Access Security Guide
2510
ProCurve Switches
Q.11.XX (2510-24)
U.11.XX (2510-48)
www.procurve.com
ProCurve Series 2510 Switches
January 2008
Access Security Guide
© Copyright 2008 Hewlett-Packard Company, L.P.
The information contained herein is subject to change without notice.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements for such products. Nothing herein should be construed as constituting an additional warranty.
Publication Number
5991-4763
January 2008
Applicable Products
ProCurve Switch 2510-24 (J9019B)
ProCurve Switch 2510-48 (J9020A)
Trademark Credits
Windows NT®, Windows®, and MS Windows® are US registered trademarks of Microsoft Corporation.
Software Credits
SSH on ProCurve Switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit www.openssh.com.
SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit www.openssl.org.
This product includes cryptographic software written by Eric Young.
This product includes software written by Tim Hudson.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
http://www.procurve.com
Contents
Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Additional Information for Configuring the RADIUS
Server To Support MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . 3-14
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Show Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Viewing the Switch’s Current TACACS+ Server
Contact Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
How Authentication Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
Controlling Web Browser Interface Access When Using TACACS+
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
1. Configure Authentication for the Access Methods
You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Controlling Web Browser Interface Access When Using RADIUS
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
Steps for Configuring and Using SSH
for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
4. Enable SSH on the Switch and Anticipate SSH
Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Steps for Configuring and Using SSL for
Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
3. Enable SSL on the Switch and Anticipate SSL
Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
8 Configuring Port-Based and Client-Based
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-7
General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Operating Rules for Authorized-Client and
Unauthorized-Client VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Option For Authenticator Ports: Configure Port-Security To Allow
Only 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
Configuring Switch Ports To Operate As
Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . . 8-42
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Notice of Security Violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Web: Checking for Intrusions, Listing Intrusion Alerts,
and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
Configuring Protected Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Product Documentation
About Your Switch Manual Set
The switch manual set includes the following:
■ Read Me First - a printed guide shipped with your switch. Provides software update information, product notes, and other information.
■ Installation and Getting Started Guide - a printed guide shipped with your switch. This guide explains how to prepare for and perform the physical installation and connection to your network.
■ Management and Configuration Guide - a PDF file on the ProCurve Networking Web Site. This guide describes how to configure, manage, and monitor basic switch operation.
■ Advanced Traffic Management Guide - a PDF file on the ProCurve Networking Web Site. This guide explains the configuration and operation of traffic management features such as spanning tree and VLANs.
■ Access Security Guide - a PDF file on the ProCurve Networking Web Site. This guide explains the configuration and operation of access security and user authentication features on the switch.
■ Release Notes - posted on the ProCurve web site to provide information on software updates. The release notes describe new features, fixes, and enhancements that become available between revisions of the above guides.
Note
For the latest version of all ProCurve switch documentation, including release
notes covering recently added features, visit the ProCurve Networking
website at www.procurve.com. Click on Technical support, and then click on
Product manuals (all).
Feature Index
For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. The three manuals indexed are the Management and Configuration Guide, the Advanced Traffic Management Guide, and the Access Security Guide. The features indexed are:
802.1Q VLAN Tagging
802.1p Priority
802.1X Authentication
Authorized IP Managers
Config File
Copy Command
Debug
DHCP Configuration
DHCP/Bootp Operation
Diagnostic Tools
Downloading Software
Event Log
Factory Default Settings
File Management
File Transfers
GVRP
IGMP
Interface Access (Telnet, Console/Serial, Web)
IP Addressing
LACP
Link
LLDP
MAC Address Management
Monitoring and Analysis
Multicast Filtering
Network Management Applications (LLDP, SNMP)
Passwords
Ping
Port Configuration
Port Security
Port Status
Port Trunking (LACP)
Port-Based Access Control
Port-Based Priority (802.1Q)
Quality of Service (QoS)
RADIUS Authentication and Accounting
Secure Copy
SFTP
SNMP
Software Downloads (SCP/SFTP, TFTP, Xmodem)
Spanning Tree (MSTP)
SSH (Secure Shell) Encryption
SSL (Secure Socket Layer)
Stack Management (Stacking)
Syslog
System Information
TACACS+ Authentication
Telnet Access
TFTP
Time Protocols (TimeP, SNTP)
Troubleshooting
VLANs
Xmodem
1
Getting Started
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Screen Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Sources for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Need Only a Quick Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Introduction
This Access Security Guide describes how to use ProCurve's switch security features to protect access to your switch. This guide is intended to support the following switches:
■ ProCurve Switch 2510-24
■ ProCurve Switch 2510-48
For an overview of other product documentation for the above switches, refer to "Product Documentation" at the front of this guide. You can download a copy from the ProCurve Networking website, www.procurve.com.
Overview of Access Security Features
The access security features covered in this guide include:
■ Local Manager and Operator passwords: control access and privileges for the CLI, menu, and web browser interfaces.
■ TACACS+ Authentication: uses an authentication application on a server to allow or deny access to a switch.
■ RADIUS Authentication and Accounting: like TACACS+, uses an authentication application on a central server to allow or deny access to the switch. RADIUS also provides accounting services for sending data about user activity and system events to a RADIUS server.
■ Secure Shell (SSH) Authentication: provides encrypted paths for remote access to switch management functions.
■ Secure Socket Layer (SSL): provides remote web browser access to the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation.
■ Port-Based Access Control (802.1X): on point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches.
■ Port Security (MAC address): enables a port to keep a list of MAC addresses defining which specific devices are allowed to access the network through that port. Also enables a port to detect, prevent, and log access attempts by unauthorized devices.
■ Authorized IP Managers: allows access to switch management features only by a networked device having an IP address previously configured in the switch as "authorized".
Management Access Security Protection
In considering management access security for your switch, there are two key areas to protect:
■ Unauthorized client access to switch management features
■ Unauthorized client access to the network.
Table 1-1 on page 1-4 provides an overview of the type of protection offered
by each switch security feature.
Note
ProCurve recommends that you use local passwords together with your
switch’s other security features to provide a more comprehensive security
fabric than if you use only local passwords.
Table 1-1. Management Access Security Protection

The Telnet, SNMP (Net Mgmt), Web Browser, and SSH Client columns show whether a feature offers protection against unauthorized client access to switch management features over that connection type; the last column shows whether it offers protection against unauthorized client access to the network. Each cell gives two values: protection on a point-to-point (PtP) connection, then protection for a remote connection.

Security Feature                                   | Telnet    | SNMP (Net Mgmt) | Web Browser | SSH Client | Network
                                                   | PtP / Rem | PtP / Rem       | PtP / Rem   | PtP / Rem  | PtP / Rem
Local Manager and Operator Usernames and Passwords | Yes / Yes | No / No         | Yes / Yes   | Yes / Yes  | No / No
TACACS+                                            | Yes / Yes | No / No         | No / No     | Yes / Yes  | No / No
RADIUS                                             | Yes / Yes | No / No         | No / No     | Yes / Yes  | No / No
SSH                                                | Yes / Yes | No / No         | No / No     | Yes / Yes  | No / No
SSL                                                | No / No   | No / No         | Yes / Yes   | No / No    | No / No
Port-Based Access Control (802.1X)                 | Yes / No  | Yes / No        | Yes / No    | Yes / No   | Yes / No
Port Security (MAC address)                        | Yes / Yes | Yes / Yes       | Yes / Yes   | Yes / Yes  | Yes / Yes
Authorized IP Managers                             | Yes / Yes | Yes / Yes       | Yes / Yes   | Yes / Yes  | No / No
General Switch Traffic Security Guidelines
Where the switch is running multiple security options, it applies them to network traffic in order of their position in the OSI (Open Systems Interconnection) model, from the lowest layer to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port:
1. Disabled/Enabled physical port
2. Port security
3. Authorized IP Managers
4. Application features at higher levels in the OSI model, such as SSH
(The above list does not address the mutually exclusive relationship that exists among some security features.)
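The precedence list above can be read as a chain of checks in which the first deny wins. The following Python model, added here as an illustration and not code from the ProCurve firmware or from this guide, runs a management access attempt through that chain in the guide's order. The PortPolicy and Attempt structures, the sample MAC and IP addresses, and the per-method authentication map are all constructed for the example; the SNMP case reflects Table 1-1, where local passwords give no protection for SNMP access.

```python
"""Model of the order in which the switch applies its configured security
features to traffic on one port, following the precedence list in "General
Switch Traffic Security Guidelines".  This is an added illustration, not
ProCurve firmware: the PortPolicy/Attempt structures and every sample
address below are constructed for the example."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class PortPolicy:
    """Security settings configured on one switch port (constructed model)."""
    enabled: bool = True
    # Port Security: when set, only these source MAC addresses may use the port.
    allowed_macs: Optional[FrozenSet[str]] = None
    # Authorized IP Managers: when set, only these source IPs may reach
    # switch management features.
    authorized_ips: Optional[FrozenSet[str]] = None
    # Application-level authentication per management access method
    # ("telnet", "snmp", "web", "ssh").  A missing method has no protection,
    # e.g. SNMP is not covered by local passwords (Table 1-1).
    auth: Dict[str, str] = field(default_factory=dict)


@dataclass
class Attempt:
    """One management access attempt arriving on the port (constructed)."""
    src_mac: str
    src_ip: str
    method: str
    credentials_ok: bool


def evaluate(policy: PortPolicy, attempt: Attempt) -> Tuple[bool, str]:
    """Run the attempt through the guide's precedence chain.

    Returns (allowed, stage), where stage names the feature that decided.
    Checks run from the lowest OSI layer upward: 1. port enabled/disabled,
    2. Port Security, 3. Authorized IP Managers, 4. application-level
    authentication.  The first deny wins, so a higher-layer feature can never
    re-admit traffic that a lower-layer one has already rejected.
    """
    if not policy.enabled:
        return False, "port disabled"
    if policy.allowed_macs is not None and attempt.src_mac.lower() not in policy.allowed_macs:
        return False, "port security"
    if policy.authorized_ips is not None and attempt.src_ip not in policy.authorized_ips:
        return False, "authorized IP managers"
    auth = policy.auth.get(attempt.method)
    if auth is None:
        # Nothing at the application layer guards this method: the attempt
        # succeeds without any credential check, which is the gap to look for.
        return True, "unauthenticated"
    return attempt.credentials_ok, auth


# Constructed sample port: one permitted MAC, one authorized manager IP, and
# local passwords on Telnet and the web interface, RADIUS on SSH, nothing on SNMP.
SAMPLE_POLICY = PortPolicy(
    enabled=True,
    allowed_macs=frozenset({"00:1a:2b:3c:4d:5e"}),
    authorized_ips=frozenset({"10.1.1.10"}),
    auth={"telnet": "local passwords", "web": "local passwords", "ssh": "radius"},
)


def run_demo(policy: PortPolicy = SAMPLE_POLICY) -> Dict[str, Tuple[bool, str]]:
    """Evaluate a set of constructed attempts and return the decision for each."""
    attempts = {
        "valid telnet": Attempt("00:1A:2B:3C:4D:5E", "10.1.1.10", "telnet", True),
        "bad password": Attempt("00:1a:2b:3c:4d:5e", "10.1.1.10", "telnet", False),
        # Correct manager IP, but the MAC is unknown: Port Security decides first.
        "unknown mac": Attempt("00:de:ad:be:ef:00", "10.1.1.10", "ssh", True),
        # Permitted MAC and valid RADIUS credentials, but not an authorized manager IP.
        "unauthorized ip": Attempt("00:1a:2b:3c:4d:5e", "192.0.2.7", "ssh", True),
        # Nothing protects SNMP in this policy, so the attempt is admitted unchecked.
        "snmp gap": Attempt("00:1a:2b:3c:4d:5e", "10.1.1.10", "snmp", True),
    }
    return {name: evaluate(policy, a) for name, a in attempts.items()}


if __name__ == "__main__":
    for name, (allowed, stage) in run_demo().items():
        print(f"{name:16s} -> {'allow' if allowed else 'deny ':5s} ({stage})")
```

Because the chain stops at the first deny, a result of "deny at port security" says nothing about whether passwords or RADIUS are configured behind it; that is why Table 1-1 rates each feature on its own rather than the combination. The model does not cover the mutual exclusivity among some features that the guide mentions.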
Conventions
This guide uses the following conventions for command syntax and displayed
information.
Command Syntax Statements
Syntax: aaa port-access authenticator < port-list >
[ control < authorized | auto | unauthorized >]
■ Vertical bars ( | ) separate alternative, mutually exclusive elements.
■ Square brackets ( [ ] ) indicate optional elements.
■ Angle brackets ( < > ) enclose required elements.
■ Angle brackets within square brackets ( [ < > ] ) indicate a required element within an optional choice.
■ Boldface indicates use of a CLI command, part of a CLI command syntax, or other displayed element in general text. For example: "Use the copy tftp command to download the key from a TFTP server."
■ Italics indicate variables for which you must supply a value when executing the command. For example, in this command syntax, < port-list > indicates that you must provide one or more port numbers:
Syntax: aaa port-access authenticator < port-list >
Command Prompts
In the default configuration, your switch displays the following CLI prompt:
ProCurve Switch 2510-24#
To simplify recognition, this guide uses ProCurve to represent command
prompts for all models. For example:
ProCurve#
(You can use the hostname command to change the text in the CLI prompt.)
Screen Simulations
Figures containing simulated screen text and command output look similar
to this:
ProCurve(config)# show version
Image stamp:    /sw/code/build/dosx(ndx)
                Dec 11 2007 11:44:02
                U.11.03
                1340
Boot Image:     Primary
Figure 1-1. Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear outside of a
numbered figure. For example:
ProCurve(config)# ip default-gateway 18.28.152.1
ProCurve(config)# vlan 1 ip address 18.28.36.152/24
ProCurve(config)# vlan 1 ip igmp
Port Identity Examples
This guide describes software applicable to both chassis-based and stackable
ProCurve switches. Where port identities are needed in an example, this guide
uses the chassis-based port identity system, such as “A1”, “B3 - B5”, “C7”, etc.
However, unless otherwise noted, such examples apply equally to the
stackable switches, which for port identities typically use only numbers, such
as “1”, “3-5”, “15”, etc.
Sources for More Information
For additional information about switch operation and features not covered
in this guide, consult the following sources:
■ For information on which product manual to consult on a given software feature, refer to the Feature Index under "Product Documentation" at the front of this guide.
Note
For the latest version of all ProCurve switch documentation, including release notes covering recently added features, visit the ProCurve Networking Web Site at www.procurve.com. Click on Technical support, and then click on Product manuals (all).
■ For information on specific parameters in the Menu interface, refer to the online help provided in the interface. For example:
Online Help for
Menu interface
Figure 1-2. Getting Help in the Menu Interface
■ For information on a specific command in the CLI, type the command name followed by "help". For example:
Figure 1-3. Getting Help in the CLI
■ For information on specific features in the Web browser interface, use the online help. For more information, refer to the Management and Configuration Guide for your switch.
■ For further information on ProCurve Networking switch technology, visit the ProCurve Networking Website at: www.procurve.com
Need Only a Quick Start?
IP Addressing
If you just want to give the switch an IP address so that it can communicate
on your network, or if you are not using multiple VLANs, ProCurve
recommends that you use the Switch Setup screen to quickly configure IP
addressing. To do so, do one of the following:
■ Enter setup at the CLI Manager level prompt.
ProCurve# setup
■ Or, run the Menu interface and select 8. Run Setup from the Main Menu.
For more on using the Switch Setup screen, see the Installation and Getting
Started Guide you received with the switch.
To Set Up and Install the Switch in Your Network
Important!
Use the Installation and Getting Started Guide shipped with your switch for the following:
■ Notes, cautions, and warnings related to installing and using the switch
■ Instructions for physically installing the switch in your network
■ Quickly assigning an IP address and subnet mask, setting a Manager password, and (optionally) configuring other basic features.
■ Interpreting LED behavior.
For the latest version of the Installation and Getting Started Guide and other documentation for your switch, visit the ProCurve Networking Web site. (See "Sources for More Information" on page 1-7 for details.)