Host Access Control Authentication Haca | Enterasys Networks 2H252

Overview of Security Methods

3.4.1Host Access Control Authentication (HACA)

To use HACA, the embedded Radius Client on the switch must be configured to communicate with the Radius Server, and the Radius Server must be configured with the password information. The software used for this application provides the ability to centralize the Authentication, Authorization, and Accounting (AAA) of the network resources. For more information, refer to the RFC 2865 (Radius Authentication) and RFC 2866 (Radius Accounting) for a description of the protocol.

Each switch has its own Radius Client. The client can be configured via the Radius Configuration screen described in Section 3.7.

The IP address of the Radius Server and shared secret text string must be configured on the Radius Client. The client uses the Password Authentication Protocol (PAP) to communicate the user name and encrypted password to the Radius Server.

On the Radius Server, each user is configured with the following:

•name

•password

•access level

The access level can be set to one of the following levels for each user name:

•super-user

•read-write

•read-only

To support multiple access levels per user name, it involves sending back a different “FilterID” attribute using some server feature to differentiate between the same user name with different prefixes/suffixes. For example, “username@engineering” and “username@home” could each return different access levels.

NOTE: This is a server-dependent feature.

3-12Accessing Local Management

Image 50

Enterasys Networks 2H252, 2E253, 2H253, 2H258 manual Host Access Control Authentication Haca

Contents

SmartSwitch 2200 Series Page Page Enterasys NETWORKS, INC Program License Agreement Page Page Contents Device Configuration Menu Screens Port Configuration Menu Screens Configuration Menu Screens Layer 3 Extensions Menu Screens Network Tools Screens Generic Attribute Registration Protocol Garp Figures Xiii Xiv Tables Xvi Tables Using this Guide About This Guide Structure of this Guide Xix Related Documents Document Conventions Typographical and Keystroke Conventions Bold typePage Introduction Overview Management Agent Local Management Requirements In-Band vs. Out-of-BandNavigating Local Management Screens Local Management Screen Elements None Defined Input Fields Event Message FieldDisplay Fields Selection Fields Command Fields Local Management Keyboard Conventions Getting Help Your email addressPage Management Terminal Setup Local Management Requirements 2H252-25R SmartSwitch device is shown in -1as an example Console Cable Connection Management Terminal Setup Parameters VT100ID Monitoring AN Uninterruptible Power Supply Telnet Connections DB9 Port RJ45 COM Port Page Accessing Local Management 802.1Q Switching Mode, LM Screen Hierarchy Selecting Local Management Menu Screen Items Using the Exit CommandUsing the Return Command Exiting Local Management Screens Password Screen Using the Next and Previous CommandsUsing the Clear Counters Command When to Use How to Access Screen Example Enter Device Menu Screen Screen Navigation Path Device ConfigurationMenu Descriptions Menu Security NetworkTools Cont’d Section Overview of Security Methods Host Access Control Authentication Haca Overview of Security Methods 14Accessing Local Management 2 802.1X Port Based Network Access Control Definitions of Terms and Abbreviations 2.2 802.1X Security Overview Authentication Method Sequence MAC Authentication OverviewAuthentication Method Selection Concurrent Operation of 802.1X and MAC Authentication MAC 20Accessing Local Management MAC Authentication Control Security Menu Screen Refer to -4for a functional description of each menu item Authentication PasswordsName Services Radius Passwords Screen Module Login Passwords Screen Switch Field Descriptions Setting the Module Login Password Radius Configuration Screen Timeout Retries Radius Client Last Resort Action/Local SelectableLast Resort Action/Remote Toggle IP Address Setting the Last Resort Authentication Setting the Local and Remote Servers Name Services Configuration Screen Name Services Configuration Screen Web Authentication Switch Name ModifiableName Services Secure Harbour IP System Authentication Configuration Screen System Authentication Configuration Screen System AuthenticationAuthenticated , or Unauthenticated Port # EAP Port Configuration Screen EAP Port Configuration Screen Port Authentication State Backend State Port Control Maximum Requests Initialize PortForce Reauth EAP Statistics Menu Screen 10 EAP Statistics Menu Screen EAP Session AuthenticatorEAP Diagnostic EAP Session Statistics Screen When to Use 11 EAP Session Statistics Screen SessionOctetsRx Authenticate Server or a local Authentication Server MethodSessionID SessionOctetsTx Session User Name EAP Authenticator Statistics Screen When to UseClear Counters Command Port Number 12 EAP Authenticator Statistics Screen Clear Counters EAP Diagnostic Statistics Screen When to Use 13 EAP Diagnostic Statistics Screen Authenticating Enters ConnectingLogoffs Connecting Timeouts Backend Statistics Responses AuthenticatedAccess Challenges Other Requests To Counters MAC Port Configuration ScreenClear Port Enable 14 MAC Port Configuration Screen MAC Supplicant Configuration Screen SET ALL Ports Duration MAC Address Plicant Reauthenticate SupInitialize Supplicant False Device Configuration Menu Screens Device Configuration Menu Screen General Configuration Resources GeneralSnmp Information General Configuration Screen 0.0 Tftp Gateway IP Default GatewaySubnet Mask Addr Screen Refresh Operational ModeDevice Time Time IP Fragmentation Agg ModeClear Nvram WebView Setting the IP Address Configuration Warning Screen, IP Address Setting the Subnet Mask Configuration Warning Screen, Subnet Mask Setting the Default Gateway Setting the Tftp Gateway IP Address Setting the Module Name Setting the Device Date Entering a New Screen Refresh Time Setting the Device TimeSetting the Screen Lockout Time Configuring the COM Port Changing the COM Port Application COM Port Warning Clearing Nvram UPS Enabling/Disabling IP Fragmentation Clear Nvram Warning Snmp Configuration Menu Screen Snmp Configuration Menu Screen Snmp Community Names Configuration Screen Snmp Community Names Configuration Screen Establishing Community Names Snmp Traps Configuration Screen Snmp Traps Configuration Screen Trap Destination Configuring the Trap TableEnable Traps Trap Community Access Control List Screen 10 Access Control List Screen Access Control Lists IP Addr Mask Entering IP AddressesEntering Single Addresses Entering Ranges of Addresses Enable/Disable ACL System Resources Information Screen XX KB Setting the Reset Peak Switch Utilization Flash Download Configuration Screen 12 Flash Download Configuration Screen Flash Download Configuration Screen Field Descriptions Download Server IP Reboot AfterDownload Download File Image File Download Using Runtime Configuration File Download Using Tftp Configuration File Upload Using Tftp 36Device Configuration Menu Screens Port Configuration Menu Screens Port Configuration Menu Screen Port Configuration Menu Screen in Agg Mode, Huntgroup HSIM/VHSIM EthernetInterface Redirect Ethernet Interface Configuration Screen Intf Port Type Speed ConfigLink Duplex Ethernet Port Configuration Screen HDX FC Refer to -3for a functional description of each screen field Interface Default SpeedDefault Duplex Physical Port 10Port Configuration Menu Screens Half Duplex Flow Full Duplex FlowControl Save to ALL Selecting Field Settings Setting the Advertised Ability Configuration Menu HSIM/VHSIM Configuration ScreenRedirect Configuration Menu Screen Redirect Configuration Menu Screen Port Redirect Configuration Screen Source Port Destination Port Source Port n Redirect ErrorsFrame Format Status Changing Source and Destination Ports Vlan Redirect Configuration Screen Vlan Redirect Configuration Screen Source Vlan Source Vlan n Changing Source Vlan and Destination Ports Usage Notes Aggregation Menu Rapid Reconfiguration Spanning Tree Definitions to Know Link Aggregation 802.3ad Main Menu Screen 1 802.3ad Port Screen When to Use Aggregator 802.3ad Port Screen OperKey Viewing and Editing 802.3ad Port ParametersAggregator MUX 1.1 802.3ad Port Details Screen When to Use 10 802.3ad Port Details Screen ActorSystemPriority Port Instance PartnerAdminSysID ActorOperState PartnerOperState Stats Displaying Port StatisticsLagid 1.2 802.3ad Port Statistics Screen When to Use 11 802.3ad Port Statistics Screen MarkerPDUsRx LACPDUsRxIllegalRx LACPDUsTx PartnerChurnState LastRxTimedeltaActorChurnState ActorChurnCount 2 802.3ad Aggregator Screen When to Use 12 802.3ad Aggregator Screen AggInst Viewing and Editing 802.3ad Aggregator ParametersDisplaying Aggregator Details SysPri 2.1 802.3ad Aggregator Details Screen When to Use 13 802.3ad Aggregator Details Screen Instance Partner 3 802.3ad System Screen When to Use 14 802.3ad System Screen Number of Ports Broadcast Suppression Configuration ScreenSystem Identifier Number Port # Total RX Setting the Threshold Setting the Reset Peak Configuration Menu Screens 802.1 Configuration Menu Screen 802.1 Configuration Menu Screen 802.1p Spanning Tree802.1Q Vlan Spanning Tree Configuration Menu Screen Tree Configuration Menu Spanning Tree Configuration Screen Vlan AgeTime Priority Current STP ModeConfigured Operation Configuring a Vlan Spanning Tree Spanning Tree Port Configuration Screen Spanning Tree Port Configuration Screen STP Vlan ID Switch AddressAge Time Viewing Status of Spanning Tree Ports Enabling/Disabling the Default Spanning Tree PortsPvst Port Configuration Screen Port Designated CorrespondingPort Designated Root Port State Port PriorityPort Designated Cost Port Designated PortPage 802.1Q Vlan Configuration Menu Screens Vlan Configuration Menu Preparing for Vlan Configuration Summary of Vlan Local Management 802.1Q Vlan Configuration Menu Screen 802.1Q Vlan Configuration Menu Screen Vlan Port Static VlanCurrent Vlan Static Vlan Configuration Screen Classification Vlan ID FDB ID ADD Creating a Static VlanVlan Name DEL Marked Displaying the Current Static Vlan Port Egress List Renaming a Static Vlan Deleting a Static Vlan Paging Through the Vlan List Static Vlan Egress Configuration Screen Static Vlan Egress Configuration Screen Egress Setting the Same Egress Type on All Ports Simultaneously Setting Egress Types on PortsSetting the Egress Type on One or More Ports Individually Current Vlan Configuration Screen Displaying the Next Group of Ports Vlan Type Read-Only An example of a dynamic Vlan is a Gvrp Vlan Current Vlan Egress Configuration Screen Current Vlan Egress Configuration Screen Vlan Port Configuration Screen Policy Pvid Override is Pvid Changing the Port Mode Configuring the Vlan Ports Vlan Classification Configuration Screen Admit Tagged Frames only VID VID DEL ALL/DEL ClassificationDescription Marked 0x0000 0x00000000 000000.000.000.000 Tftp Http DNS Smtp Src TCP Port FTP Data Nlsp IPX WAN Custom 00-00-00-00-00-00 Classification Precedence Rules Layer Classification Precedence Example Displaying the Current Classification Rule Assignments Assigning a Classification to a VID Deleting All Classification Rules Protocol Port Configuration ScreenDeleting Line Items Deleting One or More Classification Rules Protocol Port Configuration Screen Classify Classification RuleField Assigning All Ports Simultaneously Assigning Ports to a VID/ClassificationAssigning One or More Ports Individually SET Ports to Assigning VID/Classification to Port Vlan Lists 802.1p Configuration Menu Screen Navigation Paths 802.1p Configuration Menu Screen When to Use Port Priority Configuration Transmit Port PriorityTraffic Class Queues Port Priority Configuration Screen Port Priority Configuration Screen Set Setting Switch Port Priority Port-by-PortPolicy Override Setting Switch Port Priority on All Ports Traffic Class Information Screen Traffic Class Information Screen Traffic Class Information Screen Field Descriptions Traffic Class Configuration Screen Traffic Class Configuration Screen Save Assigning the Traffic Class to Port PriorityTraffic Class Transmit Queues Configuration Screen Transmit Queues Configuration Screen Mode Weights Q0, Q1Current Queueing Q2, Q3 Setting the Current Queueing Mode Priority Classification Configuration Screen PID PID 18802.1p Configuration Menu Screens No Change TOS=PID Custom TCP No Change TOS=PID Custom Dest IP Address Mask New IP TOS Tftp Src TCP Port New IP TOS FTP Data IP Fragments New IP TOS IP Fragments2 Start End New IP TOS 00000 Dest TCP Port Start End New IP TOS 00000 SAP 28802.1p Configuration Menu Screens Layer About the IP TOS Rewrite Function Displaying the Current PID/Classification Assignments Assigning a Classification to a PID Deleting One or More Line Items Deleting PID/Classification/Description Line ItemsDeleting All Line Items Protocol Port Configuration Screen See which ports are set to the PID/Classification indicated Assigning Ports to a PID/Classification Solving the Problem Switch Rate Limiting Configuration Screen Priority List Maximum Feature Port Number Modifiable Port Type Direction Configuring a Port 42802.1p Configuration Menu Screens Changing/Deleting Port Line Items Changing One or More Line Items More About Rate Limiting Rate Limiting Configuration Screen Page Layer 3 Extensions Menu Screens Layer 3 Extensions Menu Screen IGMP/VLAN Layer 3 Extensions Menu Screen IGMP/VLAN Configuration Screen Igmp Version 120 Robustness Query IntervalQuery Response Last Member Query Querier Address Switch Query IPMcastMartPoolSize Querier Uptime IGMP/VLAN Configuration Procedure Igmp StatePage Device Statistics Menu Screens Device Statistics Menu Screen Lists the number of frames received, transmitted, filtered, Switch Statistics Screen Rmon Frames Fltrd Frames RcvdFrames Txmtd Interface Statistics Screen Frames Frwded InOctets Interface Statistics Screen InUnicast InErrorsOutErrors InNonUnicast Displaying Interface Statistics MTU Rmon Statistics Screen Rmon Statistics Screen Data Source CRC Align ErrorsRmon Index Owner Jabbers Oversized PktsFragments Total Packets Index nn Displaying Rmon Statistics1024 1518 Octets Network Tools Screens Screen ExampleNetwork Tools Help Screen Refer to -1for a list of the commands Command Alias Examples Alias Stats Arp Arp-a Bridge Syntax Bridge ENABLE/DISABLE IFNUM/ALL OptionsArplearn Syntax Arplearn normal limited status Options Defroute Syntax Cdp enable/disable/status OptionsCdp Vid DynamicegressSyntax dynamicegress action vid Options action Syntax Enable Group Disable Group Trap #ALL Commands for Listing Events Igmpv3drop Syntax igmpv3drop enable disable statusGigabitportmode Syntax gigabitportmode active redundant status Lgframeadmin Linktrap Syntax linktrap enable/disable/status PORT/allSyntax loopbackdetect enable disable state Loopbackdetect Maclock Syntax maclock show port# all Maclock set macaddress port# all create enable disable Syntax Maclock set enable port# all globalMaclock set disable port# all global Maclock set trap port# all enable disable Maclock show Stations Maclock set enable global Netstat Nonbridgeifnum Syntax nonbridgeifnum 0 9999 status PassiveStp Ping Policy show port portnumberorrangeorall PolicySyntax policy show profile profileindex Policy set port portnumberorrangeorall profileindex Examples Contiued Policy show port Radius 11-24Network Tools Screens Character string for the shared secret code. For security Radius client Examples Cont’d Syntax ratelimitmode status highrange default lowrangeRatelimitmode Reset Syntax reset Options None Example -reset Syntax Satsize 8 16 status Options SatsizeShow Show Appletalk interfaces StpEdgePort SoftresetSyntax softreset Options None Syntax stpEdgePort status StpForceVersion Syntax StpForceVersion 0 2 status Options Recommended Syntax stpLegacyPathCost enable disable statusStpLegacyPathCost Value StpPointToPointMAC StpRealTimeMsgAge Syntax stpRealTimeMsgAge enable disable statusStpPort Telnet Syntax Suppresstopologytraps enable disable OptionsSuppresstopologytraps Syntax Telnet IP address Port # Options Syntax timedsoftreset status t seconds resetnv dontresetnv TimedsoftresetTimedreset Syntax timedreset status t seconds resetnv dontresetnv Traceroute Syntax Traceroute IP address Options VrrpPort EXAMPLE, Effects of Aging Time on Dynamic Egress Done, quit, exit Options None Example -done Vlan Operation and Network Applications Defining VLANs Example of a Vlan Other Vlan Strategies Types of VLANs12.2.1 802.1Q VLANs Ingress Benefits and RestrictionsVlan Terms Identifier FDB ID Default VlanFiltering Database Tagged Frame Gvrp QcstpGarp Garp Vlan Gmrp Configuration Process Vlan Operation Classifying Frames to a Vlan Vlan Switch OperationDefining a Vlan Customizing the Vlan Forwarding List FID Tagged Frames Receiving Frames from Vlan PortsUntagged Frames Forwarding Decisions Known Unicasts Vlan ConfigurationManaging the Switch Switch Without VLANs Switch with VLANs Switch Management with VLANs 12-14VLAN Operation and Network Applications 3069162 Quick Vlan Walkthrough Assigning a Vlan ID and Vlan Name Walkthrough Stage One, Static Vlan Configuration Screen Assigning Ports to the Vlan Egress list Walkthrough Stage Two, Port 3 Egress Setting Configuring the Port Parameters Walkthrough Stage Three, Port 10 Egress Setting Walkthrough Stage Four, Vlan Port Configuration Example 1, Single Switch Operation Examples For the Red Vlan 11 Switch Configured for VLANs Frame Handling Example 2, VLANs Across Multiple Switches Redco Blue Industries 12-26VLAN Operation and Network Applications Switch 12-28VLAN Operation and Network Applications Redco Blue Industries User a Blue Industries Redco 15 Transmitting to Bridge Switches 1 Finance Department Example 5, Using Dynamic Egress to Control Traffic PCs 00.00.00.00.00.0A Switch SET ALL Ports no Vlan Operation and Network Applications Page Generic Attribute Registration Protocol Garp HOW IT Works About Igmp Supported Features and Functions Detecting Multicast Routers Page Index Numerics Index-2 Index-3 Index-4 Index-5 Index-6 Index-7 Index-8 Index-9 Index-10 Index-11