Summary of the content included on page 1
Access Security Guide
HP Procurve
Series 4100GL Switches
www.hp.com/go/hpprocurve
Summary of the content included on page 2
Summary of the content included on page 3
HP Procurve Series 4100GL Switches Software Release G.07.XX or Greater Access Security Guide
Summary of the content included on page 4
© Copyright 2001-2002 Hewlett-Packard Company. All Rights Reserved.
The information contained in this document is subject to change without notice.
This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
Summary of the content included on page 5
Contents
Getting Started
  Contents . . . xi
  Introduction . . . xii
  Overview of Access Security Features . . . xii
  Command Syntax Conventions . . . xiv
  Simulating Display Output . . .
Summary of the content included on page 6
2 TACACS+ Authentication
  Contents . . . 2-1
  Overview . . . 2-2
  Terminology Used in TACACS Applications: . . . 2-4
  General System Requirements . . . 2-5
  General Authentication Setup Procedure . . .
Summary of the content included on page 7
  Outline of the Steps for Configuring RADIUS Authentication . . . 3-6
    1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . 3-8
    2. Configure the Switch To Access a RADIUS Server . . . 3-10
    3. Configure the Switch’s Global RADIUS Parameters . . . 3-12
  Local Authentication Process . . . 3-14
  Cont
Summary of the content included on page 8
    1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . 4-9
    2. Generating the Switch’s Public and Private Key Pair . . . 4-10
    3. Providing the Switch’s Public Key to Clients . . . 4-12
    4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior . . . 4-15
    5. Configuring the Switch for SSH Authenticat
Summary of the content included on page 9
6 Configuring Port-Based Access Control (802.1x)
  Contents . . . 6-1
  Overview . . . 6-2
  Why Use Port-Based Access Control? . . . 6-2
  General Features . . . 6-2
  How 80
Summary of the content included on page 10
  How RADIUS/802.1x Authentication Affects VLAN Operation . . . 6-43
  Static VLAN Requirement . . . 6-43
  Messages Related to 802.1x Operation . . . 6-47
7 Configuring and Monitoring Port Security
  Contents . . . 7-1
  Overview . . .
Summary of the content included on page 11
  Defining Authorized Management Stations . . . 8-4
  Overview of IP Mask Operation . . . 8-4
  Menu: Viewing and Configuring IP Authorized Managers . . . 8-5
  CLI: Viewing and Configuring Authorized IP Managers . . . 8-6
    Listing the Switch’s Current Authorized IP Manager(s) . . . 8-6
    Configuring IP Authorized Managers for the Switch . . . 8-7
  Web: Co
Summary of the content included on page 12
Summary of the content included on page 13
Getting Started
Contents
  Introduction . . . xii
  Overview of Access Security Features . . . xii
  Command Syntax Conventions . . . xiv
  Simulating Display Output . . . xiv
  Command Prompts . . .
Summary of the content included on page 14
Getting Started: Introduction
This Access Security Guide is intended for use with the following switches:
■ HP Procurve Switch 4104GL
■ HP Procurve Switch 4108GL
Together, these two devices are termed the HP Procurve Series 4100GL Switches.
Overview of Access Security Features
■ Local Manager and Operator passwords (page 1-1): control access and privileges for the CLI, menu, and web browser interface.
■ TACACS+ Authentication (page 2-1): uses an authentication application
Summary of the content included on page 15
Getting Started: Overview of Access Security Features
Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized".
HP recommends that you use local passwords together with the switch’s other security features to provide a more comprehensive security fabric than if you use only the local password option. Table 1 lists these features with the security coverage they provide.
Table 1. Management Access Security Protection
Securit
Summary of the content included on page 16
Getting Started: Command Syntax Conventions
This guide uses the following conventions for command syntax and displays.
Syntax: aaa port-access authenticator < port-list > [ control < authorized | auto | unauthorized >]
■ Vertical bars ( | ) separate alternative, mutually exclusive elements.
■ Square brackets ( [ ] ) indicate optional elements.
■ Braces ( < > ) enclose required elements.
■ Braces within square brackets ( [ < > ] ) indicate a required element wi
Summary of the content included on page 17
Getting Started: Related Publications
Screen Simulations
Figures containing simulated screen text and command output look like this:
Figure 1. Example of a Figure Showing a Simulated Screen
In some cases, brief command-output sequences appear without figure identification. For example:
  HPswitch(config)# clear public-key
  HPswitch(config)# show ip client-public-key
  show_client_public_key: cannot stat keyfile
Related Publications
Product Notes and Software Update Information. The Read Me
Summary of the content included on page 18
Getting Started: Related Publications
HP provides a PDF version of this guide on the Product Documentation CD-ROM shipped with the switch. You can also download the latest copy from the HP Procurve website. (See “Getting Documentation From the Web” on page xvii.)
Command Line Interface Reference Guide. This guide, available in a PDF file on the HP Procurve website, provides a summary of the CLI commands generally available for HP Procurve switches. For the latest version, see “Getting D
Summary of the content included on page 19
Getting Started: Getting Documentation From the Web
1. Go to the HP Procurve website at http://www.hp.com/go/hpprocurve
2. Click on technical support.
3. Click on manuals.
4. Click on the product for which you want to view or download a manual.
Summary of the content included on page 20
Getting Started: Sources for More Information
Online Help for Menu
■ If you need information on specific parameters in the menu interface, refer to the online help provided in the interface.
■ If you need information on a specific command in the CLI, type the command name followed by “help”. For example:
■ If you need information on specific features in the HP Web Browser Interface (hereafter referred to as the “web browser interface”), use the online he