HP procurve switch 2600, procurve switch 2800, procurve switch 4100, procurve switch 6108 Access Security Manual
hp procurve
switch 2600 series
switch 2800 series
switch 4100 series
switch 6108
access security guide
www.hp.com/go/hpprocurve
HP ProCurve
Switch 2600 Series
Switch 2800 Series
Switch 4100GL Series
Switch 6108
Access Security Guide
August 2003
© Copyright 2001-2003 Hewlett-Packard Company, L..P. The information contained herein is subject to change without notice.
Publication Number
5990-6024
August 2003
Edition 1
Applicable Products
HP ProCurve Switch 2626 (J4900A)
HP ProCurve Switch 2650 (J4899A)
HP ProCurve Switch 2824 (J4903A)
HP ProCurve Switch 2848 (J4904A)
HP ProCurve Switch 4104GL (J4887A)
HP ProCurve Switch 4108GL (J4865A)
HP ProCurve Switch 6108 (J4902A)
Trademark Credits
Windows NT®, Windows®, and MS Windows® are US
registered trademarks of Microsoft Corporation.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
Hewlett-Packard Company shall not be liable for technical
or editorial errors or omissions contained herein. The
information is provided "as is" without warranty of any kind
and is subject to change without notice. The warranties for
Hewlett-Packard Company products are set forth in the
express limited warranty statements for such products.
Nothing herein should be construed as constituting an
additional warranty.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Software Credits
SSH on HP ProCurve Switches is based on the OpenSSH
software toolkit. This product includes software developed
by the OpenSSH Project for use in the OpenSSH Toolkit. For
more information on OpenSSH, visit http://
www.openssh.com.
SSL on HP ProCurve Switches is based on the OpenSSL
software toolkit. This product includes software developed
by the OpenSSL Project for use in the OpenSSL Toolkit. For
more information on OpenSSL, visit
http://www.openssl.org.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
This product includes software written by Tim Hudson
(tjh@cryptsoft.com)
Warranty
See the Customer Support/Warranty booklet included with
the product.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Hewlett-Packard Company€
8000 Foothills Boulevard, m/s 5551€
Roseville, California 95747-5551€
http://www.hp.com/go/hpprocurve
ii€
Contents
1 Getting Started
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1€
Introduction and Applicable Switches . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2€
About the Feature Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2€
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3€
Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5€
Simulating Display Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5€
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5€
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6€
Port Identity Convention for Examples . . . . . . . . . . . . . . . . . . . . . . . . . 1-6€
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6€
Getting Documentation From the Web . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8€
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9€
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10€
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . 1-10€
2 Configuring Username and Password Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2€
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4€
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4€
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5€
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6€
iii
3 TACACS+ Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2€
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 3-3€
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5€
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 3-5€
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8€
BeforeYou Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8€
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 3-9€
Viewing the Switch’s Current Authentication Configuration . . . . . . . 3-9€
Viewing the Switch’s Current TACACS+ Server Contact €
Configuration
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 3-11€
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 3-15€
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20€
General Authentication Process Using a TACACS+ Server . . . . . . . . 3-20€
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22€
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23€
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10€
Controlling Web Browser Interface Access When Using
TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24€
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 3-25€
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25€
4 RADIUS Authentication and Accounting
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2€
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3€
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4€
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5€
iv
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 4-6€
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 4-6€
1. Configure Authentication for the Access Methods You Want €
RADIUS To Protect
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8€
2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 4-10€
3. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 4-12€
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16€
Controlling Web Browser Interface Access When Using
RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17€
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17€
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 4-19€
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 4-19€
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25€
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25€
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27€
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28€
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 4-29€
Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . 4-31€
5 Configuring Secure Shell (SSH)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2€
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4€
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5€
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5€
Steps for Configuring and Using SSH for Switch and Client
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6€
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8€
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 5-9€
1. Assigning a Local Login (Operator) and Enable (Manager) €
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9€
2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . 5-10€
3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 5-12€
v
4. Enabling SSH on the Switch and Anticipating SSH Client€
Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15€
5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 5-18€
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 5-21€
Further Information on SSH Client Public-Key Authentication . 5-21€
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27€
6 Configuring Secure Socket Layer (SSL)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2€
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3€
Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5€
Steps for Configuring and Using SSL for Switch and Client
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5€
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6€
Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . 6-7€
1. Assigning a Local Login (Operator) and Enable (Manager)€
Password
2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . 6-9€
3. Enabling SSL on the Switch and Anticipating SSL Browser€
Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17€
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7€
vi
Common Errors in SSL setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21€
7 Configuring Port-Based Access Control (802.1x)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2€
Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2€
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2€
How 802.1x Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5€
Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5€
Switch-Port Supplicant Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6€
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7€
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9€
General Setup Procedure for Port-Based Access Control
(802.1x) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11€
Do These Steps Before You Configure 802.1x Operation . . . . . . . . . 7-11€
Overview: Configuring 802.1x Authentication on the Switch . . . . . . 7-12€
Configuring Switch Ports as 802.1x Authenticators . . . . . . . . . . . . 7-14€
1. Enable 802.1x Authentication on Selected Ports . . . . . . . . . . . . . . 7-14€
3. Configure the 802.1x Authentication Method . . . . . . . . . . . . . . . . . 7-18€
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 7-19€
5. Enable 802.1x Authentication on the Switch . . . . . . . . . . . . . . . . . . 7-19€
802.1x Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20€
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20€
Use Models for 802.1x Open VLAN Modes . . . . . . . . . . . . . . . . . . . . . 7-21€
Operating Rules for Authorized-Client and Unauthorized-Client€
VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24€
Setting Up and Configuring 802.1x Open VLAN Mode . . . . . . . . . . . . 7-26€
802.1x Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-30€
Option For Authenticator Ports: Configure Port-Security To
Allow Only 802.1x Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-31€
Configuring Switch Ports To Operate As Supplicants for 802.1x
Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-33€
Displaying 802.1x Configuration, Statistics, and Counters . . . . . . 7-37€
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 7-37€
Viewing 802.1x Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . . . 7-39€
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . 7-42€
How RADIUS/802.1x Authentication Affects VLAN Operation . . 7-43€
Messages Related to 802.1x Operation . . . . . . . . . . . . . . . . . . . . . . . . 7-47€
8 Configuring and Monitoring Port Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2€
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2€
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3€
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4€
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5€
vii
Port Security Command Options and Operation . . . . . . . . . . . . . . . . . 8-6€
Retention of Static MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10€
Displaying Current Port Security Settings . . . . . . . . . . . . . . . . . . . . . . 8-10€
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12€
Web: Displaying and Configuring Port Security Features . . . . . . . 8-17€
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . . 8-17€
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17€
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18€
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . . 8-19€
Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . . 8-24€
Web: Checking for Intrusions, Listing Intrusion Alerts, and €
Resetting Alert Flags
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25€
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-24€
9 Traffic/Security Filters (HP ProCurve Switch 2824 and
2848)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2€
Using Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4€
Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . 9-4€
Configuring a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5€
Viewing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7€
Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8€
Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9€
10 Using Authorized IP Managers
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1€
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2€
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3€
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3€
viii
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 10-4€
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4€
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 10-5€
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 10-6€
Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . 10-8€
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9€
Configuring One Station Per Authorized Manager IP Entry . . . . . . . 10-9€
Configuring Multiple Stations Per Authorized Manager IP Entry . . 10-10€
Additional Examples for Authorizing Multiple Stations . . . . . . . . . 10-12€
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12€
Index
ix
— This page is intentionally unused. —
x€
Getting Started€
Contents
Introduction and Applicable Switches . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2€
About the Feature Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2€
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3€
Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5€
Simulating Display Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5€
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5€
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6€
1
Port Identity Convention for Examples . . . . . . . . . . . . . . . . . . . . . . . . . 1-6€
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6€
Getting Documentation From the Web . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8€
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9€
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10€
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . 1-10€
1-1
Getting Started
Introduction and Applicable Switches
Introduction and Applicable Switches
This guide describes how to use HP’s switch security features to protect
access to your HP ProCurveProCurve switch. This guide is intended for these
switch models:
■ HP ProCurve Switch 4100GL Series (4104GL, 4108GL)
■ HP ProCurve Switch 2800 Series (2824, 2848)
■ HP ProCurve Switch 2600 Series (2626, 2650)
■ HP ProCurve Switch 6108
The Product Documentation CD-ROM shipped with the switch includes this
guide. You can also download the latest version from the HP ProCurve
website. (Refer to
About the Feature Descriptions
“Getting Documentation From the Web” on page 1-8.)
In cases where a software feature is not available in all of the switch products
covered by this guide, the text specifically indicates which devices offer the
feature.
1-2
Getting Started
Overview of Access Security Features
Overview of Access Security Features
■ Local Manager and Operator Passwords (page 2-1): Control
access and privileges for the CLI, menu, and web browser interfaces.
■ TACACS+ Authentication (page 3-1): Uses an authentication appli
cation on a server to allow or deny access to a switch.
■ RADIUS Authentication and Accounting (page 4-1): Like
TACACS+, uses an authentication application on a central server to
allow or deny access to the switch. RADIUS also provides accounting
services for sending data about user activity and system events to a
RADIUS server.
■ Secure Shell (SSH) Authentication (page 5-1): Provides
encrypted paths for remote access to switch management functions.
■ Secure Socket Layer (SSL) (page 6-1): Provides remote web access
to the switch via encrypted authentication paths between the switch
and management station clients capable of SSL/TLS operation.
■ Port-Based Access Control (802.1x) (page 7-1): On point-to-point
connections, enables the switch to allow or deny traffic between a
port and an 802.1x-aware device (supplicant) attempting to access the
switch. Also enables the switch to operate as a supplicant for connec
tions to other 802.1x-aware switches.
■ Port Security (page 8-1): Enables a switch port to maintain a unique
list of MAC addresses defining which specific devices are allowed to
access the network through that port. Also enables a port to detect,
prevent, and log access attempts by unauthorized devices.
■ Traffic/Security Filters (page 9-1 ): Source-Port filtering enhances
in-band security by enabling outbound destination ports on the switch
to forward or drop traffic from designated source ports (within the
same VLAN).
■ Authorized IP Managers (page 10-1): Allows access to the switch
by a networked device having an IP address previously configured in
the switch as "authorized".
HP recommends that you use local passwords together with your switch’s
other security features to provide a more comprehensive security fabric than
if you use only local passwords. For an overview, refer to
Table 1-1.
1-3
Getting Started
Overview of Access Security Features
Table 1-1. Management Access Security Protection
Security Feature Offers Protection Against Unauthorized Client Access to
Local Manager and Operator
Usernames and Passwords
TACACS+
1
1
Switch Management Features
Connection Telnet SNMP
(Net Mgmt)
Web
Browser
SSH
Client
PtP: Yes No Yes Yes No
Remote: Yes No Yes Yes No
PtP: Yes No No Yes No
Offers Protection
Against
Unauthorized Client
Access to the
Network
Remote: Yes No No Yes No
RADIUS
1
PtP: Yes No No Yes No
Remote: Yes No No Yes No
SSH
Ptp: Yes No No Yes No
Remote: Yes No No Yes No
SSL
Ptp: No No Yes No No
Remote: No No Yes No No
Port-Based Access Control (802.1x)
PtP: Yes Yes Yes Yes Ye s
Remote: No No No No No
Port Security (MAC address)
PtP: Yes Yes Yes Yes Ye s
Remote: Yes Yes Yes Yes Ye s
Authorized IP Managers
PtP: Yes Yes Yes Yes No
Remote: Yes Yes Yes Yes No
1
The local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access) also offer protection
for serial port access.
There are two security areas to protect: access to the switch management
features and access to the network through the switch. The preceeding table
shows the type of protection each switch security feature offers.
1-4
Getting Started
Command Syntax Conventions
Command Syntax Conventions
This guide uses the following conventions for command syntax and displays.
Syntax: aaa port-access authenticator < port-list >
[ control < authorized | auto | unauthorized >]
■ Vertical bars ( | ) separate alternative, mutually exclusive elements.
■ Square brackets ( [ ] ) indicate optional elements.
■ Braces ( < > ) enclose required elements.
■ Braces within square brackets ( [ < > ] ) indicate a required element
within an optional choice.
■ Boldface indicates use of a CLI command, part of a CLI command
syntax, or other displayed element in general text. For example:
“Use the copy tftp command to download the key from a TFTP server.”
■ Italics indicate variables for which you must supply a value when
executing the command. For example, in this command syntax, you
must provide one or more port numbers:
Syntax: aaa port-access authenticator < port-list >
Simulating Display Output
Command Prompts
In the default configuration, your switch’s CLI prompt includes the switch
model number, and appears similar to the following examples:
HP ProCurve Switch 4108#
HP ProCurve Switch 2650#
HP ProCurve Switch 6108#
To simplify recognition, this guide uses HPswitch to represent command
prompts for all models. That is:
HPswitch#
(You can use the hostname command to change the text in the CLI prompt.)
Commands or command output positioned to simulate displays of switch
information in a computer screen are printed in a monospace font, as shown
above.
1-5
Getting Started
Port Identity Convention for Examples
Screen Simulations
Figures containing simulated screen text and command output appear similar
to this:
Figure 1-1.Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear without figure iden
tification. For example:
HPswitch(config)# clear public-key
HPswitch(config)# show ip client-public-key
show_client_public_key: cannot stat keyfile
Port Identity Convention for Examples
This guide describes software applicable to both chassis-based and stackable
HP ProCurve switches. Where port identities are needed in an example, this
guide uses the chassis-based port identity system, such as "A1", "B3 - B5", "C7",
etc. However, unless otherwise noted, such examples apply equally to the
stackable switches, which typically use only numbers, such as "1", "3-5", "15",
etc. for port identities.
Related Publications
Product Notes and General Software Update Information. The
printed Read Me First shipped with your switch provides software update
information, product notes, and other information. For the latest version, refer
to
“Getting Documentation From the Web” on page 1-8.
Physical Installation and Initial Network Access. Use the Installation
and Getting Started Guide shipped with your switch to prepare for and
perform the physical installation. This guide also steps you through connect
ing the switch to your network and assigning IP addressing, as well as
describing the LED indications for correct operation and trouble analysis. A
1-6
Getting Started
Related Publications
PDF version of this guide is also provided on the Product Documentation CDROM shipped with the switch. And you can download a copy from the HP
ProCurve website. (See
“Getting Documentation From the Web” on page 1-8.)
General Switch Management and Configuration. Use the Management
and Configuration Guide for information on:
■ Using the command line interface (CLI), Menu interface, and web
browser interface
■ Learning the operation and configuration of all switch software
features other than the access security features included in this guide
■ Troubleshooting software operation
HP provides a PDF version of this guide on the Product Documentation CDROM shipped with the switch. You can also download the latest copy from the
HP ProCurve website. (See
“Getting Documentation From the Web” on page
1-8.)
Release Notes. Release notes are posted on the HP ProCurve website and
provide information on new software updates:
■ New features and how to configure and use them
■ Software management, including downloading software to the switch
■ Software fixes addressed in current and previous releases
To view and download a copy of the latest release notes for your switch, see
“Getting Documentation From the Web” on page 1-8.
1-7
Getting Started
Getting Documentation From the Web
Getting Documentation From the Web
1. Go to the HP ProCurve website at http://www.hp.com/go/hpprocurve.
2. Click on technical support.
3. Click on manuals.
4. Click on the product for which you want to view or download a manual.
2
3
4
1-8
Getting Started
Sources for More Information
Sources for More Information
■ If you need information on specific parameters in the menu interface,
refer to the online help provided in the interface.
Online Help
for Menu
Figure 1-2. Where To Find Help in the Menu Interface
■ If you need information on a specific command in the CLI, type the
command name followed by “help”. For example:
Figure 1-3. How To Find Help in the CLI
■ If you need information on specific features in the HP Web Browser
Interface (hereafter referred to as the “web browser interface”), use
the online help available for the web browser interface. For more
information on web browser Help options, refer to the Management
and Configuration Guide for your switch.
1-9
Getting Started
Need Only a Quick Start?
■ If you need further information on Hewlett-Packard switch tech
nology, visit the HP ProCurve website at:
http://www.hp.com/go/hpprocurve
Need Only a Quick Start?
IP Addressing. If you just want to give the switch an IP address, or if you
are not using VLANs, HP recommends that you use the Switch Setup screen
to quickly configure IP addressing. To do so, do one of the following:
■ Enter setup at the CLI Manager level prompt.
HPswitch# setup
■ In the Main Menu of the Menu interface, select
8. Run Setup
For more on using the Switch Setup screen, refer to the Installation and
Getting Started Guide you received with the switch.
To Set Up and Install the Switch in Your
Network
Use the Installation and Getting Started Guide for your switch model
(shipped with the switch) for the following:
■ Notes, cautions, and warnings related to installing and using the
switch and its related modules
■ Instructions for physically installing the switch in your network
■ Quickly assigning an IP address and subnet mask, set a Manager
password, and (optionally) configure other basic features.
1-10
Configuring Username and Password Security
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2€
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4€
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4€
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5€
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6€
2
2-1
Configuring Username and Password Security
Overview
Overview€
Feature Default Menu CLI Web
Set Usernames no user names set — — page 2-6
Set a Password no passwords set page 2-4 page 2-5 page 2-6
Delete Password n/a page 2-4 page 2-6 page 2-6
Protection
Console access includes both the menu interface and the CLI. There are two
levels of console access: Manager and Operator. For security, you can set a
password pair (username and password) on each of these levels.
Note Usernames are optional. Also, in the menu interface, you can configure
passwords, but not usernames. To configure usernames, use the CLI or the
web browser interface.
Level Actions Permitted
Manager: Access to all console interface areas.
This is the default level. That is, if a Manager password has not been set prior
to starting the current console session, then anyone having access to the
console can access any area of the console interface.
Operator: Access to the Status and Counters menu, the Event Log, and the CLI*, but no
Configuration capabilities.
On the Operator level, the configuration menus, Download OS, and Reboot
Switch options in the Main Menu are not available.
*Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable
command if you can provide the Manager password.
To configure password security:
1. Set a Manager password pair (and an Operator password pair, if applicable
for your system).
2. Exit from the current console session. A Manager password pair will now
be needed for full access to the console.
2-2
Configuring Username and Password Security
Overview
If you do steps 1 and 2, above, then the next time a console session is started€
for either the menu interface or the CLI, a prompt appears for a password.€
Assuming you have protected both the Manager and Operator levels, the level€
of access to the console interface will be determined by which password is €
entered in response to the prompt.€
If you set a Manager password, you may also want to configure the €
Inactivity Time parameter. (Refer to the Management and Configuration
Guide for your switch.) This causes the console session to end after the €
specified period of inactivity, thus giving you added security against unautho€
rized console access.€
Note The manager and operator passwords and (optional) usernames control
access to the menu interface, CLI, and web browser interface.
If you configure only a Manager password (with no Operator password), and
in a later session the Manager password is not entered correctly in response
to a prompt from the switch, then the switch does not allow management
access for that session.
If the switch has a password for both the Manager and Operator levels, and
neither is entered correctly in response to the switch’s password prompt, then
the switch does not allow management access for that session.
Passwords are case-sensitive.
Caution If the switch has neither a Manager nor an Operator password, anyone
having access to the switch through either Telnet, the serial port, or the web
browser interface can access the switch with full manager privileges. Also,
if you configure only an Operator password, entering the Operator password enables full manager privileges.
The rest of this section covers how to:
■ Set passwords
■ Delete passwords
■ Recover from a lost password
2-3
Configuring Username and Password Security
Configuring Local Password Security
Configuring Local Password Security
Menu: Setting Passwords
As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface.
1. From the Main Menu select:
3. Console Passwords
Figure 2-1. The Set Password Screen
2. To set a new password:
a. Select Set Manager Password or Set Operator Password. You will then
be prompted with Enter new password.
b. Type a password of up to 16 ASCII characters with no spaces and
press
[Enter]. (Remember that passwords are case-sensitive.)
c. When prompted with Enter new password again, retype the new pass-
word and press
After you configure a password, if you subsequently start a new console
session, you will be prompted to enter the password. (If you use the CLI or
web browser interface to configure an optional username, the switch will
prompt you for the username, and then the password.)
To Delete Password Protection (Including Recovery from a Lost
Password): This procedure deletes all usernames (if configured) and pass-
words (Manager and Operator).
[Enter].
2-4
Configuring Username and Password Security
Configuring Local Password Security
If you have physical access to the switch, press and hold the Clear button (on
the front of the switch) for a minimum of one second to clear all password
protection, then enter new passwords as described earlier in this chapter.
If you do not have physical access to the switch, you will need Manager-Level
access:
1. Enter the console at the Manager level.
2. Go to the Set Passwords screen as described above.
3. Select Delete Password Protection. You will then see the following prompt:
Continue Deletion of password protection? No
4. Press the Space bar to select Ye s, then press
5. Press
[Enter] to clear the Password Protection message.
[Enter].
To Recover from a Lost Manager Password: If you cannot start a console session at the Manager level because of a lost Manager password, you
can clear the password by getting physical access to the switch and pressing
and holding the Clear button for a minimum of one second. This action deletes
all passwords and usernames (Manager and Operator) used by both the
console and the web browser interface.
CLI: Setting Passwords and Usernames
Commands Used in This Section
password See below.
Configuring Manager and Operator Passwords.
Syntax:
[ no ] password <manager | operator > [ user-name ASCII-STR ]
[ no ] password < all >
Figure 2-2. Example of Configuring Manager and Operator Passwords
• Password entries appear
as asterisks.
• You must type the
password entry twice.
2-5
Configuring Username and Password Security
Configuring Local Password Security
To Remove Password Protection. Removing password protection means
to eliminate password security. This command prompts you to verify that you
want to remove one or both passwords, then clears the indicated password(s).
(This command also clears the username associated with a password you are
removing.) For example, to remove the Operator password (and username, if
assigned) from the switch, you would do the following:
Press [Y] (for yes) and press [Enter].
Figure 2-3. Removing a Password and Associated Username from the Switch
The effect of executing the command in figure 2-3 is to remove password
protection from the Operator level. (This means that anyone who can access
the switch console can gain Operator access without having to enter a username or password.)
Web: Setting Passwords and Usernames
In the web browser interface you can enter passwords and (optional) usernames.
To Configure (or Remove) Usernames and Passwords in the Web
Browser Interface.
1. Click on the Security tab.
Click on
2. Do one of the following:
3. Implement the usernames and passwords by clicking on
To access the web-based help provided for the switch, click on
browser screen.
[Device Passwords].
• To set username and password protection, enter the usernames and
passwords you want in the appropriate fields.
• To remove username and password protection, leave the fields blank.
[Apply Changes].
[?] in the web
2-6
TACACS+ Authentication
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2€
Terminology Used in TACACS Applications . . . . . . . . . . . . . . . . . . . . . 3-3€
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5€
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 3-5€
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8€
BeforeYou Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8€
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 3-9€
Viewing the Switch’s Current Authentication Configuration . . . . . . . 3-9€
Viewing the Switch’s Current TACACS+ Server Contact €
Configuration
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 3-11€
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 3-15€
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10€
3
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20€
General Authentication Process Using a TACACS+ Server . . . . . . . . 3-20€
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22€
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23€
Controlling Web Browser Interface Access When Using
TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24€
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 3-25€
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25€
3-1
TACACS+ Authentication
Overview
Overview€
Feature Default Menu CLI Web
view the switch’s authentication configuration n/a — page 3-9 —
view the switch’s TACACS+ server contact n/a — page —
configuration 3-10
configure the switch’s authentication methods disabled — page
3-11
configure the switch to contact TACACS+ server(s) disabled — page
3-15
TACACS+ authentication enables you to use a central server to allow or deny
access to the switch (and other TACACS-aware devices) in your network. This
means that you can use a central database to create multiple unique username/
password sets with associated privilege levels for use by individuals who have
reason to access the switch from either the switch’s console port (local
access) or Telnet (remote access).
—
—
A3 or
B3
A2 or
Primary
TA CACS+
Server
B2
B4
B1
The switch passes the login
requests from terminals A and B
to the TACACS+ server for
authentication. The TACACS+
server determines whether to
allow access to the switch and
what privilege level to allow for
a given access request.
Access Request A1 - A4: Path for Request from
TACACS Server B1 - B4: Path for Request from
Response Terminal B (Through Telnet)
Figure 3-1. Example of TACACS+ Operation
TACACS+ in the switch manages authentication of logon attempts through
either the Console port or Telnet. TACACS+ uses an authentication hierarchy
consisting of (1) remote passwords assigned in a TACACS+ server and (2)
local passwords configured on the switch. That is, with TACACS+ configured,
the switch first tries to contact a designated TACACS+ server for authentica-
HP ProCurve Switch
Configured for
TACACS+ Operation
B
Terminal “B” Remotely Accessing The Switch Via Telnet
A1
A4
A
Terminal “A” Directly
Accessing the Switch
Via Switch’s Console
Port
Terminal A (Through Console Port)
3-2
Loading...