Home » HP Manuals » Servers » HP 6120XG » Manual Viewer

HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 27

Security Guidelines, Configuration Details - user guide

Add to My Manuals
Save this manual to your list of manuals

Page 27 highlights

Security Overview Access Security Features Feature SSL SNMP Authorized IP Managers Secure Management VLAN TACACS+ Authentication RADIUS Authentication Default Setting Security Guidelines More Information and Configuration Details disabled Secure Socket Layer (SSL) and Transport Layer Security "Quick Start: Using the (TLS) provide remote Web browser access to the switch Management Interface via authenticated transactions and encrypted paths Wizard" on page 1-10 between the switch and management station clients Chapter 9, "Configuring capable of SSL/TLS operation. The authenticated type Secure Socket Layer (SSL)" includes server certificate authentication with user password authentication. public, unrestricted In the default configuration, the switch is open to access "SNMP Security Guidelines" by management stations running SNMP management on page 1-15 applications capable of viewing and changing the "Quick Start: Using the settings and status data in the switch's MIB Management Interface (Management Information Base). Thus, controlling Wizard" on page 1-10 SNMP access to the switch and preventing Management and unauthorized SNMP access should be a key element of Configuration Guide, your network security strategy. Chapter 14, refer to the section "Using SNMP Tools To Manage the Switch" none This feature uses IP addresses and masks to determine Chapter 15, "Using whether to allow management access to the switch Authorized IP Managers" across the network through the following : • Telnet and other terminal emulation applications • The switch's Web browser interface • SNMP (with a correct community name) disabled This feature creates an isolated network for managing Advanced Traffic the ProCurve switches that offer this feature. When a Management Guide, refer to secure management VLAN is enabled, CLI, Menu the chapter "Static Virtual interface, and Web browser interface access is LANs (VLANs)" restricted to ports configured as members of the VLAN. disabled This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch's serial (console) port or remotely, with Telnet. Chapter 5, "TACACS+ Authentication" If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access. disabled For each authorized client, RADIUS can be used to Chapter 6, "RADIUS authenticate operator or manager access privileges on Authentication and the switch via the serial port (CLI and Menu interface), Accounting" Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods. 1-5

Section	Page
Security Overview	23
Contents	23
Introduction	24
About This Guide	24
For More Information	24
Access Security Features	25
Network Security Features	29
Getting Started with Access Security	31
Physical Security	31
Quick Start: Using the Management Interface Wizard	32
SNMP Security Guidelines	37
Precedence of Security Options	39
Precedence of Port-Based Security Options	39
Precedence of Client-Based Authentication: Dynamic Configuration Arbiter	39
ProCurve Identity-Driven Manager (IDM)	43
Configuring Username and Password Security	44
Contents	44
Overview	46
Configuring Local Password Security	49
Menu: Setting Passwords	49
CLI: Setting Passwords and Usernames	51
Web: Setting Passwords and Usernames	52
SNMP: Setting Passwords and Usernames	52
Saving Security Credentials in a Config File	53
Benefits of Saving Security Credentials	53
Enabling the Storage and Display of Security Credentials	54
Security Settings that Can Be Saved	54
Local Manager and Operator Passwords	55
Password Command Options	55
SNMP Security Credentials	56
802.1X Port-Access Credentials	57
TACACS+ Encryption Key Authentication	58
RADIUS Shared-Secret Key Authentication	58
SSH Client Public-Key Authentication	59
Operating Notes	62
Restrictions	64
Front-Panel Security	66
When Security Is Important	66
Front-Panel Button Functions	67
Configuring Front-Panel Security	70
Password Recovery	75
Disabling or Re-Enabling the Password Recovery Process	75
Password Recovery Process	77
Web and MAC Authentication	78
Contents	78
Overview	80
Web Authentication	80
MAC Authentication	81
Concurrent Web and MAC Authentication	81
Authorized and Unauthorized Client VLANs	82
RADIUS-Based Authentication	83
Wireless Clients	83
How Web and MAC Authentication Operate	83
Web-based Authentication	84
MAC-based Authentication	86
Terminology	88
Operating Rules and Notes	89
Setup Procedure for Web/MAC Authentication	91
Before You Configure Web/MAC Authentication	91
Configuring the RADIUS Server To Support MAC Authentication	93
Configuring the Switch To Access a RADIUS Server	94
Configuring Web Authentication	97
Overview	97
Configuration Commands for Web Authentication	98
Show Commands for Web Authentication	105
Customizing Web Authentication HTML Files (Optional)	111
Implementing Customized Web-Auth Pages	111
Operating Notes and Guidelines	111
Customizing HTML Templates	112
Configuring MAC Authentication on the Switch	127
Overview	127
Configuration Commands for MAC Authentication	128
Show Commands for MAC-Based Authentication	131
Client Status	137
TACACS+ Authentication	138
Contents	138
Overview	139
Terminology Used in TACACS Applications:	140
General System Requirements	142
General Authentication Setup Procedure	142
Configuring TACACS+ on the Switch	145
Before You Begin	145
CLI Commands Described in this Section	146
Viewing the Switch’s Current Authentication Configuration	146
Viewing the Switch’s Current TACACS+ Server Contact Configuration	147
Configuring the Switch’s Authentication Methods	148
Configuring the TACACS+ Server for Single Login	150
Configuring the Switch’s TACACS+ Server Access	155
How Authentication Operates	161
General Authentication Process Using a TACACS+ Server	161
Local Authentication Process	163
Using the Encryption Key	164
Controlling Web Browser Interface Access When Using TACACS+ Authentication	165
Messages Related to TACACS+ Operation	166
Operating Notes	166
RADIUS Authentication, Authorization, and Accounting	168
Contents	168
Overview	170
Authentication Services	170
Accounting Services	171
RADIUS-Administered CoS and Rate-Limiting	171
RADIUIS-Administered Commands Authorization	171
SNMP Access to the Switch’s Authentication Configuration MIB	171
Terminology	172
Switch Operating Rules for RADIUS	173
General RADIUS Setup Procedure	174
Configuring the Switch for RADIUS Authentication	175
Outline of the Steps for Configuring RADIUS Authentication	176
1. Configure Authentication for the Access Methods You Want RADIUS To Protect	177
2. Enable the (Optional) Access Privilege Option	180
3. Configure the Switch To Access a RADIUS Server	181
4. Configure the Switch’s Global RADIUS Parameters	184
Using SNMP To View and Configure Switch Authentication Features	188
Changing and Viewing the SNMP Access Configuration	189
Local Authentication Process	191
Controlling Web Browser Interface Access	192
Commands Authorization	193
Enabling Authorization	194
Displaying Authorization Information	195
Configuring Commands Authorization on a RADIUS Server	195
VLAN Assignment in an Authentication Session	201
Tagged and Untagged VLAN Attributes	202
Additional RADIUS Attributes	203
Configuring RADIUS Accounting	204
Operating Rules for RADIUS Accounting	206
Steps for Configuring RADIUS Accounting	206
Viewing RADIUS Statistics	213
General RADIUS Statistics	213
RADIUS Authentication Statistics	215
RADIUS Accounting Statistics	216
Changing RADIUS-Server Access Order	217
Messages Related to RADIUS Operation	220
Configuring Secure Shell (SSH)	221
Contents	221
Overview	222
Terminology	223
Prerequisite for Using SSH	225
Public Key Formats	225
Steps for Configuring and Using SSH for Switch and Client Authentication	226
General Operating Rules and Notes	228
Configuring the Switch for SSH Operation	229
1. Assigning a Local Login (Operator) and Enable (Manager) Password	230
2. Generating the Switch’s Public and Private Key Pair	230
3. Providing the Switch’s Public Key to Clients	233
4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior	235
5. Configuring the Switch for SSH Authentication	240
6. Use an SSH Client To Access the Switch	244
Further Information on SSH Client Public-Key Authentication	244
Messages Related to SSH Operation	250
Logging Messages	251
Debug Logging	252
Configuring Secure Socket Layer (SSL)	253
Contents	253
Overview	254
Terminology	255
Prerequisite for Using SSL	257
Steps for Configuring and Using SSL for Switch and Client Authentication	257
General Operating Rules and Notes	258
Configuring the Switch for SSL Operation	259
1. Assigning a Local Login (Operator) and Enabling (Manager) Password	259
2. Generating the Switch’s Server Host Certificate	260
3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior	269
Common Errors in SSL setup	273
Configuring Advanced Threat Protection	274
Contents	274
Introduction	276
DHCP Snooping	277
Overview	277
Enabling DHCP Snooping	278
Enabling DHCP Snooping on VLANS	280
Configuring DHCP Snooping Trusted Ports	281
Configuring Authorized Server Addresses	282
Using DHCP Snooping with Option 82	282
The DHCP Binding Database	285
Operational Notes	286
Log Messages	287
Dynamic ARP Protection	289
Introduction	289
Enabling Dynamic ARP Protection	291
Configuring Trusted Ports	291
Adding an IP-to-MAC Binding to the DHCP Database	293
Configuring Additional Validation Checks on ARP Packets	294
Verifying the Configuration of Dynamic ARP Protection	294
Displaying ARP Packet Statistics	295
Monitoring Dynamic ARP Protection	296
Dynamic IP Lockdown	296
Protection Against IP Source Address Spoofing	297
Prerequisite: DHCP Snooping	297
Filtering IP and MAC Addresses Per-Port and Per-VLAN	298
Enabling Dynamic IP Lockdown	299
Operating Notes	299
Adding an IP-to-MAC Binding to the DHCP Binding Database	301
Verifying the Dynamic IP Lockdown Configuration	302
Displaying the Static Configuration of IP-to-MAC Bindings	303
Debugging Dynamic IP Lockdown	304
Using the Instrumentation Monitor	306
Operating Notes	307
Configuring Instrumentation Monitor	308
Viewing the Current Instrumentation Monitor Configuration	310
Traffic/Security Filters and Monitors	311
Contents	311
Overview	312
Introduction	312
Filter Limits	312
Using Port Trunks with Filters	312
Filter Types and Operation	313
Source-Port Filters	314
Named Source-Port Filters	316
Configuring Traffic/Security Filters	325
Configuring a Source-Port Traffic Filter	326
Editing a Source-Port Filter	328
Filter Indexing	329
Displaying Traffic/Security Filters	330
Configuring Port-Based and User-Based Access Control (802.1X)	331
Contents	331
Overview	333
Why Use Port-Based or User-Based Access Control?	333
General Features	333
User Authentication Methods	334
Terminology	336
General 802.1X Authenticator Operation	339
Example of the Authentication Process	339
VLAN Membership Priority	340
General Operating Rules and Notes	342
General Setup Procedure for 802.1X Access Control	344
Do These Steps Before You Configure 802.1X Operation	344
Overview: Configuring 802.1X Authentication on the Switch	347
Configuring Switch Ports as 802.1X Authenticators	348
1. Enable 802.1X Authentication on Selected Ports	349
2. Reconfigure Settings for Port-Access	351
3. Configure the 802.1X Authentication Method	354
4. Enter the RADIUS Host IP Address(es)	355
5. Enable 802.1X Authentication on the Switch	355
6. Optional: Reset Authenticator Operation	356
7. Optional: Configure 802.1X Controlled Directions	356
802.1X Open VLAN Mode	359
Introduction	359
VLAN Membership Priorities	360
Use Models for 802.1X Open VLAN Modes	361
Operating Rules for Authorized-Client and Unauthorized-Client VLANs	366
Setting Up and Configuring 802.1X Open VLAN Mode	370
802.1X Open VLAN Operating Notes	374
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices	375
Port-Security	376
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches	377
Example	377
Supplicant Port Configuration	379
Displaying 802.1X Configuration, Statistics, and Counters	381
Show Commands for Port-Access Authenticator	381
Viewing 802.1X Open VLAN Mode Status	390
Show Commands for Port-Access Supplicant	394
How RADIUS/802.1X Authentication Affects VLAN Operation	395
VLAN Assignment on a Port	396
Operating Notes	396
Example of Untagged VLAN Assignment in a RADIUS- Based Authentication Session	398
Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions	401
Messages Related to 802.1X Operation	403
Configuring and Monitoring Port Security	404
Contents	404
Overview	406
Port Security	407
Basic Operation	407
Eavesdrop Protection	408
Blocking Unauthorized Traffic	408
Trunk Group Exclusion	409
Planning Port Security	410
Port Security Command Options and Operation	411
Configuring Port Security	415
Retention of Static Addresses	420
MAC Lockdown	425
Differences Between MAC Lockdown and Port Security	427
Deploying MAC Lockdown	429
MAC Lockout	429
Port Security and MAC Lockout	432
Web: Displaying and Configuring Port Security Features	433
Reading Intrusion Alerts and Resetting Alert Flags	433
Notice of Security Violations	433
How the Intrusion Log Operates	434
Keeping the Intrusion Log Current by Resetting Alert Flags	435
Using the Event Log To Find Intrusion Alerts	439
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags	440
Operating Notes for Port Security	441
Using Authorized IP Managers	443
Contents	443
Overview	444
Options	445
Access Levels	445
Defining Authorized Management Stations	446
Overview of IP Mask Operation	446
Menu: Viewing and Configuring IP Authorized Managers	447
CLI: Viewing and Configuring Authorized IP Managers	448
Web: Configuring IP Authorized Managers	451
Web Proxy Servers	451
Web-Based Help	452
Building IP Masks	452
Configuring One Station Per Authorized Manager IP Entry	452
Configuring Multiple Stations Per Authorized Manager IP Entry	453
Additional Examples for Authorizing Multiple Stations	455
Operating Notes	455
Numerics	457
A	459
B	459
C	459
D	460
E	462
F	462
G	462
H	462
I	462
L	462
M	462
N	463
O	463
P	463
R	464
S	465
T	467
U	468
V	468

Match case Limit results 1 per page

1-5

Security Overview

Access Security Features

SSL

disabled

Secure Socket Layer (SSL) and Transport Layer Security

(TLS) provide remote Web browser access to the switch

via authenticated transactions and encrypted paths

between the switch and management station clients

capable of SSL/TLS operation. The authenticated type

includes server certificate authentication with user

password authentication.

“Quick Start: Using the

Management Interface

Wizard” on page 1-10

Chapter 9, “Configuring

Secure Socket Layer (SSL)”

SNMP

public,

unrestricted

In the default configuration, the switch is open to access

by management stations running SNMP management

applications capable of viewing and changing the

settings and status data in the switch’s MIB

(Management Information Base). Thus, controlling

SNMP access to the switch and preventing

unauthorized SNMP access should be a key element of

your network security strategy.

“SNMP Security Guidelines”

on page 1-15

“Quick Start: Using the

Management Interface

Wizard” on page 1-10

Management and

Configuration Guide,

Chapter 14,

refer to the

section

“Using SNMP Tools

To Manage the Switch”

Authorized IP

Managers

none

This feature uses IP addresses and masks to determine

whether to allow management access to the switch

across the network through the following :

•

Telnet and other terminal emulation applications

•

The switch’s Web browser interface

•

SNMP (with a correct community name)

Chapter 15, “Using

Authorized IP Managers”

Secure

Management

VLAN

disabled

This feature creates an isolated network for managing

the ProCurve switches that offer this feature. When a

secure management VLAN is enabled, CLI, Menu

interface, and Web browser interface access is

restricted to ports configured as members of the VLAN.

Advanced Traffic

Management Guide,

refer to

the chapter

“Static Virtual

LANs (VLANs)”

TACACS+

Authentication

disabled

This application uses a central server to allow or deny

access to TACACS-aware devices in your network.

TACACS+ uses username/password sets with

associated privilege levels to grant or deny access

through either the switch’s serial (console) port or

remotely, with Telnet.

If the switch fails to connect to a TACACS+ server for the

necessary authentication service, it defaults to its own

locally configured passwords for authentication control.

TACACS+ allows both login (read-only) and enable

(read/write) privilege level access.

Chapter 5, “TACACS+

Authentication”

RADIUS

Authentication

disabled

For each authorized client, RADIUS can be used to

authenticate operator or manager access privileges on

the switch via the serial port (CLI and Menu interface),

Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP)

access methods.

Chapter 6, “RADIUS

Authentication and

Accounting”

Feature

Default

Setting

Security Guidelines

More Information and

Configuration Details