Quidway S3000 Series Operation Manual

Operation Manual - Security
Quidway S3000 Series Ethernet Switches
Chapter 1 802.1x Configuration ................................................................................................... 1-1
1.1 802.1x Overview ................................................................................................................ 1-1
1.1.1 802.1x Standard Overview...................................................................................... 1-1
1.1.2 802.1x System Architecture .................................................................................... 1-1
1.1.3 802.1x Authentication Process................................................................................ 1-2
1.1.4 Implement 802.1x on Ethernet Switch .................................................................... 1-3
1.2 Configure 802.1x................................................................................................................ 1-3
1.2.1 Enable/Disable 802.1x ............................................................................................ 1-4
1.2.2 Set the Port Access Control Mode ........................................................... 1-4
1.2.3 Set Port Access Control Method ............................................................................. 1-5
1.2.4 Check the Users that Log on the Switch via Proxy ................................................. 1-5
1.2.5 Set Supplicant Number on a Port............................................................................ 1-6
1.2.6 Set to Enable DHCP to Launch Authentication....................................................... 1-6
1.2.7 Configure Authentication Method for 802.1x User .................................................. 1-7
1.2.9 Set the handshake period of 802.1x ....................................................................... 1-8
1.2.10 Configure Timers................................................................................................... 1-8
1.2.11 Enable/Disable quiet-period Timer........................................................................ 1-9
1.3 Display and Debug 802.1x................................................................................................. 1-9
1.4 802.1x Configuration Example......................................................................................... 1-10
Chapter 2 AAA and RADIUS Protocol Configuration ................................................................ 2-1
2.1 AAA and RADIUS Protocol Overview................................................................................ 2-1
2.1.1 AAA Overview ......................................................................................................... 2-1
2.1.2 RADIUS Protocol Overview .................................................................................... 2-1
2.1.3 Implement AAA/RADIUS on Ethernet Switch ......................................................... 2-2
2.2 Configure AAA ................................................................................................................... 2-3
2.2.1 Create/Delete ISP Domain...................................................................................... 2-3
2.2.2 Configure Relevant Attributes of ISP Domain......................................................... 2-4
2.2.3 Create a Local User ................................................................................................ 2-5
2.2.4 Set Attributes of Local User .................................................................................... 2-5
2.2.5 Disconnect a User by Force.................................................................................... 2-6
2.3 Configure RADIUS Protocol .............................................................................................. 2-7
2.3.1 Create/Delete a RADIUS server Group .................................................................. 2-8
2.3.2 Set IP Address and Port Number of RADIUS Server ............................................. 2-8
2.3.3 Set RADIUS Packet Encryption Key ....................................................................... 2-9
2.3.4 Set Response Timeout Timer of RADIUS Server ................................................. 2-10
2.3.5 Set Retransmission Times of RADIUS Request Packet....................................... 2-10


Summary of Contents for Quidway S3000 Series

  • Page 2: Table of Contents (continued)

    2.3.6 Set a Real-time Accounting Interval .............. 2-11
    2.3.7 Set Maximum Times of Real-time Accounting Request Failing to be Responded .............. 2-12
    2.3.8 Enable/Disable Stopping Accounting Request Buffer .............. 2-12
    2.3.9 Set the Maximum Retransmitting Times of Stopping Accounting Request .............. 2-13
    2.3.10 Set the Supported Type of RADIUS Server ...
  • Page 3: Chapter 1 802.1X Configuration

    Chapter 1 802.1x Configuration
    1.1 802.1x Overview
    1.1.1 802.1x Standard Overview
    IEEE 802.1x (hereinafter 802.1x) is a port-based network access control protocol. IEEE issued it in 2001 and recommended that manufacturers adopt it as the standard protocol for LAN user access authentication.
  • Page 4: 802.1X Authentication Process

    The LAN access control device must provide the 802.1x Authenticator System. Devices on the user side, such as computers, must run 802.1x Supplicant client software, for example the 802.1x client provided by Huawei...
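The opening of the 802.1x exchange described above, shown as an added example that is not part of the manual: a Python builder/parser for EAPOL frames (EtherType 0x888E, PAE group address 01-80-C2-00-00-03) carrying the EAP Identity round trip between Supplicant and Authenticator. The MAC addresses and the identity string are constructed values; the authenticator would then carry the identity to the RADIUS server described in Chapter 2.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1x PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 1                                 # 802.1X-2001
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet (RFC 3748): Code, Identifier, Length, then Type and Type-Data
    for Request/Response; Success/Failure carry only the 4-byte header."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(src_mac, dst_mac, packet_type, body=b""):
    """Ethernet II frame: dst, src, EtherType 0x888E, then the EAPOL header
    (Version, Type, Body Length) and the body."""
    eapol = struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol(frame):
    """Decode an EAPOL frame into a dict; reject truncated or inconsistent lengths."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, blen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body length exceeds frame")
    info = {"src": src, "dst": dst, "version": version, "type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        if blen < 4:
            raise ValueError("EAP packet shorter than its header")
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen < 4 or elen > blen:
            raise ValueError("EAP length field inconsistent with EAPOL body")
        info.update(code=code, id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and elen > 4:
            info["eap_type"] = body[4]
            info["data"] = body[5:elen]
    return info


def identity_exchange(supplicant_mac, authenticator_mac, identity):
    """The frames of the opening exchange, in wire order:
    1. Supplicant -> PAE group address: EAPOL-Start
    2. Authenticator -> supplicant: EAP-Request/Identity
    3. Supplicant -> authenticator: EAP-Response/Identity (same Identifier)"""
    start = eapol_frame(supplicant_mac, PAE_GROUP_ADDR, EAPOL_START)
    request = eapol_frame(authenticator_mac, supplicant_mac, EAPOL_EAP_PACKET,
                          eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    ident = parse_eapol(request)["id"]          # the response must echo the request Identifier
    response = eapol_frame(supplicant_mac, authenticator_mac, EAPOL_EAP_PACKET,
                           eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity))
    return [start, request, response]


if __name__ == "__main__":
    # Constructed addresses and identity, not taken from the manual.
    sup, auth = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    for f in identity_exchange(sup, auth, b"gw20010608@huawei163.net"):
        print(parse_eapol(f))
```

Note that nothing in these frames is protected: the identity crosses the LAN in clear text, and the switch only treats a port as authorized after the EAP method completes and the RADIUS server returns Access-Accept.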
  • Page 5: Implement 802.1X On Ethernet Switch

    1.1.4 Implement 802.1x on Ethernet Switch
    Quidway Series Ethernet Switches not only support the port access authentication method specified by 802.1x, but also extend and optimize it in the following ways: several end stations can be connected downstream of a single physical port.
  • Page 6: Enable/Disable 802.1X

    The main 802.1x configuration tasks are: enable/disable 802.1x; set the port access control mode; set the port access control method; check the users that log on to the switch via proxy...
  • Page 7: Set Port Access Control Method

    Table 1-2 Set the port access control mode
    Operation: Set the port access control mode
    Command: dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]...
    (authorized-force leaves the port permanently authorized without any authentication, unauthorized-force keeps it permanently blocked, and auto lets the authentication result decide.)
  • Page 8: Set Supplicant Number On A Port

    ... [ interface interface-list ] (restore the maximum number of users on the port to the default value)
    By default, 802.1x allows up to 256 supplicants on each port on S3000 Series Ethernet switches (64 on the S3026).
    1.2.6 Set to Enable DHCP to Launch Authentication
    The following commands are used to set whether 802.1x enables the Ethernet...
  • Page 9: Configure Authentication Method For 802.1X User

    By default, authentication is not triggered when a user runs DHCP to request a dynamic IP address.
    1.2.7 Configure Authentication Method for 802.1x User
    The following commands configure the authentication method for 802.1x users.
  • Page 10: Set The Handshake Period Of 802.1X

    1.2.9 Set the handshake period of 802.1x
    The following commands set the 802.1x handshake period. Once handshake-period is set, the system sends a handshake packet once per period. If the dot1x retry count is configured as N, the system considers the user to have logged off and sets the user to the logoff state if it does not receive a response from the user for...
  • Page 11: Enable/Disable Quiet-Period Timer

    You can use the following commands to enable/disable the quiet-period timer of an Authenticator (which can be a Quidway Series Ethernet Switch). If an 802.1x user fails authentication, the Authenticator keeps quiet for a while (the interval specified by the dot1x timer quiet-period command) before launching authentication again. The quiet period is what throttles repeated failed attempts from the same port; disabling it removes that rate limit.
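The port behaviour described in 1.2.2, 1.2.9 and 1.2.11 (port control mode, handshake retries, quiet period), as an added model in Python that is not the switch's code. The timer values are illustrative, time is a simulated counter supplied by the caller, and reading "dot1x retry N" as N consecutive unanswered handshakes is an assumption, since the manual's sentence is truncated on this page.

```python
from dataclasses import dataclass


@dataclass
class Dot1xPort:
    """State of one 802.1x-controlled port. Times are simulated seconds
    (the caller supplies `now`); the default values are illustrative."""
    port_control: str = "auto"       # authorized-force | unauthorized-force | auto
    retry: int = 3                   # 'dot1x retry' N: unanswered handshakes before logoff (assumed reading)
    quiet_period: int = 60           # 'dot1x timer quiet-period'
    quiet_enabled: bool = True       # 1.2.11: enable/disable the quiet-period timer
    authorized: bool = False         # result of the last authentication on an 'auto' port
    missed_handshakes: int = 0
    quiet_until: int = 0             # no new authentication is started before this time

    def forwards(self) -> bool:
        """Whether user traffic passes the port under the configured control mode."""
        if self.port_control == "authorized-force":
            return True                        # always open, no authentication at all
        if self.port_control == "unauthorized-force":
            return False                       # always closed, even to valid users
        return self.authorized                 # auto: decided by the authentication result

    def can_start_auth(self, now: int) -> bool:
        """A failed attempt silences the authenticator until quiet_until."""
        return self.port_control == "auto" and now >= self.quiet_until

    def auth_result(self, success: bool, now: int) -> None:
        if self.port_control != "auto":
            return
        self.authorized = success
        self.missed_handshakes = 0
        if not success and self.quiet_enabled:
            self.quiet_until = now + self.quiet_period

    def handshake(self, responded: bool) -> None:
        """One handshake period (1.2.9). After `retry` consecutive misses the
        user is treated as logged off and the port returns to unauthorized."""
        if not self.authorized:
            return
        if responded:
            self.missed_handshakes = 0
            return
        self.missed_handshakes += 1
        if self.missed_handshakes >= self.retry:
            self.authorized = False
            self.missed_handshakes = 0


def run_scenario():
    """A supplicant fails once, waits out the quiet period, succeeds, then goes silent.
    Returns (blocked_during_quiet, forwarding_after_success, forwarding_after_silence)."""
    port = Dot1xPort(port_control="auto", retry=3, quiet_period=60)
    port.auth_result(False, now=0)
    blocked = not port.can_start_auth(now=30)
    port.auth_result(True, now=60)
    after_success = port.forwards()
    for _ in range(port.retry):
        port.handshake(responded=False)
    return blocked, after_success, port.forwards()


if __name__ == "__main__":
    print(run_scenario())
```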
  • Page 12: 802.1X Configuration Example

    Table 1-12 Display and debug 802.1x
    Operation: Display the configuration, running and statistics information of 802.1x
    Command: display dot1x [ sessions | statistics ] [ interface interface-list ]
    Operation: Reset the 802.1x statistics information...
  • Page 13

    # Set the port access control method. (This command can be omitted, since MAC-based is the default.)
    [Quidway] dot1x port-method macbased interface ethernet 0/1
    # Create the RADIUS server group radius1 and enter its view.
    [Quidway] radius scheme radius1
    # Set the IP addresses of the primary authentication/accounting RADIUS servers.
  • Page 14

    [Quidway-radius-radius1] secondary authentication 10.11.1.2
    [Quidway-radius-radius1] secondary accounting 10.11.1.1
    # Set the encryption key used when the system exchanges packets with the authentication RADIUS server.
    [Quidway-radius-radius1] key authentication name
    # Set the encryption key used when the system exchanges packets with the accounting RADIUS server.
  • Page 15

    [Quidway-luser-localuser] service-type lan-access
    [Quidway-luser-localuser] password simple localpass
    # Enable 802.1x globally.
    [Quidway] dot1x
    (password simple stores the password in clear text in the configuration file; see Table 2-4 for the password-setting method of a local user.)
  • Page 16: Chapter 2 Aaa And Radius Protocol Configuration

    Chapter 2 AAA and RADIUS Protocol Configuration
    2.1 AAA and RADIUS Protocol Overview
    2.1.1 AAA Overview
    Authentication, Authorization and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management.
  • Page 17: Implement Aaa/Radius On Ethernet Switch

    2.1.3 Implement AAA/RADIUS on Ethernet Switch
    In the AAA/RADIUS framework described above, Quidway Series Ethernet Switches serve as the user access device, or NAS, and are therefore the RADIUS client. In other words, the client side of AAA/RADIUS is what is implemented on Quidway Series Ethernet Switches.
  • Page 18: Configure Aaa

    ISP. Generally, for a username in the userid@isp-name format, taking gw20010608@huawei163.net as an example, the isp-name following the @ (here huawei163.net) is the ISP domain name. When a Quidway Series Ethernet Switch controls access for an ISP user whose username is in userid@isp-name format, it takes the userid part as the username for identification and the isp-name part as the domain name.
  • Page 19: Configure Relevant Attributes Of Isp Domain

    In ISP domain view, you can configure a complete set of exclusive ISP domain attributes on a per-domain basis, including the AAA policy (the RADIUS server group applied, etc.). For Quidway Series Ethernet Switches, each supplicant belongs to an ISP domain.
  • Page 20: Create A Local User

    ... { lan-access | ftp | telnet | ssh } ] }
    By default, there are no local users in the system. Note that all S3000 series switches support SSH except the S3026.
    2.2.4 Set Attributes of Local User
    The attributes of a local user include its password, state, service type and some other settings.
  • Page 21: Disconnect A User By Force

    Table 2-4 Set the method that a local user uses to set the password
    Operation: Set the method that a local user uses to set...
  • Page 22: Configure Radius Protocol

    By default, no online user is disconnected by force.
    2.3 Configure RADIUS Protocol
    On Quidway Series Ethernet Switches, the RADIUS protocol is configured per RADIUS server group. In a real network, a RADIUS server group can be a single RADIUS server or a pair of primary/secondary RADIUS servers with the same configuration but different IP addresses.
  • Page 23: Create/Delete A Radius Server Group

    2.3.1 Create/Delete a RADIUS server Group
    As mentioned above, RADIUS protocol configuration is performed per RADIUS server group. Therefore, before performing any other RADIUS configuration, you must create the RADIUS server group and enter its view to set the server IP addresses.
  • Page 24: Set Radius Packet Encryption Key

    (Some earlier RADIUS servers in particular use 1645 as the authentication/authorization port and 1646 as the accounting port; RFC 2865 and RFC 2866 assign 1812 and 1813.) The RADIUS service port settings on Quidway Series Ethernet Switches must match the port settings on the RADIUS server.
  • Page 25: Set Response Timeout Timer Of Radius Server

    ... end and give a response. You can use the following commands to set the encryption key for RADIUS packets. Perform the following configurations in RADIUS server group view. Note that this key is a shared secret in the RADIUS sense: it keys the MD5-based packet authenticators and hides the User-Password attribute, but it does not encrypt the rest of the packet, so all other attributes travel in clear text between the switch and the server.
  • Page 26: Set A Real-Time Accounting Interval

    You can use the following command to set the retransmission times of RADIUS request packets. Perform the following configurations in RADIUS server group view.
    Table 2-11 Set retransmission times of RADIUS request packet...
  • Page 27: Set Maximum Times Of Real-Time Accounting Request Failing To Be Responded

    Accordingly, when some unpredictable failure occurs, the user must be disconnected at the NAS end and on the RADIUS server synchronously. Quidway Series Switches support setting the maximum number of times a real-time accounting request may go unanswered. The NAS disconnects the user if it has not received a real-time accounting response from the RADIUS server that many times.
  • Page 28: Set The Maximum Retransmitting Times Of Stopping Accounting Request

    ... shall make its best effort to send the message to the RADIUS accounting server. Accordingly, if a message from a Quidway Series Ethernet Switch to the RADIUS accounting server is not answered, the switch saves it in a local buffer and retransmits it until the server responds, or discards it after transmitting it the specified number of times.
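The retransmission, real-time accounting cut-off and stop-accounting buffering behaviour of 2.3.5, 2.3.7, 2.3.8 and 2.3.9, as an added Python model that is not the switch's implementation. The server stand-in is constructed inline and simply answers or stays silent; the default limits are illustrative, time is counted in accounting intervals rather than seconds, and counting an initial transmission plus its retransmits as one attempt toward the stop-accounting limit is an assumption.

```python
from collections import deque


class SilentOrAnsweringServer:
    """Constructed stand-in for the RADIUS accounting server: answers every
    request while `up` is True, stays silent otherwise, and logs what it saw."""
    def __init__(self):
        self.up = True
        self.log = []

    def __call__(self, packet):
        self.log.append(packet)
        return self.up


class AccountingClient:
    """NAS-side accounting behaviour, simplified.
    retransmit          - extra sends per request before giving up (2.3.5)
    realtime_max_fail   - consecutive unanswered real-time requests before cut-off (2.3.7)
    stop_buffer         - keep unanswered stop requests for later retry (2.3.8)
    stop_max_retransmit - attempts before a buffered stop request is discarded (2.3.9)"""
    def __init__(self, send, retransmit=3, realtime_max_fail=5,
                 stop_buffer=True, stop_max_retransmit=500):
        self.send = send
        self.retransmit = retransmit
        self.realtime_max_fail = realtime_max_fail
        self.stop_buffer = stop_buffer
        self.stop_max_retransmit = stop_max_retransmit
        self.online = {}                 # user -> consecutive unanswered real-time requests
        self.pending_stops = deque()     # [user, attempts made so far]

    def _request(self, packet):
        """One request plus up to `retransmit` retransmissions; True if answered."""
        return any(self.send(packet) for _ in range(1 + self.retransmit))

    def start(self, user):
        if self._request(("start", user)):
            self.online[user] = 0
            return True
        return False

    def realtime_tick(self):
        """One real-time accounting interval: send an interim request per online
        user and return the users disconnected for too many unanswered requests."""
        cut = []
        for user in list(self.online):
            if self._request(("interim", user)):
                self.online[user] = 0
            else:
                self.online[user] += 1
                if self.online[user] >= self.realtime_max_fail:
                    cut.append(user)
        for user in cut:
            del self.online[user]
        return cut

    def stop(self, user):
        """Send stop accounting; if unanswered and buffering is on, keep it for retry."""
        self.online.pop(user, None)
        if self._request(("stop", user)):
            return True
        if self.stop_buffer:
            self.pending_stops.append([user, 1])   # the send above counts as attempt 1 (assumption)
        return False

    def flush_stops(self):
        """Retry every buffered stop request once; return (delivered, discarded)."""
        delivered, discarded, keep = [], [], deque()
        while self.pending_stops:
            user, attempts = self.pending_stops.popleft()
            if self.send(("stop", user)):
                delivered.append(user)
            elif attempts + 1 >= self.stop_max_retransmit:
                discarded.append(user)
            else:
                keep.append([user, attempts + 1])
        self.pending_stops = keep
        return delivered, discarded
```

The two limits pull in opposite directions: a small realtime_max_fail cuts sessions quickly when the accounting server is unreachable (users lose service during a server outage), while a large stop_max_retransmit keeps stop records alive so billing is not lost; both should be chosen with the server's availability in mind.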
  • Page 29: Set The Supported Type Of Radius Server

    2.3.10 Set the Supported Type of RADIUS Server
    Quidway Series Ethernet Switches support the standard RADIUS protocol as well as the extended RADIUS service platforms developed by Huawei, such as IP Hotel, 201+ and Portal.
  • Page 30: Set Username Format Transmitted To Radius Server

    2.3.12 Set Username Format Transmitted to RADIUS Server
    As mentioned above, supplicants are generally named in the userid@isp-name format, where the part following "@" is the ISP domain name. Quidway Series Ethernet Switches assign users to ISP domains according to these domain names. However, some earlier RADIUS servers reject usernames that include the ISP domain name.
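How a NAS splits userid@isp-name (2.2.1) and applies user-name-format (2.3.12), as an added Python example that is not the switch's code. Treating a name without "@" as belonging to a default domain named `system`, and splitting at the last "@", are assumptions; the manual on this page states neither.

```python
def split_domain(username, default_domain="system"):
    """userid@isp-name -> (userid, isp-name), as in 2.2.1.
    A name without '@' falls into `default_domain` (assumed default name),
    and the split is at the last '@' (assumption) so a user ID may contain one."""
    userid, sep, domain = username.rpartition("@")
    if not sep:
        return username, default_domain
    if not userid or not domain:
        raise ValueError("malformed username: %r" % username)
    return userid, domain


def name_for_server(username, user_name_format="with-domain", default_domain="system"):
    """The User-Name the NAS sends to RADIUS under
    user-name-format { with-domain | without-domain } (2.3.12)."""
    if user_name_format not in ("with-domain", "without-domain"):
        raise ValueError("unknown user-name-format: %r" % user_name_format)
    userid, domain = split_domain(username, default_domain)
    if user_name_format == "without-domain":
        return userid                      # for servers that reject the domain suffix
    return "%s@%s" % (userid, domain)


if __name__ == "__main__":
    for fmt in ("with-domain", "without-domain"):
        print(fmt, name_for_server("gw20010608@huawei163.net", fmt))
```

Stripping the domain means the RADIUS server can no longer tell users of two ISP domains apart by name alone, so without-domain should only be combined with a server group that serves a single domain.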
  • Page 31: Configure Local Radius Server Group

    2.3.14 Configure Local RADIUS Server Group
    RADIUS service, which uses authentication/authorization/accounting servers to manage users, is widely used with Huawei Quidway series switches. In addition, these products also provide a local authentication/authorization/accounting service, called the local RADIUS function, which implements basic RADIUS functions on the switch itself.
  • Page 32: Aaa And Radius Protocol Configuration Examples

    Operation: Display the configuration information of all the RADIUS server groups or a specified one
    Command: display radius [ radius-server-name ]
    Operation: Display the statistics information of...
  • Page 33

    II. Networking Topology
    Figure 2-2 Configuring remote RADIUS authentication for Telnet users (a Telnet user reaches the switch across the Internet; the switch authenticates against the authentication servers at IP address 10.110.91.164)
    III. Configuration Procedure
    # Add a Telnet user.
  • Page 34: Configuring Ftp/Telnet User Authentication At Local Radius Server

    [Quidway-radius-cams] service-type Huawei
    [Quidway-radius-cams] user-name-format without-domain
    # Configure the association between the domain and the RADIUS server group.
    [Quidway-radius-cams] quit
    [Quidway] domain cams
    [Quidway-isp-cams] radius-scheme cams
    2.5.2 Configuring FTP/Telnet User Authentication at Local RADIUS Server
    Local RADIUS authentication of Telnet/FTP users is similar to remote RADIUS authentication.
  • Page 35

    The encryption keys of the RADIUS server and the NAS may differ. Check carefully and make sure that they are identical. There might be a communication fault between the NAS and the RADIUS server, which can be discovered by pinging the RADIUS server from the NAS.
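To make 2.3.3 and the troubleshooting note above concrete, here is an added Python example (not the manual's or Huawei's code) of what the RADIUS "encryption key" actually does per RFC 2865: it hides the User-Password attribute and keys the MD5 Response Authenticator. A toy server is constructed inline; the key value `name`, user `localuser` and password `localpass` are borrowed from the Chapter 1 configuration example. With a mismatched key the server recovers the wrong password and rejects the user, and the NAS cannot validate the reply, which is exactly the failure the note tells you to check for.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
# RFC 2865/2866 ports are 1812/1813; older servers used 1645/1646 (see 2.3.2).


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request(ident, username, password, secret, request_auth=None):
    """NAS side: Code, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_attributes(attrs):
    """Type-Length-Value list; reject lengths that would loop or run off the end."""
    result, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2:
            raise ValueError("malformed attribute")
        attr_type, length = attrs[pos], attrs[pos + 1]
        result[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    return result


def server_reply(request, secret, valid_users):
    """Constructed stand-in for the RADIUS server: recover the password with *its*
    secret, accept or reject, and authenticate the reply with its secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if valid_users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + \
        response_authenticator(code, ident, b"", request_auth, secret)


def verify_reply(reply, request, secret):
    """NAS side: trust the reply only if its authenticator matches under the NAS's secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return reply[4:20] == expected


if __name__ == "__main__":
    req = access_request(7, b"localuser", b"localpass", b"name")
    for server_key in (b"name", b"wrongkey"):
        rep = server_reply(req, server_key, {b"localuser": b"localpass"})
        print(server_key, "code", rep[0], "reply valid at NAS:", verify_reply(rep, req, b"name"))
```

Because only User-Password is hidden and the mask is MD5 of a short static secret, the key should be long and random and the switch-to-server path should be a trusted management network; the key does not protect the rest of the exchange.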
  • Page 36: Chapter 3 Habp Configuration

    Chapter 3 HABP Configuration
    3.1 HABP Overview
    If 802.1x is configured on a switch, 802.1x runs authentication on the ports where it is enabled, and only users that pass authentication are able to forward packets.
  • Page 37: Configuring Habp Client

    Perform the following operations in system view.
    Table 3-1 Configuring HABP server
    Operation: Enable HABP attribute
    Command: habp enable
    Operation: Restore HABP attribute to the default value...
