Manuals / Blade ICE / Computer Equipment / Computer Accessories

Blade ICE G8000 manual RADIUS Authentication and Authorization, How RADIUS authentication works

Models: G8000

1 145

Download 145 pages 21.85 Kb

Page 26

RackSwitch G8000 Application Guide

RADIUS Authentication and Authorization

Blade OS supports the RADIUS (Remote Authentication Dial-in User Service) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.

RADIUS authentication consists of the following components:

A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)

A centralized server that stores all the user authorization information

A client, in this case, the switch

The G8000—acting as the RADIUS client—communicates to the RADIUS server to authenti- cate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end RADIUS server.

How RADIUS authentication works

1.Remote administrator connects to the switch and provides user name and password.

2.Using Authentication/Authorization protocol, the switch sends request to authentication server.

3.Authentication server checks the request against the user ID database.

4.Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access.

26 Chapter 1: Accessing the Switch

BMD00041, November 2008

Image 26

Blade ICE G8000 manual RADIUS Authentication and Authorization, How RADIUS authentication works

Contents

Version RackSwitch G8000Application Guide Part Number BMD00041, NovemberRackSwitch G8000 Application Guide Chapter 2 Port-based Network Access Control ContentsChapter 1 Accessing the Switch PrefaceChapter 4 Ports and Trunking Chapter 5 Spanning TreeChapter 6 Quality of Service Chapter 7 Remote MonitoringChapter 9 IGMP Appendix A TroubleshootingChapter 8 Basic IP Routing Chapter 10 High AvailabilityFigures RackSwitch G8000 Application Guide BMD00041, NovemberTables RackSwitch G8000 Application Guide BMD00041, NovemberPreface Who Should Use This GuideWhat You’ll Find in This Guide Symbol Typographic ConventionsRackSwitch G8000 Application Guide Table 1 Typographic ConventionsHow to Get Help „ “Configuring an IP Interface” on page „ “Using Telnet” on page Accessing the SwitchCHAPTER „ “Using the Browser-Based Interface” on page „ “Using SNMP” on page4. Configure the default gateway. Enable the gateway Configuring an IP Interface1. Log on to the switch 2. Enter IP interface mode Command ReferenceUsing Telnet Configuring BBI access via HTTPS Using the Browser-Based InterfaceConfiguring BBI access via HTTP The BBI is organized at a high level as follows SNMP v1 Using SNMPDefault configuration SNMPUser configuration RS G8000 config# snmp-server group 5 group-name admingrp RackSwitch G8000 Application GuideRS G8000 config# snmp-server group 5 user-name admin 22 „ Chapter 1 Accessing the SwitchSNMPv1 trap host Configuring SNMP Trap HostsSNMPv2 trap host configuration 1. Configure an entry in the notify tableSNMPv3 trap host configuration „ “TACACS+ Authentication” on page Securing Access to the Switch„ “RADIUS Authentication and Authorization” on page „ “End User Access Control” on pageRADIUS Authentication and Authorization How RADIUS authentication worksConfiguring RADIUS 2. Configure the RADIUS secret and enable the featureRADIUS authentication features in Blade OS Vendor-supplied Switch User AccountsRADIUS Attributes for G8000 user privileges Vendor-suppliedTACACS+ Authentication How TACACS+ authentication worksRS G8000 config# tacacs-server privilege-mapping TACACS+ authentication features in Blade OSAuthorization RS G8000 config# tacacs-server command-authorization Command authorization and loggingAccounting 2. Configure the TACACS+ secret and second secret Configuring TACACS+ AuthenticationRS G8000 config# tacacs-server command-logging 4. Configure the number of retry attempts, and the timeout periodSSH encryption of management messages Configuring SSH features on the switchSecure Shell RS G8000 config# ssh generate-host-key Generating RSA Host and Server Keys for SSH accessSSH Integration with RADIUS/TACACS+ Authentication RS G8000 config# ssh generate-server-keyUser Access Control End User Access ControlConsiderations for configuring End User Accounts Setting up User IDsLogging into an End User account Defining a User’s access levelListing current Users Enabling or Disabling a UserBMD00041, November RackSwitch G8000 Application Guide38 „ Chapter 1 Accessing the Switch „ “802.1X authentication process” on page Port-based Network Access Control„ “Extensible Authentication Protocol over LAN” on page „ “Configuration guidelines” on pageExtensible Authentication Protocol over LAN Port Authorized 802.1X authentication processPort Unauthorized EAPoL message exchange „ Authorized 802.1X port states„ Unauthorized „ Force Unauthorized44 „ Chapter 2 Port-based Network Access Control Supported RADIUS attributesRackSwitch G8000 Application Guide Table 2 Support for RADIUS AttributesConfiguration guidelines BMD00041, November RackSwitch G8000 Application Guide46 „ Chapter 2 Port-based Network Access Control „ “VLANs and Port VLAN ID Numbers” on page „ “VLAN Tagging” on page VLANsCHAPTER „ “VLAN Topologies and Design Considerations” on pageOverview Viewing VLANs VLANs and Port VLAN ID NumbersVLAN numbers Viewing and Configuring PVIDs PVID numbersVLAN Tagging Figure 3-1 Default VLAN settings BS45010ABefore Figure 3-2 Port-based VLAN assignmentFigure 3-3 802.1Q tagging after port-based VLAN assignment untagged packet Figure 3-4 802.1Q tag assignmentFigure 3-5 802.1Q tagging after 802.1Q tag assignment 16 bitsVLAN configuration rules VLAN Topologies and Design ConsiderationsDescription Multiple VLANs with Tagging AdaptersComponent Component Description2. Enable tagging on uplink ports that support multiple VLANs VLAN configuration example1. Enable VLAN tagging on server ports that support multiple VLANs 3. Configure the VLANs and their member portsPrivate VLANs Private VLAN ports1. Select a VLAN and define the Private VLAN type as primary Configuration exampleConfiguration guidelines RackSwitch G8000 Application Guide 2. Configure a secondary VLAN and map it to the primary VLAN3. Verify the configuration enableBMD00041, November RackSwitch G8000 Application Guide62 „ Chapter 3 VLANs CHAPTER Ports and Trunking„ “Configurable Trunk Hash Algorithm” on page „ ““Overview” on page 64” „ “Port Trunking Example” on pageOverview Built-In fault toleranceStatistical load distribution Before you configure static trunks Static trunk group configuration rules„ All trunk members must be in the same Spanning Tree Group STG and can belong to only one Spanning Tree Group STG. However if all ports are tagged, then all trunk ports can belong to multiple STGs Trunk 1 Ports 1, 7, and Port Trunking ExampleTrunk 3 Ports 2, 23, and 1. Follow these steps on the G80004. Examine the trunking information on each switch 2. Repeat the process on the other switch3. Connect the switch ports that will be members in the trunk group RS G8000 config# portchannel 1 member 1,7,32Configurable Trunk Hash Algorithm Link Aggregation Control Protocol Admin keyEach port on the switch can have one of the following LACP modes 3. Set the LACP mode LACP configuration guidelinesConfiguring LACP „ “Overview” on page „ “Rapid Spanning Tree Protocol” on page Spanning TreeCHAPTER „ “Per VLAN Rapid Spanning Tree” on pageOverview Table 5-1 Ports, Trunk Groups, and VLANsBridge Priority Bridge Protocol Data Units BPDUsDetermining the Path for Forwarding BPDUs Port Priority Spanning Tree Group configuration guidelinesChanging the Spanning Tree mode Port Path CostAssigning a VLAN to a Spanning Tree Group Adding and removing ports from STGs Creating a VLANRules for VLAN Tagged ports Chapter 5 Spanning Tree „ RackSwitch G8000 Application GuideBMD00041, November Rapid Spanning Tree Protocol Port state changesEdge Port RSTP configuration guidelinesPort Type and Link Type Link Type1. Configure port and VLAN membership on the switch RSTP configuration exampleConfigure Rapid Spanning Tree 2. Set the Spanning Tree mode to Rapid Spanning TreeDefault Spanning Tree configuration Per VLAN Rapid Spanning TreeFigure 5-2 Two VLANs, each on a different Spanning Tree Group Why do we need multiple Spanning Trees?Figure 5-1 Two VLANs on one Spanning Tree Group 1. Set the Spanning-tree mode to PVRST+ PVRST configuration guidelinesConfiguring PVRST Common Internal Spanning Tree Multiple Spanning Tree ProtocolMSTP Region MSTP configuration guidelines RackSwitch G8000 Application Guide Passing VLANBlocking VLAN Blocking VLANConfiguring Multiple Spanning Tree Groups 2. Configure Multiple Spanning Tree Protocolmember RackSwitch G8000 Application Guideenable memberFast Uplink Convergence Configuration GuidelinesConfiguring Fast Uplink Convergence BMD00041, November RackSwitch G8000 Application Guide92 „ Chapter 5 Spanning Tree „ “Using Storm Control Filters” on page Quality of Service„ “Overview” on page „ “Using ACL Filters” on page „ “Using DSCP Values to Provide QoS” on pageCOS Queue Permit/DenyFilter OverviewUsing ACL Filters MAC Extended ACLsIP Standard ACLs IP Extended ACLsRS G8000 config# no access-list ip extended RackSwitch G8000 Application GuideRS G8000 config# access-list ip extended Table 6-1 Well-known protocol typesPort 1 access group ACL IP Extended Understanding ACL priorityAssigning ACLs to a port ACL IP ExtendedViewing ACL statistics 1. Configure an Access Control List ACL configuration examplesExample 3. Verify the configurationExample Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses port 10 with source IP from the class 100.10.1.0/24 and destination IP 200.20.2.2 is denied1. Configure an Access Control List 2. Assign the ACL to portRackSwitch G8000 Application Guide 1. Configure an Access Control List1. Configure an Access Control List config# ip access-list ip extendedExample 2. Configure IP ACLs to deny all other traffic4. Configure a MAC ACL to deny all other traffic RS G8000 config-if# RackSwitch G8000 Application GuideRS G8000 config# interface port ip access-group 1103 inBroadcast storms Using Storm Control FiltersConfiguring storm control 7 6 5 4 Using DSCP Values to Provide QoSDifferentiated Services Concepts The switch can perform the following actions to the DSCP Per Hop Behavior RackSwitch G8000 Application Guide QoS LevelsDefault QoS Service Levels Service LevelDSCP-to-802.1p mapping Using 802.1p Priority to Provide QoS Figure 6-3 Layer 2 802.1q/802.1p VLAN tagged packet1. Configure a port’s default 802.1p priority value to 802.1p configuration exampleQueuing and Scheduling CHAPTER Remote MonitoringOverview 1. Enable RMON on a port Configuring RMON statisticsRMON group 1-Statistics 2. Configure the RMON statistics on a portRS G8000# show rmon history RMON group 2-HistoryHistory MIB Object ID 1. Enable RMON on a port RMON group 3-AlarmsConfiguring RMON History 2. Configure the RMON History parameters for a portExample Alarm MIB objectsConfiguring RMON Alarms 1. Configure the RMON Alarm parameters to track ICMP messages Configure RMON eventsRMON group 9-Events 1. Configure the RMON event parametersCHAPTER Basic IP Routing„ “Dynamic Host Configuration Protocol” on page „ “IP Routing Benefits” on pageIP Routing Benefits Routing Between IP Subnets Figure 8-1 The Router Legacy Network„ Traffic to the router increases, increasing congestion Example of Subnet Routing Figure 8-2 Switch-Based Routing Topology2. Assign an IP interface for each subnet attached to the switch Using VLANs to segregate Broadcast DomainsConfiguration example Table 8-1 Subnet Routing Example IP Address Assignmentsenable 4. Add the switch ports to their respective VLANsRackSwitch G8000 Application Guide enable8. Verify the configuration 6. Configure the default gateway to the routers’ addresses7. Enable IP routing 5. Assign a VLAN to each IP interfaceDynamic Host Configuration Protocol BMD00041, November RackSwitch G8000 Application Guide128 „ Chapter 8 Basic IP Routing „ “IGMP Snooping” on page „ “IGMPv3 Snooping” on page IGMPCHAPTER „ “Static Multicast Router” on pageIGMP Snooping RS G8000 config# no ip igmp floodRS G8000 config# ip igmp fastleave VLAN number FastLeaveIGMPv3 Snooping RS G8000 config# no ip igmp snoop igmpv3 exclude IGMP Snooping configuration exampleConfigure IGMP Snooping RS G8000 config# ip igmp snoop igmpv3 sourcesRS G8000# show ip igmp groups RackSwitch G8000 Application Guide5. View dynamic IGMP information RS G8000# show ip igmp mrouter2. Verify the configuration Configure a Static Multicast RouterStatic Multicast Router „ “Uplink Failure Detection” on page High AvailabilityCHAPTER BMD00041, NovemberUplink Failure Detection Figure 10-1 Uplink Failure Detection exampleConfiguration guidelines Failure Detection PairSpanning Tree Protocol with UFD „ Link to Monitor LtM1. Configure Network Adapter Teaming on the servers Configuring UFDMonitoring UFD 2. Assign the Link to Monitor LtM ports„ “Monitoring Ports” on page TroubleshootingAPPENDIX A BMD00041, NovemberMonitoring Ports Figure A-1 Monitoring Ports2. Enable port mirroring Configuring Port MirroringPort Mirroring behavior 3. View the current configurationBMD00041, November RackSwitch G8000 Application Guide142 „ Appendix A Troubleshooting Numerics SymbolsIndex