HP 2600-PWR User Manual

Browse online or download the User Manual for the HP 2600-PWR network switch. HP 2600-PWR User's Manual

Contents

Page 1 - Access Security Guide

ProCurve Switches Access Security Guide Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100 Series Switch 6108 Series

Page 2

viii Configuring Switch Ports as 802.1X Authenticators ... 8-15; 1. Enable 802.1X Authentication on Selected Ports ...

Page 3 - December 2008

4-26TACACS+ AuthenticationConfiguring TACACS+ on the Switch When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ se

Page 4

5-1 5 RADIUS Authentication and Accounting Contents Overview ...

Page 5

5-2RADIUS Authentication and AccountingOverviewOverviewRADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one

Page 6 - 2600-PWR and 2800 Switches

5-3RADIUS Authentication and AccountingTerminologyTerminologyCHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication p

Page 7 - 4 TACACS+ Authentication

5-4RADIUS Authentication and AccountingSwitch Operating Rules for RADIUSSwitch Operating Rules for RADIUS You must have at least one RADIUS server ac

Page 8

5-5RADIUS Authentication and AccountingGeneral RADIUS Setup ProcedureGeneral RADIUS Setup ProcedurePreparation:1. Configure one to three RADIUS server

Page 9

5-6RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationConfiguring the Switch for RADIUS Authentication• Determine an

Page 10

5-7RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationOutline of the Steps for Configuring RADIUS AuthenticationThere

Page 11 - 10 Traffic/Security Filters

5-8RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication• Server Dead-Time: The period during which the switch will not

Page 12

5-9RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose you have already configured local password

Page 13 - Product Documentation

ix MAC Lockdown ... 9-17 Differences Between MAC Lockdown an

Page 14 - Feature Index

5-10RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication2. Configure the Switch To Access a RADIUS ServerThis section

Page 15

5-11RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose you have configured the switch as shown i

Page 16

5-12RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication3. Configure the Switch’s Global RADIUS ParametersYou can conf

Page 17 - Getting Started

5-13RADIUS Authentication and AccountingConfiguring the Switch for RADIUS Authentication Note Where the switch has multiple RADIUS servers configured

Page 18 - Introduction

5-14RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose that your switch is configured to use thr

Page 19

5-15RADIUS Authentication and AccountingConfiguring the Switch for RADIUS AuthenticationFigure 5-6. Listings of Global RADIUS Parameters Configured In

Page 20

5-16RADIUS Authentication and AccountingLocal Authentication ProcessLocal Authentication ProcessWhen the switch is configured to use RADIUS, it revert

Page 21 - Conventions

5-17RADIUS Authentication and AccountingControlling Web Browser Interface Access When Using RADIUS AuthenticationControlling Web Browser Interface Acc

Page 22 - Port Identity Examples

5-18RADIUS Authentication and AccountingConfiguring RADIUS AccountingNote This section assumes you have already: Configured RADIUS authentication on

Page 23 - Sources for More Information

5-19RADIUS Authentication and AccountingConfiguring RADIUS AccountingThe switch forwards the accounting information it collects to the designated RADI

Page 24 - Need Only a Quick Start?

x Defining Authorized Management Stations ... 11-4 Overview of IP Mask Operation ...

Page 25

5-20RADIUS Authentication and AccountingConfiguring RADIUS Accounting– Optional—if you are also configuring the switch for RADIUS authentication, and

Page 26

5-21RADIUS Authentication and AccountingConfiguring RADIUS Accounting(For a more complete description of the radius-server command and its options, tu

Page 27

5-22RADIUS Authentication and AccountingConfiguring RADIUS AccountingFigure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Account

Page 28

5-23RADIUS Authentication and AccountingConfiguring RADIUS Accounting Start-Stop: • Send a start record accounting notice at the beginning of the acc

Page 29

5-24RADIUS Authentication and AccountingConfiguring RADIUS Accounting3. (Optional) Configure Session Blocking and Interim Updating OptionsThese option

Page 30 - Menu: Setting Passwords

5-25RADIUS Authentication and AccountingViewing RADIUS StatisticsViewing RADIUS StatisticsGeneral RADIUS StatisticsFigure 5-10. Example of General RAD

Page 31

5-26RADIUS Authentication and AccountingViewing RADIUS StatisticsTable 5-2. Values for Show Radius Host Output (Figure 5-11)Term DefinitionRound Trip

Page 32

5-27RADIUS Authentication and AccountingViewing RADIUS StatisticsRADIUS Authentication StatisticsFigure 5-12. Example of Login Attempt and Primary/Sec

Page 33 - Front-Panel Security

5-28RADIUS Authentication and AccountingViewing RADIUS StatisticsRADIUS Accounting StatisticsFigure 5-14. Listing the Accounting Configuration in the

Page 34 - Front-Panel Button Functions

5-29RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderFigure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Sw

Page 35 - Reset Button

xiProduct DocumentationAbout Your Switch Manual SetThe switch manual set includes the following: Read Me First - a printed guide shipped with your sw

Page 36

5-30RADIUS Authentication and AccountingChanging RADIUS-Server Access OrderTo exchange the positions of the addresses so that the server at 10.10.10.0

Page 37

5-31RADIUS Authentication and AccountingMessages Related to RADIUS OperationMessages Related to RADIUS OperationMessage MeaningCan’t reach RADIUS serv

Page 38

5-32RADIUS Authentication and AccountingMessages Related to RADIUS Operation— This page is intentionally unused. —

Page 39

6-1 6 Configuring Secure Shell (SSH) Contents Contents ...

Page 40

6-2Configuring Secure Shell (SSH)OverviewOverviewThe ProCurve switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provi

Page 41 - Password Recovery

6-3Configuring Secure Shell (SSH)OverviewNote SSH in the ProCurve is based on the OpenSSH software toolkit. For more information on OpenSSH, visit htt

Page 42 - [N] (for “No”)

6-4Configuring Secure Shell (SSH)TerminologyTerminology SSH Server: A ProCurve switch with SSH enabled. Key Pair: A pair of keys generated by the sw

Page 43 - Password Recovery Process

6-5Configuring Secure Shell (SSH)Prerequisite for Using SSHPrerequisite for Using SSHBefore using the switch as an SSH server, you must install a publ

Page 44

6-6Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationSteps for Configuring and Using SSH for Switc

Page 45

6-7Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationB. Switch Preparation1. Assign a login (Opera

Page 46

xiiProduct DocumentationFeature IndexFor the manual set supporting your switch model, the following feature index indicates which manual to consult fo

Page 47 - Client Options

6-8Configuring Secure Shell (SSH)General Operating Rules and NotesGeneral Operating Rules and Notes Public keys generated on an SSH client must be ex

Page 48 - General Features

6-9Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationConfiguring the Switch for SSH Operation1. Assign Local Login (Operator) and

Page 49 - Authenticator Operation

6-10Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-5. Example of Configuring Local Passwords2. Generate the Switch’s P

Page 50

6-11Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNotes When you generate a host key pair on the switch, the switch places the

Page 51 - MAC-based Authentication

6-12Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, to generate and display a new key:Figure 6-6. Example of Genera

Page 52

6-13Configuring Secure Shell (SSH)Configuring the Switch for SSH Operationdistribution to clients is to use a direct, serial connection between the sw

Page 53

6-14Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation4. Add any data required by your SSH client application. For example Before

Page 54 - Operating Rules and Notes

6-15Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the

Page 55

6-16Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationSSH Client Contact Behavior. At the first contact between the switch and an

Page 56

6-17Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationThe ip ssh key-size command affects only a per-session, internal server key

Page 57

xiiiProduct DocumentationLACP X --Link X - -LLDP X --MAC Address Management X - -MAC Lockdown - - XMAC Lockout - - XMAC-based Authentication - - XM

Page 58 - Addresses

6-18Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationCaution Protect your private key file from access by anyone other than yours

Page 59 - RADIUS Server

6-19Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationOption B: Configuring the Switch for Client Public-Key SSH Authentication.

Page 60

6-20Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, assume that you have a client public-key file named Client-Keys

Page 61

6-21Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFigure 6-13 shows how to check the results of the above c

Page 62

6-22Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationWhen configured for SSH operation, the switch automatical

Page 63

6-23Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authenticationa. Combines the decrypted byte sequence with specific ses

Page 64

6-24Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication1. Use your SSH client application to create a public/pri

Page 65

6-25Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFor example, if you wanted to copy a client public-key fi

Page 66

6-26Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationEnabling Client Public-Key Authentication. After you TFT

Page 67

6-27Configuring Secure Shell (SSH)Messages Related to SSH OperationMessages Related to SSH OperationMessage Meaning00000K Peer unreachable.Indicates a

Page 68

xivProduct DocumentationSource-Port Filters - - XSpanning Tree (STP, RSTP, MSTP) - X -SSH (Secure Shell) Encryption - - XSSL (Secure Socket Layer) -

Page 69

6-28Configuring Secure Shell (SSH)Messages Related to SSH OperationGenerating new RSA host key. If the cache is depleted, this could take up to two m

Page 70 - Web-Based Authentication

7-1 7 Configuring Secure Socket Layer (SSL) Contents Overview ...

Page 71 - MAC-Based Authentication

7-2Configuring Secure Socket Layer (SSL)OverviewOverviewThe ProCurve switches covered by this manual use Secure Socket Layer Version 3 (SSLv3) and sup

Page 72

7-3Configuring Secure Socket Layer (SSL)TerminologyFigure 7-1. Switch/User AuthenticationSSL on the ProCurve switches supports these data encryption m

Page 73 - Show Client Status

7-4Configuring Secure Socket Layer (SSL)Terminology Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA).

Page 74

7-5Configuring Secure Socket Layer (SSL)Prerequisite for Using SSLPrerequisite for Using SSLBefore using the switch as an SSL server, you must install

Page 75

7-6Configuring Secure Socket Layer (SSL)General Operating Rules and NotesGeneral Operating Rules and Notes Once you generate a certificate on the swi

Page 76

7-7Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationConfiguring the Switch for SSL Operation1. Assign Local Login (Operato

Page 77 - Applications:

7-8Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the web browser interface To Configure Local Passwords. You can

Page 78

7-9Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation2. Generate the Switch’s Server Host Certificate You must generate a s

Page 79 - General System Requirements

1-1 1 Getting Started Contents Introduction ... 1-2 Ov

Page 80

7-10Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationTo Generate or Erase the Switch’s Server Certificate with the CLIBeca

Page 81 - Privilege Levels

7-11Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationComments on Certificate Fields. There are a number arguments used in

Page 82 - Before You Begin

7-12Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNotes “Zeroizing” the switch’s server host certificate or key automat

Page 83 - Configuration

7-13Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationGenerate a Self-Signed Host Certificate with the Web browser interfac

Page 84

7-14Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFor example, to generate a new host certificate via the web browsers

Page 85

7-15Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 7-6. Web browser Interface showing current SSL Host Certificat

Page 86

7-16Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationThe installation of a CA-signed certificate involves interaction with

Page 87 - Login Primary

7-17Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation Figure 7-7. Example of a Certificate Request and Reply3. Enable SSL

Page 88

7-18Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNote Before enabling SSL on the switch you must generate the switch’s

Page 89

7-19Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the CLI interface to enable SSLTo enable SSL on the switch1. Ge

Page 90 - Encryption Keys

1-2Getting StartedIntroductionIntroductionThis Access Security Guide describes how to use ProCurve’s switch security features to protect access to you

Page 91

7-20Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 7-8. Using the web browser interface to enable SSL and select

Page 92 - First-Choice TACACS+ Server

7-21Configuring Secure Socket Layer (SSL)Common Errors in SSL SetupCommon Errors in SSL SetupError During Possible CauseGenerating host certificate on

Page 93

7-22Configuring Secure Socket Layer (SSL)Common Errors in SSL Setup— This page is intentionally unused. —

Page 94 - How Authentication Operates

8-1 8 Configuring Port-Based Access Control (802.1X) Contents Overview ...

Page 95

8-2Configuring Port-Based Access Control (802.1X)ContentsConfiguring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches

Page 96

8-3Configuring Port-Based Access Control (802.1X)OverviewOverviewWhy Use Port-Based Access Control?Local area networks are often deployed in a way tha

Page 97 - Using the Encryption Key

8-4Configuring Port-Based Access Control (802.1X)Overview Local authentication of 802.1X clients using the switch’s local user-name and password (as

Page 98 - Access When Using TACACS+

8-5Configuring Port-Based Access Control (802.1X)Overview Figure 8-1. Example of an 802.1X ApplicationAccounting . The switch also provides RADIUS Ne

Page 99 - Messages Related to TACACS+

8-6Configuring Port-Based Access Control (802.1X)How 802.1X OperatesHow 802.1X OperatesAuthenticator OperationThis operation provides security on a di

Page 100 - TACACS+ Authentication

8-7Configuring Port-Based Access Control (802.1X)How 802.1X OperatesSwitch-Port Supplicant OperationThis operation provides security on links between

Page 101 - Contents

1-3Getting StartedOverview of Access Security Features Secure Socket Layer (SSL) (page 7-1): Provides remote web access to the switch via encrypted a

Page 102 - Overview

8-8Configuring Port-Based Access Control (802.1X)Terminology• A “failure” response continues the block on port B5 and causes port A1 to wait for the “

Page 103 - Terminology

8-9Configuring Port-Based Access Control (802.1X)TerminologyEAP (Extensible Authentication Protocol): EAP enables network access that supports multipl

Page 104

8-10Configuring Port-Based Access Control (802.1X)General Operating Rules and Notesmember of that VLAN as long as at least one other port on the switc

Page 105

8-11Configuring Port-Based Access Control (802.1X)General Operating Rules and Notes If a client already has access to a switch port when you configur

Page 106 - Authentication

8-12Configuring Port-Based Access Control (802.1X)General Setup Procedure for Port-Based Access Control (802.1X)General Setup Procedure for Port-Based

Page 107

8-13Configuring Port-Based Access Control (802.1X)General Setup Procedure for Port-Based Access Control (802.1X)Overview: Configuring 802.1X Authentic

Page 108 - Want RADIUS To Protect

8-14Configuring Port-Based Access Control (802.1X)General Setup Procedure for Port-Based Access Control (802.1X)7. If you are using Port Security on t

Page 109 - SSH authentication

8-15Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsConfiguring Switch Ports as 802.1X Authenticators1.

Page 110

8-16Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsSyntax: aaa port-access authenticator < port-lis

Page 111

8-17Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsSets the period of time the switch waits for a supp

Page 113

1-4Getting StartedOverview of Access Security FeaturesTable 1-1. Management Access Security ProtectionGeneral Switch Traffic Security GuidelinesWhere

Page 114

8-18Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators Configures an existing, static VLAN to be the Aut

Page 115

8-19Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators3. Configure the 802.1X Authentication MethodThis t

Page 116 - Local Authentication Process

8-20Configuring Port-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators4. Enter the RADIUS Host IP Address(es)If you selec

Page 117 - Configuring RADIUS Accounting

8-21Configuring Port-Based Access Control (802.1X)802.1X Open VLAN Mode802.1X Open VLAN ModeThis section describes how to use the 802.1X Open VLAN mod

Page 118

8-22Configuring Port-Based Access Control (802.1X)802.1X Open VLAN Mode1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIU

Page 119

8-23Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeTable 8-1. 802.1X Open VLAN Mode Options802.1X Per-Port Configuration Port Resp

Page 120

8-24Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Unauthorized-Client VLAN Configured:• When the port

Page 121

8-25Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeOperating Rules for Authorized-Client and Unauthorized-Client VLANsCondition Ru

Page 122 - Reports to the RADIUS Server

8-26Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeNote: If you use the same VLAN as the Unauthorized-Client VLAN for all authenti

Page 123

8-27Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeSetting Up and Configuring 802.1X Open VLAN ModePreparation. This section assum

Page 124 - Updating Options

1-5Getting StartedConventionsConventionsThis guide uses the following conventions for command syntax and displayed information.Feature Descriptions by

Page 125 - Viewing RADIUS Statistics

8-28Configuring Port-Based Access Control (802.1X)802.1X Open VLAN Mode Ensure that the switch is connected to a RADIUS server configured to support

Page 126

8-29Configuring Port-Based Access Control (802.1X)802.1X Open VLAN Mode3. If you selected either eap-radius or chap-radius for step 2, use the radius

Page 127

8-30Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeConfiguring 802.1X Open VLAN Mode. Use these commands to actually configure Ope

Page 128 - RADIUS Accounting Statistics

8-31Configuring Port-Based Access Control (802.1X)802.1X Open VLAN ModeInspecting 802.1X Open VLAN Mode Operation. For information and an example on

Page 129

8-32Configuring Port-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices If an authenti

Page 130

8-33Configuring Port-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X DevicesNote on Blocking

Page 131 - as both the

8-34Configuring Port-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other SwitchesConfiguri

Page 132

8-35Configuring Port-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches1. When p

Page 133

8-36Configuring Port-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other SwitchesConfiguri

Page 134

8-37Configuring Port-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switchesaaa port-

Page 135 - http://www.openssh.com

1-6Getting StartedConventionsCommand PromptsIn the default configuration, your switch displays one of the following CLI prompts:ProCurve Switch 4104#P

Page 136

8-38Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersDisplaying 802.1X Configuration, Statistics

Page 137 - Public Key Formats

8-39Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and Countersshow port-access authenticator (Syntax Cont

Page 138

8-40Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersViewing 802.1X Open VLAN Mode StatusYou can

Page 139

8-41Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and Counters When the Unauth VLAN ID is configured and

Page 140

8-42Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 8-6. Example of Showing a VLAN with

Page 141 - Operation

8-43Configuring Port-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersShow Commands for Port-Access SupplicantNot

Page 142

8-44Configuring Port-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN Operationsupplicant port to another without clearing t

Page 143

8-45Configuring Port-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFor example, suppose that a RADIUS-authentica

Page 144 - Key for the

8-46Configuring Port-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFigure 8-8. The Active Configuration for VLAN

Page 145 - Modulus <n>

8-47Configuring Port-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationWhen the 802.1X client’s session on port A2 e

Page 146

1-7Getting StartedSources for More InformationSources for More InformationFor additional information about switch operation and features not covered i

Page 147 - Contact Behavior

8-48Configuring Port-Based Access Control (802.1X)Messages Related to 802.1X OperationMessages Related to 802.1X OperationTable 8-3. 802.1X Operating

Page 148 - ■ Execute no ip ssh

9-1 9 Configuring and Monitoring Port Security Contents Contents ...

Page 149 - Note on Port

9-2Configuring and Monitoring Port SecurityOverviewOverviewUsing Port Security, you can configure each switch port with a unique list of the MAC addre

Page 150

9-3Configuring and Monitoring Port SecurityOverviewGeneral Operation for Port Security. On a per-port basis, you can configure security measures to bl

Page 151

9-4Configuring and Monitoring Port SecurityOverviewFigure 9-1. Example of How Port Security Controls AccessNote Broadcast and Multicast traffic is not

Page 152

9-5Configuring and Monitoring Port SecurityPlanning Port SecurityPlanning Port Security1. Plan your port security configuration and monitoring accordi

Page 153 - Public-Key Authentication

9-6Configuring and Monitoring Port SecurityPort Security Command Options and OperationPort Security Command Options and OperationPort Security Command

Page 154

9-7Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list >learn-mode < con

Page 155 - Bit Size Exponent <e>

9-8Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list > (- Continued -)lea

Page 156 - Note on Public

9-9Configuring and Monitoring Port SecurityPort Security Command Options and OperationSyntax: port-security [e] < port-list > (- Continued -)act

Page 157 - Key Index Number

1-8Getting StartedNeed Only a Quick Start?Figure 1-3. Getting Help in the CLI For information on specific features in the Web browser interface, use

Page 158

9-10Configuring and Monitoring Port SecurityPort Security Command Options and OperationRetention of Static MAC AddressesLearned MAC AddressesIn the fo

Page 159

9-11Configuring and Monitoring Port SecurityPort Security Command Options and OperationUsing the CLI To Display Port Security Settings. Syntax:show po

Page 160 - Message Meaning

9-12Configuring and Monitoring Port SecurityPort Security Command Options and OperationThe following command example shows the option for entering a r

Page 161

9-13Configuring and Monitoring Port SecurityPort Security Command Options and OperationProCurve(config)# port-security a1 learn-mode static mac-addres

Page 162

9-14Configuring and Monitoring Port SecurityPort Security Command Options and OperationFigure 9-4. Example of Adding an Authorized Device to a PortWit

Page 163

9-15Configuring and Monitoring Port SecurityPort Security Command Options and OperationIf you are adding a device (MAC address) to a port on which the

Page 164

9-16Configuring and Monitoring Port SecurityPort Security Command Options and OperationTo remove a device (MAC address) from the “Authorized” list and

Page 165 - Prerequisite for Using SSL

9-17Configuring and Monitoring Port SecurityMAC LockdownFigure 9-8. Example of Port A1 After Removing One MAC AddressMAC LockdownMAC Lockdown is avail

Page 166

9-18Configuring and Monitoring Port SecurityMAC LockdownHow It Works. When a device’s MAC address is locked down to a port (typically in a pair with a

Page 167

9-19Configuring and Monitoring Port SecurityMAC LockdownYou cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC

Page 168 - Security Tab

1-9Getting StartedNeed Only a Quick Start?To Set Up and Install the Switch in Your NetworkImportant! Use the Installation and Getting Started Guide sh

Page 169

9-20Configuring and Monitoring Port SecurityMAC LockdownMAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safel

Page 170

9-21Configuring and Monitoring Port SecurityMAC LockdownDeploying MAC LockdownWhen you deploy MAC Lockdown you need to consider how you use it within

Page 171 - Generate New Certificate

9-22Configuring and Monitoring Port SecurityMAC LockdownFigure 9-9. MAC Lockdown Deployed At the Network Edge Provides SecurityBasic MAC Lockdown Depl

Page 172 - Show host certificate command

9-23Configuring and Monitoring Port SecurityMAC LockdownThe key points for this Model Topology are:• The Core Network is separated from the edge by th

Page 173

9-24Configuring and Monitoring Port SecurityMAC LockdownFigure 9-10. Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connec

Page 174 - [SSL] button

9-25Configuring and Monitoring Port SecurityMAC LockoutDisplaying status. Locked down ports are listed in the output of the show running-config comman

Page 175 - Browser Interface

9-26Configuring and Monitoring Port SecurityMAC LockoutLockout command (lockout-mac <mac-address>). When the wireless clients then attempt to us

Page 176

9-27Configuring and Monitoring Port SecurityMAC LockoutFigure 9-12. Listing Locked Out PortsPort Security and MAC LockoutMAC Lockout is independent of

Page 177 - Browser Contact Behavior

9-28Configuring and Monitoring Port SecurityIP LockdownIP LockdownIP lockdown is available on the Series 2600 and 2800 switches only.The “IP lockdown”

Page 178

9-29Configuring and Monitoring Port SecurityWeb: Displaying and Configuring Port Security FeaturesWeb: Displaying and Configuring Port Security Featur

Page 179

1-10Getting StartedNeed Only a Quick Start?— This page is intentionally unused. —

Page 180

9-30Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert Flags• In the menu interface:– The Port Status screen include

Page 181 - Common Errors in SSL Setup

9-31Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsKeeping the Intrusion Log Current by Resetting Alert Fla

Page 182

9-32Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsFigure 9-14. Example of Port Status Screen with Intrusio

Page 183 - (802.1X)

9-33Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert Flags(The intrusion log holds up to 20 intrusion records and

Page 184

9-34Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsCLI: Checking for Intrusions, Listing Intrusion Alerts,

Page 185

9-35Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsFigure 9-17. Example of the Intrusion Log with Multiple

Page 186

9-36Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsUsing the Event Log To Find Intrusion AlertsThe Event Lo

Page 187

9-37Configuring and Monitoring Port SecurityOperating Notes for Port Securitya. Click on the Security tab.b. Click on [Intrusion Log]. “Ports with Int

Page 188 - How 802.1X Operates

9-38Configuring and Monitoring Port SecurityOperating Notes for Port SecurityLACP Not Available on Ports Configured for Port Security. To maintain s

Page 189

10-110Traffic/Security Filters(ProCurve Series 2600/2600-PWR and 2800 Switches)ContentsContents . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 190

2-12Configuring Username and Password SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 191 - 802.1X standard

10-2Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)OverviewOverviewThis chapter describes the use of source-port filters o

Page 192

10-3Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Overviewfrom receiving traffic from workstation "X", you woul

Page 193 - Note on 802.1X

10-4Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersUsing Source-Port FiltersThis feature is avail

Page 194 - Access Control (802.1X)

10-5Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersConfiguring a Source-Port FilterThe source-por

Page 195

10-6Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersConfiguring a Filter on a Port Trunk. This op

Page 196

10-7Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersViewing a Source-Port FilterYou can list all s

Page 197 - Authenticators

10-8Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersIf you wanted to determine the index number fo

Page 198

10-9Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersEditing a Source-Port FilterThe switch include

Page 199

10-10Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersUsing Named Source-Port FiltersThis feature i

Page 200

10-11Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersA named source-port filter must first be defi

Page 201

2-2Configuring Username and Password SecurityOverviewOverviewConsole access includes both the menu interface and the CLI. There are two levels of cons

Page 202

10-12Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersViewing a Named Source-Port FilterYou can lis

Page 203 - 802.1X Open VLAN Mode

10-13Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersDefining and Configuring Example Named Source

Page 204

10-14Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersProCurve(config)# show filter Traffic/Securit

Page 205

10-15Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersUsing the IDX value in the show filter comman

Page 206

10-16Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersThe same command, using IDX 26, shows how tra

Page 207 - Unauthorized-Client VLANs

10-17Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port FiltersThe following revisions to the named source-p

Page 208

10-18Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches)Using Source-Port Filters— This page is intentionally unused. —

Page 209

11-111Using Authorized IP Managers ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 210

11-2Using Authorized IP ManagersOverviewOverviewAuthorized IP Manager Features The Authorized IP Managers feature uses IP addresses and masks to deter

Page 211

11-3Using Authorized IP ManagersAccess LevelsConfiguration OptionsYou can configure: Up to 10 authorized manager addresses, where each address applie

Page 212

2-3Configuring Username and Password SecurityOverviewTo configure password security:1. Set a Manager password pair (and an Operator password pair, if

Page 213

11-4Using Authorized IP ManagersDefining Authorized Management StationsDefining Authorized Management Stations Authorizing Single Stations: The table

Page 214 - 802.1X Devices

11-5Using Authorized IP ManagersDefining Authorized Management Stations255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to

Page 215 - 802.1X Device

11-6Using Authorized IP ManagersDefining Authorized Management StationsFigure 11-2. Example of How To Add an Authorized Manager Entry (Continued)Editi

Page 216 - Other Switches

11-7Using Authorized IP ManagersDefining Authorized Management StationsFigure 11-3. Example of the Show IP Authorized-Manager DisplayThe above example

Page 217

11-8Using Authorized IP ManagersDefining Authorized Management StationsSimilarly, the next command authorizes manager-level access for any station hav

Page 218

11-9Using Authorized IP ManagersWeb: Configuring IP Authorized ManagersWeb: Configuring IP Authorized ManagersIn the web browser interface you can con

Page 219

11-10Using Authorized IP ManagersBuilding IP MasksConfiguring Multiple Stations Per Authorized Manager IP EntryThe mask determines whether the IP addr

Page 220 - Statistics, and Counters

11-11Using Authorized IP ManagersBuilding IP MasksFigure 11-6. Example of How the Bitmap in the IP Mask Defines Authorized Manager AddressesAdditional

Page 221

11-12Using Authorized IP ManagersOperating NotesOperating Notes Network Security Precautions: You can enhance your network’s security by keeping phys

Page 222

Index – 1IndexNumerics3DES … 6-3, 7-3802.1XSee port-based access control. …8-1Aaaa authentication … 4-8aaa port-accessSee Web or MAC Authentication.ac

Page 223

ProCurveSwitch 2600 SeriesSwitch 2600-PWR SeriesSwitch 2800 SeriesSwitch 4100gl SeriesSwitch 6108Access Security GuideDecember 2008

Page 224

2-4Configuring Username and Password SecurityConfiguring Local Password SecurityConfiguring Local Password SecurityMenu: Setting PasswordsAs noted ear

Page 225 - ■ The switch reboots

2 – IndexIinconsistent value, message … 9-14intrusion alarmsentries dropped from log … 9-37event log … 9-36prior to … 9-37Intrusion Logprior to … 9-33

Page 226 - Affects VLAN Operation

Index – 3prior to … 9-37proxy web server … 9-37port-based access controlauthenticate switch … 8-4authenticate users … 8-4authenticator backend state …

Page 227

4 – Indexaccounting, system … 5-18, 5-22authentication options … 5-2authentication, local … 5-16authorized IP managers, precedence … 11-2bypass RADIUS

Page 228

Index – 5zeroing a key … 6-11zeroize … 6-11SSLCA-signed … 7-4, 7-15CA-signed certificate … 7-4, 7-15CLI commands … 7-7client behavior … 7-17, 7-18cryp

Page 229 - After the 802.1X session

6 – IndexSee also LACP.Uuser namecleared … 2-5Vvalue, inconsistent … 9-14VLAN802.1X … 8-44802.1X, ID changes … 8-47802.1X, suspend untagged VLAN … 8-4

Page 231

© 2000 - 2008 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.December 2008Manual Part N

Page 232

2-5Configuring Username and Password SecurityConfiguring Local Password SecurityIf you have physical access to the switch, press and hold the Clear bu

Page 233 - Blocking Unauthorized Traffic

2-6Configuring Username and Password SecurityConfiguring Local Password SecurityTo Remove Password Protection. Removing password protection means to

Page 234 - Trunk Group Exclusion

2-7Configuring Username and Password SecurityFront-Panel SecurityFront-Panel SecurityThe front-panel security features provide the ability to independ

Page 235 - Planning Port Security

2-8Configuring Username and Password SecurityFront-Panel SecurityAs a result of increased security concerns, customers now have the ability to stop so

Page 236

2-9Configuring Username and Password SecurityFront-Panel SecurityReset ButtonPressing the Reset button alone for one second causes the switch to reboo

Page 237

2-10Configuring Username and Password SecurityFront-Panel Security3. Release the Reset button and wait for about one second for the Self-Test LED to s

Page 238

2-11Configuring Username and Password SecurityFront-Panel Security• Modify the operation of the Reset+Clear combination (page 2-9) so that the switch

Page 239

2-12Configuring Username and Password SecurityFront-Panel SecurityFor example, show front-panel-security produces the following output when the switch

Page 240 - Learned MAC Addresses

2-13Configuring Username and Password SecurityFront-Panel SecurityRe-Enabling the Clear Button on the Switch’s Front Panel andSetting or Changing the

Page 241

Hewlett-Packard Company8000 Foothills Boulevard, m/s 5551Roseville, California 95747-5551http://www.procurve.com© Copyright 2001-2008 Hewlett-Packard

Page 242 - Configuring Port Security

2-14Configuring Username and Password SecurityFront-Panel SecurityFigure 2-9. Example of Re-Enabling the Clear Button’s Default OperationChanging the

Page 243

2-15Configuring Username and Password SecurityFront-Panel SecurityFigure 2-10. Example of Disabling the Factory Reset OptionPassword RecoveryThe passw

Page 244

2-16Configuring Username and Password SecurityFront-Panel SecuritySteps for Disabling Password-Recovery. 1. Set the CLI to the global interface conte

Page 245

2-17Configuring Username and Password SecurityFront-Panel SecurityFigure 2-11. Example of the Steps for Disabling Password-RecoveryPassword Recovery P

Page 246

2-18Configuring Username and Password SecurityFront-Panel Security— This page is intentionally unused. —

Page 247 - MAC Lockdown

3-13Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 248

3-2Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesOverviewOverviewApplicable Switch Models. Web and MAC Authentication are

Page 249

3-3Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesOverviewMAC Authentication (MAC-Auth). This method grants access to a sec

Page 250 - MAC Lockdown Operating Notes

3-4Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesOverviewGeneral FeaturesWeb and MAC Authentication on the ProCurve Series

Page 251 - Deploying MAC Lockdown

3-5Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesHow Web and MAC Authentication OperateHow Web and MAC Authentication Opera

Page 252

iiiContentsProduct DocumentationAbout Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiFeature Index

Page 253

3-6Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesHow Web and MAC Authentication OperateFigure 3-2. Progress Message During

Page 254

3-7Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesHow Web and MAC Authentication Operatemoves have not been enabled (client-

Page 255 - MAC Lockout

3-8Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesHow Web and MAC Authentication Operate4. If neither 1, 2, or 3, above, app

Page 256

3-9Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesTerminologyTerminologyAuthorized-Client VLAN: Like the Unauthorized-Client

Page 257 - Port Security and MAC Lockout

3-10Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesOperating Rules and NotesOperating Rules and Notes You can configure one

Page 258 - IP Lockdown

3-11Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesOperating Rules and Notes2. If there is no RADIUS-assigned VLAN, then, fo

Page 259 - Alert Flags

3-12Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesGeneral Setup Procedure for Web/MAC AuthenticationNote on Web/MAC Authent

Page 260

3-13Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesGeneral Setup Procedure for Web/MAC Authenticationa. If you configure the

Page 261 - Resetting Alert Flags

3-14Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesGeneral Setup Procedure for Web/MAC AuthenticationAdditional Information

Page 262

3-15Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring the Switch To Access a RADIUS ServerConfiguring the Switch To

Page 263 - Yes” for the port on which

ivFront-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7When Security Is Important . . .

Page 264

3-16Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring the Switch To Access a RADIUS ServerFor example, to configure

Page 265

3-17Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring Web AuthenticationConfiguring Web AuthenticationThis feature

Page 266 - [Overview] button

3-18Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring Web AuthenticationConfigure the Switch for Web-Based Authenti

Page 267 - [?] in the web

3-19Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring Web AuthenticationSyntax: [no] aaa port-access web-based [e]

Page 268

3-20Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring Web AuthenticationSyntax:aaa port-access web-based [e] < p

Page 269 - Traffic/Security Filters

3-21Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring Web AuthenticationSyntax: aaa port-access web-based [e] <

Page 270

3-22Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring MAC Authentication on the SwitchConfiguring MAC Authenticatio

Page 271

3-23Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring MAC Authentication on the SwitchConfigure the Switch for MAC-

Page 272 - Using Source-Port Filters

3-24Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring MAC Authentication on the SwitchSyntax: aaa port-access mac-b

Page 273

3-25Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesConfiguring MAC Authentication on the SwitchSyntax: aaa port-access mac-b

Page 274

v4 TACACS+ AuthenticationContents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1Ov

Page 275 - Viewing a Source-Port Filter

3-26Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesShow Status and Configuration of Web-Based AuthenticationShow Status and

Page 276 - Filter Indexing

3-27Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesShow Status and Configuration of MAC-Based AuthenticationShow Status and

Page 277 - Editing a Source-Port Filter

3-28Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesShow Status and Configuration of MAC-Based AuthenticationSyntax: show por

Page 278

3-29Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesShow Client StatusShow Client StatusThe table below shows the possible cl

Page 279

3-30Web and MAC Authentication for the Series 2600/2600-PWR and 2800 SwitchesShow Client Status— This page is intentionally unused. —

Page 280

4-14TACACS+ AuthenticationContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 281

4-2TACACS+ AuthenticationConfiguring TACACS+ on the SwitchOverviewTACACS+ authentication enables you to use a central server to allow or deny access t

Page 282

4-3TACACS+ AuthenticationConfiguring TACACS+ on the Switchtion services. If the switch fails to connect to any TACACS+ server, it defaults to its own

Page 283

4-4TACACS+ AuthenticationConfiguring TACACS+ on the Switch• Local Authentication: This method uses username/password pairs configured locally on the s

Page 284

4-5TACACS+ AuthenticationConfiguring TACACS+ on the SwitchGeneral System RequirementsTo use TACACS+ authentication, you need the following: A TACACS+

Page 285

vi1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 286

4-6TACACS+ AuthenticationConfiguring TACACS+ on the Switchother access type (console, in this case) open in case the Telnet access fails due to a conf

Page 287 - Using Authorized IP Managers

4-7TACACS+ AuthenticationConfiguring TACACS+ on the SwitchNote on Privilege LevelsWhen a TACACS+ server authenticates an access request from a switch,

Page 288

4-8TACACS+ AuthenticationConfiguring TACACS+ on the Switchconfiguration in your TACACS+ server application for mis-configurations or missing data tha

Page 289 - Access Levels

4-9TACACS+ AuthenticationConfiguring TACACS+ on the SwitchCLI Commands Described in this SectionViewing the Switch’s Current Authentication Configurat

Page 290 - Stations

4-10TACACS+ AuthenticationConfiguring TACACS+ on the SwitchViewing the Switch’s Current TACACS+ Server Contact ConfigurationThis command lists the tim

Page 291 - Managers

4-11TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the Switch’s Authentication MethodsThe aaa authentication command configures th

Page 292

4-12TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 4-1. AAA Authentication ParametersAs shown in the next table, login and enable access

Page 293

4-13TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 4-2. Primary/Secondary Authentication TableCaution Regarding the Use of Local for Log

Page 294

4-14TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFor example, here is a set of access options and the corresponding commands to configure th

Page 295 - Building IP Masks

4-15TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the Switch’s TACACS+ Server AccessThe tacacs-server command configures these pa

Page 296 - IP Entry

vii6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-21Further Information on SSH Client Public-Key Authenticatio

Page 297

4-16TACACS+ AuthenticationConfiguring TACACS+ on the SwitchNote on Encryption KeysEncryption keys configured in the switch must exactly match the encr

Page 298 - Operating Notes

4-17TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 4-3. Details on Configuring TACACS Servers and KeysName Default Rangetacacs-server

Page 299 - Index – 1

4-18TACACS+ AuthenticationConfiguring TACACS+ on the SwitchAdding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was

Page 300 - 2 – Index

4-19TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFigure 4-5. Example of the Switch After Assigning a Different “First-Choice” ServerTo remov

Page 301 - Index – 3

4-20TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTo delete a per-server encryption key in the switch, re-enter the tacacs-server host comman

Page 302 - 4 – Index

4-21TACACS+ AuthenticationConfiguring TACACS+ on the SwitchUsing figure 4-6, above, after either switch detects an operator’s logon request from a rem

Page 303 - Index – 5

4-22TACACS+ AuthenticationConfiguring TACACS+ on the SwitchLocal Authentication ProcessWhen the switch is configured to use TACACS+, it reverts to loc

Page 304 - 6 – Index

4-23TACACS+ AuthenticationConfiguring TACACS+ on the SwitchUsing the Encryption KeyGeneral OperationWhen used, the encryption key (sometimes termed “k

Page 305

4-24TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFor example, you would use the next command to configure a global encryption key in the sw

Page 306

4-25TACACS+ AuthenticationConfiguring TACACS+ on the SwitchMessages Related to TACACS+ OperationThe switch generates the CLI messages listed below. Ho
