Manuals / Juniper Networks / Computer Equipment / Switch

Juniper Networks manual Switch User Accounts, Radius Attributes for EX2500 User Privileges

Models: EX2500

1 102

Download 102 pages 52.15 Kb

Page 27

Chapter 1: Accessing the Switch

Switch User Accounts

The user accounts listed in Table 4 can be defined in the RADIUS server dictionary file.

Table 4: User Access Levels

User Account	Description and Tasks Performed	Password

User	The User has no direct responsibility for switch management.	user
	He or she can view all switch status information and statistics
	but cannot make any configuration changes to the switch.

Operator	The Operator manages all functions of the switch. The	oper
	Operator can reset ports, except the management port.

Administrator	The super-user Administrator has complete access to all	admin
	commands, information, and configuration commands on the
	switch, including the ability to change both the user and
	administrator passwords.

RADIUS Attributes for EX2500 User Privileges

When the user logs in, the switch authenticates his or her level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server.

If the remote user is successfully authenticated by the authentication server, the switch will verify the privileges of the remote user and authorize the appropriate access. The administrator has an option to allow secure backdoor access via Telnet, SSH, or the Web Device Manager. Secure backdoor provides switch access when the RADIUS servers cannot be reached. You always can access the switch via the console port, by using noradius and the administrator password, whether secure backdoor is enabled or not.

NOTE: To obtain the RADIUS backdoor password for your EX2500 switch, contact technical support.

All user privileges, other than those assigned to the Administrator, have to be defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The filename of the dictionary is RADIUS vendor-dependent. Table 5 shows the RADIUS attributes defined for EX2500 user privilege levels.

Table 5: EX2500-Proprietary Attributes for RADIUS

Username/Access	User-Service-Type	Value

User	Vendor-supplied	255

Operator	Vendor-supplied	252

Admin	Vendor-supplied	6

Securing Access to the Switch 13

Image 27

Juniper Networks manual Switch User Accounts, Radius Attributes for EX2500 User Privileges

Contents

North Mathilda Avenue Sunnyvale, CA Configuration GuideIi „ Table of Contents Chapter VLANs Rmon Overview Rmon Group 1-Statistics Rmon Group 2-History Chapter Ports and TrunkingPort Mirroring Overview Configuring Port Mirroring AppendixesIndexes Port-Based Vlan Assignment Default Vlan SettingsPage List of Tables EX2500 Ethernet Switch Configuration Guide „ List of Tables Supported Platforms About This GuideObjectives AudienceIcon Meaning Description Documentation ConventionsList of Technical Publications Documentation FeedbackRequesting Technical Support Opening a Case with Jtac Self-Help Online Tools and ResourcesEX2500 Ethernet Switch Applications Page Configuring the Management Interface Accessing the SwitchConfigure the default gateway. Enable the gateway Dynamic Host Configuration ProtocolUsing the EX2500 Web Device Manager Using TelnetConfiguring EX2500 Web Device Manager Access via Https Configuring EX2500 Web Device Manager Access via HttpSNMPv1, SNMPv2 Using SnmpDefault Configuration User ConfigurationSNMPv3 Configure an entry in the notify table Configuring Snmp Trap HostsSNMPv1 Trap Host Configuration SNMPv2 Trap Host ConfigurationSNMPv3 Trap Host Configuration Securing Access to the SwitchConfigure the Radius secret Radius Authentication and AuthorizationHow Radius Authentication Works Configuring Radius on the SwitchRadius Authentication Features in the EX2500 Switch Radius Attributes for EX2500 User Privileges Switch User AccountsTACACS+ Authentication How TACACS+ Authentication WorksTACACS+ Authentication Features in the EX2500 Switch „ starttime „ stoptime „ elapsedtime „ disccause Command Authorization and Logging Configuring TACACS+ Authentication on the SwitchConfigure the TACACS+ secret and second secret SSH Encryption of Management Messages Configuring SSH Features on the SwitchGenerating RSA Host and Server Keys for SSH Access Secure ShellSSH Integration with Radius and TACACS+ Authentication End User Access ControlUser Access Control Considerations for Configuring End User AccountsLogging In to an End User Account Listing Current UsersVlan Overview VLANsPvid Numbers „ Port configurationVLANs and Port Vlan ID Numbers Vlan NumbersVlan Tagging Illustrates the default Vlan settings on the switchDefault Vlan Settings Port-Based Vlan Assignment Vlan Topologies and Design Considerations Vlan Configuration RulesMultiple VLANs example in is described in Table Multiple VLANs Configuration ExampleEnable tagging on uplink ports that support multiple VLANs Private Vlan Ports Private VLANsVerify the configuration Private Vlan Configuration GuidelinesPrivate Vlan Configuration Example Configure a secondary Vlan and map it to the primary VlanSpanning Tree Overview Spanning Tree ProtocolBridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUsBridge Priority Port Path Cost Spanning Tree Group Configuration GuidelinesChanging the Spanning Tree Mode Port PriorityCreating a Vlan Rules for Vlan Tagged PortsAdding and Removing Ports from STGs Port State Changes Rapid Spanning Tree ProtocolEdge Port Rstp Configuration GuidelinesRstp Configuration Example Port Type and Link TypeDefault Spanning Tree Configuration Why Do We Need Multiple Spanning Trees?Per Vlan Rapid Spanning Tree Configuring Pvrst Pvrst Configuration GuidelinesCommon Internal Spanning Tree Mstp Configuration GuidelinesMultiple Spanning Tree Protocol Mstp RegionImplementing Multiple Spanning Tree Groups Multiple Spanning Tree Groups Configuration ExampleVlan Fast Uplink ConvergenceConfiguring Fast Uplink Convergence Configuration GuidelinesPorts and Trunking Trunking OverviewStatistical Load Distribution Built-In Fault Tolerance Before Configuring Static TrunksTrunk Group Configuration Rules Port Trunk Group Configuration Example Port Trunking Configuration ExampleFollow these steps on the EX2500 switch Define a trunk group „ Destination IP DIP Configurable Trunk Hash AlgorithmLink Aggregation Control Protocol „ Destination MAC Dmac48 „ Link Aggregation Control Protocol Set the Lacp mode Lacp Configuration GuidelinesConfiguring Lacp Optionally Reducing Lacp TimeoutEx2500config-if# lacp timeout short ex2500config-if# exit QoS Overview Quality of ServiceCOS Using ACL FiltersTo delete an IP Standard ACL MAC Extended ACLsIP Standard ACLs To delete a MAC Extended ACLTo delete an IP Extended ACL IP Extended ACLsTCP/UDP Understanding ACL PriorityACL Example 1-Blocking Traffic to a Host ACL Configuration ExamplesAssigning ACLs to a Port Viewing ACL StatisticsAdd the ACL to a port ACL Example 3-Blocking Http TrafficAssign the ACLs to a port ACL Example 4-Blocking All Except Certain PacketsUsing Storm Control Filters Configuring Storm ControlBroadcast Storms Differentiated Services Concepts Using Dscp Values to Provide QoSAssured Forwarding Drop Precedence Class Per Hop BehaviorUse the following command to perform Dscp mapping QoS LevelsDscp Mapping Shows the priority bits in a VLAN-tagged packet Using 802.1p Priority to Provide QoSQueuing and Scheduling Rmon Overview Remote MonitoringRmon Group 1-Statistics Configure the Rmon statistics on a portRmon Group 2-History Configuring Rmon HistoryConfigure the Rmon History parameters for a port This configuration enables Rmon History collection on portConfigure the Rmon Alarm parameters to track Icmp messages Rmon Group 3-AlarmsAlarm MIB Objects Configuring Rmon AlarmsRmon Group 9-Events Ex2500config# rmon event 110 type log-onlyPage Igmp Snooping IgmpFastLeave IGMPv3 Snooping Igmp Snooping Configuration ExampleEx2500# show ip igmp groups Static Multicast RouterHigh Availability Overview High Availability Through Uplink Failure DetectionFailure Detection Pair Spanning Tree Protocol with UFD UFD Configuration GuidelinesMonitoring UFD UFD Configuration ExamplePage Appendixes EX2500 Ethernet Switch Configuration Guide 80 „ Appendixes Port Mirroring Overview „ Port Mirroring Overview on „ Configuring Port Mirroring onConfiguring Port Mirroring „ Index on IndexesEX2500 Ethernet Switch Configuration Guide 84 „ Indexes Numerics IndexInternet Group Management Protocol. See Igmp Management interface, configuringMulti-links between switches, port trunking Physical. See switch portsSegmentation. See IP subnets Segments. See IP subnets Quality of Service. See QoSQoS SecurityExample showing multiple VLANs Virtual Local Area Networks. See VLANs