HP ProCurve Switch 2626 (J4900A)
HP ProCurve Switch 2626-PWR (J8164A)
HP ProCurve Switch 2650 (J4899A)
HP ProCurve Switch 2650-PWR (J8165A)
HP ProCurve Switch 2824 (J4903A)
HP ProCurve Switch 2848 (J4904A)
HP ProCurve Switch 4104gl (J4887A)
HP ProCurve Switch 4108gl (J4865A)
HP ProCurve Switch 6108 (J4902A)
Trademark Credits
Windows NT®, Windows®, and MS Windows® are US
registered trademarks of Microsoft Corporation.
Software Credits
SSH on HP ProCurve Switches is based on the OpenSSH
software toolkit. This product includes software developed
by the OpenSSH Project for use in the OpenSSH Toolkit. For
more information on OpenSSH, visit http://www.openssh.com.
SSL on HP ProCurve Switches is based on the OpenSSL
software toolkit. This product includes software developed
by the OpenSSL Project for use in the OpenSSL Toolkit. For
more information on OpenSSL, visit
http://www.openssl.org.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
This product includes software written by Tim Hudson
(tjh@cryptsoft.com)
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
Hewlett-Packard Company shall not be liable for technical
or editorial errors or omissions contained herein. The
information is provided "as is" without warranty of any kind
and is subject to change without notice. The warranties for
Hewlett-Packard Company products are set forth in the
express limited warranty statements for such products.
Nothing herein should be construed as constituting an
additional warranty.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with
the product.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
http://www.hp.com/go/hpprocurve
Getting Started
Introduction and Applicable Switches
This guide describes how to use HP’s switch security features to protect
access to your HP ProCurve switch. This guide is intended for these
switch models:
■ HP ProCurve Switch 4100GL Series (4104GL, 4108GL)
■ HP ProCurve Switch 2800 Series (2824, 2848)
■ HP ProCurve Switch 2600 Series (2626, 2650)
■ HP ProCurve Switch 6108
The Product Documentation CD-ROM shipped with the switch includes this
guide. You can also download the latest version from the HP ProCurve
website. (Refer to “Getting Documentation From the Web” on page 1-9.)
About the Feature Descriptions
In cases where a software feature is not available in all of the switch products
covered by this guide, the text specifically indicates which devices offer the
feature.
Overview of Access Security Features
■ Local Manager and Operator Passwords (page 2-1): Control
access and privileges for the CLI, menu, and web browser interfaces.
■ TACACS+ Authentication (page 4-1): Uses an authentication application on a server to allow or deny access to a switch.
■ RADIUS Authentication and Accounting (page 5-1): Like
TACACS+, uses an authentication application on a central server to
allow or deny access to the switch. RADIUS also provides accounting
services for sending data about user activity and system events to a
RADIUS server.
to the switch via encrypted authentication paths between the switch
and management station clients capable of SSL/TLS operation.
■ Port-Based Access Control (802.1X) (page 8-1): On point-to-point
connections, enables the switch to allow or deny traffic between a
port and an 802.1X-aware device (supplicant) attempting to access
the switch. Also enables the switch to operate as a supplicant for
connections to other 802.1X-aware switches.
■ Port Security (page 9-1): Enables a switch port to maintain a unique
list of MAC addresses defining which specific devices are allowed to
access the network through that port. Also enables a port to detect,
prevent, and log access attempts by unauthorized devices.
in-band security by enabling outbound destination ports on the switch
to forward or drop traffic from designated source ports (within the
same VLAN).
■ Authorized IP Managers (page 11-1): Allows access to the switch
by a networked device having an IP address previously configured in
the switch as "authorized".
HP recommends that you use local passwords together with your switch’s
other security features to provide a more comprehensive security fabric than
if you use only local passwords. For an overview, refer to Table 1-1.
Table 1-1. Management Access Security Protection

The Telnet, SNMP (Net Mgmt), Web Browser, and SSH Client columns show whether a feature offers protection against unauthorized client access to the switch management features over that type of connection; the Network column shows whether it offers protection against unauthorized client access to the network.

Security Feature                       Connection   Telnet   SNMP (Net Mgmt)   Web Browser   SSH Client   Network
Local Manager and Operator             PtP          Yes      No                Yes           Yes          No
  Usernames and Passwords¹             Remote       Yes      No                Yes           Yes          No
TACACS+¹                               PtP          Yes      No                No            Yes          No
                                       Remote       Yes      No                No            Yes          No
RADIUS¹                                PtP          Yes      No                No            Yes          No
                                       Remote       Yes      No                No            Yes          No
SSH                                    PtP          Yes      No                No            Yes          No
                                       Remote       Yes      No                No            Yes          No
SSL                                    PtP          No       No                Yes           No           No
                                       Remote       No       No                Yes           No           No
Port-Based Access Control (802.1X)     PtP          Yes      Yes               Yes           Yes          Yes
                                       Remote       No       No                No            No           No
Port Security (MAC address)            PtP          Yes      Yes               Yes           Yes          Yes
                                       Remote       Yes      Yes               Yes           Yes          Yes
Authorized IP Managers                 PtP          Yes      Yes               Yes           Yes          No
                                       Remote       Yes      Yes               Yes           Yes          No

¹ The local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access) also offer protection for serial port access.
There are two security areas to protect: access to the switch management
features and access to the network through the switch. The preceding table
shows the type of protection each switch security feature offers.
General Switch Traffic Security Guideline
Where the switch is running multiple security options, it implements network
traffic security based on the OSI (Open Systems Interconnection model)
precedence of the individual options, from the lowest to the highest. The
following list shows the order in which the switch implements configured
security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (Applies to all ports on the switch.)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.
(The above list does not address the mutually exclusive relationship that
exists among some security features.)
Command Syntax Conventions
This guide uses the following conventions for command syntax and displays.
In the default configuration, your switch’s CLI prompt includes the switch
model number, and appears similar to the following examples:
HP ProCurve Switch 4108#
HP ProCurve Switch 2650#
HP ProCurve Switch 6108#
To simplify recognition, this guide uses HPswitch to represent command
prompts for all models. That is:
HPswitch#
(You can use the hostname command to change the text in the CLI prompt.)
Commands or command output positioned to simulate displays of switch
information in a computer screen are printed in a monospace font, as shown
above.
Screen Simulations
Figures containing simulated screen text and command output appear similar
to this:
Figure 1-1. Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear without figure identification. For example:
HPswitch(config)# clear public-key
HPswitch(config)# show ip client-public-key
show_client_public_key: cannot stat keyfile
Port Identity Convention for Examples
This guide describes software applicable to both chassis-based and stackable
HP ProCurve switches. Where port identities are needed in an example, this
guide uses the chassis-based port identity system, such as "A1", "B3 - B5", "C7",
etc. However, unless otherwise noted, such examples apply equally to the
stackable switches, which typically use only numbers, such as "1", "3-5", "15",
etc. for port identities.
Related Publications
Product Notes and General Software Update Information. The
printed Read Me First shipped with your switch provides software update
information, product notes, and other information. For the latest version, refer
to “Getting Documentation From the Web” on page 1-9.
Physical Installation and Initial Network Access. Use the Installation
and Getting Started Guide shipped with your switch to prepare for and
perform the physical installation. This guide also steps you through connecting the switch to your network and assigning IP addressing, as well as
describing the LED indications for correct operation and trouble analysis. A
PDF version of this guide is also provided on the Product Documentation CD-ROM shipped with the switch. And you can download a copy from the HP
ProCurve website. (See “Getting Documentation From the Web” on page 1-9.)
General Switch Management and Configuration. Use the Management
and Configuration Guide for information on:
■ Using the command line interface (CLI), Menu interface, and web
browser interface
■ Learning the operation and configuration of all switch software
features other than the access security features included in this guide
■ Troubleshooting software operation
HP provides a PDF version of this guide on the Product Documentation CD-ROM shipped with the switch. You can also download the latest copy from the
HP ProCurve website. (See “Getting Documentation From the Web” on page 1-9.)
Release Notes. Release notes are posted on the HP ProCurve website and
provide information on new software updates:
■ New features and how to configure and use them
■ Software management, including downloading software to the switch
■ Software fixes addressed in current and previous releases
To view and download a copy of the latest release notes for your switch, see
“Getting Documentation From the Web” on page 1-9.
Getting Documentation From the Web
1. Go to the HP ProCurve website at http://www.hp.com/go/hpprocurve.
2. Click on technical support.
3. Click on manuals.
4. Click on the product for which you want to view or download a manual.
Sources for More Information
■ If you need information on specific parameters in the menu interface, refer to the online help provided in the interface.
Figure 1-2. Where To Find Help in the Menu Interface (callout: Online Help for Menu)
■ If you need information on a specific command in the CLI, type the
command name followed by “help”. For example:
Figure 1-3. How To Find Help in the CLI
■ If you need information on specific features in the HP Web Browser
Interface (hereafter referred to as the “web browser interface”), use
the online help available for the web browser interface. For more
information on web browser Help options, refer to the Management and Configuration Guide for your switch.
■ If you need further information on Hewlett-Packard switch technology, visit the HP ProCurve website at:
http://www.hp.com/go/hpprocurve
Need Only a Quick Start?
IP Addressing. If you just want to give the switch an IP address, or if you
are not using VLANs, HP recommends that you use the Switch Setup screen
to quickly configure IP addressing. To do so, do one of the following:
■ Enter setup at the CLI Manager level prompt.
HPswitch# setup
■ In the Main Menu of the Menu interface, select
8. Run Setup
For more on using the Switch Setup screen, refer to the Installation and
Getting Started Guide you received with the switch.
To Set Up and Install the Switch in Your Network
Use the Installation and Getting Started Guide for your switch model
(shipped with the switch) for the following:
■ Notes, cautions, and warnings related to installing and using the
switch and its related modules
■ Instructions for physically installing the switch in your network
■ Quickly assigning an IP address and subnet mask, setting a Manager
password, and (optionally) configuring other basic features.
The following features apply only to the Series 2600, 2600-PWR, and 2800 Switches.

Feature                          Default    Menu   CLI         Web
show front-panel-security        n/a        —      page 1-13   —
front-panel-security             —          —      page 1-13   —
  password-clear                 enabled    —      page 1-13   —
  reset-on-clear                 disabled   —      page 1-14   —
  factory-reset                  enabled    —      page 1-15   —
  password-recovery              enabled    —      page 1-15   —
Console access includes both the menu interface and the CLI. There are two
levels of console access: Manager and Operator. For security, you can set a
password pair (username and password) on each of these levels.
Note: Usernames are optional. Also, in the menu interface, you can configure
passwords, but not usernames. To configure usernames, use the CLI or the
web browser interface.
Level       Actions Permitted
Manager:    Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Operator:   Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities. On the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available.
* Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the Manager password.
To configure password security:
1. Set a Manager password pair (and an Operator password pair, if applicable
for your system).
2. Exit from the current console session. A Manager password pair will now
be needed for full access to the console.
If you do steps 1 and 2, above, then the next time a console session is started
for either the menu interface or the CLI, a prompt appears for a password.
Assuming you have protected both the Manager and Operator levels, the level
of access to the console interface will be determined by which password is
entered in response to the prompt.
If you set a Manager password, you may also want to configure the
Inactivity Time parameter. (Refer to the Management and Configuration
Guide for your switch.) This causes the console session to end after the
specified period of inactivity, thus giving you added security against unauthorized console access.
Note: The manager and operator passwords and (optional) usernames control
access to the menu interface, CLI, and web browser interface.
If you configure only a Manager password (with no Operator password), and
in a later session the Manager password is not entered correctly in response
to a prompt from the switch, then the switch does not allow management
access for that session.
If the switch has a password for both the Manager and Operator levels, and
neither is entered correctly in response to the switch’s password prompt, then
the switch does not allow management access for that session.
Passwords are case-sensitive.
Caution: If the switch has neither a Manager nor an Operator password, anyone
having access to the switch through either Telnet, the serial port, or the web
browser interface can access the switch with full manager privileges. Also,
if you configure only an Operator password, entering the Operator password enables full manager privileges.
The rest of this section covers how to:
■ Set passwords
■ Delete passwords
■ Recover from a lost password
Configuring Local Password Security
Configuring Local Password Security
Menu: Setting Passwords
As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface.
1. From the Main Menu select:
3. Console Passwords
Figure 2-1. The Set Password Screen
2. To set a new password:
a. Select Set Manager Password or Set Operator Password. You will then
be prompted with Enter new password.
b. Type a password of up to 16 ASCII characters with no spaces and
press [Enter]. (Remember that passwords are case-sensitive.)
c. When prompted with Enter new password again, retype the new password and press [Enter].
After you configure a password, if you subsequently start a new console
session, you will be prompted to enter the password. (If you use the CLI or
web browser interface to configure an optional username, the switch will
prompt you for the username, and then the password.)
To Delete Password Protection (Including Recovery from a Lost
Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator).
If you have physical access to the switch, press and hold the Clear button (on
the front of the switch) for a minimum of one second to clear all password
protection, then enter new passwords as described earlier in this chapter.
If you do not have physical access to the switch, you will need Manager-Level
access:
1. Enter the console at the Manager level.
2. Go to the Set Passwords screen as described above.
3. Select Delete Password Protection. You will then see the following prompt:
Continue Deletion of password protection? No
4. Press the Space bar to select Yes, then press [Enter].
5. Press [Enter] to clear the Password Protection message.
To Recover from a Lost Manager Password: If you cannot start a console session at the Manager level because of a lost Manager password, you
can clear the password by getting physical access to the switch and pressing
and holding the Clear button for a minimum of one second. This action deletes
all passwords and usernames (Manager and Operator) used by both the
console and the web browser interface.
CLI: Setting Passwords and Usernames
Commands Used in This Section
password See below.
Configuring Manager and Operator Passwords.
Syntax:
[ no ] password <manager | operator > [ user-name ASCII-STR ]
[ no ] password < all >
Figure 2-2. Example of Configuring Manager and Operator Passwords
(Callouts: Password entries appear as asterisks. You must type the password entry twice.)
To Remove Password Protection. Removing password protection means
to eliminate password security. This command prompts you to verify that you
want to remove one or both passwords, then clears the indicated password(s).
(This command also clears the username associated with a password you are
removing.) For example, to remove the Operator password (and username, if
assigned) from the switch, you would do the following:
Figure 2-3. Removing a Password and Associated Username from the Switch
(Callout: Press [Y] (for yes) and press [Enter].)
The effect of executing the command in figure 2-3 is to remove password
protection from the Operator level. (This means that anyone who can access
the switch console can gain Operator access without having to enter a username or password.)
Web: Setting Passwords and Usernames
In the web browser interface you can enter passwords and (optional) usernames.
To Configure (or Remove) Usernames and Passwords in the Web
Browser Interface.
1. Click on the Security tab.
Click on [Device Passwords].
2. Do one of the following:
• To set username and password protection, enter the usernames and
passwords you want in the appropriate fields.
• To remove username and password protection, leave the fields blank.
3. Implement the usernames and passwords by clicking on [Apply Changes].
To access the web-based help provided for the switch, click on [?] in the web
browser screen.
Front-Panel Security
The front-panel security features provide the ability to independently enable
or disable some of the functions of the two buttons located on the front of the
switch for clearing the password (Clear button) or restoring the switch to its
factory default configuration (Reset+Clear buttons together). The ability to
disable Password Recovery is also provided for situations which require a
higher level of switch security.
The front-panel security features are designed to prevent malicious users
from:
■ Resetting the password(s) by pressing the Clear button
■ Restoring the factory default configuration by using the Reset+Clear
button combination.
■ Gaining management access to the switch by having physical access to
the switch itself
When Security Is Important
Some customers require a high level of security for information. Also, the
Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires
that systems handling and transmitting confidential medical records must be
secure.
It used to be assumed that only system and network administrators would be
able to get access to a network switch because switches were typically placed
in secure locations under lock and key. For some customers this is no longer
true. Others simply want the added assurance that even if someone did
manage to get to the switch that data would still remain secure.
If you do not invoke front-panel security on the switch, user-defined passwords can be deleted by pushing the Clear button on the front panel. This
function exists so that if customers forget the defined passwords they can still
get back into the switch and reset the passwords. This does, however, leave
the switch vulnerable when it is located in an area where non-authorized
people have access to it. Passwords could easily be cleared by pressing the
Clear button. Someone who has physical access to the switch may be able to
erase the passwords (and possibly configure new passwords) and take control
of the switch.
As a result of increased security concerns, customers now have the ability to
stop someone from removing passwords by disabling the Clear and/or Reset
buttons on the front of the switch.
Front-Panel Button Functions
The front panel of the switch includes the Reset button and the Clear button.
Figure 2-4. Example Front-Panel Button Locations (front panel of a Switch 2650, J4899A, with the Clear button and the Reset button called out)
Clear Button
Pressing the Clear button alone for one second resets the password(s) configured on the switch.
Figure 2-5. Press the Clear Button for One Second To Reset the Password(s)
Reset Button
Pressing the Reset button alone for one second causes the switch to reboot.
Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch
Restoring the Factory Default Configuration
You can also use the Reset button together with the Clear button (Reset+Clear)
to restore the factory default configuration for the switch. To do this:
1. Press and hold the Reset button.
2. While holding the Reset button, press and hold the Clear button.
3. Release the Reset button and wait for about one second for the Self-Test
LED to start flashing.
4. When the Self-Test LED begins flashing, release the Clear button.
This process restores the switch configuration to the factory default settings.
Configuring Front-Panel Security
Using the front-panel-security command from the global configuration context
in the CLI you can:
• Disable or re-enable the password-clearing function of the Clear
button. Disabling the Clear button means that pressing it does not
remove local password protection from the switch. (This action
affects the Clear button when used alone, but does not affect the
operation of the Reset+Clear combination described under “Restoring the Factory Default Configuration” on page 2-10.)
• Configure the Clear button to reboot the switch after clearing any
local usernames and passwords. This provides an immediate, visual
means (plus an Event Log message) for verifying that any usernames
and passwords in the switch have been cleared.
• Modify the operation of the Reset+Clear combination (page 2-10) so
that the switch still reboots, but does not restore the switch’s factory
default configuration settings. (Use of the Reset button alone, to
simply reboot the switch, is not affected.)
• Disable or re-enable Password Recovery.
Syntax: show front-panel-security
Displays the current front-panel-security settings:
Clear Password: Shows the status of the Clear button on the front
panel of the switch. Enabled means that pressing the Clear
button erases the local usernames and passwords configured
on the switch (and thus removes local password protection
from the switch). Disabled means that pressing the Clear
button does not remove the local usernames and passwords
configured on the switch. (Default: Enabled.)
Reset-on-clear: Shows the status of the reset-on-clear option
(Enabled or Disabled). When reset-on-clear is disabled and
Clear Password is enabled, then pressing the Clear button
erases the local usernames and passwords from the switch.
When reset-on-clear is enabled, pressing the Clear button
erases the local usernames and passwords from the switch
and reboots the switch. (Enabling reset-on-clear
automatically enables clear-password.) (Default: Disabled.)
Factory Reset: Shows the status of the Reset button on the front
panel of the switch. Enabled means that pressing the Reset
button reboots the switch and also enables the Reset button to
be used with the Clear button (page 2-10) to reset the switch
to its factory-default configuration. (Default: Enabled.)
Password Recovery: Shows whether the switch is configured
with the ability to recover a lost password. (Refer to
“Password Recovery Process” on page 2-19.) (Default:
Enabled.)
CAUTION: Disabling this option removes the ability to
recover a password on the switch. Disabling this option is
an extreme measure and is not recommended unless you
have the most urgent need for high security. If you disable
password-recovery and then lose the password, you will
have to use the Reset and Clear buttons (page 2-10) to reset
the switch to its factory-default configuration and create a
new password.
For example, show front-panel-security produces the following output when
the switch is configured with the default front-panel security settings.
Figure 2-7. The Default Front-Panel Security Settings
Disabling the Clear Password Function of the Clear Button
on the Switch’s Front Panel
Syntax: no front-panel-security password-clear
In the factory-default configuration, pressing the Clear button
on the switch’s front panel erases any local usernames and
passwords configured on the switch. This command disables
the password clear function of the Clear button, so that
pressing it has no effect on any local usernames and
passwords. (Default: Enabled.)
Note: Although the Clear button does not erase passwords
when disabled, you can still use it with the Reset button
(Reset+Clear) to restore the switch to its factory default
configuration, as described under “Restoring the Factory
Default Configuration” on page 2-10.
This command displays a Caution message in the CLI. If you want to proceed
with disabling the Clear button, type [Y]; otherwise type [N]. For example:
Figure 2-8. Example of Disabling the Clear Button and Displaying the New Configuration
(Callout: Indicates the command has disabled the Clear button on the switch’s front panel. In this case the Show command does not include the reset-on-clear status because it is inoperable while the Clear Password functionality is disabled, and must be reconfigured whenever Clear Password is re-enabled.)
Re-Enabling the Clear Button on the Switch’s Front Panel and
Setting or Changing the “Reset-On-Clear” Operation
Note: If you disable password-clear and also disable the
password-recovery option, you can still recover from a lost
password by using the Reset+Clear button combination at
reboot as described on page 2-10. Although the Clear button
does not erase passwords when disabled, you can still use
it with the Reset button (Reset+Clear) to restore the switch
to its factory default configuration. You can then get access
to the switch to set a new password.
For example, suppose that password-clear is disabled and you want to restore
it to its default configuration (enabled, with reset-on-clear disabled).
Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation
(Callouts, in order: Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled.)
Changing the Operation of the Reset+Clear Combination
In their default configuration, using the Reset+Clear buttons in the combination described under “Restoring the Factory Default Configuration” on page
2-10 replaces the switch’s current startup-config file with the factory-default
startup-config file, then reboots the switch, and removes local password
protection. This means that anyone who has physical access to the switch
could use this button combination to replace the switch’s current configuration with the factory-default configuration, and render the switch accessible without the need to input a username or password. You can use the
factory-reset command to prevent the Reset+Clear combination from being
used for this purpose.
Syntax: [no] front-panel-security factory-reset
Disables or re-enables the following functions associated with
using the Reset+Clear buttons in the combination described
under “Restoring the Factory Default Configuration” on page
2-10:
• Replacing the current startup-config file with the factory-default startup-config file
• Clearing any local usernames and passwords configured on
the switch
(Default: Both functions enabled.)
Notes: The Reset+Clear button combination always reboots
the switch, regardless of whether the “no” form of the
command has been used to disable the above two functions.
Also, if you disable factory-reset, you cannot disable the
password-recovery option, and the reverse.
The command to disable the factory-reset operation produces this caution.
To complete the command, press [Y]. To abort the command, press [N].
Figure 2-10. Example of Disabling the Factory Reset Option
Password Recovery
The password recovery feature is enabled by default and provides a method for regaining management access to the switch (without resetting the switch to its factory default configuration) in the event that the system administrator loses the local manager username (if configured) or password. Using Password Recovery requires:
■ password-recovery enabled (the default) on the switch prior to an attempt to recover from a lost username/password situation
■ Contacting your HP Customer Care Center to acquire a one-time-use password
Configuring Username and Password Security
Front-Panel Security
[Figure 2-10 callouts: Completes the command to disable the factory reset option. Displays the current front-panel-security configuration, with Factory Reset disabled.]
Disabling or Re-Enabling the Password Recovery Process
Disabling the password recovery process means that the only method for
recovering from a lost manager username (if configured) and password is to
reset the switch to its factory-default configuration, which removes any
nondefault configuration settings.
Caution: Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch.
Syntax: [no] front-panel-security password-recovery
Enables or (using the “no” form of the command) disables the ability to recover a lost password.
When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password. When this feature is disabled, the password recovery process is disabled and the only way to regain management access to the switch is to use the Reset+Clear button combination (page 2-10) to restore the switch to its factory default configuration.
(Default: Enabled.)
Steps for Disabling Password-Recovery.
1. Set the CLI to the global interface context.
Note: To disable password-recovery:
– You must have physical access to the front panel of the switch.
– The factory-reset parameter must be enabled (the default).
2. Use show front-panel-security to determine whether the factory-reset parameter is enabled. If it is disabled, use the front-panel-security factory-reset command to enable it.
3. Press and release the Clear button on the front panel of the switch.
4. Within 60 seconds of pressing the Clear button, enter the following command:
no front-panel-security password-recovery
5. Do one of the following after the “CAUTION” message appears:
• If you want to complete the command, press [Y] (for “Yes”).
• If you want to abort the command, press [N] (for “No”).
Figure 2-11 shows an example of disabling the password-recovery parameter.
Figure 2-11. Example of the Steps for Disabling Password-Recovery
Password Recovery Process
If you have lost the switch’s manager username/password, but password-recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by HP.
Note: If you have disabled password-recovery, which locks out the ability to recover a manager username/password pair on the switch, then the only way to recover from a lost manager username/password pair is to use the Reset+Clear button combination described under “Restoring the Factory Default Configuration” on page 2-10. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured.
To use the password-recovery option to recover a lost password:
1. Note the switch’s base MAC address. It is shown on the label located on
the upper right front corner of the switch.
2. Contact your HP Customer Care Center for further assistance. Using the switch’s MAC address, the HP Customer Care Center will generate and provide a “one-time use” alternate password you can use to gain management access to the switch. Once you gain access, you can configure a new, known password.
Note: The alternate password provided by the HP Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time. Because the password algorithm is randomized based upon your switch's MAC address, the password will change as soon as you use the “one-time-use” password provided to you by the HP Customer Care Center.
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches
Overview
Feature                                                 Default   Menu   CLI    Web
Configure Web Authentication                            n/a       —      3-17   —
Configure MAC Authentication                            n/a       —      3-22   —
Display Web Authentication Status and Configuration     n/a       —      3-26   —
Display MAC Authentication Status and Configuration     n/a       —      3-28   —
Applicable Switch Models. Web and MAC Authentication are available on
these current HP ProCurve switch models:
■ HP ProCurve Series 2600 and 2600-PWR Switches
■ HP ProCurve Series 2800 Switches
Web and MAC Authentication are designed for employment on the “edge” of
a network to provide port-based security measures for protecting private
networks and the switch itself from unauthorized access. Because neither
method requires clients to run any special supplicant software, both are
suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Both methods rely on using
a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single
server. (You can use up to three RADIUS servers to provide backups in case
access to the primary server fails.) It also means the same credentials can be
used for authentication, regardless of which switch or switch port is the
current access point into the LAN.
Web Authentication (Web-Auth). This method uses a web page login to
authenticate users for access to the network. When a user connects to the
switch and opens a web browser the switch automatically presents a login
page. The user then enters a username and password, which the switch
forwards to a RADIUS server for authentication. After authentication, the
switch grants access to the secured network. Other than a web browser, the
client needs no special supplicant software.
Note: Client web browsers may not use a proxy server to access the network.
MAC Authentication (MAC-Auth). This method grants access to a secure
network by authenticating devices for access to the network. When a device
connects to the switch, either by direct link or through the network, the switch
forwards the device’s MAC address to the RADIUS server for authentication.
The RADIUS server uses the device MAC address as the username and
password, and grants or denies network access in the same way that it does
for clients capable of interactive logons. (The process does not use either a
client device configuration or a logon session.) MAC authentication is well-suited for clients that are not capable of providing interactive logons, such as
telephones, printers, and wireless access points. Also, because most RADIUS
servers allow for authentication to depend on the source switch and port
through which the client connects to the network, you can use MAC-Auth to
“lock” a particular device to a specific switch and port.
Note: You can configure only one authentication type on a port. This means that Web
authentication, MAC authentication, 802.1X, MAC lockdown, MAC lockout,
and port-security are mutually exclusive on a given port. Also, LACP must be
disabled on ports configured for any of these authentication methods.
Client Options
Web-Auth and MAC-Auth provide a port-based solution in which a port can
belong to one, untagged VLAN at a time. However, where all clients can
operate in the same VLAN, the switch allows up to 32 simultaneous clients per
port. (In applications where you want the switch to simultaneously support
multiple client sessions in different VLANs, design your system so that such
clients will use different switch ports.)
In the default configuration, the switch blocks access to clients that the
RADIUS server does not authenticate. However, you can configure an individual port to provide limited services to unauthorized clients by joining a
specified “unauthorized” VLAN during sessions with such clients. The unauthorized VLAN assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients.
Access to an optional, unauthorized VID is configured in the switch when Web
and MAC Authentication are configured on a port.
General Features
Web and MAC Authentication on the Series 5300XL switches include the
following:
■ On a port configured for Web or MAC Authentication, the switch
operates as a port-access authenticator using a RADIUS server and
the CHAP protocol. Inbound traffic is processed by the switch alone,
until authentication occurs. Some traffic from the switch is available
to an unauthorized client (for example, broadcast or unknown destination packets) before authentication occurs.
■ Proxy servers may not be used by browsers accessing the switch
through ports using Web Authentication.
■ You can optionally configure the switch to temporarily assign “authorized” and “unauthorized” VLAN memberships on a per-port basis to provide different services and access to authenticated and unauthenticated clients.
■ Web pages for username and password entry and the display of
authorization status are provided when using Web Authentication.
■ You can use the RADIUS server to temporarily assign a port to a static
VLAN to support an authenticated client. When a RADIUS server
authenticates a client, the switch-port membership during the client’s
connection is determined according to the following hierarchy:
1. A RADIUS-assigned VLAN
2. An authorized VLAN specified in the Web- or MAC-Auth configuration
for the subject port.
3. A static, port-based, untagged VLAN to which the port is configured.
A RADIUS-assigned VLAN has priority over switch-port membership
in any VLAN.
■ You can allow wireless clients to move between switch ports under
Web/MAC Authentication control. Clients may move from one Web
authorized port to another or from one MAC authorized port to
another. This capability allows wireless clients to move from one
access point to another without having to reauthenticate.
■ Unlike 802.1X operation, clients do not need supplicant software for
Web or MAC Authentication; only a web browser (for Web Authentication) or a MAC address (for MAC Authentication).
■ You can use “Show” commands to display session status and port-
access configuration settings.
How Web and MAC Authentication Operate
Authenticator Operation
Before gaining access to the network clients first present their authentication
credentials to the switch. The switch then verifies the supplied credentials
with a RADIUS authentication server. Successfully authenticated clients
receive access to the network, as defined by the System Administrator. Clients
who fail to authenticate successfully receive no network access or limited
network access as defined by the System Administrator.
Web-based Authentication
When a client connects to a Web-Auth enabled port, communication is redirected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials.
Figure 3-1. Example of User Login Screen
The temporary IP address pool can be specified using the dhcp-addr and
dhcp-lease options of the aaa port-access web-based command. If SSL is
enabled on the switch and ssl-login is enabled on the port the client is
redirected to a secure login page (https://...).
The switch passes the supplied username and password to the RADIUS server
for authentication.
Figure 3-2. Progress Message During Authentication
If the client is authenticated and the maximum number of clients allowed on
the port (client-limit) has not been reached, the port is assigned to a static,
untagged VLAN for network access. If specified, the client is redirected to a
specific URL (redirect-url).
Figure 3-3. Authentication Completed
The assigned VLAN is determined, in order of priority, as follows:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to this VLAN and temporarily drops all other
VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to the authorized VLAN (auth-vid if configured)
and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member of a
statically configured, port-based VLAN, then the port remains in this
VLAN.
4. If neither 1, 2, or 3, above, apply, then the client session does not have
access to any statically configured, untagged VLANs and client access is
blocked.
The assigned port VLAN remains in place until the session ends. Clients may
be forced to reauthenticate after a fixed period of time (reauth-period) or at
any time during a session (reauthenticate). An implicit logoff period can be set
if there is no activity from the client after a given amount of time (logoff-period).
In addition, a session ends if the link on the port is lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and client moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take effect at the end of the session.
A client may not be authenticated due to invalid credentials or a RADIUS
server timeout. The max-retries parameter specifies how many times a client
may enter their credentials before authentication fails. The server-timeout
parameter sets how long the switch waits to receive a response from the
RADIUS server before timing out. The max-requests parameter specifies how
many authentication attempts may result in a RADIUS server timeout before
authentication fails. The switch waits a specified amount of time (quiet-period) before processing any new authentication requests from the client.
Network administrators may assign unauthenticated clients to a specific
static, untagged VLAN (unauth-vid), to provide access to specific (guest)
network resources. If no VLAN is assigned to unauthenticated clients the port
is blocked and no network access is available. Should another client successfully authenticate through that port, any unauthenticated clients on the unauth-vid are dropped from the port.
MAC-based Authentication
When a client connects to a MAC-Auth enabled port, traffic is blocked. The
switch immediately submits the client’s MAC address (in the format specified
by the addr-format) as its certification credentials to the RADIUS server for
authentication.
If the client is authenticated and the maximum number of MAC addresses
allowed on the port (addr-limit) has not been reached, the port is assigned to
a static, untagged VLAN for network access.
The assigned VLAN is determined, in order of priority, as follows:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to this VLAN and temporarily drops all other
VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to the Authorized VLAN (auth-vid if configured)
and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member of a
statically configured, port-based VLAN, then the port remains in this
VLAN.
4. If neither 1, 2, or 3, above, apply, then the client session does not have
access to any statically configured, untagged VLANs and client access is
blocked.
The assigned port VLAN remains in place until the session ends. Clients may
be forced to reauthenticate after a fixed period of time (reauth-period) or at
any time during a session (reauthenticate). An implicit logoff period can be set
if there is no activity from the client after a given amount of time (logoff-period).
In addition, a session ends if the link on the port is lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and client
moves have not been enabled (addr-moves) on the ports, the session ends and
the client must reauthenticate for network access. At the end of the session
the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authenticated port take effect at the end of the session.
A client may not be authenticated due to invalid credentials or a RADIUS
server timeout. The server-timeout parameter sets how long the switch waits
to receive a response from the RADIUS server before timing out. The max-requests parameter specifies how many authentication attempts may result in
a RADIUS server timeout before authentication fails. The switch waits a
specified amount of time (quiet-period) before processing any new authentication requests from the client.
Network administrators may assign unauthenticated clients to a specific
static, untagged VLAN (unauth-vid), to provide access to specific (guest)
network resources. If no VLAN is assigned to unauthenticated clients the port
remains in its original VLAN configuration. Should another client successfully
authenticate through that port any unauthenticated clients are dropped from
the port.
Terminology
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a
conventional, static, untagged, port-based VLAN previously configured on
the switch by the System Administrator. The intent in using this VLAN is
to provide authenticated clients with network access and services. When
the client connection terminates, the port drops its membership in this
VLAN.
Authentication Server: The entity providing an authentication service to
the switch. In the case of a Series 5300XL switch running Web/MAC Authentication, this is a RADIUS server.
Authenticator: In HP ProCurve switch applications, a device such as a Series
5300XL switch that requires a client or device to provide the proper
credentials (MAC address, or username and password) before being
allowed access to the network.
CHAP: Challenge Handshake Authentication Protocol. Also known as
“CHAP-RADIUS”.
Client: In this application, an end-node device such as a management station,
workstation, or mobile PC linked to the switch through a point-to-point
LAN link.
Redirect URL: A System Administrator-specified web page presented to an authorized client following Web Authentication. HP recommends specifying this URL when configuring Web Authentication on a switch. Refer to aaa port-access web-based [e] < port-list > [redirect-url < url >] on page 3-21.
Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface.
Unauthorized-Client VLAN: A conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. It is used to provide limited network access and services to clients who are not authenticated.
Operating Rules and Notes
■ You can configure one type of authentication on a port. That is, the
following authentication types are mutually exclusive on a given
port:
• Web Authentication
• MAC Authentication
• 802.1X
■ Order of Precedence for Port Access Management (highest to lowest):
• MAC lockout
• MAC lockdown or Port Security
• Port-based Access Control (802.1X) or Web Authentication or MAC
Authentication
Note on Port Access Management: When configuring a port for Web or MAC Authentication, be sure that a higher-precedence port access management feature is not enabled on the port. For example, be sure that Port Security is disabled on a port before configuring it for Web or MAC Authentication. If Port Security is enabled on the port, this misconfiguration does not allow Web or MAC Authentication to occur.
■ VLANs: If your LAN does not use multiple VLANs, then you do not
need to configure VLAN assignments in your RADIUS server or
consider using either Authorized or Unauthorized VLANs. If your LAN
does use multiple VLANs, then some of the following factors may
apply to your use of Web-Auth and MAC-Auth.
• Web-Auth and MAC-Auth operate only with port-based VLANs. Operation with protocol VLANs is not supported, and clients do not have access to protocol VLANs during Web-Auth and MAC-Auth sessions.
• A port can belong to one, untagged VLAN during any client session.
Where multiple authenticated clients may simultaneously use the
same port, they must all be capable of operating on the same VLAN.
• During an authenticated client session, the following hierarchy determines a port’s VLAN membership:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the
client session, the port belongs to this VLAN and temporarily
drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of
the client session, the port belongs to the Authorized VLAN (if
configured) and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member
of a statically configured, port-based VLAN, then the port remains
in this VLAN.
4. If neither 1, 2, or 3, above, apply, then the client session does not
have access to any statically configured, untagged VLANs and
client access is blocked.
• After an authorized client session begins on a given port, the port’s
VLAN membership does not change. If other clients on the same port
become authenticated with a different VLAN assignment than the first
client, the port blocks access to these other clients until the first client
session ends.
• The optional “authorized” VLAN (auth-vid) and “unauthorized” VLAN
(unauth-vid) you can configure for Web- or MAC-based authentication
must be statically configured VLANs on the switch. Also, if you
configure one or both of these options, any services you want clients
in either category to access must be available on those VLANs.
■ Where a given port’s configuration includes an unauthorized client
VLAN assignment, the port will allow an unauthenticated client
session only while there are no requests for an authenticated client
session on that port. In this case, if there is a successful request for
authentication from an authorized client, the switch terminates the
unauthorized-client session and begins the authorized-client session.
■ When a port on the switch is configured for Web or MAC Authentication and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection.
■ When a port on the switch is configured as a Web- or MAC-based
authenticator, it blocks access to a client that does not provide the
proper authentication credentials. If the port configuration includes
an optional, unauthorized VLAN (unauth-vid), the port is temporarily
placed in the unauthorized VLAN if there are no other authorized
clients currently using the port with a different VLAN assignment. If
an authorized client is using the port with a different VLAN or if there
is no unauthorized VLAN configured, the unauthorized client does not
receive access to the network.
■ Web- or MAC-based authentication and LACP cannot both be enabled
on the same port.
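The VLAN hierarchy, the one-untagged-VLAN-per-port rule and the unauthorized-VLAN rules above can be read together as a small state machine for one authenticator port. The following Python model is an added illustration written for this page, not switch firmware or HP code; the class and method names (AuthPort, client_authenticated, client_failed, session_ended) and the status tuples they return are my own, and the 32-client default is taken from the “Client Options” text.

```python
"""Model of how a Web/MAC-Auth port picks a VLAN for a client session.

Added illustration, not switch code. It encodes the rules stated in the
manual: RADIUS VLAN > auth-vid > static untagged VLAN > blocked; a port is
in one untagged VLAN at a time, so later clients with a different assignment
are blocked until the first session ends; an unauthenticated client may only
use unauth-vid while no authorized client holds the port in another VLAN;
a successful authentication ends any unauthorized-client session.
"""
from dataclasses import dataclass, field
from typing import Optional


def resolve_session_vlan(radius_vid: Optional[int],
                         auth_vid: Optional[int],
                         static_untagged_vid: Optional[int]) -> Optional[int]:
    """Four-step hierarchy; None means the client session has no VLAN (blocked)."""
    for candidate in (radius_vid, auth_vid, static_untagged_vid):
        if candidate is not None:
            return candidate
    return None


@dataclass
class AuthPort:
    """One Web-/MAC-Auth port. Names and return values are hypothetical."""
    static_untagged_vid: Optional[int]
    auth_vid: Optional[int] = None
    unauth_vid: Optional[int] = None
    client_limit: int = 32                            # simultaneous clients per port
    active_vid: Optional[int] = None                  # VLAN held for authorized sessions
    authorized: dict = field(default_factory=dict)    # client id -> VLAN
    unauthorized: set = field(default_factory=set)    # clients parked in unauth-vid

    def client_authenticated(self, client: str, radius_vid: Optional[int] = None):
        """RADIUS accepted the client: decide whether it gets network access."""
        vid = resolve_session_vlan(radius_vid, self.auth_vid, self.static_untagged_vid)
        if vid is None:
            return ("blocked", "no-vlan")
        if len(self.authorized) >= self.client_limit:
            return ("blocked", "client-limit")
        if self.authorized and vid != self.active_vid:
            # The port's VLAN does not change while the first session lasts.
            return ("blocked", "vlan-mismatch")
        # A successful authentication drops any unauthorized-client session.
        self.unauthorized.clear()
        self.authorized[client] = vid
        self.active_vid = vid
        return ("authorized", vid)

    def client_failed(self, client: str):
        """RADIUS rejected the client (or timed out): park it in unauth-vid if allowed."""
        if self.unauth_vid is None:
            return ("blocked", "no-unauth-vid")
        if self.authorized and self.active_vid != self.unauth_vid:
            return ("blocked", "vlan-mismatch")
        self.unauthorized.add(client)
        return ("unauthorized", self.unauth_vid)

    def session_ended(self, client: str):
        """Logoff, reauth failure, link loss or a client move ends the session."""
        self.authorized.pop(client, None)
        if not self.authorized:
            self.active_vid = None   # port returns to its pre-authentication state


if __name__ == "__main__":
    port = AuthPort(static_untagged_vid=1, auth_vid=20, unauth_vid=99)
    print(port.client_failed("guest"))                          # parked in VLAN 99
    print(port.client_authenticated("printer", radius_vid=100))  # port moves to 100
    print(port.client_authenticated("laptop"))                   # blocked: auth-vid 20 != 100
    port.session_ended("printer")
    print(port.client_authenticated("laptop"))                   # now authorized on 20
```

The “vlan-mismatch” outcomes are the ones that surprise operators in practice: a correctly authenticated client is blocked not because RADIUS rejected it but because another client already holds the port in a different VLAN, which is why the manual advises putting clients that need different VLANs on different ports.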
Note on Web/MAC Authentication and LACP: The switch does not allow Web or MAC Authentication and LACP to both be enabled at the same time on the same port. The switch automatically disables LACP on ports configured for Web or MAC Authentication.
General Setup Procedure for Web/MAC Authentication
Note: Web and MAC Authentication are available on these current HP ProCurve
switch models:
■ HP ProCurve Series 2600 and 2600-PWR Switches
■ HP ProCurve Series 2800 Switches
Do These Steps Before You Configure Web/MAC Authentication
1. Configure a local username and password on the switch for both the
Operator (login) and Manager (enable) access levels. (While this is not
required for a Web- or MAC-based configuration, HP recommends that
you use a local user name and password pair, at least until your other
security measures are in place, to protect the switch configuration from
unauthorized access.)
2. Determine which ports on the switch you want to operate as authenticators. Note that before you configure Web- or MAC-based authentication on a port operating in an LACP trunk, you must remove the port from the trunk. (Refer to the “Note on Web/MAC Authentication and LACP” on page 3-12.)
3. Determine whether any VLAN assignments are needed for authenticated clients.
a. If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. Note that the VLAN must be statically configured on the switch.
b. If there is no RADIUS-assigned VLAN, the port can join an “Authorized
VLAN” for the duration of the client session, if you choose to configure
one. This must be a port-based, statically configured VLAN on the
switch.
c. If there is neither a RADIUS-assigned VLAN nor an “Authorized VLAN”
for an authenticated client session on a port, then the port’s VLAN
membership remains unchanged during authenticated client sessions. In this case, configure the port for the VLAN in which you want
it to operate during client sessions.
Note that when configuring a RADIUS server to assign a VLAN, you can
use either the VLAN’s name or VID. For example, if a VLAN configured in
the switch has a VID of 100 and is named vlan100, you could configure the
RADIUS server to use either “100” or “vlan100” to specify the VLAN.
4. Determine whether to use the optional “Unauthorized VLAN” mode for
clients that the RADIUS server does not authenticate. This VLAN must be
statically configured on the switch. If you do not configure an “Unauthorized VLAN”, the switch simply blocks access to unauthenticated clients
trying to use the port.
5. Determine the authentication policy you want on the RADIUS server and
configure the server. Refer to the documentation provided with your
RADIUS application and include the following in the policy for each client
or client device:
• The CHAP-RADIUS authentication method.
• An encryption key
• One of the following:
– If you are configuring Web-based authentication, include the user
name and password for each authorized client.
– If you are configuring MAC-based authentication, enter the
device MAC address in both the username and password fields of
the RADIUS policy configuration for that device. Also, if you want
to allow a particular device to receive authentication only
through a designated port and switch, include this in your policy.
6. Determine the IP address of the RADIUS server(s) you will use to support Web- or MAC-based authentication. (For information on configuring the switch to access RADIUS servers, refer to “Configuring the Switch To Access a RADIUS Server” on page 3-15.)
Additional Information for Configuring the RADIUS Server To Support MAC Authentication
On the RADIUS server, configure the client device authentication in the same
way that you would any other client, except:
■ Configure the client device’s (hexadecimal) MAC address as both
username and password. Be careful to configure the switch to use the
same format that the RADIUS server uses. Otherwise, the server will
deny access. The switch provides four format options:
aabbccddeeff (the default format)
aabbcc-ddeeff
aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
Note on MAC Addresses: Letters in MAC addresses must be in lowercase.
■ If the device is a switch or other VLAN-capable device, use the base
MAC address assigned to the device, and not the MAC address
assigned to the VLAN through which the device communicates with
the authenticator switch. Note that each switch covered by this guide
applies a single MAC address to all VLANs configured in the switch.
Thus, for a given switch, the MAC address is the same for all VLANs
configured on the switch. (Refer to the chapter titled “Static Virtual
LANs (VLANs)” in the Advanced Traffic Management Guide for your
switch.)
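To make the format-matching requirement above concrete (together with step 5 of the setup procedure, where the MAC address goes in both the username and password fields and may be locked to one switch and port), here is an added Python helper written for this page; it is not HP or switch code. It normalizes a MAC address into each of the four formats the switch can send, checks whether a username stored on the server matches the switch’s setting (both delimiter and case), and emits a RADIUS policy entry. The FreeRADIUS users-file syntax, the use of NAS-IP-Address and NAS-Port for the switch-and-port lock, and the format keyword names (no-delimiter, single-dash, multi-dash, multi-colon) are assumptions not stated on this page; the VLAN value in the reply may be the VID or the VLAN name, as the setup procedure notes.

```python
"""MAC-Auth credential helper: normalize a MAC into the switch's addr-format,
verify the server-side entry matches, and emit a RADIUS policy entry.

Added illustration, not HP or switch code. The FreeRADIUS "users" file
syntax and the NAS-IP-Address / NAS-Port lock are assumptions.
"""
import re

# The four formats listed in the manual. Keyword names are assumed labels.
ADDR_FORMATS = {
    "no-delimiter": lambda h: h,                                        # aabbccddeeff (default)
    "single-dash":  lambda h: f"{h[:6]}-{h[6:]}",                      # aabbcc-ddeeff
    "multi-dash":   lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),  # aa-bb-cc-dd-ee-ff
    "multi-colon":  lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),  # aa:bb:cc:dd:ee:ff
}


def normalize_mac(mac: str) -> str:
    """Strip any delimiters, validate 12 hex digits, and lowercase (the switch
    sends lowercase letters, so the server entry must be lowercase too)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits.lower()


def format_mac(mac: str, addr_format: str = "no-delimiter") -> str:
    """Render a MAC exactly as the switch would send it for the given addr-format."""
    return ADDR_FORMATS[addr_format](normalize_mac(mac))


def formats_match(switch_format: str, server_username: str) -> bool:
    """True only if the username stored on the RADIUS server is byte-for-byte
    what the switch will send; a delimiter or case mismatch means Access-Reject."""
    return server_username == format_mac(server_username, switch_format)


def radius_entry(mac: str, addr_format: str = "no-delimiter", vlan=None,
                 nas_ip: str = None, nas_port: int = None) -> str:
    """Build a FreeRADIUS users-file entry (assumed syntax): the MAC is both the
    username and the password; NAS-IP-Address / NAS-Port optionally lock the
    device to one switch and port; Tunnel-* attributes assign a VLAN (VID or name)."""
    cred = format_mac(mac, addr_format)
    checks = [f'Cleartext-Password := "{cred}"']
    if nas_ip:
        checks.append(f"NAS-IP-Address == {nas_ip}")
    if nas_port is not None:
        checks.append(f"NAS-Port == {nas_port}")
    lines = [f"{cred}\t" + ", ".join(checks)]
    if vlan is not None:
        lines += ["\tTunnel-Type = VLAN,",
                  "\tTunnel-Medium-Type = IEEE-802,",
                  f'\tTunnel-Private-Group-Id = "{vlan}"']
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a printer's MAC as a vendor label might print it.
    label = "00:1B:2C:3D:4E:5F"
    for name in ADDR_FORMATS:
        print(f"{name:13} {format_mac(label, name)}")
    print(formats_match("multi-dash", "00-1B-2C-3D-4E-5F"))   # False: uppercase
    print(radius_entry(label, vlan="vlan100", nas_ip="192.168.32.1", nas_port=7))
```

Running formats_match against every MAC entry exported from the server before changing the switch’s addr-format is a cheap way to catch the silent-reject failure the manual warns about.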
Configuring the Switch To Access a RADIUS Server
RADIUS Server Configuration Commands
radius-server [host < ip-address >] [key < global-key-string >]
radius-server host < ip-address > [key < server-specific-key-string >]
This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC-Auth. For information on other RADIUS command options, refer to “RADIUS Authentication and Accounting”.
Syntax: [no] radius-server host < ip-address >
Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to “RADIUS Authentication and Accounting” on page 5-1.)
Syntax: radius-server key < global-key-string >
Specifies the global encryption key the switch uses with servers for which the switch does not have a server-specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. (Default: Null.)
Syntax: [no] radius-server host < ip-address > key < server-specific-key-string >
Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key, above. The no form of the command removes the key configured for a specific server.
For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of ‘2Pzo22’:
HPswitch(config)# radius-server host 192.168.32.11 key 2Pzo22
HPswitch(config)# show radius
Figure 3-4. Example of Configuring a Switch To Access a RADIUS Server
Configuring Web Authentication on the Switch
This feature is available only on the Series 2600, 2600-PWR, and 2800
Switches.
Overview
1. If you have not already done so, configure a local username and password
pair on the switch.
2. Identify or create a redirect URL for use by authenticated clients. HP
recommends that you provide a redirect URL when using Web Authentication. If a redirect URL is not specified, web browser behavior following
authentication may not be acceptable.
3. If you plan to use multiple VLANs with Web Authentication, ensure that
these VLANs are configured on the switch and that the appropriate port
assignments have been made. Also, confirm that the VLAN used by
authorized clients can access the redirect URL.
4. Use the ping command in the switch console interface to ensure that the
switch can communicate with the RADIUS server you have configured to
support Web-Auth on the switch.
5. Configure the switch with the correct IP address and encryption key to
access the RADIUS server.
6. Configure the switch for Web-Auth:
a. Configure Web Authentication on the switch ports you want to use.
b. If necessary to avoid address conflicts with the secure network, specify the base IP address and mask to be used by the switch for temporary DHCP addresses. The lease length for these temporary IP addresses may also be set.
c. If you plan to use SSL for logins, configure and enable SSL on the switch before you specify it for use with Web-Auth.
d. Configure the switch to use the redirect URL for authorized clients.
7. Test both authorized and unauthorized access to your system to ensure
that Web Authentication works properly on the ports you have configured
for port-access using Web Authentication.
Note: Client web browsers may not use a proxy server to access the network.
Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid IP address (not a multicast address). The valid mask range is <255.255.240.0 - 255.255.255.0>.
(Default: 192.168.0.0/255.255.255.0)
Syntax: [no] aaa port-access web-based [e] <port-list> [auth-vid <vid>]
Specifies the VLAN to use for an authorized client. The RADIUS server can override the value (accept-response includes a vid). If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one.
Use the no form of the command to set the auth-vid to 0.
(Default: 0)
Allows client moves between the specified ports under
Web Auth control. When enabled, the switch allows
clients to move without requiring a re-authentication.
When disabled, the switch does not allow moves and when one does occur, the user will be forced to re-authenticate. At least two ports (from port(s) and to port(s)) must be specified.
Use the no form of the command to disable client moves
between ports under Web Auth control.
(Default: disabled – no moves allowed)
Syntax: aaa port-access web-based [e] <port-list> [logoff-period <60-9999999>]
Specifies the period, in seconds, that the switch
enforces for an implicit logoff. This parameter is
equivalent to the MAC age interval in a traditional
switch sense. If the switch does not see activity after a
logoff-period interval, the client is returned to its preauthentication state. (Default: 300 seconds)
Specifies the number of times a client can enter their user name and password before authentication fails. This allows the reentry of the user name and password if necessary.
(Default: 3)
Specifies the time period, in seconds, the switch should
wait before attempting an authentication request for
a client that failed authentication.
(Default: 60 seconds)
Specifies the time period, in seconds, the switch
enforces on a client to re-authenticate. When set to 0,
reauthentication is disabled. (Default: 300 seconds)
Syntax: [no] aaa port-access web-based [e] <port-list> [redirect-url <url>]
Specifies the URL that a user is redirected to after a
successful login. Any valid, fully-formed URL may be
used, for example, http://welcome-server/welcome.htm
or http://192.22.17.5. HP recommends that you provide
a redirect URL when using Web Authentication.
Use the no form of the command to remove a specified
redirect URL.
(Default: There is no default URL. Browser behavior
for authenticated clients may not be acceptable.)
Specifies the period, in seconds, the switch waits for a
server response to an authentication request. Depending on the current max-requests value, the switch sends
a new attempt or ends the authentication session.
(Default: 30 seconds)
Enables or disables SSL login (https on port 443). SSL
must be enabled on the switch.
If SSL login is enabled, a user is redirected to a secure
page, where they enter their username and password.
If SSL login is disabled, a user is not redirected to a
secure page to enter their credentials.
Use the no form of the command to disable SSL login.
(Default: disabled)
Syntax: [no] aaa port-access web-based [e] <port-list> [unauth-vid <vid>]
Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur.
Use the no form of the command to set the unauth-vid to 0.
(Default: 0)
Configuring MAC Authentication on the Switch
This feature is available only on the Series 2600, 2600-PWR, and 2800
Switches.
Overview
1. If you have not already done so, configure a local username and password
pair on the switch.
2. If you plan to use multiple VLANs with MAC Authentication, ensure that
these VLANs are configured on the switch and that the appropriate port
assignments have been made.
3. Use the ping command in the switch console interface to ensure that the
switch can communicate with the RADIUS server you have configured to
support MAC-Auth on the switch.
4. Configure the switch with the correct IP address and encryption key to
access the RADIUS server.
5. Configure the switch for MAC-Auth:
a. Configure MAC Authentication on the switch ports you want to use.
6. Test both the authorized and unauthorized access to your system to
ensure that MAC Authentication works properly on the ports you have
configured for port-access.
Specifies the MAC address format to be used in the
RADIUS request message. This format must match the
format used to store the MAC addresses in the RADIUS
server. (Default: no-delimiter)
no-delimiter — specifies an aabbccddeeff format.
single-dash — specifies an aabbcc-ddeeff format.
multi-dash — specifies an aa-bb-cc-dd-ee-ff format.
multi-colon — specifies an aa:bb:cc:dd:ee:ff format.
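An added example (not from the manual): a Python helper that renders a MAC address in each of the four addr-format shapes listed above and audits a RADIUS user list for entries a MAC-Auth request from the switch will never match. Lowercase hex digits and the SAMPLE_RADIUS_USERS list are assumptions of this example, not switch or server behaviour documented here.

```python
import re

# Shape of each addr-format value the switch offers: (delimiter, hex digits per group).
ADDR_FORMATS = {
    "no-delimiter": ("", 12),   # aabbccddeeff
    "single-dash":  ("-", 6),   # aabbcc-ddeeff
    "multi-dash":   ("-", 2),   # aa-bb-cc-dd-ee-ff
    "multi-colon":  (":", 2),   # aa:bb:cc:dd:ee:ff
}

# Strict pattern per format, used to recognise which format a stored username is in.
FORMAT_PATTERNS = {
    "no-delimiter": re.compile(r"^[0-9a-f]{12}$"),
    "single-dash":  re.compile(r"^[0-9a-f]{6}-[0-9a-f]{6}$"),
    "multi-dash":   re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),
    "multi-colon":  re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),
}


def normalize_mac(mac: str) -> str:
    """Strip any delimiters and return the 12 hex digits in lowercase.
    Raises ValueError for anything that is not a 48-bit MAC address."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, addr_format: str = "no-delimiter") -> str:
    """Render a MAC address in the given addr-format, the shape the switch uses
    for the user name in its RADIUS request. Lowercase output is an assumption
    of this example; confirm the case your switch sends against your server."""
    sep, group = ADDR_FORMATS[addr_format]
    digits = normalize_mac(mac)
    return sep.join(digits[i:i + group] for i in range(0, 12, group))


def detect_format(username: str):
    """Return the addr-format name a stored username matches, or None."""
    for name, pattern in FORMAT_PATTERNS.items():
        if pattern.match(username.lower()):
            return name
    return None


def audit_radius_usernames(usernames, addr_format: str):
    """Return the stored usernames that a switch configured with addr_format
    will never match. Each such entry means that client fails MAC-Auth, so run
    this against the user store before enabling MAC-Auth on a port."""
    return [u for u in usernames if detect_format(u) != addr_format]


# Constructed sample of a RADIUS user store: two well-formed entries and two
# that a switch using the default no-delimiter format will never match.
SAMPLE_RADIUS_USERS = [
    "001b2c3d4e5f",
    "0a1b2c3d4e5f",
    "00-1b-2c-3d-4e-60",   # stored in multi-dash format
    "printer-01",          # not a MAC address at all
]

if __name__ == "__main__":
    for fmt in ADDR_FORMATS:
        print(f"{fmt:13s} {format_mac('00:1B:2C:3D:4E:5F', fmt)}")
    print("mismatched:", audit_radius_usernames(SAMPLE_RADIUS_USERS, "no-delimiter"))
```

The audit is the check to run when MAC-Auth clients show up as rejected even though the RADIUS server is reachable: a user entry stored in the wrong format is indistinguishable, from the switch's side, from invalid credentials.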
Allows client moves between the specified ports under
MAC Auth control. When enabled, the switch allows
addresses to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one does occur, the user will be forced to re-authenticate. At least two ports (from port(s) and to port(s)) must be specified.
Use the no form of the command to disable MAC address
moves between ports under MAC Auth control.
(Default: disabled – no moves allowed)
Syntax: [no] aaa port-access mac-based [e] <port-list> [auth-vid <vid>]
Specifies the VLAN to use for an authorized client. The
Radius server can override the value (accept-response
includes a vid). If auth-vid is 0, no VLAN changes occur
unless the RADIUS server supplies one.
Use the no form of the command to set the auth-vid to 0.
(Default: 0).
Specifies the period, in seconds, that the switch
enforces for an implicit logoff. This parameter is
equivalent to the MAC age interval in a traditional
switch sense. If the switch does not see activity after a
logoff-period interval, the client is returned to its preauthentication state. (Default: 300 seconds)
Specifies the time period, in seconds, the switch should
wait before attempting an authentication request for
a MAC address that failed authentication.
(Default: 60 seconds)
Specifies the time period, in seconds, the switch
enforces on a client to re-authenticate. When set to 0,
reauthentication is disabled. (Default: 300 seconds)
Specifies the period, in seconds, the switch waits for a
server response to an authentication request. Depending on the current max-requests value, the switch sends
a new attempt or ends the authentication session.
(Default: 30 seconds)
Syntax: [no] aaa port-access mac-based [e] <port-list> [unauth-vid <vid>]
Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur.
Use the no form of the command to set the unauth-vid to 0.
(Default: 0)
Show Status and Configuration of Web-Based Authentication
Command                                                Page
show port-access [port-list] web-based                 3-26
    [clients]                                          3-26
    [config]                                           3-26
    [config [auth-server]]                             3-27
    [config [web-server]]                              3-27
show port-access port-list web-based config detail     3-27
Syntax: show port-access [port-list] web-based
Shows the status of all Web-Authentication enabled
ports or the specified ports. The number of authorized
and unauthorized clients is listed for each port, as well
as its current VLAN ID. Ports without Web Authentication enabled are not listed.
Syntax: show port-access [port-list] web-based [clients]
Shows the port address, Web address, session status,
and elapsed session time for attached clients on all
ports or the specified ports. Ports with multiple clients
have an entry for each attached client. Ports without
any attached clients are not listed.
Syntax: show port-access [port-list] web-based [config]
Shows Web Authentication settings for all ports or the
specified ports, including the temporary DHCP base
address and mask. The authorized and unauthorized
VLAN IDs are shown. If the authorized or unauthorized VLAN ID is 0 then no VLAN change is made,
unless the RADIUS server supplies one.
Syntax: show port-access [port-list] web-based [config [auth-server]]
Shows Web Authentication settings for all ports or the
specified ports, along with the RADIUS server specific
settings for the timeout wait, the number of timeout
failures before authentication fails, and the length of
time between authentication requests.
Syntax: show port-access [port-list] web-based [config [web-server]]
Shows Web Authentication settings for all ports or the
specified ports, along with the web specific settings for
password retries, SSL login status, and a redirect URL,
if specified.
Syntax: show port-access port-list web-based config detail
Shows all Web Authentication settings, including the
Radius server specific settings for the specified ports.
Show Status and Configuration of MAC-Based Authentication
Command                                                Page
show port-access [port-list] mac-based                 3-28
    [clients]                                          3-28
    [config]                                           3-28
    [config [auth-server]]                             3-28
show port-access port-list mac-based config detail     3-29
Syntax: show port-access [port-list] mac-based
Shows the status of all MAC-Authentication enabled ports or the specified ports. The number of authorized and unauthorized clients is listed for each port, as well as its current VLAN ID. Ports without MAC Authentication enabled are not listed.
Syntax: show port-access [port-list] mac-based [clients]
Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports. Ports with multiple clients have an entry for each attached client. Ports without any attached clients are not listed.
Syntax: show port-access [port-list] mac-based [config]
Shows MAC Authentication settings for all ports or the
specified ports, including the MAC address format
being used. The authorized and unauthorized VLAN
IDs are shown. If the authorized or unauthorized
VLAN ID is 0 then no VLAN change is made, unless the
RADIUS server supplies one.
Syntax: show port-access [port-list] mac-based [config [auth-server]]
Shows MAC Authentication settings for all ports or the
specified ports, along with the Radius server specific
settings for the timeout wait, the number of timeout
failures before authentication fails, and the length of
time between authentication requests.
Syntax: show port-access port-list mac-based config detail
Shows all MAC Authentication settings, including the
Radius server specific settings for the specified ports.
Client Status
The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command.
Client Status         | Network Access         | Possible Explanations
authenticated         | Authorized VLAN        | Connected until logoff-period or reauth-period expires.
authenticating        | Switch only            | Pending RADIUS request.
rejected-no vlan      | No network access      | 1. Invalid credentials supplied. 2. RADIUS Server difficulties. See log file. 3. If unauth-vid is specified it cannot be successfully applied to the port. An authorized client on the port has precedence.
rejected-unauth vlan  | Unauthorized VLAN only | 1. Invalid credentials supplied. 2. RADIUS Server difficulties. See log file.
timed out-no vlan     | No network access      | RADIUS request timed out. If unauth-vid is specified it cannot be successfully applied to the port. An authorized client on the port has precedence. Credentials resubmitted after quiet-period expires.
timed out-unauth vlan | Unauthorized VLAN only | RADIUS request timed out. After the quiet-period expires credentials are resubmitted when client generates traffic.
unauthenticated       | Switch only            | Waiting for user credentials.
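An added example, not part of the manual, that models how the logoff-period, reauth-period, quiet-period, server-timeout and max-requests parameters described in the Web and MAC Authentication command sections drive the client statuses in the table above. PortAccessTimers, ClientSession and the seconds-based clock are constructed for this illustration; after the quiet period it treats a Web-Auth client the same as a MAC-Auth client (traffic restarts authentication), and the "Authorized VLAN" wording for an authenticated client is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortAccessTimers:
    """Per-port timer parameters, with the defaults the manual lists (seconds)."""
    logoff_period: int = 300    # implicit logoff after this much client inactivity
    reauth_period: int = 300    # forced re-authentication interval; 0 disables it
    quiet_period: int = 60      # wait before a failed client may try again
    server_timeout: int = 30    # wait for a RADIUS reply to one request
    max_requests: int = 3       # requests sent before the session times out


@dataclass
class ClientSession:
    """One client on a Web/MAC-Auth port. Status words follow the 'show ... clients'
    table; the '-no vlan' / '-unauth vlan' suffix depends on whether an unauth-vid
    is configured for the port."""
    timers: PortAccessTimers
    unauth_vid: int = 0
    auth_vid: int = 0
    state: str = "unauthenticated"
    last_activity: float = 0.0
    authenticated_at: Optional[float] = None
    failed_at: Optional[float] = None
    request_sent_at: Optional[float] = None
    requests_sent: int = 0

    @property
    def status(self) -> str:
        if self.state in ("rejected", "timed out"):
            return self.state + ("-unauth vlan" if self.unauth_vid else "-no vlan")
        return self.state

    @property
    def network_access(self) -> str:
        if self.state == "authenticated":
            return "Authorized VLAN"
        if self.state in ("rejected", "timed out"):
            return "Unauthorized VLAN only" if self.unauth_vid else "No network access"
        return "Switch only"   # unauthenticated or authenticating

    def start_auth(self, now: float) -> None:
        """Credentials entered (Web) or first frame seen (MAC): send request 1."""
        self.state = "authenticating"
        self.request_sent_at = now
        self.requests_sent = 1
        self.last_activity = now

    def radius_reply(self, now: float, accepted: bool) -> None:
        """An Accept or Reject from the server ends the pending request."""
        self.request_sent_at = None
        if accepted:
            self.state = "authenticated"
            self.authenticated_at = now
            self.last_activity = now
        else:
            self.state = "rejected"
            self.failed_at = now

    def traffic(self, now: float) -> None:
        """Client frame seen: refreshes the logoff timer when authenticated; after the
        quiet period, a failed client's traffic causes credentials to be resubmitted."""
        if self.state == "authenticated":
            self.last_activity = now
        elif self.state in ("rejected", "timed out") and now - self.failed_at >= self.timers.quiet_period:
            self.start_auth(now)

    def tick(self, now: float) -> Optional[str]:
        """Advance the clock; returns the reason for any state change, else None."""
        t = self.timers
        if self.state == "authenticating" and now - self.request_sent_at >= t.server_timeout:
            if self.requests_sent < t.max_requests:
                self.requests_sent += 1            # new attempt after server-timeout
                self.request_sent_at = now
                return "server-timeout: request resent"
            self.state = "timed out"               # max-requests exhausted
            self.failed_at = now
            self.request_sent_at = None
            return "max-requests exhausted: timed out"
        if self.state == "authenticated":
            if t.reauth_period and now - self.authenticated_at >= t.reauth_period:
                self.state = "unauthenticated"
                return "reauth-period expired"
            if now - self.last_activity >= t.logoff_period:
                self.state = "unauthenticated"
                return "logoff-period expired: implicit logoff"
        return None


if __name__ == "__main__":
    s = ClientSession(PortAccessTimers())
    s.start_auth(0)
    for now in (30, 60, 90):          # no RADIUS answer: three requests, then time out
        print(now, s.tick(now), s.status, s.network_access)
    s.traffic(150)                    # quiet-period over: traffic restarts authentication
    print(150, s.status)
```

With the defaults a client whose RADIUS server never answers sits in "authenticating" for max-requests × server-timeout (90 seconds), then shows "timed out-no vlan" with no network access unless an unauth-vid is set; these are the statuses to look for in show port-access ... clients when diagnosing a RADIUS reachability or shared-secret problem.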
Feature                                                | Default  | Menu | CLI       | Web
view the switch’s authentication configuration         | n/a      | —    | page 4-9  | —
view the switch’s TACACS+ server contact configuration | n/a      | —    | page 4-10 | —
configure the switch’s authentication methods          | disabled | —    | page 4-11 | —
configure the switch to contact TACACS+ server(s)      | disabled | —    | page 4-15 | —
TACACS+ authentication enables you to use a central server to allow or deny
access to the switch (and other TACACS-aware devices) in your network. This
means that you can use a central database to create multiple unique username/
password sets with associated privilege levels for use by individuals who have
reason to access the switch from either the switch’s console port (local
access) or Telnet (remote access).
Figure 4-1. Example of TACACS+ Operation
(Figure not reproduced. It shows a Primary TACACS+ Server, an HP ProCurve Switch configured for TACACS+ operation, Terminal “A” directly accessing the switch via the switch’s console port, and Terminal “B” remotely accessing the switch via Telnet. The legend marks Access Request and TACACS Server Response arrows; A1 - A4 is the path for the request from Terminal A (through the console port) and B1 - B4 is the path for the request from Terminal B (through Telnet).)
The switch passes the login requests from terminals A and B to the TACACS+ server for authentication. The TACACS+ server determines whether to allow access to the switch and what privilege level to allow for a given access request.
TACACS+ in the switch manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.
TACACS+ Authentication
Notes: The software does not support TACACS+ authorization or accounting services.
TACACS+ does not affect web browser interface access. See “Controlling Web Browser Interface Access” on page 4-24.
Terminology Used in TACACS Applications:
■ NAS (Network Access Server): This is an industry term for a
TACACS-aware device that communicates with a TACACS server for
authentication services. Some other terms you may see in literature
describing TACACS operation are communication server, remote access server, or terminal server. These terms apply when TACACS+
is enabled on the switch (that is, when the switch is TACACS-aware).
■ TACACS+ Server: The server or management station configured as
an access control server for TACACS-enabled devices. To use
TACACS+ with the switch and any other TACACS-capable devices in
your network, you must purchase, install, and configure a TACACS+
server application on a networked server or management station in
the network. The TACACS+ server application you install will provide
various options for access control and access notifications. For more
on the TACACS+ services available to you, see the documentation
provided with the TACACS+ server application you will use.
■ Authentication: The process for granting user access to a device
through entry of a user name and password and comparison of this
username/password pair with previously stored username/password
data. Authentication also grants levels of access, depending on the
privileges assigned to a user name and password pair by a system
administrator.
• Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager-level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser interface. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must distribute the password information on each switch to everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to “Configuring Username and Password Security” on page 2-1.)
• TACACS+ Authentication: This method enables you to use a TACACS+ server in your network to assign a unique password, user name, and privilege level to each individual or group who needs access to one or more switches or other TACACS-aware devices. This allows you to administer primary authentication from a central server, and to do so with more options than you have when using only local authentication. (You will still need to use local authentication as a backup if your TACACS+ servers become unavailable.) This means, for example, that you can use a central TACACS+ server to grant, change, or deny access to a specific individual on a specific switch instead of having to change local user name and password assignments on the switch itself, and then have to notify other users of the change.
General System Requirements
To use TACACS+ authentication, you need the following:
■ A TACACS+ server application installed and configured on one or
more servers or management stations in your network. (There are
several TACACS+ software packages available.)
■ A switch configured for TACACS+ authentication, with access to one
or more TACACS+ servers.
Notes: The effectiveness of TACACS+ security depends on correctly using your
TACACS+ server application. For this reason, HP recommends that you
thoroughly test all TACACS+ configurations used in your network.
TACACS-aware HP switches include the capability of configuring multiple
backup TACACS+ servers. HP recommends that you use a TACACS+ server
application that supports a redundant backup installation. This allows you to
configure the switch to use a backup TACACS+ server if it loses access to the
first-choice TACACS+ server.
TACACS+ does not affect web browser interface access. Refer to “Controlling
Web Browser Interface Access When Using TACACS+ Authentication” on
page 4-24.
General Authentication Setup Procedure
It is important to test the TACACS+ service before fully implementing it.
Depending on the process and parameter settings you use to set up and test
TACACS+ authentication in your network, you could accidentally lock all
users, including yourself, out of access to a switch. While recovery is simple,
it may pose an inconvenience that can be avoided. To prevent an unintentional
lockout on a switch, use a procedure that configures and tests TACACS+
protection for one access type (for example, Telnet access), while keeping the
other access type (console, in this case) open in case the Telnet access fails
due to a configuration problem. The following procedure outlines a general
setup procedure.
Note: If a complete access lockout occurs on the switch as a result of a TACACS+
configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your
switch.
1. Familiarize yourself with the requirements for configuring your
TACACS+ server application to respond to requests from a switch. (Refer
to the documentation provided with the TACACS+ server software.) This
includes knowing whether you need to configure an encryption key. (See
“Using the Encryption Key” on page 4-23.)
2. Determine the following:
• The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services.
• The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).
• The number of log-in attempts you will allow before closing a log-in session. (Default: 3)
• The period you want the switch to wait for a reply to an authentication request before trying another server.
• The username/password pairs you want the TACACS+ server to use for controlling access to the switch.
• The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.
• The username/password pairs you want to use for local authentication (one pair each for Operator and Manager levels).
3. Plan and enter the TACACS+ server configuration needed to support
TACACS+ operation for Telnet access (login and enable) to the switch.
This includes the username/password sets for logging in at the Operator
(read-only) privilege level and the sets for logging in at the Manager (read/
write) privilege level.
Note on Privilege Levels:
When a TACACS+ server authenticates an access request from a switch,
it includes a privilege level code for the switch to use in determining which
privilege level to grant to the terminal requesting access. The switch
interprets a privilege level code of “15” as authorization for the Manager
(read/write) privilege level access. Privilege level codes of 14 and lower
result in Operator (read-only) access. Thus, when configuring the
TACACS+ server response to a request that includes a username/password pair that should have Manager privileges, you must use a privilege
level of 15. For more on this topic, refer to the documentation you received
with your TACACS+ server application.
If you are a first-time user of the TACACS+ service, HP recommends that
you configure only the minimum feature set required by the TACACS+
application to provide service in your network environment. After you
have success with the minimum feature set, you may then want to try
additional features that the application offers.
4. Ensure that the switch has the correct local username and password for
Manager access. (If the switch cannot find any designated TACACS+
servers, the local manager and operator username/password pairs are
always used as the secondary access control method.)
Caution: You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet.
5. Using a terminal device connected to the switch’s console port, configure
the switch for TACACS+ authentication only for telnet login access and
telnet enable access. At this stage, do not configure TACACS+ authentication for console access to the switch, as you may need to use the
console for access if the configuration for the Telnet method needs
debugging.
6. Ensure that the switch is configured to operate on your network and can
communicate with your first-choice TACACS+ server. (At a minimum,
this requires IP addressing and a successful ping test from the switch to
the server.)
7. On a remote terminal device, use Telnet to attempt to access the switch.
If the attempt fails, use the console access to check the TACACS+
configuration on the switch. If you make changes in the switch configuration, check Telnet access again. If Telnet access still fails, check the
configuration in your TACACS+ server application for mis-configurations or missing data that could affect the server’s interoperation with
the switch.
8. After your testing shows that Telnet access using the TACACS+ server is
working properly, configure your TACACS+ server application for
console access. Then test the console access. If access problems occur,
check for and correct any problems in the switch configuration, and then
test console access again. If problems persist, check your TACACS+
server application for mis-configurations or missing data that could
affect the console access.
9. When you are confident that TACACS+ access through both Telnet and
the switch’s console operates properly, use the write memory command
to save the switch’s running-config file to flash memory.
Configuring TACACS+ on the Switch
Before You Begin
If you are new to TACACS+ authentication, HP recommends that you read the
“General Authentication Setup Procedure” on page 4-5 and configure your
TACACS+ server(s) before configuring authentication on the switch.
The switch offers three command areas for TACACS+ operation:
■ show authentication and show tacacs: Displays the switch’s TACACS+
configuration and status.
■ aaa authentication: A command for configuring the switch’s authentication methods
■ tacacs-server: A command for configuring the switch’s contact with
TACACS+ servers
CLI Commands Described in this Section
Command                          Page
show authentication              4-9
show tacacs                      4-10
aaa authentication               pages 4-11 through 4-14
    console
    Telnet
    num-attempts <1-10>
tacacs-server                    pages 4-15
    host <ip-addr>               pages 4-15
    key                          4-19
    timeout <1-255>              4-20
Viewing the Switch’s Current Authentication Configuration
This command lists the number of login attempts the switch allows in a single
login session, and the primary/secondary access methods configured for each
type of access.
Syntax: show authentication
This example shows the default authentication configuration.
Figure 4-2. Example Listing of the Switch’s Authentication Configuration
(Figure not reproduced. Its callouts identify the configuration for login and enable access to the switch through the switch console port, and the configuration for login and enable access to the switch through Telnet.)
Viewing the Switch’s Current TACACS+ Server Contact Configuration
This command lists the timeout period, encryption key, and the IP addresses
of the first-choice and backup TACACS+ servers the switch can contact.
Syntax: show tacacs
For example, if the switch was configured for a first-choice and two backup
TACACS+ server addresses, the default timeout period, and paris-1 for a
(global) encryption key, show tacacs would produce a listing similar to the
following:
Figure 4-3. Example of the Switch’s TACACS+ Configuration Listing
(Figure not reproduced. Its callouts identify the First-Choice, Second-Choice, and Third-Choice TACACS+ Server entries in the listing.)
Configuring the Switch’s Authentication Methods
The aaa authentication command configures the access control for console
port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local
authentication, or (for some secondary scenarios) no authentication (meaning
that if the primary method fails, authentication is denied). This command also
reconfigures the number of access attempts to allow in a session if the first
attempt uses an incorrect username/password pair.
Syntax: aaa authentication
< console | telnet >
Selects either console (serial port) or Telnet access for
configuration.
< enable | login >
Selects either the Manager (enable) or Operator (login)
access level.
< local | tacacs | radius >
Selects the type of security access:
local — Authenticates with the Manager and Operator
password you configure in the switch.
tacacs — Authenticates with a password and other
data configured on a TACACS+ server.
radius — Authenticates with a password and other
data configured on a RADIUS server. (Refer to
“RADIUS Authentication and Accounting” on page
5-1.)
[< local | none >]
If the primary authentication method fails, determines
whether to use the local password as a secondary method
or to disallow access.
aaa authentication num-attempts < 1-10 >
Specifies the maximum number of login attempts allowed in
the current session. Default: 3
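An added example (not from the manual) that encodes the primary/secondary semantics of the aaa authentication syntax above, the priv-lvl 15 rule from the Note on Privilege Levels, and the server-unavailable outcomes that Table 4-2 lists. AuthMethod, TacacsReply, decide_access and lockout_risk are names chosen for this illustration; the TacacsReply object stands in for a server answer and is constructed, not captured. Fallback to local passwords is modelled only for the unreachable-server case, as in Table 4-2; a reject from a reachable server is treated as final.

```python
from dataclasses import dataclass
from typing import List, Optional

MANAGER_PRIV_LVL = 15   # priv-lvl 15 -> Manager (read/write); 14 and lower -> Operator


@dataclass(frozen=True)
class AuthMethod:
    """One 'aaa authentication <console|telnet> <login|enable> <primary> [<secondary>]' line."""
    access: str                      # "console" or "telnet"
    level: str                       # "login" (Operator) or "enable" (Manager)
    primary: str                     # "local" or "tacacs"
    secondary: Optional[str] = None  # "local", "none", or None = not given on the command line

    def effective_secondary(self) -> str:
        """Secondary method the switch assigns when none is specified:
        tacacs primary -> local, local primary -> none (Table 4-1)."""
        if self.secondary is not None:
            return self.secondary
        return "local" if self.primary == "tacacs" else "none"


@dataclass(frozen=True)
class TacacsReply:
    """Constructed stand-in for the answer of a reachable TACACS+ server."""
    accepted: bool
    priv_lvl: int = 1


def privilege_from_priv_lvl(priv_lvl: int) -> str:
    return "Manager" if priv_lvl == MANAGER_PRIV_LVL else "Operator"


def decide_access(method: AuthMethod,
                  tacacs_reply: Optional[TacacsReply],
                  local_password_entered: Optional[str],
                  local_manager_password_set: bool = True) -> str:
    """Outcome of one login attempt under the given aaa authentication line.

    tacacs_reply is None when no configured TACACS+ server answers (the case
    Table 4-2 covers). local_password_entered is "manager", "operator" or None
    (wrong or no password) and only matters when local authentication is used.
    """
    if method.primary == "tacacs":
        if tacacs_reply is not None:
            # Server reachable: it decides, and its priv-lvl sets the privilege level.
            if not tacacs_reply.accepted:
                return "denied"
            return "granted:" + privilege_from_priv_lvl(tacacs_reply.priv_lvl)
        if method.effective_secondary() == "none":
            return "denied"          # server unavailable and no backup: locked out
        # Server unavailable, secondary local: fall through to the local passwords.
    if not local_manager_password_set:
        # The manual's Caution: without a local Manager password, access through
        # the console port or Telnet is open once TACACS+ authentication fails.
        return "granted:Manager"
    if local_password_entered == "manager":
        return "granted:Manager"
    if local_password_entered == "operator":
        return "granted:Operator"
    return "denied"


def lockout_risk(methods: List[AuthMethod]) -> List[AuthMethod]:
    """Lines that leave no way in through their access path while every TACACS+
    server is unreachable. Applying one to the console is the lockout the
    General Authentication Setup Procedure warns about."""
    return [m for m in methods if m.primary == "tacacs" and m.effective_secondary() == "none"]


if __name__ == "__main__":
    config = [
        AuthMethod("console", "login", "local"),
        AuthMethod("console", "enable", "local"),
        AuthMethod("telnet", "login", "tacacs"),           # secondary defaults to local
        AuthMethod("telnet", "enable", "tacacs", "none"),  # deny when servers are down
    ]
    for line in config:
        print(line.access, line.level, line.primary, line.effective_secondary())
    print("lockout risk:", lockout_risk(config))
```

Run stand-alone it prints the effective primary/secondary pair for each line, which is the same information show authentication reports, and flags the tacacs/none lines; checking a planned configuration this way before entering it on the console path is the point of step 5 of the setup procedure.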
Table 4-1. AAA Authentication Parameters
Name | Default | Range | Function
console -or- telnet | n/a | n/a | Specifies whether the command is configuring authentication for the console port or Telnet access method for the switch.
enable -or- login | n/a | n/a | Specifies the privilege level for the access method being configured.
local -or- tacacs | local | n/a | Specifies the primary method of authentication for the access method being configured. local: Use the username/password pair configured locally in the switch for the privilege level being configured.
local -or- none | none | n/a | Specifies the secondary (backup) type of authentication being configured. local: The username/password pair configured locally in the switch for the privilege level being configured. none: No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.) Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows: if the primary method is tacacs, the only secondary method is local; if the primary method is local, the default secondary method is none.
num-attempts | 3 | 1 - 10 | In a given session, specifies how many tries at entering the correct username/password pair are allowed before access is denied and the session terminated.
As shown in the next table, login and enable access is always available
locally through a direct terminal connection to the switch’s console port.
However, for Telnet access, you can configure TACACS+ to deny access if a
TACACS+ server goes down or otherwise becomes unavailable to the switch.

Table 4-2. Primary/Secondary Authentication Table

Access Method and Privilege Level | Primary | Secondary | Effect on Access Attempts
Console — Login  | local  | none*  | Local username/password access only.
Console — Login  | tacacs | local  | If Tacacs+ server unavailable, uses local username/password access.
Console — Enable | local  | none*  | Local username/password access only.
Console — Enable | tacacs | local  | If Tacacs+ server unavailable, uses local username/password access.
Telnet — Login   | local  | none*  | Local username/password access only.
Telnet — Login   | tacacs | local  | If Tacacs+ server unavailable, uses local username/password access.
Telnet — Login   | tacacs | none   | If Tacacs+ server unavailable, denies access.
Telnet — Enable  | local  | none*  | Local username/password access only.
Telnet — Enable  | tacacs | local  | If Tacacs+ server unavailable, uses local username/password access.
Telnet — Enable  | tacacs | none   | If Tacacs+ server unavailable, denies access.

*When “local” is the primary option, you can also select “local” as the
secondary option. However, in this case, a secondary “local” is meaningless
because the switch has only one local level of username/password protection.

Caution Regarding the Use of Local for Login Primary Access: During local
authentication (which uses passwords configured in the switch instead of in
a TACACS+ server), the switch grants read-only access if you enter the
Operator password, and read-write access if you enter the Manager password.
For example, if you configure authentication on the switch with Telnet Login
Primary as Local and Telnet Enable Primary as Tacacs, when you attempt to
Telnet to the switch, you will be prompted for a local password. If you enter
the switch’s local Manager password (or if there is no local Manager password
configured in the switch), you can bypass the TACACS+ server authentication
for Telnet Enable Primary and go directly to read-write (Manager) access.
Thus, for either the Telnet or console access method, configuring Login
Primary for Local authentication while configuring Enable Primary for
TACACS+ authentication is not recommended, as it defeats the purpose of
using the TACACS+ authentication. If you want Enable Primary log-in attempts
to go to a TACACS+ server, then you should configure both Login Primary and
Enable Primary for Tacacs authentication instead of configuring Login
Primary for Local authentication.
For example, here is a set of access options and the corresponding commands
to configure them:

Console Login (Operator or Read-Only) Access: Primary using TACACS+ server.
Secondary using Local.
HPswitch (config)# aaa authentication console login tacacs local

Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
Secondary using Local.
HPswitch (config)# aaa authentication console enable tacacs local

Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.
Secondary using Local.
HPswitch (config)# aaa authentication telnet login tacacs local

Telnet Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
Secondary using Local.
HPswitch (config)# aaa authentication telnet enable tacacs local

Deny Access and Close the Session After Failure of Two Consecutive
Username/Password Pairs:
HPswitch (config)# aaa authentication num-attempts 2
The tacacs-server command configures these parameters:
■ The host IP address(es) for up to three TACACS+ servers; one first-
choice and up to two backups. Designating backup servers provides
for a continuation of authentication services in case the switch is
unable to contact the first-choice server.
■ An optional encryption key. This key helps to improve security, and
must match the encryption key used in your TACACS+ server application. In some applications, the term “secret key” or “secret” may be
used instead of “encryption key”. If you need only one encryption key
for the switch to use in all attempts to authenticate through a
TACACS+ server, configure a global key. However, if the switch is
configured to access multiple TACACS+ servers having different
encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
■ The timeout value in seconds for attempts to contact a TACACS+
server. If the switch sends an authentication request, but does not
receive a response within the period specified by the timeout value,
the switch resends the request to the next server in its Server IP Addr
list, if any. If the switch still fails to receive a response from any
TACACS+ server, it reverts to whatever secondary authentication
method was configured using the aaa authentication command (local
or none; see “Configuring the Switch’s Authentication Methods” on
page 4-11.)
Note: As described under “General Authentication Setup Procedure” on page 4-5,
HP recommends that you configure, test, and troubleshoot authentication via
Telnet access before you configure authentication via console port access.
This helps to prevent accidentally locking yourself out of switch access due
to errors or problems in setting up authentication in either the switch or your
TACACS+ server.
Syntax: tacacs-server host < ip-addr > [key < key-string >]
    Adds a TACACS+ server and optionally assigns a server-specific
    encryption key.
[no] tacacs-server host < ip-addr >
    Removes a TACACS+ server assignment (including its server-specific
    encryption key, if any).
tacacs-server key < key-string >
    Enters the optional global encryption key.
[no] tacacs-server key
    Removes the optional global encryption key. (Does not affect any
    server-specific encryption key assignments.)
tacacs-server timeout < 1-255 >
    Changes the wait period for a TACACS server response. (Default:
    5 seconds.)
Note on Encryption Keys: Encryption keys configured in the switch must
exactly match the encryption keys configured in TACACS+ servers the switch
will attempt to use for authentication.

If you configure a global encryption key, the switch uses it only with servers
for which you have not also configured a server-specific key. Thus, a global
key is more useful where the TACACS+ servers you are using all have an
identical key, and server-specific keys are necessary where different
TACACS+ servers have different keys.

If TACACS+ server “X” does not have an encryption key assigned for the
switch, then configuring either a global encryption key or a server-specific key
in the switch for server “X” will block authentication support from server “X”.
Table 4-3. Details on Configuring TACACS Servers and Keys

tacacs-server host <ip-addr> (Default: none; Range: n/a)
    This command specifies the IP address of a device running a TACACS+
    server application. Optionally, it can also specify the unique, per-server
    encryption key to use when each assigned server has its own, unique key.
    For more on the encryption key, see “Using the Encryption Key” on page
    4-23 and the documentation provided with your TACACS+ server application.
    You can enter up to three IP addresses; one first-choice and two (optional)
    backups (one second-choice and one third-choice). Use show tacacs to view
    the current IP address list.
    If the first-choice TACACS+ server fails to respond to a request, the
    switch tries the second address, if any, in the show tacacs list. If the
    second address also fails, then the switch tries the third address, if any.
    (See figure 4-3, “Example of the Switch’s TACACS+ Configuration Listing”
    on page 4-10.)
    The priority (first-choice, second-choice, and third-choice) of a TACACS+
    server in the switch’s TACACS+ configuration depends on the order in which
    you enter the server IP addresses:
    1. When there are no TACACS+ servers configured, entering a server IP
       address makes that server the first-choice TACACS+ server.
    2. When there is one TACACS+ server already configured, entering another
       server IP address makes that server the second-choice (backup) TACACS+
       server.
    3. When there are two TACACS+ servers already configured, entering another
       server IP address makes that server the third-choice (backup) TACACS+
       server.
    • The above position assignments are fixed. Thus, if you remove one server
      and replace it with another, the new server assumes the priority position
      that the removed server had. For example, suppose you configured three
      servers, A, B, and C, in order:
          First-Choice: A
          Second-Choice: B
          Third-Choice: C
    • If you removed server B and then entered server X, the TACACS+ server
      order of priority would be:
          First-Choice: A
          Second-Choice: X
          Third-Choice: C
    • If there are two or more vacant slots in the TACACS+ server priority
      list and you enter a new IP address, the new address will take the vacant
      slot with the highest priority. Thus, if A, B, and C are configured as
      above and you (1) remove A and B, and (2) enter X and Y (in that order),
      then the new TACACS+ server priority list would be X, Y, and C.
    • The easiest way to change the order of the TACACS+ servers in the
      priority list is to remove all server addresses in the list and then
      re-enter them in order, with the new first-choice server address first,
      and so on.
    To add a new address to the list when there are already three addresses
    present, you must first remove one of the currently listed addresses.
    See also “General Authentication Process Using a TACACS+ Server” on page
    4-20.

[ key <key-string> ] (Default: none (null); Range: n/a)
    Specifies the optional, global “encryption key” that is also assigned in
    the TACACS+ server(s) that the switch will access for authentication. This
    option is subordinate to any “per-server” encryption keys you assign, and
    applies only to accessing TACACS+ servers for which you have not given the
    switch a “per-server” key. (See the host <ip-addr> [key <key-string>] entry
    at the beginning of this table.)
    For more on the encryption key, see “Using the Encryption Key” on page
    4-23 and the documentation provided with your TACACS+ server application.

timeout <1 - 255> (Default: 5 sec; Range: 1 - 255 sec)
    Specifies how long the switch waits for a TACACS+ server to respond to an
    authentication request. If the switch does not detect a response within
    the timeout period, it initiates a new request to the next TACACS+ server
    in the list. If all TACACS+ servers in the list fail to respond within the
    timeout period, the switch uses either local authentication (if
    configured) or denies access (if none is configured for local
    authentication).
Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose
that the switch was already configured to use TACACS+ servers at
10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first,
and so is listed as the first-choice server:

Figure 4-4. Example of the Switch with Two TACACS+ Server Addresses
Configured (callout: 10.28.227.15 is the First-Choice TACACS+ Server)

To move the “first-choice” status from the “15” server to the “10” server,
use the no tacacs-server host <ip-addr> command to delete both servers,
then use tacacs-server host <ip-addr> to re-enter the “10” server first,
then the “15” server. The servers would then be listed with the new
“first-choice” server, that is:

Figure 4-5. Example of the Switch After Assigning a Different
“First-Choice” Server (callout: the “10” server is now the “first-choice”
TACACS+ authentication device)

To remove the 10.28.227.15 device as a TACACS+ server, you would use this
command:
HPswitch(config)# no tacacs-server host 10.28.227.15
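To check what a sequence of tacacs-server commands will produce before typing it into a switch, the following added example (constructed here, not HP code) models the three fixed priority slots, the vacant-slot rule, the duplicate-address error and the per-server/global key precedence described in Table 4-3 and the note on encryption keys above. The class and method names are this example's own; the addresses and key strings used in the test are the ones on this page.

```python
"""Model of the ProCurve switch's TACACS+ server list, as described above.

Constructed example, not HP code: three fixed priority slots, a removed
server frees its slot (and loses its per-server key), a new address takes
the highest-priority vacant slot, and the global key is used only for
servers that have no server-specific key.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SERVERS = 3  # one first-choice server plus up to two backups


@dataclass
class TacacsServerList:
    # slots[0] is first-choice, slots[2] is third-choice; None means vacant
    slots: List[Optional[str]] = field(default_factory=lambda: [None] * MAX_SERVERS)
    server_keys: Dict[str, str] = field(default_factory=dict)  # ip -> per-server key
    global_key: Optional[str] = None                            # tacacs-server key
    timeout: int = 5                                            # tacacs-server timeout

    def add_host(self, ip: str, key: Optional[str] = None) -> str:
        """tacacs-server host <ip-addr> [key <key-string>]"""
        if ip in self.slots:
            return "Record already exists"          # the switch's own CLI message
        if None not in self.slots:
            return "error: three servers configured; remove one first"
        self.slots[self.slots.index(None)] = ip     # highest-priority vacant slot
        if key is not None:
            self.server_keys[ip] = key
        return "ok"

    def remove_host(self, ip: str) -> str:
        """no tacacs-server host <ip-addr>: frees the slot and drops its key."""
        if ip not in self.slots:
            return "error: server not configured"
        self.slots[self.slots.index(ip)] = None
        self.server_keys.pop(ip, None)
        return "ok"

    def priority_list(self) -> List[str]:
        """Order in which the switch tries the servers (as show tacacs lists them)."""
        return [ip for ip in self.slots if ip is not None]

    def key_for(self, ip: str) -> Optional[str]:
        """Key the switch will use for a server: the per-server key if there is
        one, otherwise the global key; None means clear-text TACACS+ packets."""
        return self.server_keys.get(ip, self.global_key)

    def reorder(self, new_order: List[str]) -> List[str]:
        """The recommended way to change priority: remove every address, then
        re-enter them in the wanted order. Per-server keys are re-supplied
        because the switch discards them together with the removed server."""
        saved_keys = dict(self.server_keys)
        for ip in self.priority_list():
            self.remove_host(ip)
        for ip in new_order:
            self.add_host(ip, saved_keys.get(ip))
        return self.priority_list()
```

The reorder step is where operators most often lose a server-specific key: after removing and re-entering a server, confirm the key with show config rather than show tacacs, which lists only the global key.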
Configuring an Encryption Key. Use an encryption key in the switch if the
switch will be requesting authentication from a TACACS+ server that also uses
an encryption key. (If the server expects a key, but the switch either does not
provide one, or provides an incorrect key, then the authentication attempt will
fail.) Use a global encryption key if the same key applies to all TACACS+
servers the switch may use for authentication attempts. Use a per-server
encryption key if different servers the switch may use will have different
keys. (For more details on encryption keys, see “Using the Encryption Key” on
page 4-23.)

Note: The show tacacs command lists the global encryption key, if configured.
However, to view any configured per-server encryption keys, you must use
show config or show config running (if you have made TACACS+ configuration
changes without executing write mem).

Configuring the Timeout Period. The timeout period specifies how long
the switch waits for a response to an authentication request from a TACACS+
server before either sending a new request to the next server in the switch’s
Server IP Address list or using the local authentication option. For example,
to change the timeout period from 5 seconds (the default) to 3 seconds:
HPswitch(config)# tacacs-server timeout 3
How Authentication Operates

General Authentication Process Using a TACACS+ Server

Authentication through a TACACS+ server operates generally as described
below. For specific operating details, refer to the documentation you received
with your TACACS+ server application.

Figure 4-6. Using a TACACS+ Server for Authentication (an HP switch
configured for TACACS+ operation; terminal “A” directly accesses the switch
via the switch’s console port and terminal “B” remotely accesses the switch
via Telnet; the switch is configured for a first-choice TACACS+ server and
optional second-choice and third-choice TACACS+ servers)

Using figure 4-6, above, after the switch detects an operator’s logon request
from a remote or directly connected terminal, the following events occur:
1. The switch queries the first-choice TACACS+ server for authentication
   of the request.
   • If the switch does not receive a response from the first-choice
     TACACS+ server, it attempts to query a secondary server. If the
     switch does not receive a response from any TACACS+ server,
     then it uses its own local username/password pairs to authenticate
     the logon request. (See “Local Authentication Process” on page 4-22.)
   • If a TACACS+ server recognizes the switch, it forwards a username
     prompt to the requesting terminal via the switch.
2. When the requesting terminal responds to the prompt with a username,
   the switch forwards it to the TACACS+ server.
3. After the server receives the username input, the requesting terminal
   receives a password prompt from the server via the switch.
4. When the requesting terminal responds to the prompt with a password,
   the switch forwards it to the TACACS+ server and one of the following
   actions occurs:
   • If the username/password pair received from the requesting
     terminal matches a username/password pair previously stored in
     the server, then the server passes access permission through the
     switch to the terminal.
   • If the username/password pair entered at the requesting terminal
     does not match a username/password pair previously stored in
     the server, access is denied. In this case, the terminal is again
     prompted to enter a username and repeat steps 2 through 4. In
     the default configuration, the switch allows up to three attempts
     to authenticate a login session. If the requesting terminal
     exhausts the attempt limit without a successful TACACS+
     authentication, the login session is terminated and the operator
     at the requesting terminal must initiate a new session before
     trying again.
Local Authentication Process

When the switch is configured to use TACACS+, it reverts to local
authentication only if one of these two conditions exists:
■ “Local” is the authentication option for the access method being used.
■ TACACS+ is the primary authentication mode for the access method
  being used. However, the switch was unable to connect to any
  TACACS+ servers (or no servers were configured) and Local is the
  secondary authentication mode being used.
(For a listing of authentication options, see table 4-2, “Primary/Secondary
Authentication Table” on page 4-13.)

For local authentication, the switch uses the operator-level and manager-level
username/password set(s) previously configured locally on the switch. (These
are the usernames and passwords you can configure using the CLI password
command, the web browser interface, or the menu interface—which enables
only local password configuration).
■ If the operator at the requesting terminal correctly enters the
  username/password pair for either access level, access is granted.
■ If the username/password pair entered at the requesting terminal does
  not match either username/password pair previously configured
  locally in the switch, access is denied. In this case, the terminal is
  again prompted to enter a username/password pair. In the default
  configuration, the switch allows up to three attempts. If the requesting
  terminal exhausts the attempt limit without a successful authentication,
  the login session is terminated and the operator at the requesting
  terminal must initiate a new session before trying again.
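As an added example (constructed here, not HP code), the following models the login/enable authentication path described in this section together with the rules from Tables 4-1 and 4-2 and the Caution above: the switch-assigned default secondary method, failover through the server list on timeout, the num-attempts limit, the console tacacs/none combination the switch rejects, and the Login-local/Enable-tacacs pairing that lets the local Manager password bypass the TACACS+ server. Class and function names are this example's own; server replies are simulated, not real TACACS+ traffic.

```python
"""Model of the switch's login/enable authentication path described above.

Constructed example, not HP code. Each access method and privilege level
has a primary method (local or tacacs) and a secondary method (local or
none). Server replies for one attempt are simulated as "accept", "reject"
or "timeout", listed in first-choice, second-choice, third-choice order.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 4-1: secondary method the switch assigns when none is given on the command line.
DEFAULT_SECONDARY = {"tacacs": "local", "local": "none"}
DEFAULT_NUM_ATTEMPTS = 3


@dataclass(frozen=True)
class AuthPolicy:
    access: str                       # "console" or "telnet"
    level: str                        # "login" or "enable"
    primary: str                      # "local" or "tacacs"
    secondary: Optional[str] = None   # "local", "none", or None for the switch default

    def effective_secondary(self) -> str:
        if self.secondary is None:
            return DEFAULT_SECONDARY[self.primary]
        return self.secondary


def check_policy(p: AuthPolicy) -> List[str]:
    """Problems the switch or the manual flags for a single aaa authentication line."""
    problems = []
    sec = p.effective_secondary()
    if p.access == "console" and p.primary == "tacacs" and sec == "none":
        # Rejected by the switch: "Not legal combination of authentication methods".
        problems.append("console tacacs requires secondary local to avoid lockout")
    if p.primary == "local" and sec == "local":
        problems.append("secondary local is meaningless when primary is local")
    return problems


def check_pair(login: AuthPolicy, enable: AuthPolicy) -> List[str]:
    """The Caution above: Login primary local with Enable primary tacacs lets the
    local Manager password reach read-write access without the TACACS+ server."""
    problems = check_policy(login) + check_policy(enable)
    if login.primary == "local" and enable.primary == "tacacs":
        problems.append(login.access + ": login local with enable tacacs bypasses TACACS+")
    return problems


def authenticate(p: AuthPolicy, server_replies: List[str], local_ok: bool) -> Tuple[str, str]:
    """One credential attempt; returns (method that decided, "granted" or "denied").
    A timeout moves on to the next server; a reject is final for this attempt; the
    secondary method is used only when no server responded at all."""
    if p.primary == "tacacs":
        for reply in server_replies:
            if reply == "timeout":
                continue
            return ("tacacs", "granted" if reply == "accept" else "denied")
        if p.effective_secondary() == "local":
            return ("local", "granted" if local_ok else "denied")
        return ("none", "denied")
    return ("local", "granted" if local_ok else "denied")


def login_session(p: AuthPolicy, attempts: List[Tuple[List[str], bool]],
                  num_attempts: int = DEFAULT_NUM_ATTEMPTS) -> Tuple[str, str]:
    """Apply the aaa authentication num-attempts limit over successive attempts;
    each attempt is (server replies for that attempt, whether local credentials matched)."""
    outcome = ("none", "denied")
    for replies, local_ok in attempts[:num_attempts]:
        outcome = authenticate(p, replies, local_ok)
        if outcome[1] == "granted":
            return outcome
    return (outcome[0], "session terminated")
```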
Note: The switch’s menu allows you to configure only the local Operator and
Manager passwords, and not any usernames. In this case, all prompts for local
authentication will request only a local password. However, if you use the CLI
or the web browser interface to configure usernames for local access, you will
see a prompt for both a local username and a local password during local
authentication.
Using the Encryption Key

General Operation

When used, the encryption key (sometimes termed “key”, “secret key”, or
“secret”) helps to prevent unauthorized intruders on the network from reading
username and password information in TACACS+ packets moving between
the switch and a TACACS+ server. At the TACACS+ server, a key may include
both of the following:
■ Global key: A general key assignment in the TACACS+ server application
  that applies to all TACACS-aware devices for which an individual key has
  not been configured.
■ Server-Specific key: A unique key assignment in the TACACS+ server
  application that applies to a specific TACACS-aware device.

Note: Configure a key in the switch only if the TACACS+ server application
has this exact same key configured for the switch. That is, if the key
parameter in switch “X” does not exactly match the key setting for switch “X”
in the TACACS+ server application, then communication between the switch
and the TACACS+ server will fail.

Thus, on the TACACS+ server side, you have a choice as to how to implement
a key. On the switch side, it is necessary only to enter the key parameter so
that it exactly matches its counterpart in the server. For information on how
to configure a general or individual key in the TACACS+ server, refer to the
documentation you received with the application.

Encryption Options in the Switch

When configured, the encryption key causes the switch to encrypt the
TACACS+ packets it sends to the server. When left at “null”, the TACACS+
packets are sent in clear text. The encryption key (or just “key”) you configure
in the switch must be identical to the encryption key configured in the
corresponding TACACS+ server. If the key is the same for all TACACS+
servers the switch will use for authentication, then configure a global key in
the switch. If the key is different for one or more of these servers, use
“server-specific” keys in the switch. (If you configure both a global key and
one or more per-server keys, the per-server keys will override the global key
for the specified servers.)
For example, you would use the next command to configure a global encryption
key in the switch to match a key entered as north40campus in two target
TACACS+ servers. (That is, both servers use the same key for your switch.)
Note that you do not need the server IP addresses to configure a global key in
the switch:
HPswitch(config)# tacacs-server key north40campus

Suppose that you subsequently add a third TACACS+ server (with an IP
address of 10.28.227.87) that has south10campus for an encryption key. Because
this key is different than the one used for the two servers in the previous
example, you will need to assign a server-specific key in the switch that applies
only to the designated server:
HPswitch(config)# tacacs-server host 10.28.227.87 key south10campus

With both of the above keys configured in the switch, the south10campus key
overrides the north40campus key only when the switch tries to access the
TACACS+ server having the 10.28.227.87 address.
Controlling Web Browser Interface Access When Using TACACS+
Authentication

Configuring the switch for TACACS+ authentication does not affect web
browser interface access. To prevent unauthorized access through the web
browser interface, do one or more of the following:
■ Configure local authentication (a Manager user name and password
  and, optionally, an Operator user name and password) on the switch.
■ Configure the switch’s Authorized IP Manager feature to allow web
  browser access only from authorized management stations. (The
  Authorized IP Manager feature does not interfere with TACACS+
  operation.)
■ Disable web browser access to the switch by going to the System
  Information screen in the Menu interface and configuring the Web
  Agent Enabled parameter to No.
Messages Related to TACACS+ Operation

The switch generates the CLI messages listed below. However, you may see
other messages generated in your TACACS+ server application. For information
on such messages, refer to the documentation you received with the
application.

CLI Message | Meaning
Connecting to Tacacs server | The switch is attempting to contact the TACACS+ server identified in the switch’s tacacs-server configuration as the first-choice (or only) TACACS+ server.
Connecting to secondary Tacacs server | The switch was not able to contact the first-choice TACACS+ server, and is now attempting to contact the next (secondary) TACACS+ server identified in the switch’s tacacs-server configuration.
Invalid password | The system does not recognize the username or the password or both. Depending on the authentication method (tacacs or local), either the TACACS+ server application did not recognize the username/password pair or the username/password pair did not match the username/password pair configured in the switch.
No Tacacs servers responding | The switch has not been able to contact any designated TACACS+ servers. If this message is followed by the Username prompt, the switch is attempting local authentication.
Not legal combination of authentication methods | For console access, if you select tacacs as the primary authentication method, you must select local as the secondary authentication method. This prevents you from being locked out of the switch if all designated TACACS+ servers are inaccessible to the switch.
Record already exists | When resulting from a tacacs-server host <ip addr> command, indicates an attempt to enter a duplicate TACACS+ server IP address.
Operating Notes

■ If you configure Authorized IP Managers on the switch, it is not
  necessary to include any devices used as TACACS+ servers in the
  authorized manager list. That is, authentication traffic between a
  TACACS+ server and the switch is not subject to Authorized IP
  Manager controls configured on the switch. Also, the switch does not
  attempt TACACS+ authentication for a management station that the
  Authorized IP Manager list excludes because, independent of
  TACACS+, the switch already denies access to such stations.
■ When TACACS+ is not enabled on the switch—or when the switch’s
  only designated TACACS+ servers are not accessible—setting a local
  Operator password without also setting a local Manager password
  does not protect the switch from manager-level access by unauthorized
  persons.