HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide
HP 6120XG Manual
HP 6120XG manual content summary:
Page 2: ProCurve Series 6120 Switches Access Security Guide August 2009
Page 3: without the prior written consent of Hewlett-Packard. Publication Number 5992-5525 August 2009 Applicable Products HP ProCurve Switch 6120G/XG HP ProCurve Switch 6120XG (498358-B21) (516733-B21) Trademark Credits Microsoft, Windows, and Microsoft Windows NT are U.S. registered trademarks of
Page 4: ii
Page 5: Switch Manual Set xvii Printed Publications xvii Electronic Publications xvii Software Feature Index xviii 1 Security Overview Contents 1-1 Introduction 1-2 About This Guide Dynamic Configuration Arbiter 1-17 Network Immunity Manager 1-18 Arbitrating Client-Specific Attributes 1-19 ProCurve
Page 6: Important 2-23 Front-Panel Button Functions 2-24 Clear Button 2-25 Reset Button 2-25 Restoring the Factory Default Configuration 2-25 Configuring Front-Panel Security 2-27 Disabling the Clear Password Function of the Clear Button . . . 2-29 Re-Enabling the Clear Button and Setting or Changing
Page 7: Password Recovery Process 2-34 3 Web and MAC Authentication Contents Configure Web/MAC Authentication 3-14 Configuring the RADIUS Server To Support MAC Authentication . . 3-16 Configuring the Switch To Access a RADIUS Server 3-17 Configuring Web Authentication 3-20 Overview 3-20 Configuration
Page 8: You Begin 4-8 CLI Commands Described in this Section 4-9 Viewing the Switch's Current Authentication Configuration 4-9 Viewing the Switch's Current TACACS+ Server Contact Configuration 4-10 Configuring the Switch's Authentication Methods 4-11 Using the Privilege-Mode Option for Login 4-11
Page 9: Services 5-4 RADIUS-Administered CoS and Rate-Limiting 5-4 RADIUS-Administered Commands Authorization 5-4 SNMP Access to the Switch's Authentication Configuration MIB . . . 5-4 Terminology 5-5 Switch Operating Rules for RADIUS 5-6 General RADIUS Setup Procedure 5-7 Configuring the Switch
Page 10: 1. Assigning a Local Login (Operator) and Enable (Manager) Password 6-10 2. Generating the Switch's Public and Private Key Pair 6-10 Configuring Key Lengths 6-13 3. Providing the Switch's Public Key to Clients 6-13 4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior 6-15
Page 11: 7-5 General Operating Rules and Notes 7-6 Configuring the Switch for SSL Operation 7-7 1. Assigning a Local Login (Operator) and Enabling (Manager) Password 7-7 2. Generating the Switch's Server Host Certificate 7-8 To Generate or Erase the Switch's Server Certificate with the CLI 7-9 Comments
Page 12: Database . . . . . 8-28 Potential Issues with Bindings 8-28 Adding a Static Binding 8-29 Verifying the Dynamic IP Lockdown Configuration 8-29 Displaying the Static Configuration of IP-to-MAC Bindings 8-30 Debugging Dynamic IP Lockdown 8-31 Using the Instrumentation Monitor 8-33 Operating Notes
Page 13: Displaying Traffic/Security Filters 9-20 10 Configuring Port-Based and User-Based Access Control (802.1X) Contents 10-1 Overview 10-3 Why Use Port-Based or User-Based Access Control 10-3 General Features 10-3 User Authentication Methods 10-4 802.1X User-Based Access Control 10-4 802.1X Port
Page 14: Authentication on the Switch . . . . . 10-17 Configuring Switch Ports as 802.1X Authenticators 10-18 1. Enable 802.1X Authentication on Selected Ports 10-19 A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication 10-19 B. Specify User-Based Authentication
Page 15: Ports To Operate As Supplicants for 802.1X Connections to Other Switches 10-47 Example 10-47 Supplicant Port Configuration 10-49 Displaying 802.1X Configuration, Statistics, and Counters . . . . 10-51 Show Commands for Port-Access Authenticator 10-51 Viewing 802.1X Open VLAN Mode Status 10
Page 16: Operation 12-4 Menu: Viewing and Configuring IP Authorized Managers 12-5 CLI: Viewing and Configuring Authorized IP Managers 12-6 Listing the Switch's Current Authorized IP Manager(s) 12-6 Configuring IP Authorized Managers for the Switch 12-7 Web: Configuring IP Authorized Managers 12-9 Web
Page 17: Building IP Masks 12-10 Configuring One Station Per Authorized Manager IP Entry 12-10 Configuring Multiple Stations Per Authorized Manager IP Entry . . 12-11 Additional Examples for Authorizing Multiple Stations 12-13 Operating Notes 12-13 xv
Page 18: xvi
Page 19: and Routing Guide-Explains how to configure IGMP features. ■ Access Security Guide-Explains how to configure access security features and user authentication on the switch. ■ IPv6 Configuration Guide-Describes the IPv6 protocol operations that are supported on the switch. ■ Release Notes
Page 20: TFTP) Auto MDIX Configuration BOOTP Config File Console Access Copy Command CoS (Class of Service) Debug DHCP Configuration DHCP/Bootp Operation Diagnostic Tools Manual Management Advanced Multicast and and Traffic Routing Configuration Management X X X X X X X X X X X Access Security Guide
Page 21: Applications (SNMP) Passwords and Password Clear Protection ProCurve Manager (PCM) Ping Port Configuration Manual Management Advanced Multicast and and Traffic Routing Configuration Management X X X X X X X X X X X X X X X X X X X X X X Access Security Guide X X X X xix
Page 22: TACACS+ Authentication Telnet Access TFTP Time Protocols (TimeP, SNTP) Troubleshooting Uni-Directional Link Detection (UDLD) Manual Management Advanced Multicast and and Traffic Routing Configuration Management X X X X X X X X X X X X X X X X X X Access Security Guide X X X X X X X X xx
Page 23: Intelligent Edge Software Features VLANs Web Authentication RADIUS Support Web-based Authentication Web UI Manual Management Advanced Multicast and and Traffic Routing Configuration Management X X Access Security Guide X X xxi
Page 24: Security Overview Contents 1 Contents Introduction 1-2 About This Guide 1-2 For More Information 1-2 Access Security Features 1-3 Based Authentication: Dynamic Configuration Arbiter 1-17 Network Immunity Manager 1-18 Arbitrating Client-Specific Attributes 1-19 ProCurve Identity-Driven Manager
Page 25: , refer to the IPv6 Configuration Guide for your switch. For information on which product manual to consult for a specific software feature, refer to the "Software Feature Index" on page xviii of this guide. For the latest version of all HP ProCurve switch documentation, including Release Notes
Page 26: 1-10 for details. Table 1-1. Access Security and Switch Authentication Features Default Setting Security Guidelines More Information and Configuration Details no password Configuring a local Manager password is a fundamental "Configuring Local step in reducing the possibility of unauthorized
Page 27: and Also, access security on the switch is incomplete Configuration Guide. without disabling Telnet and the standard Web "Configuring switch. Only a client with a private key that matches Secure Shell (SSH)" a stored public key can gain access to the switch. • switch SSH and user password
Page 28: (console) port or remotely, with Telnet. Chapter 5, "TACACS+ Authentication" If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable
Page 29: port-based or user-based Chapter 13 "Configuring authentication through a RADIUS server to protect the Port-Based and User-Based switch from unauthorized access and to enable the use Access Control (802.1X)" of RADIUS-based user profiles to control client access to network services. Included in
Page 30: provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices. Management and Configuration Guide, Appendix A "File Transfers", refer to the section "Using Secure Copy and SFTP" These
Page 31: behavior, and causes the switch to generate warning messages and (optionally) to throttle or drop all traffic from the offending hosts. This feature helps defeat ICMP denial-of-service Management and attacks by restricting ICMP traffic to percentage levels Configuration Guide, in the that
Page 32: " devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, ProCurve strongly recommends that you enforce a security policy to help ensure that
Page 33: . ■ Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch's factory default settings. ■ Disable or re-enable password recovery. For the commands used to configure the Clear and Reset buttons, refer to "Front-Panel Security" on page
Page 34: to keep the current value. Press CTRL-C at any time to quit the wizard without saving any changes. Press ? for help. Operator password Manager password [not configured]: Confirm password: [*******]: Type in a new value to change a setting, or press to keep the current value. Confirm
Page 35: password has been configured on the switch, you cannot remove it using the CLI wizard. Passwords can be removed by executing the no password user to modify the first community access parameters. ■ The wizard creates a new SNMP community only when no communities have been configured on the switch
Page 36: to configure security settings, with on-screen instructions for each option. • Advanced-provides a single summary screen in which to configure all the alert and then advance through the following setup pages: Operator Password, Manager Password, SNMP, Telnet, SSH, Web Management GUI, Timeout (see
Page 37: Access Security 4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. ■ If you click on the Web interface's navigation tab during setup, all configuration changes will be lost. ■ When you restrict SNMP access to SNMPv3 only, the
Page 38: SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide security options. ProCurve recommends that you enable SNMP
Page 39: To View and Configure Switch Authentication Features" on page 5-21. For more information on configuring SNMP, refer to the section "Using SNMP Tools To Manage the Switch" in the chapter "Configuring for Network Management Applications" in the Management and Configuration Guide for your switch. 1-16
Page 40: model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port. 1. Disabled/Enabled physical port 2. MAC lockout (Applies to all ports on the
Page 41: to the parameter. In this way, NIM allows you to minimize network problems without manual intervention. NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client's MAC address is known
Page 42: and statically configured parameters are supported and if they are supported on a configured parameters over RADIUS-assigned and locally configured parameters. For information on Network Immunity Manager, go to the HP ProCurve Networking Web site at www.procurve statically configured local passwords.
Page 43: configure RADIUS-assigned and locally configured authentication settings, refer to: ■ RADIUS-assigned 802.1X authentication: "Configuring Port-Based and User "Configuring RADIUS Server Support for Switch Services" on page 7-1. ■ Statically (local) configured: "Configuring Username and Password
Page 44: network ■ time of day Responses can be configured to support the networking requirements, user (SNMP) community, service needs, and access security level for a given client and device. For more information on IDM, go to the ProCurve Web site at www.procurve.com/solutions, click on Security, and then
Page 45: 2-21 Front-Panel Security 2-23 When Security Is Important 2-23 Front-Panel Button Functions 2-24 Clear Button 2-25 Reset Button 2-25 Restoring the Factory Default Configuration 2-25 Configuring Front-Panel Security 2-27 Disabling the Clear Password Function of the Clear Button . . . 2-29 2-1
Page 46: Configuring Username and Password Security Contents Re-Enabling the Clear Button and Setting or Changing the "Reset-On-Clear" Operation 2-30 Changing the Operation of the Reset+Clear Combination . . . . . 2-31 Password Recovery 2-32 Disabling or Re-Enabling the Password Recovery Process 2-32
Page 47: using SNMP. For more information, refer to "Using SNMP To View and Configure Switch Authentication Features" on page 5-21. Usernames and passwords for Manager and Operator access can also be configured using the Management Interface Wizard. For more information, refer to "Quick Start: Using
Page 48: the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available. *Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the Manager password. To configure password security: 1. Set
Page 49: autorun feature, refer to the Appendix A on "File Transfers" in the Management and Configuration Guide for your switch. If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the web browser interface can access the
Page 50: Enter new password again, retype the new password and press [Enter]. After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt
Page 51: Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator). If you have physical access to the switch, press and hold the
Page 52: Section password See below. Configuring Manager and Operator Passwords. Note You can configure manager and operator passwords in one step. See "Saving Security Credentials in a Config File" on page 2-10 of this guide. Syntax: [ no ] password [ user-name
Page 53: Implement the usernames and passwords by clicking on [Apply Changes]. SNMP: Setting Passwords and Usernames Usernames and passwords for Manager and Operator access can also be configured using SNMP. For more information, refer to "Using SNMP To View and Configure Switch Authentication Features" on
Page 54: passwords and (optional) user names that control access to a management session on the switch through download the file to the ProCurve switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch
Page 55: , refer to "Switch Memory and Configuration" in the Management and Configuration Guide. The "no" form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration. Default: The
Page 56: [user-name ] Set or clear a local username/password for a given access level. manager: configures access to the switch with manager-level privileges. operator: configures access to the switch with operator-level privileges. port-access
Page 57: twice to enter the actual password). ■ For more information about configuring local manager and operator passwords, refer to "Configuring Username and Password Security" on page 2-1 in this guide. ■ For more information about configuring a port-access password for 802.1X client authentication
Page 58: . For information about how to use 802.1X on the switch both as an authenticator and a supplicant, see "Configuring Port-Based and Client-Based Access Control (802.1X)" in this guide. The local password configured with the password command is no longer accepted as an 802.1X authenticator credential
Page 59: in a TACACS+ server ■ Local manager and operator passwords configured on the switch. When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned
Page 60: the network. For more information, refer to "3. Configure the Switch To Access a RADIUS Server" on page 6-14 in this guide. RADIUS shared secret (encryption) keys can be saved in a configuration file by entering this command: ProCurve(config)# radius-server key The option
Page 61: Note Configuring Username and Password Security Saving Security Credentials in a Config File "keystring": a legal SSHv2 public-key configurations on a running switch. If you download a software configuration file that contains SSH client public-key configurations, the downloaded public-keys
Page 62: /ay \ +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \ NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= [email protected]" ... Figure 2-5. Example of SSH Public Keys If a switch configuration contains multiple SSH client public keys, each public key is saved
Page 63: Operating Notes Configuring Username and Password Security Saving Security Credentials in a Config File ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to
Page 64: Uploads a configuration file from the switch to an Xmodem host. • copy xmodem config: Downloads a configuration file from an Xmodem host to the switch. For more information, see "Transferring Startup-Config Files To or From a Remote Server" in the Management and Configuration Guide. ■ The switch can
Page 65: SNMPv3 security settings in a downloaded configuration file does not match the engine ID of the switch: • The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with
Page 66: operator command and used for management access to the switch. For more information about how to use the password port-access command to configure operator passwords and usernames for 802.1X authentication, see "Do These Steps Before You Configure 802.1X Operation" on page 13-14 in this guide. 2-22
Page 67: provided for situations which require a higher level of switch security. The front-panel Security features are designed to prevent malicious users from: ■ Resetting the password(s) by pressing the Clear button ■ Restoring the factory default configuration by using the Reset+Clear button combination
Page 68: the functionality of the Clear and Reset buttons located on the front panel of the switch. Clear Button Reset Button Figure 2-6. Front-Panel Button Locations on a ProCurve 6120G/XG Switch Clear Button Reset Button Figure 2-7. Front-Panel Button Locations on a ProCurve 6120XG Switch 2-24
Page 69: for Five Seconds To Reset the Password(s) Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Clear Reset Figure 2-9. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset
Page 70: Reset 4. If the Clear button is held for greater than 2.5 seconds, configuration will be cleared, and the switch will reboot. It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings. Clear Reset 2-26
Page 71: the operation of the Reset+Clear combination described under "Restoring the Factory Default Configuration" on page 2-25.) • Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for
Page 72: (page 2-25) to reset the switch to its factory-default configuration. (Default: Enabled.) Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to "Password Recovery Process" on page 2-34.) (Default: Enabled.) CAUTION: Disabling this option
Page 73: Clear Button Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch's front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that
Page 74: the Reset button (Reset+Clear) to restore the switch to its factory default configuration. You can then get access to the switch to set a new password. For example, suppose that password-clear is disabled and you want to restore it to its default configuration (enabled, with reset-on-clear disabled
-config file with the factorydefault startup-config file • Clearing any local usernames and passwords configured on the switch (Default: Both functions enabled.) Notes: The Reset+Clear button combination always reboots the switch, regardless of whether the "no" form of the command has been used to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 75
loses the local manager username (if configured) or password. Using Password Recovery requires: ■ password-recovery enabled (the default) on the switch prior to an attempt to recover from a lost username/password situation ■ Contacting your ProCurve Customer Care Center to acquire a one - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 76
other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch. Syntax: [no] front-panel-security password-recovery Enables - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 77
"Restoring the Factory Default Configuration" on page 2-25. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. To use the password-recovery option to recover - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 78
Authentication 3-14 Before You Configure Web/MAC Authentication 3-14 Configuring the RADIUS Server To Support MAC Authentication . . 3-16 Configuring the Switch To Access a RADIUS Server 3-17 Configuring Web Authentication 3-20 Overview 3-20 Configuration Commands for Web Authentication 3-21 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 79
Web and MAC Authentication Contents Overview 3-50 Configuration Commands for MAC Authentication 3-51 Show Commands for MAC-Based Authentication 3-54 Client Status 3-60 3-2 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 80
Status and Configuration Default n/a n/a n/a n/a Menu - - - - CLI 3-20 3-50 3-28 3-54 Web - - - - Web and MAC authentication are designed for employment on the "edge" of a network to provide port-based security measures for protecting private networks and a switch from unauthorized - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 81
MAC-Auth to "lock" a particular device to a specific switch and port. 802.1X port-access, Web authentication, and MAC authentication can be configured at the same time on the same port. A maximum of 32 clients is supported on the port. (The default is one client.) Web and/or MAC authentication and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 82
untagged VLAN. (If you want the switch to simultaneously support multiple client sessions in different VLANs for a network application, design your system so that clients request network access on different switch ports.) In the default configuration, the switch blocks access to all clients that the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 83
VLAN to support an authenticated client. When a RADIUS server authenticates a client, the switch-port membership during the client's connection is determined according to the following hierarchy: 1. A RADIUS-assigned VLAN 2. An authorized VLAN specified in the Web- or MAC-Auth configuration for the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 84
and a login screen is presented for the client to enter their username and password. The default User Login screen is shown in Figure 3-1. Figure 3-1. Example of Default User Login Screen When a client connects to the switch, it sends a DHCP request to receive an IP address to connect to the network - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 85
then the port remains in this VLAN. 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 86
client connects to a MAC-Auth enabled port traffic is blocked. The switch immediately submits the client's MAC address (in the format specified by or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN. 4. If neither 1, - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 87
server timeout. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing to unauthenticated clients the port remains in its original VLAN configuration. Should another client successfully authenticate through that port any unauthenticated - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 88
service to the switch. Authenticator: In ProCurve switch applications, a device such as a ProCurve Switch 8212zl that requires a client or device to provide the proper credentials (MAC address, or username and password A VLAN that has been configured as "permanent" on the switch by using the CLI vlan - Page 89
and Notes Port Access Management Operating Rules and Notes ■ The switch supports concurrent 802.1X, Web and MAC authentication operation on a For example, be sure that Port Security is disabled on a port before configuring the port for Web or MAC Authentication. If Port Security is enabled on - Page 90
authorized" VLAN (auth-vid) and "unauthorized" VLAN (unauth-vid) you can configure for Web- or MAC-based authentication must be statically configured VLANs on the switch. Also, if you configure one or both of these options, any services you want clients in either category to access must be available - Page 91
or MAC-based configuration, ProCurve recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.) 2. Determine the switch ports that you want to configure as authenticators. Note - Page 92
MAC Authentication Setup Procedure for Web/MAC Authentication ProCurve (config)# show port-access config Port Access duration of the client session, if you choose to configure one. This must be a port-based, statically configured VLAN on the switch. c. If there is neither a RADIUS-assigned VLAN - Page 93
RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: ■ Configure the client device's (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the - Page 94
in the Advanced Traffic Management Guide for your switch.) Configuring the Switch To Access a RADIUS Server RADIUS Server Configuration Commands radius-server [host 18 This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC Auth. For information on - Page 95
does not have a server-specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. (Default: Null.) Syntax: radius-server host < ip-address > key [no] radius-server host < ip - Page 96
Web and MAC Authentication Setup Procedure for Web/MAC Authentication For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of '1A7rd' Figure 3-5. Example of Configuring a Switch To Access a RADIUS Server 3-19 - Page 97
Web Authentication Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication. If a redirect - Page 98
• You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenticated egress port that has not yet - Page 99
-directions in command) is supported only if: ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network. The port is configured as an edge port in - Page 100
on the switch. For information about how to configure and use 802.1X authentication, refer to Chapter 10, "Configuring Port-Based and User-Based Access Control (802.1X)". ■ When a web-authenticated port is configured with the controlled-directions in setting, eavesdrop prevention is not supported on - Page 101
Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based < ] Specifies the maximum number of authenticated clients to allow on the port. (Default: 1) Note: On switches where Web Auth and 802.1X can operate concurrently, this limit includes the total - Page 102
of 3 web servers may be configured on the switch. The optional Default: The default value is "/" for root directory. If the web server is also used for other purposes, you may wish to group the HTML files in their own directory, for example in "/EWA/") ProCurve Switch - Page 103
before authentication fails. This allows the reentry of the user name and password if necessary. (Default: 3) Syntax: aaa port-access web-based [quiet-period ] Specifies the time period (in seconds) the switch uses before sending an authentication request for a client that - Page 104
Configuring Web Authentication Syntax: aaa port-access web-based [reauth-period ] Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default URL that a user is redirected to ProCurve - Page 105
. If the switch supports MAC-based (untagged) VLANs, MAC-based is displayed to show that multiple untagged VLANs are configured for authentication sessions. • If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No) • If client-specific per-port CoS (Class of Service) values are - Page 106
Web and MAC Authentication Configuring Web Authentication ProCurve (config)# show port-access web-based Port Access Web-Based Status Auth the session status, name, and address for each web-authenticated client on the switch. The IP address displayed is taken from the DHCP binding table (learned - Page 107
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based clients detailed Displays detailed information on the status of web-authenticated client sessions on specified switch ports. ProCurve (config)# show port-access web-based clients 1 detailed - Page 108
configured Web Authentication settings for all switch ports or specified ports, including: • Temporary DHCP base address and mask • Support default VLAN ID is used unless overridden by a RADIUS-assigned value. ProCurve (config)# show port-access web-based config Port Access Web-Based Configuration - Page 109
Web Authentication Syntax: show port-access web-based config detailed Displays more detailed information on the currently configured Web Authentication settings for specified ports. ProCurve (config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed - Page 110
supported between authentication login attempts ProCurve (config)# show port-access web-based config auth-server Port Access Web-Based Configuration the currently configured Web Authentication settings for all ports or specified ports, including web-specific settings for password retries, SSL - Page 111
to the user during login. The web pages that are displayed can be: ■ Generic, default pages generated directly by the switch software ■ . Operating Notes and Guidelines ■ Customized Web Authentication pages are configured per switch, so that each Web-Auth enabled port displays the same customized - Page 112
HTML Files (Optional) ■ To configure a web server on your network, follow the instructions in the documentation provided with the an HTML file. The switch passes the request to a configured web server. ii. The web server responds by sending a customized HTML page to the switch. Each ESI call in - Page 113
HTML files, a set of the templates can be found on the download page for 'K' software. File Name Page index.html 3-36 accept.html Figure 8. User Login Page The index.html file is the first login page displayed, in which a client requesting access to the network enters a username and password. In - Page 114
Optional) ProCurve Web Authentication Template index.html --> User Login User Login Password: - Page 115
username and password are entered and accepted. The client device is then granted access to the network. To configure the VLAN switch to redirect an authenticated client while the client renews its IP address and gains access to the network. ■ The WAUTHREDIRECTURLGET ESI inserts the URL configured - Page 116
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) ProCurve Web Authentication Template accept.html --> Access Granted - Page 117
Page The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified. ProCurve Web Authentication Template authen.html --> Authenticating - Page 118
unauthorized client sessions. You can configure the VLAN used by unauthorized clients with the aaa port-access web-based unauth-vid command when you enable Web Authentication. The WAUTHREDIRECTTIMEGET ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client - Page 119
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) ProCurve Web Authentication Template reject_unauthvlan.html --> Invalid Credentials - Page 120
is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout command when you enable Web Authentication. ProCurve - Page 121
ESI displays the number of login retries that remain for a client that entered invalid login credentials. You can configure the number of times that a client can enter their user name and password before authentication fails with the aaa port-access web-based max-retries command when you enable Web - Page 122
and MAC Authentication Customizing Web Authentication HTML Files (Optional) ProCurve Web Authentication Template retry_login.html --> Invalid Credentials user back to the login page. --> - Page 123
to an SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable secure SSL-based Web Authentication by entering the aaa port-access web-based ssl port on a server to verify the client's username and password. This ESI should not be modified. 3-46 - Page 124
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) ProCurve Web Authentication Template sslredirect.html --> User Login SSL Redirect < - Page 125
to block an unauthorized client from attempting another login. To specify the time period before a new authentication request can be received by the switch, configure a value for the aaa port-access web-based quiet-period command when you enable Web Authentication. This ESI should not be modified - Page 126
and MAC Authentication Customizing Web Authentication HTML Files (Optional) ProCurve Web Authentication Template reject_novlan.html --> Access Denied user back to the login page. --> - Page 127
port assignments have been made. 3. Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC-Auth on the switch. 4. Configure the switch with the correct IP address and encryption key to access the RADIUS - Page 128
and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Configuration Level aaa port- format used to store the MAC addresses in the RADIUS server. (Default: no-delimiter) no-delimiter - specifies an aabbccddeeff format. single-dash - Page 129
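The RADIUS-side identity for MAC-Auth (page 94: the MAC address as both username and password) and the addr-format choice on the switch (page 129) as one added Python example. It is not code from the guide or from any RADIUS server product. no-delimiter and single-dash are the formats named on the page; multi-dash and multi-colon are assumed from the same switch family, lowercase hex digits and the FreeRADIUS "users" file layout are assumptions as well, and normalize_mac, detect_addr_format and users_file_entry are names chosen here.

```python
"""MAC-Auth identity as the RADIUS server must store it (added example)."""
import re
from typing import Dict, Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Strip any delimiters and return 12 lowercase hex digits, or raise."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits


# addr-format values. 'no-delimiter' and 'single-dash' are named on the page;
# 'multi-dash' and 'multi-colon' are assumed from the same switch family.
ADDR_FORMATS = {
    "no-delimiter": lambda h: h,                                    # aabbccddeeff
    "single-dash":  lambda h: f"{h[:6]}-{h[6:]}",                    # aabbcc-ddeeff
    "multi-dash":   lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "multi-colon":  lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
}


def radius_identity(mac: str, addr_format: str = "no-delimiter") -> Tuple[str, str]:
    """(User-Name, User-Password) the switch sends: both are the formatted MAC.

    Case is an assumption: the server compares the password byte for byte,
    so the stored value must use the same case the switch actually sends.
    """
    ident = ADDR_FORMATS[addr_format](normalize_mac(mac))
    return ident, ident


def detect_addr_format(user_name: str) -> Optional[str]:
    """Classify a User-Name seen in an Access-Request; None if not a MAC.

    Useful when the server rejects every MAC-Auth request: a mismatch between
    the switch's addr-format and the stored entries shows up here first.
    """
    try:
        h = normalize_mac(user_name)
    except ValueError:
        return None
    for name, fmt in ADDR_FORMATS.items():
        if fmt(h) == user_name.lower():
            return name
    return None


def users_file_entry(mac: str, addr_format: str = "no-delimiter",
                     reply: Optional[Dict[str, str]] = None) -> str:
    """FreeRADIUS-style 'users' entry: MAC as name and Cleartext-Password,
    optionally followed by reply attributes such as a VLAN assignment."""
    name, pw = radius_identity(mac, addr_format)
    lines = [f'{name}\tCleartext-Password := "{pw}"']
    items = list((reply or {}).items())
    for i, (attr, value) in enumerate(items):
        sep = "," if i < len(items) - 1 else ""
        lines.append(f"\t{attr} = {value}{sep}")
    return "\n".join(lines) + "\n"
```

Because the MAC is the whole credential, anyone who can observe or spoof a client's source address holds its password; the guide's VLAN and port-limit settings, not the RADIUS check, are what bound the damage.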
disabled, the switch does not allow moves and when one does occur, the user will be forced to reauthenticate. At least two ports (from port(s) and to port(s)) must be specified. Use the no form of the command to disable MAC address moves between ports under MAC Auth control. (Default: disabled - no - Page 130
Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [logoff-period] ] Specifies the period, in seconds, that the switch waits before processing an authentication request from a MAC address that failed authentication. (Default: 60 - Page 131
to 0. (Default: 0) switch supports MAC-based (untagged) VLANs, MAC-based is displayed to show that multiple untagged VLANs are configured for authentication sessions. • If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No) • If client-specific per-port CoS (Class of Service - Page 132
Web and MAC Authentication Configuring MAC Authentication on the Switch ProCurve (config)# show port-access mac-based Port Access MAC-Based is found in the DHCP binding table, n/a - no info is displayed. ProCurve (config)# show port-access mac-based clients Port Access MAC-Based Client Status - Page 133
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based clients detailed Displays detailed information on the status of MAC-authenticated client sessions on specified ports. ProCurve (config)# show port-access mac-based clients 1 - Page 134
currently configured MAC Authentication settings for all switch ports or specified ports, including: • MAC address format • Support for default VLAN ID is used unless overridden by a RADIUS-assigned value. ProCurve (config)# show port-access mac-based config Port Access MAC-Based Configuration - Page 135
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config detailed Displays more detailed information on the currently configured MAC Authentication settings for specified ports. ProCurve (config)# show port-access mac-based - Page 136
before authentication login fails • Length of time (quiet period) supported between authentication login attempts ProCurve (config)# show port-access mac-based config auth-server Port Access MAC-Based Configuration Client Client Logoff Re-Auth Max Quiet Server Port Enabled Limit Moves Period - Page 137
Client authenticated. Remains connected until logoff-period or reauth-period expires. Switch only Pending RADIUS request. No network access 1. Invalid credentials supplied. -period expires credentials are resubmitted when client generates traffic. Switch only Waiting for user credentials. 3-60 - Page 138
You Begin 4-8 CLI Commands Described in this Section 4-9 Viewing the Switch's Current Authentication Configuration 4-9 Viewing the Switch's Current TACACS+ Server Contact Configuration 4-10 Configuring the Switch's Authentication Methods 4-11 Using the Privilege-Mode Option for Login 4-11 - Page 139
TACACS+ in the switches covered in this guide manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch. That is, with - Page 140
Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you - Page 141
must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to chapter 2, "Configuring Username and Password Security".) • TACACS+ Authentication: This method enables you to use a TACACS+ server in your network to assign a unique password, user name - Page 142
ProCurve switches include the capability of configuring multiple backup TACACS+ servers. ProCurve recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to test the TACACS+ service before fully implementing it. - Page 143
a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ Operation" in the Troubleshooting chapter of the Management and Configuration Guide for - Page 144
a username/password pair that should have Manager privileges, you must use a privilege level of 15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, ProCurve recommends that you configure only - Page 145
access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for mis-configurations or missing data that could affect the console access - Page 146
of access. Syntax: show authentication This example shows the default authentication configuration. Configuration for login and enable access to the switch through the switch console port. Configuration for login and enable access to the switch through Telnet. Figure 4-2. Example Listing of the - Page 147
the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would - Page 148
or Manager) that was configured on the TACACS+ server for this username/password. The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level. ProCurve(config) aaa authentication login privilege - Page 149
to the switch by the TACACS+ server. Default: Single login disabled. < local | tacacs | radius > Selects the type of security access: local - Authenticates with the Manager and Operator password you configure in the switch. tacacs - Authenticates with a password and other data configured on a TACACS - Page 150
+ server. Specifies the primary method of authentication for the access method being configured. local: Use the username/password pair configured locally in the switch for the privilege level being configured tacacs: Use a TACACS+ server. Specifies the secondary (backup) type of authentication being - Page 151
TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup Then scroll down to the section that begins with "Shell" (See Figure 4-5). Check the Shell box. Check the Privilege level box and set the - Page 152
Figure 4-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch's console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server - Page 153
Enable Primary as Tacacs, when you attempt to Telnet to the switch, you will be prompted for a local password. If you enter the switch's local Manager password (or, if there is no local Manager password configured in the switch) you can bypass the TACACS+ server authentication for Telnet Enable - Page 154
Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve using Local. ProCurve (config)# aaa Local. ProCurve (config)# - Page 155
Setup Procedure" on page 4-5, ProCurve recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up - Page 156
Network Out-of-Band Management" in the Management and Configuration Guide for more information on out-of-band management. [no switch, then configuring either a global encryption key or a server-specific key in the switch for server "X" will block authentication support from server "X". Name Default - Page 157
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Specifies the IP address of a device Network Out-of-Band Management" in the Management and Configuration Guide for more information on out-of-band management. For switches that have a separate out-of-band management port, - Page 158
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Specifies the optional, global "encryption key" that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any "per-server" encryption keys you assign, and - Page 159
the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. (If - Page 160
key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs - Page 161
Figure 4-8. Using a TACACS (figure; labels recovered from the page: First-, Second- and Third-Choice TACACS+ Server (Optional); ProCurve Switch Configured for TACACS+ Operation; Terminal "A" Directly Accessing This Switch Via Switch's Console Port; Terminal "B" Remotely Accessing This Switch Via Telnet) - Page 162
at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username and repeat steps 2 through 4. In the default configuration, the switch allows up to three attempts to authenticate - Page 163
the requesting terminal does not match either username/password pair previously configured locally in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts. If the requesting - Page 164
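The TACACS+ decision chain this chapter describes (pages 140 to 164: primary and secondary methods, local fallback only when no server responds, console login and enable always available locally, up to three attempts, Manager access requiring privilege level 15, and the warning that a missing local Manager password protects nothing) as an added model in Python. It is not HP's code; the class and function names, the tacacs_server stand-in and its user table are constructed for the example.

```python
"""Model of the TACACS+ login decision chain (added example, not HP's code)."""
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT = "accept", "reject"
MAX_ATTEMPTS = 3            # default number of login attempts per the guide
MANAGER_PRIV_LEVEL = 15     # server-side privilege level that maps to Manager


class ServersUnreachable(Exception):
    """No configured TACACS+ server responded ('No Tacacs servers responding')."""


class LocalPasswords:
    """The switch's local Manager/Operator passwords."""

    def __init__(self, manager: Optional[str], operator: Optional[str] = None):
        self.manager, self.operator = manager, operator

    def check(self, level: str, password: str) -> bool:
        configured = self.manager if level == "manager" else self.operator
        # An unset level has no password to check, which is why the guide warns
        # that an Operator password alone does not protect Manager access.
        return configured is None or configured == password


def tacacs_server(users: Dict[str, Tuple[str, int]]) -> Callable[[str, str, str], str]:
    """Constructed stand-in for a reachable server: user -> (password, priv_lvl)."""
    def query(username: str, password: str, level: str) -> str:
        entry = users.get(username)
        if entry is None or entry[0] != password:
            return REJECT
        if level == "manager" and entry[1] < MANAGER_PRIV_LEVEL:
            return REJECT  # Manager access requires privilege level 15
        return ACCEPT
    return query


def tacacs_down(username: str, password: str, level: str) -> str:
    """Stand-in for the case where no server can be contacted."""
    raise ServersUnreachable()


def authenticate(access: str, level: str, username: str, password: str,
                 primary: str, secondary: str,
                 tacacs: Callable[[str, str, str], str],
                 local: LocalPasswords) -> Tuple[str, str]:
    """One credential submission. access: 'console' | 'telnet';
    level: 'operator' | 'manager'; primary/secondary: 'tacacs' | 'local' | 'none'."""
    def run(method: str) -> str:
        if method == "tacacs":
            return tacacs(username, password, level)   # may raise
        if method == "local":
            return ACCEPT if local.check(level, password) else REJECT
        return REJECT                                   # 'none'

    try:
        # A reachable server's answer is final: a REJECT never falls through
        # to the local passwords.
        return run(primary), f"primary:{primary}"
    except ServersUnreachable:
        if access == "console" and secondary != "local":
            secondary = "local"   # console login/enable is always available locally
        try:
            return run(secondary), f"secondary:{secondary}"
        except ServersUnreachable:
            return REJECT, "No Tacacs servers responding"


def login_session(attempts: List[Tuple[str, str]], **kw) -> Tuple[bool, int, str]:
    """Up to MAX_ATTEMPTS submissions, as in the default configuration."""
    used = 0
    for username, password in attempts[:MAX_ATTEMPTS]:
        used += 1
        result, via = authenticate(username=username, password=password, **kw)
        if result == ACCEPT:
            return True, used, via
    return False, used, "access denied after %d attempts" % used
```

The two cases worth testing on a real switch are the ones the model separates: a server that answers REJECT (the session ends after three attempts, no fallback) and a server that does not answer at all (the secondary method decides, and on the console that is always the local password, set or not).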
intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server. At the TACACS with the application. Encryption Options in the Switch When configured, the encryption key causes the switch to encrypt the TACACS+ packets it sends - Page 165
key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: ProCurve(config)# tacacs-server Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch. ■ Configure the switch - Page 166
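What the TACACS+ "encryption key" on pages 165 and 166 actually does on the wire, as an added example: the body obfuscation defined in RFC 8907 section 4.5 (an MD5 pseudo-pad keyed by the shared secret, XORed over the packet body), implemented here in Python and not taken from the guide or from HP's switch software. The session id, user name, password and key are constructed for the demonstration. The guide's point that a key mismatch blocks authentication from that server shows up as a body that decodes to garbage under the wrong key; note also that RFC 8907 itself describes this as obfuscation rather than encryption and recommends a protected transport for the TCP session.

```python
"""TACACS+ body obfuscation with the shared key, per RFC 8907 (added example)."""
import hashlib
import struct
from typing import Tuple

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body travels in cleartext


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int,
               length: int) -> bytes:
    """MD5 chain over (session_id, key, version, seq_no[, previous digest])
    until it covers the body; only the key is secret."""
    pad, prev = b"", b""
    sid = struct.pack("!I", session_id)
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int,
             seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, password: bytes, port: bytes = b"tty0",
                      rem_addr: bytes = b"") -> bytes:
    """Authentication START body for PAP (authen_type 2): the password is the
    data field, so without a key it is readable by anyone on the path."""
    action, priv_lvl, authen_type, service = 1, 1, 2, 1  # LOGIN, priv 1, PAP, LOGIN
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte header plus body; the cleartext flag is set when no key is configured."""
    if key:
        flags, wire_body = 0, xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, wire_body = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no,
                         flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet: bytes, key: bytes) -> Tuple[tuple, bytes]:
    """Return (header fields, body) as a receiver holding `key` sees it."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    return (version, ptype, seq_no, flags, session_id), body
```

The header, including the session id and the cleartext flag, is never obfuscated, which is why a server that requires a key rejects a client sending TAC_PLUS_UNENCRYPTED_FLAG and why a wrong key produces a body whose length fields no longer make sense rather than a clean error.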
or local), either the TACACS+ server application did not recognize the username/password pair or the username/password pair did not match the username/password pair configured in the switch. No Tacacs servers responding The switch has not been able to contact any designated TACACS+ servers. If - Page 167
TACACS+ servers are not accessible, setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons. ■ When using the copy command to transfer a configuration to a TFTP server, any optional, server-specific - Page 168
Contents Overview 5-3 Authentication Services 5-3 Accounting Services 5-4 RADIUS-Administered CoS and Rate-Limiting 5-4 RADIUS-Administered Commands Authorization 5-4 SNMP Access to the Switch's Authentication Configuration MIB 5-4 Terminology 5-5 Switch Operating Rules for RADIUS - Page 169
VLAN Attributes 5-35 Additional RADIUS Attributes 5-36 Configuring RADIUS Accounting 5-37 Operating Rules for RADIUS Accounting 5-39 Steps for Configuring RADIUS Accounting 5-39 1. Configure the Switch To Access a RADIUS Server 5-40 2. Configure Accounting Types and the Controls for Sending - Page 170
you track network resource usage. Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the ProCurve switch: ■ Serial port (Console) ■ Telnet ■ SSH ■ SFTP/SCP ■ Port-Access (802.1X) The switch also supports RADIUS accounting for Web - Page 171
Access to the Switch's Authentication Configuration MIB The switch's default configuration allows SNMP access to the hpSwitchAuth MIB (Management Information Base). A management station running an SNMP networked device management application such as ProCurve Manager Plus (PCM+) or HP OpenView can - Page 172
Service (QoS)" chapter in the Advanced Traffic Management Guide for your switch.) EAP (Extensible Authentication Protocol): A general PPP authentication protocol that supports , a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): a protocol - Page 173
.) ■ In the ProCurve switch, EAP RADIUS uses password. In this case, use the local username (if any) and password configured on the switch itself. ■ Zero-length usernames or passwords are not allowed for RADIUS authentication, even though allowed by some RADIUS servers. ■ TACACS+ is not supported - Page 174
switches covered in this guide problems with the server. Figure 5-1. Example of Possible RADIUS Access Assignments • Determine the IP address(es) of the RADIUS server(s) you want to support the switch. (You can configure the switch for up to three RADIUS servers.) • If you need to replace the default - Page 175
can be set by a Service Type value the RADIUS server includes in its authentication message to the switch. (Refer to "2. Enable the (Optional) Access Privilege Option" on page 5-13.) • Configure RADIUS on the server(s) used to support authentication on the switch. Configuring the Switch for RADIUS - Page 176
have already configured the RADIUS server(s) to support the switch. Refer to Default: null) 4. Configure the global RADIUS parameters. • Server Key: This key must match the encryption key used on the RADIUS servers the switch contacts for authentication and accounting services unless you configure - Page 177
(the default). ■ SSH: To use RADIUS for SSH access, first configure the switch for SSH operation. Refer to chapter 6, "Configuring Secure Shell (SSH)". ■ Web: You can enable RADIUS authentication for web browser interface access to the switch. You can configure RADIUS as the primary password - Page 178
peap-radius>> Configures RADIUS as the primary password authentication method for console, Telnet, SSH, and/or the web browser interface. (The default primary < switch. Use peap-mschapv2 when you want password verification without requiring access to a plain text password; it is more secure. Default - Page 179
configuration of authorized means no authentication will be performed and the client has unconditional access to the network, the "Enable Primary" and "Enable Secondary" fields are not applicable (N/A). ProCurve Method Suppose you already configured local passwords on the switch, but want RADIUS to - Page 180
covered in this guide. Figure 5-3. Example Configuration for RADIUS Authentication The switch now allows Telnet and SSH authentication only through RADIUS. Note If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients - Page 181
(Operator) access and once for Enable access. In the default RADIUS authentication operation, the switch's web browser interface requires only one successful authentication request. For more information on configuring the Service Type in your RADIUS application, refer to the documentation provided - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 182
the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the , the switch automatically assigns the default authentication port number. The auth-port number must match its server counterpart. (Default: 1812) - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 183
, see "Saving Security Credentials in a Config File" on page 2-10 in this guide. no radius-server host < ip-address > key Use the no form of the command to remove the key for a specified server. For example, suppose you have configured the switch as shown in figure 5-4 and you now need to make the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 184
Order" on page 5-50. 4. Configure the Switch's Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 185
key assignment. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. (Default: Null.) dead-time < 1 - 1440 > Optional. Specifies the time in minutes during which the switch will not attempt to use a RADIUS server that has not - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 186
console, Telnet, or SSH). If this occurs, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Management and Configuration Guide for your switch. For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 187
shown in this figure is available only on the switches covered in this guide. After two attempts failing due to username or password entry errors, the switch will terminate the session. Figure 5-7. Listings of Global RADIUS Parameters Configured In Figure 5-6 Global RADIUS parameters from figure - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 188
authentication MIB is always denied. Security Notes All usernames, passwords, and keys configured in the hpSwitchAuth MIB are not returned via SNMP, access to the security MIB open (the default setting), ProCurve recommends that you configure the switch with the SNMP version 3 management and access - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 189
: Enables manager-level SNMP read/write access to the switch's authentication configuration (hpSwitchAuth) MIB. excluded: Disables manager-level SNMP read/write access to the switch's authentication configuration (hpSwitchAuth) MIB. (Default: included ) Syntax: show snmp-server The output for this - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 190
-B21 Configuration Editor; Created on release #Z.14.XX hostname "ProCurve" snmp-server mib hpSwitchAuthMIB excluded ip default-gateway 10.10.24.55 snmp-server community "public" Operator vlan 1 name "DEFAULT_VLAN" untagged A1-A24,B1-B4 ip address 10.10.24.100 255.255.255.0 exit password manager - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 191
at the requesting terminal does not match either local username/password pair previously configured in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts. If the requesting - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 192
to support RADIUS authentication for web browser interface access (Web Authentication, Chapter 7). ■ Options for the switches covered in this guide: • Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch. • Configure the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 193
services for a user by enabling AAA RADIUS authorization. The NAS uses the information set up on the RADIUS server to control the user's access to CLI commands. The authorization type implemented on the switches covered in this guide interface is not supported. By default, all users may execute a - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 194
command exception flag, which indicates whether the user has permission to execute the commands in the list. See Configuring the RADIUS Server on page 5-28. After the Access-Accept packet is delivered, the command list resides on the switch. Any changes to the user's command list on the RADIUS server - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 195
| Method Commands | RADIUS Figure 5-10. Example of Show Authorization Command Configuring Commands Authorization on a RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server. RADIUS - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 196
is allowed to execute all commands available on the switch. An authenticated user can only execute a minimal set of commands (those that are available by default to any user). You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 197
that can be configured in the application. The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. 1. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below. ;[User Defined Vendor] ; ; The - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 198
for addition at UDV slot [0] Stopping any running services Creating backup of current config Adding Vendor [HP} added as [RADIUS (HP)] Done Checking new configuration... New configuration OK Re-starting stopped services 4. Start the registry editor (regedit) and browse to HKEY_LOCAL_MACHINE\software - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 199
you determined in step 4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 200
Find the location of the dictionary files used by FreeRADIUS (try /usr/local/share/freeradius). 3. Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $INCLUDE dictionary.hp 4. You can now use HP VSAs with other attributes when configuring user entries. 5-33 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 201
switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured VLAN that is statically configured on the switch for use in the authentication session. (For information on how to configure a user profile on a RADIUS - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 202
802.1X-, Web-, and MAC-authenticated client (user). The VLAN information is part of the user's profile stored in the RADIUS server's database and is applied if the VLANs exist on the switch. The support for RADIUS-assigned tagged and untagged VLAN configuration on an authenticated port allows you to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 203
this information to make a more intelligent policy decision on the configuration settings to return to the switch for a client session. ■ HP-acct-terminate-cause: A ProCurve proprietary RADIUS accounting attribute that allows a switch to report to the RADIUS server why an authentication session was - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 204
here. RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch, such as a logoff or a reboot. The switches covered in this guide support four types of accounting services: ■ Network accounting: Provides records - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 205
RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting ■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch: • Acct-Authentic • Acct-Delay-Time • Acct-Session-Id • Acct-Session-Time • Acct - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 206
RADIUS server IP address. - Optional-a UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recommended). - Optional-if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 207
string >]" parameter on page 5-14. (Default: null) 2. Configure accounting types and the controls for sending user with no username access to the switch 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 208
. Use this command only if the specified server requires a different encryption key than configured for the global encryption key. Note: When you save the config file using Xmodem the config file is loaded back onto the switch. (For a more complete description of the radius-server command and its options, turn - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 209
in the command, the authentication UDP port is set to the default 1812. Figure 5-11. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 5-11, above, configures the switch to use a RADIUS server at IP address 10.33.18 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 210
: Use Network if you want to collect accounting information on 802.1X port-based-access users connected to the physical ports on the switch to access the network. (See also "Accounting Services" on page 4.) ■ Commands: When commands authorization is enabled, a record accounting notice is sent after - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 211
to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server. ■ Suppress: The switch can suppress accounting for an unknown user having no username. Syntax: [no] aaa accounting update periodic < 1 - 525600> Sets - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 212
RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting To continue the example in figure 5-12, suppose that you wanted the switch to: ■ Send updates every 10 minutes on in-progress accounting sessions. ■ Block accounting for unknown users (no username). Update Period - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 213
shows data for a specific RADIUS host. To use show radius, the server's IP address must be configured in the switch, which requires prior use of the radius-server host command. (See "Configuring RADIUS Accounting" on page 5-37.) Figure 5-14. Example of General RADIUS Information from Show Radius - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 214
RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Term Round Trip Time PendingRequests Retransmissions Timeouts Malformed Responses Bad Authenticators Unknown Types Packets Dropped Definition The - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 215
's interactions with this server. (Requires prior use of the radius-server host command to configure a RADIUS server IP address in the switch. See "Configuring RADIUS Accounting" on page 5-37.) Figure 5-16. Example of Login Attempt and Primary/Secondary Authentication Information from the Show - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 216
accounting interval, "Empty User" suppression status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 217
of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the of any other server addresses in the list. For example if you initially configure three server addresses, they are listed in the order in which you - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 218
. 2. Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. 3. Re-enter 10.10.10.003. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list. 4. Re-enter 10.10.10.001. Because the only - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 219
"001" address in the last position in the list. Figure 5-22. Example of New RADIUS Server Search Order Shows the new order in which the switch searches for a RADIUS server. 5-52 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 220
for and attempting RADIUS authentication; however, it is not receiving a response from a RADIUS server. Ensure that the switch is configured to access at least one RADIUS server. (Use show radius.) If you also see the message Can't reach RADIUS server < x.x.x.x >, try the suggestions listed - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 221
1. Assigning a Local Login (Operator) and Enable (Manager) Password 6-9 2. Generating the Switch's Public and Private Key Pair 6-10 Configuring Key Lengths 6-13 3. Providing the Switch's Public Key to Clients 6-13 4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior 6-16 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 222
The same private key can be stored on one or more clients.) ProCurve Switch (SSH Server) 1. Switch-to-Client SSH authentication. 2. Client-to-Switch (login rsa) authentication 3. User-to-Switch (enable password) authentication options: - Local - TACACS+ - RADIUS - None Figure 6-1. Client Public Key - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 223
Note Configuring Secure Shell (SSH) Terminology SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com. Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 224
Secure Shell (SSH) Terminology ■ Enable Level: Manager privileges on the switch. ■ Login Level: Operator privileges on the switch. ■ Local password or username: A Manager-level or Operator-level password configured in the switch. ■ SSH Enabled: (1) A public/private key pair has been generated on - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 225
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 226
switch uses client public-key authentication instead of the switch password options for primary authentication. The general steps for configuring ASCII file on a TFTP server accessible to the switch and download the client public key file to the switch. (The client public key file can hold up to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 227
a login (Operator) and enable (Manager) password on the switch (page 6-10). 2. Generate a public/private key pair on the switch (page 6-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 228
In some situations this can temporarily allow security breaches. ■ The switch does not support outbound SSH sessions. Thus, if you Telnet from an SSH-secure switch to another SSH-secure switch, the session is not secure. ■ With SSH running, the switch allows one console session and up to five other - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 229
Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH rsa [bits ]] ip ssh cipher filetransfer ip-version mac port < 1 - 65535|default > timeout < 5 - 120 > listen aaa authentication ssh login < local | tacacs - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 230
(Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch's configuration. To Configure Local Passwords. You can configure both the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 231
Install RSA key for autorun. See "Configuring Autorun on the Switch" in Appendix A of the Management and Configuration Guide for more information. cert Install RSA key for https certificate. See "Configuring the Switch for SSL Operation" on page 7-7 in this guide for more information. ssh [dsa | rsa - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 232
Configuring the Switch for SSH Operation show crypto host-public-key Displays switch's public key. Displays the version 1 and version 2 views of the key. [ babble ] Displays hashes of the switch learning the key. If you wish to compare the switch key to the key as stored in your client's knownhosts - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 233
SSH with the ip ssh command before the switch can resume SSH operation. Configuring Key Lengths The crypto key generate ssh command switch's key in this way reduces the chance that an unauthorized device can pose as the switch to learn your access passwords. The most secure way to acquire the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 234
Configuring the Switch for SSH Operation (The generated public key on the switch is always 896 bits.) With a direct serial connection from a management station to the switch: 1. Use a terminal application such as HyperTerminal to display the switch text, and copy the switch's public key into the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 235
Secure Shell (SSH) Configuring the Switch for SSH Operation ■ Non-encoded ASCII numeric string: key. The switch always uses ASCII version (without babble or fingerprint conversion) of its public key for file storage and default display format. 4. Enabling SSH on the Switch and Anticipating SSH - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 236
to download the switch's public key into the client. See the following Note.) When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 237
Secure Shell (SSH) Configuring the Switch for SSH Operation To disable SSH on the switch, do either of the following: ■ Execute no ip ssh. ■ Zeroize the switch's existing key pair. (page 6-11). Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher ] Specify a cipher - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 238
port and on the data ports. This is the default value. Refer to Appendix G, "Network Out-of-Band Management" in the Management and Configuration Guide for more information on out-of-band management. The listen parameter is not available on switches that do not have a separate out-of-band management - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 239
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation ProCurve recommends using the default access can be restricted by the use of passwords local to the switch, if you are unsure of the security this switch's Management and Configuration Guide. To protect against unauthorized 6-19 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 240
page 6-24 ProCurve recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch's configuration. Also, if you configure only an Operator password, entering the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 241
enable command. Syntax: copy tftp pub-key-file < ip-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none). 6-21 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 242
Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none > Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none. If - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 243
Secure Shell (SSH) Configuring the Switch for SSH Operation Configures Manager username and password. ProCurve(config)# password manager user-name leader New password for Manager: ******** Please retype new password for Manager: ******** ProCurve(config)# aaa authentication ssh login public - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 244
switch. If you have problems, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Management and Configuration Guide for your switch Operator) access via local password, then the switch will refuse other SSH clients. SSH clients that support client public-key authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 245
-key file. (As a prerequisite, you must use the switch's copy tftp command to download this file to flash.) 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 246
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Bit Size To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch The switch supports the following client-public-key properties: Property Supported - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 247
Configuring Secure in a single text file or individually on a TFTP server to which the switch has access. Terminate all client public-keys in the file except the last one you can manually add or edit any comments the client application adds to the end of the key, such as the [email protected] - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 248
through the data interface. The oobm parameter is not available on switches that do not have a separate out-of-band management port. Refer to Appendix G, "Network Out-of-Band Management" in the Management and Configuration Guide for more information on out-of-band management. show crypto client-public - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 249
3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authentication. After you TFTP a client-public-key file into the switch (described above), you can configure the switch to allow the following: ■ If an SSH client's public key matches the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 250
the switch experienced a problem when trying to copy tftp the requested file. The file may not be in the expected directory, the filename may be misspelled in the command, or the file permissions may be wrong. The ip ssh port command has attempted to configure a reserved TCP port. Use the default or - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 251
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Client public key file corrupt or not The client key does not exist in the switch. Use copy found. Use 'copy tftp pub-key-file ' to download new file - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 252
Configuring Secure Shell (SSH) Messages Related to SSH Operation Debug Logging To add ssh messages to the debug log output, enter this command: ProCurve# debug ssh LOGLEVEL where LOGLEVEL is one of the following (in order of increasing verbosity): • fatal • error • info • verbose • debug • debug2 • - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 253
7-5 General Operating Rules and Notes 7-6 Configuring the Switch for SSL Operation 7-7 1. Assigning a Local Login (Operator) and Enabling (Manager) Password 7-7 2. Generating the Switch's Server Host Certificate 7-8 To Generate or Erase the Switch's Server Certificate with the CLI 7-9 Comments - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 254
web access, SSL provides encrypted, authenticated transactions. The authentication type includes server certificate authentication with user password authentication. Note SSL in the switches covered in this guide is based on the OpenSSL software toolkit. For more information on OpenSSL, visit www - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 255
SSL) Terminology ProCurve Switch (SSL Server) 1. Switch-to-Client SSL Cert. 2. User-to-Switch (login password and enable password authentication) options: - Local - TACACS+ - RADIUS SSL Client Browser Figure 7-1. Switch/User Authentication SSL on the switches covered in this guide supports these - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 256
certificates are pre-installed). ■ Manager Level: Manager privileges on the switch. ■ Operator Level: Operator privileges on the switch. ■ Local password or username: A Manager-level or Operator-level password configured in the switch. ■ SSL Enabled: (1) A certificate key pair has been generated on - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 257
the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL support SSL and TLS functionality. See browser documentation for additional details B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 258
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid regenerating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch's certificate on - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 259
the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface, refer to the chapter titled "Using the ProCurve Web Browser Interface" in the Management and Configuration Guide for your switch. 7-7 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 260
(SSL) Configuring the Switch for SSL Operation Password Button Security Tab Figure 7-2. Example of Configuring Local Passwords 1. Proceed to the Security tab and select the Device Passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords. You - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 261
Secure Socket Layer (SSL) Configuring the Switch for SSL Operation to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 262
CLI: i. Generate a certificate key pair. This is done with the crypto key generate cert command. The default key size is 512. Note: If a certificate key pair is already present in the switch, it is not necessary to generate a new key pair when generating a new certificate. The existing key pair - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 263
any future date; however, good security practice suggests a valid duration of about one year between updates of passwords and keys. This should be the IP address or domain name associated with the switch. Your web browser may warn you if this field does not match the URL entered into the web - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 264
Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface refer to the chapter titled "Using the ProCurve Web Browser Interface" in the Management and Configuration Guide for your switch. 7-12 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 265
Configuring the Switch for SSL Operation To generate a self-signed host certificate from the web browser interface: i. Proceed to the Security tab, then the SSL button. The SSL configuration arguments (refer to "To Generate or Erase the Switch's Server Certificate with the CLI" on page 7-9). vi - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 266
Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browser interface: Security Tab Create Certificate Button Certificate Type Box Key Size - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 267
Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 7-6. Web browser Interface showing the web browser interface, refer to the chapter titled "Using the ProCurve Web Browser Interface" in the Management and Configuration Guide for your switch. 7-15 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 268
generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL To generate a certificate request from the web - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 269
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior The web-management ssl command enables SSL - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 270
have not already done so, refer to "2. Generating the Switch's Server Host Certificate" on page 7-8. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients; however, unless you disable the standard ProCurve web browser interface with the no web-management - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 271
Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See "Note on Port - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 272
Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SSL and port number selection Figure 7-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number ProCurve recommends using the default IP port number (443). However, you can use - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 273
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common You may not have SSL enabled (Refer to "3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior" on page 7-17.) Your browser may not support SSLv3 or TLSv1 or it may be disabled. (Refer to the documentation - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 274
Protection Contents Introduction 8-3 DHCP Snooping 8-4 Overview 8-4 Enabling DHCP Snooping 8-5 Enabling DHCP Snooping on VLANS 8-7 Configuring DHCP Snooping Trusted Ports 8-8 Configuring Authorized Server Addresses 8-9 Using DHCP Snooping with Option 82 8-9 Changing the Remote-id from a MAC - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 275
Database . . . . . 8-28 Potential Issues with Bindings 8-28 Adding a Static Binding 8-29 Verifying the Dynamic IP Lockdown Configuration 8-29 Displaying the Static Configuration of IP-to-MAC Bindings 8-30 Debugging Dynamic IP Lockdown 8-31 Using the Instrumentation Monitor 8-33 Operating Notes - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 276
Configuring Advanced Threat Protection Introduction Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users A denial-of-service (DoS) attack to expose a vulnerability in the switch, indicated by an excessive number - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 277
the switch, indicated by an excessive number of failed logins or port authentication failures • Attempts to deny switch service by avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 278
Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users globally by entering this command: ProCurve(config)# dhcp-snooping Use the no - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 279
for packets received on untrusted ports or the packet is dropped. Default: Yes vlan: Enable DHCP snooping on a vlan. DHCP snooping must be enabled already. Default: No To display the DHCP snooping configuration, enter this command: ProCurve(config)# show dhcp-snooping An example of the output is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 280
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snooping stats Packet type on VLANS DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs enter this command: ProCurve(config)# dhcp-snooping vlan You - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 281
Advanced Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command: ProCurve(config)# dhcp-snooping trust You can also use this command in the interface context - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 282
configuration context: ProCurve(config)# dhcp-snooping authorized-server ProCurve ports by default. (See the preceding section Configuring DHCP Relay for more information on Option 82.) When DHCP is enabled globally and also enabled on a VLAN, and the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 283
a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the option is replaced with a new Option 82 generated by the switch. The default drop policy should remain in effect if there are any untrusted - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 284
Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch as the remote-id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 285
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# dhcp-snooping verify mac ProCurve switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch before writing to the database. Default = 300 seconds. timeout - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 286
dhcp-snooping binding ProCurve(config)# show dhcp-snooping binding MacAddress 22.22.22.22.22.22 IP VLAN Interface Time left 10.0.0.1 4 B2 1600 Figure 8-8. Example Showing DHCP Snooping Binding Database Contents Note If a lease database is configured, the switch drops all DHCP packets - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 287
Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 288
Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for < the remote server. DHCP packets being rate-limited. Too many DHCP packets are flowing through the switch and some are being dropped. Snooping table is full. The DHCP binding table is full and subsequent - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 289
Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch " in the Multicast and Routing Guide. ARP requests are ordinarily broadcast to the poisoned address and can capture passwords, e-mail, and VoIP calls or even - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 290
and then re-forwards them through the switch software. During this process, if ARP packets are received at too high a line rate, some ARP packets may be dropped and will need to be retransmitted. ■ The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection and to report ARP - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 291
ProCurve(config)# arp-protect vlan 1-101 Configuring Trusted Ports In a similar way to DHCP snooping, dynamic ARP protection allows you to configure hand, if Switch A does not support dynamic ARP protection and you configure the port on Switch B connected to Switch A as trusted, Switch B opens itself - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 292
from an attacker and forward them to protected switches through trusted ports. To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports, enter the arp-protect trust command at the global configuration level. The switch does not check ARP requests and responses received - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 293
user-configured IP addresses, you can enter static IP-to-MAC address bindings in the DHCP binding database. The switch uses manually configured and VLAN binding is configured in the DHCP binding database. An example of the ip source-binding command is shown here: ProCurve(config)# ip source- - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 294
Drops any unicast ARP response packet in which the destination MAC address in the Ethernet header does not match the target MAC address in the body of the ProCurve(config)# arp-protect validate src-mac dst-mac Verifying the Configuration of Dynamic ARP Protection To display the current configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 295
Configuring Advanced Threat Protection Dynamic ARP Protection ProCurve(config)# show arp-protect ARP Protection Information Enabled and IP validation failures, enter the show arp-protect statistics command: ProCurve(config)# show arp-protect statistics Status and Counters - ARP Protection Counters - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 296
and troubleshoot the validation of ARP packets with the debug arp-protect command. Use this command when you want to debug the following conditions: ■ The switch is dropping valid ARP packets that should be allowed. ■ The switch is allowing invalid ARP packets that should be dropped. ProCurve(config - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 297
Configuring Advanced Threat Protection Dynamic IP Lockdown Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 298
been configured. ■ For dynamic IP lockdown to work, a port must be a member of at least one VLAN that has DHCP snooping enabled. ■ Disabling DHCP snooping on a VLAN causes Dynamic IP bindings on Dynamic IP Lockdown-enabled ports in this VLAN to be removed. The port reverts back to switching traffic - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 299
IP lockdown globally on all ports or on specified ports on the routing switch. Operating Notes ■ Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 300
level or the dhcp-snooping command at the VLAN configuration level. • Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled.) By default, all ports are untrusted. To remove the trusted - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 301
IP address, and lease time. Dynamic IP lockdown supports a total of 4K static and dynamic bindings. Static bindings are created manually with the CLI or from a downloaded configuration file. When dynamic IP , and a port or switch has the maximum number of bindings configured, the client DHCP request - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 302
port number on which the IP-to-MAC address and VLAN binding is configured in the DHCP binding database. Note that the ip source-binding command is the same command used by the Dynamic ARP Protection feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 303
status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port. ProCurve(config)# show port number on which source IP-to-MAC address and VLAN bindings are configured in the DHCP lease database. An example of the show ip source-lockdown bindings - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 304
Configuring Advanced Threat Protection Dynamic IP Lockdown ProCurve(config)# show ip source-lockdown bindings Dynamic IP Lockdown the "Not in HW" column specifies whether or not (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined in the lease database - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 305
Configuring Advanced Threat Protection Dynamic IP Lockdown ProCurve(config)# debug dynamic-ip-lockdown DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets DIPLD 01/01/90 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 306
switch with an invalid login or password. Also, it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch other features. A delay of several seconds indicates a problem. The number of MAC addresses learned in the forwarding - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 307
the instrumentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see "Configuring Instrumentation Monitor" on page 8-35). ■ When a parameter exceeds its threshold, an alert (event log message and/or SNMP trap) is generated to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 308
Instrumentation Monitor The following commands and parameters are used to configure the operational thresholds that are monitored on the switch. By default, the instrumentation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName|all] [] [log] : Enables - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 309
Configuring Advanced Threat Protection Using the Instrumentation Monitor To enable instrumentation monitor using the default parameters and thresholds, with the default medium values: ProCurve(config)# instrumentation monitor To turn off monitoring of the system delay parameter: ProCurve(config)# no - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 310
Instrumentation Monitor Viewing the Current Instrumentation Monitor Configuration The show instrumentation monitor configuration command displays the configured thresholds for monitored parameters. ProCurve# show instrumentation monitor configuration PARAMETER LIMIT mac-address-count 1000 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 311
9-3 Source-Port Filters 9-4 Operating Rules for Source-Port Filters 9-4 Example 9-5 Named Source-Port Filters 9-6 Operating Rules for Named Source-Port Filters 9-6 Defining and Configuring Named Source-Port Filters 9-7 Viewing a Named Source-Port Filter 9-8 Using Named Source-Port Filters - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 312
Filters and Monitors Overview Overview Source-port filters are available on the HP ProCurve switch models covered in this guide. Introduction Feature configure source-port filters display filter data Default none n/a Menu n/a n/a CLI Web page 9-18 n/a page 9-20 n/a You can enhance in - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 313
Traffic/Security Filters and Monitors Filter Types and Operation Filter Types and Operation Table 9-1. Filter Types and Criteria Static Filter Selection Criteria Type Source-Port Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 314
the indicated source-port to specific destination ports. End Node "A" End Node "B" End Node "C" Server Hub Port 1 Switch 6120 Configured for Port 2 Source-Port Filtering Configuring a source-port filter to drop traffic received on port 1 with an outbound destination of port 2 means that End - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 315
-port filter are subject to the same operation as inbound packets on a port that is not configured for source-port filtering. ■ With multiple IP addresses configured on a VLAN, and routing enabled on the switch, a single port or trunk can be both the source and destination of packets moving between - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 316
-port filter once and apply it to multiple ports and port trunks. This can make it easier to configure and manage source-port filters on your switch. The commands to define, configure, apply, and display the status of named source-port filters are described below. Operating Rules for Named Source - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 317
filters that can be used is equal to the number of ports on a switch. A named source-port filter can only be removed if it is not in Since "forward" is the default state for destinations in a filter, this command is useful when destinations in an existing filter are configured for "drop" and you - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 318
-filter webonly ProCurve(config)# filter source-port named-filter accounting By default, these two named source-port filters forward traffic to all ports and port trunks. To configure a named source-port filter to prevent inbound traffic from being forwarded to specific destination switch ports or - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 319
may be sent to the Accounting Server or Workstations. 3 All other switch ports may only send traffic to Port 1. Accounting Workstation 1 Accounting Accounting Server 1 Figure 9-4. Network Configuration for Named Source-Port Filters Example Defining and Configuring Example Named Source-Port Filters. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 320
the named source-port filters have been defined and configured we now apply them to the switch ports. ProCurve(config)# filter source-port 2-6,8,9,12-26 named-filter web-only ProCurve(config)# filter source-port 7,10,11 named-filter accounting ProCurve(config)# filter source-port 1 named-filter no - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 321
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter Traffic/Security Filters IDX Filter Type | Value 1 Source Port | 2 2 Source IDX number for as long as the filter exists in the switch. The switch assigns the lowest available IDX number to a new filter. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 322
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 4 ProCurve(config)# show filter 24 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Source Port : 5 Filter Type : Source Port Source Port : 10 Dest Port - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 323
Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters to the Accounting Server or Workstations. 3 All other switch ports may only send traffic to Port 1. Accounting 9-10. Expanded Network Configuration for Named Source-Port Filters Example 9-13 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 324
remove the existing source-port filters on the port. ProCurve(config)# no filter source-port 8,12,13 ProCurve(config)# filter source-port 8,12,13 named-filter accounting ProCurve(config)# The named source-port filters now manage traffic on the switch ports as shown below, using the show filter - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 325
, determine the filter action you want for each outbound (destination) port on the switch (forward or drop). The default action for a new filter is to forward traffic of the specified type to all outbound ports. 3. Configure the filter. 4. Use show filter (page 9-20) to check the filter listing to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 326
for that filter to the Forward action. (Default: Forward on all ports.) Note: If multiple VLANs are configured, the source-port and the destination port trunk) to all destination ports (or trunks) on the switch. [ forward ] < port-list > Configures the filter to forward traffic for the ports and/ or - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 327
of a port name. For example, to create a filter on port trunk 1 to drop traffic received inbound for trunk 2 and ports 10-15: ProCurve(config)# filter source-port trk1 drop trk2,10-15 Note that if you first configure a filter on a port and then later add the port to a trunk, the port remains - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 328
want the trunk to which port 5 belongs to filter traffic, then you must explicitly configure filtering on the trunk. Note: If you configure an existing trunk for filtering and later add another port to the trunk, the switch will apply the filter to all traffic moving on any link in the trunk. If - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 329
14. Assigning Additional Destination Ports to an Existing Filter For example, suppose you wanted to configure the filters in table 9-2 on a switch. (For more on source-port filters, refer to "Configuring a Source-Port Traffic Filter" on page 9-16.) Table 9-2. Filter Example Filter Type Filter Value - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 330
and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers. IDX: An automatically assigned index number used to identify the filter for a detailed information - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 331
Authentication on the Switch . . . . . 10-17 Configuring Switch Ports as 802.1X Authenticators 10-18 1. Enable 802.1X Authentication on Selected Ports 10-19 A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication 10-19 B. Specify User-Based Authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 332
Port-Based and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method 10-24 4. Enter the RADIUS Host IP Address(es) 10-25 5. Enable 802.1X Authentication on the Switch 10-25 6. Optional: Reset Authenticator Operation 10-26 7. Optional: Configure 802.1X - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 333
Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Authenticators Disabled n/a page 10-18 n/a Configuring 802.1X Open VLAN Mode Disabled n/a page 10-29 n/a Configuring Switch Ports to Operate - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 334
requiring further authentication. • Supplicant implementation using CHAP authentication and independent user credentials on each port. ■ The local operator password configured with the password command for management access to the switch is no longer accepted as an 802.1X authenticator credential - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 335
where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials. For reasons outlined below, this option is recommended for applications the same configuration this should not be a problem. But if the RADIUS server responds with different configurations for different - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 336
a RADIUS Server Note that you can also configure 802.1X for authentication through the switch's local username and password instead of a RADIUS server, but doing so increases the administrative burden, decentralizes user credential administration, and reduces security by limiting authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 337
switch is configured to operate as an authenticator. In the case of a switch running 802.1X, this is a RADIUS server (unless local authentication is used, in which case the switch performs this function using its own username and password for authenticating a supplicant). Authenticator: In ProCurve - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 338
port can be an untagged member of only one VLAN. (In the factory-default configuration, all ports on the switch are untagged members of the default VLAN.) An untagged VLAN membership is required for a client that does not support 802.1q VLAN tagging. A port can simultaneously have one untagged VLAN - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 339
is denied and the port remains blocked. • If 802.1X on the switch is configured for local authentication, then: i. The switch compares the client's credentials to the username and password configured in the switch (Operator level). ii. If the client is successfully authenticated and authorized to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 340
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation Note The switches covered in this guide can use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, refer to "User Authentication Methods" on page 10 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 341
New Client Authenticated Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation RADIUSAssigned VLAN? Assign New Client to RADIUS- Yes Specified VLAN No Authorized VLAN Configured? No Untagged VLAN Configured On Port ? No Assign New Client Yes - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 342
to open a path for downloading 802.1X supplicant software to a client or to provide other services for unauthenticated clients. Refer to "802.1X Open VLAN Mode" on page 10-29.) ■ Using port-based 802.1X authentication, when a port on the switch is configured as an authenticator, one authenticated - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 343
is not supported on ports configured for 802.1X port-access security. ■ A port can be configured as an authenticator or an 802.1X supplicant, or both. Some configuration instances block traffic flow or allow traffic to flow without authentication. Refer to "Configuring Switch Ports To Operate - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 344
not be required for your 802.1X configuration, ProCurve recommends that you use a local username and password pair at least until your other security measures are in place.) For switches covered in this guide, the local operator password configured with the password command is not accepted as an 802 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 345
General Setup Procedure for 802.1X Access Control ProCurve(config)# password port-access user-name Jim secret3 Figure 10-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 346
or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.) 6. Unless you are using only the switch's local username and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 347
software to download the software so that they can initiate an authentication session, enable the 802.1X Open VLAN mode on the ports you want to support this feature. Refer to page 10-29. 3. Configure the 802.1X authentication type. Options include: • Local Operator username and password (using the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 348
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 349
a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication. A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 350
(802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X to convert a port from user-based authentication to port-based authentication, which is the default setting for ports on which authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 351
-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User-Based 802.1X Authentication This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. ProCurve(config)# aaa - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 352
User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 353
-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which connected clients must be re-authenticated. When the timeout is set to 0, reauthentication is disabled. (Default: 0 seconds) [unauth - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 354
method for port-access. The default primary authentication is local. (Refer to the documentation for your RADIUS server application.) For switches covered in this guide, you must use the password port-access command to configure the operator username and password for 802.1X access. See - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 355
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 356
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset state (using the aaa port-access controlled-directions in command) is supported only if: ■ The port is configured as an edge port in the network using the spanning-tree edge - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 357
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 358
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 359
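The setup procedure above, steps A through 6, gathered into one configuration session. This is an added example, not text or a screen capture from the guide: ports A10-A12 follow the guide's own example, while the RADIUS server address 10.28.127.101 and its key are assumptions. The server is added with radius-server host, the fully spelled global form of the command this chapter's step 3 writes as radius host; confirm each command's syntax on your software version before pasting.

```text
! Added example (not from the guide). Assumes A10-A12 face user desktops and
! that a RADIUS server at 10.28.127.101 (hypothetical) shares the key
! "r4d1us-key" (hypothetical) with the switch.

! 1. Local 802.1X credential. The switch's normal 'password operator' value
!    is NOT accepted for 802.1X; only 'password port-access' is. The guide
!    recommends keeping a local pair until RADIUS is proven.
ProCurve(config)# password port-access user-name Jim secret3
! 'include-credentials' writes that password into the saved configuration,
! so anyone who can read startup-config can read it. Use it only where
! config backups are themselves access-controlled.
ProCurve(config)# include-credentials

! 2. Enable the ports as authenticators (port-based is the default mode).
!    LACP is disabled on them automatically; a port already in an LACP
!    trunk must be removed from the trunk first.
ProCurve(config)# aaa port-access authenticator A10-A12

! 3. User-based mode: every client on the port authenticates separately.
!    Set client-limit to what the port really needs (1 for a desktop,
!    2 for a desktop behind an IP phone), not the maximum of 32.
ProCurve(config)# aaa port-access authenticator A10-A12 client-limit 2

! 4. Authentication method and RADIUS server. With eap-radius there is no
!    automatic fallback to the local credential: if no server responds the
!    client is refused ("No server(s) responding" in the log).
ProCurve(config)# aaa authentication port-access eap-radius
ProCurve(config)# radius-server host 10.28.127.101 key r4d1us-key

! 5. Timers. reauth-period 0 (the default) never re-authenticates a client;
!    3600 forces a fresh RADIUS decision every hour, so a disabled account
!    loses access within that window instead of holding the port all day.
ProCurve(config)# aaa port-access authenticator A10-A12 reauth-period 3600
ProCurve(config)# aaa port-access authenticator A10-A12 quiet-period 60

! 6. Optional: let the port transmit before a client authenticates (e.g.
!    Wake-on-LAN) while still blocking everything inbound. Valid only on
!    an edge port with RSTP/MSTP running, as the text above states.
ProCurve(config)# spanning-tree
ProCurve(config)# spanning-tree A10-A12 admin-edge-port
ProCurve(config)# aaa port-access A10-A12 controlled-directions in

! 7. Activate 802.1X on the switch and verify the result.
ProCurve(config)# aaa port-access authenticator active
ProCurve(config)# show port-access authenticator A10-A12
ProCurve(config)# show port-access authenticator clients A10-A12
```

Run show port-access authenticator before enabling port security on the same ports (the Note at step 7 of the guide); a port that shows no clients after a known-good supplicant connects usually means the RADIUS key or server address in step 4 is wrong, which show radius will confirm.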
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode IP addressing from a DHCP server ■ Downloading the 802.1X supplicant software necessary for an authentication session The 802.1X Open VLAN mode solves this problem by temporarily suspending the port's static VLAN - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 360
Note On ports configured to allow multiple sessions using 802.1X user-based access control, switch operates in an environment where some valid clients will not be running 802.1X supplicant software and need to download it is already assigned in the switch configuration. The port also becomes an - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 361
to create one or two static VLANs on the switch for exclusive use by per-port 802.1X Open VLAN mode authentication: ■ Unauthorized-Client VLAN: Configure this VLAN when unauthenti- cated, friendly clients will need access to some services before being authenticated or instead of being authenticated - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 362
the Unauthorized-Client VLAN. • To limit security risks, the network services and access available on the Unauthorized-Client VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as a tagged member of any other VLANs, access to these - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 363
Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Authorized-Client VLAN Port port does not become a member of the Unauthorized-Client VLAN. On the switches covered in this guide, you can use the unauth-period command (page 10-23) to delay - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 364
VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 365
Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 366
User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure clients allowed on switches covered in this guide, the first - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 367
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode are blocked. • When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 368
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode manually configured IP address before connecting to the switch. Condition: 802.1X Supplicant Software for a Client Connected to a Port Configured for Open VLAN Mode. Rule: A friendly client, without 802.1X supplicant software, connecting to an authenticator port must be able to download - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 369
Allow Multiple-Client Access Rule You can optionally enable switches to allow up to 32 clients per port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured to support. However, all clients on the same port must operate - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 370
connecting to the switch, or download one through the Unauthorized-Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN. ■ Ensure that the switch is connected to a RADIUS server configured to support authentication requests from - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 371
802.1X supplicant software that supports the use of local switch passwords. Ensure that you do not introduce a security risk by allowing Unauthorized-Client VLAN access to network services or resources that could be compromised by an unauthorized client. Configuring General 802.1X Operation: These - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 372
Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > [oobm] Adds a server to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 373
. The server is connected to a port on the Default VLAN. ■ The switch's default VLAN is already configured with an IP address of 10.28.127.100 and a network mask of 255.255.255.0 ProCurve(config)# aaa authentication port-access eap-radius Configures the switch for 802.1X authentication using an EAP - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 374
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 375
802.1X with the control mode in the port-access authenticator command set to auto (the default setting). For example, if port A10 was at a non-default 802.1X setting and you wanted to configure it to support the port-security option, you would use the following aaa port-access command: Control mode - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 376
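The Open VLAN mode procedure above, including the port-security option that needs control mode auto, as one added configuration example. It is not from the guide: VLAN 50 as the Unauthorized-Client VLAN and VLAN 20 as the Authorized-Client VLAN are assumed numbers, and ports A10-A12 reuse the guide's example ports.

```text
! Added example (not from the guide). VLAN 50 (hypothetical) holds only a
! DHCP server and the host that serves the supplicant download; VLAN 20
! (hypothetical) is the production VLAN for authenticated users. Both must
! exist as static VLANs before an aaa port-access command names them.
ProCurve(config)# vlan 50 name Unauth-Clients
ProCurve(config)# vlan 20 name Auth-Clients

! Open VLAN mode on the authenticator ports. Any static untagged VLAN on
! A10-A12 is suspended while a port is temporarily in VLAN 50 or VLAN 20.
ProCurve(config)# aaa port-access authenticator A10-A12 unauth-vid 50
ProCurve(config)# aaa port-access authenticator A10-A12 auth-vid 20

! Delay the move into VLAN 50 (seconds) so a device that is merely slow to
! start its supplicant never touches the unauthorized VLAN at all.
ProCurve(config)# aaa port-access authenticator A10-A12 unauth-period 30

! Risk limit from the guide: VLAN 50 should offer only what a client needs
! to start an authentication session. Do not route it to production
! subnets or host anything there beyond DHCP and the supplicant download.

! Port security on the same ports works only with control mode auto (the
! default); reset A10 in case it had been set to authorized/unauthorized,
! then learn addresses from 802.1X sessions rather than from the wire.
ProCurve(config)# aaa port-access authenticator A10 control auto
ProCurve(config)# port-security A10-A12 learn-mode port-access action send-alarm

! Verify. A port should appear under the overridden-VLAN listing only
! while a client session holds it in VLAN 50 or VLAN 20.
ProCurve(config)# show port-access authenticator vlan A10-A12
ProCurve(config)# show vlan 50
ProCurve(config)# show vlan 20
```

If the unauthenticated devices on a port are expected to use manually configured addresses instead of DHCP, the DHCP server on VLAN 50 can be omitted, but the download host must remain reachable from it or the "friendly client" case in the operating rules above cannot complete.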
port-access auth < port-list > client-limit < 1 - 32 > Configures user-based 802.1X authentication on the specified ports and sets the number of authenticated devices the port is allowed to learn. For more on this command, refer to "Configuring Switch Ports as 802.1X Authenticators" on page 10-18 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 377
Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands 802.1X Supplicant Commands [no] aaa port-access < supplicant < [ethernet] < port-list > [auth-timeout | held-period | start - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 378
a response/ID packet. If switch "B" is configured for RADIUS authentication, it forwards this request to a RADIUS server. If switch "B" is configured for Local 802.1X authentication, the authenticator compares the switch "A" response to its local username and password. 2. The RADIUS server then - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 379
[ethernet] < port-list > Configures a port as a supplicant with either the default supplicant settings or any previously configured supplicant options to configure the authenticator switch's local username and password on the supplicant port. Syntax: aaa port-access supplicant [ethernet] < - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 380
User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password authenticator port. (Default: 60 seconds) - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 381
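The switch-to-switch exchange described above (switch "A" as supplicant, switch "B" as authenticator using local authentication), as an added configuration example for both sides. It is not from the guide: the port numbers, the prompt names ProCurveA/ProCurveB and the credential sw-a / uplink-secret are all assumptions.

```text
! Added example (not from the guide). Switch "A" uplinks from its port A1 to
! port B1 on switch "B". Identity "sw-a" and the secret "uplink-secret" are
! hypothetical. The supplicant secret is entered at prompts, not on the
! command line, so it does not land in the CLI history.

! ---- Switch "B": authenticate the uplink against its local credential ----
ProCurveB(config)# password port-access user-name sw-a uplink-secret
ProCurveB(config)# aaa authentication port-access local
ProCurveB(config)# aaa port-access authenticator B1
ProCurveB(config)# aaa port-access authenticator active

! ---- Switch "A": present that credential on its uplink port ----
ProCurveA(config)# aaa port-access supplicant A1
ProCurveA(config)# aaa port-access supplicant A1 identity sw-a
ProCurveA(config)# aaa port-access supplicant A1 secret
  Enter secret: uplink-secret
  Repeat secret: uplink-secret
! Leave auth-timeout, held-period and start-period at their defaults unless
! switch "B" is slow to answer; a long held-period after a failed attempt is
! what keeps guessing this credential over the link impractically slow.

! Verify on both sides. B1 should list one client named sw-a; A1 should
! show an authenticated supplicant state rather than "held".
ProCurveA(config)# show port-access supplicant A1
ProCurveB(config)# show port-access authenticator clients B1
```

Because the credential is checked against switch "B"'s single port-access username, every supplicant switch that uplinks to "B" shares it; where several switches do so, move "B" to RADIUS (eap-radius) so each uplink can carry its own account.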
ports configured to operate as 802.1X authenticators using the aaa port-access authenticator command? Yes or No • Allow RADIUS-assigned dynamic (GVRP) VLANs: Are RADIUS-assigned dynamic (GVRP-learned) VLANs supported for authenticated and unauthenticated client sessions on the switch? Yes or No - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 382
switch supports MAC-based (untagged) VLANs, MAC-based is displayed to show that multiple untagged VLANs are configured for authentication sessions. • Tagged VLANs: Are tagged VLANs (statically configured port-access authentication is not displayed. ProCurve(config)# show port-access authenticator - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 383
User-Based Access Control (802.1X) Displaying 802.1X Configuration dynamic VLANs are supported • 802.1X configuration of ports configuration for all switch ports or specified ports. 802.1X configuration information for ports that are not enabled as 802.1X authenticators is not displayed. ProCurve - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 384
and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics or disabled on specified port(s). Port number on switch. Period of time (in seconds) after which access is allowed to any connected device that supports 802.1X authentication and provides valid 802.1X credentials - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 385
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator statistics [port-list] Displays statistical information for all switch ports or specified ports that are enabled as 802.1X authenticators, including - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 386
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator session-counters [port-list] Displays information for active 802.1X authentication sessions on all switch ports or specified ports that are enabled - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 387
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator vlan [port-list] Displays the following information on the VLANs configured for use in 802.1X port-access authentication on all switch ports, or - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 388
User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients [port-list] Displays the session status, name, and address for each 802.1X port-access-authenticated client on the switch is displayed. ProCurve (config)# - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 389
Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients detailed Displays detailed information on the status of 802.1X-authenticated client sessions on specified ports. ProCurve (config)# show - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 390
User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation. In these two show outputs, - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 391
syntax: ProCurve(config)# aaa port-access authenticator < port-list > control < authorized | auto | unauthorized > Auto: Configures the port to allow network access to any connected device that supports 802.1X authentication and provides valid 802.1X credentials. (This is the default authenticator - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 392
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters [Show output column heading: % Curr. Rate Limit Inbound] Table describing RADIUS support for Identity-Driven Management (IDM) in chapter 5, "RADIUS Authentication, Authorization, and Accounting" in this guide. Syntax: - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 393
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Note that ports B1 and B3 are not in the upper listing, but are included under "Overridden Port VLAN configuration". This shows that static, untagged VLAN memberships on ports B1 and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 394
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access page 10-49). For descriptions of the supplicant parameters, refer to "Configuring a Supplicant Switch Port" on page 10-49. show port-access supplicant [< port- - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 395
. If it is not, the switch temporarily reassigns the port as described below. If the Port Used by the Client Is Not Configured as an Untagged Member of the control to open a port for client access after authenticating valid user credentials. ■ MAC address: Authenticates a device's MAC address to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 396
use 802.1X, MAC, or Web authentication: ■ The port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. Tagged VLAN membership allows a port to be a member of multiple VLANs simultaneously. ■ The port is temporarily assigned as a member of an untagged - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 397
benefits: • You avoid the need of having static VLANs pre-configured on the switch. • You can centralize the administration of user accounts (including user VLAN IDs) on a RADIUS server. For information on how to enable the switch to dynamically create 802.1Q-compliant VLANs on links to other - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 398
Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in "Example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 399
-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 400
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X access, authenticated by a RADIUS server, where the server included an instruction to put the client's access on VLAN 22. Note: With the current VLAN configuration (figure 10-19), the only time port A2 appears in this - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 401
For information on how to enable a switch to dynamically create 802.1Q-compliant VLANs, see the chapter on "GVRP" in the Advanced Traffic Management Guide. Notes: 1. If a port is assigned as a member of an untagged dynamic VLAN, the dynamic VLAN configuration must exist at the time of authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 402
Configuring Port-Based and User port basis to prevent denial-of-service attacks. The interface unknown-vlans command on "GVRP" in the Advanced Traffic Management Guide. 3. If you disable the use of temporary VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 403
page 10-49. No server(s) responding. This message can appear if you configured the switch for EAP-RADIUS or CHAP-RADIUS authentication, but the switch does not receive a response from a RADIUS server. Ensure that the switch is configured to access at least one RADIUS server. (Use show radius.) If - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 404
MAC Lockdown Operating Notes 11-25 Deploying MAC Lockdown 11-26 MAC Lockout 11-26 Port Security and MAC Lockout 11-29 Web: Displaying and Configuring Port Security Features 11-30 Reading Intrusion Alerts and Resetting Alert Flags 11-30 Notice of Security Violations 11-30 How the Intrusion Log - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 405
Configuring and Monitoring Port Security Contents Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 11-37 Operating Notes for Port Security 11-38 11-2 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 406
Security Overview Feature Default Menu CLI Web Displaying Current Port Security n/a - page 11-8 page 11-30 Configuring Port Security disabled 11-37 Port Security (Page 11-4). This feature enables you to configure each switch port with a unique list of the MAC addresses of devices that are - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 407
ProCurve Manager (PCM and PCM+) ■ Alert Log entries in the switch's web browser interface ■ Event Log entries in the console interface ■ Intrusion Log entries in the menu interface, CLI, or web browser interface For any port, you can configure device. This is the default setting. • Limited-Continuous: - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 408
and Authentication Traps" in the Management and Configuration Guide for your switch.) ■ Port Access: Allows only the MAC address of a device authenticated through the switch's 802.1X Port-Based access control. Refer to chapter 10, Configuring Port-Based and User-Based Access Control (802.1X). For - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 409
either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 410
authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) optionally disable the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 411
This section describes the CLI port security command and how the switch acquires and maintains authorized addresses. Note Use the global configuration level to execute port-security configuration commands. Port Security Display Options You can use the CLI to display the current port - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 412
A7 and A8 Show the Default Setting) With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port: 11 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 413
Example of the Port Security Configuration Display for a Single Port The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 414
Configuring and Monitoring Port Security Port Security Figure 11-4. Examples of Show Mac-Address Outputs 11-11 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 415
| port-access | configured | limited-continuous > For the specified port: • Identifies the method for acquiring authorized addresses. • On switches covered in this guide, automatically invokes eavesdrop protection. (Refer to "Eavesdrop Protection" on page 11-5.) continuous (Default): Appears in the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 416
and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited-continuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 417
, Configuring Port-Based and User-Based Access Control (802.1X). configured: Must specify which MAC addresses are allowed for this port. Range is 1 (default) limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 418
and System Information" in the Management and Configuration Guide for your switch. To set the learn-mode to limited use configured, or limited-continuous, the address-limit parameter specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8 for static and configured - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 419
flag, the port blocks further intruders, but the switch will not disable the port again until you reset the intrusion flag. See the Note on 11-32. For information on configuring the switch for SNMP management, refer to the Management and Configuration Guide for your switch. -Continued- 11-16 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 420
Information" in the Management and Configuration Guide for your switch. Learned Addresses. In the Download a configuration file that does not include the unwanted MAC address assignment. ■ Reset the switch to its factory-default configuration. Assigned/Authorized Addresses. : If you manually - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 421
an authorized device. ProCurve(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable This example configures port A5 to manually change them or the switch is reset to its factory-default configuration. You can "turn off" authorized devices on a port by configuring - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 422
A1, the following command adds the 0c0090-456456 MAC address as the second authorized address. ProCurve(config)# port-security a1 mac-address 0c0090-456456 After executing the above command, the security configuration for port A1 would be: The Address Limit has been reached. Figure 11-6. Example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 423
Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC A1 that raises the address limit to 2 and specifies the additional device's MAC address. For example: ProCurve(config)# port-security a1 mac-address 0c0090-456456 address-limit 2 11-20 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 424
(An Authorized Address list is available for each port for which Learn Mode is currently set to "Static". Refer to the command syntax listing under "Configuring Port Security" on page 11-12.) When learn mode is set to static, the Address Limit (address-limit) parameter controls how many devices are - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 425
ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090-123456 The above command sequence results in the following configuration hijacking. It also controls address learning on the switch. When configured, the MAC Address can only be used on the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 426
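The port-security lifecycle on one port, from the first static address through adding and removing a second device to handling an intrusion, as one added configuration example. It is not from the guide: port A1 and the two MAC addresses 0c0090-123456 and 0c0090-456456 reuse the guide's own examples, but the sequence, the send-disable action and the recovery steps are assumptions about how an operator would combine the commands shown in this section.

```text
! Added example (not from the guide). Port A1 serves one known workstation
! (0c0090-123456); later a second device (0c0090-456456) must be allowed.
! Both MACs are the guide's illustrative values. Run at the global
! configuration level.

! Static learn mode: only listed MACs may source traffic on A1.
! 'send-disable' raises the SNMP alarm AND shuts the port on the first
! intruder, which is what you want on a port that faces a single machine.
ProCurve(config)# port-security A1 learn-mode static address-limit 1 mac-address 0c0090-123456 action send-disable

! Adding a second MAC while address-limit is still 1 is rejected with
! "Inconsistent value"; raise the limit in the same command instead.
!   (rejected) port-security A1 mac-address 0c0090-456456
ProCurve(config)# port-security A1 mac-address 0c0090-456456 address-limit 2

! Removing a device: lower the limit first, then drop the address. Done
! the other way round, the freed slot under a limit of 2 is filled by
! whatever MAC the switch sees next on A1.
ProCurve(config)# port-security A1 address-limit 1
ProCurve(config)# no port-security A1 mac-address 0c0090-456456

! After an intrusion the port is disabled and the alert flag stays set.
! The switch will NOT disable the port again for a later intruder until
! the flag is reset (page 11-16), so clearing it is part of every
! incident, not an optional cleanup. Read the log before clearing it.
ProCurve(config)# show port-security A1
ProCurve(config)# show port-security intrusion-log
ProCurve(config)# port-security A1 clear-intrusion-flag
ProCurve(config)# interface A1 enable
```

The static list survives until you change it or reset the switch to factory defaults, so a workstation replacement is a configuration change, not something the port will learn on its own; that is the property that makes static mode stronger than continuous mode, and also the reason it needs an owner.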
switch to learn the address on the malicious user's port, allowing the intruder to steal the traffic meant for the legitimate user the switch (by reconnecting the Ethernet cable configured for one port, you cannot perform port security using the same MAC address on any other port on that same switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 427
mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggregations). Differences Between MAC Lockdown and Port Security security the MAC Address could still be used on another port on the same switch. MAC Lockdown, on the other hand, is a clear one-to-one relationship - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 428
on every switch. In reality switch, the device (or a hacker "spoofing" the MAC address for the device) may still be able to use another switch can be useful for troubleshooting problems. If you are trying you determine the problem. Limiting the Frequency also configure the switch to send the same - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 429
MAC Lockdown is to prevent a malicious user from "hijacking" an approved MAC address switch which is supposed to be connected to the real device bearing that MAC address. However, you can run into trouble MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 430
network. If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command. You don't have to configure every single port-just perform the command on the switch and it is effective for all ports. 11-27 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 431
You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch's own MAC Address) There are limits for the number of VLANs and Lockout MACs that can be configured concurrently as all use MAC table entries. The limits are shown below - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 432
and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security. You can use MAC Lockout to lock - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 433
Port Security, the switch responds in the following ways to notify you: ■ The switch sets an alert flag for that port. This flag remains set until: • You use either the CLI, menu interface, or web browser interface to reset the flag. • The switch is reset to its factory default configuration. 11-30 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 434
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the applications such as ProCurve Manager via an SNMP trap sent to a network management station How the Intrusion Log Operates When the switch detects an intrusion - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 435
recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 436
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 437
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 11-12 on page 11-33) does not indicate an intrusion for port A1, the alert flag for the intrusion on port A1 has already been reset. • Since the switch can show only - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 438
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags clear Multiple Entries for the Same Port The above example shows three intrusions for port A1. Since the switch can show only one uncleared intrusion per port, the older two intrusions in this example have - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 439
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch include the Intrusion Alert status.) ProCurve(config)# port-security a1 clear-intrusion-flag ProCurve(config)# show interfaces brief Intrusion Alert - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 440
Event Log contents. For More Event Log Information. See "Using the Event Log To Identify Problem Sources" in the "Troubleshooting" chapter of the Management and Configuration Guide for your switch. Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 1. Check the Alert - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 441
's IP Authorized Managers list. See "Using Authorized IP Managers" in the Management and Configuration Guide for your switch.) Without both of the above configured, the switch detects only the proxy server's MAC address, and not your PC or workstation MAC address, and interprets your connection - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 442
address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 443
Page 443: Operation 12-4 Menu: Viewing and Configuring IP Authorized Managers 12-5 CLI: Viewing and Configuring Authorized IP Managers 12-6 Listing the Switch's Current Authorized IP Manager(s) 12-6 Configuring IP Authorized Managers for the Switch 12-7 Web: Configuring IP Authorized Managers 12-9 Web
Page 444: (Showing) Authorized Managers Configuring Authorized IP Managers Building IP Masks Operating and Troubleshooting Notes Default n/a None n/a n/a Thus, with authorized IP managers configured, having the correct passwords is not sufficient for accessing the switch through the network unless the
Page 445: browser and console interface screens for viewing, configuration, and all other operations available in these interfaces. ■ Operator: Allows read-only access from the web browser and console interfaces. (This is the same access that is allowed by the switch's operator-level password feature.) 12-3
Page 446: topic, refer to "Configuring Multiple Stations Per Authorized Manager IP Entry" on page 12-11.) To configure the switch for authorized manager access, access to the switch by a management station. Overview of IP Mask Operation The default IP Mask is 255.255.255.255 and allows switch access only to
Page 447: mask serves a different purpose than IP subnet masks and is applied in a different manner. Menu: Viewing and Configuring IP Authorized Managers From the console Main Menu, select: 2. Switch Configuration ... 7. IP Authorized Managers 1. Select Add to add an authorized manager to the list. Figure 12
Page 448: default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See "Building IP Masks" on page 12-10. 4. Use the Space bar to select Manager or Operator access. 5. Press [Enter], then [S] (for Save) to configure Listing the Switch's Current
Page 449: Operator Configuring IP Authorized Managers for the Switch Syntax: ip authorized-managers Configures one or more authorized IP addresses. [] Configures the IP 28.227.101 through 103: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager 12
Page 450: switch assigns the Manager access. For example: Omitting a mask in the ip authorized-managers command results in a default mask of 255.255.255.255, which authorizes only the specified station. Refer to "Configuring command will be set to their default.): ProCurve(config)# ip authorized-managers 10.28
Page 451: parameter settings for the operation you want. 4. Click on [Add], [Replace], or [Delete] to implement the configuration change. Web Proxy Servers If you use the web browser interface to access the switch from an authorized IP manager station, it is highly recommended that you avoid using a web proxy
Page 452: web proxy server to connect to the switch, any proxy user can access the switch. If it is necessary to use the switch's web browser interface and your browser the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. Configuring One
Page 453: only to a station having an IP address of 10.33.248.5. Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range
Page 454: of up to 10 28 227 125 4 management stations to access the switch. This is useful if the only devices in the IP address group allowed ". In this example, in order for a station to be authorized to access the switch: • The first three octets of the station's IP address must match the Authorized
Page 455: to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and preventing unauthorized access to data on your management stations. ■ Modem and Direct Console Access: Configuring authorized IP managers does not protect
Page 456: you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or "Exceptions" list in the web browser interface you are using on
Page 457: control authenticate users ... 10-5 authentication methods ... 10-4 authentication, local ... 10-6 authentication, user-based supported ... 10-13 messages ... 10-73 multiple clients ... 10-37 multiple clients, same VLAN ... 10-5 open port ... 10-4 open VLAN authorized client ... 10-31 configuration
Page 458: password switch port operating as ... 10-47 2 - Index supplicant state ... 10-64 supplicant statistics, note ... 10-64 supplicant, configuring ... 10-47 supplicant-timeout ... 10-22 terminology ... 10-6 traffic flow on unauthenticated ports ... 10-27 troubleshooting also port-based. user-based vs.
Page 459: single station ... 12-10 IP mask operation ... 12-4 operating notes ... 12-13 overview ... 12-1 troubleshooting ... 12-13 authorized server ... 8-5 authorized server address, configuring ... 8-9 authorized, option for authentication ... 5-11, 10-24 autorun autorun-key ... 6-11 autorun-key ... 6-11
Page 460: 8-5 debug logging DHCP snooping ... 8-13 default configuration and security ... 1-15 default settings 802.1X aaa port-access authenticator control, 1-7 manager password, no password ... 1-3 passwords clear password, enabled ... 2-27 password recovery, enabled ... 2-28, 2-33 password-clear, enabled
Page 461: 1813 ... 5-7 UDP destination port for authentication, 1812 ... 5-7 user authentication, disabled ... 6-2 virus throttling, none ... 1-8 Web and 8-12 changing remote-id ... 8-11 configuring authorized server address ... 8-9 database ... 8-5 denial-of-service attack ... 8-4 DHCPACK ... 8-5 DHCPDECLINE
Page 462: single authorized manager station ... 12-10 operation ... 12-4 IP routing dynamic ARP protection, enabling ... 8-16 validation checks on ARP packets, configuring ... 8-21 ip source-binding ... 8-29 ip source-lockdown ... 8-26, 8-27 ip source-lockdown bindings ... 8-30, 8-31 IP spoofing protection
Page 463: ... 3-60 concurrent with Web ... 3-4 configuration commands ... 3-51 configuring on the switch ... 3-50 switch for RADIUS access ... 3-17 the RADIUS -38 operator password ... 2-4, 2-6, 2-7 saving to configuration file ... 2-12 Option 82 snooping ... 8-6 P packet validation ... 8-6 password 802.1X
Page 464: ProCurve switch documentation ... xvii ProCurve Manager IDM as a plug-in to ... 1-21 port security alerts ... 11-4 proxy web server ... 11-38 R RADIUS accounting ... 5-4, 5-37 accounting, configuration outline ... 5-39 accounting, configure 5-38, 5-42 administrative-user service-type value ... 5-14
Page 465: 14, 2-21 copying configurations on the switch ... 2-20 copying startup configuration ... 2-19 disabling Reset-on-clear option ... 2-20 downloading a configuration file ... 2-19 downloading from a server ... 2-10 enabling storage in configuration file ... 2-11 manager username and password ... 2-12
Page 466: criteria ... 9-3 spanning tree edge port configuration ... 3-22, 10-26 security features ... 1-8 spoofing protection against ... 8-24 SSH authenticating switch to client ... 6-3 authentication, client public key ... 6-2 authentication, user password ... 6-2 caution, security ... 6-19 cipher ... 6-17
Page 467: ... 7-2 steps for configuring ... 7-5 supported encryption methods ... 7-3 terminology ... 7-3 TLSv1 ... 7-2 troubleshooting, operating ... 7-21 unsecured manager password requirement ... 4-30 messages ... 4-29 NAS ... 4-3 precautions ... 4-5 preparing to configure ... 4-8 preventing switch lockout
Page 468: untrusted policy, snooping ... 8-10 user name cleared ... 2-7 SNMP configuration ... 2-3 V vendor-specific attribute configuring support for HP VSAs ... 5-29 defining ... on the switch ... 3-20 switch for RADIUS access ... 3-17 display all 802.1X, Web, and MAC authentication configuration ... 3-14
Page 469: forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP will not be liable for technical or editorial errors or omissions contained herein. August 2009 Manual Part Number 5992-5525
August 2009
ProCurve Series 6120 Switches
Access Security Guide