HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide
HP 6120XG Manual
HP 6120XG manual content summary:
- HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 1
ProCurve Series 6120 Switches Access Security Guide November 2010 Version Z.14.22 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 2
- HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 3
HP ProCurve 6120G/XG Switch 6120XG Switch November 2010 Z.14.22 Access Security Guide - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 4
Applicable Products HP ProCurve Switch 6120G/XG HP ProCurve Switch 6120XG (498358-B21 connection with the furnishing, performance, or use of this material. The only warranties for HP products and services See the Customer Support/Warranty information at http://www.hp.com/#Support. A copy of - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 5
Switch Manual Set xix Printed Publications xix Electronic Publications xix Software Feature Index xx 1 Security Overview Contents 1-1 Introduction 1-2 About This Guide 17 Precedence of Client-Based Authentication: Dynamic Configuration Arbiter 1-17 Network Immunity Manager 1-18 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 6
Security Is Important 2-23 Front-Panel Button Functions 2-24 Clear Button 2-25 Reset Button 2-25 Restoring the Factory Default Configuration 2-25 Configuring Front-Panel Security 2-27 Disabling the Clear Password Function of the Clear Button . . . 2-29 Re-Enabling the Clear Button and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 7
Enabling the Password Recovery Process 2-32 Password Recovery Configure Web/MAC Authentication 3-14 Configuring the RADIUS Server To Support MAC Authentication . . 3-17 Configuring the Switch To Access a RADIUS Server 3-17 Configuring Web Authentication 3-20 Overview 3-20 Configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 8
Commands for MAC Authentication 3-51 Configuring the Global MAC Authentication Password 3-51 Configuring a MAC-based Address Format 3- the Switch's Current Authentication Configuration 4-9 Viewing the Switch's Current TACACS+ Server Contact Configuration 4-10 Configuring the Switch's - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 9
Contents 5-1 Overview 5-3 Authentication Services 5-3 Accounting Services 5-4 RADIUS-Administered CoS and Rate-Limiting 5-4 RADIUIS-Administered Commands Authorization 5-4 SNMP Access to the Switch's Authentication Configuration MIB . . . 5-4 Terminology 5-5 Switch Operating Rules for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 10
5-59 Changing RADIUS-Server Access Order 5-60 Messages Related to RADIUS Operation 5-63 6 Configuring RADIUS Server Support for Switch Services Contents 6-1 Overview 6-3 RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting 6-4 Applied Rates for RADIUS - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 11
(92) In an IPv4 ACL . . . 6-20 Example of Configuring a RADIUS-assigned ACL Using the FreeRADIUS Application 6-21 Format Details for ACEs Configured in a RADIUS-Assigned ACL 6-23 Configuration Notes 6-24 Configuring the Switch To Support RADIUS-Assigned ACLs 6-24 Displaying the Current - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 12
a Local Login (Operator) and Enable (Manager) Password 7-10 2. Generating the Switch's Public and Private Key Pair 7-10 Configuring Key Lengths 7-13 3. Providing the Switch's Public Key to Clients 7-13 4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior 7-15 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 13
Switch Resource Usage 9-17 Prioritizing and Monitoring ACL and QoS, Feature Usage . . . . . 9-17 ACL Resource Usage and Monitoring 9-17 Rule Usage 9-18 Managing ACL Resource Consumption 9-19 Oversubscribing Available Resources 9-19 Troubleshooting a Shortage of Resources 9-19 Example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 14
and Assigning a Numbered, Standard ACL 9-40 Configuring and Assigning a Numbered, Extended ACL 9-45 Configuring a Named ACL 9-51 Enabling or Disabling ACL Filtering on an Interface 9-53 Deleting an ACL from the Switch 9-54 Displaying ACL Data 9-55 Display an ACL Summary 9-55 Display - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 15
for Using ACL Logging 9-68 ACL Logging Operation 9-69 Enabling ACL Logging on the Switch 9-69 Operating Notes for ACL Logging 9-71 General ACL Operating Notes 9-72 10 Configuring Advanced Threat Protection Contents 10-1 Introduction 10-3 DHCP Snooping 10-4 Overview 10-4 Enabling - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 16
IP Lockdown 10-31 Using the Instrumentation Monitor 10-33 Operating Notes 10-34 Configuring Instrumentation Monitor 10-35 Examples 10-36 Viewing the Current Instrumentation Monitor Configuration . . . . . 10-37 11 Traffic/Security Filters and Monitors Contents 11-1 Overview 11 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 17
12-15 Overview: Configuring 802.1X Authentication on the Switch . . . . . 12-18 Configuring Switch Ports as 802.1X Authenticators 12-19 1. Enable 802.1X Authentication on Selected Ports 12-20 A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 18
.1X-Authenticated Devices 12-48 Port-Security 12-49 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 12-50 Example 12-50 Supplicant Port Configuration 12-52 Displaying 802.1X Configuration, Statistics, and Counters . . . . 12-54 Show Commands for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 19
MAC Lockdown Operating Notes 13-27 Deploying MAC Lockdown 13-28 MAC Lockout 13-28 Port Security and MAC Lockout 13-31 Web: Displaying and Configuring Port Security Features 13-32 Reading Intrusion Alerts and Resetting Alert Flags 13-32 Notice of Security Violations 13-32 xvii - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 20
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 13-39 Operating Notes for Port Security Configuring Authorized IP Managers 14-6 Listing the Switch's Current Authorized IP Manager(s 14-6 Configuring IP Authorized Managers for the Switch 14-7 Web: Configuring - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 21
Building IP Masks 14-10 Configuring One Station Per Authorized Manager IP Entry 14-10 Configuring Multiple Stations Per Authorized Manager IP Entry . . 14-11 Additional Examples for Authorizing Multiple Stations 14-13 Operating Notes 14-13 Index xix - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 22
xx - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 23
IGMP and IP routing features. ■ Access Security Guide-Explains how to configure access security fea tures and user authentication on the switch. ■ IPv6 Configuration Guide-Describes the IPv6 protocol operations that are supported on the switch. ■ Release Notes-Describe new features, fixes, and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 24
HP 6120XG switch, Pre mium License features can be acquired by purchasing the optional Premium License and installing it on the switch. Premium License Software Features Converged Enhanced Ethernet (CEE) Manual Management Advanced Multicast and and Traffic Routing Configuration Management - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 25
MDIX Configuration X BOOTP X CEE (Converged Enhanced Ethernet) (6120XG only) X Config File X Console Access X Copy Command X CoS (Class of Service) X Debug X DHCP Configuration X DHCP Option 82 X DHCP/Bootp Operation X DHCP Snooping Diagnostic Tools X Downloading Software - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 26
Management Applications (SNMP) Passwords and Password Clear Protection ProCurve Manager (PCM) Ping Port Configuration Port Monitoring Port Security Port Status Port Trunking (LACP) Port-Based Access Control (802.1X) Protocol VLANS Quality of Service (QoS) Manual Management Advanced Multicast and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 27
Telnet Access TFTP Time Protocols (TimeP, SNTP) Troubleshooting Uni-Directional Link Detection (UDLD) Uplink Failure Detection VLANs Voice VLAN Web Authentication RADIUS Support Web-based Authentication Manual Management Advanced Multicast and and Traffic Routing Configuration Management - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 28
Intelligent Edge Software Features Web UI Manual Management Advanced Multicast and and Traffic Routing Configuration Management X Access Security Guide xxiv - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 29
Security Overview Contents 1 Contents Introduction 1-2 About This Guide 1-2 For More Information 1-2 Access Security Features 1-3 Options 1-17 Precedence of Client-Based Authentication: Dynamic Configuration Arbiter 1-17 Network Immunity Manager 1-18 Arbitrating Client-Specific - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 30
provided. Before you connect your switch to a network, ProCurve Configuration Guide for your switch. For information on which product manual to consult for a specific software feature, refer to the "Software Feature Index" on page xx of this guide. For the latest version of all HP ProCurve switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 31
1-10 for details. Table 1-1. Access Security and Switch Authentication Features Default Setting Security Guidelines More Information and Configuration Details no password Configuring a local Manager password is a fundamental "Configuring Local step in reducing the possibility of unauthorized - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 32
and Also, access security on the switch is incomplete Configuration Guide. without disabling Telnet and the standard Web "Configuring switch. Only a client with a private key that matches Secure Shell (SSH)" a stored public key can gain access to the switch. • switch SSH and user password - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 33
authentication with user password authentication. public, unrestricted In the default configuration, the switch is open to If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 34
services. Included in the general features are the following: • user-based access control supporting up to 32 authenticated clients per port • port-based access control allowing authentication by a single client to open the port • switch operation as a supplicant for point-to-point connections - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 35
provide a secure alternative to TFTP and auto-TFTP for transferring sensitive information such as configuration files and log information between the switch and other devices. Management and Configuration Guide, Appendix A "File Transfers", refer to the section "Using Secure Copy and SFTP" These - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 36
your switch from malicious Advanced Traffic attacks or configuration errors: Management Guide, refer to • BPDU Filtering and BPDU Protection: Protects the the chapter "Multiple network from denial-of-service attacks that use Instance Spanning-Tree spoofing BPDUs by dropping incoming BPDU frames - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 37
. ■ use of the switch's USB port for file transfers and autorun capabilities. ■ use of the switch's Clear and Reset buttons for these actions: • clearing (removing) local password protection • rebooting the switch • restoring the switch to the factory default configuration (and erasing any non - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 38
any local usernames and passwords. ■ Modify the operation of the Reset+Clear button combination so that the switch reboots, but does not restore the switch's factory default settings. ■ Disable or re-enable password recovery. For the commands used to configure the Clear and Reset buttons, refer - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 39
quit the wizard without saving any changes. Press ? for help. Operator password Manager password [not configured]: Confirm password: [*******]: Type in a new value to change a setting, or for no), then press [Enter]. [yes]: Figure 1-1. Example of Management Interface Wizard Configuration 1-11 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 40
wizard displays the summary configuration together with a prompt to save the changes (see Figure 1-1 on page 1-11 for an example). 3. When the message a password has been configured on the switch, you cannot remove it using the CLI wizard. Passwords can be removed by executing the no password command - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 41
to configure security settings, with on-screen instructions for each option. • Advanced-provides a single summary screen in which to configure all the alert and then advance through the following setup pages: Operator Password, Manager Password, SNMP, Telnet, SSH, Web Management GUI, Timeout (see - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 42
Access Security 4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. ■ If you click on the Web interface's navigation tab during setup, all configuration changes will be lost. ■ When you restrict SNMP access to SNMPv3 only, the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 43
be a key element of your network security strategy. General SNMP Access to the Switch. The switch supports SNMP versions 1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 44
To View and Configure Switch Authentication Features" on page 5-30. For more information on configuring SNMP, refer to the section "Using SNMP Tools To Manage the Switch" in the chapter "Configuring for Network Management Applications" in the Management and Configuration Guide for your switch. 1-16 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 45
model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port. 1. Disabled/Enabled physical port 2. MAC lockout (Applies to all ports on the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 46
to the parameter. In this way, NIM allows you to minimize network problems without manual intervention. NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client's MAC address is known - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 47
-assigned and statically configured parameters are supported and if they are supported on a per-port configured parameters over RADIUS-assigned and locally configured parameters. For information on Network Immunity Manager, go to the HP and overrides statically configured local passwords. 802.1X - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 48
supports conflict resolution for QoS (port-based CoS priority) and rate-limiting (ingress) by determining whether to configure either strict or non-strict resolution on a switch-wide basis. For example ■ Statically (local) configured: "Configuring Username and Password Security" on page 2-1. 1-20 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 49
a system administrator can configure automatic and dynamic security to operate at the network edge when a user connects to the network. This network ■ time of day Responses can be configured to support the networking requirements, user (SNMP) community, service needs, and access security level for a - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 50
Security Overview ProCurve Identity-Driven Manager (IDM) 1-22 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 51
-Panel Security 2-23 When Security Is Important 2-23 Front-Panel Button Functions 2-24 Clear Button 2-25 Reset Button 2-25 Restoring the Factory Default Configuration 2-25 Configuring Front-Panel Security 2-27 Disabling the Clear Password Function of the Clear Button . . . 2-29 2-1 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 52
Configuring Username and Password Security Contents Re-Enabling the Clear Button and Setting or Changing the "Reset-On-Clear" Operation 2-30 Changing the Operation of the Reset+Clear Combination . . . . . 2-31 Password Recovery 2-32 Disabling or Re-Enabling the Password Recovery Process 2-32 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 53
Notes Overview Configuring Username and Password Security Overview Feature Set Usernames Set a Password Delete Password Protection show front-panel-security front-panel-security password-clear reset-on-clear factory-reset password-recovery Default Menu none - none page 2-6 n/a page 2-7 n/a - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 54
Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available. *Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the Manager password. To configure password security: 1. Set - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 55
will appear indicating that (USB) autorun has been disabled. For more information on the autorun feature, refer to the Appendix A on "File Transfers" in the Manage ment and Configuration Guide for your switch. If the switch has neither a Manager nor an Operator password, anyone having access to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 56
the new pass word and press [Enter]. After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt you for the username, and then the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 57
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass words (Manager and Operator). If you have physical access to the switch, press and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 58
guide. Syntax: [ no ] password [ user-name ASCII-STR ] [ ASCII-STR] • Password entries appear as asterisks. • You must type the password entry twice. Figure 2-2. Example of Configuring Manager and Operator Passwords To Remove Password - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 59
. 3. Implement the usernames and passwords by clicking on [Apply Changes]. SNMP: Setting Passwords and Usernames Usernames and passwords for Manager and Operator access can also be configured using SNMP. For more information, refer to "Using SNMP To View and Configure Switch Authentication Features - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 60
having to manually configure the settings (except for SNMPv3 user parameters) on each switch. ■ By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 61
Security Saving Security Credentials in a Config File ■ The chapter on "Switch Memory and Configuration" in the Management and Configuration Guide. ■ "Configuring Local Password Security" on page 2-6 in this guide. Enabling the Storage and Display of Security Credentials To enable the security - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 62
or clear ASCII text. For example, a manager username and password may be stored in a running config file as follows: password manager user-name George SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 Caution Use the write memory command to save the password configurations in the startup-config file - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 63
Configuring Username and Password Security Saving Security Credentials in a Config File user-name : the optional text string of the user name associated with the password. : specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1 < - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 64
Configuring Username and Password Security Saving Security Credentials in a Config File [priv ] is the (optional) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station. The following example shows the additional security - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 65
passwords configured on the switch. When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults authentication method for users who request access to a switch through Telnet, - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 66
use SSH public keys to authenticate SSH clients that try to connect to the switch, refer to "Configuring Secure Shell (SSH)" on page 7-1 in this guide. The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 67
end of each line. The ip ssh public-key command allows you to configure only one SSH client public-key at a time. The ip ssh public-key command behavior includes an implicit append that never overwrites existing public-key configurations on a running switch. If you download a software configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 68
+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= [email protected]" ... Figure 2-5. Example of SSH Public Keys If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to ten SSH client public - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 69
Operating Notes Configuring Username and Password Security Saving Security Credentials in a Config File ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 70
on the front panel, the manager and operator usernames and passwords are deleted from the running configuration. However, the switch does not reboot after the local passwords are erased. (The reset-on-clear option normally reboots the switch when you press the Clear button.) For more information - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 71
passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with the privi leges you want. • Only the snmpv3 user credentials from the SNMPv3 settings in a downloaded configuration file are loaded on the switch, for example: snmpv3 user - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 72
file by using the include-credentials command. Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch. For more information about how to use the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 73
are designed to prevent malicious users from: ■ Resetting the password(s) by pressing the Clear button ■ Restoring the factory default configuration by using the Reset+Clear button combination. ■ Gaining management access to the switch by having physical access to the switch itself When Security Is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 74
Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions This section - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 75
Button for Five Seconds To Reset the Password(s) Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Clear Reset Figure 2-9. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 76
the Reset button. Clear Reset 4. If the Clear button is held for greater then 2.5 seconds, configuration will be cleared, and the switch will reboot. It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch config uration to the factory default settings - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 77
alone, but does not affect the operation of the Reset+Clear combination described under "Restor ing the Factory Default Configuration" on page 2-25.) • Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 78
, you will have to use the Reset and Clear buttons (page 2-25) to reset the switch to its factory-default configuration and create a new password. For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. Figure - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 79
usernames and passwords. (Default: Enabled.) Note: Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration, as described under "Restoring the Factory Default Configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 80
the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration. You can then get access to the switch to set a new password. For example, suppose that password-clear is disabled and you want - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 81
use this button combination to replace the switch's current configu ration with the factory-default configuration, and render the switch acces sible without the need to input a username or password. You can use the factory-reset command to prevent the Reset+Clear combination from being used for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 82
the only method for recovering from a lost manager username (if configured) and password is to reset the switch to its factory-default configuration, which removes any nondefault configuration settings. Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 83
other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch. Syntax: [no] front-panel-security password-recovery Enables - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 84
locks out the ability to recover a manager username/password pair on the switch, then the only way to recover from a lost manager username/password pair is to use the Reset+Clear button combination described under "Restoring the Factory Default Configuration" on page 2-25. This can disrupt network - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 85
Authentication 3-14 Before You Configure Web/MAC Authentication 3-14 Configuring the RADIUS Server To Support MAC Authentication . . 3-17 Configuring the Switch To Access a RADIUS Server 3-17 Configuring Web Authentication 3-20 Overview 3-20 Configuration Commands for Web Authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 86
Web and MAC Authentication Contents Overview 3-50 Configuration Commands for MAC Authentication 3-51 Configuring the Global MAC Authentication Password 3-51 Configuring a MAC-based Address Format 3-53 Show Commands for MAC-Based Authentication 3-55 Client Status 3-62 3-2 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 87
login to authen ticate users for access to the network. When a client connects to the switch and opens a web browser, the switch automatically presents a login page. A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 88
the client connects to the network, you can use MAC-Auth to "lock" a particular device to a specific switch and port. 802.1X port-access, Web authentication, and MAC authentication can be configured at the same time on the same port. A maximum of 32 clients is supported on the port. (The default is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 89
untagged VLAN. (If you want the switch to simultaneously support multiple client sessions in different VLANs for a network application, design your system so that clients request network access on different switch ports.) In the default configuration, the switch blocks access to all clients that the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 90
VLAN to support an authenticated client. When a RADIUS server authenticates a client, the switch-port membership during the client's connection is determined according to the following hierarchy: 1. A RADIUS-assigned VLAN 2. An authorized VLAN specified in the Web- or MAC-Auth configuration for the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 91
is presented for the client to enter their username and password. The default User Login screen is shown in Figure 3-1. Figure 3-1. Example of Default User Login Screen When a client connects to the switch, it sends a DHCP request to receive an IP address to connect to the network. To avoid address - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 92
1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 93
MAC-based Authentication When a client connects to a MAC-Auth enabled port, traffic is blocked. The switch immediately submits the client's MAC or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN. 4. If neither 1, - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 94
given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthenti -timeout parameter sets how long the switch waits to receive a response from the port remains in its original VLAN configuration. Should another client successfully authenticate - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 95
is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 96
Rules and Notes Port Access Management Operating Rules and Notes ■ The switch supports concurrent 802.1X, Web and MAC authentication operation on a is not enabled on the port. For example, be sure that Port Security is disabled on a port before configuring the port for Web or MAC Authentication. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 97
-client session. ■ When a port on the switch is configured for Web or MAC Authentication and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection. ■ When a port on the switch is configured as a Web- or MAC-based authenticator, it - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 98
You Configure Web/MAC Authentication 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, ProCurve recommends that you use a local user name and password pair - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 99
3-4. Example of show port-access config Command Output 3. Determine whether any VLAN assignments are needed for authenticated clients. a. If you configure the client session, if you choose to configure one. This must be a port-based, statically configured VLAN on the switch. c. If there is neither a - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 100
example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure username and password fields of the RADIUS policy configuration for that device. Also, if you want to allow a particular device to receive authentication only through a designated port and switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 101
username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access. The switch provides four format options: aabbccddeeff (the default the minimal commands for configuring a RADIUS server to support Web-Auth and MAC - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 102
does not have a server-specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. (Default: Null.) Syntax: radius-server host < ip-address > key [no] radius-server host < ip - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 103
Web and MAC Authentication Setup Procedure for Web/MAC Authentication For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of '1A7rd' Figure 3-5. Example of Configuring a Switch To Access a RADIUS Server 3-19 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 104
If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support Web-Auth on the switch. 5. Configure the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 105
incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenticated egress port that has not yet transitioned to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 106
-directions in command) is supported only if: ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network. The port is configured as an edge port in - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 107
the switch. For information about how to configure and use 802.1X authentication, refer to Chapter 12, "Configuring Port-Based and User-Based Access Control (802.1X)". ■ When a web-authenticated port is configured with the controlled-directions in setting, eavesdrop prevention is not supported on - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 108
Authentication Configuring Web set the auth-vid to 0. (Default: 0). Syntax: aaa port-access web-based [clear-statistics] Clears (resets to 0) all counters used to monitor authenticated clients to allow on the port. (Default: 1) Note: On switches where Web Auth and 802.1X can operate concurrently, - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 109
stored. A maximum of 3 web servers may be configured on the switch. The optional parameter defines the directory path on the server where all customized login web pages (graphics, HTML frames, and HTML files) are stored. (Default: The default value is "/" for root directory - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 110
before authentication fails. This allows the reentry of the user name and password if necessary. (Default: 3) Syntax: aaa port-access web-based [quiet-period ] Specifies the time period (in seconds) the switch uses before sending an authentication request for a client that - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 111
Configuring Web Authentication Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 112
. If the switch supports MAC-based (untagged) VLANs, MAC-based is displayed to show that multiple untagged VLANs are configured for authentication sessions. • If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No) • If client-specific per-port CoS (Class of Service) values are - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 113
MAC Authentication Configuring Web Authentication Yes Port COS -------70000000 Yes No Cntrl Dir ------ Figure 3-8. Example of show port-access web-based Command Output Syntax: show name, and address for each web-authenticated client on the switch. The IP address displayed is taken from the DHCP - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 114
Configuring Web Authentication Syntax: show port-access web-based clients detailed Displays detailed information on the status of web-authenticated client sessions on specified switch : 98 : 100 Figure 3-10. Example of show port-access web-based clients detailed Command Output 3-30 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 115
configured Web Authentication settings for all switch ports or specified ports, including: • Temporary DHCP base address and mask • Support default VLAN ID is used unless overridden by a RADIUS-assigned value. ProCurve (config)# show port-access web-based config Port Access Web-Based Configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 116
show port-access web-based config 1 detailed Port Access Web-Based Detailed Configuration Port : 1 Client Limit : 1 Logoff Period : 300 Web-based enabled Max Retries : 3 Redirect URL : ... SSL Enabled : No Figure 3-12. Example of show port-access web-based config detail Command Output 3-32 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 117
based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 118
) The Web Authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be: ■ Generic, default pages generated directly by the switch software ■ Customized pages hosted on a local web server. By creating customized login web - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 119
HTML Files (Optional) ■ To configure a web server on your network, follow the instructions in the documentation provided with the an HTML file. The switch passes the request to a configured web server. ii. The web server responds by sending a customized HTML page to the switch. Each ESI call in - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 120
set of the templates can be found on the download page for 'K' software. File Name Page index.html User Login Page (index.html). Figure 3-14. User Login Page The index.html file is the first login page displayed, in which a client requesting access to the network enters a username and password - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 121
must first log in. Username: Password: - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 122
valid username and password are entered and accepted. The client device is then granted access to the network. To configure the switch to redirect an authenticated client while the client renews its IP address and gains access to the network. ■ The WAUTHREDIRECTURLGET ESI inserts the URL configured - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 123
tag below will be replaced with the time in seconds until the page redirects. --> You have been authenticated. Please wait seconds while network connection refreshes itself. Figure 3-17. HTML Code for Access Granted Page Template 3-39 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 124
). Figure 3-18. Authenticating Page The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified. Authenticating - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 125
client sessions. You can configure the VLAN used by unauthorized clients with the aaa port-access web-based unauth-vid command when you enable Web Authentication. The WAUTHREDIRECTTIMEGET ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 126
>Invalid Credentials Your credentials were not accepted. However, you have been granted guest account status. Please wait seconds while network connection refreshes itself. Figure 3-21. HTML Code for Invalid Credentials Page Template 3-42 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 127
timeout.html file is the web page used to return an error message if the RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 128
entered an invalid username and/or password, and is given another opportunity to log in. The WAUTHRETRIESLEFTGET ESI displays the number of login retries that remain for a client that entered invalid login credentials. You can configure the number of times that a client can enter their user name and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 129
Web Authentication Template retry_login.html --> Invalid Credentials user back to the login page. --> Invalid Credentials - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 130
SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable secure SSL-based Web Authentication by entering the aaa port-access web-based SSLenabled port on a server to verify the client's username and password. This ESI should not be modified. 3-46 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 131
and MAC Authentication Customizing Web Authentication HTML Files (Optional) User Login SSL Redirect - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 132
to block an unauthorized client from attempting another login. To specify the time period before a new authentication request can be received by the switch, configure a value for the aaa port-access web-based quiet-period command when you enable Web Authentication. This ESI should not be modified - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 133
Web Authentication Template reject_novlan.html --> Access Denied user back to the login page. --> - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 134
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 135
Configuring the Global MAC Authentication Password MAC authentication only requires that an entry is placed in the user database with the device's MAC address as both the username and the password, creating the opportunity for malicious device spoofing using - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 136
Figure 3-30. Example of Configuring a Global MAC Authentication Password Note The password value will display in an exported config file when include-credentials is enabled. 3-52 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 137
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring a MAC-based Address Format Syntax: aaa must match the format used to store the MAC addresses in the RADIUS server. (Default: no-delimiter) no-delimiter - specifies an aabbccddeeff format. single-dash - specifies an - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 138
disabled, the switch does not allow moves and when one does occur, the user will be forced to reauthenticate. At least two ports (from port(s) and to port(s)) must be specified. Use the no form of the command to disable MAC address moves between ports under MAC Auth control. (Default: disabled - no - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 139
Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [reauth-period ] Specifies the time period (in seconds) that the switch max-requests value, the switch sends a new attempt or ends the authentication session. (Default: 30 seconds) aaa port- - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 140
. If the switch supports MAC-based (untagged) VLANs, MAC-based is displayed to show that multiple untagged VLANs are configured for authentication sessions. • If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No) • If client-specific per-port CoS (Class of Service) values are - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 141
Configuring MAC Authentication on the Switch Syntax: show port-access mac-based clients [port-list] Displays the session status, name, and address for each MAC-authenticated client on the switch n/a authenticating Figure 3-32. Example of show port-access mac-based clients Command Output 3-57 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 142
MAC Authentication Configuring MAC Authentication on the Switch Syntax: show Client Base Details : Port : 1 Session Status : authenticated Username : client1 IP : n/a Session Time(sec) : 6 MAC : 100 Figure 3-33. Example of show port-access mac-based clients detail Command Output 3-58 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 143
currently configured MAC Authentication settings for all switch ports or specified ports, including: • MAC address format • Support for default VLAN ID is used unless overridden by a RADIUS-assigned value. ProCurve (config)# show port-access mac-based config Port Access MAC-Based Configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 144
Configuring MAC Authentication on the Switch Syntax Configuration Port : 1 Client Limit : 1 Logoff Period : 300 Web-based enabled : Yes Client Moves : No Re-Auth Period : 0 Unauth VLAN ID : 0 Auth VLAN ID : 0 Max Requests : 3 Server Timeout : 30 Quiet Period : 60 Figure 3-35. Example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 145
based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 146
Available Network Connection Possible Explanations Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires. Switch only Pending period expires credentials are resubmitted when client generates traffic. Switch only Waiting for user credentials. 3-62 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 147
You Begin 4-8 CLI Commands Described in this Section 4-9 Viewing the Switch's Current Authentication Configuration 4-9 Viewing the Switch's Current TACACS+ Server Contact Configuration 4-10 Configuring the Switch's Authentication Methods 4-11 Using the Privilege-Mode Option for Login - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 148
Example of TACACS+ Operation TACACS+ in the switches covered in this guide manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 149
Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 150
must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to chapter 2, "Configuring Username and Password Security".) • TACACS+ Authentication: This method enables you to use a TACACS+ server in your network to assign a unique password, user name - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 151
TACACS+ service before users, including yourself, out of access to a switch. While recovery is simple, it may pose an inconvenience that can be avoided. To prevent an unintentional lockout on the switch, use a procedure that configures and tests TACACS+ protection for one access type (for example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 152
a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ Operation" in the Troubleshooting chapter of the Management and Configuration Guide for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 153
that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet. 5. Using a terminal device connected to the switch's console port, configure the switch for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 154
access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for mis-configurations or missing data that could affect the console access - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 155
and the primary/secondary access methods configured for each type of access. Syntax: show authentication This example shows the default authentication configuration. Configuration for login and enable access to the switch through the switch console port. Configuration for login and enable access to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 156
the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 157
login command to enable TACACS+ for a single login. The switch authenticates your username/password, then requests the privilege level (Operator or Manager) that was configured on the TACACS+ server for this username/password. The TACACS+ server returns the allowed privilege level to the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 158
by the TACACS+ server. Default: Single login disabled. < local | tacacs | radius > Selects the type of security access: local - Authenticates with the Manager and Operator password you configure in the switch. tacacs - Authenticates with a password and other data configured on a TACACS+ server - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 159
+ server. Specifies the primary method of authentication for the access method being configured. local: Use the username/password pair configured locally in the switch for the privilege level being configured tacacs: Use a TACACS+ server. Specifies the secondary (backup) type of authentication being - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 160
TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup Then scroll down to the section that begins with "Shell" (See Figure 4-5). Check the Shell box. Check the Privilege level box and set the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 161
Figure 4-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch's console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 162
authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the Operator password, and read-write access if you enter the Manager password. For example, if you configure authentication on the switch with Telnet Login - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 163
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login ( the Session After Failure of Two Consecutive Username/Password Pairs: ProCurve (config)# aaa authentication num-attempts 2 4-17 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 164
page 4-5, ProCurve recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 165
Out-of-Band Management" in the Management and Configuration Guide for more information on out-of-band management. [no] switch, then configuring either a global encryption key or a server-specific key in the switch for server "X" will block authentication support from server "X". Name Default - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 166
Configuring TACACS+ on the Switch Name Default the Management and Configuration Guide for more information on out-of-band management. For switches that have a fails, then the switch tries the third address, if any. (See figure 4-3, "Example of the Switch's TACACS+ Configuration Listing" on 4- - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 167
Configuring TACACS+ on the Switch Name Default Range Specifies the optional, global "encryption key" that is also assigned in the TACACS+ server(s) that the switch First-Choice TACACS+ Server Figure 4-6. Example of the Switch with Two TACACS+ Server Addresses Configured To move the "first-choice" - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 168
-choice" TACACS+ authentication device. Figure 4-7. Example of the Switch After Assigning a Different "First-Choice" Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key. Use an - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 169
Note TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 170
a response from the first-choice TACACS+ server, it attempts to query a secondary server. If the switch does not receive a response from any TACACS+ server, then it uses its own local username/password pairs to authenticate the logon request. (See "Local Authentication Process" on page 4-26.) • If - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 171
at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username and repeat steps 2 through 4. In the default configuration, the switch allows up to three attempts to authenticate - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 172
, the switch was unable to connect to any TACACS+ servers (or no servers were configured) AND username/password pair previously configured locally in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 173
intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server. At with the application. Encryption Options in the Switch When configured, the encryption key causes the switch to encrypt the TACACS+ packets it sends - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 174
Using TACACS+ Authentication For example, you would use the next command to configure a global encryption key in the switch to match a key Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch. ■ Configure the switch's - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 175
. Connecting to secondary Tacacs server The switch was not able to contact the first-choice TACACS+ server, and is now attempting to contact the next (secondary) TACACS+ server identified in the switch's tacacs-server configuration. Invalid password The system does not recognize the username or - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 176
+ servers are not accessible, setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons. ■ When using the copy command to transfer a configuration to a TFTP server, any optional, server-specific - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 177
Contents Overview 5-3 Authentication Services 5-3 Accounting Services 5-4 RADIUS-Administered CoS and Rate-Limiting 5-4 RADIUS-Administered Commands Authorization 5-4 SNMP Access to the Switch's Authentication Configuration MIB . . . 5-4 Terminology 5-5 Switch Operating Rules for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 178
Specific Attributes (VSAs 5-37 Example Configuration on Cisco Secure ACS for MS Windows 5-39 Example Configuration Using FreeRADIUS 5-41 VLAN Assignment the RADIUS Server 5-52 3. (Optional) Configure Session Blocking and Interim Updating Options 5-54 Viewing RADIUS Statistics 5-56 General - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 179
you track network resource usage. Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the ProCurve switch: ■ Serial port (Console) ■ Telnet ■ SSH ■ SFTP/SCP ■ Port-Access (802.1X) The switch also supports RADIUS accounting for Web - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 180
Access to the Switch's Authentication Configuration MIB The switch's default configuration allows SNMP access to the hpSwitchAuth MIB (Management Information Base). A management station running an SNMP networked device management application such as ProCurve Manager Plus (PCM+) or HP OpenView can - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 181
Service (QoS)" chapter in the Advanced Traffic Management Guide for your switch.) EAP (Extensible Authentication Protocol): A general PPP authentication protocol that supports a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): a protocol - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 182
again to enter a username and password. In this case, use the local username (if any) and password configured on the switch itself. ■ Zero-length usernames or passwords are not allowed for RADIUS authentication, even though allowed by some RADIUS servers. ■ TACACS+ is not supported for the web - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 183
server. Figure 5-1. Example of Possible RADIUS Access Assignments • Determine the IP address(es) of the RADIUS server(s) you want to support the switch. (You can configure the switch for up to three RADIUS servers.) • If you need to replace the default UDP destination port (1812) the switch uses for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 184
can be set by a Service Type value the RADIUS server includes in its authentication message to the switch. (Refer to "2. Enable the (Optional) Access Privilege Option" on page 5-13.) • Configure RADIUS on the server(s) used to support authentication on the switch. Configuring the Switch for RADIUS - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 185
have already configured the RADIUS server(s) to support the switch. Refer to Default: null) 4. Configure the global RADIUS parameters. • Server Key: This key must match the encryption key used on the RADIUS servers the switch contacts for authentication and accounting services unless you configure - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 186
the correct username and password. (Default: Three times per session.) (For RADIUS accounting features, refer to "Configuring RADIUS Accounting" on page 5-47.) 1. Configure Authentication for the Access Methods You Want RADIUS To Protect This section describes how to configure the switch for RADIUS - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 187
-radius>> Configures RADIUS as the primary password authentication method for console, Telnet, SSH, and/or the web browser interface. (The default primary < switch. Use peap-mschapv2 when you want password verification without requiring access to a plain text password; it is more secure. Default - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 188
access to the network even if the RADIUS server is unreachable. Figure 5-2. Example of AAA Authentication Using Authorized for the Secondary Authentication Method Suppose you already configured local passwords on the switch, but want RADIUS to protect primary Telnet and SSH access without allowing - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 189
this guide. Figure 5-3. Example Configuration for RADIUS Authentication The switch now allows Telnet and SSH authentication only through RADIUS. Note If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients connected to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 190
Login (Operator) access and once for Enable access. In the default RADIUS authentication operation, the switch's web browser interface requires only one successful authentication request. For more information on configuring the Service Type in your RADIUS application, refer to the documentation - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 191
Configuring the Switch for RADIUS Authentication If you want to configure RADIUS accounting on the switch, go to page 5-47: "Configuring host command, the switch automatically assigns the default authentication port number. The auth-port number must match its server counterpart. (Default: 1812) [ - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 192
, see "Saving Security Credentials in a Config File" on page 2-10 in this guide. no radius-server host < ip-address > key Use the no form of the command to remove the key for a specified server. For example, suppose you have configured the switch as shown in figure 5-4 and you now need to make the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 193
to "source0127" (step 1, above). Adds the new RADIUS server with its required "source0119" key. Lists the switch's new RADIUS server configuration. Compare this with Figure 5-5. Sample Configuration for RADIUS Server After Changing the Key and Adding Another Server To change the order in which the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 194
Configuring the Switch for RADIUS Authentication ■ Number of login attempts: In a given session, specifies how many tries for entering the correct username and password are allowed before shutting down the session due to input errors. (Default: 3; Range: 1 - - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 195
key. In this case your plan is to configure the switch with the following global authentication parameters: ■ Allow only two tries to correctly enter username and password. ■ Use the global encryption key to support the two servers that use the same key. (For this example, assume that you did not - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 196
a response. Figure 5-6. Example of Global Configuration Exercise for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. After two attempts failing due to username or password entry errors, the switch will terminate the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 197
on the switch can use up to fifteen RADIUS servers. This option allows the RADIUS servers to be put into groups. Up to 5 groups of 3 RADIUS servers each can be configured. The authentication and accounting features can choose which RADIUS server group to communicate with. End-user authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 198
| local | none | authorized]>> Configures the primary password authentication method for console, Telnet, SSH, and/or the WebAgent. : Primary authentication method. Default: local : Use either the local switch user/password database or a RADIUS server for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 199
web-based or MAC-based port access to the switch. Use peap-mschapv2 when you want password verification without requiring access to a plain text password; it is more secure. Default: chap-radius port-access : Configures local, chap-radius (MD5), or eap-radius as - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 200
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Displaying the RADIUS Server Group Information The show server- grp3_key No 192.173.60.7 1812 1813 No 300 grp3_key No Figure 5-9. Example of Output from show server-group radius Command 5-24 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 201
, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ProCurve(config SSH | Local None Figure 5-10. Example of Output from show authentication Command Server Information Interval(min) : 0 Suppress Empty User : No Sessions Identification : Unique Server - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 202
reauthentication is supported for 802.1X, Web authentication, and MAC authentication. For more information about Web/MAC authentication, see "Web and MAC Authentication" in the Access Security Guide for your switch. For more information on 802.1X, see "Configuring Port-Based and User-Based Access - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 203
RADIUS server is unavailable. Users already authenticated retain their currently Default: No limit is set. ProCurve(config)# aaa port-access web-based 6-8 cached-reauth-period 86400 The cached-reauth-period is set to 86400 seconds (1440 minutes, or 24 hours). Figure 5-12. Example of Configuring - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 204
default values. The period of time represented by X is how long 802.1X or Web MAC authentication will wait for a RADIUS response. For example of 180 + X seconds. 7. The cached reauthentication period (900 seconds) ends. 8. The next reauthentication begins 180 seconds after the last cached reau - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 205
Note RADIUS Authentication, Authorization, and Accounting Cached Reauthentication 4. The time between step 8 and step 9 is X seconds. 5. The total time is 180 + X + 900 + 180 + X, which equals 900 + 2(180 + X) seconds. The period of 1 to 30 seconds, represented by X, is not a firm time period; the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 206
sets can be used to configure username, password, and key MIB objects. To help prevent unauthorized access to the switch's authentication MIB, ProCurve access to the security MIB open (the default setting), ProCurve recommends that you configure the switch with the SNMP version 3 management and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 207
to the switch's authentication configuration (hpSwitchAuth) MIB. (Default: included ) Syntax: show snmp-server The output for this command has been enhanced to display the current access status of the switch's authentication configuration MIB in the Excluded MIBs field. For example, to disable - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 208
mib hpSwitchAuthMIB excluded ip default-gateway 10.10.24.55 snmp-server community "public" Operator vlan 1 name "DEFAULT_VLAN" untagged A1-A24,B1-B4 ip address 10.10.24.100 255.255.255.0 exit password manager Indicates that SNMP access to the authentication configuration MIB (hpSwitchAuth) is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 209
basis of which username/password pair was used. For example, suppose you configure Telnet primary username/password pair previously configured in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 210
: ■ Configure the switch to support RADIUS authentication for web browser interface access. ■ Options for the switches covered in this guide: • Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch. • Configure the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 211
management interface is not supported. By default, all users may execute a minimal set of commands regardless of their authorization status, for example, "exit" and "logout". This minimal set of commands can prevent deadlock on the switch due to an error in the user's authorization profile on the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 212
NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes: the command list and the command exception flag. When an authenticated user enters a command on the switch, the switch examines the list of commands delivered - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 213
: Syntax: show authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed. An example of the output is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 214
commands available on the switch. An authenticated user can only execute a minimal set of commands (those that are available by default to any user). You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 215
that can be configured in the application. The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. 1. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below. ;[User Defined Vendor] ; ; The - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 216
for addition at UDV slot [0] Stopping any running services Creating backup of current config Adding Vendor [HP} added as [RADIUS (HP)] Done Checking new configuration... New configuration OK Re-starting stopped services 4. Start the registry editor (regedit) and browse to HKEY_LOCAL_MACHINE\software - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 217
example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration Update/Watchdog Packets from this AAA Client. 7. Click Submit + Restart. You should be able to see the HP- - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 218
Find the location of the dictionary files used by FreeRADIUS (try /usr/local/share/freeradius). 3. Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $INCLUDE dictionary.hp 4. You can now use HP VSAs with other attributes when configuring user entries. 5-42 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 219
switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured configured on the switch for use in the authentication session. (For information on how to configure a user connection for the new client will fail. 5-43 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 220
or VLAN ID (VID) number. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either "100" or "vlan100" to specify the VLAN. After the RADIUS server validates a client's username and password, the RADIUS server returns an - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 221
assists the RADIUS server in its network configuration. ■ HP-capability-advert: A ProCurve proprietary RADIUS attribute that allows a switch to advertise its current capabilities to the RADIUS server for port-based (MAC, Web, or 802.1X) authentication; for example, HP VSAs for port QoS, ingress rate - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 222
IP Addr Reqs ACKs NAKs Reqs ACKs NAKs 154.34.23.106 1 1 0 2 2 0 154.45.234.12 2 1 1 3 3 0 Figure 5-16. Example of Output for Dynamic Authorization Configuration Switch(config)# show radius host 154.23.45.111 dyn-authorization Status and Counters - RADIUS Dynamic Authorization - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 223
specified events occur on the switch, such as a logoff or a reboot. The switches covered in this guide support four types of accounting services: ■ Network accounting: Provides records containing the information listed below on clients directly connected to the switch and operating under Port-Based - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 224
-Station-Id • MS-RAS-Vendor • NAS-Identifier • NAS-IP-Address • Service-Type • Username ■ System accounting: Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disabling of system accounting. • Acct - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 225
, and Accounting Configuring RADIUS Accounting minute, it sends the accounting request packet to the RADIUS server without the Framed-IP-Address attribute. If the IP address is learned at a later time, it will be included in the next accounting request packet sent. The switch forwards the accounting - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 226
switch assigns the default UDP port (1812; recommended). - Optional-if you are also configuring the switch for user with no username access to the switch 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 227
do not use this option, the switch automatically assigns the default accounting port number. (Default: 1813) [key < key-string Use this command only if the specified server requires a different encryption key than configured for the global encryption key. Note: When you save the config file using - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 228
in the command, the authentication UDP port is set to the default 1812. Figure 5-18. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 5-18, above, configures the switch to use a RADIUS server at IP address 10.33.18 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 229
.1X port-based-access users connected to the physical ports on the switch to access the network. (See also "Accounting Services" on page 4.) ■ session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type ( - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 230
accounting for an unknown user having no username. Syntax: [no] aaa accounting update periodic < 1 - 525600> Sets the accounting update period for all accounting sessions on the switch. (The no form disables the update function and resets the value to zero.) (Default: zero; disabled). Syntax - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 231
Accounting Configuring RADIUS Accounting To continue the example in figure 5-19, suppose that you wanted the switch to: ■ Send updates every 10 minutes on in-progress accounting sessions. ■ Block accounting for unknown users (no username). Update Period Suppress Unknown User Figure 5-20. Example of - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 232
for a specific RADIUS host. To use show radius, the server's IP address must be configured in the switch, which requires prior use of the radius-server host command. (See "Configuring RADIUS Accounting" on page 5-47.) Figure 5-21. Example of General RADIUS Information from Show Radius Command 5-56 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 233
of RADIUS Accounting-Request packets retransmitted to this RADIUS accounting server. Retransmissions include retries where the Identifier and Acct-Delay have been updated, as well as those in which they remain the same. The number of accounting timeouts to this server. After a timeout the client - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 234
this server. (Requires prior use of the radius-server host command to configure a RADIUS server IP address in the switch. See "Configuring RADIUS Accounting" on page 5-47.) Figure 5-23. Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 235
Authorization, and Accounting Viewing RADIUS Statistics Figure 5-24. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 236
Example of RADIUS Accounting Information for a Specific Server Figure 5-27. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch server addresses in the list. For example, if you initially configure three server addresses, they are listed - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 237
. 2. Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. 3. Re-enter 10.10.10.003. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list. 4. Re-enter 10.10.10.001. Because the only - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 238
"003" address in the first position in the RADIUS server list, and inserts the "001" address in the last position in the list. Figure 5-29. Example of New RADIUS Server Search Order Shows the new order in which the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 239
for and attempting RADIUS authentication; however, it is not receiving a response from a RADIUS server. Ensure that the switch is configured to access at least one RADIUS server. (Use show radius.) If you also see the message Can't reach RADIUS server < x.x.x.x >, try the suggestions listed - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 240
RADIUS Authentication, Authorization, and Accounting Messages Related to RADIUS Operation 5-64 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 241
6 Configuring RADIUS Server Support for Switch Services Contents Overview 6-3 RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting 6-4 Applied Rates for RADIUS-Assigned Rate Limits 6-5 Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 242
RADIUS Server Support for Switch Services Contents Configuring the Switch To Support RADIUS-Assigned ACLs 6-24 Displaying the Current RADIUS-Assigned ACL Activity on the Switch 6-26 ICMP Type Numbers and Keywords 6-28 Event Log Messages 6-29 Causes of Client Deauthentication Immediately - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 243
Support for Switch Services Overview Overview This chapter provides information that applies to setting up a RADIUS server to configure the following switch features on ports supporting configuration and management, monitoring network traffic, and alerts and troubleshooting and IDM manuals, visit the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 244
RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting This section provides general guidelines for configuring a RADIUS server to dynamically - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 245
Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Service Control Method and Operating Notes: Rate-Limiting on Vendor-Specific Attribute configured in the RADIUS server. inbound traffic ProCurve (HP 100 Mbps For example, some of the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 246
RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Table 6-2. Examples of Assigned and Applied Rate Limits RADIUS-Assigned Bandwidth (Kbps) 5,250 50,250 51,000 525,000 530,000 1,250,000 1,300,000 Applied Increments - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 247
Support for Switch Services RADIUS Server Configuration switch resets these fields to the values to which they are configured in the switch RADIUS-imposed overrides of the switch's per-port Rate-Limiting configuration. show qos port-priority there is no default rate-limit configured for the port. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 248
RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and imposed CoS priority for the port is 5, which overrides the configured DSCP setting. See also the following Note. Figure 6-2. Example of Displaying Inbound CoS (802.1p) Priority Imposed by - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 249
Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring and Using RADIUS-Assigned Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter traffic entering the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 250
RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists • RADIUS-assigned ACL: dynamic ACL assigned to a port by a RADIUS server to filter inbound traffic from an authenticated client on that port An ACL can be configured on an interface as a static - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 251
Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Permit: An ACE configured with this action allows the switch authenticated by the server for that port. Static Port ACL: An ACL statically configured on a specific port, group of ports, or trunk. A static port ACL - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 252
, or MAC authentication services available on the switch to provide client authentication services ■ configuring the ACLs on the RADIUS server (instead of the switch), and assigning each ACL to the username/password pair or MAC address of the clients you want the ACLs to support Using RADIUS to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 253
RADIUS-assigned ACL: identified and invoked by the credentials (username/password pair or the MAC address) of the specific client the ACL is intended to service. Supports dynamic assignment to filter only the IP traffic ... Static ACL: identified by a number in the range of 1-199 or an alphanumeric name. Supports static assignments to filter switched or routed - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 254
is enabled by default on the switch and can be used Switch Port A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is designed to service. Where the username/password - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 255
Page 255: Configuring RADIUS Server Support for Switch Services: Configuring and Using RADIUS-Assigned Access Control Lists. the same username/password ACL.) When the client session ends, the switch removes the RADIUS-assigned ACL only apply to the authenticated client; the default ip deny any any applies to all
Page 256: 3. Configure the ACLs on a RADIUS server accessible to the intended clients. 4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme
Page 257: topic, refer to "Configuring an ACL in a RADIUS Server" on page 6-17. ■ Multiple Clients Using the Same Username/Password Pair: Multiple clients using the same username/password pair will use duplicate instances of the same ACL. ■ Limits for ACEs in RADIUS-assigned ACLs: The switch supports up to 80
Page 258: example: Nas-filter-Rule="permit in tcp from any to any" (table column: ACLs Applied to Client Traffic Inbound to the Switch) HP-Nas-Filter-Rule (Vendor-Specific Attribute): 61: This attribute is maintained for legacy purposes to support ACEs in RADIUS-assigned ACLs. However, for new or updated configurations HP
Page 259: Nas-filter-Rule = : Standard attribute for filtering inbound IPv4 traffic from an authenticated client. Refer also to table 6-4, "Nas-Filter-Rule Attribute Options" on page 6-18. HP Rule). For example: Nas-
Page 260: < ipv4-addr >: This example illustrates configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS using the standard attribute for two different client identification methods (username/password and
Page 261: ACL, you would enter the username/password and ACE information shown in figure 6-4 into the FreeRADIUS "users" file. Example of Configuring a RADIUS-assigned ACL Using the FreeRADIUS Application. This example illustrates one method for configuring RADIUS-assigned ACL support for two different client
Page 262: server supporting the switch must be identical. Refer to the chapter titled "RADIUS Authentication and Accounting" in the Access Security Guide for your switch. Figure 6-5. Example of Configuring the Switch's Identity Information in a FreeRADIUS Server. 3. For a given client username/password pair
Page 263: Note: For syntax details on RADIUS-assigned ACLs, refer to the next section, "Format Details for ACEs Configured in a RADIUS-Assigned ACL". Client's Username (802.1X or Web Authentication) Client's Password
Page 264: any only applies to an authenticated user. It pre-empts the implicit deny in ip from any to any ACE and permits packets not explicitly permitted or denied by earlier ACEs in the list. Configuring the Switch To Support RADIUS-Assigned ACLs. An ACL configured in a RADIUS server is identified by the
Page 265: Note: switch, and activates this feature on the specified ports. For more on 802.1X configuration and operation, refer to chapter 12, "Configuring Port-Based and User-Based Access Control (802.1X)" in this guide
Page 266: ACEs for inbound TCP and UDP traffic, with no counters configured. Note that the implicit "deny any/any" included automatically at the end of every ACL is not visible in ACL listings generated by the switch. Figure 6-7. Example Showing a RADIUS-assigned ACL Application to a Currently Active Client
Page 267: on the indicated port. (For more on traffic prioritization for the switches covered in this guide, refer to the chapter titled "Quality of Service (QoS): Managing Bandwidth More Effectively" in the Advanced Traffic Configuration Guide.) 0 - 7: Indicates that the displayed 802.1p priority has been
Page 268: Figure 6-8. Example of Output Showing Current RADIUS-Applied Features. ICMP Type Numbers and Keywords: Below are the possible optional
Page 269: Event Log Message: Deauthenticating client < mac-address > port < port-# >. Meaning: Notifies of a problem with the permit/deny keyword in the indicated ACE included in the access list for the
Page 270: Message: Invalid Access-list entry length, client < mac-address > port < port-# >. Memory allocation failure for IDM ACL. Meaning: Notifies that the string configured for an ACE entry on the
Page 271: Operating Rules and Notes 7-8 Configuring the Switch for SSH Operation 7-9 1. Assigning a Local Login (Operator) and Enable (Manager) Password 7-10 2. Generating the Switch's Public and Private Key Pair 7-10 Configuring Key Lengths 7-13 3. Providing the Switch's Public Key to Clients
Page 272: Configuring Secure Shell (SSH): Overview. Feature (Default): Generating a public/private key pair on the switch (No; Menu: n/a; CLI: page 7-10); Using the switch's public key (n/a); Enabling SSH (Disabled); Enabling client public-key authentication (Disabled); Enabling user authentication (Disabled)
Page 273: on OpenSSH, visit www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client's key
Page 274: Secure Shell (SSH) Terminology. ■ Enable Level: Manager privileges on the switch. ■ Login Level: Operator privileges on the switch. ■ Local password or username: A Manager-level or Operator-level password configured in the switch. ■ SSH Enabled: (1) A public/private key pair has been generated on
Page 275: must have the capability to export public keys. The switch can accept keys in the PEM-Encoded ASCII Format or in the Non-Encoded ASCII format. Figure 7-3. Example of Public Key in PEM-Encoded ASCII Format (callouts: "Comment describing public", "Beginning of actual SSHv2 public key in PEM-Encoded"). Common for
Page 276: switch uses client public-key authentication instead of the switch password options for primary authentication. The general steps for configuring ASCII file on a TFTP server accessible to the switch and download the client public key file to the switch. (The client public key file can hold up to
Page 277: a login (Operator) and enable (Manager) password on the switch (page 7-10). 2. Generate a public/private key pair on the switch (page 7-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this
Page 278: In some situations this can temporarily allow security breaches. ■ The switch does not support outbound SSH sessions. Thus, if you Telnet from an SSH-secure switch to another SSH-secure switch, the session is not secure. ■ With SSH running, the switch allows one console session and up to five other
Page 279: Configuring Secure Shell (SSH): Configuring the Switch for SSH Operation. rsa [bits ]] ip ssh cipher filetransfer ip-version mac port < 1 - 65535|default > timeout < 5 - 120 > listen aaa authentication ssh login < local | tacacs
Page 280: access could modify the switch's configuration. To Configure Local Passwords. You can configure both the Operator and Manager password with one command. Syntax: password < manager | operator | all > Figure 7-4. Example of Configuring Local Passwords. 2. Generating the Switch's Public and Private Key
Page 281: Install RSA key for autorun. See "Configuring Autorun on the Switch" in Appendix A of the Management and Configuration Guide for more information. cert: Install RSA key for https certificate. See "Configuring the Switch for SSL Operation" on page 8-7 in this guide for more information. ssh [dsa | rsa
Page 282: , to generate and display a new key: Host Public Key for the Switch (Version 1 and Version 2 views of the same host public key). Figure 7-5. Example of Generating a Public/Private Host Key Pair for the Switch. The 'show crypto host-public-key' command displays it in two different formats because your client
Page 283: with the ip ssh command before the switch can resume SSH operation. Configuring Key Lengths. The crypto key generate ssh switch to learn your access passwords. The most secure way to acquire the switch's public key for distribution to clients is to use a direct, serial connection between the switch
Page 284: (The generated public key on the switch is always 896 bits.) With a direct serial connection from a management station to the switch: 1. Use a terminal application such as HyperTerminal to display the switch corrupt the key.) For example, if you are using
Page 285: the other corresponding to the hash you will see if connecting with a v2 client. These hashes do not correspond to different keys, but differ only because of the way v1 and v2 clients compute the hash of the same RSA key. The switch always uses the ASCII version (without babble or fingerprint conversion
Page 286: to download the switch's public key into the client. See the following Note.) When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords
Page 287: To disable SSH on the switch, do either of the following: ■ Execute no ip ssh. ■ Zeroize the switch's existing key pair (page 7-11). Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher ] Specify a cipher type to use for connection
Page 288: port and on the data ports. This is the default value. Refer to Appendix G, "Network Out-of-Band Management" in the Management and Configuration Guide for more information on out-of-band management. The listen parameter is not available on switches that do not have a separate out-of-band
Page 289: ProCurve recommends using the default TCP port number (22). However, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes. Examples use of passwords local to the switch, if
Page 290: assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch's configuration. Also, if you configure only an Operator password, entering the Operator password through telnet, web, ssh or
Page 291: enable command. Syntax: copy tftp pub-key-file < ip-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none). 7-21
Page 292: successful SSH clients you want to use TACACS+ for primary password authentication and local for secondary password authentication, with a Manager username of "leader" and a password of "m0ns00n". To set up this operation you would configure the switch in a manner similar to the following: 7-22
Page 293: Configures Manager username and password. ProCurve(config)# password manager user-name leader New password for Manager: ******** Please retype new password for Manager: ******** ProCurve(config)# aaa authentication ssh login public
Page 294: switch. If you have problems, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Management and Configuration Guide for your switch. Operator) access via local password, then the switch will refuse other SSH clients. SSH clients that support client public-key authentication
Page 295: -key file. (As a prerequisite, you must use the switch's copy tftp command to download this file to flash.) 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is
Page 296: public-keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application. Figure 7-13. Example of a Client Public Key (callouts: Exponent, Modulus, Comment). Notes: Comments in public key files, such as [email protected] in figure
Page 297: Configuring Secure Shell (SSH): Further Information on SSH Client Public-Key Authentication. 2. Copy the client's public key into a text file (filename.txt). (For example manually add or edit any comments the client application adds to the end of the key, such as the [email protected] at the end
Page 298: on switches that do not have a separate out-of-band management port. Refer to Appendix G, "Network Out-of-Band Management" in the Management and Configuration Guide for more to select operator public keys. Note: copy usb pub-key-file can also be used as a method for copying a public key file to
Page 299: Figure 7-14. Example of Copying and Displaying a Client Public-Key File Containing Two Different Client Public Keys for the Same Client. Replacing or Clearing the Public Key File. The client public-key file remains in the switch's flash memory even if you erase the startup-config file, reset the switch, or
Page 300: in the filename used in the command • Incorrect configuration on the TFTP server • The file is not in the expected location • Network misconfiguration • No cable connection to the network. File transfer did not occur: Indicates the switch experienced a problem when trying to copy tftp the requested
Page 301: Configuring Secure Shell (SSH): Messages Related to SSH Operation. Message: Client public key file corrupt or not found. Use 'copy tftp pub-key-file ' to download new file. Meaning: The client key does not exist in the switch. Use copy
Page 302: Debug Logging. To add ssh messages to the debug log output, enter this command: ProCurve# debug ssh
Page 303: 8-5 General Operating Rules and Notes 8-6 Configuring the Switch for SSL Operation 8-7 1. Assigning a Local Login (Operator) and Enable (Manager) Password 8-7 2. Generating the Switch's Server Host Certificate 8-8 To Generate or Erase the Switch's Server Certificate with the CLI
Page 304: web access, SSL provides encrypted, authenticated transactions. The authentication type includes server certificate authentication with user password authentication. Note: SSL in the switches covered in this guide is based on the OpenSSL software toolkit. For more information on OpenSSL, visit www
Page 305: Terminology. Figure 8-1. Switch/User Authentication (callouts: ProCurve Switch (SSL Server); 1. Switch-to-Client SSL Cert.; 2. User-to-Switch (login password and enable password authentication) options: Local, TACACS+, RADIUS; SSL Client Browser). SSL on the switches covered in this guide supports these data
Page 306: certificates are pre-installed). ■ Manager Level: Manager privileges on the switch. ■ Operator Level: Operator privileges on the switch. ■ Local password or username: A Manager-level or Operator-level password configured in the switch. ■ SSL Enabled: (1) A certificate key pair has been generated on
Page 307: the switch. Steps for Configuring and Using SSL for Switch and Client Authentication. The general steps for configuring SSL support SSL and TLS functionality. See browser documentation for additional details. B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch
Page 308: Configuring Secure Socket Layer (SSL): General Operating Rules and Notes. ■ Once you generate a certificate on the switch you should avoid regenerating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch's certificate on
Page 309: the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface, refer to the chapter titled "Using the ProCurve Web Browser Interface" in the Management and Configuration Guide for your switch. 8-7
Page 310: Configuring the Switch for SSL Operation. Figure 8-2. Example of Configuring Local Passwords (callouts: Password Button, Security Tab). 1. Proceed to the security tab and select the device passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords. You
Page 311: to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server
Page 312: CLI: i. Generate a certificate key pair. This is done with the crypto key generate cert command. The default key size is 512. Note: If a certificate key pair is already present in the switch, it is not necessary to generate a new key pair when generating a new certificate. The existing key pair
Page 313: the sub-entity (e.g. department) where the switch is in service. This is the name of the city where the switch is in service. This is the name of the state or province where the switch is in service. This is the ISO two-letter country code where the switch is in service. For example, to generate a key and a new
Page 314: CLI Command to view host certificates. Syntax: show crypto host-cert Displays the switch's host certificate. To view the current host certificate from the CLI you use the show crypto host-cert command. For example, to display the new
Page 315: To generate a self-signed host current from the list. v. Fill in the remaining certificate arguments (refer to "To Generate or Erase the Switch's Server Certificate with the CLI" on page 8-9). vi. Click on the [Apply Changes] button to
Page 316: For example, to generate a new host certificate via the web browser interface (callouts: Security Tab, Create Certificate Button, Certificate Type Box, Key Size Selection, SSL button, Certificate
Page 317: Figure 8-6. Web Browser Interface Showing Current SSL Host Certificate (callout: Current SSL Host Certificate). to the chapter titled "Using the ProCurve Web Browser Interface" in the Management and Configuration Guide for your switch. 8-15
Page 318: generate a certificate response (the usable server host certificate). The third phase is the download phase, consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL. To generate a certificate request from the web
Page 319: (callouts: Certificate Request; Certificate Request for Verified Host Certificate Web Browser Interface Screen). 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior. The web-management ssl command enables SSL
Page 320: , refer to "2. Generating the Switch's Server Host Certificate" on page 8-8. When configured for SSL, the switch uses its host certificate to authenticate switch, and learn the usernames and passwords controlling access to the switch. Use caution when connecting for the first time to a switch using
Page 321: Using the CLI Interface to Enable SSL. Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See "Note on Port
Page 322: Figure 8-8. Using the web browser interface to enable SSL and select the TCP port number (callout: Enable SSL and port number selection). Note on Port Number: ProCurve recommends using the default TCP port number (443). However, you can use
Page 323: to "Note on Port Number" on page 8-20.) You may not have SSL enabled. (Refer to "3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior" on page 8-17.) Your browser may not support SSLv3 or TLSv1, or it may be disabled. (Refer to the documentation provided for your browser.) 8-21
Page 324: Configuring Secure Socket Layer (SSL): Common Errors in SSL Setup. 8-22
Switch Resource Usage 9-17 Prioritizing and Monitoring ACL and QoS, Feature Usage . . . . . 9-17 ACL Resource Usage and Monitoring 9-17 Rule Usage 9-18 Managing ACL Resource Consumption 9-19 Oversubscribing Available Resources 9-19 Troubleshooting a Shortage of Resources 9-19 Example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 326
and Assigning a Numbered, Standard ACL 9-40 Configuring and Assigning a Numbered, Extended ACL 9-45 Configuring a Named ACL 9-51 Enabling or Disabling ACL Filtering on an Interface 9-53 Deleting an ACL from the Switch 9-54 Displaying ACL Data 9-55 Display an ACL Summary 9-55 Display - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 327
Creating an ACL Offline 9-65 Enable ACL "Deny" Logging 9-68 Requirements for Using ACL Logging 9-68 ACL Logging Operation 9-69 Enabling ACL Logging on the Switch 9-69 Operating Notes for ACL Logging 9-71 General ACL Operating Notes 9-72 9-3 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 328
(IDM) application available for use with PCM. However, the features described in this chapter can be used without PCM or IDM support, if desired. For information on configuring client authentication on the switch, refer to chapter 5, "RADIUS Authentication, Authorization, and Accounting". 9-4 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 329
monitoring network traffic, and alerts and trouble shooting information for ProCurve networks. Management on the Product manuals page of the Technical Support area.) General Application Options enter the switch on specific physical ports or trunks. This chapter describes how to configure, apply, - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 330
[eq < src-port tcp/udp-id >] < any | host | dest-ip-address/mask > 1 [eq < dest-port tcp/udp-id >] [ log ]2 Configuring Standard (Named) ACLs ProCurve(config)# [no] ip access-list standard < name-str | 1-99 > 9-51 ProCurve(config-std-nacl)# < deny | permit > < any | host - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 331
Lists (ACLs) Terminology Action Deleting an ACL from the Switch Displaying ACL Data Command ProCurve(config)# no ip access-list set) consisting of one or more explicitly configured Access Control Entries (ACEs) and terminating with an implicit "deny" default which drops any packets that do not - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 332
exact match require ment for IP addresses, and ones specify a wildcard. In this example, a matching IP address would be any address in the range 10.10.10.1-255. a match within an applicable ACL. As an option, you can configure the switch to generate a logging output to a Syslog server and a console - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 333
criteria: - The packet's DA is for an external device. - The packet's DA is for an IP address configured on the switch itself. (This increases your options for protecting the switch from unauthorized management access.) Because ACLs are assigned to physical ports or port trunks, an ACL that filters - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 334
On another device. (ACLs are not supported on dynamic LACP trunks.) ■ On the switch itself. In figure 9-1, below, this switch. (IP routing need not be enabled.) The switch can apply ACL filtering to traffic entering the switch on ports and/ or trunks configured to apply ACL filters. For example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 335
The logging occurs when there is a match on a "deny" ACE. (The switch sends ACL logging output to Syslog and, optionally, to a console session.) ■ Standard and Extended ACL features cannot be combined in one ACL. You can configure ACLs using either the CLI or a text editor. The text-editor method is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 336
ACL controls. For example, you can improve configured on the switch. 7. Test for desired results. For more details on ACL planning considerations, refer to "Planning an ACL Application" on page 9-17. Caution Regarding the Use of Source Routing Source routing is enabled by default on the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 337
inbound ACL to each port and static trunk configured on the switch. The complete range of options includes: ■ No ACL assigned. (In this case, all traffic entering the switch on the interface does so without any ACL filtering, which is the default.) ■ One ACL assigned to filter the inbound traffic - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 338
9-2. Example of Sequential Comparison 0.0.0.0 is an explicit host mask. 0.0.0.15 and 0.0.0.255 allow multiple hosts. That is, the switch tries the first ACE in the list. If there is not a match, it tries the second ACE, and so on. When a match is found, the switch invokes the configured action - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 339
there a match? Yes Perform action (permit or deny). End No Deny the packet End (invoke implicit deny any). Figure 9-3. The Packet-Filtering Process in an ACL with N Entries (ACEs) For example, suppose you want to configure an ACL on the switch (with an ID of "100") to invoke these policies - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 340
port 12. The following ACL model, when assigned to inbound filtering on port 12, supports the above case: 1 2 3 4 5 1. Permits IP traffic inbound from source any" at the end of an ACL, but this solution does not apply in the preceding example, where the intention is for the switch to allow only - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 341
switch resources available to support ACL operation, define the policies you want your ACLs to enforce, and understand how your ACLs will impact your network users. Switch Resource Usage ACLs load resources in ways that require more careful attention to resource usage when planning a configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 342
TCP or UDP specified. One rule is for normal packets and one is for fragmented packets. Table 9-2 on page 9-18 summarizes switch use of resources to support ACES. Table 9-2. ACL Rule and Mask Resource Usage ACE Type Standard ACLs Implicit deny any (automatically included in any standard ACL, but - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 343
Log (and in a Syslog server, if configured on the switch): ACL: unable to apply ACL < acl-# > to port < port-# >, failed to add entry < # > (Note that < port-# > is the first port in the assignment command that was unable to support the ACL.) Troubleshooting a Shortage of Resources Do the following - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 344
other devices. Another alternative is to inspect the switch's existing configuration for inefficient applications that could be removed or revised you to determine the resource usage of ACL policies. Example of ACL Resource Usage This example illustrates how to check for current rule availability, - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 345
inbound VLAN 2 traffic on ports 1 - 4 from hosts 10.10.10.31-255 ■ Permit inbound VLAN 3 traffic on all ports. Because all ports in the example have the same inbound traffic requirements for ACL filtering, the system administrator needs to create only one ACL for application to all four ports. ■ All - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 346
ACL has at least two ACEs; the first ACE that you configure, and the implicit deny any ACE that follows all other configured ACEs in the ACL.. SEQ Entry 10 Action: permit IP : 0.0.0.31 ProCurve(config)# interface 1-4 ip access-group 1 in Figure 9-6. Example of Configuring an ACL 9-22 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 347
subnets, and to block user access to subnets, devices, and services. Answering the following questions in an ACL and make more economical use of switch resources. ■ What traffic should you permit? In or permit ip any any (extended ACL) entry at the end of an ACL. This means that all IP traffic not - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 348
high usage of the resources the switch uses to support ACLs. In these cases it is switch implicitly denies packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch traffic that you want dropped. For example, an ACE allowing a small group of - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 349
ACLs) Traffic Management and Improved Network Performance ACL Configuration and Operating Rules ■ Per-Interface ACL Limits. and will not encounter the "deny ip any" ACE the switch automatically includes at the end of the ACL. For an example, refer to figure 9-4 on page 9-16. ■ Explicitly Permitting - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 350
any statically configured trunk on the switch. ACLs do not operate with dynamic (LACP) trunks. ■ ACLs Screen Only the Traffic Entering the Switch on a : • Removing a port from an ACL-assigned trunk returns the port to its default settings. • To add a port to a trunk when an ACL is already assigned - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 351
defines which part of the IP address to use for the network number and which part to use for the hosts on the network. For example: IP Address Mask Network Address Host Address 18.38.252.195 255.255.255.0 first three octets The fourth octet. 18.38.252.195 255 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 352
and an Access Control Entry (ACE) ■ For a given ACE, when the switch compares an IP address and corresponding mask in the ACE to an IP address packet's IP address can be either 1 or 0 ("on" or "off"). For an example, refer to "Example of How the Mask Bit Settings Define a Match" on page 9-30. ■ In - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 353
a wildcard, which covers any IP address. • One IP address fits the matching criteria. In this case, you provide the IP address and the switch provides the mask. For example: access-list 1 permit host 18.28.100.15 produces this policy in an ACL listing: IP Address 18.28.100.15 Mask 0.0.0.0 This - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 354
of an IP address. An actual ACE applies this method to all four octets of an IP address. Example of Allowing Only One IP Address ("Host" Option). Suppose, for example, that you have configured the ACL in figure 9-7 to filter inbound packets on port 20. Because the mask is all zeros, the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 355
an IP packet's source address is identical to the source address configured in the ACE. Inbound Packet "A" On Port 20 - Destination Address: Examples Allowing Multiple IP Addresses. Table 9-4 provides examples of how to apply masks to meet various filtering requirements. Table 9-4. Example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 356
addresses, there is one IP-address/ACL-mask pair for the source address, and another IP-address/ACL-mask pair for the destination address. See "Configuring and Assigning an ACL" on page 9-33.) CIDR Notation. For information on using CIDR notation to specify ACL masks, refer to "Using CIDR Notation - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 357
ACL. This creates and stores the ACL in the switch configuration. 2. Assign an ACL. This applies the ACL to the inbound traffic on one or more designated interfaces. Caution Regarding the Use of Source Routing Source routing is enabled by default on the switch and can be used to override ACLs. For - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 358
denies any packets that do not have a match with the ACEs explicitly configured in the ACL. The implicit deny any does not appear in ACL configuration listings, but always functions when the switch uses an ACL to filter packets. (You cannot delete the implicit "deny any", but you can supersede - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 359
with List Type and ID String (Name or Number) Optional Logging Command End-of-List Marker Source IP Address Mask Figure 9-9. Example of a Displayed Standard ACL Configuration with Two ACEs Extended ACL Configuration Structure Individual ACEs in an extended ACL include: ■ A permit/deny "type - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 360
addresses. Denies TCP Port 80 traffic to any destination from any source. End-of-List Marker ACE Action (permit or deny) Source IP Addresses and from the source IP address. Figure 9-11. Example of a Displayed Extended ACL Configuration Destination IP Address and Mask Optional Destination UDP or - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 361
switches using extensive ACL applications. In this case, resource usage takes precedence over other factors when planning and configuring be used for that packet, regardless of whether they match the packet. For example, suppose that you have applied the ACL shown in figure 9-9 to inbound traffic - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 362
the list. In this example, line 6 permits ( end of the ACL. In Any ACL, There Will Always Be a Match As indicated in figure 9-12, the switch automatically uses an implicit "deny IP any" (Standard ACL) or "deny any" (Extended ACL) as the last ACE in any ACL. This means that if you configure the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 363
is always placed at the end of the ACL. ■ Duplicate ACEs are not allowed in an ACL; however, the same ACE can be configured for multiple ACLs. For The switch interprets the bits specified with CIDR notation as the IP address bits in an ACL and the corresponding IP address bits in a packet. The switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 364
Configuring and Assigning a Numbered, Standard ACL To Configure: Refer to: Configuring Named ACLs "Configuring a Named ACL" on page 9-51 Configuring Extended, "Configuring you an opportunity to troubleshoot without sacrificing performance for users outside of the problem area. You can identify - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 365
not already exist, this command creates the specified ACL and its first ACE. To create a named ACL, refer to "Configuring a Named ACL" on page 9-51 < 1-99 > Specifies the ACL ID number. The switch interprets an ACL with a value in this range as a standard ACL. Note: To create an access list with an - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 366
in a packet's source IP address must exactly match the IP address configured in the ACL and which bits need not match. Note that specifying • The action is deny. • There is a match. • ACL logging is enabled on the switch. (Refer to "Enable ACL "Deny" Logging" on page 9-68.) (Use the debug command - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 367
example, ACL 50 is a new list, this command also creates the ACL. • Permits IP traffic from the indicated IP address. Startup configuration: • The deny any that the switch implicitly ; J9085A Configuration configured in the startup-config. access-group "50" in exit ip default-gateway - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 368
Switch 2610-24(config)# write mem ProCurve Switch 2610-24(config)# show config Denies IP traffic from the Startup configuration: indicated IP address. Since, for this example ACL "60" is listed in the switch configuration. access-group "60" in exit ip default-gateway 15.255.152.1 snmp-server - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 369
, extended ACLs. To configure other ACL types, refer to the following table. To Configure: Standard, numbered ACLs Named ACLs Refer To: "Configuring and Assigning a Numbered, Standard ACL" on page 9-40 "Configuring a Named ACL" on page 9-51 While standard ACLs use only source IP addresses for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 370
the ACL already exists, this command adds a new, explicit ACE to the end of the ACL. For a match to occur, the packet must have the source To create a named ACL, refer to "Configuring a Named ACL" on page 9-51. < 100-199 > Specifies the ACL ID number. The switch interprets an ACL with a value in - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 371
IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL < any | host < src-ip-addr > | ip- ACL to define which bits in a packet's source IP address must exactly match the IP address configured in the ACL and which bits need not match. Note that specifying a group of contiguous IP addresses - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 372
; generates an ACL log message if: • The action is deny. (This option is not configurable for Permit.) • There is a match. • ACL logging is enabled on the switch. (Refer to "Enabling ACL Logging on the Switch" on page 9-69) Syntax: interface < port-list > ip access-group < list-# | name-str > in - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 373
IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Example of an Extended ACL. Suppose that you want to implement these traffic. 10.10.20.0 10.10.10.0 10.10.30.0 Figure 9-15. Example of an Extended ACL 2610 Switch 1 A VLAN 10 10.10.10.1 2 VLAN 20 B 10.10.20.1 3 VLAN 30 10. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 374
21 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit interface 1 access-group "110" in exit Access-List configuration in the interface 2 switch's startup-config file. access-group "120" in exit . . . Figure 9-16. Example of Configuration Commands for an Extended ACL 9-50 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 375
ACL with an alphanumeric name instead of a number. Note that the command structure for configuring a named ACL differs from that for a numbered ACL. Syntax: ip access-list ACL already exists, these commands add a new, explicit ACE to the end of the ACL. For a match to occur, the packet must have - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 376
parameters in the preceding syntax statements, refer to the syntax descriptions under "Configuring and Assigning a Numbered, Standard ACL" on page 9-40 or "Configuring and Assigning a Numbered, Extended ACL" on page 9-45. For example, figure 9-17 shows the commands for creating an ACL in the "Named - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 377
12 ip access-group 150 in and Mask ProCurve (config)# show config Startup configuration: ; J9085A Configuration Editor; Created on release #A.14.03 Command Entry for Destination IP Address and Mask hostname "ProCurve Switch" ip access-list extended "150" permit tcp 10.10.20.100 0.0.0.0 10.10 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 378
Level Enabling an ACL from an Interface Context. Disabling an ACL from the Global Configuration Level Disabling an ACL from an Interface Context. Figure 9-18. Methods for Enabling and Disabling ACLs Deleting an ACL from the Switch Syntax: no ip access-list standard < name-str | 1-99 > no ip access - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 379
switch. show access-list config Display the ACL lists configured in the switch the switch or to a particular port configured on the switch. configured ACLs and assignments existing in the startup config file. show running includes configured This command lists the configured ACLs, regardless of - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 380
yes yes yes yes yes Name 110 120 150 50 60 Figure 9-19. Example of a Summary Table of Access Lists Term Type Appl Name Meaning Shows whether ACL configured in the switch. Display the Content of All ACLs on the Switch This command lists the configuration details for every ACL configured in the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 381
. This information also appears in the show running display. If you executed write memory after configuring an ACL, it appears in the show config display. For example, with two ACLs configured in the switch, you will see results similar to the following: ProCurve (config)# show access-list config ip - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 382
ACLs) Displaying ACL Data Note This information also appears in the show running display. If you executed write memory after configuring an ACL, it appears in the show config display. For example, if you assigned a standard ACL with an ACL-ID of "1" to filter inbound traffic on port 10, you could - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 383
IPv4 Access Control Lists (ACLs) Displaying ACL Data For example, suppose you configured the following ACL in the switch: ACL ID 2 ACL Type Standard Desired Action • Deny IP traffic from 18.28.236.77 and 18.29.140.107. • Permit IP traffic from all - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 384
has been applied to an interface. "No" means the ACL exists in the switch configuration, but has not been applied to any interfaces, and is therefore not in to match. In Standard ACLs: The source IP address to which the configured mask is applied to determine whether there is a match with a packet - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 385
Example of a Show Access-List Resources Command Output Display All ACLs and Their Assignments in the Switch Startup-Config File and Running-Config File The show config and show running commands include in their listings any configured new ACEs to the end of an ACL. However, the CLI method does - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 386
and then re-configure it by entering your updated list of ACEs end of the ACL. b. Re-Enter the desired ACEs in the correct sequence. General Editing Rules ■ You can delete any ACE from an ACL by repeating the ACE's entry command, preceded by the "no" statement. When you enter a new ACE, the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 387
extended ACL. All variable parameters in the command must be an exact match with their counterparts in the ACE you want to delete. For example, the first of the following two commands creates an ACE in ACL 22 and the second deletes the same ACE: Creates an ACE in ACL - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 388
to apply an ACL to multiple interfaces and the switch does not have sufficient resources to support the ACL, the command will fail for all to copy the current version of the ACL configuration to a file in your TFTP server. For example, to copy the ACL configuration to a file named acl02.txt in - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 389
command file with a "no" command to remove the earlier version of the ACL from the switch's running-config file. Otherwise, the switch will append the new ACEs in the ACL you download to the existing ACL. For example, if you plan to use the copy command to replace ACL "103", you would place this - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 390
stored on your TFTP server retains comments, and they appear when you use copy to download the ACL command file. (Comments are not saved in the switch configuration.) Enables a comment in the file. Figure 9-27. Example of a.txt File Designed for Creating an ACL Blank lines in the file cause breaks - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 391
can access, you would then execute the following command to download the file to the switch's startup-config file: Figure 9-28. Example of Using "copy tftp command-file" To Configure an ACL in the Switch Note If a transport error occurs, the switch does not execute the command and the ACL is not - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 392
, IP routing must be enabled. ■ For ACL logging to a Syslog server, the server must be accessible to the switch and identified (with the logging < ip-addr > command) in the switch configuration. ■ Debug must be enabled for ACLs and one or both of the following: • logging (for sending messages to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 393
address of the default VLAN on the sending switch, and the message configure the server's IP address. (You can configure up to six Syslog servers.) c. Ensure that the switch can access any Syslog servers you specify. 2. Configure one or more ACLs with the deny action and the log option. For example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 394
Telnet access from 10.38.100.127. ProCurve Switch Console RS-232 Port 11 Console 10 10.38.110.54 Syslog Server Configure extended ACL 143 here to deny Telnet access to inbound Telnet traffic from IP address 10.38.100.127. Figure 9-31. Example of an ACL Log Application 10.38.100 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 395
denied. To help test ACL logging, configure an ACL with an explicit deny any and log statements at the end of the list, and apply the ACL titled "ACL Problems", found in appendix C, "Troubleshooting" of the Management and Configuration Guide for your switch. ■ When configuring logging, you - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 396
must force the connection to close before the ACE can begin screening packets from that source. ACLs Do Not Filter Traffic Generated by the Switch. Because ACLs filter only inbound traffic at the inbound physical port, outbound traffic from any source is not filtered by any ACL(s) configured on the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 397
to the interface. The command fails for all included interfaces, including any that do not already have an ACL assigned. Duplicate access control entry. The switch detects an attempt to create a duplicate ACE in the same ACL. 9-73 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 398
IPv4 Access Control Lists (ACLs) General ACL Operating Notes 9-74 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 399
Introduction 10-3 DHCP Snooping 10-4 Overview 10-4 Enabling DHCP Snooping 10-5 Enabling DHCP Snooping on VLANS 10-7 Configuring DHCP Snooping Trusted Ports 10-8 Configuring Authorized Server Addresses 10-9 Using DHCP Snooping with Option 82 10-9 Changing the Remote-id from a MAC to - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 400
the Static Configuration of IP-to-MAC Bindings 10-30 Debugging Dynamic IP Lockdown 10-31 Using the Instrumentation Monitor 10-33 Operating Notes 10-34 Configuring Instrumentation Monitor 10-35 Examples 10-36 Viewing the Current Instrumentation Monitor Configuration . . . . . 10-37 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 401
Configuring Advanced Threat Protection Introduction Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users devices use the response to update their ARP caches. • A denial-of-service (DoS) attack from unsolicited - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 402
the switch, indicated by an excessive number of failed logins or port authentication failures • Attempts to deny switch service by the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 403
Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 404
: Yes vlan: Enable DHCP snooping on a vlan. DHCP snooping must be enabled already. Default: No To display the DHCP snooping configuration, enter this command: ProCurve(config)# show dhcp-snooping An example of the output is shown below. ProCurve(config)# show dhcp-snooping DHCP Snooping Information - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 405
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snooping 0 failed verify MAC check 0 Figure 10-2. Example of Show DHCP Snooping Statistics Enabling DHCP Snooping on VLANS DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 406
Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port or range : mac Store lease database : Not configured Port Trust ----- ----B1 Yes B2 Yes B3 No Figure 10-4. Example of Setting Trusted Ports DHCP server packets - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 407
configured, all servers are considered valid. You can configure a maximum of 20 authorized servers. To configure 0 0 11 Figure 10-5. Example of Authorized Servers for DHCP Snooping received on untrusted ports by default. (See the preceding section on a VLAN, and the switch is acting as a DHCP relay - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 408
switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the switch. The default drop policy should remain in effect if there are any untrusted nodes, such as clients, directly connected to this switch. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 409
Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch : Yes Option 82 remote-id : subnet-ip Figure 10-6. Example of DHCP Snooping Option 82 using the VLAN IP Address Disabling the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 410
-id : subnet-ip Figure 10-7. Example Showing the DHCP Snooping Verify MAC Setting switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch to wait before writing to the database. Default = 300 seconds. timeout Number of - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 411
binding MacAddress 22.22.22.22.22.22 IP VLAN Interface Time left 10.0.0.1 4 B2 1600 Figure 10-8. Example Showing DHCP Snooping Binding Database Contents Note If a lease database is configured, the switch drops all DHCP packets until the lease database is read. This only occurs when the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 412
Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 413
Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for to the remote server. DHCP packets being rate-limited. Too many DHCP packets are flowing through the switch and some are being dropped. Snooping table is full. The DHCP binding table is full and subsequent - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 414
Guide. ARP requests are ordinarily broadcast and received by all devices in a broadcast domain. Most ARP devices update sent to the poisoned address and can capture passwords, e-mail, and VoIP calls or even is through unsolicited ARP responses. For example, an attacker can associate the IP address - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 415
then re-forwards them through the switch software. During this process, if ARP packets are received at too high a line rate, some ARP packets may be dropped and will need to be retransmitted. ■ The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection and to report ARP - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 416
for example, 1-200. An example of the arp-protect vlan command is shown here: ProCurve(config)# arp-protect vlan 1-101 Configuring connectivity. On the other hand, if Switch A does not support dynamic ARP protection and you configure the port on Switch B connected to Switch A as trusted, Switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 417
protection in your network: ■ You should configure ports connected to other switches in the network as trusted ports. In this way, all network switches can exchange ARP packets and update their ARP caches with valid information. ■ Switches that do not support dynamic ARP protection should be sepa - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 418
, user-configured IP addresses, you can enter static IP-to-MAC address bindings in the DHCP binding database. The switch uses manually configured static port-number> MAC address and VLAN binding is configured in the DHCP binding database. An example of the ip source-binding command is shown here - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 419
default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate command at the global configuration the Ethernet configure one or more of the validation checks. The following example of the arp-protect validate command shows how to configure - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 420
Configuring Advanced Threat Protection Dynamic ARP Protection ProCurve(config)# show arp-protect ARP Protection Information Enabled Vlans : 1-4094 Validate : dst-mac, src-mac Port Trust ----- ----B1 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 421
troubleshoot the validation of ARP packets with the debug arp-protect command. Use this command when you want to debug the following conditions: ■ The switch port A2, vlan 1" Figure 10-3. Example of debug arp-protect Command Dynamic IP configured or learned by the DHCP Snooping feature. 10-23 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 422
network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD "r" protocols in the DHCP binding database lasts more than a week. Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients. In this - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 423
as shown in the example in Figure 10-4. These VLAN_IDs correspond to the subset of configured and enabled VLANS for which DHCP snooping has been configured. ■ For dynamic back to switching traffic as usual. Filtering IP and MAC Addresses Per-Port and Per-VLAN This section contains an example that - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 424
001122-110011 vlan 5 deny any vlan 1-10 permit any Figure 10-4. Example of Internal Statements used by Dynamic IP Lockdown Note that the deny switch. Operating Notes ■ Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 425
level or the dhcp-snooping command at the VLAN configuration level. • Dynamic IP lockdown is not supported on a trusted port. (However, note that the DHCP server must be connected to a trusted port when DHCP snooping is enabled.) By default, all ports are untrusted. To remove the trusted configura - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 426
IP address, and lease time. Dynamic IP lockdown supports a total of 4K static and dynamic bindings. Static bindings are created manually with the CLI or from a downloaded configuration file. When dynamic IP , and a port or switch has the maximum number of bindings configured, the client DHCP request - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 427
port number on which the IP-to-MAC address and VLAN binding is configured in the DHCP binding database. Note that the ip source-binding command is the same command used by the Dynamic ARP Protection feature to configure static bindings. The Dynamic ARP Protection and Dynamic IP Lockdown features share - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 428
Configuring Advanced Threat Protection Dynamic IP Lockdown An example of the show ip source-lockdown status command output is shown in Figure 10-5. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 429
Example of show ip source-lockdown bindings Command Output In the show ip source-lockdown bindings command output, the "Not in HW" column specifies whether or not (YES or NO) a statically configured command output. Packet counts are updated every five minutes. An example of the command output is - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 430
Configuring Advanced Threat Protection Dynamic IP Lockdown ProCurve(config)# debug dynamic-ip-lockdown DIPLD 01/01/90 00:01:25 DIPLD 01/01/90 00:41:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 300 packets Figure 10-7. Example of debug dynamic-ip-lockdown Command Output 10-32 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 431
switch with an invalid login or password. Also, it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch other features. A delay of several seconds indicates a problem. The number of MAC addresses learned in the forwarding - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 432
trap) is generated to inform network administrators of this condition. The following example shows an event log message that occurs when the number of MAC addresses learned in the forwarding table exceeds the configured threshold: Standard Date/Time Prefix "inst-mon" label indicates an for Event - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 433
Instrumentation Monitor The following commands and parameters are used to configure the opera tional thresholds that are monitored on the switch. By default, the instrumen tation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName|all] [] [log - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 434
Configuring Advanced Threat Protection Using the Instrumentation Monitor To enable instrumentation monitor using the default parameters and revise the threshold limits as needed. Examples To turn on monitoring and event log messaging with the default medium values: ProCurve(config)# instrumentation - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 435
generation for alerts: enabled Instrumentation monitoring log : enabled Figure 10-10. Viewing the Instrumentation Monitor Configuration An alternate method of determining the current Instrumentation Monitor configuration is to use the show run command. However, the show run command output does not - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 436
Configuring Advanced Threat Protection Using the Instrumentation Monitor 10-38 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 437
a Named Source-Port Filter 11-8 Using Named Source-Port Filters 11-9 Configuring Traffic/Security Filters 11-15 Configuring a Source-Port Traffic Filter 11-16 Example of Creating a Source-Port Filter 11-17 Configuring a Filter on a Port Trunk 11-17 Editing a Source-Port Filter 11 (Page 438)
/Security Filters and Monitors Overview Overview Source-port filters are available on the HP ProCurve switch models covered in this guide. Introduction Feature configure source-port filters display filter data Default none n/a Menu n/a n/a CLI Web page 11-18 n/a page 11-20 n/a You can (Page 439)
Traffic/Security Filters and Monitors Filter Types and Operation Filter Types and Operation Table 11-1. Filter Types and Criteria Static Filter Selection Criteria Type Source-Port Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis. (Page 440)
ports. End Node "A" End Node "B" End Node "C" Server Hub Port 1 Switch 6120 Configured for Port 2 Source-Port Filtering Configuring a source you would also configure a source-port filter to drop traffic received on port 2 with an outbound destination of port 1. Figure 11-1. Example of a (Page 441)
and port trunks (if any) on the switch appear as destinations on the list for that Example If you wanted to prevent server "A" from receiving traffic sent by workstation "X", but do not want to prevent any other servers or end nodes from receiving traffic from workstation "X", you would configure (Page 442)
-port filter once and apply it to multiple ports and port trunks. This can make it easier to configure and manage source-port filters on your switch. The commands to define, configure, apply, and display the status of named source-port filters are described below. Operating Rules for Named Source (Page 443)
is equal to the number of ports on a switch. A named source-port filter can only be that you want to change to forward. For example: filter source-port named-filter default state for destinations in a filter, this command is useful when destinations in an existing filter are configured (Page 444)
By default, these two named source-port filters forward traffic to all ports and port trunks. To configure a named source-port filter to prevent inbound traffic from being forwarded to specific destination switch ports or port trunks, the drop option is used. For example, on a 26-port switch, to (Page 445)
3 All other switch ports may only send traffic to Port 1. Accounting Workstation 1 Accounting Workstation 2 Port 10 Port 11 Port 1 Router to the Internet Port 7 Accounting Server 1 Figure 11-4. Network Configuration for Named Source-Port Filters Example Defining and Configuring Example Named (Page 446)
named source-port filter definition using the forward option. Figure 11-5. Applying Example Named Source-Port Filters Once the named source-port filters have been defined and configured, we now apply them to the switch ports. ProCurve(config)# filter source-port 2-6,8,9,12-26 named-filter web-only (Page 447)
-port) filter deletion created a gap in the filter listing. Figure 11-7. Example of the show filter Command Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value). The two outputs below show a non-accounting and an accounting switch port. 11-11 (Page 448)
| Drop 7 10/100TX | Forward 8 10/100TX | Drop 9 10/100TX | Drop 10 10/100TX | Drop 11 10/100TX | Drop 12 10/100TX | Drop . . . Figure 11-8. Example Showing Traffic Filtered on Specific Ports The same command, using IDX 26, shows how traffic from the Internet is handled. 11-12 (Page 449)
traffic may be sent to the Accounting Server or Workstations. 3 All other switch ports may only send traffic to Port 1. Accounting Workstation 1 Accounting Workstation Accounting Server 1 Accounting Server 2 Figure 11-10. Expanded Network Configuration for Named Source-Port Filters Example 11-13 (Page 450)
14-26 no-incoming-web | 1 | drop 7-8,10-13 ProCurve(config)# Figure 11-11. Example Showing Network Traffic Management with Source Port Filters We next apply the updated named source-port filters to the appropriate switch ports. As a port can only have one source-port filter (named or not named (Page 451)
type, determine the filter action you want for each outbound (destination) port on the switch (forward or drop). The default action for a new filter is to forward traffic of the specified type to all outbound ports. 3. Configure the filter. 4. Use show filter (page 11-20) to check the filter listing (Page 452)
for that filter to the Forward action. (Default: Forward on all ports.) Note: If multiple VLANs are configured, the source-port and the destination port trunk) to all destination ports (or trunks) on the switch. [ forward ] < port-list > Configures the filter to forward traffic for the ports and/or (Page 453)
a filter on an individual port. However, the configuration process requires two steps: 1. Configure the port trunk. 2. Configure a filter on the port trunk by using the trunk name (trk1, trk2, ...trk6) instead of a port name. For example, to create a filter on port trunk 1 to drop traffic (Page 454)
source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter. For example, suppose you configure a filter to drop traffic received on port 8 and destined for ports 1 and (Page 455)
/Security Filters Figure 11-14. Assigning Additional Destination Ports to an Existing Filter For example, suppose you wanted to configure the filters in table 11-2 on a switch. (For more on source-port filters, refer to "Configuring a Source-Port Traffic Filter" on page 11-16.) Table 11-2. Filter (Page 456)
and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers. IDX: An automatically assigned index number used to identify the filter for a detailed information (Page 457)
Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication 12-20 B. Specify User-Based Authentication or Return to Port-Based Authentication 12-21 Example: Configuring User-Based 802.1X Authentication . . . . 12-22 Example: Configuring Port-Based 802.1X Authentication (Page 458)
.1X-Authenticated Devices 12-48 Port-Security 12-49 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 12-50 Example 12-50 Supplicant Port Configuration 12-52 Displaying 802.1X Configuration, Statistics, and Counters . . . . 12-54 Show Commands for (Page 459)
Configuring Port-Based and User-Based Access Control (802.1X) Contents Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions 12-74 Messages Related to 802.1X Operation 12-76 12-3 (Page 460)
Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Authenticators Disabled n/a page 12-19 n/a Configuring 802.1X Open VLAN Mode Disabled n/a page 12-32 n/a Configuring Switch Ports to Operate (Page 461)
dent user credentials on each port. ■ The local operator password configured with the password command for management access to the switch is no longer accepted as an 802.1X authenticator credential. The password port-access command configures the local operator username and password used as (Page 462)
can access any tagged VLAN memberships statically configured on the port, provided the client is configured to use the available, tagged VLAN memberships. ■ If the first client authenticates and opens the port, and then one or more other clients connect without trying to authenticate, then the port (Page 463)
To Using a RADIUS Server Note that you can also configure 802.1X for authentication through the switch's local username and password instead of a RADIUS server, but doing so increases the administrative burden, decentralizes user credential administration, and reduces security by limiting (Page 464)
an authentication service to the switch when the switch is configured to operate as an authenticator. In the case of a switch running 802.1X, this is a RADIUS server (unless local authentication is used, in which case the switch performs this function using its own username and password for (Page 465)
an end-user work station, but it can be a switch, router, or another device seeking network services. Tagged Membership in a VLAN: This type of VLAN membership allows a port to be a member of multiple VLANs simultaneously. If a client connected to the port has an operating system that supports 802 (Page 466)
to "802.1X Open VLAN Mode" on page 12-32.) Example of the Authentication Process Suppose that you have configured a port on the switch for 802.1X authentication operation, which blocks access to the LAN through that port. If you then connect an 802.1X-aware client (supplicant) to the port and (Page 467)
Note Note Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation The switches covered in this guide can use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, refer to "User Authentication Methods" on (Page 468)
Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation New Client Authenticated RADIUS-Assigned VLAN? Assign New Client to RADIUS- Yes Specified VLAN No Authorized VLAN Configured? No Untagged VLAN Configured On Port ? No Assign New Client Yes to (Page 469)
allowed. ■ When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a re-authentication of the link. ■ Using user-based 802.1X authentication, when a port on the switch is configured as an authenticator the port (Page 470)
Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes ■ If a port on switch "A" is configured as an 802.1X supplicant and is connected to a port on another switch, "B", that is not 802.1X-aware, access to switch "B" will occur without 802.1X security protection (Page 471)
for network access to the switch. 802.1X network access is not allowed unless a password has been configured using the password port-access command. Syntax: password port-access [user-name ] Configures the operator username and password used to access the network through (Page 472)
password port-access user-name Jim secret3 Figure 12-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration 2-10. in this guide. 2. Determine the switch ports that you want to configure as authenticators and/or supplicants (Page 473)
ports or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.) 6. Unless you are using only the switch's local username and password for 802.1X authentication, configure at least one RADIUS server to authenticate access requests coming through (Page 474)
download the software so that they can initiate an authentication session, enable the 802.1X Open VLAN mode on the ports you want to support this feature. Refer to page 12-32. 3. Configure the 802.1X authentication type. Options include: • Local Operator username and password (using the password (Page 475)
configure the supplicant operation. (Refer to "Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches" on page 12-50.) Configuring Switch controlled-directions 12-27 [no] port-security [ethernet] < port-list > learn-mode port-access 12-48 802.1X (Page 476)
a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication. A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based (Page 477)
(802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X to convert a port from user-based authentication to port-based authentication, which is the default setting for ports on which authentication (Page 478)
the device does not have to provide 802.1X credentials or support 802.1X authentication. (You can still configure console, Telnet, or SSH security on the port.) auto (the default): The device connected to the port must support 802.1X authentication and provide valid credentials to get network access (Page 479)
is no response within the configured time frame, the switch assumes that the authentication attempt has timed out. Depending on the current max-requests setting, the switch will either send a new request to the server or end the authentication session. (Default: 30 seconds) [max-requests < 1 - 10 (Page 480)
-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which connected clients must be re-authenticated. When the timeout is set to 0, reauthentication is disabled. (Default: 0 seconds) [unauth (Page 481)
method for port-access. The default primary authentication is local. (Refer to the documentation for your RADIUS server application.) For switches covered in this guide, you must use the password port-access command to configure the operator username and password for 802.1X access. See (Page 482)
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication (Page 483)
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa port-access authenticator commands to reset 802.1X authentication and statistics (Page 484)
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop (Page 485)
ProCurve(config)# aaa port-access a10 controlled-directions in Figure 12-7. Example of Configuring 802.1X Controlled Directions Unauthenticated VLAN Access (Guest VLAN Access) When a PC is connected through an IP phone to a switch port that has been authorized using 802.1X or Web/MAC authentication (Page 486)
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators when none of the authenticated clients are authorized on the untagged authenticated VLAN. Instead of having just one client (Page 487)
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configuring Mixed Port Access Mode Syntax: [no] aaa port-access mixed Enables or disables guests on ports with authenticated clients. Default: Disabled; guests do not have access (Page 488)
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802 IP addressing from a DHCP server ■ Downloading the 802.1X supplicant software necessary for an authentication session The 802.1X Open VLAN mode solves this problem by temporarily suspending the port's static (Page 489)
configured to allow multiple sessions using 802.1X user- switch operates in an environment where some valid clients will not be running 802.1X supplicant software and need to download port. Clients that connect without trying to already assigned in the switch configuration. The port also becomes (Page 490)
to create one or two static VLANs on the switch for exclusive use by per-port 802.1X Open VLAN mode authentication: ■ Unauthorized-Client VLAN: Configure this VLAN when unauthenticated, friendly clients will need access to some services before being authenticated or instead of being authenticated (Page 491)
the Unauthorized-Client VLAN. • To limit security risks, the network services and access available on the Unauthorized-Client VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as a tagged member of any other VLANs, access to these (Page 492)
User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration the Unauthorized-Client VLAN. On the switches covered in this guide, you can use the unauth-period -Client VLAN-while the client is connected. • If the port is statically configured as a tagged member of a VLAN (Page 493)
services and access available on this VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as an untagged member of another VLAN, the switch duration of the client connection. Note for a Port Configured To Allow Multiple Client (Page 494)
User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured for the duration of the client connection. Note: An authorized-client VLAN configuration can be overridden by a RADIUS authentication (Page 495)
connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because membership in both VLANs is untagged, and the switch allows only one untagged, port-based VLAN membership per port. For example (Page 496)
of Authorized-Client VLAN session on untagged port VLAN membership. Rule • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client (Page 497)
Port Configured for 802.1X Open a manually configured IP address before connecting to the switch. VLAN Mode 802.1X Supplicant Software for a A friendly client, without 802.1X supplicant software, connecting to an Client Connected to a Port Configured authenticator port must be able to download this (Page 498)
to Allow Multiple-Client Access Rule You can optionally enable switches to allow up to 32 clients per port. The Unauthorized-Client VLAN feature can operate on an 802.1X configured port regardless of how many clients the port is configured to support. However, all clients on the same port must (Page 499)
IP address configured before connecting to the switch, or download one through the Unauthorized-Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN. ■ Ensure that the switch is connected to a RADIUS server configured to support (Page 500)
.1X supplicant software that supports the use of local switch passwords. Caution Ensure that you do not introduce a security risk by allowing Unauthorized-Client VLAN access to network services or resources that could be compromised by an unauthorized client. Configuring General 802.1X Operation (Page 501)
Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > [oobm] Adds a server to (Page 502)
vlan-id >] Configures an existing, static VLAN to be the Unauthorized-Client VLAN. For example, suppose you want to configure 802.1X port- -specific key string. The server is connected to a port on the Default VLAN. ■ The switch's default VLAN is already configured with an IP address of 10.28 (Page 503)
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to "Viewing 802.1X Open VLAN Mode Status" on page 12-63. 802.1X Open VLAN Operating (Page 504)
802.1X with the control mode in the port-access authenticator command set to auto (the default setting). For example, if port A10 was at a non-default 802.1X setting and you wanted to configure it to support the port-security option, you would use the following aaa port-access command: Control mode (Page 505)
port-access auth < port-list > client-limit < 1 - 32 > Configures user-based 802.1X authentication on the specified ports and sets the number of authenticated devices the port is allowed to learn. For more on this command, refer to "Configuring Switch Ports as 802.1X Authenticators" on page 12-19 (Page 506)
To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands 802.1X Supplicant Commands [no] aaa port-access < supplicant < [ethernet] < port-list > [auth-timeout | held (Page 507)
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch "B" is not 802 (Page 508)
, then < username > and < password > must be the username and password expected by the RADIUS server. If the intended authenticator port is configured for Local authentication, then < username > and < password > must be the username and password configured on the Authenticator switch. (Default: Null (Page 509)
Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret (Page 510)
ports configured to operate as 802.1X authenticators using the aaa port-access authenticator command? Yes or No • Allow RADIUS-assigned dynamic (GVRP) VLANs: Are RADIUS-assigned dynamic (GVRP-learned) VLANs supported for authenticated and unauthenticated client sessions on the switch? Yes or No (Page 511)
untagged VLAN used in client sessions. If the switch supports MAC-based (untagged) VLANs, MAC-based is displayed to show that multiple untagged VLANs are configured for authentication sessions. • Tagged VLANs: Are tagged VLANs (statically configured or RADIUS-assigned) used for authenticated clients (Page 512)
Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 12-11. Example of show configuration available for switches.) You can display 802.1X port-access authenticator configuration for all switch ports or specified ports. 802.1X configuration (Page 513)
TX Timeout Supplicant Timeout Server Timeout Cntrl Dir Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Port number on switch. Period of time (in seconds) after which clients connected to the port need to be reauthenticated. Port (Page 514)
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator statistics [port-list] Displays statistical information for all switch ports or specified ports that are enabled as 802.1X authenticators, includ (Page 515)
: • 802.1X frames received and transmitted on each port • Duration and status of active 802.1X authentication sessions (in-progress or terminated) • User name of 802.1X supplicant included in 802.1X response packets, configured with the aaa port-access supplicant identity command (see (Page 516)
User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator vlan [port-list] Displays the following information on the VLANs configured for use in 802.1X port-access authentication on all switch configuration Configuration (Page 517)
User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients [port-list] Displays the session status, name, and address for each 802.1X port-access-authenticated client on the switch Figure 12-16. Example of show port-access (Page 518)
and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Open Session Time(sec) : 999999999 Frames In : 999999999 Frames Out : 99999999 Username : webuser1 MAC Address : 001321 Figure 12-17. Example of show port-access authenticator clients detailed Command Output 12-62 (Page 519)
that can help you to see how the switch is using statically configured VLANs to support 802.1X operation. In these two show outputs, an Unauth VLAN ID appearing in the Current VLAN ID column for the same port indicates an unauthenticated client is connected to this port. (Assumes that the port is (Page 520)
port to allow network access to any connected device that supports 802.1X authentication and provides valid 802.1X credentials. (This is the default authenticator setting.) Authorized: Configures the port for "Force Authorized", which allows access to any device connected to the port, regardless of (Page 521)
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 12-2. Output for Determining Open VLAN Mode Status (Figure 12-18, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not (Page 522)
User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Note that ports B1 and B3 are not in the upper listing, but are included under "Overridden Port VLAN configuration". Figure 12-19. Example of Showing a VLAN with Ports Configured for Open VLAN Mode 12-66 (Page 523)
Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant < port-list > ports configured on the switch as supplicants. The Supplicant State can include the following: Connecting - Starting authentication. (Page 524)
. If it is not, the switch temporarily reassigns the port as described below. If the Port Used by the Client Is Not Configured as an Untagged Member of the control to open a port for client access after authenticating valid user credentials. ■ MAC address: Authenticates a device's MAC address to (Page 525)
in this guide. VLAN Assignment on a Port Following client authentication, VLAN configurations on a port are managed as follows when you use 802.1X, MAC, or Web authentication: ■ The port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration. Tagged VLAN - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 526
benefits: • You avoid the need of having static VLANs pre-configured on the switch. • You can centralize the administration of user accounts (including user VLAN IDs) on a RADIUS server. For information on how to enable the switch to dynamically create 802.1Q-compliant VLANs on links to other - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 527
or dynamic VLAN configured on the port (as described in the preceding bullet and in "Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session" on page 12-71), the disabled VLAN assignment is not advertised. When the authentication session ends, the switch: • Removes the temporary - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 528
-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 529
Configuring Port-Based and User where the server included an instruction to put the client's access on VLAN 22. Note: With the current VLAN configuration (figure 12-20), the with VLAN 22 ends, the active configuration returns port A2 to VLAN 33. Figure 12-22.The Active Configuration for VLAN 33 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 530
For information on how to enable a switch to dynamically create 802.1Q-compliant VLANs, see the chapter on "GVRP" in the Advanced Traffic Management Guide. Notes: 1. If a port is assigned as a member of an untagged dynamic VLAN, the dynamic VLAN configuration must exist at the time of authentication - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 531
per-port basis to prevent denial-of-service attacks. The interface unknown-vlans command on "GVRP" in the Advanced Traffic Management Guide. 3. If you disable the use of configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation (for example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 532
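The VLAN handling described above (a RADIUS-assigned untagged VLAN temporarily replacing the port's static untagged VLAN, tagged memberships kept, the static VLAN restored when the session ends, and the assigned VLAN having to exist at authentication time) as a small state model. This is an added illustration, not switch code: port A2, static untagged VLAN 33 and RADIUS-assigned VLAN 22 follow the guide's own example; VLAN 44, the demo's VLAN table and the "rejected" outcome for a VLAN that does not exist are assumptions.

```python
"""Model of how a RADIUS-assigned untagged VLAN overrides a port's static VLAN
membership for the life of an 802.1X/MAC/Web authentication session.
Added illustration, not switch code. VLAN 44 and the rejection outcome for a
non-existent VLAN are assumptions."""


class Port:
    def __init__(self, name, untagged, tagged=()):
        self.name = name
        self.static_untagged = untagged   # untagged VLAN in the switch configuration
        self.tagged = set(tagged)         # tagged memberships survive the session
        self.session_untagged = None      # temporary assignment from the RADIUS server

    def active(self):
        """Active configuration: what the port actually carries right now."""
        if self.session_untagged is None or self.session_untagged == self.static_untagged:
            return {"untagged": self.static_untagged, "tagged": sorted(self.tagged),
                    "suspended": None}
        # the static untagged VLAN is suspended on this port (and not advertised)
        # while the session lasts
        return {"untagged": self.session_untagged, "tagged": sorted(self.tagged),
                "suspended": self.static_untagged}


def start_session(port, existing_vlans, radius_vlan=None):
    """Apply the VLAN the RADIUS server returned with the Access-Accept, if any.
    The VLAN must already exist (statically or via GVRP) at authentication time."""
    if radius_vlan is None:
        return "authorized:static-vlans"          # no attribute: configured VLANs stay
    if radius_vlan not in existing_vlans:
        return "rejected:vlan-missing"            # assumed outcome for a missing VLAN
    port.session_untagged = radius_vlan
    return f"authorized:untagged-vlan-{radius_vlan}"


def end_session(port):
    """Session ends: the temporary assignment is removed, static config restored."""
    port.session_untagged = None


def demo():
    """Constructed walk-through of the guide's port A2 example."""
    a2 = Port("A2", untagged=33, tagged=[44])
    vlans = {22, 33, 44}                          # constructed VLAN table
    trace = [(start_session(a2, vlans, 22), a2.active())]
    end_session(a2)
    trace.append(("session-ended", a2.active()))
    trace.append((start_session(a2, vlans, 55), a2.active()))   # VLAN 55 does not exist
    return trace
```

The `suspended` field is the point of the model: while the session runs, VLAN 33 is still in the startup configuration but is not in the active configuration for port A2, which is why `show vlan` output for VLAN 33 and for VLAN 22 differ from the static configuration until the session ends.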
Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802 message can appear if you configured the switch for EAP-RADIUS or CHAP-RADIUS authentication, but the switch does not receive a response from a RADIUS server. Ensure that the switch is configured to access at least - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 533
Deploying MAC Lockdown 13-28 MAC Lockout 13-28 Port Security and MAC Lockout 13-31 Web: Displaying and Configuring Port Security Features 13-32 Reading Intrusion Alerts and Resetting Alert Flags 13-32 Notice of Security Violations 13-32 How the Intrusion Log Operates 13-33 Keeping the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 534
Configuring and Monitoring Port Security Contents Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 13-35 CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 13-36 Using the Event Log To Find Intrusion Alerts 13-38 Web: Checking - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 535
Security Overview Feature Default Menu CLI Web Displaying Current Port Security n/a - page 13-10 page 13-32 Configuring Port Security disabled 13-39 Port Security (Page 13-4). This feature enables you to configure each switch port with a unique list of the MAC addresses of devices that - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 536
switch's web browser interface ■ Event Log entries in the console interface ■ Intrusion Log entries in the menu interface, CLI, or web browser interface For any port, you can configure addresses from inbound traffic from any connected device. This is the default setting. • Limited-Continuous: Sets - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 537
traffic it receives from connected devices.) • Configured: Requires that you specify Configuration Guide for your switch.) ■ Port Access: Allows only the MAC address of a device authenticated through the switch's 802.1X Port-Based access control. Refer to chapter 12, Configuring Port-Based and User - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 538
address is learned and traffic is forwarded to it. The default. The Eavesdrop Prevention option does not apply because port security is Prevention should not cause any issues because all valid MAC addresses have been configured. Syntax [no] port-security eavesdrop-prevention When this - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 539
13-1. Example of show port-security Command Displaying Eavesdrop Prevention MIB Support The following MIB support is configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 540
either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 541
authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) optionally disable - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 542
13-19 13-19 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses. Note Use the global configuration level to execute port-security configuration commands. Port Security Display Options You can use the CLI to display the current port - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 543
A7 and A8 Show the Default Setting) With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port: 13 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 544
Port Security Figure 13-4. Example of the Port Security Configuration Display for a Single Port The next example shows the option for an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports. mac-address: Lists the specified MAC address with - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 545
Configuring and Monitoring Port Security Port Security Figure 13-5. Examples of Show Mac-Address Outputs 13-13 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 546
| configured | limited-continuous > For the specified port: • Identifies the method for acquiring authorized addresses. • On switches covered in this guide, automatically invokes eavesdrop protection. (Refer to "Eavesdrop Prevention" on page 13-5.) continuous (Default): Appears in the factory-default - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 547
(Continued) learn-mode < continuous | static | port-access | configured | limited-continuous > (Continued) static: Enables you to use the mac -devices list and the first two additional MAC addresses it detects. If, for example: You use mac-address to authorize MAC address 0060b0-880a80 for port A4. - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 548
, Configuring Port-Based and User-Based Access Control (802.1X). configured: Must specify which MAC addresses are allowed for this port. Range is 1 (default) limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 549
and System Information" in the Management and Configuration Guide for your switch. To set the learn-mode to limited use configured, or limited-continuous, the address-limit parameter specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8 for static and configured - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 550
to reach the device limit. For example, if you specify four devices, but switch will not disable the port again until you reset the intrusion flag. See the Note on 13-34. For information on configuring the switch for SNMP management, refer to the Management and Configuration Guide for your switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 551
tion" in the Management and Configuration Guide for your switch. Learned Addresses. In the following two Download a configuration file that does not include the unwanted MAC address assignment. ■ Reset the switch to its factory-default configuration. Assigned/Authorized Addresses. : If you manually - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 552
-number > mac-address < mac-addr >. ■ Download a configuration file that does not include the unwanted MAC address assignment. ■ Reset the switch to its factory-default configuration. Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 553
without having to also increase the Address Limit. The Address Limit has not been reached. Figure 13-6. Example of Adding an Authorized Device to a Port With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address. ProCurve - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 554
Configuring and Monitoring Port Security Port Security (The message Inconsistent value and add the MAC address with a single command. For example, suppose port A1 allows one authorized device and already has a device listed: Figure 13-8. Example of Port Security on Port A1 with an Address Limit of - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 555
remove a device from the "Authorized" list without opening the possibility for an unwanted device to automatically become authorized. For example, suppose port A1 is configured as shown below and you want to remove 0c0090-123456 from the Authorized Address list: When removing 0c0090-123456, first - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 556
The above command sequence results in the following configuration for port A1: Note 13-24 Figure 13-10. Example of Port A1 After Removing One MAC Address MAC address hijacking. It also controls address learning on the switch. When configured, the MAC Address can only be used on the assigned port - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 557
switch (by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch), address is configured for one port, you cannot perform port security using the same MAC address on any other port on that same switch. You - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 558
are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggregations). Differences Between MAC Lockdown and Port security the MAC Address could still be used on another port on the same switch. MAC Lockdown, on the other hand, is a clear one-to-one relationship - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 559
in the log file can be useful for troubleshooting problems. If you are trying to connect a device which has been locked down to resets itself to check once a day. The purpose of rate-limiting the log messaging is to prevent the log file from becoming too full. You can also configure the switch - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 560
MAC Lockdown is to prevent a malicious user from "hijacking" an approved MAC address switch which is supposed to be connected to the real device bearing that MAC address. However, you can run into trouble MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 561
network. If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command. You don't have to configure every single port-just perform the command on the switch and it is effective for all ports. 13-29 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 562
Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch's own MAC Address) If someone using a - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 563
and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security. You can use MAC Lockout to lock - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 564
Port Security, the switch responds in the following ways to notify you: ■ The switch sets an alert flag for that port. This flag remains set until: • You use either the CLI, menu interface, or web browser interface to reset the flag. • The switch is reset to its factory default configuration. 13-32 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 565
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the intrusion alert flags for these attempts have been reset. This gives you a history of past intrusion attempts. Thus, for example, if there is an intrusion alert for - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 566
most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 567
Device on System Time of Intrusion on Port Indicates this intrusion on port A3 occurred prior to a reset (reboot) at the indicated time Figure 13-13. Example of the Intrusion Log Display The example in Figure 13-13 shows two intrusions for port A3 and one intrusion for port A1. In this case - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 568
no longer shows "Yes" for the port on which the intrusion occurred (port A3 in this example). (Because the Intrusion Log provides a history of the last 20 intrusions detected by the switch, resetting the alert flags does not change its content. Thus, displaying the Intrusion Log again will result - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 569
cleared (that is, the Alert Flag has been reset at least twice before the most recent intrusion Figure 13-15.Example of the Intrusion Log with Multiple Entries for the Same Port The above example shows three intrusions for port A1. Since the switch can show only one uncleared intrusion per port, the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 570
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch Alert on port A1 is now Figure 13-16.Example of Port Status Screen After Alert Flags Reset For more on clearing intrusions, see "Note on Send - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 571
More Event Log Information. See "Using the Event Log To Identify Problem Sources" in the "Troubleshooting" chapter of the Management and Configuration Guide for your switch. Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 1. Check the Alert Log by clicking on the - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 572
and Configuration Guide for your switch.) Without both of the above configured, the switch detects only the proxy server's MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. "Prior To" Entries in the Intrusion Log. If you reset the switch (using - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 573
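The port security learn modes (static, configured, limited-continuous, continuous), the address-limit behaviour, the precedence of MAC Lockout over MAC Lockdown and port security, and the per-port alert flag plus 20-entry Intrusion Log described in the preceding sections, modelled in one place. This is an added illustration and not switch firmware: the MAC addresses are made up (in the guide's xxxxxx-xxxxxx notation), the `static_mac`/`lockout_mac` method names are assumed analogues of the CLI commands rather than commands quoted from this page, and checking Lockdown before port security is an assumed ordering (the guide only states that Lockout overrides both).

```python
"""Model of ProCurve port security, MAC Lockdown and MAC Lockout precedence,
plus the per-port alert flag and the 20-entry Intrusion Log. Added illustration,
not switch firmware. MAC addresses are made up; the static_mac/lockout_mac
command analogues and the lockdown-before-port-security ordering are assumed."""
from dataclasses import dataclass, field

INTRUSION_LOG_SIZE = 20            # the guide: the log keeps the last 20 intrusions


@dataclass
class PortSec:
    learn_mode: str = "continuous"   # continuous|static|configured|limited-continuous
    address_limit: int = 1
    authorized: list = field(default_factory=list)   # configured + learned addresses
    alert_flag: bool = False         # set on intrusion, cleared by the operator


class Switch:
    def __init__(self):
        self.ports = {}              # port name -> PortSec (absent = no port security)
        self.lockout = set()         # MAC Lockout: address denied on every port
        self.lockdown = {}           # MAC Lockdown: address -> the one port allowed to carry it
        self.intrusion_log = []      # newest first, capped at INTRUSION_LOG_SIZE

    # ---- configuration (CLI analogues) -----------------------------------
    def port_security(self, port, learn_mode="continuous", address_limit=1, mac_address=()):
        """port-security <port> learn-mode <mode> address-limit <n> mac-address <list>"""
        if learn_mode in ("static", "configured") and not 1 <= address_limit <= 8:
            raise ValueError("address-limit is 1..8 for static and configured modes")
        if len(mac_address) > address_limit:
            raise ValueError("more mac-address entries than address-limit allows")
        self.ports[port] = PortSec(learn_mode, address_limit, list(mac_address))

    def static_mac(self, mac, port):
        """MAC Lockdown: pin an address to one port (assumed command analogue)."""
        self.lockdown[mac] = port

    def lockout_mac(self, mac):
        """MAC Lockout: deny an address on all ports (assumed command analogue)."""
        self.lockout.add(mac)

    def clear_intrusion_flags(self, port=None):
        """Reset alert flags; the Intrusion Log itself keeps its entries."""
        for name, ps in self.ports.items():
            if port is None or name == port:
                ps.alert_flag = False

    # ---- data plane -------------------------------------------------------
    def ingress(self, port, mac):
        """Fate of a frame with source `mac` arriving on `port`."""
        if mac in self.lockout:                          # Lockout overrides everything
            return "drop:lockout"
        if mac in self.lockdown and self.lockdown[mac] != port:
            return "drop:lockdown"                       # address pinned to another port
        ps = self.ports.get(port)
        if ps is None or ps.learn_mode == "continuous":  # learns anything, no limit
            return "forward"
        if mac in ps.authorized:
            return "forward"
        if ps.learn_mode in ("static", "limited-continuous") and len(ps.authorized) < ps.address_limit:
            ps.authorized.append(mac)                    # learn until the limit is reached
            return "forward:learned"
        # "configured" never learns; static/limited-continuous stop at the limit.
        ps.alert_flag = True                             # blocked, flagged, logged
        self.intrusion_log.insert(0, (port, mac))
        del self.intrusion_log[INTRUSION_LOG_SIZE:]
        return "intrusion"


def demo():
    """Constructed scenario; returns the switch and the per-frame decisions."""
    sw = Switch()
    sw.port_security("A1", "static", address_limit=2, mac_address=["0c0090-123456"])
    sw.port_security("A2", "configured", address_limit=1, mac_address=["0060b0-880a80"])
    sw.static_mac("0060b0-880a80", "A2")   # also pin that address to A2
    sw.lockout_mac("001321-00c0de")        # a known-bad address, denied everywhere
    frames = [
        ("A1", "0c0090-123456"),  # configured on A1             -> forward
        ("A1", "0c0090-456456"),  # second address, within limit  -> learned
        ("A1", "0c0090-789789"),  # limit of 2 already reached    -> intrusion
        ("A2", "0060b0-880a80"),  # configured and locked down    -> forward
        ("A3", "0060b0-880a80"),  # locked-down MAC on wrong port -> drop
        ("A2", "0c0090-999999"),  # configured mode never learns  -> intrusion
        ("A3", "001321-00c0de"),  # locked out, even on an open port -> drop
    ]
    return sw, [sw.ingress(p, m) for p, m in frames]
```

Two details worth noticing when reading the results: in static mode the configured address counts toward the address limit, so a limit of 2 with one configured address leaves room for exactly one learned address; and clearing the alert flag for a port leaves the Intrusion Log untouched, which is what lets the log act as a history even after flags have been reset.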
2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together. ProCurve - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 574
Configuring and Monitoring Port Security Operating Notes for Port Security 13-42 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 575
Interface 14-10 Web-Based Help 14-10 Building IP Masks 14-10 Configuring One Station Per Authorized Manager IP Entry 14-10 Configuring Multiple Stations Per Authorized Manager IP Entry . . 14-11 Additional Examples for Authorizing Multiple Stations 14-13 Operating Notes 14-13 14-1 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 576
Managers Configuring Authorized IP Managers Building IP Masks Operating and Troubleshooting Notes Default n/a passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch's Authorized IP Managers configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 577
SNMPv1, and SNMPv2c access only) Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) to the switch restricted to authorized personnel, using the username/password and other security features available in the switch, and - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 578
Configuring Multiple Stations Per Authorized Manager IP Entry" on page 14-11.) To configure the switch switch by a management station. Overview of IP Mask Operation The default IP Mask is 255.255.255.255 and allows switch ranges of authorized IP addresses. For example, a mask of 255.255.255.0 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 579
is applied in a different manner. Menu: Viewing and Configuring IP Authorized Managers From the console Main Menu, select: 2. Switch Configuration ... 7. IP Authorized Managers 1. Select Add to add an authorized manager to the list. Figure 14-1. Example of How To Add an Authorized Manager Entry 14 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 580
to select Manager or Operator access. 5. Press [Enter], then [S] (for Save) to configure the IP Authorized Manager entry. Applies only to access through Telnet, SNMPv1, and SNMPv2c. Refer to the note on page 14-3. Figure 14-2. Example of How To Add an Authorized Manager Entry (Continued) Editing or - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 581
10.28.227.0 through 255 Access Mode: Manager Manager Manager Operator Configuring IP Authorized Managers for the Switch Syntax: ip authorized-managers Configures one or more authorized IP addresses. [] Configures the IP mask for < ip address > [access - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 582
either Manager or Operator access, the switch assigns the Manager access. For example: Omitting a mask in the ip authorized-managers command results in a default mask of 255.255.255.255, which authorizes only the specified station. Refer to "Configuring Multiple Stations Per Authorized Manager IP - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 583
parameter settings for the operation you want. 4. Click on [Add], [Replace], or [Delete] to implement the configuration change. Web Proxy Servers If you use the web browser interface to access the switch from an authorized IP manager station, it is highly recommended that you avoid using a web proxy - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 584
switch poses a security risk. If the station uses a web proxy server to connect to the switch, any proxy user can access the switch. If it is necessary to use the switch for the correspond ing mask. For example, as shown in figure 14-3 on page 14-7, if you configure an IP address of 10.28.227.125 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 585
having an IP address of 10.33.248.5. Configuring Multiple Stations Per Authorized Manager IP Entry The is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you in the Authorized Manager IP list. Thus, in the example shown above, a "255" in an IP Mask octet - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 586
. Where a mask bit is "off" the corresponding bit setting in the address can be either "on" or "off". In this example, in order for a station to be authorized to access the switch: • The first three octets of the station's IP address must match the Authorized IP Address. • Bit 0 and Bits 3 through - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 587
be applied, for example, to a subnetted manual, and preventing unauthorized access to data on your management stations. ■ Modem and Direct Console Access: Configuring authorized IP managers does not protect against access to the switch through a modem or direct Console (RS-232) port connection - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 588
you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or "Exceptions" list in the web browser interface you are using on - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 589
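The Authorized IP Managers mask rule stated in the sections above (a station is authorized when every address bit under a set mask bit matches the configured address, bits under a cleared mask bit may be either value, the default mask 255.255.255.255 admits one station, and a station matching both a Manager and an Operator entry gets Manager) as a checker you can run against a candidate entry before committing it to the switch. This is an added illustration and not switch code. The station addresses and the entry table are constructed; the 255.255.255.249 mask is an assumed value chosen because it matches the guide's description of its example (bit 0 and bits 3 through 7 of the last octet must match, bits 1 and 2 may vary).

```python
"""Authorized IP Managers: mask matching and the Manager/Operator precedence
rule. Added illustration, not switch code. The entry table and the
255.255.255.249 mask are constructed/assumed, not copied from the switch."""
import ipaddress

ACCESS_RANK = {"Operator": 1, "Manager": 2}


def _bits(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(station, auth_ip, mask):
    """True when every address bit under a set mask bit is identical.
    A mask bit that is off leaves that address bit unconstrained, so a
    non-contiguous mask is legitimate here, unlike a routing prefix."""
    m = _bits(mask)
    return (_bits(station) & m) == (_bits(auth_ip) & m)


def access_level(station, entries):
    """entries: list of (auth_ip, mask, 'Manager' | 'Operator').
    Returns the level the switch would grant, or None if the station matches
    no entry. A station matching both a Manager and an Operator entry gets
    Manager, as the guide states."""
    granted = [acc for ip, mask, acc in entries if matches(station, ip, mask)]
    return max(granted, key=ACCESS_RANK.__getitem__, default=None)


def stations_admitted(auth_ip, mask, limit=4096):
    """Every station address one entry admits, in ascending order.
    Refuses masks that open more than `limit` addresses (e.g. 0.0.0.0), which
    is the check worth running before trusting a hand-written mask."""
    base, m = _bits(auth_ip) & _bits(mask), _bits(mask)
    free = [b for b in range(32) if not (m >> b) & 1]   # unconstrained bit positions
    if 1 << len(free) > limit:
        raise ValueError(f"mask {mask} admits {1 << len(free)} stations")
    out = []
    for k in range(1 << len(free)):
        v = base
        for i, b in enumerate(free):
            if (k >> i) & 1:
                v |= 1 << b
        out.append(str(ipaddress.IPv4Address(v)))
    return out


# Constructed entry table: one exact station, one whole subnet, one
# non-contiguous mask (assumed value, see the lead-in).
AUTHORIZED_MANAGERS = [
    ("10.28.227.125", "255.255.255.255", "Manager"),   # default mask: this station only
    ("10.28.227.0",   "255.255.255.0",   "Operator"),  # 10.28.227.0 through .255
    ("10.28.229.125", "255.255.255.249", "Manager"),   # .121, .123, .125 and .127 only
]
```

Run `stations_admitted` on every entry before you save the configuration: a mask typed as 255.255.0.255 instead of 255.255.255.0 silently admits 256 stations scattered across every third-octet value, and nothing in the switch's own display will make that obvious.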
authenticate users ... 12-6 authentication methods ... 12-5 authentication, local ... 12-7 authentication, user-based supported ... 12-14 messages ... 12-76 multiple clients ... 12-40 multiple clients, same VLAN ... 12-6 open port ... 12-5 open VLAN authorized client ... 12-34 configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 590
password switch port operating as ... 12-50 supplicant state ... 12-67 supplicant statistics, note ... 12-67 supplicant, configuring ... 12-50 supplicant-timeout ... 12-23 terminology ... 12-7 traffic flow on unauthenticated ports ... 12-28 troubleshooting also port-based. user-based vs. port- - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 591
... 9-4 applied to open connection ... 9-72 assign to VLAN ... 9-38 basic structure ... 9-34 broadcasts, effect on ... 9-72 CIDR, mask ... 9-39 command summary ... 9-6 command syntax ... 9-41 configuration planning ... 9-12 configured but not used ... 9-38 configured, not used ... 9-38 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 592
9-17 resource usage, help display ... 9-19 resource use, example ... 9-20 resource use, troubleshooting ... 9-19 resource, display current use ... 9-19 routed traffic ... 9-26 rule and mask usage ... 9-17 rules, configuration ... 9-25 rules, operation ... 9-25 SA, defined ... 9-9 security - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 593
Class of Service See CoS. Clear button to delete password protection ... 2-7 configuration filters snooping ... 10-13 default configuration and security ... 1-15 default settings 802.1X aaa public-key authentication, disabled ... 7-2 connection-rate filtering, none ... 1-8 DHCP snooping - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 594
MAC lockdown and lockout, none ... 1-7 manager password, no password ... 1-3 passwords clear password, enabled ... 2-27 password recovery, enabled ... 2-28, 2-33 password-clear, enabled ... 2-29 reset-on-clear, disabled ... 2-28 username and passwords, none ... 2-3 port security, none - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 595
configured mode ... 13-6 continuous learn mode ... 13-6 disabling ... 13-5 interactions with learn modes ... 13-6 limited-continuous mode ... 13-6 mib support source-port filter value ... 11-19 static ... 11-2 types ... 11-3 Framed-IP-Address ... 5-48 G guest VLAN ... 12-8, 12-9, 12-32 GVRP - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 596
concurrent with Web ... 3-4 configuration commands ... 3-51 configuring on the switch ... 3-50 switch for RADIUS access ... configuration ... 3-55 terminology ... 3-11 MAC Lockdown ... 13-3 MAC Lockout ... 13-3 manager password ... 2-4, 2-6, 2-7 recommended ... 4-7 saving to configuration - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 597
, hierarchy of precedence in authentication session ... 1-18 operator only, caution ... 2-5 password pair ... 2-3 setting ... 2-6 SNMP configuration ... 2-3 password security ... 7-20 saved to configuration file ... 2-12 PCM See ProCurve Manager. peap-mschapv2 ... 5-11 port security - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 598
server groups ... 5-21 NAS-Prompt-User service-type value ... 5-14 network accounting ... 5-47 operating rules, switch ... 5-6 override CoS ... 6-7 override CoS, example ... 6-8 override Rate-Limiting ... 6-7 override Rate-Limiting, example ... 6-8 override, precedence, multiple clients - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 599
switch ... 2-20 copying startup configuration ... 2-19 disabling Reset-on-clear option ... 2-20 downloading a configuration file ... 2-19 downloading from a server ... 2-10 enabling storage in configuration file ... 2-11 manager username and password ... 2-12 operator username and password - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 600
to authentication MIB ... 1-15 password and username configuration ... 2-3 RADIUS access to auth config MIB ... 5-4 trap generation ... 10-35 SNMPv3 saving security credentials to configuration file ... 2-11, 2-13 security credentials not supported in downloaded file ... 2-21 snooping - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 601
... 7-19 SSHv2 ... 7-2 steps for configuring ... 7-6 switch key to client ... 7-13 terminology ... ... 8-6 operating rules ... 8-6 passwords, assigning ... 8-7 prerequisites ... 8-5 configuring ... 8-5 supported encryption methods ... 8-3 terminology ... 8-3 TLSv1 ... 8-2 troubleshooting - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 602
10-8 U untrusted policy, snooping ... 10-10 user name cleared ... 2-7 SNMP configuration ... 2-3 V Vendor-Specific Attribute ... 6-11 vendor-specific attribute configured in RADIUS server ... 6-4 configuring ... 6-4 configuring support for HP VSAs ... 5-38 defining ... 5-39 virus detection - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 603
access control on unauthenticated ports ... 3-22 controlled directions ... 3-22 on the switch ... 3-20 switch for RADIUS access ... 3-17 display all 802.1X, Web, and MAC authentication configuration ... 3-14, 12-16 general setup ... 3-14 hierarchy of precedence in authentication session ... 1-18 - HP 6120XG | HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 604
forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP will not be liable for technical or editorial errors or omissions contained herein. November 2010 Manual Part Number 5992-5525
ProCurve Series 6120 Switches
Access Security Guide
November 2010
Version Z.14.22