HP ProCurve 4100 Series, Function Manual

Page 1: ...ProCurve Switches Access Security Guide Switch 2600 Series Switch 2600 PWR Series Switch 2800 Series Switch 4100 Series Switch 6108 Series ...

Page 2: ......

Page 3: ...ProCurve Switch 2600 Series Switch 2600 PWR Series Switch 2800 Series Switch 4100gl Series Switch 6108 Access Security Guide December 2008 ...

Page 4: ...re information on OpenSSL visit http www openssl org This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com Disclaimer HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICUL...

Page 5: ...eature Descriptions by Model 1 5 Command Syntax Statements 1 5 Command Prompts 1 6 Screen Simulations 1 6 Port Identity Examples 1 6 Sources for More Information 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 9 2 Configuring Username and Password Security Contents 2 1 Overview 2 2 Configuring Local Password Security 2 4 Menu Setting Passwords 2...

Page 6: ...10 General Setup Procedure for Web MAC Authentication 3 12 Do These Steps Before You Configure Web MAC Authentication 3 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 3 14 Configuring the Switch To Access a RADIUS Server 3 15 Configuring Web Authentication 3 17 Overview 3 17 Configure the Switch for Web Based Authentication 3 18 Configuring MAC Authentica...

Page 7: ...ication Methods 4 11 Configuring the Switch s TACACS Server Access 4 15 How Authentication Operates 4 20 General Authentication Process Using a TACACS Server 4 20 Local Authentication Process 4 22 Using the Encryption Key 4 23 Controlling Web Browser Interface Access When Using TACACS Authentication 4 24 Messages Related to TACACS Operation 4 25 Operating Notes 4 25 5 RADIUS Authentication and Acc...

Page 8: ...Statistics 5 27 RADIUS Accounting Statistics 5 28 Changing RADIUS Server Access Order 5 29 Messages Related to RADIUS Operation 5 31 6 Configuring Secure Shell SSH Contents 6 1 Overview 6 2 Terminology 6 4 Prerequisite for Using SSH 6 5 Public Key Formats 6 5 Steps for Configuring and Using SSH for Switch and Client Authentication 6 6 General Operating Rules and Notes 6 8 Configuring the Switch fo...

Page 9: ...r and Enable Manager Password 7 7 2 Generate the Switch s Server Host Certificate 7 9 3 Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior 7 17 Common Errors in SSL Setup 7 21 8 Configuring Port Based Access Control 802 1X Contents 8 1 Overview 8 3 Why Use Port Based Access Control 8 3 General Features 8 3 How 802 1X Operates 8 6 Authenticator Operation 8 6 Switch Port Supplicant...

Page 10: ...Allow Only 802 1X Devices 8 32 Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches 8 34 Displaying 802 1X Configuration Statistics and Counters 8 38 Show Commands for Port Access Authenticator 8 38 Viewing 802 1X Open VLAN Mode Status 8 40 Show Commands for Port Access Supplicant 8 43 How RADIUS 802 1X Authentication Affects VLAN Operation 8 44 Messages Rela...

Page 11: ... Using the Event Log To Find Intrusion Alerts 9 36 Web Checking for Intrusions Listing Intrusion Alerts and Resetting Alert Flags 9 36 Operating Notes for Port Security 9 37 10 Traffic Security Filters ProCurve Series 2600 2600 PWR and 2800 Switches Contents 10 1 Overview 10 2 Using Source Port Filters 10 4 Operating Rules for Source Port Filters 10 4 Configuring a Source Port Filter 10 5 Viewing ...

Page 12: ...1 5 CLI Viewing and Configuring Authorized IP Managers 11 6 Web Configuring IP Authorized Managers 11 9 Building IP Masks 11 9 Configuring One Station Per Authorized Manager IP Entry 11 9 Configuring Multiple Stations Per Authorized Manager IP Entry 11 10 Additional Examples for Authorizing Multiple Stations 11 11 Operating Notes 11 12 ...

Page 13: ...cluded as a PDF file on the Documentation CD This guide explains the configuration and operation of traffic management features such as spanning tree VLANs and IP routing Access Security Guide included as a PDF file on the Documentation CD This guide explains the configuration and operation of access security and user authentication features on the switch Release Notes posted on the ProCurve web s...

Page 14: ...s Feature Management and Configuration AdvancedTraffic Management Access Security Guide 802 1Q VLAN Tagging X 802 1X Port Based Priority X Authentication X Authorized IP Managers X Config File X Copy Command X Debug X DHCP Configuration X DHCP Bootp Operation X Diagnostic Tools X Downloading Software X Event Log X Factory Default Settings X File Management X File Transfers X GVRP X IGMP X Interfac...

Page 15: ...DP SNMP X Passwords X Ping X Port Configuration X Port Security X Port Status X Port Trunking LACP X Port Based Access Control X Port Based Priority 802 1Q X Power over Ethernet PoE X Quality of Service QoS X RADIUS Authentication and Accounting X Routing X Secure Copy X SFTP X SNMP X Software Downloads SCP SFTP TFTP Xmodem X Feature Management and Configuration AdvancedTraffic Management Access S...

Page 16: ...ocket Layer X Stack Management Stacking X Syslog X System Information X TACACS Authentication X Telnet Access X TFTP X Time Protocols TimeP SNTP X Traffic Security Filters X Troubleshooting X VLANs X Web based Authentication X Xmodem X Feature Management and Configuration AdvancedTraffic Management Access Security Guide ...

Page 17: ...3 General Switch Traffic Security Guidelines 1 4 Conventions 1 5 Feature Descriptions by Model 1 5 Command Syntax Statements 1 5 Command Prompts 1 6 Screen Simulations 1 6 Port Identity Examples 1 6 Sources for More Information 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 9 ...

Page 18: ... from the ProCurve website http www procurve com Overview of Access Security Features The access security features covered in this guide include Local Manager and Operator Passwords page 2 1 Control access and privileges for the CLI menu and web browser interfaces TACACS Authentication page 4 1 Uses an authentication appli cation on a server to allow or deny access to a switch RADIUS Authenticatio...

Page 19: ...prevent and log access attempts by unauthorized devices Traffic Security Filters page 10 1 Source Port filtering enhances in bandsecuritybyenablingoutbounddestinationportsontheswitch to forward or drop traffic from designated source ports within the same VLAN Authorized IP Managers page 11 1 Allows access to the switch by a networked device having an IP address previously configured in the switch ...

Page 20: ... exclusive relationship that exists among some security features Security Feature Offers Protection Against Unauthorized Client Access to Switch Management Features Offers Protection Against Unauthorized Client Access to the Network Connection Telnet SNMP Net Mgmt Web Browser SSH Client Local Manager and Operator Usernames and Passwords1 PtP Yes No Yes Yes No Remote Yes No Yes Yes No TACACS 1 PtP ...

Page 21: ...ort access authenticator port list control authorized auto unauthorized Vertical bars separate alternative mutually exclusive elements Square brackets indicate optional elements Braces enclose required elements Braces within square brackets indicate a required element within an optional choice Boldface indicates use of a CLI command part of a CLI command syntax or other displayed element in genera...

Page 22: ... look like this Figure 1 1 Example of a Figure Showing a Simulated Screen In some cases brief command output sequences appear outside of a numbered figure For example ProCurve config ip default gateway 18 28 152 1 24 ProCurve config vlan 1 ip address 18 28 36 152 24 ProCurve config vlan 1 ip igmp Port Identity Examples This guide describes software applicable to both chassis based and stackable Pr...

Page 23: ...latest version of all ProCurve switch documentation including release notes covering recently added features visit the ProCurve Networking website at http www procurve com Click on Technical support and then click on Product manuals For information on specific parameters in the menu interface refer to the online help provided in the interface For example Figure 1 2 Getting Help in the Menu Interfa...

Page 24: ...tp www procurve com Need Only a Quick Start IP Addressing If you just want to give the switch an IP address so that it can communicate on your network or if you are not using multiple VLANs ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing To do so do one of the following Enter setup at the CLI Manager level prompt ProCurve setup In the Main Menu of the Me...

Page 25: ... switch and its related modules Instructions for physically installing the switch in your network Quickly assigning an IP address and subnet mask setting a Manager password and optionally configuring other basic features Interpreting LED behavior For the latest version of the Installation and Getting Started Guide and other documentation for your switch visit the ProCurve website Refer to Product ...

Page 26: ...1 10 Getting Started Need Only a Quick Start This page is intentionally unused ...

Page 27: ...Security 2 4 Menu Setting Passwords 2 4 CLI Setting Passwords and Usernames 2 5 Web Setting Passwords and Usernames 2 6 Front Panel Security 2 7 When Security Is Important 2 7 Front Panel Button Functions 2 8 Configuring Front Panel Security 2 10 Password Recovery 2 15 Password Recovery Process 2 17 ...

Page 28: ...WR and 2800 Switches Show front panel security n a page 1 13 Front panel security page 1 13 password clear enabled page 1 13 reset on clear disabled page 1 14 factory reset enabled page 1 15 password recovery enabled page 1 15 Level Actions Permitted Manager Access to all console interface areas This is the default level That is if a Manager password has not been set prior to starting the current ...

Page 29: ... causes the console session to end after the specified period of inactivity thus giving you added security against unauthor ized console access Note The manager and operator passwords and optional usernames control access to the menu interface CLI and web browser interface If you configure only a Manager password with no Operator password and in a later session the Manager password is not entered ...

Page 30: ...pted with Enter new password b Type a password of up to 16 ASCII characters with no spaces and press Enter Remember that passwords are case sensitive c When prompted with Enter new password again retype the new pass word and press Enter After you configure a password if you subsequently start a new console session you will be prompted to enter the password If you use the CLI or web browser interfa...

Page 31: ...r to select Yes then press Enter 5 Press Enter to clear the Password Protection message To Recover from a Lost Manager Password If you cannot start a con sole session at the Manager level because of a lost Manager password you can clear the password by getting physical access to the switch and pressing and holding the Clear button for a minimum of one second This action deletes all passwords and u...

Page 32: ...to remove password protection from the Operator level This means that anyone who can access the switch console can gain Operator access without having to enter a user name or password Web Setting Passwords and Usernames In the web browser interface you can enter passwords and optional user names To Configure or Remove Usernames and Passwords in the Web Browser Interface 1 Click on the Security tab...

Page 33: ... Insurance Portability and Accountability Act HIPAA of 1996 requires that systems handling and transmitting confidential medical records must be secure It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key For some customers this is no longer true Others simply ...

Page 34: ...witch includes the Reset button and the Clear button Figure 2 4 Example Front Panel Button Locations Clear Button Pressing the Clear button alone for one second resets the password s con figured on the switch Figure 2 5 Press the Clear Button for One Second To Reset the Password s Clear Button Reset Button Port LED View Self Test Clear Reset Fan Status 4 5 1 13 12 11 10 9 8 7 6 Spd mode off 10 Mbp...

Page 35: ...d hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration Youcanalsousethe Resetbuttontogether withtheClearbutton Reset Clear to restore the factory default configuration for the switch To do this 1 Press and hold the Reset button 2 While holding the Reset button press and hold the Clear button Reset Clear Reset Clear Reset Clear ...

Page 36: ... or re enable the password clearing function of the Clear button Disabling the Clear button means that pressing it does not remove local password protection from the switch This action affects the Clear button when used alone but does not affect the operation of the Reset Clear combination described under Restor ing the Factory Default Configuration on page 2 9 Configure the Clear button to reboot...

Page 37: ...en pressing the Clear button erases the local usernames and passwords from the switch When reset on clear is enabled pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch Enabling reset on clear automatically enables clear password Default Disabled Factory Reset Shows the status of the Reset button on the front panel of the switch Enabled means t...

Page 38: ...y default configuration pressing the Clear button on the switch s front panel erases any local usernames and passwords configured on the switch This command disables the password clear function of the Clear button so that pressing it has no effect on any local usernames and passwords Default Enabled Note Although the Clear button does not erase passwords when disabled you can still use it with the...

Page 39: ...enable or disable the reset on clear option Defaults password clear Enabled reset on clear Disabled Thus To enable password clear with reset on clear disabled use this syntax no front panel security password clear reset on clear To enable password clear with reset on clear also enabled use this syntax front panel security password clear reset on clear Either form of the command enables password cl...

Page 40: ...an use the factory reset command to prevent the Reset Clear combination from being used for this purpose Shows password clear disabled Enables password clear with reset on clear disabled by the no statement at the beginning of the command Shows password clear enabled with reset on clear disabled Syntax no front panel security factory reset Disables or re enables the following functions associated ...

Page 41: ...switch to its factory default configuration which removes any non default configuration settings C a u t i o n Disabling password recovery requires that factory reset be enabled and locks out the ability to recover a lost manager username if configured and pass word on the switch In this event there is no way to recover from a lost manager username password situation without resetting the switch t...

Page 42: ...e command press N for No Figure 2 11 shows an example of disabling the password recovery parameter Syntax no front panel security password recovery Enables or using the no form of the command disables the ability to recover a lost password When this feature is enabled the switch allows management access through the password recovery process described below This provides a method for recovering fro...

Page 43: ...h from the network to prevent unauthorized access and other problems while it is being reconfigured To use the password recovery option to recover a lost password 1 Note the switch s base MAC address It is shown on the label located on the upper right front corner of the switch 2 Contact your ProCurve Customer Care Center for further assistance Using the switch s MAC address the ProCurve Customer ...

Page 44: ...2 18 Configuring Username and Password Security Front Panel Security This page is intentionally unused ...

Page 45: ...re Web MAC Authentication 3 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 3 14 Configuring the Switch To Access a RADIUS Server 3 15 Configuring Web Authentication 3 17 Overview 3 17 Configure the Switch for Web Based Authentication 3 18 Configuring MAC Authentication on the Switch 3 22 Overview 3 22 Configure the Switch for MAC Based Authentication 3 23...

Page 46: ...database in a single server You can use up to three RADIUS servers to provide backups in case access to the primary server fails It also means the same credentials can be used for authentication regardless of which switch or switch port is the current access point into the LAN Web Authentication Web Auth This method uses a web page login to authenticate users for access to the network When a user ...

Page 47: ...e authentication type on a port This means that Web authentication MAC authentication 802 1X MAC lockdown MAC lockout and port security are mutually exclusive on a given port Also LACP must be disabled on ports configured for any of these authentication methods Client Options Web Auth and MAC Auth provide a port based solution in which a port can belong to one untagged VLAN at a time However where...

Page 48: ...uthorization status are provided when using Web Authentication You can use the RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client When a RADIUS server authenticates a client the switch port membership during the client s connection is determined according to the following hierarchy 1 A RADIUS assigned VLAN 2 An authorized VLAN specified in the Web or MAC...

Page 49: ...ly receive no network access or limited network access as defined by the System Administrator Web based Authentication When a client connects to a Web Auth enabled port communication is redi rected to the switch A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials Figure 3 1 Example of User Login Screen The temporary IP address ...

Page 50: ...LAN then for the duration of the client session the port belongs to the authorized VLAN auth vid if configured and temporarily drops all other VLAN memberships 3 If neither 1 or 2 above apply but the port is an untagged member of a statically configured port based VLAN then the port remains in this VLAN 4 If neither 1 2 or 3 above apply then the client session does not have access to any staticall...

Page 51: ... vid to provide access to specific guest network resources If no VLAN is assigned to unauthenticated clients the port is blocked and no network access is available Should another client success fully authenticate through that port any unauthenticated clients on the unauth vid are dropped from the port MAC based Authentication When a client connects to a MAC Auth enabled port traffic is blocked The...

Page 52: ...cess At the end of the session the port returns to its pre authentication state Any changes to the port s VLAN memberships made while it is an authenticated port take affect at the end of the session A client may not be authenticated due to invalid credentials or a RADIUS server timeout The server timeout parameter sets how long the switch waits to receive a response from the RADIUS server before ...

Page 53: ...sword before being allowed access to the network CHAP Challenge Handshake Authentication Protocol Also known as CHAP RADIUS Client In this application an end node device such as a management station workstation or mobile PC linked to the switch through a point to point LAN link Redirect URL A System Administrator specified web page presented to an authorized client following Web Authentication Pro...

Page 54: ...the port this misconfiguration does not allow Web or MAC Authentication to occur VLANs If your LAN does not use multiple VLANs then you do not need to configure VLAN assignments in your RADIUS server or considerusing either Authorized orUnauthorized VLANs Ifyour LAN does use multiple VLANs then some of the following factors may apply to your use of Web Auth and MAC Auth Web Auth and MAC Auth opera...

Page 55: ...want clients in either category to access must be available on those VLANs Where a given port s configuration includes an unauthorized client VLAN assignment the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port In this case if there is a successful request for authentication from an authorized client the switch term...

Page 56: ...o These Steps Before You Configure Web MAC Authentication 1 Configure a local username and password on the switch for both the Operator login and Manager enable access levels While this is not required for a Web or MAC based configuration ProCurve recommends that you use a local user name and password pair at least until your other security measures are in place to protect the switch configuration...

Page 57: ...to use either 100 or vlan100 to specify the VLAN 4 Determine whether to use the optional Unauthorized VLAN mode for clients that the RADIUS server does not authenticate This VLAN must be statically configured on the switch If you do not configure an Unauthor ized VLAN the switch simply blocks access to unauthenticated clients trying to use the port 5 Determine the authentication policy you want on...

Page 58: ...l deny access The switch provides four format options aabbccddeeff the default format aabbcc ddeeff aa bb cc dd ee ff aa bb cc dd ee ff Note on MAC Addresses Letters in MAC addresses must be in lowercase If the device is a switch or other VLAN capable device use the base MAC address assigned to the device and not the MAC address assigned to the VLAN through which the device communicates with the a...

Page 59: ...rver specific key string 3 15 Syntax no radius server host ip address Adds a server to the RADIUS configuration or with no deletes a server from the configuration You can config ure up to three RADIUS server addresses The switch uses the first server it successfully accesses Refer to RADIUS Authentication and Accounting on page 5 1 key global key string Specifies the global encryption key the swit...

Page 60: ...ng sessions with the speci fied server This key must match the encryption key used on the RADIUS server Use this command only if the specified server requires a different encryption key than configured for the global encryption key above The no form of the command removes the key configured for a specific server ProCurve config radius server host 192 168 32 11 key 2Pzo22 ProCurve config show radiu...

Page 61: ...ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support Web Auth on the switch 5 Configure the switch with the correct IP address and encryption key to access the RADIUS server 6 Configure the switch for Web Auth a Configure Web Authentication on the switch ports you want to use b If the necessary to avoid address...

Page 62: ... 3 20 max retries 3 20 quiet period 3 20 reauth period 3 20 reauthenticate 3 20 redirect url 3 21 server timeout 3 21 ssl login 3 21 unauth vid 3 21 Syntax aaa port access web based dhcp addr ip address mask Specifies the base address mask for the temporary IP pool used by DHCP The base address can be any valid ip address not a multicast address Valid mask range value is 255 255 240 0 255 255 255 ...

Page 63: ...ur unless the RADIUS server supplies one Use the no form of the command to set the auth vid to 0 Default 0 Syntax aaa port access web based e port list client limit 1 32 Specifies the maximum number of authenticated clients to allow on the port Default 1 Syntax no aaa port access web based e port list client moves Allows client moves between the specified ports under Web Auth control When enabled ...

Page 64: ...ls Default 2 Syntax aaa port access web based e port list max retries 1 10 Specifies the number of the number of times a client can enter their user name and password before authen tication fails This allows the reentry of the user name and password if necessary Default 3 Syntax aaa port access web based e port list quiet period 1 65535 Specifies the time period in seconds the switch should wait b...

Page 65: ...ies the period in seconds the switch waits for a server response to an authentication request Depend ing on the current max requests value the switch sends a new attempt or ends the authentication session Default 30 seconds Syntax no aaa port access web based e port list ssl login Enables or disables SSL login https on port 443 SSL must be enabled on the switch If SSL login is enabled a user is re...

Page 66: ...LANs are configured on the switch and that the appropriate port assignments have been made 3 Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC Auth on the switch 4 Configure the switch with the correct IP address and encryption key to access the RADIUS server 5 Configure the switch for MAC Auth a...

Page 67: ...d 3 25 Syntax aaa port access mac based addr format no delimiter single dash multi dash multi colon Specifies the MAC address format to be used in the RADIUS request message This format must match the format used to store the MAC addresses in the RADIUS server Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa...

Page 68: ...trol Default disabled no moves allowed Syntax aaa port access mac based e port list auth vid vid no aaa port access mac based e port list auth vid Specifies the VLAN to use for an authorized client The Radius server can override the value accept response includes a vid If auth vid is 0 no VLAN changes occur unless the RADIUS server supplies one Use the no form of the command to set the auth vid to...

Page 69: ...tion is disabled Default 300 seconds Syntax aaa port access mac based e port list reauthenticate Forces a reauthentication of all attached clients on the port Syntax aaa port access mac based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an authentication request Depend ing on the current max requests value the switch sends a new attempt...

Page 70: ...s is listed for each port as well as its current VLAN ID Ports without Web Authenti cation enabled are not listed Syntax show port access port list web based clients Shows the port address Web address session status and elapsed session time for attached clients on all ports or the specified ports Ports with multiple clients have an entry for each attached client Ports without any attached clients ...

Page 71: ...eb Authentication settings for all ports or the specified ports along with the web specific settings for password retries SSL login status and a redirect URL if specified Syntax show port access port list web based config detail Shows all Web Authentication settings including the Radius server specific settings for the specified ports Command Page show port access port list mac based 3 27 clients ...

Page 72: ...or all ports or the specified ports including the MAC address format being used The authorized and unauthorized VLAN IDs are shown If the authorized or unauthorized VLAN ID is 0 then no VLAN change is made unless the RADIUS server supplies one Syntax show port access port list mac based config auth server Shows MAC Authentication settings for all ports or the specified ports along with the Radius ...

Page 73: ...upplied 2 RADIUS Server difficulties See log file 3 If unauth vid is specified it cannot be successfully applied to the port An authorized client on the port has precedence rejected unauth vlan Unauthorized VLAN only 1 Invalid credentials supplied 2 RADIUS Server difficulties See log file timed out no vlan No network access RADIUS request timed out If unauth vid is specified it cannot be successfu...

Page 74: ...3 30 Web and MAC Authentication for the Series 2600 2600 PWR and 2800 Switches Show Client Status This page is intentionally unused ...

Page 75: ...uthentication Configuration 4 9 Viewing the Switch s Current TACACS Server Contact Configuration 4 10 Configuring the Switch s Authentication Methods 4 11 Configuring the Switch s TACACS Server Access 4 15 How Authentication Operates 4 20 General Authentication Process Using a TACACS Server 4 20 Local Authentication Process 4 22 Using the Encryption Key 4 23 Controlling Web Browser Interface Acces...

Page 76: ...TACACS configured the switch first tries to contact a designated TACACS server for authentica Feature Default Menu CLI Web view the switch s authentication configuration n a page 4 9 view the switch s TACACS server contact configuration n a page 4 10 configure the switch s authentication methods disabled page 4 11 configure the switch to contact TACACS server s disabled page 4 15 B ProCurve Switch...

Page 77: ...e access server or terminal server These terms apply when TACACS is enabled on the switch that is when the switch is TACACS aware TACACS Server The server or management station configured as an access control server for TACACS enabled devices To use TACACS with the switch and any other TACACS capable devices in your network you must purchase install and configure a TACACS server application on a n...

Page 78: ...on local authentication refer to Configuring Username and Password Security on page 2 1 TACACS Authentication This method enables you to use a TACACS server in your network to assign a unique password user name and privilege level to each individual or group who needs access to one or more switches or other TACACS aware devices This allows you to administer primary authentication from a central se...

Page 79: ...ommends that you use a TACACS server application that supports a redundant backup installation This allows you to configure the switch to use a backup TACACS server if it loses access to the first choice TACACS server TACACS does not affect web browser interface access Refer to Controlling Web Browser Interface Access When Using TACACS Authentication on page 4 24 General Authentication Setup Proce...

Page 80: ... switch This includes the username password sets for logging in at the Operator read only privilege level and the sets for logging in at the Manager read write privilege level The IP address es of the TACACS server s youwanttheswitchtouse for authentication If you will use more than one server determine which server is your first choice for authentication services The encryption key if any for all...

Page 81: ... correct local username and password for Manager access If the switch cannot find any designated TACACS servers the local manager and operator username password pairs are always used as the secondary access control method Caution You should ensure that the switch has a local Manager password Other wise if authentication through a TACACS server fails for any reason then unauthorized access will be ...

Page 82: ...ta that could affect the console access 9 When you are confident that TACACS access through both Telnet and the switch s console operates properly use the write memory command to save the switch s running config file to flash memory Configuring TACACS on the Switch Before You Begin If you are new to TACACS authentication ProCurve recommends that you read the General Authentication Setup Procedure ...

Page 83: ...s Syntax show authentication This example shows the default authentication configuration Figure 4 2 Example Listing of the Switch s Authentication Configuration Command Page show authentication 4 9 show tacacs 4 10 aaa authentication pages4 11through4 14 console Telnet num attempts 1 10 tacacs server pages 4 15 host ip addr pages 4 15 key 4 19 timeout 1 255 4 20 Configuration for login and enable ...

Page 84: ... TACACS servers the switch can contact Syntax show tacacs For example if the switch was configured for a first choice and two backup TACACS server addresses the default timeout period and paris 1 for a global encryption key show tacacs would produce a listing similar to the following Figure 4 3 Example of the Switch s TACACS Configuration Listing First Choice TACACS Server Second Choice TACACS Ser...

Page 85: ...aa authentication console telnet Selects either console serial port or Telnet access for configuration enable login Selects either the Manager enable or Operator login access level local tacacs radius Selects the type of security access local Authenticates with the Manager and Operator password you configure in the switch tacacs Authenticates with a password and other data configured on a TACACS s...

Page 86: ... for the access method being configured local Use the username password pair configured locally in the switch for the privilege level being configured tacacs Use a TACACS server local or none none n a Specifies the secondary backup type of authentication being configured local The username password pair configured locally in the switch for the privilege level being configured none No secondary typ...

Page 87: ...e purpose of using the TACACS authentication If you want Enable Primary log in attempts to go to a TACACS server then you should configure both Login Primary and Enable Primary for Tacacs authentication instead of configuring Login Primary to Local authentication Access Method and Privilege Level Authentication Options Effect on Access Attempts Primary Secondary Console Login local none Local user...

Page 88: ...ary using TACACS server Secondary using Local ProCurve config aaa authentication console enable tacacs local Telnet Login Operator or Read Only Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication Telnet login tacacs local Telnet Enable Manager or Read Write Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication telnet ena...

Page 89: ...t encryption keys you can configure the switch to use different encryp tion keys for different TACACS servers The timeout value in seconds for attempts to contact a TACACS server If the switch sends an authentication request but does not receive a response within the period specified by the timeout value the switch resends the request to the next server in its Server IP Addr list if any If the swi...

Page 90: ...keys If TACACS server X does not have an encryption key assigned for the switch then configuring either a global encryption key or a server specific key in the switch for server X will block authentication support from server X Syntax tacacs server host ip addr key key string Adds a TACACS server and optionally assigns a server specific encryption key no tacacs server host ip addr Removes a TACACS...

Page 91: ...server 2 When there is one TACACS serves already configured entering another server IP address makes that server the second choice backup TACACS server 3 When there are two TACACS servers already configured entering another server IP address makes that server the third choice backup TACACS server The above position assignments are fixed Thus if you remove one server and replace it with another the...

Page 92: ...also assigned in the TACACS server s that the switch will access for authentication This option is subordinate to any per server encryption keys you assign and applies only to accessing TACACS servers for which you have not given the switch a per server key See the host ip addr key key string entry at the beginning of this table For more on the encryption key see Using the Encryption Key on page 4...

Page 93: ...cryption key if the same key applies to all TACACS servers the switch may use for authentication attempts Use a per server encryption key if different servers the switch may use will have different keys For more details on encryption keys see Using the Encryption Key on page 4 23 To configure north01 as a global encryption key ProCurve config tacacs server key north01 To configure north01 as a per...

Page 94: ... a response to an authentication request from a TACACS server before either sending a new request to the next server in the switch s Server IP Address list or using the local authentication option For example to change the timeout period from 5 seconds the default to 3 seconds ProCurve config tacacs server timeout 3 How Authentication Operates General Authentication Process Using a TACACS Server A...

Page 95: ...he server receives the username input the requesting terminal receives a password prompt from the server via the switch 4 When the requesting terminal responds to the prompt with a password the switch forwards it to the TACACS server and one of the following actions occurs If the username password pair received from the requesting terminal matches a username password pair previously stored in the ...

Page 96: ...hich enables only local password configuration If the operator at the requesting terminal correctly enters the user name password pair for either access level access is granted Iftheusername passwordpairenteredattherequestingterminaldoes not match either username password pair previously configured locally in the switch access is denied In this case the terminal is again prompted to enter a userna...

Page 97: ...on then communication between the switch and the TACACS server will fail Thus on the TACACS server side you have a choice as to how to implement a key On the switch side it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server For information on how to configure a general or individual key in the TACACS server refer to the documentation you received ...

Page 98: ...t 10 28 227 87 key south10campus With both of the above keys configured in the switch the south10campus key overrides the north40campus key only when the switch tries to access the TACACS server having the 10 28 227 87 address Controlling Web Browser Interface Access When Using TACACS Authentication Configuring the switch for TACACS authentication does not affect web browser interface access To pr...

Page 99: ...e first choice or only TACACS server Connecting to secondary Tacacs server The switch was not able to contact the first choice TACACS server and is now attempting to contact the next secondary TACACS server identified in the switch s tacacs server configuration Invalid password The system does not recognize the username or the password or both Depending on the authentication method tacacs or local...

Page 100: ... TACACS is not enabled on the switch or when the switch s only designated TACACS servers are not accessible setting a local Operator password without also setting a local Manager password does not protect the switch from manager level access by unauthor ized persons ...

Page 101: ...nfigure the Switch To Access a RADIUS Server 5 10 3 Configure the Switch s Global RADIUS Parameters 5 12 Local Authentication Process 5 16 Controlling Web Browser Interface Access When Using RADIUS Authentication 5 17 Configuring RADIUS Accounting 5 17 Operating Rules for RADIUS Accounting 5 19 Steps for Configuring RADIUS Accounting 5 19 Viewing RADIUS Statistics 5 25 General RADIUS Statistics 5 ...

Page 102: ...the ProCurve switch Serial port Console Telnet SSH Web Series 2600 2600 PWR and 2800 switches Port Access Note The switch does not support RADIUS security for SNMP network manage ment access or for the 4100gl and 6108 switches web browser interface access For information on blocking unauthorized access through the web browser interface refer to Controlling Web Browser Interface Access When Using R...

Page 103: ...cess Server In this case a ProCurve switch configured for RADIUS security operation RADIUS Remote Authentication Dial In User Service RADIUS Client The device that passes user information to designated RADIUS servers RADIUS Host See RADIUS server RADIUS Server A server running the RADIUS application you are using on your network This server receives user connection requests from the switch authent...

Page 104: ...which they are listed by showradius page 5 25 If the first server does not respond the switch tries the next one and so on To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 5 29 YoucanselectRADIUSastheprimaryauthenticationmethodforeach type of access Only one primary and one secondary access method is allowed for each access type I...

Page 105: ...he configuration process If you need to replace the default UDP destination port 1813 the switch uses for accounting requests to a specific Radius server select it before beginning the configuration process Determine whether you can use one global encryption key for all RADIUS servers or if unique keys will be required for specific servers With multiple RADIUS servers if one key applies to two or ...

Page 106: ...e you can set a bypass period in the range of 1 to 1440 minutes for non responsive servers This requires that you have multiple RADIUS servers accessible for service requests RADIUS Authentication Commands Page aaa authentication 5 8 console telnet ssh web enable login radius 5 8 local none 5 8 no radius server host IP address 5 10 auth port port number 5 10 acct port port number 5 10 5 20 key ser...

Page 107: ...mentation Server IP address Optional UDP destination port for authentication requests default 1812 recommended Optional UDP destination port for accounting requests default 1813 recommended Optional encryption key for use during authentication sessions with a RADIUS server This key overrides the global encryption key you can also configure on the switch and must match the encryption key used on th...

Page 108: ... password Default Three times per session For RADIUS accounting features refer to Configuring RADIUS Accounting on page 5 17 1 ConfigureAuthenticationfortheAccessMethodsYou Want RADIUS To Protect Thissectiondescribeshow toconfiguretheswitchfor RADIUSauthentication through the following access methods Console Either direct serial port connection or modem connection Telnet Inbound Telnet must be ena...

Page 109: ...ion method for console Telnet SSH and or theWeb browser interface The default primary enable login authentication is local local none Provides options for secondary authentication default none Note that for console access secondary authenti cation must be local if primary access is not local This prevents you from being completely locked out of the switch in the event of a failure in other access ...

Page 110: ...equests to the specified RADIUS server host If you do not use this option with the radius server host command the switch automatically assigns the default authentication port number The auth port number must match its server counterpart Default 1812 acct port port number Optional Changes the UDP destination port for account ing requests to the specified RADIUS server If you do not use this option ...

Page 111: ...urce0119 Figure 5 3 Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5 3 you would do the following Figure 5 4 Sample Configuration for RADIUS Server After Changing the Key and Adding Another Server To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 5...

Page 112: ...RADIUS servers for which there is not a server specific key configured by radius server host ip address key key string This key is optional if you configure a server specific key for each RADIUS server entered in the switch Refer to 2 Configure the Switch To Access a RADIUS Server on page 5 10 Server timeout Defines the time period in seconds for authentica tion attempts If the timeout period expi...

Page 113: ...ion due to input errors Default 3 Range 1 10 no radius server key global key string Specifies the global encryption key the switch uses with servers for which the switch does not have a server specific key assignment This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key Default Null dead time 1 1440 Optional Specifies the time in minu...

Page 114: ...tication parameters Allow only two tries to correctly enter username and password Use the global encryption key to support the two servers that use the same key For this example assume that you did not configure these two servers with a server specific key Use a dead time of five minutes for a server that fails to respond to an authentication request Allow three seconds for request timeouts Allow ...

Page 115: ... None SSH Radius None Radius None Web Auth ChapRadius MAC Auth ChapRadius ProCurve show radius Status and Counters General RADIUS Information Deadtime min 5 Timeout secs 3 Retransmit Attempts 2 Global Encryption Key My Global Key 1099 Auth Acct Server IP Addr Port Port Encryption Key 10 33 18 127 1812 1813 source0127 10 33 18 119 1812 1813 10 33 18 151 1812 1813 After two attempts failing due to u...

Page 116: ... the requesting terminal correctly enters the user name password pair for either access level Operator or Manager access is granted on the basis of which username password pair was used For example suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local If a RADIUS access attempt fails then you can still get access to either the Operator or Manager level of the...

Page 117: ...local authentication a Manager user name and password and optionally an Operator user name and password on the switch Configure the switch s Authorized IP Manager feature to allow web browser access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Disable web browser access to the switch Configuring RADIUS Accounting RADIUS Account...

Page 118: ... the switch refer to Configuring Port Based Access Control 802 1X on page 8 1 Exec accounting Provides records holding the information listed below about login sessions console Telnet and SSH on the switch System accounting Provides records containing the information listed below when system events occur on the switch including system reset system boot and enabling or disabling of system accountin...

Page 119: ... server will not be accessed For more on this topic refer to Changing RADIUS Server Access Order on page 5 29 If access to a RADIUS server fails during a session but after the client has been authenticated the switch continues to assume the server is availabletoreceiveaccountingdata Thus ifserveraccessfailsduring a session it will not receive accounting data transmitted from the switch Steps for C...

Page 120: ...Trigger for sending accounting reports to a RADIUS server At session start and stop or only at session stop 3 Optional Configure session blocking and interim updating options Updating Periodically update the accounting data for sessions in progress Suppress accounting Block the accounting session for any unknown user with no username access to the switch 1 Configure the Switch To Access a RADIUS S...

Page 121: ...ication method for one or more types of access to the switch Telnet Console etc Syntax no radius server host ip address Adds a server to the RADIUS configuration or with no deletes a server from the configuration acct port port number Optional Changes the UDP destination port for accounting requests to the specified RADIUS server If you do not use this option the switch automatically assigns the d...

Page 122: ...ta when A system boot or reload occurs System accounting is turned on or off Note that there is no time span associated with using the system option It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs Network Use Network if you want to collect accounting information on 802 1X port based access users connected to the physical ports o...

Page 123: ...ncludes the latest data the switch has collected for the requested accounting type Network Exec or System Do not wait for an acknowledgment Thesystemoption page5 22 alwaysdeliversstop onlyoperationbecause the switchsendsthe accumulated data only whenthere is a reboot reload or accounting on off event For example to configure RADIUS accounting on the switch with start stop for exec functions and st...

Page 124: ...inue the example in figure 5 8 suppose that you wanted the switch to Send updates every 10 minutes on in progress accounting sessions Block accounting for unknown users no username Figure 5 9 Example of Optional Accounting Update Period and Accounting Suppression on Unknown User Syntax no aaa accounting update periodic 1 525600 Sets the accounting update period for all accounting ses sions on the ...

Page 125: ...re 5 11 RADIUS Server Information From the Show Radius Host Command Syntax show radius host ip addr Shows general RADIUS configuration including the server IP addresses Optional form shows data for a specific RADIUS host To use showradius the server s IP address must be configured in the switch which requires prior use of the radius server host command See Configuring RADIUS Accounting on page 5 1...

Page 126: ...equest as well as a timeout Malformed Responses The number of malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators and unknown types are not included as malformed accounting responses Bad Authenticators The number of RADIUS Accounting Response packets which contained invalid authenticators received from t...

Page 127: ...cation Displays the primary and secondary authentication meth ods configured for the Console Telnet Port Access 802 1X and SSH methods of accessing the switch Also displays the number of access attempts currently allowed in a session show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch s interactions with this server Requires prior use of the r...

Page 128: ...ccounting Information for a Specific Server Syntax show accounting Lists configured accounting interval Empty User suppres sion status accounting types methods and modes show radius accounting Lists accounting statistics for the RADIUS server s config ured in the switch using the radius server host command show accounting sessions Lists the accounting sessions currently active on the switch ...

Page 129: ...ey are listed in the order in which you entered them However if you subsequently remove the second server address in the list and add a new server address the new address will be placed second in the list Thus to move a server address up in the list you must delete it from the list ensure that the position to which you want to move it is vacant and then re enterit Forexample supposeyouhavealreadyc...

Page 130: ...hest position in the list 3 Re enter 10 10 10 003 Because the switch places a newly entered address in the highest available position this address becomes first in the list 4 Re enter 10 10 10 001 Because the only positionopen is the thirdposition this address becomes last in the list Figure 5 18 Example of New RADIUS Server Search Order Removes the 003 and 001 addresses from the RADIUS server lis...

Page 131: ...ctly configured to receive an authentication request from the switch No server s responding The switch is configured for and attempting RADIUS authentication however it is not receiving a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for...

Page 132: ...5 32 RADIUS Authentication and Accounting Messages Related to RADIUS Operation This page is intentionally unused ...

Page 133: ...Switch for SSH Operation 6 9 1 Assign Local Login Operator and Enable Manager Password 6 9 2 Generate the Switch s Public and Private Key Pair 6 10 3 Provide the Switch s Public Key to Clients 6 12 4 Enable SSH on the Switch and Anticipate SSH Client Contact Behavior 6 15 5 Configure the Switch for SSH Authentication 6 18 6 Use an SSH Client To Access the Switch 6 21 Further Information on SSH Cli...

Page 134: ...option uses one or more public keys from clients that must be stored on the switch Only a client with a private key that matches a stored public key can gain access to the switch The same private key can be stored on one or more clients Figure 6 1 Client Public Key Authentication Model Feature Default Menu CLI Web Generating a public private key pair on the switch No n a page 6 10 n a Using the sw...

Page 135: ...ds stored locally on the switch or on a TACACS or RADIUS server However the client does not use a key to authenticate itself to the switch Figure 6 2 Switch User Authentication SSH on the ProCurve switches covered in this guide supports these data encryption methods 3DES 168 bit DES 56 bit Note The ProCurve switches covered in this guide use the RSA algorithm for internally generated keys v1 v2 sh...

Page 136: ...g or copying A private key generated by an SSH client applica tion is typically stored in a file on the client device and together with its public key counterpart can be copied and stored on multiple devices Public Key An internally generated counterpart to a private key A device s public key is used to authenticate the device to other devices Enable Level Manager privileges on the switch Login Le...

Page 137: ...rate or import keys Public Key Formats Any client application you use for client public key authentication with the switch must have the capability export public keys The switch can accept keys in the PEM Encoded ASCII Format or in the Non Encoded ASCII format Figure 6 3 Example of Public Key in PEM Encoded ASCII Format Common for SSHv2 Clients Figure 6 4 Example of Public Key in Non Encoded ASCII...

Page 138: ...SSH application b Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public key file to the switch The client public key file can hold up to ten client keys This topic is covered under To Create a Client Public Key Text File on page 6 23 Switch Access Level Primary SSH Authentication Authenticate SwitchPublicKey to SSH Clients Authentica...

Page 139: ...econdary authentication methods you want the switch to use In all cases the switch will use its host public key to authenticate itself when initiating an SSH session with a client SSH Login Operator options Option A Primary Local TACACS or RADIUS password Secondary Local password or none Option B Primary Client public key authentication login public key page 6 21 Secondary Local password or none N...

Page 140: ...itch you should avoid re generating the key pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations clients you previously set up for SSH access to the switch In some situations this can temporarily allow security breaches On ProCurve switches that support stacking when stacking is enabled SSH provides security only between an SSH...

Page 141: ...Manager password with one command Syntax password manager operator all SSH Related Commands in This Section Page show ip ssh 6 17 show crypto client public key keylist str babble fingerprint 6 24 show crypto host public key babble fingerprint 6 14 show authentication 6 21 crypto key generate zeroize ssh rsa 6 11 ip ssh 6 16 key size 512 768 1024 6 16 port 1 65535 default 6 16 timeout 5 120 6 16 ve...

Page 142: ...s flash memory and only the public key in this pair is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the SSH clients which should have access to the switch Some SSH client appli cations automatically add the switch spublic key to a knownhosts file Other SSH applications require you to manually create a known hosts file and place t...

Page 143: ...ver any active SSH sessions will continue to run unless explicitly terminated with the CLI kill command To Generate or Erase the Switch s Public Private RSA Host Key Pair Because the host key pair is stored in flash instead of the running config file it is not necessary to use write memory to save the key pair Erasing the key pair automatically disables SSH Syntax crypto key generate ssh rsa Gener...

Page 144: ...t match for PEM keys only the PEM encoded string itself must match Notes Zeroizing the switch s key automatically disables SSH sets ip ssh to no Thus if you zeroize the key and then generate a new key you must also re enable SSH with the ip ssh command before the switch can resume SSH operation 3 Provide the Switch s Public Key to Clients When an SSH client contacts the switch for the first time t...

Page 145: ...gure 6 6 2 Bring up the SSH client s known host file in a text editor such as Notepad as straight ASCII text and copy the switch s public key into the file 3 Ensure that there are no changes in breaks in the text string A public key must be an unbroken ASCII string Line breaks are not allowed Changes in the line breaks will corrupt the Key For example if you are using Windows Notepad ensure that W...

Page 146: ...e switch is using for authenticating itself to a client matches the copy of this key in the client s known hosts file Non encoded ASCII numeric string Requires a client ability to display the keys in the known hosts file in the ASCII format This method is tedious and error prone due to the length of the keys See figure 6 8 on page 6 13 Phonetic hash Outputs the key as a relatively short series of ...

Page 147: ...sion of its public key for file storage and default display format 4 Enable SSH on the Switch and Anticipate SSH Client Contact Behavior The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients After you enable SSH the switch can authenticate itself to SSH clients Note Before enabling SSH on the switch you must generate the swit...

Page 148: ... to the switch You can remove this possibility by directly connecting the management station to the switch s serial port using a show command to display the switch s public key and copying the key from the display into a file This requires a knowledge of where your client stores public keys plus the knowledge of what key editing and file format might be required by your client application However ...

Page 149: ...other reserved TCP ports on the ProCurve switches are 49 80 1506 and 1513 Figure 6 11 Example of Enabling IP SSH and Listing the SSH Configuration and Status port 1 65535 default The TCP port number for SSH connections default 22 Important See Note on Port Number on page 6 17 timeout 5 120 The SSH login timeout value default 120 seconds version 1 2 1 or 2 The version of SSH to accept connections f...

Page 150: ...button which removes local password protection keepphysical access to the switch restricted to authorized personnel 5 Configure the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch s public key by an SSH client However only Option B page 6 19 results in the switch also authenticating the client s public key Also for a more detailed discussi...

Page 151: ... Authentication on page 6 21 With steps 1 3 above completed and SSH properly configured on the switch if an SSH client contacts the switch login authentication automatically occurs using the switch and client public keys Then after the client gains login access the switch controls client access to the manager level by requiring the passwords configured earlier by the aaa authentication ssh enable ...

Page 152: ...tp pub key file ip address filename Copies a public key file into the switch aaa authentication ssh login public key none Configures the switch to authenticate a client public key for primary login Operator access When the primary method is public key the secondary method is always none which may or may not be specified Syntax aaa authentication ssh enable local tacacs radius local none Configures...

Page 153: ...ed Problems in the Troubleshooting chapter of the Manage ment and Configuration Guide for your switch Further Information on SSH Client Public Key Authentication The section titled 5 Configure the Switch for SSH Authentication on page 6 18 lists the steps for configuring SSH authentication on the switch However if you are new to SSH or need more details on client public key authentication this sec...

Page 154: ...ly provide a utility to generate a key pair The private key is usually stored in a password protected file on the local host the public key is stored in another file and is not protected Note that even without using client public key authentication you can still require authentication from whoever attempts to access the switch from an SSH client by employing the local username password TACACS or R...

Page 155: ...key file into the switch Note that the switch can hold 10 keys The new key is appended to the client public key file 4 Use the aaa authentication ssh command to enable client public key authentication To Create a Client Public Key Text File These steps describe how to copy client public keys into the switch for RSA challenge response authenti cation and require an understanding of how to use your ...

Page 156: ...th a CR LF Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key Although you can manually add or edit any comments the client application adds to the end of the key such as the smith fellow at the end of the key in figure 6 14 on page 6 23 Property Supported Value Comments Key Format ASCII See figure 6 8 on...

Page 157: ...xisting client public key file or specific keys by executing the clear crypto public key command Syntax clear crypto public key Deletes the client public key file from the switch Syntax clear crypto public key 3 Deletes the entry with an index of 3 from the client public key file on the switch Syntax copy tftp pub key file ip address filename Copies a public key file from a TFTP server into flash ...

Page 158: ...public key local configured if the switch does not have an Operator level password it blocks client public key access to SSH clients whose private keys do not match a public key in the switch s client public key file Caution To enable client public key authentication to block SSH clients whose public keys are not in the client public key file copied into the switch you must configure the Login Sec...

Page 159: ...mber See Note on Port Number on page 6 17 Client public key file corrupt or not found Use copy tftp pub key file ip addr filename to down load new file The client key does not exist in the switch Use copy tftp to download the key from a TFTP server Download failed overlength key in key file Download failed too many keys in key file Download failed one or more keys is not a valid public key The pub...

Page 160: ...es After you execute the crypto key generate ssh rsa command the switch displays this message while it is generating the key Host RSA key file corrupt or not found Use crypto key generate ssh rsa to create new host key The switch s key is missing or corrupt Use the crypto key generate ssh rsa command to generate a new key for the switch Message Meaning ...

Page 161: ...L for Switch and Client Authentication 7 5 General Operating Rules and Notes 7 6 Configuring the Switch for SSL Operation 7 7 1 Assign Local Login Operator and Enable Manager Password 7 7 2 Generate the Switch s Server Host Certificate 7 9 3 Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior 7 17 Common Errors in SSL Setup 7 21 ...

Page 162: ...uthentication Note SSL in ProCurve switches is based on the OpenSSL software toolkit For more information on OpenSSL visit http www openssl com Server Certificate authentication with User Password Authentication This option is a subset of full certificate authentication of the user and host It occurs only if the switch has SSL enabled As in figure 7 1 the switch authenticates itself to SSL enabled...

Page 163: ...p part of server host certificate and private portion is stored in switch flash not user accessible Digital Certificate A certificate is an electronic passport that is used to establish the credentials of the subject to which the certificate was issued Information contained within the certificate includes name of the subject serial number date of validity subject s public key and the digital signa...

Page 164: ... signed certificates Trusted certificates are distributed as an integral part of most popular web clients see browser documentation for which root certificates are pre installed Manager Level Manager privileges on the switch Operator Level Operator privileges on the switch Local password or username A Manager level or Operator level password configured in the switch SSL Enabled 1 A certificate key...

Page 165: ...tionality See the browser documentation for addi tional details B Switch Preparation 1 Assign a login Operator and enable Manager password on the switch page 7 7 2 Generate a host certificate on the switch page 7 9 i Generate certificate key pair ii Generate host certificate You need to do this only once The switch s own public private certificate key pair and certificate are stored in the switch ...

Page 166: ...ty breaches The switch s own public private certificate key pair and certificate are stored in the switch s flash memory and are not affected by reboots or the erase startup config command The public private certificate key pair is not be confused with the SSH public private key pair The certificate key pair and the SSH key pair are independent of each other which means a switch can have two keys ...

Page 167: ...t least a Manager password to the switch Otherwise under some circumstances anyone with Telnet web or serial port access could modify the switch s configuration SSL Related CLI Commands in This Section Page web management ssl page 7 19 show config page 7 19 show crypto host cert page 7 12 crypto key generate cert rsa 512 768 1024 page 7 10 zeroize cert page 7 10 crypto host cert generate self sign...

Page 168: ...anagement and Configuration Guide for your switch Figure 7 2 Example of Configuring Local Passwords 1 Proceed to the security tab and select device passwords button 2 Click in the appropriate box in the Device Passwords window and enter user names and passwords You will be required to repeat the password strings in the confirmation boxes Both the user names and passwords can be up to 16 printable ...

Page 169: ...ted and digitally signed by the switch Since self signed certificates are not signed by a third party certificate authority there is no audit trail to a root CA certificate and no fool proof means of verifying authenticity of certificate The second type is a certificate authority signed certificate which is digitally signed by a certificate authority has an audit trail to a root CA certificate and...

Page 170: ... pair when generating a new certificate The existing key pair may be re used and the crypto key generate cert command does not have to be executed ii Generate a new self signed host certificate This is done with the crypto host cert generate self signed Arg List command Note When generating a self signed host certificate on the CLI if there is not certificate key generated this command will fail S...

Page 171: ...te however good security practices would suggest a valid duration of about one year between updates of passwords and keys Common name This should be the IP address or domain name associated with the switch Your web browser may warn you if this field does not match the URL entered into the web browser when accessing the switch Organization This is the name of the entity e g company where the switch...

Page 172: ...e a new key and server certificate you must also re enable SSL with the web management ssl command before the switch can resume SSL operation CLI Command to view host certificates To view the current host certificate from the CLI you use the show crypto host cert command For example to display the new server host certificate Figure 7 4 Example of show crypto host cert command Syntax show crypto ho...

Page 173: ... anewcertificatekeypairand self signed CA signed certificate The right half displays information on the currently installed certificate ii Select the Create Certificate Certificate Request radio button iii Select Self Signed in the Certificate Type drop down list iv Select the RSA Key Size desired If you want to re use the current certificate key select Current from this list v Fill in the remaini...

Page 174: ... web browsers inter face Figure 7 5 Self Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface 1 Proceed to the Security tab 2 Then the SSL button Security Tab SSL button Certificate Type Box Key Size Selection Certificate Arguments Create Certificate Button ...

Page 175: ...d server host certificate with the Web Browser Interface This section describes how to install a CA Signed server host certificate from the web browser interface For more information on how to access the web browser interface refer to the chapter titled Using the Web Browser Inter face in the Management and Configuration Guide for your switch Current SSL Host Certificate ...

Page 176: ...ty tab then the SSL button ii Select the Create Certificate Certificate Request radio button iii Select Create CA Request from the Certificate Type drop down list iv Select the key size from the RSA Key Size drop down list If you want to re use the current certificate key select Current from this list v Fill in the remaining certificate arguments Refer to Comments on Certificate Fields on page 7 1...

Page 177: ...quest Certificate Request Reply BEGIN CERTIFICATE MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgV...

Page 178: ...ificate chain of the switch server certificate up to the root certificate installed in the browser thus authenticating the switch unequivocally As long as you are confident that an unauthorized device is not using the switch s IP address in an attempt to gain access to your data or network you can accept the connection Note When an SSL client connects to the switch for the first time it is possibl...

Page 179: ...le SSL To enable SSL on the switch i Proceed to the Security tab then the SSL button ii Select SSL Enable to on and enter the TCP port you desire to connect on iii Click on the Apply Changes button to enable SSL on the port To disable SSL on the switch do either of the following i Proceed to the Security tab then the SSL button ii Select SSL Enable to off iii Click on the Apply Changes button to e...

Page 180: ...and 1513 Caution SSL does not protect the switch from unauthorized access via the Telnet SNMP or the serial port While Telnet access can be restricted by the use of passwords local to the switch if you are unsure of the security this provides youmaywanttodisableTelnetaccess notelnet IfyouneedtoincreaseSNMP security use SNMP version 3 only for SNMP access Another security measure is to use the Auth...

Page 181: ...eb browser interface You have not generated a host certificate Refer to Generate a Self Signed Host Certificate with the Web browser interface on page 7 13 You may be using a reserved TCP port Refer to Note on Port Number on page 7 20 Unable to Connect with SSL You may not have SSL enabled Refer to 3 Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior on page 7 17 Your browser may...

Page 182: ...7 22 Configuring Secure Socket Layer SSL Common Errors in SSL Setup This page is intentionally unused ...

Page 183: ... Authentication on the Switch 8 13 Configuring Switch Ports as 802 1X Authenticators 8 15 1 Enable 802 1X Authentication on Selected Ports 8 15 3 Configure the 802 1X Authentication Method 8 19 4 Enter the RADIUS Host IP Address es 8 20 5 Enable 802 1X Authentication on the Switch 8 20 802 1X Open VLAN Mode 8 21 Introduction 8 21 Use Models for 802 1X Open VLAN Modes 8 22 Operating Rules for Autho...

Page 184: ...ions to Other Switches 8 34 Displaying 802 1X Configuration Statistics and Counters 8 38 Show Commands for Port Access Authenticator 8 38 Viewing 802 1X Open VLAN Mode Status 8 40 Show Commands for Port Access Supplicant 8 43 How RADIUS 802 1X Authentication Affects VLAN Operation 8 44 Messages Related to 802 1X Operation 8 48 ...

Page 185: ...plicants having a point to point connection to the switch and as a supplicant for point to point connections to other 802 1X aware switches Authentication of 802 1X clients using a RADIUS server and either the EAP or CHAP protocol Provision for enabling clients that do not have 802 1 supplicant soft ware to use the switch as a path for downloading the software and initiating the authentication pro...

Page 186: ... servers to provide backups in case access to the primary server fails It also means a user can enter the same username and password pair for authentication regardless of which switch is the access point into the LAN Note that you can also configure 802 1X for authentication through the switch s local username and password instead of a RADIUS server but doing so increases the administrative burden...

Page 187: ...ion Accounting The switch also provides RADIUS Network accounting for 802 1X access Refer to RADIUS Authentication and Accounting on page 5 1 RADIUS Server LAN Core 802 1X Aware Client Supplicant SwitchRunning802 1Xand Connected as a Supplicant Switch Running 802 1X and Operating as an Authenticator ...

Page 188: ...e client 4 The switch responds in one of the following ways If 802 1X port access on the switch is configured for RADIUS authentication the switch then forwards the request to a RADIUS server i The server responds with an access challenge which the switch forwards to the client ii The client then provides identifying credentials such as a user certificate which the switch forwards to the RADIUS se...

Page 189: ...to the authenticated state If switch B is operating properly and is not 802 1X aware then the link should begin functioning normally but without 802 1X security If after sending one or more start packets port A1 receives a request packet from port B5 then switch B is operating as an 802 1X authenticator The supplicant port then sends a response ID packet Switch B forwards this request to a RADIUS ...

Page 190: ...ally configured VLAN memberships or any VLAN member ships that may be assigned during the RADIUS authentication process While an 802 1X port is a member of this VLAN the port is untagged When the client connection terminates the port drops its membership in this VLAN Authentication Server The entity providing an authentication service to the switch when the switch is configured to operate as an au...

Page 191: ...aneously If a client connected to the port has an operating system that supports 802 1q VLAN tagging then the client can access VLANs for which the port is a tagged member If the client does not support VLAN tagging then it can access only a VLAN for which the port is an untagged member A port can be an untagged member of only one VLAN at a time 802 1X Open VLAN mode does not affect a port s tagge...

Page 192: ...connected to another device rebooting the switch causes a re authentication of the link When a port on the switch is configured as an authenticator it will block access to a client that either does not provide the proper authentication credentials or is not 802 1X aware You can use the optional 802 1X Open VLAN mode to open a path for downloading 802 1X supplicant software to a client which enable...

Page 193: ...tication is successful the port becomes unblocked Similarly if the supplicant is authenticated and later the port becomes a trunk member the port will be blocked If the port is then removed from the trunk it tries to re authenticate the supplicant If successful the port becomes unblocked To help maintain security 802 1X and LACP cannot both be enabled on the same port If you try to configure 802 1...

Page 194: ...re not 802 1X aware that is for clients that are not running 802 1X supplicant software This will require you to provide download able software that the client can use to enable an authentication session For more on this topic refer to 802 1X Open VLAN Mode on page 8 21 4 For each port you want to operate as a supplicant determine a username and password pair You can either use the same pair for e...

Page 195: ...an initiate an authenti cation session enable the 802 1X Open VLAN mode on the ports you want to support this feature Refer to page 8 21 3 Configure the 802 1X authentication type Options include Local Operator username and password the default This option allows a client to use the switch s local username and password as valid 802 1X credentials for network access EAP RADIUS This option requires ...

Page 196: ...r 802 1X operation and if desired the action to take if an unauthorized device attempts access through an 802 1X port See page 8 32 8 If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802 1X authenticator on another device then configure the supplicant operation Refer to Configuring Switch Ports To Operate As Supplicants for 802 1X Connections ...

Page 197: ...ically disables LACP on that port However if the port is already operating in an LACP trunk you must remove the port from the trunk before you can config ure it for 802 1X authentication 802 1X Authentication Commands Page no aaa port access authenticator ethernet port list 8 15 control quiet period tx period supplicant timeout server timeout max requests reauth period auth vid unauth vid initiali...

Page 198: ... the default The device connected to the port must support 802 1X authentication and provide valid credentials in order to get network access You have the option of using the Open VLAN mode to provide a path for clients without 802 1X supplicant software to download this software and begin the authentication process Refer to 802 1X Open VLAN Mode on page 8 21 unauthorized Also termed Force Unautho...

Page 199: ...ime out before authentication fails and the authenti cation session ends If you are using the Local authen tication option or are using RADIUS authentication with only one host server the switch will not start another session until a client tries a new access attempt If you are using RADIUS authentication with two or three host servers the switch will open a session with each server in turn until ...

Page 200: ...d outbound traffic and restarts the 802 1X authentication process This happens only on ports configured with controlauto and actively operating as 802 1X authenticators Note If a specified port is configured with control authorized and port security and the port has learned an authorized address the port will remove this address and learn a new one from the first packet it receives reauthenticate ...

Page 201: ... capable RADIUS servers Figure 8 3 Example of 802 1X Port Access Authentication Syntax aaa authentication port access local eap radius chap radius Determines the type of RADIUS authentication to use local Use the switch s local username and password for supplicant authentication eap radius Use EAP RADIUS authentication Refer to the documentation for your RADIUS server chap radius Use CHAP RADIUS M...

Page 202: ...s command Syntax radius host ip address Adds a server to the RADIUS configuration key server specific key string Optional Specifies an encryption key for use during authentication or accounting sessions with the spec ified server This key must match the key used on the RADIUS server Use this option only if the specified server requires a different key than configured for the global encryption key ...

Page 203: ... server Downloading the 802 1X supplicant software necessary for an authen tication session The 802 1X Open VLAN mode solves this problem by temporarily suspending the port s static tagged and untagged VLAN memberships and placing the port in a designated Unauthorized Client VLAN In this state the client can proceed with initialization services such as acquiring IP addressing and 802 1X software a...

Page 204: ...2 above then it operates as an untagged member of that VLAN while the client is connected When the client disconnects the port reverts to tagged membership in the VLAN Use Models for 802 1X Open VLAN Modes You can apply the 802 1X Open VLAN mode in more than one way Depending on your use you will need to create one or two static VLANs on the switch for exclusive use by per port 802 1X Open VLAN mo...

Page 205: ...while the port is a member of the Unauthorized Client VLAN Authorized Client VLAN After the client is authenticated the port drops membership in the Unauthorized Client VLAN and becomes an untagged member of this VLAN Note if RADIUS authentication assigns a VLAN the port temporarily becomes a member of the RADIUS assigned VLAN instead of the Authorized Client VLAN while the client is connected If ...

Page 206: ... RADIUS server assigns theporttoanother authorizedVLAN Notethatiftheportisalready configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN then the port becomes an untagged member of that VLAN for the duration of the client connection After the client disconnects the port returns to tagged membership in that VLAN Open VLAN Mode with Only an Authorized Client VLAN Configure...

Page 207: ... the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured After client authentication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 8 22 TemporaryVLANMembershipDuring a Client Session Port membership in a VLAN assigned to operate as the Unauthorized Client VLAN is temporary ...

Page 208: ...authorized Client and Authorized Client VLANs You can use the same static VLAN as the Unauthorized Client VLAN for all 802 1X authenticator ports configured on the switch Similarly you can use the same static VLAN as the Authorized Client VLAN for all 802 1X authenticator ports configured on the switch Caution Do not use the same static VLAN for both the unauthorized and the Authorized Client VLAN...

Page 209: ...ator ports do not have to be members of this VLAN Note that if an 802 1X authenticator port is an untagged member of another VLAN the port s access to that other VLAN will be temporarily removed while an authenticated client is connected to the port For example if i Port A5 is an untagged member of VLAN 1 the default VLAN ii You configure port A5 as an 802 1X authenticator port iii You configure p...

Page 210: ...802 1X VLAN operation 1 Enable 802 1X authentication on the individual ports you want to serve as authenticators The switch automatically disables LACP on the ports on which you enable 802 1X On the ports you will use as authenticators with VLAN operation ensure that the default port control parameter is set to auto Refer to 1 Enable 802 1X Authentication on Selected Ports on page 8 15 This settin...

Page 211: ... 8 32 After you complete steps 1 and 2 the configured ports are enabled for 802 1X authentication without VLAN operation and you are ready to configure VLAN Operation Syntax radius host ip address Adds a server to the RADIUS configuration key server specific key string Optional Specifies an encryption key for use with the specified server This key must match the key used on the RADIUS server Use t...

Page 212: ...st auth vid vlan id Configures an existing static VLAN to be the Authorized Client VLAN unauth vid vlan id Configures an existing static VLAN to be the Unauthor ized Client VLAN ProCurve config aaa authentication port access eap radius Configures the switch for 802 1X authentication using an EAP RADIUS server ProCurve config aaa port access authenticator a10 a20 Configures ports A10 A20 as 802 1 a...

Page 213: ...ed as a tagged member of VLAN X that is not used as an Unauthorized Client Authorized Client or RADIUS assigned VLAN then the port returns to tagged membership in VLAN X upon successful client authentication This happens even if the RADIUS server assigns the port to another authorized VLAN Y Note that if RADIUS assigns VLAN X as an authorized VLAN then the port becomes an untagged member of VLAN X...

Page 214: ...ic from this specific device is allowed on the port When this device logs off another 802 1X aware device can be authenticated on the port Note Port Security operates with 802 1X authentication as described above only if the selected ports are configured as 802 1X that is with the control mode in the port access authenticator command set to auto For example to configure port A10 for 802 1X authent...

Page 215: ... don t want authorized If this occurs you can block access by the unauthorized non 802 1X device by using one of the following options If 802 1X authentication is disabled on the port use these command syntaxes to enable it and allow only an 802 1X aware device If 802 1X authentication is enabled on the port but set to authorized Force Authorized use this command syntax to allow only an 802 1X awa...

Page 216: ...tor and a supplicant For example suppose that you want to connect two switches where Switch A has port A1 configured for 802 1X supplicant operation You want to connect port A1 on switch A to port B5 on switch B Figure 8 4 Example of Supplicant Operation 802 1X Authentication Commands page 8 15 802 1X Supplicant Commands no aaa port access supplicant ethernet port list page 8 35 auth timeout held ...

Page 217: ...rname and password 2 The RADIUS server then responds with an access challenge that switch B forwards to port A1 on switch A 3 Port A1 replies with a hash response based on its unique credentials Switch B forwards this response to the RADIUS server 4 The RADIUS server then analyzes the response and sends either a suc cess or failure packet back through switch B to port A1 A success response unblock...

Page 218: ...orts execute this command without any other parameters After doing this you can use the command again with the following parameters to configure supplicant oper tion Use one instance of the command for each parameter you want to configure The no form disables supplicant operation on the designated port s identity username Sets the username and password to pass to the authen ticator port when a cha...

Page 219: ...sponse Default 3 held period 0 65535 Sets the time period the supplicant port waits after an active 802 1X session fails before trying to re acquire the authenticator port Default 60 seconds start period 1 300 Sets the time period between Start packet retransmis sions That is after a supplicant sends a start packet it waits during the start period for a response If no response comes during the sta...

Page 220: ...ers displays whether port access authenticator is active Yes or No and the status of all ports configured for 802 1X authentication The Authenticator Backend State in this data refers to the switch s interaction with the authentication server With port list only same as above but limits port status to only the specified port Does not display data for a specified port that is not enabled as an auth...

Page 221: ...port access authenticator is active The statistics of the ports configured as 802 1X authenticators including the supplicant s MAC address as determined by the content of the last EAPOL frame received on the port Does not display data for a specified port that is not enabled as an authenticator session counters e port list Shows Whether port access authenticator is active The session status on the...

Page 222: ... is configured and matches the Current VLAN ID in the above command output an authenticated client is connected to the port This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN An Unauth VLAN ID appearing in the Current VLAN ID column for the same port indicates an unauthenticated client is connected to this port Assumes that the port is not a statica...

Page 223: ...port to allow network access to any connected device that supports 802 1X authentication and provides valid 802 1X credentials This is the default authenticator setting FA Configures the port for Force Authorized which allows access to any device connected to the port regardless of whether it meets 802 1X criteria You can still configure console Telnet or SSH security on the port FU Configures the...

Page 224: ... indicated port Current VLAN ID vlan id Lists the VID of the static untagged VLAN to which the port currently belongs No PVID The port is not an untagged member of any VLAN Status Indicator Meaning Syntax show vlan vlan id Displays the port status for the selected VLAN including an indication of which port memberships have been temporarily overridden by Open VLAN mode Note that ports B1 and B3 are...

Page 225: ...atistics it most recently received until one of the above events occurs Also if you move a link with an authenticator from one Syntax show port access supplicant e port list statistics show port access supplicant e port list Shows the port access supplicant configuration excluding the secret parameter for all ports or port list ports configured on the switch as supplicants The Supplicant State can...

Page 226: ...ot exist or is a dynamic VLAN created by GVRP authentication fails Also for the session to proceed the port must be an untagged member of the required VLAN If it is not the switch temporarily reassigns the port as described below If the Port Used by the Client Is Not Configured as an Untagged Member of the Required Static VLAN When a client is authenticated on port N if port N is not already confi...

Page 227: ... client use VLAN 22 then VLAN 22 becomes available as Untagged on port A2 for the duration of the session VLAN 33 becomes unavailable to port A2 for the duration of the session because there can be only one untagged VLAN on any port You can use the show vlan vlan id command to view this temporary change to the active configuration as shown below You can see the temporary VLAN assignment by using t...

Page 228: ...rarily Drops Port 22 for the 802 1X Session This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802 1X session This is to accommodate an 802 1X client s access authenticated by a RADIUS server where the server included an instruction to put the client s access on VLAN 22 Note With the current VLAN configuration figure 8 7 the only time port A2 appears in this show vlan 22 listi...

Page 229: ... Session Ends Notes Any port VLAN ID changes you make on 802 1X aware ports during an 802 1X authenticated session do not take effect until the session ends With GVRP enabled a temporary untagged static VLAN assignment created on a port by 802 1X authentication is advertised as an existing VLAN If this temporary VLAN assignment causes the switch to disable a configured untagged static VLAN assignm...

Page 230: ... 8 35 No server s responding This message can appear if you configured the switch for EAP RADIUS or CHAP RADIUS authentication but the switch does not receive a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for that message page 5 31 LAC...

Page 231: ...ifferences Between MAC Lockdown and Port Security 9 19 Deploying MAC Lockdown 9 21 MAC Lockout 9 25 Port Security and MAC Lockout 9 27 IP Lockdown 9 28 Web Displaying and Configuring Port Security Features 9 29 Reading Intrusion Alerts and Resetting Alert Flags 9 29 Notice of Security Violations 9 29 How the Intrusion Log Operates 9 30 Keeping the Intrusion Log Current by Resetting Alert Flags 9 3...

Page 232: ... intruders from receiving broadcast and multi cast traffic Basic Operation Default Port Security Operation The default port security setting for each port is off or continuous That is any device can access a port without causing a security reaction Intruder Protection A port that detects an intruder blocks the intruding device from transmitting to the network through that port Feature Default Menu...

Page 233: ...allowed to send inbound traffic through the port This feature Closes the port to inbound traffic from any unauthorized devices that are connected to the port Provides the option for sending an SNMP trap notifying of an attempted security violation to a network management station and optionally disables the port For more on configuring the switch for SNMP management refer to Trap Receivers and Auth...

Page 234: ...ion Ports configured for either Active or Passive LACP and which are not members of a trunk can be configured for port security Switch A Port Security Configured Switch B MAC Address Authorized by Switch A PC 1 MAC Address Authorized by Switch A PC 2 MAC Address NOT Authorized by Switch A PC 3 MAC Address NOT Authorized by Switch A Switch C MAC Address NOT Authorized by Switch A Switch A Port Secu...

Page 235: ...t detects or not d For each port what security actions do you want The switch automatically blocks intruders detected on that port from transmit ting to the network You can configure the switch to 1 send intrusion alarms to an SNMP management station and to 2 option ally disable the port on which the intrusion was detected e How do you want to learn of the security violation attempts the switch de...

Page 236: ...is section describes the CLI port security command and how the switch acquires and maintains authorized addresses Note Use the global configuration level to execute port security configuration commands show port security 9 11 port security 9 12 ethernet port list 9 12 learn mode 9 12 address limit 9 12 mac address 9 12 action 9 12 clear intrusion flag 9 12 no port security 9 12 ...

Page 237: ...d address limit That is if you enter fewer MAC addresses than you authorized the port fills the remainder of the address allowance with MAC addresses it automatically learns For example if you specify three authorized devices but enter only one authorized MAC address the port adds the one specifically authorized MAC address to its authorized devices list and the first two additional MAC addresses ...

Page 238: ...e Networking website Refer to Getting Documentation From the Web on page 1 9 Port Access Enables you to use Port Security with 802 1X Port Based Access Control Refer to Configuring Port Based Access Control 802 1X on page 8 1 address limit integer When Learn Mode is set to static static learn or configured static configured this parameter specifies the number of authorized devices MAC addresses to...

Page 239: ... alarm Causes the switch to send an SNMP trap to a network management station send disable Available only with learn mode configured and learn mode static Causes the switch to send an SNMP trap to a network management station and disable the port If you subsequently re enable the port without clearing the port s intrusion flag the port will block further intruders but the switch will not disable t...

Page 240: ...the startup config file to match the running config file Assigned Authorized MAC Addresses If you manually assign a MAC address using mac address mac addr and then execute write memory the assigned MAC address remains in memory unless removed by one of the methods described below Removing Learned and Assigned Static MAC Addresses To remove a static MAC address do one of the following Delete the ad...

Page 241: ... security displays operating control settings for all ports on a switch For example Figure 9 2 Example Port Security Listing Ports A7 and A8 Show the Default Setting Withportnumbersincludedinthecommand showport securitydisplaysLearn Mode Address Limit alarm Action and Authorized Addresses for the spec ified ports on a switch The following example lists the full port security configuration for a si...

Page 242: ...mac addr mac addr action none send alarm send disable clear intrusion flag For the configured option above refer to the Note on page 9 8 no port security port list mac address mac addr mac addr mac addr Specifying Authorized Devices and Intrusion Responses Learn Mode Static This example configures port A1 to automatically accept the first device MAC address it detects as the only authorized device...

Page 243: ...Mode Configured This option allows only MAC addresses specifi cally configured with learn mode configured mac address mac address and does not automatically learn non specified MAC addresses learned from the network This example configures port A1 to Allow only a MAC address of 0c0090 123456 as the authorized device Reserve the option for adding two more specified MAC addresses at a later time wit...

Page 244: ...sistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list If you change aportfromstatic tocontinuous learnmode theportretainsinmemory any authorized addresses it had while in static mode If you subsequently attempt to convert the port back to static mode with the same authorized address es the Inconsistent value message appears...

Page 245: ...he Authorized List for a Port Configured for Learn Mode Static This command option removes unwanted devices MAC addresses from the Authorized Addresses list An Authorized Address list is available for each port for which Learn Mode is currently set to Static See the MAC Address entry in the table on 9 8 Caution The address limit setting controls how many MAC addresses are allowed in the Authorized...

Page 246: ... become authorized If you use learn mode configured instead the switch cannot automatically add detected devices not included in the mac address configuration Refer to the Note on page 9 8 For example suppose port A1 is configured as shown below and you want to remove 0c0090 123456 from the Authorized Address list Figure 9 7 Example of Two Authorized Addresses on Port A1 The following command serv...

Page 247: ...station movement and MAC address hijacking It also controls address learning on the switch When configured the MAC Address can only be used on the assigned port and the client device will only be allowed on the assigned VLAN Not e Port security and MAC Lockdown are mutually exclusive on a given port You can either use port security or MAC Lockdown but never both at the same time on the same port Y...

Page 248: ... the port of the intruder If the device computer PDA wireless device is moved to a different port on the switch by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch the port will detect that the MAC Address is not on the appropriate port and will continue to send traffic out the port to which the addre...

Page 249: ...MAC address and a VLAN for lockdown MAC Lockdown on the other hand is not a list It is a global parameter on the switch that takes precedence over any other security mechanism The MAC Address will only be allowed to communicate using one specific port on the switch MAC Lockdown is a good replacement for port security to create tighter control over MAC addresses and which ports they are allowed to ...

Page 250: ...sages in the log file can be useful for troubleshooting problems If you are trying to connect a device which has been locked down to the wrong port it will not work but it will generate error messages like this to help you determine the problem Limiting the Frequency of Log Messages The first move attempt or intrusion is logged as you see in the example above Subsequent move attempts send a messag...

Page 251: ... paths The purpose of using MAC Lockdown is to prevent a malicious user from hijacking an approved MAC address so they can steal data traffic being sent to that address As we have seen MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing th...

Page 252: ...an use MAC Lockdown to specify that all traffic intended for Server A s MAC Address must go through the one port on the edge switches That way users on the edge can still use other network resources but they cannot spoof Server A and hijack data traffic which is intended for that server alone 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch Internal C...

Page 253: ...ge any traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used The switches at the edge will not send Server A s data packets anywhere but the port connected to Server A Data would not be allowed to go beyond the edge switches C a u t i o n Using MAC Lockdown still does not protect against a hijacker within the core In order to protect agains...

Page 254: ...the above figure would defeat the purpose of using STP or having an alternate path Technologies such as STP are primarily intended for an internal campus network environment in which all users are trusted STP does not work well with MAC Lockdown If you deploy MAC Lockdown as shown in the Model Topology in figure 9 9 page 9 22 you should have no problems with either security or connectivity M i x e...

Page 255: ...d by the switch MAC Lockout is implemented on a per switch assignment You can think of MAC Lockout as a simple blacklist The MAC address is locked out on the switch and on all VLANs No data goes out or in from the blacklisted MAC address to a switch using MAC Lockout To fully lock out a MAC address from the network it would be necessary to use the MAC Lockout command on all switches To use MAC Loc...

Page 256: ...ckout to lock Broadcast or Multicast Addresses Switches do not learn these Switch Agents The switch s own MAC Address If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file Lockout logging format W 10 30 03 21 35 15 maclock module A 0001e6 1f96c0 detected on port A15 W 10 30 03 21 35 18 maclock module A 0001e6 1f96c0 detected on port ...

Page 257: ...ses Be careful if you use both together however If a MAC Address is locked out and appears in a static learn table in port security the apparently authorized address will still be locked out anyway MACentryconfigurationssetbyportsecurity willbe keptevenifMAC Lockout is configured and the original port security settings will be honored once the Lockout is removed A port security static address is p...

Page 258: ...sk must be used for all ports within an 8 port block 1 8 7 16 etc for example If you configure Port 1 with ip lockdown 192 168 0 1 24 Then configure Port 2 with ip lockdown 50 0 0 0 24 This is an acceptable subnet for port 2 Then configure Port 3 with ip lockdown 120 15 32 7 32 This command would return an error and not be configured due to the differing subnet mask Using the IP Lockdown Command T...

Page 259: ...for that port and makes the intrusion information available as described below While the switch can detect additional intrusions for the same port it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset When a security violation occurs on a port configured for Port Security the switch responds in the following ways to n...

Page 260: ...l you acknowledge the earlier intrusion event by reset ting the alert flag The Intrusion Log lists the 20 most recently detected security violation attempts regardless of whether the alert flags for these attempts have been reset This gives you a history of past intrusion attempts Thus for example if there is an intrusion alert for port A1 and the Intrusion Log shows two or more entries for port 1...

Page 261: ... the port s alert flag and disables the port If you re enable the port without resetting the port s alert flag then the port operates as follows The port comes up and will block traffic from unauthorized devices it detects If the port detects another intruder it will send another SNMP trap but will not become disabled again unless you first reset the port s intrusion flag This operation enables th...

Page 262: ...ledged reset This is indicated by the following Because the Port Status screen figure 9 14 on page 9 32 does not indicate an intrusion for port A1 the alert flag for the intru sion on port A1 has already been reset Since the switch can show only one uncleared intrusion per port the older intrusion for port A3 in this example has also been previously reset The Intrusion Alert column shows Yes for a...

Page 263: ...on on this port type R for Reset alert flags Note that if there are unacknowledged intrusions on two or more ports this step resets the alert flags for all such ports If you then re display the port status screen you will see that the Intrusion Alert entry for port A3 has changed to No That is your evidence that the Intrusion Alert flag has been acknowledged reset is that the Intrusion Alert colum...

Page 264: ...Port Security on page 9 37 In the following example executing show interfaces brief lists the switch s port status which indicates an intrusion alert on port A1 Figure 9 16 Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion you would then enter the show port security intrusion log command For example Syntax show interfaces brief ...

Page 265: ...urred prior to the reset To clear the intrusion from port A1 and enable the switch to enter any subsequentintrusionforportA1intheIntrusionLog executetheport security clear intrusion flag command If you then re display the port status screen you will see that the Intrusion Alert entry for port A1 has changed to No Executing showport securityintrusion log again will result in the same display as abo...

Page 266: ...violation For example Figure 9 19 Example of Log Listing With and Without Detected Security Violations From the Menu Interface In the Main Menu click on 4 Event Log and use Next page and Prev page to review the Event Log contents For More Event Log Information See Using the Event Log To Identify Problem Sources in the Troubleshooting chapter of the Management and Configuration Guide for your switc...

Page 267: ...ses list Enter your PC or workstation s IP address in the switch s IP Autho rized Managers list See chapter 11 Using Authorized IP Managers Without both of the above configured the switch detects only the proxy server s MAC address and not your PC or workstation MAC address and interprets your connection as unauthorized Prior To Entries in the Intrusion Log If you reset the switch using the Reset ...

Page 268: ...ays a notice that LACP is disabled on the port s and enables port security on that port For example ProCurve config port security e a17 learn mode static address limit 2 LACP has been disabled on secured port s ProCurve config The switch will not allow you to configure LACP on a port on which port security is enabled For example ProCurve config int e a17 lacp passive Error configuring port A17 LAC...

Page 269: ...es Contents Contents 10 1 Overview 10 2 Using Source Port Filters 10 4 Operating Rules for Source Port Filters 10 4 Configuring a Source Port Filter 10 5 Viewing a Source Port Filter 10 7 Filter Indexing 10 8 Editing a Source Port Filter 10 9 Using Named Source Port Filters 10 10 ...

Page 270: ...n the same VLAN However if you configure and enable routing on the switch when multinetting within a VLAN has been configured source port filtering will not work Source port filters have no effect on traffic being routed across VLANs Note The switch manages a port trunk as a single source or destination for source port filtering If you configure a port for filtering before adding it to a port trun...

Page 271: ...er in a Multinetted VLAN If you have mul tiple IP addresses configured on the same VLAN multinetting and routing is enabled on the switch then a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN In this case you can prevent the traffic of one subnet from being routed to another subnet on the same port by configuring the port or trunk as...

Page 272: ...mposed of One source port or port trunk trk1 trk2 trk6 A set of destination ports and or port trunks that includes all LAN ports and port trunks on the switch An action for each destination port or port trunk When you create a source port filter the switch automatically sets the filter to forward traffic from the designated source to all destinations for which you do not specifically configure a d...

Page 273: ...ward drop Creates or deletes the source port filter assigned to source port number If you create a source port filter without specifying a drop or forward action the switch automatically creates a filter with a forward action from the designated source to all destinations on the switch drop e destination port list Configures the filter for the designated source port or source trunk source port num...

Page 274: ...rt configuration You must still explicitly con figure the filter on the port trunk If you use the show filter index command for a filter created before the related source port was added to a trunk the port number appears between asterisks indicating that the filter action has been suspended for that filter For example if you create a filter on port 5 then create a trunk with ports 5 and 6 and disp...

Page 275: ...new filter This can result in a newerfilterhavingalowerIDXnumberthananolderfilterifaprevious source port filter deletion created a gap in the filter listing Filter Type Indicates the type of filter assigned to the IDX number Value Indicatestheportnumberorport trunknameofthesourceport or trunk assigned to the filter Use show filter to learn the index number of a specific filter you want to examine ...

Page 276: ... to the lowest available index IDX number If there are no filters currently configured and you create three filters in succession they will have index numbers 1 3 However if you then delete the filter using index number 2 and then configure two new filters the first new filter will receive the index number 2 and the second new filter will receive the index number 4 This is because the index number...

Page 277: ...e destination ports or trunks use the filter source port command to update the existing filter For example suppose you configure a filter to drop traffic received on port 8 and destined for ports 1 and 2 The resulting filter is shown on the left in figure 10 5 Later you update the filter to drop traffic received on port 8 and destined for ports 3 through 5 Since only one filter exists for a given ...

Page 278: ...port filter is defined subsequent changes only modify its action they don t replace it To change the named source port filter used on a port or port trunk the current filter must first be removed using the no filter source port named filter filter name command A named source port filter can only be deleted when it is not applied to any ports Defining and Configuring Named Source Port Filters Thena...

Page 279: ...ation port list Syntax filter source port named filter filter name drop destination port list Configures the named source port filter to drop traffic having a destination on the portsand orporttrunksinthe destination port list Canbefollowedbytheforward option if you have other destination ports or port trunks previously set to drop that you want to change to forward For example filter source port ...

Page 280: ...er to communicate with each other and not the Internet Syntax show filter source port Displays a listing of configured source port filters where each filter entry includes a Filter Name Port List and Action Filter Name The filter name used when a named source port filter is defined Non named source port filters are automatically assigned the port or port trunk number of the source port Port List L...

Page 281: ... accounting drop 1 6 8 9 12 26 ProCurve config filter source port named filter no incoming web drop 7 10 11 ProCurve config show filter source port Traffic Security Filters Filter Name Port List Action web only NOT USED drop 2 26 accounting NOT USED drop 1 6 8 9 12 26 no incoming web NOT USED drop 7 10 11 ProCurve Switch 2626 config Ports and port trunks using the filter When NOT USED is displayed...

Page 282: ...rt 7 24 Source Port 10 25 Source Port 11 26 Source Port 1 Indicates the port number or port trunknameofthesourceportortrunk assigned to the filter An automatically assigned index number used to identify the filter for a detailed information listing A filter retains its assigned IDX number for as long as the filter exists in the switch The switch assigns the lowestavailableIDXnumbertoanew filter Th...

Page 283: ...rce Port Source Port 5 Dest Port Type Action 1 10 100TX Forward 2 10 100TX Drop 3 10 100TX Drop 4 10 100TX Drop 5 10 100TX Drop 6 10 100TX Drop 7 10 100TX Drop 8 10 100TX Drop 9 10 100TX Drop 10 10 100TX Drop 11 10 100TX Drop 12 10 100TX Drop ProCurve config show filter 24 Traffic Security Filters Filter Type Source Port Source Port 10 Dest Port Type Action 1 10 100TX Drop 2 10 100TX Drop 3 10 100...

Page 284: ...ters Filter Type Source Port Source Port 1 Dest Port Type Action 1 10 100TX Forward 2 10 100TX Forward 3 10 100TX Forward 4 10 100TX Forward 5 10 100TX Forward 6 10 100TX Forward 7 10 100TX Drop 8 10 100TX Forward 9 10 100TX Forward 10 10 100TX Drop 11 10 100TX Drop 12 10 100TX Forward Accounting Server 1 Port 7 Port 1 Router to the Internet Port 12 Accounting Workstation 3 Port 13 Accounting Work...

Page 285: ...switch ports as shown below using the show filter source port command ProCurve config filter source port named filter accounting forward 8 12 13 ProCurve config filter source port named filter no incoming web drop 8 12 13 ProCurve config ProCurve config show filter source port Traffic Security Filters Filter Name Port List Action web only 2 6 8 9 12 26 drop 2 26 acconting 7 10 11 drop 1 6 9 14 26 ...

Page 286: ...10 18 Traffic Security Filters ProCurve Series 2600 2600 PWR and 2800 Switches Using Source Port Filters This page is intentionally unused ...

Page 287: ...enu Viewing and Configuring IP Authorized Managers 11 5 CLI Viewing and Configuring Authorized IP Managers 11 6 Web Configuring IP Authorized Managers 11 9 Building IP Masks 11 9 Configuring One Station Per Authorized Manager IP Entry 11 9 Configuring Multiple Stations Per Authorized Manager IP Entry 11 10 Additional Examples for Authorizing Multiple Stations 11 11 Operating Notes 11 12 ...

Page 288: ...tures If the Authorized IP Managers feature disallows access to the device then access is denied Thus with authorized IP managers configured having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch s Authorized IP Managers configuration You can use Authorized IP Managers along with other access s...

Page 289: ...nnel using the username password and other security features available in the switch and preventing unauthorized access to data on your management stations Access Levels Note The Authorized IP Manager feature can assign an access level to stations using Telnet SNMPv1 or SNMPv2c for switch access The access level the switch allows for authorized stations using SSH SNMPv3 or the web browser interfac...

Page 290: ...c refer to Config uring Multiple Stations Per Authorized Manager IP Entry on page 11 10 To configure the switch for authorized manager access enter the appropriate Authorized Manager IP value specify an IP Mask and select either Manager or Operator for the Access Level The IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the switch by a manage ment station ...

Page 291: ...ks on page 11 9 Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch This mask serves a different purpose than IP subnet masks and is applied in a different manner Menu Viewing and Configuring IP Authorized Managers From the console Main Menu select 2 Switch Configuration 7 IP Authorized Managers Figure 11 1 Example of How To Add...

Page 292: ...se the show ip authorized managers command to list IP stations authorized to access the switch For example 5 Press Enter then S for Save to configure the IP Authorized Manager entry 3 Use the default mask to allow access by one management device or edit the mask to allow access by a block of management devices See Building IP Masks on page 11 9 2 Enter an Authorized Manager IP address here 4 Use t...

Page 293: ...h 10 28 227 255 ProCurve config ip authorized managers 10 28 227 101 255 255 255 0 access manager IP Mask Authorized Station IP Address Access Mode 255 255 255 252 10 28 227 100 through 103 Manager 255 255 255 254 10 28 227 104 through 105 Manager 255 255 255 255 10 28 227 125 Manager 255 255 255 0 10 28 227 0 through 255 Operator Syntax ip authorized managers ip address Configures one or more aut...

Page 294: ...lue s Notice that any parameters not included in the command will be set to their default ProCurve config ip authorized managers 10 28 227 101 255 255 255 0 access operator The above command replaces the existing mask and access level for IP address 10 28 227 101 with 255 255 255 0 and operator The following command replaces the existing mask and access level for IP address 10 28 227 101 with 255 ...

Page 295: ...etwork Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask If you have ten or fewer management and or operator stations you can configure them quickly by simply adding the address of each to the Authorized Manager IP list with 255 255 255 255 for the corresponding mask For example as shown in Figure 11 3 on page 11 7 if you configure an IP address of 10 ...

Page 296: ...tet are off means that any value from 0 to 255 is allowed in the corresponding octet in the IP address of an authorized station You can also specify a series of values that are a subset of the 0 255 range by using a value that is greater than 0 but less than 255 Figure 11 5 Analysis of IP Mask for Multiple Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet Manager Level or Operator Level Devi...

Page 297: ... authorized to access the switch The first three octets of the station s IP address must match the Authorized IP Address Bit 0 and Bits 3 through 6 of the 4th octet in the station s address must be on value 1 Bit 7 of the 4th octet in the station s address must be off value 0 Bits 1 and 2 can be either on or off This means that stations with the IP address 13 28 227 X where X is 121 123 125 or 127...

Page 298: ...Proxy Servers If you use the web browser interface to access the switch from an authorized IP manager station it is recommended that you avoid the use of a web proxy server in the path between the station and the switch This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list This reduces security by opening switch ...

Page 299: ...P mask operation 11 4 operating notes 11 12 overview 11 1 precedence over other security 11 2 troubleshooting 11 12 C certificate CA signed 7 4 root 7 4 self signed 7 4 Clear button to delete password protection 2 5 configuration port security 9 5 RADIUS See RADIUS SSH See SSH connection inactivity time 2 3 console for configuring authorized IP managers 11 5 D DES 6 3 7 3 disclaimer 1 ii duplicate...

Page 300: ...on 3 10 show status and configuration 3 27 terminology 3 9 manager password 2 2 2 4 manager password recommended 4 7 MD5 See RADIUS message inconsistent value 9 14 O open VLAN mode See port access control OpenSSH 6 3 OpenSSL 7 2 operating notes authorized IP managers 11 12 port security 9 37 operator password 2 2 2 4 P password authorized IP managers precedence 11 2 browser console access 2 3 case...

Page 301: ...2 VLAN after authentication 8 22 8 26 8 31 VLAN tagged 8 21 8 22 8 23 8 26 8 31 8 42 operation 8 6 overview 8 3 port security with 802 1X 8 32 RADIUS 8 3 RADIUS host IP address 8 20 rules of operation 8 10 show commands 8 38 show commands supplicant 8 43 statistics 8 38 supplicant operation 8 8 supplicant operation switch port 8 7 supplicant state 8 43 supplicant statistics note 8 43 supplicant co...

Page 302: ...en 1 8 show locked down MAC addresses 9 25 locked out MAC addresses 9 26 SSH authenticating switch to client 6 3 authentication client public key 6 2 authentication user password 6 2 caution security 6 18 CLI commands 6 9 client behavior 6 15 6 16 client public key authentication 6 19 6 21 client public key clearing 6 25 client public key creating file 6 23 client public key displaying 6 25 config...

Page 303: ...ubleshooting operating 7 21 version 7 2 zeroize 7 10 7 12 stacking SSH security 6 8 SSL security 7 6 T TACACS aaa parameters 4 12 authentication 4 3 authentication process 4 20 authentication local 4 22 authorized IP managers effect 4 25 authorized IP managers precedence 11 2 configuration authentication 4 11 configuration encryption key 4 19 configuration server access 4 15 configuration timeout ...

Page 304: ...enticator operation 3 5 blocked traffic 3 4 CHAP defined 3 9 usage 3 4 client status 3 29 configuration commands 3 18 configuring on the switch 3 17 switch for RADIUS access 3 15 features 3 4 general setup 3 12 LACP not allowed 3 11 redirect URL 3 9 rules of operation 3 10 show status and configuration 3 26 terminology 3 9 web browser interface for configuring authorized IP managers 11 7 11 9 web ...

Page 305: ... This page is intentionally unused ...

Page 306: ... 2000 2008 Hewlett Packard Development Company LP The information contained herein is subject to change without notice December 2008 Manual Part Number 5990 6024 ...