Manuals / GE / Computer Equipment / Switch

GE Multilink ML1200 Managed Field Switch Access Using Radius, Introduction to

Models: ML1200

1 344

Download 344 pages 51.98 Kb

Page 125

Digital Energy

Multilin

Multilink ML1200

Managed Field Switch

Chapter 7: Access Using RADIUS

7.1Introduction to 802.1x

7.1.1 Description

The TACACS+ protocol is the latest generation of TACACS. TACACS is a simple UDP (User Datagram Protocol) based access control protocol originally developed by BBN for the MILNET (Military Network). Later the enhancements were called TACACS+. TACACS+ is a TCP (Transmission Control Protocol) based access control protocol. TCP offers a connection- oriented transport, while UDP offers best-effort delivery making the access authentication reliable.

Remote Authentication Dial-In User Service or RADIUS is a server that has been traditionally used by many Internet Service Providers (ISP) as well as Enterprises to authenticate dial in users. Today, many businesses use the RADIUS server for authenticating users connecting into a network. For example, if a user connects PC into the network, whether the PC should be allowed access or not provides the same issues as to whether or not a dial in user should be allowed access into the network or not. A user has to provide a user name and password for authenticated access. A RADIUS server is well suited for controlling access into a network by managing the users who can access the network on a RADIUS server. Interacting with the server and taking corrective action(s) is not possible on all switches. This capability is provided on the MultiLink ML1200 Managed Field Switch.

RADIUS servers and its uses are also described by one or more RFCs.

7.1.2802.1x Protocol

There are three major components of 802.1x: - Supplicant, Authenticator and Authentication Server (RADIUS Server). In the figure below, the PC acts as the supplicant. The supplicant is an entity being authenticated and desiring access to the services. The switch is the authenticator. The authenticator enforces authentication before allowing

MULTILINK ML1200 MANAGED FIELD SWITCH – INSTRUCTION MANUAL

7–1

Image 125

GE instruction manual Multilink ML1200 Managed Field Switch Access Using Radius, Introduction to, 2 802.1x Protocol

Contents

GE Multilin MultiLink ML1200 Managed Field SwitchCanadian Emissions Statement Electrical Safety requirementsTable of Contents Access 10-5 10-110-3 10-12 10-710-13 10-1915-1 14-915-4 15-517-16 17-1418-1 18-3Inspecting the Package and Product Multilink ML1200 Managed Field Switch IntroductionGetting Started ML1200 Order CodesPerformance SpecificationsAlarm Relay Contacts Sinusoidal Vibration DNV To 4 G InterruptsCE Compliance Low voltage directive EN60950-1 EMC Directive Applicable Council Directive According toNorth America CULus UL60950-1 C22.2 No ISO9001Console Connection Command Line Interface FirmwareConsole Setup Logging In for the First Time Automatic IP Address ConfigurationConsole Screen Step Setting the IP Parameters Using Console PortML1200# reboot Ipconfig ip=ip-address mask=subnet-mask dgw=gatewayAn example is shown below ML1200# savePrivilege Levels Enable user-nameUser Management Command Enter Help command stringCommand string TAB First character of the command TAB HelpExiting Following example, the TAB key completes the commandLogout Following example illustrates logging out from a sessionEnerVista Secure Web Management Secure site will issue the certificate check shown belowMake sure you use Https secure Http and not Http in the URL Example shown in the previous section, the URL isLogin screen To add a user, use the add button Select the Administration User Mgmt User Accounts menu itemIntroduction Introduction Introduction Modifying the Privilege Level To exit or logout, click on the logout button Confirm the logout by selecting OK in the pop-up window Updating through the Command Line ML1200 Firmware UpdatesUpdating Multilink ML1200 Firmware Selecting the Proper VersionML1200# xmodem get type=app Https//IP address of the switch Introduction Introduction Overview Multilink ML1200 Managed Field Switch Product DescriptionProduct Description Product Description Four-Port Copper Module, C1 Module Mdix PoE power pass-through, C2 Module MDIX, 10/100Mb 4-portTwo -Port 10 Mb mm Fiber ST Modules Two-Port Fiber Modules, 2@ 100Mb fiberPacket Prioritization, 802.1p QOS SFP Gigabit 1000Mbps port modulesManaged Network Firmware for Multilink ML1200-Series Frame Buffering and Flow ControlManaged switching for high performance Ethernet LANs Features and BenefitsFeatures Fiber-Built-In Management Software includedProduct Description Applications Example Example Preparation Multilink ML1200 Managed Field Switch InstallationLocating Multilink ML1200 Switches Copper Connecting Ethernet MediaFiber Twisted Pair CAT Twisted Pair CAT 3, 4Gigabit SFP Small Form-factor Pluggable Optical Transceivers HK Module H7 Module H8 HD ModuleHE HJ Module DIN-Rail Mounting the Multilink ML1200 Mechanical InstallationInstallation Powering the Multilink ML1200 Managed Field Switch Electrical Installation3 ML1200 Port Module PM Installation Request to Send Pinout information for above connectorTransceiver Data GroundFunctionality Multilink ML1200 Managed Field Switch OperationSwitching Functionality For Multilink ML1200 models /ML1200 Status LEDsAuto-Cross Mdix and Auto-negotiation, for RJ-45 ports Flow-control, Ieee 802.3x standard Typical Power Budget Calculations for ML1200 PM’s with Fiber MediaH4, HH Mb FX 2 ML1200 Modules Multilink ML1200 Managed Field Switch Port Modules2.2 C7 Module, 2@10Mb multi-mode FX-ST twist lock Module CB Module, 2 Ports @100Mbps single-mode FX-SC-type, Sgl.M CC Module, 4 @100Mb multi-mode FX , Mtrj Small-Form-factor 2.10 C1 Module Twisted Pair, 10/100Mb, 4-Port PoE LEDs Summary SFPs, Gigabit 1000Mbps port modules Before Calling for Assistance Operation Overview Multilink ML1200 Managed Field Switch IP AddressingIP Address and System Information Edit the IP address information Bootp Database Dhcp and bootpConfiguring DHCP/bootp/Manual/AUTO Importance of an IP AddressClick Edit Select the Administration System menu itemTelnet enabledisable Using TelnetML1200access## telnet enable ML1200access## exit ML1200#Default port for telnet is Select the Administration Telnet menu itemTelnet ipaddress port=port number Show session Kill session id=sessionML1200# show session For exampleSystem Parameters Setting ParametersSetting Serial Port Parameters Snmp Date and TimeSetvar sysnamesyscontactsyslocation =string Set timezone GMT=+ or hour=0-14 min=0-59Following command sequence sets the daylight location Syntax for other date and time commands areNetwork Time Set timeformat format=1224ML1200sntp## exit ML1200sntp## sync hour=5 ML1200sntp## sntp enableML1200# sntp IP Addressing IP Addressing Config file System ConfigurationSaving and Loading Command Line # Restricted Rights System Syntax show config module=module-name Displaying configurationWhere module-name can be Names, passwordsMore ’show config’ command outputML1200# show config module=snmp Hardware Select N Saving ConfigurationSelect Y. The ML1200 will prompt Save format=v2v3 Show host command displays the host table entries# Restricted Rights Script FileSaving and Loading EnerVista Software IP Addressing Host Names IP Addressing Kill Config option using SWM Erasing ConfigurationIP Addressing Port/Tag Vlan settings STP, Rstp settingsIP-Access and Host Table settings Lacp settingsML1200# kill config What’s changed in IPV6? IPv6Introduction to IPv6 3 IPv6 Addressing Syntax ping6 IPv6 address pings an IPv6 station Configuring IPv6Syntax show ipv6 displays the IPv6 information Syntax ftp IPv6 address ftp to an IPv6 stationSyntax telnet IPv6 address telnet to an IPv6 station List of commands in this chapterSecuring Access Multilink ML1200 Managed Field Switch Access ConsiderationsPasswords DescriptionPort Security Feature For example, using the configure port-securitycommand CommandsLearn port=number-list enabledisable show port-security Ps enabledisableML1200port-security## ps disable ML1200port-security## ps enableAllowing MAC Addresses ML1200port-security## allowML1200port-security## learn port=3 enable Example 6-1 Viewing the port security settingsTo deny a mac address, use the following Example 6-2 Enabling learning on a portExample 6-4 Removing MAC addresses from specific ports Save the port-security configuration use the save commandML1200port-security## signal port=3 logandtrap Access Considerations Security Logs Example 6-5 Configuring port securityML1200# show log Example 6-6 Security log commandsSet logsize size=1-1000 Show ip-access AccessAuthorized Managers RemoveallExample 6-7 Allowing/blocking specific IP addresses ML1200# accessML1200access## exit After enabling the EnerVista Secure Web Management software Configuring Port Security with EnerVista SoftwareAccess Considerations Access Considerations Logs Authorized Managers Access Considerations Access Considerations 2 802.1x Protocol Multilink ML1200 Managed Field Switch Access Using RadiusIntroduction to 802.1x network components 802.1x authentication details Show auth configports Configuring 802.1x through the Command Line InterfaceAuth enabledisable AuthTrigger-reauthport=numlistrange Show-statscommand displays 802.1x related statisticsShow-stats port=num On following Example 7-1 Setting port control parametersExample ML1200auth## show-port backend Setting port control parametersML1200auth## ML1200auth## shoW-port reauthCommands To edit the port settings, click on the edit icon Select the Configuration Radius Port Access menu item Access Using Radius Access Using Radius After all the port characteristics are enabled Introduction to TACACS+ Multilink ML1200 Managed Field Switch Access using TACACS+TACACS+ Packet TACACS+ FlowTacacs packet format Packet type Possible values areTacplus enabledisable Configuring TACACS+ through the Command Line InterfaceExample 8-1 below, illustrates how to configure TACACS+ Show tacplus statusserversML1200user## tacplus disable Example 8-1 Configuring TACACS+ML1200user## tacplus enable Access Using TACACS+ Access Using TACACS+ Access Using TACACS+ Port Mirroring Multilink ML1200 Managed Field Switch Port Mirroring SetupPrtmr enabledisable Port Mirroring using the Command Line InterfaceShow port-mirror Port-mirrorDevice command enters the device configuration mode Port SetupSetport command configures the port characteristics DeviceML1200# device Example 9-1 Port setupML1200device## show port ML1200device## exit ML1200#Flow Control Where the rxthreshold value can be from 4 to 30 default isBack Pressure Flowcontrol xonlimit=value xofflimit=valueML1200device## show port=11 Back pressure and flow controlBroadcast Storms Show broadcast-protect Broadcast-protect enabledisableRate-thresholdport=portlistrange rate=frames/sec Example 9-3 Preventing broadcast storms Link Loss AlertML1200device## show port=3 Example 9-4 Link loss alertSelect the Configuration Port Mirroring menu item Port Setup Port Mirroring and Setup Port Mirroring and Setup Broadcast Storm menu Port Mirroring and Setup Vlan Description Multilink ML1200 Managed Field Switch VlanVlan Tag Vlan vs. Port Vlan Multilink ML1200 supports up to 32 VLANs per switch10-4 Add id=vlan Id name=vlan name port=numberlistrange Configuring Port VLANs through the Command Line InterfaceSet vlan type=porttagnone Save Start vlan=namenumberlistrangeEdit id=vlan Id name=vlan name port=numberlistrange Show vlan type=porttag id=vlanidVlan VID=1 Currently assigned Port VLANs are displayed as follows Select the Configuration Vlan Port-Based menu item10-9 10-10 10-11 Show-port port=portlistrange Configuring Tag VLANs through the Command Line Interface10-13 Example 10-1 Converting Port Vlan to Tag Vlan ML1200tag-vlan##add id=20 name=marketing port=3-5 Converting Port Vlan to Tag VlanML1200tag-vlan##set-port port=3-5 filter status=enable Name engineering Status Active Port Mode Status Tagged 10-19 Next step is to define the VLANs needed. To do that Click On Configuration vlan tag-based Menu10-21 Select the Configuration Vlan Tag-Based Tagging menu 10-23 10-24 Gvrp Concepts Vlan Registration over GarpVlan Registration Over Garp Gvrp OperationsVlan assignment in Gvrp enabled switches Static vlan=VID Port settings for Gvrp operationsShow-vlan Example 11-1 Converting a dynamic Vlan to a static Vlan Gvrp optionsML1200# gvrp ML1200gvrp## show-vlan ML1200gvrp## static vlan=10 ML1200gvrp## show-vlan11-6 Gvrp Operation Notes Configuring Gvrp through the Command Line InterfaceShow gvrp Show-forbidExample 11-2 Configuring Gvrp Gvrp options on To configure GvrpSelect the Configuration Vlan Gvrp menu item 11-10 Features and Operation Spanning Tree Protocol STP STP default valuesShow stp configports Configuring STPExample 12-2 Viewing STP ports Example 12-1 Viewing STP configurationStp Stp enabledisableSet stp type=stprstp Show active-stpExample 12-3 Enabling STP Example 12-3shows how to enable STP using the above commandsTimers forward-delay=4-30 hello=1-10 age=6-40 ML1200stp##show stp ports Example 12-4 Configuring STP parametersConfiguring STP parameters ML1200stp##cost port=2 value=20 ML1200stp##port port=1 status=enable Designated Root Priority 15535 Rstp concepts Rapid Spanning Tree Protocol Transition from STP to Rstp13-3 Rstp enabledisable Configuring Rstp through the Command Line InterfaceNormal Rstp Rstp13-5 Example 13-2 Reviewing the Rstp port parameters Show-forceversion Path cost as defined in Ieee 802.1d / 802.1wForceversion stprstp Port port=numberlistrange status=enabledisable Show-timersML1200rstp##show stp config Example 13-4 Configuring RstpConfiguring Rstp ML1200rstp##priority port=2 value=100 ML1200rstp##port port=1 status=disable Romode add port=portlistrange romode del port=portlistrange Syntax for the romode command on Rstp is shown belowML1200rstp##romode add port=1,2 Example 13-5 Configuring smart RSTP, ring-only mode13-15 Status Indicates whether STP or Rstp is enabled 13-17 Path cost defined in Ieee 802.1d and 802.1w 13-19 Click the Edit button to configure Rstp Then Save Enable Status 13-22 QoS Concepts Multilink ML1200 Managed Field Switch Quality of ServiceQoS Overview IP Precedence DiffServ and QoSIP Precedence ToS Field in an IP Packet Header Set-weightweight=0-7 Configuring QoS through the Command Line InterfaceShow-portweight QosShow qos command displays the QoS settings Port weight settingsShow qos type=porttagtos port=portlistrange Set-untagport=portlistrange priority=highlow tag=0-7Example 14-1 Configuring QoS Following example shows how to configure QoSConfiguring QoS ML1200qos##set-weight weight=4 ML1200qos##show-portweight 14-9 14-10 14-11 14-12 Igmp Concepts Multilink ML1200 Managed Field Switch IgmpIgmp Figure below shows a network running Igmp Isolating multicast traffic in a network IP Multicast FiltersIgmp Support Reserved Addresses Excluded from IP Multicast Igmp FilteringIgmp enable/disable Configuring Igmp through the Command Line InterfaceShow igmp command displays the Igmp status IgmpShow-router Show-groupShow-port Example 15-1 Configuring Igmp Following example shows how to configure IgmpML1200igmp## show-port ML1200igmp## show-routerConfiguring Igmp ML1200igmp## mcast enable ML1200igmp## mcast disable15-11 15-12 Snmp Concepts Multilink ML1200 Managed Field Switch SnmpSnmp Standards TrapsEnterprise Traps Intruder SNMPv1 standardsRFC 2271-2275 SNMPv3 Configuring Snmp through the Command Line Interface Show-trap id=id# Following example shows how to configure SnmpShow-group id=id Show-view id=idExample 16-1 Configuring Snmp Configuring Snmp ML1200snmpv3## show-group id=1 ML1200snmpv3## show-groupML1200snmpv3## show-view ML1200snmpv3## show-view id=1ML1200snmpv3## show-access id=1 ML1200snmpv3## show-accessML1200snmpv3## show-user ML1200snmpv3## show-user id=216-11 Multiple managers can be added as shown below 16-13 16-14 Rmon Configuring RmonML1200rmon## exit ML1200# ML1200rmon## show rmon eventMail Multilink ML1200 Managed Field Switch MiscellaneousSmtp Smtp enabledisableShow smtp configrecipients Server ip=ip-addr port=1-65535 retry=0-3 domain=domain Server command configures the global Smtp server settingsDelete id=1-5 ML1200smtp##show smtp config Statistics Following figure displays the port statistics for group Optimizing serial connection in HyperTerminal Serial ConnectivityShow version HistoryShow history Ping through EnerVista Secure Web Management software Ping through the Command Line InterfacePing Set prompt prompt string Changing the Command Line PromptPrompt System Events Command Line Interface ExampleFollowing example illustrates a typical event log Example 17-2 Typical system event logEnerVista Example Select the Configuration Statistics Log Statistics menu item17-13 Main Commands Command ReferenceSet timeout sets the system inactivity time out Set commands are listed belowSet password sets the current user password Snmp enables or disables Snmp Configuration commandsAlarm commands are shown below Authorization commands are shown belowVlan Registration over Garp for details Device commands are shown belowRapid Spanning Tree Protocol for additional details Setqos configures QOS configuration usageSpanning Tree Protocol STP for additional details Passwd change the user password17-20 Modbus Configuration Multilink ML1200 Managed Field Switch Modbus ProtocolCommand Line Interface Settings Following command-line interface settings are availableML1200access## modbus port=602 ML1200# access ML1200access## modbus enableML1200access## show modbus Select the Configuration Access Modbus menu item EnerVista SettingsModbus memory map Sheet 1 Memory MappingModbus Memory Map Modbus memory map Sheet 2 Modbus memory map Sheet 3 Modbus memory map Sheet 4 Modbus memory map Sheet 5 Modbus memory map Sheet 6 Modbus memory map Sheet 7 Modbus memory map Sheet 8 Modbus memory map Sheet 9 Modbus memory map Sheet 10 Modbus memory map Sheet 11 Modbus memory map Sheet 12 Modbus memory map Sheet 13 Modbus memory map Sheet 14 Modbus memory map Sheet 15 Modbus memory map Sheet 16 Modbus memory map Sheet 17 Modbus memory map Sheet 18 Modbus memory map Sheet 19 Modbus memory map Sheet 20 Modbus memory map Sheet 21 Modbus memory map Sheet 22 Modbus memory map Sheet 23 Modbus memory map Sheet 24 Modbus memory map Sheet 25 Modbus memory map Sheet 26 Modbus memory map Sheet 27 Modbus memory map Sheet 28 Modbus memory map Sheet 29 Modbus memory map Sheet 30 Modbus memory map Sheet 31 Modbus memory map Sheet 32 Modbus memory map Sheet 33 Format Codes 18-38 Revision History Multilink ML1200 Managed Field Switch Appendix aChange Notes Changes to the ManualGE Multilin Warranty Statement WarrantyMultilin Power Consumption 48 V DC, 24 V DC and 125 V DC Power, Theory of Operation Applications for DC Powered Ethernet Switches ML1200, -48 V, 24 V, 125 V DC Installation UL Requirements for DC-powered units Operation DC Power Input Appendix C Internal DC Dual- Source Power Input Power Supply Internal, -48VDC Dual-Source Specifications for Multilink ML1200 Field SwitchChapter C Internal DC DUAL-SOURCE Power Input Option Dual-Source Option Theory of Operation Features and Benefits of the Dual-Source Design Installation