Port-Based Network Access Control | Allied Telesis AT-9724TS

Port-Based Network Access Control

AT-9724TS Switch

Uncontrolled Port

Controlled Port - port blocked

802.1X Client	802.1X Client 802.1X Client 802.1X Client	RADIUS
		Server

Figure 6- 73. Example of Typical Port-Based Configuration

Once the connected device has successfully been authenticated, the Port then becomes Authorized, and all subsequent traffic on the Port is not subject to access control restriction until an event occurs that causes the Port to become Unauthorized. Hence, if the Port is actually connected to a shared media LAN segment with more than one attached device, successfully authenticating one of the attached devices effectively provides access to the LAN for all devices on the shared segment. Clearly, the security offered in this situation is open to attack.

MAC-Based Network Access Control

Uncontrolled Port

Controlled Port - port blocked

AT-9724TS Switch

RADIUS

Server

802.1X	802.1X	802.1X	802.1X	802.1X	802.1X	802.1X	802.1X	802.1X
Client	Client	Client	Client	Client	Client	Client	Client	Client

Figure 6- 74. Example of Typical MAC-Based Configuration

In order to successfully make use of 802.1X in a shared media LAN segment, it would be necessary to create “logical” Ports, one for each attached device that
required access to the LAN.The Switch would regard the single physical Port connecting it to the shared media segment as consisting of a number of distinct
logical Ports, each logical Port being independently controlled from the point of view of EAPOL exchanges and authorization state.The Switch learns each
attached devices’ individual MAC addresses, and effectively creates a logical Port that the attached device can then use to communicate with the LAN via the
Switch.	85
Allied Telesyn AT-9724TS High-Density Layer 3 Stackable Gigabit Ethernet Switch	85

Image 86

Allied Telesis AT-9724TS specifications Port-Based Network Access Control, MAC-Based Network Access Control, Switch

Contents

AT-9724TS Electrical Safety and Emission Statement Table of Contents RIP 133 How This Guide is Organized PrefacePurpose of This Guide Document Conventions Bold font European Support Numbers Returning Products FTP Server Regional Locations Tell Us What You Think Ethernet Technology Fast Ethernet Switching TechnologyIntroduction Gigabit Ethernet Technology Switch Description Features Front Panel Components Installing the SFP portsPorts RFC1493 Bridge Rear Panel Components LED IndicatorsLED Description Side-Panel Components Installing the Switch without a Rack InstallationPackage Contents Before You Connect to the Network Installing the Switch in a Rack Prepare Switch for installation on a desktop or shelf Power Failure Mounting the Switch in a Standard 19 RackPower On External Redundant Power System Switch to Hub or Switch Connecting the SwitchSwitch To End Node Connecting To Network Backbone or Server Stacking and the AT-9724TS Stacking Limitations Utilizing a Ring Topology Stacking in a Ring Architecture Introduction to Switch Management First Time Connecting to the Switch Password Protection Snmp Settings IP Address Assignment TrapsMIBs Connecting Devices to the Switch Assigning the Switch an IP Address Introduction Introduction to Web-based Switch ConfigurationLogin to Web Manager AreaFunction Web-based User InterfaceAreas of the User Interface Web Pages Click the Switch Information link in the Configuration menu Configuring The SwitchSwitch Information Dhcp BootpIP Address Vlan Name Setting the Switchs IP Address using the Console InterfaceAdvanced Settings Specified or Management Station IP Addresses are assigned Box Information To configure switch ports Port ConfigurationLowest priority number in the stack is the Master switch Priority Stack Speed/Duplex Port DescriptionParameter Description State Flow Control Link Aggregation Understanding Port Trunk Groups To configure a mirror portPort Mirroring 10. Link Aggregation Group Configuration window Add Lacp Port Setting 12. Lacp Port Setting and Lacp Port Information window Specified.The default setting is MAC Notification Global SettingsHistory size Setting is 1 second MAC Notification Igmp Versions 1 MAC Notification Port SettingsIgmp Parameter Description Unit Type Meaning Igmp Snooping Vlan ID Static Router Ports Following parameters can be set Spanning Tree802.1s Mstp VID Vlan ID Port Transition States STP Bridge Global Settings802.1w Rapid Spanning Tree Edge Port 21. STP Bridge Global Settings STP compatible MST Configuration Table Msti ID Msti Parameter Msti ID of the Cist is 0 and cannot be alteredDisplays the Msti ID previously set by the user Internal cost 0=Auto Msti Port InformationParameter Description Instance ID Priority Instance Status STP Instance SettingsParameter Description Instance Type Instance Priority External Root Cost Forward DelayParameter Description Designated Root Bridge Regional Root Bridge STP Port Settings MAC Address Forwarding & Filtering Unicast ForwardingVlan ID VID Multicast MAC Address Static Multicast ForwardingVID Not be a member of the Static Multicast Group Ieee 802.1Q VLANs Some relevant terms VLANs Understanding Ieee 802.1p PriorityVlan Description Filtering 802.1Q Vlan TagsIngress Transmit Bits 39.Adding an Ieee 802.1Q Tag Tagging and Untagging Default VLANsPort Vlan ID Ingress Filtering Vlan Segmentation Switch PortsPort-based VLANs Vlan and Trunk Groups Static Vlan Entry Protocol Type Header in Hexadecimal FormPage Advertisement Protocol ID Gvrp Setting Port Settings Tag None Egress Forbidden Ingress Check Traffic ControlGvrp Acceptable Frame Type Max. Learning Addr Admin StatePort Security Mode Vlan Name MAC Address SwitchPort Lock Entries Be deleted Understanding QoS 18 QoSAdvantages of QoS Nolimit Disables the limitBandwidth Control Packets Output Scheduling Weight fairQoS Scheduling Mechanism Parameter Description Strict Be specified Configuring the Combination QueueParameter Description Max. Packets 802.1p Default Priority 802.1p User Priority 55. Setup Forwarding Ports window Traffic Segmentation System Log Server 57. System Log Servers Add Following parameters can be set Server IP Status Choose Enabled or Disabled to activate or deactivateParameter Description Index Severity Sntp Settings Current Time Settings Minutes +/- Hhmm DST Repeating SettingsTime Zone and DST Enter the month DST will start on, each year Access Profile Table Configuring the Access Profile Table 61.Access Profile Table Ethernet Vlan Dscp Shown below is the Packet Content Mask configuration windowSource IP Mask Destination IP Mask Protocol Port Offset Source IP Access IDReplace Dscp Destination IPPage Source MAC Source Destination MAC Destination 71.Access Rule Configuration Packet Content Mask 72.Access Rule Display window Packet Content Mask Priority Offset Switch Port-Based Network Access ControlMAC-Based Network Access Control Configure Authenticator 75 .1X Authenticator Settings window Local Users Capability PAE System ControlFrom and To Auth PAE State Initializing Ports for Port BasedFrom Backend State Reauthenticate Ports for Port Based Initializing Ports for MAC Based Reauthenticate Ports for MAC Based Radius Server Layer 3 IP Networking Layer 3 Global Advanced Settings Setting Up IP Interfaces To setup IP Interfaces on the Switch Network Number IP Address Subnet Mask MD5 Key Table ConfigurationParameter Description Interface Name Secondary Route Redistribution Settings Route Source Metric Type Following parameters may be set or viewed Static/Default RouteIP address of the Static/Default Route ParameterDescription Dest Protocol Src Protocol Type Metric Route Type Validity Range Default Value Route Preference SettingsBackup State IP address above Permanently set on the switch and unconfigurable Static Parameter Description RIPOspf Intra Ospf Inter IP address of the ARP entry Static ARP TableParameter Description IP Address MAC address of the ARP entry RIP Version 1 Message Format RIP Command CodesRIP Configuration RIP 1 Message Setting Up RIP 102 Ospf Cost Link-State AlgorithmShortest Path Algorithm Ospf Shortest Path Tree 104 105 Areas and Border RoutersLink-State Packets Simple Password Authentication Ospf AuthenticationMessage Digest Authentication MD-5 Backbone and Area Building Adjacency AdjacenciesDesignated Router Election Adjacencies on Point-to-Point Interfaces Hello Packet On the network Backup Designated Router Interface address on the networkDatabase Description Packet 109 Bit Link-State Request PacketField Description Options MS bit 111 Link-State Update PacketOctets Version No 112 Link-State Acknowledgment PacketLink-State Advertisement Formats Link State ID ASBR,AS External Link Link State Advertisement HeaderRouter Links Advertisements Link State Checksum Successive Link State Sequence numbers Field Description Type Field Description BitArea Link ID Summary Link Advertisements IP Type of Service that this metric refers toNetwork Links Advertisements Field Description Field Description Network Mask Type of Service that the following cost is relevant toAutonomous Systems External Link Advertisements Parameter Description Ospf Route ID General Ospf SettingsOspf Area ID Setting Current Route ID Parameter Description Area ID Ospf Interface SettingsStub Default Cost Stub Import Summary LSA Metric Type, as specified in the previous parameter Auth TypeAuth. Key ID Router Retransmit Time Seconds Ospf Virtual Interface Settings Network Number Ospf Area Aggregation SettingsOspf Host Route Settings Lsdb Type Following fields are configured for Ospf host route Dhcp / Bootp RelayDhcp / Bootp Relay Information Ospf domain DHCP/BootP Relay Settings DNS Relay DNS Relay Static Settings Domain Name ResolutionConfiguring DNS Relay Information Mapping Domain Names to Addresses 125 Vrrp ConfigurationNon-owner response Ping Display Vrrp Interface SettingsVrid Vrid Admin. StatePreempt Mode Critical IP Address Virtual Router State Virtual IP AddressVirtual MAC Address Master IP Address 129 Igmp Interface ConfigurationIP Multicast Routing Protocol Dvmrp Interface Settings Dvmrp Interface ConfigurationDvmrp Global Setting 130 Neighbor Timeout Interval PIM-DM Interface ConfigurationPIM-DM Configuration Probe Interval Join/Prune Interval Previously defined IP interfaceDisplays the IP address for the IP interface named above Seconds User Accounts Security ManagementSecurity IP 133 User Account Management Admin and User PrivilegesManagement Admin User 134 135 Access Authentication ControlPolicy & Parameters Login Method List Applications Authentication SettingsAuthentication Server Group Settings Enable Method List 137 Retransmit Authentication Server HostsTimeout Login Method Lists 139 Enable Method Lists 140 Method 1, 2, 3 Local Enable PasswordParameter Description Method List Name Method list ParameterDescription Enable AdminLocal Enabled field will result in a fail message 142 Parameter Description Certificate Type Secure Socket Layer SSLDownload Certificate Key File Name Cert.der Configuration 144 SSH Algorithm SSH ConfigurationSecure Shell SSH AES192-CBC 3DES-CBCAES128-CBC AES256-CBC HMAC-MD5 SSH User AuthenticationHMAC-SHA1 HMAC-RSA Host Name Auth. ModeParameter Description User Name Host IP Snmp Manager Snmp User Table Auth-Protocol Group NameSnmp Version Priv-Protocol Snmp View Table 151 Subtree OID Snmp Group TableParameter Description View Name 152 Snmp Community Table Configuration Snmp Host Table Access RightContents of the MIBs on the Switch Parameter Description Community Name Community String or Snmp Engine IDParameter Description Host IP Address Snmp V3 User Name CPU Utilization MonitoringPort Utilization Parameter Description Time Interval 157 PacketsReceived RX 158 UMB Cast RX 159 Transmitted TX 160 Tx Packets Analysis window table for Bytes and Packets 161 Errors 162 Under Size Crc ErrorRecord Number Over Size 164 ExColl Packet SizeLateColl Because the medium was busy SingColl Stacking Information Runtime Version Device StatusProm Version A Star topology Version Illustrations MAC Address 168 Address Switch History LogFind Down menus Vlan ID of the Vlan the port is a member Parameter Description Sequence Igmp Snooping GroupIgmp Snooping Forwarding 170 Browse Router Port Port Access ControlAuthenticator State Parameter Description Auth PAE State Authenticator StatisticsCapability is disabled 802.1x Following fields can be viewed Rx Invalid AuthenticatorRx Error Recognized 173 Authenticator Session Statistics Authenticator Diagnostics Radius Authentication Radius Accounting 177 178 Layer 3 FeatureBrowse IP Address Browse IP Multicast Forwarding Table Browse Routing TableBrowse ARP Table 179 Browse Ospf Lsdb Table Browse Igmp Group TableOspf Monitoring 180 Browse Ospf Neighbor Table Ospf Virtual Neighbor Browse Dvmrp Neighbor Address Table Dvmrp MonitoringBrowse Dvmrp Routing Table PIM Neighbor Address Table Browse Dvmrp Routing Next Hop TablePIM Monitoring 183 Download Configuration File Switch MaintenanceTftp Service Download Firmware Upload Log Upload ConfigurationMultiple Image Services Firmware Information BOX Config Firmware ImageUpdate Time Size Active Ping TestParameter Description Image Save Changes ResetParameter Description Save Only save config 188 Logout Reboot DeviceFollowing menu is used to restart the Switch 189 Physical & Environmental Appendix a Technical SpecificationsGeneral EMC Performance 191 Geräte DER Klasse Lightning Danger Electrical Type Class 1 EquipmentGefahr Durch Blitzschlag Vorsicht Elektrische Toestellen VAN Klasse Fare Under UvejrElektrisk Klasse 1-UDSTYR Pericolo DI Fulmini Métalliques accessibles à l’utilisateurSalamaniskuvaara Elettricità Dispositivi DI Classe Peligro DE Rayos Fare for LynnedslagFare Arbeid Ikke på utstyr eller Kabler i Tordenvær Electrico Equipo DEL Tipo Clase 196 Fara FÖR BlixtnedslagElektriskt TYP Klass 1 Utrustning