Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3200-10 » Manual Viewer

D-Link DGS-3200-10 Product Manual - Page 166

Access Authentication Control, TACACS, Extended TACACS XTACACS

UPC - 790069306310

Add to My Manuals
Save this manual to your list of manuals

Page 166 highlights

xStack® DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch Access Authentication Control The TACACS / XTACACS / TACACS+ / RADI US commands allow users to secure access to the Switch using the TACAC S / XTACACS / TACACS+ / RADIUS protocols. When a user logs in to the Switch or tries to access the administrator level privilege, he or she is prompted for a password. If TACACS / XTACACS / TACACS+ / RADIUS authentication is enabled on the Switch, it will contact a TACACS / XTACACS / TACACS+ / RADIUS server to verify the user. If the user is verified, he or she is granted access to the Switch. There are curren tly three versions of the TACACS security protocol, each a separate entity. The Switch's software supports the following versions of TACACS:  TACACS (Terminal A ccess Controller A ccess Con trol System) - Provides p assword ch ecking an d au thentication, and notification of u ser action s fo r secu rity pu rposes u tilizing via o ne or m ore cen tralized TACACS serv ers, u tilizing the UDP protocol for packet transmission.  Extended TA CACS ( XTACACS) - An ex tension of the TACACS protocol with the ability to p rovide more typ es o f authentication requests and more typ es of resp onse codes than T ACACS. This protocol al so us es U DP t o t ransmit packets.  TACACS+ (Terminal Ac cess Controll er A ccess Contr ol System plus ) - Provides detailed access c ontrol for authentication for n etwork d evices. TAC ACS+ is facilitate d th rough Au thentication co mmands via one or mo re centralized servers. The T ACACS+ protocol encrypts all traffic betwee n the Switch and the TACACS+ daemon, using the TCP protocol to ensure reliable delivery In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS / XTACACS / TACACS+ / RADIUS server must be co nfigured on a device other than the Switch, called an Authentication Server Host and it must i nclude usernames and pass words f or aut hentication. When t he user i s p rompted by t he S witch t o e nter usernames and passwords for authentication, th e Switch con tacts th e TACACS / XTACA CS / TA CACS+ / RADIU S server to ver ify, and the server will respond with one of three messages: The server verifies the username and password, and the user is granted normal user privileges on the Switch. The server will not accept the username and password and the user is denied access to the Switch. The server doesn't respond to the verification query. At this point, the Switch receives the timeout from the server and then moves to the next method of verification configured in the method list. The Switch has four built-in Authentication Server Groups, one for each of t he TACACS, XTACACS, TACACS+ and RADIUS protocols. These built-in Authentication Server Groups a re used to aut henticate users trying to access the Switch. The users will set Authentication Server Hosts in a preferable order in the built-in Authentication Server Groups and wh en a user tries to gain access to the Switch, the Switch will ask the first Authentication Server Hosts for authentication. If no authentication is made, the second server host in the list will b e queried, and so on. The built-in Authentication Server Groups can only have hosts that are running the specified protocol. For example, the TACACS Authentication Server Groups can only have TACACS Authentication Server Hosts. The ad ministrator fo r the Switch m ay set up six different au thentication tech niques per user-defined m ethod list (TAC ACS / XTACACS / TACACS+ / R ADIUS / lo cal / n one) for authentication. These techniques will b e listed in an order preferable, and defined by the user for normal user authentication on the Switch, and may contain up to eight authentication techniques. When a user attempts to access the Switch, t he Switch will select the first tec hnique listed for authentication. If t he first technique goes through its Auth entication Server Hosts and no au thentication is returned, the Switch will then go to th e next technique listed in the server group for authentication, until the authentication has been verified or denied, or the list is exhausted. Please note that users granted access to t he Switch will be grante d normal user pri vileges on the Switch. To gai n access to administrator level privileges, the user must access the Enable Admin window and then enter a password, which was previously configured by the administrator of the Switch. NOTE: TACACS, XTACACS and TACACS+ are separate entities and are not compatible. The Switch and the server must be configured exactly the same, using the same protocol. (For example, if the Switch is set up for TACACS authentication, so must be the host server.) 153

Section	Page
Table of Contents	3
Intended Readers	9
Typographical Conventions	9
Notes, Notices, and Cautions	10
Safety Cautions	10
General Precautions for Rack-Mountable Products	11
Lithium Battery Precaution	13
Protecting Against Electrostatic Discharge	13
Introduction	14
Logging onto the Web Manager	14
Web-Based User Interface	14
Introduction	14
Logging onto the Web Manager	14
Web-based User Interface	15
Areas of the User Interface	15
Web Pages	16
Device Information	18
System Information	18
Serial Port Settings	18
IP Address	18
IPv6 Interface Settings	18
IPv6 Route Table	18
IPv6 Neighbor Settings	18
Port Configuration	18
Static ARP Settings	18
User Accounts	18
System Log Configuration	18
System Severity Settings	18
DHCP/BOOTP Relay	18
DHCP Local Relay Settings	18
DHCP Auto Configuration Settings	18
MAC Address Aging Time	18
Web Settings	18
Telnet Settings	18
Password Encryption	18
CLI Paging Settings	18
Firmware Information	18
Power Saving Settings	18
Dual Configuration Settings	18
SMTP Settings	18
Ping Test	18
SNTP Settings	18
MAC Notification Settings	18
SNMP Settings	18
CPU Filter L3 Control Packet Settings	18
Single IP Management	18
SD Card FS Settings (DGS-3200-24 only)	18
Device Information	19
System Information	20
Serial Port Settings	21
IP Address	21
Setting the Switch’s IP Address using the Console Interface	23
IPv6 Interface Settings	23
IPv6 Route Table	25
IPv6 Neighbor Settings	26
Port Configuration	27
Port Settings	27
Port Description	28
Port Error Disabled	29
Static ARP Settings	29
User Accounts	31
Admin and User Privileges	31
System Log Configuration	32
System Log Settings	32
System Log Host	33
System Severity Settings	33
DHCP/BOOTP Relay	34
DHCP/BOOTP Relay Global Settings	34
Implementation of DHCP Relay Agent Information Option 82	36
DHCP/BOOTP Relay Interface Settings	37
DHCP Local Relay Settings	37
DHCP Auto Configuration Settings	38
MAC Address Aging Time	39
Web Settings	39
Telnet Settings	40
Password Encryption	40
CLI Paging Settings	41
Firmware Information	41
Power Saving Settings	43
Dual Configuration Settings	44
SMTP Settings	46
Ping Test	47
SNTP Settings	48
Time Settings	48
Time Zone Settings	49
MAC Notification Settings	50
MAC Notification Global Settings	50
MAC Notification Port Settings	51
SNMP Settings	52
Traps	52
MIBs	52
SNMP Global State Settings	53
SNMP Linkchange Trap Settings	53
SNMP View Table	54
SNMP Group Table	55
SNMP User Table	56
SNMP Community Table	57
SNMP Host Table	58
SNMP v6Host Table	59
SNMP Engine ID	60
SNMP Trap Configuration	60
RMON	61
CPU Filter L3 Control Packet Settings	61
Single IP Management	61
Upgrade to v1.61	63
Single IP Settings	63
Topology	65
Tool Tips	67
Right-Click	67
Group Icon	68
Commander Switch Icon	69
Member Switch Icon	69
Candidate Switch Icon	69
Menu Bar	70
File	70
Group	70
Device	70
View	70
Help	70
Firmware Upgrade	71
Configuration File Backup/Restore	71
Upload Log File	71
SD Card FS Settings	72
Jumbo Frame	74
Egress Filter Settings	74
802.1Q VLAN	74
Private VLAN Settings	74
802.1v Protocol VLAN	74
MAC-based VLAN Settings	74
GVRP Settings	74
PVID Auto Assign Settings	74
Port Trunking	74
VLAN Trunk Settings	74
LACP Port Settings	74
Traffic Segmentation	74
IGMP Snooping	74
MLD Snooping Settings	74
Port Mirroring	74
Loopback Detection Settings	74
Spanning Tree	74
Forwarding & Filtering	74
Jumbo Frame	74
Egress Filter Settings	75
802.1Q VLAN	75
Understanding IEEE 802.1p Priority	75
VLAN Description	76
Notes about VLANs on the Switch	76
IEEE 802.1Q VLANs	76
802.1Q VLAN Tags	77
Port VLAN ID	78
Tagging and Untagging	79
Ingress Filtering	79
Default VLANs	79
Port-based VLANs	80
VLAN Segmentation	80
VLAN and Trunk Groups	80
Private VLAN Settings	84
802.1v Protocol VLAN	89
802.1v Protocol Group Settings	89
802.1v Protocol VLAN Settings	90
MAC-based VLAN Settings	91
GVRP Settings	91
PVID Auto Assign Settings	92
Port Trunking	93
Understanding Port Trunk Groups	93
VLAN Trunk Settings	96
LACP Port Settings	97
Traffic Segmentation	98
IGMP Snooping	98
IGMP Snooping Settings	98
Data Driven Learning Settings	102
ISM VLAN Settings	103
Restrictions and Provisos	103
ISM Profile Settings	106
IP Multicast Profile Settings	107
Limited Multicast Address Range Settings	108
Max Multicast Group Settings	109
MLD Snooping Settings	109
MLD Control Messages	110
Port Mirroring	113
Loopback Detection Settings	114
Spanning Tree	115
802.1Q-2005 MSTP	115
802.1D-2004 Rapid Spanning Tree	116
Port Transition States	116
Edge Port	116
P2P Port	116
802.1D-1998/802.1D-2004/802.1Q-2005 Compatibility	116
STP Bridge Global Settings	118
STP Port Settings	120
MST Configuration Identification	121
STP Instance Settings	122
MSTP Port Information	123
Forwarding & Filtering	124
Unicast Forwarding	124
Multicast Forwarding	124
Multicast Filtering Mode	125
Bandwidth Control	126
Traffic Control	126
802.1p Default Priority	126
802.1p User Priority	126
QoS Scheduling Mechanism	126
Understanding QoS	127
Bandwidth Control	128
Traffic Control	129
802.1p Default Priority	131
802.1p User Priority	131
QoS Scheduling Mechanism	132
Safeguard Engine	133
Trusted Host	133
IP-MAC-Port Binding (IMPB)	133
Port Security	133
DHCP Server Screening	133
Guest VLAN	133
802.1X	133
SSL Settings	133
SSH	133
Access Authentication Control	133
MAC-based Access Control (MAC)	133
Web-based Access Control (WAC)	133
Japanese Web-based Access Control (JWAC)	133
Multiple Authentication	133
IGMP Access Control Settings	133
ARP Spoofing Prevention Settings	133
Safeguard Engine	133
Trusted Host	135
IP-MAC-Port Binding (IMPB)	136
General Overview	136
Common IP Management Security Issues	136
Solutions to Improve IP Management Security	136
ARP Mode	136
ACL Mode	137
Strict and Loose State	137
DHCP Snooping Option	137
IMPB Global Settings	138
IMPB Port Settings	139
IMPB Entry Settings	141
DHCP Snooping Entries	142
MAC Block List	143
Port Security	144
Port Security Settings	144
Port Lock Entries	145
DHCP Server Screening	146
DHCP Screening Port Settings	146
DHCP Offer Filtering	147
Guest VLAN	148
Limitations Using the Guest VLAN	148
802.1X (Port-based and Host-based Access Control)	149
Authentication Server	150
Authenticator	150
Client	151
Authentication Process	151
Understanding 802.1X Port-based and Host-based Network Access Control	152
Port-based Network Access Control	152
Host-based Network Access Control	153
802.1X Settings	154
802.1X User	155
Initialize Port(s)	156
Reauthenticate Port(s)	157
Authentic RADIUS Server	158
SSL Settings	159
SSH	161
SSH Configuration	162
SSH Authmode and Algorithm Settings	163
SSH User Authentication Mode	165
Access Authentication Control	166
Authentication Policy and Parameter Settings	167
Application Authentication Settings	167
Authentication Server Group	168
Authentication Server Host	170
Login Method Lists	171
Enable Method Lists	172
Configure Local Enable Password	173
Enable Admin	173
MAC-based Access Control (MAC)	174
Notes about MAC-based Access Control	174
MAC Settings	174
MAC Local Settings	177
Web-based Access Control (WAC)	177
Conditions and Limitations	179
WAC Global Settings	179
WAC User Settings	180
WAC Port Settings	182
Japanese Web-based Access Control (JWAC)	183
JWAC Global Settings	183
JWAC Port Settings	185
JWAC User Settings	186
JWAC Customize Page Language	186
JWAC Customize Page	187
Multiple Authentication	187
Any (MAC, 802.1X or WAC) Mode	188
Any (MAC, 802.1X or JWAC) Mode	188
802.1X & IMPB Mode	189
IMPB & WAC/JWAC Mode	189
Authorization Network State Settings	190
Multiple Authentication Settings	190
Guest VLAN	191
IGMP Access Control Settings (IGMP Authentication)	192
ARP Spoofing Prevention Settings	193
ACL Configuration Wizard	194
Access Profile List	194
CPU Access Profile List	194
Time Range Settings	194
ACL Configuration Wizard	194
Access Profile List	195
CPU Access Profile List	211
Time Range Settings	223
Device Environment (DGS-3200-16 and DGS-3200-24 only)	225
Cable Diagnostics	225
CPU Utilization	225
Port Utilization	225
Packet Size	225
Packets	225
Errors	225
Port Access Control	225
Browse ARP Table	225
Browse VLAN	225
Browse Router Port	225
Browse MLD Router Port	225
Browse Session Table	225
IGMP Snooping Group	225
MLD Snooping Group	225
WAC Authenticating State	225
JWAC Host Table	225
MAC Address Table	225
System Log	225
MAC Authentication State	225
Device Environment	225
Cable Diagnostics	226
Cable Diagnostics Notes	226
CPU Utilization	227
Port Utilization	228
Packet Size	229
Packets	231
Received (RX)	231
UMB_Cast (RX)	233
Transmitted (TX)	234
Errors	236
Received (RX)	236
Transmitted (TX)	238
Port Access Control	240
RADIUS Authentication	240
RADIUS Account Client	241
Authenticator State	243
Authenticator Statistics	245
Authenticator Session Statistics	248
Authenticator Diagnostics	251
Browse ARP Table	254
Browse VLAN	254
Browse Router Port	255
Browse MLD Router Port	255
Browse Session Table	256
IGMP Snooping Group	256
MLD Snooping Group	257
WAC Authenticating State	258
JWAC Host Table	259
MAC Address Table	260
System Log	261
MAC Authentication State	262
Save Configuration	263
Save Log	263
Save All	263
Download Configuration File/Download Configuration File to NV-RAM (DGS-3200-24 only)	263
Download Configuration File to SD Card (DGS-3200-24 only)	263
Download Firmware/Download Firmware to NV-RAM (DGS-3200-24 only)	263
Download Firmware to SD Card (DGS-3200-24 only)	263
Upload Configuration File/Upload Configuration File to TFTP	263
Upload Log File/Upload Log File to TFTP	263
Reset	263
Reboot System	263
Save Configuration	264
Save Log	264
Save All	265
Download Configuration File/Download Configuration File to NV-RAM	265
Download Configuration File to SD Card	266
Download Firmware/Download Firmware to NV-RAM	266
Download Firmware to SD Card	267
Upload Configuration File/Upload Configuration File to TFTP	267
Upload Log File/Upload Log File to TFTP	268
Reset	268
Reboot System	269
How ARP Spoofing Attacks a Network	273
Prevent ARP Spoofing via Packet Content ACL	274
Log Information	277

Match case Limit results 1 per page

xStack

DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch

153

Access Authentication Control

The TACACS / XTACACS / TACACS+ / RADIUS commands allow users to secure access to the Switch using the TACACS /

XTACACS / TACACS+ / RADIUS protocols. When a user logs in to the Switch or tries to access the administrator level privilege,

he or she is prompted for a password. If TACACS / XTACACS / TACACS+ / RADIUS authentication is enabled on the Switch, it

will contact a TACACS / XTACACS / TACACS+ / RADIUS server to verify the user. If the user is verified, he or she is granted

access to the Switch.

There are currently three versions of the TACACS security protocol, each a separate entity. The Switch's software supports the

following versions of TACACS:



TACACS

(Terminal Access Controller Access Control System) - Provides password checking and authentication, and

notification of u ser action s fo r secu rity pu rposes u tilizing via o ne or m ore cen tralized TACACS serv ers, u tilizing the

UDP protocol for packet transmission.



Extended TACACS (XTACACS)

- An extension of the TACACS protocol with the ability to provide more types of

authentication requests and more typ es of resp onse codes than T ACACS. This protocol al so us es U DP t o t ransmit

packets.



TACACS+

(Terminal Ac cess Controll er A ccess Contr ol System plus

) - Provides

detailed access c ontrol for

authentication for n etwork d evices. TAC ACS+ is facilitate d th rough Au thentication co mmands via one or mo re

centralized servers. The TACACS+ protocol encrypts all traffic between the Switch and the TACACS+ daemon, using

the TCP protocol to ensure reliable delivery

In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS / XTACACS /

TACACS+ / RADIUS server must be configured on a device other than the Switch, called an Authentication Server Host and it

must i nclude usernames and pass words f or aut hentication. When t he user i s p rompted by t he S witch t o e nter usernames and

passwords for authentication, th e Switch con tacts th e TACACS / XTACA CS / TA CACS+ / RADIU S server to ver ify, and the

server will respond with one of three messages:

The server verifies the username and password, and the user is granted normal user privileges on the Switch.

The server will not accept the username and password and the user is denied access to the Switch.

The server doesn't respond to the verification query. At this point, the Switch receives the timeout from the server and then moves

to the next method of verification configured in the method list.

The Switch has four built-in Authentication Server Groups, one for each of the TACACS, XTACACS, TACACS+ and RADIUS

protocols. These built-in Authentication Server Groups are used to authenticate users trying to access the Switch. The users will

set Authentication Server Hosts in a preferable order in the built-in Authentication Server Groups and when a user tries to gain

access to the Switch, the Switch will ask the first Authentication Server Hosts for authentication. If no authentication is made, the

second server host in the list will be queried, and so on. The built-in Authentication Server Groups can only have hosts that are

running the specified protocol. For example, the TACACS Authentication Server Groups can only have TACACS Authentication

Server Hosts.

The ad ministrator fo r the Switch m ay set up six

different au thentication tech niques per user-defined m ethod list (TAC ACS /

XTACACS / TACACS+ / RADIUS / local / none) for authentication. These techniques will be listed in an order preferable, and

defined by the user for normal user authentication on the Switch, and may contain up to eight authentication techniques. When a

user attempts to access the Switch, t

he Switch will select the first tec

hnique listed for authentication. If the first technique goes

through its Auth entication Server Hosts and no au thentication is returned, the Switch will then go to th e next technique listed in

the server group for authentication, until the authentication has been verified or denied, or the list is exhausted.

Please note that users

granted access to t

he Switch will be grante d normal user pri

vileges on the Switch. To gai

n access to

administrator level privileges, the user must access the

Enable Admin

window and then enter a password, which was previously

configured by the administrator of the Switch.

NOTE:

TACACS, XTACACS and TACACS+ are separate entities and are not

compatible. The Switch and the server must be configured exactly the same, using the

same protocol. (For example, if the Switch is set up for TACACS authentication, so

must be the host server.)