Home » HP Manuals » Servers » HP 6120XG » Manual Viewer

HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 236

SSH Client Contact Behavior., To enable SSH on the switch.

Add to My Manuals
Save this manual to your list of manuals

Page 236 highlights

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note Before enabling SSH on the switch you must generate the switch's public/ private key pair. If you have not already done so, refer to "2. Generating the Switch's Public and Private Key Pair" on page 6-10. When configured for SSH, the switch uses its host public-key to authenticate itself to SSH clients. If you also want SSH clients to authenticate themselves to the switch you must configure SSH on the switch for client public-key authentication at the login (Operator) level. To enhance security, you should also configure local, TACACS+, or RADIUS authentication at the enable (Manager) level. Refer to "5. Configuring the Switch for SSH Authentication" on page 6-20. Note SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch's public key has not been copied into the client, then the client's first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing. If it is safe to assume that an unauthorized device is not using the switch's IP address in an attempt to gain access to the client's data or network, the connection can be accepted. (As a more secure alternative, the client can be directly connected to the switch's serial port to download the switch's public key into the client. See the following Note.) When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch. This possibility can be removed by directly connecting the management station to the switch's serial port, using a show command to display the switch's public key, and copying the key from the display into a file. This requires a knowledge of where the client stores public keys, plus the knowledge of what key editing and file format might be required by the client application. However, if the first contact attempt between a client and the switch does not pose a security problem, this is unnecessary. To enable SSH on the switch. 1. Generate a public/private key pair if you have not already done so. (Refer to "2. Generating the Switch's Public and Private Key Pair" on page 6-10.) 2. Execute the ip ssh command. 6-16

Section	Page
Security Overview	23
Contents	23
Introduction	24
About This Guide	24
For More Information	24
Access Security Features	25
Network Security Features	29
Getting Started with Access Security	31
Physical Security	31
Quick Start: Using the Management Interface Wizard	32
SNMP Security Guidelines	37
Precedence of Security Options	39
Precedence of Port-Based Security Options	39
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter	39
ProCurve Identity-Driven Manager (IDM)	43
Configuring Username and Password Security	44
Contents	44
Overview	46
Configuring Local Password Security	49
Menu: Setting Passwords	49
CLI: Setting Passwords and Usernames	51
Web: Setting Passwords and Usernames	52
SNMP: Setting Passwords and Usernames	52
Saving Security Credentials in a Config File	53
Benefits of Saving Security Credentials	53
Enabling the Storage and Display of Security Credentials	54
Security Settings that Can Be Saved	54
Local Manager and Operator Passwords	55
Password Command Options	55
SNMP Security Credentials	56
802.1X Port-Access Credentials	57
TACACS+ Encryption Key Authentication	58
RADIUS Shared-Secret Key Authentication	58
SSH Client Public-Key Authentication	59
Operating Notes	62
Restrictions	64
Front-Panel Security	66
When Security Is Important	66
Front-Panel Button Functions	67
Configuring Front-Panel Security	70
Password Recovery	75
Disabling or Re-Enabling the Password Recovery Process	75
Password Recovery Process	77
Web and MAC Authentication	78
Contents	78
Overview	80
Web Authentication	80
MAC Authentication	81
Concurrent Web and MAC Authentication	81
Authorized and Unauthorized Client VLANs	82
RADIUS-Based Authentication	83
Wireless Clients	83
How Web and MAC Authentication Operate	83
Web-based Authentication	84
MAC-based Authentication	86
Terminology	88
Operating Rules and Notes	89
Setup Procedure for Web/MAC Authentication	91
Before You Configure Web/MAC Authentication	91
Configuring the RADIUS Server To Support MAC Authentication	93
Configuring the Switch To Access a RADIUS Server	94
Configuring Web Authentication	97
Overview	97
Configuration Commands for Web Authentication	98
Show Commands for Web Authentication	105
Customizing Web Authentication HTML Files (Optional)	111
Implementing Customized Web-Auth Pages	111
Operating Notes and Guidelines	111
Customizing HTML Templates	112
Configuring MAC Authentication on the Switch	127
Overview	127
Configuration Commands for MAC Authentication	128
Show Commands for MAC-Based Authentication	131
Client Status	137
TACACS+ Authentication	138
Contents	138
Overview	139
Terminology Used in TACACS Applications:	140
General System Requirements	142
General Authentication Setup Procedure	142
Configuring TACACS+ on the Switch	145
Before You Begin	145
CLI Commands Described in this Section	146
Viewing the Switch’s Current Authentication Configuration	146
Viewing the Switch’s Current TACACS+ Server Contact Configuration	147
Configuring the Switch’s Authentication Methods	148
Configuring the TACACS+ Server for Single Login	150
Configuring the Switch’s TACACS+ Server Access	155
How Authentication Operates	161
General Authentication Process Using a TACACS+ Server	161
Local Authentication Process	163
Using the Encryption Key	164
Controlling Web Browser Interface Access When Using TACACS+ Authentication	165
Messages Related to TACACS+ Operation	166
Operating Notes	166
RADIUS Authentication, Authorization, and Accounting	168
Contents	168
Overview	170
Authentication Services	170
Accounting Services	171
RADIUS-Administered CoS and Rate-Limiting	171
RADIUIS-Administered Commands Authorization	171
SNMP Access to the Switch’s Authentication Configuration MIB	171
Terminology	172
Switch Operating Rules for RADIUS	173
General RADIUS Setup Procedure	174
Configuring the Switch for RADIUS Authentication	175
Outline of the Steps for Configuring RADIUS Authentication	176
1. Configure Authentication for the Access Methods You Want RADIUS To Protect	177
2. Enable the (Optional) Access Privilege Option	180
3. Configure the Switch To Access a RADIUS Server	181
4. Configure the Switch’s Global RADIUS Parameters	184
Using SNMP To View and Configure Switch Authentication Features	188
Changing and Viewing the SNMP Access Configuration	189
Local Authentication Process	191
Controlling Web Browser Interface Access	192
Commands Authorization	193
Enabling Authorization	194
Displaying Authorization Information	195
Configuring Commands Authorization on a RADIUS Server	195
VLAN Assignment in an Authentication Session	201
Tagged and Untagged VLAN Attributes	202
Additional RADIUS Attributes	203
Configuring RADIUS Accounting	204
Operating Rules for RADIUS Accounting	206
Steps for Configuring RADIUS Accounting	206
Viewing RADIUS Statistics	213
General RADIUS Statistics	213
RADIUS Authentication Statistics	215
RADIUS Accounting Statistics	216
Changing RADIUS-Server Access Order	217
Messages Related to RADIUS Operation	220
Configuring Secure Shell (SSH)	221
Contents	221
Overview	222
Terminology	223
Prerequisite for Using SSH	225
Public Key Formats	225
Steps for Configuring and Using SSH for Switch and Client Authentication	226
General Operating Rules and Notes	228
Configuring the Switch for SSH Operation	229
1. Assigning a Local Login (Operator) and Enable (Manager) Password	230
2. Generating the Switch’s Public and Private Key Pair	230
3. Providing the Switch’s Public Key to Clients	233
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior	235
5. Configuring the Switch for SSH Authentication	240
6. Use an SSH Client To Access the Switch	244
Further Information on SSH Client Public-Key Authentication	244
Messages Related to SSH Operation	250
Logging Messages	251
Debug Logging	252
Configuring Secure Socket Layer (SSL)	253
Contents	253
Overview	254
Terminology	255
Prerequisite for Using SSL	257
Steps for Configuring and Using SSL for Switch and Client Authentication	257
General Operating Rules and Notes	258
Configuring the Switch for SSL Operation	259
1. Assigning a Local Login (Operator) and Enabling (Manager) Password	259
2. Generating the Switch’s Server Host Certificate	260
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior	269
Common Errors in SSL setup	273
Configuring Advanced Threat Protection	274
Contents	274
Introduction	276
DHCP Snooping	277
Overview	277
Enabling DHCP Snooping	278
Enabling DHCP Snooping on VLANS	280
Configuring DHCP Snooping Trusted Ports	281
Configuring Authorized Server Addresses	282
Using DHCP Snooping with Option 82	282
The DHCP Binding Database	285
Operational Notes	286
Log Messages	287
Dynamic ARP Protection	289
Introduction	289
Enabling Dynamic ARP Protection	291
Configuring Trusted Ports	291
Adding an IP-to-MAC Binding to the DHCP Database	293
Configuring Additional Validation Checks on ARP Packets	294
Verifying the Configuration of Dynamic ARP Protection	294
Displaying ARP Packet Statistics	295
Monitoring Dynamic ARP Protection	296
Dynamic IP Lockdown	296
Protection Against IP Source Address Spoofing	297
Prerequisite: DHCP Snooping	297
Filtering IP and MAC Addresses Per-Port and Per-VLAN	298
Enabling Dynamic IP Lockdown	299
Operating Notes	299
Adding an IP-to-MAC Binding to the DHCP Binding Database	301
Verifying the Dynamic IP Lockdown Configuration	302
Displaying the Static Configuration of IP-to-MAC Bindings	303
Debugging Dynamic IP Lockdown	304
Using the Instrumentation Monitor	306
Operating Notes	307
Configuring Instrumentation Monitor	308
Viewing the Current Instrumentation Monitor Configuration	310
Traffic/Security Filters and Monitors	311
Contents	311
Overview	312
Introduction	312
Filter Limits	312
Using Port Trunks with Filters	312
Filter Types and Operation	313
Source-Port Filters	314
Named Source-Port Filters	316
Configuring Traffic/Security Filters	325
Configuring a Source-Port Traffic Filter	326
Editing a Source-Port Filter	328
Filter Indexing	329
Displaying Traffic/Security Filters	330
Configuring Port-Based and User-Based Access Control (802.1X)	331
Contents	331
Overview	333
Why Use Port-Based or User-Based Access Control?	333
General Features	333
User Authentication Methods	334
Terminology	336
General 802.1X Authenticator Operation	339
Example of the Authentication Process	339
VLAN Membership Priority	340
General Operating Rules and Notes	342
General Setup Procedure for 802.1X Access Control	344
Do These Steps Before You Configure 802.1X Operation	344
Overview: Configuring 802.1X Authentication on the Switch	347
Configuring Switch Ports as 802.1X Authenticators	348
1. Enable 802.1X Authentication on Selected Ports	349
2. Reconfigure Settings for Port-Access	351
3. Configure the 802.1X Authentication Method	354
4. Enter the RADIUS Host IP Address(es)	355
5. Enable 802.1X Authentication on the Switch	355
6. Optional: Reset Authenticator Operation	356
7. Optional: Configure 802.1X Controlled Directions	356
802.1X Open VLAN Mode	359
Introduction	359
VLAN Membership Priorities	360
Use Models for 802.1X Open VLAN Modes	361
Operating Rules for Authorized-Client and Unauthorized-Client VLANs	366
Setting Up and Configuring 802.1X Open VLAN Mode	370
802.1X Open VLAN Operating Notes	374
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices	375
Port-Security	376
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches	377
Example	377
Supplicant Port Configuration	379
Displaying 802.1X Configuration, Statistics, and Counters	381
Show Commands for Port-Access Authenticator	381
Viewing 802.1X Open VLAN Mode Status	390
Show Commands for Port-Access Supplicant	394
How RADIUS/802.1X Authentication Affects VLAN Operation	395
VLAN Assignment on a Port	396
Operating Notes	396
Example of Untagged VLAN Assignment in a RADIUS- Based Authentication Session	398
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions	401
Messages Related to 802.1X Operation	403
Configuring and Monitoring Port Security	404
Contents	404
Overview	406
Port Security	407
Basic Operation	407
Eavesdrop Protection	408
Blocking Unauthorized Traffic	408
Trunk Group Exclusion	409
Planning Port Security	410
Port Security Command Options and Operation	411
Configuring Port Security	415
Retention of Static Addresses	420
MAC Lockdown	425
Differences Between MAC Lockdown and Port Security	427
Deploying MAC Lockdown	429
MAC Lockout	429
Port Security and MAC Lockout	432
Web: Displaying and Configuring Port Security Features	433
Reading Intrusion Alerts and Resetting Alert Flags	433
Notice of Security Violations	433
How the Intrusion Log Operates	434
Keeping the Intrusion Log Current by Resetting Alert Flags	435
Using the Event Log To Find Intrusion Alerts	439
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags	440
Operating Notes for Port Security	441
Using Authorized IP Managers	443
Contents	443
Overview	444
Options	445
Access Levels	445
Defining Authorized Management Stations	446
Overview of IP Mask Operation	446
Menu: Viewing and Configuring IP Authorized Managers	447
CLI: Viewing and Configuring Authorized IP Managers	448
Web: Configuring IP Authorized Managers	451
Web Proxy Servers	451
Web-Based Help	452
Building IP Masks	452
Configuring One Station Per Authorized Manager IP Entry	452
Configuring Multiple Stations Per Authorized Manager IP Entry	453
Additional Examples for Authorizing Multiple Stations	455
Operating Notes	455
Numerics	457
A	459
B	459
C	459
D	460
E	462
F	462
G	462
H	462
I	462
L	462
M	462
N	463
O	463
P	463
R	464
S	465
T	467
U	468
V	468

Match case Limit results 1 per page

6-16

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Note

Before enabling SSH on the switch you must generate the switch’s public/

private key pair. If you have not already done so, refer to “2. Generating the

Switch’s Public and Private Key Pair” on page 6-10.

When configured for SSH, the switch uses its host public-key to authenticate

itself to SSH clients. If you also want SSH clients to authenticate themselves

to the switch you must configure SSH on the switch for client public-key

authentication at the login (Operator) level. To enhance security, you should

also configure local, TACACS+, or RADIUS authentication at the enable

(Manager) level.

Refer to “5. Configuring the Switch for SSH Authentication” on page 6-20.

SSH Client Contact Behavior.

At the first contact between the switch and

an SSH client, if the switch’s public key has not been copied into the client,

then the client’s first connection to the switch will question the connection

and, for security reasons, provide the option of accepting or refusing. If it is

safe to assume that an unauthorized device is not using the switch’s IP address

in an attempt to gain access to the client’s data or network, the connection

can be accepted. (As a more secure alternative, the client can be directly

connected to the switch’s serial port to download the switch’s public key into

the client. See the following Note.)

Note

When an SSH client connects to the switch for the first time, it is possible for

a “man-in-the-middle” attack; that is, for an unauthorized device to pose

undetected as the switch, and learn the usernames and passwords controlling

access to the switch. This possibility can be removed by directly connecting

the management station to the switch’s serial port, using a

show

command to

display the switch’s public key, and copying the key from the display into a

file. This requires a knowledge of where the client stores public keys, plus the

knowledge of what key editing and file format might be required by the client

application. However, if the first contact attempt between a client and the

switch does not pose a security problem, this is unnecessary.

To enable SSH on the switch.

Generate a public/private key pair if you have not already done so. (Refer

to “2. Generating the Switch’s Public and Private Key Pair” on page 6-10.)

Execute the

ip ssh

command.