HP ProCurve 5300xl Series - General Operating Rules and Notes

To Next Page

To Previous Page

Configuring Secure Socket Layer (SSL)

General Operating Rules and Notes

■ Once you generate a certificate on the switch you should avoid re-

generating the certificate without a compelling reason. Otherwise,

you will have to re-introduce the switch’s certificate on all manage-

ment stations (clients) you previously set up for SSL access to the

switch. In some situations this can temporarily allow security

breaches.

■ The switch's own public/private certificate key pair and certificate

are stored in the switch's flash memory and are not affected by

reboots or the erase startup-config command

■ The public/private certificate key pair is not be confused with the SSH

public/private key pair. The certificate key pair and the SSH key pair

are independent of each other, which means a switch can have two

keys pairs stored in flash

7-6

Main Page

Table of Contents5
Getting Started14
Introduction14
Overview of Access Security Features14
General Switch Traffic Security Guideline15
Applications for Access Control Lists (Acls)16
Command Syntax Conventions17
Simulating Display Output17
Command Prompts17
Getting Documentation from the Web20
Sources for more Information21
Need Only a Quick Start22
To Set up and Install the Switch in Your Network22
Configuring Username and Password Security24
Overview24
Configuring Local Password Security27
Menu: Setting Passwords27
To Delete Password Protection28
To Recover from a Lost Manager Password28
CLI: Setting Passwords and Usernames29
Configuring Manager and Operator Passwords29
To Remove Password Protection29
Web: Setting Passwords and Usernames30
Front Panel Security30
When Security Is Important31
Front Panel Button Functions32
Clear Button32
Reset Button33
Restoring the Factory Default Configuration33
Configuring Front Panel Security35
Disabling the Clear Password Function of the Clear Button on the Switch's Front Panel36
Re-Enabling the Clear Button on the Switch's Front Panel38
Setting or Changing the "Reset-On-Clear" Operation38
Changing the Operation of the Reset+Clear Combination39
Password Recovery40
Password Recovery Process42
Web and MAC Authentication43
Contents43
Overview44
Client Options45
General Features46
How Web and MAC Authentication Operate47
Authenticator Operation47
Web-Based Authentication47
MAC-Based Authentication49
Terminology50
Operating Rules and Notes52
General Setup Procedure for Web/Mac Authentication54
Do These Steps before You Configure Web/Mac Authentication54
Additional Information for Configuring the RADIUS Server to Support MAC Authentication55
Configuring the Switch to Access a RADIUS Server56
Configuring Web Authentication on the Switch58
Overview58
Configure the Switch for Web-Based Authentication59
Configuring MAC Authentication on the Switch63
Overview63
Configure the Switch for MAC-Based Authentication64
Show Status and Configuration of Web-Based Authentication67
Show Status and Configuration of MAC-Based Authentication68
Client Status70
TACACS+ Authentication71
Contents71
Overview72
Terminology Used in TACACS Applications73
General System Requirements75
General Authentication Setup Procedure75
Configuring TACACS+ on the Switch78
Beforeyou Begin78
CLI Commands Described in this Section79
Viewing the Switch's Current Authentication Configuration79
Viewing the Switch's Current TACACS+ Server Contact80
Configuration80
Configuring the Switch's Authentication Methods81
Configuring the Switch's TACACS+ Server Access85
How Authentication Operates90
General Authentication Process Using a TACACS+ Server90
Local Authentication Process92
Using the Encryption Key93
Controlling Web Browser Interface Access When Using TACACS+ Authentication94
Messages Related to TACACS+ Operation95
Operating Notes95
RADIUS Authentication and Accounting97
Contents97
Overview98
Terminology99
Switch Operating Rules for RADIUS100
General RADIUS Setup Procedure101
Configuring the Switch for RADIUS Authentication102
Outline of the Steps for Configuring RADIUS Authentication102
Configure Authentication for the Access Methods You Want RADIUS to Protect104
Configure Authentication for the Access Methods You Want104
RADIUS to Protect104
Configure the Switch to Access a RADIUS Server106
Configure the Switch's Global RADIUS Parameters108
Local Authentication Process111
Controlling Web Browser Interface Access When Using RADIUS Authentication112
Configuring RADIUS Accounting113
Operating Rules for RADIUS Accounting114
Steps for Configuring RADIUS Accounting114
Configuring RADIUS Accounting114
Viewing RADIUS Statistics120
General RADIUS Statistics120
RADIUS Authentication Statistics122
RADIUS Accounting Statistics123
Changing RADIUS-Server Access Order124
Messages Related to RADIUS Operation126
Configuring Secure Shell (SSH)128
Overview128
Terminology129
Prerequisite for Using SSH131
Public Key Formats131
Steps for Configuring and Using SSH for Switch and Client132
Authentication132
General Operating Rules and Notes134
Assigning a Local Login (Operator) and Enable (Manager)135
Configuring the Switch for SSH Operation135
Generating the Switch's Public and Private Key Pair136
Providing the Switch's Public Key to Clients138
Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior141
Configuring the Switch for SSH Authentication144
Use an SSH Client to Access the Switch147
Further Information on SSH Client Public-Key148
Authentication149
Messages Related to SSH Operation153
Configuring Secure Socket Layer (SSL)156
Overview156
Terminology157
Prerequisite for Using SSL159
Steps for Configuring and Using SSL for Switch and Client159
Authentication159
General Operating Rules and Notes160
Configuring the Switch for SSL Operation161
Assigning a Local Login (Operator) and Enable (Manager)161
Password161
Generating the Switch's Server Host Certificate163
Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior171
Common Errors in SSL Setup175
Configuring Port-Based Access Control (802.1X)178
Overview178
Why Use Port-Based Access Control178
General Features178
How 802.1X Operates181
Authenticator Operation181
Switch-Port Supplicant Operation182
Terminology183
General Operating Rules and Notes185
General Setup Procedure for Port-Based Access Control187
(802.1X)187
Do These Steps before You Configure 802.1X Operation187
Overview: Configuring 802.1X Authentication on the Switch188
Configuring Switch Ports as 802.1X Authenticators190
Enable 802.1X Authentication on Selected Ports190
Configure the 802.1X Authentication Method194
Enter the RADIUS Host IP Address(Es)195
Enable 802.1X Authentication on the Switch195
802.1X Open VLAN Mode196
Introduction196
Use Models for 802.1X Open VLAN Modes197
Operating Rules for Authorized-Client and Unauthorized-Client200
Setting up and Configuring 802.1X Open VLAN Mode202
802.1X Open VLAN Operating Notes206
Option for Authenticator Ports: Configure Port-Security to Allow Only 802.1X Devices207
Configuring Switch Ports to Operate as Supplicants for 802.1X Connections to Other Switches209
Displaying 802.1X Configuration, Statistics, and Counters213
Show Commands for Port-Access Authenticator213
Viewing 802.1X Open VLAN Mode Status215
Show Commands for Port-Access Supplicant218
How Radius/802.1X Authentication Affects VLAN Operation219
Messages Related to 802.1X Operation223
Overview226
Basic Operation226
Blocking Unauthorized Traffic227
Trunk Group Exclusion228
Planning Port Security229
Port Security Command Options and Operation230
Displaying Current Port Security Settings230
Configuring Port Security232
Retention of Static Addresses237
MAC Lockdown242
Differences between MAC Lockdown and Port Security244
Deploying MAC Lockdown246
MAC Lockout250
Web: Displaying and Configuring Port Security Features253
Reading Intrusion Alerts and Resetting Alert Flags253
Notice of Security Violations253
How the Intrusion Log Operates254
Keeping the Intrusion Log Current by Resetting Alert Flags255
Using the Event Log to Find Intrusion Alerts259
Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags260
Web: Checking for Intrusions, Listing Intrusion Alerts, and260
Operating Notes for Port Security261
Using Authorized IP Managers264
Overview264
Options265
Access Levels265
Defining Authorized Management Stations266
Overview of IP Mask Operation266
Menu: Viewing and Configuring IP Authorized Managers267
CLI: Viewing and Configuring Authorized IP Managers268
Web: Configuring IP Authorized Managers270
Building IP Masks271
Configuring One Station Per Authorized Manager IP Entry271
Configuring Multiple Stations Per Authorized Manager IP Entry272
Additional Examples for Authorizing Multiple Stations274
Operating Notes274
Key Management System278
Overview278
Configuring Key Chain Management279
Creating and Deleting Key Chain Entries279
Assigning a Time-Independent Key to a Chain280
Assigning Time-Dependent Keys to a Chain281

HP ProCurve 5300xl Series - General Operating Rules and Notes

Table of Contents

Other manuals for HP ProCurve 5300xl Series

Related product manuals