Manuals / D-Link / Computer Equipment / Switch

D-Link DES-3018 manual 802.1X Port-Based and MAC-Based Access Control

Models: DES-3018

1 260

Download 260 pages 53.54 Kb

Page 153

DES-3010F/DES-3010FL/DES-3010G/DES-3016/DES-3018/DES-3026 Fast Ethernet Switch Manual

802.1X

802.1X Port-Based and MAC-Based Access Control

The IEEE 802.1X standard is a security measure for authorizing and authenticating users to gain access to various wired or wireless devices on a specified Local Area Network by using a Client and Server based access control model. This is accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN (EAPOL) packets between the Client and the Server. The following figure represents a basic EAPOL packet:

Figure 10- 4. The EAPOL Packet

Utilizing this method, unauthorized devices are restricted from connecting to a LAN through a port to which the user is connected. EAPOL packets are the only traffic that can be transmitted through the specific port until authorization is granted. The 802.1X Access Control method has three roles, each of which are vital to creating and maintaining a stable and working Access Control security method.

Figure 10- 5. The three roles of 802.1X

The following section will explain the three roles of Client, Authenticator and Authentication Server in greater detail.

140

Image 153

D-Link DES-3018 manual 802.1X Port-Based and MAC-Based Access Control

Contents

Manual Copyright 2008. All rights reserved Table of Contents Introduction to Web-based Switch Configuration AdministrationSnmp Manager Tool Tips L2 FeaturesCoS 109 CPU Interface Filtering 122Security 133 Monitoring 165 Appendix C 204 Appendix a 200 Appendix B 203Appendix D 209 Glossary 210Preface Typographical Conventions Intended ReadersBold font ConventionDescriptionSafety Cautions Safety InstructionsGeneral Precautions for Rack-Mountable Products Protecting Against Electrostatic Discharge Switch Description FeaturesIntroduction If MIB Ethernet Technology Switching TechnologyFast Ethernet Gigabit Ethernet TechnologyPage DES-3010F Front Panel Front-Panel Components and LED IndicatorsLED or Button Power Console Link/Act Speed Description DES-3026 LED indicatorsRear panels of these switches contain an AC power connector Rear Panel DescriptionSide Panel Description Installation Package ContentsBefore You Connect to the Network Installing the Switch in a Rack Installing the Switch without the RackMounting the Switch in a Standard 19 Rack Power OnDEM-301T Optional Module Optional ModulesOptional Module Slots Upgraded DES-3018 / DES-3026 are now ready for useSwitch to End Node Connecting the SwitchSwitch connected to switch using fiber-optic cabling Switch to Hub or SwitchUplink Connection to a server, PC or switch stack Command Line Console Interface through the Serial Port Introduction to Switch ManagementManagement Options Web-based Management InterfaceTo connect a terminal to the console port Initial screen, first time connecting to the Switch First Time Connecting to the SwitchSnmp Settings Password ProtectionMIBs TrapsIP Address Assignment Show switch commandAssigning the Switch an IP Address Connecting Devices to the SwitchIntroduction to Web-based Switch Configuration IntroductionLogging on to the Web Manager Areas of the User Interface Web-based User InterfaceArea Area FunctionArea Web Pages Administration Device Information screen Device InformationParameter Description IP AddressClick Apply to implement changes made Setting the Switchs IP Address using the Console Interface Port Settings Port ConfigurationClick Apply to implement the new settings on the Switch Following parameters can be configuredParameter Description State Speed/DuplexPort Description Port Description Setting and Port Description TableFollowing information can be viewed in the preceding window Port Error DisabledPort ConnectionUser Accounts window User AccountsAdmin and User Privileges Management Admin UserUser Account Management Cable Diagnostics Password Encryption12. Port Mirroring window Port MirroringFollowing parameters can be set System Log SettingsParameter Description Index1-4 Host IP Severity Facility Numerical Facility CodeUDP Port 514 or Status Time Settings Sntp SettingsParameterDescription Time Settings Current Time Time Source Time Settings Set Current Time Year Month DayTime Zone and DST Click Apply to implement your changesTime in HH MM SS DST Annual Settings DST Repeating SettingsMAC Notification Settings Global SettingsFollowing parameters may be viewed and modified Tftp Services Ping TestTest Snmp Settings Snmp ManagerMIBs Snmp User Table Snmp Trap SettingsFollowing parameters are displayed ParameterDescription User NameGroup Name Snmp Version Auth-Protocol Priv-Protocol Following parameters can setSnmp View Table Snmp View TableParameterDescription View Name Subtree OIDSnmp Group Table Manager Snmp Group TableView Type 28. Snmp Group Table Configuration Add window Snmp Community Table ParameterDescription Community Name View Name Access RightSnmp Host Table Use the Snmp Host Table to set up Snmp trap recipientsSnmp Engine ID 31. Snmp Engine ID Configuration windowIP-MAC-Port Binding Impb IP-MAC-Port Binding Impb32. IP-MAC Binding Ports window IP-MAC Binding Table33. IP-MAC Binding Table menu IP-MAC Binding Blocked IP-MAC Binding BlockedSingle IP Management SIM Overview Link Single IP ManagementSingle IP Settings SIM Settings SIM Using the Web InterfaceTopology HoldtimeParameterDescription Device Name Local Port Icon Description Speed Remote Port MAC Address Model Name39. Device Information Utilizing the Tool Tip Tool Tips40. Port Speed Utilizing the Tool Tip Following options may appear for the user to configure Commander Switch IconRight Click Group Icon44. Property window Member Switch Icon46. Property window Candidate Switch IconThis window holds the following information Menu BarClick Close to close the Property window Five menus on the menu bar are as followsDevice Configuration File Backup/Restore Firmware UpgradeIP Setting Upload Log File Upload Log File55. Upload Log File window Unicast Forwarding Forwarding & FilteringUnicast Forwarding ParameterDescriptionMulticast Forwarding Multicast MAC Address Port Settings59. Configure Multicast Filtering Mode Multicast Filtering ModeSmtp Service Smtp Server Settings ParameterDescription Subject Content Smtp ServiceDHCP/BOOTP Relay DHCP/BOOTP Relay Global SettingsFollowing fields can be set Dhcp Relay Agent Information Option State Check Policy Click Apply to implement any changes that have been madeImplementation of Dhcp Information Option 82 on the Switch DHCP/BOOTP Relay Interface SettingsRelay Interface Settings Circuit ID sub-option formatFollowing parameters may be configured or viewed Dhcp Relay Option 60 Default SettingsRelay Option 60 Default Settings ParameterDescription Relay IP Address ModeDhcp Relay Option 60 Settings Following parameters may be configuredParameterDescription String Server IP Match Type Dhcp Relay Option 61 Settings Dhcp Relay Option 61 Default SettingsFollowing parameters may be set ParameterDescription Client IDRelay Rule VLANs L2 FeaturesVlan Description Ieee 802.1Q VLANsIeee 802.1Q Packet Forwarding 802.1Q Vlan TagsIngress Filtering Tagging and UntaggingSwitch Ports Default VLANsVlan Segmentation Vlan and Trunk Groups1Q Static VLANs window Static Vlan Entry1Q Static VLANs Modify Vlan Name Port Settings Tag None EgressUnderstanding Port Trunk Groups Link AggregationPage Parameter Description Vlan Trunk Status From…To Vlan Trunk SettingsTrunking Link Aggregation Link AggregationLacp Port Settings Lacp Port SettingsClick Apply to implement changes made 12. Current Igmp Snooping Group Entries Igmp SnoopingVlan ID Following parameters may be viewed or modifiedVlan Name Member Ports Static Router Ports SettingsIgmp Snooping Igmp Access Control Settings Igmp Access Control SettingsClick Apply to implement the new settings ParameterDescription From…To Status802.1w Rapid Spanning Tree Spanning TreePort Transition States 802.1w Rstp 802.1D STP Forwarding LearningEdge Port STP Bridge Global SettingsP2P Port 802.1D and 802.1w CompatibilitySpanning Tree Protocol 17. STP Bridge Global Settings104 STP can be set up on a port per port basis STP Port SettingsPriority From/ToMigration EdgeLoopback Detection Following fields may be configuredLoopback Detection ParameterDescription Loopdetect Status IntervalRecover Time From… To State CoS CoSIeee 802.1p Priority Advantages of CoS An Example of the Default CoS Mapping on the SwitchUnderstanding CoS Port Bandwidth Bandwidth Settings and Port Bandwidth Table windowParameterDescription From/To Type No Limit Rate 1p Default Priority and the 802.1p Default Priority window 802.1p Default PriorityCoS Scheduling Mechanism 802.1p User PriorityScheduling Mechanism has the following parameters ParameterDescription StrictParameterDescription Weights Weight fairCoS Output Scheduling Click Apply to let your changes take effectPriority Setting Priority SettingsTOS Priority Settings Configure the following Priority Setting parametersParameterDescription From/To MainSelect Dscp Priority Setting Dscp Priority Settings10. Port Mapping Priority CoS Port Mapping Priority Settings11. MAC Priority Setting MAC Priority SettingsCPU Interface Filtering CPU Interface Filtering State SettingsCPU Interface Filtering Table Interface Filtering CPU Interface Filtering StateSource MAC Profile IDDestination MAC 802.1pSource IP Mask Destination IP Mask Ethernet typeProtocol Click Apply to set this entry in the Switch’s memoryParameter Description Profile ID Type Offset Shown below is the Packet Content Mask configuration windowCPU Interface Filtering Table Ethernet Parameters Description Access ID10. CPU Interface Filtering Rule Table IP Parameter Description Profile ID Mode Access ID Type12. CPU Interface Filtering Rule Display IP Vlan Name Source IP Destination IP DSCP0-63 PortParametersDescription Profile ID Mode Access ID Type Offset 15. CPU Interface Filtering Rule Display Packet Content Traffic Control SecurityTraffic Control Settings window Click Apply to implement the settings of each field 136 Port Security Port Security Settings and Table windowAdmin State Max. Addr0-10 Lock Address Mode Port Lock Entries Lock EntriesDelete 802.1X 802.1X Port-Based and MAC-Based Access ControlAuthenticator Authentication ServerClient Client802.1X Authentication Process Authentication Process10. Example of Typical Port-Based Configuration Port-Based Network Access Control11. Example of Typical MAC-Based Configuration MAC-Based Network Access Control12 .1X Authenticator Settings window 802.1X Authenticator SettingsThis screen allows you to set the following parameters ServerTimeout SuppTimeoutMaxReq ReAuthPeriodLocal Users Settings to view the following window 802.1X Capability SettingsClick Security 802.1X 802.1X Capability ParameterDescription From and To CapabilityGuest VLANs Limitations Using the Guest VlanConfigure 802.1X Guest Vlan OperationPort List 18. Initialize Port window Initializing Ports for Port BasedInitializing Ports for MAC Based Reauthenticate Ports for Port BasedPorts Reauthenticate Ports for MAC-basedParameter Description Port Auth StateRadius Server To view the Trusted Host table, click Security Trusted Host Trusted Host24. Current Traffic Segmentation Table Traffic SegmentationSecure Shell SSH 25. Setup Forwarding Ports windowSSH Server Configuration SSH Authentication Mode and Algorithm Settings Algorithm SettingsFollowing algorithms may be set Cast128-CBC Twofish128 Twofish192 Twofish256 Blow-fish CBCEncryption Algorithm Data Integrity Algorithm28. SSH User Authentication Mode window SSH User Authentication ModeAuth. Mode User may set the following parametersParameter Description User Name CPU Utilization MonitoringPort Utilization window Port UtilizationParameterDescription Time Interval Record Number Packets Received RXReceived RX Rx Packets Analysis Table Following fields may be set or viewedPackets UMB CastRX UMB Cast RX171 TransmittedTX Transmitted TXTx Packets Analysis window table for Bytes and Packets Rx Error Analysis window line graph Packet Errors10. Rx Error Analysis window table 11. Tx Error Analysis window line graph 12. Tx Error Analysis window table Packet Size Packet SizeFollowing fields can be set or viewed 15. Vlan Status window Vlan StatusMAC Address MAC AddressFollowing fields can be viewed or set ParameterDescription Vlan Name MAC Address Port FindParameterDescription Sequence Time Log Text Switch LogParameterDescription Log Mode Time Interval Log SettingsMulticast Group MAC Address Reports Port Map Igmp Snooping GroupBrowse Router Port Browse ARP TableSession Table Radius Authentication Port Access ControlRadius Authentication ParameterDescription Server187 Accounting Radius AccountingBadAuthenticators UnknownTypes PacketsDropped Auth DiagnosticsEapLogOffsConnecting EntersConnectingEntersAuthenticating SuccessAuthenticatingResponsesFromSupplicant AuthSuccesses AuthFails Auth Session StatisticsAuth Statistics 27. Authenticator Statistics window Rx Invalid Rx Error Last Version Last Source Auth State Monitoring Port Access Control Auth State29. Authenticator State window MAC-Based 30. Factory Reset to Default Value window ResetReboot System Following menu is used to restart the SwitchSave Changes Logout 33. Reboot System windowPhysical and Environmental Appendix aCSMA/CD GeneralPerformance Appendix 1- 2. The standard RJ-45 pin assignments Appendix BSystem Log Entries Appendix C205 206 207 208 Appendix D Cable LengthsStandard Media Type Maximum Distance Glossary Page Warranties and Registration Limited WarrantyWhat Is Not Covered FCC Warning TrademarksCopyright Statement Page Page Product Registration Technical Support Tech SupportTechnical Support Technische Unterstützung Assistance technique Asistencia Técnica Supporto tecnico Technical Support Pomoc techniczna Technická podpora Technikai Támogatás Teknisk Support Teknisk Support Teknistä tukea asiakkaille Suomessa Teknisk Support Suporte Técnico Τεχνική Υποστήριξη Tehnička podrška Tehnična podpora Suport tehnica Technical Support Technical Support Техническая поддержка Asistencia Técnica Suporte Técnico Link友訊科技台灣分公司技術支援資訊 Dukungan Teknis 技术支持 Germany Spain Egypt International OfficesAll Countries and Regions excluding USA Registration Card247