Access Security Guide
2610
2610-PWR
ProCurve Switches
R.11.XX
www.procurve.com
ProCurve
Switch 2610 Series
Switch 2610-PWR Series
December 2007
Access Security Guide
© Copyright 2007 Hewlett-Packard Company, L.P.
The information contained herein is subject to change without
notice.
Publication Number
5991-8642
December 2007
Applicable Products
ProCurve Switch 2610-24 (J9085A)
ProCurve Switch 2610-48 (J9088A)
ProCurve Switch 2610-24-PWR (J9087A)
ProCurve Switch 2610-48-PWR (J9089A)
ProCurve Switch 2610-24/12-PWR (J9086A)
Trademark Credits
Windows NT®, Windows®, and MS Windows® are US
registered trademarks of Microsoft Corporation.
Software Credits
SSH on ProCurve Switches is based on the OpenSSH
software toolkit. This product includes software developed
by the OpenSSH Project for use in the OpenSSH Toolkit. For
more information on OpenSSH, visit http://
www.openssh.com.
SSL on ProCurve Switches is based on the OpenSSL software
toolkit. This product includes software developed by the
OpenSSL Project for use in the OpenSSL Toolkit. For more
information on OpenSSL, visit
http://www.openssl.org.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
This product includes software written by Tim Hudson
(tjh@cryptsoft.com)
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
Hewlett-Packard Company shall not be liable for technical
or editorial errors or omissions contained herein. The
information is provided "as is" without warranty of any kind
and is subject to change without notice. The warranties for
Hewlett-Packard Company products are set forth in the
express limited warranty statements for such products.
Nothing herein should be construed as constituting an
additional warranty.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with
the product.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
http://www.procurve.com
Contents
Product Documentation
Software Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
1 Getting Started
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3
General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Feature Descriptions by Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port Identity Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . 1-9
2 Configuring Username and Password Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
1
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
3 Web and MAC Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
General Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . 3-12
Do These Steps Before You Configure Web/MAC Authentication . . 3-12
Additional Information for Configuring the RADIUS
Server To Support MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . . . . 3-15
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Configure the Switch for Web-Based Authentication . . . . . . . . . . . . . 3-19
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . . . . . 3-23
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Configure the Switch for MAC-Based Authentication . . . . . . . . . . . . 3-24
Show Commands for Web-Based Authentication . . . . . . . . . . . . . . . . . . . 3-28
Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . . . . . 3-31
Show Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33
4 TACACS+ Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
2
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Viewing the Switch’s Current TACACS+ Server Contact
Controlling Web Browser Interface Access When Using TACACS+
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9
Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-10
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-17
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22
General Authentication Process Using a TACACS+ Server . . . . . . . . 4-22
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
5 RADIUS Authentication and Accounting
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . . . . . . 5-6
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-7
1. Configure Authentication for the Access Methods
You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-11
3. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-13
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
3
Controlling Web Browser Interface Access When Using RADIUS
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Configuring RADIUS Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Commands Authorization Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Enabling Authorization with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19
Showing Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Configuring the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-27
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-28
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-37
Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39
6 Configuring RADIUS Server Support
for Switch Services
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Configuring the RADIUS Server for
Viewing the Currently Active Per-Port CoS
How a RADIUS Server Applies a Dynamic Port ACL
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
CoS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Configuration Specified by a RADIUS Server . . . . . . . . . . . . . . . . . . . . 6-3
Configuring and Using RADIUS-Assigned Access Control Lists . . . . . . . . 6-6
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Overview of RADIUS-Assigned, Dynamic Port ACLs . . . . . . . . . . . . . . 6-9
Contrasting Dynamic and Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
to a Switch Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12
General ACL Features, Planning, and Configuration . . . . . . . . . . . . . 6-13
4
The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
Configuring the Switch To Support Dynamic Port
Displaying the Current Dynamic Port ACL Activity
Causes of Client Deauthentication Immediately
Operating Rules for Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . 6-14
Configuring an ACL in a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 6-15
Configuring ACE Syntax in RADIUS Servers . . . . . . . . . . . . . . . . . . . 6-18
ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24
After Authenticating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Monitoring Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
7 Configuring Secure Shell (SSH)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Steps for Configuring and Using SSH for
Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
1. Assign Local Login (Operator) and Enable (Manager) Password . 7-9
2. Generate the Switch’s Public and Private Key Pair . . . . . . . . . . . . 7-10
3. Provide the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . . 7-12
4. Enable SSH on the Switch and Anticipate SSH Client
Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
5. Configure the Switch for SSH Authentication . . . . . . . . . . . . . . . . . 7-18
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 7-21
Further Information on SSH Client Public-Key Authentication . . . . . . . . 7-22
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28
5
8 Configuring Secure Socket Layer (SSL)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Steps for Configuring and Using SSL for
Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
1. Assign Local Login (Operator) and Enable (Manager) Password . 8-7
2. Generate the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . . 8-9
3. Enable SSL on the Switch and Anticipate SSL Browser Contact
Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
Common Errors in SSL Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
9 Access Control Lists (ACLs)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Optional Network Management Applications . . . . . . . . . . . . . . . . . . . . 9-3
Optional PCM and IDM Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
General Application Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Types of IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
ACL Inbound Application Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Features Common to All ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
General Steps for Planning and Configuring ACLs . . . . . . . . . . . . . . . 9-11
ACL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
The Packet-Filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
Planning an ACL Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
Switch Resource Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
6
Managing ACL Resource Consumption . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Traffic Management and Improved Network Performance . . . . . . . . . . . 9-22
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22
Guidelines for Planning the Structure of an ACL . . . . . . . . . . . . . . . . 9-23
ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . . . . . . 9-24
How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . . 9-25
Configuring and Assigning an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-32
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-32
ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-33
ACL Configuration Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36
Using the CLI To Create an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-38
Configuring and Assigning a Numbered, Standard ACL . . . . . . . . . . 9-39
Configuring and Assigning a Numbered, Extended ACL . . . . . . . . . . 9-44
Configuring a Named ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-50
Enabling or Disabling ACL Filtering on an Interface . . . . . . . . . . . . . 9-52
Deleting an ACL from the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-53
Displaying ACL Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-54
Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-54
Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . . . 9-55
Display the ACL Assignments for an Interface . . . . . . . . . . . . . . . . . . 9-56
Displaying the Content of a Specific ACL . . . . . . . . . . . . . . . . . . . . . . 9-57
Displaying the Current ACL Resources . . . . . . . . . . . . . . . . . . . . . . . . 9-59
Display All ACLs and Their Assignments in
the Switch Startup-Config File and Running-Config File . . . . . . . . . . 9-60
Editing ACLs and Creating an ACL Offline . . . . . . . . . . . . . . . . . . . . . . . . . 9-60
Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-60
Working Offline To Create or Edit an ACL . . . . . . . . . . . . . . . . . . . . . 9-63
Enable ACL “Deny” Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-67
Requirements for Using ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . 9-67
ACL Logging Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-67
Enabling ACL Logging on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . 9-68
Operating Notes for ACL Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-70
General ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-71
7
10
11
Traffic/Security Filters
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Applying a Source Port Filter in a Multinetted VLAN . . . . . . . . . . . . . 10-3
Using Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Configuring a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Viewing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9
Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
Configuring Port-Based and
User-Based Access Control (802.1X)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 11-3
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 11-9
VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
General Setup Procedure for 802.1X Access Control . . . . . . . . . . . . . . . 11-14
Do These Steps Before You Configure 802.1X Operation . . . . . . . . 11-14
Overview: Configuring 802.1X Authentication on the Switch . . . . . 11-16
Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . . . . . 11-17
1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . 11-18
2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . 11-20
3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 11-24
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 11-25
8
5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 11-26
6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 11-26
7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . 11-26
Operating Rules for Authorized-Client and
Option For Authenticator Ports: Configure Port-Security
Configuring Switch Ports To Operate As
Example of Untagged VLAN Assignment in a RADIUS-Based
Enabling the Use of GVRP-Learned Dynamic VLANs
802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29
VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . 11-31
Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . 11-40
802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 11-44
To Allow Only 802.1X-Authenticated Devices . . . . . . . . . . . . . . . . . . . . . 11-45
Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-46
Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . 11-47
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-47
Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-48
Displaying 802.1X Configuration, Statistics, and Counters . . . . . . . . . . . 11-51
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . 11-51
Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . 11-54
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . 11-57
How RADIUS/802.1X Authentication Affects VLAN Operation . . . . . . . 11-58
VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59
Authentication Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-61
in Authentication Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-64
Operating Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-66
Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-67
9
12
13
Configuring and Monitoring Port Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5
Port Security Command Options and Operation . . . . . . . . . . . . . . . . . . . . 12-6
Retention of Static MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Displaying Current Port Security Settings . . . . . . . . . . . . . . . . . . . . . 12-10
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
Differences Between MAC Lockdown and Port Security . . . . . . . . 12-19
Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-25
Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-27
Web: Displaying and Configuring Port Security Features . . . . . . . . . . . . 12-27
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . . . . . . . 12-28
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-28
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-29
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 12-29
Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . 12-34
Web: Checking for Intrusions, Listing Intrusion Alerts,
and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-35
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-35
Using Authorized IP Managers
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-2
Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
10
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 13-5
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 13-6
Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9
Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10
Configuring One Station Per Authorized Manager IP Entry . . . . . . 13-10
Configuring Multiple Stations Per Authorized Manager IP Entry . . 13-11
Additional Examples for Authorizing Multiple Stations . . . . . . . . . 13-13
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-13
Index
11
12
Product Documentation
Note For the latest version of all ProCurve switch documentation, including release
notes covering recently added features, visit the ProCurve Networking
website at www.procurve.com. Click on Technical support, and then click
on Product manuals.
Printed Publications
The two publications listed below are printed and shipped with your switch.
The latest version of each is also available in PDF format on the ProCurve Web
site, as described in the Note at the top of this page.
■ Read Me First—Provides software update information, product notes,
and other information.
■ Installation and Getting Started Guide—Explains how to prepare for
and perform the physical installation and connect the switch to your
network.
Electronic Publications
The latest version of each of the publications listed below is available in PDF
format on the ProCurve Web site, as described in the Note at the top of this
page.
■ Management and Configuration Guide—Describes how to configure,
manage, and monitor basic switch operation.
■ Advanced Traffic Management Guide—Explains how to configure
traffic management features, such as spanning tree, VLANs, and IP
routing.
■ Access Security Guide—Explains how to configure access security
features and user authentication on the switch.
■ Release Notes—Describe new features, fixes, and enhancements that
become available between revisions of the above guides.
xiii
Product Documentation
Software Feature Index
For the software manual set supporting your switch model, the following
feature index indicates which manual to consult for information on a given
software feature. (Note that some software features are not supported on all
switch models.)
Feature Management and
Configuration
Advanced Traffic
Management
Access Security
Guide
802.1Q VLAN Tagging - X -
802.1X Port-Based Priority X - -
ACLs - - X
AAA Authentication - - X
Authorized IP Managers - - X
Auto-MDIX Configuration X - -
BootP X - -
Config File X - -
Console Access X - -
Copy Command X - -
Debug X - -
DHCP Configuration - X -
DHCP/Bootp Operation X - -
DHCP Option 82 - X -
Diagnostic Tools X - -
Downloading Software X - -
Event Log X - -
Factory Default Settings X - -
File Management X - -
xiv
Product Documentation
Feature Management and
Configuration
Advanced Traffic
Management
Access Security
Guide
File Transfers X - -
Friendly Port Names X
GVRP - X -
IGMP - X -
Interface Access (Telnet, Console/Serial, Web) X - -
Jumbo Packets X - -
IP Addressing X - -
IP Routing - X -
LACP X - -
Link X - -
LLDP X - -
LLDP-MED X - -
MAC Address Management X - -
MAC Lockdown - - X
MAC Lockout - - X
MAC-based Authentication - - X
Monitoring and Analysis X - -
Multicast Filtering - X -
Multiple Configuration Files X - -
Network Management Applications (LLDP, SNMP) X - -
Passwords - - X
Ping X - -
Port Configuration X - -
Port Security - - X
Port Status X - -
Port Trunking (LACP) X - -
xv
Product Documentation
Feature Management and
Configuration
Advanced Traffic
Management
Access Security
Guide
Port-Based Access Control - - X
Port-Based Priority (802.1Q) X - -
Power over Ethernet (PoE) X - -
Quality of Service (QoS) - X -
RADIUS ACLs - - X
RADIUS Authentication and Accounting - - X
Routing - X -
Secure Copy X - -
sFlow X
SFTP X - -
SNMP X - -
Software Downloads (SCP/SFTP, TFTP, Xmodem) X - -
Source-Port Filters - - X
Spanning Tree (STP, RSTP, MSTP) - X -
SSH (Secure Shell) Encryption - - X
SSL (Secure Socket Layer) - - X
Stack Management (Stacking) - X -
Syslog X - -
System Information X - -
TACACS+ Authentication - - X
Telnet Access X - -
TFTP X - -
Time Protocols (TimeP, SNTP) X - -
Traffic/Security Filters - - X
Troubleshooting X - -
Uni-Directional Link Detection (UDLD) X - -
xvi
Product Documentation
Feature Management and
Configuration
Advanced Traffic
Management
Access Security
Guide
VLANs - X -
Web-based Authentication - - X
Xmodem X - -
xvii
Product Documentation
xviii
1
Getting Started
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3
General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Feature Descriptions by Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Port Identity Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . 1-9
1-1
Getting Started
Introduction
Introduction
This Access Security Guide describes how to use ProCurve’s switch security
features to protect access to your switch. This guide is intended to support
the following switches:
■ ProCurve Series 2610
■ ProCurve Series 2610-PWR
For an overview of other product documentation for the above switches, refer
to “Product Documentation” on page xiii.
You can also download the software manuals from the ProCurve website,
www.procurve.com.
Overview of Access Security Features
The access security features covered in this guide include:
■ Local Manager and Operator Passwords (page 2-1): Control
access and privileges for the CLI, menu, and web browser interfaces.
■ TACACS+ Authentication (page 4-1): Uses an authentication appli-
cation on a server to allow or deny access to a switch.
■ RADIUS Authentication and Accounting (page 5-1): Like
TACACS+, uses an authentication application on a central server to
allow or deny access to the switch. RADIUS also provides accounting
services for sending data about user activity and system events to a
RADIUS server.
■ Secure Shell (SSH) Authentication (page 7-1): Provides
encrypted paths for remote access to switch management functions.
■ Secure Socket Layer (SSL) (page 8-1): Provides remote web access
to the switch via encrypted authentication paths between the switch
and management station clients capable of SSL/TLS operation.
1-2
Getting Started
Overview of Access Security Features
■ Access Control Lists (page 9-1): Permits or denies in-band manage-
ment access. This includes preventing the use of certain TCP or UDP
applications (such as Telnet, SSH, Web browser, and SNMP) for
transactions between specific source and destination IP addresses.
Eliminates unwanted IP, TCP, or UDP traffic by filtering packets
where they enter or leave the switch on specific interfaces.
■ Traffic/Security Filters (page 10-1): Source-Port filtering enhances
in-band security by enabling outbound destination ports on the switch
to forward or drop traffic from designated source ports (within the
same VLAN).
■ Port-Based and User-Based Access Control (802.1X)
(page 11-1): On point-to-point connections, enables the switch to
allow or deny traffic between a port and an 802.1X-aware device
(supplicant) attempting to access the switch. Also enables the switch
to operate as a supplicant for connections to other 802.1X-aware
switches.
■ Port Security (page 12-1): Enables a switch port to maintain a unique
list of MAC addresses defining which specific devices are allowed to
access the network through that port. Also enables a port to detect,
prevent, and log access attempts by unauthorized devices.
■ Authorized IP Managers (page 13-1): Allows access to the switch
by a networked device having an IP address previously configured in
the switch as “authorized”.
Management Access Security Protection
In considering management access security for your switch, there are two key
areas to protect:
■ Unauthorized client access to switch management features
■ Unauthorized client access to the network.
Table 1-1 on page 1-4 provides an overview of the type of protection offered
by each switch security feature.
Note ProCurve recommends that you use local passwords together with your
switch’s other security features to provide a more comprehensive security
fabric than if you use only local passwords.
1-3
Getting Started
Overview of Access Security Features
Table 1-1. Management Access Security Protection
Security Feature Offers Protection Against Unauthorized Client Access to
Switch Management Features
Offers Protection
Against
Unauthorized Client
Access to the
Network
Connection Telnet SNMP
(Net Mgmt)
Web
Browser
SSH
Client
Local Manager and Operator
Usernames and Passwords
1
PtP: Yes No Yes Yes
Yes No Ye s Yes
No
NoRemote:
TACACS+
1
PtP: Yes No No Ye s
Yes No No Yes
No
NoRemote:
RADIUS
1
PtP: Yes No No Ye s
Yes No No Yes
No
NoRemote:
SSH
Ptp: Yes No No Ye s
Yes No No Yes
No
NoRemote:
SSL
Ptp: No No Yes No
No No Yes No
No
NoRemote:
Port-Based Access Control (802.1X) PtP: Yes Yes Ye s Yes
No No No No
Yes
NoRemote:
Port Security (MAC address)
PtP: Yes Yes Yes Ye s
Yes Yes Ye s Yes
Yes
Yes Remote:
Authorized IP Managers
PtP: Yes Yes Yes Ye s
Yes Yes Ye s Yes
No
NoRemote:
1
The local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access) also offer protection
for serial port access.
General Switch Traffic Security Guidelines
Where the switch is running multiple security options, it implements network
traffic security based on the OSI (Open Systems Interconnection model)
precedence of the individual options, from the lowest to the highest. The
following list shows the order in which the switch implements configured
security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (applies to all ports on the switch)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH
(The above list does not address the mutually exclusive relationship that
exists among some security features.)
1-4
Getting Started
Conventions
Conventions
This guide uses the following conventions for command syntax and displayed
information.
Feature Descriptions by Model
In cases where a software feature is not available in all of the switch models
covered by this guide, the section heading specifically indicates which product
or product series offer the feature.
For example (the switch model is highlighted here in bold italics):
“Web and MAC Authentication for the Series 2610/2610-PWR
Switches”.
Command Syntax Statements
Syntax: aaa port-access authenticator < port-list >
[ control < authorized | auto | unauthorized >]
■ Vertical bars ( | ) separate alternative, mutually exclusive elements.
■ Square brackets ( [ ] ) indicate optional elements.
■ Braces ( < > ) enclose required elements.
■ Braces within square brackets ( [ < > ] ) indicate a required element
within an optional choice.
■ Boldface indicates use of a CLI command, part of a CLI command
syntax, or other displayed element in general text. For example:
“Use the copy tftp command to download the key from a TFTP server.”
■ Italics indicate variables for which you must supply a value when
executing the command. For example, in this command syntax, < port-
list > indicates that you must provide one or more port numbers:
Syntax: aaa port-access authenticator < port-list >
1-5
Getting Started
Conventions
Command Prompts
In the default configuration, your switch displays the following CLI prompt:
ProCurve Switch 2610#
To simplify recognition, this guide uses ProCurve to represent command
prompts for all models. For example:
ProCurve#
(You can use the hostname command to change the text in the CLI prompt.)
Screen Simulations
Figures containing simulated screen text and command output look like this:
ProCurve> show version
Image stamp: /sw/code/build/info
Nov 2 2007 13 43:14
R.01.XX
430
ProCurve>
Figure 1-1. Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear outside of a
numbered figure. For example:
ProCurve(config)# ip default-gateway 18.28.152.1/24
ProCurve(config)# vlan 1 ip address 18.28.36.152/24
ProCurve(config)# vlan 1 ip igmp
Port Identity Examples
This guide describes software applicable to both chassis-based and stackable
ProCurve switches. Where port identities are needed in an example, this guide
uses the chassis-based port identity system, such as “A1”, “B3 - B5”, “C7”, etc.
However, unless otherwise noted, such examples apply equally to the
stackable switches, which for port identities typically use only numbers, such
as “1”, “3-5”, “15”, etc.
1-6
Getting Started
Sources for More Information
Sources for More Information
For additional information about switch operation and features not covered
in this guide, consult the following sources:
■ For information on which product manual to consult on a given
software feature, refer to “Product Documentation” on page xiii.
Note For the latest version of all ProCurve switch documentation, including
release notes covering recently added features, visit the ProCurve
Networking website at www.procurve.com. Click on Te c hn ic al
support, and then click on Product manuals.
■ For information on specific parameters in the menu interface, refer
to the online help provided in the interface. For example:
Online Help for
Menu interface
Figure 1-2. Getting Help in the Menu Interface
■ For information on a specific command in the CLI, type the command
name followed by “help”. For example:
1-7
Getting Started
Need Only a Quick Start?
Figure 1-3. Getting Help in the CLI
■ For information on specific features in the Web browser interface,
use the online help. For more information, refer to the Management
and Configuration Guide for your switch.
■ For further information on ProCurve Networking switch technology,
visit the ProCurve website at:
www.procurve.com
Need Only a Quick Start?
IP Addressing
If you just want to give the switch an IP address so that it can communicate
on your network, or if you are not using multiple VLANs, ProCurve
recommends that you use the Switch Setup screen to quickly configure IP
addressing. To do so, do one of the following:
■ Enter setup at the CLI Manager level prompt.
ProCurve# setup
■ In the Main Menu of the Menu interface, select
8. Run Setup
For more on using the Switch Setup screen, see the Installation and Getting
Started Guide you received with the switch.
1-8
Getting Started
Need Only a Quick Start?
To Set Up and Install the Switch in Your Network
Important! Use the Installation and Getting Started Guide shipped with your switch for
the following:
■ Notes, cautions, and warnings related to installing and using the
switch and its related modules
■ Instructions for physically installing the switch in your network
■ Quickly assigning an IP address and subnet mask, setting a Manager
password, and (optionally) configuring other basic features.
■ Interpreting LED behavior.
For the latest version of the Installation and Getting Started Guide and other
documentation for your switch, visit the ProCurve website. (Refer to “Product
Documentation” on page xiii of this guide for further details.)
1-9
Getting Started
Need Only a Quick Start?
1-10
2
Configuring Username and Password Security
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
2-1
Configuring Username and Password Security
Overview
Overview
Feature Default Menu CLI Web
Set Usernames none — — page 2-6
Set a Password none page 2-4 page 2-5 page 2-6
Delete Password Protection n/a page 2-4 page 2-6 page 2-6
Show front-panel-security n/a — page 1-13 —
Front-panel-security — page 1-13 —
password-clear enabled — page 1-13 —
reset-on-clear disabled — page 1-14 —
factory-reset enabled — page 1-15 —
password-recovery enabled — page 1-15 —
Console access includes both the menu interface and the CLI. There are two
levels of console access: Manager and Operator. For security, you can set a
password pair (username and password) on each of these levels.
Note Usernames are optional. Also, in the menu interface, you can configure
passwords, but not usernames. To configure usernames, use the CLI or the
web browser interface.
Level Actions Permitted
Manager: Access to all console interface areas.
This is the default level. That is, if a Manager password has not been set prior
to starting the current console session, then anyone having access to the
console can access any area of the console interface.
Operator: Access to the Status and Counters menu, the Event Log, and the CLI*, but no
Configuration capabilities.
On the Operator level, the configuration menus, Download OS, and Reboot
Switch options in the Main Menu are not available.
*Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable
command if you can provide the Manager password.
2-2
Configuring Username and Password Security
Overview
To configure password security:
1. Set a Manager password pair (and an Operator password pair, if applicable
for your system).
2. Exit from the current console session. A Manager password pair will now
be needed for full access to the console.
If you do steps 1 and 2, above, then the next time a console session is started
for either the menu interface or the CLI, a prompt appears for a password.
Assuming you have protected both the Manager and Operator levels, the level
of access to the console interface will be determined by which password is
entered in response to the prompt.
If you set a Manager password, you may also want to configure the
Inactivity Time parameter. (Refer to the Management and Configuration
Guide for your switch.) This causes the console session to end after the
specified period of inactivity, thus giving you added security against unauthorized console access.
Note The manager and operator passwords and (optional) usernames control
access to the menu interface, CLI, and web browser interface.
If you configure only a Manager password (with no Operator password), and
in a later session the Manager password is not entered correctly in response
to a prompt from the switch, then the switch does not allow management
access for that session.
Passwords are case-sensitive.
Caution If the switch has neither a Manager nor an Operator password, anyone
having access to the switch through either Telnet, the serial port, or the web
browser interface can access the switch with full manager privileges. Also,
if you configure only an Operator password, entering the Operator password enables full manager privileges.
The rest of this section covers how to:
■ Set passwords
■ Delete passwords
■ Recover from a lost password
2-3
Configuring Username and Password Security
Configuring Local Password Security
Configuring Local Password Security
Menu: Setting Passwords
As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface.
1. From the Main Menu select:
3. Console Passwords
Figure 2-1. The Set Password Screen
2. To set a new password:
a. Select Set Manager Password or Set Operator Password. You will then
be prompted with Enter new password.
b. Type a password of up to 16 ASCII characters with no spaces and
press
[Enter]. (Remember that passwords are case-sensitive.)
c. When prompted with Enter new password again, retype the new pass-
word and press
[Enter].
After you configure a password, if you subsequently start a new console
session, you will be prompted to enter the password. (If you use the CLI or
web browser interface to configure an optional username, the switch will
prompt you for the username, and then the password.)
To Delete Password Protection (Including Recovery from a Lost
Password): This procedure deletes all usernames (if configured) and pass-
words (Manager and Operator).
2-4
Configuring Username and Password Security
Configuring Local Password Security
If you have physical access to the switch, press and hold the Clear button (on
the front of the switch) for a minimum of one second to clear all password
protection, then enter new passwords as described earlier in this chapter.
If you do not have physical access to the switch, you will need Manager-Level
access:
1. Enter the console at the Manager level.
2. Go to the Set Passwords screen as described above.
3. Select Delete Password Protection. You will then see the following prompt:
Continue Deletion of password protection? No
4. Press the Space bar to select Ye s, then press
[Enter].
5. Press
[Enter] to clear the Password Protection message.
To Recover from a Lost Manager Password: If you cannot start a console session at the Manager level because of a lost Manager password, you
can clear the password by getting physical access to the switch and pressing
and holding the Clear button for a minimum of one second. This action deletes
all passwords and usernames (Manager and Operator) used by both the
console and the web browser interface.
CLI: Setting Passwords and Usernames
Commands Used in This Section
password See below.
Configuring Manager and Operator Passwords.
Syntax:
[ no ] password <manager | operator > [ user-name ASCII-STR ]
[ no ] password < all >
• Password entries appear
as asterisks.
• You must type the
password entry twice.
Figure 2-2. Example of Configuring Manager and Operator Passwords
2-5
Configuring Username and Password Security
Configuring Local Password Security
To Remove Password Protection. Removing password protection means
to eliminate password security. This command prompts you to verify that you
want to remove one or both passwords, then clears the indicated password(s).
(This command also clears the username associated with a password you are
removing.) For example, to remove the Operator password (and username, if
assigned) from the switch, you would do the following:
Press [Y] (for yes) and press [Enter].
Figure 2-3. Removing a Password and Associated Username from the Switch
The effect of executing the command in figure 2-3 is to remove password
protection from the Operator level. (This means that anyone who can access
the switch console can gain Operator access without having to enter a username or password.)
Web: Setting Passwords and Usernames
In the web browser interface you can enter passwords and (optional) usernames.
To Configure (or Remove) Usernames and Passwords in the Web
Browser Interface.
1. Click on the Security tab.
Click on [Device Passwords].
2. Do one of the following:
• To set username and password protection, enter the usernames and
passwords you want in the appropriate fields.
• To remove username and password protection, leave the fields blank.
3. Implement the usernames and passwords by clicking on [Apply Changes].
To access the web-based help provided for the switch, click on
[?] in the web
browser screen.
2-6
Configuring Username and Password Security
Front-Panel Security
Front-Panel Security
The front-panel security features provide the ability to independently enable
or disable some of the functions of the two buttons located on the front of the
switch for clearing the password (Clear button) or restoring the switch to its
factory default configuration (Reset+Clear buttons together). The ability to
disable Password Recovery is also provided for situations which require a
higher level of switch security.
The front-panel Security features are designed to prevent malicious users
from:
■ Resetting the password(s) by pressing the Clear button
■ Restoring the factory default configuration by using the Reset+Clear
button combination.
■ Gaining management access to the switch by having physical access to
the switch itself
When Security Is Important
Some customers require a high level of security for information. Also, the
Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires
that systems handling and transmitting confidential medical records must be
secure.
It used to be assumed that only system and network administrators would be
able to get access to a network switch because switches were typically placed
in secure locations under lock and key. For some customers this is no longer
true. Others simply want the added assurance that even if someone did
manage to get to the switch that data would still remain secure.
If you do not invoke front-panel security on the switch, user-defined passwords can be deleted by pushing the Clear button on the front panel. This
function exists so that if customers forget the defined passwords they can still
get back into the switch and reset the passwords. This does, however, leave
the switch vulnerable when it is located in an area where non-authorized
people have access to it. Passwords could easily be cleared by pressing the
Clear button. Someone who has physical access to the switch may be able to
erase the passwords (and possibly configure new passwords) and take control
of the switch.
2-7
Configuring Username and Password Security
Front-Panel Security
As a result of increased security concerns, customers now have the ability to
stop someone from removing passwords by disabling the Clear and/or Reset
buttons on the front of the switch.
Front-Panel Button Functions
The front panel of the switch includes the Reset button and the Clear button.
Reset Button Clear Button
Figure 2-4. Example Front-Panel Button Locations
Clear Button
Pressing the Clear button alone for one second resets the password(s) configured on the switch.
Reset Clear
Figure 2-5. Press the Clear Button for One Second To Reset the Password(s)
2-8
Configuring Username and Password Security
Front-Panel Security
Reset Button
Pressing the Reset button alone for one second causes the switch to reboot.
Reset Clear
Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch
Restoring the Factory Default Configuration
You can also use the Reset button together with the Clear button (Reset+Clear)
to restore the factory default configuration for the switch. To do this:
1. Press and hold the Reset button.
Reset Clear
2. While holding the Reset button, press and hold the Clear button.
Reset Clear
2-9
Configuring Username and Password Security
Front-Panel Security
3. Release the Reset button and wait for about one second for the Self-Test
LED to start flashing.
Self
Test
Reset Clear
4. When the Self-Test LED begins flashing, release the Clear button
.
Self
Test
Reset Clear
This process restores the switch configuration to the factory default settings.
Configuring Front-Panel Security
Using the front-panel-security command from the global configuration context
in the CLI you can:
• Disable or re-enable the password-clearing function of the Clear
button. Disabling the Clear button means that pressing it does not
remove local password protection from the switch. (This action
affects the Clear button when used alone, but does not affect the
operation of the Reset+Clear combination described under “Restoring the Factory Default Configuration” on page 2-9.)
2-10
Configuring Username and Password Security
Front-Panel Security
• Configure the Clear button to reboot the switch after clearing any
local usernames and passwords. This provides an immediate, visual
means (plus an Event Log message) for verifying that any usernames
and passwords in the switch have been cleared.
• Modify the operation of the Reset+Clear combination (page 2-9) so
that the switch still reboots, but does not restore the switch’s factory
default configuration settings. (Use of the Reset button alone, to
simply reboot the switch, is not affected.)
• Disable or re-enable Password Recovery.
Syntax: show front-panel-security
Displays the current front-panel-security settings:
Clear Password: Shows the status of the Clear button on the front
panel of the switch. Enabled means that pressing the Clear
button erases the local usernames and passwords configured
on the switch (and thus removes local password protection
from the switch). Disabled means that pressing the Clear
button does not remove the local usernames and passwords
configured on the switch. (Default: Enabled.)
Reset-on-clear: Shows the status of the reset-on-clear option
(Enabled or Disabled). When reset-on-clear is disabled and
Clear Password is enabled, then pressing the Clear button
erases the local usernames and passwords from the switch.
When reset-on-clear is enabled, pressing the Clear button
erases the local usernames and passwords from the switch
and reboots the switch. (Enabling reset-on-clear
automatically enables clear-password.) (Default: Disabled.)
Factory Reset: Shows the status of the Reset button on the front
panel of the switch. Enabled means that pressing the Reset
button reboots the switch and also enables the Reset button to
be used with the Clear button (page 2-9) to reset the switch to
its factory-default configuration. (Default: Enabled.)
2-11
Configuring Username and Password Security
Front-Panel Security
Password Recovery: Shows whether the switch is configured
with the ability to recover a lost password. (Refer to
“Password Recovery Process” on page 2-18.) (Default:
Enabled.)
CAUTION: Disabling this option removes the ability to
recover a password on the switch. Disabling this option is
an extreme measure and is not recommended unless you
have the most urgent need for high security. If you disable
password-recovery and then lose the password, you will
have to use the Reset and Clear buttons (page 2-9) to reset
the switch to its factory-default configuration and create a
new password.
For example, show front-panel-security produces the following output when
the switch is configured with the default front-panel security settings.
Figure 2-7. The Default Front-Panel Security Settings
Disabling the Clear Password Function of the Clear Button
on the Switch’s Front Panel
Syntax: no front-panel-security password-clear
In the factory-default configuration, pressing the Clear button
on the switch’s front panel erases any local usernames and
passwords configured on the switch. This command disables
the password clear function of the Clear button, so that
pressing it has no effect on any local usernames and
passwords. (Default: Enabled.)
Note: Although the Clear button does not erase passwords
when disabled, you can still use it with the Reset button
(Reset+Clear) to restore the switch to its factory default
configuration, as described under “Restoring the Factory
Default Configuration” on page 2-9.
This command displays a Caution message in the CLI. If you want to proceed
with disabling the Clear button, type
[Y]; otherwise type [N]. For example:
2-12
Configuring Username and Password Security
Front-Panel Security
Indicates the command has disabled the Clear
button on the switch’s front panel. In this case
the Show command does not include the reset-
on-clear status because it is inoperable while
the Clear Password functionality is disabled, and
must be reconfigured whenever Clear Password
is re-enabled .
Figure 2-8. Example of Disabling the Clear Button and Displaying the New Configuration
2-13
Configuring Username and Password Security
Front-Panel Security
Re-Enabling the Clear Button on the Switch’s Front Panel and
Setting or Changing the “Reset-On-Clear” Operation
Syntax: [no] front-panel-security password-clear reset-on-clear
This command does both of the following:
• Re-enables the password-clearing function of the Clear
button on the switch’s front panel.
• Specifies whether the switch reboots if the Clear button is
pressed.
To re-enable password-clear, you must also specify whether
to enable or disable the reset-on-clear option.
Defaults:
– password-clear: Enabled.
– reset-on-clear: Disabled.
Thus:
• To enable password-clear with reset-on-clear disabled, use
this syntax:
no front-panel-security password-clear reset-on-clear
• To enable password-clear with reset-on-clear also enabled,
use this syntax:
front-panel-security password-clear reset-on-clear
(Either form of the command enables
password-clear.)
Note: If you disable password-clear and also disable the
password-recovery option, you can still recover from a lost
password by using the Reset+Clear button combination at
reboot as described on page 2-9. Although the Clear button
does not erase passwords when disabled, you can still use
it with the Reset button (Reset+Clear) to restore the switch
to its factory default configuration. You can then get access
to the switch to set a new password.
For example, suppose that password-clear is disabled and you want to restore
it to its default configuration (enabled, with reset-on-clear disabled).
2-14
Configuring Username and Password Security
Front-Panel Security
Shows password-clear disabled.
Enables password-clear, with reset-on-
clear disabled by the “no” statement at
the beginning of the command.
Shows password-clear enabled, with
reset-on-clear disabled.
Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation
Changing the Operation of the Reset+Clear Combination
In their default configuration, using the Reset+Clear buttons in the combination described under “Restoring the Factory Default Configuration” on page
2-9 replaces the switch’s current startup-config file with the factory-default
startup-config file, then reboots the switch, and removes local password
protection. This means that anyone who has physical access to the switch
could use this button combination to replace the switch’s current configuration with the factory-default configuration, and render the switch accessible without the need to input a username or password. You can use the
factory-reset command to prevent the Reset+Clear combination from being
used for this purpose.
Syntax: [no] front-panel-security factory-reset
Disables or re-enables the following functions associated with
using the Reset+Clear buttons in the combination described
under “Restoring the Factory Default Configuration” on page 2-9:
• Replacing the current startup-config file with the factorydefault startup-config file
• Clearing any local usernames and passwords configured on
the switch
(Default: Both functions enabled.)
Notes: The Reset+Clear button combination always reboots
the switch, regardless of whether the “no” form of the
command has been used to disable the above two functions.
Also, if you disable factory-reset, you cannot disable the
password-recovery option, and the reverse.
2-15
Configuring Username and Password Security
Front-Panel Security
The command to disable the factory-reset operation produces this caution.
To complete the command, press [Y]. To abort the command, press [N].
Displays the current frontpanel-security configuration,
with Factory Reset disabled.
Completes the command to
disable the factory reset option.
Figure 2-10. Example of Disabling the Factory Reset Option
Password Recovery
The password recovery feature is enabled by default and provides a method
for regaining management access to the switch (without resetting the switch
to its factory default configuration) in the event that the system administrator
loses the local manager username (if configured) or password. Using Password Recovery requires:
■ password-recovery enabled (the default) on the switch prior to an attempt
to recover from a lost username/password situation
■ Contacting your ProCurve Customer Care Center to acquire a one-time-
use password
Disabling or Re-Enabling the Password Recovery Process
Disabling the password recovery process means that the only method for
recovering from a lost manager username (if configured) and password is to
reset the switch to its factory-default configuration, which removes any non
default configuration settings.
Caution Disabling password-recovery requires that factory-reset be enabled, and locks
out the ability to recover a lost manager username (if configured) and password on the switch. In this event, there is no way to recover from a lost
manager username/password situation without resetting the switch to its
factory-default configuration. This can disrupt network operation and make
it necessary to temporarily disconnect the switch from the network to prevent
unauthorized access and other problems while it is being reconfigured. Also,
with factory-reset enabled, unauthorized users can use the Reset+Clear button
combination to reset the switch to factory-default configuration and gain
management access to the switch.
2-16
Configuring Username and Password Security
Front-Panel Security
Syntax: [no] front-panel-security password-recovery
Enables or (using the “no” form of the command) disables the
ability to recover a lost password.
When this feature is enabled, the switch allows management
access through the password recovery process described below.
This provides a method for recovering from a lost manager
username (if configured) and password. When this feature is
disabled, the password recovery process is disabled and the
only way to regain management access to the switch is to use
the Reset+Clear button combination (page 2-9) to restore the
switch to its factory default configuration.
Note: To disable password-recovery:
– You must have physical access to the front panel of the
switch.
– The factory-reset parameter must be enabled (the default).
(Default: Enabled.)
Steps for Disabling Password-Recovery.
1. Set the CLI to the global interface context.
2. Use show front-panel-security to determine whether the factory-reset
parameter is enabled. If it is disabled, use the front-panel-security factory-
reset command to enable it.
3. Press and release the Clear button on the front panel of the switch.
4. Within 60-seconds of pressing the Clear button, enter the following command:
no front-panel-security password-recovery
5. Do one of the following after the “CAUTION” message appears:
• If you want to complete the command, press
[Y] (for “Yes”).
• If you want to abort the command, press
[N] (for “No”)
Figure 2-11 shows an example of disabling the password-recovery parameter.
2-17
Configuring Username and Password Security
Front-Panel Security
Figure 2-11. Example of the Steps for Disabling Password-Recovery
Password Recovery Process
If you have lost the switch’s manager username/password, but password-
recovery is enabled, then you can use the Password Recovery Process to gain
management access to the switch with an alternate password supplied by
ProCurve.
Note If you have disabled password-recovery, which locks out the ability to recover
a manager username/password pair on the switch, then the only way to
recover from a lost manager username/password pair is to use the
Reset+Clear button combination described under “Restoring the Factory
Default Configuration” on page 2-9. This can disrupt network operation and
make it necessary to temporarily disconnect the switch from the network to
prevent unauthorized access and other problems while it is being reconfigured.
To use the password-recovery option to recover a lost password:
1. Note the switch’s base MAC address. It is shown on the label located on
the upper right front corner of the switch.
2. Contact your ProCurve Customer Care Center for further assistance.
Using the switch’s MAC address, the ProCurve Customer Care Center will
generate and provide a “one-time use” alternate password you can use
with the to gain management access to the switch. Once you gain access,
you can configure a new, known password.
2-18
Configuring Username and Password Security
Front-Panel Security
Note The alternate password provided by the ProCurve Customer Care Center is
valid only for a single login attempt.
You cannot use the same “one-time-use” password if you lose the password
a second time. Because the password algorithm is randomized based upon
your switch's MAC address, the password will change as soon as you use the
“one-time-use” password provided to you by the ProCurve Customer Care
Center.
2-19
Configuring Username and Password Security
Front-Panel Security
2-20
3
Web and MAC Authentication
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
General Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . 3-12
Do These Steps Before You Configure Web/MAC Authentication . . 3-12
Additional Information for Configuring the RADIUS
Server To Support MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . . . . 3-15
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Configure the Switch for Web-Based Authentication . . . . . . . . . . . . . 3-19
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . . . . . 3-23
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Configure the Switch for MAC-Based Authentication . . . . . . . . . . . . 3-24
Show Commands for Web-Based Authentication . . . . . . . . . . . . . . . . . . . 3-28
Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . . . . . 3-31
Show Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33
3-1
Web and MAC Authentication
Overview
Overview
Feature Default Menu CLI Web
Configure Web Authentication n/a — 3-18 —
Configure MAC Authentication n/a — 3-23 —
Display Web Authentication Status and Configuration n/a — 3-28 —
Display MAC Authentication Status and Configuration n/a — 3-31 —
Web and MAC Authentication are designed for employment on the “edge” of
a network to provide port-based security measures for protecting private
networks and the switch itself from unauthorized access. Because neither
method requires clients to run any special supplicant software, both are
suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Both methods rely on using
a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single
server. (You can use up to three RADIUS servers to provide backups in case
access to the primary server fails.) It also means the same credentials can be
used for authentication, regardless of which switch or switch port is the
current access point into the LAN.
Web Authentication (Web-Auth). This method uses a web page login to
authenticate users for access to the network. When a user connects to the
switch and opens a web browser the switch automatically presents a login
page. The user then enters a username and password, which the switch
forwards to a RADIUS server for authentication. After authentication, the
switch grants access to the secured network. Other than a web browser, the
client needs no special supplicant software.
Note Client web browsers may not use a proxy server to access the network.
MAC Authentication (MAC-Auth). This method grants access to a secure
network by authenticating devices for access to the network. When a device
connects to the switch, either by direct link or through the network, the switch
forwards the device’s MAC address to the RADIUS server for authentication.
The RADIUS server uses the device MAC address as the username and
password, and grants or denies network access in the same way that it does
3-2
Web and MAC Authentication
Overview
for clients capable of interactive logons. (The process does not use either a
client device configuration or a logon session.) MAC authentication is wellsuited for clients that are not capable of providing interactive logons, such as
telephones, printers, and wireless access points. Also, because most RADIUS
servers allow for authentication to depend on the source switch and port
through which the client connects to the network, you can use MAC-Auth to
“lock” a particular device to a specific switch and port.
Note 802.1X port-access and either Web authentication or MAC authentication can
be concurrently configured on the same port, with a maximum of eight 802.1X
clients allowed on the port. (The default is one client.)
LACP must be disabled on ports configured for any of these authentication
methods.
Client Options
Web-Auth and MAC-Auth provide a port-based solution in which a port can
belong to one, untagged VLAN at a time. However, where all clients can
operate in the same VLAN, the switch allows up to 8 simultaneous clients per
port. (In applications where you want the switch to simultaneously support
multiple client sessions in different VLANs, design your system so that such
clients will use different switch ports.)
In the default configuration, the switch blocks access to clients that the
RADIUS server does not authenticate. However, you can configure an individual port to provide limited services to unauthorized clients by joining a
specified “unauthorized” VLAN during sessions with such clients. The unauthorized VLAN assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients.
Access to an optional, unauthorized VID is configured in the switch when Web
and MAC Authentication are configured on a port.
3-3
Web and MAC Authentication
Overview
General Features
Web and MAC authentication include the following:
■ On a port configured for Web or MAC Authentication, the switch
operates as a port-access authenticator using a RADIUS server and
the CHAP protocol. Inbound traffic is processed by the switch alone,
until authentication occurs. Some traffic from the switch is available
to an unauthorized client (for example, broadcast or unknown destination packets) before authentication occurs.
■ Proxy servers may not be used by browsers accessing the switch
through ports using Web Authentication.
■ You can optionally configure the switch to temporarily assign “autho-
rized” and “unauthorized” VLAN memberships on a per-port basis to
provide different services and access to authenticated and unauthenticated clients.
■ Web pages for username and password entry and the display of
authorization status are provided when using Web Authentication.
■ You can use the RADIUS server to temporarily assign a port to a static
VLAN to support an authenticated client. When a RADIUS server
authenticates a client, the switch-port membership during the client’s
connection is determined according to the following hierarchy:
1. A RADIUS-assigned VLAN
2. An authorized VLAN specified in the Web- or MAC-Auth configuration
for the subject port.
3. A static, port-based, untagged VLAN to which the port is configured.
A RADIUS-assigned VLAN has priority over switch-port membership
in any VLAN.
■ You can allow wireless clients to move between switch ports under
Web/MAC Authentication control. Clients may move from one Web
authorized port to another or from one MAC authorized port to
another. This capability allows wireless clients to move from one
access point to another without having to reauthenticate.
■ Unlike 802.1X operation, clients do not need supplicant software for
Web or MAC Authentication; only a web browser (for Web Authentication) or a MAC address (for MAC Authentication).
■ You can use “Show” commands to display session status and port-
access configuration settings.
3-4
Web and MAC Authentication
How Web and MAC Authentication Operate
How Web and MAC Authentication
Operate
Authenticator Operation
Before gaining access to the network clients first present their authentication
credentials to the switch. The switch then verifies the supplied credentials
with a RADIUS authentication server. Successfully authenticated clients
receive access to the network, as defined by the System Administrator. Clients
who fail to authenticate successfully receive no network access or limited
network access as defined by the System Administrator.
Web-based Authentication
When a client connects to a Web-Auth enabled port communication is redirected to the switch. A temporary IP address is assigned by the switch and a
login screen is presented for the client to enter their credentials.
Figure 3-1. Example of User Login Screen
The temporary IP address pool can be specified using the dhcp-addr and
dhcp-lease options of the aaa port-access web-based command. If SSL is
enabled on the switch and ssl-login is enabled on the port the client is
redirected to a secure login page (https://...).
The switch passes the supplied username and password to the RADIUS server
for authentication.
3-5
Web and MAC Authentication
How Web and MAC Authentication Operate
Figure 3-2. Progress Message During Authentication
If the client is authenticated and the maximum number of clients allowed on
the port (client-limit) has not been reached, the port is assigned to a static,
untagged VLAN for network access. If specified, the client is redirected to a
specific URL (redirect-url).
Figure 3-3. Authentication Completed
The assigned VLAN is determined, in order of priority, as follows:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to this VLAN and temporarily drops all other
VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to the authorized VLAN (auth-vid if configured)
and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member of a
statically configured, port-based VLAN, then the port remains in this
VLAN.
4. If neither 1, 2, or 3, above, apply, then the client session does not have
access to any statically configured, untagged VLANs and client access is
blocked.
The assigned port VLAN remains in place until the session ends. Clients may
be forced to reauthenticate after a fixed period of time (reauth-period) or at
any time during a session (reauthenticate). An implicit logoff period can be set
if there is no activity from the client after a given amount of time (logoff-period).
In addition, a session ends if the link on the port is lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and client
3-6
Web and MAC Authentication
How Web and MAC Authentication Operate
moves have not been enabled (client-moves) on the ports, the session ends and
the client must reauthenticate for network access. At the end of the session
the port returns to its pre-authentication state. Any changes to the port’s VLAN
memberships made while it is an authorized port take affect at the end of the
session.
A client may not be authenticated due to invalid credentials or a RADIUS
server timeout. The max-retries parameter specifies how many times a client
may enter their credentials before authentication fails. The server-timeout
parameter sets how long the switch waits to receive a response from the
RADIUS server before timing out. The max-requests parameter specifies how
many authentication attempts may result in a RADIUS server timeout before
authentication fails. The switch waits a specified amount of time (quiet-
period) before processing any new authentication requests from the client.
Network administrators may assign unauthenticated clients to a specific
static, untagged VLAN (unauth-vid), to provide access to specific (guest)
network resources. If no VLAN is assigned to unauthenticated clients the port
is blocked and no network access is available. Should another client successfully authenticate through that port any unauthenticated clients on the unauth-
vid are dropped from the port.
MAC-based Authentication
When a client connects to a MAC-Auth enabled port, traffic is blocked. The
switch immediately submits the client’s MAC address (in the format specified
by the addr-format) as its certification credentials to the RADIUS server for
authentication.
If the client is authenticated and the maximum number of MAC addresses
allowed on the port (addr-limit) has not been reached, the port is assigned to
a static, untagged VLAN for network access.
The assigned VLAN is determined, in order of priority, as follows:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to this VLAN and temporarily drops all other
VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client
session, the port belongs to the Authorized VLAN (auth-vid if configured)
and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member of a
statically configured, port-based VLAN, then the port remains in this
VLAN.
3-7
Web and MAC Authentication
How Web and MAC Authentication Operate
4. If neither 1, 2, or 3, above, apply, then the client session does not have
access to any statically configured, untagged VLANs and client access is
blocked.
The assigned port VLAN remains in place until the session ends. Clients may
be forced to reauthenticate after a fixed period of time (reauth-period) or at
any time during a session (reauthenticate). An implicit logoff period can be set
if there is no activity from the client after a given amount of time (logoff-period).
In addition, a session ends if the link on the port is lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and client
moves have not been enabled (addr-moves) on the ports, the session ends and
the client must reauthenticate for network access. At the end of the session
the port returns to its pre-authentication state. Any changes to the port’s VLAN
memberships made while it is an authenticated port take affect at the end of
the session.
A client may not be authenticated due to invalid credentials or a RADIUS
server timeout. The server-timeout parameter sets how long the switch waits
to receive a response from the RADIUS server before timing out. The max-
requests parameter specifies how many authentication attempts may result in
a RADIUS server timeout before authentication fails. The switch waits a
specified amount of time (quiet-period) before processing any new authentication requests from the client.
Network administrators may assign unauthenticated clients to a specific
static, untagged VLAN (unauth-vid), to provide access to specific (guest)
network resources. If no VLAN is assigned to unauthenticated clients the port
remains in its original VLAN configuration. Should another client successfully
authenticate through that port any unauthenticated clients are dropped from
the port.
3-8
Web and MAC Authentication
Terminology
Terminology
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a
conventional, static, untagged, port-based VLAN previously configured on
the switch by the System Administrator. The intent in using this VLAN is
to provide authenticated clients with network access and services. When
the client connection terminates, the port drops its membership in this
VLAN.
Authentication Server: The entity providing an authentication service to
the switch, for example, a RADIUS server.
Authenticator: In ProCurve switch applications, a device that requires a
client or device to provide the proper credentials (MAC address, or
username and password) before being allowed access to the network.
CHAP: Challenge Handshake Authentication Protocol. Also known as
“CHAP-RADIUS”.
Client: In this application, an end-node device such as a management station,
workstation, or mobile PC linked to the switch through a point-to-point
LAN link.
Redirect URL: A System Administrator-specified web page presented to an
authorized client following Web Authentication. ProCurve recommends
specifying this URL when configuring Web Authentication on a switch.
Refer to aaa port-access web-based [e] < port-list > [redirect-url < url >] on
page 3-22.
Static VLAN: A VLAN that has been configured as “permanent” on the switch
by using the CLI vlan < vid > command or the Menu interface.
Unauthorized-Client VLAN: A conventional, static, untagged, port-based
VLAN previously configured on the switch by the System Administrator.
It is used to provide limited network access and services to clients who
are not authenticated.
3-9
Web and MAC Authentication
Operating Rules and Notes
Operating Rules and Notes
■ The switch supports concurrent 802.1X and either Web- or MAC-
authentication operation on a port (with up to 8 clients allowed).
However, concurrent operation of Web- or MAC-authentication with
other types of authentication on the same port is not supported. That
is, the following authentication types are mutually exclusive on a
given port:
• Web Authentication (with or without 802.1X)
• MAC Authentication (with or without 802.1X)
• MAC lockdown
• MAC lockout
• Port-Security
■ Order of Precedence for Port Access Management (highest to lowest):
• MAC lockout
• MAC lockdown or Port Security
• Port-based Access Control (802.1X) or Web Authentication or MAC
Authentication
Note on Port When configuring a port for Web or MAC Authentication, be sure that a higher
Access
precedent port access management feature is not enabled on the port. For
Management
example, be sure that Port Security is disabled on a port before configuring it
for Web or MAC Authentication. If Port Security is enabled on the port this
misconfiguration does not allow Web or MAC Authentication to occur.
■ VLANs: If your LAN does not use multiple VLANs, then you do not
need to configure VLAN assignments in your RADIUS server or
consider using either Authorized or U na u th o riz ed VLA Ns . I f y o ur L AN
does use multiple VLANs, then some of the following factors may
apply to your use of Web-Auth and MAC-Auth.
• Web-Auth and MAC-Auth operate only with port-based VLANs. Oper-
ation with protocol VLANs is not supported, and clients do not have
access to protocol VLANs during Web-Auth and MAC-Auth sessions.
• A port can belong to one, untagged VLAN during any client session.
Where multiple authenticated clients may simultaneously use the
same port, they must all be capable of operating on the same VLAN.
3-10
Web and MAC Authentication
Operating Rules and Notes
• During an authenticated client session, the following hierarchy deter-
mines a port’s VLAN membership:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the
client session, the port belongs to this VLAN and temporarily
drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of
the client session, the port belongs to the Authorized VLAN (if
configured) and temporarily drops all other VLAN memberships.
3. If neither 1 or 2, above, apply, but the port is an untagged member
of a statically configured, port-based VLAN, then the port remains
in this VLAN.
4. If neither 1, 2, or 3, above, apply, then the client session does not
have access to any statically configured, untagged VLANs and
client access is blocked.
• After an authorized client session begins on a given port, the port’s
VLAN membership does not change. If other clients on the same port
become authenticated with a different VLAN assignment than the first
client, the port blocks access to these other clients until the first client
session ends.
• The optional “authorized” VLAN (auth-vid) and “unauthorized” VLAN
(unauth-vid) you can configure for Web- or MAC-based authentication
must be statically configured VLANs on the switch. Also, if you
configure one or both of these options, any services you want clients
in either category to access must be available on those VLANs.
■ Where a given port’s configuration includes an unauthorized client
VLAN assignment, the port will allow an unauthenticated client
session only while there are no requests for an authenticated client
session on that port. In this case, if there is a successful request for
authentication from an authorized client, the switch terminates the
unauthorized-client session and begins the authorized-client session.
■ When a port on the switch is configured for Web or MAC Authentica-
tion and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection.
■ When a port on the switch is configured as a Web- or MAC-based
authenticator, it blocks access to a client that does not provide the
proper authentication credentials. If the port configuration includes
an optional, unauthorized VLAN (unauth-vid), the port is temporarily
placed in the unauthorized VLAN if there are no other authorized
clients currently using the port with a different VLAN assignment. If
an authorized client is using the port with a different VLAN or if there
is no unauthorized VLAN configured, the unauthorized client does not
receive access to the network.
3-11
Web and MAC Authentication
General Setup Procedure for Web/MAC Authentication
■ Web- or MAC-based authentication and LACP cannot both be enabled
on the same port.
Note on Web/ The switch does not allow Web or MAC Authentication and LACP to both be
MAC
enabled at the same time on the same port. The switch automatically disables
Authentication
LACP on ports configured for Web or MAC Authentication.
and LACP
General Setup Procedure for Web/MAC
Authentication
Do These Steps Before You Configure Web/MAC
Authentication
1. Configure a local username and password on the switch for both the
Operator (login) and Manager (enable) access levels. (While this is not
required for a Web- or MAC-based configuration, ProCurve recommends
that you use a local user name and password pair, at least until your other
security measures are in place, to protect the switch configuration from
unauthorized access.)
2. Determine which ports on the switch you want to operate as authenticators. Note that before you configure Web- or MAC-based authentication
on a port operating in an LACP trunk, you must remove the port from the
trunk. (refer to the “Note on Web/MAC Authentication and LACP” on
page 3-12.)
3. Determine whether any VLAN assignments are needed for authenticated
clients.
a. If you configure the RADIUS server to assign a VLAN for an authen-
ticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains
active. Note that the VLAN must be statically configured on the
switch.
b. If there is no RADIUS-assigned VLAN, the port can join an “Authorized
VLAN” for the duration of the client session, if you choose to configure
one. This must be a port-based, statically configured VLAN on the
switch.
3-12
Web and MAC Authentication
General Setup Procedure for Web/MAC Authentication
c. If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN”
for an authenticated client session on a port, then the port’s VLAN
membership remains unchanged during authenticated client sessions. In this case, configure the port for the VLAN in which you want
it to operate during client sessions.
Note that when configuring a RADIUS server to assign a VLAN, you can
use either the VLAN’s name or VID. For example, if a VLAN configured in
the switch has a VID of 100 and is named vlan100, you could configure the
RADIUS server to use either “100” or “vlan100” to specify the VLAN.
4. Determine whether to use the optional “Unauthorized VLAN” mode for
clients that the RADIUS server does not authenticate. This VLAN must be
statically configured on the switch. If you do not configure an “Unauthorized VLAN”, the switch simply blocks access to unauthenticated clients
trying to use the port.
5. Determine the authentication policy you want on the RADIUS server and
configure the server. Refer to the documentation provided with your
RADIUS application and include the following in the policy for each client
or client device:
• The CHAP-RADIUS authentication method.
• An encryption key
• One of the following:
– If you are configuring Web-based authentication, include the user
name and password for each authorized client.
– If you are configuring MAC-based authentication, enter the
device MAC address in both the username and password fields of
the RADIUS policy configuration for that device. Also, if you want
to allow a particular device to receive authentication only
through a designated port and switch, include this in your policy.
6. Determine the IP address of the RADIUS server(s) you will use to support
Web- or MAC-based authentication. (For information on configuring the
switch to access RADIUS servers, refer to “Configuring the Switch To
Access a RADIUS Server” on page 3-15.)
Additional Information for Configuring the RADIUS
Server To Support MAC Authentication
On the RADIUS server, configure the client device authentication in the same
way that you would any other client, except:
3-13
Web and MAC Authentication
General Setup Procedure for Web/MAC Authentication
■ Configure the client device’s (hexadecimal) MAC address as both
username and password. Be careful to configure the switch to use the
same format that the RADIUS server uses. Otherwise, the server will
deny access. The switch provides eight format options:
aabbccddeeff (the default format)
aabbcc-ddeeff
aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
AABBCCDDEEFF
AABBCC-DDEEFF
AA-BB-CC-DD-EE-FF
AA:BB:CC:DD:EE:FF
■ If the device is a switch or other VLAN-capable device, use the base
MAC address assigned to the device, and not the MAC address
assigned to the VLAN through which the device communicates with
the authenticator switch. Note that each switch covered by this guide
applies a single MAC address to all VLANs configured in the switch.
Thus, for a given switch, the MAC address is the same for all VLANs
configured on the switch. (Refer to the chapter titled “Static Virtual
LANs (VLANs)” in the Advanced Traffic Management Guide for your
switch.)
3-14
Web and MAC Authentication
Configuring the Switch To Access a RADIUS Server
Configuring the Switch To Access a
RADIUS Server
RADIUS Server Configuration Commands
radius-server
[host <ip-address> [auth-port UDP-PORT | acct-port below
UDP- PORT]]
[key < global-key-string >] below
timeout 3-16
retransmit 3-16
dead-time 3-16
radius-server host <ip-address> key <server-specific key- 3-16
string>
This section describes the minimal commands for configuring a RADIUS
server to support Web-Auth and MAC Auth. For information on other RADIUS
command options, refer to chapter 5, “RADIUS Authentication and Accounting” .
Syntax: [no] radius-server
[host < ip-address >]
Adds a server to the RADIUS configuration or (with no)
deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses
the first server it successfully accesses. (Refer to
“RADIUS Authentication and Accounting” on page 5-1.)
[key < global-key-string >]
Specifies the global encryption key the switch uses with
servers for which the switch does not have a serverspecific key assignment (below). This key is optional if
all RADIUS server addresses configured in the switch
include a server-specific encryption key. (Default: Null.)
3-15
Web and MAC Authentication
Configuring the Switch To Access a RADIUS Server
timeout <1-15>
The server response timeout interval in seconds.
Default: 5 seconds
retransmit <1-5>
Specifies the maximum number of retransmission
attempts. Default: 3 attempts
dead-time <1-1440> (in minutes)
If the switch does not receive a response from a specific
RADIUS server, the switch does not send any new authentication requests to that server until the dead-time has
expired. During a new authentication attempt, the
switch bypasses a specified RADIUS server if a dead-time
period is running on the switch because of a previous
failure to receive a response from that server. The switch
continues to send new authentication requests to any
other configured RADIUS servers not affected by a deadtime condition.
Dead-time begins with the end of the last timeout in the
last retransmit attempt of the failed authentication session. When dead-time is set to zero, there is no dead-time
and the switch will not bypass a RADIUS server that has
failed to respond to an earlier authentication attempt.
Default: 0 (zero)
Syntax: radius-server host < ip-address > key <server-specific key-string>
[no] radius-server host < ip-address > key
Optional. Specifies an encryption key for use during
authentication (or accounting) sessions with the specified server. This key must match the encryption key used
on the RADIUS server. Use this command only if the
specified server requires a different encryption key than
configured for the global encryption key, above.
The no form of the command removes the key configured
for a specific server.
For example, to configure the switch to access a RADIUS server at IP address
192.168.32.11 using a server-specific shared secret key of ‘2Pzo22’
3-16
Web and MAC Authentication
Configuring the Switch To Access a RADIUS Server
ProCurve(config)# radius-server host 192.168.32.11 key 2Pzo22
ProCurve(config)# show radius
Status and Counters - General RADIUS Information
Deadtime(min) :0
Timeout(secs) :5
Retransmit Attempts :3
Global Encryption Key :
Auth Acct
Server IP Addr Port Port Encryption Key
-------------- ---- ---- ------------- -
192.168.32.11 1812 1813 2Pzo22
Figure 3-4. Example of Configuring a Switch To Access a RADIUS Server
3-17
Web and MAC Authentication
Configuring Web Authentication
Configuring Web Authentication
Overview
1. If you have not already done so, configure a local username and password
pair on the switch.
2. Identify or create a redirect URL for use by authenticated clients.
ProCurve recommends that you provide a redirect URL when using Web
Authentication. If a redirect URL is not specified, web browser behavior
following authentication may not be acceptable.
3. If you plan to use multiple VLANs with Web Authentication, ensure that
these VLANs are configured on the switch and that the appropriate port
assignments have been made. Also, confirm that the VLAN used by
authorized clients can access the redirect URL.
4. Use the ping command in the switch console interface to ensure that the
switch can communicate with the RADIUS server you have configured to
support Web-Auth on the switch.
5. Configure the switch with the correct IP address and encryption key to
access the RADIUS server.
6. Configure the switch for Web-Auth:
a. Configure Web Authentication on the switch ports you want to use.
b. If the necessary to avoid address conflicts with the secure network,
specify the base IP address and mask to be used by the switch for
temporary DHCP addresses.The lease length for these temporary IP
addresses may also be set.
c. If you plan to use SSL for logins configure and enable SSL on the
switch before you specify it for use with Web-Auth.
d. Configure the switch to use the redirect URL for authorized clients.
7. Test both authorized and unauthorized access to your system to ensure
that Web Authentication works properly on the ports you have configured
for port-access using Web Authentication.
Note Client web browsers may not use a proxy server to access the network.
3-18
Web and MAC Authentication
Configuring Web Authentication
Configure the Switch for Web-Based Authentication
Command Page
Configuration Level
aaa port-access web-based dhcp-addr 3-19
aaa port-access web-based dhcp-lease 3-19
[no] aaa port-access web-based [e] < port-list > 3-20
[auth-vid] 3-20
[client-limit] 3-20
[client-moves] 3-20
[logoff-period] 3-20
[max-requests] 3-21
[max-retries] 3-21
[quiet-period] 3-21
[reauth-period] 3-21
[reauthenticate] 3-21
[redirect-url 3-22
[server-timeout] 3-22
[ssl-login] 3-22
[unauth-vid] 3-22
Syntax: aaa port-access web-based dhcp-addr <ip-address/mask>
Specifies the base address/mask for the temporary IP
pool used by DHCP. The base address can be any valid
ip address (not a multicast address). Valid mask range
value is <255.255.240.0 - 255.255.255.0>.
(Default: 192.168.0.0/255.255.255.0)
Syntax: aaa port-access web-based dhcp-lease <5 - 25>
Specifies the lease length, in seconds, of the temporary
IP address issued for Web Auth login purposes.
(Default: 10 seconds)
3-19
Web and MAC Authentication
Configuring Web Authentication
Syntax: [no] aaa port-access web-based < port-list>
Enables web-based authentication on the specified
ports. Use the no form of the command to disable webbased authentication on the specified ports.
Syntax: aaa port-access web-based < port-list> [auth-vid <vid>]]
no aaa port-access web-based < port-list> [auth-vid]
Specifies the VLAN to use for an authorized client. The
Radius server can override the value (accept-response
includes a vid). If auth-vid is 0, no VLAN changes occur
unless the RADIUS server supplies one.
Use the no form of the command to set the auth-vid to 0.
(Default: 0).
Syntax: aaa port-access web-based < port-list > [client-limit <1-8>]
Specifies the maximum number of authenticated
clients to allow on the port. (Default: 1)
Syntax: [no] aaa port-access web-based < port-list > [client-moves]
Allows client moves between the specified ports under
Web Auth control. When enabled, the switch allows
clients to move without requiring a re-authentication.
When disabled, the switch does not allow moves and
when one does occur, the user will be forced to reauthenticate. At least two ports (from port(s) and to
port(s)) must be specified.
Use the no form of the command to disable client moves
between ports under Web Auth control.
(Default: disabled – no moves allowed)
Syntax: aaa port-access web-based < port-list > [logoff-period] <60-9999999>]
Specifies the period, in seconds, that the switch
enforces for an implicit logoff. This parameter is
equivalent to the MAC age interval in a traditional
switch sense. If the switch does not see activity after a
logoff-period interval, the client is returned to its preauthentication state. (Default: 300 seconds)
3-20
Web and MAC Authentication
Configuring Web Authentication
Syntax: aaa port-access web-based < port-list > [max-requests <1-10>]
Specifies the number of authentication attempts that
must time-out before authentication fails.
(Default: 2)
Syntax: aaa port-access web-based < port-list > [max-retries <1-10>]
Specifies the number of the number of times a client
can enter their user name and password before authentication fails. This allows the reentry of the user name
and password if necessary.
(Default: 3)
Syntax: aaa port-access web-based < port-list > [quiet-period <1 - 65535>]
Specifies the time period, in seconds, the switch should
wait before attempting an authentication request for
a client that failed authentication.
(Default: 60 seconds)
Syntax: aaa port-access web-based < port-list > [reauth-period <0 - 9999999>]
Specifies the time period, in seconds, the switch
enforces on a client to re-authenticate. When set to 0,
reauthentication is disabled. (Default: 300 seconds)
Syntax: aaa port-access web-based < port-list > [reauthenticate]
Forces a reauthentication of all attached clients on the
port.
3-21
Web and MAC Authentication
Configuring Web Authentication
Syntax:
Syntax:
Syntax:
Syntax:
aaa port-access web-based < port-list > [redirect-url <url>]
no aaa port-access web-based < port-list > [redirect-url]
Specifies the URL that a user is redirected to after a
successful login. Any valid, fully-formed URL may be
used, for example, http://welcome-server/welcome.htm
or http://192.22.17.5. ProCurve recommends that you
provide a redirect URL when using Web Authentication.
Use the no form of the command to remove a specified
redirect URL.
(Default: There is no default URL. Browser behavior
for authenticated clients may not be acceptable.)
aaa port-access web-based < port-list > [server-timeout <1 - 300>]
Specifies the period, in seconds, the switch waits for a
server response to an authentication request. Depending on the current max-requests value, the switch sends
a new attempt or ends the authentication session.
(Default: 30 seconds)
[no] aaa port-access web-based < port-list > [ssl-login]]
Enables or disables SSL login (https on port 443). SSL
must be enabled on the switch.
If SSL login is enabled, a user is redirected to a secure
page, where they enter their username and password.
If SSL login is disabled, a user is not redirected to a
secure page to enter their credentials.
Use the no form of the command to disable SSL login.
(Default: disabled)
aaa port-access web-based < port-list > [unauth-vid <vid>]
no aaa port-access web-based < port-list > [unauth-vid]
Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur.
Use the no form of the command to set the unauth-vid to 0.
(Default: 0)
3-22
Web and MAC Authentication
Configuring MAC Authentication on the Switch
Configuring MAC Authentication on the
Switch
Overview
1. If you have not already done so, configure a local username and password
pair on the switch.
2. If you plan to use multiple VLANs with MAC Authentication, ensure that
these VLANs are configured on the switch and that the appropriate port
assignments have been made.
3. Use the ping command in the switch console interface to ensure that the
switch can communicate with the RADIUS server you have configured to
support MAC-Auth on the switch.
4. Configure the switch with the correct IP address and encryption key to
access the RADIUS server.
5. Configure the switch for MAC-Auth:
a. Configure MAC Authentication on the switch ports you want to use.
6. Test both the authorized and unauthorized access to your system to
ensure that MAC Authentication works properly on the ports you have
configured for port-access.
3-23
Web and MAC Authentication
Configuring MAC Authentication on the Switch
Configure the Switch for MAC-Based Authentication
Command Page
Configuration Level
aaa port-access mac-based addr-format 3-24
[no] aaa port-access mac-based < port-list > 3-25
[addr-limit] 3-25
[addr-moves] 3-25
[auth-vid] 3-25
[logoff-period] 3-26
[max-requests] 3-26
[quiet-period] 3-26
[reauth-period] 3-26
[reauthenticate] 3-26
[server-timeout] 3-26
[unauth-vid] 3-27
Syntax: aaa port-access mac-based addr-format
<no-delimiter | single-dash | multi-dash | multi-colon | no-delimiteruppercase | single-dash-uppercase | multi-dash-uppercase | multicolon-uppercase>
Specifies the MAC address format to be used in the
RADIUS request message. This format must match the
format used to store the MAC addresses in the RADIUS
server. (Default: no-delimiter)
no-delimiter — specifies an aabbccddeeff format.
single-dash — specifies an aabbcc-ddeeff format.
multi-dash — specifies an aa-bb-cc-dd-ee-ff format.
multi-colon — specifies an aa:bb:cc:dd:ee:ff format.
no-delimiter-uppercase—specifies an AABBCCDDEEFF
format
single-dash-uppercase—specifies an AABBCC-DDEEFF
format
3-24
Web and MAC Authentication
Configuring MAC Authentication on the Switch
multi-dash-uppercase—specifies an
AA-BB-CC-DD-EE-FF format
multi-colon-uppercase—specifies an
AA:BB:CC:DD:EE:FF format
Syntax: [no] aaa port-access mac-based < port-list >
Enables MAC-based authentication on the specified
ports. Use the no form of the command to disable MACbased authentication on the specified ports.
Syntax: aaa port-access mac-based < port-list > [addr-limit <1-8>]
Specifies the maximum number of authenticated
MACs to allow on the port. (Default: 1)
Syntax: [no] aaa port-access mac-based < port-list > [addr-moves]
Allows client moves between the specified ports under
MAC Auth control. When enabled, the switch allows
addresses to move without requiring a re-authentication. When disabled, the switch does not allow moves
and when one does occur, the user will be forced to reauthenticate. At least two ports (from port(s) and to
port(s)) must be specified.
Use the no form of the command to disable MAC address
moves between ports under MAC Auth control.
(Default: disabled – no moves allowed)
Syntax: aaa port-access mac-based < port-list > [auth-vid <vid>]
no aaa port-access mac-based < port-list > [auth-vid]
Specifies the VLAN to use for an authorized client. The
Radius server can override the value (accept-response
includes a vid). If auth-vid is 0, no VLAN changes occur
unless the RADIUS server supplies one.
Use the no form of the command to set the auth-vid to 0.
(Default: 0).
3-25
Web and MAC Authentication
Configuring MAC Authentication on the Switch
Syntax:
Syntax:
aaa port-access mac-based < port-list >
[logoff-period] <60-9999999>
]
Specifies the period, in seconds, that the switch
enforces for an implicit logoff. This parameter is
equivalent to the MAC age interval in a traditional
switch sense. If the switch does not see activity after a
logoff-period interval, the client is returned to its preauthentication state. (Default: 300 seconds)
aaa port-access mac-based < port-list > [max-requests <1-10>]
Specifies the number of authentication attempts that
must time-out before authentication fails.
(Default: 2)
Syntax: aaa port-access mac-based < port-list > [quiet-period <1 - 65535>]
Specifies the time period, in seconds, the switch should
wait before attempting an authentication request for
a MAC address that failed authentication.
(Default: 60 seconds)
Syntax: aaa port-access mac-based < port-list > [reauth-period <0 - 9999999>]
Specifies the time period, in seconds, the switch
enforces on a client to re-authenticate. When set to 0,
reauthentication is disabled. (Default: 300 seconds)
Syntax: aaa port-access mac-based < port-list > [reauthenticate]
Forces a reauthentication of all attached clients on the
port.
Syntax: aaa port-access mac-based < port-list > [server-timeout <1 - 300>]
Specifies the period, in seconds, the switch waits for a
server response to an authentication request. Depending on the current max-requests value, the switch sends
a new attempt or ends the authentication session.
(Default: 30seconds)
3-26
Web and MAC Authentication
Configuring MAC Authentication on the Switch
Syntax: aaa port-access mac-based < port-list > [unauth-vid <vid>]
no aaa port-access mac-based < port-list > [unauth-vid]
Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur.
Use the no form of the command to set the unauth-vid to 0.
(Default: 0)
3-27
Web and MAC Authentication
Show Commands for Web-Based Authentication
Show Commands for Web-Based
Authentication
Command Page
show port-access [port-list] web-based 3-28
[clients] 3-28
[config] 3-28
[config [auth-server]] 3-29
[config [web-server]] 3-29
show port-access port-list web-based config detail 3-29
Syntax: show port-access [port-list] web-based
Shows the status of all Web-Authentication enabled
ports or the specified ports. The number of authorized
and unauthorized clients is listed for each port, as well
as its current VLAN ID. Ports without Web Authentication enabled are not listed.
Syntax: show port-access [port-list] web-based [clients]]
Shows the port address, Web address, session status,
and elapsed session time for attached clients on all
ports or the specified ports. Ports with multiple clients
have an entry for each attached client. Ports without
any attached clients are not listed.
Syntax: show port-access [port-list] web-based [config]
Shows Web Authentication settings for all ports or the
specified ports, including the temporary DHCP base
address and mask. The authorized and unauthorized
VLAN IDs are shown. If the authorized or unauthorized VLAN ID is 0 then no VLAN change is made,
unless the RADIUS server supplies one.
3-28
Web and MAC Authentication
Show Commands for Web-Based Authentication
Syntax: show port-access [port-list] web-based [config [auth-server]]
Shows Web Authentication settings for all ports or the
specified ports, along with the RADIUS server specific
settings for the timeout wait, the number of timeout
failures before authentication fails, and the length of
time between authentication requests.
Syntax: show port-access [port-list] web-based [config [web-server]]
Shows Web Authentication settings for all ports or the
specified ports, along with the web specific settings for
password retries, SSL login status, and a redirect URL,
if specified.
Syntax: show port-access port-list web-based config detail
Shows all Web Authentication settings, including the
Radius server specific settings for the specified ports.
Example: Verifying a Web Authentication Configuration
The following example shows how to use the show port-access web-based
config command to display the currently configured web-authentication
settings for all switch ports, including:
■ Temporary DHCP base address and mask
■ Authorized and unauthorized VLAN IDs
■ Controlled directions setting for transmitting Wake-on-LAN traffic on
egress ports
3-29
Web and MAC Authentication
Show Commands for Web-Based Authentication
ProCurve(config)#
show port-access web-based config
Port Access Web-Based Configuration
DHCP Base Address : 192.168.0.0
DHCP Subnet Mask : 255.255.255.0
DHCP Lease Length : 10
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Client Client Logoff Re-Auth Unauth Auth Cntrl
Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
----- -------- ------ ------ --------- --------- -------- -------- ----1 No 1 No 300 0 0 0 both
2 No 1 No 300 0 0 0 both
3 No 1 No 300 0 0 0 both
4 No 1 No 300 0 0 0 both
5 No 1 No 300 0 0 0 both
6 No 1 No 300 0 0 0 both
7 No 1 No 300 0 0 0 both
8 No 1 No 300 0 0 0 both
Figure 3-5. Example of Verifying a Web Authentication Configuration
3-30
Web and MAC Authentication
Show Commands for MAC-Based Authentication
Show Commands for MAC-Based
Authentication
Command Page
show port-access [port-list] mac-based 3-31
[clients] 3-31
[config] 3-31
[config [auth-server]] 3-32
show port-access port-list mac-based config detail 3-32
Syntax: show port-access [port-list] mac-based
Shows the status of all MAC-Authentication enabled
ports or the specified ports. The number of authorized
and unauthorized clients is listed for each port, as well
as its current VLAN ID. Ports without MAC Authentication enabled are not listed.
Syntax: show port-access [port-list] mac-based [clients]]
Shows the port address, MAC address, session status,
and elapsed session time for attached clients on all
ports or the specified ports. Ports with multiple clients
have an entry for each attached client. Ports without
any attached clients are not listed.
Syntax: show port-access [port-list] mac-based [config]
Shows MAC Authentication settings for all ports or the
specified ports, including the MAC address format
being used. The authorized and unauthorized VLAN
IDs are shown. If the authorized or unauthorized
VLAN ID is 0 then no VLAN change is made, unless the
RADIUS server supplies one.
3-31
Web and MAC Authentication
Show Commands for MAC-Based Authentication
Syntax: show port-access [port-list] mac-based [config [auth-server]]
Shows MAC Authentication settings for all ports or the
specified ports, along with the Radius server specific
settings for the timeout wait, the number of timeout
failures before authentication fails, and the length of
time between authentication requests.
Syntax: show port-access port-list mac-based config detail
Shows all MAC Authentication settings, including the
Radius server specific settings for the specified ports.
Example: Verifying a MAC Authentication Configuration
The following example shows how to use the show port-access mac-based
config command display the currently configured MAC authentication settings
for all switch ports, including:
■ MAC address format
■ Authorized and unauthorized VLAN IDs
■ Controlled directions setting for transmitting Wake-on-LAN traffic on
egress ports
ProCurve(config)# show port-access mac-based config
Port Access MAC-Based Configuration
MAC Address Format : no-delimiter
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Client Client Logoff Re-Auth Unauth Auth Cntrl
Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir
----- -------- ------ ------ --------- --------- -------- -------- ----1 No 1 No 300 0 0 0 both
2 No 1 No 300 0 0 0 both
3 No 1 No 300 0 0 0 both
4 No 1 No 300 0 0 0 both
5 No 1 No 300 0 0 0 both
6 No 1 No 300 0 0 0 both
Figure 3-6. Example of Verifying a MAC Authentication Configuration
3-32
Web and MAC Authentication
Show Client Status
Show Client Status
The table below shows the possible client status information that may be
reported by a Web-based or MAC-based ‘show... clients’ command.
Reported Status Available Network
Connection
Possible Explanations
authenticated Authorized VLAN Client authenticated. Remains
connected until logoff-period or
reauth-period expires.
authenticating Switch only Pending RADIUS request.
rejected-no vlan No network access 1. Invalid credentials supplied.
2. RADIUS Server difficulties. See log
file.
3. If unauth-vid is specified it cannot be
successfully applied to the port. An
authorized client on the port has
precedence.
rejected-unauth vlan Unauthorized VLAN only 1. Invalid credentials supplied.
2. RADIUS Server difficulties. See log
file.
timed out-no vlan No network access RADIUS request timed out. If unauth-
vid is specified it cannot be
successfully applied to the port. An
authorized client on the port has
precedence. Credentials resubmitted
after quiet-period expires.
timed out-unauth vlan Unauthorized VLAN only RADIUS request timed out. After the
quiet-period expires credentials are
resubmitted when client generates
traffic.
unauthenticated Switch only Waiting for user credentials.
3-33
Web and MAC Authentication
Show Client Status
3-34
4
TACACS+ Authentication
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Viewing the Switch’s Current TACACS+ Server Contact
Controlling Web Browser Interface Access When Using TACACS+
Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9
Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-10
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-17
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22
General Authentication Process Using a TACACS+ Server . . . . . . . . 4-22
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
4-1
TACACS+ Authentication
Configuring TACACS+ on the Switch
Overview
Feature Default Menu CLI Web
view the switch’s authentication configuration n/a — page 4-9 —
view the switch’s TACACS+ server contact n/a — page —
configuration 4-10
configure the switch’s authentication methods disabled — page —
4-10
configure the switch to contact TACACS+ server(s) disabled — page —
4-17
TACACS+ authentication enables you to use a central server to allow or deny
access to the switch (and other TACACS-aware devices) in your network. This
means that you can use a central database to create multiple unique username/
password sets with associated privilege levels for use by individuals who have
reason to access the switch from either the switch’s console port (local
access) or Telnet (remote access).
B
ProCurve Switch
Configured for
TACACS+ Operation
Terminal “A” Directly
Accessing the Switch
Via Switch’s Console
Port
Termin al “B” Remotely Accessing The Switch Via Telnet
A
Primary
TA CA CS +
Server
The switch passes the login
requests from terminals A and B
to the TACACS+ server for
authentication. The TACACS+
server determines whether to
allow access to the switch and
what privilege level to allow for
a given access request.
Access Request A1 - A4: Path for Request from
Terminal A (Through Console Port)
TACACS Server B1 - B4: Path for Request from
Response Terminal B (Through Telnet)
B1
A2 or
B2
A3 or
B3
B4
A1
A4
Figure 4-1. Example of TACACS+ Operation
TACACS+ in the switch manages authentication of logon attempts through
either the Console port or Telnet. TACACS+ uses an authentication hierarchy
consisting of (1) remote passwords assigned in a TACACS+ server and (2)
local passwords configured on the switch. That is, with TACACS+ configured,
the switch first tries to contact a designated TACACS+ server for authentica-
4-2
TACACS+ Authentication
Configuring TACACS+ on the Switch
tion services. If the switch fails to connect to any TACACS+ server, it defaults
to its own locally assigned passwords for authentication control if it has been
configured to do so. For both Console and Telnet access you can configure a
login (read-only) and an enable (read/write) privilege level access.
Notes The software does not support TACACS+ authorization or accounting
services.
TACACS+ does not affect web browser interface access. See “Controlling Web
Browser Interface Access” on page 4-26.
Terminology Used in TACACS
Applications:
■ NAS (Network Access Server): This is an industry term for a
TACACS-aware device that communicates with a TACACS server for
authentication services. Some other terms you may see in literature
describing TACACS operation are communication server, remote
access server, or terminal server. These terms apply when TACACS+
is enabled on the switch (that is, when the switch is TACACS-aware).
■ TACACS+ Server: The server or management station configured as
an access control server for TACACS-enabled devices. To use
TACACS+ with the switch and any other TACACS-capable devices in
your network, you must purchase, install, and configure a TACACS+
server application on a networked server or management station in
the network. The TACACS+ server application you install will provide
various options for access control and access notifications. For more
on the TACACS+ services available to you, see the documentation
provided with the TACACS+ server application you will use.
■ Authentication: The process for granting user access to a device
through entry of a user name and password and comparison of this
username/password pair with previously stored username/password
data. Authentication also grants levels of access, depending on the
privileges assigned to a user name and password pair by a system
administrator.
4-3
TACACS+ Authentication
Configuring TACACS+ on the Switch
• Local Authentication: This method uses username/password
pairs configured locally on the switch; one pair each for managerlevel and operator-level access to the switch. You can assign local
usernames and passwords through the CLI or web browser interface. (Using the menu interface you can assign a local password,
but not a username.) Because this method assigns passwords to
the switch instead of to individuals who access the switch, you
must distribute the password information on each switch to
everyone who needs to access the switch, and you must configure
and manage password protection on a per-switch basis. (For
more on local authentication, refer to “Configuring Username
and Password Security” on page 2-1.)
• TACACS+ Authentication: This method enables you to use a
TACACS+ server in your network to assign a unique password,
user name, and privilege level to each individual or group who
needs access to one or more switches or other TACACS-aware
devices. This allows you to administer primary authentication
from a central server, and to do so with more options than you
have when using only local authentication. (You will still need to
use local authentication as a backup if your TACACS+ servers
become unavailable.) This means, for example, that you can use
a central TACACS+ server to grant, change, or deny access to a
specific individual on a specific switch instead of having to
change local user name and password assignments on the switch
itself, and then have to notify other users of the change.
4-4
TACACS+ Authentication
Configuring TACACS+ on the Switch
General System Requirements
To use TACACS+ authentication, you need the following:
■ A TACACS+ server application installed and configured on one or
more servers or management stations in your network. (There are
several TACACS+ software packages available.)
■ A switch configured for TACACS+ authentication, with access to one
or more TACACS+ servers.
Notes The effectiveness of TACACS+ security depends on correctly using your
TACACS+ server application. For this reason, ProCurve recommends that you
thoroughly test all TACACS+ configurations used in your network.
TACACS-aware ProCurve switches include the capability of configuring
multiple backup TACACS+ servers. ProCurve recommends that you use a
TACACS+ server application that supports a redundant backup installation.
This allows you to configure the switch to use a backup TACACS+ server if it
loses access to the first-choice TACACS+ server.
TACACS+ does not affect web browser interface access. Refer to “Controlling
Web Browser Interface Access When Using TACACS+ Authentication” on
page 4-26.
General Authentication Setup Procedure
It is important to test the TACACS+ service before fully implementing it.
Depending on the process and parameter settings you use to set up and test
TACACS+ authentication in your network, you could accidentally lock all
users, including yourself, out of access to a switch. While recovery is simple,
it may pose an inconvenience that can be avoided.To prevent an unintentional
lockout on a switch, use a procedure that configures and tests TACACS+
protection for one access type (for example, Telnet access), while keeping the
4-5
TACACS+ Authentication
Configuring TACACS+ on the Switch
other access type (console, in this case) open in case the Telnet access fails
due to a configuration problem. The following procedure outlines a general
setup procedure.
Note If a complete access lockout occurs on the switch as a result of a TACACS+
configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your
switch.
1. Familiarize yourself with the requirements for configuring your
TACACS+ server application to respond to requests from a switch. (Refer
to the documentation provided with the TACACS+ server software.) This
includes knowing whether you need to configure an encryption key. (See
“Using the Encryption Key” on page 4-25.)
2. Determine the following:
• The IP address(es) of the TACACS+
• The period you want the switch to
server(s) you want the switch to use
wait for a reply to an authentication
for authentication. If you will use
request before trying another
more than one server, determine
server.
which server is your first-choice for
• The username/password pairs you
authentication services.
want the TACACS+ server to use for
• The encryption key, if any, for
controlling access to the switch.
allowing the switch to communicate
The privilege level you want for •
with the server. You can use either a
each username/password pair
global key or a server-specific key,
administered by the TACACS+
depending on the encryption
server for controlling access to the
configuration in the TACACS+
switch.
server(s).
• The username/password pairs you
• The number of log-in attempts you
want to use for local authentication
will allow before closing a log-in
(one pair each for Operator and
session. (Default: 3)
Manager levels).
3. Plan and enter the TACACS+ server configuration needed to support
TACACS+ operation for Telnet access (login and enable) to the switch.
This includes the username/password sets for logging in at the Operator
(read-only) privilege level and the sets for logging in at the Manager (read/
write) privilege level.
4-6
TACACS+ Authentication
Configuring TACACS+ on the Switch
Note on
Privilege Levels
Caution
When a TACACS+ server authenticates an access request from a switch,
it includes a privilege level code for the switch to use in determining which
privilege level to grant to the terminal requesting access. The switch
interprets a privilege level code of “15” as authorization for the Manager
(read/write) privilege level access. Privilege level codes of 14 and lower
result in Operator (read-only) access. Thus, when configuring the
TACACS+ server response to a request that includes a username/password pair that should have Manager privileges, you must use a privilege
level of 15. For more on this topic, refer to the documentation you received
with your TACACS+ server application.
If you are a first-time user of the TACACS+ service, ProCurve recommends that you configure only the minimum feature set required by the
TACACS+ application to provide service in your network environment.
After you have success with the minimum feature set, you may then want
to try additional features that the application offers.
4. Ensure that the switch has the correct local username and password for
Manager access. (If the switch cannot find any designated TACACS+
servers, the local manager and operator username/password pairs are
always used as the secondary access control method.)
You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason,
then unauthorized access will be available through the console port or
Telnet.
5. Using a terminal device connected to the switch’s console port, configure
the switch for TACACS+ authentication only for telnet login access and
telnet enable access. At this stage, do not configure TACACS+ authentication for console access to the switch, as you may need to use the
console for access if the configuration for the Telnet method needs
debugging.
6. Ensure that the switch is configured to operate on your network and can
communicate with your first-choice TACACS+ server. (At a minimum,
this requires IP addressing and a successful ping test from the switch to
the server.)
7. On a remote terminal device, use Telnet to attempt to access the switch.
If the attempt fails, use the console access to check the TACACS+
configuration on the switch. If you make changes in the switch configuration, check Telnet access again. If Telnet access still fails, check the
4-7
TACACS+ Authentication
Configuring TACACS+ on the Switch
configuration in your TACACS+ server application for mis-configurations or missing data that could affect the server’s interoperation with
the switch.
8. After your testing shows that Telnet access using the TACACS+ server is
working properly, configure your TACACS+ server application for
console access. Then test the console access. If access problems occur,
check for and correct any problems in the switch configuration, and then
test console access again. If problems persist, check your TACACS+
server application for mis-configurations or missing data that could
affect the console access.
9. When you are confident that TACACS+ access through both Telnet and
the switch’s console operates properly, use the write memory command
to save the switch’s running-config file to flash memory.
Configuring TACACS+ on the Switch
Before You Begin
If you are new to TACACS+ authentication, ProCurve recommends that you
read the “General Authentication Setup Procedure” on page 4-5 and configure
your TACACS+ server(s) before configuring authentication on the switch.
The switch offers three command areas for TACACS+ operation:
■ show authentication and show tacacs: Displays the switch’s TACACS+
configuration and status.
■ aaa authentication: A command for configuring the switch’s authenti-
cation methods
■ tacacs-server: A command for configuring the switch’s contact with
TACACS+ servers
4-8
TACACS+ Authentication
Configuring TACACS+ on the Switch
CLI Commands Described in this Section
Command Page
show authentication 4-9
show tacacs 4-10
aaa authentication pages 4-10 through 4-16
console
Telnet
num-attempts <1-10 >
login <privilege-mode>
tacacs-server pages 4-17
host < ip-addr > pages 4-17
key 4-21
timeout < 1-255 > 4-22
Viewing the Switch’s Current Authentication
Configuration
This command lists the number of login attempts the switch allows in a single
login session, and the primary/secondary access methods configured for each
type of access.
Syntax: show authentication
This example shows the default authentication configuration.
Configuration for login and enable access
to the switch through the switch console
port.
Configuration for login and enable access
to the switch through Telnet.
Figure 4-2. Example Listing of the Switch’s Authentication Configuration
4-9
TACACS+ Authentication
Configuring TACACS+ on the Switch
Viewing the Switch’s Current TACACS+ Server Contact
Configuration
This command lists the timeout period, encryption key, and the IP addresses
of the first-choice and backup TACACS+ servers the switch can contact.
Syntax: show tacacs
For example, if the switch was configured for a first-choice and two backup
TACACS+ server addresses, the default timeout period, and paris-1 for a
(global) encryption key, show tacacs would produce a listing similar to the
following:
First-Choice
TACACS+ Server
Second-Choice
TACACS+ Server
Third-Choice
TACACS+ Server
Figure 4-3. Example of the Switch’s TACACS+ Configuration Listing
Configuring the Switch’s Authentication Methods
The aaa authentication command configures access control for the following
access methods:
■ Console
■ Telnet
■ SSH
■ Web
■ Port-access (802.1X)
However, TACACS+ authentication is only used with the console, Telnet, or
SSH access methods. The command specifies whether to use a TACACS+
server or the switch’s local authentication, or (for some secondary scenarios)
no authentication (meaning that if the primary method fails, authentication is
denied). The command also reconfigures the number of access attempts to
allow in a session if the first attempt uses an incorrect username/password
pair.
4-10
TACACS+ Authentication
Configuring TACACS+ on the Switch
Using the Privilege-Mode Option for Login
When using TACACS+ to control user access to the switch, you must first login
with your username at the Operator privilege level using the password for
Operator privileges, and then login again with the same username but using
the Manger password to obtain Manager privileges. You can avoid this double
login process by entering the privilege-mode option with the aaa authentication
login command to enable TACACS+ for a single login. The switch authenticates your username/password, then requests the privilege level (Operator or
Manager) that was configured on the TACACS+ server for this username/
password. The TACACS+ server returns the allowed privilege level to the
switch. You are placed directly into Operator or Manager mode, depending on
your privilege level.
ProCurve(config) aaa authentication login privilege-mode
The no version of the above command disables TACACS+ single login capability.
Syntax: aaa authentication
< console | telnet | ssh >
Selects the access method for configuration.
< enable>
The server grants privileges at the Manager privilege
level.
<login [privilege-mode] >
The server grants privileges at the Operator privilege
level. If the privilege-mode option is entered, TACACS+ is
enabled for a single login. The authorized privilege level
(Operator or Manager) is returned to the switch by the
TACACS+ server.
Default: Single login disabled.
< local | tacacs | radius >
Selects the type of security access:
local — Authenticates with the Manager and Operator
password you configure in the switch.
tacacs — Authenticates with a password and other
data configured on a TACACS+ server.
radius — Authenticates with a password and other
data configured on a RADIUS server.
4-11
TACACS+ Authentication
Configuring TACACS+ on the Switch
[< local | none >]
If the primary authentication method fails, determines
whether to use the local password as a secondary method
or to disallow access.
aaa authentication num-attempts < 1-10 >
Specifies the maximum number of login attempts allowed in
the current session. Default: 3
Table 4-1. AAA Authentication Parameters
Name Default Range Function
console, Telnet,
SSH, web or portaccess
n/a n/a Specifies the access method used when authenticating. TACACS+
authentication only uses the console, Telnet or SSH access methods.
enable n/a n/a Specifies the Manager (read/write) privilege level for the access
method being configured.
login <privilegemode>
privilege-mode
disabled
n/a login: Specifies the Operator (read-only) privilege level for the
access method being configured.
The privilege-mode option enables TACACS+ for a single login. The
authorized privilege level (Operator or Manager) is returned to the
switch by the TACACS+ server.
local
- or -
tacacs
local n/a Specifies the primary method of authentication for the access
method being configured.
local: Use the username/password pair configured locally in the
switch for
the privilege level being configured
tacacs: Use a TACACS+ server.
local
none n/a Specifies the secondary (backup) type of authentication being
- or -
configured.
none
local: The username/password pair configured locally in the switch
for the
privilege level being configured
none: No secondary type of authentication for the specified
method/privilege path. (Available only if the primary method of
authentication for the access being configured is local.)
Note: If you do not specify this parameter in the command line, the
switch automatically assigns the secondary method as follows:
• If the primary method is
tacacs, the only secondary method is
local.
• If the primary method is
local, the default secondary method is
none.
num-attempts 3 1 - 10 In a given session, specifies how many tries at entering the correct
username/password pair are allowed before access is denied and
the session terminated.
4-12
TACACS+ Authentication
Configuring TACACS+ on the Switch
Configuring the TACACS+ Server for Single Login
In order for the single login feature to work correctly, you need to check some
entries in the User Setup on the TACACS+ server.
In the User Setup, scroll to the Advanced TACACS+ Settings section. Make
sure the radio button for “Max Privilege for any AAA Client” is checked and
the level is set to 15, as shown in Figure 4-4. Privileges are represented by the
numbers 0 through 15, with zero allowing only Operator privileges (and
requiring two logins) and 15 representing root privileges. The root privilege
level is the only level that will allow Manager level access on the switch.
Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup
Then scroll down to the section that begins with “Shell” (See Figure 4-5).
Check the Shell box.
Check the Privilege level box and set the privilege level to 15 to allow “root”
privileges. This allows you to use the single login option.
4-13
TACACS+ Authentication
Configuring TACACS+ on the Switch
Figure 4-5. The Shell Section of the TACACS+ Server User Setup
Primary/Secondary Authentication
As shown in the next table, login and enable access is always available locally
through a direct terminal connection to the switch’s console port. However,
for Telnet access, you can configure TACACS+ to deny access if a TACACS+
server goes down or otherwise becomes unavailable to the switch.
4-14
Loading...