HP 2800 User Manual

Browse online or download the user manual for HP 2800 printers. HP 2800 User Manual, User Guide

Summary of contents

Page 1

Access Security Guide www.hp.com/go/hpprocurve Switch 2600 Series, Switch 2600-PWR Series, Switch 2800 Series, Switch 4100 Series, Switch 6108

Page 2

5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . . 8-20 802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . .

Page 3 - October 2004

TACACS+ Authentication Operating Notes ■ When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not acces

Page 4

5 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 5

RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 5-6 n/a Configu

Page 6 - 4 TACACS+ Authentication

RADIUS Authentication and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication p

Page 7

RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS ■ You must have at least one RADIUS server a

Page 8

RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS serv

Page 9

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication RADIUS Authenti

Page 10

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note- This step assumes you have already configured the RADIUS s

Page 11 - 10 Traffic/Security Filters

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADI

Page 12

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords

Page 13 - Getting Started

MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25 Port Security and MAC Lockout . .

Page 14

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section d

Page 15

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in

Page 16

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can confi

Page 17 - Guideline

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication num-attempts < 1 - 10 > Specif

Page 18 - Simulating Display Output

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose that your switch is configured to use three

Page 19 - Related Publications

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication After two attempts failing due to username or password entry err

Page 20

RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts

Page 21 - 3. Click on manuals

RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Acces

Page 22 - Sources for More Information

RADIUS Authentication and Accounting Configuring RADIUS Accounting Note This section assumes you have already: ■ Configured RADIUS authentication on

Page 23 - Network

RADIUS Authentication and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS

Page 24

Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Configuring One Station Per Authori

Page 25

RADIUS Authentication and Accounting Configuring RADIUS Accounting – Optional—if you are also configuring the switch for RADIUS authentication, and n

Page 26

RADIUS Authentication and Accounting Configuring RADIUS Accounting Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS c

Page 27

RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non-default

Page 28 - Menu: Setting Passwords

RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Start-Stop: • Send a start record accounting notice at the beginning of the acc

Page 29

RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optiona

Page 30

RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-

Page 31 - Front-Panel Security

RADIUS Authentication and Accounting Viewing RADIUS Statistics Table 5-2. Values for Show Radius Host Output (Figure 5-11) Term Definition Round Tri

Page 32

RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and

Page 33 - Front-Panel Button Functions

RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting inter

Page 34 - Reset Button

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Swit

Page 35

1 Getting Started Contents Introduction and Applicable Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 About the Feature Desc

Page 36

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003

Page 37

RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS ser

Page 38

RADIUS Authentication and Accounting Messages Related to RADIUS Operation — This page is intentionally unused. — 5-32

Page 39

6 Configuring Secure Shell (SSH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 40

Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CLI Web Generating a public/private key pair on the switch No n/a page 6-

Page 41 - Password Recovery

Configuring Secure Shell (SSH) Overview Note SSH in the HP Procurve is based on the OpenSSH software toolkit. For more information on OpenSSH, visit

Page 42 - [N] (for “No”)

Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: An HP ProCurve switch with SSH enabled. ■ Key Pair: A pair of keys generated by

Page 43 - Password Recovery Process

Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publ

Page 44

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch

Page 45

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Oper

Page 46

Getting Started Introduction and Applicable Switches Introduction and Applicable Switches This guide describes how to use HP’s switch security feature

Page 47 - Client Options

Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be e

Page 48 - General Features

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section

Page 49 - Operate

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-5. Example of Configuring Local Passwords 2. Generating the Switch’s

Page 50

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the

Page 51 - MAC-based Authentication

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch

Page 52

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the swit

Page 53

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example Before s

Page 54 - Operating Rules and Notes

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Hexadecimal "Fingerprints" of the Same Switch Phonetic "Hash"

Page 55

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an S

Page 56

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (de

Page 57

Getting Started Overview of Access Security Features Overview of Access Security Features ■ Local Manager and Operator Passwords (page 2-1): Control

Page 58 - Addresses

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourse

Page 59 - RADIUS Server

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< l

Page 60

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution To allow SSH access only to clients having the correct public key, yo

Page 61

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Figure 6-13 shows how to check the results of the above com

Page 62

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication When configured for SSH operation, the switch automatically

Page 63

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication a. Combines the decrypted byte sequence with specific sess

Page 64

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 1. Use your SSH client application to create a public/priv

Page 65

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: copy tftp pub-key-file <ip-address> <file

Page 66

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Enabling Client Public-Key Authentication. After you TFTP

Page 67

Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates

Page 68

Getting Started Overview of Access Security Features Table 1-1. Management Access Security Protection Security Feature Offers Protection Against Una

Page 69

Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Generating new RSA host key. If the cache is depleted, this could

Page 70 - Based Authentication

7 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 71

Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu CLI Web Generating a Self Signed Certificate on the switch No n/a

Page 72

Configuring Secure Socket Layer (SSL) Terminology HP Switch (SSL Server) SSL Client Browser 1. Switch-to-Client SSL Cert. 2. User-to-Switch (login pas

Page 73

Configuring Secure Socket Layer (SSL) Terminology ■ Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA).

Page 74 - Client Status

Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install

Page 75

Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the sw

Page 76

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in Th

Page 77 - Applications:

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can

Page 78

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a

Page 79 - General System Requirements

Getting Started General Switch Traffic Security Guideline General Switch Traffic Security Guideline Where the switch is running multiple security opti

Page 80

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Becau

Page 81 - Caution

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on Certificate Fields. There are a number arguments used in th

Page 82 - Before You Begin

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes “Zeroizing” the switch’s server host certificate or key automati

Page 83 - Configuration

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface

Page 84

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers in

Page 85

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 7-6. Web browser Interface showing

Page 86

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with o

Page 87 - Login Primary

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE---

Page 88

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s

Page 89

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl

Page 90 - Encryption Keys

Getting Started Command Syntax Conventions Command Syntax Conventions This guide uses the following conventions for command syntax and displays. Synta

Page 91

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 7-8. Using the web browser

Page 92 - First-Choice TACACS+ Server

Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate o

Page 93

Configuring Secure Socket Layer (SSL) Common Errors in SSL setup — This page is intentionally unused. — 7-22

Page 94 - How Authentication Operates

8 Configuring Port-Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 95

Configuring Port-Based Access Control (802.1X) Contents Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches

Page 96

Configuring Port-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Authenticators D

Page 97 - Using the Encryption Key

Configuring Port-Based Access Control (802.1X) Overview ■ Local authentication of 802.1X clients using the switch’s local user-name and password (as

Page 98 - Access When Using TACACS+

Configuring Port-Based Access Control (802.1X) Overview RADIUS Server LAN Core 802.1X-Aware Client (Supplicant) Switch Running 802.1X and Connected as

Page 99 - Messages Related to TACACS+

Configuring Port-Based Access Control (802.1X) How 802.1X Operates How 802.1X Operates Authenticator Operation This operation provides security on a d

Page 100 - Operating Notes

Configuring Port-Based Access Control (802.1X) How 802.1X Operates Switch-Port Supplicant Operation This operation provides security on links between

Page 101 - Contents

Getting Started Port Identity Convention for Examples Screen Simulations Figures containing simulated screen text and command output appear similar to

Page 102 - Overview

Configuring Port-Based Access Control (802.1X) Terminology • A “failure” response continues the block on port B5 and causes port A1 to wait for the “

Page 103 - Terminology

Configuring Port-Based Access Control (802.1X) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple

Page 104

Configuring Port-Based Access Control (802.1X) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch

Page 105

Configuring Port-Based Access Control (802.1X) General Operating Rules and Notes ■ If a client already has access to a switch port when you configure

Page 106 - Authentication

Configuring Port-Based Access Control (802.1X) General Setup Procedure for Port-Based Access Control (802.1X) General Setup Procedure for Port-Based A

Page 107

Configuring Port-Based Access Control (802.1X) General Setup Procedure for Port-Based Access Control (802.1X) Overview: Configuring 802.1X Authenticat

Page 108 - Want RADIUS To Protect

Configuring Port-Based Access Control (802.1X) General Setup Procedure for Port-Based Access Control (802.1X) 7. If you are using Port Security on th

Page 109 - SSH authentication

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configuring Switch Ports as 802.1X Authenticators 802

Page 110

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Syntax: aaa port-access authenticator < port-list

Page 111

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Sets the period of time the switch waits for a suppli

Page 113

Getting Started Related Publications PDF version of this guide is also provided on the Product Documentation CD-ROM shipped with the switch. And you c

Page 114

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configures an existing, static VLAN to be the Autho-r

Page 115

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This ta

Page 116 - Local Authentication Process

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select

Page 117 - Access When Using RADIUS

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 8-15 802.1X Supplicant

Page 118

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode 1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS

Page 119

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Res

Page 120

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthor

Page 121 - ■ IP address: 10.33.18.151

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Ru

Page 122 - Reports to the RADIUS Server

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Authorized-Client VLAN • When a client becomes authen

Page 123 - ■ Stop-Only:

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assume

Page 124 - Updating Options

Getting Started Getting Documentation From the Web Getting Documentation From the Web 1. Go to the HP ProCurve website at http://www.hp.com/go/hpproc

Page 125 - Viewing RADIUS Statistics

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode ■ Ensure that the switch is connected to a RADIUS server configured to support a

Page 126

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius h

Page 127

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open

Page 128 - RADIUS Accounting Statistics

Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on vi

Page 129

Configuring Port-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices ■ If an authentic

Page 130

Configuring Port-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices Note on If the po

Page 131

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring

Page 132

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 1. When po

Page 133

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring

Page 134

Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-ac

Page 135

Getting Started Sources for More Information Sources for More Information ■ If you need information on specific parameters in the menu interface, ref

Page 136

Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics,

Page 137 - Public Key Formats

Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Contin

Page 138

Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can

Page 139

Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ■ When the Unauth VLAN ID is configured and

Page 140

Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Status Indicator Meaning Unauthorized VLAN I

Page 141 - Operation

Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Synt

Page 142

Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the

Page 143

Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticate

Page 144 - Key for the

Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily un

Page 145 - Modulus <n>

Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 end

Page 146

Getting Started Need Only a Quick Start? ■ If you need further information on Hewlett-Packard switch technology, visit the HP ProCurve website at: h

Page 147 - Client Contact Behavior

Configuring Port-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 8-3. 802.1X Operating

Page 148 - ■ Execute no ip ssh

9 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 149

Configuring and Monitoring Port Security Overview Overview Feature Default Menu CLI Web Displaying Current Port Security n/a — page 9-10 page

Page 150

Configuring and Monitoring Port Security Overview General Operation for Port Security. On a per-port basis, you can configure security measures to blo

Page 151

Configuring and Monitoring Port Security Overview Switch A Port Security Configured Switch B MAC Address Authorized by Switch A PC 1 MAC Address Autho

Page 152

Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port security configuration and monitoring accord

Page 153 - Public-Key Authentication

Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Command

Page 154

Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > learn-mode < co

Page 155 - Comment

Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) le

Page 156

Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) ac

Page 157 - Key Index Number

Getting Started To Set Up and Install the Switch in Your Network — This page is intentionally unused. — 1-12

Page 158

Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Static MAC Addresses Learned MAC Addresses In the fo

Page 159

Configuring and Monitoring Port Security Port Security Command Options and Operation Using the CLI To Display Port Security Settings. Syntax: show por

Page 160 - Message Meaning

Configuring and Monitoring Port Security Port Security Command Options and Operation The following command example shows the option for entering a ran

Page 161

Configuring and Monitoring Port Security Port Security Command Options and Operation HPswitch(config)# port-security a1 learn-mode static mac-address

Page 162

Configuring and Monitoring Port Security Port Security Command Options and Operation The Address Limit has not been reached. Although the Address Limi

Page 163

Configuring and Monitoring Port Security Port Security Command Options and Operation If you are adding a device (MAC address) to a port on which the A

Page 164

Configuring and Monitoring Port Security Port Security Command Options and Operation To remove a device (MAC address) from the “Authorized” list and w

Page 165 - Prerequisite for Using SSL

Configuring and Monitoring Port Security MAC Lockdown Figure 9-8. Example of Port A1 After Removing One MAC Address MAC Lockdown MAC Lockdown is avali

Page 166

Configuring and Monitoring Port Security MAC Lockdown How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a V

Page 167

Configuring and Monitoring Port Security MAC Lockdown You cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC ad

Page 168 - Security Tab

2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 169

Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely

Page 170

Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within y

Page 171 - Generate New Certificate

Configuring and Monitoring Port Security MAC Lockdown 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch

Page 172

Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by th

Page 173

Configuring and Monitoring Port Security MAC Lockdown Mixed Users Internal Network External Network Switch 1 Server A Server A is locked dow

Page 174 - [SSL] button

Configuring and Monitoring Port Security MAC Lockout Displaying status. Locked down ports are listed in the output of the show running-config command

Page 175 - Browser Interface

Configuring and Monitoring Port Security MAC Lockout Lockout command (lockout-mac <mac-address>). When the wireless clients then attempt to use

Page 176

Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features HPswitch# show lockout-mac Locked Out Addresses 0 0734

Page 177 - Browser Contact Behavior

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags 4. Implement your new data by clicking on [Apply Changes]

Page 178

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • In an active network management environment via an SNMP

Page 179

Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-6 Set a Password none

Page 180 - Enable SLL

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Note on On a given port, if the intrusion action is to se

Page 181 - Common Errors in SSL setup

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags 2. Type [I] (Intrusion log) to display the Intrusion Log.

Page 182

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags provides a history of the last 20 intrusions detected by t

Page 183 - (802.1X)

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags CLI: Checking for Intrusions, Listing Intrusion Alerts, an

Page 184

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Dates and Times of Intrusions MAC Address of latest Intrud

Page 185

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Using the Event Log To Find Intrusion Alerts The Event Log

Page 186

Configuring and Monitoring Port Security Operating Notes for Port Security a. Click on the Security tab. b. Click on [Intrusion Log]. “Ports with In

Page 187 - 802.1X access. Refer to

Configuring and Monitoring Port Security Operating Notes for Port Security LACP Not Available on Ports Configured for Port Security. To maintain sec

Page 188 - How 802.1X Operates

Configuring and Monitoring Port Security Operating Notes for Port Security — This page is intentionally unused. — 9-38

Page 189

10 Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Contents Overview

Page 190

Configuring Username and Password Security Overview To configure password security: 1. Set a Manager password pair (and an Operator password pair, if

Page 191 - 802.1X standard

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Overview Overview Applicable Switch Models. Traffic/Security filters a

Page 192

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Overview to drop traffic. (Destination ports that comprise a trunk are

Page 193

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters case, you can prevent the traffic of one subn

Page 194 - Access Control (802.1X)

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Configuring a Source-Port Filter The source-p

Page 195

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Configuring a Filter on a Port Trunk. This o

Page 196

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Viewing a Source-Port Filter You can list all

Page 197 - Authenticators

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters If you wanted to determine the index number f

Page 198

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Editing a Source-Port Filter The switch inclu

Page 199

Traffic/Security Filters (HP ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters — This page is intentionally unused. — 10-10

Page 200

11 Using Authorized IP Managers Contents Overview

Page 201

Configuring Username and Password Security Configuring Local Password Security • Delete passwords • Recover from a lost password Configuring Local P

Page 202

Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n

Page 203 - 802.1X Open VLAN Mode

Using Authorized IP Managers Options Options You can configure: • Up to 10 authorized manager addresses, where each address applies to either a singl

Page 204

Using Authorized IP Managers Defining Authorized Management Stations • Operator: Allows read-only access from the web browser and console interfaces.

Page 205

Using Authorized IP Managers Defining Authorized Management Stations for the Authorized Manager IP parameter allows a range of 0 through 255 in the 4t

Page 206

Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 5. Press [Enter], then [S] (for

Page 207 - Unauthorized-Client VLANs

Using Authorized IP Managers Defining Authorized Management Stations Figure 11-3. Example of the Show IP Authorized-Manager Display The above example

Page 208

Using Authorized IP Managers Defining Authorized Management Stations Similarly, the next command authorizes manager-level access for any station havin

Page 209

Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can conf

Page 210

Using Authorized IP Managers Building IP Masks Table 11-1. Analysis of IP Mask for Single-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet Man

Page 211

Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP addres

Page 212

Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password)

Page 213

Using Authorized IP Managers Building IP Masks Figure 11-5. Analysis of IP Mask for Multiple-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet M

Page 214 - 802.1X Devices

Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Manager List Results IP Mask

Page 215 - 802.1X Device

Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still elimina

Page 216 - Other Switches

Numerics 3DES … 6-3, 7-3 802.1X See port-based access control. …8-1 A aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access l

Page 217

IP authorized IP managers … 11-1 reserved port numbers … 6-17 IP masks building … 11-9 for multiple authorized manager stations … 11-11 for single au

Page 218

block traffic … 8-3 blocking non-802.1X device … 8-33 CHAP … 8-3 chap-radius … 8-19 configuration commands … 8-15 configuration overview … 8-13 config

Page 219

configuring switch global parameters … 5-12 general setup … 5-5 local authentication … 5-9 MD5…5-4 messages … 5-31 network accounting … 5-18 operating

Page 220 - Statistics, and Counters

disabling … 7-10 enabling … 7-17 erase certificate key pair … 7-10 erase host key pair … 7-10 generate CA-signed certificate … 7-15 generate host key

Page 221

U user name cleared … 2-5 V value, inconsistent … 9-14 VLAN 802.1X … 8-44 802.1X, ID changes … 8-47 802.1X, suspend untagged VLAN … 8-41 filter, sourc

Page 223

HP ProCurve Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100gl Series Switch 6108 Access Security Guide October 2004

Page 224

Configuring Username and Password Security Configuring Local Password Security • Password entries appear as asterisks. • You must type the password

Page 225 - • The switch reboots

Technical information in this document is subject to change without notice. © Copyright 2000, 2004. Hewlett-Packard Development Company, L.P. Reproduction,

Page 226 - Affects VLAN Operation

Configuring Username and Password Security Front-Panel Security • To remove username and password protection, leave the fields blank. 3. Implement t

Page 227

Configuring Username and Password Security Front-Panel Security the switch vulnerable when it is located in an area where non-authorized people have a

Page 228

Configuring Username and Password Security Front-Panel Security Front-Panel Button Functions The front panel of the switch includes the Reset button a

Page 229 - After the 802.1X session

Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboo

Page 230

Configuring Username and Password Security Front-Panel Security 3. Release the Reset button and wait for about one second for the Self-Test LED to st

Page 231

Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-security command from the globa

Page 232

Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover

Page 233

Configuring Username and Password Security Front-Panel Security Indicates the command has disabled the Clear button on the switch’s front panel. In th

Page 234 - • PC1 can access Switch A

Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “

Page 235 - Planning Port Security

© Copyright 2001-2004 Hewlett-Packard Company, L.P. The information contained herein is subject to change without notice. Publication Number 5990-60

Page 236

Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by

Page 237

Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete

Page 238

Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form o

Page 239

Configuring Username and Password Security Front-Panel Security Figure 2-11. Example of the Steps for Disabling Password-Recovery Password Recovery Pr

Page 240 - Learned MAC Addresses

Configuring Username and Password Security Front-Panel Security — This page is intentionally unused. — 2-20

Page 241

3 Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Contents Overview

Page 242 - Configuring Port Security

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Overview Overview Feature Default Menu CLI Web Configure Web Authenticat

Page 243

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Overview MAC Authentication (MAC-Auth). This method grants access to a secu

Page 244

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Overview General Features Web and MAC Authentication on the Series 5300XL sw

Page 245

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate How Web and MAC Authentication Operat

Page 246

Contents 1 Getting Started Contents … 1-

Page 247 - MAC Lockdown

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate Figure 3-2. Progress Message During A

Page 248

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate moves have not been enabled (client-m

Page 249

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate 4. If neither 1, 2, or 3, above, app

Page 250 - MAC Lockdown Operating Notes

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client

Page 251 - Deploying MAC Lockdown

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Operating Rules and Notes Operating Rules and Notes • You can configure one

Page 252

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Operating Rules and Notes 2. If there is no RADIUS-assigned VLAN, then, for

Page 253

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches General Setup Procedure for Web/MAC Authentication Note on Web/ The switch

Page 254

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches General Setup Procedure for Web/MAC Authentication a. If you configure the

Page 255 - MAC Lockout

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches General Setup Procedure for Web/MAC Authentication Additional Information fo

Page 256

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring the Switch To Access a RADIUS Server Configuring the Switch To A

Page 257 - Security Features

Configuring Front-Panel Security … 2-12 Password Recovery

Page 258 - Alert Flags

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring the Switch To Access a RADIUS Server Option

Page 259

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication on the Switch Configuring Web Authentication

Page 260 - Resetting Alert Flags

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication on the Switch Note Client web browsers may n

Page 261

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication on the Switch Syntax: aaa port-access web-ba

Page 262 - 9-15, above.)

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication on the Switch Syntax: [no] aaa port-access w

Page 263

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication on the Switch Syntax: aaa port-access web-ba

Page 264

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access w

Page 265 - [Overview] button

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring MAC Authentication on the Switch 5. Configure the switch for MA

Page 266 - [?] in the web

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access m

Page 267

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring MAC Authentication on the Switch Specifies the period, in second

Page 268

Terminology Used in TACACS Applications: … 4-3 General System Requirements

Page 269 - Traffic/Security Filters

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of Web-Based Authentication Specifies the VLAN

Page 270

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of Web-Based Authentication Shows Web Authenti

Page 271

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of MAC-Based Authentication Show Status and Co

Page 272 - Using Source-Port Filters

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of MAC-Based Authentication Shows MAC Authenti

Page 273

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Client Status Client Status The table below shows the possible client status

Page 274

4 TACACS+ Authentication Contents Overview

Page 275 - Viewing a Source-Port Filter

TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 4-9 — view the

Page 276 - Filter Indexing

TACACS+ Authentication Terminology Used in TACACS Applications: tion services. If the switch fails to connect to any TACACS+ server, it defaults to it

Page 277 - Editing a Source-Port Filter

TACACS+ Authentication Terminology Used in TACACS Applications: • Local Authentication: This method uses username/password pairs configured locally o

Page 278

TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: • A TACACS+ ser

Page 279 - Using Authorized IP Managers

Controlling Web Browser Interface Access When Using RADIUS Authentication

Page 280

TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a

Page 281 - Access Levels

TACACS+ Authentication General Authentication Setup Procedure Note on Privilege Levels Caution When a TACACS+ server authenticates an access request

Page 282 - Stations

TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for mis-configurations or missing data that

Page 283 - Managers

TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs aaa auth

Page 284

TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the time

Page 285

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the

Page 286

TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters Name Default Range Function console n/a n/a S

Page 287 - Building IP Masks

TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authenti

Page 288

TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them

Page 289 - IP Entry

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these par

Page 290

7 Configuring Secure Socket Layer (SSL) Contents

Page 291

TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Keys Syntax: tacacs-server host < ip-addr > [key < key-string

Page 292

TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-3. Details on Configuring TACACS Servers and Keys Name Default Range tacacs-server

Page 293 - Index – 1

TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range [ key <key-string> ] none (null) n/a Specifies the optional, glo

Page 294 - 2 – Index

TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-5. Example

Page 295 - Index – 3

TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command withou

Page 296 - 4 – Index

TACACS+ Authentication How Authentication Operates Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or d

Page 297 - Index – 5

TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local auth

Page 298 - 6 – Index

TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “

Page 299

TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to confi

Page 300 - 5990-6024

TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below.
