Home » Cisco Manuals » Hubs & Switches » Cisco WS-C4003 » Manual Viewer

Cisco WS-C4003 Software Guide - Page 361

Understanding How 802.1x Authentication Works

Add to My Manuals
Save this manual to your list of manuals

Page 361 highlights

Chapter 27 Configuring Switch Access Using AAA Understanding How Authentication Works Note A non-Kerberized login can be performed through a modem or terminal server through the in-band management port. Telnet does not support non-Kerberized login. If a non-Kerberized login is launched, the following process takes place: 1. The switch prompts you for a username and password. 2. The switch requests a TGT from the KDC so that you can be authenticated to the switch. 3. The KDC sends an encrypted TGT to the switch, which contains your identity, KDC's identity, and TGT's expiration time. 4. The switch tries to decrypt the TGT with the password that you entered. If the decryption is successful, you are authenticated to the switch. 5. If you want to access other network services, the KDC must be contacted directly for authentication. To obtain the TGT, you can run the program "kinit," the client software provided with the Kerberos package. Figure 27-2 illustrates the non-Kerberized login process. Figure 27-2 Non-Kerberized Telnet Connection Host (Telnet client) Kerberos server (contains KDC) 1 2 3 55510 Catalyst switch Understanding How 802.1x Authentication Works IEEE 802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a local area network (LAN) through publicly accessible ports. 802.1x authenticates each user device connected to a switch port before making available any services offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port. 802.1x controls network access by the creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is always open. The controlled port is open only when the device connected to the port has been authorized by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass. 78-12647-02 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 27-7

Section	Page
Software Configuration Guide	1
contents	3
Preface	23
Audience	23
Organization	23
Related Documentation	25
Conventions	26
Obtaining Documentation	27
World Wide Web	27
Documentation CD-ROM	27
Ordering Documentation	27
Documentation Feedback	28
Obtaining Technical Assistance	28
Cisco.com	28
Technical Assistance Center	28
Getting Started	31
Product Overview	33
Catalyst 4000 Family Switches	33
Catalyst 2948G Switch	34
Catalyst 2980G Switch	34
Supervisor Engine Software	35
Using the Command-Line Interface	37
Overview of the Switch CLI	37
Accessing the Switch CLI	38
Accessing the CLI through the Console Port	38
Accessing the CLI Through Telnet	38
Switch CLI Command Modes	39
Accessing Help	40
Command-Line Editing	41
History Substitution	41
Abbreviating a Command	42
Completing a Partial Command	42
Scrolling Down a Line or a Screen	43
Using Command Aliases	43
Specifying Modules, Ports, and VLANs	43
Specifying MAC Addresses	44
Specifying IP Addresses, Host Names, and IP Aliases	44
ROM Monitor Command-Line Interface	45
Catalyst4003 Bootup Display Example	45
Configuring the Switch IP Address and Default Gateway	47
Understanding the Switch Management Interfaces	47
Understanding Automatic IP Configuration	48
Automatic IP Configuration Overview	48
Understanding How DHCP Works	49
Understanding How RARP Works	50
Preparing to Configure the IP Address and Default Gateway	50
Default IP Address and Default Gateway Configuration	51
Setting the In-Band (sc0) Interface IP Address	51
Setting the Management Ethernet (me1) Interface IP Address	52
Configuring Default Gateways	53
Configuring the SLIP (sl0) Interface on the Console Port	54
Using DHCP or RARP to Obtain an IP Address Configuration	56
Renewing and Releasing a DHCP-Assigned IP Address	57
Configuring Ethernet Switching	59
Configuring Ethernet and Fast Ethernet Switching	61
Understanding How Ethernet Works	61
Ethernet Overview	61
Switching Frames Between Segments	62
Building the Address Table	62
Default Ethernet and Fast Ethernet Configuration	62
Configuring Ethernet and Fast Ethernet Ports	63
Setting the Port Name	63
Setting the Port Priority Level	64
Setting the Port Speed	64
Setting the Port Duplex Mode	65
Configuring a Timeout Period for Ports in errdisable State	66
Checking Connectivity	67
Configuring Gigabit Ethernet Switching	69
Understanding How Gigabit Ethernet Works	69
Understanding How Gigabit Ethernet Flow Control Works	69
Understanding How Port Negotiation Works	71
Understanding How Oversubscribed Gigabit Ethernet Works	71
Default Gigabit Ethernet Configuration	74
Configuring Gigabit Ethernet	74
Setting the Port Name	75
Setting the Port Priority Level	75
Configuring Flow Control on Gigabit Ethernet Ports	76
Configuring Port Negotiation on Gigabit Ethernet Ports	76
Configuring a Timeout Period for Ports in errdisable State	77
Checking Connectivity	77
Configuring Fast EtherChannel and Gigabit EtherChannel	79
Understanding How EtherChannel Works	79
EtherChannel Overview	80
Understanding Administrative Groups and EtherChannel IDs	80
Understanding the Port Aggregation Protocol	80
Understanding Frame Distribution	81
Default EtherChannel Configuration	82
Hardware Support for EtherChannel	82
EtherChannel Configuration Guidelines and Restrictions	82
Configuring EtherChannel	83
Creating an EtherChannel	83
Defining an EtherChannel Administrative Group	84
Setting the EtherChannel Spanning Tree Port Cost	85
Setting the EtherChannel Spanning Tree Port VLAN Cost	85
Removing an EtherChannel Bundle	86
Displaying EtherChannel Configuration Information	87
Displaying EtherChannel Traffic Statistics	88
Displaying EtherChannel PAgP Statistics	89
EtherChannel Configuration Examples	89
Four-Port Fast EtherChannel Configuration Example	89
Two-Port Gigabit EtherChannel Configuration Example	91
Spanning Tree	95
Configuring Spanning Tree	97
How Spanning Tree Protocols Work	97
How a Topology Is Created	98
How a Switch or Port Becomes the Root Switch or Root Port	99
How Bridge Protocol Data Units Work	99
Calculating and Assigning Port Costs	100
Spanning Tree Port States	101
Understanding PVST+ and MISTP Modes	107
PVST+ Mode	108
MISTP Mode	108
MISTP-PVST+ Mode	108
Bridge Identifiers	109
MAC Address Allocation	109
MAC Address Reduction	109
Using PVST+	109
Default PVST+ Configuration	110
Configuring PVST+ Bridge ID Priority	110
Configuring PVST+ Port Cost	112
Configuring PVST+ Port Priority	112
Configuring PVST+ Default Port Cost Mode	113
Configuring PVST+ Port VLAN Cost	113
Configuring PVST+ Port VLAN Priority	114
Disabling the PVST+ Mode on a VLAN	115
Using MISTP-PVST+ or MISTP	115
Default MISTP Configuration	116
Enabling MISTP-PVST+ or MISTP	116
Configuring a MISTP Instance	118
Enabling a MISTP Instance	121
Mapping VLANs to a MISTP Instance	122
Disabling MISTP-PVST+ or MISTP	123
Configuring a Root Switch	124
Configuring a Primary Root Switch	124
Configuring a Secondary Root Switch	125
Configuring a Root Switch to Improve Convergence	126
Using Root Guard—Preventing Switches from Becoming Root	127
Configuring Spanning Tree Timers	127
Configuring Hello Time	128
Configuring Forward Delay Time	128
Configuring Maximum Aging Time	129
Understanding How BPDU Skewing Works	130
Configuring Spanning Tree BPDU Skewing	130
Configuring Spanning Tree PortFast, UplinkFast, and BackboneFast, and Loop Guard	133
Understanding How PortFast Works	133
Configuring PortFast	134
Enabling Spanning Tree PortFast	134
Disabling Spanning Tree PortFast	135
Understanding How PortFast BPDU Guard Works	135
Configuring PortFast BPDU Guard	135
Enabling PortFast BPDU Guard	136
Disabling PortFast BPDU Guard	137
Understanding How PortFast BPDU Filtering Works	138
Configuring PortFast BPDU Filtering	138
Enabling PortFast BPDU Filtering	138
Disabling PortFast BPDU Filtering	139
Understanding How UplinkFast Works	140
Configuring UplinkFast	141
Enabling UplinkFast	141
Disabling UplinkFast	142
Understanding How BackboneFast Works	143
Configuring BackboneFast	145
Enabling BackboneFast	145
Displaying BackboneFast Statistics	146
Disabling BackboneFast	146
Understanding How Loop Guard Works	147
Configuring Loop Guard	149
Enabling Loop Guard	149
Disabling Loop Guard	149
Configuring VLANs and VLANTrunks	151
Configuring VTP	153
Understanding How VTP Works	153
VTP Domain	154
VTP Modes	154
VTP Advertisements	154
VTP Version 2	155
VTP Pruning	155
Default VTP Configuration	157
VTP Configuration Guidelines	157
Configuring VTP	157
Configuring a VTP Server	158
Configuring a VTP Client	158
Disabling VTP (VTP Transparent Mode)	159
Enabling VTP Version 2	159
Disabling VTP Version 2	160
Configuring VTP Pruning	161
Disabling VTP Pruning	162
Monitoring VTP	162
Configuring VLANs	163
Understanding How VLANs Work	163
VLAN Default Configuration	165
VLAN Configuration Guidelines	165
Configuring VLANs	165
Creating or Modifying an Ethernet VLAN	166
Assigning Switch Ports to a VLAN	166
Mapping 802.1Q VLANs to ISL VLANs	167
Clearing 802.1Q-to-ISL VLAN Mappings	168
Deleting a VLAN	169
Configuring Private VLANs	169
Understanding How Private VLANs Work	169
Private VLAN Configuration Guidelines	171
Creating a Private VLAN	172
Viewing the Port Capability of a Private VLAN Port	175
Deleting a Private VLAN	175
Deleting an Isolated or Community VLAN	176
Deleting a Private VLAN Mapping	176
Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports	177
Understanding How VLAN Trunks Work	177
Trunking Overview	177
Trunking Modes and Encapsulation Types	178
Trunking Support	180
802.1Q Trunk Restrictions	180
Default Trunk Configuration	181
Configuring a Trunk Link	181
Configuring an 802.1Q Trunk	181
Defining the Allowed VLANs on a Trunk	182
Disabling a Trunk Port	183
Example VLAN Trunk Configurations	183
802.1Q Trunk over Gigabit EtherChannel Link Example	184
Load-Sharing VLAN Traffic over Parallel Trunks Example	187
802.1Q Nonegotiate Trunk Configuration Example	194
Disabling VLAN 1 on a Trunk Link	197
Configuring Dynamic Port VLAN Membership with VMPS	199
Understanding How VMPS Works	199
VMPS and Dynamic Port Hardware and Software Requirements	200
Default VMPS and Dynamic Port Configuration	200
Dynamic Port VLAN Membership and VMPS Configuration Guidelines	201
Configuring VMPS and Dynamic Port VLAN Membership	201
Creating the VMPS Database	201
Configuring VMPS	202
Configuring Dynamic Ports on VMPS Clients	203
Configuring Static VLAN Port Membership	204
Troubleshooting VMPS and Dynamic Port VLAN Membership	204
Troubleshooting VMPS	204
Troubleshooting Dynamic Port VLAN Membership	205
Dynamic Port VLAN Membership with VMPS Configuration Examples	205
VMPS Database Configuration File Example	205
Dynamic Port VLAN Membership Configuration Example	206
Dynamic Port VLAN Membership with Auxiliary VLANs	208
Configuration Guidelines	209
Configuring Dynamic Port VLAN Membership with Auxiliary VLANs	209
Configuring GVRP	211
Understanding How GVRP Works	211
GVRP Hardware and Software Requirements	211
Default GVRP Configuration	212
GVRP Configuration Guidelines	212
Configuring GVRP	212
Enabling GVRP Globally	213
Enabling GVRP on Individual 802.1Q Trunk Ports	213
Enabling GVRP Dynamic VLAN Creation	214
Configuring GVRP Registration	215
Sending GVRP VLAN Declarations from Blocking Ports	216
Setting the GARP Timers	216
Displaying GVRP Statistics	217
Clearing GVRP Statistics	218
Disabling GVRP on Individual 802.1Q Trunk Ports	218
Disabling GVRP Globally	218
Directing and Filtering Traffic	221
Configuring QoS	223
Understanding How QoS Works	223
Overview of QoS	223
QoS Terminology	224
Understanding Classification and Marking at the Ingress Port	225
Understanding Scheduling	225
Software Requirements	226
QoS Default Configuration	226
Configuring QoS	226
Enabling QoS Globally	227
Configuring the Default CoS Value for the Switch	227
Reverting to the Default Switch CoS Value	227
Mapping CoS Values to Transmit Queues and Drop Thresholds	228
Reverting to the Default CoS-to-Transmit Queue and Drop Threshold Mapping	228
Displaying QoS Information	229
Reverting to QoS Defaults	229
Disabling QoS	229
Configuring Multicast Services	231
Understanding How Multicasting Works	231
Understanding Multicasting and Multicast Services Operation	231
Joining a Multicast Group	232
Leaving a Multicast Group	232
Understanding GMRP Operation	233
Configuring CGMP	234
CGMP Hardware and Software Requirements	234
Default CGMP Configuration	234
Enabling CGMP	234
Enabling CGMP Fast-Leave Processing	235
Displaying Multicast Router Information	236
Displaying Multicast Group Information	237
Checking CGMP Statistics	237
Disabling CGMP Fast-Leave Processing	238
Disabling CGMP	238
Configuring GMRP	238
GMRP Software Requirements	239
Default GMRP Configuration	239
Enabling GMRP Globally	239
Enabling GMRP on Individual Switch Ports	240
Disabling GMRP on Individual Switch Ports	240
Enabling GMRP Forward-All Option	241
Disabling GMRP Forward-All Option	241
Configuring GMRP Registration	242
Setting the GARP Timers	243
Displaying GMRP Statistics	244
Clearing GMRP Statistics	245
Disabling GMRP on the Switch	245
Configuring Multicast Router Ports and Group Entries	246
Specifying Multicast Router Ports	246
Configuring Multicast Groups	246
Clearing Multicast Router Ports	247
Clearing Multicast Group Entries	247
Configuring Port Security	249
Understanding How Port Security Works	249
Allowing Traffic Based on the Host MAC Address	249
Restricting Traffic Based on the Host MAC Address	251
Port Security Configuration Guidelines	251
Configuring Port Security	251
Enabling Port Security	252
Specifying the Maximum Number of Secure MAC Addresses	253
Specifying the Port Security Age Time	253
Clearing MAC Addresses	254
Specifying Security Violation Action	254
Specifying Shutdown Time	255
Disabling Port Security	255
Restricting Traffic Based on Host MAC Address	256
Monitoring Port Security	256
Configuring the IP Permit List	259
Understanding How the IP Permit List Works	259
IP Permit List Default Configuration	260
Configuring the IP Permit List	260
Adding IP Addresses to the IP Permit List	260
Enabling IP Permit List	261
Disabling the IP Permit List	262
Clearing an IP Permit List Entry	262
Configuring Protocol Filtering	265
Understanding How Protocol Filtering Works	265
Default Protocol Filtering Configuration	266
Configuring Protocol Filtering	266
Configuring Protocol Filtering	267
Disabling Protocol Filtering	267
Monitoring and Managing theSwitch	269
Checking Port Status and Connectivity	271
Checking Module Status	271
Checking Port Status	272
Checking Port Capabilities	274
Using Telnet	275
Changing the Login Timer	276
Using Secure Shell Encryption for Telnet Sessions	276
Monitoring User Sessions	277
Using Ping	278
Understanding How Ping Works	278
Using Layer 2 Traceroute	280
Usage Guidelines	280
Identifying a Layer2 Path	281
Using IP Traceroute	281
Understanding How IP Traceroute Works	281
Executing IP Traceroute	282
Configuring CDP	283
Understanding How CDP Works	283
Default CDP Configuration	283
Configuring CDP	284
Setting the CDP Global Enable State	284
Setting the CDP Enable State on a Port	285
Setting the CDP Message Interval	286
Setting the CDP Holdtime	286
Displaying CDP Neighbor Information	286
Using Switch TopN Reports	289
Understanding How Switch TopN Reports Works	289
Overview of Switch TopN Reports	289
Running Switch TopN Reports without the Background Option	290
Running Switch TopN Reports with the Background Option	290
Running and Viewing Switch TopN Reports	291
Configuring UDLD	295
Understanding How UDLD Works	295
UDLD Software and Hardware Requirements	296
Default UDLD Configuration	297
Configuring UDLD	297
Enabling UDLD Globally	297
Enabling UDLD on Individual Ports	298
Disabling UDLD on Individual Ports	298
Disabling UDLD Globally	298
Specifying the UDLD Message Interval	299
Enabling UDLD Aggressive Mode	299
Displaying the UDLD Configuration	300
Configuring SNMP	303
SNMP Terminology	303
Understanding How SNMP Works	305
Secuirty Models and Levels	305
SNMP ifindex Persistence Feature	306
Understanding How SNMPv1 and SNMPv2c Work	306
SNMPv1 and SNMPv2c Default Configuration	307
Configuring SNMPv1 and SNMPv2c from an NMS	307
Configuring SNMPv1 and SNMPv2c from the CLI	308
Understanding SNMPv3	309
Benefits	309
SNMP Entity	309
Configuring SNMPv3 from an NMS	312
Configuring SNMPv3 from the CLI	312
Using CiscoWorks2000	315
Configuring RMON	317
Understanding How RMON Works	317
Enabling RMON	318
Viewing RMON Data	318
Supported RMON and RMON2 MIB Objects	318
Configuring SPAN and RSPAN	321
Understanding How SPAN and RSPAN Work	321
SPAN Session	321
Destination Port	322
Source Port	322
Reflector Port	323
Ingress SPAN	323
Egress SPAN	323
VSPAN	323
Trunk VLAN Filtering	324
SPAN Traffic	324
SPAN and RSPAN Session Limits	324
Configuring SPAN	324
Understanding How SPAN Works	324
SPAN Configuration Guidelines	325
Configuring SPAN	326
Configuring RSPAN	328
RSPAN Software and Hardware Requirements	328
Understanding How RSPAN Work	328
RSPAN Configuration Guidelines	329
Configuring RSPAN	330
RSPAN Configuration Examples	334
Administering the Switch	337
Administering the Switch	339
Setting the System Name and System Prompt	339
Configuring a Static System Name and Prompt	340
Setting the System Contact and Location	341
Setting the System Clock	342
Creating a Login Banner	342
Configuring a Login Banner	342
Clearing the Login Banner	343
Defining and Using Command Aliases	343
Defining and Using IP Aliases	345
Configuring Permanent and Static ARP Entries	345
Configuring Static Routes	347
Scheduling a System Reset	348
Scheduling a Reset at a Specific Time	348
Scheduling a Reset Within a Specified Amount of Time	349
Power Management	349
Power Redundancy	350
Setting the Power Budget	353
Generating System Status Reports for Tech Support	354
Configuring Switch Access Using AAA	355
Understanding How Authentication Works	355
Authentication Overview	356
Understanding How Login Authentication Works	356
Understanding How Local Authentication Works	356
Understanding How TACACS+ Authentication Works	357
Understanding How RADIUS Authentication Works	358
Understanding How Kerberos Authentication Works	358
Understanding How 802.1x Authentication Works	361
Configuring Authentication	363
Authentication Default Configuration	364
Authentication Configuration Guidelines	365
Configuring Login Authentication	366
Configuring Local Authentication	367
Configuring TACACS+ Authentication	371
Configuring RADIUS Authentication	377
Configuring Kerberos Authentication	384
Configuring 802.1x Authentication	393
Authentication Example	401
Understanding How Authorization Works	403
Authorization Overview	403
Authorization Events	403
TACACS+ Primary Options and Fallback Options	403
TACACS+ Command Authorization	404
RADIUS Authorization	404
Configuring Authorization	405
Authorization Default Configuration	405
TACACS+ Authorization Configuration Guidelines	405
Configuring TACACS+ Authorization	405
Authorization Example	408
Understanding How Accounting Works	409
Accounting Overview	410
Accounting Events	410
Specifying When to Create Accounting Records	411
Specifying RADIUS Servers	411
Updating the Server	412
Suppressing Accounting	412
Configuring Accounting	412
Accounting Default Configuration	412
Accounting Configuration Guidelines	413
Configuring Accounting	413
Accounting Example	416
Modifying the Switch Boot Configuration	419
Understanding How the Switch Boot Configuration Works	419
Understanding the Boot Process	419
Understanding the ROM Monitor	420
Understanding the Configuration Register	420
Understanding the BOOT Environment Variable	421
Understanding the CONFIG_FILE Environment Variable	421
Default Switch Boot Configuration	422
Setting the Configuration Register	422
Setting the Boot Field in the Configuration Register	422
Setting CONFIG_FILE Recurrence	423
Setting the Switch to Ignore the NVRAM Configuration	424
Setting the BOOT Environment Variable	425
Setting the BOOT Environment Variable	425

Match case Limit results 1 per page

27-7

Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4

78-12647-02

Chapter 27

Configuring Switch Access Using AAA

Understanding How Authentication Works

Note

A non-Kerberized login can be performed through a modem or terminal server through the in-band

management port. Telnet does not support non-Kerberized login.

If a non-Kerberized login is launched, the following process takes place:

The switch prompts you for a username and password.

The switch requests a TGT from the KDC so that you can be authenticated to the switch.

The KDC sends an encrypted TGT to the switch, which contains your identity, KDC’s identity, and

TGT’s expiration time.

The switch tries to decrypt the TGT with the password that you entered. If the decryption is

successful, you are authenticated to the switch.

If you want to access other network services, the KDC must be contacted directly for authentication.

To obtain the TGT, you can run the program “kinit,” the client software provided with the Kerberos

package.

Figure 27-2

illustrates the non-Kerberized login process.

Figure 27-2

Non-Kerberized Telnet Connection

Understanding How 802.1x Authentication Works

IEEE 802.1x is a client-server-based access control and authentication protocol that restricts

unauthorized devices from connecting to a local area network (LAN) through publicly accessible ports.

802.1x authenticates each user device connected to a switch port before making available any services

offered by the switch or the LAN. Until the device is authenticated, 802.1x access control allows only

Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is

connected. After authentication is successful, normal traffic can pass through the port.

802.1x controls network access by the creating two distinct virtual access points at each port. One access

point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available

to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is

always open. The controlled port is open

only

when the device connected to the port has been authorized

by 802.1x. After this authorization takes place, the controlled port opens, allowing normal traffic to pass.

Host

(Telnet client)

Kerberos server

(contains KDC)

Catalyst switch

55510