Home » HP Manuals » Repeaters & Transceivers » HP GbE2c » Manual Viewer

HP GbE2c HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Application Gu - Page 21

User accounts for RADIUS users, RADIUS attributes for user privileges, TACACS+ authentication - password reset

UPC - 808736802215

Add to My Manuals
Save this manual to your list of manuals

Page 21 highlights

User accounts for RADIUS users The user accounts listed in the following table can be defined in the RADIUS server dictionary file. Table 2 User access levels User account User Operator Administrator Description and tasks performed User interaction with the switch is completely passive; nothing can be changed on the switch. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information. Operators can only effect temporary changes on the switch. These changes are lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation, but do have access to the Maintenance menu. By default, the operator account is disabled and has no password. Administrators are the only ones that can make permanent changes to the switch configuration-changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the switch level. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes. RADIUS attributes for user privileges When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server. If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When backdoor access is enabled, access is allowed even if the primary and secondary authentication servers are reachable. Only when both the primary and secondary authentication servers are not reachable, the administrator has the option to allow secure backdoor (secbd) access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you can have either backdoor or secure backdoor enabled, but not both at the same time. The default value for backdoor access through the console port only is enabled. You always can access the switch via the console port, by using noradius and the administrator password, whether backdoor/secure backdoor are enabled or not. The default value for backdoor and secure backdoor access through Telnet/SSH/HTTP/HTTPS is disabled. All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary is RADIUS vendor-dependent. The RADIUS attributes shown in the following table are defined for user privilege levels. Table 3 Proprietary attributes for RADIUS User name/access User service type Value User Vendor-supplied 255 Operator Vendor-supplied 252 TACACS+ authentication The switch software supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the switch either through a data or management port. TACACS+ offers the following advantages over RADIUS: • TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers. Accessing the switch 21

Section	Page
HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Application Guide	1
Notice	2
Contents	3
Accessing the switch	8
Introduction	8
Additional references	8
Typographical conventions	9
Management Network	9
Connecting through the console port	10
Connecting through Telnet	10
Connecting through Secure Shell	10
Using the command line interfaces	10
Configuring an IP interface	11
Using the Browser-based Interface	11
Using Simple Network Management Protocol	12
SNMP v1.0	12
SNMP v3.0	12
Default configuration	12
User configuration	13
View based configurations	14
CLI user equivalent	14
CLI oper equivalent	14
Configuring SNMP trap hosts	15
SNMPv1 trap host	15
SNMPv2 trap host configuration	16
SNMPv3 trap host configuration	16
Secure access to the switch	17
Setting allowable source IP address ranges	17
Configuring an IP address range for the management network	17
RADIUS authentication and authorization	18
How RADIUS authentication works	18
Configuring RADIUS on the switch (CLI example)	18
Configuring RADIUS on the switch (BBI example)	19
RADIUS authentication features	20
User accounts for RADIUS users	21
RADIUS attributes for user privileges	21
TACACS+ authentication	21
How TACACS+ authentication works	22
TACACS+ authentication features	22
Authorization	22
Accounting	23
Configuring TACACS+ authentication on the switch (CLI example)	23
Configuring TACACS+ authentication on the switch (BBI example)	24
Secure Shell and Secure Copy	25
Configuring SSH and SCP features (CLI example)	26
Using SSH and SCP client commands	27
SSH and SCP encryption of management messages	28
Generating RSA host and server keys for SSH access	28
SSH/SCP integration with RADIUS and TACACS+ authentication	28
User access control	29
Setting up user IDs	29
Ports and trunking	30
Introduction	30
Ports on the switch	30
Port trunk groups	31
Statistical load distribution	31
Built-in fault tolerance	31
Before you configure trunks	31
Trunk group configuration rules	31
Port trunking example	32
Configuring trunk groups (CLI example)	33
Configuring trunk groups (BBI example)	34
Configurable Trunk Hash algorithm	36
Link Aggregation Control Protocol	37
Configuring LACP	38
Port-based Network Access and traffic control	39
Port-based Network Access control	39
Extensible authentication protocol over LAN	39
802.1x authentication process	39
EAPoL Message Exchange	40
802.1x port states	41
Supported RADIUS attributes	41
EAPoL configuration guidelines	42
Port-based traffic control	42
Configuring port-based traffic control	42
VLANs	43
Introduction	43
Overview	43
VLANs and port VLAN ID numbers	43
VLAN numbers	43
Viewing VLANs	43
PVID numbers	43
Viewing and configuring PVIDs	44
Port information	44
Port configuration	44
VLAN tagging	44
VLANs and IP interfaces	47
VLAN topologies and design considerations	47
VLAN configuration rules	47
Multiple VLANS with tagging	47
Configuring the example network	49
Configuring ports and VLANs on Switch 1 (CLI example)	49
Configuring ports and VLANs on Switch 2 (CLI example)	50
Configuring ports and VLANs on Switch 1 (BBI example)	51
FDB static entries	54
Trunking support for FDB static entries	54
Configuring a static FDB entry	54
Spanning Tree Protocol	55
Introduction	55
Overview	55
Bridge Protocol Data Units	55
Determining the path for forwarding BPDUs	55
Bridge priority	55
Port priority	55
Port path cost	56
Spanning Tree Group configuration guidelines	56
Default Spanning Tree configuration	56
Adding a VLAN to a Spanning Tree Group	56
Creating a VLAN	56
Rules for VLAN tagged ports	56
Adding and removing ports from STGs	57
Assigning cost to ports and trunk groups	57
Multiple Spanning Trees	57
Why do we need Multiple Spanning Trees?	57
VLAN participation in Spanning Tree Groups	58
Configuring Multiple Spanning Tree Groups	58
Configuring Switch 1 (CLI example)	59
Configuring Switch 2 (CLI example)	59
Configuring Switch 1 (BBI example)	59
Port Fast Forwarding	60
Configuring Port Fast Forwarding	61
Fast Uplink Convergence	61
Configuration guidelines	61
Configuring Fast Uplink Convergence	61
RSTP and MSTP	62
Introduction	62
Rapid Spanning Tree Protocol	62
Port state changes	62
Port type and link type	62
Edge port	62
Link type	63
RSTP configuration guidelines	63
RSTP configuration example	63
Configuring Rapid Spanning Tree (CLI example)	63
Configuring Rapid Spanning Tree Protocol (BBI example)	63
Multiple Spanning Tree Protocol	65
MSTP region	65
Common Internal Spanning Tree	65
MSTP configuration guidelines	65
MSTP configuration example	65
Configuring Multiple Spanning Tree Protocol (CLI example)	65
Configuring Multiple Spanning Tree Protocol (BBI example)	66
Quality of Service	70
Introduction	70
Overview	70
Using ACL filters	71
Summary of packet classifiers	71
Summary of ACL actions	72
Understanding ACL precedence	72
Using ACL Groups	74
ACL Metering and Re-marking	74
Metering	74
Re-marking	75
Viewing ACL statistics	75
ACL configuration examples	75
Configure Access Control Lists (CLI example)	75
Configure Access Control Lists and Groups (BBI example 1)	76
Using DSCP values to provide QoS	80
Differentiated Services concepts	80
Per Hop Behavior	80
QoS levels	81
Using 802.1p priorities to provide QoS	81
802.1p configuration (CLI example)	82
802.1p configuration (BBI example)	83
Queuing and scheduling	86
Basic IP routing	87
IP routing benefits	87
Routing between IP subnets	87
Example of subnet routing	89
Using VLANs to segregate broadcast domains	91
Dynamic Host Configuration Protocol	92
DHCP relay agent	92
DHCP relay agent configuration	93
Routing Information Protocol	94
Distance vector protocol	94
Stability	94
Routing updates	94
RIPv1	94
RIPv2	94
RIPv2 in RIPv1 compatibility mode	95
RIP Features	95
Poison	95
Triggered updates	95
Multicast	95
Default	95
Metric	95
Authentication	95
RIP configuration example	96
IGMP Snooping	97
Introduction	97
Overview	97
FastLeave	97
IGMP Filtering	98
Configuring the range	98
Configuring the action	98
Static multicast router	98
IGMP Snooping configuration example	98
Configuring IGMP Snooping (CLI example)	98
Configuring IGMP Filtering (CLI example)	99
Configuring a Static Mrouter (CLI example)	100
Configuring IGMP Snooping (BBI example)	100
Configuring IGMP Filtering (BBI example)	102
Configuring a Static Multicast Router (BBI example)	105
OSPF	107
OSPF overview	107
Types of OSPF areas	107
Types of OSPF routing devices	108
Neighbors and adjacencies	109
Link-State Database	109
Shortest Path First Tree	109
Internal versus external routing	109
OSPF implementation in GbE2c software	110
Configurable parameters	110
Defining areas	110
Assigning the area index	111
Using the area ID to assign the OSPF area number	111
Attaching an area to a network	111
Interface cost	112
Electing the designated router and backup	112
Summarizing routes	112
Default routes	112
Virtual links	113
Router ID	114
Authentication	114
Host routes for load balancing	115
OSPF features not supported in this release	116
OSPF configuration examples	116
Example 1: Simple OSPF domain (CLI example)	116
Example 1: Simple OSPF domain (BBI example)	117
Example 2: Virtual links	124
Configuring OSPF for a virtual link on Switch A	124
Configuring OSPF for a virtual link on Switch B	126
Other Virtual Link Options	127
Example 3: Summarizing routes	127
Verifying OSPF configuration	128
Remote monitoring	129
Introduction	129
Overview	129
RMON group 1—statistics	129
Configuring RMON Statistics (CLI example)	129
Configuring RMON Statistics (BBI example)	130
RMON group 2—history	132
History MIB objects	132
RMON group 3—alarms	134
Alarm MIB objects	134
RMON group 9—events	138
Configuring RMON Events (CLI example)	138
Configuring RMON Events (BBI example 1)	139
High availability	140
Introduction	140
Uplink Failure Detection	140
Failure Detection Pair	141
Spanning Tree Protocol with UFD	141
Configuration guidelines	141
Monitoring Uplink Failure Detection	141
Configuring Uplink Failure Detection	142
Configuring UFD on Switch 1 (CLI example)	142
Configuring UFD on Switch 2 (CLI example)	142
Configuring Uplink Failure Detection (BBI example)	143
VRRP overview	145
VRRP components	145
Virtual router	145
Virtual router MAC address	145
Owners and renters	145
Master and backup virtual router	145
Virtual Interface Router	145
VRRP operation	146
Selecting the master VRRP router	146
Failover methods	146
Active-Active redundancy	147
GbE2c extensions to VRRP	147
Tracking VRRP router priority	147
Virtual router deployment considerations	147
Assigning VRRP virtual router ID	148
Configuring the switch for tracking	148
High availability configurations	148
Active-Active configuration	148
Task 1: Configure Switch A	149
Task 2: Configure Switch B	150
Task 1: Configure Switch A (BBI example)	151
Troubleshooting tools	159
Introduction	159
Port Mirroring	159
Configuring Port Mirroring (CLI example)	160
Configuring Port Mirroring (BBI example)	161
Other network troubleshooting techniques	162
Console and Syslog messages	162
Ping	162
Trace route	163
Statistics and state information	163
Customer support tools	163

Match case Limit results 1 per page

Accessing the switch 21

User accounts for RADIUS users

The user accounts listed in the following table can be defined in the RADIUS server dictionary file.

Table 2

User access levels

User account

Description and tasks performed

User

User interaction with the switch is completely passive; nothing can be changed on the switch.

Users may display information that has no security or privacy implications, such as switch

statistics and current operational state information.

Operator

Operators can only effect temporary changes on the switch. These changes are lost when the

switch is rebooted/reset. Operators have access to the switch management features used for

daily switch operations. Because any changes an operator makes are undone by a reset of the

switch, operators cannot severely impact switch operation, but do have access to the

Maintenance menu. By default, the operator account is disabled and has no password.

Administrator

Administrators are the only ones that can make permanent changes to the switch

configuration—changes that are persistent across a reboot/reset of the switch. Administrators

can access switch functions to configure and troubleshoot problems on the switch level. Because

administrators can also make temporary (operator-level) changes as well, they must be aware of

the interactions between temporary and permanent changes.

RADIUS attributes for user privileges

When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, that is, the

client authentication request, to the RADIUS authentication server.

If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the remote

user and authorizes the appropriate access. The administrator has the option to allow backdoor access through the

console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When backdoor access is enabled,

access is allowed even if the primary and secondary authentication servers are reachable. Only when both the

primary and secondary authentication servers are not reachable, the administrator has the option to allow secure

backdoor (

secbd

) access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access.

When RADIUS is on, you can have either backdoor or secure backdoor enabled, but not both at the same time. The

default value for backdoor access through the console port only is

enabled

. You always can access the switch via

the console port, by using

noradius

and the administrator password, whether backdoor/secure backdoor are

enabled or not. The default value for backdoor and secure backdoor access through Telnet/SSH/HTTP/HTTPS is

disabled

All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary. RADIUS

attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary is RADIUS

vendor-dependent. The RADIUS attributes shown in the following table are defined for user privilege levels.

Table 3

Proprietary attributes for RADIUS

User name/access

User service type

Value

User

Vendor-supplied

255

Operator

Vendor-supplied

252

TACACS+ authentication

The switch software supports authentication, authorization, and accounting with networks using the Cisco Systems

TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with the remote client

and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined

as someone requiring management access to the switch either through a data or management port.

TACACS+ offers the following advantages over RADIUS:

•

TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers a

connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable

variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level

of built-in support that a TCP transport offers.