Manuals / Brands / Computer Equipment / Switch / SMC Networks / Computer Equipment / Switch

SMC Networks SMC6824M , S, 3-88, Configuring 802.1X Port Authentication

1 608

Download 608 pages, 7.06 Mb

C

ONFIGURING

THE

S

WITCH

3-88

Configuring 802.1X Port Authentication

Network switches can provide open and easy access to network resources

by simply attaching a client PC. Although this automatic configuration and

access is a desirable feature, it also allows unauthorized personnel to easily

intrude and possibly gain access to sensitive network data.

The IEEE 802.1X (dot1x) standard defines a port-based access control

procedure that prevents unauthorized access to a network by requiring

users to first submit credentials for authentication. Access to all switch

ports in a network can be centrally controlled from a server, which means

that authorized users can use the same credentials for authentication from

any point within the network.

This switch uses the

Extensible

Authentication

Protocol over LANs

(EAPOL) to exchange

authentication

protocol messages

with the client, and a

remote RADIUS

authentication server

to verify user identity and access rights. When a client (i.e., Supplicant)

connects to a switch port, the switch (i.e., Authenticator) responds with an

EAPOL identity request. The client provides its identity (such as a user

name) in an EAPOL response to the switch, which it forwards to the

RADIUS server. The RADIUS server verifies the client identity and sends

an access challenge back to the client. The EAP packet from the RADIUS

server contains not only the challenge, but the authentication method to be

used. The client can reject the authentication method and request another,

depending on the configuration of the client software and the RADIUS

server. The authentication method must be MD5. The client responds to

the appropriate method with its credentials, such as a password or

certificate. The RADIUS server verifies the client credentials and responds

with an accept or reject packet. If authentication is successful, the switch

802.1x

client

RADIUS

server

1. Client attempts to access a switch port.

2. Switch sends client an identity request.

3. Client sends back identity information.

4. Switch forwards this to authentication server.

5. Authentication server challenges client.

6. Client responds with proper credentials.

7. Authentication server approves access.

8. Switch grants client access to this port.

Contents

Main TigerStack III 10/100 Port Fast Ethernet Swi 24- tch Management Guide Page Page Page L W IMITED ARRANTY W IMITED ARRANTY ii ABLE OF iii ONTENTS 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 C iv C v C vi C vii 4 Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . 4-1 C viii C ix C x C xi C xii C xiii C xiv C xv C xvi A Page xix ABLES xx xxi Page F xxiii IGURES xxiv xxv Page 1-1 NTRODUCTION Key Features 1-2 Description of Software Features Table 1-1 Key Features F S 1-3 1-4 F S 1-5 1-6 D 1-7 System Defaults 1-8 D 1-9 1-10 NITIAL 2-1 ONFIGURATION Connecting to the Switch Configuration Options C 2-2 S 2-3 Required Connections C 2-4 Remote Connections O 2-5 Stack Operations Selecting the Stack Master Recovering from Stack Failure or Topology Change C 2-6 Basic Configuration Console Connection C 2-7 Setting Passwords Setting an IP Address C 2-8 C 2-9 C 2-10 Enabling SNMP Management Access C 2-11 C 2-12 C 2-13 Saving Configuration Settings C 2-14 Managing System Files P E 2-15 Configuring Power over Ethernet Page 3-1 CHAPTER 3 CONFIGURING THE SWITCH Using the Web Interface Page Navigating the Web Browser Interface Page Page S 3-6 Main Menu Table 3-2 Switch Main Menu I B W 3-7 S 3-8 I B W 3-9 S 3-10 I B W 3-11 S 3-12 C 3-13 Basic Configuration Displaying System Information Page C ASIC 3-15 CLI Specify the hostname, location and contact information. Displaying Switch Hardware/Software Versions S 3-16 C ASIC 3-17 Web Click System, Switch Information. S 3-18 Displaying Bridge Extension Capabilities C 3-19 Setting the IP Address S 3-20 Page S 3-22 Using DHCP/BOOTP C 3-23 Managing Firmware S 3-24 Downloading System Software from a Server Page S 3-26 Saving or Restoring Configuration Settings C 3-27 Page C 3-29 S 3-30 Console Port Settings C 3-31 S 3-32 C 3-33 Telnet Settings S 3-34 Page S 3-36 C 3-37 Remote Log Configuration S 3-38 C 3-39 Displaying Log Messages S 3-40 Sending Simple Mail Transfer Protocol Alerts Page S 3-42 Resetting the System C 3-43 Setting the System Clock Configuring SNTP S 3-44 Setting the Time Zone N Simple Network Management Protocol S 3-46 N P M 3-47 Table 3-4 SNMPv3 Security Models and Levels Page Page S 3-50 Specifying Trap Managers and Trap Types N P M 3-51 S 3-52 Page S 3-54 Specifying a Remote Engine ID N P M 3-55 Configuring SNMPv3 Users Page Page S 3-58 Configuring Remote SNMPv3 Users N P M 3-59 Page N P M 3-61 Configuring SNMPv3 Groups S 3-62 Notify View The configured view for notifications. (Range: 1-64 characters) Table 3-5 Supported Notification Messages N P M 3-63 S 3-64 N P M 3-65 Page N P M 3-67 Setting SNMPv3 Views Page A 3-69 User Authentication Page Page S 3-72 Configuring Local/Remote Logon Authentication A 3-73 Page A SER UTHENTICATION 3-75 CLI Specify all the required parameters to enable logon authentication. S 3-76 A 3-77 Replacing the Default Secure-site Certificate S 3-78 Configuring the Secure Shell A 3-79 S 3-80 A 3-81 Generating the Host Key Pair Page A 3-83 Configuring the SSH Server S 3-84 A 3-85 Configuring Port Security S 3-86 Page S 3-88 Configuring 802.1X Port Authentication A 3-89 Displaying 802.1X Global Settings Command Attributes S 3-90 Configuring 802.1X Global Settings A 3-91 Configuring Port Settings for 802.1X S 3-92 A SER UTHENTICATION 3-93 S 3-94 Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. A 3-95 S 3-96 Filtering IP Addresses for Management Access A 3-97 S 3-98 Access Control Lists Configuring Access Control Lists C L 3-99 Setting the ACL Name and Type S 3-100 Configuring a Standard IP ACL C L 3-101 Configuring an Extended IP ACL S 3-102 Page S 3-104 Configuring a MAC ACL Page Page Page S 3-108 Configuring an IP ACL Mask Page S 3-110 Configuring a MAC ACL Mask Page S 3-112 Binding a Port to an Access Control List Page S 3-114 Port Configuration Displaying Connection Status Command Attributes (Web) C 3-115 Field Attributes (CLI) Basic information: Configuration: S 3-116 Current status: C 3-117 Configuring Interface Connections S 3-118 C 3-119 S 3-120 Creating Trunk Groups C } 3-121 Statically Configuring a Trunk Page C } 3-123 Enabling LACP on Selected Ports } S 3-124 C 3-125 Configuring LACP Parameters Dynamically Creating a Port Channel S 3-126 Page S 3-128 C 3-129 Displaying LACP Port Counters You can display statistics for LACP protocol messages. Figure 3-55 Displaying LACP Port Counters Information S 3-130 CLI The following example displays LACP counters for port channel 1. Displaying LACP Settings and Status for the Local Side C 3-131 Table 3-9 LACP Internal Configuration Information (Continued) S 3-132 C 3-133 Displaying LACP Settings and Status for the Remote Side Table 3-10 LACP Neighbor Configuration Information S 3-134 C 3-135 Setting Broadcast Storm Thresholds S 3-136 Configuring Port Mirroring C 3-137 Page C 3-139 Showing Port Statistics S 3-140 C 3-141 S 3-142 C 3-143 Page O S E 3-145 Power Over Ethernet Settings S 3-146 Switch Power Status Page Page O S E 3-149 Configuring Port PoE Power S 3-150 T S Address Table Settings Setting Static Addresses Page Page Spanning Tree Algorithm Configuration T C A 3-155 x x S 3-156 Displaying Global Settings T C A 3-157 S 3-158 T C LGORITHM A REE S 3-160 Configuring Global Settings T C A 3-161 S 3-162 T C A 3-163 Page T C A 3-165 Displaying Interface Settings S 3-166 T x x C A 3-167 S 3-168 T C A 3-169 Configuring Interface Settings S 3-170 T C A 3-171 S 3-172 Configuring Multiple Spanning Trees Page S 3-174 CLI This displays STA settings for instance 1, followed by settings for each port. Page S 3-176 T C A 3-177 Configuring Interface Settings for MSTP S 3-178 3-179 VLAN Configuration IEEE 802.1Q VLANs S 3-180 Assigning Ports to VLANs 3-181 S 3-182 Forwarding Tagged/Untagged Frames 3-183 Enabling or Disabling GVRP (Global Setting) S 3-184 Displaying Basic VLAN Information 3-185 Displaying Current VLANs Command Attributes (Web) S 3-186 Command Attributes (CLI) Creating VLANs 3-187 S 3-188 Adding Static Members to VLANs (VLAN Index) 3-189 S 3-190 Adding Static Members to VLANs (Port Index) 3-191 Configuring VLAN Behavior for Interfaces S 3-192 3-193 Page 3-195 Displaying Current Private VLANs S 3-196 3-197 Configuring Private VLANs S 3-198 Associating Community VLANs 3-199 Displaying Private VLAN Interface Information S 3-200 Configuring Private VLAN Interfaces 3-201 S 3-202 Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces C ERVICE S OF S 3-204 Mapping CoS Values to Egress Queues C S 3-205 S 3-206 Selecting the Queue Mode Page S 3-208 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values C S 3-209 Mapping IP Precedence S 3-210 C S 3-211 Mapping DSCP Priority Page C S 3-213 Mapping IP Port Priority Page C S 3-215 Copy Settings Page Page S 3-218 Changing Priorities Based on ACL Rules Page S 3-220 Multicast Filtering IGMP Protocol F 3-221 Layer 2 IGMP (Snooping and Query) S 3-222 Configuring IGMP Snooping and Query Parameters F 3-223 S Displaying Interfaces Attached to a Multicast Route 3-224 r F 3-225 Specifying Interfaces Attached to a Multicast Router S 3-226 Displaying Port Members of Multicast Services Command Attribute F 3-227 S 3-228 Assigning Ports to Multicast Services D Configuring Domain Name Service Configuring General DNS Server Parameters S 3-230 Page S 3-232 Configuring Static DNS Host to Address Entries Page S 3-234 Displaying the DNS Cache Page Page 4-1 4 I INE L OMMAND I L C 4-2 Entering Commands Keywords and Arguments C 4-4 Minimum Abbreviation Command Completion Getting Help on Commands L I The command show interfaces ? will display the following information: 4-5 C 4-6 Partial Keyword Lookup Negating the Effect of Commands Using Command History L I 4-7 Exec Commands C 4-8 Configuration Commands L I 4-9 Table 4-2 Configuration Command Modes C 4-10 Command Line Processing L I Command Groups The system commands can be broken down into the functional groups shown below Table 4-4 Command Group Index G 4-12 Table 4-4 Command Group Index (Continued) L I Line Commands Table 4-5 Line Commands C 4-14 line L I 4-15 login C 4-16 password L I 4-17 timeout login response C 4-18 exec-timeout L I 4-19 password-thresh C 4-20 silent-time databits L I 4-21 parity C 4-22 speed L I 4-23 stopbits disconnect C 4-24 show line L I General Commands enable C 4-26 disable L I 4-27 configure show history C 4-28 reload L I 4-29 end exit C 4-30 quit L I System Management Commands Table 4-7 System Management Commands M C 4-32 Device Designation Commands prompt L I 4-33 hostname light unit M C 4-34 User Access Commands username L I 4-35 M C 4-36 enable password L I 4-37 IP Filter Commands management M C 4-38 show management L I Web Server Commands 4-39 Table 4-12 Web Server Commands M C 4-40 ip http port ip http server L I 4-41 ip http secure-server M C 4-42 ip http secure-port L I 4-43 Telnet Server Commands ip telnet server M C 4-44 Secure Shell Commands L I 4-45 Table 4-15 Secure Shell Commands M C 4-46 L I 4-47 ip ssh server M C 4-48 ip ssh timeout L I 4-49 ip ssh authentication-retries M C 4-50 ip ssh server-key size delete public-key L I 4-51 ip ssh crypto host-key generate M C 4-52 ip ssh crypto zeroize ip ssh save host-key L I 4-53 show ip ssh show ssh M C 4-54 Table 4-16 show ssh - display description L I 4-55 show public-key M C Event Logging Commands 4-56 Table 4-17 Event Logging Commands L I 4-57 logging on logging history M C 4-58 L I 4-59 logging host logging facility M C 4-60 logging trap L I 4-61 clear log show logging M C 4-62 L I 4-63 show log M C 4-64 SMTP Alert Commands logging sendmail host L I 4-65 logging sendmail level M C 4-66 logging sendmail source-email L I 4-67 logging sendmail destination-email logging sendmail M C 4-68 show logging sendmail Time Commands L I 4-69 sntp client M C 4-70 sntp server L I 4-71 sntp poll M C 4-72 show sntp L I 4-73 clock timezone M C 4-74 calendar set show calendar L I 4-75 System Status Commands show startup-config M C 4-76 L I 4-77 show running-config M C ANAGEMENT YSTEM 4-78 L I 4-79 show system M C 4-80 show users show version Flash/File Commands Table 4-24 Flash/File Commands C 4-82 copy L I 4-83 C LASH ILE 4-84 The following example shows how to copy the running configuration to a startup file. L I 4-85 C 4-86 delete L I 4-87 dir C 4-88 whichboot L I 4-89 boot system Power over Ethernet Commands L I 4-91 power mainpower maximum allocation power inline compatible C E 4-92 L I 4-93 power inline power inline maximum allocation C E 4-94 power inline priority L I 4-95 show power inline status C E 4-96 show power mainpower Authentication Commands Table 4-29 Authentication Commands Table 4-30 Authentication Sequence Command C 4-98 authentication login L I 4-99 authentication enable C 4-100 RADIUS Client L I 4-101 radius-server host C 4-102 radius-server port radius-server key L I 4-103 radius-server retransmit radius-server timeout C 4-104 show radius-server L I 4-105 TACACS+ Client tacacs-server host C 4-106 tacacs-server port tacacs-server key L I 4-107 show tacacs-server Port Security Commands C 4-108 port security L I 4-109 C 4-110 802.1X Port Authentication Table 4-34 802.1X Port Authentication Commands L I 4-111 dot1x system-auth-control dot1x default C 4-112 dot1x port-control L I 4-113 dot1x operation-mode C 4-114 dot1x re-authenticate dot1x re-authentication L I 4-115 dot1x timeout quiet-period dot1x timeout re-authperiod C 4-116 dot1x timeout tx-period show dot1x L I 4-117 C 4-118 L I 4-119 Access Control List Commands C L 4-120 L I 4-121 C L 4-122 IP ACLs Table 4-36 IP ACL Commands L I 4-123 access-list ip C L 4-124 access-list ip extended fragment-auto-mask permit, deny (Standard ACL) L I 4-125 permit, deny (Extended ACL) C L 4-126 L I 4-127 C L 4-128 show ip access-list L I 4-129 access-list ip mask-precedence C L 4-130 mask (IP ACL) L I 4-131 C IST L ONTROL CCESS L I 4-133 show access-list ip mask-precedence C L 4-134 ip access-group L I 4-135 show ip access-group map access-list ip C L 4-136 show map access-list ip L I 4-137 match access-list ip C MAC ACLs L 4-138 show marking L I 4-139 access-list mac C L 4-140 permit, deny (MAC ACL) L I 4-141 C L 4-142 show mac access-list L I 4-143 access-list mac mask-precedence C L 4-144 mask (MAC ACL) L I This example creates an Egress MAC ACL. 4-145 C L 4-146 show access-list mac mask-precedence mac access-group L I 4-147 show mac access-group map access-list mac C L 4-148 show map access-list mac L I 4-149 match access-list mac C L 4-150 ACL Information show access-list L SNMP Commands 4-152 snmp-server L I 4-153 show snmp 4-154 snmp-server community snmp-server contact L I 4-155 snmp-server location 4-156 snmp-server host L I 4-157 4-158 L I 4-159 snmp-server enable traps 4-160 snmp-server engine-id L I 4-161 show snmp engine-id 4-162 snmp-server view L I 4-163 show snmp view 4-164 snmp-server group L I 4-165 show snmp group 4-166 Table 4-44 show snmp group - display description L I 4-167 snmp-server user 4-168 L I 4-169 show snmp user This command shows information on SNMP users. Command Mode Interface Commands Table 4-46 Interface Commands L I 4-171 interface description C 4-172 speed-duplex L I 4-173 negotiation C 4-174 capabilities L I 4-175 flowcontrol C 4-176 shutdown L I 4-177 switchport broadcast packet-rate C 4-178 clear counters L I 4-179 show interfaces status C 4-180 show interfaces counters L I 4-181 C 4-182 show interfaces switchport L I 4-183 Table 4-47 show interfaces switchport - display description P Mirror Port Commands port monitor L I 4-185 show port monitor R Rate Limit Commands L I 4-187 rate-limit A Link Aggregation Commands L I 4-189 A C 4-190 channel-group lacp L I 4-191 A C 4-192 lacp system-priority L I 4-193 lacp admin-key (Ethernet Interface) A C 4-194 lacp admin-key (Port Channel) L I 4-195 lacp port-priority A C 4-196 show lacp L I 4-197 Table 4-52 show lacp internal - display description Table 4-51 show lacp counters - display description (Continued) A C 4-198 Table 4-52 show lacp internal - display description (Continued) L I 4-199 Table 4-53 show lacp neighbors - display description T Address Table Commands Table 4-54 show lacp sysid - display description Table 4-55 Address Table Commands L I 4-201 mac-address-table static T C 4-202 clear mac-address-table dynamic show mac-address-table L I 4-203 mac-address-table aging-time T Spanning Tree Commands L I 4-205 Table 4-56 Spanning Tree Commands (Continued) T C 4-206 spanning-tree L I 4-207 spanning-tree mode T C 4-208 spanning-tree forward-time L I 4-209 spanning-tree hello-time T C 4-210 spanning-tree max-age L I 4-211 spanning-tree default priority spanning-tree priority T C 4-212 spanning-tree pathcost method L I 4-213 spanning-tree transmission-limit T C 4-214 spanning-tree backup-root spanning-tree mst-configuration L I 4-215 mst vlan T C 4-216 mst priority L I 4-217 name T C 4-218 revision max-hops L I 4-219 spanning-tree spanning-disabled T C 4-220 spanning-tree cost L I 4-221 spanning-tree port-priority spanning-tree edge-port T C 4-222 spanning-tree portfast L I 4-223 spanning-tree link-type T C 4-224 spanning-tree mst cost L I 4-225 spanning-tree mst port-priority T C 4-226 spanning-tree protocol-migration L I 4-227 show spanning-tree T C 4-228 L I 4-229 show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode VLAN Commands Editing VLAN Groups vlan database L I 4-231 vlan 4-232 Configuring VLAN Interfaces L I 4-233 interface vlan 4-234 switchport mode L I 4-235 switchport acceptable-frame-types 4-236 switchport ingress-filtering L I 4-237 switchport native vlan 4-238 switchport allowed vlan L I 4-239 switchport forbidden vlan 4-240 Displaying VLAN Information show vlan L I 4-241 Example The following example shows how to display information for VLAN 1: Configuring Private VLANs 4-242 L I 4-243 private-vlan 4-244 private-vlan association L I 4-245 switchport mode private-vlan 4-246 switchport private-vlan host-association switchport private-vlan mapping L I 4-247 show vlan private-vlan GVRP GVRP and Bridge Extension Commands Table 4-62 GVRP and Bridge Extension Commands L I 4-249 bridge-ext gvrp show bridge-ext GVRP C E B 4-250 L I 4-251 garp timer GVRP C E B 4-252 Priority Commands C 4-254 Priority Commands (Layer 2) queue mode L I 4-255 queue bandwidth C 4-256 switchport priority default L I 4-257 queue cos-map C 4-258 L I 4-259 show queue mode show queue bandwidth C 4-260 show queue cos-map Priority Commands (Layer 3 and 4) L I 4-261 map ip port (Global Configuration) C 4-262 map ip port (Interface Configuration) map ip precedence (Global Configuration) L I 4-263 map ip precedence (Interface Configuration) C 4-264 map ip dscp (Global Configuration) L I 4-265 map ip dscp (Interface Configuration) C 4-266 show map ip port L I 4-267 show map ip precedence C 4-268 show map ip dscp L I Multicast Filtering Commands Table 4-69 Multicast Filtering Commands Table 4-70 IGMP Snooping Commands F C 4-270 ip igmp snooping ip igmp snooping vlan static L I 4-271 ip igmp snooping version F C 4-272 show ip igmp snooping show mac-address-table multicast L I 4-273 IGMP Query Commands (Layer 2) ip igmp snooping querier F C 4-274 ip igmp snooping query-count L I 4-275 ip igmp snooping query-interval F C 4-276 ip igmp snooping query-max-response-time L I 4-277 ip igmp snooping router-port-expire-time F C 4-278 Static Multicast Routing Commands ip igmp snooping vlan mrouter L I 4-279 show ip igmp snooping mrouter C IP Interface Commands ip address L I 4-281 C 4-282 ip default-gateway ip dhcp restart L I 4-283 show ip interface C 4-284 show ip redirects ping L I 4-285 4-286 DNS Commands L I 4-287 ip host 4-288 clear host ip domain-name L I 4-289 ip domain-list 4-290 ip name-server L I 4-291 ip domain-lookup 4-292 show hosts L I 4-293 show dns show dns cache 4-294 clear dns cache PPENDIX A-1 A S S OFTWARE PECIFICATIONS Software Features Management Features S A-3 SNMPv3 RMON Standards S A-4 Management Information Bases PPENDIX B-1 B ROUBLESHOOTING Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, web browser, or SNMP software B-2 Table B-1 Troubleshooting Chart S L B-3 Using System Logs Page G Glossary-1 LOSSARY Glossary-2 Glossary-3 Glossary-4 Glossary-5 Glossary-6 Glossary-7 Page NDEX Numerics A B C H I L M P R S T U V W