ProCurve

Switch 2600 Series

Switch 2600-PWR Series

Switch 2800 Series

Switch 4100gl Series

Switch 6108

December 2008

Access Security Guide

Hewlett-Packard Company

8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551

http://www.procurve.com

Contents

Product Documentation

About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xii

1 Getting Started

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3 General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 Feature Descriptions by Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 Port Identity Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . 1-9

2 Configuring Username and Password Security

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6

iii

Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17

3Web and MAC Authentication for the Series 2600/ 2600-PWR and 2800 Switches

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

General Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . 3-12 Do These Steps Before You Configure Web/MAC Authentication . . 3-12

Additional Information for Configuring the RADIUS Server To Support MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . . . . 3-15

Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Configure the Switch for Web-Based Authentication . . . . . . . . . . . . . 3-18

Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . . . . . 3-22 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22 Configure the Switch for MAC-Based Authentication . . . . . . . . . . . . 3-23

Show Status and Configuration of Web-Based Authentication . . . . . . . . 3-26

Show Status and Configuration of MAC-Based Authentication . . . . . . . . 3-27

Show Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

iv

4 TACACS+ Authentication

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3

General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

Controlling Web Browser Interface Access When Using TACACS+

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

5 RADIUS Authentication and Accounting

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . . . . . . 5-6 Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-7

v

1. Configure Authentication for the Access Methods You Want RADIUS

Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16

Controlling Web Browser Interface Access When Using RADIUS

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17

Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17 Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-19 Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-19

Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27

RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29

Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31

6 Configuring Secure Shell (SSH)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Steps for Configuring and Using SSH for Switch and Client Authentication . 6-6

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8

Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9 1. Assign Local Login (Operator) and Enable (Manager) Password . 6-9 2. Generate the Switch???s Public and Private Key Pair . . . . . . . . . . . . 6-10 3. Provide the Switch???s Public Key to Clients . . . . . . . . . . . . . . . . . . . 6-12

4. Enable SSH on the Switch and Anticipate SSH Client Contact Behavior 6-15

5. Configure the Switch for SSH Authentication . . . . . . . . . . . . . . . . . 6-18

vi

6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-21

Further Information on SSH Client Public-Key Authentication . . . . . . . . 6-21

Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27

7 Configuring Secure Socket Layer (SSL)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

Steps for Configuring and Using SSL for Switch and Client Authentication . 7-5

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 1. Assign Local Login (Operator) and Enable (Manager) Password . 7-7 2. Generate the Switch???s Server Host Certificate . . . . . . . . . . . . . . . . . 7-9

3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Common Errors in SSL Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21

8 Configuring Port-Based Access Control (802.1X)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

How 802.1X Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Switch-Port Supplicant Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10

General Setup Procedure for Port-Based Access Control (802.1X) . . . . . 8-12 Do These Steps Before You Configure 802.1X Operation . . . . . . . . . 8-12 Overview: Configuring 802.1X Authentication on the Switch . . . . . . 8-13

vii

Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . . . . . . 8-15 1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . . 8-15 3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . . 8-19 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 8-20 5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . . 8-20

Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32

Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34

Displaying 802.1X Configuration, Statistics, and Counters . . . . . . . . . . . . 8-38 Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 8-38 Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . . 8-40 Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . 8-43

How RADIUS/802.1X Authentication Affects VLAN Operation . . . . . . . . 8-44

Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48

9 Configuring and Monitoring Port Security

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2

Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3

Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5

Port Security Command Options and Operation . . . . . . . . . . . . . . . . . . . . . 9-6 Retention of Static MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10 Displaying Current Port Security Settings . . . . . . . . . . . . . . . . . . . . . . 9-10 Configuring Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12

viii

MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17

Differences Between MAC Lockdown and Port Security . . . . . . . . . 9-19

Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21

MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25

Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27

IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28

Web: Displaying and Configuring Port Security Features . . . . . . . . . . . . . 9-29

Reading Intrusion Alerts and Resetting Alert Flags . . . . . . . . . . . . . . . . . . 9-29 Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-29 How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-30 Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . . 9-31 Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . . . 9-36

Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36

Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37

10Traffic/Security Filters

(ProCurve Series 2600/2600-PWR and 2800 Switches)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

Using Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Configuring a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

Viewing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7

Filter Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8

Editing a Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9

Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10

11 Using Authorized IP Managers

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2

Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

ix

Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 11-5 CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 11-6

Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . . . . . 11-9

Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Configuring One Station Per Authorized Manager IP Entry . . . . . . . 11-9 Configuring Multiple Stations Per Authorized Manager IP Entry . . 11-10 Additional Examples for Authorizing Multiple Stations . . . . . . . . . 11-11

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12

x

Product Documentation

About Your Switch Manual Set

The switch manual set includes the following:

??? Read Me First - a printed guide shipped with your switch. Provides software update information, product notes, and other information.

??? Installation and Getting Started Guide - a printed guide shipped with your switch. This guide explains how to prepare for and perform the physical installation and connection to your network.

??? Management and Configuration Guide - included as a PDF file on

the Documentation CD. This guide describes how to configure, manage, and monitor basic switch operation.

??? Advanced Traffic Management Guide - included as a PDF file on

the Documentation CD. This guide explains the configuration and operation of traffic management features such as spanning tree, VLANs, and IP routing.

??? Access Security Guide - included as a PDF file on the

xi

Product Documentation

Feature Index

For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.)

xii

Product Documentation

xiii

Product Documentation

xiv

1

Getting Started

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3

General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Feature Descriptions by Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Command Syntax Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Port Identity Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 To Set Up and Install the Switch in Your Network . . . . . . . . . . . . . . . . 1-9

1-1

Getting Started

Introduction

Introduction

This Access Security Guide describes how to use ProCurve???s switch security features to protect access to your switch. This guide is intended to support the following switches:

???ProCurve Series 2600

???ProCurve Series 2600-PWR

???ProCurve Series 2800

???ProCurve Series 4100gl

???ProCurve Switch 6108

For an overview of other product documentation for the above switches, refer to ???Product Documentation??? on page xi.

The Product Documentation CD-ROM shipped with the switch includes a copy of this guide. You can also download a copy from the ProCurve website, http://www.procurve.com.

Overview of Access Security Features

The access security features covered in this guide include:

???Local Manager and Operator Passwords (page 2-1): Control access and privileges for the CLI, menu, and web browser interfaces.

???TACACS+ Authentication (page 4-1): Uses an authentication appli- cation on a server to allow or deny access to a switch.

???RADIUS Authentication and Accounting (page 5-1): Like TACACS+, uses an authentication application on a central server to allow or deny access to the switch. RADIUS also provides accounting services for sending data about user activity and system events to a RADIUS server.

???Secure Shell (SSH) Authentication (page 6-1): Provides encrypted paths for remote access to switch management functions.

1-2

Getting Started

Overview of Access Security Features

???Secure Socket Layer (SSL) (page 7-1): Provides remote web access to the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation.

???Port-Based Access Control (802.1X) (page 8-1): On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches.

???Port Security (page 9-1): Enables a switch port to maintain a unique list of MAC addresses defining which specific devices are allowed to access the network through that port. Also enables a port to detect, prevent, and log access attempts by unauthorized devices.

???Traffic/Security Filters (page 10-1): Source-Port filtering enhances in-band security by enabling outbound destination ports on the switch to forward or drop traffic from designated source ports (within the same VLAN).

???Authorized IP Managers (page 11-1): Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized".

Management Access Security Protection

In considering management access security for your switch, there are two key areas to protect:

???Unauthorized client access to switch management features

???Unauthorized client access to the network.

Table 1-1 on page 1-4 provides an overview of the type of protection offered by each switch security feature.

1-3

Getting Started

Overview of Access Security Features

Table 1-1. Management Access Security Protection

1 The local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access) also offer protection for serial port access.

General Switch Traffic Security Guidelines

Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.

1.Disabled/Enabled physical port

2.MAC lockout (applies to all ports on the switch)

3.MAC lockdown

4.Port security

5.Authorized IP Managers

6.Application features at higher levels in the OSI model, such as SSH

(The above list does not address the mutually exclusive relationship that exists among some security features.)

1-4

Getting Started

Conventions

Conventions

This guide uses the following conventions for command syntax and displayed information.

Feature Descriptions by Model

In cases where a software feature is not available in all of the switch models covered by this guide, the section heading specifically indicates which product or product series offer the feature.

For example (the switch model is highlighted here in bold italics):

???Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches???.

Command Syntax Statements

Syntax: aaa port-access authenticator < port-list >

[ control < authorized | auto | unauthorized >]

???Vertical bars ( | ) separate alternative, mutually exclusive elements.

???Square brackets ( [ ] ) indicate optional elements.

???Braces ( < > ) enclose required elements.

???Braces within square brackets ( [ < > ] ) indicate a required element within an optional choice.

???Boldface indicates use of a CLI command, part of a CLI command syntax, or other displayed element in general text. For example:

???Use the copy tftp command to download the key from a TFTP server.???

???Italics indicate variables for which you must supply a value when executing the command. For example, in this command syntax, < port- list > indicates that you must provide one or more port numbers:

Syntax: aaa port-access authenticator < port-list >

1-5

Getting Started

Conventions

Command Prompts

In the default configuration, your switch displays one of the following CLI prompts:

ProCurve Switch 4104#

ProCurve Switch 4108#

ProCurve Switch 2626#

ProCurve Switch 2650#

ProCurve Switch 6108#

To simplify recognition, this guide uses ProCurve to represent command prompts for all models. For example:

ProCurve#

(You can use the hostname command to change the text in the CLI prompt.)

Screen Simulations

Figures containing simulated screen text and command output look like this:

Figure 1-1. Example of a Figure Showing a Simulated Screen

In some cases, brief command-output sequences appear outside of a numbered figure. For example:

ProCurve(config)# ip default-gateway 18.28.152.1/24

ProCurve(config)# vlan 1 ip address 18.28.36.152/24

ProCurve(config)# vlan 1 ip igmp

Port Identity Examples

This guide describes software applicable to both chassis-based and stackable ProCurve switches. Where port identities are needed in an example, this guide uses the chassis-based port identity system, such as ???A1???, ???B3 - B5???, ???C7???, etc. However, unless otherwise noted, such examples apply equally to the stackable switches, which for port identities typically use only numbers, such as ???1???, ???3-5???, ???15???, etc.

1-6

1-7

Getting Started

Need Only a Quick Start?

Figure 1-3. Getting Help in the CLI

???For information on specific features in the Web browser interface, use the online help. For more information, refer to the Management and Configuration Guide for your switch.

???For further information on ProCurve Networking switch technology, visit the ProCurve website at:

http://www.procurve.com

Need Only a Quick Start?

IP Addressing

If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using multiple VLANs, ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following:

???Enter setup at the CLI Manager level prompt.

ProCurve# setup

???In the Main Menu of the Menu interface, select

8.Run Setup

For more on using the Switch Setup screen, see the Installation and Getting Started Guide you received with the switch.

1-8

Getting Started

Need Only a Quick Start?

To Set Up and Install the Switch in Your Network

1-9

Getting Started

Need Only a Quick Start?

??? This page is intentionally unused. ???

1-10

2

Configuring Username and Password Security

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Web: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15

Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17

2-1

Configuring Username and Password Security

Overview

Overview

The following features apply only to the Series 2600, 2600-PWR, and 2800 Switches.

Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels.

*Allows use of the ping, link-test, show, menu, exit, and logout commands, plus the enable command if you can provide the Manager password.

2-2

2-3

Configuring Username and Password Security

Configuring Local Password Security

Configuring Local Password Security

Menu: Setting Passwords

As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the web browser interface.

1.From the Main Menu select:

3. Console Passwords

Figure 2-1. The Set Password Screen

2.To set a new password:

a.Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password.

b.Type a password of up to 16 ASCII characters with no spaces and press [Enter]. (Remember that passwords are case-sensitive.)

c.When prompted with Enter new password again, retype the new pass- word and press [Enter].

After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt you for the username, and then the password.)

To Delete Password Protection (Including Recovery from a Lost

Password): This procedure deletes all usernames (if configured) and pass- words (Manager and Operator).

2-4

Configuring Username and Password Security

Configuring Local Password Security

If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.

If you do not have physical access to the switch, you will need Manager-Level access:

1.Enter the console at the Manager level.

2.Go to the Set Passwords screen as described above.

3.Select Delete Password Protection. You will then see the following prompt:

Continue Deletion of password protection? No

4.Press the Space bar to select Yes, then press [Enter].

5.Press [Enter] to clear the Password Protection message.

To Recover from a Lost Manager Password: If you cannot start a con- sole session at the Manager level because of a lost Manager password, you can clear the password by getting physical access to the switch and pressing and holding the Clear button for a minimum of one second. This action deletes all passwords and usernames (Manager and Operator) used by both the console and the web browser interface.

CLI: Setting Passwords and Usernames

Commands Used in This Section

Configuring Manager and Operator Passwords.

Syntax: [ no ] password <manager | operator > [ user-name ASCII-STR ] [ no ] password < all >

??? Password entries appear as asterisks.

??? You must type the password entry twice.

Figure 2-2. Example of Configuring Manager and Operator Passwords

2-5

Configuring Username and Password Security

Configuring Local Password Security

To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:

Press [Y] (for yes) and press [Enter].

Figure 2-3. Removing a Password and Associated Username from the Switch

The effect of executing the command in figure 2-3 is to remove password protection from the Operator level. (This means that anyone who can access the switch console can gain Operator access without having to enter a user- name or password.)

Web: Setting Passwords and Usernames

In the web browser interface you can enter passwords and (optional) user- names.

To Configure (or Remove) Usernames and Passwords in the Web

Browser Interface.

1. Click on the Security tab.

Click on [Device Passwords].

2.Do one of the following:

???To set username and password protection, enter the usernames and passwords you want in the appropriate fields.

???To remove username and password protection, leave the fields blank.

3.Implement the usernames and passwords by clicking on [Apply Changes].

To access the web-based help provided for the switch, click on [?] in the web browser screen.

2-6

Configuring Username and Password Security

Front-Panel Security

Front-Panel Security

The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together). The ability to disable Password Recovery is also provided for situations which require a higher level of switch security.

The front-panel Security features are designed to prevent malicious users from:

???Resetting the password(s) by pressing the Clear button

???Restoring the factory default configuration by using the Reset+Clear button combination.

???Gaining management access to the switch by having physical access to the switch itself

When Security Is Important

Some customers require a high level of security for information. Also, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure.

It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key. For some customers this is no longer true. Others simply want the added assurance that even if someone did manage to get to the switch that data would still remain secure.

If you do not invoke front-panel security on the switch, user-defined pass- words can be deleted by pushing the Clear button on the front panel. This function exists so that if customers forget the defined passwords they can still get back into the switch and reset the passwords. This does, however, leave the switch vulnerable when it is located in an area where non-authorized people have access to it. Passwords could easily be cleared by pressing the Clear button. Someone who has physical access to the switch may be able to erase the passwords (and possibly configure new passwords) and take control of the switch.

2-7

Configuring Username and Password Security

Front-Panel Security

As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch.

Front-Panel Button Functions

The front panel of the switch includes the Reset button and the Clear button.

Reset ButtonClear Button

Figure 2-4. Example Front-Panel Button Locations

Clear Button

Pressing the Clear button alone for one second resets the password(s) con- figured on the switch.

Figure 2-5. Press the Clear Button for One Second To Reset the Password(s)

2-8

Configuring Username and Password Security

Front-Panel Security

Reset Button

Pressing the Reset button alone for one second causes the switch to reboot.

Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch

Restoring the Factory Default Configuration

You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch. To do this:

1.Press and hold the Reset button.

2.While holding the Reset button, press and hold the Clear button.

2-9

Configuring Username and Password Security

Front-Panel Security

3.Release the Reset button and wait for about one second for the Self-Test LED to start flashing.

Self

Test

4. When the Self-Test LED begins flashing, release the Clear button

.

Self

Test

This process restores the switch configuration to the factory default settings.

Configuring Front-Panel Security

Using the front-panel-security command from the global configuration context in the CLI you can:

???Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch. (This action affects the Clear button when used alone, but does not affect the operation of the Reset+Clear combination described under ???Restor- ing the Factory Default Configuration??? on page 2-9.)

???Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for verifying that any usernames and passwords in the switch have been cleared.

2-10

Configuring Username and Password Security

Front-Panel Security

???Modify the operation of the Reset+Clear combination (page 2-9) so that the switch still reboots, but does not restore the switch???s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.)

???Disable or re-enable Password Recovery.

Syntax: show front-panel-security

Displays the current front-panel-security settings:

Clear Password: Shows the status of the Clear button on the front panel of the switch. Enabled means that pressing the Clear button erases the local usernames and passwords configured on the switch (and thus removes local password protection from the switch). Disabled means that pressing the Clear button does not remove the local usernames and passwords configured on the switch. (Default: Enabled.)

Reset-on-clear: Shows the status of the reset-on-clear option (Enabled or Disabled). When reset-on-clear is disabled and Clear Password is enabled, then pressing the Clear button erases the local usernames and passwords from the switch. When reset-on-clear is enabled, pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch. (Enabling reset-on-clear automatically enables clear-password.) (Default: Disabled.)

Factory Reset: Shows the status of the Reset button on the front panel of the switch. Enabled means that pressing the Reset button reboots the switch and also enables the Reset button to be used with the Clear button (page 2-9) to reset the switch to its factory-default configuration. (Default: Enabled.)

Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to ???Password Recovery Process??? on page 2-17.) (Default:

Enabled.)

CAUTION: Disabling this option removes the ability to recover a password on the switch. Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security. If you disable password-recovery and then lose the password, you will have to use the Reset and Clear buttons (page 2-9) to reset the switch to its factory-default configuration and create a new password.

2-11

Configuring Username and Password Security

Front-Panel Security

For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings.

Figure 2-7. The Default Front-Panel Security Settings

Disabling the Clear Password Function of the Clear Button on the Switch???s Front Panel

Syntax: no front-panel-security password-clear

In the factory-default configuration, pressing the Clear button on the switch???s front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords. (Default: Enabled.)

Note: Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration, as described under ???Restoring the Factory Default Configuration??? on page 2-9 .

This command displays a Caution message in the CLI. If you want to proceed with disabling the Clear button, type [Y]; otherwise type [N]. For example:

Indicates the command has disabled the Clear button on the switch???s front panel. In this case the Show command does not include the reset- on-clear status because it is inoperable while the Clear Password functionality is disabled, and must be reconfigured whenever Clear Password is re-enabled .

Figure 2-8. Example of Disabling the Clear Button and Displaying the New Configuration

2-12

Configuring Username and Password Security

Front-Panel Security

Re-Enabling the Clear Button on the Switch???s Front Panel and Setting or Changing the ???Reset-On-Clear??? Operation

Syntax: [no] front-panel-security password-clear reset-on-clear

This command does both of the following:

???Re-enables the password-clearing function of the Clear button on the switch???s front panel.

???Specifies whether the switch reboots if the Clear button is pressed.

To re-enable password-clear, you must also specify whether to enable or disable the reset-on-clear option.

Defaults:

???password-clear: Enabled.

???reset-on-clear: Disabled. Thus:

???To enable password-clear with reset-on-clear disabled, use this syntax:

no front-panel-security password-clear reset-on-clear

???To enable password-clear with reset-on-clear also enabled, use this syntax:

front-panel-security password-clear reset-on-clear

(Either form of the command enables password-clear.)

Note: If you disable password-clear and also disable the password-recovery option, you can still recover from a lost password by using the Reset+Clear button combination at reboot as described on page 2-9. Although the Clear button does not erase passwords when disabled, you can still use it with the Reset button (Reset+Clear) to restore the switch to its factory default configuration. You can then get access to the switch to set a new password.

For example, suppose that password-clear is disabled and you want to restore it to its default configuration (enabled, with reset-on-clear disabled).

2-13

Configuring Username and Password Security

Front-Panel Security

Shows password-clear disabled.

Enables password-clear, with reset-on- clear disabled by the ???no??? statement at the beginning of the command.

Shows password-clear enabled, with reset-on-clear disabled.

Figure 2-9. Example of Re-Enabling the Clear Button???s Default Operation

Changing the Operation of the Reset+Clear Combination

In their default configuration, using the Reset+Clear buttons in the combina- tion described under ???Restoring the Factory Default Configuration??? on page 2-9 replaces the switch???s current startup-config file with the factory-default startup-config file, then reboots the switch, and removes local password protection. This means that anyone who has physical access to the switch could use this button combination to replace the switch???s current configu- ration with the factory-default configuration, and render the switch acces- sible without the need to input a username or password. You can use the factory-reset command to prevent the Reset+Clear combination from being used for this purpose.

Syntax: [no] front-panel-security factory-reset

Disables or re-enables the following functions associated with using the Reset+Clear buttons in the combination described under ???Restoring the Factory Default Configuration??? on page 2-9:

???Replacing the current startup-config file with the factory- default startup-config file

???Clearing any local usernames and passwords configured on the switch

(Default: Both functions enabled.)

Notes: The Reset+Clear button combination always reboots the switch, regardless of whether the ???no??? form of the command has been used to disable the above two functions. Also, if you disable factory-reset, you cannot disable the password-recovery option, and the reverse.

2-14

Configuring Username and Password Security

Front-Panel Security

The command to disable the factory-reset operation produces this caution.

To complete the command, press [Y]. To abort the command, press [N].

Completes the command to disable the factory reset option.

Displays the current front- panel-security configuration, with Factory Reset disabled.

Figure 2-10. Example of Disabling the Factory Reset Option

Password Recovery

The password recovery feature is enabled by default and provides a method for regaining management access to the switch (without resetting the switch to its factory default configuration) in the event that the system administrator loses the local manager username (if configured) or password. Using Pass- word Recovery requires:

???password-recovery enabled (the default) on the switch prior to an attempt to recover from a lost username/password situation

???Contacting your ProCurve Customer Care Center to acquire a one-time- use password

2-15

Configuring Username and Password Security

Front-Panel Security

Syntax: [no] front-panel-security password-recovery

Enables or (using the ???no??? form of the command) disables the ability to recover a lost password.

When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password. When this feature is disabled, the password recovery process is disabled and the only way to regain management access to the switch is to use the Reset+Clear button combination (page 2-9) to restore the switch to its factory default configuration.

Note: To disable password-recovery:

???You must have physical access to the front panel of the switch.

???The factory-reset parameter must be enabled (the default).

(Default: Enabled.)

Steps for Disabling Password-Recovery.

1.Set the CLI to the global interface context.

2.Use show front-panel-security to determine whether the factory-reset parameter is enabled. If it is disabled, use the front-panel-security factory- reset command to enable it.

3.Press and release the Clear button on the front panel of the switch.

4.Within 60-seconds of pressing the Clear button, enter the following com- mand:

no front-panel-security password-recovery

5.Do one of the following after the ???CAUTION??? message appears:

???If you want to complete the command, press [Y] (for ???Yes???).

???If you want to abort the command, press [N] (for ???No???)

Figure 2-11 shows an example of disabling the password-recovery parameter.

2-16

Configuring Username and Password Security

Front-Panel Security

Figure 2-11. Example of the Steps for Disabling Password-Recovery

2-17

Configuring Username and Password Security

Front-Panel Security

??? This page is intentionally unused. ???

2-18

3

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

General Setup Procedure for Web/MAC Authentication . . . . . . . . . . . . . . 3-12 Do These Steps Before You Configure Web/MAC Authentication . . 3-12

Additional Information for Configuring the RADIUS Server

To Support MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Configuring the Switch To Access a RADIUS Server . . . . . . . . . . . . . . . . 3-15

Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Configure the Switch for Web-Based Authentication . . . . . . . . . . . . . 3-18

Configuring MAC Authentication on the Switch . . . . . . . . . . . . . . . . . . . . 3-22 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22 Configure the Switch for MAC-Based Authentication . . . . . . . . . . . . 3-23

Show Status and Configuration of Web-Based Authentication . . . . . . . . 3-26

Show Status and Configuration of MAC-Based Authentication . . . . . . . . 3-27

Show Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

3-1

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Overview

Overview

Applicable Switch Models. Web and MAC Authentication are available on these current ProCurve switch models:

???ProCurve Series 2600 and 2600-PWR Switches

???ProCurve Series 2800 Switches

Web and MAC Authentication are designed for employment on the ???edge??? of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introduc- ing supplicant software is not an attractive option. Both methods rely on using a RADIUS server for authentication. This simplifies access security manage- ment by allowing you to control access from a master database in a single server. (You can use up to three RADIUS servers to provide backups in case access to the primary server fails.) It also means the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN.

Web Authentication (Web-Auth). This method uses a web page login to authenticate users for access to the network. When a user connects to the switch and opens a web browser the switch automatically presents a login page. The user then enters a username and password, which the switch forwards to a RADIUS server for authentication. After authentication, the switch grants access to the secured network. Other than a web browser, the client needs no special supplicant software.

3-2

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Overview

Client Options

Web-Auth and MAC-Auth provide a port-based solution in which a port can belong to one, untagged VLAN at a time. However, where all clients can operate in the same VLAN, the switch allows up to 32 simultaneous clients per port. (In applications where you want the switch to simultaneously support multiple client sessions in different VLANs, design your system so that such clients will use different switch ports.)

In the default configuration, the switch blocks access to clients that the RADIUS server does not authenticate. However, you can configure an individ- ual port to provide limited services to unauthorized clients by joining a specified ???unauthorized??? VLAN during sessions with such clients. The unau- thorized VLAN assignment can be the same for all ports, or different, depend- ing on the services and access you plan to allow for unauthenticated clients.

Access to an optional, unauthorized VID is configured in the switch when Web and MAC Authentication are configured on a port.

3-3

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Overview

General Features

Web and MAC Authentication on the ProCurve Series 2600, 2600-PWR, and 2800 switches include the following:

???On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authentication occurs. Some traffic from the switch is available to an unauthorized client (for example, broadcast or unknown desti- nation packets) before authentication occurs.

???Proxy servers may not be used by browsers accessing the switch through ports using Web Authentication.

???You can optionally configure the switch to temporarily assign ???autho- rized??? and ???unauthorized??? VLAN memberships on a per-port basis to provide different services and access to authenticated and unauthen- ticated clients.

???Web pages for username and password entry and the display of authorization status are provided when using Web Authentication.

???You can use the RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client. When a RADIUS server authenticates a client, the switch-port membership during the client???s connection is determined according to the following hierarchy:

1.A RADIUS-assigned VLAN

2.An authorized VLAN specified in the Web- or MAC-Auth configuration for the subject port.

3.A static, port-based, untagged VLAN to which the port is configured. A RADIUS-assigned VLAN has priority over switch-port membership in any VLAN.

???You can allow wireless clients to move between switch ports under Web/MAC Authentication control. Clients may move from one Web authorized port to another or from one MAC authorized port to another. This capability allows wireless clients to move from one access point to another without having to reauthenticate.

???Unlike 802.1X operation, clients do not need supplicant software for Web or MAC Authentication; only a web browser (for Web Authenti- cation) or a MAC address (for MAC Authentication).

???You can use ???Show??? commands to display session status and port- access configuration settings.

3-4

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

How Web and MAC Authentication Operate

How Web and MAC Authentication

Operate

Authenticator Operation

Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator. Clients who fail to authenticate successfully receive no network access or limited network access as defined by the System Administrator.

Web-based Authentication

When a client connects to a Web-Auth enabled port communication is redi- rected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials.

Figure 3-1. Example of User Login Screen

The temporary IP address pool can be specified using the dhcp-addr and dhcp-lease options of the aaa port-access web-based command. If SSL is enabled on the switch and ssl-login is enabled on the port the client is redirected to a secure login page (https://...).

The switch passes the supplied username and password to the RADIUS server for authentication.

3-5

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

How Web and MAC Authentication Operate

Figure 3-2. Progress Message During Authentication

If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. If specified, the client is redirected to a specific URL (redirect-url).

Figure 3-3. Authentication Completed

The assigned VLAN is determined, in order of priority, as follows:

1.If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.

2.If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships.

3.If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.

4.If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.

The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthenti- cation of all clients. Also, if a client moves from one port to another and client

3-6

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

How Web and MAC Authentication Operate

moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port???s VLAN memberships made while it is an authorized port take affect at the end of the session.

A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max-requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails. The switch waits a specified amount of time (quiet- period) before processing any new authentication requests from the client.

Network administrators may assign unauthenticated clients to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients the port is blocked and no network access is available. Should another client success- fully authenticate through that port any unauthenticated clients on the unauth- vid are dropped from the port.

MAC-based Authentication

When a client connects to a MAC-Auth enabled port traffic is blocked. The switch immediately submits the client???s MAC address (in the format specified by the addr-format) as its certification credentials to the RADIUS server for authentication.

If the client is authenticated and the maximum number of MAC addresses allowed on the port (addr-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.

The assigned VLAN is determined, in order of priority, as follows:

1.If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.

2.If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships.

3.If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.

3-7

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

How Web and MAC Authentication Operate

4.If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.

The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthenti- cation of all clients. Also, if a client moves from one port to another and client moves have not been enabled (addr-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port???s VLAN memberships made while it is an authenticated port take affect at the end of the session.

A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max- requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails. The switch waits a specified amount of time (quiet-period) before processing any new authenti- cation requests from the client.

Network administrators may assign unauthenticated clients to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients the port remains in its original VLAN configuration. Should another client successfully authenticate through that port any unauthenticated clients are dropped from the port.

3-8

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Terminology

Terminology

Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.

Authentication Server: The entity providing an authentication service to the switch, for example, a RADIUS server.

Authenticator: In ProCurve switch applications, a device that requires a client or device to provide the proper credentials (MAC address, or username and password) before being allowed access to the network.

CHAP: Challenge Handshake Authentication Protocol. Also known as ???CHAP-RADIUS???.

Client: In this application, an end-node device such as a management station, workstation, or mobile PC linked to the switch through a point-to-point LAN link.

Redirect URL: A System Administrator-specified web page presented to an authorized client following Web Authentication. ProCurve recommends specifying this URL when configuring Web Authentication on a switch. Refer to aaa port-access web-based [e] < port-list > [redirect-url < url >] on page 3-21.

Static VLAN: A VLAN that has been configured as ???permanent??? on the switch by using the CLI vlan < vid > command or the Menu interface.

Unauthorized-Client VLAN: A conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. It is used to provide limited network access and services to clients who are not authenticated.

3-9

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Operating Rules and Notes

Operating Rules and Notes

??? You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port:

for Web or MAC Authentication. If Port Security is enabled on the port this misconfiguration does not allow Web or MAC Authentication to occur.

??? VLANs: If your LAN does not use multiple VLANs, then you do not need to configure VLAN assignments in your RADIUS server or consider using either Authorized or Unauthorized VLANs. If your LAN does use multiple VLANs, then some of the following factors may apply to your use of Web-Auth and MAC-Auth.

??? Web-Auth and MAC-Auth operate only with port-based VLANs. Oper- ation with protocol VLANs is not supported, and clients do not have access to protocol VLANs during Web-Auth and MAC-Auth sessions.

??? A port can belong to one, untagged VLAN during any client session. Where multiple authenticated clients may simultaneously use the same port, they must all be capable of operating on the same VLAN.

??? During an authenticated client session, the following hierarchy deter- mines a port???s VLAN membership:

1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.

3-10

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Operating Rules and Notes

2.If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.

3.If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.

4.If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.

???After an authorized client session begins on a given port, the port???s VLAN membership does not change. If other clients on the same port become authenticated with a different VLAN assignment than the first client, the port blocks access to these other clients until the first client session ends.

???The optional ???authorized??? VLAN (auth-vid) and ???unauthorized??? VLAN (unauth-vid) you can configure for Web- or MAC-based authentication must be statically configured VLANs on the switch. Also, if you configure one or both of these options, any services you want clients in either category to access must be available on those VLANs.

???Where a given port???s configuration includes an unauthorized client VLAN assignment, the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port. In this case, if there is a successful request for authentication from an authorized client, the switch terminates the unauthorized-client session and begins the authorized-client session.

???When a port on the switch is configured for Web or MAC Authentica- tion and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection.

???When a port on the switch is configured as a Web- or MAC-based authenticator, it blocks access to a client that does not provide the proper authentication credentials. If the port configuration includes an optional, unauthorized VLAN (unauth-vid), the port is temporarily placed in the unauthorized VLAN if there are no other authorized clients currently using the port with a different VLAN assignment. If an authorized client is using the port with a different VLAN or if there is no unauthorized VLAN configured, the unauthorized client does not receive access to the network.

???Web- or MAC-based authentication and LACP cannot both be enabled on the same port.

3-11

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

General Setup Procedure for Web/MAC Authentication

Do These Steps Before You Configure Web/MAC

Authentication

1.Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, ProCurve recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)

2.Determine which ports on the switch you want to operate as authentica- tors. Note that before you configure Web- or MAC-based authentication on a port operating in an LACP trunk, you must remove the port from the trunk. (refer to the ???Note on Web/MAC Authentication and LACP??? on page 3-12.)

3.Determine whether any VLAN assignments are needed for authenticated clients.

3-12

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

General Setup Procedure for Web/MAC Authentication

a.If you configure the RADIUS server to assign a VLAN for an authen- ticated client, this assignment overrides any VLAN assignments con- figured on the switch while the authenticated client session remains active. Note that the VLAN must be statically configured on the switch.

b.If there is no RADIUS-assigned VLAN, the port can join an ???Authorized VLAN??? for the duration of the client session, if you choose to configure one. This must be a port-based, statically configured VLAN on the switch.

c.If there is neither a RADIUS-assigned VLAN or an ???Authorized VLAN??? for an authenticated client session on a port, then the port???s VLAN membership remains unchanged during authenticated client ses- sions. In this case, configure the port for the VLAN in which you want it to operate during client sessions.

Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN???s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either ???100??? or ???vlan100??? to specify the VLAN.

4.Determine whether to use the optional ???Unauthorized VLAN??? mode for clients that the RADIUS server does not authenticate. This VLAN must be statically configured on the switch. If you do not configure an ???Unauthor- ized VLAN???, the switch simply blocks access to unauthenticated clients trying to use the port.

5.Determine the authentication policy you want on the RADIUS server and configure the server. Refer to the documentation provided with your RADIUS application and include the following in the policy for each client or client device:

???The CHAP-RADIUS authentication method.

???An encryption key

???One of the following:

???If you are configuring Web-based authentication, include the user name and password for each authorized client.

???If you are configuring MAC-based authentication, enter the device MAC address in both the username and password fields of the RADIUS policy configuration for that device. Also, if you want to allow a particular device to receive authentication only through a designated port and switch, include this in your policy.

6.Determine the IP address of the RADIUS server(s) you will use to support Web- or MAC-based authentication. (For information on configuring the switch to access RADIUS servers, refer to ???Configuring the Switch To Access a RADIUS Server??? on page 3-15.)

3-13

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

General Setup Procedure for Web/MAC Authentication

Additional Information for Configuring the RADIUS

Server To Support MAC Authentication

On the RADIUS server, configure the client device authentication in the same way that you would any other client, except:

???Configure the client device???s (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access. The switch provides four format options:

aabbccddeeff (the default format)

aabbcc-ddeeff

aa-bb-cc-dd-ee-ff

aa:bb:cc:dd:ee:ff

Note on MAC Letters in MAC addresses must be in lowercase.

Addresses

???If the device is a switch or other VLAN-capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch. Note that each switch covered by this guide applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (Refer to the chapter titled ???Static Virtual LANs (VLANs)??? in the Advanced Traffic Management Guide for your switch.)

3-14

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring the Switch To Access a RADIUS Server

Configuring the Switch To Access a

RADIUS Server

This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC Auth. For information on other RADIUS command options, refer to chapter 5, ???RADIUS Authentication and Account- ing??? .

Syntax: [no] radius-server

[host < ip-address >]

Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config- ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to ???RADIUS Authentication and Accounting??? on page 5-1.)

[key < global-key-string >]

Specifies the global encryption key the switch uses with servers for which the switch does not have a server- specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. (Default: Null.)

Syntax: radius-server host < ip-address > key <server-specific key-string> [no] radius-server host < ip-address > key

3-15

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring the Switch To Access a RADIUS Server

Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the speci- fied server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key, above.

The no form of the command removes the key configured for a specific server.

For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of ???2Pzo22???

ProCurve(config)# radius-server host 192.168.32.11 key 2Pzo22

ProCurve(config)# show radius

Status and Counters - General RADIUS Information

ProCurve(config)#

Figure 3-4. Example of Configuring a Switch To Access a RADIUS Server

3-16

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring Web Authentication

Configuring Web Authentication

This feature is available only on the Series 2600, 2600-PWR, and 2800 switches.

Overview

3-17

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring Web Authentication

Configure the Switch for Web-Based Authentication

Syntax: aaa port-access web-based dhcp-addr <ip-address/mask>

Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid ip address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.255.0>.

(Default: 192.168.0.0/255.255.255.0)

Syntax: aaa port-access web-based dhcp-lease <5 - 25>

Specifies the lease length, in seconds, of the temporary IP address issued for Web Auth login purposes. (Default: 10 seconds)

3-18

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring Web Authentication

Syntax: [no] aaa port-access web-based [e] < port-list>

Enables web-based authentication on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports.

Syntax: aaa port-access web-based [e] < port-list> [auth-vid <vid>]] no aaa port-access web-based [e] < port-list> [auth-vid]

Specifies the VLAN to use for an authorized client. The Radius server can override the value (accept-response includes a vid). If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one.

Use the no form of the command to set the auth-vid to 0. (Default: 0).

Syntax: aaa port-access web-based [e] < port-list > [client-limit <1-32>]

Specifies the maximum number of authenticated clients to allow on the port. (Default: 1)

Syntax: [no] aaa port-access web-based [e] < port-list > [client-moves]

Allows client moves between the specified ports under Web Auth control. When enabled, the switch allows clients to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one does occur, the user will be forced to re- authenticate. At least two ports (from port(s) and to port(s)) must be specified.

Use the no form of the command to disable client moves between ports under Web Auth control.

(Default: disabled ??? no moves allowed)

3-19

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring Web Authentication

Syntax: aaa port-access web-based [e] < port-list > [logoff-period] <60-9999999>]

Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre- authentication state. (Default: 300 seconds)

Syntax: aaa port-access web-based [e] < port-list > [max-requests <1-10>]

Specifies the number of authentication attempts that must time-out before authentication fails.

(Default: 2)

Syntax: aaa port-access web-based [e] < port-list > [max-retries <1-10>]

Specifies the number of the number of times a client can enter their user name and password before authen- tication fails. This allows the reentry of the user name and password if necessary.

(Default: 3)

Syntax: aaa port-access web-based [e] < port-list > [quiet-period <1 - 65535>]

Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a client that failed authentication.

(Default: 60 seconds)

Syntax: aaa port-access web-based [e] < port-list > [reauth-period <0 - 9999999>]

Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds)

Syntax: aaa port-access web-based [e] < port-list > [reauthenticate]

Forces a reauthentication of all attached clients on the port.

3-20

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring Web Authentication

Syntax: aaa port-access web-based [e] < port-list > [redirect-url <url>] no aaa port-access web-based [e] < port-list > [redirect-url]

Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. ProCurve recommends that you provide a redirect URL when using Web Authentica- tion.

Use the no form of the command to remove a specified redirect URL.

(Default: There is no default URL. Browser behavior for authenticated clients may not be acceptable.)

Syntax: aaa port-access web-based [e] < port-list > [server-timeout <1 - 300>]

Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depend- ing on the current max-requests value, the switch sends a new attempt or ends the authentication session.

(Default: 30 seconds)

Syntax: [no] aaa port-access web-based [e] < port-list > [ssl-login]]

Enables or disables SSL login (https on port 443). SSL must be enabled on the switch.

If SSL login is enabled, a user is redirected to a secure page, where they enter their username and password. If SSL login is disabled, a user is not redirected to a secure page to enter their credentials.

Use the no form of the command to disable SSL login. (Default: disabled)

Syntax: aaa port-access web-based [e] < port-list > [unauth-vid <vid>] no aaa port-access web-based [e] < port-list > [unauth-vid]

Specifies the VLAN to use for a client that fails authen- tication. If unauth-vid is 0, no VLAN changes occur.

Use the no form of the command to set the unauth-vid to 0. (Default: 0)

3-21

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring MAC Authentication on the Switch

Configuring MAC Authentication on the

Switch

This feature is available only on the Series 2600, 2600-PWR, and 2800

Switches.

Overview

1.If you have not already done so, configure a local username and password pair on the switch.

2.If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.

3.Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC-Auth on the switch.

4.Configure the switch with the correct IP address and encryption key to access the RADIUS server.

5.Configure the switch for MAC-Auth:

a. Configure MAC Authentication on the switch ports you want to use.

6.Test both the authorized and unauthorized access to your system to ensure that MAC Authentication works properly on the ports you have configured for port-access.

3-22

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring MAC Authentication on the Switch

Configure the Switch for MAC-Based Authentication

Syntax: aaa port-access mac-based addr-format <no-delimiter|single-dash|multi-dash|multi-colon>

Specifies the MAC address format to be used in the RADIUS request message. This format must match the format used to store the MAC addresses in the RADIUS server. (Default: no-delimiter)

no-delimiter ??? specifies an aabbccddeeff format.

single-dash ??? specifies an aabbcc-ddeeff format.

multi-dash ??? specifies an aa-bb-cc-dd-ee-ff format.

multi-colon ??? specifies an aa:bb:cc:dd:ee:ff format.

Syntax: [no] aaa port-access mac-based [e] < port-list >

Enables MAC-based authentication on the specified ports. Use the no form of the command to disable MAC- based authentication on the specified ports.

3-23

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring MAC Authentication on the Switch

Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>]

Specifies the maximum number of authenticated

MACs to allow on the port. (Default: 1)

Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves]

Syntax: aaa port-access mac-based [e] < port-list > [max-requests <1-10>]

Specifies the number of authentication attempts that must time-out before authentication fails.

(Default: 2)

3-24

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Configuring MAC Authentication on the Switch

Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>]

Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication.

(Default: 60 seconds)

Syntax: aaa port-access mac-based [e] < port-list > [reauth-period <0 - 9999999>]

Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds)

Syntax: aaa port-access mac-based [e] < port-list > [reauthenticate]

Forces a reauthentication of all attached clients on the port.

Syntax: aaa port-access mac-based [e] < port-list > [server-timeout <1 - 300>]

Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depend- ing on the current max-requests value, the switch sends a new attempt or ends the authentication session.

(Default: 30seconds)

Syntax: aaa port-access mac-based [e] < port-list > [unauth-vid <vid>] no aaa port-access mac-based [e] < port-list > [unauth-vid]

Specifies the VLAN to use for a client that fails authen- tication. If unauth-vid is 0, no VLAN changes occur.

Use the no form of the command to set the unauth-vid to 0. (Default: 0)

3-25

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Show Status and Configuration of Web-Based Authentication

Show Status and Configuration of

Web-Based Authentication

Syntax: show port-access [port-list] web-based

Shows the status of all Web-Authentication enabled ports or the specified ports. The number of authorized and unauthorized clients is listed for each port, as well as its current VLAN ID. Ports without Web Authenti- cation enabled are not listed.

Syntax: show port-access [port-list] web-based [clients]]

Shows the port address, Web address, session status, and elapsed session time for attached clients on all ports or the specified ports. Ports with multiple clients have an entry for each attached client. Ports without any attached clients are not listed.

Syntax: show port-access [port-list] web-based [config]

Shows Web Authentication settings for all ports or the specified ports, including the temporary DHCP base address and mask. The authorized and unauthorized VLAN IDs are shown. If the authorized or unauthor- ized VLAN ID is 0 then no VLAN change is made, unless the RADIUS server supplies one.

3-26

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Show Status and Configuration of MAC-Based Authentication

Syntax: show port-access [port-list] web-based [config [auth-server]]

Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.

Syntax: show port-access [port-list] web-based [config [web-server]]

Shows Web Authentication settings for all ports or the specified ports, along with the web specific settings for password retries, SSL login status, and a redirect URL, if specified.

Syntax: show port-access port-list web-based config detail

Shows all Web Authentication settings, including the

Radius server specific settings for the specified ports.

Show Status and Configuration of

MAC-Based Authentication

Syntax: show port-access [port-list] mac-based

Shows the status of all MAC-Authentication enabled ports or the specified ports. The number of authorized and unauthorized clients is listed for each port, as well as its current VLAN ID. Ports without MAC Authenti- cation enabled are not listed.

3-27

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Show Status and Configuration of MAC-Based Authentication

Syntax: show port-access [port-list] mac-based [clients]]

Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports. Ports with multiple clients have an entry for each attached client. Ports without any attached clients are not listed.

Syntax: show port-access [port-list] mac-based [config]

Shows MAC Authentication settings for all ports or the specified ports, including the MAC address format being used. The authorized and unauthorized VLAN IDs are shown. If the authorized or unauthorized VLAN ID is 0 then no VLAN change is made, unless the RADIUS server supplies one.

Syntax: show port-access [port-list] mac-based [config [auth-server]]

Shows MAC Authentication settings for all ports or the specified ports, along with the Radius server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.

Syntax: show port-access port-list mac-based config detail

Shows all MAC Authentication settings, including the

Radius server specific settings for the specified ports.

3-28

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Show Client Status

Show Client Status

The table below shows the possible client status information that may be reported by a Web-based or MAC-based ???show... clients??? command.

3-29

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Show Client Status

??? This page is intentionally unused. ???

3-30

4

TACACS+ Authentication

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3

General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 CLI Commands Described in this Section . . . . . . . . . . . . . . . . . . . . . . . 4-9 Viewing the Switch???s Current Authentication Configuration . . . . . . . 4-9

Viewing the Switch???s Current TACACS+ Server

Contact Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

Configuring the Switch???s Authentication Methods . . . . . . . . . . . . . . . 4-11

Configuring the Switch???s TACACS+ Server Access . . . . . . . . . . . . . . 4-15

Controlling Web Browser Interface Access When Using TACACS+

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Messages Related to TACACS+ Operation . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25

4-1

TACACS+ Authentication

Configuring TACACS+ on the Switch

Overview

TACACS+ authentication enables you to use a central server to allow or deny access to the switch (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/ password sets with associated privilege levels for use by individuals who have reason to access the switch from either the switch???s console port (local access) or Telnet (remote access).

Figure 4-1. Example of TACACS+ Operation

TACACS+ in the switch manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentica-

4-2

4-3

TACACS+ Authentication

Configuring TACACS+ on the Switch

???Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager- level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser inter- face. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must distribute the password information on each switch to everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to ???Configuring Username and Password Security??? on page 2-1.)

???TACACS+ Authentication: This method enables you to use a TACACS+ server in your network to assign a unique password, user name, and privilege level to each individual or group who needs access to one or more switches or other TACACS-aware devices. This allows you to administer primary authentication from a central server, and to do so with more options than you have when using only local authentication. (You will still need to use local authentication as a backup if your TACACS+ servers become unavailable.) This means, for example, that you can use a central TACACS+ server to grant, change, or deny access to a specific individual on a specific switch instead of having to change local user name and password assignments on the switch itself, and then have to notify other users of the change.

4-4

4-5

TACACS+ Authentication

Configuring TACACS+ on the Switch

other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure.

3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the username/password sets for logging in at the Operator (read-only) privilege level and the sets for logging in at the Manager (read/ write) privilege level.

4-6

TACACS+ Authentication

Configuring TACACS+ on the Switch

4-7

TACACS+ Authentication

Configuring TACACS+ on the Switch

configuration in your TACACS+ server application for mis-configura- tions or missing data that could affect the server???s interoperation with the switch.

8.After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for mis-configurations or missing data that could affect the console access.

9.When you are confident that TACACS+ access through both Telnet and the switch???s console operates properly, use the write memory command to save the switch???s running-config file to flash memory.

Configuring TACACS+ on the Switch

Before You Begin

If you are new to TACACS+ authentication, ProCurve recommends that you read the ???General Authentication Setup Procedure??? on page 4-5 and configure your TACACS+ server(s) before configuring authentication on the switch.

The switch offers three command areas for TACACS+ operation:

???show authentication and show tacacs: Displays the switch???s TACACS+ configuration and status.

???aaa authentication: A command for configuring the switch???s authenti- cation methods

???tacacs-server: A command for configuring the switch???s contact with TACACS+ servers

4-8

TACACS+ Authentication

Configuring TACACS+ on the Switch

CLI Commands Described in this Section

Viewing the Switch???s Current Authentication

Configuration

This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.

Syntax: show authentication

This example shows the default authentication configuration.

Configuration for login and enable access to the switch through the switch console port.

Configuration for login and enable access to the switch through Telnet.

Figure 4-2. Example Listing of the Switch???s Authentication Configuration

4-9

TACACS+ Authentication

Configuring TACACS+ on the Switch

Viewing the Switch???s Current TACACS+ Server Contact

Configuration

This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact.

Syntax: show tacacs

For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the following:

First-Choice

TACACS+ Server

Second-Choice

TACACS+ Server

Third-Choice

TACACS+ Server

Figure 4-3. Example of the Switch???s TACACS+ Configuration Listing

4-10

TACACS+ Authentication

Configuring TACACS+ on the Switch

Configuring the Switch???s Authentication Methods

The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch???s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied). This command also reconfigures the number of access attempts to allow in a session if the first attempt uses an incorrect username/password pair.

Syntax: aaa authentication

< console | telnet >

Selects either console (serial port) or Telnet access for configuration.

< enable | login >

Selects either the Manager (enable) or Operator (login) access level.

< local | tacacs | radius >

Selects the type of security access:

local ??? Authenticates with the Manager and Operator password you configure in the switch.

tacacs ??? Authenticates with a password and other data configured on a TACACS+ server.

radius ??? Authenticates with a password and other data configured on a RADIUS server. (Refer to ???RADIUS Authentication and Accounting??? on page 5-1.)

[< local | none >]

If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access.

aaa authentication num-attempts < 1-10 >

Specifies the maximum number of login attempts allowed in the current session. Default: 3

4-11

TACACS+ Authentication

Configuring TACACS+ on the Switch

Table 4-1. AAA Authentication Parameters

As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch???s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.

4-12

TACACS+ Authentication

Configuring TACACS+ on the Switch

Table 4-2. Primary/Secondary Authentication Table

*When ???local??? is the primary option, you can also select ???local??? as the secondary option. However, in this case, a secondary ???local??? is meaningless because the switch has only one local level of username/password protection.

4-13

TACACS+ Authentication

Configuring TACACS+ on the Switch

For example, here is a set of access options and the corresponding commands to configure them:

Console Login (Operator or Read-Only) Access: Primary using TACACS+ server.

Secondary using Local.

ProCurve (config)# aaa authentication console login tacacs local

Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local.

ProCurve (config)# aaa authentication console enable tacacs local

Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.

Secondary using Local.

ProCurve (config)# aaa authentication Telnet login tacacs local

Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server.

Secondary using Local.

ProCurve (config)# aaa authentication telnet enable tacacs local

Deny Access and Close the Session After Failure of Two Consecutive Username/Password Pairs:

ProCurve (config)# aaa authentication num-attempts 2

4-14

TACACS+ Authentication

Configuring TACACS+ on the Switch

Configuring the Switch???s TACACS+ Server Access

The tacacs-server command configures these parameters:

??? The host IP address(es) for up to three TACACS+ servers; one first- choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.

??? An optional encryption key. This key helps to improve security, and must match the encryption key used in your TACACS+ server appli- cation. In some applications, the term ???secret key??? or ???secret??? may be used instead of ???encryption key???. If you need only one encryption key for the switch to use in all attempts to authenticate through a TACACS+ server, configure a global key. However, if the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryp- tion keys for different TACACS+ servers.

??? The timeout value in seconds for attempts to contact a TACACS+

4-15

TACACS+ Authentication

Configuring TACACS+ on the Switch

Syntax: tacacs-server host < ip-addr > [key < key-string >]

Adds a TACACS+ server and optionally assigns a server-specific encryption key.

[no] tacacs-server host < ip-addr >

Removes a TACACS+ server assignment (including its server- specific encryption key, if any).

tacacs-server key <key-string>

Enters the optional global encryption key.

[no] tacacs-server key

Removes the optional global encryption key. (Does not affect any server-specific encryption key assignments.)

tacacs-server timeout < 1-255 >

Changes the wait period for a TACACS server response. (Default: 5 seconds.)

4-16

TACACS+ Authentication

Configuring TACACS+ on the Switch

Table 4-3. Details on Configuring TACACS Servers and Keys

This command specifies the IP address of a device running a TACACS+ server application. Optionally, it can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see ???Using the Encryption Key??? on page 4-23 and the documentation provided with your TACACS+ server application.

You can enter up to three IP addresses; one first-choice and two (optional) backups (one second-choice and one third- choice).

Use show tacacs to view the current IP address list.

If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs list. If the second address also fails, then the switch tries the third address, if any.

(See figure 4-3, ???Example of the Switch???s TACACS+ Configuration Listing??? on 4-10.)

The priority (first-choice, second-choice, and third-choice) of a TACACS+ server in the switch???s TACACS+ configuration depends on the order in which you enter the server IP addresses:

1.When there are no TACACS+ servers configured, entering a server IP address makes that server the first-choice TACACS+ server.

2.When there is one TACACS+ serves already configured, entering another server IP address makes that server the second-choice (backup) TACACS+ server.

3.When there are two TACACS+ servers already configured, entering another server IP address makes that server the third-choice (backup) TACACS+ server.

???The above position assignments are fixed. Thus, if you remove one server and replace it with another, the new server assumes the priority position that the removed server had. For example, suppose you configured three servers, A, B, and C, configured in order:

First-Choice:A Second-Choice:B Third-Choice: C

???If you removed server B and then entered server X, the TACACS+ server order of priority would be:

First-Choice:A Second-Choice:X Third-Choice: C

???If there are two or more vacant slots in the TACACS+ server priority list and you enter a new IP address, the new address will take the vacant slot with the highest priority. Thus, if A, B, and C are configured as above and you (1) remove A and B, and (2) enter X and Y (in that order), then the new TACACS+ server priority list would be X, Y, and C.

???The easiest way to change the order of the TACACS+ servers in the priority list is to remove all server addresses in the list and then re-enter them in order, with the new first-choice server address first, and so on.

To add a new address to the list when there are already three addresses present, you must first remove one of the currently listed addresses.

See also ???General Authentication Process Using a TACACS+ Server??? on page 4-20.

4-17

TACACS+ Authentication

Configuring TACACS+ on the Switch

Specifies the optional, global ???encryption key??? that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any ???per-server??? encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a ???per-server??? key. (See the host <ip-addr> [key <key-string> entry at the beginning of this table.)

For more on the encryption key, see ???Using the Encryption Key??? on page 4-23 and the documentation provided with your TACACS+ server application.

Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if configured) or denies access (if none configured for local authentication).

Adding, Removing, or Changing the Priority of a TACACS+ Server.

Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as the first-choice server:

First-Choice TACACS+ Server

Figure 4-4. Example of the Switch with Two TACACS+ Server Addresses Configured

To move the ???first-choice??? status from the ???15??? server to the ???10??? server, use the no tacacs-server host <ip-addr> command to delete both servers, then use tacacs-server host <ip-addr> to re-enter the ???10??? server first, then the ???15??? server.

The servers would then be listed with the new ???first-choice??? server, that is:

4-18

TACACS+ Authentication

Configuring TACACS+ on the Switch

The ???10??? server is now the ???first-choice??? TACACS+ authentication device.

Figure 4-5. Example of the Switch After Assigning a Different ???First-Choice??? Server

To remove the 10.28.227.15 device as a TACACS+ server, you would use this command:

ProCurve(config)# no tacacs-server host 10.28.227.15

Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. (If the server expects a key, but the switch either does not provide one, or provides an incorrect key, then the authentication attempt will fail.) Use a global encryption key if the same key applies to all TACACS+ servers the switch may use for authentication attempts. Use a per-server encryption key if different servers the switch may use will have different keys. (For more details on encryption keys, see ???Using the Encryption Key??? on page 4-23.)

To configure north01 as a global encryption key:

ProCurve(config) tacacs-server key north01

To configure north01 as a per-server encryption key:

ProCurve(config)# tacacs-server host 10.28.227.63 key north01

An encryption key can contain up to 100 characters, without spaces, and is likely to be case-sensitive in most TACACS+ server applications.

To delete a global encryption key from the switch, use this command:

ProCurve(config)# no tacacs-server key

4-19

TACACS+ Authentication

Configuring TACACS+ on the Switch

To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command:

Configuring the Timeout Period. The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS+ server before either sending a new request to the next server in the switch???s Server IP Address list or using the local authentication option. For example, to change the timeout period from 5 seconds (the default) to 3 seconds:

ProCurve(config)# tacacs-server timeout 3

How Authentication Operates

General Authentication Process Using a TACACS+

Server

Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application.

Figure 4-6. Using a TACACS+ Server for Authentication

4-20

TACACS+ Authentication

Configuring TACACS+ on the Switch

Using figure 4-6, above, after either switch detects an operator???s logon request from a remote or directly connected terminal, the following events occur:

1.The switch queries the first-choice TACACS+ server for authentication of the request.

???If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server. If the switch does not receive a response from any TACACS+ server, then it uses its own local username/password pairs to authenti- cate the logon request. (See ???Local Authentication Process??? on page 4-22.)

???If a TACACS+ server recognizes the switch, it forwards a user- name prompt to the requesting terminal via the switch.

2.When the requesting terminal responds to the prompt with a username, the switch forwards it to the TACACS+ server.

3.After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch.

4.When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs:

???If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.

???If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username and repeat steps 2 through 4. In the default configuration, the switch allows up to three attempts to authenticate a login session. If the requesting terminal exhausts the attempt limit without a successful TACACS+ authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.

4-21

TACACS+ Authentication

Configuring TACACS+ on the Switch

Local Authentication Process

When the switch is configured to use TACACS+, it reverts to local authentica- tion only if one of these two conditions exists:

??? ???Local??? is the authentication option for the access method being used.

??? TACACS+ is the primary authentication mode for the access method being used. However, the switch was unable to connect to any TACACS+ servers (or no servers were configured) and Local is the secondary authentication mode being used.

(For a listing of authentication options, see table 4-2, ???Primary/Secondary Authentication Table??? on 4-13.)

For local authentication, the switch uses the operator-level and manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the web browser interface, or the menu interface???which enables only local password configuration).

??? If the operator at the requesting terminal correctly enters the user- name/password pair for either access level, access is granted.

??? If the username/password pair entered at the requesting terminal does not match either username/password pair previously configured

4-22

TACACS+ Authentication

Configuring TACACS+ on the Switch

4-23

TACACS+ Authentication

Configuring TACACS+ on the Switch

For example, you would use the next command to configure a global encryp- tion key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch:

ProCurve(config)# tacacs-server key north40campus

Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.227.87) that has south10campus for an encryption key. Because this key is different than the one used for the two servers in the previous example, you will need to assign a server-specific key in the switch that applies only to the designated server:

ProCurve(config)# tacacs-server host 10.28.227.87 key south10campus

With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.

Controlling Web Browser Interface

Access When Using TACACS+

Authentication

Configuring the switch for TACACS+ authentication does not affect web browser interface access. To prevent unauthorized access through the web browser interface, do one or more of the following:

???Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch.

???Configure the switch???s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Authorized IP Manager feature does not interfere with TACACS+ operation.)

???Disable web browser access to the switch by going to the System Information screen in the Menu interface and configuring the Web Agent Enabled parameter to No.

4-24

TACACS+ Authentication

Configuring TACACS+ on the Switch

Messages Related to TACACS+

Operation

The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa- tion on such messages, refer to the documentation you received with the application.

Operating Notes

???If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch. Also, the switch does not attempt TACACS+ authentication for a management station that the Authorized IP Manager list excludes because, independent of TACACS+, the switch already denies access to such stations.

4-25

TACACS+ Authentication

Configuring TACACS+ on the Switch

???When TACACS+ is not enabled on the switch???or when the switch???s only designated TACACS+ servers are not accessible??? setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthor- ized persons.)

4-26

5

RADIUS Authentication and Accounting

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5

Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16

Controlling Web Browser Interface Access When Using RADIUS

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17

Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17 Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-19 Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-19

Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25

RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27

RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28

Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29

Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31

5-1

RADIUS Authentication and Accounting

Overview

Overview

access. For information on blocking unauthorized access through the web browser interface, refer to ???Controlling Web Browser Interface Access When Using RADIUS Authentication??? on page 5-17.

Accounting. RADIUS accounting on the switch collects resource consump- tion data and forwards it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis.

5-2

RADIUS Authentication and Accounting

Terminology

Terminology

CHAP (Challenge-Handshake Authentication Protocol): A challenge- response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server.

EAP (Extensible Authentication Protocol): A general PPP authentication protocol that supports multiple authentication mechanisms. A specific authentication mechanism is known as an EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security).

Host: See RADIUS Server.

NAS (Network Access Server): In this case, a ProCurve switch configured for RADIUS security operation.

RADIUS (Remote Authentication Dial In User Service):

RADIUS Client: The device that passes user information to designated RADIUS servers.

RADIUS Host: See RADIUS server.

RADIUS Server: A server running the RADIUS application you are using on your network. This server receives user connection requests from the switch, authenticates users, and then returns all necessary information to the switch. For the ProCurve switch, a RADIUS server can also perform accounting functions. Sometimes termed a RADIUS host.

Shared Secret Key: A text value used for encrypting data in RADIUS packets. Both the RADIUS client and the RADIUS server have a copy of the key, and the key is never transmitted across the network.

5-3

RADIUS Authentication and Accounting

Switch Operating Rules for RADIUS

Switch Operating Rules for RADIUS

???You must have at least one RADIUS server accessible to the switch.

???The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius (page 5-25). If the first server does not respond, the switch tries the next one, and so-on. (To change the order in which the switch accesses RADIUS servers, refer to ???Changing RADIUS-Server Access Order??? on page 5-29.)

???You can select RADIUS as the primary authentication method for each type of access. (Only one primary and one secondary access method is allowed for each access type.)

???In the ProCurve switch, EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server.

5-4

RADIUS Authentication and Accounting

General RADIUS Setup Procedure

General RADIUS Setup Procedure

Preparation:

1.Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application.

2.Before configuring the switch, collect the information outlined below.

Table 5-1. Preparation for Configuring RADIUS on the Switch

???Determine the access methods (console, Telnet, Port-Access (802.1X), SSH, and/or web browser interface) for which you want RADIUS as the primary authentication method. Consider both Operator (login) and Manager (enable) levels, as well as which secondary authentication methods to use (local or none) if the RADIUS authentication fails or does not respond.

ProCurve> show authentication

Status and Counters - Authentication Information

Figure 5-1. Example of Possible RADIUS Access Assignments

???Determine the IP address(es) of the RADIUS server(s) you want to support the switch. (You can configure the switch for up to three RADIUS servers.)

???If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process.

???If you need to replace the default UDP destination port (1813) the switch uses for accounting requests to a specific Radius server, select it before beginning the configuration process.

???Determine whether you can use one, global encryption key for all RADIUS servers or if unique keys will be required for specific servers. With multiple RADIUS servers, if one key applies to two or more of these servers, then you can configure this key as the global encryption key. For any server whose key differs from the global key you are using, you must configure that key in the same command that you use to designate that server???s IP address to the switch.

5-5

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

???Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve recommends that you begin with the default (five seconds).

???Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.)

???Determine whether you want to bypass a RADIUS server that fails to respond to requests for service. To shorten authentication time, you can set a bypass period in the range of 1 to 1440 minutes for non-responsive servers. This requires that you have multiple RADIUS servers accessible for service requests.

Configuring the Switch for RADIUS

Authentication

*The web authentication option for the web browser interface is available on the 2600, 2600-PWR, and 2800 switches running software releases H.08.58 and I.08.60 or greater.

5-6

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

Outline of the Steps for Configuring RADIUS

Authentication

There are three main steps to configuring RADIUS authentication:

1.Configure RADIUS authentication for controlling access through one or more of the following

???Serial port

???Telnet

???SSH

???Web browser interface (2600, 2600-PWR, and 2800 switches running software releases H.08.58 and I.08.60 or greater)

???Port-Access (802.1X)

2.Configure the switch for accessing one or more RADIUS servers (one primary server and up to two backup servers):

???Server IP address

???(Optional) UDP destination port for authentication requests (default: 1812; recommended)

???(Optional) UDP destination port for accounting requests (default: 1813; recommended)

???(Optional) encryption key for use during authentication sessions with a RADIUS server. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. (Default: null)

3.Configure the global RADIUS parameters.

???Server Key: This key must match the encryption key used on the RADIUS servers the switch contacts for authentication and account- ing services unless you configure one or more per-server keys. (Default: null.)

???Timeout Period: The timeout period the switch waits for a RADIUS

server to reply. (Default: 5 seconds; range: 1 to 15 seconds.)

???Retransmit Attempts: The number of retries when there is no server

response to a RADIUS authentication request. (Default: 3; range of 1 to 5.)

5-7

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

???Server Dead-Time: The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request. This avoids a wait for a request to time out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (Default: 0???disabled; range: 1 - 1440 minutes.) If your first-choice server was initially unavailable, but then becomes available before the dead-time expires, you can nullify the dead-time by resetting it to zero and then trying to log on again. As an alternative, you can reboot the switch, (thus resetting the dead-time counter to assume the server is available) and then try to log on again.

???Number of Login Attempts: This is an aaa authentication command. It controls how many times in one session a RADIUS client (as well as clients using other forms of access) can try to log in with the correct username and password. (Default: Three times per session.)

(For RADIUS accounting features, refer to ???Configuring RADIUS Accounting??? on page 5-17.)

1.Configure Authentication for the Access Methods You Want RADIUS To Protect

This section describes how to configure the switch for RADIUS authentication through the following access methods:

???Console: Either direct serial-port connection or modem connection.

???Telnet: Inbound Telnet must be enabled (the default).

???SSH: To employ RADIUS for SSH access, you must first configure the switch for SSH operation. Refer to ???Configuring Secure Shell (SSH)??? on page 6-1.

???Web: Web browser interface (2600, 2600-PWR, and 2800 switches).

You can also use RADIUS for Port-Based Access authentication. Refer to ???Configuring Port-Based Access Control (802.1X)??? on page 8-1.

You can configure RADIUS as the primary password authentication method for the above access methods. You will also need to select either local or none as a secondary, or backup, method. Note that for console access, if you configure radius (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being com- pletely locked out of the switch in the event that all primary access methods fail.

5-8

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > < radius >

Configures RADIUS as the primary password authentication method for console, Telnet, SSH and/or the Web browser interface. (The default primary < enable | login > authentication is local.)

[< local | none >]

Provides options for secondary authentication (default: none). Note that for console access, secondary authenti- cation must be local if primary access is not local. This prevents you from being completely locked out of the switch in the event of a failure in other access methods.

For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch???s local passwords):

ProCurve(config)# aaa authentication telnet login radius none ProCurve(config)# aaa authentication telnet enable radius none ProCurve(config)# aaa authentication ssh login radius none ProCurve(config)# aaa authentication ssh enable radius none ProCurve(config)# show authentication

Status and Counters - Authentication Information

can gain access to either the Operator or Manager level without encountering the RADIUS authentication specified for Enable Primary. Refer to ???Local Authentication Process??? on page 5-16.

5-9

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

2. Configure the Switch To Access a RADIUS Server

This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services.

Syntax: [no] radius-server host < ip-address >

Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to ???Changing the RADIUS Server Access Order??? on page 5-29.)

[auth-port < port-number >]

Optional. Changes the UDP destination port for authenti- cation requests to the specified RADIUS server (host). If you do not use this option with the radius-server host command, the switch automatically assigns the default authentication port number. The auth-port number must match its server counterpart. (Default: 1812)

[acct-port < port-number >]

Optional. Changes the UDP destination port for account- ing requests to the specified RADIUS server. If you do not use this option with the radius-server host command, the switch automatically assigns the default accounting port number. The acct-port number must match its server coun- terpart.(Default: 1813)

[key < key-string >]

Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key.

no radius-server host < ip-address > key

Use the no form of the command to remove the key for a specified server.

5-10

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes:

1.Change the encryption key for the server at 10.33.18.127 to ???source0127???.

2.Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of ???source0119???.

Figure 5-3. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server

To make the changes listed prior to figure 5-3, you would do the following:

Changes the key for the existing server to ???source0127???

Adds the new RADIUS server with its required ???source0119??? key.

Lists the switch???s new RADIUS server configuration. Compare this with

Figure 5-4. Sample Configuration for RADIUS Server After Changing the Key and Adding Another Server

To change the order in which the switch accesses RADIUS servers, refer to ???Changing RADIUS-Server Access Order??? on page 5-29.

5-11

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

3. Configure the Switch???s Global RADIUS Parameters

You can configure the switch for the following global RADIUS parameters:

???Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. (This is a general aaa authentication parameter and is not specific to RADIUS.)

???Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host < ip-address > key < key-string >. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch. (Refer to ???2. Configure the Switch To Access a RADIUS Server??? on page 5-10.)

5-12

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

Syntax: aaa authentication num-attempts < 1 - 10 >

Specifies how many tries for entering the correct user- name and password before shutting down the session due to input errors. (Default: 3; Range: 1 - 10).

[no] radius-server

key < global-key-string >

Specifies the global encryption key the switch uses with servers for which the switch does not have a server- specific key assignment. This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. (Default: Null.)

dead-time < 1 - 1440 >

Optional. Specifies the time in minutes during which the switch will not attempt to use a RADIUS server that has not responded to an earlier authentication attempt. (Default: 0; Range: 1 - 1440 minutes)

radius-server timeout < 1 - 15 >

5-13

RADIUS Authentication and Accounting

Configuring the Switch for RADIUS Authentication

For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters:

???Allow only two tries to correctly enter username and password.

???Use the global encryption key to support the two servers that use the same key. (For this example, assume that you did not configure these two servers with a server-specific key.)

???Use a dead-time of five minutes for a server that fails to respond to an authentication request.

???Allow three seconds for request timeouts.

???Allow two retries following a request that did not receive a response.

Figure 5-5. Example of Global Configuration Exercise for RADIUS Authentication

5-14

Figure 5-6. Listings of Global RADIUS Parameters Configured In Figure 5-5

5-15

RADIUS Authentication and Accounting

Local Authentication Process

Local Authentication Process

When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists:

??????Local??? is the authentication option for the access method being used.

???The switch has been configured to query one or more RADIUS servers for a primary authentication request, but has not received a response, and local is the configured secondary option.

For local authentication, the switch uses the Operator-level and Manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the web browser interface, or the menu interface???which enables only local password configuration).

???If the operator at the requesting terminal correctly enters the user- name/password pair for either access level (Operator or Manager), access is granted on the basis of which username/password pair was used. For example, suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local. If a RADIUS access attempt fails, then you can still get access to either the Operator or Manager level of the switch by entering the correct username/pass- word pair for the level you want to enter.

???If the username/password pair entered at the requesting terminal does not match either local username/password pair previously configured in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configu- ration, the switch allows up to three attempts. If the requesting terminal exhausts the attempt limit without a successful authentica- tion, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.

5-16

RADIUS Authentication and Accounting

Controlling Web Browser Interface Access When Using RADIUS Authentication

Controlling Web Browser Interface Access

When Using RADIUS Authentication

To prevent unauthorized access through the web browser interface, do one or more of the following:

???For Series 2600, 2600-PWR, and Series 2800 switches, configure RADIUS authentication access (software releases H.08.58 and I.08.60 or greater). (Configuring the switch for RADIUS authentication does not affect web browser interface access for the 4100 and 6108 switches.)

???Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch.

???Configure the switch???s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Authorized IP Manager feature does not interfere with TACACS+ operation.)

???Disable web browser access to the switch.

Configuring RADIUS Accounting

5-17

RADIUS Authentication and Accounting

Configuring RADIUS Accounting

(For 802.1X information for the switch, refer to ???Configuring Port-Based Access Control (802.1X)??? on page 8-1.)

???Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch:

???System accounting: Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disabling of system accounting.

5-18

RADIUS Authentication and Accounting

Configuring RADIUS Accounting

The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, refer to the documentation provided with your RADIUS server.

Operating Rules for RADIUS Accounting

???You can configure up to three types of accounting to run simultane- ously: exec, system, and network.

???RADIUS servers used for accounting are also used for authentication.

???The switch must be configured to access at least one RADIUS server.

???RADIUS servers are accessed in the order in which their IP addresses were configured in the switch. Use show radius to view the order. As long as the first server is accessible and responding to authentication requests from the switch, a second or third server will not be accessed. (For more on this topic, refer to ???Changing RADIUS-Server Access Order??? on page 5-29.)

???If access to a RADIUS server fails during a session, but after the client has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data transmitted from the switch.

Steps for Configuring RADIUS Accounting

1.Configure the switch for accessing a RADIUS server.

You can configure a list of up to three RADIUS servers (one primary, two backup). The switch operates on the assumption that a server can operate in both accounting and authentication mode. (Refer to the documentation for your RADIUS server application.)

???Use the same radius-server host command that you would use to configure RADIUS authentication. Refer to ???2. Configure the Switch To Access a RADIUS Server??? on page 5-10.

???Provide the following:

???A RADIUS server IP address.

???Optional???a UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recom- mended).

5-19

RADIUS Authentication and Accounting

Configuring RADIUS Accounting

???Optional???if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig- nating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. For more information, refer to the key < key-string > param- eter on page 5-10. (Default: null)

2.Configure accounting types and the controls for sending reports to the RADIUS server.

???Accounting types: exec (page 5-18), network (page 5-18), or system (page 5-18)

???Trigger for sending accounting reports to a RADIUS server: At session start and stop or only at session stop

3.(Optional) Configure session blocking and interim updating options

???Updating: Periodically update the accounting data for sessions-in- progress

???Suppress accounting: Block the accounting session for any unknown user with no username access to the switch

1. Configure the Switch To Access a RADIUS Server

Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 5-10. You need to repeat this step here only if you have not yet configured the switch to use a RADIUS server, your server data has changed, or you need to specify a non-default UDP destination port for accounting requests. Note that switch operation expects a RADIUS server to accommodate both authentication and accounting.

5-20

RADIUS Authentication and Accounting

Configuring RADIUS Accounting

Syntax: [no] radius-server host < ip-address >

Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration.

[acct-port < port-number >]

Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server. If you do not use this option, the switch automatically assigns the default accounting port number. (Default: 1813)

[key < key-string >]

Optional. Specifies an encryption key for use during accounting or authentication sessions with the speci- fied server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key.

(For a more complete description of the radius-server command and its options, turn to page 5-10.)

For example, suppose you want to the switch to use the RADIUS server described below for both authentication and accounting purposes.

???IP address: 10.33.18.151

???A non-default UDP port number of 1750 for accounting.

For this example, assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings, and that RADIUS is already configured as an authentication method for one or more types of access to the switch (Telnet, Console, etc.).

5-21

RADIUS Authentication and Accounting

Configuring RADIUS Accounting

Because the radius-server command includes an acct-port element with a non- default 1750, the switch assigns this value to the accounting port UDP port numbers. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812.

Figure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number

The radius-server command as shown in figure 5-7, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accounting port of 1750, and a server-specific key of ???source0151???.

2.Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server

Select the Accounting Type(s):

???Exec: Use exec if you want to collect accounting information on login sessions on the switch via the console, Telnet, or SSH. (See also ???Accounting??? on page 5-2.)

???System: Use system if you want to collect accounting data when:

???A system boot or reload occurs

???System accounting is turned on or off

Note that there is no time span associated with using the system option. It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs.

???Network: Use Network if you want to collect accounting information on 802.1X port-based-access users connected to the physical ports on the switch to access the network. (See also ???Accounting??? on page 2.) For information on this feature, refer to ???Configuring Port-Based Access Control (802.1X)??? on page 8-1.

Determine how you want the switch to send accounting data to a RADIUS server:

5-22

RADIUS Authentication and Accounting

Configuring RADIUS Accounting

???Start-Stop:

???Send a start record accounting notice at the beginning of the account- ing session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System).

???Do not wait for an acknowledgement.

The system option (page 5-22) ignores start-stop because the switch sends the accumulated data only when there is a reboot, reload, or accounting on/off event.

???Stop-Only:

???Send a stop record accounting notice at the end of the accounting session. The notice includes the latest data the switch has collected for the requested accounting type (Network, Exec, or System).

???Do not wait for an acknowledgment.

The system option (page 5-22) always delivers stop-only operation because the switch sends the accumulated data only when there is a reboot, reload, or accounting on/off event.

Syntax: [no] aaa accounting < exec | network | system > < start-stop | stop-only > radius

Configures RADIUS accounting type and how data will be sent to the RADIUS server.

For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions:

Configures exec and system accounting and controls.

Summarizes the switch???s accounting configuration.

Exec and System accounting are active. (Assumes the switch is configured to access a reachable

Figure 5-8. Example of Configuring Accounting Types

5-23

RADIUS Authentication and Accounting

Configuring RADIUS Accounting

3. (Optional) Configure Session Blocking and Interim

Updating Options

These optional parameters give you additional control over accounting data.

???Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server.

???Suppress: The switch can suppress accounting for an unknown user having no username.

Syntax: [no] aaa accounting update periodic < 1 - 525600 >

Sets the accounting update period for all accounting ses- sions on the switch. (The no form disables the update function and resets the value to zero.) (Default: zero; dis- abled)

Syntax: [no] aaa accounting suppress null-username

Disables accounting for unknown users having no user- name. (Default: suppression disabled)

To continue the example in figure 5-8, suppose that you wanted the switch to:

???Send updates every 10 minutes on in-progress accounting sessions.

???Block accounting for unknown users (no username).

??? Update Period

??? Suppress Unknown User

Figure 5-9. Example of Optional Accounting Update Period and Accounting Suppression on Unknown User

5-24

RADIUS Authentication and Accounting

Viewing RADIUS Statistics

Viewing RADIUS Statistics

General RADIUS Statistics

Syntax: show radius [host < ip-addr >]

Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server???s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See ???Configuring RADIUS Accounting??? on page 5-17.)

Figure 5-10. Example of General RADIUS Information from Show Radius Command

Figure 5-11. RADIUS Server Information From the Show Radius Host Command

5-25

RADIUS Authentication and Accounting

Viewing RADIUS Statistics

Table 5-2. Values for Show Radius Host Output (Figure 5-11)

5-26

RADIUS Authentication and Accounting

Viewing RADIUS Statistics

RADIUS Authentication Statistics

Syntax: show authentication

Displays the primary and secondary authentication meth- ods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session.

show radius authentication

Displays NAS identifier and data on the configured RADIUS server and the switch???s interactions with this server. (Requires prior use of the radius-server host command to configure a RADIUS server IP address in the switch. See ???Configuring RADIUS Accounting??? on page 5-17.)

Figure 5-12. Example of Login Attempt and Primary/Secondary Authentication

Information from the Show Authentication Command

Figure 5-13. Example of RADIUS Authentication Information from a Specific Server

5-27

RADIUS Authentication and Accounting

Viewing RADIUS Statistics

RADIUS Accounting Statistics

Syntax: show accounting

Lists configured accounting interval, ???Empty User??? suppres- sion status, accounting types, methods, and modes.

show radius accounting

Lists accounting statistics for the RADIUS server(s) config- ured in the switch (using the radius-server host command).

show accounting sessions

Lists the accounting sessions currently active on the switch.

Figure 5-14. Listing the Accounting Configuration in the Switch

Figure 5-15. Example of RADIUS Accounting Information for a Specific Server

5-28

RADIUS Authentication and Accounting

Changing RADIUS-Server Access Order

Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch

Changing RADIUS-Server Access Order

The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.

Adding or deleting a RADIUS server IP address leaves an empty position, but does not change the position of any other server addresses in the list. For example if you initially configure three server addresses, they are listed in the order in which you entered them. However, if you subsequently remove the second server address in the list and add a new server address, the new address will be placed second in the list.

Thus, to move a server address up in the list, you must delete it from the list, ensure that the position to which you want to move it is vacant, and then re- enter it. For example, suppose you have already configured the following three RADIUS server IP addresses in the switch:

RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 10.10.10.1 is first.

Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even if the client is denied access by the first server.

Figure 5-17. Search Order for Accessing a RADIUS Server

5-29

RADIUS Authentication and Accounting

Changing RADIUS-Server Access Order

To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following:

1.Delete 10.10.10.003 from the list. This opens the third (lowest) position in the list.

2.Delete 10.10.10.001 from the list. This opens the first (highest) position in the list.

3.Re-enter 10.10.10.003. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list.

4.Re-enter 10.10.10.001. Because the only position open is the third position, this address becomes last in the list.

Removes the ???003??? and ???001??? addresses from the RADIUS server list.

Inserts the ???003??? address in the first position in the RADIUS server list, and inserts the ???001??? address in the last position in the list.

Shows the new order in which the switch searches for a RADIUS server.

Figure 5-18. Example of New RADIUS Server Search Order

5-30

RADIUS Authentication and Accounting

Messages Related to RADIUS Operation

Messages Related to RADIUS Operation

5-31

RADIUS Authentication and Accounting

Messages Related to RADIUS Operation

??? This page is intentionally unused. ???

5-32

6

Configuring Secure Shell (SSH)

Contents

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Steps for Configuring and Using SSH for Switch and

Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8

Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9 1. Assign Local Login (Operator) and Enable (Manager) Password . 6-9 2. Generate the Switch???s Public and Private Key Pair . . . . . . . . . . . . 6-10 3. Provide the Switch???s Public Key to Clients . . . . . . . . . . . . . . . . . . . 6-12

4. Enable SSH on the Switch and Anticipate SSH Client

Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 5. Configure the Switch for SSH Authentication . . . . . . . . . . . . . . . . . 6-18 6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-21

Further Information on SSH Client Public-Key Authentication . . . . . . . . 6-21

Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27

6-1

Configuring Secure Shell (SSH)

Overview

Overview

The ProCurve switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation.

SSH provides Telnet-like functions but, unlike Telnet, SSH provides encrypted, authenticated transactions. The authentication types include:

???Client public-key authentication

???Switch SSH and user password authentication

Client Public Key Authentication (Login/Operator Level) with User

Password Authentication (Enable/Manager Level). This option uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch. (The same private key can be stored on one or more clients.)

Figure 6-1. Client Public Key Authentication Model

6-2

Figure 6-2. Switch/User Authentication

SSH on the ProCurve switches covered in this guide supports these data encryption methods:

6-3

Configuring Secure Shell (SSH)

Terminology

Terminology

???SSH Server: A ProCurve switch with SSH enabled.

???Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key, that can be read by anyone and a private key, that is held internally in the switch or by a client.

???PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figures 6-3 and 6-4 for examples of PEM-encoded ASCII and non- encoded ASCII keys.

???Private Key: An internally generated key used in the authentication process. A private key generated by the switch is not accessible for viewing or copying. A private key generated by an SSH client applica- tion is typically stored in a file on the client device and, together with its public key counterpart, can be copied and stored on multiple devices.

???Public Key: An internally generated counterpart to a private key. A device???s public key is used to authenticate the device to other devices.

???Enable Level: Manager privileges on the switch.

???Login Level: Operator privileges on the switch.

???Local password or username: A Manager-level or Operator-level password configured in the switch.

???SSH Enabled: (1) A public/private key pair has been generated on the switch (crypto key generate ssh [rsa]) and (2) SSH is enabled (ip ssh). (You can generate a key pair without enabling SSH, but you cannot enable SSH without first generating a key pair. See ???2. Generate the Switch???s Public and Private Key Pair??? on page 6-10 and ???4. Enable SSH on the Switch and Anticipate SSH Client Contact Behavior??? on page 6-15.)

6-4

Configuring Secure Shell (SSH)

Prerequisite for Using SSH

Prerequisite for Using SSH

Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.

Public Key Formats

Any client application you use for client public-key authentication with the switch must have the capability export public keys. The switch can accept keys in the PEM-Encoded ASCII Format or in the Non-Encoded ASCII format.

Figure 6-3. Example of Public Key in PEM-Encoded ASCII Format Common for SSHv2 Clients

Figure 6-4. Example of Public Key in Non-Encoded ASCII Format (Common for SSHv1 Client Applications)

6-5

Configuring Secure Shell (SSH)

Steps for Configuring and Using SSH for Switch and Client Authentication

Steps for Configuring and Using SSH for

Switch and Client Authentication

For two-way authentication between the switch and an SSH client, you must use the login (Operator) level.

1 For ssh login public-key, the switch uses client public-key authentication instead of the switch password options for primary authentication.

The general steps for configuring SSH include:

A.Client Preparation

1.Install an SSH client application on a management station you want to use for access to the switch. (Refer to the documentation provided with your SSH client application.)

2.Optional???If you want the switch to authenticate a client public-key on the client:

a.Either generate a public/private key pair on the client computer (if your client application allows) or import a client key pair that you have generated using another SSH application.

b.Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public key file to the switch. (The client public key file can hold up to ten client keys.) This topic is covered under ???To Create a Client-Public-Key Text File??? on page 6-23.

6-6

Configuring Secure Shell (SSH)

Steps for Configuring and Using SSH for Switch and Client Authentication

B.Switch Preparation

1.Assign a login (Operator) and enable (Manager) password on the switch (page 6-9).

2.Generate a public/private key pair on the switch (page 6-10).

You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.)

3.Copy the switch???s public key to the SSH clients you want to access the switch (page 6-12).

4.Enable SSH on the switch (page 6-15).

5.Configure the primary and secondary authentication methods you want the switch to use. In all cases, the switch will use its host-public- key to authenticate itself when initiating an SSH session with a client.

???SSH Login (Operator) options:

???Option A:

Primary: Local, TACACS+, or RADIUS password

Secondary: Local password or none

??? Option B:

Primary: Client public-key authentication (login public- key ??? page 6-21)

Secondary: Local password or none

Note that if you want the switch to perform client public-key authentication, you must configure the switch with Option B.

??? SSH Enable (Manager) options:

Primary: Local, TACACS+, or RADIUS

Secondary: Local password or none

6.Use your SSH client to access the switch using the switch???s IP address or DNS name (if allowed by your SSH client application). Refer to the documentation provided with the client application.

6-7

Configuring Secure Shell (SSH)

General Operating Rules and Notes

General Operating Rules and Notes

???Public keys generated on an SSH client must be exportable to the switch. The switch can only store ten keys client key pairs.

???The switch???s own public/private key pair and the (optional) client public key file are stored in the switch???s flash memory and are not affected by reboots or the erase startup-config command.

???Once you generate a key pair on the switch you should avoid re- generating the key pair without a compelling reason. Otherwise, you will have to re-introduce the switch???s public key on all management stations (clients) you previously set up for SSH access to the switch. In some situations this can temporarily allow security breaches.

???On ProCurve switches that support stacking, when stacking is enabled, SSH provides security only between an SSH client and the stack manager. Communications between the stack commander and stack members is not secure.

???The switch does not support outbound SSH sessions. Thus, if you Telnet from an SSH-secure switch to another SSH-secure switch, the session is not secure.

6-8

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Configuring the Switch for SSH

Operation

1. Assign Local Login (Operator) and Enable (Manager)

Password

At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch???s configuration.

To Configure Local Passwords. You can configure both the Operator and Manager password with one command.

Syntax:password < manager | operator | all >

6-9

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Figure 6-5. Example of Configuring Local Passwords

2. Generate the Switch???s Public and Private Key Pair

You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.

The host key pair is stored in the switch???s flash memory, and only the public key in this pair is readable. The public key should be added to a "known hosts" file (for example, $HOME/.ssh/known_hosts on UNIX systems) on the SSH clients which should have access to the switch. Some SSH client appli- cations automatically add the switch???s public key to a "known hosts" file. Other SSH applications require you to manually create a known hosts file and place the switch???s public key in the file. (Refer to the documentation for your SSH client application.)

(The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client ses- sion, and then discarded.)

6-10

6-11

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

For example, to generate and display a new key:

Host Public

Key for the

Switch

Version 1 and Version 2 Views

of Same Host Public Key

Figure 6-6. Example of Generating a Public/Private Host Key Pair for the Switch

The 'show crypto host-public-key' displays data in two different formats because your client may store it in either of these formats after learning the key. If you wish to compare the switch key to the key as stored in your client's known-hosts file, note that the formatting and comments need not match. For version 1 keys, the three numeric values bit size, exponent <e>, and modulus <n> must match; for PEM keys, only the PEM-encoded string itself must match.

3. Provide the Switch???s Public Key to Clients

When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client???s "known host" file. Copying the switch???s key in this way reduces the chance that an unauthorized device can pose as the switch to learn your access passwords. The most secure way to acquire the switch???s public key for

6-12

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.

The public key generated by the switch consists of three parts, separated by one blank space each:

896 35 427199470766077426366625060579924214851527933248752021855126493

2934075407047828604329304580321402733049991670046707698543529734853020

0176777055355544556880992231580238056056245444224389955500310200336191

3610469786020092436232649374294060627777506601747146563337525446401

Figure 6-7. Example of a Public Key Generated by the Switch

(The generated public key on the switch is always 896 bits.)

With a direct serial connection from a management station to the switch:

1.Use a terminal application such as HyperTerminal to display the switch???s public key with the show crypto host-public-key command (figure 6-6).

2.Bring up the SSH client???s "known host" file in a text editor such as Notepad as straight ASCII text, and copy the switch???s public key into the file.

3.Ensure that there are no changes in breaks in the text string. (A public key must be an unbroken ASCII string. Line breaks are not allowed Changes in the line breaks will corrupt the Key.) For example, if you are using Windows?? Notepad, ensure that Word Wrap (in the Edit menu) is disabled, and that the key text appears on a single line.

Figure 6-8. Example of a Correctly Formatted Public Key

6-13

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

4.Add any data required by your SSH client application. For example Before saving the key to an SSH client???s "known hosts" file you may have to insert the switch???s IP address:

Figure 6-9. Example of a Switch Public Key Edited To Include the Switch???s IP Address

For more on this topic, refer to the documentation provided with your SSH client application.

Displaying the Public Key. The switch provides three options for display- ing its public key. This is helpful if you need to visually verify that the public key the switch is using for authenticating itself to a client matches the copy of this key in the client???s "known hosts" file:

???Non-encoded ASCII numeric string: Requires a client ability to display the keys in the ???known hosts??? file in the ASCII format. This method is tedious and error-prone due to the length of the keys. (See figure 6-8 on page 6-13.)

???Phonetic hash: Outputs the key as a relatively short series of alpha- betic character groups. Requires a client ability to convert the key to this format.

???Hexadecimal hash: Outputs the key as a relatively short series of hexadecimal numbers. Requires a parallel client ability.

For example, on the switch, you would generate the phonetic and hexadecimal versions of the switch???s public key in figure 6-8 as follows:

6-14

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Figure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch???s Public Key

The two commands shown in figure 6-10 convert the displayed format of the switch???s (host) public key for easier visual comparison of the switch???s public key to a copy of the key in a client???s ???known host??? file. The switch has only one RSA host key. The 'babble' and 'fingerprint' options produce two hashes for the key--one that corresponds to the challenge hash you will see if con- necting with a v1 client, and the other corresponding to the hash you will see if connecting with a v2 client. These hashes do not correspond to different keys, but differ only because of the way v1 and v2 clients compute the hash of the same RSA key. The switch always uses ASCII version (without babble or fingerprint conversion) of its public key for file storage and default display format.

4. Enable SSH on the Switch and Anticipate SSH Client Contact Behavior

The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSH, the switch can authenticate itself to SSH clients.

When configured for SSH, the switch uses its host public-key to authenticate itself to SSH clients. If you also want SSH clients to authenticate themselves to the switch you must configure SSH on the switch for client public-key authentication at the login (Operator) level. To enhance security, you should also configure local, TACACS+, or RADIUS authentication at the enable (Manager) level.

Refer to ???5. Configure the Switch for SSH Authentication??? on page 6-18.

6-15

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch???s public key into the client, your client???s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing. As long as you are confident that an unauthorized device is not using the switch???s IP address in an attempt to gain access to your data or network, you can accept the connection. (As a more secure alternative, you can directly connect the client to the switch???s serial port and copy the switch???s public key into the client. See the following Note.)

To enable SSH on the switch.

1.Generate a public/private key pair if you have not already done so. (Refer to ???2. Generate the Switch???s Public and Private Key Pair??? on page 6-10.)

2.Execute the ip ssh command.

To disable SSH on the switch, do either of the following:

???Execute no ip ssh.

???Zeroize the switch???s existing key pair. (page 6-11).

Syntax: [no] ip ssh

Enables or disables SSH on the switch.

[key-size < 512 | 768 | 1024 >] Version 1 only

The size of the internal, automatically generated key the switch uses for negotiations with an SSH client. A larger key provides greater security; a smaller key results in faster authentication (default: 512 bits).

6-16

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

[port < 1-65535 | default >]

The TCP port number for SSH connections (default: 22). Important: See ???Note on Port Number??? on page 6-17.

[timeout < 5 - 120 >]

The SSH login timeout value (default: 120 seconds).

[version <1 | 2 | 1-or-2 >

With SSH running, the switch allows one console session and up to three other sessions (SSH and/or Telnet). Web browser sessions are

also allowed, but do not appear in the show ip ssh

Figure 6-11. Example of Enabling IP SSH and Listing the SSH Configuration and Status

6-17

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

6-18

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >]

Configures a password method for the primary and second- ary login (Operator) access. If you do not specify a secondary method, it defaults to none.

If the primary method is local, the secondary method is always none, which may or may not be specified.

aaa authentication ssh enable < local | tacacs | radius>[< local | none >]

Configures a password method for the primary and second- ary enable (Manager) access. If you do not specify a second- ary method, it defaults to none.

If the primary method is local, the secondary method is always none, which may or may not be specified.

Option B: Configuring the Switch for Client Public-Key SSH

Authentication. When configured with this option, the switch uses its pub- lic key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate. This option requires the additional step of copying a client public-key file from a TFTP server into the switch.

This means that before you can use this option, you must:

1.Create a key pair on an SSH client.

2.Copy the client???s public key into a public-key file (which can contain up to ten client public-keys).

3.Copy the public-key file into a TFTP server accessible to the switch and download the file to the switch.

(For more on these topics, refer to ???Further Information on SSH Client Public- Key Authentication??? on page 6-21.)

With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs using the switch and client public-keys. Then, after the client gains login access, the switch controls client access to the manager level by requiring the passwords configured earlier by the aaa authentication ssh enable command.

6-19

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Syntax: copy tftp pub-key-file < ip-address > < filename >

Copies a public key file into the switch.

aaa authentication ssh login public-key < none >

Configures the switch to authenticate a client public-key for primary login (Operator) access.

When the primary method is public-key, the secondary method is always none, which may or may not be specified.

Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none >

Configures a password method for the primary and second- ary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.

If the primary method is local, the secondary method is always none, which may or may not be specified.

For example, assume that you have a client public-key file named Client- Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager- level (enable) access for successful SSH clients you want to use TACACS+ for primary password authentication and local for secondary password authenti- cation, with a Manager username of "1eader" and a password of "m0ns00n". To set up this operation you would configure the switch in a manner similar to the following:

Figure 6-12. Configuring for SSH Access Requiring a Client Public-Key Match and Manager Passwords

6-20

Configuring Secure Shell (SSH)

Further Information on SSH Client Public-Key Authentication

Figure 6-13 shows how to check the results of the above commands.

Figure 6-13. SSH Configuration and Client-Public-Key Listing From Figure 6-12

6. Use an SSH Client To Access the Switch

Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Manage- ment and Configuration Guide for your switch.

Further Information on SSH Client

Public-Key Authentication

The section titled ???5. Configure the Switch for SSH Authentication??? on page 6-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.

6-21

Configuring Secure Shell (SSH)

Further Information on SSH Client Public-Key Authentication

When configured for SSH operation, the switch automatically attempts to use its own host public-key to authenticate itself to SSH clients. To provide the optional, opposite service???client public-key authentication to the switch???you can configure the switch to store up to ten RSA or DSA public keys for authenticating clients. This requires storing an ASCII version of each client???s public key (without babble conversion, or fingerprint conversion) in a client public-key file that you create and TFTP-copy to the switch. In this case, only clients that have a private key corresponding to one of the stored public keys can gain access to the switch using SSH. That is, if you use this feature, only the clients whose public keys are in the client public-key file you store on the switch will have SSH access to the switch over the network. If you do not allow secondary SSH login (Operator) access via local password, then the switch will refuse other SSH clients.

SSH clients that support client public-key authentication normally provide a utility to generate a key pair. The private key is usually stored in a password- protected file on the local host; the public key is stored in another file and is not protected.

(Note that even without using client public-key authentication, you can still require authentication from whoever attempts to access the switch from an SSH client??? by employing the local username/password, TACACS+, or RADIUS features. Refer to ???5. Configure the Switch for SSH Authentication??? on page 6-18.)

If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH:

1.The client sends its public key to the switch with a request for authenti- cation.

2.The switch compares the client???s public key to those stored in the switch???s client-public-key file. (As a prerequisite, you must use the switch???s copy tftp command to download this file to flash.)

3.If there is not a match, and you have not configured the switch to accept

alogin password as a secondary authentication method, the switch denies SSH access to the client.

4.If there is a match, the switch:

a.Generates a random sequence of bytes.

b.Uses the client???s public key to encrypt this sequence.

c.Send these encrypted bytes to the client.

5.The client uses its private key to decrypt the byte sequence.

6.The client then:

6-22

Configuring Secure Shell (SSH)

Further Information on SSH Client Public-Key Authentication

a.Combines the decrypted byte sequence with specific session data.

b.Uses a secure hash algorithm to create a hash version of this informa- tion.

c.Returns the hash version to the switch.

7.The switch computes its own hash version of the data in step 6 and compares it to the client???s hash version. If they match, then the client is authenticated. Otherwise, the client is denied access.

Using client public-key authentication requires these steps:

1.Generate a public/private key pair for each client you want to have SSH access to the switch. This can be a separate key for each client or the same key copied to several clients.

2.Copy the public key for each client into a client-public-key text file.

3.Use copy tftp to copy the client-public-key file into the switch. Note that the switch can hold 10 keys. The new key is appended to the client public- key file

4.Use the aaa authentication ssh command to enable client public-key authentication.

To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for RSA challenge-response authenti- cation, and require an understanding of how to use your SSH client applica- tion.

Figure 6-14. Example of a Client Public Key

6-23

Configuring Secure Shell (SSH)

Further Information on SSH Client Public-Key Authentication

1.Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details. The switch supports the following client-public-key properties:

2.Copy the client???s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft?? Windows?? software. If you want several clients to use client public-key authentica- tion, copy a public key for each of these clients (up to ten) into the file. Each key should be separated from the preceding key by a <CR><LF>.

3.Copy the client-public-key file into a TFTP server accessible to the switch.

Copying a client-public-key into the switch requires the following:

???One or more client-generated public keys. Refer to the documentation provided with your SSH client application.

???A copy of each client public key (up to ten) stored in a single text file or individual on a TFTP server to which the switch has access. Terminate all client public-keys in the file except the last one with a <CR><LF>.

Note on Public The actual content of a public key entry in a public key file is determined by Keysthe SSH client application generating the key. (Although you can manually add or edit any comments the client application adds to the end of the key, such

as the smith@fellow at the end of the key in figure 6-14 on page 6-23.)

6-24

Configuring Secure Shell (SSH)

Further Information on SSH Client Public-Key Authentication

Syntax: copy tftp pub-key-file <ip-address> <filename>

Copies a public key file from a TFTP server into flash memory in the switch.

show crypto client-public-key [babble | fingerprint]

Displays the client public key(s) in the switch???s current client-public-key file.

The babble option converts the key data to phonetic hashes that are easier for visual comparisons.

The fingerprint option converts the key data to phonetic hashes that are for the same purpose.

For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents:

Key Index Number

Figure 6-15. Example of Copying and Displaying a Client Public-Key File Containing Two Client Public Keys

Replacing or Clearing the Public Key File. The client public-key file remains in the switch???s flash memory even if you erase the startup-config file, reset the switch, or reboot the switch.

???You can remove the existing client public-key file or specific keys by executing the clear crypto public-key command.

Syntax:clear crypto public-key

Deletes the client-public-key file from the switch.

Syntax:clear crypto public-key 3

Deletes the entry with an index of 3 from the client-public-key file on the switch.

6-25

Configuring Secure Shell (SSH)

Further Information on SSH Client Public-Key Authentication

Enabling Client Public-Key Authentication. After you TFTP a client- public-key file into the switch (described above), you can configure the switch to allow one of the following:

??? If an SSH client???s public key matches the switch???s client-public-key file, allow that client access to the switch. If there is not a public-key match, then deny access to that client.

??? If an SSH client???s public key does not have a match in the switch???s client-public-key file, allow the client access if the user can enter the switch???s login (Operator) password. (If the switch does not have an Operator password, then deny access to that client.

Syntax: aaa authentication ssh login public-key none

Allows SSH client access only if the switch detects a match between the client???s public key and an entry in the client- public-key file most recently copied into the switch.

aaa authentication ssh login public-key local

6-26

Configuring Secure Shell (SSH)

Messages Related to SSH Operation

Messages Related to SSH Operation

Error: Requested keyfile does not exist. The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server.

6-27

Configuring Secure Shell (SSH)

Messages Related to SSH Operation

6-28

7

Configuring Secure Socket Layer (SSL)

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

Steps for Configuring and Using SSL for Switch

and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6 Configuring the Switch for SSL Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 1. Assign Local Login (Operator) and Enable (Manager) Password . 7-7 2. Generate the Switch???s Server Host Certificate . . . . . . . . . . . . . . . . . 7-9

3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Common Errors in SSL Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-21

7-1

Configuring Secure Socket Layer (SSL)

Overview

Overview

7-2

Configuring Secure Socket Layer (SSL)

Terminology

???Local

???TACACS+

???RADIUS

Figure 7-1. Switch/User Authentication

Terminology

???SSL Server: A ProCurve switch with SSL enabled.

???Key Pair: Public/private pair of RSA keys generated by switch, of which public portion makes up part of server host certificate and private portion is stored in switch flash (not user accessible).

???Digital Certificate: A certificate is an electronic ???passport??? that is used to establish the credentials of the subject to which the certificate was issued. Information contained within the certificate includes: name of the subject, serial number, date of validity, subject's public key, and the digital signature of the authority who issued the certifi- cate. Certificates on Procurve switches conform to the X.509v3 stan- dard, which defines the format of the certificate.

7-3

Configuring Secure Socket Layer (SSL)

Terminology

???Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate.

???CA-Signed Certificate: A certificate verified by a third party certif- icate authority (CA). Authenticity of CA-Signed certificates can be verified by an audit trail leading to a trusted root certificate.

???Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distributed as an integral part of most popular web clients. (see browser documentation for which root certificates are pre-installed).

???Manager Level: Manager privileges on the switch.

???Operator Level: Operator privileges on the switch.

???Local password or username: A Manager-level or Operator-level password configured in the switch.

???SSL Enabled: (1) A certificate key pair has been generated on the

switch (web interface or CLI command: crypto key generate cert [key size] (2) A certificate been generated on the switch (web interface or CLI command: crypto host-cert generate self-signed [arg-list]) and (3) SSL is enabled (web interface or CLI command: web-management ssl). (You can generate a certificate without enabling SSL, but you cannot enable SSL without first generating a Certificate.

7-4

7-5

Configuring Secure Socket Layer (SSL)

General Operating Rules and Notes

General Operating Rules and Notes

???Once you generate a certificate on the switch you should avoid re- generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch???s certificate on all manage- ment stations (clients) you previously set up for SSL access to the switch. In some situations this can temporarily allow security breaches.

???The switch's own public/private certificate key pair and certificate are stored in the switch's flash memory and are not affected by reboots or the erase startup-config command

???The public/private certificate key pair is not be confused with the SSH public/private key pair. The certificate key pair and the SSH key pair are independent of each other, which means a switch can have two keys pairs stored in flash

???On ProCurve switches that support stacking, when stacking is enabled, SSL provides security only between an SSL client and the stack manager. Communications between the stack commander and stack members is not secure.

7-6

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Configuring the Switch for SSL

Operation

1.Assign Local Login (Operator) and Enable (Manager) Password

At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch???s configuration.

7-7

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled ???Using the Web Browser Interface??? in the Management and Configuration Guide for your switch.

Security Tab

Password Button

Figure 7-2. Example of Configuring Local Passwords

1.Proceed to the security tab and select device passwords button.

2.Click in the appropriate box in the Device Passwords window and enter user names and passwords. You will be required to repeat the password strings in the confirmation boxes.

Both the user names and passwords can be up to 16 printable ASCII characters.

3.Click on Apply Changes button to activate the user names and pass- words.

7-8

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

7-9

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

7-10

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Comments on Certificate Fields.

There are a number arguments used in the generation of a server certificate. table 7-1, ???Certificate Field Descriptions??? describes these arguments.

Table 7-1. Certificate Field Descriptions

For example, to generate a key and a new host certificate:

Generate New Key

Generate New Certificate

Enter certificate Arguments

Figure 7-3. Example of Generating a Self-Signed Server Host certificate on the CLI for the Switch.

7-11

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Figure 7-4. Example of show crypto host-cert command

7-12

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Generate a Self-Signed Host Certificate with the Web browser interface

You can configure SSL from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled ???Using the Web Browser Interface??? in the Management and Configuration Guide for your switch.

To generate a self signed host certificate from the web browser interface:

i.Select the Security tab then the [SSL] button. The SSL configuration screen is divided into two halves. The left half is used for creating a new certificate key pair and (self-signed / CA-signed) certificate. The right half displays information on the currently installed certificate.

ii.Select the Create Certificate/Certificate Request radio button.

iii.Select Self-Signed in the Certificate Type drop-down list.

iv.Select the RSA Key Size desired. If you want to re-use the current certificate key, select Current from this list.

v.Fill in the remaining certificate arguments. (Refer to ???Comments on Certificate Fields.??? on page 7-11.)

vi.Click on the [Apply Changes] button to generate new certificate and key, if selected.

7-13

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

For example, to generate a new host certificate via the web browsers inter- face:

Security Tab

SSL button

Create Certificate Button

Certificate Type Box

Key Size Selection

Certificate Arguments

Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen

To view the current host certificate in the web browser interface:

1.Proceed to the Security tab

2.Then the [SSL] button

7-14

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Current SSL Host Certificate

Figure 7-6. Web browser Interface showing current SSL Host Certificate

Generate a CA-Signed server host certificate with the Web

Browser Interface

This section describes how to install a CA-Signed server host certificate from the web browser interface. (For more information on how to access the web browser interface, refer to the chapter titled ???Using the Web Browser Inter- face??? in the Management and Configuration Guide for your switch.)

7-15

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.

To generate a certificate request from the web browser interface:

i.Select the Security tab, then the [SSL] button.

ii.Select the Create Certificate/Certificate Request radio button.

iii.Select Create CA Request from the Certificate Type drop-down list.

iv.Select the key size from the RSA Key Size drop-down list. If you want to re-use the current certificate key, select Current from this list.

v.Fill in the remaining certificate arguments. (Refer to ???Comments on Certificate Fields.??? on page 7-11.)

vi.Click on [Apply Changes] to create the certificate request. A new web browser page appears, consisting of two text boxes. The switch uses the upper text box for the certificate request text. The lower text box appears empty. You will use it for pasting in the certificate reply after you receive it from the certificate authority. (This authority must return a none-PEM encoded certificate request reply.)

vii.After the certificate authority processes your request and sends you a certificate reply (that is, an installable certificate), copy and paste the certificate into the lower text box.

viii.Click on the [Apply Changes] button to install the certificate.

7-16

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Certificate Request

Certificate Request Reply

-----BEGIN CERTIFICATE-----

MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa

QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU

VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww

GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy

MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh

cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW

BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u

emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe

0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml

MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B

Figure 7-7. Example of a Certificate Request and Reply

3.Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior

The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSL, the switch can authenticate itself to SSL enabled browsers. The no web- management ssl command is used to disable SSL on the switch.

7-17

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

7-18

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Using the CLI interface to enable SSL

Syntax: [no] web-management ssl

Enables or disables SSL on the switch.

[port < 1-65535 | default:443 >]

The TCP port number for SSL connections (default: 443). Important: See ???Note on Port Number??? on page 7-20.

show config

Shows status of the SSL server. When enabled, web- management ssl appears in the config list.

To enable SSL on the switch

1.Generate a Host certificate if you have not already done so. (Refer to ???2. Generate the Switch???s Server Host Certificate??? on page 7-9.)

2.Execute the web-management ssl command.

To disable SSL on the switch, do either of the following:

???Execute no web-management ssl.

???Zeroize the switch???s host certificate or certificate key. (page 7-10).

Using the web browser interface to enable SSL

To enable SSL on the switch

i.Proceed to the Security tab then the SSL button

ii.Select SSL Enable to on and enter the TCP port you desire to connect on.

iii.Click on the [Apply Changes] button to enable SSL on the port.

To disable SSL on the switch, do either of the following:

i.Proceed to the Security tab then the SSL button

ii.Select SSL Enable to off .

iii.Click on the [Apply Changes] button to enable SSL on the port.

7-19

Configuring Secure Socket Layer (SSL)

Configuring the Switch for SSL Operation

Enable SLL

and port number Selection

Figure 7-8. Using the web browser interface to enable SSL and select TCP port number

7-20

Configuring Secure Socket Layer (SSL)

Common Errors in SSL Setup

Common Errors in SSL Setup

7-21

Configuring Secure Socket Layer (SSL)

Common Errors in SSL Setup

??? This page is intentionally unused. ???

7-22

8

Configuring Port-Based Access Control (802.1X)

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

How 802.1X Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6

Switch-Port Supplicant Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10

General Setup Procedure for Port-Based Access Control (802.1X) . . . . . 8-12 Do These Steps Before You Configure 802.1X Operation . . . . . . . . . 8-12 Overview: Configuring 802.1X Authentication on the Switch . . . . . . 8-13

Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . . . . . . 8-15 1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . . 8-15 3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . . 8-19 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 8-20 5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . . 8-20

Option For Authenticator Ports: Configure Port-Security To

Allow Only 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32

8-1

Configuring Port-Based Access Control (802.1X)

Contents

Configuring Switch Ports To Operate As Supplicants for

802.1X Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34

Displaying 802.1X Configuration, Statistics, and Counters . . . . . . . . . . . . 8-38 Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 8-38 Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . . 8-40 Show Commands for Port-Access Supplicant . . . . . . . . . . . . . . . . . . . 8-43

How RADIUS/802.1X Authentication Affects VLAN Operation . . . . . . . . 8-44

Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48

8-2

Configuring Port-Based Access Control (802.1X)

Overview

Overview

Why Use Port-Based Access Control?

Local area networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a network. Also, the use of DHCP services and zero configuration make access to networking services easily available. This exposes the network to unauthorized use and malicious attacks. While access to the network should be made easy, uncontrolled and unauthorized access is usually not desirable. 802.1X provides access control along with the ability to control user profiles from a central RADIUS server while allowing users access from multiple points within the network.

General Features

802.1X on the ProCurve switches covered in this manual includes the follow- ing:

???Switch operation as both an authenticator (for supplicants having a point-to-point connection to the switch) and as a supplicant for point- to-point connections to other 802.1X-aware switches.

???Authentication of 802.1X clients using a RADIUS server and either the EAP or CHAP protocol.

???Provision for enabling clients that do not have 802.1 supplicant soft- ware to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode).

???Supplicant implementation using CHAP authentication and indepen- dent username and password configuration on each port.

???Prevention of traffic flow in either direction on unauthorized ports.

8-3

Configuring Port-Based Access Control (802.1X)

Overview

???Local authentication of 802.1X clients using the switch???s local user- name and password (as an alternative to RADIUS authentication).

???Temporary on-demand change of a port???s VLAN membership status to support a current client???s session. (This does not include ports that are members of a trunk.)

???Session accounting with a RADIUS server, including the accounting update interval.

???Use of Show commands to display session counters.

???With port-security enabled for port-access control, limit a port to one 802.1X client session at a given time.

Authenticating Users. Port-Based Access Control (802.1X) provides switch-level security that allows LAN access only to users who enter the authorized RADIUS username and password on 802.1X-capable clients (sup- plicants). This simplifies security management by allowing you to control access from a master database in a single server (although you can use up to three RADIUS servers to provide backups in case access to the primary server fails). It also means a user can enter the same username and password pair for authentication, regardless of which switch is the access point into the LAN. Note that you can also configure 802.1X for authentication through the switch???s local username and password instead of a RADIUS server, but doing so increases the administrative burden, decentralizes username/password administration, and reduces security by limiting authentication to one Oper- ator/Manager password set for all users.

Providing a Path for Downloading 802.1X Supplicant Software. For clients that do not have the necessary 802.1X supplicant software, there is also the option to configure the 802.1X Open VLAN mode. This mode allows you to assign such clients to an isolated VLAN through which you can provide the necessary supplicant software these clients need to begin the authentication process. (Refer to ???802.1X Open VLAN Mode??? on page 8-21.)

Authenticating One Switch to Another. 802.1X authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1X authentication.

8-4

Configuring Port-Based Access Control (802.1X)

Figure 8-1. Example of an 802.1X Application

Accounting . The switch also provides RADIUS Network accounting for 802.1X access. Refer to ???RADIUS Authentication and Accounting??? on page 5-1.

8-5

Configuring Port-Based Access Control (802.1X)

How 802.1X Operates

How 802.1X Operates

Authenticator Operation

This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode???refer to ???802.1X Open VLAN Mode??? on page 8-21.) For example, suppose that you have configured a port on the switch for 802.1X authentication operation. If you then connect an 802.1X-aware client (suppli- cant) to the port and attempt to log on:

1.When the switch detects the client on the port, it blocks access to the LAN from that port.

2.The switch responds with an identity request.

3.The client responds with a user name that uniquely defines this request for the client.

4.The switch responds in one of the following ways:

???If 802.1X (port-access) on the switch is configured for RADIUS authentication, the switch then forwards the request to a RADIUS server.

i.The server responds with an access challenge which the switch forwards to the client.

ii.The client then provides identifying credentials (such as a user certificate), which the switch forwards to the RADIUS server.

iii.The RADIUS server then checks the credentials provided by the client.

iv.If the client is successfully authenticated and authorized to con- nect to the network, then the server notifies the switch to allow access to the client. Otherwise, access is denied and the port remains blocked.

???If 802.1X (port-access) on the switch is configured for local authenti- cation, then:

i.The switch compares the client???s credentials with the username and password configured in the switch (Operator or Manager level).

ii.If the client is successfully authenticated and authorized to con- nect to the network, then the switch allows access to the client. Otherwise, access is denied and the port remains blocked.

8-6

Configuring Port-Based Access Control (802.1X)

How 802.1X Operates

Switch-Port Supplicant Operation

This operation provides security on links between 802.1X-aware switches. For example, suppose that you want to connect two switches, where:

???Switch ???A??? has port A1 configured for 802.1X supplicant operation.

???You want to connect port A1 on switch ???A??? to port B5 on switch ???B???.

Switch ???B???

Port B5

Port A1

Switch ???A???

Port A1 Configured as an

802.1X Supplicant

Figure 8-2. Example of Supplicant Operation

1.When port A1 on switch ???A??? is first connected to a port on switch ???B???, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch ???B???.

???If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch ???B??? is not 802.1X-aware, and transitions to the authenticated state. If switch ???B??? is operating properly and is not 802.1X-aware, then the link should begin functioning normally, but without 802.1X security.

???If, after sending one or more start packets, port A1 receives a request packet from port B5, then switch ???B??? is operating as an 802.1X authenticator. The supplicant port then sends a response/ID packet. Switch ???B??? forwards this request to a RADIUS server.

2.The RADIUS server then responds with an MD5 access challenge that switch ???B??? forwards to port A1 on switch ???A???.

3.Port A1 replies with an MD5 hash response based on its username and password or other unique credentials. Switch ???B??? forwards this response to the RADIUS server.

4.The RADIUS server then analyzes the response and sends either a ???suc- cess??? or ???failure??? packet back through switch ???B??? to port A1.

???A ???success??? response unblocks port B5 to normal traffic from port A1.

8-7

Configuring Port-Based Access Control (802.1X)

Terminology

???A ???failure??? response continues the block on port B5 and causes port A1 to wait for the ???held-time??? period before trying again to achieve authentication through port B5.

Terminology

802.1X-Aware: Refers to a device that is running either 802.1X authenticator software or 802.1X client software and is capable of interacting with other devices on the basis of the IEEE 802.1X standard.

Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authen- ticated clients with network services that are not available on either the port???s statically configured VLAN memberships or any VLAN member- ships that may be assigned during the RADIUS authentication process. While an 802.1X port is a member of this VLAN, the port is untagged. When the client connection terminates, the port drops its membership in this VLAN.

Authentication Server: The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator. In the case of an ProCurve switch running 802.1X, this is a RADIUS server (unless local authentication is used, in which case the switch performs this function using its own username and password for authenticating a supplicant).

Authenticator: In ProCurve switch applications, a device such as a switch that requires a supplicant to provide the proper credentials (username and password) before being allowed access to the network.

CHAP (MD5): Challenge Handshake Authentication Protocol.

Client: In this application, an end-node device such as a management station, workstation, or mobile PC linked to the switch through a point-to-point LAN link.

8-8

Configuring Port-Based Access Control (802.1X)

Terminology

EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods.

EAPOL: Extensible Authentication Protocol Over LAN, as defined in the

802.1X standard.

Friendly Client: A client that does not pose a security risk if given access to the switch and your network.

MD5: An algorithm for calculating a unique digital signature over a stream of bytes. It is used by CHAP to perform authentication without revealing the shared secret (password).

PVID (Port VID): This is the VLAN ID for the untagged VLAN to which an 802.1X port belongs.

Static VLAN: A VLAN that has been configured as ???permanent??? on the switch by using the CLI vlan < vid > command or the Menu interface.

Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network. This is usually an end-user work- station, but it can be a switch, router, or another device seeking network services.

Tagged VLAN Membership: This type of VLAN membership allows a port to be a member of multiple VLANs simultaneously. If a client connected to the port has an operating system that supports 802.1q VLAN tagging, then the client can access VLANs for which the port is a tagged member. If the client does not support VLAN tagging, then it can access only a VLAN for which the port is an untagged member. (A port can be an untagged member of only one VLAN at a time.) 802.1X Open VLAN mode does not affect a port???s tagged VLAN access unless the port is statically configured as a member of a VLAN that is also configured as the Unauthorized-Client or Authorized-Client VLAN. See also ???Untagged VLAN Membership???.

Unauthorized-Client VLAN: A conventional, static VLAN previously config- ured on the switch by the System Administrator. It is used to provide access to a client prior to authentication. It should be set up to allow an unauthenticated client to access only the initialization services necessary to establish an authenticated connection, plus any other desirable services whose use by an unauthenticated client poses no security threat to your network. (Note that an unauthenticated client has access to all network resources that have membership in the VLAN you designate as the Unauthorized-Client VLAN.) A port configured to use a given Unau- thorized-Client VLAN does not have to be statically configured as a

8-9

Configuring Port-Based Access Control (802.1X)

General Operating Rules and Notes

member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unau- thorized-Client VLAN.

Untagged VLAN Membership: A port can be an untagged member of only one VLAN. (In the factory-default configuration, all ports on the switch are untagged members of the default VLAN.) An untagged VLAN member- ship is required for a client that does not support 802.1q VLAN tagging. A port can simultaneously have one untagged VLAN membership and multiple tagged VLAN memberships. Depending on how you configure 802.1X Open VLAN mode for a port, a statically configured, untagged VLAN membership may become unavailable while there is a client session on the port. See also ???Tagged VLAN Membership???.

General Operating Rules and Notes

???When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a re-authentication of the link.

???When a port on the switch is configured as an authenticator, it will block access to a client that either does not provide the proper authentication credentials or is not 802.1X-aware. (You can use the optional 802.1X Open VLAN mode to open a path for downloading 802.1X supplicant software to a client, which enables the client to initiate the authentication procedure. Refer to ???802.1X Open VLAN Mode??? on page 8-21.)

???If a port on switch ???A??? is configured as an 802.1X supplicant and is connected to a port on another switch, ???B???, that is not 802.1X-aware, access to switch ???B??? will occur without 802.1X security protection.

8-10

Configuring Port-Based Access Control (802.1X)

General Operating Rules and Notes

???If a client already has access to a switch port when you configure the port for 802.1X authenticator operation, the port will block the client from further network access until it can be authenticated.

???On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked. If the port is later removed from the trunk, the port will try to authenticate the supplicant. If authentication is successful, the port becomes unblocked. Similarly, if the supplicant is authenticated and later the port becomes a trunk member, the port will be blocked. If the port is then removed from the trunk, it tries to re-authenticate the supplicant. If successful, the port becomes unblocked.

???To help maintain security, 802.1X and LACP cannot both be enabled on the same port. If you try to configure 802.1X on a port already configured for LACP (or the reverse) you will see a message similar to the following:

Error configuring port X: LACP and 802.1X cannot be run together.

Note on 802.1X To help maintain security, the switch does not allow 802.1X and LACP to both and LACP be enabled at the same time on the same port. Refer to ???802.1X Operating

Messages??? on page 8-48

8-11

Configuring Port-Based Access Control (802.1X)

General Setup Procedure for Port-Based Access Control (802.1X)

General Setup Procedure for Port-Based

Access Control (802.1X)

Do These Steps Before You Configure 802.1X Operation

1.Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, ProCurve recommends that you use a local username and password pair at least until your other security measures are in place.)

2.Determine which ports on the switch you want to operate as authentica- tors and/or supplicants, and disable LACP on these ports. (See the ???Note on 802.1X and LACP??? on page 8-11.)

3.Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software. (This will require you to provide download- able software that the client can use to enable an authentication session.) For more on this topic, refer to ???802.1X Open VLAN Mode??? on page 8-21.

4.For each port you want to operate as a supplicant, determine a username and password pair. You can either use the same pair for each port or use unique pairs for individual ports or subgroups of ports. (This can also be the same local username/password pair that you assign to the switch.)

5.Unless you are using only the switch???s local username and password for 802.1X authentication, configure at least one RADIUS server to authenti- cate access requests coming through the ports on the switch from external supplicants (including switch ports operating as 802.1X supplicants). You can use up to three RADIUS servers for authentication; one primary and two backups. Refer to the documentation provided with your RADIUS application.

8-12

Configuring Port-Based Access Control (802.1X)

General Setup Procedure for Port-Based Access Control (802.1X)

Overview: Configuring 802.1X Authentication on the

Switch

This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to ???RADIUS Authentication and Accounting??? on page 5-1 or ???Configuring Switch Ports To Operate As Suppli- cants for 802.1X Connections to Other Switches??? on page 8-34.

1.Enable 802.1X authentication on the individual ports you want to serve as authenticators. On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch. This requires a client to support 802.1X authentication and to provide valid credentials to get network access. Refer to page 8-15.

2.If you want to provide a path for clients without 802.1X supplicant software to download the software so that they can initiate an authenti- cation session, enable the 802.1X Open VLAN mode on the ports you want to support this feature. Refer to page 8-21.

3.Configure the 802.1X authentication type. Options include:

???Local Operator username and password (the default). This option allows a client to use the switch???s local username and password as valid 802.1X credentials for network access.

???EAP RADIUS: This option requires your RADIUS server application to support EAP authentication for 802.1X.

???CHAP (MD5) RADIUS: This option requires your RADIUS server application to support CHAP (MD5) authentication.

See page 8-19.

4.If you select either eap-radius or chap-radius for step 3, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. See page 8-20.

5.Enable 802.1X authentication on the switch. See page 8-15.

6.Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.

8-13

Configuring Port-Based Access Control (802.1X)

General Setup Procedure for Port-Based Access Control (802.1X)

7.If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.1X operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1X port. See page 8-32.

8.If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802.1X authenticator on another device, then configure the supplicant operation. (Refer to ???Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches??? on page 8-34.)

8-14

8-15

Configuring Port-Based Access Control (802.1X)

Configuring Switch Ports as 802.1X Authenticators

Syntax: aaa port-access authenticator < port-list >

Enables specified ports to operate as 802.1X authenti- cators with current per- port authenticator configura- tion. To activate configured 802.1X operation, you must enable 802.1X authentication. Refer to ???5. Enable 802.1X Authentication on the switch??? on page 8-13.

[control < authorized | auto | unauthorized >]

Controls authentication mode on the specified port:

authorized: Also termed Force Authorized. Grants access to any device connected to the port. In this case, the device does not have to provide 802.1X credentials or support 802.1X authentication. (However, you can still configure console, Telnet, or SSH security on the port.)

auto (the default): The device connected to the port must support 802.1X authentication and provide valid credentials in order to get network access. (You have the option of using the Open VLAN mode to provide a path for clients without 802.1X supplicant software to download this software and begin the authentication process. Refer to ???802.1X Open VLAN Mode??? on page 8-21.)

unauthorized: Also termed Force Unauthorized. Do not grant access to the network, regardless of whether the device provides the correct credentials and has 802.1X support. In this state, the port blocks access to any connected device.

[quiet-period < 0 - 65535 >]

Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 seconds)

[tx-period < 0 - 65535 >]

Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds)

[supplicant-timeout < 1 - 300 >]

8-16

Configuring Port-Based Access Control (802.1X)

Configuring Switch Ports as 802.1X Authenticators

Sets the period of time the switch waits for a supplicant response to an EAP re quest. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds)

aaaport-access authenticator < port-list > (Syntax Continued)

[server-timeout < 1 - 300 >]

Sets the period of time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out. Depending on the current max-requests setting, the switch will either send a new request to the server or end the authentication session. (Default: 30 seconds)

[max-requests < 1 - 10 >]

Sets the number of authentication attempts that must time-out before authentication fails and the authenti- cation session ends. If you are using the Local authen- tication option, or are using RADIUS authentication with only one host server, the switch will not start another session until a client tries a new access attempt. If you are using RADIUS authentication with two or three host servers, the switch will open a session with each server, in turn, until authentication occurs or there are no more servers to try. During the quiet- period (previous page), if any, you cannot reconfigure this parameter. (Default: 2)

[reauth-period < 1 - 9999999 >]

Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second)

[unauth-vid < vlan-id >]

Configures an existing static VLAN to be the Unauthor- ized-Client VLAN. This enables you to provide a path for clients without supplicant software to download the software and begin an authentication session. Refer to ???802.1X Open VLAN Mode??? on page 8-21.

[auth-vid < vid >

8-17

Configuring Port-Based Access Control (802.1X)

Configuring Switch Ports as 802.1X Authenticators

Configures an existing, static VLAN to be the Autho- rized-Client VLAN. Refer to ???802.1X Open VLAN Mode??? on page 8-21.

aaaport-access authenticator < port-list > (Syntax Continued)

[initialize]

On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. This happens only on ports configured with control auto and actively operating as 802.1X authenticators.

Note: If a specified port is configured with control authorized and port-security, and the port has learned an authorized address, the port will remove this address and learn a new one from the first packet it receives.

[reauthenticate]

Forces reauthentication (unless the authenticator is in 'HELD' state).

[clear-statistics]

Clears authenticator statistics counters.

8-18

Configuring Port-Based Access Control (802.1X)

Configuring Switch Ports as 802.1X Authenticators

3. Configure the 802.1X Authentication Method

This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenti- cator.

Syntax: aaa authentication port-access < local | eap-radius | chap-radius >

Determines the type of RADIUS authentication to use.

local Use the switch???s local username and password for supplicant authentication.

eap-radius Use EAP-RADIUS authentication. (Refer to the documentation for your RADIUS server.)

chap-radius Use CHAP-RADIUS (MD-5) authentication. (Refer to the documentation for your RADIUS server appli- cation.)

For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers:

Configuration command for EAP-RADIUS authentication.

802.1X (Port-Access) configured for EAP- RADIUS authentication.

Figure 8-3. Example of 802.1X (Port-Access) Authentication

8-19

Configuring Port-Based Access Control (802.1X)

Configuring Switch Ports as 802.1X Authenticators

4. Enter the RADIUS Host IP Address(es)

If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to ???RADIUS Authentication and Accounting??? on page 5-1.

Syntax: radius host < ip-address >

Adds a server to the RADIUS configuration.

[key < server-specific key-string >]

Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the spec- ified server. This key must match the key used on the RADIUS server. Use this option only if the specified server requires a different key than configured for the global encryption key.

radius-server key < global key-string >

Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server- specific encryption key.

5. Enable 802.1X Authentication on the Switch

After configuring 802.1X authentication as described in the preceding four sections, activate it with this command:

Syntax: aaa port-access authenticator active

Activates 802.1X port-access on ports you have configured as authenticators.

8-20

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

802.1X Open VLAN Mode

This section describes how to use the 802.1X Open VLAN mode to configure unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators.

Introduction

Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it detects a new client. In earlier releases, a ???friendly??? client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1X access security. As a result, the port would become blocked and the client could not access the network. This prevented the client from:

???Acquiring IP addressing from a DHCP server

???Downloading the 802.1X supplicant software necessary for an authen- tication session

The 802.1X Open VLAN mode solves this problem by temporarily suspending the port???s static, tagged and untagged VLAN memberships and placing the port in a designated Unauthorized-Client VLAN. In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X software, and starting the authentication process. Following client authentication, the port drops its temporary (untagged) membership in the Unauthorized-Client VLAN and joins (or rejoins) one of the following as an untagged member:

8-21

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

1.1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication.

2.2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port???s 802.1X configuration as an Authorized-Client VLAN, if config- ured.

3.3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN.

If the port is not configured for any of the above, then it must be a tagged member of at least one static VLAN. If the client is capable of operating with that tagged VLAN, then it receives access to the VLAN. Otherwise, the con- nection fails.

Use Models for 802.1X Open VLAN Modes

You can apply the 802.1X Open VLAN mode in more than one way. Depending on your use, you will need to create one or two static VLANs on the switch for exclusive use by per-port 802.1X Open VLAN mode authentication:

???Unauthorized-Client VLAN: Configure this VLAN when unauthen- ticated, friendly clients will need access to some services before being authenticated.

???Authorized-Client VLAN: Configure this VLAN for authenticated clients when the port is not statically configured as an untagged member of a VLAN you want clients to use, or when the port is statically configured as an untagged member of a VLAN you do not want clients to use. (A port can be configured as untagged on only one VLAN. When an Authorized-Client VLAN is configured, it will always be untagged and will block the port from using a statically configured, untagged membership in another VLAN.) Note that after client authentication, the port returns to membership in any tagged VLANs for which you have configured it. See the "Note", above.

8-22

Open VLAN mode with both of the following configured:

8-23

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

Open VLAN Mode with Only an Unauthorized-Client VLAN Configured:

???When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session. If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.

???After the client is authenticated, and if the port is statically configured as an untagged member of another VLAN, the port???s access to this other VLAN is restored.

Note: If RADIUS authentication assigns a VLAN to the port, this assignment overrides any statically configured, untagged VLAN membership on the port (while the client is connected).

???If the port is statically configured as a tagged member of a VLAN that is not used by 802.1X Open VLAN mode, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. Note that if the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection. After the client disconnects, the port returns to tagged membership in that VLAN.

Open VLAN Mode with Only an Authorized-Client VLAN Configured:

???Port automatically blocks a client that cannot initiate an authentication session.

???If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.

Note: if RADIUS authentication assigns a VLAN, the port temporarily becomes an untagged member of the RADIUS- assigned VLAN ???instead of the Authorized-Client VLAN???while the client is connected.

???If the port is statically configured as a tagged member of any other VLAN, the port returns to tagged membership in this VLAN upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN. If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN, then the port becomes an untagged member of that VLAN for the duration of the client connection. After the client disconnects, the port returns to tagged membership in that VLAN.

8-24

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

Operating Rules for Authorized-Client and

Unauthorized-Client VLANs

Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them. (Use the vlan < vlan-id >

command or the VLAN Menu screen in the Menu interface.)

8-25

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

each other. However, in this case, you can improve security between authen- ticator ports by using the switch???s Source-Port filter feature. For example, if you are using ports B1 and B2 as authenticator ports on the same Unauthor- ized-Client VLAN, you can configure a Source-Port filter on B1 to drop all packets from B2 and the reverse.

8-26

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

Setting Up and Configuring 802.1X Open VLAN Mode

Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 8-1 on page 8-23 for other options.

Before you configure the 802.1X Open VLAN mode on a port:

???Statically configure an ???Unauthorized-Client VLAN??? in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to unauthenticated clients. (802.1X authenticator ports do not have to be members of this VLAN.)

???Statically configure an Authorized-Client VLAN in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to authenticated clients. 802.1X authen- ticator ports do not have to be members of this VLAN.

Note that if an 802.1X authenticator port is an untagged member of another VLAN, the port???s access to that other VLAN will be temporarily removed while an authenticated client is connected to the port. For example, if:

i.Port A5 is an untagged member of VLAN 1 (the default VLAN).

ii.You configure port A5 as an 802.1X authenticator port.

iii.You configure port A5 to use an Authorized-Client VLAN.

Then, if a client connects to port A5 and is authenticated, port A5 becomes an untagged member of the Authorized-Client VLAN and is temporarily suspended from membership in the default VLAN.

???If you expect friendly clients to connect without having 802.1X suppli- cant software running, provide a server on the Unauthorized-Client VLAN for downloading 802.1X supplicant software to the client, and a procedure by which the client initiates the download.

???A client must either have a valid IP address configured before connecting to the switch, or download one through the Unauthorized- Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN.

8-27

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

??? Ensure that the switch is connected to a RADIUS server configured

Configuring General 802.1X Operation: These steps enable 802.1X authentication, and must be done before configuring 802.1X VLAN operation.

1.Enable 802.1X authentication on the individual ports you want to serve as authenticators. (The switch automatically disables LACP on the ports on which you enable 802.1X.) On the ports you will use as authenticators with VLAN operation, ensure that the (default) port-control parameter is set to auto. (Refer to ???1. Enable 802.1X Authentication on Selected Ports??? on page 8-15.) This setting requires a client to support 802.1X authenti- cation (with 802.1X supplicant operation) and to provide valid creden- tials to get network access.

Syntax: aaa port-access authenticator e < port-list > control auto

Activates 802.1X port-access on ports you have configured as authenticators.

2.Configure the 802.1X authentication type. Options include:

Syntax: aaa authentication port-access < local | eap-radius | chap-radius >

Determines the type of RADIUS authentication to use.

local: Use the switch???s local username and password for supplicant authentication (the default).

eap-radiusUse EAP-RADIUS authentication. (Refer to the documentation for your RADIUS server.

chap-radiusUse CHAP-RADIUS (MD5) authentication. (Refer to the documentation for your RADIUS server software.)

8-28

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

3.If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch.

Syntax: radius host < ip-address >

Adds a server to the RADIUS configuration.

[key < server-specific key-string >]

Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server. Use this option only if the specified server requires a different key than configured for the global encryption key.

radius-server key < global key-string >

Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server- specific encryption key.

4.Activate authentication on the switch.

Syntax: aaa port-access authenticator active

Activates 802.1X port-access on ports you have config- ured as authenticators.

5.Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.

8-29

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to ???Preparation??? on page 8-27.

Syntax: aaa port-access authenticator [e] < port-list > [auth-vid < vlan-id >]

Configures an existing, static VLAN to be the Authorized-

Client VLAN.

[< unauth-vid < vlan-id >]

Configures an existing, static VLAN to be the Unauthor- ized-Client VLAN.

For example, suppose you want to configure 802.1X port-access with Open VLAN mode on ports A10 - A20 and:

???These two static VLANs already exist on the switch:

???Unauthorized, VID = 80

???Authorized, VID = 81

???Your RADIUS server has an IP address of 10.28.127.101. The server uses rad4all as a server-specific key string. The server is connected to a port on the Default VLAN.

???The switch's default VLAN is already configured with an IP address of 10.28.127.100 and a network mask of 255.255.255.0

ProCurve(config)# aaa authentication port-access eap-radius

Configures the switch for 802.1X authentication using an EAP-RADIUS server.

ProCurve(config)# aaa port-access authenticator a10-a20

Configures ports A10 - A20 as 802.1 authenticator ports.

ProCurve(config)# radius host 10.28.127.101 key rad4all

Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all.

ProCurve(config)# aaa port-access authenticator e a10-a20 unauth-vid 80

Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.

ProCurve(config)# aaa port-access authenticator e a10-a20 auth-vid 81

Configures ports A10 - A20 to use VLAN 81 as the Authorized-Client VLAN.

ProCurve(config)# aaa port-access authenticator active

Activates 802.1X port-access on ports you have configured as authenticators.

8-30

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to ???Viewing 802.1X Open VLAN Mode Status??? on page 8-40.

802.1X Open VLAN Operating Notes

???Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Using the same VLAN for both purposes allows unauthenticated clients access to a VLAN intended only for authenticated clients, which poses a security breach.

???While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still display the port???s statically configured VLAN(s).

???A VLAN used as the Unauthorized-Client VLAN should not allow access to resources that must be protected from unauthenticated clients.

???If a port is configured as a tagged member of VLAN "X" that is not used as an Unauthorized-Client, Authorized-Client, or RADIUS-assigned VLAN, then the port returns to tagged membership in VLAN "X" upon successful client authentication. This happens even if the RADIUS server assigns the port to another, authorized VLAN "Y". Note that if RADIUS assigns VLAN "X" as an authorized VLAN, then the port becomes an untagged member of VLAN "X" for the duration of the client connection. After the client disconnects, the port returns to tagged membership in VLAN "X". (If there is no Authorized-Client or RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.)

???When a client???s authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port.

???During an authentication session on a port in 802.1X Open VLAN mode, if RADIUS specifies membership in an untagged VLAN, this assignment overrides port membership in the Authorized-Client VLAN. If there is no Authorized-Client VLAN configured, then the RADIUS assignment overrides any untagged VLAN for which the port is statically configured.

8-31

Configuring Port-Based Access Control (802.1X)

Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices

???If an authenticated client loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself.

Option For Authenticator Ports:

Configure Port-Security To Allow Only

802.1X Devices

If you use port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port. Then, only traffic from this specific device is allowed on the port. When this device logs off, another 802.1X-aware device can be authenticated on the port.

Syntax: port-security [ethernet] < port-list >

learn-mode port-access

8-32

Configuring Port-Based Access Control (802.1X)

Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices

8-33

Configuring Port-Based Access Control (802.1X)

Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches

Configuring Switch Ports To Operate As

Supplicants for 802.1X Connections to

Other Switches

You can configure a switch port to operate as a supplicant in a connection to a port on another 802.1X-aware switch to provide security on links between 802.1X-aware switches. (Note that a port can operate as both an authenticator and a supplicant.)

For example, suppose that you want to connect two switches, where:

???Switch ???A??? has port A1 configured for 802.1X supplicant operation

???You want to connect port A1 on switch ???A??? to port B5 on switch ???B???.

Port A1

Switch ???A???

Port A1 Configured as an

802.1X Supplicant

Figure 8-4. Example of Supplicant Operation

8-34

Configuring Port-Based Access Control (802.1X)

Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches

1.When port A1 on switch ???A??? is first connected to a port on switch ???B???, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch ???B???.

???If, after the supplicant port sends the configured number of start request packets, it does not receive a response, it assumes that switch ???B??? is not 802.1X-aware, and transitions to the authenticated state. If switch ???B??? is operating properly and is not 802.1X-aware, then the link should begin functioning normally, but without 802.1X security.

???If, after sending one or more start request packets, port A1 receives a request packet from port B5, then switch ???B??? is operating as an 802.1X authenticator. The supplicant port then sends a response/ID packet. If switch ???B??? is configured for RADIUS authentication, it forwards this request to a RADIUS server. If switch ???B??? is configured for Local 802.1X authentication (page 8-19), the authenticator com- pares the switch ???A??? response to its local username and password.

2.The RADIUS server then responds with an access challenge that switch ???B??? forwards to port A1 on switch ???A???.

3.Port A1 replies with a hash response based on its unique credentials. Switch ???B??? forwards this response to the RADIUS server.

4.The RADIUS server then analyzes the response and sends either a ???suc- cess??? or ???failure??? packet back through switch ???B??? to port A1.

???A ???success??? response unblocks port B5 to normal traffic from port A1.

???A ???failure??? response continues the block on port B5 and causes port A1 to wait for the ???held-time??? period before trying again to achieve authentication through port B5.