Siemens RUGGEDCOM ROX II User Manual page 178

Chapter 6
Security
Section 6.6.1.4
Assigning VLANS with Tunnel Attributes
RUGGEDCOM ROX II supports assigning a VLAN to an authorized port using tunnel attributes, as defined in RFC 3580 [http://tools.ietf.org/html/rfc3580], when the Port Security mode is set to 802.1x or 802.1x/MAC-Auth.
In some cases, it may be desirable to allow a port to be placed into a particular VLAN, based on the authentication
result. For example:
• To allow a particular device, based on its MAC address, to remain on the same VLAN as it moves within a
network, configure the switches for 802.1X/MAC-Auth mode
• To allow a particular user, based on the user's login credentials, to remain on the same VLAN when the user logs
in from different locations, configure the switches for 802.1X mode
If the RADIUS server wants to use this feature, it indicates the desired VLAN by including tunnel attributes in the
Access-Accept message. The RADIUS server uses the following tunnel attributes for VLAN assignment:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
Note that VLANID is 12 bits and takes a value between 1 and 4094, inclusive. The Tunnel-Private-Group-ID is a string as defined in RFC 2868 [http://tools.ietf.org/html/rfc2868], so the VLANID integer value is encoded as a string.
If the tunnel attributes are not returned by the authentication server, the VLAN assigned to the switch port remains unchanged.
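The following is an added example, not code from the ROX II manual or from Siemens. It shows both sides of the exchange described above: how a RADIUS server encodes the three tunnel attributes into an Access-Accept (with the VLAN ID carried as a decimal string, as the manual notes), and how an authenticator would decode them, returning "no change" when the attributes are absent and rejecting a group ID outside 1..4094. The attribute type codes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81), the tag-octet layout and the rule that a first octet above 0x1F is not a tag come from RFC 2868; the numeric value 6 for the "802" medium type comes from the IANA registry RFC 3580 refers to. Those values are not stated on this manual page and are assumptions of the example.

```python
"""Added example (not from the ROX II manual): encode and decode the RFC 2868
tunnel attributes that RFC 3580 uses for RADIUS VLAN assignment.
Assumed from RFC 2868: attribute type codes 64/65/81 and the tag-octet rule.
Assumed from RFC 3580 / IANA: Tunnel-Type VLAN = 13, Tunnel-Medium-Type 802 = 6."""
import struct
from typing import Dict, Iterator, Optional, Tuple

# RADIUS attribute type codes (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Values used for VLAN assignment: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

VLAN_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def is_valid_vlan(vlan_id: int) -> bool:
    """VLANID is a 12-bit field; 0 and 4095 are reserved, so 1..4094 is the usable range."""
    return 1 <= vlan_id <= 4094


def build_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Return the three attributes as a RADIUS server would place them in an Access-Accept."""
    if not is_valid_vlan(vlan_id):
        raise ValueError("VLAN ID must be between 1 and 4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag octet must be 0x00..0x1F")
    # Tunnel-Type and Tunnel-Medium-Type: Type, Length=6, Tag, 3-octet integer value
    tunnel_type = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium_type = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: Type, Length, Tag, String; the VLAN ID travels as decimal text
    group = str(vlan_id).encode("ascii")
    group_id = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return tunnel_type + medium_type + group_id


def iter_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list (Type, Length, Value...), rejecting bad lengths."""
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen
    if pos != len(data):
        raise ValueError("trailing bytes after last attribute")


def _split_tag(value: bytes) -> Tuple[int, bytes]:
    # RFC 2868: a first octet in 0x00..0x1F is a tag; anything larger is part of the value
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(attrs: bytes) -> Optional[int]:
    """Return the VLAN ID the switch should apply to the authenticated port, or None.

    None mirrors the manual's rule: no tunnel attributes means the port VLAN stays
    unchanged. A complete but unusable set (non-numeric or out-of-range group ID)
    raises ValueError so the caller does not silently keep a stale VLAN.
    """
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for atype, value in iter_attributes(attrs):
        if atype in VLAN_ATTRS:
            tag, payload = _split_tag(value)
            by_tag.setdefault(tag, {})[atype] = payload
    for group in by_tag.values():
        if set(group) != VLAN_ATTRS:
            continue  # one of the three attributes is missing for this tag
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue  # some other tunnel type, not a VLAN assignment
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
            continue
        text = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
        if not text.isdigit() or not is_valid_vlan(int(text)):
            raise ValueError(f"Tunnel-Private-Group-ID {text!r} is not a VLAN ID in 1..4094")
        return int(text)
    return None


if __name__ == "__main__":
    # Constructed round trip: server side builds, authenticator side decodes
    accept = build_vlan_attributes(100)
    print(accept.hex(), "->", vlan_from_access_accept(accept))
```

The decoder groups the attributes by tag, as RFC 2868 intends, so a server that returns several tunnel descriptions does not get its Tunnel-Type matched against another tunnel's group ID; only a tag whose three attributes are all present and describe a VLAN is applied.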
Section 6.6.2
Configuring Port Security
To configure port security for a switched Ethernet port, do the following:
1. Make sure the CLI is in Configuration mode.
2. Navigate to interface » switch » {slot} » {port} » port-security, where {slot} is the module and {port} is the switched Ethernet port.
3. Configure the port security settings by configuring the following parameter(s) as required:
NOTE
If shutdown-enable is enabled and shutdown-time is not defined, the port will remain disabled following a security violation until manually reset.
Parameter: security-mode { security-mode }
Synopsis:   { dot1x_mac_auth, dot1x, per_macaddress, off }
Default:   off
Description: The security mode for the port. Options include:
• dot1x_mac_auth - IEEE 802.1X with MAC authentication protocols are applied to the port. Until the client is authenticated by an IEEE 802.1X server, only EAPoL packets or packets from other network control protocols are forwarded. If the client does not support IEEE 802.1X supplicant functionality, the router sends the client's MAC address to the server as the username and password for authentication.
• dot1x - IEEE 802.1X authentication protocols are applied to the port. Until the client is authenticated by an IEEE 802.1X server, only EAPoL packets or packets from other network control protocols are forwarded.
RUGGEDCOM ROX II CLI User Guide
