| Section | Page |
| --- | --- |
| HP ProCurve 6120G/XG Switch 6120XG Switch Access Security Guide | 1 |
| Front Cover | 1 |
| Title Page | 3 |
| Copyright, Notices, & Publication Data | 4 |
| Contents | 5 |
| Feature Index | 24 |
| 1. Security Overview | 29 |
| Contents | 29 |
| Introduction | 30 |
| About This Guide | 30 |
| For More Information | 30 |
| Access Security Features | 31 |
| Network Security Features | 35 |
| Getting Started with Access Security | 37 |
| Physical Security | 37 |
| Quick Start: Using the Management Interface Wizard | 38 |
| CLI: Management Interface Wizard | 38 |
| Web: Management Interface Wizard | 40 |
| SNMP Security Guidelines | 43 |
| Precedence of Security Options | 45 |
| Precedence of Port-Based Security Options | 45 |
| Precedence of Client-Based Authentication: Dynamic Configuration Arbiter | 45 |
| Network Immunity Manager | 46 |
| Arbitrating Client-Specific Attributes | 47 |
| ProCurve Identity-Driven Manager (IDM) | 49 |
| 2. Configuring Username and Password Security | 51 |
| Contents | 51 |
| Overview | 53 |
| Configuring Local Password Security | 56 |
| Menu: Setting Passwords | 56 |
| CLI: Setting Passwords and Usernames | 58 |
| Web: Setting Passwords and Usernames | 59 |
| SNMP: Setting Passwords and Usernames | 59 |
| Saving Security Credentials in a Config File | 60 |
| Benefits of Saving Security Credentials | 60 |
| Enabling the Storage and Display of Security Credentials | 61 |
| Security Settings that Can Be Saved | 61 |
| Local Manager and Operator Passwords | 62 |
| Password Command Options | 62 |
| SNMP Security Credentials | 63 |
| 802.1X Port-Access Credentials | 64 |
| TACACS+ Encryption Key Authentication | 65 |
| RADIUS Shared-Secret Key Authentication | 65 |
| SSH Client Public-Key Authentication | 66 |
| Operating Notes | 69 |
| Restrictions | 71 |
| Front-Panel Security | 73 |
| When Security Is Important | 73 |
| Front-Panel Button Functions | 74 |
| Clear Button | 75 |
| Reset Button | 75 |
| Restoring the Factory Default Configuration | 75 |
| Configuring Front-Panel Security | 77 |
| Disabling the Clear Password Function of the Clear Button | 79 |
| Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation | 80 |
| Changing the Operation of the Reset+Clear Combination | 81 |
| Password Recovery | 82 |
| Disabling or Re-Enabling the Password Recovery Process | 82 |
| Password Recovery Process | 84 |
| 3. Web and MAC Authentication | 85 |
| Contents | 85 |
| Overview | 87 |
| Web Authentication | 87 |
| MAC Authentication | 88 |
| Concurrent Web and MAC Authentication | 88 |
| Authorized and Unauthorized Client VLANs | 89 |
| RADIUS-Based Authentication | 90 |
| Wireless Clients | 90 |
| How Web and MAC Authentication Operate | 90 |
| Web-based Authentication | 91 |
| MAC-based Authentication | 93 |
| Terminology | 95 |
| Operating Rules and Notes | 96 |
| Setup Procedure for Web/MAC Authentication | 98 |
| Before You Configure Web/MAC Authentication | 98 |
| Configuring the RADIUS Server To Support MAC Authentication | 101 |
| Configuring the Switch To Access a RADIUS Server | 101 |
| Configuring Web Authentication | 104 |
| Overview | 104 |
| Configuration Commands for Web Authentication | 105 |
| Show Commands for Web Authentication | 112 |
| Customizing Web Authentication HTML Files (Optional) | 118 |
| Implementing Customized Web-Auth Pages | 118 |
| Operating Notes and Guidelines | 118 |
| Customizing HTML Templates | 119 |
| Customizable HTML Templates | 120 |
| Configuring MAC Authentication on the Switch | 134 |
| Overview | 134 |
| Configuration Commands for MAC Authentication | 135 |
| Configuring the Global MAC Authentication Password | 135 |
| Configuring a MAC-based Address Format | 137 |
| Show Commands for MAC-Based Authentication | 139 |
| Client Status | 146 |
| 4. TACACS+ Authentication | 147 |
| Contents | 147 |
| Overview | 148 |
| Terminology Used in TACACS Applications | 149 |
| General System Requirements | 151 |
| General Authentication Setup Procedure | 151 |
| Configuring TACACS+ on the Switch | 154 |
| Before You Begin | 154 |
| CLI Commands Described in this Section | 155 |
| Viewing the Switch’s Current Authentication Configuration | 155 |
| Viewing the Switch’s Current TACACS+ Server Contact Configuration | 156 |
| Configuring the Switch’s Authentication Methods | 157 |
| Using the Privilege-Mode Option for Login | 157 |
| Authentication Parameters | 158 |
| Configuring the TACACS+ Server for Single Login | 159 |
| Configuring the Switch’s TACACS+ Server Access | 164 |
| How Authentication Operates | 170 |
| General Authentication Process Using a TACACS+ Server | 170 |
| Local Authentication Process | 172 |
| Using the Encryption Key | 173 |
| General Operation | 173 |
| Encryption Options in the Switch | 173 |
| Controlling Web Browser Interface Access When Using TACACS+ Authentication | 174 |
| Messages Related to TACACS+ Operation | 175 |
| Operating Notes | 175 |
| 5. RADIUS Authentication, Authorization, and Accounting | 177 |
| Contents | 177 |
| Overview | 179 |
| Authentication Services | 179 |
| Accounting Services | 180 |
| RADIUS-Administered CoS and Rate-Limiting | 180 |
| RADIUS-Administered Commands Authorization | 180 |
| SNMP Access to the Switch’s Authentication Configuration MIB | 180 |
| Terminology | 181 |
| Switch Operating Rules for RADIUS | 182 |
| General RADIUS Setup Procedure | 183 |
| Configuring the Switch for RADIUS Authentication | 184 |
| Outline of the Steps for Configuring RADIUS Authentication | 185 |
| 1. Configure Authentication for the Access Methods You Want RADIUS To Protect | 186 |
| 2. Enable the (Optional) Access Privilege Option | 189 |
| 3. Configure the Switch To Access a RADIUS Server | 190 |
| 4. Configure the Switch’s Global RADIUS Parameters | 193 |
| Using Multiple RADIUS Server Groups | 197 |
| Commands | 197 |
| Enhanced Commands | 198 |
| Displaying the RADIUS Server Group Information | 200 |
| Cached Reauthentication | 202 |
| Timing Considerations | 203 |
| Using SNMP To View and Configure Switch Authentication Features | 206 |
| Changing and Viewing the SNMP Access Configuration | 207 |
| Local Authentication Process | 209 |
| Controlling Web Browser Interface Access | 210 |
| Commands Authorization | 211 |
| Enabling Authorization | 212 |
| Displaying Authorization Information | 213 |
| Configuring Commands Authorization on a RADIUS Server | 213 |
| Using Vendor Specific Attributes (VSAs) | 213 |
| Example Configuration on Cisco Secure ACS for MS Windows | 215 |
| Example Configuration Using FreeRADIUS | 217 |
| VLAN Assignment in an Authentication Session | 219 |
| Tagged and Untagged VLAN Attributes | 220 |
| Additional RADIUS Attributes | 221 |
| Configuring RADIUS Accounting | 223 |
| Operating Rules for RADIUS Accounting | 225 |
| Steps for Configuring RADIUS Accounting | 225 |
| 1. Configure the Switch To Access a RADIUS Server | 226 |
| 2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server | 228 |
| 3. (Optional) Configure Session Blocking and Interim Updating Options | 230 |
| Viewing RADIUS Statistics | 232 |
| General RADIUS Statistics | 232 |
| RADIUS Authentication Statistics | 234 |
| RADIUS Accounting Statistics | 235 |
| Changing RADIUS-Server Access Order | 236 |
| Messages Related to RADIUS Operation | 239 |
| 6. Configuring RADIUS Server Support for Switch Services | 241 |
| Contents | 241 |
| Overview | 243 |
| RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting | 244 |
| Applied Rates for RADIUS-Assigned Rate Limits | 245 |
| Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration Specified by a RADIUS Server | 246 |
| Configuring and Using RADIUS-Assigned Access Control Lists | 249 |
| Introduction | 249 |
| Terminology | 249 |
| Overview of RADIUS-Assigned, Dynamic ACLs | 252 |
| Contrasting Dynamic (RADIUS-Assigned) and Static ACLs | 253 |
| How a RADIUS Server Applies a RADIUS-Assigned ACL to a Switch Port | 254 |
| General ACL Features, Planning, and Configuration | 255 |
| The Packet-filtering Process | 256 |
| Operating Rules for RADIUS-Assigned ACLs | 256 |
| Configuring an ACL in a RADIUS Server | 257 |
| Nas-Filter-Rule-Options | 258 |
| Configuring ACE Syntax in RADIUS Servers | 258 |
| Example Using the Standard Attribute (92) In an IPv4 ACL | 260 |
| Example of Configuring a RADIUS-assigned ACL Using the FreeRADIUS Application | 261 |
| Format Details for ACEs Configured in a RADIUS-Assigned ACL | 263 |
| Configuration Notes | 264 |
| Configuring the Switch To Support RADIUS-Assigned ACLs | 264 |
| Displaying the Current RADIUS-Assigned ACL Activity on the Switch | 266 |
| ICMP Type Numbers and Keywords | 268 |
| Event Log Messages | 269 |
| Causes of Client Deauthentication Immediately After Authenticating | 270 |
| Monitoring Shared Resources | 270 |
| 7. Configuring Secure Shell (SSH) | 271 |
| Contents | 271 |
| Overview | 272 |
| Terminology | 273 |
| Prerequisite for Using SSH | 275 |
| Public Key Formats | 275 |
| Steps for Configuring and Using SSH for Switch and Client Authentication | 276 |
| General Operating Rules and Notes | 278 |
| Configuring the Switch for SSH Operation | 279 |
| 1. Assigning a Local Login (Operator) and Enable (Manager) Password | 280 |
| 2. Generating the Switch’s Public and Private Key Pair | 280 |
| Configuring Key Lengths | 283 |
| 3. Providing the Switch’s Public Key to Clients | 283 |
| 4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior | 285 |
| 5. Configuring the Switch for SSH Authentication | 290 |
| 6. Use an SSH Client To Access the Switch | 294 |
| Further Information on SSH Client Public-Key Authentication | 294 |
| Messages Related to SSH Operation | 300 |
| Logging Messages | 301 |
| Debug Logging | 302 |
| 8. Configuring Secure Socket Layer (SSL) | 303 |
| Contents | 303 |
| Overview | 304 |
| Terminology | 305 |
| Prerequisite for Using SSL | 307 |
| Steps for Configuring and Using SSL for Switch and Client Authentication | 307 |
| General Operating Rules and Notes | 308 |
| Configuring the Switch for SSL Operation | 309 |
| 1. Assigning a Local Login (Operator) and Enabling (Manager) Password | 309 |
| 2. Generating the Switch’s Server Host Certificate | 310 |
| To Generate or Erase the Switch’s Server Certificate with the CLI | 311 |
| Comments on Certificate Fields | 312 |
| Generate a Self-Signed Host Certificate with the Web Browser Interface | 314 |
| Generate a CA-Signed Server Host Certificate with the Web Browser Interface | 317 |
| 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior | 319 |
| Using the CLI Interface to Enable SSL | 321 |
| Using the Web Browser Interface to Enable SSL | 321 |
| Common Errors in SSL Setup | 323 |
| 9. IPv4 Access Control Lists (ACLs) | 325 |
| Contents | 325 |
| Introduction | 328 |
| ACL Applications | 328 |
| Optional Network Management Applications | 328 |
| Optional PCM and IDM Applications | 329 |
| General Application Options | 329 |
| Terminology | 331 |
| Overview | 334 |
| Types of IP ACLs | 334 |
| ACL Inbound Application Points | 334 |
| Features Common to All ACLs | 335 |
| General Steps for Planning and Configuring ACLs | 336 |
| ACL Operation | 337 |
| Introduction | 337 |
| The Packet-Filtering Process | 338 |
| Planning an ACL Application | 341 |
| Switch Resource Usage | 341 |
| Prioritizing and Monitoring ACL and QoS Feature Usage | 341 |
| ACL Resource Usage and Monitoring | 341 |
| Rule Usage | 342 |
| Managing ACL Resource Consumption | 343 |
| Oversubscribing Available Resources | 343 |
| Troubleshooting a Shortage of Resources | 343 |
| Example of ACL Resource Usage | 344 |
| Viewing the Current Rule Usage | 344 |
| Traffic Management and Improved Network Performance | 347 |
| Security | 347 |
| Guidelines for Planning the Structure of an ACL | 348 |
| ACL Configuration and Operating Rules | 349 |
| How an ACE Uses a Mask To Screen Packets for Matches | 350 |
| What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? | 351 |
| Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) | 352 |
| Configuring and Assigning an ACL | 357 |
| Overview | 357 |
| General Steps for Implementing ACLs | 357 |
| Types of ACLs | 357 |
| ACL Configuration Structure | 358 |
| Standard ACL Structure | 359 |
| Extended ACL Configuration Structure | 359 |
| ACL Configuration Factors | 361 |
| ACL Resource Consumption | 361 |
| The Sequence of Entries in an ACL Is Significant | 361 |
| In Any ACL, There Will Always Be a Match | 362 |
| A Configured ACL Has No Effect Until You Apply It to an Interface | 362 |
| Using the CLI To Create an ACL | 363 |
| General ACE Rules | 363 |
| Using CIDR Notation To Enter the ACL Mask | 363 |
| Configuring and Assigning a Numbered, Standard ACL | 364 |
| Configuring and Assigning a Numbered, Extended ACL | 369 |
| Configuring a Named ACL | 375 |
| Enabling or Disabling ACL Filtering on an Interface | 377 |
| Deleting an ACL from the Switch | 378 |
| Displaying ACL Data | 379 |
| Display an ACL Summary | 379 |
| Display the Content of All ACLs on the Switch | 380 |
| Display the ACL Assignments for an Interface | 381 |
| Displaying the Content of a Specific ACL | 382 |
| Displaying the Current ACL Resources | 384 |
| Display All ACLs and Their Assignments in the Switch Startup-Config File and Running-Config File | 385 |
| Editing ACLs and Creating an ACL Offline | 385 |
| Using the CLI To Edit ACLs | 385 |
| General Editing Rules | 386 |
| Deleting Any ACE from an ACL | 386 |
| Working Offline To Create or Edit an ACL | 388 |
| Creating an ACL Offline | 389 |
| Enable ACL “Deny” Logging | 392 |
| Requirements for Using ACL Logging | 392 |
| ACL Logging Operation | 393 |
| Enabling ACL Logging on the Switch | 393 |
| Operating Notes for ACL Logging | 395 |
| General ACL Operating Notes | 396 |
| 10. Configuring Advanced Threat Protection | 399 |
| Contents | 399 |
| Introduction | 401 |
| DHCP Snooping | 402 |
| Overview | 402 |
| Enabling DHCP Snooping | 403 |
| Enabling DHCP Snooping on VLANs | 405 |
| Configuring DHCP Snooping Trusted Ports | 406 |
| Configuring Authorized Server Addresses | 407 |
| Using DHCP Snooping with Option 82 | 407 |
| Changing the Remote-id from a MAC to an IP Address | 409 |
| Disabling the MAC Address Check | 409 |
| The DHCP Binding Database | 410 |
| Operational Notes | 411 |
| Log Messages | 412 |
| Dynamic ARP Protection | 414 |
| Introduction | 414 |
| Enabling Dynamic ARP Protection | 416 |
| Configuring Trusted Ports | 416 |
| Adding an IP-to-MAC Binding to the DHCP Database | 418 |
| Configuring Additional Validation Checks on ARP Packets | 419 |
| Verifying the Configuration of Dynamic ARP Protection | 419 |
| Displaying ARP Packet Statistics | 420 |
| Monitoring Dynamic ARP Protection | 421 |
| Dynamic IP Lockdown | 421 |
| Protection Against IP Source Address Spoofing | 422 |
| Prerequisite: DHCP Snooping | 422 |
| Filtering IP and MAC Addresses Per-Port and Per-VLAN | 423 |
| Enabling Dynamic IP Lockdown | 424 |
| Operating Notes | 424 |
| Adding an IP-to-MAC Binding to the DHCP Binding Database | 426 |
| Potential Issues with Bindings | 426 |
| Adding a Static Binding | 427 |
| Verifying the Dynamic IP Lockdown Configuration | 427 |
| Displaying the Static Configuration of IP-to-MAC Bindings | 428 |
| Debugging Dynamic IP Lockdown | 429 |
| Using the Instrumentation Monitor | 431 |
| Operating Notes | 432 |
| Configuring Instrumentation Monitor | 433 |
| Examples | 434 |
| Viewing the Current Instrumentation Monitor Configuration | 435 |
| 11. Traffic/Security Filters and Monitors | 437 |
| Contents | 437 |
| Overview | 438 |
| Introduction | 438 |
| Filter Limits | 438 |
| Using Port Trunks with Filters | 438 |
| Filter Types and Operation | 439 |
| Source-Port Filters | 440 |
| Operating Rules for Source-Port Filters | 440 |
| Example | 441 |
| Named Source-Port Filters | 442 |
| Operating Rules for Named Source-Port Filters | 442 |
| Defining and Configuring Named Source-Port Filters | 443 |
| Viewing a Named Source-Port Filter | 444 |
| Using Named Source-Port Filters | 445 |
| Configuring Traffic/Security Filters | 451 |
| Configuring a Source-Port Traffic Filter | 452 |
| Example of Creating a Source-Port Filter | 453 |
| Configuring a Filter on a Port Trunk | 453 |
| Editing a Source-Port Filter | 454 |
| Filter Indexing | 455 |
| Displaying Traffic/Security Filters | 456 |
| 12. Configuring Port-Based and User-Based Access Control (802.1X) | 457 |
| Contents | 457 |
| Overview | 460 |
| Why Use Port-Based or User-Based Access Control? | 460 |
| General Features | 460 |
| User Authentication Methods | 461 |
| 802.1X User-Based Access Control | 461 |
| 802.1X Port-Based Access Control | 462 |
| Alternative To Using a RADIUS Server | 463 |
| Accounting | 463 |
| Terminology | 463 |
| General 802.1X Authenticator Operation | 466 |
| Example of the Authentication Process | 466 |
| VLAN Membership Priority | 467 |
| General Operating Rules and Notes | 469 |
| General Setup Procedure for 802.1X Access Control | 471 |
| Do These Steps Before You Configure 802.1X Operation | 471 |
| Overview: Configuring 802.1X Authentication on the Switch | 474 |
| Configuring Switch Ports as 802.1X Authenticators | 475 |
| 1. Enable 802.1X Authentication on Selected Ports | 476 |
| A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication | 476 |
| B. Specify User-Based Authentication or Return to Port-Based Authentication | 477 |
| Example: Configuring User-Based 802.1X Authentication | 478 |
| Example: Configuring Port-Based 802.1X Authentication | 478 |
| 2. Reconfigure Settings for Port-Access | 478 |
| 3. Configure the 802.1X Authentication Method | 481 |
| 4. Enter the RADIUS Host IP Address(es) | 482 |
| 5. Enable 802.1X Authentication on the Switch | 482 |
| 6. Optional: Reset Authenticator Operation | 483 |
| 7. Optional: Configure 802.1X Controlled Directions | 483 |
| Wake-on-LAN Traffic | 484 |
| Operating Notes | 484 |
| Example: Configuring 802.1X Controlled Directions | 485 |
| Unauthenticated VLAN Access (Guest VLAN Access) | 485 |
| Characteristics of Mixed Port Access Mode | 486 |
| Configuring Mixed Port Access Mode | 487 |
| 802.1X Open VLAN Mode | 488 |
| Introduction | 488 |
| VLAN Membership Priorities | 489 |
| Use Models for 802.1X Open VLAN Modes | 490 |
| Operating Rules for Authorized-Client and Unauthorized-Client VLANs | 495 |
| Setting Up and Configuring 802.1X Open VLAN Mode | 499 |
| 802.1X Open VLAN Operating Notes | 503 |
| Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices | 504 |
| Port-Security | 505 |
| Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches | 506 |
| Example | 506 |
| Supplicant Port Configuration | 508 |
| Displaying 802.1X Configuration, Statistics, and Counters | 510 |
| Show Commands for Port-Access Authenticator | 510 |
| Viewing 802.1X Open VLAN Mode Status | 519 |
| Show Commands for Port-Access Supplicant | 523 |
| How RADIUS/802.1X Authentication Affects VLAN Operation | 524 |
| VLAN Assignment on a Port | 525 |
| Operating Notes | 525 |
| Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session | 527 |
| Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions | 530 |
| Messages Related to 802.1X Operation | 532 |
| 13. Configuring and Monitoring Port Security | 533 |
| Contents | 533 |
| Overview | 535 |
| Port Security | 536 |
| Basic Operation | 536 |
| Eavesdrop Prevention | 537 |
| Disabling Eavesdrop Prevention | 537 |
| Feature Interactions When Eavesdrop Prevention Is Disabled | 538 |
| MIB Support | 539 |
| Blocking Unauthorized Traffic | 539 |
| Trunk Group Exclusion | 540 |
| Planning Port Security | 541 |
| Port Security Command Options and Operation | 542 |
| Port Security Display Options | 542 |
| Configuring Port Security | 546 |
| Retention of Static Addresses | 551 |
| MAC Lockdown | 556 |
| Differences Between MAC Lockdown and Port Security | 558 |
| MAC Lockdown Operating Notes | 559 |
| Deploying MAC Lockdown | 560 |
| MAC Lockout | 560 |
| Port Security and MAC Lockout | 563 |
| Web: Displaying and Configuring Port Security Features | 564 |
| Reading Intrusion Alerts and Resetting Alert Flags | 564 |
| Notice of Security Violations | 564 |
| How the Intrusion Log Operates | 565 |
| Keeping the Intrusion Log Current by Resetting Alert Flags | 566 |
| Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags | 567 |
| CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags | 568 |
| Using the Event Log To Find Intrusion Alerts | 570 |
| Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags | 571 |
| Operating Notes for Port Security | 572 |
| 14. Using Authorized IP Managers | 575 |
| Contents | 575 |
| Overview | 576 |
| Options | 577 |
| Access Levels | 577 |
| Defining Authorized Management Stations | 578 |
| Overview of IP Mask Operation | 578 |
| Menu: Viewing and Configuring IP Authorized Managers | 579 |
| CLI: Viewing and Configuring Authorized IP Managers | 580 |
| Listing the Switch’s Current Authorized IP Manager(s) | 580 |
| Configuring IP Authorized Managers for the Switch | 581 |
| Web: Configuring IP Authorized Managers | 583 |
| Web Proxy Servers | 583 |
| How to Eliminate the Web Proxy Server | 583 |
| Using a Web Proxy Server to Access the Web Browser Interface | 584 |
| Web-Based Help | 584 |
| Building IP Masks | 584 |
| Configuring One Station Per Authorized Manager IP Entry | 584 |
| Configuring Multiple Stations Per Authorized Manager IP Entry | 585 |
| Additional Examples for Authorizing Multiple Stations | 587 |
| Operating Notes | 587 |
| Index | 589 |
| Numerics | 589 |
| A | 591 |
| B | 593 |
| C | 593 |
| D | 593 |
| E | 595 |
| F | 595 |
| G | 595 |
| H | 596 |
| I | 596 |
| L | 596 |
| M | 596 |
| N | 597 |
| O | 597 |
| P | 597 |
| R | 598 |
| S | 599 |
| T | 601 |
| U | 602 |
| V | 602 |
| W | 602 |