14Accessing Local Management | Enterasys Networks 2E253, 2H253

Overview of Security Methods

If the server returns an “access-accept” response (the user successfully authenticated), it must also return a Radius “FilterID” attribute containing an ASCII string with the following fields in the specified format:

“Enterasys:version=V:mgmt=M:policy=N”

Where:

V is the version number (currently V=1)

M is the access level for management, one of the following strings:

“su” for super-user access

“rw” for read-write access

“ro” for read-only access

N is the policy profile string (refer to the policy profile MIB)

NOTES:

1. Quotation marks (“ ”) are used for clarification only, and are not part of the command strings.

2.If the FilterID attribute is not returned, or the “mgmt” field is absent or contains an unrecognizable value, access to Local Management is denied.

3.Policy profiles are not yet deployed and the “policy=N” part may be omitted.

The secondary server is always consulted if it is configured. Note that the minimum additional information that must be configured to use a server is its IP and Shared Secret.

A backup secondary server is always consulted if it has been configured with its IP and Shared Secret. If communication is lost to all servers, and the user is connected to the local console serial port, the authorization screen will change to allow access to the switch by using the Local Management Module password.

If the user is connected remotely via TELNET or WebView, the switch will continue to deny access until communication with the Radius Server is operational again. Optionally, if the switch has been configured to allow remote access, the switch can be configured to use the Local Management Module password in the event of a Radius failure.

3-14Accessing Local Management

Image 52

Enterasys Networks 2E253, 2H253, 2H252, 2H258 manual 14Accessing Local Management

Contents

SmartSwitch 2200 Series Page Page Enterasys NETWORKS, INC Program License Agreement Page Page Contents Device Configuration Menu Screens Port Configuration Menu Screens Configuration Menu Screens Layer 3 Extensions Menu Screens Network Tools Screens Generic Attribute Registration Protocol Garp Figures Xiii Xiv Tables Xvi Tables Using this Guide About This Guide Structure of this Guide Xix Related Documents Document Conventions Typographical and Keystroke Conventions Bold typePage Introduction Overview Management Agent Navigating Local Management Screens In-Band vs. Out-of-BandLocal Management Requirements Local Management Screen Elements None Defined Event Message Field Display FieldsInput Fields Selection Fields Command Fields Local Management Keyboard Conventions Getting Help Your email addressPage Management Terminal Setup Local Management Requirements 2H252-25R SmartSwitch device is shown in -1as an example Console Cable Connection Management Terminal Setup Parameters VT100ID Monitoring AN Uninterruptible Power Supply Telnet Connections DB9 Port RJ45 COM Port Page Accessing Local Management 802.1Q Switching Mode, LM Screen Hierarchy Using the Exit Command Using the Return CommandSelecting Local Management Menu Screen Items Exiting Local Management Screens Using the Next and Previous Commands Using the Clear Counters CommandPassword Screen When to Use How to Access Screen Example Enter Device Menu Screen Screen Navigation Path Configuration Menu DescriptionsDevice Menu Tools NetworkSecurity Cont’d Section Overview of Security Methods Host Access Control Authentication Haca Overview of Security Methods 14Accessing Local Management 2 802.1X Port Based Network Access Control Definitions of Terms and Abbreviations 2.2 802.1X Security Overview MAC Authentication Overview Authentication Method SelectionAuthentication Method Sequence Concurrent Operation of 802.1X and MAC Authentication MAC 20Accessing Local Management MAC Authentication Control Security Menu Screen Refer to -4for a functional description of each menu item Passwords Name ServicesAuthentication Radius Passwords Screen Module Login Passwords Screen Switch Field Descriptions Setting the Module Login Password Radius Configuration Screen Timeout Retries Last Resort Action/Local Selectable Last Resort Action/Remote ToggleRadius Client IP Address Setting the Last Resort Authentication Setting the Local and Remote Servers Name Services Configuration Screen Name Services Configuration Screen Switch Name Modifiable Name ServicesWeb Authentication Secure Harbour IP System Authentication Configuration Screen System Authentication Configuration Screen Authentication Authenticated , or UnauthenticatedSystem Port # EAP Port Configuration Screen EAP Port Configuration Screen Port Authentication State Backend State Port Control Force Reauth Initialize PortMaximum Requests EAP Statistics Menu Screen 10 EAP Statistics Menu Screen EAP Diagnostic AuthenticatorEAP Session EAP Session Statistics Screen When to Use 11 EAP Session Statistics Screen Authenticate Server or a local Authentication Server Method SessionIDSessionOctetsRx SessionOctetsTx EAP Authenticator Statistics Screen When to Use Clear Counters CommandSession User Name Port Number 12 EAP Authenticator Statistics Screen Clear Counters EAP Diagnostic Statistics Screen When to Use 13 EAP Diagnostic Statistics Screen Enters Connecting Logoffs ConnectingAuthenticating Timeouts Authenticated Access ChallengesBackend Statistics Responses Other Requests To Clear MAC Port Configuration ScreenCounters Port Enable 14 MAC Port Configuration Screen MAC Supplicant Configuration Screen SET ALL Ports Duration MAC Address Reauthenticate Sup Initialize SupplicantPlicant False Device Configuration Menu Screens Device Configuration Menu Screen General Configuration General SnmpResources Information General Configuration Screen 0.0 Default Gateway Subnet MaskTftp Gateway IP Addr Operational Mode Device TimeScreen Refresh Time Agg Mode Clear NvramIP Fragmentation WebView Setting the IP Address Configuration Warning Screen, IP Address Setting the Subnet Mask Configuration Warning Screen, Subnet Mask Setting the Default Gateway Setting the Tftp Gateway IP Address Setting the Module Name Setting the Device Date Setting the Screen Lockout Time Setting the Device TimeEntering a New Screen Refresh Time Configuring the COM Port Changing the COM Port Application COM Port Warning Clearing Nvram UPS Enabling/Disabling IP Fragmentation Clear Nvram Warning Snmp Configuration Menu Screen Snmp Configuration Menu Screen Snmp Community Names Configuration Screen Snmp Community Names Configuration Screen Establishing Community Names Snmp Traps Configuration Screen Snmp Traps Configuration Screen Configuring the Trap Table Enable TrapsTrap Destination Trap Community Access Control List Screen 10 Access Control List Screen Access Control Lists IP Addr Entering Single Addresses Entering IP AddressesMask Entering Ranges of Addresses Enable/Disable ACL System Resources Information Screen XX KB Setting the Reset Peak Switch Utilization Flash Download Configuration Screen 12 Flash Download Configuration Screen Flash Download Configuration Screen Field Descriptions Reboot After DownloadDownload Server IP Download File Image File Download Using Runtime Configuration File Download Using Tftp Configuration File Upload Using Tftp 36Device Configuration Menu Screens Port Configuration Menu Screens Port Configuration Menu Screen Port Configuration Menu Screen in Agg Mode, Huntgroup Ethernet InterfaceHSIM/VHSIM Redirect Ethernet Interface Configuration Screen Intf Port Type Config LinkSpeed Duplex Ethernet Port Configuration Screen HDX FC Refer to -3for a functional description of each screen field Default Speed Default DuplexInterface Physical Port 10Port Configuration Menu Screens Full Duplex Flow ControlHalf Duplex Flow Save to ALL Selecting Field Settings Setting the Advertised Ability Redirect Configuration Menu Screen HSIM/VHSIM Configuration ScreenConfiguration Menu Redirect Configuration Menu Screen Port Redirect Configuration Screen Source Port Destination Port Redirect Errors Frame FormatSource Port n Status Changing Source and Destination Ports Vlan Redirect Configuration Screen Vlan Redirect Configuration Screen Source Vlan Source Vlan n Changing Source Vlan and Destination Ports Usage Notes Aggregation Menu Rapid Reconfiguration Spanning Tree Definitions to Know Link Aggregation 802.3ad Main Menu Screen 1 802.3ad Port Screen When to Use Aggregator 802.3ad Port Screen Viewing and Editing 802.3ad Port Parameters AggregatorOperKey MUX 1.1 802.3ad Port Details Screen When to Use 10 802.3ad Port Details Screen ActorSystemPriority Port Instance PartnerAdminSysID ActorOperState PartnerOperState Lagid Displaying Port StatisticsStats 1.2 802.3ad Port Statistics Screen When to Use 11 802.3ad Port Statistics Screen LACPDUsRx IllegalRxMarkerPDUsRx LACPDUsTx LastRxTimedelta ActorChurnStatePartnerChurnState ActorChurnCount 2 802.3ad Aggregator Screen When to Use 12 802.3ad Aggregator Screen Viewing and Editing 802.3ad Aggregator Parameters Displaying Aggregator DetailsAggInst SysPri 2.1 802.3ad Aggregator Details Screen When to Use 13 802.3ad Aggregator Details Screen Instance Partner 3 802.3ad System Screen When to Use 14 802.3ad System Screen Broadcast Suppression Configuration Screen System IdentifierNumber of Ports Number Port # Total RX Setting the Threshold Setting the Reset Peak Configuration Menu Screens 802.1 Configuration Menu Screen 802.1 Configuration Menu Screen 802.1Q Vlan Spanning Tree802.1p Spanning Tree Configuration Menu Screen Tree Configuration Menu Spanning Tree Configuration Screen Vlan AgeTime Current STP Mode ConfiguredPriority Operation Configuring a Vlan Spanning Tree Spanning Tree Port Configuration Screen Spanning Tree Port Configuration Screen Age Time Switch AddressSTP Vlan ID Pvst Port Configuration Screen Enabling/Disabling the Default Spanning Tree PortsViewing Status of Spanning Tree Ports Port Designated Root CorrespondingPort Designated Port Priority Port Designated CostPort State Port Designated PortPage 802.1Q Vlan Configuration Menu Screens Vlan Configuration Menu Preparing for Vlan Configuration Summary of Vlan Local Management 802.1Q Vlan Configuration Menu Screen 802.1Q Vlan Configuration Menu Screen Current Vlan Static VlanVlan Port Static Vlan Configuration Screen Classification Vlan ID FDB ID Creating a Static Vlan Vlan NameADD DEL Marked Displaying the Current Static Vlan Port Egress List Renaming a Static Vlan Deleting a Static Vlan Paging Through the Vlan List Static Vlan Egress Configuration Screen Static Vlan Egress Configuration Screen Egress Setting the Egress Type on One or More Ports Individually Setting Egress Types on PortsSetting the Same Egress Type on All Ports Simultaneously Current Vlan Configuration Screen Displaying the Next Group of Ports Vlan Type Read-Only An example of a dynamic Vlan is a Gvrp Vlan Current Vlan Egress Configuration Screen Current Vlan Egress Configuration Screen Vlan Port Configuration Screen Policy Pvid Override is Pvid Changing the Port Mode Configuring the Vlan Ports Vlan Classification Configuration Screen Admit Tagged Frames only VID VID Classification DescriptionDEL ALL/DEL Marked 0x0000 000.000.000.000 0000x00000000 Tftp Http DNS Smtp Src TCP Port FTP Data Nlsp IPX WAN Custom 00-00-00-00-00-00 Classification Precedence Rules Layer Classification Precedence Example Displaying the Current Classification Rule Assignments Assigning a Classification to a VID Protocol Port Configuration Screen Deleting Line ItemsDeleting All Classification Rules Deleting One or More Classification Rules Protocol Port Configuration Screen Field Classification RuleClassify Assigning Ports to a VID/Classification Assigning One or More Ports IndividuallyAssigning All Ports Simultaneously SET Ports to Assigning VID/Classification to Port Vlan Lists 802.1p Configuration Menu Screen Navigation Paths 802.1p Configuration Menu Screen When to Use Port Priority Configuration Port Priority Traffic ClassTransmit Queues Port Priority Configuration Screen Port Priority Configuration Screen Policy Override Setting Switch Port Priority Port-by-PortSet Setting Switch Port Priority on All Ports Traffic Class Information Screen Traffic Class Information Screen Traffic Class Information Screen Field Descriptions Traffic Class Configuration Screen Traffic Class Configuration Screen Traffic Class Assigning the Traffic Class to Port PrioritySave Transmit Queues Configuration Screen Transmit Queues Configuration Screen Weights Q0, Q1 Current QueueingMode Q2, Q3 Setting the Current Queueing Mode Priority Classification Configuration Screen PID PID 18802.1p Configuration Menu Screens No Change TOS=PID Custom TCP No Change TOS=PID Custom Dest IP Address Mask New IP TOS Tftp Src TCP Port New IP TOS FTP Data IP Fragments New IP TOS IP Fragments2 Start End New IP TOS 00000 Dest TCP Port Start End New IP TOS 00000 SAP 28802.1p Configuration Menu Screens Layer About the IP TOS Rewrite Function Displaying the Current PID/Classification Assignments Assigning a Classification to a PID Deleting All Line Items Deleting PID/Classification/Description Line ItemsDeleting One or More Line Items Protocol Port Configuration Screen See which ports are set to the PID/Classification indicated Assigning Ports to a PID/Classification Solving the Problem Switch Rate Limiting Configuration Screen Priority List Maximum Feature Port Number Modifiable Port Type Direction Configuring a Port 42802.1p Configuration Menu Screens Changing/Deleting Port Line Items Changing One or More Line Items More About Rate Limiting Rate Limiting Configuration Screen Page Layer 3 Extensions Menu Screens Layer 3 Extensions Menu Screen IGMP/VLAN Layer 3 Extensions Menu Screen IGMP/VLAN Configuration Screen Igmp Version 120 Query Interval Query ResponseRobustness Last Member Query Switch Query IP McastMartPoolSizeQuerier Address Querier Uptime IGMP/VLAN Configuration Procedure Igmp StatePage Device Statistics Menu Screens Device Statistics Menu Screen Lists the number of frames received, transmitted, filtered, Switch Statistics Screen Rmon Frames Txmtd Frames RcvdFrames Fltrd Interface Statistics Screen Frames Frwded InOctets Interface Statistics Screen InErrors OutErrorsInUnicast InNonUnicast Displaying Interface Statistics MTU Rmon Statistics Screen Rmon Statistics Screen CRC Align Errors Rmon IndexData Source Owner Oversized Pkts FragmentsJabbers Total Packets 1024 1518 Octets Displaying Rmon StatisticsIndex nn Network Tools Screens Screen ExampleNetwork Tools Help Screen Refer to -1for a list of the commands Command Alias Examples Alias Stats Arp Arp-a Syntax Bridge ENABLE/DISABLE IFNUM/ALL Options ArplearnBridge Syntax Arplearn normal limited status Options Cdp Syntax Cdp enable/disable/status OptionsDefroute Syntax dynamicegress action vid Options action DynamicegressVid Syntax Enable Group Disable Group Trap #ALL Commands for Listing Events Syntax igmpv3drop enable disable status GigabitportmodeIgmpv3drop Syntax gigabitportmode active redundant status Lgframeadmin Syntax linktrap enable/disable/status PORT/all Syntax loopbackdetect enable disable stateLinktrap Loopbackdetect Maclock Syntax maclock show port# all Syntax Maclock set enable port# all global Maclock set disable port# all globalMaclock set macaddress port# all create enable disable Maclock set trap port# all enable disable Maclock show Stations Maclock set enable global Netstat Nonbridgeifnum Syntax nonbridgeifnum 0 9999 status PassiveStp Ping Policy Syntax policy show profile profileindexPolicy show port portnumberorrangeorall Policy set port portnumberorrangeorall profileindex Examples Contiued Policy show port Radius 11-24Network Tools Screens Character string for the shared secret code. For security Radius client Ratelimitmode Syntax ratelimitmode status highrange default lowrangeExamples Cont’d Reset Syntax reset Options None Example -reset Show SatsizeSyntax Satsize 8 16 status Options Show Appletalk interfaces Softreset Syntax softreset Options NoneStpEdgePort Syntax stpEdgePort status StpForceVersion Syntax StpForceVersion 0 2 status Options Syntax stpLegacyPathCost enable disable status StpLegacyPathCostRecommended Value StpPointToPointMAC StpPort Syntax stpRealTimeMsgAge enable disable statusStpRealTimeMsgAge Syntax Suppresstopologytraps enable disable Options SuppresstopologytrapsTelnet Syntax Telnet IP address Port # Options Timedsoftreset TimedresetSyntax timedsoftreset status t seconds resetnv dontresetnv Syntax timedreset status t seconds resetnv dontresetnv Traceroute Syntax Traceroute IP address Options VrrpPort EXAMPLE, Effects of Aging Time on Dynamic Egress Done, quit, exit Options None Example -done Vlan Operation and Network Applications Defining VLANs Example of a Vlan 12.2.1 802.1Q VLANs Types of VLANsOther Vlan Strategies Vlan Terms Benefits and RestrictionsIngress Default Vlan Filtering DatabaseIdentifier FDB ID Tagged Frame Qcstp Garp Garp VlanGvrp Gmrp Configuration Process Vlan Operation Vlan Switch Operation Defining a VlanClassifying Frames to a Vlan Customizing the Vlan Forwarding List FID Receiving Frames from Vlan Ports Untagged FramesTagged Frames Forwarding Decisions Managing the Switch Vlan ConfigurationKnown Unicasts Switch Without VLANs Switch with VLANs Switch Management with VLANs 12-14VLAN Operation and Network Applications 3069162 Quick Vlan Walkthrough Assigning a Vlan ID and Vlan Name Walkthrough Stage One, Static Vlan Configuration Screen Assigning Ports to the Vlan Egress list Walkthrough Stage Two, Port 3 Egress Setting Configuring the Port Parameters Walkthrough Stage Three, Port 10 Egress Setting Walkthrough Stage Four, Vlan Port Configuration Example 1, Single Switch Operation Examples For the Red Vlan 11 Switch Configured for VLANs Frame Handling Example 2, VLANs Across Multiple Switches Redco Blue Industries 12-26VLAN Operation and Network Applications Switch 12-28VLAN Operation and Network Applications Redco Blue Industries User a Blue Industries Redco 15 Transmitting to Bridge Switches 1 Finance Department Example 5, Using Dynamic Egress to Control Traffic PCs 00.00.00.00.00.0A Switch SET ALL Ports no Vlan Operation and Network Applications Page Generic Attribute Registration Protocol Garp HOW IT Works About Igmp Supported Features and Functions Detecting Multicast Routers Page Index Numerics Index-2 Index-3 Index-4 Index-5 Index-6 Index-7 Index-8 Index-9 Index-10 Index-11