Quidway S3000 series User manual

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 802.1x Configuration...................................................................................................1-1

1.1 802.1x Overview................................................................................................................1-1

1.1.1 802.1x Standard Overview......................................................................................1-1

1.1.2 802.1x System Architecture....................................................................................1-1

1.1.3 802.1x Authentication Process................................................................................1-2

1.1.4 Implement 802.1x on Ethernet Switch ....................................................................1-3

1.2 Configure 802.1x................................................................................................................1-3

1.2.1 Enable/Disable 802.1x ............................................................................................1-4

1.2.2 Set the Port Access Control Mode..........................................................................1-4

1.2.3 Set Port Access Control Method.............................................................................1-5

1.2.4 Check the Users that Log on the Switch via Proxy.................................................1-5

1.2.5 Set Supplicant Number on a Port............................................................................1-6

1.2.6 Set to Enable DHCP to Launch Authentication.......................................................1-6

1.2.7 Configure Authentication Method for 802.1x User..................................................1-7

1.2.8 Set the Maximum times of authentication request message retransmission..........1-7

1.2.9 Set the handshake period of 802.1x .......................................................................1-8

1.2.10 Configure Timers...................................................................................................1-8

1.2.11 Enable/Disable quiet-period Timer........................................................................1-9

1.3 Display and Debug 802.1x.................................................................................................1-9

1.4 802.1x Configuration Example.........................................................................................1-10

Chapter 2 AAA and RADIUS Protocol Configuration ................................................................2-1

2.1 AAA and RADIUS Protocol Overview................................................................................ 2-1

2.1.1 AAA Overview.........................................................................................................2-1

2.1.2 RADIUS Protocol Overview ....................................................................................2-1

2.1.3 Implement AAA/RADIUS on Ethernet Switch.........................................................2-2

2.2 Configure AAA...................................................................................................................2-3

2.2.1 Create/Delete ISP Domain......................................................................................2-3

2.2.2 Configure Relevant Attributes of ISP Domain.........................................................2-4

2.2.3 Create a Local User ................................................................................................ 2-5

2.2.4 Set Attributes of Local User ....................................................................................2-5

2.2.5 Disconnect a User by Force....................................................................................2-6

2.3 Configure RADIUS Protocol ..............................................................................................2-7

2.3.1 Create/Delete a RADIUS server Group..................................................................2-8

2.3.2 Set IP Address and Port Number of RADIUS Server .............................................2-8

2.3.3 Set RADIUS Packet Encryption Key.......................................................................2-9

2.3.4 Set Response Timeout Timer of RADIUS Server.................................................2-10

2.3.5 Set Retransmission Times of RADIUS Request Packet.......................................2-10

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Table of Contents

2.3.6 Set a Real-time Accounting Interval......................................................................2-11

2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded2-12

2.3.8 Enable/Disable Stopping Accounting Request Buffer...........................................2-12

2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request ..........2-13

2.3.10 Set the Supported Type of RADIUS Server........................................................2-14

2.3.11 Set RADIUS Server State ...................................................................................2-14

2.3.12 Set Username Format Transmitted to RADIUS Server ...................................... 2-15

2.3.13 Set the Unit of Data Flow that Transmitted to RADIUS Server...........................2-15

2.3.14 Configure Local RADIUS Server Group.............................................................. 2-16

2.4 Display and Debug AAA and RADIUS Protocol..............................................................2-16

2.5 AAA and RADIUS Protocol Configuration Examples ......................................................2-17

2.5.1 Configuring FTP/Telnet User Authentication at Remote RADIUS Server ............2-17

2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server ................ 2-19

2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting.................................. 2-19

Chapter 3 HABP Configuration....................................................................................................3-1

3.1 HABP Overview.................................................................................................................3-1

3.2 HABP configuration ...........................................................................................................3-1

3.2.1 Configuring HABP Server .......................................................................................3-1

3.2.2 Configuring HABP Client.........................................................................................3-2

3.3 Displaying and Debugging HABP Attribute .......................................................................3-2

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration

1-1

Chapter 1 802.1x Configuration

1.1 802.1x Overview

1.1.1 802.1x Standard Overview

IEEE 802.1x (hereinafter simplified as 802.1x) is a Port Based Network Access Control

protocol. IEEE issued it in 2001 and suggested the related manufacturers should use

the protocol as the standard protocol for LAN user access authentication. The 802.1x

originated from the IEEE 802.11 standard, which is the standard for wireless LAN user

access. The initial purpose of 802.1x was to implement the wireless LAN user access

authentication. Since its principle is commonly applicable to all the LANs complying

with the IEEE 802 standards, the protocol finds wide application in wired LANs.

In the LANs complying with the IEEE 802 standards, the user can access the devices

and share the resources in the LAN through connecting the LAN access control device

like the LAN Switch. However, in telecom access, commercial LAN (a typical example

is the LAN in the office building) and mobile office etc., the LAN providers generally

hope to control the user’s access. In these cases, the requirement on the

above-mentioned “Port Based NetworkAccess Control” originates.

As the name implies, “Port Based NetworkAccess Control” means to authenticate and

control all the accessed devices on the port of LAN access control device. If the user’s

device connected to the port can pass the authentication, the user can access the

resources in the LAN. Otherwise, the user cannot access the resources in the LAN. It

equals that the user is physically disconnected.

802.1x defines port based network access control protocol and only defines the

point-to-point connection between the access device and the access port. The port can

be either physical or logical. The typical application environment is as follows: Each

physical port of the LAN Switch only connects to one user workstation (based on the

physical port) and the wireless LAN access environment defined by the IEEE 802.11

standard (based on the logical port), etc.

1.1.2 802.1x System Architecture

The system using the 802.1x is the typical C/S (Client/Server) system architecture. It

contains three entities, which are illustrated in the following figure: Supplicant System,

Authenticator System and Authentication Sever System.

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration

1-2

The LAN access control device needs to provide the Authenticator System of 802.1x.

The devices at the user side such as the computersneed to be installed with the 802.1x

client Supplicant software, for example, the 802.1x client provided by Huawei

Technologies Co., Ltd. (or by Microsoft Windows XP). The 802.1xAuthentication Sever

system normally stays in the carrier’sAAA center.

Authenticator and Authentication Severexchange information through EAP (Extensible

Authentication Protocol) frames. The Supplicant and the Authenticator exchange

information through the EAPoL (Extensible Authentication Protocol over LANs) frame

defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame, which

is to be encapsulated in the packets of other AAAupper layer protocols (e.g. RADIUS)

so as to go through the complicated network to reach the Authentication Server. Such

procedure is called EAP Relay.

There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the

other is the Controlled Port. The Uncontrolled Port is always in bi-directional connection

state. The user can access and share the network resources any time through the ports.

The Controlled Port will be in connecting state only after the user passes the

authentication. Then the user is allowed to access the network resources.

Supplicant Authenticator

PAE

Authenticator

Server

Supplicant

System

Authenticator System Authenticator

Server

System

EAP protocol

exchanges

carried in

higher layer

protocol

EAPoL

Controlled

Port

unauthorized

LAN

Uncontrolled

Port

Services

offered

Authenticators

System

Figure 1-1 802.1x system architecture

1.1.3 802.1x Authentication Process

802.1x configures EAP frame to carry the authentication information. The Standard

defines the following types of EAP frames:

zEAP-Packet: Authentication information frame, used to carry the authentication

information.

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration

1-3

zEAPoL-Start: Authentication originating frame, actively originated by the

Supplicant.

zEAPoL-Logoff: Logoff request frame, actively terminating the authenticated state.

zEAPoL-Key: Key information frame, supporting to encrypt the EAP packets.

zEAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of Alert Standard

Forum (ASF).

The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplicant

and the Authenticator. The EAP-Packet information is re-encapsulated by the

Authenticator System and then transmitted to the Authentication Server System. The

EAPoL-Encapsulated-ASF-Alert is related to the network management information and

terminated by the Authenticator.

From the above fundamentals we can see that 802.1x provides an implementation

solution of user ID authentication. However, 802.1x itself is not enough to implement

the scheme. The administrator of the access device should configure the AAA scheme

by selecting RADIUS or local authentication so as to assist 802.1x to implement the

user ID authentication. For detailed description ofAAA, refer to the corresponding AAA

configuration.

1.1.4 Implement 802.1x on Ethernet Switch

Quidway Series Ethernet Switches not only support the port access authentication

method regulated by 802.1x, but also extend and optimize it in the following way:

zSupport to connect several End Stations in the downstream via a physical port.

zThe access control (or the user authentication method) can be based on port or

MAC address.

In this way, the system becomes much securer and easier to manage.

1.2 Configure 802.1x

The configuration tasks of 802.1x itself can be fulfilled in system view of the Ethernet

switch. When the global 802.1x is not enabled, the user can configure the 802.1x state

of the port. The configured items will take effect after the global 802.1x is enabled.

Note:

1) Do not enable 802.1x and RSTP( or MSTP) simultaneously, otherwise switch may not work normally.

2) When 802.1x is enabled on a port, the max number of MAC address learning which is configured by the

command mac-address max-mac-count cannot be configured on the port, and vice versa.

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration

1-4

The Main 802.1x configuration includes:

zEnable/Disable 802.1x

zSet the port access control mode

zSet port access control method

zCheck the users that log on the switch via proxy

zSet maximum number of users via each port

zSet to enable DHCP to launch authentication

zconfigure authentication method for 802.1x user

zSet the Maximum times of authentication request message retransmission

zSet the handshake period of 802.1x

zConfigure timers

zEnable/Disable quiet-period Timer

Among the above tasks, the first one is compulsory, otherwise 802.1x will not take any

effect. The other tasks are optional. You can perform the configurations at

requirements.

1.2.1 Enable/Disable 802.1x

The following commands can be used to enable/disable the 802.1x on the specified

port. When no port is specified in system view, the 802.1x is enabled/disabled globally.

Perform the following configurations in system view or Ethernet port view.

Table 1-1 Enable/Disable 802.1x

Operation Command

Enable the 802.1x dot1x [ interface interface-list ]

Disable the 802.1x undo dot1x [ interface interface-list ]

User can configure 802.1x on individual port, but it is not enabled yet. The configuration

will take effect right after 802.1x is enabled globally.

By default, 802.1x authentication has not been enabled globally and on any port.

1.2.2 Set the Port Access Control Mode.

The following commands can be used for setting 802.1x access control mode on the

specified port. When no port is specified, the access control mode of all ports is

configured.

Perform the following configurations in system view or Ethernet port view.

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration

1-5

Table 1-2 Set the port access control mode.

Operation Command

Set the port access control mode. dot1x port-control { authorized- force |

unauthorized-force | auto } [ interface interface-list ]

Restore the default access control mode

of the port. undo dot1x port-control [ interface interface-list ]

By default, the mode of 802.1x performing access control on the port is auto (automatic

identification mode, which is also called protocol control mode). That is, the initial state

of the port is unauthorized. It only permits EAPoL packets receiving/transmitting and

does not permit the user to access the network resources. If the authentication flow is

passed, the port will be switched to the authorized state and permit the user to access

the network resources. This is the most common case.

1.2.3 Set Port Access Control Method

The following commands are used for setting 802.1x access control method on the

specified port. When no port is specified in system view, the access control method of

port is configured globally.

Perform the following configurations in system view or Ethernet port view.

Table 1-3 Set port access control method

Operation Command

Set port access control method dot1x port-method { macbased | portbased }

[ interface interface-list ]

Restore the default port access control

method undo dot1x port-method [ interface interface-list ]

By default, 802.1x authentication method on the port is macbased. That is,

authentication is performed based on MAC addresses.

1.2.4 Check the Users that Log on the Switch via Proxy

The following commands are used for checking the users that log on the switch via

proxy.

Perform the following configurations in system view or Ethernet port view.

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration

1-6

Table 1-4 Check the users that log on the switch via proxy

Operation Command

Enable the check for access users via

proxy

dot1x supp-proxy-check { logoff | trap } [ interface

interface-list ]

Cancel the check for access users via

proxy

undo dot1x supp-proxy-check { logoff | trap }

[ interface interface-list ]

By default, cancel the control method set for access 802.1x users via proxy.

1.2.5 Set Supplicant Number on a Port

The following commands are used for setting number of users allowed by 802.1x on

specified port. When no port is specified, all the ports accept the same number of

supplicants.

Perform the following configurations in system view or Ethernet port view.

Table 1-5 Set maximum number of users via specified port

Operation Command

Set maximum number of users via

specified port dot1x max-user user-number [ interface interface-list ]

Restore the maximum number of

users on the port to the default value undo dot1x max-user [ interface interface-list ]

By default, 802.1x allows up to 256 supplicants on each port for S3000 Series Ethernet

switches (except 64 for S3026).

1.2.6 Set to Enable DHCP to Launch Authentication

The following commands are used for setting whether 802.1x enables the Ethernet

switch to launch the user ID authentication when the user runs DHCP and applies for

dynamic IP addresses.

Perform the following configurations in system view.

Table 1-6 Set to enable DHCP to launch authentication

Operation Command

Enable DHCP to launch authentication dot1x dhcp-launch

Disable DHCP to launch authentication undo dot1x dhcp-launch

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration

1-7

By default, authentication will not be launched when the user runs DHCP and applies

for dynamic IP addresses.

1.2.7 Configure Authentication Method for 802.1x User

The following commands can be used to configure the authentication method for

802.1x user. Three kinds of methods are available: PAP authentication (RADIUS server

must support PAP authentication), CHAP authentication (RADIUS server must support

CHAP authentication), EAP relay authentication (switch send authentication

information to RADIUS server in the form of EAP packets directly and RADIUS server

must support EAP authentication).

Perform the following configurations in system view.

Table 1-7 Configure authentication method for 802.1x user

Operation Command

Configure authentication method for

802.1x user

dot1x authentication-method {chap |pap |eap

md5-challenge}

Restore the default authentication

method for 802.1x user undo dot1x authentication-method

By default, CHAP authentication is used for 802.1x user authentication.

1.2.8 Set the Maximum times of authentication request message

retransmission

The following commands are used for setting the maximum retransmission times of the

authentication request message that the switch sends to the supplicant.

Perform the following configurations in system view.

Table 1-8 Set the maximum times of the authentication request message retransmission

Operation Command

Set the maximum times of the authentication request

message retransmission dot1x retry max-retry-value

Restore the default maximum retransmission times undo dot1x retry

By default, the max-retry-value is 3. That is, the switch can retransmit the

authentication request message to a supplicant for 3 times at most.

Operation Manual - Security

Quidway S3000 Series Ethernet Switches Chapter 1 802.1x Configuration

1-8

1.2.9 Set the handshake period of 802.1x

The following commands are used to set the handshake period of 802.1x. After setting

handshake-period, system will send the handshake packet by the period. Suppose the

dot1x retry time is configured as N, the system will consider the user having logged off

and set the user as logoff state if system doesn’t receive the response of user for

consecutive N times.

Perform the following configurations in system view.

Table 1-9 Set the handshake period of 802.1x

Operation Command

Set the handshake period of 802.1x dot1x timer handshake-period interval

Restore the handshake period to default value undo dot1x timer handshake-period

By default, handshake period is 15s.

1.2.10 Configure Timers

The following commands are used for configuring the 802.1x timers.

Perform the following configurations in system view.

Table 1-10 Configure timers

Operation Command

Configure timers

dot1x timer { quiet-period quiet-period-value | tx-period

tx-period-value | supp-timeout supp-timeout-value |

server-timeout server-timeout-value }

Restore default settings of the

timers

undo dot1x timer { quiet-period | tx-period | supp-timeout |

server-timeout }

quiet-period: Specify the quiet timer. If an 802.1x user has not passed the

authentication, the Authenticator will keep quiet for a while (which is specified by

quiet-period timer) before launching the authentication again. During the quiet period,

the Authenticator does not do anything related to 802.1x authentication.

quiet-period-value: Specify how long the quiet period is. The value ranges from 10 to

120 in units of second.

server-timeout: Specify the timeout timer of an Authentication Server. If an

Authentication Server has not responded before the specified period expires, the

Authenticator will resend the authentication request.

Table of contents

Other Quidway Switch manuals

Quidway

Quidway S5012G User manual

Quidway

Quidway S5012G-DC User manual

Quidway

Quidway V100R006C00 User manual

Quidway

Quidway S3500-EA Series User manual

Popular Switch manuals by other brands

SMC Networks

SMC Networks SMC6224M Technical specifications

Aeotec

Aeotec ZWA003-S operating manual

TRENDnet

TRENDnet TK-209i Quick installation guide

Planet

Planet FGSW-2022VHP user manual

Avocent

Avocent AutoView 2000 AV2000BC AV2000BC Installer/user guide

Moxa Technologies

Moxa Technologies PT-7728 Series user manual

Intos Electronic

Intos Electronic inLine 35392I operating instructions

Cisco

Cisco Catalyst 3560-X-24T Technical specifications

Asante

Asante IntraCore IC3648 Specifications

Siemens

Siemens SIRIUS 3SE7310-1AE Series Original operating instructions

Edge-Core

Edge-Core DCS520 quick start guide

RGBLE

RGBLE S00203 user manual

Thrustmaster

Thrustmaster FLIGHT SIMULATOR X quick guide

Southwire

Southwire SURGE GUARD 41390 RVC troubleshooting guide

Buhler

Buhler Nivotemp NT 61 Brief instructions

Kramer

Kramer VS-41HDCP user manual

Techly

Techly IDATA AU-270 user manual

Belkin

Belkin F1U109 user manual

Quidway S3000 Series User manual

Popular Switch manuals by other brands