Manuals / Brands / Computer Equipment / Switch / Enterasys Networks / Computer Equipment / Switch

Enterasys Networks 6E2xx, 6G3xx, 6H2xx, 6H3xx 3.6.2.2 802.1X Security Overview

1 430

Download 430 pages, 4.49 Mb

Overview of Security Methods

3-20 Accessing Local Management

3.6.2.2 802.1X Security Overview

The Enterasys Networks’ 6000 Series and Matrix E7 modules support the following 802.1X

security and authentication features to:

•Authenticate hosts that are connected to dedicated switch ports.

•Authenticate based on single-user hosts. (If a host is a time-shared Unix or VMS system,

successful authentication by any user will allow all users access to the network.)

•Allow users to authenticate themselves by logging in with user names and passwords, token

cards, or other high-level identification. Thus, a system manager does not need to spend hours

setting low-level MAC address filters on every edge switch to simulate user-level access

controls.

•Divide system functionality between supplicants (user machines), authenticators, and

authentication servers. Authenticators reside in edge switches. They shuffle messages and tell

the switch when to grant or deny access, but do not validate logins. User validation is the job of

authentication servers. This separation of functions allows network managers to put

authentication servers on central servers.

•Use the 802.1X protocol to communicate between the authenticator and the supplicant. The

frame format using 802.1X includes extra data fields within a LAN frame. Note that 802.1X

does not allow routing.

•Use 802.1X to communicate between the authenticator and the authentication server. The

specific protocol that runs between these components (e.g., RADIUS-encapsulated EAP) is not

specified and is implementation-dependent.

Authentication Server Provides authentication service to an authenticator. This

service determines, by the credentials the supplicant

provides, whether a supplicant is authorized to access

services provided by the authenticator. The authentication

server can be co-located with an authenticator or can be

accessed remotely.

Supplicant The entity (user machine) that is trying to be authenticated

by an authenticator attached to the other end of that link.

Table 3-4 Authentication Terms and Abbreviations (Continued)

Term Definition

Contents

Main Page NOTICE ENTERASYS NETWORKS, INC. PROGRAM LICENSE AGREEMENT Page Page Contents ABOUT THIS GUIDE 1 2 3 4 5 6 7 8 9 10 11 12 13 A B INDEX Figures Page Page Tab le s Page Page Page About This Guide USING THIS GUIDE STRUCTURE OF THIS GUIDE Page RELATED DOCUMENTS DOCUMENT CONVENTIONS TYPOGRAPHICAL AND KEYSTROKE CONVENTIONS Page Introduction 1.1 OVERVIEW Page 1.1.1 The Management Agent 1.1.2 In-Band vs. Out-of-Band 1.2 NAVIGATING LOCAL MANAGEMENT SCREENS 1.3 LOCAL MANAGEMENT REQUIREMENTS 1.4 LOCAL MANAGEMENT SCREEN ELEMENTS Local Management Screen Elements Introduction 1-5 Figure 1-1 Example of a Local Management Screen Event Message Field Heading Field Module Type and Slot Number Fields Page 1.5 LOCAL MANAGEMENT KEYBOARD CONVENTIONS 1.6 GETTING HELP Page Local Management Requirements 2.1 MANAGEMENT TERMINAL SETUP Management Terminal Setup 2-2 Local Management Requirements 2.1.1 Console Cable Connection 6H252-17 CPU 12345 4046-01 2.1.2 Management Terminal Setup Parameters 2.2 TELNET CONNECTIONS 2.3 MONITORING AN UNINTERRUPTIBLE POWER SUPPLY Monitoring an Uninterruptible Power Supply Local Management Requirements 2-5 Figure 2-2 Uninterruptible Power Supply (UPS) Connection COM Port UPS Device RJ45-to-DB9 UPS Adapter DB9 Port UTP Cable With RJ45 Connectors Page Accessing Local Management 3.1 NAVIGATING LOCAL MANAGEMENT SCREENS Page Navigating Local Management Screens B Accessing Local Management 3-3 Figure 3-2 802.1Q Switching Mode, Module, LM Screen Hierarchy (Page 2 of 3) * 3.1.1 Selecting Local Management Menu Screen Items B Using the RETURN Command 3.1.3 Using the NEXT and PREVIOUS Commands 3.1.4 Using the CLEAR COUNTERS Command 3.2 PASSWORD SCREEN Page Page 3.4 MODULE SELECTION SCREEN Module Selection Screen 3-10 Accessing Local Management Figure 3-6 Module Selection Screen 3.4.1 Selecting a Module Page Page 3.6 OVERVIEW OF SECURITY METHODS 3.6.1 Host Access Control Authentication (HACA) Page Page 3.6.2 802.1X Port Based Network Access Control 3.6.2.1 Definitions of Terms and Abbreviations 3.6.2.2 802.1X Security Overview 3.6.3 MAC Authentication Overview 3.6.3.1 Authentication Method Selection 3.6.3.2 Authentication Method Sequence 3.6.3.3 Concurrent Operation of 802.1X and MAC Authentication Page Page 3.6.4 MAC Authentication Control 3.7 SECURITY MENU SCREEN Page Page Page Page 3.8.1 Setting the Module Login Password 3.9 RADIUS CONFIGURATION SCREEN Page Page 3.9.1 Setting the Last Resort Authentication 3.9.2 Setting the Local and Remote Servers Page Page 3.11 SYSTEM AUTHENTICATION CONFIGURATION SCREEN Page EAP (Port) Configuration Screen Accessing Local Management 3-39 3.12 EAP (PORT) CONFIGURATION SCREEN To configure authentication settings for each port. Figure 3-13 EAP Port Configuration Screen Page Page Page Page Page Page Page Page 3.13.2 EAP Authenticator Statistics Screen Page Page 3.13.3 EAP Diagnostic Statistics Screen Page Page 3.14 MAC PORT CONFIGURATION SCREEN Page 3.15 MAC SUPPLICANT CONFIGURATION SCREEN Page Page Chassis Menu Screens Page Page Chassis Configuration Screen 4-4 Chassis Menu Screens 4.2 CHASSIS CONFIGURATION SCREEN Figure 4-2 Chassis Configuration Screen Page 4.2.1 Setting the IP Address 4.2.2 Setting the Subnet Mask 4.2.3 Setting the Chassis Date 4.2.4 Setting the Chassis Time 4.2.5 Setting a New Screen Refresh Time 4.2.6 Setting the Screen Lockout Time Page Page 4.4 SNMP COMMUNITY NAMES CONFIGURATION SCREEN 4.4.1 Establishing Community Names 4.5 SNMP TRAPS CONFIGURATION SCREEN Page 4.5.1 Configuring the Trap Table 4.6 CHASSIS ENVIRONMENTAL INFORMATION SCREEN Page Page 4.8 PORT REDIRECT CONFIGURATION SCREEN Page Page 4.8.1 Changing Source and Destination Ports 4.9 VLAN REDIRECT CONFIGURATION SCREEN VLAN Redirect Configuration Screen 4-24 Chassis Menu Screens Figure 4-9 VLAN Redirect Configuration Screen Refer to Tabl e 4-9 for a functional description of each screen field. Table 4-9 VLAN Redirect Configuration Screen Field Descriptions Source Module See which modules are currently set as source modules. Source VLAN ID See the VLAN ID of the VLANs that are currently set as source VLANs. Page 4.9.1 Changing Source VLAN and Destination Ports Module Configuration Menu Screens Page Page General Configuration Screen 5-4 Module Configuration Menu Screens 5.2 GENERAL CONFIGURATION SCREEN Figure 5-2 General Configuration Screen Page Page Page 5.2.1 Setting the IP Address 5.2.2 Setting the Subnet Mask 5.2.3 Setting the Default Gateway 5.2.4 Setting the TFTP Gateway IP Address 5.2.5 Setting the Module Name 5.2.6 Setting the Module Date 5.2.7 Setting the Module Time 5.2.8 Entering a New Screen Refresh Time 5.2.9 Setting the Screen Lockout Time 5.2.10 Configuring the COM Port WARNING 5.2.10.1 Changing the COM Port Application 5.2.11 Clearing NVRAM 5.2.12 Enabling/Disabling IP Fragmentation WARNING Page Page 5.4 SNMP COMMUNITY NAMES CONFIGURATION SCREEN Page 5.4.1 Establishing Community Names SNMP Traps Configuration Screen Module Configuration Menu Screens 5-23 5.5 SNMP TRAPS CONFIGURATION SCREEN Figure 5-9 SNMP Traps Configuration Screen Trap Community Name Trap Destination Enable Traps 5.5.1 Configuring the Trap Table 5.6 ACCESS CONTROL LIST SCREEN Access Control List Screen Refer to Tabl e 5-7 for a functional description of each screen field. 5-26 Module Configuration Menu Screens Figure 5-10 Access Control List Screen Page 5.6.1 Entering IP Addresses 5.6.2 Enable/Disable ACL 5.7 SYSTEM RESOURCES INFORMATION SCREEN 5.7.1 Setting the Reset Peak Switch Utilization 5.8 FLASH DOWNLOAD CONFIGURATION SCREEN Important Notice FLASH Download Configuration Screen Module Configuration Menu Screens 5-33 Refer to Table 5 -9 for a functional description of each screen field. Page Page 5.8.1 Image File Download Using Runtime 5.8.2 Configuration File Download Using TFTP 5.8.3 Configuration File Upload Using TFTP Port Configuration Menu Screens Page Page 6.2 ETHERNET INTERFACE CONFIGURATION SCREEN Ethernet Interface Configuration Screen Port Configuration Menu Screens 6-5 Figure 6-3 Ethernet Interface Configuration Screen Refer to Table 6 -2 for a functional description of each screen field. Table 6-2 Ethernet Interface Configuration Screen Field Descriptions Intf See the interface number. Port Page Page 6.3 ETHERNET PORT CONFIGURATION SCREEN Page Page Page 6.3.1 Selecting Field Settings 6.3.2 Setting the Advertised Ability Page Page Page 6.6 PORT REDIRECT CONFIGURATION SCREEN When to Use (for 6C105 Chassis) When to Use (for 6C107 Chassis) Port Redirect Configuration Screen Port Configuration Menu Screens 6-17 Ethernet ports. Page 6.6.1 Changing Source and Destination Ports 6.7 VLAN REDIRECT CONFIGURATION SCREEN VLAN Redirect Configuration Screen Port Configuration Menu Screens 6-21 Figure 6-7 VLAN Redirect Configuration Screen Page 6.7.1 Changing Source VLAN and Destination Ports 6.8 LINK AGGREGATION SCREEN (802.3ad MAIN MENU SCREEN) Usage Notes Definitions to Know Page Page Page 6.8.1 802.3ad Port Screen Page Page 6-32 Port Configuration Menu Screens Figure 6-10 802.3ad Port Details Screen Refer to Tabl e 6-9 for a functional description of each screen field. Table 6-9 802.3ad Port Details Screen Field Descriptions ActorSystemPriority ActorPort See the identifier for this port (identical to Port Instance). ActorSystemID See the System Identifier for the system in which this port resides. Page Page ActorOperState PartnerAdminKey PartnerAdminState (hex) PartnerOperKey PartnerOperState Viewing and Editing 802.3ad Port Parameters Displaying Port Statistics SelectedAggID AttachedAggID Port Configuration Menu Screens 6-37 6.8.1.2 802.3ad Port Statistics Screen Refer to Table 6 -10 for a functional description of each screen field. Figure 6-11 802.3ad Port Statistics Screen Page Page 6-40 Port Configuration Menu Screens 6.8.2 802.3ad Aggregator Screen Refer to Tabl e 6-11 for a functional description of each screen field. Figure 6-12 802.3ad Aggregator Screen Viewing and Editing 802.3ad Aggregator Parameters Displaying Aggregator Details 6.8.2.1 802.3ad Aggregator Details Screen Page Page Page Broadcast Suppression Configuration Screen 6-46 Port Configuration Menu Screens 6.9 BROADCAST SUPPRESSION CONFIGURATION SCREEN Figure 6-15 Broadcast Suppression Configuration Screen To set a limit for the receive broadcast frames that are switched out to the other ports. NOTE: Broadcast frames received above the threshold setting are dropped. 6.9.1 Setting the Threshold Page 802.1 Configuration Menu Screens Page Page Page Page 7.3 SPANNING TREE CONFIGURATION SCREEN Page Page 7.3.1 Configuring a VLAN Spanning Tree Spanning Tree Port Configuration Screen 7-10 802.1 Configuration Menu Screens 7.4 SPANNING TREE PORT CONFIGURATION SCREEN Figure 7-4 Spanning Tree Port Configuration Screen Page Page Page Page 802.1Q VLAN Configuration Menu Screens 8.1 SUMMARY OF VLAN LOCAL MANAGEMENT 8.1.1 Preparing for VLAN Configuration 8.2 802.1Q VLAN CONFIGURATION MENU SCREEN Page Page 8.3 STATIC VLAN CONFIGURATION SCREEN Page 8.3.1 Creating a Static VLAN 8.3.2 Displaying the Current Static VLAN Port Egress List 8.3.3 Renaming a Static VLAN 8.3.4 Deleting a Static VLAN information. 8.3.5 Paging Through the VLAN List 8.4 STATIC VLAN EGRESS CONFIGURATION SCREEN Page 8.4.1 Setting Egress Types on Ports 8.4.2 Displaying the Next Group of Ports Current VLAN Configuration Screen 8-14 802.1Q VLAN Configuration Menu Screens 8.5 CURRENT VLAN CONFIGURATION SCREEN Figure 8-5 Current VLAN Configuration Screen Page 8.6 CURRENT VLAN EGRESS CONFIGURATION SCREEN 8.7 VLAN PORT CONFIGURATION SCREEN VLAN Port Configuration Screen 8-18 802.1Q VLAN Configuration Menu Screens Figure 8-7 VLAN Port Configuration Screen Page 8.7.1 Changing the Port Mode 8.7.2 Configuring the VLAN Ports 8.8 VLAN CLASSIFICATION CONFIGURATION SCREEN Page Page Page Page Page Page 8.8.1 Classification Precedence Rules Page Page 8.8.2 Displaying the Current Classification Rule Assignments 8.8.3 Assigning a Classification to a VID 8.8.4 Deleting Line Items 8.9 PROTOCOL PORT CONFIGURATION SCREEN Page 8.9.1 Assigning Ports to a VID/Classification Page 802.1p Configuration Menu Screens Page Page Page Port Priority Configuration Screen 802.1p Configuration Menu Screens 9-5 Figure 9-2 Port Priority Configuration Screen 9.2.1 Setting Switch Port Priority Port-by-Port 9.2.2 Setting Switch Port Priority on All Ports 9.3 TRAFFIC CLASS INFORMATION SCREEN Traffic Class Information Screen 9-8 802.1p Configuration Menu Screens Figure 9-3 Traffic Class Information Screen Page Traffic Class Configuration Screen 9-10 802.1p Configuration Menu Screens 9.4 TRAFFIC CLASS CONFIGURATION SCREEN Figure 9-4 Traffic Class Configuration Screen Number of port selected in the Traffic Class Information screen. 9.4.1 Assigning the Traffic Class to Port Priority 9.5 TRANSMIT QUEUES CONFIGURATION SCREEN Transmit Queues Configuration Screen 802.1p Configuration Menu Screens 9-13 Figure 9-5 Transmit Queues Configuration Screen Page 9.5.1 Setting the Current Queueing Mode 9.6 PRIORITY CLASSIFICATION CONFIGURATION SCREEN Page Page Page Page Page Page Page Page Page 9.6.1 Classification Precedence Rules Page Page 9.6.2 About the IP TOS Rewrite Feature Layer 2 Layer 3 9.6.3 Displaying the Current PID/Classification Assignments 9.6.4 Assigning a Classification to a PID 9.6.5 Deleting PID/Classification/Description Line Items 9.7 Page 9.7.1 Assigning Ports to a PID/Classification 9.7.2 Example, Prioritizing Traffic According to Classification Rule 9.7.2.1 Solving the Problem S1 S2 Page 9.8 RATE LIMITING CONFIGURATION SCREEN Rate Limiting Configuration Screen 9-38 802.1p Configuration Menu Screens Figure 9-10 Rate Limiting Configuration Screen Maximum Refer to Tabl e 9-10 for a functional description of each screen field. Table 9-10 Rate Limiting Configuration Screen Field Descriptions See the priorities associated with each port entry. Port # Priority List top of screen Page Page 9.8.1 Configuring a Port Page 9.8.2 Changing/Deleting Port Line Items 9.8.3 More About Rate Limiting Page Page Layer 3 Extensions Menu Screens Page 10.2 IGMP/VLAN CONFIGURATION SCREEN Page Page 10.2.1 IGMP/VLAN Configuration Procedure Page Module Statistics Menu Screens 11.1 MODULE STATISTICS MENU SCREEN Page 11.2 SWITCH STATISTICS SCREEN Switch Statistics Screen Module Statistics Menu Screens 11-5 Figure 11-2 Switch Statistics Screen Refer to Table11-2 for a functional description of each screen field. Table 11-2 Switch Statistics Screen Field Descriptions Port # See the number of frames received by the interface since the last power-up or reset. Frames Txmtd See the number of frames transmitted by the interface since the last power-up or reset. 11.3 INTERFACE STATISTICS SCREEN Page Page 11.3.1 Displaying Interface Statistics RMON Statistics Screen 11-10 Module Statistics Menu Screens 11.4 RMON STATISTICS SCREEN Figure 11-4 RMON Statistics Screen To obtain RMON statistics for each interface, on an interface-by-interface basis. Page Page 11.4.1 Displaying RMON Statistics Page Page Page Network Tools Screens Network Tools 12-2 Network Tools Screens Figure 12-1 Network Tools Help Screen Page 12.2 BUILT-IN COMMANDS command alias Built-in Commands alias (Continued) Network Tools Screens 12-5 Example: arp arp_learn bridge cdp defroute dynamic_egress ev dynamic_egress (Continued) ev (Continued) gigabit_port_mode lg_frame_admin link_trap loopback_detect MAC_lock disable MAC_lock enable MAC_lock status MAC_lock trap disable MAC_lock trap enable netstat non_bridge_if_num Page radius Page Page Example: (Contd) rate_limit_mode reset sat_size suppress_topology_traps show show mac soft_reset stpEdgePort stpForceVersion stpPointToPointMAC set spantree legacypathcost stpPort set spantree legacypathcost (Continued) stpRealTimeMsgAge stpStandby telnet timed_reset timed_soft_reset traceroute vrrpPort 12.3 EXAMPLE, EFFECTS OF AGING TIME ON DYNAMIC EGRESS 12.4 EXAMPLE, USING DYNAMIC EGRESS TO CONTROL TRAFFIC S1 Solving the Problem 12.5 SPECIAL COMMANDS done, quit, exit VLAN Operation and Network Applications 13.1 DEFINING VLANs A B Building One Building Two 13.2 TYPES OF VLANs 13.2.1 802.1Q VLANs 13.2.2 Other VLAN Strategies 13.3 BENEFITS AND RESTRICTIONS 13.4 VLAN TERMS Page 13.5 VLAN OPERATION 13.5.1 Description 13.5.2 VLAN Components Stations Switches 13.6 CONFIGURATION PROCESS 13.6.1 Defining a VLAN 13.6.2 Classifying Frames to a VLAN 13.6.3 Customizing the VLAN Forwarding List 13.7 VLAN SWITCH OPERATION 13.7.1 Receiving Frames from VLAN Ports Untagged Frames Tagged Frames 13.7.2 Forwarding Decisions 13.7.2.1 Broadcasts, Multicasts, and Unknown Unicasts 13.7.2.2 Known Unicasts 13.8 VLAN CONFIGURATION 13.8.1 Managing the Switch 13.8.2 Switch Without VLANs Page 1 3 6 2 7 4 5 802.1Q Switch 13.9 SUMMARY OF VLAN LOCAL MANAGEMENT 13.9.1 Preparing for VLAN Configuration 13.10 QUICK VLAN WALKTHROUGH Assigning a VLAN ID and VLAN Name Assigning Ports to the VLAN Egress list Page Quick VLAN Walkthrough VLAN Operation and Network Applications 13-19 Figure 13-8 Walkthrough Stage Three, Port 10 Egress Setting Configuring the Port Parameters Page Examples VLAN Operation and Network Applications 13-21 Figure 13-9 Walkthrough Stage Four, VLAN Port Configuration 13.11 EXAMPLES 13.12 EXAMPLE 1, SINGLE SWITCH OPERATION 13.12.1 Solving the Problem For the Red VLAN B2 B1 B3R1 R2 R3 802.1Q Switch 3 6 2 4 5 1 13.12.2 Frame Handling 13.13 EXAMPLE 2, VLANs ACROSS MULTIPLE SWITCHES Example 2, VLANs Across Multiple Switches User 802.1D Legacy Bridge VLAN Operation and Network Applications 13-25 Figure 13-12 Example 2, VLANs Across Multiple Switches File Server 802.1Q VLAN Aware Switch 13.13.1 Solving the Problem Switch 4 Switch 2 Page 13.13.2 Frame Handling Page Page 13.14 EXAMPLE 3, FILTERING TRAFFIC ACCORDING TO A LAYER 4 CLASSIFICATION RULE Users Users 13.14.1 Solving the Problem Switches 1 and 2 R2 R1 S1 S2 S1 13.15 EXAMPLE 4, SECURING SENSITIVE INFORMATION ACCORDING TO SUBNET Finance Server 13.15.1 Solving the Problem Switch 1 13.16 EXAMPLE 5, USING DYNAMIC EGRESS TO CONTROL TRAFFIC Solving the Problem S1 Web Server 13.17 EXAMPLE 6, LOCKING A MAC ADDRESS TO A PORT USING CLASSIFICATION RULES 00.00.00.00.00.0A S1 00.00.00.00.00.0B 13.17.1 Solving the Problem Switch 1 Page A Generic Attribute Registration Protocol (GARP) A.1 OPERATION A.2 HOW IT WORKS B About IGMP Page Page Page Index Numerics A B C D E F G H I K L M N P Q R S Page Page T U V W