Manuals / Blade ICE / Computer Equipment / Computer Accessories

Blade ICE G8000 manual 802.1X authentication process, Port Unauthorized, Port Authorized

Models: G8000

1 145

Download 145 pages 21.85 Kb

Page 41

Image 41

RackSwitch G8000 Application Guide

802.1X authentication process

The clients and authenticators communicate using Extensible Authentication Protocol (EAP), which was originally designed to run over PPP, and for which the IEEE 802.1X Standard has defined an encapsulation method over Ethernet frames, called EAP over LAN (EAPOL).

Figure 2-1shows a typical message exchange initiated by the client.

802.1X Client			RADIUS
802.1X Client				Server
	EAPOL	G8000	RADIUS-EAP
	EAPOL	G8000	RADIUS-EAP
		(Authenticator)
		(Authenticator)
	Ethernet	(RADIUS Client)	UDP/IP
	Ethernet	(RADIUS Client)	UDP/IP

Port Unauthorized

EAPOL-Start

EAP-Request (Identity)

EAP-Response (Identity)

EAP-Request (Credentials)

EAP-Response (Credentials)

EAP-Success

Radius-Access-Request

Radius-Access-Challenge

Radius-Access-Request

Radius-Access-Accept

Port Authorized

Figure 2-1Authenticating a Port Using EAPoL

BMD00041, November 2008

Chapter 2: Port-based Network Access Control 41

Page 41

Image 41

Blade ICE G8000 manual 802.1X authentication process, Port Unauthorized, Port Authorized

Contents

Application Guide RackSwitch G8000Version Part Number BMD00041, NovemberRackSwitch G8000 Application Guide Chapter 1 Accessing the Switch ContentsChapter 2 Port-based Network Access Control PrefaceChapter 5 Spanning Tree Chapter 4 Ports and TrunkingChapter 7 Remote Monitoring Chapter 6 Quality of ServiceChapter 8 Basic IP Routing Appendix A TroubleshootingChapter 9 IGMP Chapter 10 High AvailabilityFigures BMD00041, November RackSwitch G8000 Application GuideTables BMD00041, November RackSwitch G8000 Application GuideWho Should Use This Guide PrefaceWhat You’ll Find in This Guide RackSwitch G8000 Application Guide Typographic ConventionsSymbol Table 1 Typographic ConventionsHow to Get Help CHAPTER Accessing the Switch„ “Configuring an IP Interface” on page „ “Using Telnet” on page „ “Using the Browser-Based Interface” on page „ “Using SNMP” on page1. Log on to the switch 2. Enter IP interface mode Configuring an IP Interface4. Configure the default gateway. Enable the gateway Command ReferenceUsing Telnet Configuring BBI access via HTTPS Using the Browser-Based InterfaceConfiguring BBI access via HTTP The BBI is organized at a high level as follows Default configuration Using SNMPSNMP v1 SNMPUser configuration RS G8000 config# snmp-server group 5 user-name admin RackSwitch G8000 Application GuideRS G8000 config# snmp-server group 5 group-name admingrp 22 „ Chapter 1 Accessing the SwitchSNMPv2 trap host configuration Configuring SNMP Trap HostsSNMPv1 trap host 1. Configure an entry in the notify tableSNMPv3 trap host configuration „ “RADIUS Authentication and Authorization” on page Securing Access to the Switch„ “TACACS+ Authentication” on page „ “End User Access Control” on pageHow RADIUS authentication works RADIUS Authentication and Authorization2. Configure the RADIUS secret and enable the feature Configuring RADIUSRADIUS authentication features in Blade OS RADIUS Attributes for G8000 user privileges Switch User AccountsVendor-supplied Vendor-suppliedHow TACACS+ authentication works TACACS+ AuthenticationRS G8000 config# tacacs-server privilege-mapping TACACS+ authentication features in Blade OSAuthorization RS G8000 config# tacacs-server command-authorization Command authorization and loggingAccounting RS G8000 config# tacacs-server command-logging Configuring TACACS+ Authentication2. Configure the TACACS+ secret and second secret 4. Configure the number of retry attempts, and the timeout periodSSH encryption of management messages Configuring SSH features on the switchSecure Shell SSH Integration with RADIUS/TACACS+ Authentication Generating RSA Host and Server Keys for SSH accessRS G8000 config# ssh generate-host-key RS G8000 config# ssh generate-server-keyConsiderations for configuring End User Accounts End User Access ControlUser Access Control Setting up User IDsListing current Users Defining a User’s access levelLogging into an End User account Enabling or Disabling a UserBMD00041, November RackSwitch G8000 Application Guide38 „ Chapter 1 Accessing the Switch „ “Extensible Authentication Protocol over LAN” on page Port-based Network Access Control„ “802.1X authentication process” on page „ “Configuration guidelines” on pageExtensible Authentication Protocol over LAN Port Authorized 802.1X authentication processPort Unauthorized EAPoL message exchange „ Unauthorized 802.1X port states„ Authorized „ Force UnauthorizedRackSwitch G8000 Application Guide Supported RADIUS attributes44 „ Chapter 2 Port-based Network Access Control Table 2 Support for RADIUS AttributesConfiguration guidelines BMD00041, November RackSwitch G8000 Application Guide46 „ Chapter 2 Port-based Network Access Control CHAPTER VLANs„ “VLANs and Port VLAN ID Numbers” on page „ “VLAN Tagging” on page „ “VLAN Topologies and Design Considerations” on pageOverview Viewing VLANs VLANs and Port VLAN ID NumbersVLAN numbers PVID numbers Viewing and Configuring PVIDsVLAN Tagging BS45010A Figure 3-1 Default VLAN settingsBefore Figure 3-2 Port-based VLAN assignmentFigure 3-3 802.1Q tagging after port-based VLAN assignment Figure 3-5 802.1Q tagging after 802.1Q tag assignment Figure 3-4 802.1Q tag assignmentuntagged packet 16 bitsVLAN Topologies and Design Considerations VLAN configuration rulesDescription Multiple VLANs with Tagging AdaptersComponent Description Component1. Enable VLAN tagging on server ports that support multiple VLANs VLAN configuration example2. Enable tagging on uplink ports that support multiple VLANs 3. Configure the VLANs and their member portsPrivate VLAN ports Private VLANs1. Select a VLAN and define the Private VLAN type as primary Configuration exampleConfiguration guidelines 3. Verify the configuration 2. Configure a secondary VLAN and map it to the primary VLANRackSwitch G8000 Application Guide enableBMD00041, November RackSwitch G8000 Application Guide62 „ Chapter 3 VLANs „ “Configurable Trunk Hash Algorithm” on page Ports and TrunkingCHAPTER „ ““Overview” on page 64” „ “Port Trunking Example” on pageOverview Built-In fault toleranceStatistical load distribution Static trunk group configuration rules Before you configure static trunks„ All trunk members must be in the same Spanning Tree Group STG and can belong to only one Spanning Tree Group STG. However if all ports are tagged, then all trunk ports can belong to multiple STGs Trunk 3 Ports 2, 23, and Port Trunking ExampleTrunk 1 Ports 1, 7, and 1. Follow these steps on the G80003. Connect the switch ports that will be members in the trunk group 2. Repeat the process on the other switch4. Examine the trunking information on each switch RS G8000 config# portchannel 1 member 1,7,32Configurable Trunk Hash Algorithm Admin key Link Aggregation Control ProtocolEach port on the switch can have one of the following LACP modes 3. Set the LACP mode LACP configuration guidelinesConfiguring LACP CHAPTER Spanning Tree„ “Overview” on page „ “Rapid Spanning Tree Protocol” on page „ “Per VLAN Rapid Spanning Tree” on pageTable 5-1 Ports, Trunk Groups, and VLANs OverviewBridge Priority Bridge Protocol Data Units BPDUsDetermining the Path for Forwarding BPDUs Changing the Spanning Tree mode Spanning Tree Group configuration guidelinesPort Priority Port Path CostAssigning a VLAN to a Spanning Tree Group Adding and removing ports from STGs Creating a VLANRules for VLAN Tagged ports Chapter 5 Spanning Tree „ RackSwitch G8000 Application GuideBMD00041, November Port state changes Rapid Spanning Tree ProtocolPort Type and Link Type RSTP configuration guidelinesEdge Port Link TypeConfigure Rapid Spanning Tree RSTP configuration example1. Configure port and VLAN membership on the switch 2. Set the Spanning Tree mode to Rapid Spanning TreePer VLAN Rapid Spanning Tree Default Spanning Tree configurationFigure 5-2 Two VLANs, each on a different Spanning Tree Group Why do we need multiple Spanning Trees?Figure 5-1 Two VLANs on one Spanning Tree Group 1. Set the Spanning-tree mode to PVRST+ PVRST configuration guidelinesConfiguring PVRST Common Internal Spanning Tree Multiple Spanning Tree ProtocolMSTP Region MSTP configuration guidelines Blocking VLAN Passing VLANRackSwitch G8000 Application Guide Blocking VLAN2. Configure Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Groupsenable RackSwitch G8000 Application Guidemember memberFast Uplink Convergence Configuration GuidelinesConfiguring Fast Uplink Convergence BMD00041, November RackSwitch G8000 Application Guide92 „ Chapter 5 Spanning Tree „ “Overview” on page „ “Using ACL Filters” on page Quality of Service„ “Using Storm Control Filters” on page „ “Using DSCP Values to Provide QoS” on pageFilter Permit/DenyCOS Queue OverviewMAC Extended ACLs Using ACL FiltersIP Extended ACLs IP Standard ACLsRS G8000 config# access-list ip extended RackSwitch G8000 Application GuideRS G8000 config# no access-list ip extended Table 6-1 Well-known protocol typesAssigning ACLs to a port Understanding ACL priorityPort 1 access group ACL IP Extended ACL IP ExtendedViewing ACL statistics Example ACL configuration examples1. Configure an Access Control List 3. Verify the configuration1. Configure an Access Control List Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses port 10 with source IP from the class 100.10.1.0/24 and destination IP 200.20.2.2 is deniedExample 2. Assign the ACL to port1. Configure an Access Control List 1. Configure an Access Control ListRackSwitch G8000 Application Guide config# ip access-list ip extendedExample 2. Configure IP ACLs to deny all other traffic4. Configure a MAC ACL to deny all other traffic RS G8000 config# interface port RackSwitch G8000 Application GuideRS G8000 config-if# ip access-group 1103 inBroadcast storms Using Storm Control FiltersConfiguring storm control 7 6 5 4 Using DSCP Values to Provide QoSDifferentiated Services Concepts The switch can perform the following actions to the DSCP Per Hop Behavior Default QoS Service Levels QoS LevelsRackSwitch G8000 Application Guide Service LevelDSCP-to-802.1p mapping Figure 6-3 Layer 2 802.1q/802.1p VLAN tagged packet Using 802.1p Priority to Provide QoS1. Configure a port’s default 802.1p priority value to 802.1p configuration exampleQueuing and Scheduling CHAPTER Remote MonitoringOverview RMON group 1-Statistics Configuring RMON statistics1. Enable RMON on a port 2. Configure the RMON statistics on a portRS G8000# show rmon history RMON group 2-HistoryHistory MIB Object ID Configuring RMON History RMON group 3-Alarms1. Enable RMON on a port 2. Configure the RMON History parameters for a portExample Alarm MIB objectsConfiguring RMON Alarms RMON group 9-Events Configure RMON events1. Configure the RMON Alarm parameters to track ICMP messages 1. Configure the RMON event parameters„ “Dynamic Host Configuration Protocol” on page Basic IP RoutingCHAPTER „ “IP Routing Benefits” on pageIP Routing Benefits Figure 8-1 The Router Legacy Network Routing Between IP Subnets„ Traffic to the router increases, increasing congestion Figure 8-2 Switch-Based Routing Topology Example of Subnet RoutingConfiguration example Using VLANs to segregate Broadcast Domains2. Assign an IP interface for each subnet attached to the switch Table 8-1 Subnet Routing Example IP Address AssignmentsRackSwitch G8000 Application Guide 4. Add the switch ports to their respective VLANsenable enable7. Enable IP routing 6. Configure the default gateway to the routers’ addresses8. Verify the configuration 5. Assign a VLAN to each IP interfaceDynamic Host Configuration Protocol BMD00041, November RackSwitch G8000 Application Guide128 „ Chapter 8 Basic IP Routing CHAPTER IGMP„ “IGMP Snooping” on page „ “IGMPv3 Snooping” on page „ “Static Multicast Router” on pageRS G8000 config# no ip igmp flood IGMP SnoopingRS G8000 config# ip igmp fastleave VLAN number FastLeaveIGMPv3 Snooping Configure IGMP Snooping IGMP Snooping configuration exampleRS G8000 config# no ip igmp snoop igmpv3 exclude RS G8000 config# ip igmp snoop igmpv3 sources5. View dynamic IGMP information RackSwitch G8000 Application GuideRS G8000# show ip igmp groups RS G8000# show ip igmp mrouter2. Verify the configuration Configure a Static Multicast RouterStatic Multicast Router CHAPTER High Availability„ “Uplink Failure Detection” on page BMD00041, NovemberFigure 10-1 Uplink Failure Detection example Uplink Failure DetectionSpanning Tree Protocol with UFD Failure Detection PairConfiguration guidelines „ Link to Monitor LtMMonitoring UFD Configuring UFD1. Configure Network Adapter Teaming on the servers 2. Assign the Link to Monitor LtM portsAPPENDIX A Troubleshooting„ “Monitoring Ports” on page BMD00041, NovemberFigure A-1 Monitoring Ports Monitoring PortsPort Mirroring behavior Configuring Port Mirroring2. Enable port mirroring 3. View the current configurationBMD00041, November RackSwitch G8000 Application Guide142 „ Appendix A Troubleshooting Numerics SymbolsIndex