Manuals / GE / Computer Equipment / Switch

GE Multilink ML1200 Managed Field Switch Access using TACACS+, Introduction to TACACS+

Models: ML1200

1 344

Download 344 pages 51.98 Kb

Page 139

Digital Energy

Multilin

Multilink ML1200

Managed Field Switch

Chapter 8: Access using TACACS+

8.1Introduction to TACACS+

8.1.1 Overview

The TACACS+ protocol (short for Terminal Access Controller Access Control System) provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.

TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon (server) or simply TACACSD. This server was normally a program running on a host. The host would determine whether to accept or deny the request and sent a response back.

The TACACS+ protocol is the latest generation of TACACS. TACACS is a simple UDP based access control protocol originally developed by BBN for the MILNET (Military Network). XTACACS is now replaced by TACACS+. TACACS+ is a TCP based access control protocol. TCP offers a reliable connection-oriented transport, while UDP offers best-effort delivery.

TACACS+ improves on TACACS and XTACACS by separating the functions of authentication, authorization and accounting and by encrypting all traffic between the Network Access Server (NAS) and the TACACS+ clients or services or daemon. It allows for arbitrary length and content authentication exchanges, which allows any authentication mechanism to be utilized with TACACS+ clients. The protocol allows the TACACS+ client to request very fine- grained access control by responding to each component of a request.

The MultiLink ML1200 Managed Field Switch implements a TACACS+ client.

1.TACACS+ servers and daemons use TCP port 49 for listening to client requests. Clients connect to this port to send authentication and authorization packets.

2.There can be more than one TACACS+ server on the network. The MultiLink Switch Software supports a maximum of five TACACS+ servers.

MULTILINK ML1200 MANAGED FIELD SWITCH – INSTRUCTION MANUAL

8–1

Image 139

GE instruction manual Multilink ML1200 Managed Field Switch Access using TACACS+, Introduction to TACACS+

Contents

GE Multilin MultiLink ML1200 Managed Field SwitchCanadian Emissions Statement Electrical Safety requirementsTable of Contents Access 10-3 10-110-5 10-19 10-710-12 10-1315-5 14-915-1 15-418-3 17-1417-16 18-1Getting Started Multilink ML1200 Managed Field Switch IntroductionInspecting the Package and Product ML1200 Order CodesPerformance SpecificationsAlarm Relay Contacts Sinusoidal Vibration DNV To 4 G InterruptsISO9001 Applicable Council Directive According toCE Compliance Low voltage directive EN60950-1 EMC Directive North America CULus UL60950-1 C22.2 NoConsole Setup Command Line Interface FirmwareConsole Connection Console Screen Automatic IP Address ConfigurationLogging In for the First Time Step Setting the IP Parameters Using Console PortML1200# save Ipconfig ip=ip-address mask=subnet-mask dgw=gatewayML1200# reboot An example is shown belowPrivilege Levels Enable user-nameUser Management Help Help command stringCommand Enter Command string TAB First character of the command TABFollowing example illustrates logging out from a session Following example, the TAB key completes the commandExiting LogoutExample shown in the previous section, the URL is Secure site will issue the certificate check shown belowEnerVista Secure Web Management Make sure you use Https secure Http and not Http in the URLLogin screen To add a user, use the add button Select the Administration User Mgmt User Accounts menu itemIntroduction Introduction Introduction Modifying the Privilege Level To exit or logout, click on the logout button Confirm the logout by selecting OK in the pop-up window Selecting the Proper Version ML1200 Firmware UpdatesUpdating through the Command Line Updating Multilink ML1200 FirmwareML1200# xmodem get type=app Https//IP address of the switch Introduction Introduction Overview Multilink ML1200 Managed Field Switch Product DescriptionProduct Description Product Description Four-Port Copper Module, C1 Module Mdix PoE power pass-through, C2 Module MDIX, 10/100Mb 4-portTwo -Port 10 Mb mm Fiber ST Modules Two-Port Fiber Modules, 2@ 100Mb fiberPacket Prioritization, 802.1p QOS SFP Gigabit 1000Mbps port modulesManaged Network Firmware for Multilink ML1200-Series Frame Buffering and Flow ControlManagement Software included Features and BenefitsManaged switching for high performance Ethernet LANs Features Fiber-Built-InProduct Description Applications Example Example Locating Multilink ML1200 Switches Multilink ML1200 Managed Field Switch InstallationPreparation Fiber Connecting Ethernet MediaCopper Twisted Pair CAT Twisted Pair CAT 3, 4Gigabit SFP Small Form-factor Pluggable Optical Transceivers HE HJ Module H7 Module H8 HD ModuleHK Module DIN-Rail Mounting the Multilink ML1200 Mechanical InstallationInstallation Powering the Multilink ML1200 Managed Field Switch Electrical Installation3 ML1200 Port Module PM Installation Ground Pinout information for above connectorRequest to Send Transceiver DataSwitching Functionality Multilink ML1200 Managed Field Switch OperationFunctionality Auto-Cross Mdix and Auto-negotiation, for RJ-45 ports Status LEDsFor Multilink ML1200 models /ML1200 Flow-control, Ieee 802.3x standard Typical Power Budget Calculations for ML1200 PM’s with Fiber MediaH4, HH Mb FX 2 ML1200 Modules Multilink ML1200 Managed Field Switch Port Modules2.2 C7 Module, 2@10Mb multi-mode FX-ST twist lock Module CB Module, 2 Ports @100Mbps single-mode FX-SC-type, Sgl.M CC Module, 4 @100Mb multi-mode FX , Mtrj Small-Form-factor 2.10 C1 Module Twisted Pair, 10/100Mb, 4-Port PoE LEDs Summary SFPs, Gigabit 1000Mbps port modules Before Calling for Assistance Operation IP Address and System Information Multilink ML1200 Managed Field Switch IP AddressingOverview Edit the IP address information Importance of an IP Address Dhcp and bootpBootp Database Configuring DHCP/bootp/Manual/AUTOClick Edit Select the Administration System menu itemML1200access## exit ML1200# Using TelnetTelnet enabledisable ML1200access## telnet enableShow session Kill session id=session Select the Administration Telnet menu itemDefault port for telnet is Telnet ipaddress port=port numberML1200# show session For exampleSetting Serial Port Parameters Setting ParametersSystem Parameters Set timezone GMT=+ or hour=0-14 min=0-59 Date and TimeSnmp Setvar sysnamesyscontactsyslocation =stringSet timeformat format=1224 Syntax for other date and time commands areFollowing command sequence sets the daylight location Network TimeML1200# sntp ML1200sntp## sync hour=5 ML1200sntp## sntp enableML1200sntp## exit IP Addressing IP Addressing Saving and Loading Command Line System ConfigurationConfig file # Restricted Rights System Names, passwords Displaying configurationSyntax show config module=module-name Where module-name can beMore ’show config’ command outputML1200# show config module=snmp Hardware Select Y. The ML1200 will prompt Saving ConfigurationSelect N Save format=v2v3 Show host command displays the host table entries# Restricted Rights Script FileSaving and Loading EnerVista Software IP Addressing Host Names IP Addressing Kill Config option using SWM Erasing ConfigurationIP Addressing Lacp settings STP, Rstp settingsPort/Tag Vlan settings IP-Access and Host Table settingsML1200# kill config Introduction to IPv6 IPv6What’s changed in IPV6? 3 IPv6 Addressing Syntax ftp IPv6 address ftp to an IPv6 station Configuring IPv6Syntax ping6 IPv6 address pings an IPv6 station Syntax show ipv6 displays the IPv6 informationSyntax telnet IPv6 address telnet to an IPv6 station List of commands in this chapterDescription Multilink ML1200 Managed Field Switch Access ConsiderationsSecuring Access PasswordsPort Security Feature Ps enabledisable CommandsFor example, using the configure port-securitycommand Learn port=number-list enabledisable show port-securityML1200port-security## allow ML1200port-security## ps enableML1200port-security## ps disable Allowing MAC AddressesExample 6-2 Enabling learning on a port Example 6-1 Viewing the port security settingsML1200port-security## learn port=3 enable To deny a mac address, use the followingML1200port-security## signal port=3 logandtrap Save the port-security configuration use the save commandExample 6-4 Removing MAC addresses from specific ports Access Considerations Security Logs Example 6-5 Configuring port securitySet logsize size=1-1000 Example 6-6 Security log commandsML1200# show log Removeall AccessShow ip-access Authorized ManagersML1200access## exit ML1200# accessExample 6-7 Allowing/blocking specific IP addresses After enabling the EnerVista Secure Web Management software Configuring Port Security with EnerVista SoftwareAccess Considerations Access Considerations Logs Authorized Managers Access Considerations Access Considerations Introduction to Multilink ML1200 Managed Field Switch Access Using Radius2 802.1x Protocol 802.1x network components 802.1x authentication details Auth Configuring 802.1x through the Command Line InterfaceShow auth configports Auth enabledisableShow-stats port=num Show-statscommand displays 802.1x related statisticsTrigger-reauthport=numlistrange Example Example 7-1 Setting port control parametersOn following ML1200auth## show-port backend Setting port control parametersML1200auth## ML1200auth## shoW-port reauthCommands To edit the port settings, click on the edit icon Select the Configuration Radius Port Access menu item Access Using Radius Access Using Radius After all the port characteristics are enabled Introduction to TACACS+ Multilink ML1200 Managed Field Switch Access using TACACS+TACACS+ Packet TACACS+ FlowTacacs packet format Packet type Possible values areShow tacplus statusservers Configuring TACACS+ through the Command Line InterfaceTacplus enabledisable Example 8-1 below, illustrates how to configure TACACS+ML1200user## tacplus enable Example 8-1 Configuring TACACS+ML1200user## tacplus disable Access Using TACACS+ Access Using TACACS+ Access Using TACACS+ Port Mirroring Multilink ML1200 Managed Field Switch Port Mirroring SetupPort-mirror Port Mirroring using the Command Line InterfacePrtmr enabledisable Show port-mirrorDevice Port SetupDevice command enters the device configuration mode Setport command configures the port characteristicsML1200device## exit ML1200# Example 9-1 Port setupML1200# device ML1200device## show portFlowcontrol xonlimit=value xofflimit=value Where the rxthreshold value can be from 4 to 30 default isFlow Control Back PressureML1200device## show port=11 Back pressure and flow controlBroadcast Storms Rate-thresholdport=portlistrange rate=frames/sec Broadcast-protect enabledisableShow broadcast-protect Example 9-3 Preventing broadcast storms Link Loss AlertML1200device## show port=3 Example 9-4 Link loss alertSelect the Configuration Port Mirroring menu item Port Setup Port Mirroring and Setup Port Mirroring and Setup Broadcast Storm menu Port Mirroring and Setup Vlan Description Multilink ML1200 Managed Field Switch VlanVlan Tag Vlan vs. Port Vlan Multilink ML1200 supports up to 32 VLANs per switch10-4 Set vlan type=porttagnone Configuring Port VLANs through the Command Line InterfaceAdd id=vlan Id name=vlan name port=numberlistrange Show vlan type=porttag id=vlanid Start vlan=namenumberlistrangeSave Edit id=vlan Id name=vlan name port=numberlistrangeVlan VID=1 Currently assigned Port VLANs are displayed as follows Select the Configuration Vlan Port-Based menu item10-9 10-10 10-11 Show-port port=portlistrange Configuring Tag VLANs through the Command Line Interface10-13 Example 10-1 Converting Port Vlan to Tag Vlan ML1200tag-vlan##add id=20 name=marketing port=3-5 Converting Port Vlan to Tag VlanML1200tag-vlan##set-port port=3-5 filter status=enable Name engineering Status Active Port Mode Status Tagged 10-19 Next step is to define the VLANs needed. To do that Click On Configuration vlan tag-based Menu10-21 Select the Configuration Vlan Tag-Based Tagging menu 10-23 10-24 Gvrp Concepts Vlan Registration over GarpVlan Registration Over Garp Gvrp OperationsVlan assignment in Gvrp enabled switches Show-vlan Port settings for Gvrp operationsStatic vlan=VID ML1200gvrp## static vlan=10 ML1200gvrp## show-vlan Gvrp optionsExample 11-1 Converting a dynamic Vlan to a static Vlan ML1200# gvrp ML1200gvrp## show-vlan11-6 Show-forbid Configuring Gvrp through the Command Line InterfaceGvrp Operation Notes Show gvrpExample 11-2 Configuring Gvrp Select the Configuration Vlan Gvrp menu item To configure GvrpGvrp options on 11-10 Features and Operation Spanning Tree Protocol STP STP default valuesShow stp configports Configuring STPExample 12-2 Viewing STP ports Example 12-1 Viewing STP configurationShow active-stp Stp enabledisableStp Set stp type=stprstpExample 12-3 Enabling STP Example 12-3shows how to enable STP using the above commandsTimers forward-delay=4-30 hello=1-10 age=6-40 ML1200stp##show stp ports Example 12-4 Configuring STP parametersConfiguring STP parameters ML1200stp##cost port=2 value=20 ML1200stp##port port=1 status=enable Designated Root Priority 15535 Rstp concepts Rapid Spanning Tree Protocol Transition from STP to Rstp13-3 Rstp Configuring Rstp through the Command Line InterfaceRstp enabledisable Normal Rstp13-5 Example 13-2 Reviewing the Rstp port parameters Forceversion stprstp Path cost as defined in Ieee 802.1d / 802.1wShow-forceversion Port port=numberlistrange status=enabledisable Show-timersML1200rstp##show stp config Example 13-4 Configuring RstpConfiguring Rstp ML1200rstp##priority port=2 value=100 ML1200rstp##port port=1 status=disable Romode add port=portlistrange romode del port=portlistrange Syntax for the romode command on Rstp is shown belowML1200rstp##romode add port=1,2 Example 13-5 Configuring smart RSTP, ring-only mode13-15 Status Indicates whether STP or Rstp is enabled 13-17 Path cost defined in Ieee 802.1d and 802.1w 13-19 Click the Edit button to configure Rstp Then Save Enable Status 13-22 QoS Overview Multilink ML1200 Managed Field Switch Quality of ServiceQoS Concepts IP Precedence DiffServ and QoSIP Precedence ToS Field in an IP Packet Header Qos Configuring QoS through the Command Line InterfaceSet-weightweight=0-7 Show-portweightSet-untagport=portlistrange priority=highlow tag=0-7 Port weight settingsShow qos command displays the QoS settings Show qos type=porttagtos port=portlistrangeExample 14-1 Configuring QoS Following example shows how to configure QoSConfiguring QoS ML1200qos##set-weight weight=4 ML1200qos##show-portweight 14-9 14-10 14-11 14-12 Igmp Concepts Multilink ML1200 Managed Field Switch IgmpIgmp Figure below shows a network running Igmp Isolating multicast traffic in a network IP Multicast FiltersIgmp Support Reserved Addresses Excluded from IP Multicast Igmp FilteringIgmp Configuring Igmp through the Command Line InterfaceIgmp enable/disable Show igmp command displays the Igmp statusShow-port Show-groupShow-router ML1200igmp## show-router Following example shows how to configure IgmpExample 15-1 Configuring Igmp ML1200igmp## show-portConfiguring Igmp ML1200igmp## mcast enable ML1200igmp## mcast disable15-11 15-12 Snmp Concepts Multilink ML1200 Managed Field Switch SnmpSnmp SNMPv1 standards TrapsStandards Enterprise Traps IntruderRFC 2271-2275 SNMPv3 Configuring Snmp through the Command Line Interface Show-view id=id Following example shows how to configure SnmpShow-trap id=id# Show-group id=idExample 16-1 Configuring Snmp Configuring Snmp ML1200snmpv3## show-view id=1 ML1200snmpv3## show-groupML1200snmpv3## show-group id=1 ML1200snmpv3## show-viewML1200snmpv3## show-user id=2 ML1200snmpv3## show-accessML1200snmpv3## show-access id=1 ML1200snmpv3## show-user16-11 Multiple managers can be added as shown below 16-13 16-14 Rmon Configuring RmonML1200rmon## exit ML1200# ML1200rmon## show rmon eventMail Multilink ML1200 Managed Field Switch MiscellaneousShow smtp configrecipients Smtp enabledisableSmtp Delete id=1-5 Server command configures the global Smtp server settingsServer ip=ip-addr port=1-65535 retry=0-3 domain=domain ML1200smtp##show smtp config Statistics Following figure displays the port statistics for group Optimizing serial connection in HyperTerminal Serial ConnectivityShow history HistoryShow version Ping Ping through the Command Line InterfacePing through EnerVista Secure Web Management software Prompt Changing the Command Line PromptSet prompt prompt string Example 17-2 Typical system event log Command Line Interface ExampleSystem Events Following example illustrates a typical event logEnerVista Example Select the Configuration Statistics Log Statistics menu item17-13 Main Commands Command ReferenceSet password sets the current user password Set commands are listed belowSet timeout sets the system inactivity time out Authorization commands are shown below Configuration commandsSnmp enables or disables Snmp Alarm commands are shown belowVlan Registration over Garp for details Device commands are shown belowRapid Spanning Tree Protocol for additional details Setqos configures QOS configuration usageSpanning Tree Protocol STP for additional details Passwd change the user password17-20 Following command-line interface settings are available Multilink ML1200 Managed Field Switch Modbus ProtocolModbus Configuration Command Line Interface SettingsML1200access## show modbus ML1200# access ML1200access## modbus enableML1200access## modbus port=602 Select the Configuration Access Modbus menu item EnerVista SettingsModbus Memory Map Memory MappingModbus memory map Sheet 1 Modbus memory map Sheet 2 Modbus memory map Sheet 3 Modbus memory map Sheet 4 Modbus memory map Sheet 5 Modbus memory map Sheet 6 Modbus memory map Sheet 7 Modbus memory map Sheet 8 Modbus memory map Sheet 9 Modbus memory map Sheet 10 Modbus memory map Sheet 11 Modbus memory map Sheet 12 Modbus memory map Sheet 13 Modbus memory map Sheet 14 Modbus memory map Sheet 15 Modbus memory map Sheet 16 Modbus memory map Sheet 17 Modbus memory map Sheet 18 Modbus memory map Sheet 19 Modbus memory map Sheet 20 Modbus memory map Sheet 21 Modbus memory map Sheet 22 Modbus memory map Sheet 23 Modbus memory map Sheet 24 Modbus memory map Sheet 25 Modbus memory map Sheet 26 Modbus memory map Sheet 27 Modbus memory map Sheet 28 Modbus memory map Sheet 29 Modbus memory map Sheet 30 Modbus memory map Sheet 31 Modbus memory map Sheet 32 Modbus memory map Sheet 33 Format Codes 18-38 Changes to the Manual Multilink ML1200 Managed Field Switch Appendix aRevision History Change NotesGE Multilin Warranty Statement WarrantyMultilin Power Consumption 48 V DC, 24 V DC and 125 V DC Power, Theory of Operation Applications for DC Powered Ethernet Switches ML1200, -48 V, 24 V, 125 V DC Installation UL Requirements for DC-powered units Operation DC Power Input Appendix C Internal DC Dual- Source Power Input Power Supply Internal, -48VDC Dual-Source Specifications for Multilink ML1200 Field SwitchChapter C Internal DC DUAL-SOURCE Power Input Option Dual-Source Option Theory of Operation Features and Benefits of the Dual-Source Design Installation