User Manual User Manual
Table Of Contents
- INTRODUCTION
- INSTALLATION
- SWITCH MANAGEMENT
- WEB CONFIGURATION
- Main Web Page
- System
- System Information
- IP Configuration
- IPv6 Configuration
- Users Configuration
- Users Privilege Levels
- NTP Configuration
- UPnP Configuration
- DHCP Relay
- DHCP Relay Statistics
- CPU Load
- _
- System Log
- Detailed Log
- Remote Syslog
- SMTP Configure
- Web Firmware Upgrade
- TFTP Firmware Upgrade
- Configuration Backup
- Configuration Upload
- _
- Factory Default
- _
- System Reboot
- Simple Network Management Protocol
- Port Management
- Link Aggregation
- VLAN
- Spanning Tree Protocol
- Multicast
- Quality of Service
- Access Control Lists
- Access Control List Status
- Access Control List Configuration
- ACE Configuration
- ACL Ports Configuration
- ACL Rate Limiter Configuration
- Understanding IEEE 802.1X Port-Based Authentication
- Authentication Configuration
- Network Access Server Configuration
- Network Access Overview
- Network Access Statistics
- _
- Authentication Server Configuration
- RADIUS Overview
- _
- RADIUS Details
- Windows Platform RADIUS Server Configuration
- 4.11.10 802.1X Client Configuration
- Security
- Address Table
- _
- LLDP
- Network Diagnostics
- Power over Ethernet (GE-DSSG-244-POE / NS3601-24P/4S)
- _
- COMMAND LINE INTERFACE
- Command Line Mode
- _
- System Command
- Stack
- IP Command
- Port Management Command
- MAC Address Table Command
- VLAN Configuration Command
- _
- Private VLAN Configuration Command
- Security Command
- Security Switch User Configuration
- Security Switch User Add
- Security Switch User Delete
- Security Switch Privilege Level Configuration
- Security Switch Privilege Level Group
- Security Switch Privilege Level Current
- Security Switch Auth Configuration
- Security Switch Auth Method
- Security Switch SSH Configuration
- Security Switch SSH Mode
- Security Switch HTTPs Configuration
- Security Switch HTTPs Mode
- Security Switch HTTPs Redirect
- Security Switch Access Configuration
- Security Switch Access Mode
- Security Switch Access Add
- Security Switch Access IPv6 Add
- Security Switch Access Delete
- Security Switch Access Lookup
- Security Switch Access Clear
- Security Switch Access Statistics
- Security Switch SNMP Configuration
- Security Switch SNMP Mode
- Security Switch SNMP Version
- Security Switch SNMP Read Community
- Security Switch SNMP Write Community
- Security Switch SNMP Trap Mode
- Security Switch SNMP Trap Version
- Security Switch SNMP Trap Community
- Security Switch SNMP Trap Destination
- Security Switch SNMP Trap IPv6 Destination
- Security Switch SNMP Trap Authentication Failure
- Security Switch SNMP Trap Link-up
- Security Switch SNMP Trap Inform Mode
- Security Switch SNMP Trap Inform Timeout
- Security Switch SNMP Trap Inform Retry Times
- Security Switch SNMP Trap Probe Security Engine ID
- Security Switch SNMP Trap Security Engine ID
- Security Switch SNMP Trap Security Name
- Security Switch SNMP Engine ID
- Security Switch SNMP Community Add
- Security Switch SNMP Community Delete
- Security Switch SNMP Community Lookup
- Security Switch SNMP User Add
- Security Switch SNMP User Delete
- Security Switch SNMP User Changekey
- Security Switch SNMP User Lookup
- Security Switch SNMP Group Add
- Security Switch SNMP Group Delete
- Security Switch SNMP Group Lookup
- Security Switch SNMP View Add
- Security Switch SNMP View Delete
- Security Switch SNMP View Lookup
- Security Switch SNMP Access Add
- Security Switch SNMP Access Delete
- Security Switch SNMP Access Lookup
- Security Network Psec Switch
- Security Network Psec Port
- Security Network Limit Configuration
- Security Network Limit Mode
- Security Network Limit Aging
- Security Network Limit Agetime
- Security Network Limit Port
- Security Network Limit Limit
- Security Network Limit Action
- Security Network Limit Reopen
- Security Network NAS Configuration
- Security Network NAS Mode
- Security Network NAS State
- Security Network NAS Reauthentication
- Security Network NAS ReauthPeriod
- Security Network NAS EapolTimeout
- Security Network NAS Agetime
- Security Network NAS Holdtime
- Security Network NAS RADIUS_QoS
- Security Network NAS RADIUS_VLAN
- Security Network NAS Guest_VLAN
- Security Network NAS Authenticate
- Security Network NAS Statistics
- Security Network ACL Configuration
- Security Network ACL Action
- Security Network ACL Policy
- Security Network ACL Rate
- Security Network ACL Add
- Security Network ACL Delete
- Security Network ACL Lookup
- Security Network ACL Clear
- Security Network ACL Status
- Security Network DHCP Relay Configuration
- Security Network DHCP Relay Mode
- Security Network DHCP Relay Server
- Security Network DHCP Relay Information Mode
- Security Network DHCP Relay Information Policy
- Security Network DHCP Relay Statistics
- Security Network DHCP Snooping Configuration
- Security Network DHCP Snooping Mode
- Security Network DHCP Snooping Port Mode
- Security Network DHCP Snooping Statistics
- Security Network IP Source Guard Configuration
- Security Network IP Source Guard Mode
- Security Network IP Source Guard Port Mode
- Security Network IP Source Guard Limit
- Security Network IP Source Guard Entry
- Security Network IP Source Guard Status
- Security Network ARP Inspection Configuration
- Security Network ARP Inspection Mode
- Security Network ARP Inspection Port Mode
- Security Network ARP Inspection Entry
- Security Network ARP Inspection Status
- Security AAA Configuration
- Security AAA Timeout
- Security AAA Deadtime
- Security AAA RADIUS
- Security AAA ACCT_RADIUS
- Security AAA TACACS+
- Security AAA Statistics
- Security Switch User Configuration
- Spanning Tree Protocol Command
- STP Configuration
- STP Version
- STP Tx Hold
- STP MaxHops
- STP MaxAge
- STP FwdDelay
- STP CName
- STP BPDU Filter
- STP BPDU Guard
- STP Recovery
- STP Status
- STP MSTI Priority
- STP MSTI Map
- STP MSTI Add
- STP Port Configuration
- STP Port Mode
- STP Port Edge
- STP Port AutoEdge
- STP Port P2P
- STP Port RestrictedRole
- STP Port RestrictedTcn
- STP Port bpduGuard
- STP Port Statistic
- STP Port Mcheck
- STP MSTI Port Configuration
- STP MSTI Port Cost
- STP MSTI Port Priority
- STP Configuration
- Multicast Configuration Command
- Link Aggregation Command
- Link Aggregation Control Protocol Command
- LLDP Command
- LLDPMED Command
- Power over Ethernet Command
- Quality of Service Command
- Mirror Command
- Configuration Command
- Firmware Command
- UPnP Command
- MVR Command
- Voice VLAN Command
- SMTP Command
- Show Command
- Show ACL Configuration
- Show Link Aggregation Configuration
- Show IGMP Configuration
- Show IP Configuration
- Show LACP Configuration
- Show LLDP Configuration
- Show MAC Configuration
- Show Mirror Configuration
- Show PoE Configuration
- Show Port Configuration
- Show Private VLAN Configuration
- Show QoS Configuration
- Show SNMP Configuration
- Show Stack Configuration
- Show System Configuration
- Show VLAN Configuration
- Show STP Configuration
- Show ACL Configuration
- SWITCH OPERATION
- POWER OVER ETHERNET OVERVIEW
- TROUBLE SHOOTING
- APPENDEX A
- APPENDEX B : GLOSSARY
- APPENDIX C: Local User Privilege Level Table
IFS NS3601-24P/4S GE-DSSG-244 and 244-POE User Manual
181
supplicant, since that would cause all supplicants attached to the port to reply to
requests sent from the switch. Instead, the switch uses the supplicant's MAC
address, which is obtained from the first EAPOL Start or EAPOL Response
Identity frame sent by the supplicant. An exception to this is when no supplicants
are attached. In this case, the switch sends EAPOL Request Identity frames
using the BPDU multicast MAC address as destination - to wake up any
supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be
limited using the
Port Security Limit Control functionality.
MAC-based Auth.
Unlike port-based 802.1X, MAC-based authentication is not a standard, but
merely a best-practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the supplicant on
behalf of clients. The initial frame (any kind of frame) sent by a client is snooped
by the switch, which in turn uses the client's MAC address as both username and
password in the subsequent EAP exchange with the RADIUS server. The 6-byte
MAC address is converted to a string on the following form "xx-xx-xx-xx-xx-xx",
that is, a dash (-) is used as separator between the lower-cased hexadecimal
digits. The switch only supports the
MD5-Challenge authentication method, so
the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that
particular client, using the Port Security module. Only then will frames from the
client be forwarded on the switch. There are no EAPOL frames involved in this
authentication, and therefore, MAC-based Authentication has nothing to do with
the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that
several clients can be connected to the same port (e.g. through a 3rd party
switch or a hub) and still require individual authentication, and that the clients
don't need special supplicant software to authenticate. The advantage of
MAC-based authentication over 802.1X-based authentication is that the clients
don't need special supplicant software to authenticate. The disadvantage is that
MAC addresses can be spoofed by malicious users - equipment whose MAC
address is a valid RADIUS user can be used by anyone. Also, only the
MD5-Challenge method is supported. The maximum number of clients that can
be attached to a port can be limited using the
Port Security Limit Control
functionality.
• RADIUS-Assigned QoS
Enabled
When RADIUS-Assigned QoS is both globally enabled and enabled (checked)
for a given port, the switch reacts to QoS Class information carried in the
RADIUS Access-Accept packet transmitted by the RADIUS server when a
supplicant is successfully authenticated. If present and valid, traffic received on
the supplicant's port will be classified to the given QoS Class. If
(re-)authentication fails or the RADIUS Access-Accept packet no longer carries a
QoS Class or it's invalid, or the supplicant is otherwise no longer present on the
port, the port's QoS Class is immediately reverted to the original QoS Class
(which may be changed by the administrator in the meanwhile without affecting
the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
RADIUS attributes used in identifying a QoS Class:
Refer to the written documentation for a description of the RADIUS attributes
needed in order to successfully identify a QoS Class. The User-Priority-Table
attribute defined in
RFC4675 forms the basis for identifying the QoS Class in an
Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to
be valid, it must follow this rule:
All 8 octets in the attribute's value must be identical and consist of ASCII
characters in the range '0' - '3', which translates into the desired QoS Class in the
range [0; 3].