Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3426P » Manual Viewer

D-Link DGS-3426P Product Manual - Page 321

Access Authentication Control, Parameter, Description, Gateway IP Address, Gateway MAC, Address, Ports

UPC - 790069291982

Add to My Manuals
Save this manual to your list of manuals

Page 321 highlights

xStack® DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch Parameter Description Gateway IP Address Enter the gateway IP address. Gateway MAC Address Enter the gateway MAC address. Ports Enter the port or range of ports to be configured. Alternatively, tick the All Ports check box to configure all of the ports. Click Apply to implement the changes. Access Authentication Control The TACACS / XTACACS / TACACS+ / RADIUS commands allow users to secure access to the Switch using the TACACS / XTACACS / TACACS+ / RADIUS protocols. When a user logs in to the Switch or tries to access the administrator level privilege, he or she is prompted for a password. If TACACS / XTACACS / TACACS+ / RADIUS authentication is enabled on the Switch, it will contact a TACACS / XTACACS / TACACS+ / RADIUS server to verify the user. If the user is verified, he or she is granted access to the Switch. There are currently three versions of the TACACS security protocol, each a separate entity. The Switch's software supports the following versions of TACACS: TACACS (Terminal Access Controller Access Control System) - Provides password checking and authentication, and notification of user actions for security purposes utilizing via one or more centralized TACACS servers, utilizing the UDP protocol for packet transmission. Extended TACACS (XTACACS) - An extension of the TACACS protocol with the ability to provide more types of authentication requests and more types of response codes than TACACS. This protocol also uses UDP to transmit packets. TACACS+ (Terminal Access Controller Access Control System plus) - Provides detailed access control for authentication for network devices. TACACS+ is facilitated through Authentication commands via one or more centralized servers. The TACACS+ protocol encrypts all traffic between the Switch and the TACACS+ daemon, using the TCP protocol to ensure reliable delivery In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS / XTACACS / TACACS+ / RADIUS server must be configured on a device other than the Switch, called an Authentication Server Host and it must include usernames and passwords for authentication. When the user is prompted by the Switch to enter usernames and passwords for authentication, the Switch contacts the TACACS / XTACACS / TACACS+ / RADIUS server to verify, and the server will respond with one of three messages: The server verifies the username and password, and the user is granted normal user privileges on the Switch. The server will not accept the username and password and the user is denied access to the Switch. The server doesn't respond to the verification query. At this point, the Switch receives the timeout from the server and then moves to the next method of verification configured in the method list. The Switch has four built-in Authentication Server Groups, one for each of the TACACS, XTACACS, TACACS+ and RADIUS protocols. These built-in Authentication Server Groups are used to authenticate users trying to access the Switch. The users will set Authentication Server Hosts in a preferable order in the built-in Authentication Server Groups and when a user tries to gain access to the Switch, the Switch will ask the first Authentication Server Hosts for authentication. If no authentication is made, the second server host in the list will be queried, and so on. The built-in Authentication Server Groups can only have hosts that are running the specified protocol. For example, the TACACS Authentication Server Groups can only have TACACS Authentication Server Hosts. The administrator for the Switch may set up six different authentication techniques per user-defined method list (TACACS / XTACACS / TACACS+ / RADIUS / local / none) for authentication. These techniques will be listed in an order preferable, and defined by the user for normal user authentication on the Switch, and may contain up to eight authentication techniques. When a user attempts to access the Switch, the Switch will select the first technique listed for authentication. If the first technique goes through its Authentication Server Hosts and no authentication is returned, the Switch will then go to the next technique listed in the server group for authentication, until the authentication has been verified or denied, or the list is exhausted. Please note that users granted access to the Switch will be granted normal user privileges on the Switch. To gain access to administrator level privileges, the user must access the Enable Admin window and then enter a password, which was previously configured by the administrator of the Switch. 312

Section	Page
Table of Contents	3
Intended Readers	9
Typographical Conventions	9
Notes, Notices, and Cautions	9
Web-based Switch Configuration	10
Introduction	10
Logging in to the Web Manager	10
Web-based User Interface	10
Web Pages	10
Introduction	10
Logging in to the Web Manager	10
Web-based User Interface	11
Areas of the User Interface	11
Area 2	11
Area 1	11
Area 3	11
Web Pages	12
Administration	13
DGS-3400 Web Management Tool	13
IP Address	13
Interface Settings	13
Stacking	13
Port Configuration	13
User Accounts	13
Password Encryption	13
Mirror	13
System Log	13
System Severity Settings	13
Command Logging Settings	13
SNTP Settings	13
MAC Notification Settings	13
TFTP Services	13
Multiple Image Services	13
RCP	13
Ping Test	13
IPv6 Neighbor	13
Route Redistribution Settings	13
Static/Default Route Settings	13
Route Preference Settings	13
Gratuitous ARP Settings	13
Static ARP Settings	13
DHCP Auto Configuration Settings	13
DHCP/BOOTP Relay	13
DHCP/BOOTP Local Relay Settings	13
DHCPv6 Relay	13
DHCP Server	13
DHCPv6 Server	13
Filter DHCP Server	13
Layer 2 Protocol Tunneling Settings	13
RSPAN	13
DNS Relay	13
DNS Resolver	13
SNMP Manager	13
Trap Source Interface Settings	13
PoE	13
sFlow	14
IP Multicast VLAN Replication	14
Single IP Management (SIM) Overview	14
RIP	14
IP Tunnel Settings	14
Device Information	14
IPv6	16
Overview	16
Packet Format	18
IPv6 Header	18
Extension Headers	19
Packet Fragmentation	19
Address Format	19
Types	20
ICMPv6	21
Neighbor Discovery	21
Neighbor Unreachability Detection	21
Duplicate Address Detection (DAD)	22
Assigning IP Addresses	22
IP Interface Setup	22
IP Address	23
Setting the Switch's IP Address using the Console Interface	24
Interface Settings	25
IPv4 Interface Settings	25
IPv6 Interface Settings	27
Stacking	30
Stack Switch Swapping	32
Stacking Mode Settings	32
Force Master Role Settings	33
Box Information	33
Port Configuration	34
Port Configuration	34
Port Error Disabled	35
Port Description	36
Port Auto Negotiation Information	37
Port Details	38
Port Media Type	39
Cable Diagnostics	40
User Accounts	41
Password Encryption	42
Mirror	43
Port Mirror Global Settings	43
Port Mirror Settings	43
Mirroring within the Switch Stack	45
System Log	45
System Log Host	45
System Log Save Mode Settings	47
System Log Source Interface Settings	48
System Severity Settings	48
Command Logging Settings	49
SNTP Settings	49
Time Settings	49
Time Zone and DST	50
MAC Notification Settings	53
TFTP Services	53
Global Settings	53
Port Settings	53
Multiple Image Services	55
Firmware Information	55
Config Firmware Image	56
RCP	57
RCP Server Settings	57
RCP Services	58
Ping Test	59
IPv4 Ping Test	59
IPv6 Ping Test	60
IPv6 Neighbor	61
IPv6 Neighbor Settings	61
Route Redistribution Settings	62
Static/Default Route Settings	63
IPv4 Static/Default Route Settings	63
IPv6 Static/Default Route Settings	65
Route Preference Settings	66
Gratuitous ARP Settings	67
Static ARP Settings	68
DHCP Auto Configuration Settings	69
DHCP/BOOTP Relay	69
DHCP / BOOTP Relay Global Settings	69
The Implementation of DHCP Information Option 82	72
DHCP/BOOTP Relay Interface Settings	73
DHCP Relay Option 60 Default Settings	73
DHCP Relay Option 60 Settings	74
DHCP Relay Option 61 Default Settings	75
DHCP Relay Option 61 Settings	75
DHCP/BOOTP Local Relay Settings	76
DHCPv6 Relay	77
DHCPv6 Relay Global Settings	77
DHCPv6 Relay Interface Settings	77
DHCP Server	79
DHCP Server Global Settings	79
DHCP Server Exclude Address Settings	80
DHCP Server Pool Settings	80
DHCP Server Dynamic Binding	83
DHCP Server Manual Binding	84
DHCPv6 Server	85
DHCPv6 Server Global Settings	85
DHCPv6 Server Pool Settings	86
DHCPv6 Server Manual Binding Settings	87
DHCPv6 Server Dynamic Binding Settings	88
DHCPv6 Server Interface Settings	89
DHCPv6 Server Excluded Address Settings	90
Filter DHCP Server	91
Filter DHCP Server Global Settings	91
Filter DHCP Server Port Settings	92
Layer 2 Protocol Tunneling Settings	93
RSPAN	94
RSPAN State Settings	94
RSPAN Settings	95
DNS Relay	97
Mapping Domain Names to Addresses	97
Domain Name Resolution	97
DNS Relay Global Settings	98
DNS Relay Static Settings	98
DNS Resolver	99
DNS Resolver Global Settings	99
DNS Resolver Static Name Server Settings	99
DNS Resolver Dynamic Name Server Table	100
DNS Resolver Static Host Name Settings	100
DNS Resolver Dynamic Host Name Table	101
SNMP Manager	102
SNMP Settings	102
Traps	102
MIBs	102
SNMP Trap Settings	103
SNMP User Table	104
SNMP View Table	106
SNMP Group Table	107
SNMP Community Table	108
SNMP Host Table	109
SNMP Engine ID	111
Trap Source Interface Settings	111
PoE	112
PoE System Settings	112
PoE Port Settings	114
sFlow	116
sFlow Global Settings	117
sFlow Analyzer Settings	117
sFlow Sampler Settings	119
sFlow Poller Settings	121
IP Multicast VLAN Replication	123
IP Multicast VLAN Replication Global Settings	123
IP Multicast VLAN Replication Settings	124
Single IP Management (SIM) Overview	127
The Upgrade to v1.61	128
Single IP vs. Switch Stacking	129
SIM Settings	129
Topology	130
Tool Tips	133
Right-click	135
Group Icon	135
Commander Switch Icon	136
Member Switch Icon	136
Candidate Switch Icon	136
Menu Bar	137
File	137
Group	137
Device	137
View	137
Help	138
Firmware Upgrade	138
Configuration Backup/Restore	138
Upload Log	139
RIP	139
RIP Version 1 Message Format	140
RIP Command Codes	140
RIP 1 Message	140
RIP 1 Route Interpretation	140
RIP Version 2 Extensions	140
RIP2 Message Format	140
RIP	140
RIP Global Settings	141
RIP Interface Settings	141
RIPng	142
RIPng Global Settings	142
RIPng Interface Settings	143
IP Tunnel Settings	144
L2 Features	146
VLANs	146
Trunking	146
IGMP Snooping	146
MLD Snooping	146
Loop-back Detection Global Settings	146
Spanning Tree	146
Forwarding & Filtering	146
LLDP	146
Q-in-Q	146
ERPS	146
DULD Settings	146
NLB Multicast FDB Settings	146
VLANs	146
VLAN Description	146
Notes about VLANs on the DGS-3400 Series	146
IEEE 802.1Q VLANs	146
802.1Q VLAN Tags	148
Port VLAN ID	149
Tagging and Untagging	150
Ingress Filtering	150
Default VLANs	150
Port-based VLANs	151
VLAN Segmentation	151
VLAN and Trunk Groups	151
Protocol VLANs	151
Static VLAN Entry	151
VLAN Trunk	153
GVRP Settings	155
Double VLANs	156
Regulations for Double VLANs	157
Double VLAN Settings	158
PVID Auto Assign	160
MAC-based VLAN Settings	161
Protocol VLAN	161
Protocol VLAN Group Settings	162
Protocol VLAN Port Settings	163
Subnet VLAN	164
Subnet VLAN Settings	165
VLAN Precedence Settings	165
Trunking	167
Understanding Port Trunk Groups	167
Link Aggregation	168
LACP Port Settings	171
IGMP Snooping	173
IGMP Snooping Settings	173
Router Port Settings	175
IGMP Snooping Static Group Settings	177
ISM VLAN Settings	178
Restrictions and Provisos	179
Limited IP Multicast Address Range Settings	181
MLD Snooping	183
MLD Control Messages	183
MLD Snooping Settings	183
MLD Router Port Settings	186
Loop-back Detection Global Settings	188
Spanning Tree	190
802.1Q-2005 MSTP	190
802.1D-2004 Rapid Spanning Tree	190
Port Transition States	191
Edge Port	191
P2P Port	191
802.1D-1998/802.1D-2004/802.1Q-2005 Compatibility	191
STP Bridge Global Settings	192
MST Configuration Identification	194
MSTP Port Information	197
STP Instance Settings	199
STP Port Settings	200
Forwarding & Filtering	202
Unicast Forwarding	202
Multicast Forwarding	202
Multicast Filtering Mode	203
LLDP	204
LLDP Global Settings	205
Basic LLDP Port Settings	206
802.1 Extension LLDP Port Settings	207
802.3 Extension LLDP Port Settings	209
LLDP Management Address Settings	211
LLDP Statistics	213
LLDP Management Address Table	214
LLDP Local Port Table	214
LLDP Remote Port Table	217
Q-in-Q	219
Q-in-Q Settings	219
VLAN Translation Settings	220
ERPS	221
ERPS Global Settings	221
ERPS RAPS VLAN Settings	222
DULD Settings	225
NLB Multicast FDB Settings	227
QoS	229
802.1p Settings	229
Bandwidth Control	229
HOL Prevention Settings	229
Schedule Settings	229
QoS	229
The Advantages of QoS	229
Understanding QoS	230
Understanding IEEE 802.1p Priority	232
802.1p Settings	232
802.1p Default Priority Settings	233
802.1p User Priority Settings	234
Bandwidth Control	235
Bandwidth Control Settings	235
Per Queue Bandwidth Control Settings	237
HOL Prevention Settings	239
Schedule Settings	239
QoS Output Scheduling Settings	239
Configuring the Combination Queue	241
QoS Scheduling Mechanism Settings	241
ACL (Access Control List)	244
Time Range	244
Access Profile Table	244
ACL Flow Meter	244
CPU Interface Filtering	244
Time Range	244
Access Profile Table	245
ACL Flow Meter	263
CPU Interface Filtering	267
CPU Interface Filtering State	267
CPU Interface Filtering Table	268
Security	284
Authorization Attributes State Settings	284
Traffic Control	284
Port Security	284
IP-MAC-Port Binding	284
802.1X	284
Web-based Access Control (WAC)	284
Trust Host	284
BPDU Attack Protection Settings	284
ARP Spoofing Prevention Settings	284
Access Authentication Control	284
MAC-based Access Control (MAC)	284
Safeguard Engine	284
Traffic Segmentation	284
Secure Socket Layer (SSL)	284
Secure Shell (SSH)	284
Compound Authentication	284
Japanese Web-based Access Control (JWAC)	284
Authorization Attributes State Settings	284
Traffic Control	285
Port Security	287
Port Security Settings	287
Port Security Entries	288
IP-MAC-Port Binding	289
IMPB Global Settings	291
IMPB Port Settings	292
IMPB Entry Settings	294
DHCP Snoop Entries	295
MAC Block List	296
ND Snoop Entries	296
802.1X	297
802.1X Port-based and Host-based Access Control	297
Authentication Server	297
Authenticator	298
Client	298
Authentication Process	299
Understanding 802.1X Port-based and MAC-based Network Access Control	299
Port-based Network Access Control	300
MAC-Based Network Access Control	301
Guest VLANs	302
Limitations Using the Guest VLAN	302
802.1X Port Settings	302
Guest VLAN Settings	305
Authentication RADIUS Server Settings	306
802.1X User Settings	307
Initialize Port(s)	308
Reauthenticate Port(s)	309
Web-based Access Control (WAC)	311
Conditions and Limitations	311
WAC Global Settings	312
WAC Port Settings	313
WAC User Account	315
WAC Authentication State	316
Trust Host	317
BPDU Attack Protection Settings	319
ARP Spoofing Prevention Settings	320
Access Authentication Control	321
Authentication Policy and Parameter Settings	323
Application's Authentication Settings	323
Authentication Server Group	324
Authentication Server Host	325
Login Method Lists	327
Enable Method Lists	328
Configure Local Enable Password	330
Enable Admin	331
RADIUS Accounting Settings	332
MAC-based Access Control (MAC)	334
Notes about MAC-based Access Control	334
MAC-based Access Control Global Settings	334
MAC-based Access Control Local MAC Settings	337
Safeguard Engine	338
Safeguard Engine Settings	339
Traffic Segmentation	340
Secure Socket Layer (SSL)	341
SSL	342
Secure Shell (SSH)	343
SSH Server Configuration	344
SSH Authentication Mode and Algorithm Settings	345
SSH User Authentication Mode	347
Compound Authentication	348
Any (MAC, 802.1X, WAC or JWAC) Mode	348
802.1X + IMPB Mode	349
IMPB + JWAC Mode	349
Compound Authentication Global Settings	349
Compound Authentication Settings	350
Authentication Guest VLAN Settings	352
Japanese Web-based Access Control (JWAC)	353
JWAC Global Settings	353
JWAC Port Settings	356
JWAC User Account	359
JWAC Authentication State	360
JWAC Customize Page Language Settings	361
JWAC Customize Page	362
Monitoring	363
Device Status	363
Stacking Information	363
Stacking Device	363
Module Information	363
DRAM & Flash Utilization	363
CPU Utilization	363
Port Utilization	363
Packets	363
Errors	363
Packet Size	363
Browse Router Port	363
Browse MLD Router Port	363
VLAN Status	363
VLAN Status Port	363
Port Access Control	363
MAC Address Table	363
IGMP Snooping Group	363
IGMP Snooping Data Driven Group	363
MLD Snooping Group	363
MLD Snooping Data Driven Group	363
Trace Route	363
Switch Logs	363
Browse ARP Table	363
Session Table	363
IP Forwarding Table	363
Routing Table	363
MAC-based Access Control Authentication Status	363
Device Status	363
Stacking Information	364
Stacking Device	365
Module Information	365
DRAM & Flash Utilization	366
CPU Utilization	367
Port Utilization	368
Packets	369
Received (RX)	369
UMB Cast (RX)	371
Transmitted (TX)	373
Errors	375
Received (RX)	375
Transmitted (TX)	377
Packet Size	379
Browse Router Port	381
Browse MLD Router Port	382
VLAN Status	382
VLAN Status Port	383
Port Access Control	383
Authenticator State	383
Authenticator Statistics	384
Authenticator Session Statistics	384
Authenticator Diagnostics	385
RADIUS Authentication	385
RADIUS Account Client	385
MAC Address Table	387

Match case Limit results 1 per page

xStack

DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch

312

Parameter

Description

Gateway IP Address

Enter the gateway IP address.

Gateway MAC

Address

Enter the gateway MAC address.

Ports

Enter the port or range of ports to be configured. Alternatively, tick the

All Ports

check box

to configure all of the ports.

Click

Apply

to implement the changes.

Access Authentication Control

The TACACS / XTACACS / TACACS+ / RADIUS commands allow users to secure access to the Switch using the TACACS /

XTACACS / TACACS+ / RADIUS protocols. When a user logs in to the Switch or tries to access the administrator level

privilege, he or she is prompted for a password. If TACACS / XTACACS / TACACS+ / RADIUS authentication is enabled on the

Switch, it will contact a TACACS / XTACACS / TACACS+ / RADIUS server to verify the user. If the user is verified, he or she

is granted access to the Switch.

There are currently three versions of the TACACS security protocol, each a separate entity. The Switch's software supports the

following versions of TACACS:

TACACS

(Terminal Access Controller Access Control System) - Provides password checking and authentication, and

notification of user actions for security purposes utilizing via one or more centralized TACACS servers, utilizing the UDP

protocol for packet transmission.

Extended TACACS (XTACACS)

- An extension of the TACACS protocol with the ability to provide more types of

authentication requests and more types of response codes than TACACS. This protocol also uses UDP to transmit packets.

TACACS+

(Terminal Access Controller Access Control System plus

) - Provides detailed access control for authentication for

network devices. TACACS+ is facilitated through Authentication commands via one or more centralized servers. The TACACS+

protocol encrypts all traffic between the Switch and the TACACS+ daemon, using the TCP protocol to ensure reliable delivery

In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS / XTACACS /

TACACS+ / RADIUS server must be configured on a device other than the Switch, called an Authentication Server Host and it

must include usernames and passwords for authentication. When the user is prompted by the Switch to enter usernames and

passwords for authentication, the Switch contacts the TACACS / XTACACS / TACACS+ / RADIUS server to verify, and the

server will respond with one of three messages:

The server verifies the username and password, and the user is granted normal user privileges on the Switch.

The server will not accept the username and password and the user is denied access to the Switch.

The server doesn't respond to the verification query. At this point, the Switch receives the timeout from the server and then moves

to the next method of verification configured in the method list.

The Switch has four built-in Authentication Server Groups, one for each of the TACACS, XTACACS, TACACS+ and RADIUS

protocols. These built-in Authentication Server Groups are used to authenticate users trying to access the Switch. The users will

set Authentication Server Hosts in a preferable order in the built-in Authentication Server Groups and when a user tries to gain

access to the Switch, the Switch will ask the first Authentication Server Hosts for authentication. If no authentication is made, the

second server host in the list will be queried, and so on. The built-in Authentication Server Groups can only have hosts that are

running the specified protocol. For example, the TACACS Authentication Server Groups can only have TACACS Authentication

Server Hosts.

The administrator for the Switch may set up six different authentication techniques per user-defined method list (TACACS /

XTACACS / TACACS+ / RADIUS / local / none) for authentication. These techniques will be listed in an order preferable, and

defined by the user for normal user authentication on the Switch, and may contain up to eight authentication techniques. When a

user attempts to access the Switch, the Switch will select the first technique listed for authentication. If the first technique goes

through its Authentication Server Hosts and no authentication is returned, the Switch will then go to the next technique listed in

the server group for authentication, until the authentication has been verified or denied, or the list is exhausted.

Please note that users granted access to the Switch will be granted normal user privileges on the Switch. To gain access to

administrator level privileges, the user must access the

Enable Admin

window and then enter a password, which was previously

configured by the administrator of the Switch.