Manuals / Brands / Computer Equipment / Network Card / Enterasys Networks / Computer Equipment / Network Card

Enterasys Networks 2E253, 2H252, 2H253, 2H258 3.4.2 802.1X Port Based Network Access Control, 3.4.2.1 Definitions of Terms and Abbreviations

1 390

Download 390 pages, 3.53 Mb

Overview of Security Methods

Accessing Local Management 3-15

3.4.2 802.1X Port Based Network Access Control

This section provides

•a brief description of 802.1X Port Based Network Access Control,

•definitions of common terms and abbreviations, and

•an overview of the tasks that may be accomplished using the 802.1X and EAP security and

authentication features.

When using the physical access characteristics of IEEE 802 LAN infrastructures, the 802.1X

standard provides a mechanism for administrators to securely authenticate and grant appropriate

access to end user devices directly attached to switch ports. When configured in conjunction with

NetSight Policy Manager and Radius server(s), Enterasys Networks’ switchs can dynamically

administer user based policy that is specifically tailored to the end user’s needs.

3.4.2.1 Definitions of Terms and Abbreviations

Tabl e 3-2 provides an explanation of authentication terms and abbreviations used when describing

the 802.1X and EAP security and authentication features.

Table 3-2 Authentication Terms and Abbreviations

Term Definition

EAP Extensible Authentication Protocol (e.g., Microsoft IAS

Server and Funk Steel Belted Radius).

PAE Port Access Entity, device firmware that implements or

participates in the protocol.

PWA Port Web Authentication, an enterprise specific

authentication process using a web browser user-login

process to gain access to ports.

RADIUS Remote Authentication Dial In User Service.

Authenticator The entity that sits between a supplicant and the

authentication server. The authenticator’s job is to pass

authenticating information between the supplicant and

authentication server until an authentication decision is

made.

Contents

Main Page NOTICE Version: Information in this guide refers to SmartSwitch 2200 Series firmware version 5.05.xx. ENTERASYS NETWORKS, INC. PROGRAM LICENSE AGREEMENT Page Page Contents ABOUT THIS GUIDE 1 2 3 4 5 6 7 8 9 10 11 12 A B Figures Page Page Tables Page About This Guide USING THIS GUIDE STRUCTURE OF THIS GUIDE Page RELATED DOCUMENTS DOCUMENT CONVENTIONS TYPOGRAPHICAL AND KEYSTROKE CONVENTIONS Page Introduction 1.1 OVERVIEW 1.1.1 The Management Agent 1.1.2 In-Band vs. Out-of-Band 1.2 NAVIGATING LOCAL MANAGEMENT SCREENS 1.3 LOCAL MANAGEMENT REQUIREMENTS Local Management Screen Elements 1-4 Introduction 1.4 LOCAL MANAGEMENT SCREEN ELEMENTS Event Message Field Display Field Input Fields Display Fields See Note Event Message Field Display Fields Input Fields Selection Fields Command Fields 1.5 LOCAL MANAGEMENT KEYBOARD CONVENTIONS 1.6 GETTING HELP Page Local Management Requirements 2.1 MANAGEMENT TERMINAL SETUP Management Terminal Setup 2-2 Local Management Requirements 2.1.1 Console Cable Connection FAST ETHERNET WORKGROUP SWITCH 30691_02 Figure 2-1 Management Terminal Connection RJ45 COM Port 2.1.2 Management Terminal Setup Parameters 2.2 TELNET CONNECTIONS 2.3 MONITORING AN UNINTERRUPTIBLE POWER SUPPLY Monitoring an Uninterruptible Power Supply Local Management Requirements 2-5 Figure 2-2 Uninterruptible Power Supply (UPS) Connection RJ45 COM Port UPS Device RJ45-to-DB9 UPS Adapter DB9 Port UTP Cable with RJ45 Connectors Page Accessing Local Management 3.1 NAVIGATING LOCAL MANAGEMENT SCREENS Navigating Local Management Screens B * Refer to the SmartTrunk Users Guide for the screen hierarchy. Does not apply to MATRIX E7. 3-2 Accessing Local Management Figure 3-1 802.1Q Switching Mode, LM Screen Hierarchy B 3.1.3 Using the NEXT and PREVIOUS Commands 3.1.4 Using the CLEAR COUNTERS Command 3.2 PASSWORD SCREEN Page Page Page Page Page Page 3.4 OVERVIEW OF SECURITY METHODS 3.4.1 Host Access Control Authentication (HACA) Page 3.4.2 802.1X Port Based Network Access Control 3.4.2.1 Definitions of Terms and Abbreviations 3.4.2.2 802.1X Security Overview 3.4.3 MAC Authentication Overview 3.4.3.1 Authentication Method Selection 3.4.3.3 Concurrent Operation of 802.1X and MAC 3.4.3.2 Authentication Method Sequence Authentication Page Page 3.4.4 MAC Authentication Control 3.5 SECURITY MENU SCREEN Refer to Tabl e 3-4 for a functional description of each menu item. Page Page Page 3.6.1 Setting the Module Login Password 3.7 RADIUS CONFIGURATION SCREEN Page Page 3.7.1 Setting the Last Resort Authentication 3.7.2 Setting the Local and Remote Servers Page Page 3.9 SYSTEM AUTHENTICATION CONFIGURATION SCREEN Page EAP (Port) Configuration Screen Accessing Local Management 3-35 3.10 EAP (PORT) CONFIGURATION SCREEN To configure authentication settings for each port. Figure 3-9 EAP Port Configuration Screen Page Page Page Page Page Page Page Page 3.11.2 EAP Authenticator Statistics Screen Page Page 3.11.3 EAP Diagnostic Statistics Screen Page Page 3.12 MAC PORT CONFIGURATION SCREEN Page 3.13 MAC SUPPLICANT CONFIGURATION SCREEN Page Page Device Configuration Menu Screens Page Page General Configuration Screen 4-4 Device Configuration Menu Screens 4.2 GENERAL CONFIGURATION SCREEN Figure 4-2 General Configuration Screen Page Page Page 4.2.1 Setting the IP Address 4.2.2 Setting the Subnet Mask 4.2.3 Setting the Default Gateway 4.2.4 Setting the TFTP Gateway IP Address 4.2.5 Setting the Module Name 4.2.6 Setting the Device Date 4.2.7 Setting the Device Time 4.2.8 Entering a New Screen Refresh Time 4.2.9 Setting the Screen Lockout Time 4.2.10 Configuring the COM Port 4.2.10.1 Changing the COM Port Application WARNING 4.2.11 Clearing NVRAM 4.2.12 Enabling/Disabling IP Fragmentation WARNING Page 4.4 SNMP COMMUNITY NAMES CONFIGURATION SCREEN Page 4.4.1 Establishing Community Names SNMP Traps Configuration Screen Device Configuration Menu Screens 4-21 4.5 SNMP TRAPS CONFIGURATION SCREEN Refer to Tabl e 4-6 for a functional description of each screen field. Figure 4-9 SNMP Traps Configuration Screen 4.5.1 Configuring the Trap Table Access Control List Screen Device Configuration Menu Screens 4-23 4.6 ACCESS CONTROL LIST SCREEN Figure 4-10 Access Control List Screen Page 4.6.1 Entering IP Addresses Entering Single Addresses Entering Ranges of Addresses 4.6.2 Enable/Disable ACL 4.7 SYSTEM RESOURCES INFORMATION SCREEN 4.7.1 Setting the Reset Peak Switch Utilization 4.8 FLASH DOWNLOAD CONFIGURATION SCREEN FLASH Download Configuration Screen Device Configuration Menu Screens 4-31 Figure 4-12 Flash Download Configuration Screen Page Page 4.8.1 Image File Download Using Runtime 4.8.2 Configuration File Download Using TFTP 4.8.3 Configuration File Upload Using TFTP Page Port Configuration Menu Screens Page Page 5.2 ETHERNET INTERFACE CONFIGURATION SCREEN Ethernet Interface Configuration Screen Port Configuration Menu Screens 5-5 Figure 5-3 Ethernet Interface Configuration Screen Refer to Tabl e 5-2 for a functional description of each screen field. Table 5-2 Ethernet Interface Configuration Screen Field Descriptions Page 5.3 ETHERNET PORT CONFIGURATION SCREEN Page Page Page Page 5.3.1 Selecting Field Settings 5.3.2 Setting the Advertised Ability Page Page 5.6 PORT REDIRECT CONFIGURATION SCREEN Port Redirect Configuration Screen 5-16 Port Configuration Menu Screens Figure 5-6 Port Redirect Configuration Screen only one destination port associated with one or more VLANs. Refer to Tabl e 5-5 for a functional description of each screen field. Table 5-5 Port Redirect Configuration Screen Field Descriptions Source Port (Read-Only) See the VLAN ID of the VLANs that are currently set as source Page 5.6.1 Changing Source and Destination Ports 5.7 VLAN REDIRECT CONFIGURATION SCREEN VLAN Redirect Configuration Screen 5-20 Port Configuration Menu Screens Figure 5-7 VLAN Redirect Configuration Screen Page 5.7.1 Changing Source VLAN and Destination Ports 5.8 LINK AGGREGATION MENU SCREEN (802.3ad MAIN MENU SCREEN) Usage Notes Definitions to Know Page Page 5.8.1 802.3ad Port Screen 5-28 Port Configuration Menu Screens Figure 5-9 802.3ad Port Screen Refer to Tabl e 5-8 for a functional description of each screen field. Viewing and Editing 802.3ad Port Parameters 5-30 Port Configuration Menu Screens 5.8.1.1 802.3ad Port Details Screen Figure 5-10 802.3ad Port Details Screen Page Page ActorOperState Page Viewing and Editing 802.3ad Port Parameters Displaying Port Statistics 5-36 Port Configuration Menu Screens 5.8.1.2 802.3ad Port Statistics Screen Refer to Tabl e 5-10 for a functional description of each screen field. Figure 5-11 802.3ad Port Statistics Screen Page Page Port Configuration Menu Screens 5-39 5.8.2 802.3ad Aggregator Screen Refer to Tabl e 5-11 for a functional description of each screen field. Figure 5-12 802.3ad Aggregator Screen Viewing and Editing 802.3ad Aggregator Parameters Displaying Aggregator Details 5.8.2.1 802.3ad Aggregator Details Screen Page Page 5.9 BROADCAST SUPPRESSION CONFIGURATION SCREEN Broadcast Suppression Configuration Screen Port Configuration Menu Screens 5-45 Figure 5-15 Broadcast Suppression Configuration Screen Refer to Tabl e 5-14 for a functional description of each screen field. Table 5-14 Broadcast Suppression Configuration Screen Field Descriptions 5.9.1 Setting the Threshold 5.9.2 Setting the Reset Peak 802.1 Configuration Menu Screens Page Page Page 6.3 SPANNING TREE CONFIGURATION SCREEN Page Page 6.3.1 Configuring a VLAN Spanning Tree Spanning Tree Port Configuration Screen 802.1 Configuration Menu Screens 6-9 6.4 SPANNING TREE PORT CONFIGURATION SCREEN Figure 6-4 Spanning Tree Port Configuration Screen Page Page Page Page Page 802.1Q VLAN Configuration Menu Screens 7.1 SUMMARY OF VLAN LOCAL MANAGEMENT 7.1.1 Preparing for VLAN Configuration 7.2 802.1Q VLAN CONFIGURATION MENU SCREEN Page Page 7.3 STATIC VLAN CONFIGURATION SCREEN Page 7.3.1 Creating a Static VLAN 7.3.2 Displaying the Current Static VLAN Port Egress List 7.3.3 Renaming a Static VLAN 7.3.4 Deleting a Static VLAN information. 7.3.5 Paging Through the VLAN List Static VLAN Egress Configuration Screen 802.1Q VLAN Configuration Menu Screens 7-11 7.4 STATIC VLAN EGRESS CONFIGURATION SCREEN to configure a port connected to an end user device. with the VLAN. This setting is usually to configure a port as a trunk port to another switch. Figure 7-4 Static VLAN Egress Configuration Screen Page 7.4.1 Setting Egress Types on Ports Setting the Egress Type on One or More Ports Individually Setting the Same Egress Type on All Ports Simultaneously Page Page 7.6 CURRENT VLAN EGRESS CONFIGURATION SCREEN 7.7 VLAN PORT CONFIGURATION SCREEN VLAN Port Configuration Screen 7-18 802.1Q VLAN Configuration Menu Screens Figure 7-7 VLAN Port Configuration Screen Refer to Tabl e 7-6 for a functional description of each screen field. Table 7-6 VLAN Port Configuration Screen Field Descriptions Policy PVID Override is (Read-Only) Page 7.7.1 Changing the Port Mode 7.7.2 Configuring the VLAN Ports 7.8 VLAN CLASSIFICATION CONFIGURATION SCREEN Page Page Page Page Page Page Page 7.8.1 Classification Precedence Rules - - - - Page Page 7.8.2 Displaying the Current Classification Rule Assignments 7.8.3 Assigning a Classification to a VID 7.8.4 Deleting Line Items Deleting All Classification Rules Deleting One or More Classification Rules 7.9 PROTOCOL PORT CONFIGURATION SCREEN Page Page 7.9.1 Assigning Ports to a VID/Classification Assigning One or More Ports Individually Assigning All Ports Simultaneously Assigning VID/Classification to Port VLAN Lists 802.1p Configuration Menu Screens Screen Navigation Paths Page Page Page Port Priority Configuration Screen Refer to Tabl e 8-2 for a functional description of each screen field. 802.1p Configuration Menu Screens 8-5 Figure 8-2 Port Priority Configuration Screen 8.2.1 Setting Switch Port Priority Port-by-Port 8.2.2 Setting Switch Port Priority on All Ports 8.3 TRAFFIC CLASS INFORMATION SCREEN Traffic Class Information Screen 8-8 802.1p Configuration Menu Screens Figure 8-3 Traffic Class Information Screen Page Traffic Class Configuration Screen 8-10 802.1p Configuration Menu Screens 8.4 TRAFFIC CLASS CONFIGURATION SCREEN Figure 8-4 Traffic Class Configuration Screen Number of port selected in the Traffic Class Information screen. 8.4.1 Assigning the Traffic Class to Port Priority 8.5 TRANSMIT QUEUES CONFIGURATION SCREEN Transmit Queues Configuration Screen 802.1p Configuration Menu Screens 8-13 Figure 8-5 Transmit Queues Configuration Screen Page 8.5.1 Setting the Current Queueing Mode 8.6 PRIORITY CLASSIFICATION CONFIGURATION SCREEN Page Page Page Page Page Page Page Page Page 8.6.1 Classification Precedence Rules - - - - Page 8.6.2 About the IP TOS Rewrite Function Layer 2 Layer 3 8.6.3 Displaying the Current PID/Classification Assignments 8.6.4 Assigning a Classification to a PID 8.6.5 Deleting PID/Classification/Description Line Items Deleting All Line Items Deleting One or More Line Items 8.7 Page Page 8.7.2 Solving the Problem Switch 2 8.8 RATE LIMITING CONFIGURATION SCREEN Rate Limiting Configuration Screen 8-38 802.1p Configuration Menu Screens Figure 8-10 Rate Limiting Configuration Screen Maximum Refer to Tabl e 8-10 for a functional description of each screen field. Table 8-10 Rate Limiting Configuration Screen Field Descriptions See the priorities associated with each port entry. Port # (Read-Only) See the number of each configured port. The same port number may appear four times, but with different priorities assigned. Page Page 8.8.1 Configuring a Port Page 8.8.2 Changing/Deleting Port Line Items Changing One or More Line Items Deleting All Line Items Deleting One or More Line Items 8.8.3 More About Rate Limiting Page Page Layer 3 Extensions Menu Screens Page 9.2 IGMP/VLAN CONFIGURATION SCREEN Page Page Page 9.2.1 IGMP/VLAN Configuration Procedure Page Device Statistics Menu Screens 10.1 DEVICE STATISTICS MENU SCREEN Page 10.2 SWITCH STATISTICS SCREEN Switch Statistics Screen 10-4 Device Statistics Menu Screens Figure 10-2 Switch Statistics Screen Refer to Table10-2 for a functional description of each screen field. Table 10-2 Switch Statistics Screen Field Descriptions Port # (Read-Only) Identify the port number. The total number of ports is dependent on the Frames Txmtd (Read-Only) See the number of frames transmitted by the interface since the last Frames Fltrd (Read-Only) See the number of frames filtered by the interface since the last 10.3 INTERFACE STATISTICS SCREEN Page Page 10.3.1 Displaying Interface Statistics RMON Statistics Screen Device Statistics Menu Screens 10-9 10.4 RMON STATISTICS SCREEN To obtain RMON statistics for each interface, on an interface-by-interface basis. Refer to Table10-4 for a functional description of each screen field. Figure 10-4 RMON Statistics Screen Page Page 10.4.1 Displaying RMON Statistics Network Tools Screens Network Tools 11-2 Network Tools Screens Screen ExampleNetwork Tools Help Screen Page 11.2 BUILT-IN COMMANDS command alias Built-in Commands alias (Continued) Network Tools Screens 11-5 Examples: arp arp_learn bridge cdp defroute dynamic_egress ev dynamic_egress (Continued) ev (Continued) gigabit_port_mode igmpv3_drop lg_frame_admin link_trap loopback_detect maclock loopback_detect (Continued) Page Page netstat non_bridge_if_num netstat (Continued) Page policy Built-in Commands policy (Continued) 11-2 2 Network Tools Screens Examples: (Contiued) radius Page Page rate_limit_mode reset rate_limit_mode (Continued) sat_size show show (Continued) soft_reset stpEdgePort stpForceVersion stpLegacyPathCost stpPointToPointMAC stpLegacyPathCost (Continued) stpPort stpRealTimeMsgAge suppress_topology_traps stpRealTimeMsgAge (Continued) telnet timed_soft_reset timed_reset traceroute timed_reset (Continued) vrrpPort 11.3 EXAMPLE, EFFECTS OF AGING TIME ON DYNAMIC EGRESS 11.4 EXAMPLE, USING DYNAMIC EGRESS TO CONTROL TRAFFIC PCs S1 Web Server Solving the Problem 11.5 SPECIAL COMMANDS done, quit, exit VLAN Operation and Network Applications 12.1 DEFINING VLANs A B 12.2 TYPES OF VLANs 12.2.1 802.1Q VLANs 12.2.2 Other VLAN Strategies 12.3 BENEFITS AND RESTRICTIONS 12.4 VLAN TERMS Page Page Page 12.6.1 Defining a VLAN 12.6.2 Classifying Frames to a VLAN 12.6.3 Customizing the VLAN Forwarding List 12.7 VLAN SWITCH OPERATION Page Page 12.7.2.2 Known Unicasts 12.8 VLAN CONFIGURATION 12.8.1 Managing the Switch 12.8.2 Switch Without VLANs 3 6 12.8.3 Switch with VLANs 802.1Q Switch 1 3 6 2 7 4 5 802.1Q Switch Page 12.9 SUMMARY OF VLAN LOCAL MANAGEMENT For details about each screen and how to use them, refer to Chapter 7. 12.9.1 Preparing for VLAN Configuration 12.10 QUICK VLAN WALKTHROUGH Assigning a VLAN ID and VLAN Name Assigning Ports to the VLAN Egress list Quick VLAN Walkthrough 12-18 VLAN Operation and Network Applications Figure 12-7 Walkthrough Stage Two, Port 3 Egress Setting NOTE: For the purposes of this walkthrough, port 10 will be configured as the trunk port. Configuring the Port Parameters Quick VLAN Walkthrough 12-20 VLAN Operation and Network Applications Figure 12-9 Walkthrough Stage Four, VLAN Port Configuration 12.11 EXAMPLES 12.12 EXAMPLE 1, SINGLE SWITCH OPERATION 12.12.1 Solving the Problem For the Red VLAN 3 6 B3 12.12.2 Frame Handling B2 B1 R1 R2 R2 12.13 EXAMPLE 2, VLANs ACROSS MULTIPLE SWITCHES Page 12.13.1 Solving the Problem Switch 4 Switch 2 Page 12.13.2 Frame Handling Page Page 12.14 EXAMPLE 3, FILTERING TRAFFIC ACCORDING TO A LAYER 4 CLASSIFICATION RULE 12.14.1 Solving the Problem Switches 1 and 2 S1 12.15 EXAMPLE 4, SECURING SENSITIVE INFORMATION ACCORDING TO SUBNET 12.15.1 Solving the Problem Switch 1 12.16 EXAMPLE 5, USING DYNAMIC EGRESS TO CONTROL TRAFFIC Solving the Problem 12.17 EXAMPLE 6, LOCKING A MAC ADDRESS TO A PORT USING CLASSIFICATION RULES 00.00.00.00.00.0A 00.00.00.00.00.0B 12.17.1 Solving the Problem Page Page Page Page A Generic Attribute Registration Protocol (GARP) A.1 OVERVIEW Page B About IGMP Page Page Page Index Numerics A B C D E F G H I K L M N P Q R S Page T U V W