MAC-based Access Control | D-Link DGS-3700 instruction

DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual

Figure 5 - 43 RADIUS Accounting Settings window

MAC-based Access Control

MAC-based Access Control is a method to authenticate and authorize access using either a port or host. For port- based MAC, the method decides port access rights, while for host-based MAC, the method determines the MAC access rights.

A MAC user must be authenticated before being granted access to a network. Both local authentication and remote RADIUS server authentication methods are supported. In MAC-based Access Control, MAC user information in a local database or a RADIUS server database is searched for authentication. Following the authentication result, users achieve different levels of authorization.

Notes About MAC-based Access Control

There are certain limitations and regulations regarding the MAC-based Access Control:

1.Once this feature is enabled for a port, the Switch will clear the FDB of that port.

2.If a port is granted clearance for a MAC address in a VLAN that is not a Guest VLAN, other MAC addresses on that port must be authenticated for access and otherwise will be blocked by the switch.

3.A port accepts a maximum of sixteen authenticated MAC addresses per physical port of a VLAN that is not a Guest VLAN. Other MAC addresses attempting authentication on a port with the maximum number of authenticated MAC addresses will be blocked.

4.Ports that have been enabled for Link Aggregation, stacking, 802.1X authentication, 802.1X Guest VLAN, Port Security, GVRP or Web-based authentication cannot be enabled for the MAC-based Authentication.

MAC-based Access Control Settings

The following window is used to set the parameters for the MAC-based Access Control function on the Switch. Here the user can set the running state, method of authentication, RADIUS password and view the Guest VLAN configuration to be associated with the MAC-based Access Control function of the Switch.MAC-based Access Control Global Settings

To view this window, click Security > MAC-based Access Control > MAC-based Access Control Settings as shown below:

180

Image 191

D-Link DGS-3700 user manual MAC-based Access Control Settings

Contents

Copyright 2009. All rights reserved Page Table of Contents DDM L2 Features QoS Security ACL Save Services and Tools 258 Preface Typographical Conventions Intended Readers Introduction Login to Web Manager Areas of the User Interface Web-based User Interface Area Function Web PagesArea Page Configuration System Information Device Information Auto Logout Serial Port SettingsFields that can be configured are described below Parameter Description Baud Rate IP Address IP Address Settings window Dhcp Bootp Setting the Swith’s IP Address using the Console Interface Interface Settings IPv6 State Parameter Description Interface NameIPv6 Network Address Automatic Link Local Address IPv6 Route SettingsIPv6 Neighbor Settings Address Link Layer MAC Port ConfigurationPort Settings Neighbor IPv6 Port Description Port Error Disabled Static ARP Settings User Accounts Management Admin Operator User Admin, Operator and User PrivilegesNew Password Password User Account Management Admin, Operator and User Privileges System Log Server System Log ConfigurationSystem Log Settings 514 or Severity Parameter Description Server IDServer IP Address UDP Port Severity Level System Severity SettingsParameter Description System Severity Dhcp Relay Dhcp Relay Global Settings Policy Dhcp Relay AgentInformation Option Check Remote ID sub-option format Implementation of Dhcp Information Option 82 on the SwitchCircuit ID sub-option format Mode Dhcp Relay Interface SettingsDhcp Relay Option 60 Default Settings Parameter Description Relay IP Address Dhcp Relay Option 61 Default Settings Dhcp Relay Option 60 Settings Relay Rule Out of Band Management SettingsDhcp Relay Option 61 Settings Parameter Description Client ID Link Status External Alarm SettingsDhcp Auto Configuration Settings Parameter Description IP Address MAC Address Aging Time Web SettingsTelnet Settings Parameter Description Password EncryptionClipaging Settings Firmware Information Size Bytes Dual Configuration SettingsUpdate Time Version Ping Test Size Local Loopback Ports SettingsTimeout IPv6 Ping Test Vlan Counter Settings Time Settings Sntp Settings Hhmm TimeZone Settings MAC Notification Global Settings MAC Notification Settings ParameterDescription MAC Notification Port Settings MIBs Snmp SettingsTraps Subtree OID Snmp Global State SettingsSnmp View Table Parameter Description View Name Snmp Group Table Snmp User Table Parameter Description Community Name Snmp Community Table Snmp v6Host Table Snmp Host Table Name Snmp Engine IDCommunity String/SNMPv3 User Hours Time Range SettingsSnmp Trap Configuration Parameter Description Range Name ParameterDescription Analyzer Server ID SFlow Global State SettingsSFlow Analyzer Server Settings SFlow SFlow Flow Sampler Settings Following parameters can be configured SFlow Counter Poller Settings Single IP Management Upgrade to Single IP Settings Topology Local Port Parameter Description Device NameRemote Port Speed Icon Description 62 Topology view 63 Device Information Utilizing the Tool Tip Tool Tips Group Icon Right-Click Candidate Switch Icon Commander Switch IconMember Switch Icon Menu Bar Configuration File Backup/Restore Firmware Upgrade Browse DDM Status List DDM SettingsUpload Log File DDM Temperature Threshold Settings DDM Bias Current Threshold Settings DDM Voltage Threshold Settings DDM Rx Power Threshold Settings DDM Tx Power Threshold Settings Parameter Description From Port / To Port Jumbo Frame window Jumbo Frame Vlan Description VLANsUnderstanding Ieee 802.1p Priority Ieee 802.1Q Packet Forwarding Ieee 802.1Q VLANs Ieee 802.1Q Tag 802.1Q Vlan Tags Ingress Filtering Port Vlan IDTagging and Untagging VID Default VLANsPort-based VLANs Vlan Segmentation Spvlan Tpid + Double VLANsVlan and Trunk Groups Destination Source Double Vlan Example Regulations for Double VLANs Current 802.1Q Static VLANs Entries window 802.1Q Vlan 802.1Q Vlan window Add/Edit Vlan Tab Untagged Port SettingsAdvertisement Tagged 10 802.1Q Vlan window Vlan Batch Settings window Vlan ID Subnet Vlan SettingsVlan Precedence Settings Subnet Vlan Vlan Precedence In-Q SettingsIn-Q Vlan Translation Settings For ingress tagged packets at UNI ports In-Q and Vlan Translation RulesFor ingress untagged packets at UNI ports 802.1v Protocol Vlan 802.1v Protocol Group Settings Search Port List 802.1v Protocol Vlan Settings802.1p Priority Check the Select All Ports box Gvrp Settings Rspan Settings Pvid Gvrp Global SettingsGvrp NNI Bpdu MAC-based Vlan SettingsPvid Auto Assign Settings Leave All Time Understanding Port Trunk Groups Port Trunking Member Ports Parameter Description AlgorithmMaster Port Active Port Activity Lacp Port Settings Forward Portlist Traffic Segmentation 27 Bpdu Tunneling window Bpdu Tunneling Settings Querier IP Igmp Snooping SettingsIgmp Snooping Rate Limit 255 Time Query IntervalMax Response Robustness Value Igmp Snooping Static Group Settings Igmp Snooping Rate Limit Settings Following fields can be set Igmp Multicast Group Profile SettingsIgmp Snooping Multicast Vlan Settings IPv4 Multicast Profile Settings IPv4 Max Multicast Group Settings IPv4 Limited Multicast Range Settings MLD Control Messages MLD Snooping SettingsMLD Snooping 25 sec Query Expiry TimeQuery Interval 1-65535 sec Max Response Time 43 MLD Snooping Router IP Settings Modify window MLD Snooping Rate Limit Settings IPv6 Address MLD Snooping Static Group SettingsMLD Multicast Group Profile Settings 1,6 MLD Snooping Multicast Vlan Settings1,6 Source Port Tagged Member Port e.g.1-4,6 IPv6 Multicast Profile Settings IPv6 Max Multicast Group Settings IPv6 Limited Multicast Range Settings 55 Port Mirror window Port Mirror Trap Status Loopback Detection SettingsRecover Time Parameter Description LBD State Edge Port Spanning Tree802.1w Rapid Spanning Tree Port Transition States 802.1D and 802.1w Compatibility P2P Port STP Bridge Global Settings NNI Bpdu Address Max Hops External Cost 0=Auto STP Port Settings P2P MST Configuration Identification Msti ID STP Instance SettingsParameter Description Configuration Name Revision Level 200000000 Mstp Port InformationInstance ID Internal Path cost Multicast Forwarding Forwarding & FilteringUnicast Forwarding Multicast MAC Multicast Filtering Mode Lldp Global Settings Notification Lldp Port SettingsAdmin Status Parameter Description From Port /To Port Parameter Description Address Lldp Basic TLVs SettingsLldp Management Address List Vlan Lldp Dot1 TLVs Settings MAC/PHY Lldp Dot3 TLVs SettingsLldp Statistics System 72 Lldp Statistics System window Lldp Local Port Information Lldp Remote Port Information CFM Port Settings CFM Mipccm List CFM CCM PDUs Forwarding ModeCFM MPs Reply LTRs Parameter Description CFM State Connectivity Fault Management SettingsConnectivity Fault Management CreateMD Connectivity Fault Management SettingsMD LBM CFM Loopback SettingsMIP MEP CFM Linktrace Settings Received Remote Ethernet OAM SettingsEthernet OAM Remote Loopback Ethernet OAM Configuration Settings Advantages of QoS QoS Understanding QoS Mapping QoS on the SwitchPage No Limit HOL Blocking PeventionBandwidth Control Traffic Control window Traffic Control Time Interval Traffic Trap Setting Traffice TrapSettings Count Down 802.1p Default Priority window 802.1p Default Priority QoS Scheduling Mechanism 802.1p User Priority Mechanism QoS SchedulingScheduling Class ID Band Manage Settings Band Manage Settings Sred Settings Click Apply to implement changes 141 Sred Drop Counter Dscp Trust SettingsDscp Map Settings Dscp List0-63 Dscp Map Color 802.1p Map SettingsPriority List0-7 Security Safeguard Engine Safeguard Engine window IP-MAC-Port Binding IMP Binding Global SettingsTrusted Host Parameter ACL Mode Trap / Log Dhcp Snoop State IMP Binding Port Settings Max Entry Allow Zero IPForward Dhcp Packet Ports IMP Binding Entry Settings MAC Block List Port Security Port SettingsPort Security Dhcp Snooping Entries Max. Learning Port Security Vlan SettingsAdmin State Lock Address Max Learning Dhcp Server Screening SettingsPort Security Entries Vlan ID e.g.1,4-6 ParameterDescription Server IP Address Dhcp Screening Port SettingsDhcp Offer Filtering Client’s MAC Address 802.1X Port-Based and Host-Based Access ControlAuthentication Server 802.1X 16 The Authentication Server Authenticator Client Authentication Process 20 Example of Typical Port-Based Configuration Port-Based Network Access Control 21 Example of Typical Host-Based Configuration Host-Based Network Access Control PDU 802.1X Global Settings802.1X Port Settings QuietPeriod SuppTimeoutServerTimeout ReAuthentication 802.1X User Authentication Radius Server Confirm Key Reauthenticate PortsInitialize Ports Limitations Using the Guest Vlan Guest Vlan Configuration Guest Vlan SSL Settings Ciphersuite Download Certificate EDE CBC SHA CBC SHA SSH Settings SSH Authmode and Algorithm Settings HMAC-RSA SSH User Authentication ListsHMAC-SHA1 HMAC-MD5 Host Name Access Authentication ControlPage Application Authentication Settings Authentication Policy Settings 37 Authentication Server Group Settings window Authentication Server Group 38 Authentication Server Group Settings Edit window Authentication Server Login Method Lists Priority 1, 2, 3 Enable Method ListsParameterDescription Method List Name 41 Enable Method List window Local Enable Password Settings 42 Local Enable Password window Radius Accounting Settings MAC-based Access Control Settings MAC-based Access Control Guest Vlan ID Parameter Description Settings MBA Global StateMethod Guest Vlan Name Hold Time MAC-based Access Control Local Settings Web Authentication ParameterDescription State Web-based Access Control SettingsConditions and Limitations Redirection Web-based Access Control User SettingsLogout Timer 1440 Authentication Confirmation NetBIOS FilteringNetBIOS Filtering Settings ParameterDescription Type ACL Configuration WizardAccess ID Apply To Access Profile ListOption Add Access Profile Ethernet Mask Select ACL Type Parameter Description Ethernet ACLSource MAC Mask Destination MAC Ethernet Type Access Profile List Ethernet Replace Dscp Parameter Description Access IDVlan Mask Replace Priority Counter PrecedenceTime Range Rx Rate Icmp Type DscpSource IP Mask Destination IP Mask 11 Access Profile List IPv4 12 Access Profile Details IPv4 Time Range Name Icmp IPv6 UDP Parameter Description IPv6 ClassIPv6 Flow Label IPv6 TCP 17 Access Profile List IPv6 Flow Label Class 20 Access Rule List IPv6 Parameter Description Chunk 22 Add Packet Content ACL Profile 23 Access Profile List Packet Content 25 Access Profile Packet Content CPU Interface Filtering 26 Access Rule List Packet Content 28 CPU Access Profile List window CPU Access Profile List Mask 802.1Q Vlan Source MACMask Destination MAC IPv4 Dscp Parameter Description Select Profile ID 209 33 Add CPU ACL Profile window for IPv6 Offset Parameter Description Select ProfileSelect ACL 37 CPU Access Rule List window for Ethernet 39 CPU Access Rule Detail Information window for Ethernet 40 CPU Access Rule List window for IP 42 CPU Access Rule Detail Information window for IP 45 CPU Access Rule Detail Information window for IPv6 ACL Flow Meter ACL Finder 50 ACL Flow Meter window Mode Device Status Cable Diagnostic Show/Hide CPU UtilizationParameter Description Time Interval Record Number Packet Size Port Utilization Packet Size window Received RX Memory UtilizationPackets Received RX window for Bytes and Packets UMBcast RX Transmitted TX 12 Transmitted TX window for Bytes and Packets Bytes 14 Received RX window for errors Errors OverSize CRCErrorSymbol UnderSize ExDefer 16 Transmitted TX window for errors Radius Authentication Port Access Control Radius Account Client Responses ServerAddressRequests Retransmissions Backend State Authenticator StateParameter Description MAC Address Auth PAE State 22 Authenticator Statistics window for MAC-based Authenticator Statistics Authenticator Session Statistics Authenticator Diagnostics Auth Enter Auth TimeoutConnect Enter Connect LogOff Browse ARP Table 27 Browse ARP Table window Browse Vlan Igmp Snooping Group Show Vlan PortsBrowse Igmp Router Port Browse Igmp Snooping Counter Igmp Snooping Forwarding Table MLD Snooping Group Browse MLD Router Port 35 MLD Snooping Group window MLD Snooping Forwarding Table CFM Packet Counter List Browse Session TableBrowse MLD Snooping Counter Browse CFM Port MP List Browse CFM Fault MEPCFM Packet Counter CCM List Functions used in the MAC address table are described below MAC Address TableBrowse Vlan Counter Statistics Browse Ethernet OAM Statistics Browse Ethernet OAM Event Log 46 Browse Ethernet OAM Statistics window Minutes/1 Day Packet/ErrorHistorical Counter & Utilization Browse Historical Counter Browse Historical Utilization System Log Log Text Parameter Description Log TypeDate-Time Save Configuration ID 1 window Save Configuration ID Save All Save Log Upload Log File Configuration File Backup & RestoreReset Download Firmware Reboot System ARP FCS ARP Forwarding Table Ethernet frame format Port2 00-20-5C-01-22-22 Destination address Source address Ether-type How ARP spoofing attacks a network Ethernet Gratuitous ARP Example topology Prevent ARP spoofing via packet content ACL Offset Chunk Ethernet 266 Category Event Description Log Information Severity System Log Entries SSL AAA Page Page Page IP-MAC DOS DDM Trap Name/OID Variable Bind Format MIB Name Severity DGS-3700 Series Trap ListProprietary Trap List Equipment Glossary Page Command Parameters Password Recovery Procedure Command Parameters