H3C S3100-52P Manual
Operation Manual - 802.1x and System Guard
H3C S3100-52P Ethernet switch
Chapter 1 802.1x Configuration  1-1
  1.1 Introduction to 802.1x  1-1
    1.1.1 Architecture of 802.1x Authentication  1-2
    1.1.2 The Mechanism of an 802.1x Authentication System  1-3
    1.1.3 Encapsulation of EAPoL Messages  1-4
    1.1.4 802.1x Authentication Procedure  1-7
    1.1.5 Timers Used in 802.1x  1-10
    1.1.6 802.1x Implementation on an S3100-52P Switch  1-11
  1.2 Introduction to 802.1x Configuration  1-15
  1.3 Basic 802.1x Configuration  1-16
    1.3.1 Configuration Prerequisites  1-16
    1.3.2 Configuring Basic 802.1x Functions  1-16
    1.3.3 Timer and Maximum User Number Configuration  1-18
  1.4 Advanced 802.1x Configuration  1-20
    1.4.1 Configuring Proxy Checking  1-20
    1.4.2 Configuring Client Version Checking  1-21
    1.4.3 Enabling DHCP-triggered Authentication  1-22
    1.4.4 Configuring Guest VLAN  1-22
    1.4.5 Configuring 802.1x Re-Authentication  1-23
    1.4.6 Configuring the 802.1x Re-Authentication Timer  1-23
  1.5 Displaying and Maintaining 802.1x Configuration  1-24
  1.6 Configuration Example  1-24
    1.6.1 802.1x Configuration Example  1-24
Chapter 2 Quick EAD Deployment Configuration  2-1
  2.1 Introduction to Quick EAD Deployment  2-1
    2.1.1 Quick EAD Deployment Overview  2-1
    2.1.2 Operation of Quick EAD Deployment  2-1
  2.2 Configuring Quick EAD Deployment  2-2
    2.2.1 Configuration Prerequisites  2-2
    2.2.2 Configuration Procedure  2-2
    2.2.3 Displaying and Maintaining Quick EAD Deployment  2-4
  2.3 Quick EAD Deployment Configuration Example  2-4
  2.4 Troubleshooting  2-5
Chapter 3 HABP Configuration  3-1
  3.1 Introduction to HABP  3-1
  3.2 HABP Server Configuration  3-1
  3.3 HABP Client Configuration  3-2
Summary of Contents for H3C S3100-52P

  • Page 2: Table of Contents (continued)

    3.4 Displaying and Maintaining HABP Configuration  3-2; Chapter 4 System Guard Configuration  4-1; 4.1 System Guard Overview  4-1; 4.1.1 Guard Against IP Attacks  4-1; 4.1.2 Guard Against TCN Attacks ...
  • Page 3: Chapter 1 802.1x Configuration

    Chapter 1 802.1x Configuration. Note: The online user handshaking function is added; see Configuring Basic 802.1x Functions. The configuration of 802.1x re-authentication is added; see Configuring 802.1x...
  • Page 4: Architecture of 802.1x Authentication

    The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-capable network device (such as an H3C series switch). It provides the port (physical or logical) through which the supplicant system accesses the LAN.
  • Page 5: The Mechanism of an 802.1x Authentication System

    By default, a controlled port is a unidirectional port. IV. The way a port is controlled: a port of an H3C series switch can be controlled in the following two ways. Port-based authentication: when a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated once one supplicant system among them passes authentication.
  • Page 6: Encapsulation of EAPoL Messages

    Figure 1-2 The mechanism of an 802.1x authentication system. EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets.
  • Page 7 00: Indicates that the packet is an EAP-packet, which carries authentication information. 01: Indicates that the packet is an EAPoL-start packet, which initiates the authentication.
  • Page 8 Figure 1-5 shows the format of the Data field of a Request packet or a Response packet. Figure 1-5 The format of the Data field of a Request packet or a Response packet. The Type field indicates the EAP authentication type.
  • Page 9: 802.1x Authentication Procedure

    1.1.4 802.1x Authentication Procedure. An H3C S3100-52P Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode. I. EAP relay mode: this mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-level protocol (such as EAPoR) packets so that they can reach the authentication server.
  • Page 10 [Figure: EAP relay mode message exchange among the supplicant system, the authenticator system (EAPOL on the supplicant side, EAPOR towards the server) and the RADIUS server: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request (EAP-Response/Identity) ...]
  • Page 11 Upon receiving the key (encapsulated in an EAP-Request/MD5 Challenge packet) from the switch, the client program encrypts the password of the supplicant system with the key and sends the encrypted password (contained in an EAP-Response/MD5 Challenge packet) to the RADIUS server through the switch.
  • Page 12: Timers Used in 802.1x

    [Figure: 802.1x authentication message exchange among the supplicant system PAE, the authenticator system (EAPOL) and the RADIUS server: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, RADIUS Access-Request ...]
  • Page 13: 802.1x Implementation on an S3100-52P Switch

    1.1.6 802.1x Implementation on an S3100-52P Switch In addition to the earlier mentioned 802.1x features, an S3100-52P switch is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, and so on (This function needs the cooperation of a CAMS server.)
  • Page 14 Note: H3C's CAMS Server is a service management system used to manage networks and to secure networks and user information. With the cooperation of other networking devices (such as switches) in the network, a CAMS server can implement the AAA functions and rights management.
  • Page 15 Note: The 802.1x client version-checking function needs the support of H3C's 802.1x client program. III. The guest VLAN function: the guest VLAN function enables supplicant systems that are not authenticated to access network resources in a restrained way.
  • Page 16 ... to the user. To connect to the switch again, the user needs to initiate 802.1x authentication with the client software again. Note: When re-authenticating a user, a switch goes through the complete authentication process.
  • Page 17: Introduction to 802.1x Configuration

    Note: 802.1x re-authentication will fail if a CAMS server is used and configured to perform authentication but not accounting. This is because a CAMS server establishes a user session only after it begins to perform accounting.
  • Page 18: Basic 802.1x Configuration

    1.3 Basic 802.1x Configuration. 1.3.1 Configuration Prerequisites: configure the ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme.
  • Page 19 (table: To do… | Use the command… | Remarks) ... | dot1x port-method { macbased | portbased } | ...; quit; Set authentication method for 802.1x... | dot1x ... | Optional. By default, a switch performs ...
  • Page 20: Timer and Maximum User Number Configuration

    With the support of the H3C proprietary client, handshake packets are used to test whether or not a user is online. Because non-H3C clients do not support the online user handshaking function, the switch cannot receive handshake acknowledgement packets from them during handshaking periods.
  • Page 21 (table: To do… | Use the command… | Remarks) Set the maximum retry ... | ... | Optional. By default, the maximum retry times to send a request packet is 2. That...
  • Page 22: Advanced 802.1x Configuration

    Note: As for the dot1x max-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also use this command in port view.
  • Page 23: Configuring Client Version Checking

    ... | quit. Note: The proxy checking function needs the cooperation of H3C's 802.1x client (iNode) program. The proxy checking function depends on the online user handshaking function. To enable the proxy checking function, you need to enable the online user handshaking function first.
  • Page 24: Enabling DHCP-triggered Authentication

    Note: As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view.
  • Page 25: Configuring 802.1x Re-Authentication

    Caution: The guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one guest VLAN can be configured for each switch.
  • Page 26: Displaying and Maintaining 802.1x Configuration

    The switch uses the value of the Session-timeout attribute field of the Access-Accept packet sent by the RADIUS server as the re-authentication interval. The switch uses the value configured with the dot1x timer reauth-period command as the re-authentication interval for access users.
  • Page 27 All supplicant systems that pass the authentication belong to the default domain named "aabbcc.net". The domain can accommodate up to 30 users. As for authentication, a supplicant system is authenticated locally if the RADIUS server fails.
  • Page 28 Note: The following configuration covers the major AAA/RADIUS configuration commands. Refer to AAA Operation for information about these commands. Configuration on the client and the RADIUS servers is omitted.
  • Page 29
    # Configure to send the user name to the RADIUS server with the domain name truncated.
    [Sysname-radius-radius1] user-name-format without-domain
    [Sysname-radius-radius1] quit
    # Create the domain named "aabbcc.net" and enter its view.
  • Page 30: Chapter 2 Quick EAD Deployment Configuration

    In real applications, however, deploying EAD clients proves to be time-consuming and inconvenient. To address the issue, the H3C S3100-52P provides forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
  • Page 31: Configuring Quick EAD Deployment

    Note: The quick EAD deployment feature takes effect only when the access control mode of an 802.1x-enabled port is set to auto. 2.2 Configuring Quick EAD Deployment. 2.2.1 Configuration Prerequisites...
  • Page 32 Caution: You must configure the URL for HTTP redirection before configuring a free IP range. A URL must start with http:// and the segment where the URL resides must be in the free IP range.
  • Page 33: Displaying and Maintaining Quick EAD Deployment

    2.2.3 Displaying and Maintaining Quick EAD Deployment (table: To do... | Use the command... | Remarks) Display configuration information about quick ... | display dot1x [ sessions | statistics ] [ interface...
  • Page 34: Troubleshooting

    The Web server is configured properly. The default gateway of the user's PC is configured as the IP address of the connected VLAN interface on the switch.
  • Page 35: Chapter 3 HABP Configuration

    Chapter 3 HABP Configuration. When configuring HABP, go to these sections for the information you are interested in: Introduction to HABP; HABP Server Configuration; HABP Client Configuration; Displaying and Maintaining HABP Configuration. 3.1 Introduction to HABP...
  • Page 36: HABP Client Configuration

    (table: To do... | Use the command... | Remarks) Enable HABP | habp enable | Optional. By default, HABP is enabled. ... | ... | Required. By default, a switch operates as an HABP...
  • Page 37 (table: To do... | Use the command... | Remarks) Display statistics on HABP packets | display habp traffic | Available in any view ...
  • Page 38: Chapter 4 System Guard Configuration

    Chapter 4 System Guard Configuration. When configuring System Guard, go to these sections for the information you are interested in: System Guard Overview; Configuring System Guard; Displaying and Maintaining System Guard Configuration. 4.1 System Guard Overview...
  • Page 39: Configuring System Guard Against TCN Attacks

    Configuring parameters related to MAC address learning. Follow these steps to configure System Guard against IP attacks (table: To do... | Use the command... | Remarks): Enter system view | system-view | — ...
  • Page 40: Enabling Layer 3 Error Control

    (table: To do... | Use the command... | Remarks) Enable System Guard against TCN attacks | system-guard tcn enable | Required. Disabled by default. Set the threshold of ... | system-guard tcn...