ProCurve 2900, ProCurve Switch 2900-24G, ProCurve Switch 2900-48G User Manual

Access Security Guide
ProCurve Switch 2900
T.13.01
www.procurve.com
© Copyright 2006-2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Publication Number
5991-6198 January 2008
Applicable Products
ProCurve Switch 2900-24G (J9049A)
ProCurve Switch 2900-48G (J9050A)
Trademark Credits
Microsoft, Windows, and Microsoft Windows NT are U.S. registered trademarks of Microsoft Corporation.
Software Credits and Notices
SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit http://www.openssh.com.
SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit http://www.openssl.org.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Portions of the software on ProCurve switches are based on the lightweight TCP/IP (lwIP) software toolkit by Adam Dunkels, and are covered by the following notices.
Copyright © 2001-2003 Swedish Institute of Computer Science. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes software written by Adam Dunkels (adam@sics.se).
Disclaimer
The information contained in this document is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551
http://www.procurve.com
Contents
Product Documentation
About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
1 Security Overview
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Switch Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Default Configuration Settings and Access Security . . . . . . . . . . . . . . 1-4
Local Manager Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Inbound Telnet Access and Web Browser Access . . . . . . . . . . . . . 1-4
SNMP Access (Simple Network Management Protocol) . . . . . . . 1-5
Front-Panel Access and Physical Security . . . . . . . . . . . . . . . . . . . 1-6
Secure File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Other Provisions for Management Access Security . . . . . . . . . . . . . . . 1-7
Authorized IP Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Secure Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
802.1X Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Secure Socket Layer (SSLv3/TLSv1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Port Security, MAC Lockdown, and MAC Lockout . . . . . . . . . . . . . . . 1-10
Key Management System (KMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
2 Configuring Username and Password Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Saving Security Credentials in a Config File . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Benefits of Saving Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Enabling the Storage and Display of Security Credentials . . . . . . . . 2-11
Security Settings that Can Be Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Local Manager and Operator Passwords . . . . . . . . . . . . . . . . . . . . . . . 2-12
Password Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
SNMP Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
802.1X Port-Access Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
TACACS+ Encryption Key Authentication . . . . . . . . . . . . . . . . . . . . . 2-15
RADIUS Shared-Secret Key Authentication . . . . . . . . . . . . . . . . . . . . 2-16
SSH Client Public-Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Clear Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Reset Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . 2-25
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel . . . . . . . . . . . . . . 2-29
Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation . . . . . 2-30
Changing the Operation of the Reset+Clear Combination . . . . . 2-31
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Disabling or Re-Enabling the Password Recovery Process . . . . 2-32
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
3 Web and MAC Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Authorized and Unauthorized Client VLANs . . . . . . . . . . . . . . . . . . . . . 3-4
RADIUS-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 3-6
Web-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Customized Login Web Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
MAC-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . . . . 3-14
Before You Configure Web/MAC Authentication . . . . . . . . . . . . . . . . 3-14
Configuring the RADIUS Server To Support MAC Authentication . . 3-17
Using Customized Login Web Pages for Enhanced Web Authentication . . . . . . . . . . . . . . . . . 3-17
Configuring a DNS Server for Enhanced Web Authentication . . . . . 3-28
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . 3-28
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Configuration Commands for Web Authentication . . . . . . . . . . . . . . 3-32
Show Commands for Web Authentication . . . . . . . . . . . . . . . . . . . . . . 3-39
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . 3-45
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 3-46
Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 3-49
Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
4 TACACS+ Authentication
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Terminology Used in TACACS Applications . . . . . . . . . . . . . . . . . . . . . 4-3
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 4-5
Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9
Viewing the Switch’s Current Authentication Configuration . . . . . . . 4-9
Viewing the Switch’s Current TACACS+ Server Contact Configuration . . . . . . . . . . . . . . 4-10
Configuring the Switch’s Authentication Methods . . . . . . . . . . . . . . . 4-10
Using the Privilege-Mode Option for Login . . . . . . . . . . . . . . . . . 4-11
Authentication Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Configuring the TACACS+ Server for Single Login . . . . . . . . . . . . . . 4-13
Configuring the Switch’s TACACS+ Server Access . . . . . . . . . . . . . . 4-18
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
General Authentication Process Using a TACACS+ Server . . . . . . . . 4-24
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Using the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Encryption Options in the Switch . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Controlling Web Browser Interface
Access When Using TACACS+ Authentication . . . . . . . . . . . . . . . . . . 4-28
Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . 4-28
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29
5 RADIUS Authentication and Accounting
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
RADIUS-Administered CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 5-8
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-9
1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . 5-10
2. Enable the (Optional) Access Privilege Option . . . . . . . . . . . . . . . . 5-13
3. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-14
4. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-17
Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Controlling Web Browser Interface Access . . . . . . . . . . . . . . . . . . . . 5-22
Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23
Enabling Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Displaying Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Configuring Commands Authorization on a RADIUS Server . . . . . . 5-25
Using Vendor Specific Attributes (VSAs) . . . . . . . . . . . . . . . . . . . 5-25
Example Configuration on Cisco Secure ACS for MS Windows 5-27
Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 5-29
VLAN Assignment in an Authentication Session . . . . . . . . . . . . . . . . 5-31
Tagged and Untagged VLAN Attributes . . . . . . . . . . . . . . . . . . . . . . . . 5-32
Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-33
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34
Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-35
Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-36
1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 5-37
2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server . . . . . . . . . . . . . . . 5-38
3. (Optional) Configure Session Blocking and Interim Updating Options . . . . . . . . . . . . . . . . . . . . . . . 5-40
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42
RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44
RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45
Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 5-46
Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . 5-49
6 Configuring Secure Shell (SSH)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Steps for Configuring and Using SSH for Switch and Client Authentication . . . . . . . . . . . . . . . . . 6-6
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 6-9
1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . 6-10
3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 6-13
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
5. Configuring the Switch for SSH Authentication . . . . . . . . . . . . . . . 6-18
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-22
Further Information on SSH Client Public-Key Authentication . 6-22
Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28
7 Configuring Secure Socket Layer (SSL)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . 7-5
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . 7-7
1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
2. Generating the Switch’s Server Host Certificate . . . . . . . . . . . . . . . . 7-8
To Generate or Erase the Switch’s Server Certificate with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
Comments on Certificate Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Generate a Self-Signed Host Certificate with the Web browser interface . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Generate a CA-Signed server host certificate with the Web browser interface . . . . . . . . . . . . . . . . . . . . . . . . 7-15
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Using the CLI Interface to Enable SSL . . . . . . . . . . . . . . . . . . . . . 7-19
Using the Web Browser Interface to Enable SSL . . . . . . . . . . . . . 7-19
Common Errors in SSL setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21
8 Traffic/Security Filters and Monitors
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Filter Types and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . . 8-4
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Operating Rules for Named Source-Port Filters . . . . . . . . . . . . . . 8-6
Defining and Configuring Named Source-Port Filters . . . . . . . . . 8-7
Viewing a Named Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Static Multicast Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Protocol Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-16
Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . . . 8-18
Example of Creating a Source-Port Filter . . . . . . . . . . . . . . . . . . . 8-19
Configuring a Filter on a Port Trunk . . . . . . . . . . . . . . . . . . . . . . . 8-19
Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
Configuring a Multicast or Protocol Traffic Filter . . . . . . . . . . . . . . . 8-21
Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
Displaying Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
9 Configuring Port-Based and User-Based Access Control (802.1X)
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . . 9-4
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
802.1X User-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . 9-7
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 9-10
Example of the Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . 9-10
VLAN Membership Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
General Setup Procedure for 802.1X Access Control . . . . . . . . . . . 9-15
Do These Steps Before You Configure 802.1X Operation . . . . . . . . . 9-15
Overview: Configuring 802.1X Authentication on the Switch . . . . . . 9-18
Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . 9-19
1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . . 9-20
A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication . . . . . . . . . . . . . . . . 9-20
B. Specify User-Based Authentication or Return to Port-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21
Example: Configuring User-Based 802.1X Authentication . . . . . 9-22
Example: Configuring Port-Based 802.1X Authentication . . . . . 9-22
2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . . 9-22
3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . . 9-25
4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 9-26
5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . . 9-26
6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . . 9-27
7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . . . 9-27
Wake-on-LAN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
Example: Configuring 802.1X Controlled Directions . . . . . . . . . 9-29
802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30
VLAN Membership Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-31
Use Models for 802.1X Open VLAN Modes . . . . . . . . . . . . . . . . . . . . . 9-32
Operating Rules for Authorized-Client and Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . 9-37
Setting Up and Configuring 802.1X Open VLAN Mode . . . . . . . . . . . . 9-41
802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 9-45
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices . . . . . . . . . . . . . . . . . . 9-46
Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-47
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-48
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-48
Supplicant Port Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-50
Displaying 802.1X Configuration, Statistics, and Counters . . . . . 9-52
Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 9-52
Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . . 9-61
Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . 9-63
How RADIUS/802.1X Authentication Affects VLAN Operation . . 9-64
VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-65
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-65
Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-67
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-70
Operating Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-72
Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . 9-73
10 Configuring and Monitoring Port Security
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Port Security Command Options and Operation . . . . . . . . . . . . . . . . 10-8
Port Security Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12
Retention of Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22
Differences Between MAC Lockdown and Port Security . . . . . . . . 10-23
MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 10-24
Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-25
MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-31
Web: Displaying and Configuring Port Security Features . . . . . . 10-32
Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . 10-32
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-32
How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-33
Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 10-34
Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . 10-35
CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . 10-36
Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . 10-38
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . 10-39
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-40
11 Using Authorized IP Managers
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 11-4
Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 11-5
CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 11-6
Listing the Switch’s Current Authorized IP Manager(s) . . . . . . . 11-6
Configuring IP Authorized Managers for the Switch . . . . . . . . . 11-7
Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . 11-9
Web Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
How to Eliminate the Web Proxy Server . . . . . . . . . . . . . . . . . . . 11-9
Using a Web Proxy Server to Access the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Configuring One Station Per Authorized Manager IP Entry . . . . . . 11-10
Configuring Multiple Stations Per Authorized Manager IP Entry . . 11-11
Additional Examples for Authorizing Multiple Stations . . . . . . . . . 11-13
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
12 Key Management System
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 12-3
Assigning a Time-Independent Key to a Chain . . . . . . . . . . . . . . . . . . 12-4
Assigning Time-Dependent Keys to a Chain . . . . . . . . . . . . . . . . . . . . 12-5
Index
Product Documentation
About Your Switch Manual Set
The switch manual set includes the following documentation:
• Read Me First—a printed guide shipped with your switch. Provides software update information, product notes, and other information.
• Installation and Getting Started Guide—a printed guide shipped with your switch. This guide explains how to prepare for and perform the physical installation and connect the switch to your network.
• Management and Configuration Guide—a PDF on the ProCurve Networking Web Site that describes how to configure, manage, and monitor basic switch operation.
• Advanced Traffic Management Guide—a PDF on the ProCurve Networking Web Site that explains how to configure traffic management features such as VLANs, MSTP, and QoS.
• Multicast and Routing Guide—a PDF on the ProCurve Networking Web Site that explains how to configure IGMP and IP routing.
• Access Security Guide—a PDF on the ProCurve Networking Web Site that explains how to configure access security features and user authentication on the switch.
• Release Notes—posted on the ProCurve Networking Web Site to provide information on software updates. The release notes describe new features, fixes, and enhancements that become available between revisions of the main product guide.
Note: For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, visit the ProCurve Networking Web Site at www.procurve.com, click on Technical support, and then click on Product manuals (all).
Feature Index
For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature.
Feature | Management and Configuration | Advanced Traffic Management | Multicast and Routing | Access Security Guide
802.1Q VLAN Tagging X
802.1p Priority X
802.1X Port-Based Authentication X
AAA Authentication X
Authorized IP Managers X
Authorized Manager List (web, telnet, TFTP) X
Auto MDIX Configuration X
BOOTP X
Config File X
Console Access X
Copy Command X
CoS (Class of Service) X
Debug X
DHCP Configuration X
DHCP Option 82 X
DHCP/Bootp Operation X
Diagnostic Tools X
Downloading Software X
Dynamic Configuration Arbiter X
Eavesdrop Protection X
Event Log X
Factory Default Settings X
Flow Control (802.3x) X
File Management X
File Transfers X
Friendly Port Names X
GVRP X
Identity-Driven Management (IDM) X
IGMP X
Interface Access (Telnet, Console/Serial, Web) X
IPv4 Addressing X
IPv6 Addressing (see the IPv6 Configuration Guide)
IP Routing X
Jumbos Support X
LACP X
Link X
LLDP X
LLDP-Med X
MAC Address Management X
MAC Lockdown X
MAC Lockout X
MAC-based Authentication X
MAC authentication RADIUS support X
Management VLAN X
Monitoring and Analysis X
Multicast Filtering X
Multiple Configuration Files X
Network Immunity Manager X
Network Management Applications (SNMP) X
OpenView Device Management X
Passwords and Password Clear Protection
PCM X
Ping X
Port Configuration X
Port Monitoring X
Port Security
Port Status X
Port Trunking (LACP) X
Port-Based Access Control
Port-Based Priority (802.1Q) X
Protocol Filters X
Protocol VLANS X
Quality of Service (QoS) X
RADIUS Authentication and Accounting X
RADIUS-Based Configuration X
RADIUS VLAN Control
RMON 1,2,3,9 X
Routing X
Routing - IP Static X
Secure Copy X
SFLOW X
SFTP X
SNMPv3 X
Software Downloads (SCP/SFTP, TFPT, Xmodem) X
Source-Port Filters
Spanning Tree (MSTP) X
SSHv2 (Secure Shell) Encryption X
SSLv3 (Secure Socket Layer) X
Stack Management X
Syslog X
System Information X
TACACS+ Authentication X
Telnet Access X
TFTP X
Tiered Dynamic Override
Time Protocols (TimeP, SNTP) X
Traffic/Security Filters X
Troubleshooting X
USB Autorun X
VLANs X
VLAN Mirroring (1 static VLAN) X
Web Authentication RADIUS Support X
Web-based Authentication X
Web UI X
Xmodem X
1 Security Overview
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Switch Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Default Configuration Settings and Access Security . . . . . . . . . . . . . . 1-3
Local Manager Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Inbound Telnet Access and Web Browser Access . . . . . . . . . . . . . 1-3
SNMP Access (Simple Network Management Protocol) . . . . . . . 1-4
Front-Panel Access and Physical Security . . . . . . . . . . . . . . . . . . . 1-5
Secure File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Other Provisions for Management Access Security . . . . . . . . . . . . . . . 1-6
Authorized IP Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Secure Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Network Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
802.1X Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Secure Socket Layer (SSLv3/TLSv1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Port Security, MAC Lockdown, and MAC Lockout . . . . . . . . . . . . . . . . 1-9
Key Management System (KMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Identity-Driven Manager (IDM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Dynamic Configuration Arbiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Network Immunity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Arbitrating Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Introduction
Before you connect your switch to a network, ProCurve strongly recommends that you review the Security Overview beginning on page 1-3. It outlines the potential threats for unauthorized switch and network access, and provides guidelines on how to use the various security features available on the switch to prevent such access. For more information on individual features, see the references provided.
About This Guide
This Access Security Guide describes how to configure security features on the switches covered in this guide.
Note: For an introduction to the standard conventions used in this guide, refer to the Getting Started chapter in the Management and Configuration Guide for your switch.
For More Information
For information on which product manual to consult for a specific software feature, refer to the “Feature Index” on page xiv of this guide.
For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features and other software topics, visit the ProCurve Networking web site at www.procurve.com, click on Technical support, and then click on Product Manuals (all).
Switch Access Security
This section outlines provisions for protecting access to the switch’s status information and configuration settings. ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. However, when preparing the switch for network operation, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions. Since security incidents can originate with sources inside as well as outside of an organization, your access security provisions must protect against internal and external threats while preserving the necessary network access for authorized clients and users.
Default Configuration Settings and Access Security
In its default configuration, the switch is open to unauthorized access of various types. In addition to applying local passwords, ProCurve recommends that you consider using the switch’s other security features to provide a more complete security fabric.
Switch management access is available through the following methods:
• Inbound Telnet access and Web-browser access
• SNMP access
• Front-Panel access (serial port access to the console, plus resets and clearing the password(s) or current configuration)
It is important to evaluate the level of management access vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place. This includes both configurable security options and physical access to the switch hardware.
Local Manager Password
In the default configuration, there is no password protection. Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch’s Web browser and console (CLI and Menu) interfaces. The Manager password can easily be set using the CLI password manager command, the Menu interface Console Passwords option, or the password options under the Security tab in the Web browser interface.
Inbound Telnet Access and Web Browser Access
The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL must be used for remote access. This enables you to employ increased access security while still retaining remote client access.
• SSHv2 provides Telnet-like connections through encrypted and authenticated transactions.
• SSLv3/TLSv1 provides remote Web browser access to the switch via encrypted paths between the switch and management station clients capable of SSL/TLS operation.
(For information on SSH, refer to Chapter 6 “Configuring Secure Shell (SSH)”; for details on SSL, refer to Chapter 7, “Configuring Secure Socket Layer (SSL)”.)
Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access. Among the methods for blocking unauthorized access attempts using Telnet or the Web browser are the following two CLI commands:
• no telnet-server: This command blocks inbound Telnet access.
• no web-management: This command prevents use of the Web browser interface through http (port 80) server access.
If you choose not to disable Telnet and Web browser access, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch. Refer to Chapter 5, “RADIUS Authentication and Accounting” in this guide.
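As an added illustration of the hardening steps recommended in this section (it is not code from this guide or from ProCurve), the following Python script audits a saved ProCurve-style configuration for the default exposures named above: no Manager password, inbound Telnet still enabled, plain-HTTP web management still enabled, and SNMPv1/v2c community access. The `no telnet-server`, `no web-management` and `password manager` lines are the ones this guide quotes; the two sample configurations, the `snmp-server community` and `snmpv3 enable` line formats, and the finding names are assumptions.

```python
"""Audit a ProCurve-style saved configuration for the default management
exposures described in this overview.  Constructed example: the two sample
configurations below are made up, and every line format other than
'no telnet-server', 'no web-management' and 'password manager' (which the
guide quotes) is an assumption about how the switch writes its config."""
import re

# Constructed sample: a switch left in its factory-default management state.
DEFAULT_CONFIG = """\
; J9049A Configuration Editor; Created on release #T.13.01
hostname "ProCurve Switch 2900-24G"
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address dhcp-bootp
   exit
"""

# Constructed sample: the same switch after the steps recommended above.
HARDENED_CONFIG = """\
; J9049A Configuration Editor; Created on release #T.13.01
hostname "ProCurve Switch 2900-24G"
password manager
password operator
no telnet-server
no web-management
ip ssh
web-management ssl
snmp-server community "netops-ro" operator restricted
snmpv3 enable
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address dhcp-bootp
   exit
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}
COMMUNITY_RE = re.compile(r'^snmp-server community "([^"]*)"(.*)$')


def audit_config(config_text):
    """Return a list of finding identifiers for the given configuration text.

    Telnet and plain-HTTP web management are enabled by default, so they
    count as exposed unless the config explicitly disables them."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings = []

    if not any(ln.startswith("password manager") for ln in lines):
        findings.append("no-manager-password")          # console and web open without a password
    if "no telnet-server" not in lines:
        findings.append("telnet-enabled")               # passwords cross the wire in clear text
    if "no web-management" not in lines:
        findings.append("http-web-management-enabled")  # same problem on port 80
    if "snmpv3 enable" not in lines:
        findings.append("snmpv3-disabled")              # only plain-text v1/v2c available

    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        name, options = m.group(1), m.group(2)
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append("well-known-snmp-community:" + name)
        if "unrestricted" in options.split():
            findings.append("unrestricted-snmp-community:" + name)  # write access via SNMP
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or "clean")
```

Run against a configuration captured from the switch, the script reports each exposure by name; an empty list means the settings this section recommends are all present.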
SNMP Access (Simple Network Management Protocol)
In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide security options. ProCurve recommends that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).
SNMPv3 security options include:
• configuring device communities as a means for excluding management access by unauthorized stations
• configuring for access authentication and privacy
• reporting events to the switch CLI and to SNMP trap receivers
• restricting non-SNMPv3 agents to either read-only access or no access
• co-existing with SNMPv1 and v2c if necessary
For information on SNMP, refer to “Using SNMP Tools To Manage the Switch” in the chapter titled “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.
Front-Panel Access and Physical Security
Physical access to the switch allows the following:
• use of the console serial port (CLI and Menu interface) for viewing and changing the current configuration and for reading status, statistics, and log messages.
• use of the switch’s Clear and Reset buttons for these actions:
  – clearing (removing) local password protection
  – rebooting the switch
  – restoring the switch to the factory default configuration (and erasing any non-default configuration settings)
Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following:
• Disable or re-enable the password-clearing function of the Clear button.
• Configure the Clear button to reboot the switch after clearing any local usernames and passwords.
• Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch’s factory default settings.
• Disable or re-enable password recovery.
For the commands used to implement the above actions, refer to the section titled “Front-Panel Security” on page 2-23.
Secure File Transfers
Secure Copy and SFTP provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices. For more on these features, refer to the section on “Using Secure Copy and SFTP” in the “File Transfers” appendix of the Management and Configuration Guide for your switch.
Other Provisions for Management Access Security
The following features can help to prevent unauthorized management access to the switch.
Authorized IP Managers
This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following:
• Telnet and other terminal emulation applications
• The switch’s Web browser interface
• SNMP (with a correct community name)
For more information, refer to Chapter 11, “Using Authorized IP Managers”.
Secure Management VLAN
This feature creates an isolated network for managing the ProCurve switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and Web browser interface access is restricted to ports configured as members of the VLAN. For more information, refer to the chapter titled “Static Virtual LANs (VLANs)” in the Advanced Traffic Management Guide.
TACACS+ Authentication
This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch’s serial (console) port or remotely, with Telnet. If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access. For more information, refer to Chapter 4, “TACACS+ Authentication”.
RADIUS Authentication
For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods. Refer to Chapter 5, “RADIUS Authentication and Accounting”.
Network Security Features
This section outlines features for protecting access through the switch to the network. For more detailed information, see the indicated chapters.
802.1X Access Control
This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following:
• user-based access control supporting up to 32 authenticated clients per port
• port-based access control allowing authentication by a single client to open the port
• switch operation as a supplicant for point-to-point connections to other 802.1X-compliant ProCurve switches
For more information, refer to Chapter 9 “Configuring Port-Based and User-Based Access Control (802.1X)”.
Web and MAC Authentication
These options are designed for application on the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Both methods rely on using a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single server. It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a web page login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses for access to the network. For more information, refer to Chapter 3, “Web and MAC Authentication”.
Secure Shell (SSH)
SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
• client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
• switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client’s key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
• secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information.
For more information on SSH, refer to Chapter 6, “Configuring Secure Shell (SSH)”. For more on SC and SFTP, refer to the section titled “Using Secure Copy and SFTP” in the “File Transfers” appendix of the Management and Configuration Guide for your switch.
Secure Socket Layer (SSLv3/TLSv1)
This feature includes use of Transport Layer Security (TLSv1) to provide remote web access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication. For more information, refer to Chapter 7, “Configuring Secure Socket Layer (SSL)”.
Traffic/Security Filters
These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:
• source-port filters: Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.
• multicast filters: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports or dropped on a per-port (destination) basis.
• protocol filters: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.
For details, refer to Chapter 8, “Traffic/Security Filters and Monitors”.
Port Security, MAC Lockdown, and MAC Lockout
The features listed below provide device-based access security in the following ways:
• Port security: Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.
• MAC lockdown: This “static addressing” feature is used as an alternative to port security to prevent station movement and MAC address “hijacking” by allowing a given MAC address to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.
• MAC lockout: This feature enables blocking of a specific MAC address so that the switch drops all traffic to or from the specified address.
Precedence of Security Options. Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (Applies to all ports on the switch.)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.
(The above list does not address the mutually exclusive relationship that exists among some security features.)
For more information, refer to Chapter 10, “Configuring and Monitoring Port Security”.
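The following Python model is an added example (not switch code from this guide or from ProCurve) that ties together two passages of this overview: the Authorized IP Managers check, where a 1 bit in an entry's mask means the station's address must match the entry in that bit and a 0 bit is a "don't care", and the precedence list just given, applied in order to an inbound frame so that the first feature to drop the frame is reported. The class names, method names, the sample MAC and IP addresses, and the assumptions that an empty Authorized IP Managers table refuses nobody and that the higher access level wins when several entries match are all mine.

```python
"""Model of two things this overview describes: the Authorized IP Managers
check (an entry's mask selects which address bits a station must match) and
the order in which the switch applies its port-level security features to a
frame.  Constructed example: the classes, method names and the sample data
are assumptions, not the switch's own code."""
import ipaddress
from dataclasses import dataclass, field


def _ip(addr):
    """IPv4 dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


class AuthorizedManagers:
    """Authorized IP Managers table.  A 1 bit in an entry's mask means the
    station's address must match the entry in that bit; a 0 bit is a
    'don't care'.  Mask 255.255.255.255 therefore authorizes one station."""

    def __init__(self):
        self.entries = []  # (address, mask, access level)

    def add(self, address, mask="255.255.255.255", level="manager"):
        if level not in ("manager", "operator"):
            raise ValueError("access level must be manager or operator")
        self.entries.append((_ip(address), _ip(mask), level))

    def access_level(self, station):
        """Return 'manager', 'operator', or None when the station is refused.
        Assumption: with an empty table the feature is off and nothing is
        refused; when several entries match, the higher level wins."""
        if not self.entries:
            return "manager"
        s = _ip(station)
        levels = {lvl for addr, mask, lvl in self.entries if (s & mask) == (addr & mask)}
        if "manager" in levels:
            return "manager"
        return "operator" if "operator" in levels else None


@dataclass
class Frame:
    port: str
    src_mac: str
    vlan: int
    src_ip: str = ""  # used only when the frame is management traffic


@dataclass
class PortSecurityModel:
    disabled_ports: set = field(default_factory=set)
    locked_out_macs: set = field(default_factory=set)  # MAC lockout is switch-wide
    lockdown: dict = field(default_factory=dict)       # MAC -> (port, VLAN) it may use
    port_security: dict = field(default_factory=dict)  # port -> allowed MACs
    managers: AuthorizedManagers = field(default_factory=AuthorizedManagers)

    def evaluate(self, frame, management=False):
        """Apply the checks in the order the overview lists them and report
        the first one that drops the frame, or 'forward' with the stage at
        which higher-layer features (SSH, RADIUS, ...) take over."""
        if frame.port in self.disabled_ports:
            return "drop", "1-port-disabled"
        if frame.src_mac in self.locked_out_macs:
            return "drop", "2-mac-lockout"
        if frame.src_mac in self.lockdown and self.lockdown[frame.src_mac] != (frame.port, frame.vlan):
            return "drop", "3-mac-lockdown"
        allowed = self.port_security.get(frame.port)
        if allowed is not None and frame.src_mac not in allowed:
            return "drop", "4-port-security"
        if management and self.managers.access_level(frame.src_ip) is None:
            return "drop", "5-authorized-ip-managers"
        return "forward", "6-higher-layer-features"


def build_sample():
    """Constructed sample policy (addresses and MACs are made up)."""
    mgr = AuthorizedManagers()
    mgr.add("10.28.227.100", "255.255.255.252", "manager")  # 10.28.227.100 through .103
    mgr.add("10.28.10.7", "255.255.255.255", "operator")    # exactly one station
    return PortSecurityModel(
        disabled_ports={"24"},
        locked_out_macs={"00-11-22-33-44-55"},
        lockdown={"00-aa-bb-cc-dd-01": ("3", 10)},
        port_security={"5": {"00-aa-bb-cc-dd-02"}},
        managers=mgr,
    )
```

Because the checks run in the documented order, a locked-out MAC is reported as stage 2 even on a port whose port-security list would also have rejected it, and a lockdown entry both pins a MAC to one port and restricts it to one VLAN, as the list above describes.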
Key Management System (KMS)
KMS is available in several ProCurve switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.
For more information, refer to Chapter 12, “Key Management System”.
Identity-Driven Manager (IDM)
IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
Using IDM, a system administrator can configure automatic and dynamic security to operate at the network edge when a user connects to the network. This operation enables the network to:
• approve or deny access at the edge of the network instead of in the core;
• distinguish among different users and what each is authorized to do;
• configure guest access without compromising internal security.
Criteria for enforcing RADIUS-based security for IDM applications include classifiers such as:
• authorized user identity
• authorized device identity (MAC address)
• software running on the device
• physical location in the network
• time of day
Responses can be configured to support the networking requirements, user (SNMP) community, service needs, and access security level for a given client and device.
For more information on IDM, visit the ProCurve Web site at www.procurve.com, and click on Products and Solutions, then Identity Driven Manager (under Network Management).
Dynamic Configuration Arbiter
Starting in software release T.13.xx, the Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.
A client-specific authentication configuration is bound to the MAC address of a client device and may include the following parameters:
• Untagged client VLAN ID
• Tagged VLAN IDs
• Per-port CoS (802.1p) priority
DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority:
1. Attribute profiles applied through the Network Immunity network-management application using SNMP (see “Network Immunity Manager” on page 1-13)
2. 802.1X authentication parameters (RADIUS-assigned)
3. Web- or MAC-authentication parameters (RADIUS-assigned)
4. Local, statically-configured parameters
Although RADIUS-assigned settings are never applied to ports for non-authenticated clients, the Dynamic Configuration Arbiter allows you to configure and assign client-specific port configurations to non-authenticated clients, provided that a client’s MAC address is known in the switch in the forwarding database. DCA arbitrates the assignment of attributes on both authenticated and non-authenticated ports.
DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.
Network Immunity Manager
Network Immunity Manager (NIM) is a plug-in to ProCurve Manager (PCM) and a key component of the ProCurve Network Immunity security solution that provides comprehensive detection and per-port response to malicious traffic at the ProCurve network edge.
NIM allows you to apply policy-based actions to minimize the negative impact of a client’s behavior on the network. For example, using NIM you can apply a client-specific profile that adds or modifies per-port VLAN ID assignments.
Note: NIM actions only support the configuration of per-port VLAN ID assignment; NIM does not support CoS (802.1p) priority assignment and ACL configuration.
NIM-applied parameters temporarily override RADIUS-configured and locally configured parameters in an authentication session. When the NIM-applied action is removed, the previously applied client-specific parameter (locally configured or RADIUS-assigned) is re-applied unless there have been other configuration changes to the parameter. In this way, NIM allows you to minimize network problems without manual intervention.
NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client’s MAC address is known in the switch’s forwarding database.
The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for Network Immunity Manager. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.1X, web or MAC authentication, you can verify which RADIUS-assigned and statically configured parameters are supported and if they are supported on a per-port or per-client basis.
A NIM policy accesses the hpicfUsrProfileMIB through SNMP to perform the following actions:
• Bind (or unbind) a profile of configured attributes to the MAC address of a client device on an authenticated or unauthenticated port.
• Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated client session.
Note that the attribute profile assigned to a client is often a combination of NIM-configured, RADIUS-assigned, and statically configured settings. Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters.
For more information on Network Immunity Manager, go to the ProCurve Web site at www.procurve.com, and click on Products and Solutions, then under Network Management, click on ProCurve Network Immunity Manager 1.0.
Arbitrating Client-Specific Attributes
In previous releases, client-specific authentication parameters for 802.1X, Web, and MAC authentication are assigned to a port using different criteria. A RADIUS-assigned parameter is always given highest priority and overrides statically configured local passwords. 802.1X authentication parameters override Web or MAC authentication parameters.
Starting in release T.13.xx, DCA stores three levels of client-specific authentication parameters and prioritizes them according to the following hierarchy of precedence:
1. NIM access policy (applied through SNMP)
2. RADIUS-assigned
   a. 802.1X authentication
   b. Web or MAC authentication
3. Statically (local) configured
Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
Also, you can assign NIM-configured parameters (for example, VLAN ID assignment) to be activated in a client session when a threat to network security is detected. When the NIM-configured parameters are later removed, the parameter values in the client session return to the RADIUS-configured or locally configured settings, depending on which are next in the hierarchy of precedence.
In addition, DCA supports conflict resolution for QoS (port-based CoS priority) by determining whether to configure either strict or non-strict resolution on a switch-wide basis.
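The precedence rules described in this section (the four-level list at the start of the DCA section and the three-level hierarchy above, with NIM values applied on top of RADIUS and local values and later withdrawn) as an added Python model. This is example code written for this edit, not ProCurve switch code; the level names, parameter names and the MAC address are assumptions.

```python
"""Added example (not ProCurve code): a model of how the Dynamic Configuration
Arbiter resolves one client-specific parameter from several sources, following
the precedence this chapter lists. Level names, parameter names and the MAC
address are assumptions made for the example."""
from typing import Dict, Optional, Tuple

# Highest priority first, as listed under "Arbitrating Client-Specific Attributes".
PRECEDENCE = ("nim", "radius-802.1x", "radius-web-mac", "local")
# NIM actions support only the per-port untagged VLAN assignment, not CoS or ACLs.
NIM_SUPPORTED = {"untagged-vlan"}


class ClientProfile:
    """Attribute profile for one client session, keyed by MAC address.

    values[param][level] is what a given source configured; the effective
    value is the one from the highest-precedence level that is present."""

    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.values: Dict[str, Dict[str, object]] = {}

    def apply(self, level: str, param: str, value: object) -> None:
        if level not in PRECEDENCE:
            raise ValueError(f"unknown precedence level {level!r}")
        if level == "nim" and param not in NIM_SUPPORTED:
            raise ValueError(f"NIM cannot assign {param!r}")
        self.values.setdefault(param, {})[level] = value

    def remove(self, level: str, param: str) -> None:
        """Withdrawing a value exposes whatever the next level down configured."""
        self.values.get(param, {}).pop(level, None)

    def effective(self, param: str) -> Tuple[Optional[str], Optional[object]]:
        """Return (winning level, value) for param, or (None, None) if unset."""
        per_level = self.values.get(param, {})
        for level in PRECEDENCE:
            if level in per_level:
                return level, per_level[level]
        return None, None


def quarantine_walkthrough() -> list:
    """Trace the scenario the text describes: static, RADIUS and NIM values for
    the untagged VLAN, then withdrawal of the NIM action."""
    client = ClientProfile("00-11-22-33-44-55")          # constructed MAC
    trace = []
    client.apply("local", "untagged-vlan", 10)           # static port config
    trace.append(client.effective("untagged-vlan"))
    client.apply("radius-web-mac", "untagged-vlan", 30)  # Web/MAC auth result
    client.apply("radius-802.1x", "untagged-vlan", 20)   # 802.1X auth result
    trace.append(client.effective("untagged-vlan"))      # 802.1X beats Web/MAC
    client.apply("nim", "untagged-vlan", 999)            # NIM quarantine action
    trace.append(client.effective("untagged-vlan"))
    client.remove("nim", "untagged-vlan")                # NIM action removed
    trace.append(client.effective("untagged-vlan"))      # back to the RADIUS value
    return trace
```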
For information about how to configure RADIUS-assigned and locally configured authentication settings, refer to:
• RADIUS-assigned 802.1X authentication: “Configuring Port-Based and User-Based Access Control (802.1X)” chapter of the Access Security Guide
• RADIUS-assigned Web or MAC authentication: “Web and MAC Authentication” chapter of the Access Security Guide
• RADIUS-assigned CoS: “Configuring RADIUS Server Support for Switch Services” chapter of the Access Security Guide
• Statically (local) configured: “Configuring Username and Password Security” chapter of the Access Security Guide
2
Configuring Username and Password Security
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Saving Security Credentials in a Config File . . . . . . . . . . . . . . . . . . . . . . 2-10
Benefits of Saving Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Enabling the Storage and Display of Security Credentials . . . . . . . . 2-11
Security Settings that Can Be Saved . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Local Manager and Operator Passwords . . . . . . . . . . . . . . . . . . . . . . . 2-12
Password Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
SNMP Security Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
802.1X Port-Access Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
TACACS+ Encryption Key Authentication . . . . . . . . . . . . . . . . . . . . . 2-15
RADIUS Shared-Secret Key Authentication . . . . . . . . . . . . . . . . . . . . 2-16
SSH Client Public-Key Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23
Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Clear Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Reset Button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
Restoring the Factory Default Configuration . . . . . . . . . . . . . . . . 2-25
Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel . . . 2-29
Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation . . . 2-30
Changing the Operation of the Reset+Clear Combination . . . . . 2-31
Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Disabling or Re-Enabling the Password Recovery Process . . . . 2-32
Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
Overview
Feature                     Default   Menu       CLI        Web
Set Usernames               none      -          -          page 2-9
Set a Password              none      page 2-6   page 2-8   page 2-9
Delete Password Protection  n/a       page 2-7   page 2-8   page 2-9
show front-panel-security   n/a       -          page 1-13  -
front-panel-security        -         -          page 1-13  -
password-clear              enabled   -          page 1-13  -
reset-on-clear              disabled  -          page 1-14  -
factory-reset               enabled   -          page 1-15  -
password-recovery           enabled   -          page 1-15  -
Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels.
Notes: Usernames are optional. Also, in the menu interface, you can configure passwords, but not usernames. To configure usernames, use the CLI or the web browser interface.
Level       Actions Permitted
Manager:    Access to all console interface areas.
            This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Operator:   Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities. On the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available.
*Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the Manager password.
To configure password security:
1. Set a Manager password pair (and an Operator password pair, if applicable for your system).
2. Exit from the current console session. A Manager password pair will now be needed for full access to the console.
If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the Manager and Operator levels, the level of access to the console interface will be determined by which password is entered in response to the prompt.
If you set a Manager password, you may also want to configure an inactivity timer. This causes the console session to end after the specified period of inactivity, thus giving you added security against unauthorized console access. You can use either of the following to set the inactivity timer:
• Menu Interface: System Information screen (select “2. Switch Configuration”).
• CLI: Use the console inactivity-timer < 0 | 1 | 5 | 10 | 15 | 20 | 30 | 60 | 120 > command.
Notes: The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface.
If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
If the switch has a password for both the Manager and Operator levels, and neither is entered correctly in response to the switch’s password prompt, then the switch does not allow management access for that session.
Passwords are case-sensitive.
When configuring an operator or manager password, a message will appear indicating that (USB) autorun has been disabled. For more information on the autorun feature, refer to Appendix A, “File Transfers”, in the Management and Configuration Guide for your switch.
Caution: If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the web browser interface can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator password enables full manager privileges.
The rest of this chapter covers how to:
• Set passwords
• Delete passwords
• Recover from a lost password
• Maintain front-panel security
Configuring Local Password Security
Menu: Setting Passwords
As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface.
1. From the Main Menu select:
3. Console Passwords
Figure 2-1. The Set Password Screen
2. To set a new password:
   a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password.
   b. Type a password of up to 16 ASCII characters with no spaces and press [Enter]. (Remember that passwords are case-sensitive.)
   c. When prompted with Enter new password again, retype the new password and press [Enter].
After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt you for the username, and then the password.)
To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator).
If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
If you do not have physical access to the switch, you will need Manager-Level access:
1. Enter the console at the Manager level.
2. Go to the Set Passwords screen as described above.
3. Select Delete Password Protection. You will then see the following prompt:
Continue Deletion of password protection? No
4. Press the Space bar to select Yes, then press [Enter].
5. Press [Enter] to clear the Password Protection message.
To Recover from a Lost Manager Password: If you cannot start a console session at the Manager level because of a lost Manager password, you can clear the password by getting physical access to the switch and pressing and holding the Clear button for a minimum of one second. This action deletes all passwords and usernames (Manager and Operator) used by both the console and the web browser interface.
CLI: Setting Passwords and Usernames
Commands Used in This Section
password: See below.
Configuring Manager and Operator Passwords.
Note: The password command has changed. You can now configure manager and operator passwords in one step. See “Saving Security Credentials in a Config File” on page 2-10 of this guide.
Syntax: [ no ] password <manager | operator | all | port-access> [ user-name ASCII-STR ] [<plaintext | sha1> ASCII-STR]
• Password entries appear as asterisks.
• You must type the password entry twice.
Figure 2-2. Example of Configuring Manager and Operator Passwords
To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:
Press [Y] (for yes) and press [Enter].
Figure 2-3. Removing a Password and Associated Username from the Switch
The effect of executing the command in figure 2-3 is to remove password protection from the Operator level. (This means that anyone who can access the switch console can gain Operator access without having to enter a username or password.)
If you want to remove both operator and manager password protection, use the no password all command.
Web: Setting Passwords and Usernames
In the web browser interface you can enter passwords and (optional) usernames.
To Configure (or Remove) Usernames and Passwords in the Web Browser Interface.
1. Click on the Security tab. Click on [Device Passwords].
2. Do one of the following:
   • To set username and password protection, enter the usernames and passwords you want in the appropriate fields.
   • To remove username and password protection, leave the fields blank.
3. Implement the usernames and passwords by clicking on [Apply Changes].
Saving Security Credentials in a Config File
You can store and view the following security settings in the running-config file associated with the current software image by entering the include- credentials command (formerly this information was stored only in internal flash memory):
• Local manager and operator passwords and (optional) user names that control access to a management session on the switch through the CLI, menu interface, or web browser interface
• SNMP security credentials used by network management stations to access a switch, including authentication and privacy passwords
• Port-access passwords and usernames used as 802.1X authentication credentials for access to the switch
• TACACS+ encryption keys used to encrypt packets and secure authentication sessions with TACACS+ servers
• RADIUS shared secret (encryption) keys used to encrypt packets and secure authentication sessions with RADIUS servers
• Secure Shell (SSH) public keys used to authenticate SSH clients that try to connect to the switch.
Benefits of Saving Security Credentials
The benefits of including and saving security credentials in a configuration file are as follows:
• After making changes to security parameters in the running configuration, you can experiment with the new configuration and, if necessary, view the new security settings during the session. After verifying the configuration, you can then save it permanently by writing the settings to the startup-config file.
• By permanently saving a switch’s security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the ProCurve switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.
• By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
For more information about how to experiment with, upload, download, and use configuration files with different software versions, refer to the following:
• “Switch Memory and Configuration” on page 6-1 in the Management and Configuration Guide
• “Configuring Local Password Security” on page 2-6 in this guide.
Enabling the Storage and Display of Security Credentials
To enable the security settings, enter the include-credentials command.
Syntax: [no] include-credentials
Enables the inclusion and display of the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public-keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.)
To view the currently configured security settings in the running configuration, enter one of the following commands:
• show running-config: Displays the configuration settings in the current running-config file.
• write terminal: Displays the configuration settings in the current running-config file.
For more information, refer to “Switch Memory and Configuration” on page 6-1 in the Management and Configuration Guide.
The “no” form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration.
Default: The security credentials described in “Security Settings that Can Be Saved” on page 2-12 are not stored in the running configuration.
Security Settings that Can Be Saved
The security settings that can be saved to a configuration file are:
• Local manager and operator passwords and user names
• SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings
• 802.1X port-access passwords and usernames
• TACACS+ encryption keys
• RADIUS shared secret (encryption) keys
• Public keys of SSH-enabled management stations that are used by the switch to authenticate SSH clients that try to connect to the switch
Local Manager and Operator Passwords
The information saved to the running-config file when the include-credentials command is entered includes:
password manager [user-name <name>] <hash-type> <pass-hash>
password operator [user-name <name>] <hash-type> <pass-hash>
where <name> is an alphanumeric string for the user name assigned to the manager or operator, <hash-type> indicates the type of hash algorithm used (SHA-1 or plain text), and <pass-hash> is the SHA-1 hash of the password or the password in clear ASCII text.
For example, a manager username and password may be stored in a running-config file as follows:
password manager user-name George SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
Use the write memory command to save the password configurations in the startup-config file. The passwords take effect when the switch boots with the software version associated with that configuration file.
Caution: If a startup configuration file includes other security credentials, but does not contain a manager or operator password, the switch will not have password protection and can be accessed through Telnet, the serial port, or web interface with full manager privileges.
Password Command Options
The password command has the following options:
Syntax: [no] password <manager | operator | port-access> [user-name <name>] <hash-type> <password>
Set or clear a local username/password for a given access level.
manager: configures access to the switch with manager-level privileges.
operator: configures access to the switch with operator-level privileges.
port-access: configures access to the switch through 802.1X authentication with operator-level privileges.
user-name <name>: the optional text string of the user name associated with the password.
<hash-type>: specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1.
<password>: the clear ASCII text string or SHA-1 hash of the password.
You can enter a manager, operator, or 802.1X port-access password in clear ASCII text or hashed format. However, manager and operator passwords are displayed and saved in a configuration file only in hashed format; port-access passwords are displayed and saved only as plain ASCII text.
After you enter the complete command syntax, the password is set. You are not prompted to enter the password a second time.
This command enhancement allows you to configure manager, operator, and 802.1X port-access passwords in only one step (instead of entering the password command and then being prompted twice to enter the actual password).
• For more information about configuring local manager and operator passwords, refer to “Configuring Username and Password Security” on page 2-1 in this guide.
• For more information about configuring a port-access password for 802.1X client authentication, see “802.1X Port-Access Credentials” on page 2-14 in this guide.
SNMP Security Credentials
SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command.
In addition, the following SNMPv3 security parameters are also saved:
snmpv3 user "<name>" [auth <md5 | sha> "<auth-pass>"] [priv "<priv-pass>"]
where:
• <name> is the name of an SNMPv3 management station.
• [auth <md5 | sha>] is the (optional) authentication method used for the management station.
• <auth-pass> is the hashed authentication password used with the configured authentication method.
• [priv <priv-pass>] is the (optional) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station.
The following example shows the additional security credentials for SNMPv3 users that can be saved in a running-config file:
snmpv3 user boris \
auth md5 "9e4cfef901f21cf9d21079debeca453" \
priv "82ca4dc99e782db1a1e914f5d8f16824"
snmpv3 user alan \
auth sha "8db06202b8f293e9bc0c00ac98cf91099708ecdf" \
priv "5bc4313e9fd7c2953aaea9406764fe8bb629a538"
Figure 2-4. Example of Security Credentials Saved in the Running-Config
Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in hashed format, as shown in the preceding example.
802.1X Port-Access Credentials
802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch.
802.1X supplicant credentials are used by the switch to establish a point-to-point connection to a port on another 802.1X-aware switch. Only 802.1X authenticator credentials are stored in a configuration file. For information about how to use 802.1X on the switch both as an authenticator and a supplicant, see “Configuring Port-Based and Client-Based Access Control (802.1X)” in this guide.
The local password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command (password port-access) is introduced to configure the local operator username and password used as 802.1X authentication credentials for access to the switch.
The password port-access values are now configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password command syntax, see “Password Command Options” on page 2-13.
After you enter the complete password port-access command syntax, the password is set. You are not prompted to enter the password a second time.
TACACS+ Encryption Key Authentication
You can use TACACS+ servers to authenticate users who request access to a switch through Telnet (remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of:
• Remote passwords assigned in a TACACS+ server
• Local manager and operator passwords configured on the switch.
When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.
For improved security, you can configure a global or server-specific encryption key that encrypts data in TACACS+ packets transmitted between a switch and a TACACS+ server during authentication sessions. The key configured on the switch must match the encryption key configured in each TACACS+ server application. (The encryption key is sometimes referred to as the “shared secret” or “secret” key.) For more information, see “TACACS+ Authentication” on page 4-1 in this guide.
TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command:
ProCurve(config)# tacacs-server key <keystring>
The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server.
RADIUS Shared-Secret Key Authentication
You can use RADIUS servers as the primary authentication method for users who request access to a switch through Telnet, SSH, Web interface, console, or port-access (802.1X). The shared secret key is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS server during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network. For more information, refer to “3. Configure the Switch To Access a RADIUS Server” on page 5-14 in this guide.
RADIUS shared secret (encryption) keys can be saved in a configuration file by entering this command:
ProCurve(config)# radius-server key <keystring>
The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific RADIUS server.
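As an added example (not ProCurve code) covering the password command storage format in “Password Command Options” together with the tacacs-server key and radius-server key lines above, the following Python audits an include-credentials running-config for the conditions this chapter calls out: the Caution about a config that carries credentials but no manager password, the hashed-only storage of manager and operator passwords, and the clear-text storage of port-access passwords and shared secrets. The sample configs and the EXAMPLE-* values are constructed, and the SHA1 form is assumed to be 40 hex digits.

```python
"""Added example (not ProCurve code): audit the credential lines that
include-credentials writes into a running-config, using the storage rules this
chapter states. Both sample configs are constructed; the SHA1 value for George
is the one shown in the chapter, the other values are placeholders."""
import re
from typing import Dict, List, Tuple

# password <manager|operator|port-access> [user-name <name>] <hash-type> <password>
PASSWORD_RE = re.compile(
    r"^password (manager|operator|port-access)(?: user-name (\S+))? (\S+) (\S+)$")
# tacacs-server key <keystring> and radius-server key <keystring> are clear text
SERVER_KEY_RE = re.compile(r"^(tacacs|radius)-server key (\S+)$")
SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")   # assumed form of a stored SHA1 hash
SEVERITY = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}


def parse_passwords(text: str) -> List[Dict[str, str]]:
    """Return one record per password line found in the config text."""
    records = []
    for line in text.splitlines():
        m = PASSWORD_RE.match(line.strip())
        if m:
            records.append({"level": m.group(1), "user": m.group(2) or "",
                            "hash_type": m.group(3), "value": m.group(4)})
    return records


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, most severe first."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    if "include-credentials" not in lines:
        return [("INFO", "include-credentials not set; credentials are in internal flash only")]
    by_level = {r["level"]: r for r in parse_passwords(text)}
    # Caution in the text: a config with other credentials but no manager
    # password leaves the switch without password protection, and an
    # operator-only password grants full manager privileges.
    if "manager" not in by_level:
        findings.append(("CRITICAL", "no manager password: management access is unprotected"))
        if "operator" in by_level:
            findings.append(("CRITICAL", "operator password alone grants full manager privileges"))
    for level in ("manager", "operator"):
        rec = by_level.get(level)
        hashed = rec and rec["hash_type"].lower() in ("sha1", "sha-1") and SHA1_HEX.match(rec["value"])
        if rec and not hashed:
            findings.append(("HIGH", f"{level} password is not stored as a SHA1 hash"))
    if "port-access" in by_level:   # port-access passwords are saved only as plain text
        findings.append(("MEDIUM", "802.1X port-access password is in clear text; restrict access to this file"))
    for line in lines:
        m = SERVER_KEY_RE.match(line)
        if m:
            findings.append(("MEDIUM", f"{m.group(1)} shared secret is in clear text"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


# Constructed sample: complete credential set, as the chapter describes it.
SAMPLE_OK = """\
include-credentials
password manager user-name George SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
password operator SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
password port-access user-name dot1xuser plaintext EXAMPLE-PORT-ACCESS-PASSWORD
tacacs-server key EXAMPLE-TACACS-KEY
radius-server key EXAMPLE-RADIUS-KEY
"""

# Constructed sample: the case the Caution warns about (no manager password).
SAMPLE_NO_MANAGER = """\
include-credentials
password operator user-name guest SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
radius-server key EXAMPLE-RADIUS-KEY
"""
```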
SSH Client Public-Key Authentication
Secure Shell version 2 (SSHv2) is used by ProCurve switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet-like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions. SSH client public-key authentication is one of the types of authentication used.
Client public-key authentication uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a public key stored on the switch can gain access at the manager or operator level. For more information about how to configure and use SSH public keys to authenticate SSH clients that try to connect to the switch, refer to “Configuring Secure Shell (SSH)” on page 6-1 in this guide.
The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public-key.
Syntax: ip ssh public-key <manager | operator> keystring
Set a key for public-key authentication.
manager: allows manager-level access using SSH public-key authentication.
operator: allows operator-level access using SSH public-key authentication.
keystring: a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes ('keystring'). The following restrictions for a keystring apply:
• A keystring cannot contain both single and double quotes.
• A keystring cannot have extra characters, such as a blank space or a new line. However, to improve readability, you can add a backslash at the end of each line.
Note: The ip ssh public-key command allows you to configure only one SSH client public-key at a time. The ip ssh public-key command behavior includes an implicit append that never overwrites existing public-key configurations on a running switch.
If you download a software configuration file that contains SSH client public-key configurations, the downloaded public-keys overwrite any existing keys, as happens with any other configured values.
To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public-key, that are stored in a configuration file:
...
include-credentials
ip ssh public-key manager "ssh-dss \
AAAAB3NzaC1kc3MAAACBAPwJHSJmTRtpZ9BUNC+ZrsxhMuZEXQhaDME1vc/ \
EvYnTKxQ31bWvr/bT7W58NX/YJ1ZKTV2GZ2QJCicUUZVWjNFJCsa0v03XS4 \
BhkXjtHhz6gD701otgizUOO6/Xzf4/J9XkJHkOCnbHIqtB1sbRYBTxj3NzA \
K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP \
pv2scqPPXQghgaTkdPwGGtdFW/+K4xRskAnIaxuG0qLbnekohi+ND4TkKZd \
EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf/QV95kdNwWIbxuusBAzvfaJptd \
gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7/1kVOdS \
G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK+piG+Q1el1w9zsMaxPA1XJzSY/ \
imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6hqf/LdQ2kqZjUuIyV9 \
LWyLg5ybS1kFLeOt0oo2Jbpy+U2e4jh2Bb77sX3G5C0= spock@sfc.gov"
ip ssh public-key manager 'ssh-rsa \
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52JZP8k2F2YZXubgwRAN0R \
JRs1Eov6y1RK3XkmgVatzl+mspiEmPS4wNK7bX/IoXNdGrGkoE8tPkxlZOZ \
oqGCf5Zs50P1nkxXvAidFs55AWqOf4MhfCqvtQCe1nt6LFh4ZMig+YewgQG \
M6H1geCSLUbXXSCipdPHysakw== "TectiaClientKey [1024-bit rsa, \
nobody@testmachine, Mon Aug 15 2005 14:47:34]"'
ip ssh public-key manager "ssh-rsa \
AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \
+SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \
NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \
qPFj1zdI4sIo5bDett2d0= joe@hp.com"
...
Figure 2-5. Example of SSH Public Keys
If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to ten SSH client public-keys on a switch.
Operating Notes
Caution: When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
You are prompted by a warning message to perform a write memory operation to save the security credentials to the startup configuration. The message reminds you that if you do not save the current values of these security settings from the running configuration, they will be lost the next time you boot the switch and will revert to the values stored in the startup configuration.
When you boot a switch with a startup configuration file that contains the include-credentials command, any security credentials that are stored in internal flash memory are ignored and erased. The switch will load only the security settings in the startup configuration file.
Security settings are no longer automatically saved internally in flash memory and loaded with the startup configuration when a switch boots up. The configuration of all security credentials requires that you use the write memory command to save them in the startup configuration in order for them to not be lost when you log off. A warning message reminds you to permanently save a security setting.
After you enter the include-credentials command, the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys are saved in the running configuration.
Use the no include-credentials command to disable the display and copying of these security parameters from the running configuration (using the show running-config and copy running-config commands), without disabling the configured security settings on the switch.
After you enter the include-credentials command, you can toggle between the non-display and display of security credentials in show and copy command output by alternately entering the no include-credentials and include-credentials commands.
After you permanently save security configurations to the current startup-config file using the write memory command, you can view and manage security settings with the following commands:
show config: Displays the configuration settings in the current startup-config file.
copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.
copy config tftp: Uploads a configuration file from the switch to a TFTP server.
copy tftp config: Downloads a configuration file from a TFTP server to the switch.
copy config xmodem: Uploads a configuration file from the switch to an Xmodem host.
copy xmodem config: Downloads a configuration file from an Xmodem host to the switch.
For more information, see “Transferring Startup-Config Files To or From a Remote Server” on page 6-36 in the Management and Configuration Guide.
The switch can store up to three configuration files. Each configuration file contains its own security credentials and these security configurations may differ. It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image and that all security credentials in the file are supported.
If you have already enabled the storage of security credentials (including local manager and operator passwords) by entering the include-credentials command, the Reset-on-clear option is disabled. When you press the Clear button on the front panel, the manager and operator usernames and passwords are deleted from the running configuration. However, the switch does not reboot after the local passwords are erased. (The reset-on-clear option normally reboots the switch when you press the Clear button.)
For more information about the Reset-on-clear option and other front-panel security features, see “Configuring Front-Panel Security” on page 2-26 in this guide.
Restrictions
The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command:
The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host’s private key is only stored internally, for example, on the switch or on an SSH client device.
SNMPv3 security credentials saved to a configuration file on a switch cannot be used after downloading the file on a different switch. The SNMPv3 security parameters in the file are only supported when loaded on the same switch for which they were configured. This is because when SNMPv3 security credentials are saved to a configuration file, they are saved with the engine ID of the switch as shown here:
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
If you download a configuration file with saved SNMPv3 security credentials to a switch, the SNMPv3 engine ID value in the downloaded file must match the engine ID of the switch when the switch loads the file with the current software version; otherwise the SNMPv3 users are not configured with the authentication and privacy passwords in the file. (To display the engine ID of a switch, enter the show snmpv3 engine-id command. To configure authentication and privacy passwords for SNMPv3 users, enter the snmpv3 user command.)
If the engine ID in the saved SNMPv3 security settings in a downloaded configuration file does not match the engine ID of the switch:
The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with the privileges you want.
Only the snmpv3 user <user_name> credentials from the SNMPv3 settings in a downloaded configuration file are loaded on the switch, for example:
snmpv3 user boris
snmpv3 user alan
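The restrictions above (SNMPv3 passwords survive only when the engine ID matches, at most ten SSH client keys, and downloaded keys replacing the keys already on the switch, as noted at the start of this section) can be checked before a saved configuration is copied to a target switch. The following Python script is an added example, not part of the ProCurve guide or the switch software: it parses the credential lines in the form show config displays them (include-credentials, snmpv3 engine-id, snmpv3 user, and ip ssh public-key with backslash line continuation) and lists what would go wrong on a switch whose show snmpv3 engine-id value and current client keys are supplied by the caller. The sample configuration is constructed for the example, with the key blobs shortened; the check treats key text as opaque and does not validate the keys.

```python
import re

MAX_SSH_CLIENT_KEYS = 10  # limit stated in the guide

# Constructed sample, modelled on the guide's show config excerpt (key blobs
# shortened). Backslash-newline is the 72-column continuation the switch uses.
SAMPLE_CONFIG = """\
include-credentials
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
snmpv3 user boris
snmpv3 user alan
ip ssh public-key manager "ssh-dss \\
AAAAB3NzaC1kc3MAAACBAPwJHSJmTRtpZ9BUNC+ZrsxhMuZEXQhaDME1vc/ \\
LWyLg5ybS1kFLeOt0oo2Jbpy+U2e4jh2Bb77sX3G5C0= spock@sfc.gov"
ip ssh public-key manager 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52J \\
"TectiaClientKey [1024-bit rsa, nobody@testmachine]"'
ip ssh public-key manager "ssh-rsa AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9 joe@hp.com"
"""

ENGINE_ID_RE = re.compile(r"^snmpv3 engine-id ([0-9a-fA-F:]+)$")
SNMPV3_USER_RE = re.compile(r"^snmpv3 user (\S+)")
SSH_KEY_RE = re.compile(r"""^ip ssh public-key (manager|operator)\s+["'](.+)["']$""")


def join_continuations(text):
    """Rejoin lines the switch wrapped with a trailing backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
        else:
            lines.append(pending + line)
            pending = ""
    if pending:
        lines.append(pending)
    return lines


def key_id(key_text):
    """Whitespace-insensitive identity, so the wrapped and single-line forms
    of the same key compare equal."""
    return "".join(key_text.split())


def parse_config(text):
    """Pull out the lines the include-credentials restrictions apply to."""
    cfg = {"include_credentials": False, "engine_id": None,
           "snmpv3_users": [], "ssh_keys": []}
    for line in join_continuations(text):
        line = line.strip()
        if line == "include-credentials":
            cfg["include_credentials"] = True
        elif (m := ENGINE_ID_RE.match(line)):
            cfg["engine_id"] = m.group(1).lower()
        elif (m := SNMPV3_USER_RE.match(line)):
            cfg["snmpv3_users"].append(m.group(1))
        elif (m := SSH_KEY_RE.match(line)):
            cfg["ssh_keys"].append((m.group(1), key_id(m.group(2))))
    return cfg


def preflight(config_text, target_engine_id, keys_on_target=()):
    """Problems to resolve before copying config_text to the switch whose
    'show snmpv3 engine-id' output is target_engine_id. keys_on_target are
    the SSH client keys currently configured on that switch."""
    cfg = parse_config(config_text)
    problems = []
    if not cfg["include_credentials"]:
        return problems  # file carries no security credentials
    if cfg["snmpv3_users"] and cfg["engine_id"] != target_engine_id.lower():
        problems.append(
            "snmpv3 engine-id %s does not match target %s: users %s will be "
            "created without authentication/privacy passwords; set them with "
            "'snmpv3 user' after loading"
            % (cfg["engine_id"], target_engine_id, ", ".join(cfg["snmpv3_users"])))
    if len(cfg["ssh_keys"]) > MAX_SSH_CLIENT_KEYS:
        problems.append("file has %d SSH client public keys; the switch stores "
                        "at most %d" % (len(cfg["ssh_keys"]), MAX_SSH_CLIENT_KEYS))
    if cfg["ssh_keys"]:
        # Downloaded keys replace the keys already on the switch.
        new = {k for _, k in cfg["ssh_keys"]}
        lost = {key_id(k) for k in keys_on_target} - new
        if lost:
            problems.append("%d SSH client key(s) on the target are not in the "
                            "file and will be overwritten" % len(lost))
    return problems


if __name__ == "__main__":
    # Deliberately mismatched engine ID to show the SNMPv3 warning.
    for p in preflight(SAMPLE_CONFIG, "00:00:00:0b:00:00:08:00:09:01:10:02"):
        print("WARNING:", p)
```

Run it as a script to see the engine-ID warning for a deliberately mismatched target, or import preflight and give it the file you are about to send with copy tftp config together with the target's engine ID and its current key list.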
You can store 802.1X authenticator (port-access) credentials in a configuration file. However, 802.1X supplicant credentials cannot be stored.
The local operator password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command (password port-access) is introduced to configure the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command.
Note that the password port-access values are configured separately from the local operator username and password configured with the password operator command and used for management access to the switch. For more information about how to use the password port-access command to configure operator passwords and usernames for 802.1X authentication, see “Do These Steps Before You Configure 802.1X Operation” on page 9-15 in this guide.
Front-Panel Security
The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together). The ability to disable Password Recovery is also provided for situations which require a higher level of switch security.
The front-panel security features are designed to prevent malicious users from:
• Resetting the password(s) by pressing the Clear button
• Restoring the factory default configuration by using the Reset+Clear button combination
• Gaining management access to the switch by having physical access to the switch itself
When Security Is Important
Some customers require a high level of security for information. Also, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure.
It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key. For some customers this is no longer true. Others simply want the added assurance that even if someone did manage to get to the switch that data would still remain secure.
If you do not invoke front-panel security on the switch, user-defined passwords can be deleted by pushing the Clear button on the front panel. This function exists so that if customers forget the defined passwords they can still get back into the switch and reset the passwords. This does, however, leave the switch vulnerable when it is located in an area where non-authorized people have access to it. Passwords could easily be cleared by pressing the Clear button. Someone who has physical access to the switch may be able to erase the passwords (and possibly configure new passwords) and take control of the switch.
As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch.
Front-Panel Button Functions
The front panel of the switch includes the Reset button and the Clear button.
Clear Button
Pressing the Clear button alone for one second resets the password(s) configured on the switch.
Figure 2-6. Press the Clear Button for One Second To Reset the Password(s)
Reset Button
Pressing the Reset button alone for one second causes the switch to reboot.
Figure 2-7. Press and hold the Reset Button for One Second To Reboot the Switch
Restoring the Factory Default Configuration
You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch. To do this:
1. Press and hold the Reset button.
2. While holding the Reset button, press and hold the Clear button.
3. Release the Reset button.
4. When the Test LED to the right of the Clear button begins flashing, release the Clear button.
It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
Configuring Front-Panel Security
Using the front-panel-security command from the global configuration context in the CLI you can:
Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch. (This action affects the Clear button when used alone, but does not affect the operation of the Reset+Clear combination described under “Restoring the Factory Default Configuration” on page 2-25.)
Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for verifying that any usernames and passwords in the switch have been cleared.
Modify the operation of the Reset+Clear combination (page 2-25) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.)
Disable or re-enable Password Recovery.
Syntax: show front-panel-security
Displays the current front-panel-security settings:
Clear Password: Shows the status of the Clear button on the front panel of the switch. Enabled means that pressing the Clear button erases the local usernames and passwords configured on the switch (and thus removes local password protection from the switch). Disabled means that pressing the Clear button does not remove the local usernames and passwords configured on the switch. (Default: Enabled.)
Reset-on-clear: Shows the status of the reset-on-clear option (Enabled or Disabled). When reset-on-clear is disabled and Clear Password is enabled, then pressing the Clear button erases the local usernames and passwords from the switch. When reset-on-clear is enabled, pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch. (Enabling reset-on-clear automatically enables clear-password.) (Default: Disabled.)
Note: If you have stored security credentials (including the local manager and operator usernames and passwords) to the running config file by entering the include-credentials command, the Reset-on-clear option is ignored. If you press the Clear button on the front panel, the manager and operator usernames and passwords are deleted from the startup configuration file, but the switch does not reboot. For more information about storing security credentials, see “Saving Security Credentials in a Config File” on page 2-10 in this guide.
Factory Reset: Shows the status of the System Reset button on the front panel of the switch. Enabled means that pressing the System Reset button reboots the switch and also enables the System Reset button to be used with the Clear button (page 2-25) to reset the switch to its factory-default configuration. (Default: Enabled.)
Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-34.) (Default: Enabled.)
CAUTION: Disabling this option removes the ability to recover a password on the switch. Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security. If you disable password-recovery and then lose the password, you will have to use the Reset and Clear buttons (page 2-25) to reset the switch to its factory-default configuration and create a new password.
For example, with the default front-panel security settings, show front-panel-security produces the output shown in Figure 2-8.
Figure 2-8. The Default Front-Panel Security Settings
Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel
Syntax: no front-panel-security password-clear
In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords.
(Default: Enabled.)
Note: Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration, as described under “Restoring the Factory Default Configuration” on page 2-25.
This command displays a Caution message in the CLI. If you want to proceed with disabling the Clear button, type [Y]; otherwise type [N]. Figure 2-9 shows the command disabling the Clear button on the switch’s front panel, followed by show front-panel-security displaying the new configuration. In this case the show output does not include the reset-on-clear status, because that option is inoperable while the Clear Password functionality is disabled and must be reconfigured whenever Clear Password is re-enabled.
Figure 2-9. Example of Disabling the Clear Button and Displaying the New Configuration
Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation
Syntax: [no] front-panel-security password-clear reset-on-clear
This command does both of the following:
• Re-enables the password-clearing function of the Clear button on the switch’s front panel.
• Specifies whether the switch reboots if the Clear button is pressed.
To re-enable password-clear, you must also specify whether to enable or disable the reset-on-clear option. Defaults:
• password-clear: Enabled.
• reset-on-clear: Disabled.
Thus:
• To enable password-clear with reset-on-clear disabled, use this syntax:
no front-panel-security password-clear reset-on-clear
• To enable password-clear with reset-on-clear also enabled, use this syntax:
front-panel-security password-clear reset-on-clear
(Either form of the command enables password-clear.)
Note: If you disable password-clear and also disable the password-recovery option, you can still recover from a lost password by using the Reset+Clear button combination at reboot as described on page 2-25. Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration. You can then get access to the switch to set a new password.
For example, suppose that password-clear is disabled and you want to restore it to its default configuration (enabled, with reset-on-clear disabled).
Figure 2-10 shows the sequence: show front-panel-security first reports password-clear disabled; the command no front-panel-security password-clear reset-on-clear then enables password-clear, with reset-on-clear left disabled by the “no” at the beginning of the command; and show front-panel-security confirms password-clear enabled with reset-on-clear disabled.
Figure 2-10. Example of Re-Enabling the Clear Button’s Default Operation
Changing the Operation of the Reset+Clear Combination
In their default configuration, using the Reset+Clear buttons in the combination described under “Restoring the Factory Default Configuration” on page 2-25 replaces the switch’s current startup-config file with the factory-default startup-config file, then reboots the switch, and removes local password protection. This means that anyone who has physical access to the switch could use this button combination to replace the switch’s current configuration with the factory-default configuration, and render the switch accessible without the need to input a username or password. You can use the factory-reset command to prevent the Reset+Clear combination from being used for this purpose.
Syntax: [no] front-panel-security factory-reset
Disables or re-enables the following functions associated with using the Reset+Clear buttons in the combination described under “Restoring the Factory Default Configuration” on page 2-25:
• Replacing the current startup-config file with the factory-default startup-config file
• Clearing any local usernames and passwords configured on the switch
(Default: Both functions enabled.)
Notes: The Reset+Clear button combination always reboots the switch, regardless of whether the “no” form of the command has been used to disable the above two functions. Also, if you disable factory-reset, you cannot disable the password-recovery option, and the reverse.
The command to disable the factory-reset operation produces a Caution message. To complete the command, press [Y]; to abort it, press [N]. Figure 2-11 shows the command being completed, followed by show front-panel-security displaying the current front-panel-security configuration with Factory Reset disabled.
Figure 2-11. Example of Disabling the Factory Reset Option
Password Recovery
The password recovery feature is enabled by default and provides a method for regaining management access to the switch (without resetting the switch to its factory default configuration) in the event that the system administrator loses the local manager username (if configured) or password. Using Password Recovery requires:
• password-recovery enabled (the default) on the switch prior to an attempt to recover from a lost username/password situation
• Contacting your ProCurve Customer Care Center to acquire a one-time-use password
Disabling or Re-Enabling the Password Recovery Process
Disabling the password recovery process means that the only method for recovering from a lost manager username (if configured) and password is to reset the switch to its factory-default configuration, which removes any non-default configuration settings.
Caution: Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch.
Syntax: [no] front-panel-security password-recovery
Enables or (using the “no” form of the command) disables the ability to recover a lost password.
When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password. When this feature is disabled, the password recovery process is disabled and the only way to regain management access to the switch is to use the Reset+Clear button combination (page 2-25) to restore the switch to its factory default configuration.
Note: To disable password-recovery:
– You must have physical access to the front panel of the switch.
– The factory-reset parameter must be enabled (the default).
(Default: Enabled.)
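The four settings above interact: reset-on-clear is only meaningful while password-clear is enabled, factory-reset and password-recovery cannot both be disabled, and include-credentials makes reset-on-clear a no-op. The following Python model is an added example, not part of the ProCurve guide or the switch software. It applies [no] front-panel-security commands with the dependencies the text states (the 60-second Clear-button window for disabling password-recovery is represented by a boolean argument) and, for a resulting state, reports what a person at the front panel could still do and which recovery paths an administrator keeps. The harden function is one reasonable choice, not a recommendation taken from the guide: it disables both buttons and keeps password-recovery, which the guide advises against disabling.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FrontPanel:
    """show front-panel-security state; defaults as stated in the guide."""
    password_clear: bool = True      # Clear button erases local usernames/passwords
    reset_on_clear: bool = False     # Clear button also reboots the switch
    factory_reset: bool = True       # Reset+Clear restores factory defaults
    password_recovery: bool = True   # one-time password from ProCurve Customer Care


def apply(state, command, clear_pressed_within_60s=False):
    """Apply one '[no] front-panel-security ...' command. Raises ValueError
    where the guide says the switch will not accept the change."""
    negate = command.startswith("no ")
    words = (command[3:] if negate else command).split()
    if words[:1] != ["front-panel-security"]:
        raise ValueError("not a front-panel-security command: %r" % command)
    opts = words[1:]
    if opts == ["password-clear"] and negate:
        # Clear button disabled; reset-on-clear becomes inoperable and must be
        # given again when password-clear is re-enabled.
        return replace(state, password_clear=False, reset_on_clear=False)
    if opts == ["password-clear", "reset-on-clear"]:
        # Either form enables password-clear; 'no' only turns reset-on-clear off.
        return replace(state, password_clear=True, reset_on_clear=not negate)
    if opts == ["factory-reset"]:
        if negate and not state.password_recovery:
            raise ValueError("factory-reset and password-recovery cannot both be disabled")
        return replace(state, factory_reset=not negate)
    if opts == ["password-recovery"]:
        if negate and not state.factory_reset:
            raise ValueError("factory-reset and password-recovery cannot both be disabled")
        if negate and not clear_pressed_within_60s:
            raise ValueError("press Clear, then enter the command within 60 seconds")
        return replace(state, password_recovery=not negate)
    raise ValueError("unsupported form: %r" % command)


def clear_button(state, include_credentials=False):
    """Effect of pressing Clear alone for one second."""
    if not state.password_clear:
        return {"passwords_cleared": False, "reboot": False}
    # With include-credentials in effect reset-on-clear is ignored: the local
    # usernames and passwords are deleted but the switch does not reboot.
    return {"passwords_cleared": True,
            "reboot": state.reset_on_clear and not include_credentials}


def reset_plus_clear(state):
    """Effect of the Reset+Clear combination; it always reboots."""
    return {"reboot": True,
            "factory_defaults_restored": state.factory_reset,
            "passwords_cleared": state.factory_reset}


def physical_access_risks(state, include_credentials=False):
    """Ways a person at the front panel can gain management access."""
    risks = []
    if clear_button(state, include_credentials)["passwords_cleared"]:
        risks.append("Clear button removes local password protection")
    if reset_plus_clear(state)["factory_defaults_restored"]:
        risks.append("Reset+Clear restores factory defaults and removes passwords")
    return risks


def recovery_paths(state):
    """How an administrator who lost the manager password can get back in."""
    paths = []
    if state.password_clear:
        paths.append("press Clear (local passwords erased, configuration kept)")
    if state.password_recovery:
        paths.append("password recovery process (one-time password from the "
                     "ProCurve Customer Care Center)")
    if state.factory_reset:
        paths.append("Reset+Clear (configuration lost)")
    return paths


def harden(state=FrontPanel()):
    """Lock both buttons; keep password-recovery (the guide advises against
    disabling it) as the remaining way back in."""
    state = apply(state, "no front-panel-security password-clear")
    return apply(state, "no front-panel-security factory-reset")


if __name__ == "__main__":
    for s in (FrontPanel(), harden()):
        print(s)
        print("  physical-access risks:", physical_access_risks(s) or "none")
        print("  recovery paths:", recovery_paths(s))
```

The model makes the trade-off explicit: the factory default leaves two button-press routes to management access, while the hardened state leaves none but depends on the Customer Care one-time password if the manager password is lost.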
Steps for Disabling Password-Recovery.
1. Set the CLI to the global configuration context.
2. Use show front-panel-security to determine whether the factory-reset parameter is enabled. If it is disabled, use the front-panel-security factory-reset command to enable it.
3. Press and release the Clear button on the front panel of the switch.
4. Within 60 seconds of pressing the Clear button, enter the following command:
no front-panel-security password-recovery
5. Do one of the following after the “CAUTION” message appears:
• If you want to complete the command, press [Y] (for “Yes”).
• If you want to abort the command, press [N] (for “No”).
Figure 2-12 shows an example of disabling the password-recovery parameter.
Figure 2-12. Example of the Steps for Disabling Password-Recovery
Password Recovery Process
If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by ProCurve.
Note: If you have disabled password-recovery, which locks out the ability to recover a manager username/password pair on the switch, then the only way to recover from a lost manager username/password pair is to use the Reset+Clear button combination described under “Restoring the Factory Default Configuration” on page 2-25. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured.
To use the password-recovery option to recover a lost password:
1. Note the switch’s base MAC address. It is shown on the label located on the upper right front corner of the switch.
2. Contact your ProCurve Customer Care Center for further assistance. Using the switch’s MAC address, the ProCurve Customer Care Center will generate and provide a “one-time use” alternate password you can use to gain management access to the switch. Once you gain access, you can configure a new, known password.
Note: The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time. Because the password algorithm is randomized based upon your switch’s MAC address, the password will change as soon as you use the “one-time-use” password provided to you by the ProCurve Customer Care Center.
3
Web and MAC Authentication
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4
Authorized and Unauthorized Client VLANs . . . . . . . . . . . . . . . . . . . . . 3-4
RADIUS-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Wireless Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 3-6
Web-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Customized Login Web Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
MAC-based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . . . . 3-14
Before You Configure Web/MAC Authentication . . . . . . . . . . . . . . . . 3-14
Configuring the RADIUS Server To Support MAC Authentication . . . . . . . . . . 3-17
Using Customized Login Web Pages for Enhanced Web Authentication . . . . 3-17
Configuring a DNS Server for Enhanced Web Authentication . . . . . 3-28
Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . 3-28
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Configuration Commands for Web Authentication . . . . . . . . . . . . . . 3-32
Show Commands for Web Authentication . . . . . . . . . . . . . . . . . . . . . . 3-39
Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . 3-45
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 3-46
Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 3-49
Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
Overview
Feature | Default | Menu | CLI | Web
Configure Web Authentication | n/a | | 3-30 |
Configure MAC Authentication | n/a | | 3-45 |
Display Web Authentication Status and Configuration | n/a | | 3-39 |
Display MAC Authentication Status and Configuration | n/a | | 3-49 |
Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access. Because neither method requires clients to run special supplicant software (unlike 802.1X authentication), both Web and MAC authentication are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Only a web browser (for Web authentication) or a MAC address (for MAC authentication) is required.
Both Web and MAC authentication methods rely on a RADIUS server to authenticate network access. This simplifies access security management by allowing you to control access from a master database in a single server. (You can use up to three RADIUS servers to provide backups in case access to the primary server fails.) It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN.
On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authentication occurs. Some traffic from the switch to an unauthorized client is supported (for example, broadcast or unknown destination packets) before authentication occurs.
Web Authentication
The Web Authentication (Web-Auth) method uses a web page login to authen­ticate users for access to the network. When a client connects to the switch and opens a web browser, the switch automatically presents a login page.
Note: A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication.
In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication. After authenticating a client, the switch grants access to the secured network. Besides a web browser, the client needs no special supplicant software. The enhanced Web Authentication (EWA) feature allows you to provide customized web pages for client login.
MAC Authentication
The MAC Authentication (MAC-Auth) method grants access to a secure network by authenticating devices for access to the network. When a device connects to the switch, either by direct link or through the network, the switch forwards the device’s MAC address to the RADIUS server for authentication. The RADIUS server uses the device MAC address as the username and password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is well-suited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points. Also, because most RADIUS servers allow for authentication to depend on the source switch and port through which the client connects to the network, you can use MAC-Auth to “lock” a particular device to a specific switch and port.
Note: 802.1X port-access and either Web authentication or MAC authentication can be configured at the same time on the same port. A maximum of 32 clients is supported on the port. (The default is one client.)
Web authentication, MAC authentication, MAC lockdown, MAC lockout, and port-security are mutually exclusive on a given port. If you configure any of these authentication methods on a port, you must disable LACP on the port.
Authorized and Unauthorized Client VLANs
Web-Auth and MAC-Auth provide a port-based solution in which a port belongs to one, untagged VLAN at a time. The switch supports up to 32 simultaneous client sessions per port. All authenticated client sessions operate in the same untagged VLAN. (If you want the switch to simultaneously support multiple client sessions in different VLANs for a network application, design your system so that clients request network access on different switch ports.)
In the default configuration, the switch blocks access to all clients that the RADIUS server does not authenticate. However, you can configure an individual port to provide limited network services and access to unauthorized clients by using an “unauthorized” VLAN for each session. The unauthorized VLAN ID assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients.
You configure access to an optional, unauthorized VLAN when you configure Web and MAC authentication on a port.
RADIUS-Based Authentication
In Web and MAC authentication, you use a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client. When a RADIUS server authenticates a client, the switch-port membership during the client’s connection is determined according to the following hierarchy:
1. A RADIUS-assigned VLAN
2. An authorized VLAN specified in the Web- or MAC-Auth configuration for the subject port.
3. A static, port-based, untagged VLAN to which the port is configured.
A RADIUS-assigned VLAN has priority over switch-port membership in any VLAN.
Wireless Clients
You can allow wireless clients to move between switch ports under Web/MAC Authentication control. Clients may move from one Web-authorized port to another or from one MAC-authorized port to another. This capability allows wireless clients to move from one access point to another without having to reauthenticate.
How Web and MAC Authentication Operate
Before gaining access to the network, a client first presents authentication credentials to the switch. The switch then verifies the credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator. Clients who fail to authenticate successfully receive no network access or limited network access as defined by the System Administrator.
Web-based Authentication
When a client connects to a Web-Auth enabled port, communication is redirected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password.
The default User Login screen is shown in Figure 3-1. You can also prepare customized web pages to use for Web-Auth login and present them to clients who try to connect to the network (see “Customized Login Web Pages” on page 3-9).
Figure 3-1. Example of Default User Login Screen
When a client connects to the switch, it sends a DHCP request to receive an IP address to connect to the network. To avoid address conflicts in a secure network, you can specify a temporary IP address pool to be used by DHCP by configuring the dhcp-addr and dhcp-lease options when you enable web authentication with the aaa port-access web-based command.
The Secure Socket Layer (SSLv3/TLSv1) feature provides remote web access to the network via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS. If you have enabled SSL on the switch, you can specify the ssl-login option when you configure web authentication so that clients who log in to specified ports are redirected to a secure login page (https://...) to enter their credentials.
The switch passes the supplied username and password to the RADIUS server for authentication and displays the following progress message:
Figure 3-2. Progress Message During Authentication
If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL value (redirect-url) when you configure web authentication.
Figure 3-3. Authentication Completed
The assigned VLAN is determined, in order of priority, as follows:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships.
3. If neither 1 nor 2, above, applies, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
4. If none of 1, 2, or 3, above, applies, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and client moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take effect at the end of the session.
A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max-requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails. The switch waits a specified amount of time (quiet-period) before processing any new authentication requests from the client.
Network administrators may assign unauthenticated clients to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients the port is blocked and no network access is available. Should another client successfully authenticate through that port any unauthenticated clients on the unauth-vid are dropped from the port.
Customized Login Web Pages
Enhanced web authentication allows you to customize the web pages used by clients to connect to the network. A customized login screen is presented to a client to enter their credentials.
By creating customized login web pages, you can improve the “look and feel” of the web authentication process to correspond more closely with your network and business needs. The default web page that is currently used and stored on the switch is shown in Figure 3-1.
Customized login web pages provide greater flexibility to:
• Identify the network that a client is trying to log into.
• Provide contact information if a client has difficulty connecting to the network.
You store customized login web pages on up to three web servers in your network. Using multiple servers provides redundancy in case access to the primary server fails.
To present customized web pages to clients who request network access, configure the IP address or host name of each web server when you enable web authentication. To prepare customized login pages, follow the procedure described in “Using Customized Login Web Pages for Enhanced Web Authentication” on page 3-17.
MAC-based Authentication
When a client connects to a MAC-Auth enabled port, traffic is blocked. The switch immediately submits the client’s MAC address (in the format specified by the addr-format) as its certification credentials to the RADIUS server for authentication.
If the client is authenticated and the maximum number of MAC addresses allowed on the port (addr-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
The assigned VLAN is determined, in order of priority, as follows:
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships.
3. If neither 1 nor 2, above, applies, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
4. If none of 1, 2, or 3, above, applies, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthentication of all clients. Also, if a client moves from one port to another and client moves have not been enabled (addr-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authenticated port take effect at the end of the session.
A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max-requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails. The switch waits a specified amount of time (quiet-period) before processing any new authentication requests from the client.
Network administrators may assign unauthenticated clients to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients the port remains in its original VLAN configuration. Should another client successfully authenticate through that port any unauthenticated clients are dropped from the port.
Terminology
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.
Authentication Server: The entity providing an authentication service to the switch. In the case of a ProCurve switch running Web/MAC-Authentication, this is a RADIUS server.
Authenticator: In ProCurve switch applications, a device such as a ProCurve switch that requires a client or device to provide the proper credentials (MAC address, or username and password) before being allowed access to the network.
CHAP: Challenge Handshake Authentication Protocol. Also known as “CHAP-RADIUS”.
Client: In this application, an end-node device such as a management station, workstation, or mobile PC linked to the switch through a point-to-point LAN link.
Enhanced web authentication (EWA): Enhanced web authentication allows you to present customized login web pages to clients who request access to the network.
Redirect URL: A System Administrator-specified web page presented to an authorized client following Web Authentication. ProCurve recommends specifying this URL when configuring Web Authentication on a switch. Refer to aaa port-access web-based [e] <port-list> [redirect-url <url>] on page 3-38.
Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan <vid> command or the Menu interface.
Unauthorized-Client VLAN: A conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. It is used to provide limited network access and services to clients who are not authenticated.
Operating Rules and Notes
• The switch supports concurrent 802.1X and either Web- or MAC-authentication operation on a port (with up to 32 clients allowed). However, concurrent operation of Web- or MAC-authentication with other types of authentication on the same port is not supported. That is, the following authentication types are mutually exclusive on a given port:
  - Web Authentication (with or without 802.1X)
  - MAC Authentication (with or without 802.1X)
  - MAC lockdown
  - MAC lockout
  - Port-Security
Order of Precedence for Port Access Management (highest to lowest):
  a. MAC lockout
  b. MAC lockdown or Port Security
  c. Port-based Access Control (802.1X) or Web Authentication or MAC Authentication
Port Access Management: When configuring a port for Web or MAC Authentication, be sure that a higher precedent port access management feature is not enabled on the port. For example, be sure that Port Security is disabled on a port before configuring the port for Web or MAC Authentication. If Port Security is enabled on the port, this misconfiguration does not allow Web or MAC Authentication to occur.
• VLANs: If your LAN does not use multiple VLANs, then you do not need to configure VLAN assignments in your RADIUS server or consider using either Authorized or Unauthorized VLANs. If your LAN does use multiple VLANs, then some of the following factors may apply to your use of Web-Auth and MAC-Auth.
  - Web-Auth and MAC-Auth operate only with port-based VLANs. Operation with protocol VLANs is not supported, and clients do not have access to protocol VLANs during Web-Auth and MAC-Auth sessions.
  - A port can belong to one, untagged VLAN during any client session. Where multiple authenticated clients may simultaneously use the same port, they must all be capable of operating on the same VLAN.
  - During an authenticated client session, the following hierarchy determines a port’s VLAN membership:
    1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
    2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
    3. If neither 1 nor 2, above, applies, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
    4. If none of 1, 2, or 3, above, applies, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
  - After an authorized client session begins on a given port, the port’s VLAN membership does not change. If other clients on the same port become authenticated with a different VLAN assignment than the first client, the port blocks access to these other clients until the first client session ends.
  - The optional “authorized” VLAN (auth-vid) and “unauthorized” VLAN (unauth-vid) you can configure for Web- or MAC-based authentication must be statically configured VLANs on the switch. Also, if you configure one or both of these options, any services you want clients in either category to access must be available on those VLANs.
  - Where a given port’s configuration includes an unauthorized client VLAN assignment, the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port. In this case, if there is a successful request for authentication from an authorized client, the switch terminates the unauthorized-client session and begins the authorized-client session.
  - When a port on the switch is configured for Web or MAC Authentication and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection.
  - When a port on the switch is configured as a Web- or MAC-based authenticator, it blocks access to a client that does not provide the proper authentication credentials. If the port configuration includes an optional, unauthorized VLAN (unauth-vid), the port is temporarily placed in the unauthorized VLAN if there are no other authorized clients currently using the port with a different VLAN assignment. If an authorized client is using the port with a different VLAN or if there is no unauthorized VLAN configured, the unauthorized client does not receive access to the network.
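The VLAN hierarchy and the multi-client rules above are easier to reason about when exercised against concrete inputs. The Python below is an added example, not ProCurve code and not anything the switch runs: PortConfig, Port, admit() and end_session() are this example's own names, and the VLAN IDs and MAC strings are constructed. It applies steps 1 through 4 to an authenticated client, honours client-limit, keeps the port's VLAN fixed while a session is active (so a second client authorized for a different VLAN is blocked until the first session ends), and gives an unauthenticated client the unauth-vid only when no authorized client holds the port in another VLAN.

```python
# Added example, not ProCurve code: a model of the per-port VLAN decision.
# PortConfig, Port, admit() and end_session() are this example's own names.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PortConfig:
    static_untagged_vid: Optional[int]   # untagged, port-based VLAN the port is configured in (None if none)
    auth_vid: Optional[int] = None       # optional "authorized" VLAN (auth-vid)
    unauth_vid: Optional[int] = None     # optional "unauthorized" VLAN (unauth-vid)
    client_limit: int = 1                # client-limit / addr-limit: default 1, maximum 32


@dataclass
class Port:
    cfg: PortConfig
    sessions: Dict[str, int] = field(default_factory=dict)  # MAC -> VLAN of its authorized session
    unauth_client: Optional[str] = None                     # MAC of the unauthenticated session, if any


def select_vlan(cfg: PortConfig, radius_vid: Optional[int]) -> Optional[int]:
    """Steps 1-3 of the hierarchy; None is step 4 (no usable VLAN, client blocked)."""
    if radius_vid is not None:           # 1. RADIUS-assigned VLAN wins
        return radius_vid
    if cfg.auth_vid is not None:         # 2. authorized VLAN from the port configuration
        return cfg.auth_vid
    return cfg.static_untagged_vid       # 3. static untagged VLAN, or None


def current_vlan(port: Port) -> Optional[int]:
    """VLAN the port is held in while authorized sessions run (all sessions share one VLAN)."""
    if port.sessions:
        return next(iter(port.sessions.values()))
    return None


def admit(port: Port, mac: str, authenticated: bool,
          radius_vid: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Outcome for one client: ('authorized', vid), ('unauthorized', unauth_vid) or ('blocked', None)."""
    if authenticated:
        vid = select_vlan(port.cfg, radius_vid)
        if vid is None:
            return ("blocked", None)     # step 4: no statically configured untagged VLAN to use
        if len(port.sessions) >= port.cfg.client_limit:
            return ("blocked", None)     # client-limit reached
        held = current_vlan(port)
        if held is not None and held != vid:
            return ("blocked", None)     # port VLAN does not change until the first session ends
        port.unauth_client = None        # a successful authentication ends the unauthorized session
        port.sessions[mac] = vid
        return ("authorized", vid)
    # RADIUS did not authenticate the client
    if port.cfg.unauth_vid is None:
        return ("blocked", None)         # no unauthorized VLAN configured: access blocked
    held = current_vlan(port)
    if held is not None and held != port.cfg.unauth_vid:
        return ("blocked", None)         # an authorized client holds the port in another VLAN
    port.unauth_client = mac
    return ("unauthorized", port.cfg.unauth_vid)


def end_session(port: Port, mac: str) -> None:
    """Logoff, reauthentication failure or link loss: the session ends and, once no
    sessions remain, the port is back in its pre-authentication state."""
    port.sessions.pop(mac, None)
    if port.unauth_client == mac:
        port.unauth_client = None
```

The model deliberately returns a tuple rather than mutating global state, so each rule can be checked in isolation; the two places where a client is refused because of another client's VLAN are the rules from the bullets above about a port's VLAN not changing during a session.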
• Web- or MAC-based authentication and LACP cannot both be enabled on the same port.
Web/MAC Authentication and LACP: Web or MAC authentication and LACP are not supported at the same time on a port. The switch automatically disables LACP on ports configured for Web or MAC authentication.
• Use the show port-access web-based commands to display session status, port-access configuration settings, and statistics for Web-Auth sessions.
• Because enhanced web authentication is configured per switch, each Web-Auth enabled port displays the customized web pages you prepare for client login. The use of customized web pages is enabled after you configure the valid IP address or host name of an EWA server.
Setup Procedure for Web/MAC Authentication
Before You Configure Web/MAC Authentication
1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, ProCurve recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
2. Determine the switch ports that you want to configure as authenticators. Note that before you configure Web- or MAC-based authentication on a port operating in an LACP trunk, you must remove the port from the trunk. (For more information, refer to “Web/MAC Authentication and LACP” on page 3-14.)
To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command.
ProCurve(config)# show port-access config

 Port Access Status Summary

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes

       Supplicant Authenticator Web Auth Mac Auth
  Port Enabled    Enabled       Enabled  Enabled
  ---- ---------- ------------- -------- --------
  1    Yes        No            No       Yes
  2    No         Yes           No       Yes
  3    No         Yes           No       No
  4    No         No            No       No
  5    No         No            No       No
  6    No         No            No       No
  7    No         No            No       No
  8    No         No            No       No
  9    No         No            No       No
  10   No         No            No       No
  11   No         No            No       No
  12   No         No            No       No
  ...

Figure 3-4. Example of show port-access config Command Output
3. Determine whether any VLAN assignments are needed for authenticated clients.
a. If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. Note that the VLAN must be statically configured on the switch.
b. If there is no RADIUS-assigned VLAN, the port can join an “Authorized VLAN” for the duration of the client session, if you choose to configure one. This must be a port-based, statically configured VLAN on the switch.
c. If there is neither a RADIUS-assigned VLAN nor an “Authorized VLAN” for an authenticated client session on a port, then the port’s VLAN membership remains unchanged during authenticated client sessions. In this case, configure the port for the VLAN in which you want it to operate during client sessions.
Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.
4. Determine whether to use the optional “Unauthorized VLAN” mode for clients that the RADIUS server does not authenticate. This VLAN must be statically configured on the switch. If you do not configure an “Unauthorized VLAN”, the switch simply blocks access to unauthenticated clients trying to use the port.
5. Determine the authentication policy you want on the RADIUS server and configure the server. Refer to the documentation provided with your RADIUS application and include the following in the policy for each client or client device:
  • The CHAP-RADIUS authentication method.
  • An encryption key
  • One of the following:
    - If you are configuring Web-based authentication, include the user name and password for each authorized client.
    - If you are configuring MAC-based authentication, enter the device MAC address in both the username and password fields of the RADIUS policy configuration for that device. Also, if you want to allow a particular device to receive authentication only through a designated port and switch, include this in your policy.
6. Determine the IP address of the RADIUS server(s) you will use to support Web- or MAC-based authentication. (For information on configuring the switch to access RADIUS servers, refer to “Configuring the Switch To Access a RADIUS Server” on page 3-28.)
7. (Optional) For enhanced web authentication, determine the IP address or host name of the web servers used to store and display customized login web pages, and the page path on the server where the HTML files (including all graphics and HTML frames) used for the login pages are stored.
  • Create the customized web pages as described in “Using Customized Login Web Pages for Enhanced Web Authentication” on page 3-17.
  • If necessary, configure the DNS server required to resolve the host name to its target IP address. For more information, see the “Diagnostic Tools” section in the Troubleshooting chapter of the Management and Configuration Guide.
Configuring the RADIUS Server To Support MAC Authentication
On the RADIUS server, configure the client device authentication in the same way that you would any other client, except:
• Configure the client device’s (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access. The switch provides eight format options:
  aabbccddeeff (the default format)
  aabbcc-ddeeff
  aa-bb-cc-dd-ee-ff
  aa:bb:cc:dd:ee:ff
  AABBCCDDEEFF
  AABBCC-DDEEFF
  AA-BB-CC-DD-EE-FF
  AA:BB:CC:DD:EE:FF
  You must enter the letters in a MAC address in lowercase.
• Note on MAC Addresses: If the device is a switch or other VLAN-capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch. Note that the switch applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (Refer to the chapter titled “Static Virtual LANs (VLANs)” in the Advanced Traffic Management Guide for your switch.)
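Because the RADIUS server denies access whenever the MAC string in its user database does not match the format the switch sends, it is worth checking the two against each other before enabling MAC-Auth on a port. The Python below is an added example, not ProCurve code: format_mac() renders a MAC address in any of the eight format options listed above (keyed by the exact strings in that list), and check_radius_entries() flags username/password pairs that the switch's request would not match. The function names, the MAC addresses and the RADIUS entries in SAMPLE_ENTRIES are all this example's own, constructed for illustration.

```python
# Added example, not ProCurve code: MAC address formatting and a RADIUS entry check.
# Function names, MAC addresses and RADIUS entries are this example's own.
import re
from typing import List, Tuple

# The eight format options, keyed by the exact strings the manual lists.
MAC_FORMATS = (
    "aabbccddeeff", "aabbcc-ddeeff", "aa-bb-cc-dd-ee-ff", "aa:bb:cc:dd:ee:ff",
    "AABBCCDDEEFF", "AABBCC-DDEEFF", "AA-BB-CC-DD-EE-FF", "AA:BB:CC:DD:EE:FF",
)
DEFAULT_FORMAT = "aabbccddeeff"   # the switch default


def canonical_mac(mac: str) -> str:
    """Strip '-', ':' and '.' separators and require 12 hex digits; returns lowercase hex."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, fmt: str = DEFAULT_FORMAT) -> str:
    """Render mac the way the switch sends it under the given addr-format option.
    Each letter in the template stands for one hex digit; '-' and ':' are copied through."""
    if fmt not in MAC_FORMATS:
        raise ValueError(f"unknown addr-format: {fmt!r}")
    digits = iter(canonical_mac(mac))
    text = "".join(ch if ch in "-:" else next(digits) for ch in fmt)
    return text.upper() if fmt.isupper() else text


def check_radius_entries(entries: List[Tuple[str, str]],
                         fmt: str = DEFAULT_FORMAT) -> List[Tuple[str, str]]:
    """Return (username, problem) for every entry the switch's request would not match:
    username and password differ, the username is not a MAC, or it is written in a
    different format than the one the switch is configured to send."""
    problems = []
    for username, password in entries:
        if username != password:
            problems.append((username, "username and password differ"))
            continue
        try:
            expected = format_mac(username, fmt)
        except ValueError:
            problems.append((username, "not a MAC address"))
            continue
        if username != expected:
            problems.append((username, f"format mismatch; switch would send {expected}"))
    return problems


# Constructed RADIUS user entries (username, password) as a server might hold them.
SAMPLE_ENTRIES = [
    ("001b2c3d4e5f", "001b2c3d4e5f"),            # matches the default format
    ("00-1b-2c-3d-4e-5f", "00-1b-2c-3d-4e-5f"),  # wrong format for the default setting
    ("printer1", "printer1"),                    # a Web-Auth style user name, not a MAC
    ("001b2c3d4e60", "secret"),                  # password must equal the MAC
]
```

Run check_radius_entries() against an export of the server's MAC-Auth users with the addr-format the switch is actually configured for; every entry it reports is a device that will be denied for a reason unrelated to policy.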
Using Customized Login Web Pages for Enhanced Web Authentication
You can use up to three web servers in your network to store and display customized web pages for enhanced web-authentication (EWA) login.
To configure the switch to access a web server, specify the server’s IP address or host name (using the aaa port-access web-based ewa-server command) when you enable web authentication.
To configure a web server on your network, follow the instructions in the documentation provided with the server.
This section describes how to use HTML skeleton pages as a basis to create customized login web pages for web authentication on your ProCurve switches.
When you customize an HTML skeleton file, follow these guidelines:
• Store all customized login web pages (including all graphics, and HTML frames) that you create for client login on each web server at the page path you configure with the aaa port-access web-based ewa-server command.
• Do not change the name of each HTML file (index.html, accept.html, and so on).
• Do not change any of the HTML source code that appears in bold in the skeleton pages in this section.
• Insert the prefix /EWA/ before any reference to a graphic, HTML frame, or HTML file; for example, /EWA/loginprocess and /EWA/index.html.
• HTML skeleton pages use Embedded Switch Includes (ESIs) or Active Server Pages. ESIs behave as follows:
  i. A client’s web browser sends a request for an HTML file. The switch passes the request to a configured EWA web server.
  ii. The web server responds by sending a customized HTML page to the switch. Each ESI call in the HTML page is replaced with the value (in plain text) retrieved by the call.
  iii. The switch sends the final version of the HTML page to the client’s web browser.
The HTML skeleton pages that you can customize are as follows:
  index.html
  accept.html
  authen.html
  loginprocess.html
  reject_unauthvlan.html
  sslredirect.html
  statusprocess.html
  rejectnovlan.html
  timeout.html
  retry_login.html
Filename: index.html
The index.html file is the first login page displayed, in which a client requesting access to the network enters a username and password. In the index.html skeleton file, you can customize any part of the source code except for the lines that appear in bold. The lines in bold specify the form that processes the username and password entered by a client.
<html>
<head>
<title>EWA User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<h1><font face="Verdana, Arial, Helvetica, sans-serif">EWA User Login</font></h1>
<p><font face="Verdana, Arial, Helvetica, sans-serif">In order to access this network, you must first log in.</font></p>
<!-- method=POST required to prevent the browser caching the URL with password -->
<form name="login" action="/EWA/loginprocess" method="post">
  <table width="31%" border="1" bordercolor="#FFFFFF">
    <tr>
      <td height="36" width="15%">
        <font face="Verdana, Arial, Helvetica, sans-serif">Username:</font></td>
      <td height="36" width="85%">
        <input type="text" name="user" size="25" maxlength="40">
      </td>
    </tr>
    <tr>
      <td width="15%" height="31">
        <font face="Verdana, Arial, Helvetica, sans-serif">Password:</font></td>
      <td width="85%" height="31">
        <input type="password" name="pass" size="25" maxlength="40">
      </td>
    </tr>
  </table>
  <p>
    <input type="submit" name="Submit" value="Submit">
  </p>
</form>
</body>
</html>
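A customized index.html must keep the login form as the fixed lines above specify and prefix every graphic or file reference with /EWA/. The following Python check is an added example, not part of the manual and not switch code: check_index_html() parses a page with the standard-library HTMLParser and reports a form that does not post to /EWA/loginprocess, a missing user or pass field, or a relative reference without the /EWA/ prefix. SAMPLE_INDEX is a constructed, trimmed copy of the skeleton, and treating absolute (http://, mailto:) references as exempt from the prefix rule is this example's own assumption.

```python
# Added example, not ProCurve code: a lint for a customized index.html.
# check_index_html(), needs_ewa_prefix() and SAMPLE_INDEX are this example's own.
from html.parser import HTMLParser
from typing import List

# (tag, attribute) pairs that reference a graphic, frame or file
REF_ATTRS = {("img", "src"), ("a", "href"), ("link", "href"), ("script", "src"),
             ("frame", "src"), ("iframe", "src")}


def needs_ewa_prefix(ref: str) -> bool:
    """Relative references must start with /EWA/; absolute URLs and mailto: links
    are treated as exempt (this example's assumption)."""
    return "://" not in ref and not ref.startswith("mailto:") and not ref.startswith("/EWA/")


class _SkeletonScan(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.forms = []        # (action, method) per <form>
        self.inputs = []       # (form index, name, type) per <input> inside a form
        self.bad_refs = []     # references missing the /EWA/ prefix
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append((a.get("action", ""), (a.get("method") or "get").lower()))
            self._in_form = True
        elif tag == "input" and self._in_form:
            self.inputs.append((len(self.forms) - 1, a.get("name"), (a.get("type") or "text").lower()))
        for ref_tag, attr in REF_ATTRS:
            if tag == ref_tag and a.get(attr) and needs_ewa_prefix(a[attr]):
                self.bad_refs.append(a[attr])

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def check_index_html(source: str) -> List[str]:
    """Return the problems found; an empty list means the fixed parts of the skeleton are intact."""
    scan = _SkeletonScan()
    scan.feed(source)
    problems = []
    login = [i for i, (action, _) in enumerate(scan.forms) if action == "/EWA/loginprocess"]
    if not login:
        problems.append('no <form> with action="/EWA/loginprocess"')
    else:
        idx = login[0]
        if scan.forms[idx][1] != "post":
            problems.append('login form must use method="post" (a GET would put the password in the URL)')
        fields = {name: typ for f, name, typ in scan.inputs if f == idx}
        if fields.get("user") != "text":
            problems.append('login form needs <input type="text" name="user">')
        if fields.get("pass") != "password":
            problems.append('login form needs <input type="password" name="pass">')
    problems.extend(f"reference without /EWA/ prefix: {ref}" for ref in scan.bad_refs)
    return problems


# Constructed, trimmed copy of the index.html skeleton with one graphic added.
SAMPLE_INDEX = """<html><head><title>EWA User Login</title></head><body>
<h1>EWA User Login</h1><img src="/EWA/logo.gif">
<form name="login" action="/EWA/loginprocess" method="post">
<input type="text" name="user" size="25" maxlength="40">
<input type="password" name="pass" size="25" maxlength="40">
<input type="submit" name="Submit" value="Submit">
</form></body></html>"""
```

The method check matters for the reason the skeleton's own comment gives: with a GET form the browser would cache a URL containing the password.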
Filename: accept.html
The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted.
The client device is then granted access to the network. To configure the VLAN used by authorized clients, specify a VLAN ID with the authid parameter (see page 3-35).
The accept.html file contains the following ESIs:
• The WAUTHREDIRECTTIMEGET ESI inserts the value for the waiting time used by the switch to redirect an authenticated client while the client renews its IP address and gains access to the network.
• The WAUTHREDIRECTURLGET ESI inserts the URL configured with the redirect-url parameter (see page 3-38) to redirect a client login or the first web page requested by the client.
Filename: accept.html
<html>
<head>
<title>EWA User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="refresh" content="<!-- ESI(WAUTHREDIRECTTIMEGET, 1) -->;URL=<!-- ESI(WAUTHREDIRECTURLGET, 1) -->">
<SCRIPT>
var interval = "";
var i = <!-- ESI(WAUTHREDIRECTTIMEGET, 1) -->;
function startcountdown()
{
  interval = window.setInterval("tick()", 1000);
}
function stopcountdown()
{
  window.clearInterval(interval);
  interval = "";
}
function tick()
{
  document.countdown.display.value = i--;
  if (i == -1) {
    stopcountdown();
  }
}
</SCRIPT>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<h1><font face="Verdana, Arial, Helvetica, sans-serif">EWA Access Granted</font></h1>
<p><font face="Verdana, Arial, Helvetica, sans-serif">You have been authenticated. Please wait while network connection refreshes itself.</font></p>
<form name="countdown">
  <p><font face="Arial, Helvetica, sans-serif">Time (sec) Remaining: </font>
  <input type="text" name="display" value=""></p>
</form>
<script>startcountdown();</script>
</body>
</html>
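To see what the ESI step described earlier produces for accept.html, here is an added Python example (not ProCurve code) that expands the ESI calls in a skeleton offline and reads back the resulting meta refresh. ESI_CALL matches the <!-- ESI(NAME, 1) --> form used in these pages; KNOWN_ESIS lists the ESI names this chapter documents; ACCEPT_SKELETON, the refresh time and the redirect URL in SAMPLE_VALUES are constructed. Refusing values that contain quote or angle-bracket characters is a defensive choice of this example rather than documented switch behaviour, since the manual says the value is inserted as plain text.

```python
# Added example, not ProCurve code: offline expansion of the ESI calls in a skeleton page.
# ESI_CALL, KNOWN_ESIS, expand_esis(), parse_meta_refresh() and ACCEPT_SKELETON are this example's own.
import re
from typing import Dict, List, Tuple

# Matches <!-- ESI(NAME, 1) --> (the dash count is tolerated) and captures the ESI name.
ESI_CALL = re.compile(r"<!-+\s*ESI\(\s*(\w+)\s*,\s*(\d+)\s*\)\s*-+>")

# ESI names this chapter documents for the login pages.
KNOWN_ESIS = {"WAUTHREDIRECTTIMEGET", "WAUTHREDIRECTURLGET",
              "WAUTHRETRIESLEFTGET", "WAUTHSTATUSPROC"}

META_REFRESH = re.compile(r'<meta\s+http-equiv="refresh"\s+content="(\d+);URL=([^"]*)"', re.I)


def find_esi_calls(page: str) -> List[str]:
    """ESI names in the order they appear (duplicates kept)."""
    return [m.group(1) for m in ESI_CALL.finditer(page)]


def expand_esis(page: str, values: Dict[str, object]) -> str:
    """Replace every ESI call with its value as plain text, as the switch does.
    Unknown or missing names raise. Refusing values that contain '"', '<' or '>' is this
    example's own precaution, so a value cannot escape the attribute or script it lands in."""
    def substitute(m):
        name = m.group(1)
        if name not in KNOWN_ESIS:
            raise ValueError(f"unknown ESI: {name}")
        if name not in values:
            raise KeyError(f"no value supplied for ESI {name}")
        text = str(values[name])
        if any(c in text for c in '"<>'):
            raise ValueError(f"value for {name} would break out of its attribute: {text!r}")
        return text
    return ESI_CALL.sub(substitute, page)


def parse_meta_refresh(page: str) -> Tuple[int, str]:
    """(seconds, url) from the page's meta refresh, i.e. what the browser will act on."""
    m = META_REFRESH.search(page)
    if not m:
        raise ValueError("no meta refresh found")
    return int(m.group(1)), m.group(2)


# Constructed, trimmed copy of the accept.html skeleton (the parts that carry ESIs).
ACCEPT_SKELETON = """<html><head><title>EWA User Login</title>
<meta http-equiv="refresh" content="<!-- ESI(WAUTHREDIRECTTIMEGET, 1) -->;URL=<!-- ESI(WAUTHREDIRECTURLGET, 1) -->">
<SCRIPT> var i = <!-- ESI(WAUTHREDIRECTTIMEGET, 1) -->; </SCRIPT></head>
<body><h1>EWA Access Granted</h1></body></html>"""

# Constructed values standing in for the switch's redirect settings.
SAMPLE_VALUES = {"WAUTHREDIRECTTIMEGET": 5,
                 "WAUTHREDIRECTURLGET": "http://intranet.example/welcome"}
```

Running find_esi_calls() over each customized page before deployment catches a misspelled ESI name, which would otherwise reach the browser unexpanded and leave the redirect broken.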
Filename: authen.html
The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified.
<html>
<head>
<title>EWA User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="refresh" content="10;URL=/EWA/statusprocess">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<h1><font face="Verdana, Arial, Helvetica, sans-serif">EWA Authenticating...</font></h1>
<p><font face="Verdana, Arial, Helvetica, sans-serif">Please wait while your credentials are verified.</font></p>
</body>
</html>
Filename: reject_unauthvlan.html
The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions. You can configure the VLAN used by unauthorized clients with the unauthid parameter (see page 3-49).
When a client’s web browser sends a request for an HTML file, a web server passes the response to the switch, which replaces the ESI call in the accept.html file with plain text.
The WAUTHREDIRECTTIMEGET ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client while the client renews its IP address and gains access to the VLAN for unauthorized clients.
Filename: reject_unauthvlan.html
<html>
<head>
<title>EWA User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<SCRIPT>
var interval = "";
var i = <!-- ESI(WAUTHREDIRECTTIMEGET, 1) -->;
function startcountdown()
{
  interval = window.setInterval("tick()", 1000);
}
function stopcountdown()
{
  window.clearInterval(interval);
  interval = "";
}
function tick()
{
  document.countdown.display.value = i--;
  if (i == -1) {
    stopcountdown();
  }
}
</SCRIPT>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<h1><font face="Verdana, Arial, Helvetica, sans-serif">EWA Invalid Credentials</font></h1>
<p><font face="Verdana, Arial, Helvetica, sans-serif">Your credentials were not accepted. However, you have been granted guest account status. Please wait while network connection refreshes itself.</font></p>
<form name="countdown">
  <p><font face="Arial, Helvetica, sans-serif">Time (sec) Remaining: </font>
  <input type="text" name="display" value=""></p>
</form>
<script>startcountdown();</script>
</body>
</html>
Filename: statusprocess
The statusprocess file contains the WAUTHSTATUSPROC ESI. This ESI is used to redirect an authenticated client to the appropriate web page during the login process.
<html> <head> <!- ESI(WAUTHSTATUSPROC, 1) -> </head> </html>
Filename: timeout.html
The timeout.html file is the web page used to return an error message if the RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the server-timeout parameter (see page 3-38).
<html> <head> <title>EWA User Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head>
<body bgcolor="#FFFFFF" text="#000000"> <h1><font face="Verdana, Arial, Helvetica, sans-serif">EWA Timeout</font></h1> <p><font face="Verdana, Arial, Helvetica, sans-serif">Your credentials could not be verified with the authentication server.</font></p> </body> </html>
Filename: retry_login.html
The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log in.
The WAUTHRETRIESLEFTGET ESI displays the number of login retries that remain for a client that entered invalid login credentials. You can configure the number of times that a client can enter their user name and password before authentication fails with the max-retries parameter (see page 3-37).
Filename: retry_login.html
HTML Source:
<html> <head> <title>EWA User Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="refresh" content="5;URL=/EWA/index.html">
</head>
<body bgcolor="#FFFFFF" text="#000000"> <h1><font face="Verdana, Arial, Helvetica, sans-serif">EWA Invalid Credentials</font></h1> <p><font face="Verdana, Arial, Helvetica, sans-serif">Your credentials were not accepted. <!- ESI(WAUTHRETRIESLEFTGET,1) -> retries left. Please try again. </font></p> </body> </html>
Filename: loginprocess
The loginprocess file contains the WAUTHLOGINPROC ESI. This ESI is used to process the username and password entered by a client to log in to the switch.
<html> <head> <!- ESI(WAUTHLOGINPROC, 1) -> </head> </html>
Filename: sslredirect.html
The sslredirect.html file is the web page displayed when a client is redirected to an SSL server to enter credentials for web authentication. If you have enabled SSL on the switch, you can enable secure SSL-based web authentication by entering the ssl-login parameter when you enable web authentication.
The WAUTHSSLSRVGET ESI inserts the host portion of the URL that redirects the client to an SSL-enabled port on an EWA server, where the client's username and password are verified. Because the page itself is served before authentication, the redirect target must point at the HTTPS EWA server; a client that ignores the meta refresh still reaches it through the "click here" link.
<html> <head> <title>EWA User Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="refresh" content="5;URL=https://<!- ESI(WAUTHSSLSRVGET,1) ->/EWA/index.html">
</head>
<body bgcolor="#FFFFFF" text="#000000"> <h1><font face="Verdana, Arial, Helvetica, sans-serif">EWA User Login </font></h1> <p><font face="Verdana, Arial, Helvetica, sans-serif">In order to access this network, you must first log in.</font></p>
<p><font face="Verdana, Arial, Helvetica, sans-serif">Redirecting in 5 seconds to secure page for you to enter credentials or <a href="https://<!- ESI(WAUTHSSLSRVGET,1) ->/EWA/index.html">click here</a>.</font></p> <p> </p> </body> </html>
Filename: reject_novlan.html
The reject_novlan.html file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients.
The WAUTHQUIETTIMEGET ESI inserts the time period (in seconds) during which the switch blocks an unauthorized client from attempting another login. To specify the time period before a new authentication request can be received by the switch, configure a value for the quiet-period parameter (see page 3-37).
Filename: reject_novlan.html
<html> <head> <title>EWA User Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="refresh" content="<!- ESI(WAUTHQUIETTIMEGET,1) ->;URL=/EWA/index.html">
<SCRIPT> var interval = ""; var i = <!- ESI(WAUTHQUIETTIMEGET, 1) ->;
function startcountdown( )
{
interval = window.setInterval("tick()",1000);
}
function stopcountdown ()
{
window.clearInterval (interval);
interval="";
}
function tick()
{
document.countdown.display.value = i--;
if (i == -1){
stopcountdown();
}
}
</SCRIPT> </head>
<body bgcolor="#FFFFFF" text="#000000"> <h1><font face="Verdana, Arial, Helvetica, sans-serif">EWA Access Denied</font></h1> <p><font face="Verdana, Arial, Helvetica, sans-serif">Your credentials were not accepted. Please wait <!- ESI(WAUTHQUIETTIMEGET, 1) -> seconds to retry. You will be redirected automatically to the login page. </font></p> <form name=countdown>
<p><font face="Arial, Helvetica, sans-serif">Time (sec) Remaining: </font>
<input type=text name=display value="" size="5">
</p> </form> <script> startcountdown(); </script> </body> </html>
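The pages above all rely on the switch substituting each <!- ESI(NAME, 1) -> call with plain text before the page is served, so a typo in an ESI name or a refresh target that leaves the /EWA/ path is only discovered once a client hits it. The following Python script is an added example, not part of this manual and not the switch's own code: it reproduces the substitution on a copy of a custom page and lints the page before it is uploaded to the web server. The ESI syntax is taken exactly from the templates shown above; the value kind assumed for each ESI name (integer seconds or retries, or a host string), the KNOWN_ESI table, and the sample pages are assumptions constructed for the example.

```python
import re

# ESI call syntax exactly as it appears in the EWA templates: <!- ESI(NAME, 1) ->
# The switch substitutes the whole call; the second argument is not interpreted here.
ESI_RE = re.compile(r"<!-\s*ESI\(\s*([A-Z]+)\s*,\s*(\d+)\s*\)\s*->")

# ESI names documented in this section. The value kind per name is an assumption
# drawn from how each page uses it (integer seconds or retries, or a host string).
KNOWN_ESI = {
    "WAUTHREDIRECTTIMEGET": int,  # seconds before redirect to the unauthorized VLAN
    "WAUTHQUIETTIMEGET": int,     # quiet-period seconds before another login attempt
    "WAUTHRETRIESLEFTGET": int,   # login retries remaining
    "WAUTHSSLSRVGET": str,        # host of the SSL-enabled EWA server
    "WAUTHSTATUSPROC": str,       # processing ESIs: expand to switch-generated markup
    "WAUTHLOGINPROC": str,
}

# <meta http-equiv="refresh" content="DELAY;URL=TARGET">
REFRESH_RE = re.compile(
    r'http-equiv="refresh"\s+content="([^";]*);\s*URL=([^"]*)"', re.IGNORECASE)


def esi_calls(template):
    """Names of all ESI calls in a template, in document order."""
    return [m.group(1) for m in ESI_RE.finditer(template)]


def render(template, values):
    """Substitute each ESI call with the switch-supplied value, as the switch
    does before serving the page. A name with no value is an error here rather
    than being served to the client as literal '<!- ESI(...) ->' text."""
    def sub(m):
        name = m.group(1)
        if name not in values:
            raise KeyError("no value for ESI " + name)
        return str(values[name])
    return ESI_RE.sub(sub, template)


def lint(template):
    """Problems worth catching in a custom EWA page before uploading it:
    an ESI name the switch does not know (it would be served verbatim),
    a refresh delay that is not a number or an integer-valued ESI, and a
    refresh target that leaves the switch's /EWA/ path over plain http."""
    problems = []
    for name in esi_calls(template):
        if name not in KNOWN_ESI:
            problems.append("unknown ESI name " + name)
    for delay, url in REFRESH_RE.findall(template):
        delay = delay.strip()
        call = ESI_RE.fullmatch(delay)
        if not (delay.isdigit() or (call and KNOWN_ESI.get(call.group(1)) is int)):
            problems.append("refresh delay %r is not a number or integer ESI" % delay)
        # Replace any ESI host call before inspecting the URL shape.
        url = ESI_RE.sub("host", url).strip()
        if re.search(r"\s", url):
            problems.append("refresh URL %r contains whitespace" % url)
        elif not (url.startswith("/EWA/") or url.startswith("https://")):
            problems.append("refresh URL %r leaves /EWA/ without https" % url)
    return problems


# Constructed sample pages, cut down from the reject_novlan.html and
# sslredirect.html templates shown above.
REJECT_NOVLAN = """<html><head><title>EWA User Login</title>
<meta http-equiv="refresh" content="<!- ESI(WAUTHQUIETTIMEGET,1) ->;URL=/EWA/index.html">
<script>var i = <!- ESI(WAUTHQUIETTIMEGET, 1) ->;</script></head>
<body>Please wait <!- ESI(WAUTHQUIETTIMEGET, 1) -> seconds to retry.</body></html>"""

SSL_REDIRECT = """<html><head>
<meta http-equiv="refresh" content="5;URL=https://<!- ESI(WAUTHSSLSRVGET,1) ->/EWA/index.html">
</head></html>"""

# A constructed custom page with a misspelled ESI name and a refresh that
# sends the client off the switch over plain http.
BAD_PAGE = """<html><head>
<meta http-equiv="refresh" content="<!- ESI(WAUTHQUIETIMEGET,1) ->;URL=http://portal.example.net/">
</head></html>"""

if __name__ == "__main__":
    for name, page in [("reject_novlan", REJECT_NOVLAN),
                       ("sslredirect", SSL_REDIRECT), ("bad", BAD_PAGE)]:
        print(name, lint(page) or "ok")
    print(render(REJECT_NOVLAN, {"WAUTHQUIETTIMEGET": 60}))
```

Run it against each custom page before copying the page to the web server; a non-empty lint result means the switch would either serve the ESI call verbatim or redirect the client somewhere the switch does not control.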
Configuring a DNS Server for Enhanced Web Authentication
If you use a host name to configure access to a web server on which customized login web pages are stored, you must first configure a Domain Name System (DNS) server to resolve the web server's host name into a target IP address. (If you specify an IP address to configure a web server, it is not necessary to configure a DNS server.)
For example, the following web-server host name requires the configuration of a DNS server to resolve the host (webserver1) and domain name (accounts.procurve.com) into a target IP address:
http://webserver1.accounts.procurve.com
To configure switch access to a DNS server to support the use of a host name in the aaa port-access web-based ewa server command, follow the instructions in the "Diagnostic Tools" section in the Troubleshooting chapter of the Management and Configuration Guide.
Configuring the Switch To Access a RADIUS Server
RADIUS Server Configuration Commands
radius-server [host <ip-address>]                                   below
              [key <global-key-string>]                             below
radius-server host <ip-address> key <server-specific key-string>    3-29
This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC Auth. For information on other RADIUS command options, refer to chapter 5, "RADIUS Authentication and Accounting".