Instruction/maintenance manual for the HP (Hewlett-Packard) 2650 (J4899A/B)
ProCurve Switches Access Security Guide: Switch 2600 Series, Switch 2600-PWR Series, Switch 2800 Series, Switch 4100 Series, Switch 6108 Series.
ProCurve Switch 2600 Series, Switch 2600-PWR Series, Switch 2800 Series, Switch 4100gl Series, Switch 6108: Access Security Guide, December 2008.
Hewlett-Packard Company, 8000 Foothills Boulevard, m/s 5551, Roseville, California 95747-5551, http://www.procurve.com. © Copyright 2001-2008 Hewlett-Packard Company, L.
iii Contents. Product Documentation: About Your Switch Manual Set . . . xi; Feature Index . . .
iv Front-Panel Security . . . 2-7; When Security Is Important . . . 2-7; Front-Panel Button Functions . .
v 4 TACACS+ Authentication: Contents . . . 4-1; Overview . . .
vi 1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . 5-8; 2. Configure the Switch To Access a RADIUS Server . . .
vii 6. Use an SSH Client To Access the Switch . . . 6-21; Further Information on SSH Client Public-Key Authentication . . . 6-21; Messages Related to SSH Operation . . .
viii Configuring Switch Ports as 802.1X Authenticators . . . 8-15; 1. Enable 802.1X Authentication on Selected Ports . . . 8-15; 3. Configure the 802.1X Authentication Method . . .
ix MAC Lockdown . . . 9-17; Differences Between MAC Lockdown and Port Security . . . 9-19; Deploying MAC Lockdown . . .
x Defining Authorized Management Stations . . . 11-4; Overview of IP Mask Operation . . . 11-4; Menu: Viewing and Configuring IP Authorized Managers . . .
xi Product Documentation. About Your Switch Manual Set. The switch manual set includes the following: ■ Read Me First - a printed guide shipped with your switch. Provides software update information, product notes, and other information. ■ Installation and Getting Started Guide - a printed guide shipped with your switch.
xii Product Documentation. Feature Index. For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.
xiii Product Documentation. Feature Index: LACP X - -; Link X - -; LLDP X - -; MAC Address Management X - -; MAC Lockdown - - X; MAC Lockout - - X; MAC-based Authentication - - X; Monitoring and Analysis X - -; Multicast Filte.
xiv Product Documentation. Feature Index: Source-Port Filters - - X; Spanning Tree (STP, RSTP, MSTP) - X -; SSH (Secure Shell) Encryption - - X; SSL (Secure Socket Layer) - - X; Stack Management (Stacking) - X -; Syslo.
1-1 1 Getting Started. Contents: Introduction . . . 1-2; Overview of Access Security Features . . . 1-2; Management Access Security Protection .
1-2 Introduction. This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch.
1-3 Overview of Access Security Features. ■ Secure Socket Layer (SSL) (page 7-1): Provides remote web access to the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation.
1-4 Overview of Access Security Features. Table 1-1. Management Access Security Protection. General Switch Traffic Security Guidelines. Where the switch is running multiple securit.
1-5 Conventions. This guide uses the following conventions for command syntax and displayed information. Feature Descriptions by Model. In cases where a software feature is.
1-6 Conventions. Command Prompts. In the default configuration, your switch displays one of the following CLI prompts: ProCurve Switch 4104#, ProCurve Switch 4108#, ProCurve Switch 2626#, ProCurve Switch 2650#, ProCurve Switch 6108#. To simplify recognition, this guide uses ProCurve to represent command prompts for all models.
1-7 Sources for More Information. For additional information about switch operation and features not covered in this guide, consult the following sources: ■ For information on which product manual to consult on a given software feature, refer to “Product Documentation” on page xi.
1-8 Need Only a Quick Start? Figure 1-3. Getting Help in the CLI. ■ For information on specific features in the Web browser interface, use the online help. For more information, refer to the Management and Configuration Guide for your switch.
1-9 Need Only a Quick Start? To Set Up and Install the Switch in Your Network. Important! Use the Installation and Getting Started Guide shipped with your switch for the following:
1-10 Need Only a Quick Start? — This page is intentionally unused. —
2-1 2 Configuring Username and Password Security. Contents: Overview . . . 2-2; Configuring Local Password Security . . .
2-2 Overview. Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels.
2-3 Overview. To configure password security: 1. Set a Manager password pair (and an Operator password pair, if applicable for your system). 2. Exit from the current console session. A Manager password pair will now be needed for full access to the console.
2-4 Configuring Local Password Security. Menu: Setting Passwords. As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface.
2-5 Configuring Local Password Security. If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
2-6 Configuring Local Password Security. To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s).
2-7 Front-Panel Security. The front-panel security features provide the ability to independently enable or disable some of the funct.
2-8 Front-Panel Security. As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch.
2-9 Front-Panel Security. Reset Button. Pressing the Reset button alone for one second causes the switch to reboot.
2-10 Front-Panel Security. 3. Release the Reset button and wait for about one second for the Self-Test LED to start flashing. 4. When the Self-Test LED begins flashing, release the Clear button. This process restores the switch configuration to the factory default settings.
2-11 Front-Panel Security. • Modify the operation of the Reset+Clear combination (page 2-9) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.
2-12 Front-Panel Security. For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings.
2-13 Front-Panel Security. Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation. For example, suppose that password-clear is disabled and you want to restore it to its default configuration (enabled, with reset-on-clear disabled).
2-14 Front-Panel Security. Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation. Changing the Operation of the Reset+Clear Combination. I.
2-15 Front-Panel Security. Figure 2-10. Example of Disabling the Factory Reset Option. Password Recovery. The password recovery feature is enabled by defau.
2-16 Front-Panel Security. Steps for Disabling Password-Recovery. 1. Set the CLI to the global interface context. 2. Use show front-panel-security to determine whether the factory-reset parameter is enabled.
2-17 Front-Panel Security. Figure 2-11. Example of the Steps for Disabling Password-Recovery. Password Recovery Process. If you have lost the switch’s manag.
2-18 Front-Panel Security. — This page is intentionally unused. —
3-1 3 Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches. Contents: Overview . . . 3-2; Client Options . . .
3-2 Overview. Applicable Switch Models. Web and MAC Authentication are available on these current ProCurve switch.
3-3 Overview. MAC Authentication (MAC-Auth). This method grants access to a secure network by authenticating devices for access to the network.
3-4 Overview. General Features. Web and MAC Authentication on the ProCurve Series 2600, 2600-PWR, and 2800 switches inclu.
3-5 How Web and MAC Authentication Operate. Authenticator Operation. Before gaining access to the network, clients first present their authentication credentials to the switch.
3-6 How Web and MAC Authentication Operate. Figure 3-2. Progress Message During Authentication. If the client is authenticated.
3-7 How Web and MAC Authentication Operate. moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access.
3-8 How Web and MAC Authentication Operate. 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
3-9 Terminology. Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator.
3-10 Operating Rules and Notes. ■ You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port: • Web Authentication • MAC Authentication • 802.
3-11 Operating Rules and Notes. 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
3-12 General Setup Procedure for Web/MAC Authentication. Note on Web/MAC Authentication and LACP. The switch does not allow Web or MAC Authentication and LACP to both be enabled at the same time on the same port.
3-13 General Setup Procedure for Web/MAC Authentication. a. If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active.
3-14 General Setup Procedure for Web/MAC Authentication. Additional Information for Configuring the RADIUS Server To Support.
3-15 Configuring the Switch To Access a RADIUS Server. This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC-Auth.
3-16 Configuring the Switch To Access a RADIUS Server. For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of ‘2Pzo22’ Figure 3-4.
3-17 Configuring Web Authentication. This feature is available only on the Series 2600, 2600-PWR, and 2800 switches. Overview. 1. If you have not already done so, configure a local username and password pair on the switch.
3-18 Configuring Web Authentication. Configure the Switch for Web-Based Authentication. Command, Page, Configuration Level: aaa p.
3-19 Configuring Web Authentication. Syntax: [no] aaa port-access web-based [e] <port-list>. Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports.
3-20 Configuring Web Authentication. Syntax: aaa port-access web-based [e] <port-list> [logoff-period <60-9999999>]. Specifies the period, in seconds, that the switch enforces for an implicit logoff.
3-21 Configuring Web Authentication. Syntax: aaa port-access web-based [e] <port-list> [redirect-url <url>]; no aaa port-access web-based [e] <port-list> [redirect-url]. Specifies the URL that a user is redirected to after a successful login.
3-22 Configuring MAC Authentication on the Switch. This feature is available only on the Series 2600, 2600-PWR, and 2800 Switches. Overview. 1.
3-23 Configuring MAC Authentication on the Switch. Configure the Switch for MAC-Based Authentication. Command, Page, Configurati.
3-24 Configuring MAC Authentication on the Switch. Syntax: aaa port-access mac-based [e] <port-list> [addr-limit <1-32>]. Specifies the maximum number of authenticated MACs to allow on the port.
3-25 Configuring MAC Authentication on the Switch. Syntax: aaa port-access mac-based [e] <port-list> [quiet-period.
3-26 Show Status and Configuration of Web-Based Authentication. Com.
3-27 Show Status and Configuration of MAC-Based Authentication. Synt.
3-28 Show Status and Configuration of MAC-Based Authentication. Syntax: show port-access [port-list] mac-based [clients]. Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports.
3-29 Show Client Status. The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show ... clients’ command.
3-30 Show Client Status. — This page is intentionally unused. —
4-1 4 TACACS+ Authentication. Contents: Overview . . . 4-2; Terminology Used in TACACS Applications: . . . 4-3; General System Requirements .
4-2 Overview. TACACS+ authentication enables you to use a central server to allow or deny access to the switch (and other TACACS-aware devices) in your network.
4-3 tion services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.
4-4 • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager-level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser interface.
4-5 General System Requirements. To use TACACS+ authentication, you need the following: ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network.
4-6 other access type (console, in this case) open in case the Telnet access fails due to a configuration problem.
4-7 Note on Privilege Levels. When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access.
4-8 configuration in your TACACS+ server application for mis-configurations or missing data that could affect the server’s interoperation with the switch.
4-9 CLI Commands Described in this Section. Viewing the Switch’s Current Authentication Configuration. This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.
4-10 Viewing the Switch’s Current TACACS+ Server Contact Configuration. This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact.
4-11 Configuring the Switch’s Authentication Methods. The aaa authentication command configures the access control for console port and Telnet access to the switch.
4-12 Table 4-1. AAA Authentication Parameters. As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port.
4-13 Table 4-2. Primary/Secondary Authentication Table. Caution Regarding the Use of Local for Login Primary Access. During local authenticat.
4-14 For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local.
4-15 Configuring the Switch’s TACACS+ Server Access. The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three TACACS+ servers; one first-choice and up to two backups.
4-16 Note on Encryption Keys. Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch will attempt to use for authentication.
4-17 Table 4-3. Details on Configuring TACACS Servers and Keys. Name, Default, Range: tacacs-server host <ip-addr>, none, n/a. This command specifies the IP address of a device running a TACACS+ server application.
4-18 Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.
4-19 Figure 4-5. Example of the Switch After Assigning a Different “First-Choice” Server. To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.
4-20 To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.
4-21 Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request.
4-22 Local Authentication Process. When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used.
4-23 Using the Encryption Key. General Operation. When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”.
4-24 For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.
4-25 Messages Related to TACACS+ Operation. The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.
4-26 ■ When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible—setting.
5-1 5 RADIUS Authentication and Accounting. Contents: Overview . . . 5-2; Terminology . . .
5-2 Overview. RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.
5-3 Terminology. CHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server.
5-4 Switch Operating Rules for RADIUS. ■ You must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accounting using up to three RADIUS servers.
5-5 General RADIUS Setup Procedure. Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application.
5-6 Configuring the Switch for RADIUS Authentication. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve recommends that you begin with the default (five seconds).
5-7 Configuring the Switch for RADIUS Authentication. Outline of the Steps for Configuring RADIUS Authentication. There are three main steps to configuring RADIUS authentication: 1.
5-8 Configuring the Switch for RADIUS Authentication. • Server Dead-Time: The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request.
5-9 Configuring the Switch for RADIUS Authentication. For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to pr.
5-10 Configuring the Switch for RADIUS Authentication. 2. Configure the Switch To Access a RADIUS Server. This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services.
5-11 Configuring the Switch for RADIUS Authentication. For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: 1. Change the encryption key for the server at 10.
5-12 Configuring the Switch for RADIUS Authentication. 3. Configure the Switch’s Global RADIUS Parameters. You can configure the switch for the following glo.
5-13 Configuring the Switch for RADIUS Authentication. Note: Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so on.
5-14 Configuring the Switch for RADIUS Authentication. For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key.
5-15 Configuring the Switch for RADIUS Authentication. Figure 5-6. Listings of Global RADIUS Parameters Configured In Figure 5-5. ProCurve# show authentication Stat.
5-16 Local Authentication Process. When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used.
5-17 Controlling Web Browser Interface Access When Using RADIUS Authentication. To prev.
5-18 Configuring RADIUS Accounting. Note: This section assumes you have already: ■ Configured RADIUS authentication on the switch for one or more access methods.
5-19 Configuring RADIUS Accounting. The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server.
5-20 Configuring RADIUS Accounting. – Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are designating, configure a server-specific key.
5-21 Configuring RADIUS Accounting. (For a more complete description of the radius-server command and its options, turn to page 5-10.) For example, suppose you want the switch to use the RADIUS server described below for both authentication and accounting purposes.
5-22 Configuring RADIUS Accounting. Figure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number. The radius-server command as shown in figure 5-7, above, configures the switch to use a RADIUS server at IP address 10.
5-23 Configuring RADIUS Accounting. ■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session.
5-24 Configuring RADIUS Accounting. 3. (Optional) Configure Session Blocking and Interim Updating Options. These optional parameters give you additional control over accounting data.
5-25 Viewing RADIUS Statistics. General RADIUS Statistics. Figure 5-10. Example of General RADIUS Information from Show Radius Command. Figure 5-11.
5-26 Viewing RADIUS Statistics. Table 5-2. Values for Show Radius Host Output (Figure 5-11). Term, Definition: Round Trip Time: The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
5-27 Viewing RADIUS Statistics. RADIUS Authentication Statistics. Figure 5-12. Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command. Figure 5-13.
5-28 Viewing RADIUS Statistics. RADIUS Accounting Statistics. Figure 5-14. Listing the Accounting Configuration in the Switch. Figure 5-15.
5-29 Changing RADIUS-Server Access Order. Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch. The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command.
5-30 Changing RADIUS-Server Access Order. To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1.
5-31 Messages Related to RADIUS Operation. Message, Meaning: Can’t reach RADIUS server <x.x.x.x>. A designated RADIUS server is not responding to an authentication request.
5-32 Messages Related to RADIUS Operation. — This page is intentionally unused. —
6-1 6 Configuring Secure Shell (SSH). Contents: Contents 6-1, Overview
6-2 Overview. The ProCurve switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation.
6-3 Note: SSH in the ProCurve is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 6-1.
6-4 Terminology. ■ SSH Server: A ProCurve switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key, which can be read by anyone, and a private key, which is held internally in the switch or by a client.
6-5 Prerequisite for Using SSH. Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch.
6-6 Steps for Configuring and Using SSH for Switch and Client Authentication. For two-way authentication between the switch and an SSH client, you must use the login (Operator) level.
6-7 B. Switch Preparation. 1. Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). 2. Generate a public/private key pair on the switch (page 6-10).
6-8 General Operating Rules and Notes. ■ Public keys generated on an SSH client must be exportable to the switch.
6-9 Configuring the Switch for SSH Operation. 1. Assign Local Login (Operator) and Enable (Manager) Password. At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch.
6-10 Figure 6-5. Example of Configuring Local Passwords. 2. Generate the Switch's Public and Private Key Pair. You must generate a public and private host key pair on the switch.
6-11 Notes: When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles.
6-12 For example, to generate and display a new key: Figure 6-6. Example of Generating a Public/Private Host Key Pair for the.
6-13 ...distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.
6-14 4. Add any data required by your SSH client application. For example, before saving the key to an SSH client's "known hosts" file you may have to insert the switch's IP address: Figure 6-9.
6-15 Figure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch's Public Key. The two commands shown.
6-16 SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch.
6-17 The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards. This key is not accessible from the user interface. The switch's public (host) key is a separate, accessible key that is always 896 bits.
6-18 Caution: Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you.
6-19 Option B: Configuring the Switch for Client Public-Key SSH Authentication. When configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate.
6-20 For example, assume that you have a client public-key file named Client-Keys.
6-21 Further Information on SSH Client Public-Key Authentication. Figure 6-13 shows how to check the results of the above commands.
6-22 When configured for SSH operation, the switch automatically attempts to use its own host public-key to authenticate itself to SSH clients.
6-23 a. Combines the decrypted byte sequence with specific session data. b. Uses a secure hash algorithm to create a hash version of this information. c. Returns the hash version to the switch.
6-24 1. Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details.
6-25 For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: Figure 6-15.
6-26 Enabling Client Public-Key Authentication. After you TFTP a client-public-key file into the switch.
6-27 Messages Related to SSH Operation. Message / Meaning. 00000K Peer unreachable: Indicates an error in communicating with the tftp server or not finding the file to download.
6-28 Generating new RSA host key. If the cache is depleted, this could take up to two minutes: After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key.
7-1 7 Configuring Secure Socket Layer (SSL). Contents: Overview 7-2, Terminology
7-2 Overview. The ProCurve switches covered by this manual use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security (TLSv1) to provide remote web access to the switches via encrypted paths between the switch and management station clients capable of SSL/TLS operation.
7-3 Figure 7-1. Switch/User Authentication. SSL on the ProCurve switches supports these data encryption methods: ■ 3DES (168-bit, 112 Effective) ■ DES (56-bit) ■ RC4 (40-bit, 128-bit). Note: ProCurve switches use RSA public key algorithms and Diffie-Hellman.
7-4 ■ Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate.
7-5 Prerequisite for Using SSL. Before using the switch as an SSL server, you must install a publicly or commercially available SSL-enabled web browser application on the computer(s) you use for management access to the switch.
7-6 General Operating Rules and Notes. ■ Once you generate a certificate on the switch you should avoid re-generating the certificate without a compelling reason.
7-7 Configuring the Switch for SSL Operation. 1. Assign Local Login (Operator) and Enable (Manager) Password. At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch.
7-8 Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen.
7-9 2. Generate the Switch's Server Host Certificate. You must generate a server certificate on the switch before enabling SSL.
7-10 To Generate or Erase the Switch's Server Certificate with the CLI. Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate.
7-11 Comments on Certificate Fields. There are a number of arguments used in the generation of a server certificate. Table 7-1, "Certificate Field Descriptions", describes these arguments.
7-12 Notes: "Zeroizing" the switch's server host certificate or key automatically disables SSL (sets web-management ssl to No).
7-13 Generate a Self-Signed Host Certificate with the Web browser interface. You can configure SSL from the web browser interface.
7-14 For example, to generate a new host certificate via the web browser interface: Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen. To view the current host certificate in the web browser interface: 1.
7-15 Figure 7-6. Web browser Interface showing current SSL Host Certificate. Generate a CA-Signed server host certificate with the Web Browser Interface. This section describes how to install a CA-Signed server host certificate from the web browser interface.
7-16 The installation of a CA-signed certificate involves interaction with other entities and consists of three phases.
7-17 Figure 7-7. Example of a Certificate Request and Reply. 3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior. The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
7-18 Note: Before enabling SSL on the switch you must generate the switch's host certificate and key. If you have not already done so, refer to "2. Generate the Switch's Server Host Certificate" on page 7-9.
7-19 Using the CLI interface to enable SSL. To enable SSL on the switch: 1. Generate a Host certificate if you have not already done so. (Refer to "2. Generate the Switch's Server Host Certificate" on page 7-9.
7-20 Figure 7-8. Using the web browser interface to enable SSL and select TCP port number. Note on Port Number: ProCurve recommends using the default IP port number (443).
7-21 Common Errors in SSL Setup. Error / During / Possible Cause. Generating host certificate on CLI: You have not generated a certificate key. (Refer to "CLI commands used to generate a Server Host Certificate" on page 7-10.
7-22 This page is intentionally unused.
8-1 8 Configuring Port-Based Access Control (802.1X). Contents: Overview 8-3, Why Use Port-Based Access Control?
8-2 Contents: Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 8-34, Displaying 802.1X Configuration, Statistics, and Counters.
8-3 Overview. Why Use Port-Based Access Control? Local area networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a network.
8-4 ■ Local authentication of 802.1X clients using the switch's local username and password (as an alternative to RADIUS authentication). ■ Temporary on-demand change of a port's VLAN membership status to support a current client's session.
8-5 Figure 8-1. Example of an 802.1X Application. Accounting. The switch also provides RADIUS Network accounting for 802.1X access. Refer to "RADIUS Authentication and Accounting" on page 5-1.
8-6 How 802.1X Operates. Authenticator Operation. This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.
8-7 Switch-Port Supplicant Operation. This operation provides security on links between 802.1X-aware switches. For example, suppose that you want to connect two switches, where: ■ Switch "A" has port A1 configured for 802.
8-8 • A "failure" response continues the block on port B5 and causes port A1 to wait for the "held-time" period before trying again to achieve authentication through port B5.
8-9 Terminology. EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. EAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802.
8-10 General Operating Rules and Notes. ...member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN.
8-11 ■ If a client already has access to a switch port when you configure the port for 802.1X authenticator operation, the port will block the client from further network access until it can be authenticated.
8-12 General Setup Procedure for Port-Based Access Control (802.
8-13 Overview: Configuring 802.1X Authentication on the Switch. This section outlines the steps for configuring 802.
8-14 7. If you are using Port Security on the switch, configure the switch to allow only 802.
8-15 Configuring Switch Ports as 802.1X Authenticators. 1. Enable 802.1X Authentication on Selected Ports. This task configures the individual ports you want to operate as 802.
8-16 Syntax: aaa port-access authenticator <port-list>. Enables specified ports to operate as 802.1X authenticators with current per-port authenticator configuration.
8-17 Sets the period of time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out.
8-18 Configures an existing, static VLAN to be the Authorized-Client VLAN.
8-19 3. Configure the 802.1X Authentication Method. This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.
8-20 4. Enter the RADIUS Host IP Address(es). If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication.
8-21 802.1X Open VLAN Mode. This section describes how to use the 802.1X Open VLAN mode to configure unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators.
8-22 1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication.
8-23 Table 8-1. 802.1X Open VLAN Mode Options. 802.1X Per-Port Configuration / Port Response. No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session.
8-24 Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN.
8-25 Operating Rules for Authorized-Client and Unauthorized-Client VLANs. Condition / Rule. Static VLANs used as Authorized-Client or Unauthorized-Client VLANs: These must be configured on the switch before you configure an 802.
8-26 Note: If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other.
8-27 Setting Up and Configuring 802.1X Open VLAN Mode. Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 8-1 on page 8-23 for other options.
8-28 ■ Ensure that the switch is connected to a RADIUS server configured to support authentication requests from clients using ports configured as 802.1X authenticators. (The RADIUS server should not be on the Unauthorized-Client VLAN.
8-29 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. 4. Activate authentication on the switch.
8-30 Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to "Preparation" on page 8-27.
8-31 Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to "Viewing 802.1X Open VLAN Mode Status" on page 8-40.
8-32 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices. ■ If an authenticated client loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN.
8-33 Note on Blocking a Non-802.
8-34 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches. You can configure a switch port to operate as a supplicant in a connection to a port on another 802.
8-35 1. When port A1 on switch "A" is first connected.
8-36 Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration.
8-37 aaa port-access supplicant [ethernet] <port-list> (Syntax Continued) [auth-timeout <1-300>] Sets the period of time the port waits to receive a challenge from the authenticator.
8-38 Displaying 802.1X Configuration, Statistics, and Counters. Show Commands for Port-Access Authenticator. 802.1X Authentication Commands, page 8-15. 802.
8-39 show port-access authenticator (Syntax Continued) config [[e] <port-list>] Shows: • Whether port-access authenticator is active • The 802.
8-40 Viewing 802.1X Open VLAN Mode Status. You can examine the switch's current VLAN status by using the show port-access authenticator and show vlan <vlan-id> commands as illustrated in this section.
8-41 ■ When the Unauth VLAN ID is configured and matches the Current VLAN ID in the above command output, an unauthenticated client is connected to the port.
8-42 Figure 8-6. Example of Showing a VLAN with Ports Configured for Open VLAN Mode. Unauthorized VLAN ID <vlan-id>: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port.
8-43 Show Commands for Port-Access Supplicant. Note on Supplicant Statistics.
8-44 How RADIUS/802.1X Authentication Affects VLAN Operation. ...supplicant port to another without clearing the statistics data from the first port, the authenticator's MAC address will appear in the supplicant statistics for both ports.
8-45 For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Figure 8-7.
8-46 Figure 8-8. The Active Configuration for VLAN 22 Temporarily Changes for the 802.
8-47 When the 802.1X client's session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available.
8-48 Messages Related to 802.1X Operation. Table 8-3. 802.1X Operating Messages. Message / Meaning. Port <port-list> is not an authenticator: The ports in the port list have not been enabled as 802.
9-1 9 Configuring and Monitoring Port Security Contents Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9-2 Configuring and Monitoring Port Security Overview Overview Using Port Security , you can configure each switch po rt with a unique list of the MAC addresses of devices that ar e authorized to access the network through that port.
9-3 Configuring and Monitoring Port Security Overview General Operation for Port Security . On a per -port basis, you can configure security measure s to block un authori zed devices, and to send notic e of security violations.
9-4 Configuring and Monitoring Port Security Overview Figure 9-1. Example of How Port Security Controls Access Note Broadcast and Mult icast traffic is not “unau thorized” traffic, and can be read by intruders connecte d to a port on wh ich you have configured port security .
9-5 Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Pl an your port securi ty configuration and moni toring according to the following: a.
9-6 Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Comm ands Used in This Section This section descr ibes the CLI port secu rity command and how th e switch acquires a nd maintains authorized addresses.
9-7 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-sec urity [e] < port-list > learn-mode < continuou s | static | configured | p ort-access > Continuous (Default) : Appears in the factory-default setting or when you execute no port-security.
9-8 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-sec urity [e] < port-list > (- Continued -) learn-mode < continuous | static | configured.
9-9 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-sec urity [e] < port-list > (- Continued -) action < none | send-alarm | send-disable > Specifies whethe r an SNMP trap is sent to a network m an- agement station.
9-10 Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Stat ic MAC Addresses Learned MAC Addresses In the following two cases, a po rt in Static learn m.
9-11 Configuring and Monitoring Port Security Port Security Command Options and Operation Using the CLI T o Display Port Security Settings. Syntax : show port-security show port-security [e] <port number> show port-security [e] [< port number >-< port number ].
9-12 Configuring and Monitoring Port Security Port Security Command Options and Operation The following command example shows th e option for entering a range of ports, including a series of non- contiguous ports.
9-13 Configuring and Monitoring Port Security Port Security Command Options and Operation ProCurve(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable This example configures port A5 to: ■ Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the authorized devices.
9-14 Figure 9-4. Example of Adding an Authorized Device to a Port With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address.
9-15 If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as.
9-16 To remove a device (MAC address) from the “Authorized” list when the current number of devices equals the Address Limit value, you should first reduce the Address Limit value by 1, then remove the unwanted device.
9-17 Figure 9-8. Example of Port A1 After Removing One MAC Address MAC Lockdown MAC Lockdown is available on the Series 2600, 2600-PWR, and 2800 switches only.
9-18 How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN), all information sent to that MAC address must go through the locked-down port. If the device is moved to another port, it cannot receive data.
9-19 You cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC address. MAC Lockdown and 802.1x authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggregations).
9-20 MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
9-21 Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security.
9-22 Figure 9-9. MAC Lockdown Deployed At the Network Edge Provides Security Basic MAC Lockdown Deployment. In the Model Network Topology shown above, the switches that are connected to the edge of the network each have one and only one connection to the core network.
9-23 The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security.
9-24 Figure 9-10. Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connectivity issues would prevent you from locking down Server A to Switch 1.
9-25 MAC Lockout Displaying status. Locked down ports are listed in the output of the show running-config command in the CLI. The show static-mac command also lists the locked down MAC addresses, as shown below.
9-26 Lockout command (lockout-mac <mac-address>). When the wireless clients then attempt to use the network, the switch recognizes the intruding MAC addresses and prevents them from sending or receiving data on that network.
9-27 Figure 9-12. Listing Locked Out Ports Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it.
9-28 IP Lockdown IP lockdown is available on the Series 2600 and 2800 switches only. The “IP lockdown” utility enables you to restrict incoming traffic on a port to a specific IP address/subnet, and deny all other traffic on that port.
9-29 Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.
9-30 Reading Intrusion Alerts and Resetting Alert Flags • In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Eve.
9-31 Keeping the Intrusion Log Current by Resetting Alert Flags When a violation occurs on a port, an alert flag is set for that port and the violation is entered in the Intrusion Log.
9-32 Figure 9-14. Example of Port Status Screen with Intrusion Alert on Port A3 2.
9-33 (The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.
9-34 CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The following comman.
9-35 Figure 9-17. Example of the Intrusion Log with Multiple Entries for the Same Port The above example shows three intrusions for port A1.
9-36 Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as: W MM/DD.
9-37 Operating Notes for Port Security a. Click on the Security tab. b. Click on [Intrusion Log]. “Ports with Intrusion Flag” indicates any ports for which the alert flag has not been cleared. c. To clear the current alert flags, click on [Reset Alert Flags].
9-38 LACP Not Available on Ports Configured for Port Security. To maintain security, LACP is not allowed on ports configured for port security.
10-1 10 Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Contents: Contents 10-1; Overview
10-2 Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Overview This chapter describes the use of source-port filters on the Series 2600/2600-PWR switches and on the Series 2800 switches.
10-3 from receiving traffic from workstation "X", you would configure a filter to drop traffic from port 5 to port 7.
10-4 Using Source-Port Filters This feature is available only on the Series 2600, 2600-PWR, and 2800 switches.
10-5 Configuring a Source-Port Filter The source-port filter command operates from the global configuration level. Example of Creating a Source-Port Filter.
10-6 Configuring a Filter on a Port Trunk. This operation uses the same command as that used for configuring a filter on an individual port. However, the configuration process requires two steps: 1.
10-7 Viewing a Source-Port Filter You can list all source-port filters configured in the switch and, optionally, the detailed information on a specific filter.
10-8 If you wanted to determine the index number for the filter on source port 3 and then view a listing of the filter details on source port 3, you would use the show filter and show filter [INDEX] commands, as shown in figure 10-4.
10-9 Editing a Source-Port Filter The switch includes in one filter the action(s) for all destination ports and/or trunks configured for a given source port.
10-10 Using Named Source-Port Filters This feature is available only on the Series 2600 and 2600-PWR switches. Named source-port filters are filters that may be used on multiple ports and port trunks.
10-11 A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting.
10-12 Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below.
10-13 Defining and Configuring Example Named Source-Port Filters. While named source-port filters may be defined and configured in two steps, this is not necessary.
10-14 ProCurve(config)# show filter Traffic/Security Filters IDX Filter Type | Value --- ---------.
10-15 Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value). The two outputs below show a non-accounting and an accounting switch port.
10-16 The same command, using IDX 26, shows how traffic from the Internet is handled. As the company grows, more resources are required in accounting.
10-17 The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command.
11-1 11 Using Authorized IP Managers Contents: Overview 11-2; Configuration Options
11-2 Using Authorized IP Managers Overview Authorized IP Manager Features The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network.
11-3 Access Levels Configuration Options You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station.
11-4 Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch.
11-5 255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 11-9.
11-6 Figure 11-2. Example of How To Add an Authorized Manager Entry (Continued) Editing or Deleting an Authorized Manager Entry. Go to the IP Managers List screen (figure 11-1), highlight the desired entry, and press [E] (for Edit) or [D] (for Delete).
11-7 Figure 11-3. Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: Configuring IP Authorized Managers for the Switch To Authorize Manager Access.
11-8 Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: ProCurve(config)# ip authorized-managers 10.28.
11-9 Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1.
11-10 Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify.
11-11 Figure 11-6. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses Additional Examples for Authorizing Multiple Stations.
11-12 Operating Notes ■ Network Security Precautions: You can enhance your network’s security by keeping physical access to the switch restricted to.
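The pages above (11-5, 11-8 and 11-10) describe how an Authorized IP Managers entry combines an address with a mask: a station is admitted when its address agrees with the entry's address in every bit where the mask bit is 1, so a mask of 255.255.255.255 admits one station and 255.255.255.252 admits four. The following Python model is an added illustration of that bit-level check, written for this page; it is not switch firmware or ProCurve code. The table entries, the 10.28.227.x addresses used as stations and the non-contiguous mask 255.255.255.249 are constructed values; the limit of 10 entries comes from page 11-3. Its practical use for a defender is the audit view: expanding each entry into the exact list of stations it grants management access to, which a mask with stray zero bits can widen more than intended.

```python
"""Model of how an Authorized IP Managers entry (address + mask) decides
whether a station may manage the switch. Added illustration for this
page, not switch firmware; all table entries below are constructed.
"""
import ipaddress
from typing import List, Sequence, Tuple

MAX_ENTRIES = 10  # the manual states up to 10 authorized manager addresses

# Constructed example table (assumed values, not from a real switch).
AUTHORIZED_MANAGERS: List[Tuple[str, str]] = [
    ("10.28.227.101", "255.255.255.255"),  # exactly one station
    ("10.28.227.100", "255.255.255.252"),  # four stations: .100 through .103
]


def ip_to_int(addr: str) -> int:
    """Convert dotted-quad text to a 32-bit integer (raises on bad input)."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def station_matches(station: str, manager_ip: str, mask: str) -> bool:
    """A station matches an entry when its address agrees with the manager
    address in every bit position where the mask bit is 1.  Zero bits in
    the mask are wildcards, so both sides are ANDed with the mask; this
    works for non-contiguous masks as well as ordinary prefix masks."""
    m = ip_to_int(mask)
    return (ip_to_int(station) & m) == (ip_to_int(manager_ip) & m)


def admitted_count(mask: str) -> int:
    """Number of distinct station addresses a mask admits: 2 ** (zero bits)."""
    zero_bits = 32 - bin(ip_to_int(mask)).count("1")
    return 1 << zero_bits


def authorized_stations(manager_ip: str, mask: str, limit: int = 4096) -> List[str]:
    """Expand one entry into every station address it admits, so an
    operator can review exactly who gets management access.  Refuses to
    expand a mask that admits more than `limit` addresses."""
    if admitted_count(mask) > limit:
        raise ValueError("mask %s admits too many stations to list" % mask)
    m = ip_to_int(mask)
    base = ip_to_int(manager_ip) & m
    wildcard = (~m) & 0xFFFFFFFF
    found = []
    sub = wildcard
    while True:  # walk every subset of the wildcard bits
        found.append(base | sub)
        if sub == 0:
            break
        sub = (sub - 1) & wildcard
    return [int_to_ip(v) for v in sorted(found)]


def validate_entries(entries: Sequence[Tuple[str, str]]) -> None:
    """Reject a table the switch would not accept (more than 10 entries)
    or entries whose address or mask does not parse."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError("at most %d authorized manager entries" % MAX_ENTRIES)
    for ip, mask in entries:
        ip_to_int(ip)
        ip_to_int(mask)


def is_authorized(station: str,
                  entries: Sequence[Tuple[str, str]] = AUTHORIZED_MANAGERS) -> bool:
    """True when any entry in the table admits the station."""
    validate_entries(entries)
    return any(station_matches(station, ip, mask) for ip, mask in entries)


if __name__ == "__main__":
    for ip, mask in AUTHORIZED_MANAGERS:
        print(ip, mask, "->", authorized_stations(ip, mask))
    for s in ("10.28.227.102", "10.28.227.104"):
        print(s, "authorized" if is_authorized(s) else "denied")
```

Running `authorized_stations` over every entry before committing a change is the check worth keeping: it shows that 255.255.255.252 on 10.28.227.100 admits .100 to .103 and nothing else, and that a mask such as 255.255.255.249 admits four addresses that are not consecutive (.97, .99, .101, .103 for an entry address of 10.28.227.101), which is easy to overlook when reading the mask as a prefix length.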
Index – 1 Index Numerics 3DES … 6-3, 7-3 802.1X See port-based access control. … 8-1 A aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access levels, authorized IP managers … 11-3 accounting See RADIUS. address authorized for port security … 9-3 authentication See TACACS.
2 – Index I inconsistent value, message … 9-14 intrusion alarms entries dropped from log … 9-37 event log … 9-36 prior to … 9-37 Intrusion Log prior to … 9-33, 9-35 IP authorized IP manage.
Index – 3 prior to … 9-37 proxy web server … 9-37 port-based access control authenticate switch … 8-4 authenticate users … 8-4 authenticator backend state … 8-38 authenticator operation … 8-6, 8-8 authenticator, show commands … 8-38 authorized IP managers, precedence … 11-2 block traffic … 8-3 blocking non-802.
4 – Index accounting, system … 5-18, 5-22 authentication options … 5-2 authentication, local … 5-16 authorized IP managers, precedence … 11-2 bypass RADIUS server … 5-9 commands, accountin.
Index – 5 zeroing a key … 6-11 zeroize … 6-11 SSL CA-signed … 7-4, 7-15 CA-signed certificate … 7-4, 7-15 CLI commands … 7-7 client behavior … 7-17, 7-18 crypto key … 7-10 disabling.
6 – Index See also LACP. U user name cleared … 2-5 V value, inconsistent … 9-14 VLAN 802.1X … 8-44 802.1X, ID changes … 8-47 802.1X, suspend untagged VLAN … 8-41 filter, source-port … .
© 2000 - 2008 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. December 2008 Manual Part Number 5990-6024.