SMC Networks 10/100 manual 101

Page 133

CONFIGURING 802.1X PORT AUTHENTICATION

The IEEE 802.1x (dot1x) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first enter a user ID and password for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use a single user ID and password for authentication from any point within the network.

This switch uses the Extensible Authentication Protocol over LAN (EAPOL) with MD5 authentication to exchange authentication protocol messages with the client, and a remote login authentication server (i.e., RADIUS) to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an identity request. The client provides its identity to the switch, which it forwards to the authentication server. The authentication server verifies the client identity and sends this information back to the switch. The switch then issues an MD5 access challenge to the client, and the client returns an MD5 response to the switch based on its user ID and password. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.

The operation of dot1x on the switch requires the following:

The switch must have an IP address assigned.

RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified.

Each switch port that will be used must be set to dot1x “Auto” mode.

Each client that needs to be authenticated must have dot1x client software installed and properly configured.

2-101

Page 132 Page 134
Image 133
Page 132 Page 134
Contents TigerSwitch 10/100 Page TigerSwitch 10/100 Management Guide Trademarks Limited Warranty Limited Warranty Contents Contents Iii Command Line InterfaceContents Contents Contents Vii Glossary Index Upgrading Firmware via the Serial Port . . . . . . .B-1Viii Configuration Options Connecting to the SwitchSwitch Management Required Connections Remote Connections Console Connection Basic ConfigurationSetting Passwords Manual Configuration Setting an IP AddressDynamic Configuration Basic Configuration Community Strings Enabling Snmp Management AccessBasic Configuration Trap Receivers Saving Configuration SettingsEnter the name of the start-up file. Press Enter Managing System FilesFunction Parameter Default System DefaultsSnmp Function Parameter Default Pvid Switch Management Using the Web Interface Configuring the SwitchNavigating the Web Browser Interface Home Button Action Panel DisplayMenu Description Main MenuMenu Description Private Vlan Igmp Displaying System Information Configuring the Switch CLI Specify the hostname, location and contact information Setting the IP AddressCommand Attributes Manual Configuration Configuring the Switch Configuring the Logon Password Configuring User AuthenticationCommand Attributes Command Usage Configuring Radius Logon AuthenticationCommand Attributes Configuring User Authentication Downloading System Software from a Server Managing FirmwareManaging Firmware Downloading Configuration Settings from a Server Saving or Restoring Configuration SettingsManaging Firmware Displaying Bridge Extension Capabilities Resetting the SystemDisplaying Bridge Extension Capabilities 145 Enabling or Disabling Gvrp Global SettingDisplaying Switch Hardware/Software Versions Displaying Switch HARDWARE/SOFTWARE Versions Displaying Connection Status Port ConfigurationWeb Click Port, Port Information or Trunk Information CLI This example shows the connection status for Port Configuring Interface ConnectionsPort Configuration Setting Broadcast Storm Thresholds Command Usage 102 Configuring Port Mirroring Address Table Settings Setting Static Addresses Displaying the Address Table 109 Changing the Aging Time Spanning Tree Algorithm ConfigurationManaging Global Settings Configuring the Switch Displaying the Global Settings for STA 119 Managing STA Interface Settings Configuring the Global Settings for STACommand Attributes Spanning Tree Algorithm Configuration Configuring the Switch Displaying the Interface Settings for STA Configuring the Interface Settings for STA Vlan ConfigurationAssigning Ports to VLANs Configuring the Switch Vlan Configuration Forwarding Tagged/Untagged Frames Displaying Basic Vlan InformationDisplaying Current VLANs Command Attributes WebCommand Attributes CLI 131 Creating VLANs122 Adding Static Members to VLANs Vlan Index Configuring the Switch 130 Adding Static Members to VLANs Port Index CLI This example adds Port 3 to Vlan 1 as a tagged port Configuring Vlan Behavior for InterfacesConfiguring the Switch Vlan Configuration Configuring Private VLANs Displaying Current Private VLANs Command Attributes Configuring Private VLANs Associating Community VLANs Displaying Private Vlan Interface Information Command Attributes Configuring Private Vlan Interfaces Configuring the Switch 137 Class of Service ConfigurationSetting the Queue Mode Port Trunk Configuration Command Usage Group Number Ports 152 Configuring SnmpAccess Mode Setting Community Access StringsSpecifying Trap Managers and Trap Types Command Usage Multicast Configuration Configuring Igmp Parameters Command Attributes Interfaces Attached to a Multicast Router Displaying Interfaces Attached to a Multicast Router Command AttributesSpecifying Interfaces Attached to a Multicast Router Command Attribute Displaying Port Members of Multicast Services158 Adding Multicast Addresses to VLANs 156 Showing Port Statistics Showing Port Statistics CLI This example shows statistics for port Rate Limit ConfigurationOption 100 Configuring 802.1x Port Authentication101 102 Displaying 802.1x Global Settings103 Configuring 802.1x Global Settings104 105 Configuring a Port for AuthorizationAuthorized 106107 Displaying 802.1x Statistics108 CLI This example displays the dot1x statistics for port 109110 Accessing the CLI Using the Command Line InterfaceTelnet Connection Using the Command Line Interface Keywords and Arguments Entering CommandsMinimum Abbreviation Getting Help on Commands Command CompletionUsing Command History Negating the Effect of CommandsPartial Keyword Lookup Exec Commands Understanding Command ModesConfiguration Commands Mode Command Prompt Command Line Processing Command GroupsIgmp Command Description Group Enable General CommandsSyntax Enable level Disable Configure Show history End ReloadExit Quit Flash/File CommandsCopy Command Usage Syntax DeleteDir Syntax Dir boot-rom config opcode filenameColumn Heading Description WhichbootSyntax Boot system boot-romconfig opcode filename Boot systemSystem Management Commands Username HostnameSyntax Hostname name no hostname Username Access-level Password Guest Admin Enable password Ip http port Default Setting Command ModeSyntax Ip http port port-numberno ip http port Ip http server Show startup-config Show running-config Show running-config Show startup-config Show system Show version Show usersAuthentication Commands Command Function Mode Authentication loginRadius-server host Syntax Radius-server port portnumber no radius-server port Radius-server portRadius-server retransmit Radius-server keySyntax Radius-server key keystring no radius-server key Show radius-server Radius-server timeoutPort Authentication Commands Authentication dot1x Syntax Dot1x default Command Mode Dot1x defaultDefault Command Mode Dot1x max-reqCommand Mode Interface Configuration Example DefaultDot1x port-control Dot1x re-authentication Dot1x re-authenticateSyntax Dot1x re-authenticate interface Ethernet unit/portDot1x timeout re-authperiod Dot1x timeout quiet-periodDot1x timeout tx-period Syntax Show dot1x statistics interface interface Show dot1xReauthentication State Machine Console#show dot1x Snmp-server community Snmp CommandsSyntax Snmp-server contact string no snmp-server contact Snmp-server contactSyntax Snmp-server location text no snmp-server location Snmp-server locationNo snmp-server host host-addr Snmp-server hostSnmp-server enable traps Show snmp Normal Exec, Privileged Exec Ip igmp snooping Igmp Snooping CommandsSyntax Ip igmp snooping no ip igmp snooping Ip igmp snooping query-count Ip igmp snooping query-max-response-time Ip igmp snooping router-port-expire-time Ip igmp snooping version Show ip igmp snooping Following shows the current Igmp snooping configurationShow mac-address-table multicast Line Commands Syntax Line console vty LineSyntax Login local no login LoginSyntax Password 0 7 password no password PasswordSyntax Exec-timeout seconds no exec-timeout Exec-timeoutSyntax Password-thresh threshold no password-thresh Password-threshSyntax Silent-time seconds no silent-time Silent-timeSyntax Databits 7 8 no databits DatabitsSyntax Parity none even odd no parity ParitySyntax Speed bps no speed SpeedShow line StopbitsSyntax Stopbits 1 Syntax Show line console vtyTo show all lines, enter this command IP CommandsIp address Ip dhcp restart Syntax Ip default-gateway gateway no ip default-gateway Ip default-gatewayShow ip interface Ping Show ip redirectsSyntax Ping host count countsize size Press Esc to stop pinging Queue hol-prevention HOL Blocking Prevention CommandsShow queue hol-prevention Interface Commands Port-channel channel-idRange InterfaceSpeed-duplex DescriptionSyntax Description string no description Negotiation 3-92 capabilities Negotiation Syntax Negotiation no negotiation Default SettingCapabilities Default SettingFlowcontrol Syntax Flowcontrol no flowcontrol Default SettingNegotiation Capabilities flowcontrol, symmetric Shutdown Switchport broadcast percent Clear counters Port-channel channel-idRange Default SettingSyntax Clear counters interface Syntax Show interfaces status interface Show interfaces statusSyntax Show interfaces counters interface Show interfaces counters101 Syntax Show interfaces switchport interface Show interfaces switchport103 Rate Limit Commands Rate-limit Address Table Commands Mac-address-table static Clear mac-address-table dynamic Show mac-address-table Mac-address-table aging-time Show mac-address-table aging-time Spanning Tree Commands111 Spanning-tree Syntax Spanning-tree no spanning-tree Default Setting112 113 Spanning-tree forward-time114 Spanning-tree hello-time115 Spanning-tree max-ageSpanning-tree cost Spanning-tree priority116 Syntax Spanning-tree cost cost no spanning-tree cost117 Spanning-tree port-priority118 Spanning-tree portfast119 Show spanning-treeSyntax Show spanning-tree interface 120 121 Vlan Commands122 Vlan database123 Vlan124 Interface vlanSyntax Interface vlan vlan-id Syntax Switchport mode trunk access no switchport mode Switchport mode125 126 Switchport acceptable-frame-types127 Switchport ingress-filtering128 Switchport native vlan129 Switchport allowed vlan130 Switchport forbidden vlan131 Show vlanSyntax Show vlan id vlan-idname vlan-name 132 Private Vlan Commands133 134 Private-vlanSyntax Private-vlan vlan-idcommunity primary 135 Private vlan associationNo private-vlan primary-vlan-idassociation 136 Switchport mode private-vlan137 Switchport private-vlan host-association138 Switchport private-vlan mapping139 Show vlan private-vlanSyntax Show vlan private-vlan community primary Switchport gvrp Gvrp and Bridge Extension CommandsSyntax Switchport gvrp no switchport gvrp 140Syntax Show gvrp configuration interface Show gvrp configuration141 142 Garp timerSyntax Show garp timer interface Show garp timer143 Bridge-ext gvrp Syntax Bridge-ext gvrp no bridge-ext gvrp Default Setting144 145 Show bridge-ext146 Priority CommandsShow queue mode Queue modeSyntax Queue mode strict wrr no queue mode 147Port monitor Mirror Port Commands148 149 Show port monitorSyntax Show port monitor interface 150 Port Trunking CommandsGuidelines for Creating Trunks 151152 Port-group153 154 Troubleshooting Chart Appendix a TroubleshootingTroubleshooting Appendix B Upgrading Firmware VIA Serial Port Upgrading Firmware VIA the Serial Port Page Restoring Switch Defaults Enter q and then x to return to the main menu Enter G to boot the system Glossary-1 Glossary-2 Glossary-3 Glossary-4 Glossary-5 Glossary-6 Glossary-7 Virtual LAN Vlan Glossary-8XModem Figure C-1. DB-9 Console Port Pin Numbers Console Port Pin AssignmentsConsole Port to 9-Pin DTE Port on PC DB-9 Port Pin AssignmentsConsole Port to 25-Pin DTE Port on PC Index-1 IndexIndex-2 Page For Technical SUPPORT, Call
Related manuals
Manual 26 pages 52.66 Kb
Top Page Image Contents