9.2.3.12. HP
9.2.3.12.1. 1920
Firmware: Comware 5
Administration Portal > ON CMDB > Network Devices Brand/Model: HP/1920
9.2.3.12.1.1. Radius Global Configuration
In this section we define the RADIUS servers used for authentication and accounting, and the user-name format sent to them:
[switch_hp] radius scheme opennac
[switch_hp-radius-opennac] primary authentication <Authentication_Server_IP>
[switch_hp-radius-opennac] primary accounting <Accounting_Server_IP>
[switch_hp-radius-opennac] key authentication simple <radius_sharedKey>
[switch_hp-radius-opennac] key accounting simple <radius_sharedKey>
[switch_hp-radius-opennac] user-name-format without-domain
user-name-format without-domain strips the ISP domain from the user name, so OpenNAC Enterprise receives the bare user name or MAC address. The shared key is entered in plain text with simple; check with display current-configuration how your Comware release stores it, and restrict who can view the configuration.
Secondary RADIUS servers can be defined with:
[switch_hp-radius-opennac] secondary authentication <Authentication_Server_IP> key simple <radius_sharedKey>
[switch_hp-radius-opennac] secondary accounting <Accounting_Server_IP> key simple <radius_sharedKey>
Next, define the ISP domain and bind LAN-access authentication, authorization and accounting to the RADIUS scheme:
[switch_hp] domain opennac
[switch_hp-isp-opennac] authentication lan-access radius-scheme opennac
[switch_hp-isp-opennac] authorization lan-access radius-scheme opennac
[switch_hp-isp-opennac] accounting lan-access radius-scheme opennac
[switch_hp-isp-opennac] access-limit disable
[switch_hp-isp-opennac] state active
[switch_hp-isp-opennac] idle-cut disable
[switch_hp-isp-opennac] self-service-url disable
8021X
To configure the 802.1X and MAB functionality, the switch must operate in port-security mode and each access port must be configured as a hybrid port.
Global Configuration:
[switch_hp] port-security enable
[switch_hp] dot1x authentication-method eap
Interface Configuration:
[switch_hp] interface GigabitEthernet x/y/z
[switch_hp-GigabitEthernetx/y/z] port link-type hybrid
[switch_hp-GigabitEthernetx/y/z] port hybrid vlan <VLAN_ID_LIST> tagged
[switch_hp-GigabitEthernetx/y/z] port hybrid vlan <VLAN_ID_LIST> untagged
[switch_hp-GigabitEthernetx/y/z] mac-vlan enable
[switch_hp-GigabitEthernetx/y/z] stp edged-port enable
[switch_hp-GigabitEthernetx/y/z] port-security port-mode userlogin-secure-or-mac-ext
[switch_hp-GigabitEthernetx/y/z] dot1x re-authenticate
[switch_hp-GigabitEthernetx/y/z] undo dot1x handshake
[switch_hp-GigabitEthernetx/y/z] undo dot1x multicast-trigger
MAC Authentication
To enable MAC authentication (used to perform MAB), define the ISP domain it uses in the global configuration and, on each interface, a port-security mode in which 802.1X has priority and MAC authentication is the fallback.
Global Configuration:
[switch_hp] mac-authentication domain opennac
Interface Configuration:
[switch_hp] interface GigabitEthernet x/y/z
[switch_hp-GigabitEthernetx/y/z] port-security port-mode userlogin-secure-or-mac-ext
9.2.3.12.1.2. Dot1x Features
Default VLAN
The default VLAN is the one assigned when the OpenNAC policy selects the default VLAN. On Comware it is the port's PVID, so VLAN 1 is removed from the port and the chosen VLAN becomes the PVID:
Interface Configuration:
[switch_hp] interface GigabitEthernet x/y/z
[switch_hp-GigabitEthernetx/y/z] undo port hybrid vlan 1
[switch_hp-GigabitEthernetx/y/z] port hybrid pvid vlan 310
Critical VLAN
The critical VLAN is the VLAN in which connections are placed when the RADIUS servers are unreachable for authorization. With recovery-action reinitialize, the port re-initializes 802.1X authentication as soon as a RADIUS server becomes reachable again, so clients do not remain in the critical VLAN longer than the outage:
Interface Configuration:
[switch_hp] interface GigabitEthernet x/y/z
[switch_hp-GigabitEthernetx/y/z] dot1x critical vlan 310
[switch_hp-GigabitEthernetx/y/z] dot1x critical recovery-action reinitialize
Voice VLAN
Global Configuration:
[switch_hp] undo voice vlan security enable
Interface Configuration:
[switch_hp] interface GigabitEthernet x/y/z
[switch_hp-GigabitEthernetx/y/z] undo voice vlan mode auto
[switch_hp-GigabitEthernetx/y/z] voice vlan <VLAN_ID> enable
9.2.3.12.1.3. Security Profiles (ACL’s)
Static
Static security profiles refer to defining, from OpenNAC Enterprise, specific Access Control Lists (ACLs) previously created on the network device, which are then applied to any established connection.
Comware switches must receive the ACL number, not its name, for the ACL to take effect.
To define an ACL on the switch, example:
[switch_hp] acl number 3001
[switch_hp-acl-adv-3001] rule 0 deny icmp destination 10.10.36.40 0
[switch_hp-acl-adv-3001] rule 15 permit ip
Dynamic
The dynamic security profiles involve sending an Access Control List (ACL) from OpenNAC Enterprise that has not been previously defined in the network device.
This network device does not support dynamic assignment of security profiles from OpenNAC Enterprise.
9.2.3.12.1.4. SNMP
To perform the policy reevaluation through SNMP, activate the SNMP agent and define the read and write community strings. Use non-default community strings and, since SNMPv2c sends them in clear text, restrict which hosts can reach the switch's SNMP port:
[switch_hp] snmp-agent
[switch_hp] snmp-agent community read <community>
[switch_hp] snmp-agent community write <community>
[switch_hp] snmp-agent sys-info version v2c
9.2.3.12.2. 2510, 2530, 2610 and 2620
Firmware: Accredited release J9085A #R.11.98
Administration Portal > ON CMDB > Network Devices Brand/Model: HP/2510 - HP/Generic - HP/2610 - HP/2620
9.2.3.12.2.1. RADIUS Global Configuration
Define the RADIUS servers to be used for authentication and their format:
HP-2530-24G-PoEP-2SFPP# configure
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> key <Radius_Shared_Key>
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> time-window 0
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> auth-port 1812
HP-2530-24G-PoEP-2SFPP(config)# radius-server host <Radius_Server_IP> acct-port 1813
HP-2530-24G-PoEP-2SFPP(config)# aaa server-group radius "opennac" host <Radius_Server_IP>
HP-2530-24G-PoEP-2SFPP(config)# aaa accounting network start-stop radius server-group "opennac"
time-window 0 disables the timestamp check the switch applies to RADIUS dynamic-authorization (CoA/Disconnect) messages. It avoids failures when the clocks of switch and server are not synchronized; with NTP in place, a non-zero window is the safer setting.
8021X
HP-2530-24G-PoEP-2SFPP(config)# aaa authentication port-access eap-radius server-group "opennac"
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator <port-range>
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator <port-range> tx-period 10
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator <port-range> client-limit 2
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator active
MAC Authentication
HP-2530-24G-PoEP-2SFPP(config)# aaa authentication mac-based chap-radius server-group "opennac"
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range>
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range> addr-limit 4
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based <port-range> reauth-period 144
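The RADIUS exchange that the radius scheme and radius-server definitions above and the chap-radius MAC authentication rely on, as an added example that is not OpenNAC Enterprise or HP code: it builds the Access-Request a switch sends for MAB (User-Name and CHAP-Password are both the client MAC), validates it the way the server must (Message-Authenticator, then the CHAP response) and decodes the VLAN from the Access-Accept. The shared secret, MAC address, NAS identifier and VLAN are constructed values, and the MAC format without separators is an assumption (HP switches can be set to several formats).

```python
"""RADIUS MAC-authentication exchange (added example, not OpenNAC Enterprise or HP code).
With 'mac-based chap-radius' the switch sends an Access-Request whose User-Name and
CHAP-Password are both the client MAC; the NAC server answers with an Access-Accept
carrying the VLAN in Tunnel-Private-Group-ID. Secret, MAC and VLAN below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 3, 31, 32
CHAP_CHALLENGE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 60, 64, 65
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 80, 81


def avp(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value; Length counts the 2-byte header (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data: bytes) -> list:
    """Walk the attribute list, refusing lengths that run past the packet."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password = Ident || MD5(Ident || Password || Challenge) (RFC 2865 5.3)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def mab_access_request(mac: str, secret: bytes, nas_id: bytes, pkt_id: int = 1,
                       authenticator=None, challenge=None) -> bytes:
    """Switch side. Assumption: the MAC is sent as 'aabbcc112233' (HP switches offer
    several formats; the one configured must match the OpenNAC Enterprise user entry)."""
    authenticator = authenticator or os.urandom(16)
    challenge = challenge or os.urandom(16)
    mac_plain = mac.lower().replace(":", "").replace("-", "").encode()
    attrs = (avp(USER_NAME, mac_plain)
             + avp(CHAP_PASSWORD, chap_response(pkt_id, mac_plain, challenge))
             + avp(CHAP_CHALLENGE, challenge)
             + avp(CALLING_STATION_ID, mac.upper().replace(":", "-").encode())
             + avp(NAS_IDENTIFIER, nas_id)
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, filled in below
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator
    # Message-Authenticator = HMAC-MD5(secret, packet with the field zeroed) (RFC 2869 5.14)
    return header + attrs[:-16] + hmac.new(secret, header + attrs, hashlib.md5).digest()


def _reply(code: int, pkt_id: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    head = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def server_handle(request: bytes, secret: bytes, vlan_by_mac: dict):
    """NAC-server side: discard on a bad Message-Authenticator, verify the CHAP
    response, then Accept with the VLAN registered for that MAC, or Reject."""
    code, pkt_id, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    req_auth, avps = request[4:20], parse_avps(request[20:])
    attrs = dict(avps)
    zeroed = b"".join(avp(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in avps)
    expected = hmac.new(secret, request[:20] + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs.get(MESSAGE_AUTHENTICATOR, b"")):
        return None  # wrong shared secret or tampered packet: silently discarded
    user, chap = attrs.get(USER_NAME, b""), attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, req_auth)  # Request Authenticator if absent
    vlan = vlan_by_mac.get(user.decode(errors="replace"))
    if (vlan is None or len(chap) != 17
            or not hmac.compare_digest(chap, chap_response(chap[0], user, challenge))):
        return _reply(ACCESS_REJECT, pkt_id, req_auth, b"", secret)
    accept = (avp(TUNNEL_TYPE, struct.pack("!I", 13))            # tag 0, Tunnel-Type VLAN
              + avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6))    # tag 0, IEEE-802
              + avp(TUNNEL_PRIVATE_GROUP_ID, vlan.encode()))
    return _reply(ACCESS_ACCEPT, pkt_id, req_auth, accept, secret)


def vlan_from_reply(reply: bytes, req_auth: bytes, secret: bytes):
    """Switch side: check the reply against the request authenticator and the shared
    secret, then return the VLAN from an Accept, or None for a Reject."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length mismatch")
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    for t, v in parse_avps(reply[20:]):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            return (v[1:] if v and v[0] <= 0x1F else v).decode()  # drop RFC 2868 tag byte
    return None
```

Calling server_handle with a secret that differs from the one the request was built with returns None: the request is discarded, which on a real deployment shows up as the switch timing out and falling back to the critical or unauthenticated VLAN rather than as a Reject. A reply produced with the wrong secret fails in vlan_from_reply, which is why the key must be identical on the switch, in the radius scheme, and in the OpenNAC Enterprise device entry.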
9.2.3.12.2.2. Dot1x Features
Default VLAN
The default VLAN is the one assigned when the OpenNAC Enterprise policy selects the default VLAN.
HP-2530-24G-PoEP-2SFPP(config)# primary-vlan 17
HP-2530-24G-PoEP-2SFPP(config)# vlan 17 name default_vlan
In addition, we can apply an interface configuration with the auth-vid parameter. auth-vid sets the VLAN a port is moved to after successful authentication when the RADIUS reply carries no VLAN; it is not configured by default.
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based 1-24 auth-vid 200
Critical VLAN
The critical VLAN is the VLAN in which connections are placed when the RADIUS servers are unreachable for authorization. Once an authentication method is configured, the critical VLAN can be set with unauth-vid, the VLAN where a port is kept while an unauthenticated client is connected to it (not configured by default). Note that any client whose authentication fails or times out ends up in this VLAN, not only clients seen during a RADIUS outage, so keep it isolated from production networks.
In addition, unauth-period sets the time in seconds the switch waits for authentication before moving the port to the VLAN for unauthenticated clients.
For 802.1x:
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator 1-24 unauth-vid 200
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access authenticator 1-24 unauth-period 20
For MAB:
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based 1-24 unauth-vid 200
HP-2530-24G-PoEP-2SFPP(config)# aaa port-access mac-based 1-24 unauth-period 20
Voice VLAN
The voice VLAN will be used to separate the voice traffic from the data traffic.
HP-2530-24G-PoEP-2SFPP(config)# vlan 100 voice
9.2.3.12.2.3. Security Profiles (ACL’s)
Static
Static security profiles on these models work as on the 1920: the ACL must already exist on the switch and OpenNAC Enterprise only references it. Define the ACL on the switch following the HP documentation for your firmware, then reference it from the OpenNAC Enterprise security profile.
9.2.3.12.2.4. SNMP
To perform the policy reevaluation through SNMP, activate this functionality and define the read and write community strings:
HP-2530-24G-PoEP-2SFPP(config)# snmp-server community "public"
HP-2530-24G-PoEP-2SFPP(config)# snmp-server community "private" operator unrestricted
"public" and "private" are placeholders: use your own community strings, because SNMPv2c sends them in clear text and the unrestricted community allows the switch configuration to be changed.
9.2.3.12.2.5. CLI authentication
You can use OpenNAC Enterprise for RADIUS CLI authentication on the 2500 Series. The trailing local keeps the local accounts as a fallback for when the RADIUS server is unreachable:
radius-server host 192.168.1.5 key Testing123
aaa authentication ssh login radius local
aaa authentication telnet login radius local
Telnet sends the credentials in clear text; configure the telnet line only if SSH cannot be used.
9.2.3.12.2.6. Troubleshooting & Monitoring
RADIUS Debug:
HP-2530-24G-PoEP-2SFPP# debug security radius-server
HP-2530-24G-PoEP-2SFPP# debug security port-access
HP-2530-24G-PoEP-2SFPP# debug security port-security
HP-2530-24G-PoEP-2SFPP# debug destination session
Display connected users:
Dot1x:
HP-2530-24G-PoEP-2SFPP# display dot1x sessions interface X
HP-2530-24G-PoEP-2SFPP# display dot1x interface X
MAC-Authentication (MAB):
HP-2530-24G-PoEP-2SFPP# display mac-authentication interface X
HP-2530-24G-PoEP-2SFPP# display mac-address interface X
9.2.3.12.3. 3400cl Series
Firmware: Accredited release 11.72
Administration Portal > ON CMDB > Network Devices Brand/Model: HP/Generic
9.2.3.12.3.1. RADIUS Global Configuration
To enable RADIUS MAC authentication on the ports, you first need to join the ports to either the registration or the MAC detection VLAN (as a security measure).
radius-server host <Radius_Server_IP> key <Radius_Shared_Key>
radius-server host <Radius_Server_IP> time-window 0
radius-server host <Radius_Server_IP> auth-port 1812
radius-server host <Radius_Server_IP> acct-port 1813
aaa server-group radius "opennac" host <Radius_Server_IP>
aaa accounting network start-stop radius server-group "opennac"
aaa authentication mac-based chap-radius server-group "opennac"
The server-group name in the authentication and accounting commands must match the name given when the group was created ("opennac" here).
Optionally, you can point SSH and telnet authentication to OpenNAC Enterprise (make sure you also follow the instructions in the Administration Guide to activate CLI access); local remains as the fallback:
aaa authentication ssh login radius server-group "opennac" local
aaa authentication telnet login radius server-group "opennac" local
MAC Authentication
aaa authentication mac-based chap-radius server-group "opennac"
aaa port-access mac-based <port-range>
aaa port-access mac-based <port-range> addr-limit 4
aaa port-access mac-based <port-range> reauth-period 144
9.2.3.12.3.2. SNMP
Port-Security
linkUp/linkDown traps are enabled by default, so they are disabled here and only the port-security traps are kept.
Global configuration:
snmp-server community public manager unrestricted
snmp-server host 192.168.1.5 "public" Not-INFO
no snmp-server enable traps link-change 1-26
Replace public with a non-default community string: manager unrestricted grants full read and write access to anyone who knows it.
Interface configuration:
port-security <xx> learn-mode configured action send-alarm
where <xx> stands for the interface index.
9.2.3.12.4. ProCurve
Firmware: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: HP/Generic
openNAC supports ProCurve switches without VoIP using two different trap types:
linkUp/linkDown
Port Security (with static MACs)
We recommend to enable Port Security only.
Important
Don’t forget to update the startup configuration!
HP ProCurve sends only one security trap to OpenNAC Enterprise per security violation. For this reason, make sure OpenNAC Enterprise is running when you configure port-security. Because of the same limitation, it is good practice to reset the intrusion flag as a first troubleshooting step. To learn more about the intrusion flag and port-security, refer to the ProCurve documentation.
If you configure a switch that is already in production, be careful: enabling port-security causes the active MAC addresses to be added to the intrusion list automatically, without sending a security trap to OpenNAC Enterprise, so OpenNAC Enterprise is never notified that it needs to configure the port. As a work-around, unplug the clients before activating port-security, or clear the intrusion flag after enabling it with: port-security <port> clear-intrusion-flag.
9.2.3.12.5. Procurve 5400 Series
Firmware:KB.16.01.0007
Administration Portal > ON CMDB > Network Devices Brand/Model: HP/Generic
Port-Security
linkUp/linkDown traps are enabled by default; the SNMP section below shows how to enable them only on the required ports.
9.2.3.12.5.1. RADIUS Global Configuration
On global configuration mode we need to apply the following configuration:
HP Switch(config)# radius-server host <Radius_Server_IP> key <PreSharedKeys>
HP Switch(config)# aaa authentication port-access eap-radius
802.1X (with VoIP)
Like the MAC Authentication, you need to ensure that the Voice VLAN is tagged on all ports when using 802.1X. You also need to activate lldp notification on all ports that will handle VoIP. In the default configuration, LLDP is globally enabled on the switch. Finally, make sure to change the value of the $VOICEVLANAME variable in the Procurve 5400 module’s source code.
HP Switch(config)# vlan 1
HP Switch(vlan-1)# untagged <initport-endport>
HP Switch(vlan-1)# vlan 2
HP Switch(vlan-2)# voice
HP Switch(vlan-2)# tagged <initport-endport>
HP Switch(vlan-2)# exit
HP Switch(config)# aaa port-access authenticator <initport-endport>
HP Switch(config)# aaa port-access authenticator <initport-endport> client-limit 2
HP Switch(config)# aaa port-access authenticator active
MAC Authentication (with VoIP):
To have the MAC Authentication working with VoIP, you need to ensure that the Voice VLAN is tagged on all ports. You also need to activate lldp notification on all ports that will handle VoIP. In the default configuration, LLDP is globally enabled on the switch. Finally, make sure to change the value of the $VOICEVLANAME variable in the Procurve 5400 module’s source code.
HP Switch(config)# vlan 1
HP Switch(vlan-1)# untagged <initport-endport>
HP Switch(vlan-1)# vlan 2
HP Switch(vlan-2)# voice
HP Switch(vlan-2)# tagged <initport-endport>
HP Switch(vlan-2)# exit
HP Switch(config)# aaa port-access mac-based <initport-endport>
HP Switch(config)# aaa port-access mac-based <initport-endport> addr-limit 2
HP Switch(config)# aaa port-access <initport-endport> controlled-direction in
9.2.3.12.5.2. SNMP
SNMP Traps Basic Configuration
HP Switch(config)# snmp-server enable
HP Switch(config)# snmp-server community <community-name> restricted
HP Switch(config)# snmp-server host <opennac_IP>
HP Switch(config)# snmp-server enable traps link-change [initport-endport|all]
The trap host is the OpenNAC Enterprise address; restricted creates a read-only community, which is all the trap receiver needs.
Configuring SNMP v3
To activate SNMP v3 in a HP Procurve, several modes can be configured. In this section, we will describe the configuration you need for three of them.
AuthPriv: authentication with HMAC-MD5 or HMAC-SHA plus encryption of the PDUs with DES or AES. This is the mode to use for OpenNAC Enterprise; choose sha and aes, since MD5 and DES are deprecated, and use different strings for the authentication and privacy keys.
HP Switch(config)# snmpv3 enable
HP Switch(config)# snmpv3 group managerpriv user <username> sec-model ver3
HP Switch(config)# snmpv3 user <username> auth [md5|sha] <preSharedKeyAuth-string> priv [des|aes] <preSharedKeyPriv-string>
AuthNoPriv: authentication with HMAC-MD5 or HMAC-SHA, using <preSharedKeyAuth-string> as the authentication key. There is no encryption, so the OIDs and values travel in clear text.
HP Switch(config)# snmpv3 enable
HP Switch(config)# snmpv3 group managerauth user <username> sec-model ver3
HP Switch(config)# snmpv3 user <username> auth [md5|sha] <preSharedKeyAuth-string>
NoAuthNoPriv: neither authentication nor privacy. It offers no more protection than an SNMPv2c community string.
HP Switch(config)# snmpv3 enable
HP Switch(config)# snmpv3 group operatornoauth user <username> sec-model ver3
HP Switch(config)# snmpv3 user <username>
The next step is to configure the trap receivers with the minimum privilege (recommended): restrict SNMP access to the OpenNAC Enterprise address and send notifications to it.
HP Switch(config)# ip authorized-managers <opennac_IP> <opennac_mask> access operator access-method snmp
HP Switch(config)# snmpv3 notify <notify_name> tagvalue <tag_name>
HP Switch(config)# snmpv3 targetaddress [<ipv4-addr|ipv6-addr>] <name>
HP Switch(config)# snmpv3 params <params_name> user <user_name>
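A check to run on an exported configuration after following the SNMP sections for the 1920 (9.2.3.12.1.4) and the 2530 (9.2.3.12.2.4), the CLI authentication in 9.2.3.12.2.5 and the SNMPv3 modes above, as an added example that is not OpenNAC Enterprise or HP code: it reads a saved display current-configuration or show running-config text and reports the weak settings those steps can leave behind (default community strings, write communities over SNMPv1/v2c, RADIUS keys entered with simple, SNMPv3 users without authentication or with MD5/DES, and telnet management). The sample configuration is constructed for the example and mixes Comware 5 and ProCurve syntax on purpose; the check identifiers are this example's own.

```python
"""Configuration audit for HP switches prepared for OpenNAC Enterprise (added example,
not OpenNAC Enterprise or HP code). Reports weak SNMP, RADIUS and CLI settings found in
a saved configuration. SAMPLE_CONFIG is constructed, not a real switch dump."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Patterns for the lines of interest; audit() decides what each match means.
RULES = [
    ("radius-key-plaintext", re.compile(r"^\s*key (authentication|accounting) simple\b")),
    ("comware-community", re.compile(r"^\s*snmp-agent community (read|write) (\S+)")),
    ("procurve-community", re.compile(r'^\s*snmp-server community\s+"?([^"\s]+)"?(.*)$')),
    ("snmp-v1v2c", re.compile(r"^\s*snmp-agent sys-info version (v1|v2c)\b")),
    ("snmpv3-user", re.compile(r"^\s*snmpv3 user (\S+)(.*)$")),
    ("telnet-enabled", re.compile(r"^\s*aaa authentication telnet login\b")),
]

SAMPLE_CONFIG = """\
# constructed sample, not a real switch dump: Comware 5 lines, then ProCurve lines
radius scheme opennac
 key authentication simple radius_sharedKey
 key accounting cipher $c$3$example
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c
snmp-server community "public"
snmp-server community "private" operator unrestricted
snmpv3 user monitor
snmpv3 user opennac auth md5 k1 priv des k2
snmpv3 user secure auth sha k3 priv aes k4
aaa authentication telnet login radius local
aaa authentication ssh login radius local
"""


def _snmpv3_algorithms(options: list) -> dict:
    """Map 'auth' and 'priv' to the algorithm token that follows each keyword."""
    return {options[i]: options[i + 1].lower()
            for i in range(len(options) - 1) if options[i] in ("auth", "priv")}


def audit(config: str) -> list:
    """Return (line number, check id, message) tuples in order of appearance."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for check, pattern in RULES:
            m = pattern.match(line)
            if not m:
                continue
            if check == "radius-key-plaintext":
                findings.append((lineno, check,
                                 "RADIUS key entered with 'simple'; verify how it is stored"))
            elif check in ("comware-community", "procurve-community"):
                if check == "comware-community":
                    name, writable = m.group(2), m.group(1) == "write"
                else:  # ProCurve: 'unrestricted' means read-write at that access level
                    name, writable = m.group(1), "unrestricted" in m.group(2)
                if name.lower() in DEFAULT_COMMUNITIES:
                    findings.append((lineno, "default-community",
                                     "default community string '%s'" % name))
                if writable:
                    findings.append((lineno, "snmp-write-community",
                                     "write access via community '%s' (v1/v2c, clear text)" % name))
            elif check == "snmp-v1v2c":
                findings.append((lineno, check,
                                 "SNMP %s enabled; community travels in clear text" % m.group(1)))
            elif check == "snmpv3-user":
                algos = _snmpv3_algorithms(m.group(2).split())
                if "auth" not in algos:
                    findings.append((lineno, "snmpv3-noauth",
                                     "SNMPv3 user '%s' has no authentication" % m.group(1)))
                elif algos["auth"] == "md5" or algos.get("priv") == "des":
                    findings.append((lineno, "snmpv3-weak-algo",
                                     "SNMPv3 user '%s' uses MD5 or DES" % m.group(1)))
            elif check == "telnet-enabled":
                findings.append((lineno, check,
                                 "telnet login enabled; credentials cross the network in clear text"))
    return findings


if __name__ == "__main__":
    for lineno, check, message in audit(SAMPLE_CONFIG):
        print("line %2d  %-22s %s" % (lineno, check, message))
```

Feed it the output of display current-configuration (Comware) or show running-config (ProCurve) saved to a file; a clean configuration returns an empty list. The patterns only recognise the command forms shown on this page, so a switch family with different syntax needs its own rules.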