Access Security Guide
ProCurve Switch 2600 Series, Switch 2600-PWR Series, Switch 2800 Series, Switch 4100gl Series, Switch 6108
Source file: Value_Line-Security-12_2008.pdf (2.08 MB, 306 pages, English)

Table of Contents

Cover ..... 1
Title page ..... 3
Product Documentation ..... 13

Getting Started ..... 17
  Contents ..... 17
  Introduction ..... 18
  Overview of Access Security Features ..... 18
  Management Access Security Protection ..... 19
  General Switch Traffic Security Guidelines ..... 20
  Conventions ..... 21
  Feature Descriptions by Model ..... 21
  Command Syntax Statements ..... 21
  Command Prompts ..... 22
  Screen Simulations ..... 22
  Port Identity Examples ..... 22
  Sources for More Information ..... 23
  Need Only a Quick Start? ..... 24
  IP Addressing ..... 24
  To Set Up and Install the Switch in Your Network ..... 25

Configuring Username and Password Security ..... 27
  Contents ..... 27
  Overview ..... 28
  Configuring Local Password Security ..... 30
  Menu: Setting Passwords ..... 30
  CLI: Setting Passwords and Usernames ..... 31
  Web: Setting Passwords and Usernames ..... 32
  Front-Panel Security ..... 33
  When Security Is Important ..... 33
  Front-Panel Button Functions ..... 34
  Clear Button ..... 34
  Reset Button ..... 35
  Restoring the Factory Default Configuration ..... 35
  Configuring Front-Panel Security ..... 36
  Disabling the Clear Password Function of the Clear Button on the Switch's Front Panel ..... 38
  Re-Enabling the Clear Button on the Switch's Front Panel and Setting or Changing the "Reset-On-Clear" Operation ..... 39
  Changing the Operation of the Reset+Clear Combination ..... 40
  Password Recovery ..... 41
  Disabling or Re-Enabling the Password Recovery Process ..... 41
  Password Recovery Process ..... 43

Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches ..... 45
  Contents ..... 45
  Overview ..... 46
  Client Options ..... 47
  General Features ..... 48
  How Web and MAC Authentication Operate ..... 49
  Authenticator Operation ..... 49
  Web-based Authentication ..... 49
  MAC-based Authentication ..... 51
  Terminology ..... 53
  Operating Rules and Notes ..... 54
  General Setup Procedure for Web/MAC Authentication ..... 56
  Do These Steps Before You Configure Web/MAC Authentication ..... 56
  Additional Information for Configuring the RADIUS Server To Support MAC Authentication ..... 58
  Configuring the Switch To Access a RADIUS Server ..... 59
  Configuring Web Authentication ..... 61
  Overview ..... 61
  Configure the Switch for Web-Based Authentication ..... 62
  Configuring MAC Authentication on the Switch ..... 66
  Overview ..... 66
  Configure the Switch for MAC-Based Authentication ..... 67
  Show Status and Configuration of Web-Based Authentication ..... 70
  Show Status and Configuration of MAC-Based Authentication ..... 71
  Show Client Status ..... 73

TACACS+ Authentication ..... 75
  Contents ..... 75
  Overview ..... 76
  Terminology Used in TACACS Applications ..... 77
  General System Requirements ..... 79
  General Authentication Setup Procedure ..... 79
  Configuring TACACS+ on the Switch ..... 82
  Before You Begin ..... 82
  CLI Commands Described in this Section ..... 83
  Viewing the Switch's Current Authentication Configuration ..... 83
  Viewing the Switch's Current TACACS+ Server Contact Configuration ..... 84
  Configuring the Switch's Authentication Methods ..... 85
  Configuring the Switch's TACACS+ Server Access ..... 89
  How Authentication Operates ..... 94
  General Authentication Process Using a TACACS+ Server ..... 94
  Local Authentication Process ..... 96
  Using the Encryption Key ..... 97
  General Operation ..... 97
  Encryption Options in the Switch ..... 97
  Controlling Web Browser Interface Access When Using TACACS+ Authentication ..... 98
  Messages Related to TACACS+ Operation ..... 99
  Operating Notes ..... 99

RADIUS Authentication and Accounting ..... 101
  Contents ..... 101
  Overview ..... 102
  Terminology ..... 103
  Switch Operating Rules for RADIUS ..... 104
  General RADIUS Setup Procedure ..... 105
  Configuring the Switch for RADIUS Authentication ..... 106
  Outline of the Steps for Configuring RADIUS Authentication ..... 107
  1. Configure Authentication for the Access Methods You Want RADIUS To Protect ..... 108
  2. Configure the Switch To Access a RADIUS Server ..... 110
  3. Configure the Switch's Global RADIUS Parameters ..... 112
  Local Authentication Process ..... 116
  Controlling Web Browser Interface Access When Using RADIUS Authentication ..... 117
  Configuring RADIUS Accounting ..... 117
  Operating Rules for RADIUS Accounting ..... 119
  Steps for Configuring RADIUS Accounting ..... 119
  1. Configure the Switch To Access a RADIUS Server ..... 120
  2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server ..... 122
  3. (Optional) Configure Session Blocking and Interim Updating Options ..... 124
  Viewing RADIUS Statistics ..... 125
  General RADIUS Statistics ..... 125
  RADIUS Authentication Statistics ..... 127
  RADIUS Accounting Statistics ..... 128
  Changing RADIUS-Server Access Order ..... 129
  Messages Related to RADIUS Operation ..... 131

Configuring Secure Shell (SSH) ..... 133
  Contents ..... 133
  Overview ..... 134
  Terminology ..... 136
  Prerequisite for Using SSH ..... 137
  Public Key Formats ..... 137
  Steps for Configuring and Using SSH for Switch and Client Authentication ..... 138
  General Operating Rules and Notes ..... 140
  Configuring the Switch for SSH Operation ..... 141
  1. Assign Local Login (Operator) and Enable (Manager) Password ..... 141
  2. Generate the Switch's Public and Private Key Pair ..... 142
  3. Provide the Switch's Public Key to Clients ..... 144
  4. Enable SSH on the Switch and Anticipate SSH Client Contact Behavior ..... 147
  5. Configure the Switch for SSH Authentication ..... 150
  6. Use an SSH Client To Access the Switch ..... 153
  Further Information on SSH Client Public-Key Authentication ..... 153
  Messages Related to SSH Operation ..... 159

Configuring Secure Socket Layer (SSL) ..... 161
  Contents ..... 161
  Overview ..... 162
  Terminology ..... 163
  Prerequisite for Using SSL ..... 165
  Steps for Configuring and Using SSL for Switch and Client Authentication ..... 165
  General Operating Rules and Notes ..... 166
  Configuring the Switch for SSL Operation ..... 167
  1. Assign Local Login (Operator) and Enable (Manager) Password ..... 167
  2. Generate the Switch's Server Host Certificate ..... 169
  To Generate or Erase the Switch's Server Certificate with the CLI ..... 170
  Comments on Certificate Fields ..... 171
  Generate a Self-Signed Host Certificate with the Web Browser Interface ..... 173
  Generate a CA-Signed Server Host Certificate with the Web Browser Interface ..... 175
  3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior ..... 177
  Using the CLI Interface to Enable SSL ..... 179
  Using the Web Browser Interface to Enable SSL ..... 179
  Common Errors in SSL Setup ..... 181

Configuring Port-Based Access Control (802.1X) ..... 183
  Contents ..... 183
  Overview ..... 185
  Why Use Port-Based Access Control? ..... 185
  General Features ..... 185
  How 802.1X Operates ..... 188
  Authenticator Operation ..... 188
  Switch-Port Supplicant Operation ..... 189
  Terminology ..... 190
  General Operating Rules and Notes ..... 192
  General Setup Procedure for Port-Based Access Control (802.1X) ..... 194
  Do These Steps Before You Configure 802.1X Operation ..... 194
  Overview: Configuring 802.1X Authentication on the Switch ..... 195
  Configuring Switch Ports as 802.1X Authenticators ..... 197
  1. Enable 802.1X Authentication on Selected Ports ..... 197
  3. Configure the 802.1X Authentication Method ..... 201
  4. Enter the RADIUS Host IP Address(es) ..... 202
  5. Enable 802.1X Authentication on the Switch ..... 202
  802.1X Open VLAN Mode ..... 203
  Introduction ..... 203
  Use Models for 802.1X Open VLAN Modes ..... 204
  Operating Rules for Authorized-Client and Unauthorized-Client VLANs ..... 207
  Setting Up and Configuring 802.1X Open VLAN Mode ..... 209
  802.1X Open VLAN Operating Notes ..... 213
  Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices ..... 214
  Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches ..... 216
  Displaying 802.1X Configuration, Statistics, and Counters ..... 220
  Show Commands for Port-Access Authenticator ..... 220
  Viewing 802.1X Open VLAN Mode Status ..... 222
  Show Commands for Port-Access Supplicant ..... 225
  How RADIUS/802.1X Authentication Affects VLAN Operation ..... 226
  Messages Related to 802.1X Operation ..... 230

Configuring and Monitoring Port Security ..... 231
  Contents ..... 231
  Overview ..... 232
  Basic Operation ..... 232
  Blocking Unauthorized Traffic ..... 233
  Trunk Group Exclusion ..... 234
  Planning Port Security ..... 235
  Port Security Command Options and Operation ..... 236
  Retention of Static MAC Addresses ..... 240
  Learned MAC Addresses ..... 240
  Assigned/Authorized MAC Addresses ..... 240
  Removing Learned and Assigned Static MAC Addresses ..... 240
  Displaying Current Port Security Settings ..... 240
  Configuring Port Security ..... 242
  Specifying Authorized Devices and Intrusion Responses ..... 242
  Adding a MAC Address to an Existing Port List ..... 243
  MAC Lockdown ..... 247
  Differences Between MAC Lockdown and Port Security ..... 249
  MAC Lockdown Operating Notes ..... 250
  Deploying MAC Lockdown ..... 251
  MAC Lockout ..... 255
  Port Security and MAC Lockout ..... 257
  IP Lockdown ..... 258
  Operating Rules for IP Lockdown ..... 258
  Using the IP Lockdown Command ..... 258
  Web: Displaying and Configuring Port Security Features ..... 259
  Reading Intrusion Alerts and Resetting Alert Flags ..... 259
  Notice of Security Violations ..... 259
  How the Intrusion Log Operates ..... 260
  Keeping the Intrusion Log Current by Resetting Alert Flags ..... 261
  Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags ..... 261
  CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags ..... 264
  Using the Event Log To Find Intrusion Alerts ..... 266
  Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags ..... 266
  Operating Notes for Port Security ..... 267

Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) ..... 269
  Contents ..... 269
  Overview ..... 270
  Using Source-Port Filters ..... 272
  Operating Rules for Source-Port Filters ..... 272
  Configuring a Source-Port Filter ..... 273
  Viewing a Source-Port Filter ..... 275
  Filter Indexing ..... 276
  Editing a Source-Port Filter ..... 277
  Using Named Source-Port Filters ..... 278
  Operating Rules for Named Source-Port Filters ..... 278
  Defining and Configuring Named Source-Port Filters ..... 278
  Viewing a Named Source-Port Filter ..... 280
  Sample Configuration for Named Source-Port Filters ..... 280

Using Authorized IP Managers ..... 287
  Contents ..... 287
  Overview ..... 288
  Configuration Options ..... 289
  Access Levels ..... 289
  Defining Authorized Management Stations ..... 290
  Overview of IP Mask Operation ..... 290
  Menu: Viewing and Configuring IP Authorized Managers ..... 291
  CLI: Viewing and Configuring Authorized IP Managers ..... 292
  Listing the Switch's Current Authorized IP Manager(s) ..... 292
  Configuring IP Authorized Managers for the Switch ..... 293
  Web: Configuring IP Authorized Managers ..... 295
  Building IP Masks ..... 295
  Configuring One Station Per Authorized Manager IP Entry ..... 295
  Configuring Multiple Stations Per Authorized Manager IP Entry ..... 296
  Additional Examples for Authorizing Multiple Stations ..... 297
  Operating Notes ..... 298

Index ..... 299
  Numerics 299, A 299, C 299, D 299, E 299, F 299, G 299, I 300, K 300, L 300, M 300, O 300, P 300, Q 301, R 301, S 302, T 303, U 304, V 304, W 304