SMC Networks 10/100/1000 SMCGS8P-Smart , S, 2-130

C

ONFIGURING

THE

S

WITCH

2-130

The IEEE 802.1x (dot1x) standard defines a port-based access

control procedure that prevents unauthorized access to a network

by requiring users to first enter a user ID and password for

authentication. Access to all switch ports in a network can be

centrally controlled from a server, which means that authorized

users can use a single user ID and password for authentication

from any point within the network.

This switch uses the Extensible Authentication Protocol over LAN

(EAPOL) with MD5 authentication to exchange authentication

protocol messages with the client, and a remote login

authentication server (i.e., RADIUS) to verify user identity and

access rights. When a client (i.e., Supplicant) connects to a switch

port, the switch (i.e., Authenticator) responds with an identity

request. The client provides its identity to the switch, which it

forwards to the authentication server. The authentication server

verifies the client identity and sends this information back to the

switch. The switch then issues an MD5 access challenge to the

client, and the client returns an MD5 response to the switch based

on its user ID and password. If authentication is successful, the

switch allows the client to access the network. Otherwise, network

access is denied and the port remains blocked.

The operation of dot1x on the switch requires the following:

• The switch must have an IP address assigned.

• RADIUS authentication must be enabled on the switch and the

IP address of the RADIUS server specified.

• Each switch port that will be used must be set to dot1x “Auto”

mode.

• Each client requiring authentication must have 802.1x client

software installed and be properly configured. The

configuration includes specifying the client identity (user ID)

b_mgmt.book Page 130 Tuesday, July 8, 2003 5:24 PM

Contents

Main TigerSwitch 10/100/1000 Gigabit Ethernet Switch Managemen t Guide Page Page Page L W IMITED v ARRANTY W IMITED ARRANTY vi vii ONTENTS 1 Switch Management 1-1 2 Configuring the Switch 2-1 viii ix 3 Command Line Interface 3-1 x xi xii xiii Page 1-1 1 S M WITCH ANAGEMENT Connecting to the Switch M 1-2 Page M 1-4 Remote Connections C 1-5 Basic Configuration Console Connection M 1-6 Setting Passwords C 1-7 Setting an IP Address M 1-8 C 1-9 M 1-10 Enabling SNMP Management Access C 1-11 M 1-12 Saving Configuration Settings S F Managing System Files M 1-14 System Defaults D 1-15 M 1-16 D 1-17 Page 2-1 2 S THE ONFIGURING Navigating the Web Browser Interface Page S 2-4 Panel Display M 2-5 Main Menu S 2-6 M 2-7 S 2-8 Basic Configuration Displaying System Information C 2-9 Page C 2-11 Setting the IP Address S 2-12 C 2-13 Manual Configuration Using DHCP/BOOTP Security Configuring the Logon Password 2-15 S 2-16 Configuring RADIUS/TACACS+ Logon Authentication 2-17 S 2-18 2-19 Page 2-21 Configuring HTTPS S 2-22 2-23 Replacing the Default Secure-site Certificate S 2-24 Configuring SSH ECURITY 2-25 CLI Enter the following commands to configure the SSH service. S 2-26 Managing Firmware Downloading System Software from a Server Page S 2-28 Saving or Restoring Configuration Settings F 2-29 Page F 2-31 Displaying Bridge Extension Capabilities Page F ANAGING IRMWARE 2-33 Web Click System, Bridge Extension. Page F ANAGING IRMWARE 2-35 Web Click System, Switch Information. Port Configuration C ORT ONFIGURATION 2-37 CLI This example shows the connection status for Port 13. S 2-38 Configuring Interface Connections C 2-39 Page C 2-41 Setting Broadcast Storm Thresholds Page Page S 2-44 Configuring Port Security C 2-45 Port Security Action S 2-46 Port Security Configuration Address Table Settings Page Page Page Spanning Tree Protocol Configuration S 2-52 T C P 2-53 STP Information S 2-54 Page S THE ONFIGURING WITCH T C P 2-57 STP Configuration S 2-58 T C P 2-59 Page T C P 2-61 STP Port and Trunk Information S 2-62 T C P 2-63 Page T C P 2-65 STP Port and Trunk Configuration S 2-66 T C P 2-67 S 2-68 Page S 2-70 VLAN Configuration 2-71 Assigning Ports to VLANs S 2-72 2-73 Forwarding Tagged/Untagged Frames S 2-74 Displaying Basic VLAN Information 2-75 Displaying Current VLANs Command Attributes for Web Interface Page 2-77 Creating VLANs S 2-78 2-79 Adding Interfaces Based on Membership Type S 2-80 2-81 Page 2-83 Configuring VLAN Behavior for Interfaces S 2-84 2-85 Page Class of Service Configuration Page Page Page C S 2-91 Page C S 2-93 Mapping Layer 3/4 Priorities to CoS Values Page Page Page C S 2-97 Mapping DSCP Priority Page Page S 2-100 Port Trunk Configuration T C 2-101 Page Page S 2-104 Statically Configuring a Trunk Page S 2-106 Configuring SNMP Page Page Page Page SNMP 2-111 Page C 2-113 Multicast Configuration Configuring IGMP Parameters S 2-114 C 2-115 S THE ONFIGURING WITCH Page S 2-118 Specifying Interfaces Attached to a Multicast Router C 2-119 Displaying Port Members of Multicast Services Command Attribute Page C 2-121 Adding Multicast Addresses to VLANs Command Attribute Showing Device Statistics D S 2-123 Statistical Values S 2-124 D S 2-125 S 2-126 Page Page 801.1X P A ORT UTHENTICATION 801.1X Port Authentication S 2-130 801.1X P A 2-131 802.1x Port Configuration S 2-132 Page S 2-134 802.1x Statistics The 802.1x protocol includes statistics for 802.1x protocol exchanges for any port. Page Page 3-1 3 I INE L OMMAND L I 3-2 Telnet Connection Page Entering Commands Page L I 3-6 The command show interfaces ? will display the following information: Partial Keyword Lookup Page L I 3-8 Exec Commands E C 3-9 Configuration Commands L I 3-10 Command Line Processing Page L I 3-12 Command Groups The system commands can be broken down into the functional groups shown be low G 3-13 L I 3-14 General Commands enable C 3-15 disable L I 3-16 configure C 3-17 show history Page C 3-19 exit quit L Flash/File Commands C 3-21 copy L I 3-22 C 3-23 delete L I 3-24 dir C 3-25 whichboot L I 3-26 boot system M System Management Commands L I 3-28 M C 3-29 hostname L I 3-30 username M C 3-31 enable password L I 3-32 jumbo frame M C 3-33 ip http port L I 3-34 ip http server M C 3-35 ip http secure-server L I 3-36 ip http secure-port M C 3-37 ip ssh L I 3-38 ip ssh server M C 3-39 disconnect ssh Page M C 3-41 logging on L I 3-42 logging history M C 3-43 Page Page L I 3-46 Messages sent include the selected level up through level 0. Default Setting Level 3 - 0 Command Mode Global Configuration Example M C 3-47 clear logging show logging L I 3-48 show startup-config M C 3-49 L I 3-50 Example Related Commands show running-config (3-51) M C 3-51 show running-config L I 3-52 show system M C 3-53 show users L I 3-54 show version C Authentication Commands L I 3-56 authentication login C 3-57 Page C 3-59 radius-server key L I 3-60 radius-server retransmit radius-server timeout C 3-61 show radius-server tacacs-server host L I 3-62 tacacs-server port Page L I 3-64 Example SNMP Commands 3-65 snmp-server community Page 3-67 snmp-server host L I 3-68 3-69 snmp-server enable traps L I 3-70 snmp ip filter 3-71 show snmp L I 3-72 3-73 IP Commands L I 3-74 ip address 3-75 ip dhcp restart L I 3-76 ip default-gateway 3-77 show ip interface Page 3-79 L I 3-80 Line Commands C 3-81 line L I 3-82 login C 3-83 password L I 3-84 exec-timeout C 3-85 password-thresh L I 3-86 silent-time C 3-87 databits L I 3-88 parity C 3-89 speed Page C 3-91 Interface Commands L I 3-92 interface C 3-93 description L I 3-94 speed-duplex C 3-95 negotiation L I 3-96 capabilities C 3-97 flowcontrol L I 3-98 C 3-99 shutdown L I 3-100 switchport broadcast C 3-101 port security L I 3-102 clear counters C 3-103 show interfaces status L I 3-104 show interfaces counters C 3-105 L I 3-106 show interfaces switchport T Address Table Commands L I 3-108 mac-address-table static T C 3-109 show mac-address-table L I 3-110 Page Page T C 3-113 Spanning Tree Commands L I 3-114 spanning-tree T C 3-115 spanning-tree mode L I 3-116 spanning-tree forward-time T C 3-117 spanning-tree hello-time L I 3-118 spanning-tree max-age T C 3-119 spanning-tree priority L I 3-120 spanning-tree pathcost method Page L I 3-122 spanning-tree cost T C 3-123 spanning-tree port-priority L I 3-124 spanning-tree portfast T C 3-125 spanning-tree edge-port L I 3-126 spanning-tree protocol-migration T C 3-127 spanning-tree link-type L I 3-128 show spanning-tree T C REE PANNING OMMANDS VLAN Commands 3-131 vlan database L I 3-132 vlan 3-133 interface vlan L I 3-134 switchport mode 3-135 switchport acceptable-frame-types L I 3-136 switchport ingress-filtering 3-137 switchport native vlan L I 3-138 switchport allowed vlan 3-139 switchport forbidden vlan L I 3-140 show vlan GVRP GVRP and Bridge Extension Commands L I 3-142 switchport gvrp Page L I 3-144 garp timer Page L I 3-146 bridge-ext gvrp Page L I 3-148 IGMP Snooping Commands C 3-149 ip igmp snooping L I 3-150 ip igmp snooping vlan static C 3-151 ip igmp snooping version L I 3-152 show ip igmp snooping show mac-address-table multicast C 3-153 ip igmp snooping querier L I 3-154 ip igmp snooping query-count C 3-155 ip igmp snooping query-interval L I 3-156 ip igmp snooping query-max-response-time C 3-157 ip igmp snooping router-port-expire-time L I 3-158 ip igmp snooping vlan mrouter C 3-159 show ip igmp snooping mrouter L I Priority Commands C 3-161 switchport priority default L I 3-162 queue bandwidth C 3-163 queue cos-map L I 3-164 C 3-165 show queue bandwidth L I 3-166 show queue cos-map map ip precedence (Global Configuration) C 3-167 map ip precedence (Interface Configuration) L I 3-168 C 3-169 map ip dscp (Global Configuration) L I 3-170 map ip dscp (Interface Configuration) C 3-171 show map ip precedence L I 3-172 show map ip dscp C 3-173 L I 3-174 Mirror Port Commands port monitor P C 3-175 show port monitor L I 3-176 T C Port Trunking Commands L I 3-178 channel-group T C 3-179 lacp L I 3-180 A PPENDIX A-1 A T ROUBLESHOOTING A-2 Page U P S F B-3 Page G Glossary-1 LOSSARY Glossary-2 Glossary-3 Glossary-4 Glossary-5 Glossary-6 Glossary-7 Page I NDEX Index-2 P R S T U