Home » D-Link Manuals » Hubs & Switches » D-Link DES-3028 » Manual Viewer

D-Link DES-3028 Product Manual - Page 212

X, 802.1X Port-Based and Host-Based Access Control, 1X

UPC - 790069305375

Add to My Manuals
Save this manual to your list of manuals

Page 212 highlights

DES-3028 DES-3028P DES-3028G DES-3052 DES-3052P Layer 2 Fast Ethernet Managed Switch 802.1X 802.1X Port-Based and Host-Based Access Control The IEEE 802.1X standard is a security measure for authorizing and authenticating users to gain access to various wired or wireless devices on a specified Local Area Network by using a Client and Server based access control model. This is accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN (EAPOL) packets between the Client and the Server. The following figure represents a basic EAPOL packet: NOTE: If the client is authenticated with 802.1X authentication it allows the user to force down the authenticated client via SNMP on R2 with the Radius command item in auth.mib(OID: 1.3.6.1.4.1.171.12.3.7) by port based or Host-based. NOTE: If the session timeout attribute on the radius server is set, the client will be off-line when the client authenticated over the timeout value has been configured on the radius server. Figure 10- 14. The EAPOL Packet Utilizing this method, unauthorized devices are restricted from connecting to a LAN through a port to which the user is connected. EAPOL packets are the only traffic that can be transmitted through the specific port until authorization is granted. The 802.1X Access Control method consists of three roles, each of which are vital to creating and maintaining a stable and working Access Control security method. Figure 10- 15. The three roles of 802.1X The following section will explain the three roles of Client, Authenticator and Authentication Server in greater detail. 198

Section	Page
Table of Contents	3
Preface	9
Intended Readers	10
Typographical Conventions	10
Bold font	10
Notes, Notices, and Cautions	10
Safety Instructions	11
Safety Cautions	11
General Precautions for Rack-Mountable Products	12
Protecting Against Electrostatic Discharge	13
DES-3028/28P/28G/52/52P Switch Description	14
Features	14
Ports	14
LED Indicators	14
Front-Panel Description	14
Rear Panel Description	14
Side Panel Description	14
Installing SFP ports	14
DES-3028/28P/28G/52/52P	14
Features	14
Ports	16
LED Indicators	17
Front-Panel Description	19
DES-3028/DES-3028P	19
DES-3052P/DES-3052	19
DES-3028G	19
Rear Panel Description	20
Side Panel Description	20
Gigabit Combo Ports	21
Installing the SFP ports	22
Package Contents	23
Before You Connect to the Network	23
Installing the Switch without the Rack	23
Rack Installation	23
Power On	23
Package Contents	23
Before You Connect to the Network	23
Installing the Switch without the Rack	24
Installing the Switch in a Rack	24
Mounting the Switch in a Standard 19\	25
Power on AC Power	25
Power Failure	25
Switch to End Node	26
Switch to Hub or Switch	26
Connecting to Network Backbone or Server	26
Switch to End Node	26
Switch to Hub or Switch	27
Management Options	28
Web-based Management Interface	28
SNMP-Based Management	28
Managing User Accounts	28
Command Line Console Interface through the Serial Port	28
Connecting the Console Port (RS-232 DCE)	28
First Time Connecting to the Switch	28
Password Protection	28
SNMP Settings	28
IP Address Assignment	28
Management Options	28
Web-based Management Interface	28
SNMP-Based Management	28
Connecting the Console Port (RS-232 DCE)	28
First Time Connecting to the Switch	30
Password Protection	30
SNMP Settings	31
Traps	32
MIBs	32
IP Address Assignment	32
Introduction	35
Login to Web manager	35
Web-Based User Interface	35
Basic Setup	35
Reboot	35
Basic Switch Setup	35
Network Management	35
Switch Utilities	35
Network Monitoring	35
IGMP Snooping Status	35
Introduction	35
Login to Web Manager	35
Web-based User Interface	36
Areas of the User Interface	36
Web Pages	38
IP Address	39
Port Configuration	39
DHCP/BOOTP Relay	39
User Accounts	39
Cable Diagnostics	39
Port Mirroring	39
System Log Settings	39
Log Settings	39
SNTP Settings	39
MAC Notification Settings	39
TFTP Services	39
Multiple Image Services	39
Ping Test	39
Safeguard Engine	39
SNMP Manager	39
PoE System	39
Single IP Settings	39
Forwarding & Filtering	39
SMTP Service	39
Device Information	40
IP Address	42
Setting the Swith’s IP Address using the Console Interface	44
Port Configuration	45
Port Settings	45
Port Description	47
Port Error Disabled	47
DHCP/BOOTP Relay	49
DHCP/BOOTP Relay Global Settings	49
The Implementation of DHCP Information Option 82 in the DES-3028/28P/28G/52/52P switches	51
DHCP/BOOTP Relay Interface Settings	52
DHCP Local Relay Settings	52
User Accounts	54
Cable Diagnostics	56
Port Mirroring	58
System Log Settings	59
Log Settings	61
SNTP Settings	62
Time Settings	62
Time Zone and DST	63
MAC Notification Settings	65
TFTP Services	66
Multiple Image Services	67
Firmware Information	67
Config Firmware Image	67
Ping Test	68
Safeguard Engine	68
SNMP Manager	71
SNMP Settings	71
Traps	71
MIBs	71
SNMP Traps Settings	72
SNMP User Table	72
SNMP View Table	74
SNMP Group Table	75
SNMP Community Table Configuration	76
SNMP Host Table	77
SNMP Engine ID	78
PoE System	79
PoE System Configuration	79
PoE Port Configuration	80
Single IP Settings	82
The Upgrade to v1.6	83
SIM Settings	83
Topology	85
Tool Tips	87
Right-Click	88
Group Icon	88
Commander Switch Icon	89
Member Switch Icon	89
Candidate Switch Icon	89
Menu Bar	90
File	90
Group	90
Device	90
View	90
Help	91
Firmware Upgrade	91
Configuration Backup/Restore	91
Upload Log	92
Forwarding & Filtering	92
Unicast Forwarding	92
Multicast Forwarding	93
Multicast Filtering Mode	95
SMTP Service	96
SMTP Server Settings	97
SMTP Service	97
VLAN	99
QinQ	99
Trunking	99
IGMP Snooping	99
MLD Snooping	99
Spanning Tree	99
Loopback Detection	99
LLDP	99
VLANs	99
Notes about VLANs on the Switch	99
IEEE 802.1Q VLANs	99
802.1Q VLAN Tags	100
Tagging and Untagging	101
Ingress Filtering	101
Default VLANs	102
VLAN Segmentation	102
Asymmetric VLANs	103
VLAN and Trunk Groups	104
Static VLAN Entry	104
GVRP Settings	106
VLAN Trunk Settings	108
QinQ	110
Trunking	112
Link Aggregation	113
LACP Port Settings	113
IGMP Snooping	115
Router Ports Settings	117
IGMP Authentication	119
Dynamic IP Multicast Learning	121
ISM VLAN Settings	122
Restrictions and Provisos	122
IP Multicast Filter Profile Settings	124
Limited Multicast Range Settings	125
Max Multicast Group Settings	127
MLD Snooping	128
MLD Control Messages	128
MLD Snooping Settings	128
MLD Snooping Router Port Settings	130
Spanning Tree	131
802.1Q MSTP	131
802.1w Rapid Spanning Tree	132
Port Transition States	132
Edge Port	133
P2P Port	133
802.1D/802.1w/802.1s Compatibility	133
STP LoopBack Prevention	133
Setting the LoopBack Timer	133
Regulations and Restrictions for the LoopBack Detection Function	133
STP Bridge Global Settings	134
STP Port Settings	137
MST Configuration Identification	139
STP Instance Settings	141
MSTP Port Information	142
Loopback Detection Settings	144
LLDP	145
LLDP Global Settings	145
Basic LLDP Port Settings	147
802.1 Extension LLDP Port Settings	148
802.3 Extension LLDP Port Settings	150
LLDP Management Address Settings	152
LLDP Statistics	153
LLDP Management Address Table	154
LLDP Local Port Table	154
LLDP Remote Port Table	156
Port Bandwidth	157
802.1p Default Priority	157
802.1p User Priority	157
CoS Scheduling Mechanism	157
CoS Output Scheduling	157
Priority Settings	157
TOS Priority Settings	157
DSCP Priority Settings	157
Port Mapping Priority Settings	157
MAC Priority	157
Understanding IEEE 802.1p Priority	157
Advantages of CoS	157
Understanding CoS	158
Port Bandwidth	160
802.1p Default Priority	161
802.1p User Priority	163
CoS Scheduling Mechanism	163
CoS Output Scheduling	164
Priority Settings	165
TOS Priority Settings	167
DSCP Priority Settings	168
Port Mapping Priority Settings	169
MAC Priority	170
Time Range	171
Access Profile Table	171
CPU Interface Filtering	171
Time Range	171
Access Profile Table	171
CPU Interface Filtering	183
CPU Interface Filtering State	183
CPU Interface Filtering Profile Table	183
Traffic Control	195
Port Security	195
Port Lock Entries	195
IP-MAC-Port Binding	195
SSL	195
SSH	195
802.1X	195
Trusted Host	195
Access Authentication Control	195
Traffic Segmentation	195
DoS Attack Prevention	195
Traffic Control	195
Port Security	199
Port Lock Entries	200
IP-MAC-Port Binding	201
IMP Global Settings	201
IMP Port Settings	201
IMP Entry Settings	203
DHCP Snooping Entries	204
MAC Block List	204
SSL	205
Download Certificate	205
Ciphersuite	205
SSH	208
SSH Server Configuration	208
SSH Authentication Mode and Algorithm Settings	209
SSH User Authentication	211
802.1X	212
802.1X Port-Based and Host-Based Access Control	212
Authentication Server	213
Authenticator	213
Client	214
Authentication Process	214
Understanding 802.1X Port-based and Host-based Access Control	214
802.1X Port-based Access Control	215
802.1X Host-based Access Control	216
RADIUS Attributes Assignment	216
Guest VLANs	217
Limitations Using the Guest VLAN	218
802.1X Authenticator Settings	219
Local Users	222
802.1X Capability Settings	223
Configure 802.1X Guest VLAN	223
Initializing Ports for Port Based 802.1X	224
Initializing Ports for Host Based 802.1X	225
Reauthenticate Port(s) for Port Based 802.1X	226
Reauthenticate Port(s) for Host-based 802.1X	227
RADIUS Server	227
Trusted Host	228
Access Authentication Control	229
Authentication Policy and Parameter Settings	230
Application Authentication Settings	230
Authentication Server Group	231
Authentication Server Host	232
Login Method Lists	235
Enable Method Lists	236
Configure Local Enable Password	239
Enable Admin	239
Traffic Segmentation	240
DoS Attack Prevention	241
Port Access Control	246
CPU Utilization	246
Port Utilization	247
Packets	248
Received (RX)	249
UMB Cast (RX)	251
Transmitted (TX)	253
Packet Errors	255
Received (RX)	255
Transmitted (TX)	257
Packet Size	259
MAC Address	261
Switch Log	263
IGMP Snooping Group	264
Browse Router Port	265
VLAN Status	265
MLD Snooping Group	265
Browse MLD Snooping Router Port	266
Static ARP Settings	267
ARP-FDB	267
Gratuitous ARP Settings	269
Session Table	270
Port Access Control	270
RADIUS Authentication	270
RADIUS Accounting	272
Reset	273
Reboot System	274
Save Changes	274
Logout	275
LED indicators	279
Detailed Description	280
Detailed Description	280
Detailed Description	280
Standard Trap List	292
Proprietary Trap List	293
Proprietary Trap List (project dependent)	293
Configuration:	305
LIMITED WARRANTY	310
Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976 and any amendments thereto. Contents are subject to change without prior notice. Copyright 2004 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	313

Match case Limit results 1 per page

DES-3028 DES-3028P DES-3028G DES-3052 DES-3052P Layer 2 Fast Ethernet Managed Switch

802.1X

802.1X Port-Based and Host-Based Access Control

The IEEE 802.1X standard is a security measure for authorizing and authenticating users to gain access to various wired or

wireless devices on a specified Local Area Network by using a Client and Server based access control model. This is

accomplished by using a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication

Protocol over LAN (EAPOL) packets between the Client and the Server.

The following figure represents a basic EAPOL packet:

NOTE:

If the client is authenticated with 802.1X authentication it allows the user to force down the

authenticated client via SNMP on R2 with the Radius command item in auth.mib(OID:

1.3.6.1.4.1.171.12.3.7) by port based or Host-based.

NOTE:

If the session timeout attribute on the radius server is set, the client will be off-line

when the client authenticated over the timeout value has been configured on the radius

server.

Figure 10- 14. The EAPOL Packet

Utilizing this method, unauthorized devices are restricted from connecting to a LAN through a port to which the user is connected.

EAPOL packets are the only traffic that can be transmitted through the specific port until authorization is granted. The 802.1X

Access Control method consists of three roles, each of which are vital to creating and maintaining a stable and working Access

Control security method.

Figure 10- 15. The three roles of 802.1X

The following section will explain the three roles of Client, Authenticator and Authentication Server in greater detail.

198