Summary of Contents for HP ProCurve Switch 6120G/XG
ProCurve Series 6120 Switches Access Security Guide August 2009...
...ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in...
Applicable Products: HP ProCurve Switch 6120G/XG (498358-B21)
2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server ....5-42
3. (Optional) Configure Session Blocking and Interim Updating Options ...
Product Documentation. About Your Switch Manual Set. Note: For the latest version of switch documentation, please visit any of the following websites: www.procurve.com/manuals, www.hp.com/go/bladesystem/documentation, h18004.www1.hp.com/products/blades/components/c-class-tech-installing.html. Printed Publications: The publication listed below is printed and shipped with your switch. The latest version is also available in PDF format, as described in the Note at the top of this page.
Software Feature Index. This feature index indicates which manual to consult for information on a given software feature. Note: This Index does not cover IPv6 capable software features. For information on IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, and Ping6), refer to the IPv6 Configuration Guide.
Software Feature Index (Intelligent Edge Software Features; the columns of the original table name the manual that covers each feature: Management and Configuration Guide, Advanced Traffic Management Guide, Multicast and Routing Guide, Access Security Guide). Features listed: Downloading Software, Event Log, Factory Default Settings, Flow Control (802.3x), File Transfers, Friendly Port Names, GVRP, Identity-Driven Management (IDM), IGMP, Interface Access (Telnet, Console/Serial, Web), IP Addressing, Jumbo Packets, LACP...
Software Feature Index (continued): Port Monitoring, Port Security, Port Status, Port Trunking (LACP), Port-Based Access Control (802.1X), Protocol VLANs, Quality of Service (QoS), RADIUS Authentication and Accounting, RADIUS-Based Configuration, RMON 1,2,3,9, Secure Copy, SFTP...
Software Feature Index (continued): VLANs, Web Authentication RADIUS Support, Web-based Authentication, Web UI...
Security Overview Introduction Introduction This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided.
Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).
Security Overview Access Security Features (Table 1-1, columns: Feature / Default Setting / Security Guidelines / More Information and Configuration Details). Feature: Telnet and Web-browser access. Default Setting: enabled. Security Guidelines: The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. More Information: "Quick Start: Using the Management Interface Wizard".
Security Overview Access Security Features (Table 1-1, continued). Feature: SSL. Default Setting: disabled. Security Guidelines: Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access to the switch via authenticated transactions and encrypted paths. More Information: "Quick Start: Using the Management Interface Wizard"...
Security Overview Access Security Features (Table 1-1, continued). Feature: 802.1X Access Control. Default Setting: none. Security Guidelines: This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use... More Information: Chapter 13, "Configuring Port-Based and User-Based Access Control (802.1X)"...
Security Overview Network Security Features Network Security Features This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Table 1-2. Network Security—Default Settings and Security Guidelines Feature Default Security Guidelines...
Security Overview Network Security Features (Table 1-2, columns: Feature / Default Setting / Security Guidelines / More Information and Configuration Details). Feature: Connection-Rate Filtering. Default Setting: none. Security Guidelines: This feature helps protect the network from attack and is recommended for use on the network edge. It is... More Information: Chapter 3, "Virus Throttling (Connection-Rate Filtering)"...
Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible...
Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: ■ Disable or re-enable the password-clearing function of the Clear button. ■ ...
Security Overview Getting Started with Access Security The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wizard, each setup option displays the current value in brackets [ ] as shown in Figure 1-1. Welcome to the Management Interface Setup Wizard This wizard will help you with the initial setup of the various management interfaces.
Security Overview Getting Started with Access Security When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time.
Security Overview Getting Started with Access Security The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window. This page allows you to choose between two setup types: • Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option. • ...
Security Overview Getting Started with Access Security The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management Interface Wizard: Summary Setup From this screen, you have the following options: • To change any setting that is shown, type in a new value or make a different selection.
Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, the switch is open to access by management stations running SNMP (Simple Network Management Protocol) management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base).
Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from the software: ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, then immediately after downloading and booting from the software for the first time, use the following command to disable this feature: ...
Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest.
Security Overview Precedence of Security Options ...value applied to a client session is determined in the following order (from highest to lowest priority), in which a value configured with a higher priority overrides a value configured with a lower priority: Attribute profiles applied through the Network Immunity network-management application using SNMP (see "Network Immunity Manager"); 802.1X authentication parameters (RADIUS-assigned)...
Security Overview Precedence of Security Options The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for Network Immunity Manager. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.1X, web or MAC authentication, you can verify which RADIUS-assigned and statically configured parameters are supported and whether they are supported on a per-port or per-client basis.
Security Overview Precedence of Security Options Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
Configuring Username and Password Security Contents: Overview ........... 2-3; Configuring Local Password Security ...
Configuring Username and Password Security Contents: Re-Enabling the Clear Button and Setting or Changing the "Reset-On-Clear" Operation .... 2-30; Changing the Operation of the Reset+Clear Combination .. 2-31; Password Recovery ...
Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-9 Set a Password none page page 2-8 page 2-9 Delete Password Protection page page 2-8 page 2-9 show front-panel-security — page 1-13 — front-panel-security —...
Configuring Username and Password Security Overview (Level / Actions Permitted). Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Configuring Username and Password Security Overview Notes: The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
Configuring Username and Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. From the Main Menu select: 3.
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section: password (see below). Configuring Manager and Operator Passwords. Note: You can configure manager and operator passwords in one step. See "Saving Security Credentials in a Config File"...
Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, use the no password all command. Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) usernames.
Configuring Username and Password Security Saving Security Credentials in a Config File You can store and view the following security settings in internal flash memory by entering the include-credentials command: ■ Local manager and operator passwords and (optional) user names that control access to a management session on the switch through the CLI, menu interface, or web browser interface ■ SNMP security credentials used by network management stations to...
Configuring Username and Password Security Saving Security Credentials in a Config File ■ The chapter on "Switch Memory and Configuration" in the Management and Configuration Guide. ■ "Configuring Local Password Security" on page 2-6 in this guide. Enabling the Storage and Display of Security Credentials To enable the security settings, enter the include-credentials command.
Configuring Username and Password Security Saving Security Credentials in a Config File Local Manager and Operator Passwords The information saved to the running-config file when the include-credentials command is entered includes: password manager [user-name <name>] <hash-type> <pass-str> and password operator [user-name <name>] <hash-type> <pass-str>, where ...
Configuring Username and Password Security Saving Security Credentials in a Config File user-name <name>: the optional text string of the user name associated with the password. <hash-type>: specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1. <pass-str>: the clear ASCII text string or SHA-1 hash of the password.
Configuring Username and Password Security Saving Security Credentials in a Config File [priv <priv-pass>] is the (optional) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station. The following example shows the additional security credentials for SNMPv3 users that can be saved in a running-config file: snmpv3 user boris \ auth md5 "9e4cfef901f21cf9d21079debeca453"...
Configuring Username and Password Security Saving Security Credentials in a Config File The password port-access values are configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password command syntax, see “Password Command Options”...
Configuring Username and Password Security Saving Security Credentials in a Config File during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network. For more information, refer to “3. Configure the Switch To Access a RADIUS Server” on page 6-14 in this guide.
Configuring Username and Password Security Saving Security Credentials in a Config File “keystring”: a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes ('keystring').
Configuring Username and Password Security Saving Security Credentials in a Config File To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public-key, that are stored in a configuration file: include-credentials...
Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes Caution: ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.
Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration.
Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch.
Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).
This section describes the functionality of the Clear and Reset buttons located on the front panel of the switch. Figure 2-6. Front-Panel Button Locations on a ProCurve 6120G/XG Switch (Reset Button, Clear Button). Figure 2-7. Front-Panel Button Locations on a ProCurve 6120XG Switch (Clear Button, Reset Button)...
Configuring Username and Password Security Front-Panel Security Clear Button Pressing the Clear button alone for five seconds resets the password(s) configured on the switch. Figure 2-8. Press the Clear Button for Five Seconds To Reset the Password(s). Reset Button Pressing the Reset button alone for one second causes the switch to reboot.
Configuring Username and Password Security Front-Panel Security While holding the Reset button, press and hold the Clear button for five seconds. Release the Reset button. If the Clear button is held for greater than 2.5 seconds, the configuration will be cleared, and the switch will reboot.
Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-security command from the global configuration context in the CLI you can: • Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch.
Configuring Username and Password Security Front-Panel Security Reset-on-clear: Shows the status of the reset-on-clear option (Enabled or Disabled). When reset-on-clear is disabled and Clear Password is enabled, then pressing the Clear button erases the local usernames and passwords from the switch. When reset-on-clear is enabled, pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch.
Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords.
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. •...
Configuring Username and Password Security Front-Panel Security (Figure 2-12 callouts:) Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by the "no" statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-12. Example of Re-Enabling the Clear Button's Default Operation. Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combination described under "Restoring the Factory Default Configuration"...
Configuring Username and Password Security Password Recovery (figure callouts:) The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current front-panel-security configuration, with Factory Reset disabled.
Configuring Username and Password Security Password Recovery ...factory-default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch.
Configuring Username and Password Security Password Recovery Figure 2-14. Example of the Steps for Disabling Password-Recovery. Password Recovery Process If you have lost the switch's manager username/password, but password-recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by ProCurve.
Web and MAC Authentication Overview (Feature / Default / Menu / CLI / Web): Configure Web Authentication — / — / 3-20 / —; Configure MAC Authentication — / — / 3-50 / —; Display Web Authentication Status and Configuration — / — / 3-28 / —; Display MAC Authentication Status and Configuration — / — / 3-54 / —. Web and MAC authentication are designed for employment on the "edge" of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.
Web and MAC Authentication Overview Note: A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication. ■ In the login page, a client enters a username and password, which the...
Web and MAC Authentication Overview ■ Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authentication succeeds then the other authentication (if in progress) is ended.
Web and MAC Authentication How Web and MAC Authentication Operate clients by using an “unauthorized” VLAN for each session. The unauthorized VLAN ID assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients. You configure access to an optional, unauthorized VLAN when you configure Web and MAC authentication on a port.
Web and MAC Authentication How Web and MAC Authentication Operate Web-based Authentication When a client connects to a Web-Auth enabled port, communication is redirected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password. The default User Login screen is shown in Figure 3-1.
Web and MAC Authentication How Web and MAC Authentication Operate If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL value (redirect-url) when you configure web authentication.
Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out.
Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period).
Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentication on the same port is not supported.
Web and MAC Authentication Operating Rules and Notes If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Web/MAC Authentication: Web or MAC authentication and LACP are not supported at the same time on a port.
Web and MAC Authentication Setup Procedure for Web/MAC Authentication ProCurve (config)# show port-access config
Port Access Status Summary
Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes
(columns:) Port | Supplicant Enabled | Authenticator Enabled | Web Auth Enabled | Mac Auth Enabled ...
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100”...
Web and MAC Authentication Setup Procedure for Web/MAC Authentication (accepted MAC address formats:) aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, AABBCCDDEEFF, AABBCC-DDEEFF, AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF. ■ If the device is a switch or other VLAN-capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch.
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Syntax: [no] radius-server [host <ip-address>] [oobm] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses.
Web and MAC Authentication Setup Procedure for Web/MAC Authentication For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of '1A7rd': Figure 3-5. Example of Configuring a Switch To Access a RADIUS Server 3-19...
Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Overview If you have not already done so, configure a local username and password pair on the switch. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication.
Web and MAC Authentication Configuring Web Authentication • You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenticated egress port that has not yet transitioned to the authenticated state;...
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access controlled-directions After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access controlled-directions — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, "Multiple Instance Spanning-Tree Operation"...
Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based <port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports. Syntax: aaa port-access web-based <port-list> [auth-vid <vid>]; no aaa port-access web-based <port-list> ...
Web and MAC Authentication Configuring Web Authentication Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid ip address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.255.0>. (Default: 192.168.0.0/255.255.255.0) Syntax: aaa port-access web-based [dhcp-lease <5 - 25>]...
Web and MAC Authentication Configuring Web Authentication ProCurve Switch (config)# no aaa port-access web-based 47 ewa-server 10.0.12.181
ProCurve Switch (config)#
Figure 7. Removing a Web Server with the aaa port-access web-based ewa-server Command. aaa port-access web-based logoff-period <60-9999999>...
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [reauth-period <0 - 9999999>] Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds) Syntax: aaa port-access web-based ...
Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication (Command / Page): show port-access web-based [port-list] 3-28; show port-access web-based clients [port-list] 3-29; show port-access web-based clients detailed 3-30; show port-access web-based config [port-list] 3-31; show port-access web-based config detailed 3-32; show port-access web-based config [port-list] auth-server 3-33...
Web and MAC Authentication Configuring Web Authentication ProCurve (config)# show port-access web-based
Port Access Web-Based Status
(columns:) Port | Auth Cntrl | Unauth Port | Untagged Clients | Tagged Clients | VLAN | VLANs
----- -------- -------- -------- ------ -------- ------
4006 70000000 MACbased No
Figure 4. Example of show port-access web-based Command Output. Syntax: show port-access web-based clients [port-list]...
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based clients detailed Displays detailed information on the status of web- authenticated client sessions on specified switch ports. ProCurve (config)# show port-access web-based clients 1 detailed Port Access Web-Based Client Status Detailed Client Base Details : Port Session Status : authenticated...
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] Displays the currently configured Web Authentication settings for all switch ports or specified ports, including: • Temporary DHCP base address and mask • Support for RADIUS-assigned dynamic VLANs (Yes or No) • ...
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config detailed Displays more detailed information on the currently config- ured Web Authentication settings for specified ports. ProCurve (config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed Configuration Port Web-based enabled : Yes Client Limit...
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails •...
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizing Web Authentication HTML Files (Optional) The Web Authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be: ■...
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) ■ To configure a web server on your network, follow the instructions in the documentation provided with the server. ■ Before you enable custom Web Authentication pages, you should: • Determine the IP address or host name of the web server(s) that will host your custom pages.
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizable HTML Templates The sample HTML files described in the following sections are customizable templates. To help you create your own set of HTML files, a set of the templates can be found on the download page for 'K' software. File Name / Page 3-36...
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) User Login (sample page text:) "User Login. In order to access this network, you must first log in."