H3C S3600 Series Operation Manual

Operation Manual - 802.1x
H3C S3600 Series Ethernet Switches-Release 1510
Chapter 1 802.1x Configuration
1.1 Introduction to 802.1x
1.1.1 Architecture of 802.1x Authentication
1.1.2 The Mechanism of an 802.1x Authentication System
1.1.3 Encapsulation of EAPoL Messages
1.1.4 802.1x Authentication Procedure
1.1.5 Timers Used in 802.1x
1.1.6 802.1x Implementation on an S3600 Series Switch
1.2 802.1x Configuration
1.3 Basic 802.1x Configuration
1.3.1 Prerequisites
1.3.2 Configuring Basic 802.1x Functions
1.4 Timer and Maximum User Number Configuration
1.5 Advanced 802.1x Configuration
1.5.1 Prerequisites
1.5.2 Configuring Proxy Checking
1.5.3 Configuring Client Version Checking
1.5.4 Enabling DHCP-triggered Authentication
1.5.5 Configuring Guest VLAN
1.6 Displaying and Debugging 802.1x
1.7 Configuration Example
1.7.1 802.1x Configuration Example
Chapter 2 HABP Configuration
2.1 Introduction to HABP
2.2 HABP Server Configuration
2.3 HABP Client Configuration
2.4 Displaying HABP


Summary of Contents for H3C S3600 Series

  • Page 1: Table Of Contents

  • Page 2: Chapter 1 802.1X Configuration

    Operation Manual – 802.1x H3C S3600 Series Ethernet Switches-Release 1510 Chapter 1 802.1x Configuration 1.1 Introduction to 802.1x The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was then used in Ethernet as a common access control mechanism for LAN ports, mainly to address authentication and security problems.
  • Page 3 The authenticator system is an entity residing at one end of a LAN segment. It authenticates the supplicant systems connecting to the other end of the LAN segment.
  • Page 4: The Mechanism Of An 802.1X Authentication System

    By default, a controlled port is a unidirectional port. IV. The way a port is controlled A port of an H3C series switch can be controlled in the following two ways.
  • Page 5 through LANs, EAP protocol packets are encapsulated in EAPoL format. The following figure illustrates the structure of an EAPoL packet. PAE Ethernet type...
  • Page 6 In an EAP packet: The Code field indicates the EAP packet type, which can be Request, Response, Success, or Failure. The Identifier field is used to match a Response packet with the corresponding Request packet.
  • Page 7: 802.1X Authentication Procedure

    Message-authenticator field. Otherwise, the packet is regarded as invalid and is discarded. type=80 length=18 Figure 1-7 The format of a Message-authenticator field 1.1.4 802.1x Authentication Procedure An H3C S3600 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
  • Page 8 [Figure: labels EAPoL, EAPoR, Supplicant, RADIUS server]...
  • Page 9 Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the switch, the client program encrypts the password of the supplicant system with the key and sends the encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server through the switch.
  • Page 10: Timers Used In 802.1X

    [Figure: labels EAPOL, RADIUS, RADIUS server, Supplicant system, Switch]...
  • Page 11: 802.1X Implementation On An S3600 Series Switch

    1.1.6 802.1x Implementation on an S3600 Series Switch In addition to the earlier mentioned 802.1x features, an S3600 series switch is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, and so on (This function needs the cooperation of a CAMS server.)
  • Page 12 Note: The client-checking function needs the support of H3C’s 802.1x client program. To implement the proxy detecting function, you need to enable the function on both the 802.1x client program and the CAMS server in addition to enabling the client version detecting function on the switch by using the dot1x version-check command.
  • Page 13: 802.1X Configuration

    Note: The 802.1x client version-checking function needs the support of H3C’s 802.1x client program. III. The Guest VLAN function The Guest VLAN function enables supplicant systems that are not authenticated to access network resources in a restrained way.
  • Page 14: Basic 802.1X Configuration

    If you specify to adopt the RADIUS scheme, the supplicant systems are authenticated by a remote RADIUS server. In this case, you need to configure user names and passwords on the RADIUS server and perform RADIUS client-related configuration on the switches.
  • Page 15 Operation: port access control mode for specified ports. Command: dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]. Description: Optional. By default, an 802.1x-enabled port operates in the auto mode.
  • Page 16: Timer And Maximum User Number Configuration

    1.4 Timer and Maximum User Number Configuration Table 1-2 Configure 802.1x timers and the maximum number of users Operation Command Description Enter system view — system-view...
  • Page 17: Advanced 802.1X Configuration

    Note: As for the dot1x max-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also use this command in port view.
  • Page 18: Configuring Client Version Checking

    { logoff | trap } Note: The proxy checking function needs the cooperation of H3C's 802.1x client program. The configuration listed in Table 1-3 takes effect only when it is performed on CAMS as well as on the switch. In addition, the client version checking function needs to be enabled on the switch too (by using the dot1x version-check command).
  • Page 19: Enabling Dhcp-Triggered Authentication

    Note: As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view.
  • Page 20: Displaying And Debugging 802.1X

    Caution: The Guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one Guest VLAN can be configured for each switch.
  • Page 21 primary accounting server. The password for the switch and the authentication RADIUS servers to exchange messages is “name”. And the password for the switch and the accounting RADIUS servers to exchange messages is “money”. The...
  • Page 22 # Set the access control method to be MAC-address-based (This operation can be omitted, as MAC-address-based is the default). [H3C] dot1x port-method macbased interface Ethernet 1/0/1 # Create a RADIUS scheme named “radius1”...
  • Page 23 [H3C-isp-aabbcc.net] idle-cut enable 20 2000 [H3C-isp-aabbcc.net] quit # Set the default user domain to be “aabbcc.net”. [H3C] domain default enable aabbcc.net # Create a local access user account.
  • Page 24: Chapter 2 Habp Configuration

    Chapter 2 HABP Configuration 2.1 Introduction to HABP With 802.1x enabled, a switch authenticates and then authorizes 802.1x-enabled ports. Packets can be forwarded only by authorized ports. For ports connected to the switch and are not authenticated and authorized by 802.1x, their received packets will be...
  • Page 25: Habp Client Configuration

    Operation Command Description Optional Configure interval send The default interval for an HABP server habp timer interval HABP request to send HABP request packets is 20 packets.