HP Procurve Switches 2650 and 6108
Access Security Guide
www.hp.com/go/hpprocurve
!FishSecurity.book Page i Thursday, October 10, 2002 9:19 PM
© Copyright 2001-2002 Hewlett-Packard Company All Rights Reserved.
This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws.
Publication Number
5990-3063 October 2002 Edition 1
Applicable Product
HP Procurve Switch 2650 (J4899A) HP Procurve Switch 6108 (J4902A)
Trademark Credits
Microsoft, Windows, Windows 95, and Microsoft Windows NT are registered trademarks of Microsoft Corporation. Internet Explorer is a trademark of Microsoft Corporation. Ethernet is a registered trademark of Xerox Corporation. Netscape is a registered trademark of Netscape Corporation. Cisco® is a trademark of Cisco Systems, Inc.
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551
http://www.hp.com/go/hpprocurve
Contents
Getting Started
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Getting Documentation From the Web . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . xvii
1 Configuring Username and Password Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 1-6
2 TACACS+ Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 2-4
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 2-6
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 2-9
Viewing the Switch’s Current Authentication Configuration . . . . . . 2-10
Viewing the Switch’s Current TACACS+ Configuration . . . . . . . . . . 2-10
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 2-11
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 2-15
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
General Authentication Process Using a TACACS+ Server . . . . . . . . 2-20
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Encryption Options in the Switch . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Controlling Web Browser Interface Access When Using TACACS+ Authentication . . . . . . . . . 2-24
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 2-25
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
3 RADIUS Authentication and Accounting
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Preparation: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 3-6
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 3-6
1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . 3-8
2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 3-10
3. Configure the Switch's Global RADIUS Parameters . . . . . . . . . . . 3-12
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Controlling Web Browser Interface Access When Using RADIUS Authentication . . . . . . . . . 3-15
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 3-17
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 3-18
1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 3-19
2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server . . . 3-20
3. (Optional) Configure Session Blocking and Interim Updating Options . . . . . . . . . . . . 3-22
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 3-27
Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . 3-29
4 Configuring Secure Shell (SSH)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Public Key Format Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Steps for Configuring and Using SSH for Switch and Client Authentication . . . . . . . . . . . 4-6
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 4-9
1. Assigning Local Operator and Manager Passwords . . . . . . . . . . . . . 4-9
2. Generating the Switch's Public and Private Key Pair . . . . . . . . . . 4-10
3. Providing the Switch's Public Key to Clients . . . . . . . . . . . . . . . . . . 4-12
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior . . . . . . . . . . 4-15
5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 4-18
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 4-21
More Information on SSH Client Public-Key Authentication . . . . 4-21
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
5 Configuring Port-Based Access Control (802.1x)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
How 802.1x Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Switch-Port Supplicant Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Setup Procedure for Port-Based Access Control (802.1x) . . . . . . . 5-8
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Overview: Configuring 802.1x Authentication on the Switch . . . . . . . 5-9
Configuring Switch Ports as 802.1x Authenticators . . . . . . . . . . . . 5-10
1. Disable LACP on the Ports Selected for 802.1x Access . . . . . . . . . 5-10
2. Enable 802.1x Authentication on Selected Ports . . . . . . . . . . . . . . 5-11
3. Configure the 802.1x Authentication Method . . . . . . . . . . . . . . . . . 5-13
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 5-14
5. Optional: For Authenticator Ports, Configure Port-Security To Allow Only 802.1x Devices . . . . 5-15
6. Enable 802.1x Authentication on the Switch . . . . . . . . . . . . . . . . . . 5-16
Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches . . . . 5-17
Displaying 802.1x Configuration, Statistics, and Counters . . . . . . 5-21
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 5-21
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . 5-23
How 802.1x Authentication Affects VLAN Operation . . . . . . . . . . . 5-24
Static VLAN Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Messages Related to 802.1x Operation . . . . . . . . . . . . . . . . . . . . . . . . 5-28
6 Configuring and Monitoring Port Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Port Security Command Options and Operation . . . . . . . . . . . . . . . . . 6-6
Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Displaying Current Port Security Settings . . . . . . . . . . . . . . . . . . . . . . . 6-9
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
Web: Displaying and Configuring Port Security Features . . . . . . . 6-15
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . . 6-15
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . . 6-17
Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . 6-17
CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . 6-19
Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . . 6-21
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . 6-22
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
7 Using Authorized IP Managers
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . 7-4
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . . 7-5
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . . 7-6
Listing the Switch's Current Authorized IP Manager(s) . . . . . . . . 7-6
Configuring IP Authorized Managers for the Switch . . . . . . . . . . 7-7
Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . . 7-8
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
Configuring One Station Per Authorized Manager IP Entry . . . . . . . . 7-9
Configuring Multiple Stations Per Authorized Manager IP Entry . . . 7-10
Additional Examples for Authorizing Multiple Stations . . . . . . . . . . 7-12
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Index-1
Getting Started
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Related Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Getting Documentation From the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Introduction
This Access Security Guide is intended for use with the following switches:
HP Procurve Switch 2650
HP Procurve Switch 6108
Overview of Access Security Features
Local Manager and Operator Passwords (page 1-1)
Control access and privileges for the CLI, menu, and web browser interface.
TACACS+ Authentication (page 2-1)
Uses an authentication application on a central server to allow or deny access to Switch 2650 or 6108.
RADIUS Authentication and Accounting (page 3-1)
Like TACACS+, uses an authentication application on a central server to allow or deny access to Switch 2650 or 6108. RADIUS also provides accounting services for sending data about user activity and system events to a RADIUS server.
Secure Shell (SSH) Authentication (page 4-1)
Provides encrypted paths for remote access to switch management functions.
Port-Based Access Control (802.1x) (page 5-1)
On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1x-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1x-aware switches.
Port Security (page 6-1)
Enables a switch port to maintain a unique list of MAC addresses defining which specific devices are allowed to access the network through that port. Also enables a port to detect, prevent, and log access attempts by unauthorized devices.
Authorized IP Managers (page 7-1)
Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized".
HP recommends that you use local passwords together with the switch's other security features to provide a more comprehensive security fabric than if you use only the local password option. Table 1 lists these features with the security coverage they provide.
Table 1. Management Access Security Protection

The Telnet, SNMP (Net Mgmt), Web Browser, and SSH Client columns show whether the feature offers protection against unauthorized client access to the switch management features over that connection type. The Network column shows whether the feature offers protection against unauthorized client access to the network.

Security Feature                  Connection  Telnet  SNMP (Net Mgmt)  Web Browser  SSH Client  Network
Local Manager and Operator        PtP         Yes     No               Yes          Yes         No
  Usernames and Passwords*        Remote      Yes     No               Yes          Yes         No
TACACS+*                          PtP         Yes     No               No           Yes         No
                                  Remote      Yes     No               No           Yes         No
RADIUS*                           PtP         Yes     No               No           Yes         No
                                  Remote      Yes     No               No           Yes         No
SSH                               PtP         Yes     No               No           Yes         No
                                  Remote      Yes     No               No           Yes         No
Port-Based Access Control         PtP         Yes     Yes              Yes          Yes         Yes
  (802.1x)                        Remote      No      No               No           No          No
Port Security (MAC address)       PtP         Yes     Yes              Yes          Yes         Yes
                                  Remote      Yes     Yes              Yes          Yes         Yes
Authorized IP Managers            PtP         Yes     Yes              Yes          Yes         No
                                  Remote      Yes     Yes              Yes          Yes         No

*Protection for serial port access includes the local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access).
There are two security areas to protect: access to the switch management features and access to the network through the switch. The above table shows the type of protection each switch security feature offers.
The Product Documentation CD-ROM shipped with the switch includes a copy of this guide. You can also download the latest copy from the HP Procurve website. (Refer to Getting Documentation From the Web, below.)
Command Syntax Conventions
This guide uses the following conventions for command syntax and displays.
Syntax: aaa port-access authenticator < port-list >
Vertical bars ( | ) separate alternative, mutually exclusive elements.
Square brackets ( [ ] ) indicate optional elements.
Braces ( < > ) enclose required elements.
Braces within square brackets ( [ < > ] ) indicate a required element within an optional choice.
Boldface indicates use of a CLI command, part of a CLI command syntax, or other displayed element in general text. For example:
[ control < authorized | auto | unauthorized >]
Use the copy tftp command to download the key from a TFTP server.
Italics indicate variables for which you must supply a value when executing the command. For example, in this command syntax, you must provide one or more port numbers:
Syntax: aaa port-access authenticator < port-list >
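The following is an added example, not part of the HP guide, that turns the notation above into a small matcher: it parses a syntax line written with the guide's conventions (| for alternatives, [ ] for optional elements, < > for required elements) and reports whether a typed command line fits it. One assumption is this example's own: an angle-bracket group holding a single word and no alternatives (such as < port-list >) is treated as a variable placeholder that accepts any one word, because the italics that mark variables in the printed guide do not survive as plain text.

```python
"""Matcher for the CLI syntax notation used in this guide (added example)."""
import re

# Syntax line taken from this section of the guide.
EXAMPLE_SYNTAX = ("aaa port-access authenticator < port-list > "
                  "[ control < authorized | auto | unauthorized > ]")

# Bracket characters become their own tokens; everything else is a word.
_TOKEN_RE = re.compile(r"[<>\[\]|]|[^\s<>\[\]|]+")


def parse_syntax(syntax):
    """Parse a syntax line into a ("choice", alternatives) tree.

    Nodes are tuples: ("lit", word), ("var", name), ("choice", [seq, ...])
    for a required < a | b > group, and ("opt", [seq, ...]) for [ a | b ].
    Each seq is a list of nodes. Unbalanced brackets raise ValueError.
    """
    tokens = _TOKEN_RE.findall(syntax)
    pos = 0

    def parse_group(closer):
        nonlocal pos
        alternatives = [[]]
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == closer:
                return alternatives
            if tok == "|":
                alternatives.append([])
            elif tok == "<":
                alts = parse_group(">")
                # Assumption: a single-word group with no alternatives is a
                # variable placeholder (an italic name in the printed guide).
                if len(alts) == 1 and len(alts[0]) == 1 and alts[0][0][0] == "lit":
                    alternatives[-1].append(("var", alts[0][0][1]))
                else:
                    alternatives[-1].append(("choice", alts))
            elif tok == "[":
                alternatives[-1].append(("opt", parse_group("]")))
            elif tok in (">", "]"):
                raise ValueError("unexpected closing bracket %r" % tok)
            else:
                alternatives[-1].append(("lit", tok))
        if closer is not None:
            raise ValueError("missing closing bracket %r" % closer)
        return alternatives

    return ("choice", parse_group(None))


def _match_seq(seq, words, i):
    """Return every word index at which seq can end when matched from i."""
    ends = {i}
    for node in seq:
        ends = set().union(*(_match_node(node, words, e) for e in ends))
        if not ends:
            break
    return ends


def _match_node(node, words, i):
    kind, payload = node
    if kind == "lit":
        return {i + 1} if i < len(words) and words[i] == payload else set()
    if kind == "var":
        return {i + 1} if i < len(words) else set()
    # A required choice must consume something; an optional group may not.
    ends = set() if kind == "choice" else {i}
    for alt in payload:
        ends |= _match_seq(alt, words, i)
    return ends


def matches(syntax, command):
    """True when the whole command line fits the syntax description."""
    words = command.split()
    return len(words) in _match_node(parse_syntax(syntax), words, 0)


if __name__ == "__main__":
    for line in ("aaa port-access authenticator 1-3",
                 "aaa port-access authenticator 1-3 control auto",
                 "aaa port-access authenticator 1-3 control bogus"):
        verdict = "ok" if matches(EXAMPLE_SYNTAX, line) else "rejected"
        print("%-50s %s" % (line, verdict))
```

The matcher keeps a set of possible end positions rather than a single one, so an optional group that happens to look like the start of a later element does not cause a false rejection; a command is accepted only when one of those end positions is the end of the line.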
Command Prompts
In the default configuration, your Switch 2650 or 6108 displays one of the following CLI prompts:
HP Procurve Switch 2650#
HP Procurve Switch 6108#
To simplify recognition, this guide uses HPswitch to represent command prompts for all models. That is:
HPswitch#
(You can use the hostname command to change the text in the CLI prompt.)
Screen Simulations
Figures containing simulated screen text and command output look like this:
Figure 1. Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear without figure iden­tification. For example:
HPswitch(config)# clear public-key
HPswitch(config)# show ip client-public-key
show_client_public_key: cannot stat keyfile
Related Publications
Product Notes and Software Update Information. The Read Me First shipped with your switch provides software update information, product notes, and other information. A printed copy is shipped with your switch. For the latest version, refer to Getting Documentation From the Web on page xv.
Installation and Getting Started Guide. Use the Installation and Getting Started Guide shipped with your switch to prepare for and perform the physical installation. This guide also steps you through connecting the switch to your network and assigning IP addressing, as well as describing the LED indications for correct operation and trouble analysis. A PDF version of this guide is also provided on the Product Documentation CD-ROM shipped with the switch. And you can download a copy from the HP Procurve website. (See Getting Documentation From the Web on page xv.)
Management and Configuration Guide. Use the Management and Configuration Guide for information on:
Using the command line interface (CLI), Menu interface, and web browser interface
Learning the operation and configuration of all switch software features other than the access security features included in this guide
Troubleshooting software operation
HP provides a PDF version of this guide on the Product Documentation CD-ROM shipped with the switch. You can also download the latest copy from the HP Procurve website. (See Getting Documentation From the Web on page xv.)
Command Line Interface Reference Guide. This guide, available in a PDF file on the HP Procurve website, provides a summary of the CLI commands generally available for HP Procurve switches. For the latest version, see Getting Documentation From the Web on page xv.
Release Notes. Release notes are posted on the HP Procurve website and provide information on new software updates:
New features and how to configure and use them
Software management, including downloading software to the switch
Software fixes addressed in current and previous releases
To view and download a copy of the latest release notes for your switch, see Getting Documentation From the Web on page xv.
Getting Documentation From the Web
1. Go to the HP Procurve website at
http://www.hp.com/go/hpprocurve
2. Click on technical support.
3. Click on manuals.
4. Click on the product for which you want to view or download a manual.
Sources for More Information
If you need information on specific parameters in the menu interface, refer to the online help provided in the interface.
If you need information on a specific command in the CLI, type the command name followed by “help”. For example:
If you need information on specific features in the HP Web Browser Interface (hereafter referred to as the web browser interface), use the online help available for the web browser interface. For more information on web browser Help options, refer to the Management and Configuration Guide for your switch.
If you need further information on Hewlett-Packard switch technology, visit the HP Procurve website at:
http://www.hp.com/go/hpprocurve
Need Only a Quick Start?
IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following:
Enter setup at the CLI Manager level prompt.
HPswitch# setup
In the Main Menu of the Menu interface, select
8. Run Setup
For more on using the Switch Setup screen, see the Installation and Getting Started Guide you received with the switch.
To Set Up and Install the Switch in Your Network
Use the HP Procurve Switch 2650 and 6108 Installation and Getting Started Guide (shipped with the switch) for the following:
Notes, cautions, and warnings related to installing and using the switch and its related modules
Instructions for physically installing the switch in your network
Quickly assigning an IP address and subnet mask, setting a Manager password, and (optionally) configuring other basic features
1 Configuring Username and Password Security
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Overview
Feature                      Default             Menu       CLI        Web
Set Usernames                no user names set                         page 1-6
Set a Password               no passwords set    page 1-4   page 1-5   page 1-6
Delete Password Protection   n/a                 page 1-4   page 1-6   page 1-6

Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels.
Note: Usernames are optional. Also, in the menu interface, you can configure passwords, but not usernames. To configure usernames, use the CLI or the web browser interface.
Level       Actions Permitted
Manager:    Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Operator:   Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities. On the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available.
*Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the Manager password.
To configure password security:
1. Set a Manager password pair (and an Operator password pair, if applicable for your system).
2. Exit from the current console session. A Manager password pair will now be needed for full access to the console.
If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the Manager and Operator levels, the level of access to the console interface will be determined by which password is entered in response to the prompt.
If you set a Manager password, you may also want to configure the Inactivity Time parameter. (Refer to the Management and Configuration Guide for your switch.) This causes the console session to end after the specified period of inactivity, thus giving you added security against unauthorized console access.
Note: The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface.
If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
If the switch has a password for both the Manager and Operator levels, and neither is entered correctly in response to the switch's password prompt, then the switch does not allow management access for that session.
Passwords are case-sensitive.
Caution: If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the web browser interface can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator password enables full manager privileges.
The rest of this section covers how to:
Set passwords
Delete passwords
Recover from a lost password
Configuring Local Password Security
Menu: Setting Passwords
As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface.
1. From the Main Menu select:
3. Console Passwords
Figure 1-1. The Set Password Screen
2. To set a new password:
a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password.
b. Type a password of up to 16 ASCII characters with no spaces and press [Enter].
c. When prompted with Enter new password again, retype the new password and press [Enter]. (Remember that passwords are case-sensitive.)
After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt you for the username, and then the password.)
To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator).
If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
If you do not have physical access to the switch, you will need Manager-level access:
1. Enter the console at the Manager level.
2. Go to the Set Passwords screen as described above.
3. Select Delete Password Protection. You will then see the following prompt:
Continue Deletion of password protection? No
4. Press the Space bar to select Yes, then press [Enter].
5. Press [Enter] to clear the Password Protection message.
To Recover from a Lost Manager Password: If you cannot start a console session at the Manager level because of a lost Manager password, you can clear the password by getting physical access to the switch and pressing and holding the Clear button for a minimum of one second. This action deletes all passwords and usernames (Manager and Operator) used by both the console and the web browser interface.
CLI: Setting Passwords and Usernames
Commands Used in This Section
password See below.
Configuring Manager and Operator Passwords.
Syntax:
[no] password <manager | operator> [user-name ASCII-STR]
[no] password <all>
Figure 1-2. Example of Configuring Manager and Operator Passwords
• Password entries appear as asterisks.
• You must type the password entry twice.
To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:
Figure 1-3. Removing a Password and Associated Username from the Switch
The effect of executing the command in figure 1-3 is to remove password protection from the Operator level. (This means that anyone who can access the switch console can gain Operator access without having to enter a username or password.)
Press [Y] (for yes) and press [Enter].
Web: Setting Passwords and Usernames
In the web browser interface you can enter passwords and (optional) usernames.
To Configure (or Remove) Usernames and Passwords in the Web Browser Interface.
1. Click on the Security tab, then click on the button for device passwords.
2. Do one of the following:
To set username and password protection, enter the usernames and passwords you want in the appropriate fields.
To remove username and password protection, leave the fields blank.
3. Implement the usernames and passwords by clicking on the button that applies the changes.
To access the web-based help provided for the switch, click on the help button in the web browser screen.
TACACS+ Authentication
Contents
Overview  2-2
Terminology Used in TACACS Applications  2-4
General System Requirements  2-5
General Authentication Setup Procedure  2-6
Configuring TACACS+ on the Switch  2-9
Before You Begin  2-9
CLI Commands Described in this Section  2-9
Viewing the Switch's Current Authentication Configuration  2-10
Viewing the Switch's Current TACACS+ Server Contact Configuration  2-10
Configuring the Switch's Authentication Methods  2-11
Configuring the Switch's TACACS+ Server Access  2-15
How Authentication Operates  2-20
General Authentication Process Using a TACACS+ Server  2-20
Local Authentication Process  2-22
Using the Encryption Key  2-23
General Operation  2-23
Encryption Options in the Switch  2-23
Controlling Web Browser Interface Access When Using TACACS+ Authentication  2-24
Messages  2-25
Operating Notes  2-25
Overview
Feature                                                   Default    CLI
view the switch's authentication configuration            n/a        page 2-10
view the switch's TACACS+ server contact configuration    n/a        page 2-10
configure the switch's authentication methods             disabled   page 2-11
configure the switch to contact TACACS+ server(s)         disabled   page 2-15
TACACS+ authentication enables you to use a central server to allow or deny access to the Switch 2650 and 6108 (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/password sets with associated privilege levels for use by individuals who have reason to access the switch from either the switch’s console port (local access) or Telnet (remote access).
Figure 2-1. Example of TACACS+ Operation (diagram). Terminal "A" directly accesses the switch via the switch's console port (access request path A1 - A4); terminal "B" remotely accesses the switch via Telnet (access request path B1 - B4). The Switch 2650 or 6108, configured for TACACS+ operation, passes the login requests from terminals A and B to the primary TACACS+ server for authentication and relays the server's response. The TACACS+ server determines whether to allow access to the switch and what privilege level to allow for a given access request.
TACACS+ in the Switch 2650 and 6108 manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.
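The two access-level rules this guide states, the local-password caution in chapter 1 (no passwords, or an Operator password alone, yields full Manager privileges) and the TACACS+ hierarchy just described (server first, local passwords only when no server can be reached and fallback is configured), interact in a way that is easy to get wrong: a switch with local fallback enabled and its local passwords cleared gives anyone Manager access the moment its TACACS+ server is unreachable. The following Python model is an added example, not part of the HP guide or the switch software; the names LocalPasswords, TacacsReply and authenticate are this example's own, the 'login'/'enable' privilege names follow the guide, and the server address and credentials in the scenario at the bottom are constructed.

```python
"""Added example (not HP code): a model of the access-level decisions the
Access Security Guide describes for the Switch 2650/6108, so the caveats
can be checked rather than only read.

  * Local passwords: neither password set, or only an Operator password,
    gives a session full Manager privileges; only a Manager password and a
    wrong entry denies the session; with both set, the password typed
    decides the level.  Passwords are case-sensitive, at most 16 ASCII
    characters, no spaces.
  * TACACS+: servers are tried in order; local passwords are consulted only
    if every server is unreachable AND local fallback is configured.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

MANAGER, OPERATOR, DENIED = "manager", "operator", "denied"


def validate_password(pw: str) -> str:
    """Enforce the menu-interface limits: at most 16 ASCII characters, no spaces."""
    if len(pw) > 16:
        raise ValueError("password longer than 16 characters")
    if not pw.isascii():
        raise ValueError("password must be ASCII")
    if " " in pw:
        raise ValueError("password must not contain spaces")
    return pw


@dataclass
class LocalPasswords:
    """The switch's own Manager/Operator passwords; None means 'not configured'."""
    manager: Optional[str] = None
    operator: Optional[str] = None

    def login(self, entered: str) -> str:
        """Access level a console session gets for the password typed at the prompt."""
        if self.manager is None and self.operator is None:
            # Caution in the guide: no passwords at all means full Manager access.
            return MANAGER
        if self.manager is None:
            # Only an Operator password: entering it yields full Manager privileges.
            return MANAGER if entered == self.operator else DENIED
        if entered == self.manager:          # exact, case-sensitive comparison
            return MANAGER
        if self.operator is not None and entered == self.operator:
            return OPERATOR
        return DENIED


@dataclass
class TacacsReply:
    """What the switch learns from a TACACS+ server (modelled, not the wire format).
    privilege is 'login' (read-only) or 'enable' (read/write), as the guide names them."""
    granted: bool
    privilege: str = "login"


# Hook that asks one server; it returns None when that server cannot be reached.
AskServer = Callable[[str, str, str], Optional[TacacsReply]]


def authenticate(servers: List[str], ask: AskServer, local: LocalPasswords,
                 local_fallback: bool, username: str, password: str) -> str:
    """Authentication hierarchy: TACACS+ servers in order, then local passwords
    only if every server was unreachable and fallback is configured."""
    for addr in servers:
        reply = ask(addr, username, password)
        if reply is None:
            continue                          # unreachable: try the next server
        if not reply.granted:
            return DENIED                     # a reachable server's verdict is final
        return MANAGER if reply.privilege == "enable" else OPERATOR
    if local_fallback:
        return local.login(password)
    return DENIED                             # no server reachable, no fallback


if __name__ == "__main__":
    # Constructed scenario: the only server is down, local fallback is on, and
    # the switch has been left without local passwords -> anyone is Manager.
    server_down = lambda addr, user, pw: None
    print(authenticate(["10.0.0.5"], server_down, LocalPasswords(), True, "u", "p"))
```

The model reproduces the guide's statements, not a measured switch: a reachable server that denies access is final, whereas an unreachable server with fallback enabled hands the decision to whatever local passwords exist, which is why the local Manager password should be set before TACACS+ fallback is enabled.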
Notes Regarding Software Release H.07.xx
Software release H.07.xx (or greater) for the Switch 2650 and 6108 enables TACACS+ authentication, which allows or denies access to a Switch 2650 and 6108 on the basis of correct username/password pairs managed by the TACACS+ server and specifies the privilege level to allow if access is granted. This release does not support TACACS+ authorization or accounting services.
In release H.07.xx, TACACS+ does not affect web browser interface access. See "Controlling Web Browser Interface Access" on page 2-24.
Terminology Used in TACACS Applications
NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services. Some other terms you may see in literature describing TACACS operation are communication server, remote access server, or terminal server. These terms apply to a Switch 2650 and 6108 when TACACS+ is enabled on the switch (that is, when the switch is TACACS-aware).
TACACS+ Server: The server or management station configured as an access control server for TACACS-enabled devices. To use TACACS+ with the Switch 2650 and 6108 and any other TACACS-capable devices in your network, you must purchase, install, and configure a TACACS+ server application on a networked server or management station in the network. The TACACS+ server application you install will provide various options for access control and access notifications. For more on the TACACS+ services available to you, see the documentation provided with the TACACS+ server application you will use.
Authentication: The process for granting user access to a device through entry of a user name and password and comparison of this username/password pair with previously stored username/password data. Authentication also grants levels of access, depending on the privileges assigned to a user name and password pair by a system administrator.
Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager-level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser interface. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must distribute the password information on each switch to everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis. (For more on local authentication, see the password and username information in the Configuration and Management Guide on the Documentation CD-ROM shipped with your Switch 2650 and 6108.)