3Com 4200G, 4210, 5500, 5500G 17

17 802.1X CONFIGURATION GUIDE

nThe following configurations involve most AAA/RADIUS configuration commands.

Refer to “AAA Configuration” in the Configuration Guide for your product for

information about the commands. Configurations on the user host and the

RADIUS servers are omitted.

Configuring 802.1x

Access Control

As a port-based access control protocol, 802.1x authenticates and controls access

of users at the port level. A user host connected to an 802.1x-enabled port of an

access control device can access the resources on the LAN only after passing

authentication.

Network Diagram Figure42 Network diagram for configuring 802.1x access control

Networking and

Configuration

Requirements

■The switch authenticate supplicants on the port Ethernet 1/0/1 to control their

access to the Internet by using the MAC-based access control method.

■All supplicants belong to the default domain named aabbcc.net, which can

accommodate up to 30 users. When authenticating a supplicant, the switch

tries the RADIUS scheme first and then the local scheme if the RADIUS server is

not available. A supplicant is disconnected by force if accounting fails. In

addition, the username of a supplicant is not suffixed with the domain name. A

connection is terminated if the total size of the data passes through it during a

period of 20 minutes is less than 2000 bytes.

■The switch is connected to a server group comprising of two RADIUS servers

whose IP addresses are 10.11.1.1 and 10.11.1.2 respectively. The former

operates as the primary authentication server and the secondary accounting

server, while the latter operates as the secondary authentication server and the

primary accounting server. The shared key for authentication message

exchange is name, and that for accounting message exchange is money. If the

switch sends a packet to the RADIUS server but receives no response in 5

IP networ k

Supplicant Authenticator

Eth1/0/1

Authentication servers

(IP address:

10.11.1.1

10.11.1.2)

Switch

Contents

Main 3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 C 1 2 3 4 9 10 11 12 13 17 18 19 20 21 25 26 27 28 29 34 35 36 37 38 Page ABOUT THIS GUIDE n c Conventions Related Documentation Products Supported by this Document Page Page 1 n Logging In from the Console Port Page Complete Configuration Telnet login configuration with the authentication mode being none You can telnet to your switch to manage and maintain it remotely. Logging In Through Tel ne t Page Page Configuring Login Access Control # Reference ACL 2000 to control Telnet login by source IP address. # Reference ACL 2000 to control SNMP login by source IP address. # Reference ACL 2000 to control WEB login by source IP address. Complete Configuration Configuration for Telnet login control by source IP address Page 2 Configuring Port-Based VLAN # Create VLAN 101 on Switch B, and add Ethernet 1/0/11 to VLAN 101. # Create VLAN 201 on Switch B, and add Ethernet 1/0/12 to VLAN 201. Complete Configuration Configuration on Switch A Configuring Protocol-Based VLAN n Page Page 3 IP Address Page 4 Configuring Voice VLAN Page n Precautions 5 Configuring GVRP Page n Page Page Page 6 Configuring the Basic Functions of an Ethernet Port n 7 Configuring Link Aggregation n Page Page 8 Configuring Port Isolation Page 9 Configuring Port Security autolearn Configuring Port Security mac-authentication Page Page Configuring Port Security userlogin-withoui Page Page # Configure port security trapping. Configuring Port Security mac-else-userlogin-sec ure-ext Mode Page Page Page 10 Configuring a Port Binding Page 11 MAC Address Table Management Page 12 Configuring DLDP Page Page Page 13 Auto Detect Implementation in Static Routing Page n Auto Detect Implementation in VRRP Page n Auto Detect Implementation in VLAN Interface Backup Page Page Page Page 14 Configuring MSTP Page Page Configuring VLAN-VPN Tunneling Page Page Configuring RSTP n Page Page Page Configuring Digest Snooping and Rapid Tran sit ion Page Page Page Page 15 Configuring Static Routes Page Configuring RIP Configuration Procedure Configure Switch A. Page Configuring OSPF Page Page Page Configuring OSPF DR Election Page Page Page Configuring a (Totally) Stub Area Page n Page Configuration information when area 1 is a stub area: Refer to the configuration of Switch B when area 1 is a non-backbone area. Configuring a (Totally) NSSA Area Page Page Page n Page Configuring OSPF Route Summarization Page Page n Page ASBR route summarization configuration 1 n Page ASBR route summarization configuration 2 n translated from Type-7 LSAs. Page Configuring OSPF Virtual Link Configuration Procedure 1Configure OSPF basic functions. # Configure Switch A. # Configure Switch B. 2Configure a virtual link. # Configure Switch A. # Configure Switch B. Precautions Both ends of a virtual link must be ABRs configured with the vlink-peer command. Configuring Routing Policies Page Page Page Page Page Page 16 Configuring IGMP Snooping Page Page Configuring IGMP Snooping Only c Page Page Configuring Multicast VLAN Page Page Page Configuring PIM-SM plus IGMP plus IGMP Snooping Page Page n # View the BSR information on Switch E. # View the RP information on Switch E. # View the PIM routing table on Switch A. # View the PIM routing table on Switch E. # View multicast group entries created by IGMP Snooping on Switch F. Page Page Configuration on Switch E Configuration on Switch F Configuring PIM-DM plus IGMP Page Page Complete Configuration Configuration on Switch A Configuring Anycast RP Application Page Page Page # View the PIM routing information on Switch F again. Complete Configuration Configuration on Switch C Configuration on Switch F 17 n Configuring 802.1x Access Control Page Page Page 18 Configuring RADIUS Authentication for Telnet Users Page Configuring Dynamic VLAN Assignment with RADIUS Page Configuring Local Authentication for Telnet Users Configuring HWTACACS Authentication for Teln et Use rs Page Configuring EAD Page Page 19 Configuring MAC Page Page Page 20 Single VRRP Group n Page Multiple VRRP Groups Page VRRP Interface Trac kin g Page Page VRRP Port Tracking Page Page Page 21 DHCP Server Global Address Pool Page Page DHCP Server Interface Address Pool DHCP Relay Agent Page DHCP Snooping Page DHCP Accounting Page DHCP Client Page 22 Configuring Basic ACLs Configuring Advanced ACLs Configuring Ethernet Frame Header ACLs Page Configuring User-Defined ACLs Page Page Page 23 Configuring Traffic Policing and LR n Page Configuring Priority Marking and Queue Scheduling n Page Page Configuring Traffic Redirection and Traffic Accounting Page Configuring QoS Profile Page Page 24 Configuring Web Cache Redirection Page Page Page 25 Local Port Mirroring Page Remote Port Mirroring Page Page # Configure the destination port and remote-probe VLAN for the remote destination mirroring group. # Configure Ethernet 1/0/1 as a Trunk port, allowing packets of VLAN 10 to pass. Complete Configuration 1Configuration on the source switch (Switch A) 2Configuration on the intermediate switch (Switch B) Page Traffic Mirroring Page Page 26 XRN Fabric Page Page Page Page n Page Page 27 Cluster Configuration n Page Page Network Management Interface Page Page n Cluster Configuration in Real Networking Cluster Page n Page Complete Configuration 1Configuration on Switch A 28 PoE Configuration Network Page PoE Profile Page # Create Profile2 and enter PoE profile view. # Apply the configured Profile1 to Ethernet 1/0/1 through Ethernet 1/0/5. # Apply the configured Profile2 to Ethernet 1/0/6 through Ethernet 1/0/10. Page 29 UDP Helper Page 30 SNMP Configuration Page RMON Configuration Page 31 NTP Client/Server Mode Configuration NTP Symmetric Peers Mode Configuration NTP Broadcast Mode Page NTP Multicast Mode NTP Client/Server Mode with Authentication Page Page 32 Configuring the Switch to Act as the SSH Server and Use Password Page Page Page Configuring the Switch to Act as the SSH Server and Use RSA Authentication n Page Page Page Page Page Configuring the Switch to Act as the SSH Client and Use Password # Specify the authentication method of user client001 as password. Configuring the Switch to Act as the SSH Client and Use RSA Authentication n # Display the host public key. n Configuring the Switch to Act as the SSH Client and Not to Support First-Time n # Display the server host public key. # Generate an RSA key pair. # Display the client host public key. 298 CHAPTER 32: SSH CONFIGURATION GUIDE n [3Com] undo ssh client first-time n # Specify the server public key on the client. [3Com] ssh client 10.165.87.136 assign rsa-key Switch002 Page Configuring SFTP Page # Add a directory named new1, and then check that the new directory has been successfully created. # Rename the directory to new2, and then verify the operation. # Download the file pubkey2 from the server, renaming it to public. # Upload file pu to the server and rename it to puk, and then verify the operation. # Exit SFTP. Page Page 33 Configuring a Switch as FTP Server SFTP serv er SFTP cli ent Switch B Switch A Vlan-int1 192.168.0 .1/24 Vlan-int1 192.168.0.2/ 24 n Configuring a Switch as FTP Client n Configuring a Switch as TFTP Client Page 34 Outputting Log Information to a Unix Log Host Page Outputting Log Information to a Linux Log Host Outputting Log and Trap Information to a Log Host Through the Same Channel Page Page Outputting Log Information to the Console Displaying the Time Stamp with the UTC Time Zone Use of the Facility Argument in Log Information Output Page 35 Configuring VLAN-VPN n Page Configuring BPDU Tunnel Network Page Complete Configuration Configure Provider 1 36 Page 37 Static Domain Name Resolution Dynamic Domain Name Resolution Page Page 38 Configuring Access Management Internet Page Configuring Access Management with Port Isolation