Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3324SR » Manual Viewer

D-Link DGS-3324SR Product Manual - Page 230

Access Authentication Control, TACACS, Extended TACACS XTACACS

UPC - 790069262067

Add to My Manuals
Save this manual to your list of manuals

Page 230 highlights

xStack DGS/DXS-3300 Series Layer 3 Stackable Gigabit Ethernet Switch User Manual Access Authentication Control The TACACS / XTACACS / TACACS+ / RADIUS commands allows secure access to the Switch using the TACACS / XTACACS / TACACS+ / RADIUS protocols. When a user logs in to the Switch or tries to access the administrator level privilege, he or she is prompted for a password. If TACACS / XTACACS / TACACS+ / RADIUS authentication is enabled on the Switch, it will contact a TACACS / XTACACS / TACACS+ / RADIUS server to verify the user. If the user is verified, he or she is granted access to the Switch. There are currently three versions of the TACACS security protocol, each a separate entity. The Switch's software supports the following versions of TACACS: • TACACS (Terminal Access Controller Access Control System) - Provides password checking and authentication, and notification of user actions for security purposes utilizing via one or more centralized TACACS servers, utilizing the UDP protocol for packet transmission. • Extended TACACS (XTACACS) - An extension of the TACACS protocol with the ability to provide more types of authentication requests and more types of response codes than TACACS. This protocol also uses UDP to transmit packets. • TACACS+ (Terminal Access Controller Access Control System plus) - Provides detailed access control for authentication for network devices. TACACS+ is facilitated through Authentication commands via one or more centralized servers. The TACACS+ protocol encrypts all traffic between the Switch and the TACACS+ daemon, using the TCP protocol to ensure reliable delivery In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS / XTACACS / TACACS+ / RADIUS server must be configured on a device other than the Switch, called an Authentication Server Host and it must include usernames and passwords for authentication. When the user is prompted by the Switch to enter usernames and passwords for authentication, the Switch contacts the TACACS / XTACACS / TACACS+ / RADIUS server to verify, and the server will respond with one of three messages: • The server verifies the username and password, and the user is granted normal user privileges on the Switch. • The server will not accept the username and password and the user is denied access to the Switch. • The server doesn't respond to the verification query. At this point, the Switch receives the timeout from the server and then moves to the next method of verification configured in the method list. The Switch has four built-in Authentication Server Groups, one for each of the TACACS, XTACACS, TACACS+ and RADIUS protocols. These built-in Authentication Server Groups are used to authenticate users trying to access the Switch. The users will set Authentication Server Hosts in a preferable order in the built-in Authentication Server Groups and when a user tries to gain access to the Switch, the Switch will ask the first Authentication Server Hosts for authentication. If no authentication is made, the second server host in the list will be queried, and so on. The built-in Authentication Server Groups can only have hosts that are running the specified protocol. For example, the TACACS Authentication Server Groups can only have TACACS Authentication Server Hosts. The administrator for the Switch may set up six different authentication techniques per user-defined method list (TACACS / XTACACS / TACACS+ / RADIUS / local / none) for authentication. These techniques will be listed in an order preferable, and defined by the user for normal user authentication on the Switch, and may contain up to eight authentication techniques. When a user attempts to access the Switch, the Switch will select the first technique listed for authentication. If the first technique goes through its Authentication Server Hosts and no authentication is returned, the Switch will then go to the next technique listed in the server group for authentication, until the authentication has been verified or denied, or the list is exhausted. Please note that users granted access to the Switch will be granted normal user privileges on the Switch. To gain access to administrator level privileges, the user must access the Enable Admin window and then enter a password, which was previously configured by the administrator of the Switch. NOTE: TACACS, XTACACS and TACACS+ are separate entities and are not compatible. The Switch and the server must be configured exactly the same, using the same protocol. (For example, if the Switch is set up for TACACS authentication, so must be the host server.) 215

Section	Page
Table of Contents	3
	11
Intended Readers	12
Typographical Conventions	12
Notes, Notices, and Cautions	12
Safety Instructions	13
Safety Cautions	13
General Precautions for Rack-Mountable Products	14
Protecting Against Electrostatic Discharge	15
Switch Description	16
Gigabit Combo Ports	16
Ethernet Technology	16
Fast Ethernet	16
Gigabit Ethernet Technology	16
Switching Technology	17
Switch Description	17
Features	18
Ports	19
Installing the SFP ports	20
Front-Panel Components	20
DGS-3324SR	20
DXS-3326GSR	20
DXS-3350SR	20
LED Indicators	21
Rear Panel Description	22
DGS-3324SRi	22
DGS-3324SR	22
DXS-3326GSR	22
Side Panel Description	23
DGS-3324SRi & DGS-3324SR	23
	23
DXS-3326GSR & DXS-3350SR	23
Package Contents	24
Before Connecting to the Network	24
Installing the Switch without the Rack	25
Installing the Switch in a Rack	25
Mounting the Switch in a Standard 19\	26
Power On	26
Power Failure	26
The Optional Module	26
The Media Accessory	28
External Redundant Power System	29
Switch to End Node	30
Switch to Hub or Switch	31
Connecting To Network Backbone or Server	32
Stacking and the xStack DGS/DXS-3300 Series	33
Stacking Limitations Utilizing a Ring or Star Topology	35
Token Cost * Number of Switches ≤ 32	35
Stacking In a Star Topology	37
Management Options	38
Web-based Management Interface	38
SNMP-Based Management	38
Command Line Console Interface through the Serial Port	38
Connecting the Console Port (RS-232 DCE)	38
First Time Connecting to the Switch	40
Password Protection	42
SNMP Settings	43
Traps	43
MIBs	43
IP Address Assignment	44
Connecting Devices to the Switch	45
Introduction	46
Logging on to the Web Manager	46
Web-based User Interface	48
Areas of the User Interface	48
Web Pages	49
Switch Information	51
IP Address	52
Advanced Settings	55
Box Information	57
Port Configuration	58
Port Description	60
Port Mirroring	61
Link Aggregation	62
Understanding Port Trunk Groups	62
LACP Port Setting	66
MAC Notification	67
MAC Notification Global Settings	67
MAC Notification Port Settings	68
IGMP Snooping	69
Static Router Ports	71
Spanning Tree	72
802.1s MSTP	72
802.1w Rapid Spanning Tree	72
Port Transition States	72
Edge Port	73
P2P Port	73
802.1d / 802.1w / 802.1s Compatibility	73
STP Bridge Global Settings	74
MST Configuration Table	76
MSTP Port Information	79
STP Instance Settings	80
STP Port Settings	83
Forwarding & Filtering	85
Unicast Forwarding	85
Multicast Forwarding	86
VLANs	87
Understanding IEEE 802.1p Priority	87
VLAN Description	87
Notes about VLANs in the xStack DGS/DXS-3300 Series	87
IEEE 802.1Q VLANs	88
802.1Q VLAN Tags	89
Port VLAN ID	90
Tagging and Untagging	90
Ingress Filtering	90
Default VLANs	91
Port-based VLANs	91
VLAN Segmentation	91
VLAN and Trunk Groups	92
Protocol VLANs	92
Static VLAN Entry	93
GVRP Settings	97
Traffic Control	99
Port Security	100
Port Lock Entries	101
QoS	102
The Advantages of QoS	102
Understanding QoS	103
Bandwidth Control	104
QoS Scheduling Mechanism	105
QoS Output Scheduling	106
Configuring the Combination Queue	107
802.1p Default Priority	108
802.1p User Priority	109
Traffic Segmentation	109
System Log Host	111
SNTP Settings	113
Time Settings	113
Time Zone and DST	114
Access Profile Table	116
Configuring the Access Profile Table	116
CPU Access Profile	133
CPU Access Profile Table	133
System Severity Settings	147
Port Access Entity (802.1X)	148
802.1x Port-Based and MAC-Based Access Control	148
Authentication Server	149
Authenticator	149
Client	150
Authentication Process	150
Understanding 802.1x Port-based and MAC-based Network Access Control	151
Port-Based Network Access Control	151
MAC-Based Network Access Control	152
Configure Authenticator	153
802.1X User	155
PAE System Control	156
Port Capability	156
Initializing Ports for Port Based 802.1x	157
Initializing Ports for MAC Based 802.1x	158
Reauthenticate Port(s) for Port Based 802.1x	158
Reauthenticate Port(s) for MAC-based 802.1x	159
RADIUS Server	160
Layer 3 IP Networking	161
Layer 3 Global Advanced Settings	161
IP Multinetting	162
IP Interface Setup	162
MD5 Key Table Configuration	165
Route Redistribution Settings	165
Static/Default Route Settings	167
Route Preference Settings	169
Static ARP Table	171
RIP	172
RIP Version 1 Message Format	173
RIP Command Codes	173
RIP 1 Message	173
RIP 1 Route Interpretation	173
RIP Version 2 Extensions	173
RIP2 Message Format	174
RIP Timers	174
RIP Global Settings	174
RIP Settings	175
OSPF	177
Link-State Algorithm	177
Shortest Path Algorithm	177
OSPF Cost	177
Shortest Path Tree	178
Areas and Border Routers	179
Link-State Packets	179
OSPF Authentication	180
Message Digest Authentication (MD-5)	180
Simple Password Authentication	180
Backbone and Area 0	180
Virtual Links	180
Areas Not Physically Connected to Area 0	180
Partitioning the Backbone	181
Neighbors	181
Adjacencies	181
Designated Router Election	181
Building Adjacency	181
Adjacencies on Point-to-Point Interfaces	182
OSPF Packet Formats	182
OSPF Packet Header	183
Hello Packet	184
Database Description Packet	185
Link-State Request Packet	186
Link-State Update Packet	186
Link-State Acknowledgment Packet	187
Link-State Advertisement Formats	187
Link State Advertisement Header	188
Router Links Advertisements	189
Network Links Advertisements	191
Summary Link Advertisements	192
Autonomous Systems External Link Advertisements	193
OSPF Global Settings	194
OSPF Area Setting	194
OSPF Interface Settings	196
OSPF Virtual Link Settings	198
OSPF Area Aggregation Settings	200
OSPF Host Route Settings	201
DHCP / BOOTP Relay	202
DHCP / BOOTP Relay Information	202
DHCP/BOOTP Relay Interface Settings	203
DNS Relay	204
Mapping Domain Names to Addresses	204
Domain Name Resolution	204
Configuring DNS Relay Information	204
DNS Relay Static Settings	205
VRRP	206
VRRP Global Settings	206
VRRP Virtual Router Settings	207
VRRP Authentication Settings	210
IP Multicast Routing Protocol	212
IGMP	212
IGMP Versions 1 and 2	212
IGMP Version 3	213
IGMP Interface Configuration	215
DVMRP Interface Configuration	217
DVMRP Global Settings	217
DVMRP Interface Settings	217
PIM Protocol	219
PIM-SM	219
Discovering and Joining the Multicast Group	219
Distribution Trees	219
Register and Register Suppression Messages	219
Assert Messages	220
PIM-DM Interface Configuration	220
PIM Global Settings	220
PIM Interface Settings	220
PIM Candidate BSR Settings	222
PIM Parameter Settings	223
PIM Candidate RP Global Settings	224
PIM Candidate RP Settings	224
PIM Register Checksum Settings	225
PIM Static RP Settings	226
Security IP	227
User Accounts	228
Admin and User Privileges	229
Access Authentication Control	230
Authentication Policy & Parameters	231
Application's Authentication Settings	232
Authentication Server Group	233
Authentication Server Host	234
Login Method Lists	236
Enable Method Lists	238
Configure Local Enable Password	240
Enable Admin	241
Secure Socket Layer (SSL)	242
Download Certificate	243
Configuration	244
Secure Shell (SSH)	246
SSH Server Configuration	246
SSH Authentication Mode and Algorithm Settings	248
SSH User Authentication Mode	250
	250
SNMP Settings	251
Traps	251
MIBs	251
SNMP User Table	252
SNMP View Table	254
SNMP Group Table	255
SNMP Community Table	257
SNMP Host Table	258
SNMP Engine ID	259
Port Utilization	261
CPU Utilization	262
Packets	263
Received (RX)	263
UMB Cast (RX)	265
Transmitted (TX)	267
Errors	269
Received (RX)	269
Transmitted (TX)	271
Size	273
Stacking Information	275
Module Information	277
Device Status	278
MAC Address	279
Switch History Log	281
IGMP Snooping Group	282
IGMP Snooping Forwarding	283
Browse Router Port	284
Port Access Control	285
Authenticator State	285
Authenticator Statistics	287
Authenticator Session Statistics	288
Authenticator Diagnostics	290
RADIUS Authentication	292
RADIUS Accounting	293
Layer 3 Feature	295
Browse IP Address Table	295
Browse Routing Table	296
Browse ARP Table	296
Browse IP Multicast Forwarding Table	297
Browse IGMP Group Table	298
OSPF Monitoring	300
Browse OSPF LSDB Table	300
Browse OSPF Neighbor Table	302
OSPF Virtual Neighbor	302
DVMRP Monitoring	303
Browse DVMRP Routing Table	303
Browse DVMRP Neighbor Table	304
Browse DVMRP Routing Next Hop Table	304
PIM Monitoring	305
Browse PIM Neighbor Table	305
PIM IP MRoute Table	305
Browse PIM RP Set Table	306
TFTP Services	307
Download Firmware	307
Download Configuration File	308
Download PROM	308
Upload Configuration	308
Upload Log	309
Multiple Image Services	310
Firmware Information	310
Config Firmware Image	311
CompactFlash Services	312
CF Card Information	312
Download Firmware from CF	313
Download Configuration from CF	313
Upload Firmware to CF	314
Upload Config to CF	314
Upload Log to CF	315
FS Commands	316
Format	316
Copy	316
Md/Mkdir	317
Rd/Rmdir	317
Dir	317
Rename	317
Ping Test	318
Save Changes	318
Reset	319
Reboot System	320
Logout	320
Single IP Management (SIM) Overview	321
The Upgrade to v1.6.	322
SIM Using the Web Interface	324
Topology	325
Tool Tips	327
Right Click	329
Group Icon	329
Commander Switch Icon	330
Member Switch Icon	330
Candidate Switch Icon	331
Menu Bar	333
File	333
Group	333
Device	333
View	333
Firmware Upgrade	334
Configuration File Backup/Restore	334
Upload Log File	334
Cables and Connectors	337
Cable Lengths	351
LIMITED WARRANTY	356
Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976 and any amendments thereto. Contents are subject to change without prior notice. Copyright 2004 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	359
FCC Statement: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communication. However, there is no guarantee that interference will not occur in a particular installation. Operation of this equipment in a residential environment is likely to cause harmful interference to radio or television reception. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:	359
D-Link Europe Limited Lifetime Warranty	361
Warranty beneficiary	361
Duration of Limited Lifetime Warranty	361
Replacement, Repair or Refund Procedure for Hardware	361
	362
	362
D-Link Limited Lifetime Warranty	362

Match case Limit results 1 per page

xStack DGS/DXS-3300 Series Layer 3 Stackable Gigabit Ethernet Switch User Manual

215

Access Authentication Control

The TACACS / XTACACS / TACACS+ / RADIUS commands allows secure access to the Switch using the TACACS /

XTACACS / TACACS+ / RADIUS protocols. When a user logs in to the Switch or tries to access the administrator level

privilege, he or she is prompted for a password. If TACACS / XTACACS / TACACS+ / RADIUS authentication is

enabled on the Switch, it will contact a TACACS / XTACACS / TACACS+ / RADIUS server to verify the user. If the user

is verified, he or she is granted access to the Switch.

There are currently three versions of the TACACS security protocol, each a separate entity. The Switch's software supports

the following versions of TACACS:

•

TACACS

(Terminal Access Controller Access Control System) - Provides password checking and

authentication, and notification of user actions for security purposes utilizing via one or more centralized

TACACS servers, utilizing the UDP protocol for packet transmission.

•

Extended TACACS (XTACACS)

- An extension of the TACACS protocol with the ability to provide more

types of authentication requests and more types of response codes than TACACS. This protocol also uses UDP

to transmit packets.

•

TACACS+

(Terminal Access Controller Access Control System plus

) - Provides detailed access control for

authentication for network devices. TACACS+ is facilitated through Authentication commands via one or more

centralized servers. The TACACS+ protocol encrypts all traffic between the Switch and the TACACS+ daemon,

using the TCP protocol to ensure reliable delivery

In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS /

XTACACS / TACACS+ / RADIUS server must be configured on a device other than the Switch, called an Authentication

Server Host and it must include usernames and passwords for authentication. When the user is prompted by the Switch to

enter usernames and passwords for authentication, the Switch contacts the TACACS / XTACACS / TACACS+ / RADIUS

server to verify, and the server will respond with one of three messages:

•

The server verifies the username and password, and the user is granted normal user privileges on the Switch.

•

The server will not accept the username and password and the user is denied access to the Switch.

•

The server doesn't respond to the verification query. At this point, the Switch receives the timeout from the

server and then moves to the next method of verification configured in the method list.

The Switch has four built-in

Authentication Server Groups

, one for each of the TACACS, XTACACS, TACACS+ and

RADIUS protocols. These built-in Authentication Server Groups are used to authenticate users trying to access the Switch.

The users will set

Authentication Server Hosts

in a preferable order in the built-in Authentication Server Groups and when

a user tries to gain access to the Switch, the Switch will ask the first Authentication Server Hosts for authentication. If no

authentication is made, the second server host in the list will be queried, and so on. The built-in Authentication Server

Groups can only have hosts that are running the specified protocol. For example, the TACACS Authentication Server

Groups can only have TACACS Authentication Server Hosts.

The administrator for the Switch may set up six different authentication techniques per user-defined method list (TACACS

/ XTACACS / TACACS+ / RADIUS / local / none) for authentication. These techniques will be listed in an order

preferable, and defined by the user for normal user authentication on the Switch, and may contain up to eight

authentication techniques. When a user attempts to access the Switch, the Switch will select the first technique listed for

authentication. If the first technique goes through its Authentication Server Hosts and no authentication is returned, the

Switch will then go to the next technique listed in the server group for authentication, until the authentication has been

verified or denied, or the list is exhausted.

Please note that users granted access to the Switch will be granted normal user privileges on the Switch. To gain access to

administrator level privileges, the user must access the

Enable Admin

window and then enter a password, which was

previously configured by the administrator of the Switch.

NOTE:

TACACS, XTACACS and TACACS+ are separate entities and are

not compatible. The Switch and the server must be configured exactly the

same, using the same protocol. (For example, if the Switch is set up for

TACACS authentication, so must be the host server.)