Home » ZyXEL Manuals » Hubs & Switches » ZyXEL XS1920 Series » Manual Viewer

ZyXEL XS1920 Series User Guide - Page 148

Port Authentication

View all ZyXEL XS1920 Series manuals

Add to My Manuals
Save this manual to your list of manuals

Page 148 highlights

CHAPTER 18 Port Authentication 18.1 Port Authentication Overview This chapter describes the IEEE 802.1x authentication method. Port authentication is a way to validate access to ports on the Switch to clients based on an external server (authentication server). The Switch supports the following methods for port authentication: • IEEE 802.1x1 - An authentication server validates access to a port based on a username and password provided by the user. • MAC - An authentication server validates access to a port based on the MAC address and password of the client. Both types of authentication use the RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) protocol to validate users. If you enable IEEE 802.1x authentication and MAC authentication on the same port, the Switch performs IEEE 802.1x authentication first. If a user fails to authenticate via the IEEE 802.1x method, then access to the port is denied. 18.1.1 What You Need to Know IEEE 802.1x authentication uses the RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) protocol to validate users. See RADIUS and TACACS+ for more information on configuring your RADIUS server settings. IEEE 802.1x Authentication The following figure illustrates how a client connecting to a IEEE 802.1x authentication enabled port goes through a validation process. The Switch prompts the client for login information in the form of a user name and password. When the client provides the login credentials, the Switch sends an authentication request to a RADIUS server. The RADIUS server validates whether this client is allowed access to the port. 1. At the time of writing, IEEE 802.1x is not supported by all operating systems. See your operating system documentation. If your operating system does not support 802.1x, then you may need to install 802.1x client software. XS1920 Series User's Guide 148

Section	Page
XS1920 Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	17
Getting to Know Your Switch	18
1.1 Introduction	18
1.1.1 Backbone Application	18
1.1.2 Bridging Example	19
1.1.3 High Performance Switching Example	19
1.1.4 IEEE 802.1Q VLAN Application Examples	20
1.2 Ways to Manage the Switch	21
1.3 Good Habits for Managing the Switch	21
Hardware Installation and Connection	22
2.1 Installation Scenarios	22
2.2 Desktop Installation Procedure	22
2.3 Mounting the Switch on a Rack	22
2.3.1 Rack-mounted Installation Requirements	22
2.3.2 Attaching the Mounting Brackets to the Switch	23
2.3.3 Mounting the Switch on a Rack	23
Hardware Panels	25
3.1 Front Panel	25
3.1.1 Gigabit Ethernet Ports	25
3.1.2 SFP/SFP+ Slots	26
3.2 Rear Panel	28
3.2.1 Power Connector	28
3.3 LEDs	29
3.4 Reset to Factory Defaults	29
Technical Reference	31
The Web Configurator	32
4.1 Overview	32
4.2 System Login	32
4.3 The Status Screen	33
4.3.1 Change Your Password	37
4.4 Saving Your Configuration	37
4.5 Switch Lockout	37
4.6 Resetting the Switch	38
4.7 Logging Out of the Web Configurator	38
4.8 Help	38
Initial Setup Example	39
5.1 Overview	39
5.1.1 Creating a VLAN	39
5.1.2 Setting Port VID	40
5.2 Configuring Switch Management IP Address	41
Tutorials	43
6.1 Overview	43
6.2 How to Use DHCP Snooping on the Switch	43
6.3 How to Use DHCP Relay on the Switch	47
6.3.1 DHCP Relay Tutorial Introduction	47
6.3.2 Creating a VLAN	47
6.3.3 Configuring DHCP Relay	49
6.3.4 Troubleshooting	50
ZON Utility, ZON Neighbor Management and Port Status	51
7.1 Overview	51
7.1.1 What You Can Do	51
7.2 ZyXEL One Network (ZON) Utility Screen	51
7.3 Neighbor Screen	52
7.4 Port Status Summary	53
7.4.1 Status: Port Details	54
Basic Setting	58
8.1 Overview	58
8.1.1 What You Can Do	58
8.2 System Information	58
8.3 General Setup	60
8.4 Introduction to VLANs	62
8.5 Switch Setup Screen	63
8.6 IP Setup	65
8.6.1 IP Status	65
8.6.2 IP Status Details	65
8.6.3 IP Configuration	67
8.7 Port Setup	69
8.8 Interface Setup	71
8.9 IPv6	72
8.9.1 IPv6 Interface Status	72
8.9.2 IPv6 Configuration	75
8.9.3 IPv6 Global Setup	76
8.9.4 IPv6 Interface Setup	76
8.9.5 IPv6 Link-Local Address Setup	77
8.9.6 IPv6 Global Address Setup	78
8.9.7 IPv6 Neighbor Discovery Setup	79
8.9.8 IPv6 Router Discovery Setup	80
8.9.9 IPv6 Prefix Setup	82
8.9.10 IPv6 Neighbor Setup	83
8.9.11 DHCPv6 Client Setup	84
VLAN	86
9.1 Overview	86
9.1.1 What You Can Do	86
9.1.2 What You Need to Know	86
9.2 VLAN Status	89
9.2.1 VLAN Details	90
9.3 Private VLAN Status	91
9.4 VLAN Configuration	92
9.5 Configure a Static VLAN	92
9.6 Configure VLAN Port Settings	94
9.7 Subnet Based VLANs	96
9.7.1 Configuring Subnet Based VLAN	97
9.8 Protocol Based VLANs	98
9.8.1 Configuring Protocol Based VLAN	99
9.9 Voice VLAN	100
9.10 MAC-based VLAN	102
9.11 Port-based VLAN Setup	103
9.12 Port-based VLAN	104
9.13 Technical Reference	106
9.13.1 Create an IP-based VLAN Example	106
Static MAC Forward Setup	108
10.1 Overview	108
10.1.1 What You Can Do	108
10.2 Configuring Static MAC Forwarding	108
Static Multicast Forward Setup	110
11.1 Static Multicast Forward Setup Overview	110
11.1.1 What You Can Do	110
11.1.2 What You Need To Know	110
11.2 Configuring Static Multicast Forwarding	111
Filtering	113
12.1 Filtering Overview	113
12.1.1 What You Can Do	113
12.2 Configure a Filtering Rule	113
Spanning Tree Protocol	115
13.1 Spanning Tree Protocol Overview	115
13.1.1 What You Can Do	115
13.1.2 What You Need to Know	115
13.2 Spanning Tree Protocol Status Screen	118
13.3 Spanning Tree Configuration	118
13.4 Configure Rapid Spanning Tree Protocol	119
13.4.1 Rapid Spanning Tree Protocol Status	121
13.5 Configure Multiple Rapid Spanning Tree Protocol	122
13.5.1 Multiple Rapid Spanning Tree Protocol Status	124
13.6 Configure Multiple Spanning Tree Protocol	125
13.6.1 Multiple Spanning Tree Port Configuration	128
13.6.2 Multiple Spanning Tree Protocol Status	129
13.7 Technical Reference	131
13.7.1 MSTP Network Example	131
13.7.2 MST Region	132
13.7.3 MST Instance	133
13.7.4 Common and Internal Spanning Tree (CIST)	133
Bandwidth Control	134
14.1 Overview	134
14.1.1 What You Can Do	134
14.2 Bandwidth Control Setup	134
Broadcast Storm Control	136
15.1 Broadcast Storm Control Overview	136
15.1.1 What You Can Do	136
15.2 Broadcast Storm Control Setup	136
Mirroring	138
16.1 Mirroring Overview	138
16.1.1 What You Can Do	138
16.2 Port Mirroring Setup	138
Link Aggregation	140
17.1 Overview	140
17.1.1 What You Can Do	140
17.1.2 What You Need to Know	140
17.2 Link Aggregation Status	141
17.3 Link Aggregation Setting	142
17.4 Link Aggregation Control Protocol	144
17.5 Technical Reference	146
17.5.1 Static Trunking Example	146
Port Authentication	148
18.1 Port Authentication Overview	148
18.1.1 What You Need to Know	148
18.1.2 MAC Authentication	149
18.2 Port Authentication Configuration	150
18.3 Activate IEEE 802.1x Security	150
18.3.1 Guest VLAN	151
18.3.2 Activate MAC Authentication	153
Port Security	156
19.1 Port Security Overview	156
19.1.1 What You Can Do	156
19.2 Port Security Setup	156
19.3 VLAN MAC Address Limit	158
Time Range	160
20.1 About Time Range	160
20.2 Time Range Setup	160
Classifier	162
21.1 Overview	162
21.1.1 What You Can Do	162
21.1.2 What You Need to Know	162
21.2 Classifier Status	162
21.3 Classifier Configuration	163
21.3.1 Viewing and Editing Classifier Configuration	167
21.3.2 Classifier Global Setting	168
21.4 Classifier Example	169
Policy Rule	171
22.1 Policy Rules Overview	171
22.1.1 What You Can Do	171
22.2 Configuring Policy Rules	171
22.2.1 Viewing and Editing Policy Configuration	174
Queuing Method	175
23.1 Queuing Method Overview	175
23.1.1 What You Can Do	175
23.1.2 What You Need to Know	175
23.2 Configuring Queuing	176
Multicast	178
24.1 Multicast Overview	178
24.1.1 What You Can Do	178
24.1.2 What You Need to Know	178
24.2 Multicast Setup	182
24.3 IPv4 Multicast Status	182
24.3.1 IGMP Snooping	183
24.4 IGMP Snooping VLAN	185
24.4.1 IGMP Filtering Profile	187
24.5 IPv6 Multicast Status	188
24.5.1 MLD Snooping-proxy	189
24.5.2 MLD Snooping-proxy VLAN	189
24.5.3 MLD Snooping-proxy VLAN Port Role Setting	191
24.5.4 MLD Snooping-proxy VLAN Filtering	193
24.5.5 MLD Snooping-proxy VLAN Filtering Profile	194
24.6 General MVR Configuration	195
24.6.1 MVR Group Configuration	197
24.6.2 MVR Configuration Example	199
AAA	201
25.1 AAA Overview	201
25.1.1 What You Can Do	201
25.1.2 What You Need to Know	201
25.2 AAA Screens	202
25.3 RADIUS Server Setup	202
25.4 TACACS+ Server Setup	204
25.5 AAA Setup	206
25.6 Technical Reference	208
25.6.1 Vendor Specific Attribute	208
25.6.2 Supported RADIUS Attributes	210
25.6.3 Attributes Used for Authentication	210
IP Source Guard	212
26.1 Overview	212
26.1.1 What You Can Do	212
26.1.2 What You Need to Know	213
26.2 IP Source Guard	213
26.3 IP Source Guard Static Binding	214
26.4 DHCP Snooping	215
26.5 DHCP Snooping Configure	218
26.5.1 DHCP Snooping Port Configure	220
26.5.2 DHCP Snooping VLAN Configure	221
26.5.3 DHCP Snooping VLAN Port Configure	222
26.6 ARP Inspection Status	223
26.7 ARP Inspection VLAN Status	224
26.8 ARP Inspection Log Status	225
26.9 ARP Inspection Configure	227
26.9.1 ARP Inspection Port Configure	228
26.9.2 ARP Inspection VLAN Configure	230
26.10 Technical Reference	231
26.10.1 DHCP Snooping Overview	231
26.10.2 ARP Inspection Overview	233
Loop Guard	235
27.1 Loop Guard Overview	235
27.1.1 What You Can Do	235
27.1.2 What You Need to Know	235
27.2 Loop Guard Setup	237
Layer 2 Protocol Tunneling	239
28.1 Layer 2 Protocol Tunneling Overview	239
28.1.1 What You Can Do	239
28.1.2 What You Need to Know	239
28.2 Configuring Layer 2 Protocol Tunneling	240
PPPoE	243
29.1 PPPoE Intermediate Agent Overview	243
29.1.1 What You Can Do	243
29.1.2 What You Need to Know	243
29.2 The PPPoE Screen	246
29.3 PPPoE Intermediate Agent	246
29.3.1 PPPoE IA Per-Port	247
29.3.2 PPPoE IA Per-Port Per-VLAN	249
29.3.3 PPPoE IA for VLAN	250
Error Disable	252
30.1 Error Disable Overview	252
30.2 The Error Disable Screens Overview	252
30.3 Error-Disable Status	252
30.4 CPU Protection Configuration	254
30.5 Error-Disable Detect Configuration	255
30.6 Error-Disable Recovery Configuration	256
MAC Pinning	258
31.1 MAC Pinning Overview	258
31.2 MAC Pinning Configuration	258
Private VLAN	260
32.1 Private VLAN Overview	260
32.1.1 Configuration	262
Green Ethernet	264
33.1 Green Ethernet Overview	264
33.2 Configuring Green Ethernet	264
Link Layer Discovery Protocol (LLDP)	266
34.1 LLDP Overview	266
34.2 LLDP-MED Overview	267
34.3 LLDP Screens	268
34.4 LLDP Local Status	269
34.4.1 LLDP Local Port Status Detail	270
34.5 LLDP Remote Status	274
34.5.1 LLDP Remote Port Status Detail	275
34.6 LLDP Configuration	281
34.6.1 LLDP Configuration Basic TLV Setting	283
34.6.2 LLDP Configuraion Basic Org-specific TLV Setting	284
34.7 LLDP-MED Configuration	285
34.8 LLDP-MED Network Policy	286
34.9 LLDP-MED Location	287
Static Route	291
35.1 Static Route Overview	291
35.1.1 What You Can Do	291
35.2 Static Routing	291
35.3 Configuring Static Routing	292
35.4 Configuring IPv6 Static Routing	294
Differentiated Services	296
36.1 Differentiated Services Overview	296
36.1.1 What You Can Do	296
36.1.2 What You Need to Know	296
36.2 Activating DiffServ	297
36.3 DSCP-to-IEEE 802.1p Priority Settings	298
36.3.1 Configuring DSCP Settings	299
DHCP	300
37.1 DHCP Overview	300
37.1.1 What You Can Do	300
37.1.2 What You Need to Know	300
37.2 DHCP Configuration	301
37.3 DHCPv4 Status	302
37.4 DHCPv4 Relay	302
37.4.1 DHCPv4 Relay Agent Information	302
37.4.2 DHCPv4 Option 82 Profile	303
37.4.3 Configuring DHCPv4 Global Relay	305
37.4.4 DHCPv4 Global Relay Port Configure	306
37.4.5 Global DHCP Relay Configuration Example	307
37.5 Configuring DHCPv4 VLAN Settings	308
37.5.1 DHCPv4 VLAN Port Configure	309
37.5.2 Example: DHCP Relay for Two VLANs	310
37.6 DHCPv6 Relay	311
ARP Setup	313
38.1 ARP Overview	313
38.1.1 How ARP Works	313
38.1.2 ARP Learning Mode	313
38.2 ARP Setup	315
38.2.1 ARP Learning	315
38.2.2 Static ARP	316
Maintenance	318
39.1 Overview	318
39.2 The Maintenance Screen	318
39.2.1 Firmware Upgrade	319
39.2.2 Restore a Configuration File	320
39.2.3 Backup a Configuration File	321
39.2.4 Erase Running-Configuration	321
39.2.5 Save Configuration	322
39.2.6 Reboot System	322
39.2.7 Factory Default	322
39.3 Tech-Support	323
39.4 Technical Reference	324
39.4.1 FTP Command Line	324
39.4.2 Filename Conventions	324
39.4.3 FTP Command Line Procedure	325
39.4.4 GUI-based FTP Clients	325
39.4.5 FTP Restrictions	326
Access Control	327
40.1 Access Control Overview	327
40.1.1 What You Can Do	327
40.2 The Access Control Main Screen	327
40.3 Configuring SNMP	328
40.3.1 Configuring SNMP Trap Group	329
40.3.2 Enabling/Disabling Sending of SNMP Traps on a Port	330
40.3.3 Configuring SNMP User	331
40.4 Setting Up Login Accounts	332
40.5 Service Port Access Control	334
40.6 Remote Management	335
40.7 Technical Reference	336
40.7.1 About SNMP	336
40.7.2 Introduction to HTTPS	339
Diagnostic	344
41.1 Overview	344
41.2 Diagnostic	344
Syslog	346
42.1 Syslog Overview	346
42.1.1 What You Can Do	346
42.2 Syslog Setup	346
42.3 Syslog Server Setup	347
Cluster Management	349
43.1 Cluster Management Overview	349
43.1.1 What You Can Do	350
43.2 Cluster Management Status	350
43.3 Clustering Management Configuration	351
43.4 Technical Reference	353
43.4.1 Cluster Member Switch Management	353
MAC Table	355
44.1 MAC Table Overview	355
44.1.1 What You Can Do	355
44.1.2 What You Need to Know	355
44.2 Viewing the MAC Table	356
IP Table	358
45.1 IP Table Overview	358
45.2 Viewing the IP Table	359
ARP Table	360
46.1 Overview	360
46.1.1 What You Can Do	360
46.1.2 What You Need to Know	360
46.2 Viewing the ARP Table	360
Routing Table	362
47.1 Overview	362
47.2 Viewing the Routing Table Status	362
Path MTU Table	363
48.1 Path MTU Overview	363
48.2 Viewing the Path MTU Table	363
Configure Clone	364
49.1 Overview	364
49.2 Configure Clone	364
Neighbor Table	367
50.1 IPv6 Neighbor Table Overview	367
50.2 Viewing the IPv6 Neighbor Table	367
Troubleshooting	369
51.1 Power, Hardware Connections, and LEDs	369
51.2 Switch Access and Login	370
51.3 Switch Configuration	372
Customer Support	373
Common Services	379
IPv6	382
Legal Information	390

Match case Limit results 1 per page

XS1920 Series User’s Guide

148

HAPTER

Port Authentication

18.1

Port Authentication Overview

This chapter describes the IEEE 802.1x authentication method. Port authentication is a way to

validate access to ports on the Switch to clients based on an external server (authentication

server). The Switch supports the following methods for port authentication:

•

IEEE 802.1x

- An authentication server validates access to a port based on a username and

password provided by the user.

•

MAC

- An authentication server validates access to a port based on the MAC address and

password of the client.

Both types of authentication use the RADIUS (Remote Authentication Dial In User Service, RFC

2138, 2139) protocol to validate users.

If you enable IEEE 802.1x authentication and MAC authentication on the same port, the

Switch performs IEEE 802.1x authentication first. If a user fails to authenticate via the

IEEE 802.1x method, then access to the port is denied.

18.1.1

What You Need to Know

IEEE 802.1x authentication uses the RADIUS (Remote Authentication Dial In User Service, RFC

2138, 2139) protocol to validate users. See

RADIUS and TACACS+

for more information on

configuring your RADIUS server settings.

IEEE 802.1x Authentication

The following figure illustrates how a client connecting to a IEEE 802.1x authentication enabled port

goes through a validation process. The Switch prompts the client for login information in the form of

a user name and password. When the client provides the login credentials, the Switch sends an

authentication request to a RADIUS server. The RADIUS server validates whether this client is

allowed access to the port.

At the time of writing, IEEE 802.1x is not supported by all operating systems. See your operating system documentation. If

your operating system does not support 802.1x, then you may need to install 802.1x client software.