Home » HP Manuals » Servers » HP 6120XG » Manual Viewer

HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 166

Messages Related to TACACS+ Operation, Operating Notes

Add to My Manuals
Save this manual to your list of manuals

Page 166 highlights

TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application. CLI Message Meaning Connecting to Tacacs server The switch is attempting to contact the TACACS+ server identified in the switch's tacacsserver configuration as the first-choice (or only) TACACS+ server. Connecting to secondary Tacacs server The switch was not able to contact the first-choice TACACS+ server, and is now attempting to contact the next (secondary) TACACS+ server identified in the switch's tacacs-server configuration. Invalid password The system does not recognize the username or the password or both. Depending on the authentication method (tacacs or local), either the TACACS+ server application did not recognize the username/password pair or the username/password pair did not match the username/password pair configured in the switch. No Tacacs servers responding The switch has not been able to contact any designated TACACS+ servers. If this message is followed by the Username prompt, the switch is attempting local authentication. Not legal combination of authentication methods For console access, if you select tacacs as the primary authentication method, you must select local as the secondary authentication method. This prevents you from being locked out of the switch if all designated TACACS+ servers are inaccessible to the switch. Record already exists When resulting from a tacacs-server host command, indicates an attempt to enter a duplicate TACACS+ server IP address. Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch. Also, the switch does not attempt TACACS+ authentication for a management station that the Authorized IP Manager list excludes because, independent of TACACS+, the switch already denies access to such stations. 4-29

Section	Page
Security Overview	23
Contents	23
Introduction	24
About This Guide	24
For More Information	24
Access Security Features	25
Network Security Features	29
Getting Started with Access Security	31
Physical Security	31
Quick Start: Using the Management Interface Wizard	32
SNMP Security Guidelines	37
Precedence of Security Options	39
Precedence of Port-Based Security Options	39
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter	39
ProCurve Identity-Driven Manager (IDM)	43
Configuring Username and Password Security	44
Contents	44
Overview	46
Configuring Local Password Security	49
Menu: Setting Passwords	49
CLI: Setting Passwords and Usernames	51
Web: Setting Passwords and Usernames	52
SNMP: Setting Passwords and Usernames	52
Saving Security Credentials in a Config File	53
Benefits of Saving Security Credentials	53
Enabling the Storage and Display of Security Credentials	54
Security Settings that Can Be Saved	54
Local Manager and Operator Passwords	55
Password Command Options	55
SNMP Security Credentials	56
802.1X Port-Access Credentials	57
TACACS+ Encryption Key Authentication	58
RADIUS Shared-Secret Key Authentication	58
SSH Client Public-Key Authentication	59
Operating Notes	62
Restrictions	64
Front-Panel Security	66
When Security Is Important	66
Front-Panel Button Functions	67
Configuring Front-Panel Security	70
Password Recovery	75
Disabling or Re-Enabling the Password Recovery Process	75
Password Recovery Process	77
Web and MAC Authentication	78
Contents	78
Overview	80
Web Authentication	80
MAC Authentication	81
Concurrent Web and MAC Authentication	81
Authorized and Unauthorized Client VLANs	82
RADIUS-Based Authentication	83
Wireless Clients	83
How Web and MAC Authentication Operate	83
Web-based Authentication	84
MAC-based Authentication	86
Terminology	88
Operating Rules and Notes	89
Setup Procedure for Web/MAC Authentication	91
Before You Configure Web/MAC Authentication	91
Configuring the RADIUS Server To Support MAC Authentication	93
Configuring the Switch To Access a RADIUS Server	94
Configuring Web Authentication	97
Overview	97
Configuration Commands for Web Authentication	98
Show Commands for Web Authentication	105
Customizing Web Authentication HTML Files (Optional)	111
Implementing Customized Web-Auth Pages	111
Operating Notes and Guidelines	111
Customizing HTML Templates	112
Configuring MAC Authentication on the Switch	127
Overview	127
Configuration Commands for MAC Authentication	128
Show Commands for MAC-Based Authentication	131
Client Status	137
TACACS+ Authentication	138
Contents	138
Overview	139
Terminology Used in TACACS Applications:	140
General System Requirements	142
General Authentication Setup Procedure	142
Configuring TACACS+ on the Switch	145
Before You Begin	145
CLI Commands Described in this Section	146
Viewing the Switch’s Current Authentication Configuration	146
Viewing the Switch’s Current TACACS+ Server Contact Configuration	147
Configuring the Switch’s Authentication Methods	148
Configuring the TACACS+ Server for Single Login	150
Configuring the Switch’s TACACS+ Server Access	155
How Authentication Operates	161
General Authentication Process Using a TACACS+ Server	161
Local Authentication Process	163
Using the Encryption Key	164
Controlling Web Browser Interface Access When Using TACACS+ Authentication	165
Messages Related to TACACS+ Operation	166
Operating Notes	166
RADIUS Authentication, Authorization, and Accounting	168
Contents	168
Overview	170
Authentication Services	170
Accounting Services	171
RADIUS-Administered CoS and Rate-Limiting	171
RADIUIS-Administered Commands Authorization	171
SNMP Access to the Switch’s Authentication Configuration MIB	171
Terminology	172
Switch Operating Rules for RADIUS	173
General RADIUS Setup Procedure	174
Configuring the Switch for RADIUS Authentication	175
Outline of the Steps for Configuring RADIUS Authentication	176
1. Configure Authentication for the Access Methods You Want RADIUS To Protect	177
2. Enable the (Optional) Access Privilege Option	180
3. Configure the Switch To Access a RADIUS Server	181
4. Configure the Switch’s Global RADIUS Parameters	184
Using SNMP To View and Configure Switch Authentication Features	188
Changing and Viewing the SNMP Access Configuration	189
Local Authentication Process	191
Controlling Web Browser Interface Access	192
Commands Authorization	193
Enabling Authorization	194
Displaying Authorization Information	195
Configuring Commands Authorization on a RADIUS Server	195
VLAN Assignment in an Authentication Session	201
Tagged and Untagged VLAN Attributes	202
Additional RADIUS Attributes	203
Configuring RADIUS Accounting	204
Operating Rules for RADIUS Accounting	206
Steps for Configuring RADIUS Accounting	206
Viewing RADIUS Statistics	213
General RADIUS Statistics	213
RADIUS Authentication Statistics	215
RADIUS Accounting Statistics	216
Changing RADIUS-Server Access Order	217
Messages Related to RADIUS Operation	220
Configuring Secure Shell (SSH)	221
Contents	221
Overview	222
Terminology	223
Prerequisite for Using SSH	225
Public Key Formats	225
Steps for Configuring and Using SSH for Switch and Client Authentication	226
General Operating Rules and Notes	228
Configuring the Switch for SSH Operation	229
1. Assigning a Local Login (Operator) and Enable (Manager) Password	230
2. Generating the Switch’s Public and Private Key Pair	230
3. Providing the Switch’s Public Key to Clients	233
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior	235
5. Configuring the Switch for SSH Authentication	240
6. Use an SSH Client To Access the Switch	244
Further Information on SSH Client Public-Key Authentication	244
Messages Related to SSH Operation	250
Logging Messages	251
Debug Logging	252
Configuring Secure Socket Layer (SSL)	253
Contents	253
Overview	254
Terminology	255
Prerequisite for Using SSL	257
Steps for Configuring and Using SSL for Switch and Client Authentication	257
General Operating Rules and Notes	258
Configuring the Switch for SSL Operation	259
1. Assigning a Local Login (Operator) and Enabling (Manager) Password	259
2. Generating the Switch’s Server Host Certificate	260
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior	269
Common Errors in SSL setup	273
Configuring Advanced Threat Protection	274
Contents	274
Introduction	276
DHCP Snooping	277
Overview	277
Enabling DHCP Snooping	278
Enabling DHCP Snooping on VLANS	280
Configuring DHCP Snooping Trusted Ports	281
Configuring Authorized Server Addresses	282
Using DHCP Snooping with Option 82	282
The DHCP Binding Database	285
Operational Notes	286
Log Messages	287
Dynamic ARP Protection	289
Introduction	289
Enabling Dynamic ARP Protection	291
Configuring Trusted Ports	291
Adding an IP-to-MAC Binding to the DHCP Database	293
Configuring Additional Validation Checks on ARP Packets	294
Verifying the Configuration of Dynamic ARP Protection	294
Displaying ARP Packet Statistics	295
Monitoring Dynamic ARP Protection	296
Dynamic IP Lockdown	296
Protection Against IP Source Address Spoofing	297
Prerequisite: DHCP Snooping	297
Filtering IP and MAC Addresses Per-Port and Per-VLAN	298
Enabling Dynamic IP Lockdown	299
Operating Notes	299
Adding an IP-to-MAC Binding to the DHCP Binding Database	301
Verifying the Dynamic IP Lockdown Configuration	302
Displaying the Static Configuration of IP-to-MAC Bindings	303
Debugging Dynamic IP Lockdown	304
Using the Instrumentation Monitor	306
Operating Notes	307
Configuring Instrumentation Monitor	308
Viewing the Current Instrumentation Monitor Configuration	310
Traffic/Security Filters and Monitors	311
Contents	311
Overview	312
Introduction	312
Filter Limits	312
Using Port Trunks with Filters	312
Filter Types and Operation	313
Source-Port Filters	314
Named Source-Port Filters	316
Configuring Traffic/Security Filters	325
Configuring a Source-Port Traffic Filter	326
Editing a Source-Port Filter	328
Filter Indexing	329
Displaying Traffic/Security Filters	330
Configuring Port-Based and User-Based Access Control (802.1X)	331
Contents	331
Overview	333
Why Use Port-Based or User-Based Access Control?	333
General Features	333
User Authentication Methods	334
Terminology	336
General 802.1X Authenticator Operation	339
Example of the Authentication Process	339
VLAN Membership Priority	340
General Operating Rules and Notes	342
General Setup Procedure for 802.1X Access Control	344
Do These Steps Before You Configure 802.1X Operation	344
Overview: Configuring 802.1X Authentication on the Switch	347
Configuring Switch Ports as 802.1X Authenticators	348
1. Enable 802.1X Authentication on Selected Ports	349
2. Reconfigure Settings for Port-Access	351
3. Configure the 802.1X Authentication Method	354
4. Enter the RADIUS Host IP Address(es)	355
5. Enable 802.1X Authentication on the Switch	355
6. Optional: Reset Authenticator Operation	356
7. Optional: Configure 802.1X Controlled Directions	356
802.1X Open VLAN Mode	359
Introduction	359
VLAN Membership Priorities	360
Use Models for 802.1X Open VLAN Modes	361
Operating Rules for Authorized-Client and Unauthorized-Client VLANs	366
Setting Up and Configuring 802.1X Open VLAN Mode	370
802.1X Open VLAN Operating Notes	374
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices	375
Port-Security	376
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches	377
Example	377
Supplicant Port Configuration	379
Displaying 802.1X Configuration, Statistics, and Counters	381
Show Commands for Port-Access Authenticator	381
Viewing 802.1X Open VLAN Mode Status	390
Show Commands for Port-Access Supplicant	394
How RADIUS/802.1X Authentication Affects VLAN Operation	395
VLAN Assignment on a Port	396
Operating Notes	396
Example of Untagged VLAN Assignment in a RADIUS- Based Authentication Session	398
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions	401
Messages Related to 802.1X Operation	403
Configuring and Monitoring Port Security	404
Contents	404
Overview	406
Port Security	407
Basic Operation	407
Eavesdrop Protection	408
Blocking Unauthorized Traffic	408
Trunk Group Exclusion	409
Planning Port Security	410
Port Security Command Options and Operation	411
Configuring Port Security	415
Retention of Static Addresses	420
MAC Lockdown	425
Differences Between MAC Lockdown and Port Security	427
Deploying MAC Lockdown	429
MAC Lockout	429
Port Security and MAC Lockout	432
Web: Displaying and Configuring Port Security Features	433
Reading Intrusion Alerts and Resetting Alert Flags	433
Notice of Security Violations	433
How the Intrusion Log Operates	434
Keeping the Intrusion Log Current by Resetting Alert Flags	435
Using the Event Log To Find Intrusion Alerts	439
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags	440
Operating Notes for Port Security	441
Using Authorized IP Managers	443
Contents	443
Overview	444
Options	445
Access Levels	445
Defining Authorized Management Stations	446
Overview of IP Mask Operation	446
Menu: Viewing and Configuring IP Authorized Managers	447
CLI: Viewing and Configuring Authorized IP Managers	448
Web: Configuring IP Authorized Managers	451
Web Proxy Servers	451
Web-Based Help	452
Building IP Masks	452
Configuring One Station Per Authorized Manager IP Entry	452
Configuring Multiple Stations Per Authorized Manager IP Entry	453
Additional Examples for Authorizing Multiple Stations	455
Operating Notes	455
Numerics	457
A	459
B	459
C	459
D	460
E	462
F	462
G	462
H	462
I	462
L	462
M	462
N	463
O	463
P	463
R	464
S	465
T	467
U	468
V	468

Match case Limit results 1 per page

4-29

TACACS+ Authentication

Messages Related to TACACS+ Operation

Messages Related to TACACS+

Operation

The switch generates the CLI messages listed below. However, you may see

other messages generated in your TACACS+ server application. For informa-

tion on such messages, refer to the documentation you received with the

application.

Operating Notes

■

If you configure Authorized IP Managers on the switch, it is not

necessary to include any devices used as TACACS+ servers in the

authorized manager list. That is, authentication traffic between a

TACACS+ server and the switch is not subject to Authorized IP

Manager controls configured on the switch. Also, the switch does not

attempt TACACS+ authentication for a management station that the

Authorized IP Manager list excludes because, independent of

TACACS+, the switch already denies access to such stations.

CLI Message

Meaning

Connecting to Tacacs server

The switch is attempting to contact the TACACS+ server identified in the switch’s

tacacs-

server

configuration as the

first-choice

(or only) TACACS+ server.

Connecting to secondary

Tacacs server

The switch was not able to contact the

first-choice

TACACS+ server, and is now

attempting to contact the next (secondary) TACACS+ server identified in the switch’s

tacacs-server

configuration.

Invalid password

The system does not recognize the username or the password or both. Depending on the

authentication method (

tacacs

local

), either the TACACS+ server application did not

recognize the username/password pair or the username/password pair did not match the

username/password pair configured in the switch.

No Tacacs servers

responding

The switch has not been able to contact any designated TACACS+ servers. If this message

is followed by the

Username

prompt, the switch is attempting local authentication.

Not legal combination of

authentication methods

For console access,

if you select

tacacs

as the primary authentication method, you must

select

local

as the secondary authentication method. This prevents you from being locked

out of the switch if all designated TACACS+ servers are inaccessible to the switch.

Record already exists

When resulting from a

tacacs-server host

ip addr

> command, indicates an attempt to

enter a duplicate TACACS+ server IP address.