HP 2800 User Manual

Access Security Guide
Switch 2600 Series
Switch 2600-PWR Series
Switch 2800 Series
Switch 4100 Series
Switch 6108
www.hp.com/go/hpprocurve
HP ProCurve
Access Security Guide
October 2004
© Copyright 2001-2004 Hewlett-Packard Company, L.P. The information contained herein is subject to change without notice.
Publication Number
5990-6024 October 2004
Applicable Products
HP ProCurve Switch 2626 (J4900A)
HP ProCurve Switch 2626-PWR (J8164A)
HP ProCurve Switch 2650 (J4899A)
HP ProCurve Switch 2650-PWR (J8165A)
HP ProCurve Switch 2824 (J4903A)
HP ProCurve Switch 2848 (J4904A)
HP ProCurve Switch 4104gl (J4887A)
HP ProCurve Switch 4108gl (J4865A)
HP ProCurve Switch 6108 (J4902A)
Trademark Credits
Windows NT®, Windows®, and MS Windows® are US registered trademarks of Microsoft Corporation.
Software Credits
SSH on HP ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit http://www.openssh.com.
SSL on HP ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit http://www.openssl.org.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
This product includes software written by Tim Hudson (tjh@cryptsoft.com)
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements for such products. Nothing herein should be construed as constituting an additional warranty.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 http://www.hp.com/go/hpprocurve

Contents

1 Getting Started
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction and Applicable Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
About the Feature Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
General Switch Traffic Security Guideline . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Simulating Display Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Port Identity Convention for Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Getting Documentation From the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . . . 1-11
2 Configuring Username and Password Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
3 Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
General Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . 3-12
Do These Steps Before You Configure Web/MAC Authentication . . 3-12
Additional Information for Configuring the RADIUS Server To Support MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . . . . 3-15
Configuring Web Authentication on the Switch . . . . . . . . . . . . . . . . . . . . . 3-17
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Configure the Switch for Web-Based Authentication . . . . . . . . . . . . . 3-18
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . . . . . 3-22
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Configure the Switch for MAC-Based Authentication . . . . . . . . . . . . 3-23
Show Status and Configuration of Web-Based Authentication . . . . . . . . 3-26
Show Status and Configuration of MAC-Based Authentication . . . . . . . . 3-28
Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
4 TACACS+ Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9
Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9
Viewing the Switch’s Current TACACS+ Server Contact Configuration . . . . . . . . . . . . 4-10
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-11
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-15
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
General Authentication Process Using a TACACS+ Server . . . . . . . . 4-20
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 4-22
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
Controlling Web Browser Interface Access When Using TACACS+ Authentication . . . . . . . . 4-24
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 4-25
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
5 RADIUS Authentication and Accounting
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . . . . . . 5-6
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-6
1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-10
3. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-12
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
Controlling Web Browser Interface Access When Using RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-19
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-19
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29
Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31
6 Configuring Secure Shell (SSH)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Steps for Configuring and Using SSH for Switch and
Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . 6-10
3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 6-12
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 6-18
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-21
Further Information on SSH Client Public-Key Authentication . . . . . . . . 6-21
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27
7 Configuring Secure Socket Layer (SSL)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . 7-9
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Common Errors in SSL setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21
8 Configuring Port-Based Access Control (802.1X)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
How 802.1X Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Switch-Port Supplicant Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10
General Setup Procedure for Port-Based Access Control (802.1X) . . . . . 8-12
Do These Steps Before You Configure 802.1X Operation . . . . . . . . . 8-12
Overview: Configuring 802.1X Authentication on the Switch . . . . . . 8-13
Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . . . . . . 8-15
1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . . 8-15
3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . . 8-19
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 8-20
5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . . 8-20
802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . . 8-22
Operating Rules for Authorized-Client and Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . . 8-27
802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34
Displaying 802.1X Configuration, Statistics, and Counters . . . . . . . . . . . . 8-38
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 8-38
Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . . 8-40
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . 8-43
How RADIUS/802.1X Authentication Affects VLAN Operation . . . . . . . . 8-44
Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48
9 Configuring and Monitoring Port Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Port Security Command Options and Operation . . . . . . . . . . . . . . . . . . . . . 9-6
Retention of Static MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
Displaying Current Port Security Settings . . . . . . . . . . . . . . . . . . . . . . 9-10
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Differences Between MAC Lockdown and Port Security . . . . . . . . . 9-19
Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27
Web: Displaying and Configuring Port Security Features . . . . . . . . . . . . . 9-27
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . . . . . . . . 9-28
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . . 9-29
Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . . 9-35
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36
10 Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Using Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Configuring a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Viewing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
11 Using Authorized IP Managers
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 11-5
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 11-6
Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Configuring One Station Per Authorized Manager IP Entry . . . . . . . 11-9
Configuring Multiple Stations Per Authorized Manager IP Entry . . 11-11
Additional Examples for Authorizing Multiple Stations . . . . . . . . . 11-13
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Index

Getting Started

Contents

Introduction and Applicable Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
About the Feature Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
General Switch Traffic Security Guideline . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Simulating Display Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Port Identity Convention for Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Getting Documentation From the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . . . 1-11
Introduction and Applicable Switches
This guide describes how to use HP’s switch security features to protect access to your HP ProCurve switch. This guide is intended for these switch models:
HP ProCurve Switch 4100GL Series (4104GL, 4108GL)
HP ProCurve Switch 2800 Series (2824, 2848)
HP ProCurve Switch 2600 Series (2626, 2650)
HP ProCurve Switch 6108
The Product Documentation CD-ROM shipped with the switch includes this guide. You can also download the latest version from the HP ProCurve website. (Refer to “Getting Documentation From the Web” on page 1-9.)

About the Feature Descriptions

In cases where a software feature is not available in all of the switch products covered by this guide, the text specifically indicates which devices offer the feature.

Overview of Access Security Features
Local Manager and Operator Passwords (page 2-1): Control access and privileges for the CLI, menu, and web browser interfaces.
TACACS+ Authentication (page 4-1): Uses an authentication application on a server to allow or deny access to a switch.
RADIUS Authentication and Accounting (page 5-1): Like TACACS+, uses an authentication application on a central server to allow or deny access to the switch. RADIUS also provides accounting services for sending data about user activity and system events to a RADIUS server.
Secure Shell (SSH) Authentication (page 6-1): Provides encrypted paths for remote access to switch management functions.
Secure Socket Layer (SSL) (page 7-1): Provides remote web access to the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation.
Port-Based Access Control (802.1X) (page 8-1): On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches.
Port Security (page 9-1): Enables a switch port to maintain a unique list of MAC addresses defining which specific devices are allowed to access the network through that port. Also enables a port to detect, prevent, and log access attempts by unauthorized devices.
Traffic/Security Filters (page 10-1): Source-Port filtering enhances in-band security by enabling outbound destination ports on the switch to forward or drop traffic from designated source ports (within the same VLAN).
Authorized IP Managers (page 11-1): Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized".
HP recommends that you use local passwords together with your switch’s other security features to provide a more comprehensive security fabric than if you use only local passwords. For an overview, refer to Table 1-1.
Table 1-1. Management Access Security Protection

The Telnet, SNMP (Net Mgmt), Web Browser, and SSH Client columns show whether the feature offers protection against unauthorized client access to the switch management features over that connection type (PtP = point-to-point, Remote). The Network column shows whether the feature offers protection against unauthorized client access to the network.

Security Feature                                         Connection   Telnet   SNMP (Net Mgmt)   Web Browser   SSH Client   Network
Local Manager and Operator Usernames and Passwords (1)   PtP          Yes      No                Yes           Yes          No
                                                         Remote       Yes      No                Yes           Yes          No
TACACS+ (1)                                              PtP          Yes      No                No            Yes          No
                                                         Remote       Yes      No                No            Yes          No
RADIUS (1)                                               PtP          Yes      No                No            Yes          No
                                                         Remote       Yes      No                No            Yes          No
SSH                                                      PtP          Yes      No                No            Yes          No
                                                         Remote       Yes      No                No            Yes          No
SSL                                                      PtP          No       No                Yes           No           No
                                                         Remote       No       No                Yes           No           No
Port-Based Access Control (802.1X)                       PtP          Yes      Yes               Yes           Yes          Yes
                                                         Remote       No       No                No            No           No
Port Security (MAC address)                              PtP          Yes      Yes               Yes           Yes          Yes
                                                         Remote       Yes      Yes               Yes           Yes          Yes
Authorized IP Managers                                   PtP          Yes      Yes               Yes           Yes          No
                                                         Remote       Yes      Yes               Yes           Yes          No

(1) The local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access) also offer protection for serial port access.
There are two security areas to protect: access to the switch management features and access to the network through the switch. The preceding table shows the type of protection each switch security feature offers.

General Switch Traffic Security Guideline

Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection) model precedence of the individual options, from the lowest layer to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (Applies to all ports on the switch.)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.
(The above list does not address the mutually exclusive relationship that exists among some security features.)
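As an added illustration (not from the HP guide), the following Python model applies the six checks above in the stated order to a few constructed frames, so that a frame blocked by a switch-wide MAC lockout never reaches the per-port checks, and Authorized IP Managers is consulted only for traffic aimed at the switch's own management interface, as Table 1-1 indicates. The per-feature semantics (switch-wide lockout list, MAC locked to one port, per-port allowed-MAC list, manager subnets) are simplified assumptions, and all ports, MAC addresses, and subnets are constructed.

```python
# Added example (not from the HP guide): a simplified model of the order in
# which the switch applies its configured security features to a frame.
# Feature semantics below are assumptions chosen to illustrate the precedence:
#   - MAC lockout: switch-wide list of MACs dropped on every port
#   - MAC lockdown: a MAC is bound to one port and dropped if seen elsewhere
#   - Port security: per-port list of MACs allowed to use that port
#   - Authorized IP Managers: source subnets allowed to reach switch management
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    """Constructed ingress frame; only the fields the checks need."""
    port: str
    src_mac: str
    src_ip: Optional[IPv4Address] = None
    to_switch_mgmt: bool = False  # True when aimed at the switch's own management interface


@dataclass
class SecurityConfig:
    enabled_ports: Set[str] = field(default_factory=set)
    mac_lockout: Set[str] = field(default_factory=set)
    mac_lockdown: Dict[str, str] = field(default_factory=dict)        # MAC -> locked port
    port_security: Dict[str, Set[str]] = field(default_factory=dict)  # port -> allowed MACs
    authorized_managers: List[IPv4Network] = field(default_factory=list)


def evaluate(cfg: SecurityConfig, frame: Frame) -> Tuple[bool, str]:
    """Apply the checks in the guide's order; return (forwarded, deciding stage)."""
    mac = frame.src_mac.lower()
    # 1. Disabled/Enabled physical port
    if frame.port not in cfg.enabled_ports:
        return False, "1:port-disabled"
    # 2. MAC lockout (applies to all ports on the switch)
    if mac in cfg.mac_lockout:
        return False, "2:mac-lockout"
    # 3. MAC lockdown: the MAC is only accepted on the port it is locked to
    locked_port = cfg.mac_lockdown.get(mac)
    if locked_port is not None and locked_port != frame.port:
        return False, "3:mac-lockdown"
    # 4. Port security: a port with a list accepts only the listed MACs
    allowed = cfg.port_security.get(frame.port)
    if allowed is not None and mac not in allowed:
        return False, "4:port-security"
    # 5. Authorized IP Managers: protects management access only, not transit traffic
    if frame.to_switch_mgmt and cfg.authorized_managers:
        if frame.src_ip is None or not any(frame.src_ip in net for net in cfg.authorized_managers):
            return False, "5:authorized-ip-managers"
    # 6. Higher-layer features (e.g. SSH authentication) would be applied next
    return True, "6:forwarded"


# Constructed configuration: ports and MACs are illustrative; subnets use documentation ranges
EXAMPLE_CFG = SecurityConfig(
    enabled_ports={"A1", "A2", "B3"},
    mac_lockout={"00:0a:0b:0c:0d:0e"},
    mac_lockdown={"00:11:22:33:44:55": "A1"},
    port_security={"B3": {"00:aa:bb:cc:dd:ee"}},
    authorized_managers=[IPv4Network("192.0.2.0/24")],
)

EXAMPLE_FRAMES = {
    "disabled_port": Frame("C7", "00:11:22:33:44:55"),
    "locked_out_mac": Frame("A2", "00:0a:0b:0c:0d:0e"),
    "locked_down_mac_wrong_port": Frame("A2", "00:11:22:33:44:55"),
    "locked_down_mac_right_port": Frame("A1", "00:11:22:33:44:55"),
    "unlisted_mac_on_secured_port": Frame("B3", "00:11:22:33:44:56"),
    "mgmt_from_unauthorized_subnet": Frame("B3", "00:aa:bb:cc:dd:ee", IPv4Address("198.51.100.7"), True),
    "transit_from_unauthorized_subnet": Frame("B3", "00:aa:bb:cc:dd:ee", IPv4Address("198.51.100.7"), False),
    "mgmt_from_authorized_subnet": Frame("A2", "00:aa:bb:cc:dd:ee", IPv4Address("192.0.2.10"), True),
}


def run_examples(cfg: SecurityConfig = EXAMPLE_CFG) -> Dict[str, str]:
    """Evaluate every constructed frame and report the stage that decided it."""
    return {name: evaluate(cfg, frame)[1] for name, frame in EXAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, stage in run_examples().items():
        print(f"{name:34} -> {stage}")
```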
Command Syntax Conventions
This guide uses the following conventions for command syntax and displays.
Syntax: aaa port-access authenticator < port-list >
[ control < authorized | auto | unauthorized >]
Vertical bars ( | ) separate alternative, mutually exclusive elements.
Square brackets ( [ ] ) indicate optional elements.
Braces ( < > ) enclose required elements.
Braces within square brackets ( [ < > ] ) indicate a required element within an optional choice.
Boldface indicates use of a CLI command, part of a CLI command syntax, or other displayed element in general text. For example: “Use the copy tftp command to download the key from a TFTP server.”
Italics indicate variables for which you must supply a value when executing the command. For example, in this command syntax, you must provide one or more port numbers:
Syntax: aaa port-access authenticator < port-list >

Simulating Display Output

Command Prompts

In the default configuration, your switch’s CLI prompt includes the switch model number, and appears similar to the following examples:
HP ProCurve Switch 4108#
HP ProCurve Switch 2650#
HP ProCurve Switch 6108#
To simplify recognition, this guide uses HPswitch to represent command prompts for all models. That is:
HPswitch#
(You can use the hostname command to change the text in the CLI prompt.)
Commands or command output positioned to simulate displays of switch information in a computer screen are printed in a monospace font, as shown above.
Screen Simulations

Figures containing simulated screen text and command output appear similar to this:
Figure 1-1. Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear without figure identification. For example:
HPswitch(config)# clear public-key
HPswitch(config)# show ip client-public-key
show_client_public_key: cannot stat keyfile
Port Identity Convention for Examples
This guide describes software applicable to both chassis-based and stackable HP ProCurve switches. Where port identities are needed in an example, this guide uses the chassis-based port identity system, such as "A1", "B3 - B5", "C7", etc. However, unless otherwise noted, such examples apply equally to the stackable switches, which typically use only numbers, such as "1", "3-5", "15", etc. for port identities.

Related Publications

Product Notes and General Software Update Information. The printed Read Me First shipped with your switch provides software update information, product notes, and other information. For the latest version, refer to “Getting Documentation From the Web” on page 1-9.
Physical Installation and Initial Network Access. Use the Installation and Getting Started Guide shipped with your switch to prepare for and perform the physical installation. This guide also steps you through connecting the switch to your network and assigning IP addressing, as well as describing the LED indications for correct operation and trouble analysis. A PDF version of this guide is also provided on the Product Documentation CD-ROM shipped with the switch. You can also download a copy from the HP ProCurve website. (See “Getting Documentation From the Web” on page 1-9.)
General Switch Management and Configuration. Use the Management and Configuration Guide for information on:
• Using the command line interface (CLI), Menu interface, and web browser interface
• Learning the operation and configuration of all switch software features other than the access security features included in this guide
• Troubleshooting software operation
HP provides a PDF version of this guide on the Product Documentation CD-ROM shipped with the switch. You can also download the latest copy from the HP ProCurve website. (See “Getting Documentation From the Web” on page 1-9.)
Release Notes. Release notes are posted on the HP ProCurve website and provide information on new software updates:
• New features and how to configure and use them
• Software management, including downloading software to the switch
• Software fixes addressed in current and previous releases
To view and download a copy of the latest release notes for your switch, see “Getting Documentation From the Web” on page 1-9.
Getting Documentation From the Web
1. Go to the HP ProCurve website at http://www.hp.com/go/hpprocurve.
2. Click on technical support.
3. Click on manuals.
4. Click on the product for which you want to view or download a manual.
Sources for More Information
If you need information on specific parameters in the menu interface, refer to the online help provided in the interface.
Figure 1-2. Where To Find Help in the Menu Interface
If you need information on a specific command in the CLI, type the command name followed by “help”. For example:
Figure 1-3. How To Find Help in the CLI
If you need information on specific features in the HP Web Browser Interface (hereafter referred to as the “web browser interface”), use the online help available for the web browser interface. For more information on web browser Help options, refer to the Management and Configuration Guide for your switch.
If you need further information on Hewlett-Packard switch technology, visit the HP ProCurve website at: http://www.hp.com/go/hpprocurve

Need Only a Quick Start?
IP Addressing. If you just want to give the switch an IP address, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following:
• Enter setup at the CLI Manager level prompt.
HPswitch# setup
• In the Main Menu of the Menu interface, select 8. Run Setup
For more on using the Switch Setup screen, refer to the Installation and Getting Started Guide you received with the switch.

To Set Up and Install the Switch in Your Network

Use the Installation and Getting Started Guide for your switch model (shipped with the switch) for the following:
• Notes, cautions, and warnings related to installing and using the switch and its related modules
• Instructions for physically installing the switch in your network
• Quickly assigning an IP address and subnet mask, setting a Manager password, and (optionally) configuring other basic features

Configuring Username and Password Security

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Overview
Feature                       Default   Menu        CLI         Web
Set Usernames                 none                              page 2-6
Set a Password                none      page 2-4    page 2-5    page 2-6
Delete Password Protection    n/a       page 2-5    page 2-6    page 2-6
The following features apply only to the Series 2600, 2600-PWR, and 2800 Switches.
Feature                       Default    CLI
show front-panel-security     n/a        page 1-13
front-panel-security                     page 1-13
password-clear                enabled    page 1-13
reset-on-clear                disabled   page 1-14
factory-reset                 enabled    page 1-15
password-recovery             enabled    page 1-15
Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels.
Note: Usernames are optional. Also, in the menu interface, you can configure passwords, but not usernames. To configure usernames, use the CLI or the web browser interface.
Level       Actions Permitted
Manager:    Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Operator:   Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities. On the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available.
*Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the Manager password.
To configure password security:
1. Set a Manager password pair (and an Operator password pair, if applicable for your system).
2. Exit from the current console session. A Manager password pair will now be needed for full access to the console.
If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the Manager and Operator levels, the level of access to the console interface will be determined by which password is entered in response to the prompt.
If you set a Manager password, you may also want to configure the Inactivity Time parameter. (Refer to the Management and Configuration Guide for your switch.) This causes the console session to end after the specified period of inactivity, thus giving you added security against unauthorized console access.
Note: The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface.
If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
If the switch has a password for both the Manager and Operator levels, and neither is entered correctly in response to the switch’s password prompt, then the switch does not allow management access for that session.
Passwords are case-sensitive.
Caution: If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the web browser interface can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator password enables full manager privileges.
The rest of this section covers how to:
• Set passwords
• Delete passwords
• Recover from a lost password

Configuring Local Password Security

Menu: Setting Passwords

As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface.
1. From the Main Menu select:
   3. Console Passwords
Figure 2-1. The Set Password Screen
2. To set a new password:
   a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password.
   b. Type a password of up to 16 ASCII characters with no spaces and press [Enter]. (Remember that passwords are case-sensitive.)
   c. When prompted with Enter new password again, retype the new password and press [Enter].
After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt you for the username, and then the password.)
To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator).
If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
If you do not have physical access to the switch, you will need Manager-Level access:
1. Enter the console at the Manager level.
2. Go to the Set Passwords screen as described above.
3. Select Delete Password Protection. You will then see the following prompt:
   Continue Deletion of password protection? No
4. Press the Space bar to select Yes, then press [Enter].
5. Press [Enter] to clear the Password Protection message.
To Recover from a Lost Manager Password: If you cannot start a console session at the Manager level because of a lost Manager password, you can clear the password by getting physical access to the switch and pressing and holding the Clear button for a minimum of one second. This action deletes all passwords and usernames (Manager and Operator) used by both the console and the web browser interface.

CLI: Setting Passwords and Usernames

Commands Used in This Section
password See below.
Configuring Manager and Operator Passwords.
Syntax:
[ no ] password < manager | operator > [ user-name ASCII-STR ]
[ no ] password < all >
Figure 2-2. Example of Configuring Manager and Operator Passwords
• Password entries appear as asterisks.
• You must type the password entry twice.
To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:
Figure 2-3. Removing a Password and Associated Username from the Switch
Press [Y] (for yes) and press [Enter].
The effect of executing the command in figure 2-3 is to remove password protection from the Operator level. (This means that anyone who can access the switch console can gain Operator access without having to enter a username or password.)
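The Caution earlier in this chapter and the password syntax above together describe a small policy: a Manager password must exist (otherwise anyone reaching the console has full manager privileges), an Operator-only password is not a protection (it grants full manager privileges), and a password is at most 16 ASCII characters with no spaces. The following Python script is an added example, not part of the HP guide, that checks a saved switch configuration against those rules. It assumes that the running configuration echoes the password command in the same form as the CLI syntax, password manager [user-name NAME] and password operator [user-name NAME]; that echo format is not shown on this page, and the sample configurations are constructed, not captured from a switch.

```python
"""Audit a ProCurve configuration for console password protection.

Added example (not from the HP Access Security Guide). ASSUMPTION: the
saved configuration contains lines of the form
    password manager [user-name NAME]
    password operator [user-name NAME]
mirroring the CLI syntax; the guide does not show the echoed format.
"""
import re
from dataclasses import dataclass, field

MAX_PASSWORD_LEN = 16  # limit stated in the guide's menu procedure

# Matches the assumed configuration echo of the 'password' command.
_PASSWORD_LINE = re.compile(
    r"^\s*password\s+(?P<level>manager|operator)"
    r"(?:\s+user-name\s+(?P<user>\S+))?\s*$"
)


@dataclass
class PasswordAudit:
    manager: bool = False          # a Manager password line was found
    operator: bool = False         # an Operator password line was found
    usernames: dict = field(default_factory=dict)   # level -> username
    findings: list = field(default_factory=list)    # human-readable issues


def validate_password(candidate: str) -> list:
    """Return the guide's rules that a candidate password breaks (empty if OK)."""
    problems = []
    if not candidate:
        problems.append("password is empty")
    if len(candidate) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    if " " in candidate:
        problems.append("contains a space")
    if not candidate.isascii():
        problems.append("contains non-ASCII characters")
    return problems


def audit_config(config_text: str) -> PasswordAudit:
    """Report which console levels are protected and what the guide says that implies."""
    audit = PasswordAudit()
    for line in config_text.splitlines():
        m = _PASSWORD_LINE.match(line)
        if not m:
            continue
        level = m.group("level")
        setattr(audit, level, True)
        if m.group("user"):
            audit.usernames[level] = m.group("user")

    if not audit.manager and not audit.operator:
        audit.findings.append(
            "no Manager or Operator password: anyone reaching the switch via "
            "Telnet, the serial port or the web interface has full manager privileges"
        )
    elif audit.operator and not audit.manager:
        audit.findings.append(
            "Operator password only: entering it grants full manager privileges"
        )
    return audit


# Constructed sample configurations (not captured from a real switch).
SAMPLE_UNPROTECTED = """\
hostname "HPswitch"
snmp-server community "public" Unrestricted
"""

SAMPLE_OPERATOR_ONLY = """\
hostname "HPswitch"
password operator user-name helpdesk
"""

SAMPLE_PROTECTED = """\
hostname "HPswitch"
password manager user-name netadmin
password operator
"""

if __name__ == "__main__":
    for name, cfg in [("unprotected", SAMPLE_UNPROTECTED),
                      ("operator-only", SAMPLE_OPERATOR_ONLY),
                      ("protected", SAMPLE_PROTECTED)]:
        result = audit_config(cfg)
        print(f"{name}: manager={result.manager} operator={result.operator} "
              f"usernames={result.usernames}")
        for finding in result.findings:
            print("  finding:", finding)
    print(validate_password("Correct Horse"))  # rejected: contains a space
```

Run it against a configuration saved from the switch; the audit only reads text, so it can be applied to archived configurations as well as to output captured from a live session. validate_password can be used before a password is typed into the menu or CLI, since the switch silently masks the entry with asterisks and the length and space rules are easy to violate unnoticed.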

Web: Setting Passwords and Usernames

In the web browser interface you can enter passwords and (optional) usernames.
To Configure (or Remove) Usernames and Passwords in the Web Browser Interface.
1. Click on the Security tab.
   Click on [Device Passwords].
2. Do one of the following:
   To set username and password protection, enter the usernames and passwords you want in the appropriate fields.