ProCurve Switches Access Security Guide Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100 Series Switch 6108 Series
4-26TACACS+ AuthenticationConfiguring TACACS+ on the Switch When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ se
5-2RADIUS Authentication and AccountingOverviewOverviewRADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one
5-3RADIUS Authentication and AccountingTerminologyTerminologyCHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication p
5-4RADIUS Authentication and AccountingSwitch Operating Rules for RADIUSSwitch Operating Rules for RADIUS You must have at least one RADIUS server ac
5-5RADIUS Authentication and AccountingGeneral RADIUS Setup ProcedureGeneral RADIUS Setup ProcedurePreparation:1. Configure one to three RADIUS server
5-6RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationConfiguring the Switch for RADIUS Authentication• Determine an
5-7RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationOutline of the Steps for Configuring RADIUS AuthenticationThere
5-8RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication• Server Dead-Time: The period during which the switch will not
5-9RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose you have already configured local password
5-10RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication2. Configure the Switch To Access a RADIUS ServerThis section
5-11RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose you have configured the switch as shown i
5-12RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication3. Configure the Switch’s Global RADIUS ParametersYou can conf
5-13RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication Note Where the switch has multiple RADIUS servers configured
5-14RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose that your switch is configured to use thr
5-15RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFigure 5-6. Listings of Global RADIUS Parameters Configured In
5-16RADIUS Authentication and AccountingLocal Authentication ProcessLocal Authentication ProcessWhen the switch is configured to use RADIUS, it revert
5-17RADIUS Authentication and AccountingControlling Web Browser Interface Access When Using RADIUS AuthenticationControlling Web Browser Interface Acc
5-18RADIUS Authentication and AccountingConfiguring RADIUS AccountingNote This section assumes you have already: Configured RADIUS authentication on
5-19RADIUS Authentication and AccountingConfiguring RADIUS AccountingThe switch forwards the accounting information it collects to the designated RADI
5-20RADIUS Authentication and AccountingConfiguring RADIUS Accounting– Optional—if you are also configuring the switch for RADIUS authentication, and
5-21RADIUS Authentication and AccountingConfiguring RADIUS Accounting(For a more complete description of the radius-server command and its options, tu
5-22RADIUS Authentication and AccountingConfiguring RADIUS AccountingFigure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Account
5-23RADIUS Authentication and AccountingConfiguring RADIUS Accounting Start-Stop: • Send a start record accounting notice at the beginning of the acc
5-24RADIUS Authentication and AccountingConfiguring RADIUS Accounting3. (Optional) Configure Session Blocking and Interim Updating OptionsThese option
5-25RADIUS Authentication and AccountingViewing RADIUS StatisticsViewing RADIUS StatisticsGeneral RADIUS StatisticsFigure 5-10. Example of General RAD
5-26RADIUS Authentication and AccountingViewing RADIUS StatisticsTable 5-2. Values for Show Radius Host Output (Figure 5-11)Term DefinitionRound Trip
5-27RADIUS Authentication and AccountingViewing RADIUS StatisticsRADIUS Authentication StatisticsFigure 5-12. Example of Login Attempt and Primary/Sec
5-28RADIUS Authentication and AccountingViewing RADIUS StatisticsRADIUS Accounting StatisticsFigure 5-14. Listing the Accounting Configuration in the
5-29RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderFigure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Sw
xiProduct DocumentationAbout Your Switch Manual SetThe switch manual set includes the following: Read Me First - a printed guide shipped with your sw
5-30RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderTo exchange the positions of the addresses so that the server at 10.10.10.0
5-31RADIUS Authentication and AccountingMessages Related to RADIUS OperationMessages Related to RADIUS OperationMessage MeaningCan’t reach RADIUS serv
6-2Configuring Secure Shell (SSH)OverviewOverviewThe ProCurve switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provi
6-3Configuring Secure Shell (SSH)OverviewNote SSH in the ProCurve is based on the OpenSSH software toolkit. For more information on OpenSSH, visit htt
6-4Configuring Secure Shell (SSH)TerminologyTerminology SSH Server: A ProCurve switch with SSH enabled. Key Pair: A pair of keys generated by the sw
6-5Configuring Secure Shell (SSH)Prerequisite for Using SSHPrerequisite for Using SSHBefore using the switch as an SSH server, you must install a publ
6-6Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationSteps for Configuring and Using SSH for Switc
6-7Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationB. Switch Preparation1. Assign a login (Opera
6-8Configuring Secure Shell (SSH)General Operating Rules and NotesGeneral Operating Rules and Notes Public keys generated on an SSH client must be ex
6-9Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationConfiguring the Switch for SSH Operation1. Assign Local Login (Operator) and
6-10Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-5. Example of Configuring Local Passwords2. Generate the Switch’s P
6-11Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNotes When you generate a host key pair on the switch, the switch places the
6-12Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, to generate and display a new key:Figure 6-6. Example of Genera
6-13Configuring Secure Shell (SSH)Configuring the Switch for SSH Operationdistribution to clients is to use a direct, serial connection between the sw
6-14Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation4. Add any data required by your SSH client application. For example Before
6-15Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the
6-16Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationSSH Client Contact Behavior. At the first contact between the switch and an
6-17Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationThe ip ssh key-size command affects only a per-session, internal server key
6-18Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationCaution Protect your private key file from access by anyone other than yours
6-19Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationOption B: Configuring the Switch for Client Public-Key SSH Authentication.
6-20Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, assume that you have a client public-key file named Client-Keys
6-21Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFigure 6-13 shows how to check the results of the above c
6-22Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationWhen configured for SSH operation, the switch automatical
6-23Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authenticationa. Combines the decrypted byte sequence with specific ses
6-24Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication1. Use your SSH client application to create a public/pri
6-25Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFor example, if you wanted to copy a client public-key fi
6-26Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationEnabling Client Public-Key Authentication. After you TFT
6-27Configuring Secure Shell (SSH)Messages Related to SSH OperationMessages Related to SSH OperationMessage Meaning00000K Peer unreachable.Indicates a
6-28Configuring Secure Shell (SSH)Messages Related to SSH OperationGenerating new RSA host key. If the cache is depleted, this could take up to two m
7-2Configuring Secure Socket Layer (SSL)OverviewOverviewThe ProCurve switches covered by this manual use Secure Socket Layer Version 3 (SSLv3) and sup
7-3Configuring Secure Socket Layer (SSL)TerminologyFigure 7-1. Switch/User AuthenticationSSL on the ProCurve switches supports these data encryption m
7-4Configuring Secure Socket Layer (SSL)Terminology Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA).
7-5Configuring Secure Socket Layer (SSL)Prerequisite for Using SSLPrerequisite for Using SSLBefore using the switch as an SSL server, you must install
7-6Configuring Secure Socket Layer (SSL)General Operating Rules and NotesGeneral Operating Rules and Notes Once you generate a certificate on the swi
7-7Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationConfiguring the Switch for SSL Operation1. Assign Local Login (Operato
7-8Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the web browser interface To Configure Local Passwords. You can
7-9Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation2. Generate the Switch’s Server Host Certificate You must generate a s
7-10Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationTo Generate or Erase the Switch’s Server Certificate with the CLIBeca
7-11Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationComments on Certificate Fields. There are a number arguments used in
7-12Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNotes “Zeroizing” the switch’s server host certificate or key automat
7-13Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationGenerate a Self-Signed Host Certificate with the Web browser interfac
7-14Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFor example, to generate a new host certificate via the web browsers
7-15Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 7-6. Web browser Interface showing current SSL Host Certificat
7-16Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationThe installation of a CA-signed certificate involves interaction with
7-17Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation Figure 7-7. Example of a Certificate Request and Reply3. Enable SSL
7-18Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNote Before enabling SSL on the switch you must generate the switch’s
7-19Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the CLI interface to enable SSLTo enable SSL on the switch1. Ge
1-2Getting StartedIntroductionIntroductionThis Access Security Guide describes how to use ProCurve’s switch security features to protect access to you
7-20Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 7-8. Using the web browser interface to enable SSL and select
7-21Configuring Secure Socket Layer (SSL)Common Errors in SSL SetupCommon Errors in SSL SetupError During Possible CauseGenerating host certificate on
8-3Configuring Port-Based Access Control (802.1X)OverviewOverviewWhy Use Port-Based Access Control?Local area networks are often deployed in a way tha
8-4Configuring Port-Based Access Control (802.1X)Overview Local authentication of 802.1X clients using the switch’s local user-name and password (as
8-5Configuring Port-Based Access Control (802.1X)Overview Figure 8-1. Example of an 802.1X ApplicationAccounting . The switch also provides RADIUS Ne
8-6Configuring Port-Based Access Control (802.1X)How 802.1X OperatesHow 802.1X OperatesAuthenticator OperationThis operation provides security on a di
8-7Configuring Port-Based Access Control (802.1X)How 802.1X OperatesSwitch-Port Supplicant OperationThis operation provides security on links between
1-3Getting StartedOverview of Access Security Features Secure Socket Layer (SSL) (page 7-1): Provides remote web access to the switch via encrypted a
8-8Configuring Port-Based Access Control (802.1X)Terminology• A “failure” response continues the block on port B5 and causes port A1 to wait for the “
8-9Configuring Port-Based Access Control (802.1X)TerminologyEAP (Extensible Authentication Protocol): EAP enables network access that supports multipl
8-10Configuring Port-Based Access Control (802.1X)General Operating Rules and Notesmember of that VLAN as long as at least one other port on the switc
8-11Configuring Port-Based Access Control (802.1X)General Operating Rules and Notes If a client already has access to a switch port when you configur
8-12Configuring Port-Based Access Control (802.1X)General Setup Procedure for Port-Based Access Control (802.1X)General Setup Procedure for Port-Based
8-13Configuring Port-Based Access Control (802.1X)General Setup Procedure for Port-Based Access Control (802.1X)Overview: Configuring 802.1X Authentic
8-14Configuring Port-Based Access Control (802.1X)General Setup Procedure for Port-Based Access Control (802.1X)7. If you are using Port Security on t
8-15Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsConfiguring Switch Ports as 802.1X Authenticators1.
8-16Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsSyntax: aaa port-access authenticator < port-lis
8-17Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsSets the period of time the switch waits for a supp
1-4Getting StartedOverview of Access Security FeaturesTable 1-1. Management Access Security ProtectionGeneral Switch Traffic Security GuidelinesWhere
8-18Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators Configures an existing, static VLAN to be the Aut
8-19Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators3. Configure the 802.1X Authentication MethodThis t
8-20Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators4. Enter the RADIUS Host IP Address(es)If you selec
8-21Configuring Port-Based Access Control (802.1X)802.1X Open VLAN Mode802.1X Open VLAN ModeThis section describes how to use the 802.1X Open VLAN mod
8-22Configuring Port-Based Access Control (802.1X)802.1X Open VLAN Mode1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIU
8-23Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeTable 8-1. 802.1X Open VLAN Mode Options802.1X Per-Port Configuration Port Resp
8-24Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Unauthorized-Client VLAN Configured:• When the port
8-25Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeOperating Rules for Authorized-Client and Unauthorized-Client VLANsCondition Ru
8-26Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeNote: If you use the same VLAN as the Unauthorized-Client VLAN for all authenti
8-27Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeSetting Up and Configuring 802.1X Open VLAN ModePreparation. This section assum
1-5Getting StartedConventionsConventionsThis guide uses the following conventions for command syntax and displayed information.Feature Descriptions by
8-28Configuring Port-Based Access Control (802.1X)802.1X Open VLAN Mode Ensure that the switch is connected to a RADIUS server configured to support
8-29Configuring Port-Based Access Control (802.1X)802.1X Open VLAN Mode3. If you selected either eap-radius or chap-radius for step 2, use the radius
8-30Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeConfiguring 802.1X Open VLAN Mode. Use these commands to actually configure Ope
8-31Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeInspecting 802.1X Open VLAN Mode Operation. For information and an example on
8-32Configuring Port-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices If an authenti
8-33Configuring Port-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X DevicesNote on Blocking
8-34Configuring Port-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other SwitchesConfiguri
8-35Configuring Port-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches1. When p
8-36Configuring Port-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other SwitchesConfiguri
8-37Configuring Port-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switchesaaa port-
1-6Getting StartedConventionsCommand PromptsIn the default configuration, your switch displays one of the following CLI prompts:ProCurve Switch 4104#P
8-38Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersDisplaying 802.1X Configuration, Statistics
8-39Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and Countersshow port-access authenticator (Syntax Cont
8-40Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersViewing 802.1X Open VLAN Mode StatusYou can
8-41Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and Counters When the Unauth VLAN ID is configured and
8-42Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 8-6. Example of Showing a VLAN with
8-43Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersShow Commands for Port-Access SupplicantNot
8-44Configuring Port-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN Operationsupplicant port to another without clearing t
8-45Configuring Port-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFor example, suppose that a RADIUS-authentica
8-46Configuring Port-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFigure 8-8. The Active Configuration for VLAN
8-47Configuring Port-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationWhen the 802.1X client’s session on port A2 e
1-7Getting StartedSources for More InformationSources for More InformationFor additional information about switch operation and features not covered i
8-48Configuring Port-Based Access Control (802.1X)Messages Related to 802.1X OperationMessages Related to 802.1X OperationTable 8-3. 802.1X Operating
9-2Configuring and Monitoring Port SecurityOverviewOverviewUsing Port Security, you can configure each switch port with a unique list of the MAC addre
9-3Configuring and Monitoring Port SecurityOverviewGeneral Operation for Port Security. On a per-port basis, you can configure security measures to bl
9-4Configuring and Monitoring Port SecurityOverviewFigure 9-1. Example of How Port Security Controls AccessNote Broadcast and Multicast traffic is not
9-5Configuring and Monitoring Port SecurityPlanning Port SecurityPlanning Port Security1. Plan your port security configuration and monitoring accordi
9-6Configuring and Monitoring Port SecurityPort Security Command Options and OperationPort Security Command Options and OperationPort Security Command
9-7Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list >learn-mode < con
9-8Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list > (- Continued -)lea
9-9Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list > (- Continued -)act
1-8Getting StartedNeed Only a Quick Start?Figure 1-3. Getting Help in the CLI For information on specific features in the Web browser interface, use
9-10Configuring and Monitoring Port SecurityPort Security Command Options and OperationRetention of Static MAC AddressesLearned MAC AddressesIn the fo
9-11Configuring and Monitoring Port SecurityPort Security Command Options and OperationUsing the CLI To Display Port Security Settings. Syntax:show po
9-12Configuring and Monitoring Port SecurityPort Security Command Options and OperationThe following command example shows the option for entering a r
9-13Configuring and Monitoring Port SecurityPort Security Command Options and OperationProCurve(config)# port-security a1 learn-mode static mac-addres
9-14Configuring and Monitoring Port SecurityPort Security Command Options and OperationFigure 9-4. Example of Adding an Authorized Device to a PortWit
9-15Configuring and Monitoring Port SecurityPort Security Command Options and OperationIf you are adding a device (MAC address) to a port on which the
9-16Configuring and Monitoring Port SecurityPort Security Command Options and OperationTo remove a device (MAC address) from the “Authorized” list and
9-17Configuring and Monitoring Port SecurityMAC LockdownFigure 9-8. Example of Port A1 After Removing One MAC AddressMAC LockdownMAC Lockdown is avail
9-18Configuring and Monitoring Port SecurityMAC LockdownHow It Works. When a device’s MAC address is locked down to a port (typically in a pair with a
9-19Configuring and Monitoring Port SecurityMAC LockdownYou cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC
1-9Getting StartedNeed Only a Quick Start?To Set Up and Install the Switch in Your NetworkImportant! Use the Installation and Getting Started Guide sh
9-20Configuring and Monitoring Port SecurityMAC LockdownMAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safel
9-21Configuring and Monitoring Port SecurityMAC LockdownDeploying MAC LockdownWhen you deploy MAC Lockdown you need to consider how you use it within
9-22Configuring and Monitoring Port SecurityMAC LockdownFigure 9-9. MAC Lockdown Deployed At the Network Edge Provides SecurityBasic MAC Lockdown Depl
9-23Configuring and Monitoring Port SecurityMAC LockdownThe key points for this Model Topology are:• The Core Network is separated from the edge by th
9-24Configuring and Monitoring Port SecurityMAC LockdownFigure 9-10. Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connec
9-25Configuring and Monitoring Port SecurityMAC LockoutDisplaying status. Locked down ports are listed in the output of the show running-config comman
9-26Configuring and Monitoring Port SecurityMAC LockoutLockout command (lockout-mac <mac-address>). When the wireless clients then attempt to us
9-27Configuring and Monitoring Port SecurityMAC LockoutFigure 9-12. Listing Locked Out PortsPort Security and MAC LockoutMAC Lockout is independent of
9-28Configuring and Monitoring Port SecurityIP LockdownIP LockdownIP lockdown is available on the Series 2600 and 2800 switches only.The “IP lockdown”
9-29Configuring and Monitoring Port SecurityWeb: Displaying and Configuring Port Security FeaturesWeb: Displaying and Configuring Port Security Featur
9-30Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert Flags• In the menu interface:– The Port Status screen include
9-31Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsKeeping the Intrusion Log Current by Resetting Alert Fla
9-32Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsFigure 9-14. Example of Port Status Screen with Intrusio
9-33Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert Flags(The intrusion log holds up to 20 intrusion records and
9-34Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsCLI: Checking for Intrusions, Listing Intrusion Alerts,
9-35Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsFigure 9-17. Example of the Intrusion Log with Multiple
9-36Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsUsing the Event Log To Find Intrusion AlertsThe Event Lo
9-37Configuring and Monitoring Port SecurityOperating Notes for Port Securitya. Click on the Security tab.b. Click on [Intrusion Log]. “Ports with Int
9-38Configuring and Monitoring Port SecurityOperating Notes for Port SecurityLACP Not Available on Ports Configured for Port Security. To main-tain s
10-2Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)OverviewOverviewThis chapter describes the use of source-port filters o
10-3Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Overviewfrom receiving traffic from workstation "X", you woul
10-4Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersUsing Source-Port FiltersThis feature is avail
10-5Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersConfiguring a Source-Port FilterThe source-por
10-6Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersConfiguring a Filter on a Port Trunk. This op
10-7Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersViewing a Source-Port FilterYou can list all s
10-8Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersIf you wanted to determine the index number fo
10-9Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersEditing a Source-Port FilterThe switch include
10-10Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersUsing Named Source-Port FiltersThis feature i
10-11Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersA named source-port filter must first be defi
2-2Configuring Username and Password SecurityOverviewOverviewConsole access includes both the menu interface and the CLI. There are two levels of cons
10-12Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersViewing a Named Source-Port FilterYou can lis
10-13Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersDefining and Configuring Example Named Source
10-14Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersProCurve(config)# show filter Traffic/Securit
10-15Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersUsing the IDX value in the show filter comman
10-16Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersThe same command, using IDX 26, shows how tra
10-17Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersThe following revisions to the named source-p
11-2Using Authorized IP ManagersOverviewOverviewAuthorized IP Manager Features The Authorized IP Managers feature uses IP addresses and masks to deter
11-3Using Authorized IP ManagersAccess LevelsConfiguration OptionsYou can configure: Up to 10 authorized manager addresses, where each address applie
2-3Configuring Username and Password SecurityOverviewTo configure password security:1. Set a Manager password pair (and an Operator password pair, if
Defining Authorized Management Stations
Page 11-4: Authorizing Single Stations: The table
Page 11-5: 255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to
Page 11-6: Figure 11-2. Example of How To Add an Authorized Manager Entry (Continued). Editi
Page 11-7: Figure 11-3. Example of the Show IP Authorized-Manager Display. The above example
Page 11-8: Similarly, the next command authorizes manager-level access for any station hav

Web: Configuring IP Authorized Managers
Page 11-9: In the web browser interface you can con

Building IP Masks
Page 11-10: Configuring Multiple Stations Per Authorized Manager IP Entry. The mask determines whether the IP addr
Page 11-11: Figure 11-6. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses. Additional

Operating Notes
Page 11-12: Network Security Precautions: You can enhance your network’s security by keeping phys
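The mask rule from the Building IP Masks pages, worked in Python. This is an added example written for this page, not code from the ProCurve manual or the switch firmware: a 1 bit in the mask means the station address must match the entry address in that bit, a 0 bit is "don't care", and the 255.255.255.252 entry from page 11-5 therefore admits four stations. The entry table, station addresses and access levels are constructed sample data; how the switch ranks a station that matches more than one entry is not covered by the fragments above, so the "highest matching level wins" rule in access_for is an assumption of this model.

```python
"""Authorized IP Managers: mask matching modelled in Python (added example)."""
import ipaddress
from dataclasses import dataclass


def _ip_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class AuthorizedManager:
    address: str
    mask: str = "255.255.255.255"   # switch default mask: exactly one station
    access: str = "manager"         # "manager" or "operator"

    def matches(self, station: str) -> bool:
        """True if `station` agrees with `address` in every 1 bit of `mask`."""
        m = _ip_int(self.mask)
        return (_ip_int(station) & m) == (_ip_int(self.address) & m)

    def authorized_addresses(self) -> list:
        """Every address the entry admits: the fixed bits of `address` combined
        with all values of the mask's 0 bits.  Useful for auditing an entry;
        a /24 mask already yields 256 addresses, so keep masks tight."""
        m = _ip_int(self.mask)
        base = _ip_int(self.address) & m
        free_bits = [i for i in range(32) if not (m >> i) & 1]
        result = []
        for combo in range(1 << len(free_bits)):
            value = base
            for j, bit in enumerate(free_bits):
                if (combo >> j) & 1:
                    value |= 1 << bit
            result.append(str(ipaddress.IPv4Address(value)))
        return sorted(result, key=_ip_int)


def access_for(entries, station: str):
    """Access level a station may attempt, or None if the switch refuses it.

    With no entries configured the feature is inactive and any station may
    attempt a login (the switch passwords still apply): reported as "any".
    """
    if not entries:
        return "any"
    levels = {e.access for e in entries if e.matches(station)}
    if "manager" in levels:      # assumption: highest matching level wins
        return "manager"
    if "operator" in levels:
        return "operator"
    return None


# Constructed sample table: a four-station manager entry (page 11-5 style
# mask) and a single-station operator entry.
SAMPLE_TABLE = [
    AuthorizedManager("10.28.227.100", "255.255.255.252", "manager"),
    AuthorizedManager("10.28.227.150", "255.255.255.255", "operator"),
]

if __name__ == "__main__":
    for entry in SAMPLE_TABLE:
        print(entry.address, entry.mask, entry.access, "->", entry.authorized_addresses())
    for station in ("10.28.227.101", "10.28.227.104", "10.28.227.150"):
        print(station, "->", access_for(SAMPLE_TABLE, station))
```

The check is on the source IP address only. A host that holds or spoofs an address inside an entry's range passes it, so the feature narrows who can reach the management interfaces; it does not replace the Manager and Operator passwords or SSH/SSL, and the physical-access precautions on page 11-12 still apply. authorized_addresses() is the quick way to confirm that a mask admits exactly the stations you intended and no more.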
ProCurve Access Security Guide: Switch 2600 Series, Switch 2600-PWR Series, Switch 2800 Series, Switch 4100gl Series, Switch 6108. December 2008.
Page 2-4 (Configuring Username and Password Security, Configuring Local Password Security): Menu: Setting Passwords. As noted ear
© 2000-2008 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. December 2008. Manual Part N
Configuring Username and Password Security

Configuring Local Password Security
Page 2-5: If you have physical access to the switch, press and hold the Clear bu
Page 2-6: To Remove Password Protection. Removing password protection means to

Front-Panel Security
Page 2-7: The front-panel security features provide the ability to independ
Page 2-8: As a result of increased security concerns, customers now have the ability to stop so
Page 2-9: Reset Button. Pressing the Reset button alone for one second causes the switch to reboo
Page 2-10: 3. Release the Reset button and wait for about one second for the Self-Test LED to s
Page 2-11: • Modify the operation of the Reset+Clear combination (page 2-9) so that the switch
Page 2-12: For example, show front-panel-security produces the following output when the switch
Page 2-13: Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the
Hewlett-Packard Company, 8000 Foothills Boulevard, m/s 5551, Roseville, California 95747-5551. http://www.procurve.com. © Copyright 2001-2008 Hewlett-Packard
Front-Panel Security (Configuring Username and Password Security)
Page 2-14: Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation. Changing the
Page 2-15: Figure 2-10. Example of Disabling the Factory Reset Option. Password Recovery. The passw
Page 2-16: Steps for Disabling Password-Recovery. 1. Set the CLI to the global interface conte
Page 2-17: Figure 2-11. Example of the Steps for Disabling Password-Recovery. Password Recovery P
3 Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Page 3-1: Contents (Overview . . .)

Overview
Page 3-2: Applicable Switch Models. Web and MAC Authentication are
Page 3-3: MAC Authentication (MAC-Auth). This method grants access to a sec
Page 3-4: General Features. Web and MAC Authentication on the ProCurve Series

How Web and MAC Authentication Operate (page 3-5)
Page 3-6: Figure 3-2. Progress Message During
Page 3-7: moves have not been enabled (client-
Page 3-8: 4. If neither 1, 2, or 3, above, app

Terminology
Page 3-9: Authorized-Client VLAN: Like the Unauthorized-Client

Operating Rules and Notes
Page 3-10: You can configure one
Page 3-11: 2. If there is no RADIUS-assigned VLAN, then, fo

General Setup Procedure for Web/MAC Authentication
Page 3-12: Note on Web/MAC Authent
Page 3-13: a. If you configure the
Page 3-14: Additional Information

Configuring the Switch To Access a RADIUS Server (page 3-15)
Page 3-16: For example, to configure
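What the shared key given to the switch for its RADIUS server actually protects, as an added example in Python (not code from the manual or the switch firmware). It builds a PAP Access-Request the way a MAC-authentication request is shaped, hides the User-Password with MD5(secret || authenticator) chaining as RFC 2865 section 5.2 specifies, and checks the server's reply with the Response Authenticator of RFC 2865 section 3. The secret, identifier, authenticators and the MAC-style user name are constructed sample values; that the switch sends the client MAC in exactly this string format is an assumption, not something the fragment above states.

```python
"""RADIUS Access-Request / reply authentication with the shared secret (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret || c_(i-1)),
    where c_0 is the 16-byte Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password length outside RFC 2865 limits")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: the chaining value is the previous hidden block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(ident: int, secret: bytes, username: bytes,
                         password: bytes, request_auth=None) -> tuple:
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check the switch must pass before trusting an Access-Accept."""
    code, ident, length = struct.unpack(">BBH", reply[:4])
    if length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def parse_user_password(packet: bytes, secret: bytes) -> bytes:
    """Walk the attribute list and unhide User-Password: what the real server,
    or anyone who captured the packet and knows the secret, recovers."""
    request_auth = packet[4:20]
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_USER_PASSWORD:
            return reveal_password(packet[pos + 2:pos + alen], secret, request_auth)
        pos += alen
    raise ValueError("no User-Password attribute")


# Constructed sample values.
SECRET = b"constructed-shared-secret"
MAC_USER = b"0013c4aabbcc"   # MAC-auth pattern: client MAC as user name and password (assumed format)

if __name__ == "__main__":
    req, ra = build_access_request(7, SECRET, MAC_USER, MAC_USER)
    print("request:", req.hex())
    print("server recovers password:", parse_user_password(req, SECRET))
    reply = build_reply(ACCESS_ACCEPT, 7, b"", ra, SECRET)
    print("reply valid with right secret:", verify_reply(reply, ra, SECRET))
    print("reply valid with wrong secret:", verify_reply(reply, ra, b"other"))
```

Two practical consequences follow from the code. The key on the switch and on the server must be byte-for-byte identical, or every password decodes to garbage and every reply fails verification (the switch then treats the server as unreachable). And because the only secret input to MD5 is the shared key, anyone who captures an Access-Request can test candidate keys offline, so the key should be long and random, and the switch-to-server path should be a management VLAN rather than user-reachable segments.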
Configuring Web Authentication
Page 3-17: This feature
Page 3-18: Configure the Switch for Web-Based Authenti
Page 3-19: Syntax: [no] aaa port-access web-based [e]
Page 3-20: Syntax: aaa port-access web-based [e] < p
Page 3-21: Syntax: aaa port-access web-based [e] <

Configuring MAC Authentication on the Switch (page 3-22)
Page 3-23: Configure the Switch for MAC-
Page 3-24: Syntax: aaa port-access mac-b
Page 3-25: Syntax: aaa port-access mac-b
Show Status and Configuration of Web-Based Authentication (page 3-26)

Show Status and Configuration of MAC-Based Authentication (page 3-27)
Page 3-28: Syntax: show por

Show Client Status
Page 3-29: The table below shows the possible cl
4 TACACS+ Authentication

Page 4-1: Contents (Overview . . .)

Overview
Page 4-2: TACACS+ authentication enables you to use a central server to allow or deny access t
Page 4-3: tion services. If the switch fails to connect to any TACACS+ server, it defaults to its own
Page 4-4: • Local Authentication: This method uses username/password pairs configured locally on the s
Page 4-5: General System Requirements. To use TACACS+ authentication, you need the following: A TACACS+
Configuring TACACS+ on the Switch
Page 4-6: other access type (console, in this case) open in case the Telnet access fails due to a conf
Page 4-7: Note on Privilege Levels. When a TACACS+ server authenticates an access request from a switch,
Page 4-8: configuration in your TACACS+ server application for mis-configurations or missing data tha
Page 4-9: CLI Commands Described in this Section. Viewing the Switch’s Current Authentication Configurat
Page 4-10: Viewing the Switch’s Current TACACS+ Server Contact Configuration. This command lists the tim
Page 4-11: Configuring the Switch’s Authentication Methods. The aaa authentication command configures th
Page 4-12: Table 4-1. AAA Authentication Parameters. As shown in the next table, login and enable access
Page 4-13: Table 4-2. Primary/Secondary Authentication Table. Caution Regarding the Use of Local for Log
Page 4-14: For example, here is a set of access options and the corresponding commands to configure th
Page 4-15: Configuring the Switch’s TACACS+ Server Access. The tacacs-server command configures these pa
Page 4-16: Note on Encryption Keys. Encryption keys configured in the switch must exactly match the encr
Page 4-17: Table 4-3. Details on Configuring TACACS Servers and Keys (Name, Default, Range): tacacs-server
Page 4-18: Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was
Page 4-19: Figure 4-5. Example of the Switch After Assigning a Different “First-Choice” Server. To remov
Page 4-20: To delete a per-server encryption key in the switch, re-enter the tacacs-server host comman
Page 4-21: Using figure 4-6, above, after either switch detects an operator’s logon request from a rem
Page 4-22: Local Authentication Process. When the switch is configured to use TACACS+, it reverts to loc
Page 4-23: Using the Encryption Key. General Operation. When used, the encryption key (sometimes termed “k
Page 4-24: For example, you would use the next command to configure a global encryption key in the sw
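What the TACACS+ "encryption key" does on the wire, as an added example in Python (not code from the manual or the switch firmware), for the Note on Encryption Keys and the Using the Encryption Key pages above. It implements the body obfuscation of the published TACACS+ specification (RFC 8907, section 4.5): the packet body is XORed with a pseudo-pad of chained MD5 digests over the session id, the key, the version byte and the sequence number. The session id, key, user name, port and remote address are constructed sample values, and only an authentication START packet is built so the example stays short.

```python
"""TACACS+ body obfuscation with the shared key (added example)."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
HEADER_FMT = ">BBBBII"            # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_(n-1));
    pad = MD5_1||MD5_2||... truncated to `length` bytes."""
    fixed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: bytes, port: bytes,
                       rem_addr: bytes, seq_no: int = 1) -> bytes:
    """Header plus obfuscated body of an ASCII-login authentication START."""
    body = struct.pack(">BBBBBBBB",
                       0x01,   # action: LOGIN
                       0x01,   # priv_lvl: user level (enable would ask for 15)
                       0x01,   # authen_type: ASCII
                       0x01,   # service: LOGIN
                       len(user), len(port), len(rem_addr), 0)  # data_len = 0
    body += user + port + rem_addr
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no,
                         0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """What the server, or anyone holding the key, recovers from the packet."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    user_len, port_len, rem_len = body[4], body[5], body[6]
    fields = {"action": body[0], "priv_lvl": body[1],
              "authen_type": body[2], "service": body[3]}
    off = 8
    fields["user"] = body[off:off + user_len]
    off += user_len
    fields["port"] = body[off:off + port_len]
    off += port_len
    fields["rem_addr"] = body[off:off + rem_len]
    return fields


def key_matches(packet: bytes, candidate: bytes) -> bool:
    """Offline test an attacker can run on one captured packet: a candidate key
    is right when the recovered body is structurally consistent (known action
    code, length fields summing to the body length).  There is no integrity
    check and no per-packet randomness beyond session_id, so a guessable key
    is recovered this way."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, candidate, version, seq_no)
    return len(body) >= 8 and body[0] in (1, 2, 3) and 8 + sum(body[4:8]) == len(body)


# Constructed sample values.
KEY = b"constructed-key"

if __name__ == "__main__":
    pkt = build_authen_start(0x12345678, KEY, b"admin", b"tty0", b"10.0.0.5")
    print("packet:", pkt.hex())
    print("with the right key:", parse_authen_start(pkt, KEY)["user"])
    print("with a wrong key:", parse_authen_start(pkt, b"wrong-key")["user"])
    print("key check:", key_matches(pkt, KEY), key_matches(pkt, b"wrong-key"))
```

This is why the key on the switch and on the server must match exactly: a one-character difference changes every pad byte, and the server sees an unparseable body rather than a clean "bad key" error. It is also why the key deserves the same care as a password. The pad is a pure function of the key and four header bytes, so a captured exchange lets an attacker test guesses offline at MD5 speed, and a recovered key exposes every login name and password sent through that server.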
Page 4-25: Messages Related to TACACS+ Operation. The switch generates the CLI messages listed below. Ho