Configuring Dynamic, Vlan Assignment, With Radius | 3Com 4200G

	Configuring Dynamic VLAN Assignment with RADIUS Authentication 171
	primary authentication 10.110.91.164
	key authentication aabbcc
	server-type extended
	user-name-format with-domain
	quit
	#
	domain cams
	scheme radius-scheme cams
Precautions	The Telnet user needs to enter the username with the domain name cams, in the
	format userid@cams, so that the user is authenticated according to the
	configuration of the domain cams.

Configuring Dynamic	With the dynamic VLAN assignment function, a switch can dynamically assign an
VLAN Assignment	authenticated user to a specific VLAN according to the attributes issued by the
with RADIUS	RADIUS server, thus restricting the user to specific network resources.
Authentication
Network Diagram	Figure 44 Network diagram for configuring dynamic VLAN assignment with RADIUS
	authentication

	Update server	Authentication server
	Eth1/0/1	Eth1/0/4
	VLAN 10	VLAN 2
	VLAN 10
	Eth1/0/3	Eth1/0/2
	Eth1/0/3	VLAN 100
	VLAN 1	VLAN 100
	VLAN 1

Internet

Supplicant

Networking and You are required to configure the switch so that users logging into the switch are Configuration authenticated and restricted to specific network resources. The detailed Requirements requirements are as follows:

■All users must pass authentication to access the network.

■Users can access only VLAN 10 before passing authentication.

■Users passing authentication can access VLAN 100.

Applicable Products

Product series	Software version	Hardware version

Switch 5500	Release V03.02.04	All versions
Switch 5500G	Release V03.02.04	All versions
Switch 4500	Release V03.03.00	All versions

Image 171

3Com 4200G, 5500G Configuring Dynamic, Vlan Assignment, With Radius, Authentication, Configuration of the domain cams

Contents

3Com Stackable Switch Family 3Com Corporation Campus Drive Marlborough, MA USA Contents Port Binding Configuration Guide 17 802.1X Configuration Guide XRN Configuration Guide VLAN-VPN Configuration Guide 3COM Stackable Switches Advanced Configuration Guide Documentation About this GuideConventions Related SKU Products Supported by this Document Products Supported by this Document About this Guide Applicable Products Login Configuration Guide# Enable the Telnet service on VTY Is manage level level # Enter VTY 0 user interface view # Set the history command buffer size to 20 for VTY# Set the idle-timeout time of VTY 0 to 6 minutes # Set the authentication password to 123456 in plain text Telnet Precautions None Requirements Applicable Products # Set the history command buffer size to 20 for AUX# Set the idle-timeout time of AUX 0 to 6 minutes Configure the authentication mode for console login # Enter AUX 0 user interface view # Set the authentication mode to scheme for console login Configuring Login Access Control Configuration for WEB login control by source IP address Configuration for Snmp login control by source IP address Login Configuration Guide Port-Based Vlan Vlan Configuration GuideConfiguring Network Diagram Configuration on Switch B Complete Configuration Configuration on Switch a Assign packets to a Vlan by protocol PrecautionsProtocol-Based Vlan Be disconnected Vlan 200 is numbered Create Vlan 200 and add Ethernet 1/0/12 to Vlan Configuring Protocol-Based Vlan Vlan Configuration Guide IP Address Configuration Guide Configuration GuideIP Address # Ping Host B on Host a to verify the connectivity Interface has obtained an IP address through Bootp or DhcpThat they can communicate with each other To 172.16.2.1 on the hosts in subnet 172.16.2.0/24 Voice Vlan Voice Vlan Configuration GuideConfiguring Voice Packet with the voice Vlan ID automatically # Enable voice Vlan on Ethernet 1/0/1 Configuration Procedure # Create Vlan 2 and Vlan# Configure Vlan 2 as the voice Vlan # Configure Ethernet 1/0/1 as a trunk port Traffic # Enable voice Vlan on Ethernet 1/0/2 Precautions Networking Configuration Requirements Gvrp Configuration Guide Configuration Procedure Configure Switch a # Display the dynamic Vlan information on Switch E Configure Switch D# Create Vlan Configure Switch E # Display the dynamic Vlan information on Switch B SwitchE-Ethernet1/0/1 gvrp registration forbidden Configuration on Switch C Configuration on Switch DConfiguration on Switch E Gvrp Configuration Guide Configuring the Basic Functions of an Ethernet Port Port Basic Configuration Guide # Configure Vlan 100 as the default Vlan of Ethernet 1/0/1 Complete Configuration ## Enter Ethernet port view of Ethernet 1/0/1 Networking Link Aggregation Configuration GuideConfiguring Link Aggregation Manual aggregation mode # Create manual aggregation group Configuration Procedure Dynamic Lacp aggregation mode Complete ConfigurationManual aggregation mode Static Lacp aggregation mode Link Aggregation Configuration Guide Isolation Port Isolation Configuration GuideConfiguring Port Networking Configuration Requirements Applicable Products Need to perform the configuration manually for each of them Isolation group automaticallyIsolation group that they have joined if any Mode Port Security Configuration GuideConfiguration Procedure # Enter system view Security autolearn Security Mac-authentication Mode # Create a Radius scheme named radius1 Configure Radius parameters # Create a domain named aabbcc.net and enter its view # Set aabbcc.net as the default user domain# Specify the ISP domain for MAC authentication # Set the port security mode to mac-authentication Unique identifier OUI value to pass the port Userlogin-withouiSecurity Mirroring, fabric port, or link aggregation Applicable Products # Create a local user Configure port security # Enable port security# Set the port security mode to userlogin-withoui # Set the maximum number of users of the ISP domain to # Configure port security trapping Configuring Port Security mac-else-userlogin-secure-ext Mode 3Com-isp-aabbcc.net scheme radius-scheme radius1 # Set the maximum number of concurrent 802.1x users # Set the NeedToKnow mode of the port to ntkonly Port Security Configuration Guide # Enter Ethernet 1/0/1 port view on switch a Port Binding Configuration Guide Complete Configuration 3Com MAC Address Table Management Configuration Guide Command. Otherwise, the entry will not be added # Add a static MAC address entryMAC address entry will make the Vlan become a static Vlan Dldp Configuration Guide Configuring DldpBoth of the switches support Dldp # Set the interval for sending Dldp packets to 15 seconds # Enable Dldp globally# Configure Dldp to operate in enhanced mode # Restore the ports brought down by Dldp Configuring Dldp Dldp Configuration Guide Static Routing Auto Detect Configuration Guide # Configure a static route to Switch C Configure Switch C # Enter system view# Create detected group Implementation Auto Detect SwitchA system-view SwitchA detect-group # Configure an IP address for VLAN-interface # Set the Vrrp priority of Switch B toComplete Configuration Configure Switch a Vlan Interface Auto Detect Implementation in Vlan Interface Backup Must already exist on Switch C Ip address 10.1.1.4 Auto Detect Configuration Guide Configuring Mstp Mstp Configuration Guide Configuration on Switch B # Enter MST region view Configuration on Switch a # Enter MST region view# Activate the MST region configuration manually # Specify Switch a as the root bridge of Msti Configuration on Switch C # Configure the MST region # Specify Switch C as the root bridge of MstiConfiguration on Switch D # Enter MST region view VLAN-VPN Tunneling Network diagram for VLAN-VPN tunneling configuration # Enable VLAN-VPN tunneling Configuration on Switch a # Enable MstpConfiguration on Switch B # Enable Mstp Configuration on Switch C # Enable Mstp # Add Ethernet 1/0/2 to Vlan Configuration on Switch D # Enable MstpConfiguration on Switch a # Add the trunk port Ethernet 1/0/2 to all the VLANs Configuring Rstp Network topology to become stableForwarded along the same spanning tree Switch 8800 or Switch # Enable the TC-BPDU attack guard function on Switch a # Enable the root guard function on each designated port 3Com interface Ethernet 1/0/3 3Com-Ethernet1/0/3 stp disable Configuring Digest Snooping and Rapid Transition # Set the priority of Switch B to # Enable digest snooping on Switch B# Enable digest snooping on the root port Ethernet 1/0/1 # Enable digest snooping on the root port Ethernet 1/0/2 # Enable rapid transition on the root port Ethernet 1/0/1# Set the priority of Switch C to # Enable digest snooping on Switch C Configuring Digest Snooping and Rapid Transition Mstp Configuration Guide To the peer on each device Routing Configuration GuideConfiguring Static Routes Configure the hosts Configuration Procedure Configure the switches Routing protocols Configuring RIP # Configure RIP Configure Switch B # Configure RIPConfigure Switch C # Configure RIP Perform the following configuration on Switch B Configuring Ospf # Enable the interfaces in the specified areas to run Ospf # Disable the interfaces from sending Ospf packets Perform the following configuration on Switch B Perform the following configuration on Switch D Network diagram for DR/BDR election Network Diagram Figure # Assign a DR priority to the Vlan interface # Assign a router ID to Switch a# Configure an IP address for the Vlan interface Configure Switch B # Assign a router ID to Switch B Configure Switch D # Assign a router ID to Switch D Configure Switch C # Assign a router ID to Switch C Area Network 196.1.1.0 Nssa area Configuration Routing table size RequirementsBackbone area Totally Stub area # Configure Ospf for the backbone area ABRs/ASBRs Perform the following configuration on Switch a Perform the following configuration on Switch B Configuration information when area 1 is a stub area Nssa Area Configuration information when area 1 is a totally stub area Network diagram for totally Nssa area configuration Nssa area configuration 1 area 1 is an Nssa area Configuration procedure is omitted # Configure area 1 as an Nssa area Nssa area configuration 2 area 1 is an Nssa areaNssa area configuration 3 area 1 is an Nssa area Vlan Interface Vlan-interface100 Ip address 10.1.1.2 Perform the following configuration on Switch C Routers ConfigurationRoute Summarization Single route and distribute it to other areas Routes through route summarization Network diagram for route summarization configuration # Redistribute the static routes ABR route summarization configuration From being advertised to any other area Asbr route summarization configurationBased on Ospf basic configuration and area configuration on Perform the following configuration Network 20.1.1.0 0.0.0.255 nssa Area Network 10.1.1.0 Configure Asbr route summarization on Switch D Configure Switch C Ip route-static 1.1.7.0 255.255.255.0 30.1.2.2 preference Configure Switch D Virtual Link This case, configuring Ospf virtual links is a solution Configure Ospf basic functions # Configure Switch a # Configure Switch BConfigure a virtual link # Configure Switch a Perform the following configuration on Switch B # Configure three static routes # Configure an ACL # Configure a routing policy# Configure the IP address of the interface # Redistribute static routes # Apply ACL 2000 to filter the advertised routes SwitchA-ospf-1 asbr-summary 30.0.0.0 255.0.0.0 not-advertise Ip address 10.0.0.2 Ospf Area Network 10.0.0.0 Routing Configuration Guide Control multicast groups Multicast Configuration GuideConfiguring Igmp Snooping Verifying the configuration Configuring Router aConfiguring Switch a # Enable Igmp Snooping globally System view otherwise the configuration will not succeed Configuration on Switch a Querier Configuring Igmp Snooping Only Configuring Switch C # Enable Igmp Snooping querier in Vlan# Enable dropping unknown multicast packets Configuring Switch B Verifying the configuration Complete Configuration Configuration on Switch a Configuration on Switch C Configuration on Switch B Receive multicast packets through Vlan OstA OstB Configure Switch B # Enable Igmp Snooping globally SwitchB-vlan10 igmp-snooping enable SwitchB-vlan10 quit Configuring PIM-SM plus Igmp plus Igmp Snooping Configuring PIM-SM plus Igmp plus Igmp Snooping Requirement Analysis Mode may vary depending on user requirementsConfiguration Plan Configuring multicast protocols Two switches # On Switch F, enable Igmp Snooping globally and in VlanHost C and verify the configurations made on the switches # View the PIM routing table on Switch a # View the PIM neighboring relationships on Switch E# View the BSR information on Switch E # View the RP information on Switch E # View the PIM routing table on Switch E As shown above, Host a and Host C can receive multicast data Configuring simulated joining Complete Configuration Configuration on Switch a Configuration on Switch D Configuration on Switch EConfiguration on Switch F Configuring PIM-DM plus Igmp Network Diagram Network diagram for PIM-DM configuration Dense mode Verifying the configuration Multicast routing-enable Interface Vlan-interface101 Configuring Anycast RP Application Network Diagram Network diagram for anycast RP configuration Configuring Anycast RP Application # View the brief Msdp peer information on Switch F Configuring Msdp peers# Configure an Msdp peer on Switch C # Configure an Msdp peer on Switch F Complete Configuration Configuration on Switch C # View the PIM routing information on Switch F again Configuration on Switch F Access Control 802.1X Configuration Guide # Enable 802.1x on Ethernet 1/0/1 Configuration Procedure # Enable 802.1x globally # Specify the maximum number of users of the user domain to Precautions Telnet Users AAA Configuration GuideConfiguring Radius Authentication for # Configure an ISP domain # Configure a Radius scheme# Associate the ISP domain with the Radius scheme Vlan Assignment Configuring DynamicAuthentication Configuration of the domain cams # Enable 802.1x in interface view # Configure the ISP domain abc as the default ISP domain# Enable guest Vlan on the port # Enabled Hardware capacity Configuring Local Users through communicating with Tacacs servers # Configure a local user named telnetSystem domain Telnet users # Configure domain hwtacacs to use Hwtacacs scheme hwtac Configuration Procedure # Configure a Hwtacacs scheme According to the source IP addresses of the packets Configuring EADDynamically control their access rights Entire network # Specify the IP address of the security policy server Quit Domain system Radius-scheme cams MAC Authentication Configuration Guide Configuring MACUsernameasmacaddress usernameformat command to set the MAC Set the service type to lan-access # Enable MAC authentication globally# Create an ISP domain named aabbcc.net Configuring MAC Authentication MAC Authentication Configuration Guide LSW B Vrrp Configuration Guide Configure Switch B # Configure Vlan Configure Switch a # Configure Vlan# Set the priority of Switch a in the Vrrp group to # Configure preemptive mode for the Vrrp group Configurations on Switch B Host a Host C # Set the priority of Switch a in Vrrp group 1 to # Set the priority of Switch B in Vrrp group 2 to# Create Vrrp group Tracking Vrrp Interface Vrrp Interface Tracking # Set the interface to be tracked Network Diagram Network diagram for Vrrp port tracking # Configure VLAN-interface Complete Configuration On the master Vrrp Configuration Guide Dhcp Configuration Guide # Enable unauthorized Dhcp server detection Configuration Procedure # Enable Dhcp Dhcp Server Global Address Pool Configuration Guide Dhcp Server Interface Address Pool Configuration Guide SwitchA-Vlan-interface1 dhcp select interface # Map VLAN-interface 1 to Dhcp server group Requirements Dhcp Snooping # Specify Ethernet 1/0/5 as a trusted port Configuration Procedure # Enable Dhcp snooping on the switch Configuration Procedure # Create Vlan Configuration Guide # Create an address pool on the Dhcp server # Enable Dhcp accounting# Enter Ethernet 1/0/1 view and add the port to Vlan # Enter Ethernet 1/0/2 view and add the port to Vlan Dhcp Client Configuration Requirements Applicable Products Interface Vlan-interface1 Ip address dhcp-alloc Numbers of basic ACLs range from 2000 to ACL Configuration GuideConfiguring Basic ACLs Rules conflict, the last assigned rule takes effective # Apply ACL 3000 to Ethernet 1/0/1 # Apply ACL 4000 to Ethernet 1/0/1 Configuring Are numbered from Offset1 to Offset8 # Apply ACL 5000 to Ethernet 1/0/1Specific fields of packets Cannot be greater than 79 bytes ARP ACL Configuration Guide Configuring Traffic Policing and LR QOS/QOS Profile Configuration Guide Kbps, and drop the packets exceeding the rate limit Configure traffic policing and LRPolicing action issued the last takes effect # Define a rule to match the packets with source IP address Configuring Priority Marking and Queue Scheduling 3Com qos cos-local-precedence-map 0 1 2 3 4 5 6 Precautions Note that Configuring Traffic Redirection and Traffic Accounting Configuring Traffic Redirection and Traffic Accounting Configuring QoS Profile Configuring QoS Profile Cannot be applied in the user-based mode # EnablePassed authentication Default mode Cache Redirection WEB Cache Redirection Configuration Guide WEB Cache Redirection Configuration Guide Configuring Web Cache Redirection WEB Cache Redirection Configuration Guide Mirroring Configuration Guide # Create a local mirroring group Configuration Procedure Configure Switch C Remote port mirroring application Network Diagram Network diagram for remote port mirroring # Configure Vlan 10 as the remote-probe Vlan Configuration on the intermediate switch Switch B Configuration on the source switch Switch a Configuration on the destination switch Switch C Traffic Mirroring Configuration 237 Mirroring Configuration Guide Configuration XRN Configuration Guide Fabric cable connection mode of Switch 5500s Fabric cable connection mode of Switch 5500Gs switchesFabric Cable Connection Configure Switch a # Bring up the fabric ports # Configure the unit ID as# Configure the unit name as Unit1 # Configure the fabric name as hello Configure Switch B # Bring up the fabric ports# Configure the unit name as Unit2 XRN fabric configuration on Switch 5500Gs switches Complete Configuration Complete configuration on the Switch Complete configuration on Switch 5500Gs switchesConfigurations on Switch a XRN Fabric Configuration XRN Configuration Guide Cluster Configuration Guide # Disable NDP on Ethernet 1/0/1 of the management device # Enable Ntdp globally and on Ethernet 1/0/1# Enable the cluster function # Configure the IP address for VLAN-interface 2 as # Set the topology collection interval to three minutes # Enable NDP on Ethernet 1/0/2 and Ethernet 1/0/3# Set the holdtime of NDP information to 200 seconds # Set the topology collection range to two hops # Name and build a cluster Precautions Configurations on the management device Connection information of the management switch # Configure the IP address of VLAN-interface 3 as # Configure the IP address of VLAN-interface 2 as Cluster # Enable Ntdp globally Member switchesSwitch B is connected to Switch E through Ethernet 1/0/3 Switch B is connected to Switch F through Ethernet 1/0/4 # Set the holdtime of NDP information to 300 seconds Aaa0.3Com-cluster tftp-server Aaa0.3Com-cluster snmp-host Complete Configuration POE/POE Profile Configuration Guide PoE ConfigurationImplement power supply and data transmission simultaneously SwitchA poe power-management auto PoE Profile Features of PoE profile SwitchA system-view SwitchA poe-profile Profile1 # Create Profile2 and enter PoE profile view Precautions Processing UDP Helper Configuration Guide# Enable UDP Helper on Switch a UDP Helper # Specify the destination server on VLAN-interface Addressing Configuration and IP Performance ConfigurationDefault ports Broadcasts containing the destination UDP port number Configuration Procedure Configuring the switch Snmp agent SNMP-RMON Configuration Guide Configuring the NMS 3Com rmon event 1 log 3Com rmon event 2 trap Precautions None NTP Configuration Guide Mode ConfigurationNTP Client/Server NTP Symmetric Peers Mode Configuration Configuration Procedure Configure Device C# Set Device a as the time server NTP Broadcast Mode Configuration Configuration on Device a Configuration on Device D# View NTP session information of Device D NTP Multicast Mode Configuration Multicast through its VLAN-interfaceRespectively Configuration Level Requirements NTP Client/Server Mode with Authentication Configuration Configuration Procedure Configure Device B Configuration on Device a SSH Configuration Guide Configuration Procedure Configure the SSH server# Generate an RSA key pair # Enable the user interfaces to support SSH # Set the authentication mode for the user interfaces to AAA SSH client configuration interface SSH client configuration interface RSA authentication # Set the client’s command privilege level to Client key pair generation interface # Assign the public key Switch001 to client client001 Client key pair generation interface Client key pair generation interface SSH client configuration interface SSH client configuration interface SSH client configuration interface Configuration Procedure Configure Switch B # Establish a connection to the server Complete Configuration Configure Switch B Authentication-mode scheme Protocol inbound ssh # Configure the client public key Switch001 # Display the host public key SSH server SSH client # Generate an RSA key pair # Display the client host public key # Display the server host public key # Disable first-time authentication # Configure the server public key Switch002 on the client# Specify the server public key on the client 2BE0F7AD Configuring Sftp # Configure the authentication method as password# Create a local user named client001 # Enable the Sftp server # Specify the service type as Sftp # Exit Sftp Interface Vlan-interface1 Ip address 192.168.0.2 SSH Configuration Guide Configuration Procedure Configure the switch FTP and Tftp Configuration Guide # Download file config.cfg # Switch data transfer mode to binary Complete Configuration Configure the switch 3Com ftp Ftp Menu to remove them Configuring a SwitchAs Tftp Client Flash memory before downloading the file Vlan Interface Vlan-interface1 Ip address 1.1.1.1 Outputting Log Information to a Unix Log Host Information Center Configuration Guide Configuration on the log host # Execute the following commands as a root userComplete Configuration Configuration on the switch Outputting Log Information to a Linux Log Host Through the same channel 3Com undo info-center source default channel channel6 Complete Configuration # Configuration Procedure # Enable the information center # Enable terminal displayOutputting Log Information to Console Displaying the Time Stamp with the UTC Time Zone Use of the Facility Argument in Log Information Output SwitchAinfo-center enable VLAN-VPN Configuration Guide Inner tag will be used for packet forwardingSimple way Gvrp Ntdp STP Configuration Procedure # Set the Tpid value of Ethernet 1/0/22 to # Set the Tpid value of Ethernet 1/0/12 to Packets of all VLANs Tunnel # Enable Bpdu tunnel for NDP BPDUs on Ethernet 1/0/4 Configuration Procedure Configure Provide# Disable NDP on Ethernet 1/0/1 Configure Provide # Disable NDP on Ethernet 1/0/4 Configure Provider Complete Configuration Configure Provider Remote-ping REMOTE-PING Configuration GuideIcmp Test Network diagram Networking and configuration requirements # Configure the number of probes in one test as # Enable the Remote-ping client# Configure the test type as Icmp # Configure the destination IP address as DNS Configuration Guide Translate them into correct IP addresses Name Resolution# Configure com as the DNS suffix Dynamic Domain DNS server. The DNS server works normally Configurations are done on the devices DNS Configuration Guide Access Management Configuration Guide Configuring AccessManagement # Enable access management on Switch a Vlan to which the port belongsCan take effect Configuring Access Management with Port Isolation Precautions Refer to Precautions on page 334 for details # Add Ethernet 1/0/1 to the isolation group# Add Ethernet 1/0/2 to the isolation group