Allied Telesis Layer 3 Switches manual Using 802.1x port authentication, Using ARP security

Page 17

Identifying the user

Using DHCP snooping to track clients

If your DHCP server supports it, you can use “option 82” to record more information about DHCP clients. This enhances your ability to track users. The switch can pass option 82 information to the DHCP server so that the server can record the switch MAC, switch port, VLAN number and subscriber-ID associated with the client.

Example: To pass option 82 information to the server, including the information that port 1 is room 101, use the following commands in addition to the configuration given in “Setting up DHCP snooping” on page 16.

enable dhcpsnooping option82

set dhcpsnooping port=1 subscriberid="Room 101"
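To show what the DHCP server actually receives when the switch inserts option 82, here is an added decoder for the relay agent information option (example code, not part of the original note and not Allied Telesis code). The sub-option codes are from RFC 3046 (1 = Circuit ID, 2 = Remote ID) and RFC 3993 (6 = Subscriber-ID); the byte layout assumed for the Circuit ID (16-bit VLAN then 16-bit port) and Remote ID (6-byte switch MAC) is this example's assumption, not the switch's documented encoding. The sample DHCP options bytes are constructed inline, with the "Room 101" subscriber-ID from the commands above and a made-up switch MAC.

```python
"""Decode the DHCP relay agent information option (option 82) that a DHCP
snooping switch inserts before forwarding a client's request.

Sub-option codes: 1 = Agent Circuit ID, 2 = Agent Remote ID (RFC 3046),
6 = Subscriber-ID (RFC 3993). The Circuit/Remote ID byte layout decoded
here is an ASSUMPTION for this example (Remote ID = switch MAC, Circuit ID =
16-bit VLAN + 16-bit port), not the Allied Telesis encoding.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID, SUBOPT_SUBSCRIBER_ID = 1, 2, 6


@dataclass
class RelayAgentInfo:
    circuit_id: bytes = b""
    remote_id: bytes = b""
    subscriber_id: str = ""
    unknown: Dict[int, bytes] = field(default_factory=dict)

    @property
    def switch_mac(self) -> Optional[str]:
        """Assumed layout: Remote ID carries the 6-byte switch MAC."""
        if len(self.remote_id) != 6:
            return None
        return ":".join(f"{b:02x}" for b in self.remote_id)

    @property
    def vlan_and_port(self) -> Optional[Tuple[int, int]]:
        """Assumed layout: Circuit ID = VLAN (2 bytes) + port (2 bytes)."""
        if len(self.circuit_id) != 4:
            return None
        return (int.from_bytes(self.circuit_id[:2], "big"),
                int.from_bytes(self.circuit_id[2:], "big"))


def find_option(options: bytes, wanted: int) -> Optional[bytes]:
    """Return the body of top-level DHCP option `wanted` (options field after
    the magic cookie) or None. Pad (0) and End (255) have no length byte."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            return None
        if i + 2 > len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        body = options[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"option {code} runs past end of options field")
        if code == wanted:
            return body
        i += 2 + length
    return None


def parse_option82(body: bytes) -> RelayAgentInfo:
    """Walk the TLV sub-options inside option 82. Bad lengths raise rather
    than yielding a plausible-looking but partially decoded record."""
    info = RelayAgentInfo()
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} runs past end of option 82")
        if code == SUBOPT_CIRCUIT_ID:
            info.circuit_id = data
        elif code == SUBOPT_REMOTE_ID:
            info.remote_id = data
        elif code == SUBOPT_SUBSCRIBER_ID:
            info.subscriber_id = data.decode("ascii", errors="replace")
        else:
            info.unknown[code] = data
        i += 2 + length
    return info


# Constructed sample: message type (53) = DISCOVER, option 82 with three
# sub-options, then End. The switch MAC is a made-up locally administered address.
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])
    + bytes([82, 24])
    + bytes([1, 4, 0x00, 0x64, 0x00, 0x01])          # Circuit ID: VLAN 100, port 1
    + bytes([2, 6]) + bytes.fromhex("020000000001")  # Remote ID: switch MAC
    + bytes([6, 8]) + b"Room 101"                     # Subscriber-ID from the example
    + bytes([255])
)


def describe_client(options: bytes = SAMPLE_OPTIONS) -> dict:
    """Summarise where a DHCP request entered the network, or report that
    no option 82 was present at all."""
    body = find_option(options, OPTION_RELAY_AGENT_INFO)
    if body is None:
        return {"option82": False}
    info = parse_option82(body)
    vp = info.vlan_and_port
    return {"option82": True, "switch_mac": info.switch_mac,
            "vlan": vp[0] if vp else None, "port": vp[1] if vp else None,
            "subscriber_id": info.subscriber_id}


if __name__ == "__main__":
    print(describe_client())
```

A DHCP server (or a log-collection script fed its lease records) that keeps this decoded tuple alongside the lease gives you the switch, port and room for every client IP, which is the tracking ability the note refers to.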

Using ARP security

When you enable ARP security, the switch drops ARP packets received on non-trusted (client) ports unless the packets originate from an IP address that is registered in the DHCP snooping database.

ARP security stops clients that are directly attached to the switch from using IP spoofing or ARP poisoning. It also protects directly-attached clients from IP spoofing and ARP poisoning.

Example: To turn on ARP security, use the following command in addition to the configuration given in “Setting up DHCP snooping”, above.

enable dhcpsnooping arpsecurity
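The following added simulation (example code, not the switch's own implementation) models the decision ARP security makes: an ARP packet received on an untrusted client port is forwarded only if its sender is registered in the DHCP snooping database, while trusted ports are not checked. The binding table, port roles and ARP packets are all constructed inline. The text above says the check is on the sender IP address; also requiring the binding's MAC and port to match is this example's stricter choice and is labelled as such.

```python
"""Model of the ARP-security check: ARP on an untrusted (client) port is
forwarded only if the sender matches a DHCP snooping binding. Added
simulation; the MAC and port comparisons are this example's assumption."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 Ethernet/IPv4 ARP layout, 28 bytes


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode a raw ARP payload; anything that is not Ethernet/IPv4 ARP is rejected."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


# DHCP snooping database as learned from DHCP ACKs: client IP -> (client MAC, port)
Bindings = Dict[str, Tuple[str, int]]


def arp_security_verdict(port: int, pkt: ArpPacket, bindings: Bindings,
                         trusted_ports: Set[int]) -> Tuple[bool, str]:
    """Return (forward?, reason) for an ARP packet received on `port`."""
    if port in trusted_ports:
        return True, "trusted port, not checked"
    binding = bindings.get(pkt.sender_ip)
    if binding is None:
        return False, f"sender IP {pkt.sender_ip} has no DHCP snooping binding"
    bound_mac, bound_port = binding
    if bound_mac != pkt.sender_mac:            # stricter than IP-only (assumption)
        return False, f"sender MAC {pkt.sender_mac} does not match binding {bound_mac}"
    if bound_port != port:                     # stricter than IP-only (assumption)
        return False, f"binding for {pkt.sender_ip} belongs to port {bound_port}"
    return True, "sender matches DHCP snooping binding"


def build_arp(opcode: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a raw ARP payload for the in-memory samples below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa))


# Constructed scenario: one client leased 192.168.1.10 on port 1; port 24 is the
# trusted uplink towards the DHCP server and the gateway 192.168.1.1.
BINDINGS: Bindings = {"192.168.1.10": ("02:00:00:00:00:aa", 1)}
TRUSTED_PORTS: Set[int] = {24}
ZERO_MAC = "00:00:00:00:00:00"
SAMPLES: List[Tuple[int, bytes]] = [
    # legitimate request from the bound client on its own port
    (1, build_arp(ARP_REQUEST, "02:00:00:00:00:aa", "192.168.1.10", ZERO_MAC, "192.168.1.1")),
    # reply on a client port claiming the gateway's IP: the ARP-poisoning case this feature drops
    (1, build_arp(ARP_REPLY, "02:00:00:00:00:bb", "192.168.1.1", "02:00:00:00:00:aa", "192.168.1.10")),
    # the real gateway answering via the trusted uplink
    (24, build_arp(ARP_REPLY, "02:00:00:00:00:01", "192.168.1.1", "02:00:00:00:00:aa", "192.168.1.10")),
    # the bound IP/MAC pair appearing on a different client port
    (2, build_arp(ARP_REQUEST, "02:00:00:00:00:aa", "192.168.1.10", ZERO_MAC, "192.168.1.1")),
]


def evaluate(samples: List[Tuple[int, bytes]] = SAMPLES) -> List[Tuple[bool, str]]:
    return [arp_security_verdict(port, parse_arp(raw), BINDINGS, TRUSTED_PORTS)
            for port, raw in samples]


if __name__ == "__main__":
    for (port, _), (ok, why) in zip(SAMPLES, evaluate()):
        print(f"port {port:2d}: {'forward' if ok else 'drop   '}  {why}")
```

The fourth sample is the practical caveat: a client that moves to another port without renewing its lease has no binding on the new port, so its ARP traffic is dropped until it obtains a lease there. That is the intended behaviour, but it is worth knowing when troubleshooting "no connectivity after moving a PC" reports on an ARP-security network.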

Using 802.1x port authentication

With 802.1x port authentication, hosts must authenticate themselves when they attempt to access a network through an Ethernet port.

Unlike DHCP snooping, 802.1x only authenticates users when they access the port. It cannot track them afterwards.

Products: All switches listed on page 2

Software Versions: 2.6.1 and later

A network controller, such as a RADIUS server, controls the authentication. The Allied Telesis switch relays the host-to-server communication and takes note of success or failure. Essentially, the host is completely denied access to the Ethernet until the switch sees the host successfully authenticate with the server. After that, the switch allows packets to and from the host to pass through the 802.1x controlled port.

802.1x can also dynamically assign the host to a VLAN.

Examples: For examples of 802.1x authentication, see the following How To Notes:

• How to Configure A Secure School Network Based On 802.1x

• How To Use 802.1x VLAN Assignment

• How To Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

• How To Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux’s freeRADIUS and Xsupplicant

Most of the above Notes describe how to configure the authentication server and the host, as well as the switch.

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
