implement the optional port security featu

8-38Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeInspecting 802.1X Open VLAN Mode Operation. For information a

8-39Configuring Port-Based and Client-Based Access Control (802.1X)802.1X Open VLAN ModeRADIUS-assigned VLAN, then an authenticated client without tag

8-40Configuring Port-Based and Client-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Device

8-41Configuring Port-Based and Client-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Device

8-42Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other

8-43Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other

8-44Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other

8-45Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other

1-7Getting StartedSources for More InformationSources for More InformationFor additional information about switch operation and features not covered i

8-46Configuring Port-Based and Client-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other

8-47Configuring Port-Based and Client-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersDisplaying 802.1X Configur

8-48Configuring Port-Based and Client-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and Countersshow port-access authentic

8-49Configuring Port-Based and Client-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 8-7. Example of sho

8-50Configuring Port-Based and Client-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersViewing 802.1X Open VLAN M

8-51Configuring Port-Based and Client-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and Counters When the Unauth VLAN ID

8-52Configuring Port-Based and Client-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 8-9. Example of Sho

8-53Configuring Port-Based and Client-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersShow Commands for Port-Acc

8-54Configuring Port-Based and Client-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN Operationsupplicant port to another w

8-55Configuring Port-Based and Client-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFor example, suppose that a

1-8Getting StartedNeed Only a Quick Start? For information on a specific command in the CLI, type the command name followed by “help”. For example:Fi

8-56Configuring Port-Based and Client-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFigure 8-11. The Active Conf

8-57Configuring Port-Based and Client-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationWhen the 802.1X client’s ses

8-58Configuring Port-Based and Client-Based Access Control (802.1X)Messages Related to 802.1X OperationMessages Related to 802.1X OperationTable 8-4.

9-19Configuring and Monitoring Port SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

9-2Configuring and Monitoring Port SecurityOverviewOverviewNote Port security is not available on ports running at 10 Mbps or the 1000 Mbps uplinks. I

9-3Configuring and Monitoring Port SecurityOverviewGeneral Operation for Port Security. On a per-port basis, you can configure security measures to bl

9-4Configuring and Monitoring Port SecurityOverviewFigure 9-1. Example of How Port Security Controls AccessNote Broadcast and Multicast traffic is not

9-5Configuring and Monitoring Port SecurityPlanning Port SecurityPlanning Port Security1. Plan your port security configuration and monitoring accordi

9-6Configuring and Monitoring Port SecurityPort Security Command Options and OperationPort Security Command Options and OperationPort Security Command

9-7Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list >learn-mode < con

1-9Getting StartedNeed Only a Quick Start?To Set Up and Install the Switch in Your NetworkImportant! Use the Installation and Getting Started Guide sh

9-8Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list > (- Continued -)lea

9-9Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list > (- Continued -)act

9-10Configuring and Monitoring Port SecurityPort Security Command Options and OperationRetention of Static MAC AddressesLearned MAC AddressesIn the fo

9-11Configuring and Monitoring Port SecurityPort Security Command Options and OperationUsing the CLI To Display Port Security Settings. Syntax:show po

9-12Configuring and Monitoring Port SecurityPort Security Command Options and OperationThe following command example shows the option for entering a r

9-13Configuring and Monitoring Port SecurityPort Security Command Options and OperationProCurve(config)# port-security a1 learn-mode static mac-addres

9-14Configuring and Monitoring Port SecurityPort Security Command Options and Operationmined by the current address-limit value). For example, suppose

9-15Configuring and Monitoring Port SecurityPort Security Command Options and OperationNote The message Inconsistent value appears if the new MAC addr

9-16Configuring and Monitoring Port SecurityPort Security Command Options and OperationCaution The address-limit setting controls how many MAC address

9-17Configuring and Monitoring Port SecurityWeb: Displaying and Configuring Port Security FeaturesThe following command serves this purpose by removin

1-10Getting StartedNeed Only a Quick Start?

9-18Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsWhen a security violation occurs on a port configured fo

9-19Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert Flags(by resetting the alert flag). The other entries give yo

9-20Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsMenu: Checking for Intrusions, Listing Intrusion Alerts,

9-21Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsThe above example shows two intrusions for port A3 and o

9-22Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsCLI: Checking for Intrusions, Listing Intrusion Alerts,

9-23Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsFigure 9-12. Example of the Intrusion Log with Multiple

9-24Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsUsing the Event Log To Find Intrusion AlertsThe Event Lo

9-25Configuring and Monitoring Port SecurityOperating Notes for Port SecurityWeb: Checking for Intrusions, Listing Intrusion Alerts,and Resetting Aler

9-26Configuring and Monitoring Port SecurityOperating Notes for Port Securitythe alert flag status for the port referenced in the dropped entry. This

9-27Configuring and Monitoring Port SecurityConfiguring Protected PortsConfiguring Protected PortsThere are situations where you want to provide inter

2-12Configuring Username and Password SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

9-28Configuring and Monitoring Port SecurityConfiguring Protected PortsFigure 9-16. Example Showing Protected Ports and Unprotected PortsIf you displa

10-110Using Authorized IP Managers ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

10-2Using Authorized IP ManagersOverviewOverviewAuthorized IP Manager Features The Authorized IP Managers feature uses IP addresses and masks to deter

10-3Using Authorized IP ManagersAccess LevelsConfiguration OptionsYou can configure: Up to 10 authorized manager addresses, where each address applie

10-4Using Authorized IP ManagersDefining Authorized Management StationsDefining Authorized Management Stations Authorizing Single Stations: The table

10-5Using Authorized IP ManagersDefining Authorized Management Stations255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to

10-6Using Authorized IP ManagersDefining Authorized Management StationsFigure 10-2. Example of How To Add an Authorized Manager Entry (Continued)Editi

10-7Using Authorized IP ManagersDefining Authorized Management StationsFigure 10-3. Example of the Show IP Authorized-Manager DisplayThe above example

10-8Using Authorized IP ManagersDefining Authorized Management StationsSimilarly, the next command authorizes manager-level access for any station hav

10-9Using Authorized IP ManagersWeb: Configuring IP Authorized ManagersWeb: Configuring IP Authorized ManagersIn the web browser interface you can con

2-2Configuring Username and Password SecurityOverviewOverviewConsole access includes both the menu interface and the CLI. There are two levels of cons

10-10Using Authorized IP ManagersBuilding IP MasksTable 10-1. Analysis of IP Mask for Single-Station EntriesConfiguring Multiple Stations Per Authoriz

10-11Using Authorized IP ManagersBuilding IP MasksTable 10-2. Analysis of IP Mask for Multiple-Station Entries Figure 10-5. Example of How the Bitmap

10-12Using Authorized IP ManagersOperating NotesAdditional Examples for Authorizing Multiple StationsOperating Notes Network Security Precautions: Yo

10-13Using Authorized IP ManagersOperating Notes• Even if you need proxy server access enabled in order to use other applications, you can still elimi

10-14Using Authorized IP ManagersOperating Notes

Index – 1IndexNumerics3DES … 6-3, 7-3802.1XSee port-based access control. …8-1802.1X access controlauthentication methods … 8-4authentication, client-

2 – IndexVLAN use, multiple clients … 8-7Aaaa authentication … 4-8aaa port-accessSee Web or MAC Authentication.access levels, authorized IP managers …

Index – 3MMAC Authenticationauthenticator operation … 3-5blocked traffic … 3-4CHAPdefined … 3-9usage … 3-4client status … 3-30configuration commands …

4 – IndexLACP not allowed … 8-58local … 8-23local username and password … 8-4messages … 8-58open VLANauthorized client … 8-28configuration … 8-35, 8-3

Index – 5SNMP access security not supported … 5-2statistics, viewing … 5-25terminology … 5-3TLS … 5-4Web browser authentication … 5-7web-browser acces

2-3Configuring Username and Password SecurityOverviewTo configure password security:1. Set a Manager password pair (and an Operator password pair, if

6 – Indexprerequisites … 7-5remove self-signed certificate … 7-9remove server host certificate … 7-9reserved TCP port numbers … 7-20root … 7-4root cer

Index – 7client status … 3-30configuration commands … 3-18configuringon the switch … 3-17switch for RADIUS access … 3-15features … 3-4general setup …

8 – Index

Technical information in this document is subject to change without notice.© Copyright 2008 Hewlett-Packard Development Company, L.P. All rights reser

ProCurve Series 2510 SwitchesAccess Security GuideJanuary 2008

2-4Configuring Username and Password SecurityConfiguring Local Password SecurityConfiguring Local Password SecurityMenu: Setting PasswordsAs noted ear

2-5Configuring Username and Password SecurityConfiguring Local Password SecurityIf you have physical access to the switch, press and hold the Clear bu

2-6Configuring Username and Password SecurityConfiguring Local Password SecurityTo Remove Password Protection. Removing password protection means to

2-7Configuring Username and Password SecurityFront-Panel SecurityFront-Panel SecurityThe front-panel security features provide the ability to independ

2-8Configuring Username and Password SecurityFront-Panel SecurityAs a result of increased security concerns, customers now have the ability to stop so

2-9Configuring Username and Password SecurityFront-Panel SecurityReset ButtonPressing the Reset button alone for one second causes the switch to reboo

2-10Configuring Username and Password SecurityFront-Panel Security3. Release the Reset button and wait for about one second for the Self-Test LED to s

2-11Configuring Username and Password SecurityFront-Panel Security• Modify the operation of the Reset+Clear combination (page 2-9) so that the switch

2-12Configuring Username and Password SecurityFront-Panel SecurityFor example, show front-panel-security produces the following output when the switch

2-13Configuring Username and Password SecurityFront-Panel SecurityRe-Enabling the Clear Button on the Switch’s Front Panel andSetting or Changing the

Hewlett-Packard Company8000 Foothills Boulevard, m/s 5551Roseville, California 95747-5551http://www.procurve.com© Copyright 2008 Hewlett-Packard Compa

2-14Configuring Username and Password SecurityFront-Panel SecurityFigure 2-9. Example of Re-Enabling the Clear Button’s Default OperationChanging the

2-15Configuring Username and Password SecurityFront-Panel SecurityFigure 2-10. Example of Disabling the Factory Reset OptionPassword RecoveryThe passw

2-16Configuring Username and Password SecurityFront-Panel SecuritySteps for Disabling Password-Recovery. 1. Set the CLI to the global interface conte

2-17Configuring Username and Password SecurityFront-Panel SecurityFigure 2-11. Example of the Steps for Disabling Password-RecoveryPassword Recovery P

2-18Configuring Username and Password SecurityFront-Panel SecurityNote The alternate password provided by the ProCurve Customer Care Center is valid o

3-13Web and MAC AuthenticationContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3-2Web and MAC AuthenticationOverviewOverviewWeb and MAC Authentication are designed for employment on the “edge” of a network to provide port-based s

3-3Web and MAC AuthenticationOverviewpassword, and grants or denies network access in the same way that it does for clients capable of interactive log

3-4Web and MAC AuthenticationOverviewGeneral FeaturesWeb and MAC Authentication includes the following: On a port configured for Web or MAC Authentic

3-5Web and MAC AuthenticationHow Web and MAC Authentication OperateHow Web and MAC Authentication OperateAuthenticator OperationBefore gaining access

iiiContentsProduct DocumentationAbout Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiFeature Index

3-6Web and MAC AuthenticationHow Web and MAC Authentication OperateFigure 3-2. Progress Message During AuthenticationIf the client is authenticated an

3-7Web and MAC AuthenticationHow Web and MAC Authentication Operatemoves have not been enabled (client-moves) on the ports, the session ends and the c

3-8Web and MAC AuthenticationHow Web and MAC Authentication Operate4. If neither 1, 2, or 3, above, apply, then the client session does not have acces

3-9Web and MAC AuthenticationTerminologyTerminologyAuthorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged

3-10Web and MAC AuthenticationOperating Rules and NotesOperating Rules and Notes You can configure one type of authentication on a port. That is, the

3-11Web and MAC AuthenticationOperating Rules and Notes2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port

3-12Web and MAC AuthenticationGeneral Setup Procedure for Web/MAC AuthenticationNote on Web/MAC Authentication and LACPThe switch does not allow Web o

3-13Web and MAC AuthenticationGeneral Setup Procedure for Web/MAC Authenticationc. If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN”

3-14Web and MAC AuthenticationGeneral Setup Procedure for Web/MAC AuthenticationAdditional Information for Configuring the RADIUSServer To Support MAC

3-15Web and MAC AuthenticationConfiguring the Switch To Access a RADIUS ServerConfiguring the Switch To Access a RADIUS ServerThis section describes t

ivFront-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7When Security Is Important . . .

3-16Web and MAC AuthenticationConfiguring the Switch To Access a RADIUS ServerFor example, to configure the switch to access a RADIUS server at IP add

3-17Web and MAC AuthenticationConfiguring Web AuthenticationConfiguring Web AuthenticationOverview1. If you have not already done so, configure a loca

3-18Web and MAC AuthenticationConfiguring Web AuthenticationConfigure the Switch for Web-Based AuthenticationCommand PageConfiguration Levelaaa port-a

3-19Web and MAC AuthenticationConfiguring Web AuthenticationSyntax: [no] aaa port-access web-based [e] < port-list>Enables web-based authenticat

3-20Web and MAC AuthenticationConfiguring Web AuthenticationSyntax:aaa port-access web-based [e] < port-list > [logoff-period] <60-9999999>

3-21Web and MAC AuthenticationConfiguring Web AuthenticationSyntax: aaa port-access web-based [e] < port-list > [redirect-url <url>]no aaa

3-22Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchConfiguring MAC Authentication on the SwitchOverview1. If you have not alrea

3-23Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchConfigure the Switch for MAC-Based AuthenticationCommand PageConfiguration L

3-24Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchSyntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-

3-25Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchSyntax: aaa port-access mac-based [e] < port-list > [quiet-period <

v4 TACACS+ AuthenticationContents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1Ov

3-26Web and MAC AuthenticationShow Status and Configuration of Web-Based AuthenticationShow Status and Configuration of Web-Based AuthenticationComman

3-27Web and MAC AuthenticationShow Status and Configuration of Web-Based AuthenticationSyntax: show port-access [port-list] web-based [config [auth-se

3-28Web and MAC AuthenticationShow Status and Configuration of MAC-Based AuthenticationShow Status and Configuration of MAC-Based AuthenticationComman

3-29Web and MAC AuthenticationShow Status and Configuration of MAC-Based AuthenticationSyntax: show port-access [port-list] mac-based [config [auth-se

3-30Web and MAC AuthenticationShow Client StatusShow Client StatusThe table below shows the possible client status information that may be reported by

4-14TACACS+ AuthenticationContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4-2TACACS+ AuthenticationConfiguring TACACS+ on the SwitchOverviewTACACS+ authentication enables you to use a central server to allow or deny access t

4-3TACACS+ AuthenticationConfiguring TACACS+ on the Switchtion services. If the switch fails to connect to any TACACS+ server, it defaults to its own

4-4TACACS+ AuthenticationConfiguring TACACS+ on the Switch• Local Authentication: This method uses username/password pairs configured locally on the s

4-5TACACS+ AuthenticationConfiguring TACACS+ on the SwitchGeneral System RequirementsTo use TACACS+ authentication, you need the following: A TACACS+

viConfiguring the Switch for RADIUS Authentication . . . . . . . . . . . . . . . . . . 5-6Outline of the Steps for Configuring RADIUS Authentication

4-6TACACS+ AuthenticationConfiguring TACACS+ on the Switchother access type (console, in this case) open in case the Telnet access fails due to a conf

4-7TACACS+ AuthenticationConfiguring TACACS+ on the SwitchNote on Privilege LevelsWhen a TACACS+ server authenticates an access request from a switch,

4-8TACACS+ AuthenticationConfiguring TACACS+ on the Switchconfiguration in your TACACS+ server application for mis-configura-tions or missing data tha

4-9TACACS+ AuthenticationConfiguring TACACS+ on the SwitchCLI Commands Described in this SectionViewing the Switch’s Current Authentication Configurat

4-10TACACS+ AuthenticationConfiguring TACACS+ on the SwitchViewing the Switch’s Current TACACS+ ServerContact ConfigurationThis command lists the time

4-11TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the Switch’s Authentication MethodsThe aaa authentication command configures th

4-12TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 4-1. AAA Authentication ParametersAs shown in the next table, login and enable access

4-13TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 4-2. Primary/Secondary Authentication TableCaution Regarding the Use of Local for Log

4-14TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFor example, here is a set of access options and the corresponding commands to configure th

4-15TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the Switch’s TACACS+ Server AccessThe tacacs-server command configures these pa

vii4. Enable SSH on the Switch and Anticipate SSHClient Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-

4-16TACACS+ AuthenticationConfiguring TACACS+ on the SwitchNote on Encryption KeysEncryption keys configured in the switch must exactly match the encr

4-17TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 4-3. Details on Configuring TACACS Servers and KeysName Default Rangetacacs-server

4-18TACACS+ AuthenticationConfiguring TACACS+ on the SwitchAdding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was

4-19TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFigure 4-5. Example of the Switch After Assigning a Different “First-Choice” ServerTo remov

4-20TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTo delete a per-server encryption key in the switch, re-enter the tacacs-server host comman

4-21TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFigure 4-6. Using a TACACS+ Server for AuthenticationUsing figure 4-6, above, after either

4-22TACACS+ AuthenticationConfiguring TACACS+ on the SwitchLocal Authentication ProcessWhen the switch is configured to use TACACS+, it reverts to loc

4-23TACACS+ AuthenticationConfiguring TACACS+ on the SwitchUsing the Encryption KeyGeneral OperationWhen used, the encryption key (sometimes termed “k

4-24TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFor example, you would use the next command to configure a global encryp-tion key in the sw

4-25TACACS+ AuthenticationConfiguring TACACS+ on the SwitchMessages Related to TACACS+ OperationThe switch generates the CLI messages listed below. Ho