Home » D-Link Manuals » Hubs & Switches » D-Link DGS-1510-20 » Manual Viewer

D-Link DGS-1510-20 User Manual - Page 289

Port-based Access Control, Understanding 802.1X Port-based and Host-based Network Access Control

Add to My Manuals
Save this manual to your list of manuals

Page 289 highlights

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Figure 9-9 The 802.1X Authentication Process The D-Link implementation of 802.1X allows network administrators to choose between two types of Access Control used on the Switch, which are: • Port-based Access Control - This method requires only one user to be authenticated per port by a remote RADIUS server to allow the remaining users on the same port access to the network. • Host-based Access Control - Using this method, the Switch will automatically learn up to a maximum of 448 MAC addresses by port and set them in a list. Each MAC address must be authenticated by the Switch using a remote RADIUS server before being allowed access to the Network. Understanding 802.1X Port-based and Host-based Network Access Control The original intent behind the development of 802.1X was to leverage the characteristics of point-to-point in LANs. As any single LAN segment in such infrastructures has no more than two devices attached to it, one of which is a Bridge Port. The Bridge Port detects events that indicate the attachment of an active device at the remote end of the link, or an active device becoming inactive. These events can be used to control the authorization state of the Port and initiate the process of authenticating the attached device if the Port is unauthorized. This is the Port-based Network Access Control. Port-based Network Access Control Once the connected device has successfully been authenticated, the Port then becomes Authorized, and all subsequent traffic on the Port is not subject to access control restriction until an event occurs that causes the Port to become Unauthorized. Hence, if the Port is actually connected to a shared media LAN segment with more than one attached device, successfully authenticating one of the attached devices effectively provides access to the LAN for all devices on the shared segment. Clearly, the security offered in this situation is open to attack. 281

Section	Page
Table of Contents	3
1. Introduction	9
Audience	9
Other Documentation	9
Conventions	9
Notes, Notices, and Cautions	9
2. Web-based Switch Configuration	11
Management Options	11
Connecting using the Web User Interface	11
Logging onto the Web Manager	11
Smart Wizard	12
Web User Interface (Web UI)	16
Areas of the User Interface	16
3. System	17
Device Information	17
System Information Settings	17
Peripheral Settings	18
Port Configuration	19
Port Settings	19
Port Status	20
Port Auto Negotiation	21
Error Disable Settings	22
Jumbo Frame	23
PoE (DGS-1510-28P Only)	24
PoE System	24
PoE Status	25
PoE Configuration	26
PoE Statistics	27
PoE Measurement	28
PoE LLDP Classification	29
System Log	30
System Log Settings	30
System Log Discriminator Settings	31
System Log Server Settings	32
System Log	33
System Attack Log	33
Time and SNTP	34
Clock Settings	34
Time Zone Settings	34
SNTP Settings	36
Time Range	37
4. Management	39
User Account Settings	39
Password Encryption	40
Login Method	41
SNMP	42
SNMP Global Settings	43
SNMP Linkchange Trap Settings	44
SNMP View Table Settings	45
SNMP Community Table Settings	46
SNMP Group Table Settings	47
SNMP Engine ID Local Settings	49
SNMP User Table Settings	49
SNMP Host Table Settings	50
RMON	51
RMON Global Settings	51
RMON Statistics Settings	52
RMON History Settings	53
RMON Alarm Settings	53
RMON Event Settings	54
Telnet/Web	55
Session Timeout	56
DHCP	57
Service DHCP	57
DHCP Class Settings	57
DHCP Relay	59
DHCP Relay Global Settings	59
DHCP Relay Pool Settings	59
DHCP Relay Information Settings	61
DHCP Relay Information Option Format Settings	62
DHCP Local Relay VLAN	64
DHCPv6 Relay	64
DHCPv6 Relay Global Settings	64
DHCPv6 Relay Interface Settings	65
DHCP Auto Configuration	66
DNS	66
DNS Global Settings	67
DNS Name Server Settings	68
DNS Host Settings	68
IP Source Interface	69
File System	69
Physical Stacking	71
Virtual Stacking (SIM)	76
Single IP Settings	78
Topology	79
Firmware Upgrade	86
Configuration File Backup/Restore	87
Upload Log File	87
D-Link Discovery Protocol	88
5. Layer 2 Features	90
FDB	90
Static FDB	90
Unicast Static FDB	90
Multicast Static FDB	91
MAC Address Table Settings	91
MAC Address Table	92
MAC Notification	93
VLAN	95
802.1Q VLAN	95
GVRP	96
GVRP Global	96
GVRP Port	96
GVRP Advertise VLAN	97
GVRP Forbidden VLAN	98
GVRP Statistics Table	99
Asymmetric VLAN	99
VLAN Interface	100
Auto Surveillance VLAN	103
Auto Surveillance Properties	103
MAC Settings and Surveillance Device	105
Voice VLAN	106
Voice VLAN Global	106
Voice VLAN Port	106
Voice VLAN OUI	107
Voice VLAN Device	108
Voice VLAN LLDP-MED Device	109
Spanning Tree	109
STP Global Settings	111
STP Port Settings	113
MST Configuration Identification	114
STP Instance	115
MSTP Port Information	116
Loopback Detection	116
Link Aggregation	118
L2 Multicast Control	120
IGMP Snooping	121
IGMP Snooping Settings	121
IGMP Snooping Groups Settings	123
IGMP Snooping Mrouter Settings	124
IGMP Snooping Statistics Settings	125
MLD Snooping	126
MLD Snooping Settings	127
MLD Snooping Groups Settings	130
MLD Snooping Mrouter Settings	131
MLD Snooping Statistics Settings	132
Multicast Filtering	133
LLDP	134
LLDP Global Settings	134
LLDP Port Settings	135
LLDP Management Address List	137
LLDP Basic TLVs Settings	137
LLDP Dot1 TLVs Settings	138
LLDP Dot3 TLVs Settings	139
LLDP-MED Port Settings	140
LLDP Statistics Information	141
LLDP Local Port Information	142
LLDP Neighbor Port Information	144
6. Layer 3 Features	145
ARP	145
ARP Aging Time	145
Static ARP	145
Proxy ARP	146
ARP Table	147
Gratuitous ARP	147
IPv4 Interface	148
IPv4 Static/Default Route	150
IPv4 Route Table	151
IPv6 Interface	152
IPv6 Neighbor	154
IPv6 Static/Default Route	155
IPv6 Route Table	155
7. Quality of Service (QoS)	157
Basic Settings	157
Port Default CoS	157
Port Scheduler Method	157
Queue Settings	159
CoS to Queue Mapping	160
Port Rate Limiting	160
Queue Rate Limiting	161
Advanced Settings	163
DSCP Mutation Map	163
Port Trust State and Mutation Binding	164
DSCP CoS Mapping	164
CoS Color Mapping	165
DSCP Color Mapping	166
Class Map	167
Aggregate Policer	169
Policy Map	172
Policy Binding	175
8. Access Control List (ACL)	177
ACL Configuration Wizard	177
ACL Access List	210
Standard IP ACL	211
Extended IP ACL	214
Standard IPv6 ACL	233
Extended IPv6 ACL	237
Extended MAC ACL	249
Extended Expert ACL	253
ACL Interface Access Group	278
ACL VLAN Access Map	279
ACL VLAN Filter	281
9. Security	283
Port Security	283
Port Security Global Settings	283
Port Security Port Settings	284
Port Security Address Entries	285
802.1X	286
802.1X Global Settings	291
802.1X Port Settings	291
Authentication Session Information	293
Authenticator Statistics	293
Authenticator Session Statistics	294
Authenticator Diagnostics	294
AAA	295
AAA Global Settings	295
Application Authentication Settings	295
Application Accounting Settings	296
Authentication Settings	297
Accounting Settings	299
RADIUS	300
RADIUS Global Settings	300
RADIUS Server Settings	301
RADIUS Group Server Settings	302
RADIUS Statistic	303
TACACS	304
TACACS Server Settings	304
TACACS Group Server Settings	304
TACACS Statistic	305
IMPB	306
IPv4	306
DHCPv4 Snooping	306
DHCP Snooping Global Settings	306
DHCP Snooping Port Settings	307
DHCP Snooping VLAN Settings	308
DHCP Snooping Database	308
DHCP Snooping Binding Entry	309
Dynamic ARP Inspection	310
ARP Access List	310
ARP Inspection Settings	312
ARP Inspection Port Settings	313
ARP Inspection VLAN	314
ARP Inspection Statistics	314
ARP Inspection Log	315
IP Source Guard	315
IP Source Guard Port Settings	315
IP Source Guard Binding	316
IP Source Guard HW Entry	317
Advanced Settings	317
IP-MAC-Port Binding Settings	317
IP-MAC-Port Binding Blocked Entry	319
IPv6	319
IPv6 Snooping	319
IPv6 ND Inspection	320
IPv6 RA Guard	321
IPv6 DHCP Guard	322
IPv6 Source Guard	323
IPv6 Source Guard Settings	323
IPv6 Neighbor Binding	324
DHCP Server Screening	325
DHCP Server Screening Global Settings	325
DHCP Server Screening Port Settings	326
ARP Spoofing Prevention	327
BPDU Attack Protection	327
MAC Authentication	329
Web-based Access Control	330
Web Authentication	333
WAC Port Settings	334
WAC Customize Page	334
Japanese Web-based Access Control	335
JWAC Global Settings	335
JWAC Port Settings	338
JWAC Customize Page Language	339
JWAC Customize Page	339
Network Access Authentication	340
Guest VLAN	340
Network Access Authentication Global Settings	341
Network Access Authentication Port Settings	343
Network Access Authentication Sessions Information	344
Safeguard Engine	345
Safeguard Engine Settings	346
CPU Protect Counters	347
CPU Protect Sub-Interface	348
CPU Protect Type	348
Trusted Host	349
Traffic Segmentation Settings	350
Storm Control	350
DoS Attack Prevention Settings	353
SSH	354
SSH Global Settings	355
Host Key	355
SSH Server Connection	356
SSH User Settings	356
SSL	357
SSL Global Settings	358
Crypto PKI Trustpoint	359
SSL Service Policy	360
10. OAM	361
Cable Diagnostics	361
DDM	361
DDM Settings	362
DDM Temperature Threshold Settings	362
DDM Voltage Threshold Settings	363
DDM Bias Current Threshold Settings	364
DDM TX Power Threshold Settings	364
DDM RX Power Threshold Settings	365
DDM Status Table	366
11. Monitoring	367
Utilization	367
Port Utilization	367
Statistics	368
Port	368
Port Counters	369
Counters	371
Mirror Settings	373
Device Environment	375
12. Green	376
Power Saving	376
EEE	377
13. Save and Tools	379
Save Configuration	379
Firmware Upgrade & Backup	379
Firmware Upgrade from HTTP	379
Firmware Upgrade from TFTP	380
Firmware Backup to HTTP	380
Firmware Backup to TFTP	381
Configuration Restore & Backup	381
Configuration Restore from HTTP	381
Configuration Restore from TFTP	382
Configuration Backup to HTTP	383
Configuration Backup to TFTP	383
Log Backup	384
Log Backup to HTTP	384
Log Backup to TFTP	384
Ping	385
Trace Route	387
Language Management	389
Reset	389
Reboot System	390
Appendix A - System Log Entries	391
802.1X	391
AAA	391
Auto Surveillance VLAN	394
BPDU Attack Protection	394
Configuration/Firmware	394
DAI	396
DDM	397
DHCPv6 Client	398
DHCPv6 Relay	400
DNS Resolver	400
DOS Prevention	400
Interface	401
JWAC	401
LACP	402
LBD	402
LLDP-MED	403
Login/Logout CLI	404
MAC-based Access Control	406
MSTP Debug Enhancement	407
Peripheral	409
PoE	410
Port Security	410
Safeguard	410
SNMP	411
SSH	411
Stacking	411
Storm Control	412
Voice-VLAN	413
Web	413
Web-Authentication	414
Appendix B - Trap Entries	415
802.1X	415
Authentication Fail	415
BPDU Attack Protection	415
DDM	416
DHCP Server Screen Prevention	416
DOS Prevention	416
ErrDisable	416
General Management	417
Gratuitous ARP Function	417
IMPB	417
LACP	417
LBD	418
LLDP	418
MAC-based Access Control	419
MAC-notification	419
MSTP	419
Peripheral	420
PoE	420
Port	421
Port Security	421
RMON	421
Safeguard	422
Stack	422
SIM	423
Start	424
Storm Control	424
System File	424
Web-Authentication	424
Appendix C - RADIUS Attributes Assignment	426

Match case Limit results 1 per page

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide

281

Figure 9-9 The 802.1X Authentication Process

The D-Link implementation of 802.1X allows network administrators to choose between two types of

Access Control used on the Switch, which are:

•

Port-based Access Control

–

This method requires only one user to be authenticated per port

by a remote RADIUS server to allow the remaining users on the same port access to the network.

•

Host-based Access Control

–

Using this method, the Switch will automatically learn up to a

maximum of 448 MAC addresses by port and set them in a list. Each MAC address must be

authenticated by the Switch using a remote RADIUS server before being allowed access to the

Network.

Understanding 802.1X Port-based and Host-based Network Access Control

The original intent behind the development of 802.1X was to leverage the characteristics of point-to-point

in LANs. As any single LAN segment in such infrastructures has no more than two devices attached to it,

one of which is a Bridge Port. The Bridge Port detects events that indicate the attachment of an active

device at the remote end of the link, or an active device becoming inactive. These events can be used to

control the authorization state of the Port and initiate the process of authenticating the attached device if

the Port is unauthorized. This is the Port-based Network Access Control.

Port-based Network Access Control

Once the connected device has successfully been authenticated, the Port then becomes Authorized, and

all subsequent traffic on the Port is not subject to access control restriction until an event occurs that

causes the Port to become Unauthorized. Hence, if the Port is actually connected to a shared media LAN

segment with more than one attached device, successfully authenticating one of the attached devices

effectively provides access to the LAN for all devices on the shared segment. Clearly, the security offered

in this situation is open to attack.