Quidway S3000 Series Operation Manual

Operation Manual - Security Quidway S3000 Series Ethernet Switches Table of Contents
Table of Contents
Chapter 1 802.1x Configuration...................................................................................................1-1
1.1 802.1x Overview................................................................................................................1-1
1.2 Configure 802.1x................................................................................................................1-3
1.3 Display and Debug 802.1x................................................................................................. 1-9
1.4 802.1x Configuration Example.........................................................................................1-10
Chapter 2 AAA and RADIUS Protocol Configuration ................................................................ 2-1
2.1 AAA and RADIUS Protocol Overview................................................................................ 2-1
2.2 Configure AAA...................................................................................................................2-3
2.3 Configure RADIUS Protocol .............................................................................................. 2-7
2.4 Display and Debug AAA and RADIUS Protocol..............................................................2-16
2.5 AAA and RADIUS Protocol Configuration Examples...................................................... 2-17
2.6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting.................................. 2-19
Chapter 3 HABP Configuration....................................................................................................3-1
3.1 HABP Overview.................................................................................................................3-1
3.2 HABP configuration ...........................................................................................................3-1
3.3 Displaying and Debugging HABP Attribute .......................................................................3-2
Chapter 1 802.1x Configuration
1.1 802.1x Overview
1.1.1 802.1x Standard Overview
IEEE 802.1x (hereinafter 802.1x) is a port based network access control protocol. IEEE issued it in 2001 and recommended that manufacturers adopt it as the standard protocol for LAN user access authentication. 802.1x originated from the IEEE 802.11 standard for wireless LAN user access, and its initial purpose was wireless LAN user access authentication. Since its principle applies to all LANs complying with the IEEE 802 standards, the protocol is now widely used in wired LANs as well.
In LANs complying with the IEEE 802 standards, a user can access devices and share resources in the LAN by connecting to a LAN access control device such as a LAN switch. However, in telecom access, commercial LANs (a typical example is the LAN of an office building), mobile office and similar settings, the LAN provider generally wants to control the user's access. This is where the requirement for the above-mentioned "Port Based Network Access Control" originates.
As the name implies, "Port Based Network Access Control" means authenticating and controlling the accessed devices at the port of the LAN access control device. If the user device connected to the port passes authentication, the user can access the resources in the LAN; otherwise the user cannot, which is equivalent to being physically disconnected.
802.1x defines a port based network access control protocol and only defines the point-to-point connection between the access device and the access port. The port can be either physical or logical. Typical application environments are a LAN switch each of whose physical ports connects to only one user workstation (based on the physical port) and the wireless LAN access environment defined by the IEEE 802.11 standard (based on the logical port).
1.1.2 802.1x System Architecture
A system using 802.1x has the typical Client/Server (C/S) architecture. It contains three entities, illustrated in the following figure: the Supplicant System, the Authenticator System and the Authentication Server System.
The LAN access control device needs to provide the Authenticator System of 802.1x. The devices at the user side, such as computers, need to have 802.1x client (Supplicant) software installed, for example the 802.1x client provided by Huawei Technologies Co., Ltd. or the one built into Microsoft Windows XP. The 802.1x Authentication Server system normally resides in the carrier's AAA center.
The Authenticator and the Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The Supplicant and the Authenticator exchange information through the EAPoL (EAP over LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame, which is in turn encapsulated in the packets of an upper-layer AAA protocol (e.g. RADIUS) so that it can traverse a complex network to reach the Authentication Server. This procedure is called EAP Relay.
The Authenticator has two types of ports: the Uncontrolled Port and the Controlled Port. The Uncontrolled Port is always in the bi-directional connected state; it is the path over which EAPoL frames are exchanged whatever the authentication state of the user. The Controlled Port enters the connected state only after the user passes authentication, and only then is the user allowed to access the network resources.
[Figure: the Supplicant System (Supplicant PAE) exchanges EAPoL frames with the Authenticator System (Authenticator PAE); the Authenticator System relays the EAP protocol exchanges to the Authentication Server System carried in a higher-layer protocol. Toward the LAN the Authenticator System exposes an Uncontrolled Port and a Controlled Port (shown in the unauthorized state); the services offered by the Authenticator System sit behind the Controlled Port.]
Figure 1-1 802.1x system architecture
1.1.3 802.1x Authentication Process
802.1x uses EAP frames to carry the authentication information. The standard defines the following frame types:
• EAP-Packet: authentication information frame, used to carry the authentication information.
• EAPoL-Start: authentication originating frame, actively originated by the Supplicant.
• EAPoL-Logoff: logoff request frame, actively terminating the authenticated state.
• EAPoL-Key: key information frame, supporting encryption of the EAP packets.
• EAPoL-Encapsulated-ASF-Alert: carries the alerting message of the Alert Standard Forum (ASF).
EAPoL-Start, EAPoL-Logoff and EAPoL-Key exist only between the Supplicant and the Authenticator. The EAP-Packet information is re-encapsulated by the Authenticator System and transmitted to the Authentication Server System. EAPoL-Encapsulated-ASF-Alert carries network management information and is terminated by the Authenticator.
From the above fundamentals we can see that 802.1x provides a framework for user identity authentication, but 802.1x by itself is not enough to implement it. The administrator of the access device must also configure the AAA scheme, selecting RADIUS or local authentication, so that 802.1x can complete the user identity authentication. For a detailed description of AAA, refer to the AAA configuration chapter.
1.1.4 Implement 802.1x on Ethernet Switch
Quidway Series Ethernet Switches not only support the port access authentication method regulated by 802.1x, but also extend and optimize it as follows:
• Several end stations can be connected downstream of one physical port.
• Access control (the user authentication method) can be based on the port or on the MAC address.
This makes the system both more secure and easier to manage.
1.2 Configure 802.1x
The configuration tasks of 802.1x itself are performed in system view of the Ethernet switch. When global 802.1x is not enabled, the user can still configure the 802.1x state of a port; the configured items take effect once global 802.1x is enabled.
Note:
1) Do not enable 802.1x and RSTP (or MSTP) simultaneously, otherwise the switch may not work normally.
2) When 802.1x is enabled on a port, the maximum number of learned MAC addresses set by the mac-address max-mac-count command cannot be configured on that port, and vice versa.
The main 802.1x configuration tasks are:
• Enable/disable 802.1x
• Set the port access control mode
• Set the port access control method
• Check the users that log on to the switch via proxy
• Set the maximum number of users on each port
• Enable DHCP to launch authentication
• Configure the authentication method for 802.1x users
• Set the maximum number of authentication request message retransmissions
• Set the 802.1x handshake period
• Configure timers
• Enable/disable the quiet-period timer
Of these, the first task is compulsory; without it 802.1x has no effect. The other tasks are optional and can be performed as required.
1.2.1 Enable/Disable 802.1x
The following commands can be used to enable/disable the 802.1x on the specified port. When no port is specified in system view, the 802.1x is enabled/disabled globally.
Perform the following configurations in system view or Ethernet port view.
Table 1-1 Enable/Disable 802.1x
Operation Command
Enable the 802.1x
dot1x [ interface interface-list ]
Disable the 802.1x
undo dot1x [ interface interface-list ]
The user can configure 802.1x on an individual port before it is enabled globally; the port configuration takes effect as soon as 802.1x is enabled globally.
By default, 802.1x authentication has not been enabled globally and on any port.
1.2.2 Set the Port Access Control Mode
The following commands can be used for setting 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured.
Perform the following configurations in system view or Ethernet port view.
Table 1-2 Set the port access control mode
Operation Command
Set the port access control mode
dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]
Restore the default access control mode of the port
undo dot1x port-control [ interface interface-list ]
By default, the 802.1x access control mode of a port is auto (automatic identification mode, also called protocol control mode). In this mode the initial state of the port is unauthorized: it only permits EAPoL packets to be received and transmitted and does not let the user access network resources. Once the authentication flow is passed, the port switches to the authorized state and permits the user to access network resources. This is the most common case. authorized-force keeps the port in the authorized state without any authentication, and unauthorized-force keeps it unauthorized regardless of what the user does, so use those two only on ports where you deliberately want to bypass or block 802.1x.
1.2.3 Set Port Access Control Method
The following commands are used for setting 802.1x access control method on the specified port. When no port is specified in system view, the access control method of port is configured globally.
Perform the following configurations in system view or Ethernet port view.
Table 1-3 Set port access control method
Operation Command
Set port access control method
dot1x port-method { macbased | portbased } [ interface interface-list ]
Restore the default port access control method
undo dot1x port-method [ interface interface-list ]
By default, 802.1x authentication method on the port is macbased. That is, authentication is performed based on MAC addresses.
1.2.4 Check the Users that Log on the Switch via Proxy
The following commands are used for checking the users that log on the switch via proxy.
Perform the following configurations in system view or Ethernet port view.
Table 1-4 Check the users that log on the switch via proxy
Operation Command
Enable the check for access users via proxy
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
Cancel the check for access users via proxy
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
By default, the proxy check for 802.1x access users is disabled. With logoff, a user detected to be accessing via a proxy is logged off; with trap, a trap is sent instead.
1.2.5 Set Supplicant Number on a Port
The following commands are used for setting number of users allowed by 802.1x on specified port. When no port is specified, all the ports accept the same number of supplicants.
Perform the following configurations in system view or Ethernet port view.
Table 1-5 Set maximum number of users via specified port
Operation Command
Set maximum number of users via specified port
dot1x max-user user-number [ interface interface-list ]
Restore the maximum number of users on the port to the default value
undo dot1x max-user [ interface interface-list ]
By default, 802.1x allows up to 256 supplicants on each port for S3000 Series Ethernet switches (except 64 for S3026).
1.2.6 Set to Enable DHCP to Launch Authentication
The following commands are used for setting whether 802.1x enables the Ethernet switch to launch the user ID authentication when the user runs DHCP and applies for dynamic IP addresses.
Perform the following configurations in system view.
Table 1-6 Set to enable DHCP to launch authentication
Operation Command
Enable DHCP to launch authentication
dot1x dhcp-launch
Disable DHCP to launch authentication
undo dot1x dhcp-launch
By default, authentication will not be launched when the user runs DHCP and applies for dynamic IP addresses.
1.2.7 Configure Authentication Method for 802.1x User
The following commands configure the authentication method for 802.1x users. Three methods are available: PAP authentication (the RADIUS server must support PAP), CHAP authentication (the RADIUS server must support CHAP) and EAP relay authentication (the switch forwards the authentication information to the RADIUS server directly as EAP packets, so the RADIUS server must support EAP authentication). With PAP or CHAP the switch terminates the EAP exchange with the Supplicant and re-authenticates the user to the RADIUS server using the ordinary PAP or CHAP attributes; with EAP relay the EAP packets are passed through unchanged and the EAP method (here MD5-Challenge) is processed by the RADIUS server itself.
Perform the following configurations in system view.
Table 1-7 Configure authentication method for 802.1x user
Operation Command
Configure authentication method for 802.1x user
dot1x authentication-method { chap | pap | eap md5-challenge }
Restore the default authentication method for 802.1x user
undo dot1x authentication-method
By default, CHAP authentication is used for 802.1x user authentication.
1.2.8 Set the Maximum Times of Authentication Request Message Retransmission
The following commands set the maximum number of times the switch retransmits an authentication request message to the supplicant.
Perform the following configurations in system view.
Table 1-8 Set the maximum times of the authentication request message retransmission
Operation Command
Set the maximum times of the authentication request message retransmission
dot1x retry max-retry-value
Restore the default maximum retransmission times
undo dot1x retry
By default, max-retry-value is 3, that is, the switch retransmits an authentication request message to a supplicant at most 3 times.
1.2.9 Set the Handshake Period of 802.1x
The following commands set the 802.1x handshake period. After handshake-period is set, the system sends a handshake packet to each online user once per period. If the dot1x retry value is configured as N and the system receives no response from a user for N consecutive handshakes, it considers the user to have logged off and sets the user to the logoff state.
Perform the following configurations in system view.
Table 1-9 Set the handshake period of 802.1x
Operation Command
Set the handshake period of 802.1x
dot1x timer handshake-period interval
Restore the handshake period to default value
undo dot1x timer handshake-period
By default, the handshake period is 15 s.
1.2.10 Configure Timers
The following commands configure the 802.1x timers. Perform the following configurations in system view.
Table 1-10 Configure timers
Operation Command
Configure timers
dot1x timer { quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
Restore default settings of the timers
undo dot1x timer { quiet-period | tx-period | supp-timeout | server-timeout }
quiet-period: the quiet timer. If an 802.1x user fails authentication, the Authenticator stays quiet for the time specified by this timer before launching authentication again. During the quiet period the Authenticator does nothing related to 802.1x authentication for that user.
quiet-period-value: duration of the quiet period, 10 to 120 seconds.
server-timeout: the timeout timer of the Authentication Server. If the Authentication Server has not responded before the timer expires, the Authenticator resends the authentication request.
server-timeout-value: duration of the Authentication Server timeout timer, 100 to 300 seconds.
supp-timeout: the authentication timeout timer of a Supplicant. If the Supplicant has not responded before the timer expires, the Authenticator resends the authentication request.
supp-timeout-value: duration of the Supplicant authentication timeout timer, 10 to 120 seconds.
tx-period: the transmission timeout timer. If the Supplicant has not responded before the timer expires, the Authenticator resends the authentication request.
tx-period-value: duration of the transmission timeout timer, 10 to 120 seconds.
By default, quiet-period-value is 60 s, tx-period-value is 30 s, supp-timeout-value is 30 s and server-timeout-value is 100 s.
1.2.11 Enable/Disable quiet-period Timer
You can use the following commands to enable/disable a quiet-period timer of an Authenticator (which can be a Quidway Series Ethernet Switch). If an 802.1x user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by dot1x timer quiet-period command) before launching the authentication again. During the quiet period, the Authenticator does not do anything related to 802.1x authentication.
Perform the following configuration in system view.
Table 1-11 Enable/Disable a quiet-period timer
Operation Command
Enable a quiet-period timer
dot1x quiet-period
Disable a quiet-period timer
undo dot1x quiet-period
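The following is an added configuration walk-through; it is not part of the manual. It strings the tasks of section 1.2 together on a switch whose user workstations sit on Ethernet 0/1 to Ethernet 0/4 and whose uplink is Ethernet 0/24, using only the dot1x commands listed above. The prompts, the system-view command, the hostname Quidway, the port numbering and the "Ethernet 0/1 to Ethernet 0/4" interface-list form are assumed standard Quidway CLI conventions rather than anything this chapter states; check them against your release. The EAP relay method assumes a RADIUS server that supports EAP, as section 1.2.7 requires.

```text
# Added example (not from the manual): 802.1x on the four user-facing ports,
# composed from the section 1.2 commands. Assumed: hostname "Quidway",
# prompts <...> (user view) and [...] (system view), the system-view command,
# and the interface-list syntax "Ethernet 0/1 to Ethernet 0/4".
# Ethernet 0/24 is the uplink and is deliberately left out of every list.

<Quidway> system-view

# Compulsory step: enable 802.1x globally. Per note 1 above, do not do this
# while RSTP or MSTP is enabled on the switch.
[Quidway] dot1x

# Enable 802.1x on the access ports only. Per note 2, mac-address
# max-mac-count cannot be configured on these ports while 802.1x is on.
[Quidway] dot1x interface Ethernet 0/1 to Ethernet 0/4

# auto is the default; stated explicitly so nobody inherits authorized-force
# from an earlier configuration. The port stays unauthorized (EAPoL only)
# until the EAP exchange succeeds.
[Quidway] dot1x port-control auto interface Ethernet 0/1 to Ethernet 0/4

# Authenticate each MAC address rather than the whole port, so one
# authenticated station does not open the port for everything behind it.
[Quidway] dot1x port-method macbased interface Ethernet 0/1 to Ethernet 0/4

# One workstation per port in this topology; the default allows 256.
[Quidway] dot1x max-user 1 interface Ethernet 0/1 to Ethernet 0/4

# Log off users detected to be reaching the port through a proxy.
[Quidway] dot1x supp-proxy-check logoff interface Ethernet 0/1 to Ethernet 0/4

# Relay EAP (MD5-Challenge) to the RADIUS server instead of terminating it
# on the switch. The default is chap, which the switch terminates itself.
[Quidway] dot1x authentication-method eap md5-challenge

# Let a DHCP request from the workstation trigger authentication.
[Quidway] dot1x dhcp-launch

# Handshake: with retry 3 and a 15 s period (both defaults, set explicitly),
# a station that stops answering is logged off after 3 missed handshakes,
# i.e. about 45 s.
[Quidway] dot1x retry 3
[Quidway] dot1x timer handshake-period 15

# Longest quiet period the range allows (10-120 s): after a failed attempt
# the Authenticator ignores that user for 120 s, which slows down repeated
# password guessing. Make sure the quiet timer itself is enabled.
[Quidway] dot1x timer quiet-period 120
[Quidway] dot1x quiet-period

# Verify what took effect (global enable, port state, method, timers).
[Quidway] display dot1x interface Ethernet 0/1
```

The ordering matters only for the first step: the per-port settings can be entered before the global dot1x command, but they do nothing until it is given.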
1.3 Display and Debug 802.1x
After the above configuration, execute the display command in any view to show the running 802.1x configuration and verify the effect of the configuration. Execute the reset command in user view to clear the 802.1x statistics. Execute the debugging command in user view to debug the 802.1x module.
Table 1-12 Display and debug 802.1x
Operation Command
Display the configuration, running and statistics information of 802.1x
display dot1x [ sessions | statistics ] [ interface interface-list ]
Reset the 802.1x statistics information
reset dot1x statistics [ interface interface-list ]
Enable the error/event/packet/all debugging of 802.1x
debugging dot1x { error | event | packet | all }
Disable the error/event/packet/all debugging of 802.1x
undo debugging dot1x { error | event | packet | all }
1.4 802.1x Configuration Example
I. Networking requirements
As shown in the following figure, the workstation of a user is connected to port Ethernet 0/1 of the switch.
The switch administrator will enable 802.1x on all the ports to authenticate the supplicants and so control their access to the Internet. The port access control method is MAC address based (dot1x port-method macbased).
All the supplicants belong to the default domain huawei163.net, which can contain up to 30 users. RADIUS authentication is performed first; if there is no response from the RADIUS server, local authentication is performed. For accounting, if the RADIUS server fails to account, the user is disconnected. When the user accesses the network, the domain name is not sent with the user name. If the user's traffic stays below 2 kbps for 20 minutes, the user is disconnected.
A server group of two RADIUS servers, at 10.11.1.1 and 10.11.1.2, is connected to the switch. The former acts as the primary authentication/secondary accounting server; the latter acts as the secondary authentication/primary accounting server. Set the key to "name" for packets exchanged with the authentication RADIUS server and to "money" for packets exchanged with the accounting RADIUS server. Configure the system to retransmit a packet to the RADIUS server if no response is received within 5 seconds, and to retransmit at most 5 times in all. Configure the system to send a real-time accounting packet to the RADIUS server every 15 minutes, and to send the user name to the RADIUS server with the domain name removed.
The local 802.1x access user has the user name localuser and the password localpass (entered in plain text). The idle-cut function is enabled.