MAC Authentication Control | Enterasys Networks 2H258, 2E253, 2H253

Overview of Security Methods

Table 3-3 MAC / 802.1X Precedence States (Continued)

				Autho-
802.1X	MAC		Default	rized
Port	Port	Authen-	Policy	Policy
Control	Control	ticated?	Exists?	Exists?	Action

Force	Enabled	No	No	Don’t	•	MAC performs authentication.
Unauthoriz				Care	•	Frames are discarded.
ation					•	Frames are discarded.
ation

Force	Disabled	Don’t	Don’t	Don’t	•	Neither method performs
Unauthoriz		Care	Care	Care		authentication.
ation					•	Frames are discarded.
					•	Frames are discarded.

3.4.4MAC Authentication Control

This global variable can be set to enabled or disabled.

If set to enabled, then

a.MAC Authentication is active on those ports whose individual port-enabled variable is set to enabled.

b.All session and statistic information is reset to defaults.

c.Any MAC addresses currently locked to ports are unlocked.

If set to disabled, then

a.MAC Authentication stops for all ports.

b.All active sessions are terminated with the cause portAdminDisabled.

c.All policies are applied to ports as a result of a MAC Authentication reverting to the ports default policy, if any.

d.All ports currently authenticated using 802.1X, are unaffected.

e.Any 802.1X ports, which were set to forced-unauth, revert back to discarding all frames regardless of the MAC Authentication state.

Accessing Local Management 3-21

Image 59

Enterasys Networks 2H258, 2E253, 2H253, 2H252 manual MAC Authentication Control

Contents

SmartSwitch 2200 Series Page Page Enterasys NETWORKS, INC Program License Agreement Page Page Contents Device Configuration Menu Screens Port Configuration Menu Screens Configuration Menu Screens Layer 3 Extensions Menu Screens Network Tools Screens Generic Attribute Registration Protocol Garp Figures Xiii Xiv Tables Xvi Tables About This Guide Using this Guide Structure of this Guide Xix Document Conventions Related Documents Bold type Typographical and Keystroke ConventionsPage Overview Introduction Management Agent Local Management Requirements In-Band vs. Out-of-BandNavigating Local Management Screens None Defined Local Management Screen Elements Selection Fields Event Message FieldDisplay Fields Input Fields Local Management Keyboard Conventions Command Fields Your email address Getting HelpPage Local Management Requirements Management Terminal Setup Console Cable Connection 2H252-25R SmartSwitch device is shown in -1as an example VT100ID Management Terminal Setup Parameters Telnet Connections Monitoring AN Uninterruptible Power Supply DB9 Port RJ45 COM Port Page Accessing Local Management 802.1Q Switching Mode, LM Screen Hierarchy Exiting Local Management Screens Using the Exit CommandUsing the Return Command Selecting Local Management Menu Screen Items When to Use Using the Next and Previous CommandsUsing the Clear Counters Command Password Screen Screen Example How to Access Enter Screen Navigation Path Device Menu Screen Menu ConfigurationMenu Descriptions Device Security NetworkTools Section Cont’d Overview of Security Methods Host Access Control Authentication Haca Overview of Security Methods 14Accessing Local Management Definitions of Terms and Abbreviations 2 802.1X Port Based Network Access Control 2.2 802.1X Security Overview Concurrent Operation of 802.1X and MAC MAC Authentication OverviewAuthentication Method Selection Authentication Method Sequence Authentication MAC 20Accessing Local Management MAC Authentication Control Security Menu Screen Refer to -4for a functional description of each menu item Radius PasswordsName Services Authentication Module Login Passwords Screen Passwords Screen Field Descriptions Switch Radius Configuration Screen Setting the Module Login Password Retries Timeout IP Address Last Resort Action/Local SelectableLast Resort Action/Remote Toggle Radius Client Setting the Local and Remote Servers Setting the Last Resort Authentication Name Services Configuration Screen Name Services Configuration Screen Secure Harbour IP Switch Name ModifiableName Services Web Authentication System Authentication Configuration Screen System Authentication Configuration Screen Port # AuthenticationAuthenticated , or Unauthenticated System EAP Port Configuration Screen EAP Port Configuration Screen Port Backend State Authentication State Port Control Maximum Requests Initialize PortForce Reauth 10 EAP Statistics Menu Screen EAP Statistics Menu Screen EAP Session AuthenticatorEAP Diagnostic 11 EAP Session Statistics Screen EAP Session Statistics Screen When to Use SessionOctetsTx Authenticate Server or a local Authentication Server MethodSessionID SessionOctetsRx Port Number EAP Authenticator Statistics Screen When to UseClear Counters Command Session User Name 12 EAP Authenticator Statistics Screen Clear Counters 13 EAP Diagnostic Statistics Screen EAP Diagnostic Statistics Screen When to Use Timeouts Enters ConnectingLogoffs Connecting Authenticating Other Requests To AuthenticatedAccess Challenges Backend Statistics Responses Counters MAC Port Configuration ScreenClear 14 MAC Port Configuration Screen Port Enable SET ALL Ports MAC Supplicant Configuration Screen MAC Address Duration False Reauthenticate SupInitialize Supplicant Plicant Device Configuration Menu Screens General Configuration Device Configuration Menu Screen Information GeneralSnmp Resources 0.0 General Configuration Screen Addr Default GatewaySubnet Mask Tftp Gateway IP Time Operational ModeDevice Time Screen Refresh WebView Agg ModeClear Nvram IP Fragmentation Configuration Warning Screen, IP Address Setting the IP Address Configuration Warning Screen, Subnet Mask Setting the Subnet Mask Setting the Tftp Gateway IP Address Setting the Default Gateway Setting the Device Date Setting the Module Name Entering a New Screen Refresh Time Setting the Device TimeSetting the Screen Lockout Time Configuring the COM Port COM Port Warning Changing the COM Port Application UPS Clearing Nvram Clear Nvram Warning Enabling/Disabling IP Fragmentation Snmp Configuration Menu Screen Snmp Configuration Menu Screen Snmp Community Names Configuration Screen Snmp Community Names Configuration Screen Establishing Community Names Snmp Traps Configuration Screen Snmp Traps Configuration Screen Trap Community Configuring the Trap TableEnable Traps Trap Destination 10 Access Control List Screen Access Control List Screen IP Addr Access Control Lists Mask Entering IP AddressesEntering Single Addresses Entering Ranges of Addresses Enable/Disable ACL XX KB System Resources Information Screen Setting the Reset Peak Switch Utilization Flash Download Configuration Screen 12 Flash Download Configuration Screen Flash Download Configuration Screen Field Descriptions Download File Reboot AfterDownload Download Server IP Configuration File Download Using Tftp Image File Download Using Runtime Configuration File Upload Using Tftp 36Device Configuration Menu Screens Port Configuration Menu Screens Port Configuration Menu Screen in Agg Mode, Huntgroup Port Configuration Menu Screen Redirect EthernetInterface HSIM/VHSIM Ethernet Interface Configuration Screen Port Type Intf Duplex ConfigLink Speed HDX FC Ethernet Port Configuration Screen Refer to -3for a functional description of each screen field Physical Port Default SpeedDefault Duplex Interface 10Port Configuration Menu Screens Save to ALL Full Duplex FlowControl Half Duplex Flow Setting the Advertised Ability Selecting Field Settings Configuration Menu HSIM/VHSIM Configuration ScreenRedirect Configuration Menu Screen Redirect Configuration Menu Screen Port Redirect Configuration Screen Destination Port Source Port Status Redirect ErrorsFrame Format Source Port n Changing Source and Destination Ports Vlan Redirect Configuration Screen Vlan Redirect Configuration Screen Source Vlan n Source Vlan Changing Source Vlan and Destination Ports Aggregation Menu Usage Notes Definitions to Know Rapid Reconfiguration Spanning Tree Link Aggregation 802.3ad Main Menu Screen Aggregator 1 802.3ad Port Screen When to Use 802.3ad Port Screen MUX Viewing and Editing 802.3ad Port ParametersAggregator OperKey 10 802.3ad Port Details Screen 1.1 802.3ad Port Details Screen When to Use Port Instance ActorSystemPriority PartnerAdminSysID ActorOperState PartnerOperState Stats Displaying Port StatisticsLagid 11 802.3ad Port Statistics Screen 1.2 802.3ad Port Statistics Screen When to Use LACPDUsTx LACPDUsRxIllegalRx MarkerPDUsRx ActorChurnCount LastRxTimedeltaActorChurnState PartnerChurnState 12 802.3ad Aggregator Screen 2 802.3ad Aggregator Screen When to Use SysPri Viewing and Editing 802.3ad Aggregator ParametersDisplaying Aggregator Details AggInst 13 802.3ad Aggregator Details Screen 2.1 802.3ad Aggregator Details Screen When to Use Partner Instance 14 802.3ad System Screen 3 802.3ad System Screen When to Use Number Broadcast Suppression Configuration ScreenSystem Identifier Number of Ports Total RX Port # Setting the Reset Peak Setting the Threshold Configuration Menu Screens 802.1 Configuration Menu Screen 802.1 Configuration Menu Screen 802.1p Spanning Tree802.1Q Vlan Tree Configuration Menu Spanning Tree Configuration Menu Screen Spanning Tree Configuration Screen AgeTime Vlan Operation Current STP ModeConfigured Priority Configuring a Vlan Spanning Tree Spanning Tree Port Configuration Screen Spanning Tree Port Configuration Screen STP Vlan ID Switch AddressAge Time Viewing Status of Spanning Tree Ports Enabling/Disabling the Default Spanning Tree PortsPvst Port Configuration Screen Port Designated CorrespondingPort Designated Root Port Designated Port Port PriorityPort Designated Cost Port StatePage Vlan Configuration Menu 802.1Q Vlan Configuration Menu Screens Summary of Vlan Local Management Preparing for Vlan Configuration 802.1Q Vlan Configuration Menu Screen 802.1Q Vlan Configuration Menu Screen Vlan Port Static VlanCurrent Vlan Classification Static Vlan Configuration Screen FDB ID Vlan ID DEL Marked Creating a Static VlanVlan Name ADD Renaming a Static Vlan Displaying the Current Static Vlan Port Egress List Paging Through the Vlan List Deleting a Static Vlan Static Vlan Egress Configuration Screen Static Vlan Egress Configuration Screen Egress Setting the Same Egress Type on All Ports Simultaneously Setting Egress Types on PortsSetting the Egress Type on One or More Ports Individually Displaying the Next Group of Ports Current Vlan Configuration Screen Read-Only An example of a dynamic Vlan is a Gvrp Vlan Vlan Type Current Vlan Egress Configuration Screen Current Vlan Egress Configuration Screen Vlan Port Configuration Screen Override is Policy Pvid Pvid Configuring the Vlan Ports Changing the Port Mode Admit Tagged Frames only Vlan Classification Configuration Screen VID VID Marked ClassificationDescription DEL ALL/DEL 0x0000 0x00000000 000000.000.000.000 Tftp Http DNS Smtp Src TCP Port FTP Data 00-00-00-00-00-00 Nlsp IPX WAN Custom Classification Precedence Rules Layer Classification Precedence Displaying the Current Classification Rule Assignments Example Assigning a Classification to a VID Deleting One or More Classification Rules Protocol Port Configuration ScreenDeleting Line Items Deleting All Classification Rules Protocol Port Configuration Screen Classify Classification RuleField SET Ports to Assigning Ports to a VID/ClassificationAssigning One or More Ports Individually Assigning All Ports Simultaneously Assigning VID/Classification to Port Vlan Lists Screen Navigation Paths 802.1p Configuration Menu Port Priority Configuration 802.1p Configuration Menu Screen When to Use Queues Port PriorityTraffic Class Transmit Port Priority Configuration Screen Port Priority Configuration Screen Set Setting Switch Port Priority Port-by-PortPolicy Override Traffic Class Information Screen Setting Switch Port Priority on All Ports Traffic Class Information Screen Traffic Class Information Screen Field Descriptions Traffic Class Configuration Screen Traffic Class Configuration Screen Save Assigning the Traffic Class to Port PriorityTraffic Class Transmit Queues Configuration Screen Transmit Queues Configuration Screen Q2, Q3 Weights Q0, Q1Current Queueing Mode Setting the Current Queueing Mode Priority Classification Configuration Screen PID PID 18802.1p Configuration Menu Screens No Change TOS=PID Custom TCP No Change TOS=PID Custom Dest IP Address Mask New IP TOS Tftp Src TCP Port New IP TOS FTP Data IP Fragments New IP TOS IP Fragments2 Start End New IP TOS 00000 Dest TCP Port Start End New IP TOS 00000 SAP 28802.1p Configuration Menu Screens About the IP TOS Rewrite Function Layer Assigning a Classification to a PID Displaying the Current PID/Classification Assignments Deleting One or More Line Items Deleting PID/Classification/Description Line ItemsDeleting All Line Items Protocol Port Configuration Screen See which ports are set to the PID/Classification indicated Assigning Ports to a PID/Classification Solving the Problem Switch Rate Limiting Configuration Screen Maximum Priority List Port Number Modifiable Port Type Feature Direction Configuring a Port 42802.1p Configuration Menu Screens Changing One or More Line Items Changing/Deleting Port Line Items More About Rate Limiting Rate Limiting Configuration Screen Page Layer 3 Extensions Menu Screen Layer 3 Extensions Menu Screens Layer 3 Extensions Menu Screen IGMP/VLAN IGMP/VLAN Configuration Screen 120 Igmp Version Last Member Query Query IntervalQuery Response Robustness Querier Uptime Switch Query IPMcastMartPoolSize Querier Address Igmp State IGMP/VLAN Configuration ProcedurePage Device Statistics Menu Screen Device Statistics Menu Screens Lists the number of frames received, transmitted, filtered, Rmon Switch Statistics Screen Frames Fltrd Frames RcvdFrames Txmtd Frames Frwded Interface Statistics Screen Interface Statistics Screen InOctets InNonUnicast InErrorsOutErrors InUnicast MTU Displaying Interface Statistics Rmon Statistics Screen Rmon Statistics Screen Owner CRC Align ErrorsRmon Index Data Source Total Packets Oversized PktsFragments Jabbers Index nn Displaying Rmon Statistics1024 1518 Octets Network Tools Screens Screen ExampleNetwork Tools Help Screen Refer to -1for a list of the commands Alias Command Alias Stats Examples Arp-a Arp Syntax Arplearn normal limited status Options Syntax Bridge ENABLE/DISABLE IFNUM/ALL OptionsArplearn Bridge Defroute Syntax Cdp enable/disable/status OptionsCdp Vid DynamicegressSyntax dynamicegress action vid Options action Syntax Enable Group Disable Group Trap #ALL Commands for Listing Events Syntax gigabitportmode active redundant status Syntax igmpv3drop enable disable statusGigabitportmode Igmpv3drop Lgframeadmin Loopbackdetect Syntax linktrap enable/disable/status PORT/allSyntax loopbackdetect enable disable state Linktrap Syntax maclock show port# all Maclock Maclock set trap port# all enable disable Syntax Maclock set enable port# all globalMaclock set disable port# all global Maclock set macaddress port# all create enable disable Maclock show Stations Netstat Maclock set enable global Syntax nonbridgeifnum 0 9999 status Nonbridgeifnum Ping PassiveStp Policy set port portnumberorrangeorall profileindex PolicySyntax policy show profile profileindex Policy show port portnumberorrangeorall Policy show port Examples Contiued Radius 11-24Network Tools Screens Radius client Character string for the shared secret code. For security Examples Cont’d Syntax ratelimitmode status highrange default lowrangeRatelimitmode Syntax reset Options None Example -reset Reset Syntax Satsize 8 16 status Options SatsizeShow Show Appletalk interfaces Syntax stpEdgePort status SoftresetSyntax softreset Options None StpEdgePort Syntax StpForceVersion 0 2 status Options StpForceVersion Value Syntax stpLegacyPathCost enable disable statusStpLegacyPathCost Recommended StpPointToPointMAC StpRealTimeMsgAge Syntax stpRealTimeMsgAge enable disable statusStpPort Syntax Telnet IP address Port # Options Syntax Suppresstopologytraps enable disable OptionsSuppresstopologytraps Telnet Syntax timedreset status t seconds resetnv dontresetnv TimedsoftresetTimedreset Syntax timedsoftreset status t seconds resetnv dontresetnv Syntax Traceroute IP address Options Traceroute VrrpPort EXAMPLE, Effects of Aging Time on Dynamic Egress Options None Example -done Done, quit, exit Vlan Operation and Network Applications Example of a Vlan Defining VLANs Other Vlan Strategies Types of VLANs12.2.1 802.1Q VLANs Ingress Benefits and RestrictionsVlan Terms Tagged Frame Default VlanFiltering Database Identifier FDB ID Gmrp QcstpGarp Garp Vlan Gvrp Vlan Operation Configuration Process Customizing the Vlan Forwarding List Vlan Switch OperationDefining a Vlan Classifying Frames to a Vlan FID Forwarding Decisions Receiving Frames from Vlan PortsUntagged Frames Tagged Frames Known Unicasts Vlan ConfigurationManaging the Switch Switch with VLANs Switch Without VLANs Switch Management with VLANs 12-14VLAN Operation and Network Applications 3069162 Assigning a Vlan ID and Vlan Name Quick Vlan Walkthrough Assigning Ports to the Vlan Egress list Walkthrough Stage One, Static Vlan Configuration Screen Walkthrough Stage Two, Port 3 Egress Setting Walkthrough Stage Three, Port 10 Egress Setting Configuring the Port Parameters Walkthrough Stage Four, Vlan Port Configuration Examples Example 1, Single Switch Operation For the Red Vlan Frame Handling 11 Switch Configured for VLANs Example 2, VLANs Across Multiple Switches Redco Blue Industries 12-26VLAN Operation and Network Applications Switch 12-28VLAN Operation and Network Applications Redco Blue Industries User a Blue Industries Redco 15 Transmitting to Bridge Switches 1 Finance Department Example 5, Using Dynamic Egress to Control Traffic PCs 00.00.00.00.00.0A Switch SET ALL Ports no Vlan Operation and Network Applications Page Generic Attribute Registration Protocol Garp HOW IT Works About Igmp Supported Features and Functions Detecting Multicast Routers Page Numerics Index Index-2 Index-3 Index-4 Index-5 Index-6 Index-7 Index-8 Index-9 Index-10 Index-11