Configuration Guide Vol. 2

AX1250S / AX1240S Software Manual
Configuration Guide Vol. 2
For Version 2.2
AX1240S-S002-40X
■ Relevant Products
This manual applies to the AX1250S and AX1240S series of switches. The manual describes the functionality of
software version 2.2 for AX1250S and AX1240S switches supported by the OS-LT3 and OS-LT2 software and
optional licenses.
■ Export Restrictions
If you export this product, please check all restrictions of Japan's Foreign Exchange and Foreign Trade Law and the
USA export control laws and regulations, and complete all required procedures. If you require more information,
please contact your Hitachi sales representative.
■ Trademarks
Ethernet is a product name of Xerox Corporation in the United States.
Microsoft is a registered trademark of Microsoft Corporation in the United States and other countries.
Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
RSA and RSA SecurID are trademarks or registered trademarks of RSA Security Inc. in the United States and other
countries.
Other product and company names in this document are the trademarks or registered trademarks of their respective
owners.
■ Reading and storing this manual
Before you use the equipment, carefully read the manual and be sure you understand all safety precautions.
After reading the manual, store it in a convenient place for easy reference.
■ Note
Information in this document is subject to change without notice.
■ Edition history
January 2010 (Edition 5) AX1240S-S002-40X
■ Copyright
Copyright (c) 2008, 2010, ALAXALA Networks Corporation. All rights reserved.
History of Amendments

For Version 2.2 (Edition 5)

Table: Summary of amendments (location and title, followed by the changes)

Adding series
  - The description of AX1250S switches has been added.

16 Uplink Redundancy
  - The description related to active port locking at Switch startup has been added.

In addition to the above changes, minor editorial corrections have been made.
Version 2.2 (Edition 4)

Table: Summary of amendments (location and title, followed by the changes)

Overview of Layer 2 authentication
  - The authentication method has been changed to the authentication method group, and descriptions of the Switch defaults and the authentication method list have been added.
  - A description of specifying the authentication method list (authentication method by port, authentication method by user ID) has been added.
  - A description of the RADIUS server group has been added.
  - A description of the RADIUS accounting functionality has been added.

Description of IEEE 802.1X
  - A description of specifying the authentication method list (authentication method by port) has been added.
  - A description of the RADIUS accounting functionality has been added.
  - The RADIUS attributes used for RADIUS authentication have been standardized.

Setting and operating IEEE 802.1X
  - A description of specifying the authentication method list (authentication method by port) has been added.
  - A description of the RADIUS accounting functionality has been added.

Description of Web authentication
  - A description of the user switching option has been added.
  - A description of specifying the authentication method list (authentication method by port, authentication method by user ID) has been added.
  - A description of the RADIUS accounting functionality has been added.
  - A description of the Web authentication page by port has been added.
  - The RADIUS attributes used for RADIUS authentication have been standardized.

Setting and operating Web authentication
  - A description of the user switching option has been added.
  - A description of specifying the authentication method list (authentication method by port, authentication method by user ID) has been added.
  - A description of the RADIUS accounting functionality has been added.
  - A description of the Web authentication page by port has been added.

Description of MAC-based authentication
  - A description of specifying the authentication method list (authentication method by port) has been added.
  - A description of the RADIUS accounting functionality has been added.
  - The RADIUS attributes used for RADIUS authentication have been standardized.

Setting and operating MAC-based authentication
  - A description of specifying the authentication method list (authentication method by port) has been added.
  - A description of the RADIUS accounting functionality has been added.

Multistep authentication
  - A description of the terminal authentication dot1x option for terminal authentication with IEEE 802.1X has been added.

Secure Wake-on-LAN [OP-WOL]
  - English indications on the page have been changed.
  - Japanese indications on the page have been added.

CFM
  - This chapter has been added.

Log output functionality
  - A description of the HEADER part when outputting to the syslog server has been added.
Version 2.1 (Edition 3)

Table: Summary of amendments (location and title, followed by the changes)

Filter
  - Notes on use with other functionality have been added to the notes on using filters.

Flow control
  - The list of frames whose priority cannot be changed by priority determination has been changed.
  - The table of self-generated frame types and user priority setting ranges has been changed.
  - The table mapping the user priority settings for self-generated frames to CoS values has been changed.

Overview of Layer 2 authentication
  - The following descriptions have been added as functionality common to Layer 2 authentication:
    - Priority setting for the local authentication method and the RADIUS authentication method
    - General-purpose RADIUS server information and RADIUS server information dedicated to authentication
    - Automatic VLAN allocation for a MAC VLAN
    - Authentication of tagged frames at the MAC port (dot1q vlan setting)
    - Forced authentication common to all authentication methods
  - The following descriptions have been moved from Chapter 12 to Chapter 5 as functionality common to Layer 2 authentication (functionality descriptions and configurations):
    - Permitting communication by unauthenticated terminals (IPv4 access list dedicated to authentication)
    - Specifying attached VLANs by VLAN name
  - Selecting a RADIUS server and Recovering a RADIUS server have been moved from Login security and RADIUS in Configuration Guide Vol. 1, and a description has been added as the dead-interval functionality of RADIUS server communication.
  - The description of the coexistence of the Layer 2 authentication functionality has been moved from Chapter 12 to Chapter 5 (functionality description and configuration).
  - A list of operation commands has been added as an operation common to all Layer 2 authentication methods.

Description of IEEE 802.1X
  - auto has been added to the terminal detection behavior switching option.
  - Non-communicating terminal monitoring functionality has been added.

Description of MAC-based authentication
  - A periodic re-authentication request functionality has been added to fixed VLAN mode.

Multistep authentication
  - This chapter has been added.

Secure Wake-on-LAN [OP-WOL]
  - The description of the Web browser selection page has been changed.

Uplink redundancy
  - A description of the MAC address updating functionality has been added.

Stream control
  - A description of flow restriction has been added.

Port mirroring
  - The table of transmit mirroring capabilities has been changed.

In addition to the above changes, minor editorial corrections have been made.
Version 2.0 (Edition 2)

Table: Summary of amendments (location and title, followed by the changes)

One-time password authentication [OP-OTP]
  - The figure in the overview description has been corrected.

In addition to the above changes, minor editorial corrections have been made.
Preface
■ Applicable products and software versions
This manual applies to the AX1250S and AX1240S series of switches. The manual describes the functionality of
software version 2.2 for the AX1250S and AX1240S switches supported by the OS-LT3 and OS-LT2 software and
optional licenses. Before you operate the equipment, carefully read the manual and be sure you understand all
instructions and notes. After reading the manual, store it in a convenient place for easy reference.
Unless otherwise noted, this manual describes the functionality applicable to both AX1250S and AX1240S switches.
Functionality specific to either model is indicated as follows:
[AX1250S]:
The description applies to AX1250S switches.
[AX1240S]:
The description applies to AX1240S switches.
In addition, unless otherwise noted, this manual describes the functionality applicable to both OS-LT3 and OS-LT2.
Functionality supported by optional licenses is indicated as follows:
[OP-WOL]:
The description applies to the functionality supported by the optional license OP-WOL.
[OP-OTP]:
The description applies to the functionality supported by the optional license OP-OTP.
■ Corrections to the manual
Corrections to this manual are contained in the Release Notes and Manual Corrections that come with the software.
■ Intended readers
This manual is intended for system administrators who wish to configure and operate a network system that uses
the Switch.
Readers must have an understanding of the following:
• Basics of network system management
■ Manual URL
You can view this manual on the ALAXALA Networks Corporation website:
http://www.alaxala.com
■ Reading sequence for the manuals
The following shows the manuals you need to consult according to your requirements, determined from the
workflow for installing, setting up, and starting regular operation of the Switch:
■ Abbreviations used in the manual
AC        Alternating current
ACK       Acknowledge
ADSL      Asymmetric Digital Subscriber Line
ALG       Application Level Gateway
ANSI      American National Standards Institute
ARP       Address Resolution Protocol
AS        Autonomous system
AUX       Auxiliary
BGP       Border Gateway Protocol
BGP4      Border Gateway Protocol - version 4
BGP4+     Multiprotocol Extensions for Border Gateway Protocol - version 4
bit/s     Bits per second (can also appear as bps)
BPDU      Bridge Protocol Data Unit
BRI       Basic Rate Interface
CC        Continuity check
CDP       Cisco Discovery Protocol
CFM       Connectivity Fault Management
CIDR      Classless Inter-Domain Routing
CIR       Committed Information Rate
CIST      Common and Internal Spanning Tree
CLNP      Connectionless-mode Network Protocol
CLNS      Connectionless-mode Network service
CONS      Connection-Oriented Network System
CRC       Cyclic redundancy check
CSMA/CD   Carrier sense multiple access with collision detection
CSNP      Complete sequence numbers PDU
CST       Common Spanning Tree
DA        Destination address
DC        Direct current
DCE       Data circuit-terminating equipment
DHCP      Dynamic Host Configuration Protocol
DIS       Draft International Standard/Designated Intermediate System
DNS       Domain Name System
DR        Designated router
DSAP      Destination Service Access Point
DSCP      Differentiated Services Code Point
DTE       Data terminal equipment
DVMRP     Distance Vector Multicast Routing Protocol
E-Mail    Electronic Mail
EAP       Extensible Authentication Protocol
EAPOL     EAP over LAN
EFM       Ethernet in the First Mile
ES        End System
FAN       Fan unit
FCS       Frame check sequence
FDB       Filtering database
FQDN      Fully qualified domain name
FTTH      Fiber to the Home
GBIC      Gigabit interface converter
GSRP      Gigabit Switch Redundancy Protocol
HMAC      Keyed-Hashing for Message Authentication
IANA      Internet Assigned Numbers Authority
ICMP      Internet Control Message Protocol
ICMPv6    Internet Control Message Protocol version 6
ID        Identifier
IEC       International Electrotechnical Commission
IEEE      Institute of Electrical and Electronics Engineers
IETF      Internet Engineering Task Force
IGMP      Internet Group Management Protocol
IP        Internet Protocol
IPCP      Internet Protocol Control Protocol
IPv4      Internet Protocol version 4
IPv6      Internet Protocol version 6
IPV6CP    Internet Protocol version 6 Control Protocol
IPX       Internetwork Packet Exchange
ISO       International Organization for Standardization
ISP       Internet service provider
IST       Internal Spanning Tree
L2LD      Layer 2 Loop Detection
LAN       Local area network
LCP       Link Control Protocol
LED       Light-emitting diode
LLC       Logical Link Control
LLDP      Link Layer Discovery Protocol
LLQ+3WFQ  Low Latency Queuing + 3 Weighted Fair Queuing
LSP       Label Switched Path
LSP       Link State PDU
LSR       Label Switched Router
MA        Maintenance Association
MAC       Media Access Control
MC        Memory card
MD5       Message-Digest algorithm 5
MDI       Medium dependent interface
MDI-X     Medium dependent interface crossover
MEP       Maintenance association end point
MIB       Management information base
MIP       Maintenance Domain Intermediate Point
MRU       Maximum Receive Unit
MSTI      Multiple Spanning Tree Instance
MSTP      Multiple Spanning Tree Protocol
MTU       Maximum Transfer Unit
NAK       Not acknowledge
NAS       Network Access Server
NAT       Network address translation
NCP       Network Control Protocol
NDP       Neighbor Discovery Protocol
NET       Network Entity Title
NLA ID    Next-Level Aggregation Identifier
NPDU      Network Protocol Data Unit
NSAP      Network Service Access Point
NSSA      Not-So-Stubby Area
NTP       Network Time Protocol
OADP      Octpower Auto Discovery Protocol
OAM       Operations, Administration, and Maintenance
OSPF      Open Shortest Path First
OUI       Organizationally Unique Identifier
PAD       Padding
PAE       Port Access Entity
PC        Personal computer
PCI       Protocol control information
PDU       Protocol data unit
PICS      Protocol Implementation Conformance Statement
PID       Protocol identifier
PIM       Protocol Independent Multicast
PIM-DM    Protocol Independent Multicast - Dense Mode
PIM-SM    Protocol Independent Multicast - Sparse Mode
PIM-SSM   Protocol Independent Multicast - Source Specific Multicast
PoE       Power over Ethernet
PRI       Primary Rate Interface
PS        Power supply
PSNP      Partial Sequence Numbers PDU
QoS       Quality of service
RA        Router advertisement
RADIUS    Remote Authentication Dial In User Service
RDI       Remote Defect Indication
REJ       Reject
RFC       Request for Comments
RIP       Routing Information Protocol
RIPng     Routing Information Protocol next generation
RMON      Remote Network Monitoring MIB
RPF       Reverse Path Forwarding
RQ        Request
RSTP      Rapid Spanning Tree Protocol
SA        Source address
SD        Secure Digital
SDH       Synchronous Digital Hierarchy
SDU       Service Data Unit
SEL       NSAP Selector
SFD       Start Frame Delimiter
SFP       Small form-factor pluggable
SMTP      Simple Mail Transfer Protocol
SNAP      Subnetwork Access Protocol
SNMP      Simple Network Management Protocol
SNP       Sequence Numbers PDU
SNPA      Subnetwork Point of Attachment
SPF       Shortest Path First
SSAP      Source Service Access Point
STP       Spanning Tree Protocol
TA        Terminal adapter
TACACS+   Terminal Access Controller Access Control System Plus
TCP/IP    Transmission Control Protocol/Internet Protocol
TLA ID    Top-Level Aggregation Identifier
TLV       Type, Length, and Value
TOS       Type of Service
TPID      Tag Protocol Identifier
TTL       Time to live
UDLD      Unidirectional Link Detection
UDP       User Datagram Protocol
ULR       Uplink redundancy
UPC       Usage Parameter Control
UPC-RED   Usage Parameter Control - Random Early Detection
VAA       VLAN Access Agent
VLAN      Virtual local area network
VRRP      Virtual Router Redundancy Protocol
WAN       Wide area network
WDM       Wavelength division multiplexing
WFQ       Weighted fair queuing
WRED      Weighted random early detection
WS        Workstation
WWW       World Wide Web
XFP       10 Gigabit Small Form Factor Pluggable
■ Conventions: The terms "Switch" and "switch"
The term Switch (upper-case "S") is an abbreviation for any or all of the following models:
• AX1250S series switch
• AX1240S series switch
The term switch (lower-case "s") might refer to a Switch, another type of switch from the current vendor, or a
switch from another vendor. The context decides the meaning.
■ Conventions such as KB (kilobytes)
This manual uses the following conventions:
1 KB (kilobyte) is 1,024 bytes.
1 MB (megabyte) is 1,024² bytes.
1 GB (gigabyte) is 1,024³ bytes.
1 TB (terabyte) is 1,024⁴ bytes.
Contents
Part 1
1.
Filters.........................................................................................................................1
Filters ...................................................................................................................................1
1.1
Description............................................................................................................................................... 2
1.1.1 Overview of filtering ........................................................................................................................... 2
1.1.2 Flow detection ..................................................................................................................................... 3
1.1.3 Flow detection modes .......................................................................................................................... 3
1.1.4 Flow detection conditions.................................................................................................................... 4
1.1.5 Access lists........................................................................................................................................... 6
1.1.6 Implicit discarding ............................................................................................................................... 7
1.1.7 Notes on using filters ........................................................................................................................... 7
1.2
Configuration ......................................................................................................................................... 10
1.2.1 List of configuration commands ........................................................................................................ 10
1.2.2 Frame forwarding and discarding by MAC header............................................................................ 10
1.2.3 Frame forwarding and discarding by IP header and TCP/UDP header ............................................. 11
1.2.4 Setting multiple interface filters......................................................................................................... 13
1.3
Operations.............................................................................................................................................. 14
1.3.1 List of operation commands............................................................................................................... 14
1.3.2 Checking filters.................................................................................................................................. 14
Part 2
2.
QoS...........................................................................................................................16
Overview of QoS Control .................................................................................................16
2.1
Structure of QoS control ........................................................................................................................ 17
2.2
Description of common processing........................................................................................................ 19
2.2.1 User priority mapping........................................................................................................................ 19
2.3
Configurations common to QoS control ................................................................................................ 21
2.3.1 List of configuration commands ........................................................................................................ 21
2.4
Operations common to QoS control....................................................................................................... 22
2.4.1 List of operation commands............................................................................................................... 22
3.
Flow Control......................................................................................................................23
3.1
Description of flow detection................................................................................................................. 24
3.1.1 Flow detection modes ........................................................................................................................ 24
3.1.2 Flow detection conditions.................................................................................................................. 25
3.1.3 QoS flow lists .................................................................................................................................... 27
3.1.4 Notes on using flow detection............................................................................................................ 28
3.2
Configuring flow detection .................................................................................................................... 30
3.2.1 Setting the flow detection mode ........................................................................................................ 30
3.2.2 Configuring QoS control for multiple interfaces ............................................................................... 30
3.3
Flow detection operations ...................................................................................................................... 32
3.3.1 Checking QoS control operation when IPv4 packets are set as the flow detection condition............ 32
3.4
Description of marking .......................................................................................................................... 33
3.4.1 User priority updating........................................................................................................................ 33
3.4.2 DSCP updating .................................................................................................................................. 34
3.5
Configuring marking.............................................................................................................................. 36
3.5.1 Setting user priority updating............................................................................................................. 36
3.5.2 Setting DSCP updating ...................................................................................................................... 36
3.6
Marking operation.................................................................................................................................. 38
3.6.1 Checking user priority updating......................................................................................................... 38
3.6.2 Checking DSCP updating .................................................................................................................. 38
i
Description of priority determination..................................................................................................... 39
3.7
3.7.1 CoS values ......................................................................................................................................... 39
3.7.2 CoS mapping functionality ................................................................................................................ 40
3.7.3 Note on using priority determination ................................................................................................. 41
3.8
Priority determination configuration...................................................................................................... 42
3.8.1 Setting the CoS value......................................................................................................................... 42
3.9
Priority operations.................................................................................................................................. 43
3.9.1 Checking the priority ......................................................................................................................... 43
3.10 Description of user priority for self-generated frames ........................................................................... 44
3.11 Configuring user priority for self-generated frames............................................................................... 46
3.11.1 Setting user priority for self-generated frames................................................................................... 46
4.
Send Control......................................................................................................................47
4.1
Overview of the shaper .......................................................................................................................... 48
4.1.1 Overview of the legacy shaper........................................................................................................... 48
4.1.2 Specifying the send queue length ...................................................................................................... 49
4.1.3 Scheduling ......................................................................................................................................... 49
4.1.4 Port bandwidth control....................................................................................................................... 52
4.1.5 Notes on using the shaper .................................................................................................................. 53
4.2
Shaper configuration.............................................................................................................................. 54
4.2.1 PQ configuration................................................................................................................................ 54
4.2.2 WRR configuration............................................................................................................................ 54
4.2.3 2PQ+6WRR configuration ................................................................................................................ 55
4.2.4 WFQ configuration ............................................................................................................................ 55
4.2.5 Using port bandwidth control ............................................................................................................ 56
4.3
Shaper operations................................................................................................................................... 57
4.3.1 Checking scheduling.......................................................................................................................... 57
4.3.2 Checking port bandwidth control....................................................................................................... 57
Part 3
5.
Layer 2 Authentication ..........................................................................................58
Overview of Layer 2 Authentication...............................................................................58
5.1
Overview of Layer 2 authentication methods ........................................................................................ 59
5.1.1 Layer 2 authentication types .............................................................................................................. 59
5.1.2 Authentication modes of each authentication method ....................................................................... 60
5.1.3 Authentication method groups........................................................................................................... 64
5.2
Authentication method group................................................................................................................. 66
5.2.1 Overview ........................................................................................................................................... 66
5.2.2 Authentication method lists ............................................................................................................... 66
5.2.3 Authentication method list configuration .......................................................................................... 73
5.3
RADIUS authentication ......................................................................................................................... 80
5.3.1 RADIUS server information used with the Layer 2 authentication method ...................................... 80
5.3.2 Dead-interval functionality of RADIUS server communication........................................................ 85
5.3.3 Configuring the priority for device default local authentication and RADIUS authentication.......... 88
5.3.4 RADIUS account functionality.......................................................................................................... 90
5.4
Functionality common to all Layer 2 authentication methods ............................................................... 94
5.4.1 Permitting communication by unauthenticated terminals (Authentication IPv4 access list) ............. 94
5.4.2 Specifying VLAN accommodation by VLAN name ......................................................................... 95
5.4.3 Auto MAC VLAN assignment .......................................................................................................... 96
5.4.4 Auto authentication mode accommodation at the same MAC port ................................................... 98
5.4.5 Tagged frame authentication on a MAC port (dot1q vlan configuration)........................................ 101
5.4.6 Forced authentication common to all authentication modes............................................................ 102
5.4.7 Terminal control when authentication fails ..................................................................................... 108
5.5
Configuration commands common to all Layer 2 authentication modes............................................. 110
5.5.1 List of configuration commands ...................................................................................................... 110
5.5.2 Configuring the authentication IPv4 access list ............................................................................... 110
ii
5.5.3 Specifying the VLAN to accommodate by a VLAN name.............................................................. 112
5.5.4 Forced authentication configuration common to all authentication modes...................................... 115
5.6
Operations common to all Layer 2 authentication methods................................................................. 118
5.6.1 List of operation commands............................................................................................................. 118
5.7
Interoperability of Layer 2 authentication with other functionality ..................................................... 119
5.7.1 Interoperability on the Switch.......................................................................................................... 119
5.7.2 Interoperability on the same port ..................................................................................................... 121
5.8
Configuration for interoperability of Layer 2 authentication ............................................................... 129
5.8.1 Configuration where a tagged frame is authenticated on a MAC port............................................. 129
5.9
Notes on using Layer 2 authentication methods .................................................................................. 132
5.9.1 Notes on using common Layer 2 authentication methods ............................................................... 132
5.9.2 Interoperability of several Layer 2 authentication methods............................................................. 133
5.9.3 Using with other functionality ......................................................................................................... 133
6.
Description of IEEE 802.1X...........................................................................................135
6.1
Overview of IEEE 802.1X ................................................................................................................... 136
6.1.1 Basic functionality ........................................................................................................................... 137
6.1.2 Overview of the extended functionality........................................................................................... 138
6.2 Port-based authentication (static)......................................................................................................... 143
6.2.1 Authentication submode and the authentication mode option ......................................................... 143
6.2.2 Authentication functionality ............................................................................................................ 145
6.2.3 Collaboration with the NAP quarantine system............................................................................... 155
6.3 Port-based authentication (dynamic).................................................................................................... 158
6.3.1 Authentication submode and the authentication mode option ......................................................... 159
6.3.2 Authentication functionality ............................................................................................................ 161
6.4 VLAN-based authentication (dynamic) ............................................................................................... 164
6.4.1 Authentication submode and the authentication mode option ......................................................... 165
6.4.2 Authentication functionality ............................................................................................................ 167
6.5 EAPOL forwarding functionality......................................................................................................... 172
6.6 Account functionality........................................................................................................................... 173
6.7 Preparation ........................................................................................................................................... 176
6.8 Notes on IEEE 802.1X......................................................................................................................... 183
6.8.1 Operations when using IEEE 802.1X with other functionality........................................................ 183
6.8.2 Notes on using IEEE 802.1X ........................................................................................................... 183
7. IEEE 802.1X Configuration and Operation.................................................................187
7.1 Configuring IEEE 802.1X.................................................................................................................... 188
7.1.1 List of configuration commands ...................................................................................................... 188
7.1.2 Configuration procedure for IEEE 802.1X ...................................................................................... 192
7.2 Configuration common to all authentication modes ............................................................................ 194
7.2.1 Configuring the authentication method group and RADIUS server information ............................ 194
7.2.2 Configuring the transmission of accounting information ................................................................ 196
7.2.3 Enabling IEEE 802.1X .................................................................................................................... 196
7.3 Configuring port-based authentication (static)..................................................................................... 197
7.3.1 Configuring port-based authentication (static)................................................................................. 198
7.3.2 Configuring authentication mode options........................................................................................ 200
7.3.3 Configuration related to authentication processing.......................................................................... 202
7.4 Configuring port-based authentication (dynamic) ............................................................................... 208
7.4.1 Configuring port-based authentication (dynamic) ........................................................................... 209
7.4.2 Configuring authentication mode options........................................................................................ 211
7.4.3 Configuration related to authentication processing.......................................................................... 212
7.5 Configuring VLAN-based authentication (dynamic)........................................................................... 215
7.5.1 Configuring VLAN-based authentication (dynamic)....................................................................... 216
7.5.2 Configuring authentication mode options........................................................................................ 217
7.5.3 Configuration related to authentication processing.......................................................................... 219
7.6 IEEE 802.1X operations ...................................................................................................................... 223
7.6.1 List of operation commands............................................................................................................. 223
7.6.2 Displaying the IEEE 802.1X status ................................................................................................. 223
7.6.3 Modifying the IEEE 802.1X authentication status .......................................................................... 225
8. Description of Web Authentication...............................................................................227
8.1 Overview.............................................................................................................................................. 228
8.2 Fixed VLAN mode .............................................................................................................................. 234
8.2.1 Authentication methods group......................................................................................................... 234
8.2.2 Authentication functionality ............................................................................................................ 237
8.2.3 Authentication operations ................................................................................................................ 248
8.3 Dynamic VLAN mode ......................................................................................................................... 250
8.3.1 Authentication methods group......................................................................................................... 250
8.3.2 Authentication functionality ............................................................................................................ 252
8.3.3 Authentication operations ................................................................................................................ 256
8.4 Legacy mode........................................................................................................................................ 259
8.4.1 Authentication method group .......................................................................................................... 259
8.4.2 Authentication functionality ............................................................................................................ 261
8.4.3 Authentication operations ................................................................................................................ 265
8.5 Accounting functionality...................................................................................................................... 267
8.6 Preparation ........................................................................................................................................... 271
8.6.1 For local authentication ................................................................................................................... 271
8.6.2 For RADIUS authentication ............................................................................................................ 273
8.7 Authentication error messages ............................................................................................................. 280
8.8 Notes on Web authentication ............................................................................................................... 285
8.8.1 Notes common to the authentication modes .................................................................................... 285
8.8.2 Notes on using fixed VLAN mode .................................................................................................. 289
8.8.3 Notes on using dynamic VLAN mode and legacy mode ................................................................. 289
8.9 Replacing Web authentication pages ................................................................................................... 290
8.9.1 Replacing Web authentication pages ............................................................................................... 290
8.9.2 Notes on using Web authentication page replacement functionality ............................................... 293
8.10 Procedure for creating Web authentication pages................................................................................ 294
8.10.1 Login page (login.html) ................................................................................................................... 294
8.10.2 Logout page (logout.html) ............................................................................................................... 297
8.10.3 Authentication error message file (webauth.msg) ........................................................................... 299
8.10.4 Tags specific to Web authentication ................................................................................................ 301
8.10.5 Examples of other pages .................................................................................................................. 303
8.11 Description of the internal DHCP server functionality ........................................................................ 308
8.11.1 Support specification ....................................................................................................................... 308
8.11.2 Information sent to clients ............................................................................................................... 308
8.11.3 Preventing duplicate assignments of IP addresses ........................................................................... 309
8.11.4 Notes on using a DHCP server ........................................................................................................ 309
9. Web Authentication Configuration and Operation.....................................................310
9.1 Web authentication configuration ........................................................................................................ 311
9.1.1 List of configuration commands ...................................................................................................... 311
9.1.2 Procedure of configuration for Web authentication......................................................................... 315
9.2 Configuration common to all authentication modes ............................................................................ 319
9.2.1 Authentication method group and RADIUS server information configuration ............................... 319
9.2.2 Web authentication IP address configuration .................................................................................. 322
9.2.3 Auto logout condition configuration common to all authentication modes ..................................... 322
9.2.4 Configuration of sending accounting information ........................................................................... 322
9.2.5 User switching option configuration................................................................................................ 323
9.2.6 Enabling Web authentication........................................................................................................... 323
9.3 Fixed VLAN mode configuration ........................................................................................................ 324
9.3.1 Fixed VLAN mode configuration.................................................................................................... 325
9.3.2 Configuration related to authentication............................................................................................ 327
9.4 Dynamic VLAN mode configuration................................................................................................... 333
9.4.1 Dynamic VLAN mode configuration .............................................................................................. 334
9.4.2 Configuration related to authentication............................................................................................ 336
9.5 Legacy mode configuration ................................................................................................................. 342
9.5.1 Legacy mode configuration ............................................................................................................. 343
9.5.2 Configuration related to authentication............................................................................................ 345
9.6 Internal DHCP server configuration .................................................................................................... 348
9.7 Operation of Web authentication ......................................................................................................... 351
9.7.1 List of operation commands............................................................................................................. 351
9.7.2 Registering the internal Web authentication DB ............................................................................. 352
9.7.3 Backing up and restoring the internal Web authentication DB........................................................ 354
9.7.4 Displaying configuration status of Web authentication ................................................................... 355
9.7.5 Displaying the status of Web authentication.................................................................................... 357
9.7.6 Displaying the status of Web authentication sessions...................................................................... 357
9.7.7 Registering Web authentication page files....................................................................................... 358
9.7.8 Displaying information about registered Web authentication page files ......................................... 360
9.7.9 Deleting the registered individual Web authentication page custom file set ................................... 360
9.7.10 Retrieving the running Web authentication page custom file set..................................................... 361
9.7.11 Checking the DHCP server.............................................................................................................. 362
9.7.12 Authentication procedure from terminal.......................................................................................... 363
10. Description of MAC-based Authentication ..................................................................369
10.1 Overview.............................................................................................................................................. 370
10.2 Fixed VLAN mode .............................................................................................................................. 375
10.2.1 Authentication method group .......................................................................................................... 375
10.2.2 Authentication functionality ............................................................................................................ 378
10.3 Dynamic VLAN mode ......................................................................................................................... 386
10.3.1 Authentication method group .......................................................................................................... 386
10.3.2 Authentication functionality ............................................................................................................ 388
10.4 Legacy mode........................................................................................................................................ 392
10.4.1 Authentication method group .......................................................................................................... 392
10.4.2 Authentication functionality ............................................................................................................ 394
10.5 Accounting functionality...................................................................................................................... 400
10.6 Preparation ........................................................................................................................................... 404
10.6.1 Preparing for local authentication.................................................................................................... 404
10.6.2 RADIUS authentication................................................................................................................... 406
10.7 Notes on using MAC-based authentication.......................................................................................... 418
10.7.1 Notes common to the authentication modes ..................................................................................... 418
10.7.2 Notes on use of fixed VLAN mode ................................................................................................. 421
10.7.3 Notes on use of legacy mode ........................................................................................................... 421
11. MAC-based authentication Configuration and Operation.........................................423
11.1 Configuring MAC-based authentication .............................................................................................. 424
11.1.1 List of configuration commands ...................................................................................................... 424
11.1.2 Configuration procedure for MAC-based authentication................................................................. 426
11.2 Configuration common to all authentication modes ............................................................................ 430
11.2.1 Configuring the authentication method group and RADIUS server information ............................ 430
11.2.2 Restrictions on MAC addresses for authentication.......................................................................... 433
11.2.3 Configuring the maximum connection time .................................................................................... 433
11.2.4 Configuring authentication requests to the RADIUS server............................................................ 434
11.2.5 Configuring the transmission of accounting information ................................................................ 436
11.2.6 Enabling MAC-based authentication functionality.......................................................................... 436
11.3 Configuring fixed VLAN mode ........................................................................................................... 438
11.3.1 Configuring fixed VLAN mode....................................................................................................... 439
11.3.2 Settings for authentication processing ............................................................................................. 441
11.4 Configuring dynamic VLAN mode ..................................................................................................... 446
11.4.1 Configuring dynamic VLAN mode ................................................................................................. 447
11.4.2 Settings for authentication processing ............................................................................................. 449
11.5 Configuring legacy mode..................................................................................................................... 453
11.5.1 Configuring legacy mode................................................................................................................. 454
11.5.2 Settings for authentication processing ............................................................................................. 455
11.6 MAC-based authentication operations................................................................................................. 460
11.6.1 List of operation commands............................................................................................................. 460
11.6.2 Registering an internal MAC-based authentication DB................................................................... 461
11.6.3 Backing up and restoring the internal MAC-based authentication DB............................................ 463
11.6.4 Displaying the status of MAC-based authentication settings........................................................... 464
11.6.5 Displaying status of MAC-based authentication.............................................................................. 465
11.6.6 Displaying the authentication status of MAC-based authentication ................................................ 466
12. Multistep Authentication ...............................................................................................468
12.1 Overview.............................................................................................................................................. 469
12.1.1 Scope of support .............................................................................................................................. 470
12.1.2 Authentication behavior................................................................................................................... 473
12.1.3 Preparation....................................................................................................................................... 490
12.1.4 Notes on using multistep authentication .......................................................................................... 490
12.2 Configuration ....................................................................................................................................... 492
12.2.1 List of configuration commands ...................................................................................................... 492
12.2.2 Structure of multistep authentication ............................................................................................... 492
12.2.3 Configuring basic multistep authentication ports ............................................................................ 493
12.2.4 Configuring ports for the authorized user authentication option ..................................................... 505
12.2.5 Configuring ports with the terminal authentication dot1x option .................................................... 519
12.3 Operation ............................................................................................................................................. 528
12.3.1 List of operation commands............................................................................................................. 528
12.3.2 Displaying the multistep authentication status................................................................................. 528
13. Secure Wake-on-LAN [OP-WOL] ................................................................................529
13.1 Overview.............................................................................................................................................. 530
13.1.1 Preparation for using the Switch...................................................................................................... 530
13.1.2 Notes on using Secure Wake-on-LAN............................................................................................. 535
13.2 Configuration ....................................................................................................................................... 536
13.2.1 List of configuration commands ...................................................................................................... 536
13.2.2 Enabling the HTTP server functionality .......................................................................................... 536
13.3 Operation ............................................................................................................................................. 537
13.3.1 List of operation commands............................................................................................................. 537
13.3.2 Registering, changing, and deleting on the WOL Terminal DB ...................................................... 538
13.3.3 Backing up and restoring the WOL Terminal DB ........................................................................... 540
13.3.4 Registering, changing, and deleting on the WOL User DB ............................................................. 541
13.3.5 Backing up and restoring the WOL User DB .................................................................................. 544
13.3.6 Displaying information of a user by using the Secure Wake-on-LAN ............................................ 545
13.3.7 Command direct sending functionality ............................................................................................ 546
13.3.8 Procedure for selecting/sending commands in a Web browser........................................................ 546
14. One-time Password Authentication [OP-OTP]............................................................558
14.1 Overview.............................................................................................................................................. 559
14.1.1 Scope of support .............................................................................................................................. 561
14.1.2 Screen files displaying Reply-Message ........................................................................................... 562
14.1.3 Using with other Web authentication functionality ......................................................................... 568
14.2 Configuration ....................................................................................................................................... 569
14.3 Operation ............................................................................................................................................. 570
14.3.1 List of operation commands............................................................................................................. 570
Part 4 High Reliability Based on Redundant Configurations .....................571
15. Description of the GSRP Aware Functionality ............................................................571
15.1 Overview of GSRP .............................................................................................................................. 572
15.1.1 Overview ......................................................................................................................................... 572
15.1.2 Supported specifications .................................................................................................................. 573
15.2 GSRP switchover control..................................................................................................................... 574
15.3 Configuration ....................................................................................................................................... 576
15.4 Operation ............................................................................................................................................. 577
15.4.1 List of operation commands............................................................................................................. 577
15.4.2 Confirming GSRP aware information ............................................................................................. 577
16. Uplink Redundancy ........................................................................................................578
16.1 Description........................................................................................................................................... 579
16.1.1 Uplink redundancy operation........................................................................................................... 580
16.1.2 Switchover and preemption between primary and secondary ports................................................. 582
16.1.3 Functionality for sending and receiving flush control frames.......................................................... 585
16.1.4 MAC address update functionality .................................................................................................. 586
16.1.5 Functionality to fix the active port at Switch startup ....................................................................... 589
16.1.6 Operation logs, MIBs and traps ....................................................................................................... 590
16.1.7 Using with other functionality ......................................................................................................... 590
16.1.8 Notes on using uplink redundancy................................................................................................... 591
16.2 Configuration ....................................................................................................................................... 593
16.2.1 List of configuration commands ...................................................................................................... 593
16.2.2 Specifying the primary and secondary ports and timer preemption wait time................................. 593
16.2.3 Setting the functionality to send/receive flush control frames to upstream switches....................... 594
16.2.4 Setting the MAC address update functionality to upstream switches .............................................. 595
16.3 Operation ............................................................................................................................................. 597
16.3.1 List of operation commands............................................................................................................. 597
16.3.2 Displaying the status of uplink redundancy..................................................................................... 597
16.3.3 Manually switching over the primary and secondary ports ............................................................. 600
Part 5 High Reliability Based on Network Failure Detection......................601
17. Storm Control .................................................................................................................601
17.1 Description........................................................................................................................................... 602
17.1.1 Overview of storm control............................................................................................................... 602
17.1.2 Functionality to limit flow rate ........................................................................................................ 602
17.1.3 Notes on using the storm control functionality ................................................................................ 604
17.2 Configuration ....................................................................................................................................... 605
17.2.1 List of configuration commands ...................................................................................................... 605
17.2.2 Basic settings ................................................................................................................................... 605
17.2.3 Extended setting: Limiting flow rate ............................................................................................... 606
17.3 Operation ............................................................................................................................................. 608
17.3.1 List of operation commands............................................................................................................. 608
17.3.2 Checking the status of storm control ............................................................................................... 608
18. IEEE 802.3ah/UDLD ......................................................................................................610
18.1 Description........................................................................................................................................... 611
18.1.1 Overview ......................................................................................................................................... 611
18.1.2 Supported specifications .................................................................................................................. 611
18.1.3 Notes on using IEEE 802.3ah/UDLD .............................................................................................. 612
18.2 Configuration ....................................................................................................................................... 613
18.2.1 List of configuration commands ...................................................................................................... 613
18.2.2 Configuring IEEE 802.3ah/UDLD .................................................................................................. 613
18.3 Operation ............................................................................................................................................. 615
18.3.1 List of operation commands............................................................................................................. 615
18.3.2 Displaying IEEE 802.3ah/OAM information .................................................................................. 615
19. L2 Loop Detection...........................................................................................................617
19.1 Description........................................................................................................................................... 618
19.1.1 Overview ......................................................................................................................................... 618
19.1.2 Overview of the operation ............................................................................................................... 619
19.1.3 Use with Layer 2 functionality ........................................................................................................ 622
19.1.4 Operation logs and traps .................................................................................................................. 623
19.1.5 Application example ........................................................................................................................ 624
19.1.6 Notes on using the L2 loop detection functionality ......................................................................... 626
19.2 Configuration ....................................................................................................................................... 629
19.2.1 List of configuration commands ...................................................................................................... 629
19.2.2 Configuring the L2 loop detection functionality.............................................................................. 629
19.3 Operation ............................................................................................................................................. 632
19.3.1 List of operation commands............................................................................................................. 632
19.3.2 Checking the L2 loop detection status ............................................................................................. 632
20. CFM ................................................................................................................................634
20.1 Description........................................................................................................................................... 635
20.1.1 Overview ......................................................................................................................................... 635
20.1.2 CFM components............................................................................................................................. 636
20.1.3 Designing domains .......................................................................................................................... 642
20.1.4 Continuity Check ............................................................................................................................. 647
20.1.5 Loopback ......................................................................................................................................... 649
20.1.6 Linktrace .......................................................................................................................................... 650
20.1.7 Common behavior ........................................................................................................................... 653
20.1.8 Databases used in CFM ................................................................................................................... 654
20.1.9 Notes on using CFM ........................................................................................................................ 656
20.2 Configuration ....................................................................................................................................... 659
20.2.1 List of configuration commands ...................................................................................................... 659
20.2.2 Configuring CFM (multiple domains) ............................................................................................. 659
20.2.3 Configuring CFM (multiple MAs in one domain)........................................................................... 662
20.3 Operation ............................................................................................................................................. 664
20.3.1 List of operation commands............................................................................................................. 664
20.3.2 Confirming connection between MPs.............................................................................................. 664
20.3.3 Confirming the route between MPs ................................................................................................. 665
20.3.4 Confirming the state of MPs on a route ........................................................................................... 665
20.3.5 Confirming the state of CFM........................................................................................................... 666
20.3.6 Confirming detailed failure information .......................................................................................... 666
Part 6
Remote Network Management ...........................................................................667
21. Using SNMP to Manage Networks................................................................................667
21.1 Description........................................................................................................................................... 668
21.1.1 SNMP overview............................................................................................................................... 668
21.1.2 MIB overview.................................................................................................................................. 669
21.1.3 SNMPv1 and SNMPv2c operations................................................................................................. 671
21.1.4 Traps ................................................................................................................................................ 678
21.1.5 RMON MIB..................................................................................................................................... 679
21.2 Configuration ....................................................................................................................................... 681
21.2.1 List of configuration commands ...................................................................................................... 681
21.2.2 Configuring MIB access permissions in SNMPv1 and SNMPv2c .................................................. 681
21.2.3 Configuring the sending of traps in SNMPv1 and SNMPv2c ......................................................... 682
21.2.4 Suppressing link traps...................................................................................................................... 682
21.2.5 Configuring control information for the RMON Ethernet history group......................................... 683
21.2.6 Threshold check for specific MIB values by RMON ...................................................................... 684
21.2.7 Confirmation of communication with the SNMP manager ............................................................. 685
22. Log Output Functionality ..............................................................................................686
22.1 Description........................................................................................................................................... 687
22.2 Configuration ....................................................................................................................................... 689
22.2.1 List of configuration commands ...................................................................................................... 689
22.2.2 Configuring output of the log to syslog ........................................................................................... 689
22.2.3 Configuring addition of the HEADER part to log data output to syslog ......................................... 689
Part 7
Management of Neighboring Device Information.............................................690
23. LLDP................................................................................................................................690
23.1 Description........................................................................................................................................... 691
23.1.1 Overview ......................................................................................................................................... 691
23.1.2 Supported specifications .................................................................................................................. 691
23.1.3 Notes on using LLDP ...................................................................................................................... 694
23.2 Configuration ....................................................................................................................................... 696
23.2.1 List of configuration commands ...................................................................................................... 696
23.2.2 LLDP settings .................................................................................................................................. 696
23.3 Operation ............................................................................................................................................. 698
23.3.1 List of operation commands............................................................................................................. 698
23.3.2 Display of LLDP information.......................................................................................................... 698
Part 8
Port Mirroring......................................................................................................700
24. Port Mirroring ................................................................................................................700
24.1 Description........................................................................................................................................... 701
24.1.1 Overview of port mirroring.............................................................................................................. 701
24.1.2 Notes on using port mirroring.......................................................................................................... 702
24.2 Configuration ....................................................................................................................................... 706
24.2.1 List of configuration commands ...................................................................................................... 706
24.2.2 Configuring port mirroring .............................................................................................................. 706
Appendix ................................................................................................................................708
A. Relevant Standards ...................................................................................................................................... 709
A.1 IEEE 802.1X.......................................................................................................................................... 709
A.2 Web authentication ................................................................................................................................ 709
A.3 DHCP server functionality..................................................................................................................... 709
A.4 MAC-based authentication .................................................................................................................... 710
A.5 IEEE 802.3ah/UDLD............................................................................................................................. 710
A.6 CFM....................................................................................................................................................... 710
A.7 SNMP .................................................................................................................................................... 710
A.8 SYSLOG................................................................................................................................................ 711
A.9 LLDP ..................................................................................................................................................... 712
Index ................................................................................................................713
Part 1
Filters
1. Filters
Filtering is functionality used for forwarding and discarding received frames. This chapter
provides an overview of filtering and describes its use.
1.1 Description
1.2 Configuration
1.3 Operation
1.1 Description
Filtering is functionality used to forward and discard certain types of received frames. This
functionality is used to strengthen network security. Filtering can be used to limit each user's
access to the network. For example, you can forward Web data between an internal network and
an external network while at the same time discarding any Telnet and FTP data to prevent
unauthorized access from the external network and the leakage of information from the internal
network to the external network. The following figure shows an example of a network
configuration that uses filtering.
Figure 1-1: Example of a network configuration that uses filtering
1.1.1 Overview of filtering
The following figure shows the functional blocks for filtering on Switches.
Figure 1-2: Functional blocks for filtering on the Switches
The following table provides an overview of the functional blocks shown in the figure.
Table 1-1: Overview of functional blocks for filtering
Functional section | Overview
Flow control section, flow detection block | This block detects a flow (specific frames) that matches a condition, such as MAC address, protocol type, IP address, or TCP/UDP port number.
Flow control section, forwarding and discard blocks | These blocks forward and discard frames found by the flow detection block.
To use filtering on a Switch, create a filter entry that defines a combination of flow detection
conditions (such as MAC address, protocol type, IP address, or TCP/UDP port number) and an
operation (forward or discard).
The following describes how a filter works on a Switch.
1. The filter entries set for each interface are searched in the order of priority specified by the user.
2. The search terminates when a filter entry matching the frame is found.
3. Whether the frame is forwarded or discarded is determined according to the operation specified for the filter entry.
4. If the frame does not match any filter entry, the frame is discarded. For details about discarding, see 1.1.6 Implicit discarding.
1.1.2 Flow detection
The flow detection functionality detects the sequence of frames, based on conditions, such as the
MAC header, IP header, and TCP header, specified in access lists. For details about access lists,
see 1.1.5 Access lists.
Switches can perform flow detection for Ethernet V2 format frames and IEEE 802.3 SNAP/RFC
1042 format frames on receiving-side Ethernet and VLAN interfaces. The interface that can be
set depends on the flow detection mode. Note that the self-generated frames sent by a Switch are
not subject to flow detection.
1.1.3 Flow detection modes
Switches provide two flow detection modes for defining the network configuration and
operation pattern. Select the mode appropriate for your operating requirements. To specify the
flow detection mode, use the configuration command flow detection mode. The selected
flow detection mode applies to both filtering and QoS. If you do not specify the flow detection
mode, Layer 2-2 is set as the default mode.
Table 1-2: Relationship between flow detection modes and flow operations
Flow detection mode name | Purpose | Flow operation | Applicable interfaces
Layer 2-1 | Use this mode to perform flow control for IP packets and other frames. | Frames are detected based on MAC header information, such as MAC address and Ethernet type. | Ethernet and VLAN
Layer 2-2 | Use this mode to perform fine-tuned flow control specialized for IPv4 packets. | For IPv4 packets, frames are detected based on the IP header and TCP/UDP header. | Ethernet and VLAN
1.1.4 Flow detection conditions
To perform flow detection, specify the conditions for identifying the flow in the configuration.
The following table describes the flow detection conditions that can be specified for each flow
detection mode.
Table 1-3: Flow detection conditions that can be specified
Type | Header | Items set | Layer 2-1 Ethernet | Layer 2-1 VLAN | Layer 2-2 Ethernet | Layer 2-2 VLAN
MAC conditions | Configuration | VLAN ID#1 | Yes | No | No | No
MAC conditions | MAC header | Sender MAC address | Yes | Yes | No | No
MAC conditions | MAC header | Destination MAC address | Yes | Yes | No | No
MAC conditions | MAC header | Ethernet type | Yes | Yes | No | No
MAC conditions | MAC header | User priority#2 | Yes | Yes | No | No
IPv4 conditions | Configuration | VLAN ID#1 | No | No | Yes | No
IPv4 conditions | MAC header | User priority#2 | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3 | Upper layer protocol | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3 | Sender IP address | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3 | Destination IP address | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3 | TOS | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3 | DSCP | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3 | Precedence | No | No | Yes | Yes
IPv4 conditions | IPv4-TCP header | Sender port number | No | No | Yes | Yes
IPv4 conditions | IPv4-TCP header | Destination port number | No | No | Yes | Yes
IPv4 conditions | IPv4-TCP header | TCP control flag#4 | No | No | Yes | Yes
IPv4 conditions | IPv4-UDP header | Sender port number | No | No | Yes | Yes
IPv4 conditions | IPv4-UDP header | Destination port number | No | No | Yes | Yes
Legend Yes: Can be specified; No: Cannot be specified
#1 VLAN IDs that can be detected by flow detection on the Switch are the values assigned to VLANs entered during VLAN configuration. The ID of the VLAN to which the received frames belong will be detected.
#2 The user priority cannot be detected for frames that do not have a VLAN tag on the Switch. Therefore, user priority "3" is always detected. The user priority for a frame that has multiple VLAN tags is detected by counting from the MAC address side. The first VLAN tag encountered will be detected. The following figure shows an example of a frame that has multiple VLAN tags.
#3 Supplementary note for the ToS field specification
TOS: The values from bit 3 to bit 6 of the ToS field
Precedence: The values of the three highest-order bits of the ToS field
DSCP: The values of the six highest-order bits of the ToS field
#4 Packets whose ack, fin, psh, rst, syn, or urg flag is set to 1 are detected.
1.1.5 Access lists
To perform flow detection for the filter, set access lists in the configuration. The access list
you need to set depends on the flow detection condition. The type of detectable frames
depends on the flow detection conditions. The following table describes the relationship
between the access lists for flow detection conditions and detectable frame types.
Table 1-4: Relationship between the access lists for flow detection conditions and detectable frame types
Flow detection conditions | Access list | Flow detection mode | Detectable frame type: Non-IP | IPv4 | IPv6
MAC conditions | mac access-list | Layer 2-1 | Yes | Yes# | Yes#
IPv4 conditions | ip access-list | Layer 2-2 | No | Yes | No
Legend Yes: Can be detected; No: Cannot be detected
#: Can be detected only when specified for the Ethernet interface type.
An access list is applied to an interface by using the access group command. The application
order is determined by the sequence number specified as a parameter of an access list. Because
filter entry search is executed independently for each access list, a frame might match multiple
filter entries. If the frame matches multiple filter entries, only one filter entry is actually used.
(1) Operation when filter entries match the Ethernet interface and VLAN interface at the same time
When filter entries are set both on an Ethernet interface and on the VLAN interface to which that
Ethernet interface belongs, in order to filter frames received from the Ethernet interface, a frame
might match multiple filter entries. In such cases, a filter entry that specifies discarding (including
an implicit discard entry) has precedence. If both the Ethernet interface and the VLAN interface
match a filter entry that specifies forwarding, the filter entry on the Ethernet interface has
precedence. The following table describes the operation performed when a frame matches
multiple filter entries.
Table 1-5: Operation when a frame matches multiple filter entries
Matching Ethernet entry | Matching VLAN entry | Interface whose entry takes effect | Operation
Forward | Forward | Ethernet | Forward
Forward | Discard | VLAN | Discard
Discard | Forward | Ethernet | Discard
Discard | Discard | Ethernet | Discard
Flow detection modes to which this condition applies are Layer 2-1 and Layer 2-2.
1.1.6 Implicit discarding
Frames that do not match any flow detection conditions are discarded on an interface where
filtering is specified. A filter entry for implicit discarding is automatically generated when an
access list is generated. If an access list is not set, all frames are forwarded.
1.1.7 Notes on using filters
(1) Operation when multiple filter entries match
If a frame matches multiple filter entries, statistics are collected for the matched filter entries.
(2) Filtering of fragmented IPv4 packets
If the filter uses a TCP/UDP header specified as a flow detection condition for a fragmented
IPv4 packet, the second and subsequent fragments cannot be detected because the TCP/UDP
header is not in those packets. To filter packets including fragmented packets, specify the MAC
header or IP header in the flow detection conditions.
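The lookup order of 1.1.1, the implicit discard of 1.1.6, the Ethernet/VLAN precedence of Table 1-5 and the fragment behaviour described in (2) above, modelled in Python as an added example (this is not the Switch's implementation). The TELNET_DENY and FLOOR_A_PERMIT lists and the frames are constructed here after the configuration examples in 1.2.3, with TELNET_DENY assumed on the Ethernet port and FLOOR_A_PERMIT on its VLAN interface.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

FORWARD, DISCARD = "forward", "discard"


@dataclass
class Frame:
    """Constructed frame carrying only the fields the filter conditions inspect."""
    src_ip: str
    dst_ip: str
    protocol: str                     # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None    # None when no TCP/UDP header is present
    fragment_offset: int = 0          # > 0 for the second and later fragments

    @property
    def has_l4_header(self) -> bool:
        # Only the first fragment carries the TCP/UDP header (1.1.7 (2)).
        return self.protocol in ("tcp", "udp") and self.fragment_offset == 0


@dataclass
class Entry:
    seq: int                          # sequence number = search priority
    action: str                       # FORWARD or DISCARD
    match: Callable[[Frame], bool]
    hits: int = 0                     # statistics collected for this entry


def port_condition(proto: str, port: int) -> Callable[[Frame], bool]:
    """TCP/UDP destination port condition; never matches without an L4 header."""
    return lambda f: f.has_l4_header and f.protocol == proto and f.dst_port == port


def search(access_list: List[Entry], frame: Frame) -> str:
    """1.1.1: entries are searched in sequence order and the first match
    decides; 1.1.6: a frame matching no entry hits the implicit discard."""
    for entry in sorted(access_list, key=lambda e: e.seq):
        if entry.match(frame):
            entry.hits += 1
            return entry.action
    return DISCARD


def combine(eth_result: str, vlan_result: str):
    """Table 1-5: a discard on either interface wins; when both forward,
    the Ethernet entry takes effect. Returns (interface, operation)."""
    if eth_result == FORWARD and vlan_result == DISCARD:
        return "vlan", DISCARD
    if eth_result == DISCARD:
        return "ethernet", DISCARD
    return "ethernet", FORWARD


def filter_frame(eth_acl: Optional[List[Entry]],
                 vlan_acl: Optional[List[Entry]], frame: Frame):
    """Decision for a frame received on an Ethernet port whose VLAN interface
    may also carry a filter. None means no access list is set on that
    interface, so that interface forwards everything (1.1.6)."""
    if eth_acl is None and vlan_acl is None:
        return "none", FORWARD
    if eth_acl is None:
        return "vlan", search(vlan_acl, frame)
    if vlan_acl is None:
        return "ethernet", search(eth_acl, frame)
    return combine(search(eth_acl, frame), search(vlan_acl, frame))


# Constructed lists modelled on the page's TELNET_DENY (extended list, assumed
# on the Ethernet port) and FLOOR_A_PERMIT (standard list, on the VLAN interface).
TELNET_DENY = [
    Entry(10, DISCARD, port_condition("tcp", 23)),   # deny tcp any any eq telnet
    Entry(20, FORWARD, lambda f: True),              # permit ip any any
]
FLOOR_A_PERMIT = [
    Entry(10, FORWARD, lambda f: f.src_ip.startswith("192.168.0.")),
]


def demo():
    """Decisions for four constructed frames received on the Ethernet port."""
    telnet = Frame("192.168.0.5", "10.0.0.1", "tcp", dst_port=23)
    http = Frame("192.168.0.5", "10.0.0.1", "tcp", dst_port=80)
    outsider = Frame("172.16.0.9", "10.0.0.1", "tcp", dst_port=80)
    # Second fragment of the same Telnet packet: no TCP header to match on,
    # so it falls through to the permit entry, exactly the caveat in (2).
    telnet_frag = Frame("192.168.0.5", "10.0.0.1", "tcp", fragment_offset=1)
    return {
        "telnet": filter_frame(TELNET_DENY, FLOOR_A_PERMIT, telnet),
        "http": filter_frame(TELNET_DENY, FLOOR_A_PERMIT, http),
        "outsider": filter_frame(TELNET_DENY, FLOOR_A_PERMIT, outsider),
        "telnet_fragment": filter_frame(TELNET_DENY, FLOOR_A_PERMIT, telnet_frag),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} -> {decision}")
```

The outsider frame is dropped by the VLAN list's implicit discard entry even though the Ethernet list permits it, and the non-initial fragment is forwarded because the port condition cannot be evaluated, which is why the page recommends MAC or IP header conditions when fragments must be filtered.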
(3) Operation when filter entries are applied
When filter entries are applied# to a Switch interface, an implicit discard entry is applied first.
Therefore, frames that match the implicit discard condition are temporarily discarded until the
user-specified filter entries are applied. In addition, statistics for the implicit discard entry are
collected.
#
• When an access list containing one or more entries is applied to the interface by using the access group command
• When an access list is applied by using the access group command and the first entry is added.
(4) Operation when a filter entry changes
If a filter entry applied to an interface is changed on a Switch, frames to be detected cannot be
detected until the change has been applied. Consequently, such frames are temporarily detected
by another filter entry or the implicit discard entry.
(5) Coexistence with other functionalities
(a) Concurrent use with other functionalities
The following table describes the operation when the filter functionality is used concurrently
with the following functionality.
Table 1-6: Concurrent use of filter and other functionality
Functionality | Operation
DHCP snooping | Operating DHCP snooping on a port with filter conditions disables the filter functionality for DHCP frames (and ARP frames when dynamic ARP inspection is valid), so that these frames are forwarded.
IGMP snooping | Operating IGMP snooping on a port with filter conditions disables the filter functionality for IGMP frames, so that these frames are forwarded.
MLD snooping | Operating MLD snooping on a port with filter conditions disables the filter functionality for MLD frames, so that these frames are forwarded.
CFM | On a port with a MAC access list, CCM and other frames become implicit deny targets and are discarded.
(b) Statistics for concurrent operation with other functionality
If any of the conditions listed below is satisfied for a frame, it is discarded. However, if a frame
matches a filter entry specified for the interface, statistics for that filter entry are collected.
• A frame is received from a target VLAN port whose data transfer status is Blocking (data transfer is stopped).
• A frame that has a VLAN tag is received via either a protocol VLAN or a MAC VLAN.
• A frame is received from a port specified for inter-port relay-blocking functionality.
• A frame that does not have a VLAN tag is received when the native VLAN is not set as a VLAN that uses a trunk port for sending and receiving frames.
• A received frame that has a VLAN tag is not set for a VLAN that uses a trunk port for sending and receiving frames.
(6) Restrictions when applying filter conditions
For frames to be received in a channel group, only filter conditions for an access group set to a
VLAN interface are applied.
1.2 Configuration
1.2.1 List of configuration commands
The following table describes the commands used to configure filtering.
Table 1-7: List of configuration commands
Command | Description
deny | Specifies the condition in MAC or IPv4 filtering for discarding access.
flow detection mode | Sets the flow detection mode for the filter and QoS control.
ip access-group | Applies an IPv4 filter to an Ethernet interface or VLAN interface and enables IPv4 filtering.
ip access-list extended | Sets an access list to be used for IPv4 packet filtering.
ip access-list resequence | Resets the sequence number for the order in which the filter conditions are applied for IPv4 address filtering or IPv4 packet filtering.
ip access-list standard | Sets an access list to be used for IPv4 address filtering.
mac access-group | Applies a MAC filter to an Ethernet interface or VLAN interface and enables MAC filtering.
mac access-list resequence | Resets the sequence number for the order in which the filter conditions are applied for MAC filtering.
mac access-list extended | Sets an access list to be used for MAC filtering.
permit | Specifies the condition in MAC or IPv4 filtering for forwarding access.
remark | Specifies supplementary information for filtering.
1.2.2 Frame forwarding and discarding by MAC header
(1) Setting the flow detection mode
The following is an example of specifying the flow detection mode for filtering.
Overview
First set the flow detection mode to determine the basic operating conditions of the
hardware.
Configuration command example
1. (config)# flow detection mode layer2-1
Enables Layer 2-1 as the flow detection mode.
(2) Example of using MAC headers as the flow detection condition
The following is an example of specifying frame forwarding and discarding based on a MAC
header specification as the flow detection condition.
Overview
When frames are received, flow detection is performed based on the MAC header. The
frames that match the filter entry are either discarded or forwarded.
Configuration command example
1. (config)# mac access-list extended IPX_DENY
Creates mac access-list (IPX_DENY), and then switches to MAC filtering mode.
2. (config-ext-macl)# deny any any ipx
Sets a MAC filter that discards frames whose Ethernet type is IPX.
3. (config-ext-macl)# permit any any
Sets a MAC filter that forwards all frames.
4. (config-ext-macl)# exit
Returns from MAC filtering mode to global configuration mode.
5. (config)# interface fastethernet 0/1
Switches to the interface mode for port 0/1.
6. (config-if)# mac access-group IPX_DENY in
(config-if)# exit
Enables the MAC filtering on the receiving side.
1.2.3 Frame forwarding and discarding by IP header and TCP/UDP header
(1) Setting the flow detection mode
The following is an example of specifying the flow detection mode for filtering.
Overview
First set the flow detection mode to determine the basic operating conditions of the
hardware.
Configuration command example
1. (config)# flow detection mode layer2-2
Enables Layer 2-2 as the flow detection mode.
(2) Using IPv4 addresses as the flow detection condition
The following is an example of specifying frame forwarding and discarding based on an IPv4
address specification as the flow detection condition.
Overview
When frames are received, flow detection is performed based on the sender IPv4 address.
The frames that match the filter entry are forwarded. All IP packets that do not match the
filter entry are discarded.
Configuration command example
1. (config)# ip access-list standard FLOOR_A_PERMIT
Creates ip access-list (FLOOR_A_PERMIT), and then switches to IPv4 address filtering mode.
2. (config-std-nacl)# permit 192.168.0.0 0.0.0.255
Sets an IPv4 address filter that forwards frames whose sender IP address is in the 192.168.0.0/24 network.
3. (config-std-nacl)# exit
Returns from IPv4 address filtering mode to global configuration mode.
4. (config)# interface vlan 10
Switches to the interface mode for VLAN10.
5. (config-if)# ip access-group FLOOR_A_PERMIT in
(config-if)# exit
Enables IPv4 filtering on the receiving side.
(3) Using IPv4 packets as the flow detection condition
The following is an example of specifying frame forwarding and discarding based on an IPv4 Telnet packet specification as the flow detection condition.
Overview
When frames are received, flow detection is performed based on the IP header or
TCP/UDP header, and the frames that match the filter entry are discarded.
Configuration command example
1. (config)# ip access-list extended TELNET_DENY
Creates ip access-list (TELNET_DENY), and then switches to IPv4 packet filtering mode.
2. (config-ext-nacl)# deny tcp any any eq telnet
Sets an IPv4 packet filter that discards Telnet packets.
3. (config-ext-nacl)# permit ip any any
Sets an IPv4 packet filter that forwards all frames.
4. (config-ext-nacl)# exit
Returns from IPv4 packet filtering mode to global configuration mode.
5. (config)# interface vlan 10
Switches to the interface mode for VLAN 10.
6. (config-if)# ip access-group TELNET_DENY in
(config-if)# exit
Enables IPv4 filtering on the receiving side.
1.2.4 Setting multiple interface filters
The following is an example of specifying a filter on multiple Ethernet interfaces.
Overview
A filter can be set for multiple Ethernet interfaces in config-if-range mode.
Configuration command example
1. (config)# ip access-list standard HOST_IP
(config-std-nacl)# permit host 192.168.0.1
(config-std-nacl)# exit
Sets an IPv4 address filter that forwards only frames from the host 192.168.0.1.
2. (config)# interface range fastethernet 0/1-4
Switches to the interface mode for ports 0/1-4.
3. (config-if-range)# ip access-group HOST_IP in
(config-if-range)# exit
Enables IPv4 filtering on the receiving side.
1.3 Operations
To make sure that the information you have set is applied, use the operation command show
access-filter.
1.3.1 List of operation commands
The following table describes the operation commands used for filtering.
Table 1-8: List of operation commands
Command | Description
show access-filter | Displays statistics on the access lists (mac access-list and ip access-list) set by the access group commands (mac access-group and ip access-group).
clear access-filter | Clears statistics on the access lists (mac access-list and ip access-list) set by the access group commands (mac access-group and ip access-group).
1.3.2 Checking filters
(1) Checking the entries set for an Ethernet interface
The following shows how to check operation when a filter is set for an Ethernet interface.
Figure 1-3: Checking operation when a filter is set for an Ethernet interface
> show access-filter 0/1
Date 2008/09/19 15:11:21 UTC
Using Port: interface fastethernet 0/1 in
Extended MAC access-list: acl-mac
  remark "permit of mac access-list extended" in
  10 permit host 001b.7888.1ffa any
    matched packets           : 0
  implicitly denied packets   : 20
>
Make sure that Extended MAC access-list is displayed for the filter for the specified port.
(2) Checking the entries set for a VLAN interface
The following shows how to check operation when a filter is set for a VLAN interface.
Figure 1-4: Checking operation when a filter is set for a VLAN interface
> show access-filter interface vlan 1
Date 2008/09/18 12:56:14 UTC
Using Port: interface vlan 1 in
Extended IP access-list: acl-ext
  remark "permit of ip access-list extended"
  10 permit tcp 172.16.89.29 0.0.0.255 any
    matched packets           : 0
  implicitly denied packets   : 14
>
Make sure that Extended IP access-list is displayed for the filter for the specified VLAN.
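The following is an added example, not the Switch's own code, that models how the access lists configured in 1.2.3 and 1.2.4 are evaluated and how the "matched packets" and "implicitly denied packets" counters of show access-filter arise. It assumes that entries are tested in order, that the first match decides, and that a frame matching no entry is discarded by the implicit deny entry. The list names and addresses are taken from the configuration examples above; the traffic fed through them is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Model of access-list evaluation (added example, not the Switch's own code).
# Assumption: first match wins; no match -> implicit deny.


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str = "any"                # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    proto: str = "ip"               # "ip" (any IPv4), "tcp" or "udp"
    dst_port: Optional[int] = None  # "eq <port>" on the destination port
    matched: int = 0                # reported as "matched packets"


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against a wildcard-mask specification (a 0 bit must match)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class AccessList:
    name: str
    entries: List[Entry] = field(default_factory=list)
    implicitly_denied: int = 0      # reported as "implicitly denied packets"

    def evaluate(self, src: str, proto: str = "ip", dst_port: Optional[int] = None) -> str:
        for e in self.entries:
            if e.proto != "ip" and e.proto != proto:
                continue
            if e.dst_port is not None and e.dst_port != dst_port:
                continue
            if not _addr_matches(e.src, src):
                continue
            e.matched += 1
            return e.action
        self.implicitly_denied += 1   # no entry matched: implicit discard
        return "deny"

    def show(self) -> List[str]:
        """Counter report in the spirit of Figure 1-4 (layout is this example's own)."""
        lines = [f"IP access-list: {self.name}"]
        for i, e in enumerate(self.entries, start=1):
            port = f" eq {e.dst_port}" if e.dst_port is not None else ""
            lines.append(f"  {i * 10} {e.action} {e.proto} {e.src}{port}")
            lines.append(f"    matched packets : {e.matched}")
        lines.append(f"  implicitly denied packets : {self.implicitly_denied}")
        return lines


def floor_a_permit() -> AccessList:
    """Standard list of 1.2.3 (2): permit 192.168.0.0 0.0.0.255; everything else is implicitly denied."""
    return AccessList("FLOOR_A_PERMIT", [Entry("permit", "192.168.0.0 0.0.0.255")])


def telnet_deny() -> AccessList:
    """Extended list of 1.2.3 (3): deny tcp any any eq telnet, then permit ip any any."""
    return AccessList("TELNET_DENY", [Entry("deny", "any", "tcp", 23),
                                      Entry("permit", "any", "ip")])


def demo() -> Tuple[List[str], List[str]]:
    """Constructed traffic run through both lists; returns the per-packet decisions."""
    a = floor_a_permit()
    floor = [a.evaluate("192.168.0.77"),            # inside 192.168.0.0/24: permitted
             a.evaluate("192.168.1.5"),             # outside the network: implicit deny
             a.evaluate("10.0.0.1")]                # implicit deny
    t = telnet_deny()
    telnet = [t.evaluate("10.1.1.1", "tcp", 23),    # Telnet: discarded by entry 10
              t.evaluate("10.1.1.1", "tcp", 22),    # other TCP: reaches permit ip any any
              t.evaluate("10.1.1.1", "udp", 23)]    # UDP 23 is not TCP: permitted
    return floor, telnet


if __name__ == "__main__":
    print(demo())
    print("\n".join(floor_a_permit().show()))
```

The standard list shows why "implicitly denied packets" is usually the most interesting counter when a permit-only list is applied: every host outside 192.168.0.0/24 lands there, not on any visible entry.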
Part 2
QoS
2. Overview of QoS Control
The QoS control functionality provides marking, determination of priority, and bandwidth
control as a means of controlling communications quality and ensuring the efficient use of
limited network resources, such as line bandwidth and queue buffer capacity. This chapter
describes QoS control on the Switches.
2.1 Structure of QoS control
2.2 Description of common processing
2.3 Configuration common to QoS control
2.4 Operations common to QoS control
2.1 Structure of QoS control
Along with best-effort traffic, which does not require guaranteed communications quality, the
growing diversification of network services has meant an increase in real-time and guaranteed
bandwidth traffic. Use QoS control on Switches to provide communications quality appropriate
for the type of traffic. QoS control on the Switches ensures the efficient use of limited network
resources, such as line bandwidth and queue buffer capacity. To satisfy the many types of
communications quality required for applications, use QoS control to distribute network
resources in the most appropriate manner.
The following figure shows the functional blocks for QoS control on the Switches.
Figure 2-1 Functional blocks for QoS control on the Switches
The following table provides an overview of the functional blocks shown in the figure.
Table 2-1: Overview of the functional blocks for QoS control
Section | Functional block | Overview
Receive processing section | Frame reception | Receives frames and searches the MAC address table.
Common processing section | User priority mapping | Determines priority based on the user priority in the VLAN tag of received frames.
Flow control section | Flow detection | Detects a frame matching a condition, such as MAC address, protocol type, IP address, and port number.
Flow control section | Marking | Updates the user priority in the VLAN tag or the DSCP in the IP header.
Flow control section | Priority determination | Determines the priority of frames.
Send control section | Shaper | Controls the output order of frames from queues and the output bandwidth.
Send processing section | Frame sending | Sends frames controlled by the shaper.
QoS control on the Switch uses user priority mapping or flow control to determine the priority of
received frames. User priority mapping determines the priority based on user priority in the
VLAN tag of a received frame. Use flow control to determine the priority based on whether the
frame matches a specific condition, such as the MAC address or IP address, rather than based on
the user priority.
The priority determined by flow control has precedence over user priority mapping. You can
also use flow control to employ marking in addition to priority determination. Marking and
priority determination can operate concurrently for the frames detected by flow detection. Send
control uses the shaper based on the priority determined by user priority mapping or flow
control.
2.2 Description of common processing
The following figure shows the positioning of user priority mapping described in this section.
Figure 2-2 Positioning of user priority mapping
2.2.1 User priority mapping
The user priority mapping functionality determines priority based on the user priority in the
VLAN tags of received frames. User priority mapping is always running on the Switch to
determine the priority for all received frames. CoS values that indicate the priority on the Switch
are used as priority values. The user priority value of the received frame is mapped to a CoS
value, and the send queue is determined based on the CoS value. For details about the
correspondence between the CoS values and send queues, see 3.7.2 CoS mapping functionality.
The user priority is the three highest-order bits of the tag information (tag control) in the VLAN
tag header. Note that CoS value 3 is always used for frames without a VLAN tag.
When running, priority determination by flow control has precedence over user priority
mapping.
Table 2-2: Mapping of user priority values to CoS values
Frame type | User priority value in the VLAN tag | Mapped CoS value
Without VLAN tag | -- | 3
With VLAN tag | 0 | 0
With VLAN tag | 1 | 1
With VLAN tag | 2 | 2
With VLAN tag | 3 | 3
With VLAN tag | 4 | 4
With VLAN tag | 5 | 5
With VLAN tag | 6 | 6
With VLAN tag | 7 | 7
Legend --: Not applicable
2.3 Configurations common to QoS control
2.3.1 List of configuration commands
The following table describes the configuration commands used to configure QoS control.
Table 2-3: List of configuration commands
Command | Description
flow detection mode | Sets the flow detection mode for the filter and QoS control.
ip qos-flow-group | Applies an IPv4 QoS flow list to an Ethernet interface or VLAN and enables IPv4 QoS control.
ip qos-flow-list | Sets the QoS flow list used for IPv4 QoS flow detection.
ip qos-flow-list resequence | Resets the sequence numbers that determine the order in which the conditions in the IPv4 QoS flow list are applied.
limit-queue-length | Sets the queue length of a physical port for the Switch.
mac qos-flow-group | Applies a MAC QoS flow list to an Ethernet interface or VLAN and enables MAC QoS control.
mac qos-flow-list | Sets the QoS flow list used for MAC QoS flow detection.
mac qos-flow-list resequence | Resets the sequence numbers that determine the order in which the conditions in the MAC QoS flow list are applied.
qos | Sets the flow detection condition and the operation to be performed in the QoS flow list.
qos-queue-group | Applies QoS queue list information to an Ethernet interface and enables the legacy shaper.
qos-queue-list | Sets the scheduling mode in QoS queue list information.
remark | Specifies supplementary information for QoS.
traffic-shaper rate | Sets port bandwidth control for an Ethernet interface.
control-packet user-priority | Sets the user priority in the VLAN tags of frames spontaneously sent by the Switch.
2.4 Operations common to QoS control
2.4.1 List of operation commands
The following table describes the operation commands common to QoS control.
Table 2-4: List of operation commands
Command | Description
show qos-flow | Displays statistics on the QoS flow lists (mac qos-flow-list and ip qos-flow-list) set by the QoS flow group commands (mac qos-flow-group and ip qos-flow-group).
clear qos-flow | Clears statistics on the QoS flow lists (mac qos-flow-list and ip qos-flow-list) set by the QoS flow group commands (mac qos-flow-group and ip qos-flow-group).
show qos queueing | Displays statistics on send queues for the Ethernet interface.
clear qos queueing | Clears statistics on send queues for the Ethernet interface.
3. Flow Control
This chapter describes flow control (flow detection, marking, and priority determination) for
Switches.
3.1 Description of flow detection
3.2 Configuring flow detection
3.3 Flow detection operations
3.4 Description of marking
3.5 Configuring marking
3.6 Marking operation
3.7 Description of priority determination
3.8 Priority determination configuration
3.9 Priority operations
3.10 Description of user priority for self-generated frames
3.11 Configuring user priority for self-generated frames
3.1 Description of flow detection
The flow detection functionality detects the sequence of frames based on conditions, such as the
MAC header, IP header, and TCP header. QoS flow lists are used to set up flow detection. For
details about the QoS flow lists, see 3.1.3 QoS flow lists. Switches can perform flow detection
for Ethernet V2 format frames and IEEE 802.3 SNAP/RFC 1042 format frames on
receiving-side Ethernet and VLAN interfaces. The interface that can be set depends on the flow
detection mode. Note that the self-generated frames sent by a Switch are not subject to flow
detection.
The following figure shows the positioning of the flow detection block described in this section.
Figure 3-1: Positioning of the flow detection block
3.1.1 Flow detection modes
Switches provide two flow detection modes for defining the network configuration and
operation pattern. Select the mode appropriate for your operating requirements. To specify the
flow detection mode, use the configuration command flow detection mode. The selected flow
detection mode applies to both filtering and QoS. If you do not specify the flow detection mode,
Layer 2-2 is set as the default mode.
Table 3-1: Relationship between the flow detection modes and flow operations
Flow detection mode name | Purpose | Flow operation | Applicable interfaces
Layer 2-1 | Use this mode to perform flow control for IP packets and other frames. | Frames are detected based on MAC header information, such as MAC address and Ethernet type. | Ethernet and VLAN
Layer 2-2 | Use this mode to perform fine-tuned flow control specialized for IPv4 packets. | For IPv4 packets, frames are detected based on the IP header and TCP/UDP header. | Ethernet and VLAN
3.1.2 Flow detection conditions
To perform flow detection, specify the conditions for identifying the flow in the configuration.
The following table describes the flow detection conditions that can be specified for each flow
detection mode.
Table 3-2: Flow detection conditions that can be specified
Type | Items set | Layer 2-1 Ethernet | Layer 2-1 VLAN | Layer 2-2 Ethernet | Layer 2-2 VLAN
MAC conditions | Configuration: VLAN ID#1 | Yes | No | No | No
MAC conditions | MAC header: Sender MAC address | Yes | Yes | No | No
MAC conditions | MAC header: Destination MAC address | Yes | Yes | No | No
MAC conditions | MAC header: Ethernet type | Yes | Yes | No | No
MAC conditions | MAC header: User priority#2 | Yes | Yes | No | No
IPv4 conditions | Configuration: VLAN ID#1 | No | No | Yes | No
IPv4 conditions | MAC header: User priority#2 | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3: Upper layer protocol | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3: Sender IP address | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3: Destination IP address | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3: TOS | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3: DSCP | No | No | Yes | Yes
IPv4 conditions | IPv4 header#3: Precedence | No | No | Yes | Yes
IPv4 conditions | IPv4-TCP header: Sender port number | No | No | Yes | Yes
IPv4 conditions | IPv4-TCP header: Destination port number | No | No | Yes | Yes
IPv4 conditions | IPv4-TCP header: TCP control flag#4 | No | No | Yes | Yes
IPv4 conditions | IPv4-UDP header: Sender port number | No | No | Yes | Yes
IPv4 conditions | IPv4-UDP header: Destination port number | No | No | Yes | Yes
Legend Yes: Can be specified; No: Cannot be specified
#1
VLAN IDs that can be detected by flow detection on the Switch are the values assigned to
VLANs entered during VLAN configuration. The ID of the VLAN to which the input
frames belong will be detected.
#2
The user priority cannot be detected for frames that do not have a VLAN tag on the Switch.
Therefore user priority "3" is always detected. The user priority for a frame that has
multiple VLAN tags is detected by counting from the MAC address side. The first VLAN
tag encountered will be detected. The following figure shows an example of a frame that
has multiple VLAN tags.
#3
Supplementary note for the ToS field specification
TOS: The values of bit 3 to bit 6 of the ToS field
Precedence: The values of the three highest-order bits of the ToS field
DSCP: The values of the six highest-order bits of the ToS field
#4
Packets whose ack, fin, psh, rst, syn, or urg flag is set to 1 are detected.
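The following is an added example, not the Switch's own code, that decodes from a raw IPv4 packet the header items of Table 3-2 and the footnotes above: Precedence, DSCP and TOS as the bit ranges of footnote #3 (bits numbered 0 to 7 from the most significant bit), the TCP control flags of footnote #4, and the L4 ports, which exist only in the first fragment of a fragmented packet. The packet builder, the addresses and the port numbers are constructed for the example.

```python
import struct
from typing import Dict

# Decoder for the IPv4/TCP/UDP flow detection items of Table 3-2
# (added example, not the Switch's own code).

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def tos_fields(tos_byte: int) -> Dict[str, int]:
    """Footnote #3: bit 0 is the most significant bit of the ToS byte."""
    return {
        "precedence": tos_byte >> 5,        # bits 0-2
        "dscp": tos_byte >> 2,              # bits 0-5
        "tos": (tos_byte >> 1) & 0x0F,      # bits 3-6
    }


def decode_ipv4(pkt: bytes) -> Dict[str, object]:
    """Extract the flow detection items from an IPv4 packet (header starts at offset 0)."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack_from("!BBHHHBBH", pkt, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    fields: Dict[str, object] = {
        "protocol": proto,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "fragment_offset": flags_frag & 0x1FFF,
        "more_fragments": bool(flags_frag & 0x2000),
    }
    fields.update(tos_fields(tos))
    # The TCP/UDP header is only present in the first fragment (3.1.4 (2)): a later
    # fragment carries payload bytes where the ports would be, so they are not decoded.
    if fields["fragment_offset"] == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        fields["src_port"], fields["dst_port"] = struct.unpack_from("!HH", pkt, ihl)
        if proto == 6 and len(pkt) >= ihl + 14:
            flag_byte = pkt[ihl + 13]
            fields["tcp_flags"] = sorted(n for n, bit in TCP_FLAG_BITS.items() if flag_byte & bit)
    return fields


def tcp_control_flag_set(fields: Dict[str, object]) -> bool:
    """Footnote #4: detected when any of ack, fin, psh, rst, syn or urg is set to 1."""
    return bool(fields.get("tcp_flags"))


def build_packet(src: str, dst: str, proto: int, tos: int = 0, sport: int = 0, dport: int = 0,
                 tcp_flags: int = 0, frag_offset: int = 0, more: bool = False) -> bytes:
    """Constructed sample packet: IPv4 header plus a minimal TCP/UDP header (checksums left 0).
    For a non-first fragment the L4 header is replaced by 8 bytes of payload."""
    flags_frag = (0x2000 if more else 0) | (frag_offset & 0x1FFF)
    if frag_offset != 0:
        l4 = bytes(8)
    elif proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 0, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4), 0, flags_frag, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return hdr + l4


if __name__ == "__main__":
    p = build_packet("172.16.89.29", "10.0.0.1", 6, tos=0xB8, sport=40000, dport=23, tcp_flags=0x12)
    print(decode_ipv4(p))
```

Note that a DSCP condition and a Precedence condition are different views of the same byte: a packet with ToS 0xB8 matches DSCP 46 and Precedence 5 at the same time, while its "TOS" value in the Switch's sense is 12.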
3.1.3 QoS flow lists
To perform QoS flow detection, specify QoS flow lists in the configuration. The QoS flow list
you need to configure depends on the flow detection conditions. The type of detectable frames
also depends on the flow detection conditions. The following table describes the relationship
between the QoS flow lists for flow detection conditions and detectable frame types.
Table 3-3: Relationship between QoS flow lists for flow detection conditions and detectable frame types
Flow detection conditions | QoS flow list | Flow detection mode | Detectable frame type: Non-IP | Detectable frame type: IPv4 | Detectable frame type: IPv6
MAC conditions | mac qos-flow-list | Layer 2-1 | Yes | Yes# | Yes#
IPv4 conditions | ip qos-flow-list | Layer 2-2 | No | Yes | No
Legend Yes: Can be detected; No: Cannot be detected
# Can be detected only when specified for the Ethernet interface type.
Use a QoS flow group command to apply the QoS flow lists to an interface. The order in which
the flow lists are applied is determined by the sequence number specified as a parameter of the
QoS flow list. Because QoS entry searching is performed independently for each QoS flow list,
a frame might match multiple QoS entries. If a frame matches multiple QoS entries, only one
QoS entry is actually used.
(1) Operation when QoS entries match on the Ethernet interface and VLAN interface at the same time
If QoS entries for an Ethernet interface and the VLAN interface to which the Ethernet interface
belongs are set to perform QoS flow detection for frames received from the Ethernet interface, a
frame might match multiple QoS entries. In such cases, the QoS entry on the Ethernet interface
has precedence. The following table describes the operation performed when a frame matches
multiple QoS entries.
Table 3-4: Operation performed when a frame matches multiple QoS entries
Entry on the Ethernet interface matches | Entry on the VLAN interface matches | QoS entry applied
Yes | No | Ethernet
No | Yes | VLAN
Yes | Yes | Ethernet
Legend Yes: Matches; No: Does not match
Flow detection modes to which this condition applies are Layer 2-1 and Layer 2-2.
3.1.4 Notes on using flow detection
(1) Operation when multiple QoS entries are matched
If a frame matches multiple QoS entries, statistics for the matching QoS entries are collected.
(2) QoS flow detection for fragmented IPv4 packets
If QoS flow detection uses a TCP/UDP header specified as a flow detection condition for a
fragmented IPv4 packet, the second and subsequent fragments cannot be detected because the
TCP/UDP header is not in those packets. To perform QoS flow detection for frames that include
fragmented packets, specify the MAC header or IP header in the flow detection conditions.
(3) Operation when a QoS entry changes
If a QoS entry applied to an interface is changed on a Switch, frames to be detected cannot be
detected until the change has been applied. Consequently, such frames are detected as if they
matched another QoS entry.
(4) Concurrent operation with other functionalities
If any of the conditions listed below is satisfied for a frame, it is discarded. However, if a frame
matches a QoS entry specified for the interface, statistics for that QoS entry are collected.
• A frame is received from a target VLAN port whose data transfer status is Blocking (data transfer is stopped).
• A frame that has a VLAN tag is received via a protocol VLAN or a MAC VLAN.
• A frame is received from a port specified for the inter-port relay-blocking functionality.
• A frame that does not have a VLAN tag is received when the native VLAN is not set as a VLAN that uses a trunk port for sending and receiving frames.
• A received frame that has a VLAN tag is not set for a VLAN that uses a trunk port for sending and receiving frames.
• A frame matching a filter entry specifying discarding (including an implicit discard entry) is received.
(5) Restrictions when applying QoS flow detection conditions
For frames to be received in a channel group, only QoS flow detection conditions are applied for
a QoS flow group set to a VLAN interface.
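The following is an added example, not the Switch's own code, of the matching rules described in 3.1.3 and 3.1.4: a received frame is searched against the QoS flow group on its Ethernet port and, independently, against the group on the VLAN the port belongs to; statistics are counted for every matching entry, but only one action is applied and the Ethernet interface has precedence (Table 3-4). Entries with TCP/UDP conditions cannot match the second and later fragments of a packet, which carry no L4 header. The example assumes that entries within one list are tried in sequence-number order and that the first match wins; the list names, addresses and actions are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Model of QoS entry matching on an Ethernet port and its VLAN
# (added example, not the Switch's own code).

L4_KEYS = ("src_port", "dst_port", "tcp_flags")   # conditions that need a TCP/UDP header


@dataclass
class QosEntry:
    seq: int
    conditions: Dict[str, object]   # e.g. {"dst": "192.168.100.10", "dst_port": 80}
    action: Dict[str, int]          # e.g. {"cos": 6} or {"replace_dscp": 46}
    matched: int = 0                # reported as "matched packets" by show qos-flow

    def matches(self, frame: Dict[str, object]) -> bool:
        for key, want in self.conditions.items():
            if key in L4_KEYS and frame.get("fragment_offset", 0) != 0:
                return False        # 3.1.4 (2): no TCP/UDP header in later fragments
            if frame.get(key) != want:
                return False
        return True


@dataclass
class QosFlowGroup:
    name: str
    entries: List[QosEntry] = field(default_factory=list)

    def first_match(self, frame: Dict[str, object]) -> Optional[QosEntry]:
        """Assumption: entries are tried in sequence-number order, first match wins."""
        for e in sorted(self.entries, key=lambda e: e.seq):
            if e.matches(frame):
                e.matched += 1      # 3.1.4 (1): counted even if another entry's action is applied
                return e
        return None


def detect(frame: Dict[str, object], port_group: Optional[QosFlowGroup],
           vlan_group: Optional[QosFlowGroup]) -> Tuple[Optional[Dict[str, int]],
                                                        Optional[QosEntry], Optional[QosEntry]]:
    """Search both groups independently; return (action applied, port hit, VLAN hit).
    Table 3-4: when both match, the entry on the Ethernet interface is applied."""
    port_hit = port_group.first_match(frame) if port_group else None
    vlan_hit = vlan_group.first_match(frame) if vlan_group else None
    chosen = port_hit if port_hit is not None else vlan_hit
    return (None if chosen is None else chosen.action), port_hit, vlan_hit


def build_demo() -> Tuple[QosFlowGroup, QosFlowGroup]:
    """Constructed groups: the port marks CoS 6 for one host, the VLAN marks CoS 2 for HTTP to it."""
    port = QosFlowGroup("PORT-LIST", [QosEntry(10, {"dst": "192.168.100.10"}, {"cos": 6})])
    vlan = QosFlowGroup("VLAN-LIST", [QosEntry(10, {"dst": "192.168.100.10", "dst_port": 80}, {"cos": 2})])
    return port, vlan


if __name__ == "__main__":
    port, vlan = build_demo()
    web = {"dst": "192.168.100.10", "protocol": 6, "dst_port": 80, "fragment_offset": 0}
    print(detect(web, port, vlan))        # CoS 6 applied, both entries counted
    frag = {"dst": "192.168.100.10", "protocol": 6, "fragment_offset": 185}
    print(detect(frag, None, vlan))       # VLAN entry needs dst_port: no match for a fragment
```

The fragment case is why 3.1.4 (2) recommends MAC or IP header conditions when fragmented traffic must be caught: the port-level entry, which only looks at the destination address, still matches the fragment while the port-number entry does not.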
3.2 Configuring flow detection
3.2.1 Setting the flow detection mode
The following is an example of specifying the flow detection mode for QoS control.
Overview
First set the flow detection mode to determine the basic operating conditions of the
hardware.
Configuration command example
1. (config)# flow detection mode layer2-2
Enables Layer 2-2 as the flow detection mode.
3.2.2 Configuring QoS control for multiple interfaces
The following is an example of specifying QoS control on multiple Ethernet interfaces.
Overview
By enabling QoS control in config-if-range mode, you can set QoS control for
multiple Ethernet interfaces.
Configuration command example
1. (config)# ip qos-flow-list QOS-LIST1
Creates an IPv4 QoS flow list (QOS-LIST1), and then switches to IPv4 QoS flow list mode.
2. (config-ip-qos)# qos ip any host 192.168.100.10 action cos 6
Configures the QoS flow list for destination IP address 192.168.100.10, and then sets a CoS value of 6.
3. (config-ip-qos)# exit
Returns from IPv4 QoS flow list mode to global configuration mode.
4. (config)# interface range fastethernet 0/1-4
Switches to the interface mode for ports 0/1-4.
5. (config-if-range)# ip qos-flow-group QOS-LIST1 in
(config-if-range)# exit
Enables the IPv4 QoS flow list on the receiving side.
3.3 Flow detection operations
To make sure that the set information is applied, use the operation command show qos-flow.
3.3.1 Checking QoS control operation when IPv4 packets are set as the flow detection condition
The following figure shows how to check QoS control operation when IPv4 packets are set as
the flow detection condition.
Figure 3-2: Checking QoS control operation when IPv4 packets are set as the flow
detection condition
> show qos-flow 0/1
Date 2008/09/18 18:47:48 UTC
Using Port: interface fastethernet 0/1 in
IP qos-flow-list: QOS-LIST1
  remark "cos 6"
  10 qos tcp any host 10.10.10.2 eq 80 action cos 6
    matched packets           : 0
>
Make sure that IP qos-flow-list is displayed for the QoS control for the specified port.
3.4 Description of marking
Marking is functionality used for updating the user priority in a VLAN tag and the DSCP in an
IP header for frames detected by flow detection. The following figure shows the positioning of
the marking block described in this section.
Figure 3-3: Positioning of the marking block
3.4.1 User priority updating
User priority updating is functionality that updates the user priority in the VLAN tag of a frame
detected by flow detection. The user priority is the three highest-order bits of the Tag Control
field shown in the following figure.
Figure 3-4: Header format of a VLAN tag
When the user priority is updated for frames that have multiple VLAN tags, the user priority in
the first VLAN tag encountered when counting from the MAC address side is updated. The
following figure shows the format of a frame that has multiple VLAN tags.
Figure 3-5: Overview of the format of a frame that has multiple VLAN tags
If user priority updating and priority determination are specified at the same time, the user
priority is determined by the CoS value determined by the priority determination functionality.
The following table shows user priority when priority determination and user priority updating
are specified at the same time.
Table 3-5: User priority when priority determination and user priority updating are specified at the same time
CoS value determined by priority determination | User priority
0 | 0
1 | 1
2 | 2
3 | 3
4 | 4
5 | 5
6 | 6
7 | 7
3.4.2 DSCP updating
DSCP updating is functionality that is used to update the DSCP, which is the six highest-order
bits of the TOS field in the IPv4 header. The following figure shows the format of the TOS field.
Figure 3-6: Format of the TOS field
As shown, the six highest-order bits of the TOS field of the detected frame are updated.
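The following is an added example, not the Switch's own code, that shows on raw frame bytes both the user priority mapping of 2.2.1 (the user priority is the three highest-order bits of the Tag Control field, untagged frames always get CoS 3, and for a frame with several VLAN tags the first tag counted from the MAC address side is used, as in footnote #2 of Table 3-2) and the marking of 3.4: user priority updating rewrites only those three bits and leaves CFI and VLAN ID alone, DSCP updating rewrites the six highest-order bits of the ToS byte and leaves the low two bits alone, and when priority determination and user priority updating are both specified the written user priority follows the CoS value (Table 3-5). The MAC addresses, VLAN IDs and the minimal IPv4 header are constructed for the example; the IPv4 header checksum is not recomputed.

```python
import struct
from typing import List, Optional, Tuple

# Frame-level view of user priority mapping (2.2.1) and marking (3.4)
# (added example, not the Switch's own code).

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
UNTAGGED_COS = 3   # Table 2-2: frames without a VLAN tag always get CoS 3


def first_tag_offset(frame: bytes) -> Optional[int]:
    """Offset of the first VLAN tag counted from the MAC address side, or None if untagged."""
    if len(frame) >= 16 and struct.unpack_from("!H", frame, 12)[0] == ETH_P_8021Q:
        return 12
    return None


def user_priority(frame: bytes) -> Optional[int]:
    """User priority = three highest-order bits of the Tag Control field (None if untagged)."""
    off = first_tag_offset(frame)
    if off is None:
        return None
    return struct.unpack_from("!H", frame, off + 2)[0] >> 13


def map_user_priority_to_cos(frame: bytes) -> int:
    """User priority mapping (Table 2-2): the user priority value is the CoS value; untagged -> 3."""
    up = user_priority(frame)
    return UNTAGGED_COS if up is None else up


def replace_user_priority(frame: bytes, new_up: int) -> bytes:
    """User priority updating (3.4.1): rewrite the 3 priority bits of the first tag, keep CFI and VID."""
    off = first_tag_offset(frame)
    if off is None:
        return frame                       # nothing to update on an untagged frame
    tci = struct.unpack_from("!H", frame, off + 2)[0]
    tci = ((new_up & 0x7) << 13) | (tci & 0x1FFF)
    return frame[:off + 2] + struct.pack("!H", tci) + frame[off + 4:]


def ip_header_offset(frame: bytes) -> Optional[int]:
    """Offset of the IPv4 header after any stacked 802.1Q tags, or None if the frame is not IPv4."""
    off = 12
    while len(frame) >= off + 2 and struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        off += 4
    if len(frame) < off + 2 or struct.unpack_from("!H", frame, off)[0] != ETH_P_IP:
        return None
    return off + 2


def replace_dscp(frame: bytes, dscp: int) -> bytes:
    """DSCP updating (3.4.2): rewrite the six highest-order bits of the ToS byte, keep the low two.
    The ToS byte is covered by the IPv4 header checksum, which this example does not recompute."""
    ip = ip_header_offset(frame)
    if ip is None:
        return frame
    tos = ((dscp & 0x3F) << 2) | (frame[ip + 1] & 0x03)
    return frame[:ip + 1] + bytes([tos]) + frame[ip + 2:]


def mark(frame: bytes, cos: Optional[int] = None, new_up: Optional[int] = None,
         dscp: Optional[int] = None) -> bytes:
    """Apply the marking actions of one QoS entry. Table 3-5: if a CoS value is also
    determined, the user priority written is that CoS value."""
    if cos is not None and new_up is not None:
        new_up = cos
    if new_up is not None:
        frame = replace_user_priority(frame, new_up)
    if dscp is not None:
        frame = replace_dscp(frame, dscp)
    return frame


def build_frame(tags: List[Tuple[int, int]], tos: int = 0x00) -> bytes:
    """Constructed sample: dst/src MAC, zero or more 802.1Q tags as (user priority, VID),
    then a minimal 20-byte IPv4 header carrying the given ToS byte."""
    hdr = bytes.fromhex("001b78881ffa") + bytes.fromhex("0000c0a80a01")   # constructed MACs
    for pcp, vid in tags:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid)
    ip = bytes([0x45, tos]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0) + bytes(8)
    return hdr + struct.pack("!H", ETH_P_IP) + ip


if __name__ == "__main__":
    f = build_frame([(5, 10)])
    print(user_priority(f), map_user_priority_to_cos(build_frame([])))
    print(user_priority(mark(f, cos=4, new_up=6)))   # CoS wins over replace-user-priority
```

The double-tagged case matters on trunk and provider-style links: both mapping and updating act on the outer tag only, so an inner tag's user priority survives unchanged.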
3.5 Configuring marking
3.5.1 Setting user priority updating
The following is an example of setting up the configuration when the user priority is updated for
certain types of flows.
Overview
When frames are received, flow detection is first performed based on the destination IP
address, and then the user priority is updated.
Configuration command example
1. (config)# ip qos-flow-list QOS-LIST1
Creates an IPv4 QoS flow list (QOS-LIST1), and then switches to IPv4 QoS flow list mode.
2. (config-ip-qos)# qos ip any host 192.168.100.10 action replace-user-priority 6
Configures the IPv4 QoS flow list for destination IP address 192.168.100.10 and then changes the current user priority to 6.
3. (config-ip-qos)# exit
Returns from IPv4 QoS flow list mode to global configuration mode.
4. (config)# interface fastethernet 0/1
Switches to the interface mode for port 0/1.
5. (config-if)# ip qos-flow-group QOS-LIST1 in
(config-if)# exit
Enables the IPv4 QoS flow list (QOS-LIST1) on the receiving side.
3.5.2 Setting DSCP updating
The following is an example of setting up the configuration when the DSCP is to be updated for
certain types of flows.
Overview
When frames are received, flow detection is first performed based on the destination IP address, and then the DSCP value is updated.
Configuration command example
1. (config)# ip qos-flow-list QOS-LIST2
Creates an IPv4 QoS flow list (QOS-LIST2), and then switches to IPv4 QoS flow list mode.
2. (config-ip-qos)# qos ip any host 192.168.100.10 action replace-dscp 63
Configures the IPv4 QoS flow list for destination IP address 192.168.100.10 and then sets the DSCP value to be updated to 63.
3. (config-ip-qos)# exit
Returns from IPv4 QoS flow list mode to global configuration mode.
4. (config)# interface fastethernet 0/3
Switches to the interface mode for port 0/3.
5. (config-if)# ip qos-flow-group QOS-LIST2 in
(config-if)# exit
Enables the IPv4 QoS flow list (QOS-LIST2) on the receiving side.
3.6 Marking operation
To make sure that the set information is applied, use the operation command show qos-flow.
3.6.1 Checking user priority updating
The following figure shows how to check user priority updating.
Figure 3-7: Checking user priority updating
> show qos-flow 0/2
Date 2008/09/18 18:55:30 UTC
Using Port: interface fastethernet 0/2 in
IP qos-flow-list: QOS-LIST10
  remark "cos 4"
  10 qos ip any host 192.168.100.10 action replace-user-priority 6
    matched packets           : 0
>
Make sure that replace-user-priority 6 is displayed in the information for QOS-LIST1.
3.6.2 Checking DSCP updating
The following figure shows how to check the DSCP updating.
Figure 3-8: Checking DSCP updating
> show qos-flow 0/3
Date 2008/09/18 18:57:25 UTC
Using Port: interface fastethernet 0/3 in
IP qos-flow-list: QOS-LIST20
  remark "cos 4"
  10 qos ip any host 192.168.100.10 action replace-dscp 63
    matched packets           : 0
>
Make sure that replace-dscp 63 is displayed in the information for QOS-LIST2.
3.7 Description of priority determination
Priority determination is functionality that uses CoS values to specify the priority of frames
detected by flow detection in order to determine the send queue. The following figure shows the
positioning of the priority determination block described in this section.
Figure 3-9: Positioning of the priority determination block
3.7.1 CoS values
CoS values are used as an index for showing the priority of frames on a Switch.
The following table describes the specifiable range of CoS values.
Table 3-6: Specifiable range of CoS values
Item | Range
CoS value | 0-7
If priority determination is not set for flow control, the following default CoS values are used.
Table 3-7: Default CoS values
Frame type | CoS value
Frames that do not match priority determination for flow control; frames that match priority determination for flow control but for which no priority determination is set | Conforms to the result of user priority mapping
Note that the CoS values are fixed for the frames indicated in the table below regardless of
whether priority determination for flow control is set. The following table indicates the frames
whose values cannot be changed by priority determination.
Table 3-8: Frames whose values cannot be changed by priority determination
Frame type | CoS value
Self-generated frames sent by a Switch (IP packets: ping, Telnet, FTP, etc.)#2 | #1
Self-generated frames sent by a Switch (other than IP packets: BPDU, LLDP, LACP, etc.)#3 | 7
The following frames received on a Switch: Spanning tree (BPDU), Link aggregation, LLDP, GSRP (GSRP aware), CFM | 7
The following frames received on a Switch: System, Port MAC, Flush control frame (for uplink redundancy) | 6
The following frames received on a Switch: IGMP/MLD snooping, frame working as a MAC-based authentication trigger received from a port in MAC-based authentication legacy mode, EAPOL | 5
#1
The value cannot be changed by priority determination for flow control, but it is mapped according to the setting of the configuration command control-packet user-priority. For details, see 3.10 Description of user priority for self-generated frames.
#2
The CoS value of IGMP and MLD cannot be changed.
#3
BPDUs that have a VLAN tag, L2 loop detection frames, and flush control frames for uplink redundancy are classified here.
3.7.2 CoS mapping functionality
The CoS mapping functionality determines the send queue based on the CoS value determined
by either user priority mapping or priority determination for flow control.
The following table shows the mapping of CoS values to send queues.
Table 3-9: Mapping of CoS values and send queues
CoS value | Send queue number (send queue length: 32) | Send queue number (send queue length: 128) | Send queue number (send queue length: 728)
0 | 1 | 1 | 1
1 | 2 | 1 | 1
2 | 3 | 2 | 1
3 | 4 | 2 | 1
4 | 5 | 3 | 1
5 | 6 | 3 | 1
6 | 7 | 4 | 1
7 | 8 | 4 | 2
For the send queue length, see also 4.1.2 Specifying send queue length.
3.7.3 Note on using priority determination
(1) Priority determination for frames sent to a Switch
On a Switch, both frames to be forwarded and frames addressed to the Switch itself are subject to QoS flow detection. Therefore, if the priority of frames addressed to the Switch is set to a value equal to or higher than the CoS values of the received control frames shown in Table 3-8, a high load of such frames might interfere with the reception of protocol control frames. If this problem occurs, configure an action that lowers the priority of frames addressed to the Switch.
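The following is an added example, not the Switch's own code, that combines the rules of this chapter into one classification step: the fixed CoS values of received control frames (Table 3-8), the precedence of a CoS value set by flow control over user priority mapping (Table 3-7 and 2.2.1), the CoS value 3 for untagged frames (Table 2-2), and the mapping of CoS values to send queues for each send queue length (Table 3-9). Queue occupancy is then counted over a constructed traffic mix the way show qos queuing reports Qlen, which makes the note above concrete: with send queue length 32, a flow set to CoS 7 shares queue 8 with BPDUs. The inputs are already decoded values; the traffic mix and the frame kind names are constructed.

```python
from typing import Dict, List, Optional

# Combined priority determination and CoS-to-queue mapping
# (added example, not the Switch's own code; tables transcribed from 3.7).

UNTAGGED_COS = 3   # Table 2-2: frames without a VLAN tag

# Table 3-8: received control frames whose CoS value priority determination cannot change.
FIXED_COS = {
    "bpdu": 7, "link_aggregation": 7, "lldp": 7, "gsrp": 7, "cfm": 7,
    "system": 6, "port_mac": 6, "flush_control": 6,
    "igmp_mld_snooping": 5, "mac_auth_trigger": 5, "eapol": 5,
}

# Table 3-9: CoS value -> send queue number, by configured send queue length.
COS_TO_QUEUE = {
    32:  {0: 1, 1: 2, 2: 3, 3: 4, 4: 5, 5: 6, 6: 7, 7: 8},
    128: {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4},
    728: {0: 1, 1: 1, 2: 1, 3: 1, 4: 1, 5: 1, 6: 1, 7: 2},
}


def determine_cos(user_priority: Optional[int], flow_cos: Optional[int] = None,
                  frame_kind: str = "data") -> int:
    """CoS value of a received frame.
    1. Control frames listed in Table 3-8 keep their fixed CoS value.
    2. A matching QoS entry with "action cos" has precedence over user priority mapping.
    3. Otherwise (no match, or a match without a cos action, Table 3-7) the user priority
       mapping result applies: the user priority value itself, or 3 for an untagged frame."""
    if frame_kind in FIXED_COS:
        return FIXED_COS[frame_kind]
    if flow_cos is not None:
        return flow_cos
    return UNTAGGED_COS if user_priority is None else user_priority


def send_queue(cos: int, queue_length: int) -> int:
    """Table 3-9 lookup; raises KeyError for a send queue length the Switch does not offer."""
    return COS_TO_QUEUE[queue_length][cos]


def queue_occupancy(frames: List[Dict[str, object]], queue_length: int) -> Dict[int, int]:
    """Count frames per send queue, the figure that show qos queuing reports as Qlen."""
    counts: Dict[int, int] = {}
    for fr in frames:
        cos = determine_cos(fr.get("user_priority"), fr.get("flow_cos"), fr.get("kind", "data"))
        q = send_queue(cos, queue_length)
        counts[q] = counts.get(q, 0) + 1
    return counts


# Constructed traffic mix: one received BPDU, an untagged data frame, a tagged frame with
# user priority 5, and two frames matched by a QoS entry with "action cos 6".
SAMPLE_FRAMES: List[Dict[str, object]] = [
    {"kind": "bpdu"},
    {},                                   # untagged, no QoS match -> CoS 3
    {"user_priority": 5},
    {"user_priority": 1, "flow_cos": 6},  # flow control raises it
    {"user_priority": 7, "flow_cos": 6},  # flow control lowers it
]


if __name__ == "__main__":
    for length in (32, 128, 728):
        print(length, queue_occupancy(SAMPLE_FRAMES, length))
```

Changing the send queue length collapses the eight CoS values into fewer queues, so a policy that separates traffic cleanly at length 32 may put the same traffic into a single queue at length 728; check the occupancy with show qos queuing after changing limit-queue-length.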
3.8 Priority determination configuration
3.8.1 Setting the CoS value
The following is an example of setting the CoS value for certain types of flows.
Overview
When frames are received, first flow detection is performed based on the destination IP
address, and then the CoS value is set.
Configuration command example
1. (config)# ip qos-flow-list QOS-LIST1
Creates an IPv4 QoS flow list (QOS-LIST1), and then switches to IPv4 QoS flow list mode.
2. (config-ip-qos)# qos ip any host 192.168.100.10 action cos 6
Configures the IPv4 QoS flow list for destination IP address 192.168.100.10 and then sets a CoS value of 6.
3. (config-ip-qos)# exit
Returns from IPv4 QoS flow list mode to global configuration mode.
4. (config)# interface fastethernet 0/1
Switches to the interface mode for port 0/1.
5. (config-if)# ip qos-flow-group QOS-LIST1 in
(config-if)# exit
Enables the IPv4 QoS flow list (QOS-LIST1).
3.9 Priority operations
3.9.1 Checking the priority
When traffic (frames whose destination IP address is 192.168.100.10) flows into a line, use the
operation command show qos queuing to check the queue number. The target Ethernet
interface is port 0/1.
Figure 3-10: Checking the priority
> show qos queuing 0/1
Date 2008/11/21 12:07:46 UTC
Port 0/1 (outbound)
  Status : Active
  Max_Queue=8, Rate_limit=10Mbit/s, Qmode=wfq/tail_drop
  Queue 1: Qlen=   0, Limit_Qlen=  32
  Queue 2: Qlen=   0, Limit_Qlen=  32
  Queue 3: Qlen=   0, Limit_Qlen=  32
  Queue 4: Qlen=   0, Limit_Qlen=  32
  Queue 5: Qlen=   0, Limit_Qlen=  32
  Queue 6: Qlen=   1, Limit_Qlen=  32
  Queue 7: Qlen=   0, Limit_Qlen=  32
  Queue 8: Qlen=   0, Limit_Qlen=  32
  discard packets
    HOL1=   0, HOL2=   0, Tail_drop=   0
>
Make sure that the Qlen value for Queue 6 has a count value.
3.10 Description of user priority for self-generated frames
You can change the user priority of frames generated by a Switch itself to an arbitrary value by using the configuration command control-packet user-priority. The user priority is specified separately for Layer 2 and for Layer 3 self-generated frames; all frames on the same layer use the same user priority value. If this is not configured, the user priority of self-generated frames is 7. The setting takes effect as soon as it is entered, so you do not have to restart the Switch. The following table describes the frame types in each protocol and the user priority setting ranges.
Table 3-10: Self-generated frame types and user priority setting ranges
Self-generated frame type | Layer | User priority (default) | Layer to specify user priority (control-packet user-priority) | User priority setting range (control-packet user-priority)
BPDU#, L2 loop detection#, Flush control frame (for uplink redundancy)#, MAC address update frame (for uplink redundancy)#, CFM# | 2 | 7 | Layer 2 | 0-7
ICMP, ARP, Telnet, FTP, NTP, SNMP, syslog, IGMP, MLD, Start command (for secure Wake on LAN) | 3 | 7 | Layer 3 | 0-7
#
The user priority cannot be set for Layer 2 self-generated frames other than those shown in the above table, because they do not have VLAN tags.
When the user priority of self-generated frames is set, the CoS value of self-generated frames is mapped as shown in the following table. The CoS value of BPDU, L2 loop detection, flush control frame for uplink redundancy, IGMP, MLD, and CFM frames is always mapped to 7; the CoS value of other frames is mapped according to the user priority setting value.
Table 3-11: Mapping of user priority of self-generated frames to CoS values
Self-generated frame type | Layer | Setting value of control-packet user-priority | Mapped CoS value
BPDU, L2 loop detection, Flush control frame (for uplink redundancy), MAC address update frame (for uplink redundancy), CFM | Layer 2 | 0-7 | 7
ICMP, ARP, Telnet, FTP, NTP, SNMP, syslog, Start command (for secure Wake on LAN) | Layer 3 | 0 | 0
(same frame types) | Layer 3 | 1 | 1
(same frame types) | Layer 3 | 2 | 2
(same frame types) | Layer 3 | 3 | 3
(same frame types) | Layer 3 | 4 | 4
(same frame types) | Layer 3 | 5 | 5
(same frame types) | Layer 3 | 6 | 6
(same frame types) | Layer 3 | 7 | 7
IGMP, MLD | Layer 3 | 0-7 | 7
3.11 Configuring user priority for self-generated frames
3.11.1 Setting user priority for self-generated frames
Overview
The user priority value of self-generated frames is set by layer.
Configuration command example
1. (config)# control-packet user-priority layer-2 5
   Sets the user priority of Layer 2 self-generated frames to 5.
   Layer 3 self-generated frames, which are not specified here, keep the user priority 7.
Overview
The user priority values of both Layer 2 and Layer 3 self-generated frames are set.
Configuration command example
1. (config)# control-packet user-priority layer-2 5 layer-3 2
   Sets the user priority of Layer 2 self-generated frames to 5 and of Layer 3 self-generated
   frames to 2.
4. Send Control
This chapter describes send control (shaper and drop control) used on the Switch.
4.1 Overview of the shaper
4.2 Shaper configuration
4.3 Shaper operations
4.1 Overview of the shaper
4.1.1 Overview of the legacy shaper
The shaper functionality is used to control the output order of frames from each queue and the
output order and output bandwidth for each port. The following figure shows the positioning of
the shaper block described in this section.
Figure 4-1 Positioning of the shaper block
As shown in the figure below, the legacy shaper consists of scheduling, which determines the
queue from which the next frame will be sent, and port bandwidth control, which shapes the
Ethernet interface bandwidth. This figure provides an overview of the legacy shaper.
Figure 4-2 Concept of the legacy shaper
4.1.2 Specifying the send queue length
You can change the send queue length on the Switch so that it is appropriate for the network
configuration and operation mode. To do so, use the limit-queue-length configuration
command. Increasing the send queue length can reduce queue overflows caused by burst traffic.
Note that the specified send queue length is in effect for all Ethernet interfaces on the Switch. If
you do not specify the send queue length, a default queue length of 32 is used.
Table 4-1: Send queue lengths and their purposes
Queue no. | Send queue length: 32 | Send queue length: 128 | Send queue length: 728
1 | 32 | 128 | 728
2 | 32 | 128 | 32
3 | 32 | 128 | 0
4 | 32 | 128 | 0
5 | 32 | 0 | 0
6 | 32 | 0 | 0
7 | 32 | 0 | 0
8 | 32 | 0 | 0
For details about send queue length and CoS mapping, see Table 3-9 Mapping of CoS values and
send queues.
4.1.3 Scheduling
Scheduling is a functionality to control the order of sending frames in each queue. The Switch
provides four scheduling types, shown in the table below.
Table 4-2: Scheduling operations
(The conceptual diagram column of the original table is a figure and is not reproduced here.)
Scheduling type | Operation | Application
PQ | Priority queuing. When frames are queued in multiple queues, frames from queue 8 (Q#8 in the figure), which has the highest priority, are always given priority. | When traffic priority must be strictly observed
WRR | When there are frames in multiple queues, the queues are served in order from queue 8 to queue 1 (Q#8 to Q#1 in the figure) according to the set weights (z, y, x, w, v, u, t, s). | When all traffic must be sent, and prioritized traffic and non-prioritized traffic are mixed together
2PQ+6WRR | Top-priority queues and weighted (number of frames) round robin. Frames in top-priority queue 8 (Q#8 in the figure) are always given priority. Frames in queue 7 (Q#7 in the figure), which is given priority after queue 8, are sent next. If there are no frames to be sent from queues 8 and 7, frames are sent from queues 6-1 (Q#6 to Q#1 in the figure) based on the set weights (z, y, x, w, v, u). | Video or audio traffic in the top-priority queue, and data traffic in the WRR queues
WFQ | Weighted fair queuing. When a weight (minimum bandwidth) is set for all queues, frames corresponding to the minimum bandwidth are sent from each queue. | When a minimum bandwidth is required for all traffic
The table below shows the scheduling specifications.
Table 4-3: Scheduling specifications
Item | Specification
No. of queues | 8 queues
2PQ+6WRR: setting range for the weight of queues 1-6 | 1-15
WFQ: setting range for the weight of queues 1-8 | See Table 4-4 WFQ configuration range. Set the weights so that the total minimum bandwidth is equal to or less than the line bandwidth.
Range of frames subject to the minimum bandwidth | From the MAC header to the FCS
Table 4-4: WFQ configuration range
Line speed | Bandwidth | Unit | Configuration range | Step value
1 Gbit/s | 64 Kbit/s-1 Gbit/s | Mbit/s | 1M-1000M | 1 Mbit/s#1
1 Gbit/s | 64 Kbit/s-1 Gbit/s | Kbit/s | 1000-1000000 | 100 Kbit/s#2
1 Gbit/s | 64 Kbit/s-1 Gbit/s | Kbit/s | 64-960 | 64 Kbit/s#3
100 Mbit/s | 64 Kbit/s-100 Mbit/s | Mbit/s | 1M-100M | 1 Mbit/s#1
100 Mbit/s | 64 Kbit/s-100 Mbit/s | Kbit/s | 1000-100000 | 100 Kbit/s#2
100 Mbit/s | 64 Kbit/s-100 Mbit/s | Kbit/s | 64-960 | 64 Kbit/s#3
10 Mbit/s | 64 Kbit/s-10 Mbit/s | Mbit/s | 1M-10M | 1 Mbit/s#1
10 Mbit/s | 64 Kbit/s-10 Mbit/s | Kbit/s | 1000-10000 | 100 Kbit/s#2
10 Mbit/s | 64 Kbit/s-10 Mbit/s | Kbit/s | 64-960 | 64 Kbit/s#3
Auto Negotiation | 64 Kbit/s-1 Gbit/s | Mbit/s | 1M-1000M | 1 Mbit/s#1
Auto Negotiation | 64 Kbit/s-1 Gbit/s | Kbit/s | 1000-1000000 | 100 Kbit/s#2
Auto Negotiation | 64 Kbit/s-1 Gbit/s | Kbit/s | 64-960 | 64 Kbit/s#3
#1: 1 M = 1000 K.
#2: For values greater than 1000 K, set them in 100 K increments (1000 K, 1100 K,
1200 K...10000000 K).
#3: For values that are less than 1000 K, set them in 64 K increments (64 K, 128 K, 192
K...960 K).
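To see how the scheduling modes of Table 4-2 differ in the order frames leave a port, the following added example (not ALAXALA code) simulates PQ, WRR and 2PQ+6WRR over the eight send queues frame by frame; WFQ, which is rate based, is left out. Weights are passed as a queue-to-weight dict because the mapping of CLI argument positions to queue numbers is not stated on this page.

```python
from collections import deque

NUM_QUEUES = 8  # Table 4-3: 8 send queues; queue 8 has the highest priority


class LegacyShaper:
    """Per-frame model of the legacy-shaper scheduling modes pq, wrr and 2pq+6wrr.

    weights maps queue number -> weight (1-15 per Table 4-3). Table 4-2 writes the
    weights as z y x w v u t s for queues 8 down to 1; which CLI argument belongs to
    which queue is an assumption, so this model takes an explicit dict instead.
    """

    def __init__(self, mode, weights=None):
        if mode not in ("pq", "wrr", "2pq+6wrr"):
            raise ValueError(f"unsupported scheduling mode {mode!r}")
        self.mode = mode
        self.weights = dict(weights or {})
        wrr_queues = {"wrr": range(1, 9), "2pq+6wrr": range(1, 7), "pq": ()}[mode]
        for q in wrr_queues:
            if not 1 <= self.weights.get(q, 0) <= 15:
                raise ValueError(f"queue {q} needs a weight in 1-15 (Table 4-3)")
        self.queues = {q: deque() for q in range(1, NUM_QUEUES + 1)}
        self._turn = None   # queue currently holding the WRR turn
        self._credit = 0    # frames the turn holder may still send this round

    def enqueue(self, queue, frame):
        self.queues[queue].append(frame)

    def _wrr_pick(self, lo, hi):
        """One WRR decision over queues hi..lo (highest number first).

        A queue may send up to weights[q] frames before the turn moves to the next
        lower queue; empty queues are skipped and the turn wraps from lo back to hi.
        """
        if not any(self.queues[q] for q in range(lo, hi + 1)):
            return None
        while True:
            if self._turn is None or self._credit == 0 or not self.queues[self._turn]:
                self._turn = hi if self._turn is None or self._turn <= lo else self._turn - 1
                self._credit = self.weights[self._turn]
            if self.queues[self._turn]:
                self._credit -= 1
                return self._turn
            self._credit = 0  # an empty queue forfeits its turn this round

    def dequeue(self):
        """Return (queue, frame) for the next frame to send, or None if all queues are empty."""
        if self.mode == "pq":
            # Priority queuing: always the highest-numbered non-empty queue.
            q = next((q for q in range(NUM_QUEUES, 0, -1) if self.queues[q]), None)
        elif self.mode == "wrr":
            q = self._wrr_pick(1, NUM_QUEUES)
        else:  # 2pq+6wrr: queue 8 strictly first, then queue 7, then WRR over 6..1
            if self.queues[8]:
                q = 8
            elif self.queues[7]:
                q = 7
            else:
                q = self._wrr_pick(1, 6)
        if q is None:
            return None
        return q, self.queues[q].popleft()

    def drain(self):
        """Send order of every queued frame, as a list of (queue, frame)."""
        out = []
        while (item := self.dequeue()) is not None:
            out.append(item)
        return out


def send_order(mode, weights, load):
    """load: queue -> number of frames queued at once. Returns queue numbers in send order."""
    shaper = LegacyShaper(mode, weights)
    for q, n in load.items():
        for i in range(n):
            shaper.enqueue(q, f"q{q}-{i}")
    return [q for q, _ in shaper.drain()]


if __name__ == "__main__":
    # Constructed burst: 2 frames in queue 8, 1 in queue 7, 3 each in queues 6 and 5.
    load = {8: 2, 7: 1, 6: 3, 5: 3}
    weights = {6: 2, 5: 1, 4: 1, 3: 1, 2: 1, 1: 1}
    print("pq      ", send_order("pq", None, load))
    print("2pq+6wrr", send_order("2pq+6wrr", weights, load))
```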
4.1.4 Port bandwidth control
The port bandwidth control functionality shapes the total send bandwidth of a line to the specified
bandwidth after scheduling is performed. This control is used, for example, when connecting to
wide-area Ethernet services: if the line bandwidth is 1 Gbit/s and the contract bandwidth with
the ISP is 400 Mbit/s, port bandwidth control can hold the send bandwidth to 400 Mbit/s or less.
This prevents port congestion caused by the difference between the Ethernet interface bandwidth
and the contracted bandwidth.
The table below shows the bandwidths and units for port bandwidth control by line type. These
values depend on the line type.
Table 4-5: Configuration values for port bandwidth control
Line speed | Bandwidth | Unit | Configuration range | Step value
1 Gbit/s | 64 Kbit/s-1 Gbit/s | Mbit/s | 1M-1000M | 1 Mbit/s#1
1 Gbit/s | 64 Kbit/s-1 Gbit/s | Kbit/s | 1000-1000000 | 100 Kbit/s#2
1 Gbit/s | 64 Kbit/s-1 Gbit/s | Kbit/s | 64-960 | 64 Kbit/s#3
100 Mbit/s | 64 Kbit/s-100 Mbit/s | Mbit/s | 1M-100M | 1 Mbit/s#1
100 Mbit/s | 64 Kbit/s-100 Mbit/s | Kbit/s | 1000-100000 | 100 Kbit/s#2
100 Mbit/s | 64 Kbit/s-100 Mbit/s | Kbit/s | 64-960 | 64 Kbit/s#3
10 Mbit/s | 64 Kbit/s-10 Mbit/s | Mbit/s | 1M-10M | 1 Mbit/s#1
10 Mbit/s | 64 Kbit/s-10 Mbit/s | Kbit/s | 1000-10000 | 100 Kbit/s#2
10 Mbit/s | 64 Kbit/s-10 Mbit/s | Kbit/s | 64-960 | 64 Kbit/s#3
Auto Negotiation | 64 Kbit/s-1 Gbit/s | Mbit/s | 1M-1000M | 1 Mbit/s#1
Auto Negotiation | 64 Kbit/s-1 Gbit/s | Kbit/s | 1000-1000000 | 100 Kbit/s#2
Auto Negotiation | 64 Kbit/s-1 Gbit/s | Kbit/s | 64-960 | 64 Kbit/s#3
#1: 1 M = 1000 K.
#2: For values greater than 1000 K, set them in 100 K increments (1000 K, 1100 K,
1200 K...10000000 K).
#3: For values that are less than 1000 K, set them in 64 K increments (64 K, 128 K, 192
K...960 K).
The range of frames for port bandwidth control is from the MAC header to the FCS. For more
details, see Figure 4-3 Range subject to port bandwidth control.
Figure 4-3: Range subject to port bandwidth control
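To check a traffic-shape rate or a set of WFQ min-rate values before entering them, the following added example (not ALAXALA code) applies the ranges and step values of Tables 4-4 and 4-5 and the Table 4-3 rule that the WFQ minimum bandwidths must not exceed the line bandwidth. The "K" suffix for Kbit/s values and the "auto" label for Auto Negotiation are assumptions; the page itself shows only "M" values.

```python
# Line bandwidth in Kbit/s per line speed. Auto Negotiation shares the 1 Gbit/s range
# in Tables 4-4 and 4-5; the label "auto" for it is constructed here.
LINE_KBIT = {"1G": 1_000_000, "100M": 100_000, "10M": 10_000, "auto": 1_000_000}


def parse_rate(value):
    """Convert a rate such as '20M', '1500K' or '64K' to Kbit/s, enforcing the step rules.

    #1: M values are whole Mbit/s (1 M = 1000 K).
    #2: K values of 1000 K or more must be multiples of 100 K.
    #3: K values below 1000 K must be multiples of 64 K (64-960).
    The 'K' suffix is an assumption; the page only shows 'M' values in its examples.
    """
    v = value.strip().upper()
    if not v or v[-1] not in "MK" or not v[:-1].isdigit():
        raise ValueError(f"{value!r}: expected an integer followed by M or K")
    n = int(v[:-1])
    if v[-1] == "M":
        return n * 1000
    if n >= 1000:
        if n % 100:
            raise ValueError(f"{value!r}: values of 1000 K or more must be in 100 K steps (#2)")
    elif n == 0 or n % 64:
        raise ValueError(f"{value!r}: values below 1000 K must be in 64 K steps, 64-960 (#3)")
    return n


def check_rate(value, line_speed):
    """Return the rate in Kbit/s if it lies within 64 Kbit/s and the line bandwidth."""
    kbit = parse_rate(value)
    hi = LINE_KBIT[line_speed]
    if not 64 <= kbit <= hi:
        raise ValueError(f"{value!r}: outside 64 K-{hi} K for a {line_speed} line")
    return kbit


def check_wfq(min_rates, line_speed):
    """Validate a WFQ queue list: min-rate1..min-rate8 must all be set and in range, and
    their sum must not exceed the line bandwidth (Table 4-3). Returns the total in Kbit/s."""
    missing = [q for q in range(1, 9) if q not in min_rates]
    if missing:
        raise ValueError(f"WFQ needs a minimum bandwidth for every queue; missing {missing}")
    total = sum(check_rate(min_rates[q], line_speed) for q in range(1, 9))
    if total > LINE_KBIT[line_speed]:
        raise ValueError(f"total minimum bandwidth {total} K exceeds the {line_speed} line bandwidth")
    return total


def is_valid(fn, *args):
    """True if fn(*args) accepts the value, False if it raises ValueError."""
    try:
        fn(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The min-rate values of the 4.2.4 WFQ example, on a 100 Mbit/s line.
    wfq = {1: "2M", 2: "2M", 3: "2M", 4: "4M", 5: "10M", 6: "10M", 7: "10M", 8: "20M"}
    print("WFQ total Kbit/s:", check_wfq(wfq, "100M"))
    print("same list on a 10 Mbit/s line accepted:", is_valid(check_wfq, wfq, "10M"))
```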
4.1.5 Notes on using the shaper
(1) Notes on specifying the send queue length
• After changing the send queue length, restart the Switch to set basic operating conditions.
• Set the scheduling mode PQ before setting the send queue length. The send queue length
  cannot be set in other modes.
• If the configuration command limit-queue-length has not been input, any scheduling
  mode is available.
• To set 728 for the send queue length, set "Send pause packets" via the flowcontrol
  configuration command.
(2) Notes on scheduling when there are buffer shortages
When the Switch receives traffic over the bandwidth of an output line, the packet buffer will
become full. Because of this, received frames might be discarded without being queued, thus
causing the frames to not be sent as they are scheduled. To check the packet buffer, execute the
show qos queuing operation command, and check whether the HOL1 and HOL2 counters are
incrementing. If the packet buffer frequently becomes full, re-evaluate your network design.
4.2 Shaper configuration
4.2.1 PQ configuration
Overview
The example below shows how to create QoS queue list information that sets PQ (priority
queuing) for legacy shaper mode, and then applies that information to the corresponding
lines.
Configuration command example
1. (config)# qos-queue-list QUEUE-PQ pq
   Sets priority queuing for legacy shaper mode in the QoS queue list (QUEUE-PQ).
2. (config)# interface fastethernet 0/11
   Moves to port 0/11 interface mode.
3. (config-if)# qos-queue-group QUEUE-PQ
   (config-if)# exit
   Enables the QoS queue list (QUEUE-PQ).
4.2.2 WRR configuration
Overview
The example below shows how to create QoS queue list information that sets WRR
(weighted round robin) for legacy shaper mode, and then applies that information to the
corresponding lines.
Configuration command example
1. (config)# qos-queue-list QUEUE-WRR wrr 1 2 3 4 6 8 10 12
   Sets WRR for legacy shaper mode in the QoS queue list (QUEUE-WRR).
2. (config)# interface fastethernet 0/14
   Moves to port 0/14 interface mode.
3. (config-if)# qos-queue-group QUEUE-WRR
   (config-if)# exit
   Enables the QoS queue list (QUEUE-WRR).
4.2.3 2PQ+6WRR configuration
Overview
The example below shows how to create QoS queue list information that sets 2PQ+6WRR
(priority queuing + weighted (number of frames) round robin) for legacy shaper mode, and
then applies that information to the corresponding lines.
Configuration command example
1. (config)# qos-queue-list QUEUE-PQ-WRR 2pq+6wrr 1 2 4 4 8 12
   Sets 2pq+6wrr for legacy shaper mode in the QoS queue list (QUEUE-PQ-WRR).
2. (config)# interface fastethernet 0/16
   Moves to port 0/16 interface mode.
3. (config-if)# qos-queue-group QUEUE-PQ-WRR
   (config-if)# exit
   Enables the QoS queue list (QUEUE-PQ-WRR).
4.2.4 WFQ configuration
Overview
The example below shows how to create QoS queue list information that sets WFQ
(weighted fair queuing) for legacy shaper mode, and then applies that information to the
corresponding lines.
Configuration command example
1. (config)# qos-queue-list QUEUE-WFQ wfq min-rate1 2M min-rate2 2M
   min-rate3 2M min-rate4 4M min-rate5 10M min-rate6 10M min-rate7 10M
   min-rate8 20M
   Sets WFQ for legacy shaper mode in the QoS queue list (QUEUE-WFQ).
2. (config)# interface fastethernet 0/6
   Moves to port 0/6 interface mode.
3. (config-if)# qos-queue-group QUEUE-WFQ
   (config-if)# exit
   Enables the QoS queue list (QUEUE-WFQ).
4.2.5 Using port bandwidth control
Use port bandwidth control to decrease the output bandwidth of a line.
Overview
The example below shows how to use port bandwidth control to decrease the bandwidth of
a 100 Mbit/s line to 20 Mbit/s.
Configuration command example
1. (config)# interface fastethernet 0/3
   Moves to port 0/3 interface mode.
2. (config-if)# traffic-shape rate 20M
   (config-if)# exit
   Sets the port bandwidth to 20 Mbit/s.
4.3 Shaper operations
Use the show qos queuing operation command to view the information about the legacy
shaper set for an Ethernet interface.
4.3.1 Checking scheduling
The figure below shows how to check scheduling.
Figure 4-4: Checking scheduling
> show qos queuing 0/11
Date 2008/11/21 12:08:10 UTC
Port 0/11 (outbound)
Status : Active
Max_Queue=8, Rate_limit=100 Mbit/s, Qmode=pq/tail_drop
Queue 1: Qlen=     0, Limit_Qlen=    32
Queue 2: Qlen=     0, Limit_Qlen=    32
Queue 3: Qlen=     0, Limit_Qlen=    32
Queue 4: Qlen=     0, Limit_Qlen=    32
Queue 5: Qlen=     0, Limit_Qlen=    32
Queue 6: Qlen=     0, Limit_Qlen=    32
Queue 7: Qlen=     0, Limit_Qlen=    32
Queue 8: Qlen=     0, Limit_Qlen=    32
discard packets
HOL1=     0, HOL2=     0, Tail_drop=     0
>
Confirm that the Qmode parameter is pq/tail_drop.
4.3.2 Checking port bandwidth control
The figure below shows how to check port bandwidth control.
Figure 4-5: Checking port bandwidth control
> show qos queuing 0/3
Date 2008/11/21 12:15:23 UTC
Port 0/3 (outbound)
Status : Active
Max_Queue=8, Rate_limit=20 Mbit/s, Qmode=pq/tail_drop
Queue 1: Qlen=     0, Limit_Qlen=    32
Queue 2: Qlen=     0, Limit_Qlen=    32
Queue 3: Qlen=     0, Limit_Qlen=    32
Queue 4: Qlen=     0, Limit_Qlen=    32
Queue 5: Qlen=     0, Limit_Qlen=    32
Queue 6: Qlen=     0, Limit_Qlen=    32
Queue 7: Qlen=     0, Limit_Qlen=    32
Queue 8: Qlen=     0, Limit_Qlen=    32
discard packets
HOL1=     0, HOL2=     0, Tail_drop=     0
>
Confirm that the Rate_limit parameter is 20 Mbit/s.
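The following added example (not part of the manual and not ALAXALA code) parses the show qos queuing display of Figures 4-4 and 4-5, checks the Qmode and Rate_limit values a configuration step should have produced, and compares the HOL1, HOL2 and Tail_drop counters of two displays taken some time apart, which is the buffer-shortage check described in 4.1.5 (2). The displays it works on are constructed in the layout of the figures, not captured from a Switch.

```python
import re

PORT_RE = re.compile(r"^Port\s+(\S+)\s+\((\w+)\)")
HEADER_RE = re.compile(r"Max_Queue=(\d+),\s*Rate_limit=(.+?),\s*Qmode=(\S+)")
QUEUE_RE = re.compile(r"^Queue\s+(\d+):\s*Qlen=\s*(\d+),\s*Limit_Qlen=\s*(\d+)")
DISCARD_RE = re.compile(r"^HOL1=\s*(\d+),\s*HOL2=\s*(\d+),\s*Tail_drop=\s*(\d+)")


def parse_qos_queuing(text):
    """Parse one 'show qos queuing <port>' display into a dict."""
    info = {"queues": {}, "discard": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            info["port"], info["direction"] = m.group(1), m.group(2)
        elif m := HEADER_RE.search(line):
            info["max_queue"] = int(m.group(1))
            # Both "100 Mbit/s" and "10Mbit/s" appear in the manual's figures; normalise.
            info["rate_limit"] = m.group(2).replace(" ", "")
            info["qmode"] = m.group(3)
        elif m := QUEUE_RE.match(line):
            info["queues"][int(m.group(1))] = {"qlen": int(m.group(2)), "limit_qlen": int(m.group(3))}
        elif m := DISCARD_RE.match(line):
            info["discard"] = {"HOL1": int(m.group(1)), "HOL2": int(m.group(2)),
                               "Tail_drop": int(m.group(3))}
    return info


def check_expected(info, qmode=None, rate_limit=None):
    """Mismatches against the values a configuration step should show (4.3.1 and 4.3.2)."""
    problems = []
    if qmode is not None and info.get("qmode") != qmode:
        problems.append(f"Qmode is {info.get('qmode')}, expected {qmode}")
    if rate_limit is not None and info.get("rate_limit") != rate_limit.replace(" ", ""):
        problems.append(f"Rate_limit is {info.get('rate_limit')}, expected {rate_limit}")
    return problems


def diff_discards(before, after):
    """Findings from two displays of the same port taken some time apart (4.1.5 (2))."""
    findings = []
    for counter in ("HOL1", "HOL2"):
        delta = after["discard"][counter] - before["discard"][counter]
        if delta > 0:
            findings.append(f"{counter} +{delta}: packet buffer full, frames discarded before queuing")
    delta = after["discard"]["Tail_drop"] - before["discard"]["Tail_drop"]
    if delta > 0:
        findings.append(f"Tail_drop +{delta}: a send queue overflowed (consider limit-queue-length)")
    return findings


def sample_display(port, rate_limit, qmode, qlens, hol1, hol2, tail_drop):
    """Constructed display in the layout of Figures 4-4 and 4-5 (not captured from a Switch)."""
    lines = [f"> show qos queuing {port}", "Date 2008/11/21 12:08:10 UTC",
             f"Port {port} (outbound)", "Status : Active",
             f"Max_Queue=8, Rate_limit={rate_limit}, Qmode={qmode}"]
    for q in range(1, 9):
        lines.append(f"Queue {q}: Qlen={qlens.get(q, 0):6d}, Limit_Qlen={32:6d}")
    lines += ["discard packets", f"HOL1={hol1:6d}, HOL2={hol2:6d}, Tail_drop={tail_drop:6d}", ">"]
    return "\n".join(lines)


if __name__ == "__main__":
    t0 = parse_qos_queuing(sample_display("0/11", "100 Mbit/s", "pq/tail_drop", {6: 1}, 0, 0, 0))
    t1 = parse_qos_queuing(sample_display("0/11", "100 Mbit/s", "pq/tail_drop", {6: 3}, 0, 12, 0))
    print(check_expected(t0, qmode="pq/tail_drop", rate_limit="100 Mbit/s"))
    print(diff_discards(t0, t1))
```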
Part 3
Layer 2 Authentication
5. Overview of Layer 2 Authentication
These Switches support Layer 2 authentication methods such as IEEE 802.1X, Web
authentication, and MAC-based authentication. This chapter describes the Layer 2
authentication method types supported by the Switches, common Layer 2 authentication
methods, and interoperability of Layer 2 authentication.
Note that the term authentication functionality is sometimes used instead of the term
authentication method.
5.1 Overview of Layer 2 authentication
5.2 Authentication method group
5.3 RADIUS authentication
5.4 Common Layer 2 authentication methods
5.5 Common configuration of Layer 2 authentication
5.6 Common operation of Layer 2 authentication
5.7 Interoperability of Layer 2 authentication methods
5.8 Configuration for interoperability of Layer 2 authentication
5.9 Notes on using Layer 2 authentication
5.1 Overview of Layer 2 authentication methods
5.1.1 Layer 2 authentication types
The Switches support the Layer 2 authentication methods in the table below.
Table 5-1: Supported Layer 2 authentication methods
Authentication type | Authentication method | Authentication method group | Authentication mode | Authentication submode
Single authentication | IEEE 802.1X | Switch default#, Authentication method list | Port-based authentication (static), Port-based authentication (dynamic) | Single mode, Terminal authentication mode
Single authentication | IEEE 802.1X | Switch default# | VLAN-based authentication mode (dynamic) | --
Single authentication | Web authentication | Switch default, Authentication method list | Fixed VLAN mode, Dynamic VLAN mode | --
Single authentication | Web authentication | Switch default | Legacy mode | --
Single authentication | MAC-based authentication | Switch default, Authentication method list | Fixed VLAN mode, Dynamic VLAN mode | --
Single authentication | MAC-based authentication | Switch default | Legacy mode | --
Multistep authentication | MAC-based authentication + IEEE 802.1X | Switch default#, Authentication method list | Fixed VLAN mode, Dynamic VLAN mode | IEEE 802.1X is used in terminal authentication mode
Multistep authentication | MAC-based authentication + Web authentication | Switch default#, Authentication method list | Fixed VLAN mode, Dynamic VLAN mode | --
Multistep authentication | IEEE 802.1X + Web authentication | Switch default#, Authentication method list | Fixed VLAN mode, Dynamic VLAN mode | IEEE 802.1X is used in terminal authentication mode
Legend
-- : None
#
Switch default IEEE 802.1X works with RADIUS authentication.
• Single authentication
  IEEE 802.1X, Web authentication and MAC-based authentication work independently.
• Multistep authentication
  Authentication is conducted in two steps. After the first authentication is finished, the second
  one starts. The Switch conducts IEEE 802.1X or Web authentication after completing
  MAC-based authentication. Web authentication can be conducted after IEEE 802.1X
  authentication is completed by using the terminal authentication dot1x option.
  For multistep authentication, see 12. Multistep Authentication.
• IEEE 802.1X
  This method includes port-based authentication based on the IEEE 802.1X port and
  VLAN-based authentication (dynamic) based on the VLAN MAC address.
  Both methods can use a general RADIUS server for authentication, which is suitable for
  relatively small or medium systems. They can also use terminals that include IEEE 802.1X
  Supplicant software.
• Web authentication
  With this method, the user enters a user ID and password in a general Web browser from a
  terminal, and then authentication is performed through an internal authentication database
  (internal Web authentication DB) or a general RADIUS server to permit or deny access to a
  VLAN specified by a MAC address. This method can be used from terminals with Web
  browsers such as Internet Explorer.
• MAC-based authentication
  This method performs authentication by using the MAC addresses of frames received from
  terminals through an internal authentication database (internal MAC-based authentication
  DB) or a general RADIUS server to permit or deny access to a VLAN specified by a MAC
  address. This enables authentication without the need to install special software on terminals.
  This functionality authenticates terminals (for example, printers or IP telephones) that have no
  IEEE 802.1X Supplicant software, or on which user IDs or passwords cannot be entered.
5.1.2 Authentication modes of each authentication method
Each authentication method works in fixed VLAN mode, dynamic VLAN mode, or legacy
mode. The following figure shows the mutual relationships between authentication methods and
authentication modes.
Figure 5-1: Mutual relationships between authentication methods and authentication modes
(1) Fixed VLAN mode
Fixed VLAN mode does not perform VLAN switching to a VLAN to which an
authentication-requesting terminal belongs before and after authentication. The VLAN to which
the terminal belongs is the VLAN to which the connection port of the terminal belongs.
Figure 5-2: Overview of fixed VLAN mode (for RADIUS authentication)
1. A user accesses the Switch from an authentication-requesting terminal (PC in the figure
   above) connected via a hub.
2. The system identifies the ID of a VLAN associated with the terminal based on its
   connection port or VLAN ID.
3. After the identified VLAN ID information is added to the terminal information and an
   authentication request is made to the RADIUS server, the VLANs for which authentication
   is possible can be limited.
4. In the case of Web authentication, if authentication is successful, the successful
   authentication page is displayed on the terminal.
5. The authenticated terminal can connect to a server of the post-authentication VLAN.
(2) Dynamic VLAN mode
In dynamic VLAN mode, VLANs are switched after authentication through MAC VLANs. The
MAC address and VLAN ID of a successfully authenticated terminal are registered in the MAC
VLAN and MAC address table.
Figure 5-3: Overview of dynamic VLAN mode (for RADIUS authentication)
1. A user accesses the Switch from an authentication-requesting terminal (PC in the figure
   above) connected via a hub.
2. Authentication is conducted by an external RADIUS server.
3. In the case of Web authentication, if authentication is successful, a successful
   authentication page is displayed on the terminal.
4. Based on the VLAN ID information sent by a RADIUS server, the authenticated terminal
   gains access to the post-authentication VLAN and can connect to the server.
(3) Legacy mode
In legacy mode, the Switch authenticates and inspects each authentication-requesting terminal
by using the MAC VLAN functionality, and dynamically assigns VLANs to them to separate
networks before and after authentication.
Figure 5-4: Overview of legacy mode (for RADIUS authentication)
1. A user accesses the Switch from an authentication-requesting terminal (PC in the figure
   above) connected via a hub.
2. Authentication is conducted by an external RADIUS server.
3. In the case of Web authentication, if authentication is successful, a successful
   authentication page is displayed on the terminal.
4. Based on VLAN ID information sent by a RADIUS server and the post-authentication
   information specified in the configuration, the authenticated terminal gains access to the
   post-authentication VLAN.
(4) Access conditions and mixed usage for authentication methods
For access conditions for each authentication method, see 3.2 Switch capacities in the
Configuration Guide Vol. 1.
Authentication methods can be mixed and used within a Switch or on the same port. For more
details, see 5.7 Interoperability of Layer 2 authentication with other functionality.
For more details about authentication methods, see the later chapters.
5.1.3 Authentication method groups
For each authentication method, you can select Switch default, which is the standard for the
entire Switch, or authentication method list, which applies to different RADIUS servers based
on what conditions are met.
Table 5-2: Authentication method groups for Switches
Authentication method group | Selection range | Authentication request destination
Switch default | Local authentication | Internal authentication database
Switch default | RADIUS authentication | Host of authentication RADIUS server information; host of general RADIUS server information
Authentication method list | RADIUS server group | Server host in a specified RADIUS server group
(1) Switch default
For each authentication method, you can specify the type of authentication method for Switch
default. There are two types of authentication methods: local authentication and RADIUS
authentication. In addition, they can be configured separately or together. For details, see 5.3.3
Configuring the priority for device default local authentication and RADIUS authentication.
(a) Local authentication method
This method checks the user ID and password against an internal database on the Switch
(internal Web authentication or MAC-based authentication DB) and permits authentication
when they match. The internal databases are registered on the Switch via operation commands.
(b) RADIUS authentication method
This method sends the user ID and password, or MAC address, of a terminal to a RADIUS
server and permits authentication when they match. An external general RADIUS server is used.
Information about users (or terminals) subject to authentication is registered on the RADIUS
server. For the registration procedures for user information on a RADIUS server, see the
documentation for your RADIUS server.
In addition, RADIUS server information, such as the IP address and RADIUS key of the
RADIUS authentication server, is registered on the Switch. The configured information includes
general RADIUS server information and information about the dedicated RADIUS
authentication server. For more details, see 5.3.1 RADIUS server information used with the
Layer 2 authentication method.
(2) Authentication method list
For each authentication method, you can specify an authentication method list that applies to
different RADIUS servers based on what conditions are met. Only RADIUS server groups can
be configured for an authentication method list. Up to four entries for each authentication
method can be registered in an authentication method list. For more details, see 5.2
Authentication method group.
Up to four RADIUS server groups can be configured for the entire Switch. For more details, see
5.3.1 RADIUS server information used with the Layer 2 authentication method in this manual
and 8. Login Security and RADIUS in the Configuration Guide Vol. 1.
5.2 Authentication method group
5.2.1 Overview
This section uses Web authentication as an example to describe a correlation diagram between
the Switch default configuration, and the authentication method list configuration for RADIUS
servers under certain conditions. Normally, the Switch executes local authentication or
RADIUS authentication based on the Switch default configuration.
• Switch default
  When RADIUS authentication is executed with Switch default, a general RADIUS server or
  authentication RADIUS server can be used. Up to four authentication RADIUS servers can be
  configured for each Layer 2 authentication method.
• Authentication method list
  Set specific conditions when using the authentication method list functionality. If the specific
  conditions are met, the Switch uses the RADIUS server group name registered in the
  authentication method list. To determine a RADIUS server group name, specify and use the
  IP address of a general RADIUS server.
Figure 5-5: Correlation diagram of authentication method list configuration
5.2.2 Authentication method lists
The authentication method list uses the following conditions:
• Port-based authentication method
• User ID-based authentication method
The following table shows authentication modes for this method.
Table 5-3: Supported authentication modes of authentication method lists
Authentication method | Authentication mode | Port-based authentication method | User ID-based authentication method
IEEE 802.1X | Port-based authentication (static) | Y | N
IEEE 802.1X | Port-based authentication (dynamic) | Y | N
IEEE 802.1X | VLAN-based authentication (dynamic) | N | N
Web authentication | Fixed VLAN mode | Y | Y
Web authentication | Dynamic VLAN mode | Y | Y
Web authentication | Legacy mode | N | N
MAC-based authentication | Fixed VLAN mode | Y | N
MAC-based authentication | Dynamic VLAN mode | Y | N
MAC-based authentication | Legacy mode | N | N
Legend
Y: Operable
N: Not operable
(1) Port-based authentication method
This method uses an individual RADIUS server for authentication for each authentication port.
The method performs RADIUS authentication for a RADIUS server group specified in the
authentication method list by specifying the authentication method list name for any
authentication port.
The following figure shows an operational overview of the port-based authentication method.
Figure 5-6: Operational overview of the port-based authentication method
If an authentication method list name is configured for an authentication port:
1. When an authentication port receives an authentication request, the Switch checks
   whether the name of an authentication method list has been specified for the port by the
   corresponding authentication method.
2. The Switch checks whether the authentication method list name (List_example2 in the
   figure) is registered in the authentication method lists in the Switch.
3. If the name corresponds with an authentication method list in the Switch, the RADIUS
   server group specified in the authentication method list (ra-group221 in the figure) is
   referenced.
4. The Switch checks the IP address of a general RADIUS server registered in the RADIUS
   server group it accessed (server-host2 in the figure).
5. The Switch sends an authentication request to the target RADIUS server.
If an authentication method list name is not configured for an authentication port:
6. If no authentication method list name has been specified for a port, the Switch references
   the IP address of the authentication RADIUS server for the corresponding authentication
   method. If no authentication RADIUS server has been specified, the Switch references the
   general RADIUS server information.
7. The Switch sends an authentication request to the target RADIUS server.
A RADIUS server group used for the port-based authentication method is a group of server IP
addresses for general RADIUS server information. Therefore, if the server IP address from the
RADIUS server group does not correspond with the general RADIUS server information in an
authentication method list, authentication fails.
When all RADIUS servers specified for a RADIUS server group in an authentication method list
do not respond or request transmission fails, the Switch works based on the forced
authentication configuration (authentication fails if the forced authentication configuration has
been disabled).
The Switch performs Switch default authentication in the following cases:
• If no authentication method list name has been configured for a port
• If the name of the authentication method list for a port does not correspond with that of an
  authentication method group
• If the name of the authentication method list for a port is not found in an authentication
  method group
For details about configuration, see the following:
• Example of port-based authentication method configuration: 5.2.3 Authentication method list
  configuration (2) Example of port-based authentication method configuration
• IEEE 802.1X: 7. IEEE 802.1X Configuration and Operation
• Web authentication: 9. Web Authentication Configuration and Operation
• MAC-based authentication: 11. MAC-based authentication Configuration and Operation
(a) Port transfer
If this functionality is enabled, authentication is canceled when the following conditions are met:
• IEEE 802.1X: Authentication is canceled when port transfer is detected.
• Web authentication: Authentication is canceled if the authentication method list names before
  and after port transfer are different, regardless of the roaming settings.
• MAC-based authentication: Authentication is canceled if the authentication method list names
  before and after port transfer are different, regardless of the roaming settings.
(2) User ID-based authentication method
This method uses individual RADIUS servers to perform authentication by user ID when
performing Web authentication.
If the user ID authentication method is enabled for Web authentication, when a user logs in by
using user-ID@authentication-method-list-name, RADIUS authentication is performed with a
RADIUS server group in the authentication method list specified after the at mark (@ character).
The following table describes the conditions for separating a user ID and authentication method
list name. In the table, userID is the user ID and List1 is the authentication method list name.
Table 5-4: Conditions for separating a user ID and authentication method list name
Entered combination of user ID and authentication method list name# | Success or failure of separation | Remarks
userID@List1 | Successfully separates | 
userID@group1@List1 | Successfully separates | Multiple @ characters are included, but the string is separated at the second @ character.
userID | Separation fails | Separation fails because no @ character is included.
userID@ | Separation fails | Separation fails because no characters have been entered after the @ character.
@List1 | Separation fails | Separation fails because no characters have been entered before the @ character.
userID@...(33 or more characters) | Separation fails | Separation fails because there are more than 33 characters after the @ character.
#
Up to 128 characters can be entered for the user ID (including the @ character and the
following characters).
The following figure shows the operational overview of the user ID-based authentication
method.
Figure 5-7: Operational overview of the user ID-based authentication method
If the user ID-based authentication method is enabled and separation of the user ID and list name
succeeds:
1. When the Switch receives an authentication request with
   user-ID@authentication-method-list-name (userBBB@List_example2 in the figure), it
   separates the string at the @ character (the string preceding the @ character is the user ID
   and the string following the @ character is the authentication method list name).
2. If separation succeeds, the Switch checks whether the separated authentication method list
   name (List_example2 in the figure) has been registered.
3. If the name corresponds to a list on the Switch, the Switch references the RADIUS server
   group specified in the authentication method list (ra-group221 in the figure).
4. The Switch checks the IP address of the general RADIUS server registered in the
   RADIUS server group (server-host2 in the figure).
5. The Switch sends an authentication request to the target RADIUS server (because
   separation was successful, it sends the user ID userBBB).
If the user ID-based authentication method is disabled or separation of the user ID and list name
fails:
6. If the user ID-based authentication method is disabled or separation fails, the Switch
   references the IP address of the authentication RADIUS server information for the
   authentication method in use. If an authentication RADIUS server has not been configured,
   information about the general RADIUS server is referenced.
7. The Switch sends an authentication request to the target RADIUS server (because
   separation has failed, it sends the user ID userAAA@).
The RADIUS server group used with the user ID-based authentication method groups any server
IP addresses in the general RADIUS server information. Therefore, authentication fails if the
server IP address from the RADIUS server group does not correspond with the general RADIUS
server information in the authentication method list.
When all RADIUS servers specified for a RADIUS server group in the authentication method
list do not respond or request transmission fails, the Switch works based on the forced
authentication configuration. Authentication fails if the forced authentication configuration has
been disabled.
The Switch executes Switch default authentication in the following cases:
• If the authentication method list name (following the @ character after the user ID) does not
  correspond with an authentication method list for an authentication method group of the
  authentication method in use
• When the user ID and the authentication method list name are not separated by an @ character
For the configuration, see the following:
• 5.2.3 Authentication method list configuration (3) Example of user ID-based authentication
  method configuration
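The separation and server-selection steps above, written out as a small model. This is an added example and not code from the manual or from ALAXALA; the dictionaries describing method lists, server groups and server information, and the function and parameter names, are assumptions made for the illustration. The limits it enforces (a user ID of at most 128 characters, separation failing when more than 33 characters follow the @ character) are the ones stated on the page, and the fallback to authentication RADIUS server information before general RADIUS server information follows Table 5-9.

```python
"""Model of the user ID-based authentication method (user-ID@list-name).

Added example, not ALAXALA code.  It reproduces the separation and server
selection steps described above; the data structures and names are
assumptions made for this illustration.
"""

MAX_USER_ID_LEN = 128     # longest user ID that can be entered at all
MAX_LIST_PART_LEN = 33    # more characters than this after @ makes separation fail


def separate_user_id(user_id):
    """Split 'user@list' at the first @ character (assumption: the first one).

    Returns (user, list_name), or None when separation fails: no @ character,
    nothing on either side of it, or too many characters after it.
    """
    if len(user_id) > MAX_USER_ID_LEN:
        raise ValueError("a user ID longer than 128 characters cannot be entered")
    if "@" not in user_id:
        return None
    user, list_name = user_id.split("@", 1)
    if not user or not list_name or len(list_name) > MAX_LIST_PART_LEN:
        return None
    return user, list_name


def select_radius_servers(user_id, user_group_enabled, method_lists,
                          server_groups, general_servers, auth_servers):
    """Return (user ID sent to the server, servers to try in order, path).

    method_lists    {list_name: group_name}  from aaa authentication ... group
    server_groups   {group_name: [ip, ...]}  from aaa group server radius / server
    general_servers [ip, ...]                from radius-server host
    auth_servers    [ip, ...]                from <method> radius-server host
    path is "list", "default" or "unavailable" and says which branch was taken.
    """
    parts = separate_user_id(user_id) if user_group_enabled else None
    if parts is not None:
        user, list_name = parts
        group = method_lists.get(list_name)
        if group in server_groups:
            # Group members are usable only if they are also general RADIUS
            # servers; with none left, the page says authentication fails.
            servers = [ip for ip in server_groups[group] if ip in general_servers]
            return user, servers, "list"
        # Unknown list name: Switch default authentication.  Assumption: the
        # whole string is then sent as the user ID, as in the separation-failed case.
    # Switch default (Table 5-9): authentication RADIUS server information if
    # any is configured, otherwise general RADIUS server information.
    servers = list(auth_servers) if auth_servers else list(general_servers)
    return user_id, servers, ("default" if servers else "unavailable")
```

Note the two failure shapes the model makes visible: a list name that exists but whose group contains no address registered with radius-server host yields an empty server list on the "list" path, while an unknown list name silently falls back to Switch default authentication with the unmodified string as the user ID.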
(3) Exclusive relationship of authentication method list configuration
Port-based authentication method, user ID-based authentication method and legacy mode are
not interoperable on the Switch. Select any one of these.
The following table describes the interoperability conditions of the authentication method list
configuration.
Table 5-5: Interoperability conditions of the authentication method list configuration
Port-based authentication method configuration | User ID-based authentication method configuration | Legacy mode configuration
(• dot1x authentication • web-authentication authentication • mac-authentication authentication) | (web-authentication user-group) | (See Table 5-6)
One of the above is configured | N | N
None of the above is configured | Configured | N
None of the above is configured | Not configured | Y
Legend
Y: Supported
N: Not supported
Table 5-6: Legacy mode configuration not interoperable with other methods
Authentication method | Configuration command
IEEE 802.1X | • dot1x vlan dynamic enable • dot1x vlan dynamic radius-vlan
Web authentication | • web-authentication vlan
MAC-based authentication | • mac-authentication interface • mac-authentication vlan
Authentication method lists are unavailable in legacy mode. Therefore, the configuration in
legacy mode shown above is not interoperable with the port-based and user ID-based
authentication methods.
5.2.3 Authentication method list configuration
(1) List of configuration commands
This section describes authentication method configuration using authentication method lists.
Table 5-7: Configuration commands and target authentication method lists
Command | Description | Port-based authentication method | User ID-based authentication method
aaa authentication dot1x <list-name> | Configures the Switch default and authentication method list with an authentication method group for IEEE 802.1X authentication. | Y | Y
dot1x authentication <list-name> | Configures the authentication method list name of the port-based authentication method. Used with IEEE 802.1X authentication. | Y | N
aaa authentication web-authentication <list-name> | Configures the Switch default and authentication method list with the authentication method group for Web authentication. | Y | Y
web-authentication authentication <list-name> | Configures an authentication method list name for the port-based authentication method used with Web authentication. | Y | Y
web-authentication user-group | Enables the user ID-based authentication method for Web authentication. | N | Y
aaa authentication mac-authentication | Configures the Switch default and authentication method list with the authentication method group for MAC-based authentication. | Y | Y
mac-authentication authentication <list-name> | Configures the authentication method list name of the port-based authentication method used with MAC-based authentication. | Y | N
radius-server host | Configures general RADIUS server information. | Y | Y
aaa group server radius <group-name> | Configures the RADIUS server group name. | Y | Y
server | Registers general RADIUS server information in the RADIUS server group. | Y | Y
Legend
Y: Supported
N: Not supported
(2) Example of port-based authentication method configuration
This is an example of triple authentication using the port-based authentication method. The
following target port numbers and RADIUS server group names are used:
• Port 0/10-0/14: Authentication is performed using the RADIUS server group Office-A
• Port 0/20-0/24: Authentication is performed using the RADIUS server group Office-B
For configuration of authentication methods other than the port-based authentication method,
see the following:
• IEEE 802.1X: 7. IEEE 802.1X Configuration and Operation
• Web authentication: 9. Web Authentication Configuration and Operation
• MAC-based authentication: 11. MAC-based Authentication Configuration and Operation
The following figure shows a configuration example of the port-based authentication method.
Figure 5-8: Configuration example of the port-based authentication method
Overview
The example below shows how to specify the following:
1. RADIUS server configuration
   • Configure general RADIUS server information used with the authentication method lists.
   • Group general RADIUS server information.
2. Authentication method configuration
   • Associate authentication method lists and RADIUS server groups for each
     authentication method.
   • Configure authentication method lists by port for Web authentication.
Configuration command example
1.
(config)# radius-server host 192.168.0.200 key AuthKey
(config)# radius-server host 192.168.0.201 key AuthKey
(config)# radius-server host 192.168.1.200 key AuthKey
(config)# radius-server host 192.168.1.201 key AuthKey
Configures information for four general RADIUS servers.
2.
(config)# aaa group server radius Office-A
(config-group)# server 192.168.0.200
(config-group)# server 192.168.0.201
(config-group)# exit
Registers the RADIUS server group name Office-A and the IP addresses of the general
RADIUS servers used with this group.
3.
(config)# aaa group server radius Office-B
(config-group)# server 192.168.1.200
(config-group)# server 192.168.1.201
(config-group)# exit
Registers the RADIUS server group name Office-B and the IP addresses of the general
RADIUS servers used with this group.
4.
(config)# aaa authentication dot1x DList-1 group Office-A
(config)# aaa authentication dot1x DList-2 group Office-B
(config)# aaa authentication web-authentication WList-1 group Office-A
(config)# aaa authentication web-authentication WList-2 group Office-B
(config)# aaa authentication mac-authentication MList-1 group Office-A
(config)# aaa authentication mac-authentication MList-2 group Office-B
Associates an authentication method list with a RADIUS server group for each
authentication method.
5.
(config)# interface range fastethernet 0/10-14
(config-if-range)# dot1x authentication DList-1
(config-if-range)# web-authentication authentication WList-1
(config-if-range)# mac-authentication authentication MList-1
(config-if-range)# exit
Configures the authentication method list names DList-1, WList-1 and MList-1 used by
each authentication method on ports 0/10-0/14.
6.
(config)# interface range fastethernet 0/20-24
(config-if-range)# dot1x authentication DList-2
(config-if-range)# web-authentication authentication WList-2
(config-if-range)# mac-authentication authentication MList-2
(config-if-range)# exit
Configures the authentication method list names DList-2, WList-2 and MList-2 used by
each authentication method on ports 0/20-0/24.
Notes:
1. The Switch conducts Switch default authentication if the port-based authentication
   method has not been configured.
2. If the name of the authentication method list configured for a port and the name in the
   authentication method group do not correspond, the Switch executes Switch default
   authentication.
3. The user ID-based authentication method for Web authentication and legacy mode
   cannot be set up for joint use. For more details, see 5.2.2 Authentication method lists.
(3) Example of user ID-based authentication method configuration
This section describes a configuration example for Web authentication using the user ID-based
authentication method. The following user IDs subject to Web authentication and RADIUS
server group names are used:
• User tanaka: Port 0/10 and RADIUS server group Group-A are used for authentication.
• User suzuki: Port 0/10 and RADIUS server group Group-B are used for authentication.
For other Web authentication method configuration, see 9. Web Authentication Configuration
and Operation.
The following figure shows a configuration example of the user ID-based authentication
method.
Figure 5-9: Configuration example of the user ID-based authentication method
Overview
The example below shows how to configure the following:
1. RADIUS server configuration
   • Configure general RADIUS server information used with authentication method lists.
   • Group general RADIUS server information.
2. Web authentication method configuration
   • Associate authentication method lists and RADIUS server groups for Web
     authentication.
   • Configure authentication method lists by user ID for Web authentication.
Configuration command example
1.
(config)# radius-server host 192.168.10.200 key AuthKey
(config)# radius-server host 192.168.10.201 key AuthKey
(config)# radius-server host 192.168.11.200 key AuthKey
(config)# radius-server host 192.168.11.201 key AuthKey
Configures information for four general RADIUS servers.
2.
(config)# aaa group server radius Group-A
(config-group)# server 192.168.10.200
(config-group)# server 192.168.10.201
(config-group)# exit
Registers the RADIUS server group name Group-A and the IP addresses of the general
RADIUS servers used with this group.
3.
(config)# aaa group server radius Group-B
(config-group)# server 192.168.11.200
(config-group)# server 192.168.11.201
(config-group)# exit
Registers the RADIUS server group name Group-B and the IP addresses of the general
RADIUS servers used with this group.
4.
(config)# aaa authentication web-authentication Class-1 group Group-A
(config)# aaa authentication web-authentication Class-2 group Group-B
Associates authentication method lists with RADIUS server groups for Web authentication.
5.
(config)# web-authentication user-group
Enables the user ID-based authentication method for Web authentication.
Notes:
1. The Switch executes Switch default authentication if the user ID-based authentication
   method has not been configured.
2. Authentication is canceled for all Web authentication terminals when the user ID-based
   authentication method configuration is changed.
3. If the name of the authentication method list specified following the @ character and the
   name in the authentication method group do not correspond, the Switch executes Switch
   default authentication.
4. The port-based authentication method and legacy mode cannot be configured together.
   For more details, see 5.2.2 Authentication method lists.
5.3 RADIUS authentication
This section describes the following items used with RADIUS authentication among the Layer 2
authentication methods:
• RADIUS server information used with the Layer 2 authentication method
• Dead-interval functionality of RADIUS server communication
• Priority configuration for the Switch default local and RADIUS authentication
• Account functionality for the RADIUS server
5.3.1 RADIUS server information used with the Layer 2 authentication method
(1) RADIUS server information configurable on the Switch
The following RADIUS server information is configurable on the Switch.
Table 5-8: RADIUS server information configurable on the Switch
RADIUS server information type | Configuration information | Functionality to use
General RADIUS server information | RADIUS server host information; Auto recovery time (dead-interval time) | Login security functionality; IEEE 802.1X; Web authentication; MAC-based authentication
IEEE 802.1X authentication RADIUS server information | RADIUS server host information; Auto recovery time (dead-interval time) | IEEE 802.1X
Web authentication RADIUS server information | RADIUS server host information; Auto recovery time (dead-interval time) | Web authentication
MAC-based authentication RADIUS server information | RADIUS server host information; Auto recovery time (dead-interval time) | MAC-based authentication
RADIUS server group information | RADIUS server host information# | IEEE 802.1X; Web authentication; MAC-based authentication
Note:
Any configured general RADIUS server information (radius-server host) is assigned
to the RADIUS server group. Set the same IP address as that of the general RADIUS server
information, the same port number for server authentication, and the same port number for
server accounting. The auto recovery time follows that of radius-server dead-interval in the
general RADIUS server information.
You can configure the server IP address, port number for server authentication, port number for
server accounting, RADIUS key, number of retransmissions, and response timeout period for
the RADIUS server information. When the RADIUS key, number of retransmissions, and
response timeout period are not configured, behavior follows the settings of the following
configuration commands:
• RADIUS key: radius-server key
• Number of retransmissions: radius-server retransmit
• Response timeout period: radius-server timeout
If the specification of a port number for server authentication has been omitted, the system uses
1812. If the specification of a port number for accounting has been omitted, the system uses
1813.
For details on settings for RADIUS server information, see the following:
• For settings for general RADIUS server information, see 8. Login Security and RADIUS in
  the Configuration Guide Vol. 1
• For settings for authentication RADIUS server information, see the following:
  • IEEE 802.1X: 7.2.1 Configuring the authentication method group and RADIUS server
    information
  • Web authentication: 9.2.1 Authentication method group and RADIUS server information
    configuration
  • MAC-based authentication: 11.2.1 Configuring the authentication method group and
    RADIUS server information
• For settings for RADIUS server group information, see 8. Login Security and RADIUS in the
  Configuration Guide Vol. 1.
(a) Auto recovery time (dead-interval time)
The settings for the auto recovery time operate on the various types of RADIUS server
information. Other authentication RADIUS server information is not affected.
For details on the operation of auto recovery time, see 5.3.2 Dead-interval functionality of
RADIUS server communication.
(2) Handling the same IP address settings among the information of each RADIUS server
Information about each RADIUS server can be configured simultaneously. However, if the
same IP address has been configured for them, they are considered the same RADIUS server.
Therefore, the same RADIUS key, number of retransmissions, and response timeout period are
applied in communication with that RADIUS server.
Because of this, the following tasks are performed when any configuration command is entered:
1. Specifying the same IP address for general RADIUS servers.
   If the IP address matches the settings of an existing RADIUS server, the existing entry is
   replaced by the entered command with all parameters renewed. If parameters are omitted
   when entering the new command, they return to the defaults.
2. Specifying the same IP address in the information of the same type of authentication
   RADIUS server.
   This is the same as for general RADIUS server information.
3. Specifying the same IP address in the information of the same type of general RADIUS
   servers and authentication RADIUS servers.
   This is the same as for general RADIUS server information.
4. Specifying the same IP address for RADIUS servers of different types.
   This is the same as for general RADIUS server information.
• Example when the same IP address is configured for RADIUS servers of different types:
  After configuring general RADIUS servers, MAC-authentication RADIUS servers are
  configured with the same IP address:
  (config)# radius-server host 192.168.7.7 retransmit 10 key aaaaa
    General RADIUS server configuration (Default)
  (config)# mac-authentication radius-server host 192.168.7.7 key bbbbb
    MAC-authentication RADIUS server configuration
  When following the procedure above, the number of retransmissions of the general RADIUS
  server is automatically returned to the default (3) and the RADIUS key is replaced by bbbbb
  as entered for the MAC-authentication RADIUS server.
  The automatically changed results are also reflected in the output of the show running-config
  operation command.
• Result displayed by the show running-config operation command:
  radius-server host 192.168.7.7 key bbbbb
    (after the automatically changed results are applied)
  mac-authentication radius-server host 192.168.7.7 key bbbbb
  After that, general RADIUS server information is not restored to the default configuration
  even if the MAC-authentication RADIUS server information is deleted.
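The replacement behavior above, replayed by a small configuration model so that the outcome can be checked before a command is entered on a production switch. This is an added example, not code from the manual or from ALAXALA: the parser accepts only the radius-server host and <method> radius-server host forms with name/value parameters, the defaults are the ones the page states (3 retransmissions, 5 second timeout, ports 1812 and 1813), and the RunningConfig class and its method names are assumptions made for the illustration. The point it makes visible is that the second command silently replaces the shared secret and retransmit count of the general RADIUS server with the same IP address, and that deleting the second entry does not undo that.

```python
"""Model of RADIUS server entries that share one IP address (5.3.1 (2)).

Added example, not ALAXALA code.  It replays the configuration sequence
above and renders what the page says show running-config then displays.
Class and method names are assumptions made for this illustration.
"""

# Defaults stated on the page: 3 retransmissions, 5 second response timeout,
# authentication port 1812, accounting port 1813.  A key has no default.
DEFAULTS = {"key": None, "retransmit": 3, "timeout": 5,
            "auth-port": 1812, "acct-port": 1813}


class RunningConfig:
    def __init__(self):
        self.servers = {}   # ip -> parameters shared by every entry with that IP
        self.entries = {}   # (kind, ip) -> True, in the order first configured

    def configure(self, line):
        """Apply one host command, e.g. 'radius-server host 192.168.7.7 key k'
        or 'mac-authentication radius-server host 192.168.7.7 key k'."""
        words = line.split()
        if len(words) >= 3 and words[:2] == ["radius-server", "host"]:
            kind, ip, rest = "", words[2], words[3:]        # general server
        elif len(words) >= 4 and words[1:3] == ["radius-server", "host"]:
            kind, ip, rest = words[0], words[3], words[4:]  # authentication server
        else:
            raise ValueError("unsupported command: " + line)
        if len(rest) % 2:
            raise ValueError("parameter without a value: " + line)
        # Every parameter not given on this command goes back to its default,
        # even if an earlier entry with the same IP address had set it.
        params = dict(DEFAULTS)
        for name, value in zip(rest[::2], rest[1::2]):
            if name not in DEFAULTS:
                raise ValueError("unknown parameter: " + name)
            params[name] = value if name == "key" else int(value)
        self.servers[ip] = params           # one parameter set per IP address
        self.entries[(kind, ip)] = True

    def remove(self, kind, ip):
        """Delete one entry.  The shared parameters keep their last values."""
        self.entries.pop((kind, ip), None)

    def show_running_config(self):
        """Render the entries with only their non-default parameters."""
        lines = []
        for kind, ip in self.entries:
            params = self.servers[ip]
            words = ([kind] if kind else []) + ["radius-server", "host", ip]
            for name, default in DEFAULTS.items():
                if params[name] != default:
                    words += [name, str(params[name])]
            lines.append(" ".join(words))
        return lines


def replay_page_example():
    """The sequence shown above: the general server first, then the
    MAC-authentication server with the same IP address."""
    cfg = RunningConfig()
    cfg.configure("radius-server host 192.168.7.7 retransmit 10 key aaaaa")
    cfg.configure("mac-authentication radius-server host 192.168.7.7 key bbbbb")
    return cfg
```

After replay_page_example(), show_running_config() returns the two lines the page shows, the retransmit count for 192.168.7.7 is back to 3, and removing the mac-authentication entry leaves the general entry with key bbbbb.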
(3) Operation when configuring joint use of RADIUS server information
If the port-based authentication method or the user ID-based authentication method for Web
authentication is enabled, RADIUS server group information registered in the authentication
method list is used.
If the port-based authentication method or the user ID-based authentication method for Web
authentication is disabled, the Switch default is used. In the Switch default, general RADIUS
server information or authentication RADIUS server information is used. When both of the two
items of information above are enabled, authentication RADIUS server information for each
authentication method is used.
The following table shows the operational relationship between the general RADIUS server and
authentication RADIUS server.
Table 5-9: Operational relationship between the general RADIUS server and
authentication RADIUS server information
Authentication RADIUS server information | General RADIUS server information | Action
One or more servers are configured | One or more servers are configured | Authentication RADIUS server information is used for operation.
One or more servers are configured | No server is configured | Authentication RADIUS server information is used for operation.
No server is configured | One or more servers are configured | General RADIUS server information is used for operation.
No server is configured | No server is configured | RADIUS authentication is unavailable.
The following describes the operational relationship between the general RADIUS server and
authentication RADIUS server, using MAC-based authentication as an example:
1. When using MAC-authentication RADIUS server information for operation:
   If the mac-authentication radius-server host configuration command has been
   configured for at least one server, only the MAC-authentication RADIUS server
   configured with that command is used.
   In this case, authentication-requested RADIUS server selection and auto recovery
   (dead-interval) do not affect other authentication methods.
2. When using general RADIUS server information for operation:
   If the mac-authentication radius-server host configuration command has not
   been configured for any server, the general RADIUS server configured with the
   radius-server host configuration command is used. In this case,
   authentication-requested RADIUS server selection and auto recovery (dead-interval)
   are common among all authentication methods using the general RADIUS server.
The following figure shows the operation when configuring joint use of RADIUS server
information.
Figure 5-10: Operation when configuring joint use of RADIUS server information
(4) Selecting an authentication-request destination RADIUS server
Multiple RADIUS server hosts can be configured in general RADIUS server information,
authentication RADIUS server information, and the RADIUS server group (for the maximum
number, see 3.2 Switch capacities in the Configuration Guide Vol. 1).
If the Switch cannot communicate with one server and receives no authentication service, it
tries to connect to the other configured servers in sequence. The following figure shows the
RADIUS server selection sequence.
Figure 5-11: RADIUS server selection sequence
In this figure, when the Switch receives a new frame from the terminal subject to authentication,
the Switch requests RADIUS authentication from RADIUS server 1. If it fails to communicate
with RADIUS server 1, it requests RADIUS authentication from RADIUS server 2. When
authentication is successful, the Switch can communicate with the authenticated network. The
RADIUS server in operation as the authentication request destination is called the current server.
(5) Maximum time before RADIUS authentication becomes unavailable
You can configure a response timeout period to determine whether communication with a
RADIUS server is possible. The default is 5 seconds. When a timeout occurs at a RADIUS
server, the Switch tries to connect to that server again. The number of retries can also be
configured. The default is 3 times. Because of this, the maximum time before the Switch decides
that RADIUS authentication is unavailable is as follows:
response-timeout-period x (first-try + number-of-retries) x number-of-RADIUS-servers-configured
Figure 5-12: Sequence before RADIUS authentication becomes unavailable (when the
maximum number of RADIUS servers is configured)
The Switch can permit authentication using the forced authentication method if a configured
RADIUS server is unavailable. For more details, see 5.4.6 Forced authentication common to all
authentication modes.
5.3.2 Dead-interval functionality of RADIUS server communication
RADIUS authentication on the Switch determines the effective RADIUS server when a RADIUS
authentication request is triggered by receiving a frame from a terminal subject to authentication.
Subsequent terminals always use that effective RADIUS server. This method shortens the time
to authentication, but when RADIUS servers are used in a load-distributed structure and a
failure occurs on a RADIUS server, the load-distributed state cannot be restored automatically.
The Switch supports the dead-interval functionality, provided by a monitoring timer, as a
method of automatic recovery to the first RADIUS server. The RADIUS servers used by this
functionality are as follows:
• Primary RADIUS server: The first effective RADIUS server
• Secondary RADIUS server: The second effective RADIUS server
• Current server: The RADIUS server in operation as the authentication request destination
The following figure shows the sequence of recovery to the primary RADIUS server. The
command names used in the explanation below are those for MAC-based authentication
RADIUS servers.
Figure 5-13: Sequence of recovery to the primary RADIUS server (1)
1. The RADIUS authentication request starts, using the primary RADIUS server#1 as the
   current server.
2. A failure occurs in the primary RADIUS server. The Switch switches to the next effective
   server (secondary RADIUS server).
3. The monitoring timer starts as soon as the current server switches to the secondary
   RADIUS server.
4. Authentication fails#2 if an authentication request cannot be sent to the last effective
   RADIUS server. Using this status as the current server#3, the monitoring timer starts#4 (if
   the timer has already started, the timer continues).
5. When the monitoring timer expires, the current server recovers to the primary RADIUS
   server.
6. Even if the recovery to the primary RADIUS server occurs after the monitoring timer
   expires, if the primary RADIUS server has not recovered from the failure, the effective
   RADIUS server is selected again. As soon as the current server switches to the secondary
   RADIUS server, the monitoring timer restarts.
#1
  A RADIUS server configured using the mac-authentication radius-server host
  configuration command is effective when one of the following conditions is met:
  • The key parameter of mac-authentication radius-server host has been
    configured.
  • Even though the key parameter of mac-authentication radius-server host has
    not been configured, the radius-server key parameter has been configured.
  A RADIUS server that has not met any of the conditions above is disabled and, even
  if it was configured first, it does not become the primary RADIUS server.
#2
  When the login security functionality is used, authentication fails.
  When a Layer 2 authentication method is used, either forced authentication is
  performed or authentication fails. For forced authentication common to the Layer 2
  authentication methods, see 5.4.6 Forced authentication common to all authentication
  modes. For individual use, see the description of each authentication method.
#3
  The show radius-server operation command displays * hold down.
#4
  The Switch decides that authentication has failed (forced authentication or
  authentication of a Layer 2 authentication method failed) without sending an
  authentication request to a RADIUS server until the monitoring timer expires. (If the
  mac-authentication radius-server dead-interval 0 configuration
  command has been configured, the primary RADIUS server is restored without
  starting the monitoring timer.)
Once the monitoring timer starts, it will not be reset before expiration, in principle.
As shown below, after the monitoring timer starts in an environment in which three or more
RADIUS servers are configured, when the current server switches to another RADIUS server,
the monitoring timer continues until expiry without being reset.
The following figure shows the sequence with three or more RADIUS servers configured.
Figure 5-14: Sequence of recovery to the primary RADIUS server (2)
As exceptions, the monitoring timer is reset before it expires in the following cases:
• When mac-authentication dead-interval 0 is configured using the configuration
  command
• When the information of the RADIUS server operating as the current server is deleted using
  the mac-authentication radius-server host configuration command
• When the clear radius-server operation command is executed
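The server selection sequence of 5.3.1 (4), the worst-case time formula of 5.3.1 (5) and the monitoring timer sequence of this section, combined into one state machine that can be stepped through with a set of reachable servers per request. This is an added example, not code from the manual or from ALAXALA; the class and method names, the time unit (seconds) and the choice of what dead-interval 0 does immediately after a switch to a secondary server (the model returns to the primary server at once, since the page only states that the primary server is restored without the timer starting) are assumptions made for the illustration. What it shows beyond the prose is the hold-down caveat: once the last effective server has failed, every request fails without any packet being sent until the timer expires, even if the servers are back.

```python
"""Model of RADIUS server selection and the dead-interval monitoring timer
(5.3.1 (4), (5) and 5.3.2).

Added example, not ALAXALA code.  Servers are tried in order, the current
server switches to the first one that answers, the monitoring timer starts
on the first switch away from the primary server and is not restarted
before expiry, the last failure puts the client in hold down, and expiry
recovers the primary server.  Names and the dead-interval 0 behaviour after
a switch to a secondary server are assumptions made for this illustration.
"""


class RadiusClient:
    def __init__(self, servers, timeout=5, retransmit=3, dead_interval=600):
        self.servers = list(servers)        # effective servers, primary first
        self.timeout = timeout              # response timeout (page default 5 s)
        self.retransmit = retransmit        # number of retries (page default 3)
        self.dead_interval = dead_interval  # monitoring timer in seconds; 0 = no timer
        self.current = 0                    # index of current server; None = hold down
        self.timer_expires = None           # absolute expiry time; None = not running

    def per_server_time(self):
        """Worst-case wait for one unreachable server: first try plus retries."""
        return self.timeout * (1 + self.retransmit)

    def max_unavailable_time(self):
        """Formula of 5.3.1 (5): per-server time x number of configured servers."""
        return self.per_server_time() * len(self.servers)

    def status(self):
        """What the page says show radius-server displays while in hold down."""
        return "* hold down" if self.current is None else self.servers[self.current]

    def _start_timer(self, now):
        if self.dead_interval == 0:
            # dead-interval 0: the primary server is restored without a timer.
            # Assumption: this also applies right after a switch to a secondary.
            self.current = 0
        elif self.timer_expires is None:
            # A running timer is never restarted before expiry (Figure 5-14).
            self.timer_expires = now + self.dead_interval

    def _expire_timer(self, now):
        if self.timer_expires is not None and now >= self.timer_expires:
            self.timer_expires = None
            self.current = 0            # recovery to the primary server

    def clear_radius_server(self):
        """clear radius-server: reset the timer and return to the primary server."""
        self.timer_expires = None
        self.current = 0

    def authenticate(self, now, reachable):
        """Handle one authentication request at time `now`.

        `reachable` is the set of servers that would answer.  Returns
        (result, server used or None, seconds spent waiting for timeouts).
        """
        self._expire_timer(now)
        if self.current is None:
            # Hold down (#4): fail without sending a request until expiry.
            return "fail", None, 0
        elapsed = 0
        for idx in range(self.current, len(self.servers)):
            server = self.servers[idx]
            if server in reachable:
                if idx != self.current:
                    self.current = idx                 # the current server switches
                    self._start_timer(now + elapsed)   # and the timer starts once
                return "ok", server, elapsed
            elapsed += self.per_server_time()          # timeout x (1 + retries)
        # Not even the last effective server answered (#2, #3).
        self.current = None
        self._start_timer(now + elapsed)
        return "fail", None, elapsed
```

With three servers and the defaults, max_unavailable_time() is 60 seconds; stepping a client through a failure of S1, then S2, then S3 shows the timer value set on the first switch staying unchanged through the later switches, and a request arriving during hold down failing with zero seconds spent.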
5.3.3 Configuring the priority for device default local authentication and RADIUS authentication
The device default configured as described in 5.2 Authentication method group can be set in the
configuration for the local authentication method, or the RADIUS authentication method, or
both. When configured for both, the second specified method is used for authentication if the
first specified method fails.
The following table shows the supported range of priority settings for local authentication
methods and RADIUS authentication methods.
Table 5-10: Supported range of priority settings for local authentication methods and
RADIUS authentication method
Authentication method | Authentication mode | Local authentication | RADIUS authentication | Priority configuration
IEEE 802.1X | Port-based authentication (static) | N | Y | N
IEEE 802.1X | Port-based authentication (dynamic) | N | Y | N
IEEE 802.1X | VLAN-based authentication (dynamic) | N | Y | N
Web authentication | Fixed VLAN mode | Y | Y | Y
Web authentication | Dynamic VLAN mode | Y | Y | Y
Web authentication | Legacy mode | Y | Y | Y
MAC-based authentication | Fixed VLAN mode | Y | Y | Y
MAC-based authentication | Dynamic VLAN mode | Y | Y | Y
MAC-based authentication | Legacy mode | Y | Y | Y
Legend
Y: Supported
N: Not supported
The following figure shows the relations among authentication method configuration types and
authentication results.
Figure 5-15: Relations among authentication method configuration types and
authentication results
For details on authentication method configurations, see the following:
• IEEE 802.1X: 7.2.1 Configuring the authentication method group and RADIUS server
  information
• Web authentication: 9.2.1 Authentication method group and RADIUS server information
  configuration
• MAC-based authentication: 11.2.1 Configuring the authentication method group and
  RADIUS server information
5.3.4 RADIUS account functionality
(1) Overview
The Switch supports account functionality that uses RADIUS servers (RADIUS account
functionality).
The RADIUS account functionality of the Switch is used only for Layer 2 authentication
methods. The following table shows the functionality supported by the RADIUS account
functionality.
Table 5-11: Functionality supported by the RADIUS account functionality
Target functionality | Account method group: Switch default | Account method group: Account method list | Issuing timing: start-stop | Issuing timing: stop-only | Accounting server type: group radius
Login | N | N | N | N | N
IEEE 802.1X | Y | N | Y | N | Y
Web authentication | Y | N | Y | N | Y
MAC-based authentication | Y | N | Y | N | Y
Legend
Y: Supported
N: Not supported
(2) Destination of accounting information
Accounting information is sent to a RADIUS server operating as the device default of the
authentication method (authentication RADIUS server or general RADIUS server). It is not
applied to a RADIUS server group. Therefore, even when authentication is performed by a
RADIUS server group using the port-based authentication method or the Web-based user
ID-based authentication method, accounting information is sent to the authentication RADIUS
server or the general RADIUS server. In addition, for local authentication, the information is
sent to the authentication RADIUS server or the general RADIUS server.
The following figure shows the selection of the RADIUS server that is the destination of
accounting information.
Figure 5-16: Selection of the RADIUS server that is the destination of accounting
information
When both authentication for the authentication RADIUS server and the general RADIUS
server are configured, the information is sent to the authentication RADIUS server.
(3) Selection and recovery of a RADIUS server
If the switch cannot verify whether accounting information has been sent to the RADIUS server,
it selects a destination RADIUS server in sequence in the same way as for RADIUS
authentication. As soon as the switch confirms that the information has been successfully
received, the current server information is switched and the auto recovery period (dead-interval
timer) starts.
The dead-interval timer value is the same value as the one configured for RADIUS
authentication. However, the dead-interval timer for RADIUS authentication and the RADIUS
accounting functionality are started and controlled separately on the Switch. The same
sequences are used for dead-interval timer counts and recovery as for RADIUS authentication.
When the dead-interval timer in use is reset (the current server returns to the default) using the
clear radius-server operation command, the dead-interval timers for RADIUS
authentication and the RADIUS account functionality are reset simultaneously.
(4) RADIUS attributes
For more details about RADIUS attributes with this functionality, see the description for each
authentication method:
• IEEE 802.1X: 6.7 Preparation
• Web authentication: 8.6 Preparation, 8.6.2 For RADIUS authentication
• MAC-based authentication: 10.6 Preparation, 10.6.2 RADIUS authentication
5.4 Functionality common to all Layer 2 authentication methods
This section describes the functionality used in common by all Layer 2 authentication methods.
• Permitting communication by unauthenticated terminals (authentication IPv4 access lists)
• Specifying VLAN accommodation by VLAN name
• Auto MAC VLAN assignment
• Auto authentication mode accommodation at the same MAC port
• Authenticating tagged frames on a MAC port
• Common forced authentication
5.4.1 Permitting communication by unauthenticated terminals (Authentication IPv4 access list)
When an external DHCP server or domain server is used with the following functionality and
authentication modes, a frame must be passed before authentication:
• IEEE 802.1X: Port-based authentication (static), port-based authentication (dynamic)
• Web authentication: fixed VLAN mode, dynamic VLAN mode
• MAC-based authentication: fixed VLAN mode, dynamic VLAN mode
You can send specific frames beyond the Switch from unauthenticated terminals by using the
authentication ip access-group configuration command to configure the authentication
IPv4 access list for a port subject to any of the above authentication methods.
Figure 5-17: Before and after the authentication IPv4 access list is used
The authentication IPv4 access list differs from standard access lists (such as those configured by the ip access-group configuration command) in that the filtering conditions no longer apply after authentication. Note that the filtering conditions defined in the standard access lists take precedence over those in an authentication IPv4 access list. If you configure a standard access list and an authentication IPv4 access list for an authenticating port, the filtering conditions in the standard access list will apply before and after authentication. For this reason, make sure that you include the filtering conditions of the authentication IPv4 access list in the standard access list.
Note the following when using the authentication ip access-group configuration command:
• You can only specify one authentication IPv4 access list. When using the authentication ip access-group configuration command, make sure that you configure the same settings for each port where authentication will take place.
• Frames that match none of the configured conditions are implicitly discarded.
• Configure the authentication arp-relay command to pass ARP frames sent from terminals before authentication.
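The precedence rule above (the standard access list applies before and after authentication, so it must include every condition of the authentication IPv4 access list) can be checked mechanically. The following Python script is an added example and is not part of the manual or of the Switch's software: it parses entries written in the syntax of the 5.5.2 example and reports the authentication-list permits that a standard list would drop. The standard-list contents, the service-name table and the first-match-with-implicit-deny evaluation are assumptions made for this example.

```python
"""Added example (not from the manual): checks that a standard IPv4 access list
(ip access-group) still permits everything the authentication IPv4 access list
(authentication ip access-group) allows for unauthenticated terminals, because
the standard list stays in effect before and after authentication (5.4.1).

Entry syntax follows the manual's 5.5.2 example: permit/deny, a protocol,
source, destination and an optional "eq <port>". The ACL contents below are
constructed for this example; the check is deliberately conservative."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Service names used in the manual's example, plus "domain" for DNS (assumed table).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" (any protocol), "udp" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None    # None means any destination port


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY_NET
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one entry such as 'permit udp any any eq bootps'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Rule(action, proto, src, dst, port)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (outer.proto in ("ip", inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dst_port in (None, inner.dst_port))


def _overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (None in (a.dst_port, b.dst_port) or a.dst_port == b.dst_port))


def uncovered_permits(auth_acl: List[Rule], std_acl: List[Rule]) -> List[Rule]:
    """Return the authentication-ACL permits that the standard ACL does not
    fully permit. The standard ACL is evaluated first-match-wins with an
    implicit deny at the end; a permit must cover the whole authentication
    rule, and an earlier overlapping deny is treated as a gap."""
    gaps = []
    for rule in auth_acl:
        if rule.action != "permit":
            continue
        permitted = False
        for std in std_acl:
            if std.action == "permit" and _covers(std, rule):
                permitted = True
                break
            if std.action == "deny" and _overlaps(std, rule):
                break
        if not permitted:
            gaps.append(rule)
    return gaps


def describe(rule: Rule) -> str:
    port = f" eq {rule.dst_port}" if rule.dst_port is not None else ""
    return f"{rule.action} {rule.proto} {rule.src} {rule.dst}{port}"


# The authentication IPv4 access list of the 5.5.2 example (L2-auth).
AUTH_ACL = parse_acl("""
permit udp any any eq bootps
permit ip any host 10.0.0.1
""")
# Constructed standard ACL: DNS is only allowed over TCP, so the DNS server
# entry of L2-auth is not covered and the implicit deny drops UDP DNS.
WEAK_STANDARD_ACL = parse_acl("""
permit udp any any eq bootps
permit tcp any host 10.0.0.1 eq domain
permit ip 192.168.10.0/24 any
""")
# Constructed corrected standard ACL that includes the L2-auth conditions.
FIXED_STANDARD_ACL = parse_acl("""
permit udp any any eq bootps
permit ip any host 10.0.0.1
permit ip 192.168.10.0/24 any
""")

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_STANDARD_ACL), ("fixed", FIXED_STANDARD_ACL)):
        print(name, [describe(r) for r in uncovered_permits(AUTH_ACL, acl)])
```

The check only confirms that a single permit entry of the standard list is at least as broad as each authentication-list entry; it does not try to prove that several narrower permits add up to full coverage, so a reported gap may occasionally be a false alarm, but an empty result is reliable.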
5.4.2 Specifying VLAN accommodation by VLAN name
You can specify, by name, the VLAN to be accommodated in dynamic VLAN mode for each
authentication method. The VLAN name is specified using the name configuration command of
the VLAN interface. By setting the specified VLAN name in a RADIUS server, you can use the
VLAN name to control the VLANs accommodated in dynamic VLAN mode.
The following table shows this VLAN name functionality and the possible authentication
modes.
Table 5-12: VLAN authentication modes supporting the VLAN name specification
Authentication method | Authentication mode | Supported/Not supported | Remarks
IEEE 802.1X | Port-based authentication (static) | N | Fixed VLAN mode
IEEE 802.1X | Port-based authentication (dynamic) | Y | Dynamic VLAN mode
IEEE 802.1X | VLAN-based authentication (dynamic) | Y | Legacy mode
Web authentication | Fixed VLAN mode | N |
Web authentication | Dynamic VLAN mode | Y |
Web authentication | Legacy mode | Y |
MAC-based authentication | Fixed VLAN mode | N |
MAC-based authentication | Dynamic VLAN mode | Y |
MAC-based authentication | Legacy mode | Y |
Legend
Y: Supported
N: Not supported
For RADIUS server configuration, see Preparing a RADIUS server in the description of each
authentication method in Preparation.
5.4.3 Auto MAC VLAN assignment
The Switch can automatically assign authenticated VLANs that accommodate ports subject to authentication. Auto assignment is performed based on the following authentication results:
• When an authenticated VLAN is specified by an internal authentication database after successful local authentication
• When an authenticated VLAN is specified using RADIUS attributes after successful RADIUS authentication
• When an authenticated VLAN has been configured at forced authentication
Auto MAC VLAN assignment and cancellation depend on whether a VLAN has been configured after the above authentication, and follow the status of the authenticated terminals of the port. The following table shows the conditions of auto VLAN assignment and cancellation.
Table 5-13: Conditions of auto VLAN assignment and cancellation
VLAN configuration after authentication | Device's VLAN configuration (mac-based) | Port's MAC VLAN configuration | Port's authenticated terminal configuration | Auto VLAN assignment and cancellation | Remarks
Configured | Configured | Not configured | Not configured -> Configured | Y1 | (1)(2)#1
Configured | Configured | Not configured | Configured -> Not configured | Y2 | (1)(2)#1
Configured | Configured | Not configured -> Configured | -- | Y2 | #2
Configured | Configured | Configured -> Not configured | Configured | Y1 |
Configured | Configured | Configured | -- | N |
Configured | Not configured | -- | -- | N |
Configured | Configured -> Not configured | -- | Configured -> Not configured | Y2 | (3)#1
Legend
Y1: Allocates the VLAN.
Y2: Cancels the assigned VLAN.
N: Does not allocate the VLAN.
--: Both are OK.
#1
Conditions under which automatically assigned VLANs are deleted are as follows:
• When there is no authenticated terminal in the VLAN of the corresponding port ((1)(2) in the above table)
• When all authenticated terminals of the corresponding port are canceled due to the corresponding port being in a link-down state ((1)(2) in the above table)
• When all authenticated terminals are canceled because the VLAN configuration is deleted ((3) in the above table)
#2
When you configure a VLAN for a port using the switchport mac vlan configuration command, automatically assigned VLANs are canceled. However, authenticated terminals follow the configuration, so authentication is not canceled.
The following table shows the authentication modes supporting this functionality.
Table 5-14: Authentication modes supporting auto VLAN assignment
Authentication method | Authentication mode | Supported/Not supported | Remarks
IEEE 802.1X | Port-based authentication (static) | N | Fixed VLAN mode
IEEE 802.1X | Port-based authentication (dynamic) | Y | Dynamic VLAN mode
IEEE 802.1X | VLAN-based authentication (dynamic) | N | Legacy mode
Web authentication | Fixed VLAN mode | N |
Web authentication | Dynamic VLAN mode | Y |
Web authentication | Legacy mode | N |
MAC-based authentication | Fixed VLAN mode | N |
MAC-based authentication | Dynamic VLAN mode | Y |
MAC-based authentication | Legacy mode | N |
Legend
Y: Supported
N: Not supported
(1) Handling automatically assigned VLANs
The Switch handles automatically assigned VLANs as described below.
When interoperating with the following functionality, automatically assigned VLANs work based on each functionality:
• Spanning tree
• Uplink redundancy
• L2 loop detection functionality
• DHCP snooping (including dynamic ARP inspection functionality)
5.4.4 Auto authentication mode accommodation at the same MAC port
In the Switch, fixed VLAN mode and dynamic VLAN mode can be used at the same MAC port. When untagged frames are received from a terminal subject to authentication, the Switch automatically controls the terminal subject to authentication as one in fixed VLAN mode or dynamic VLAN mode according to the accommodated VLANs determined by the authentication results.
The following table shows the authentication modes supporting this functionality.
Table 5-15: Authentication modes supporting auto authentication mode accommodation at a single MAC port
Authentication method | Authentication mode | Supported/Not supported | Remarks
IEEE 802.1X | Port-based authentication (static) | Y | Fixed VLAN mode
IEEE 802.1X | Port-based authentication (dynamic) | Y | Dynamic VLAN mode
IEEE 802.1X | VLAN-based authentication (dynamic) | N | Legacy mode
Web authentication | Fixed VLAN mode | Y |
Web authentication | Dynamic VLAN mode | Y |
Web authentication | Legacy mode | N |
MAC-based authentication | Fixed VLAN mode | Y |
MAC-based authentication | Dynamic VLAN mode | Y |
MAC-based authentication | Legacy mode | N |
Legend
Y: Supported
N: Not supported
(1) Auto authentication mode accommodation at RADIUS authentication
In RADIUS authentication, the terminal authentication mode is determined depending on the
RADIUS attributes of Access-Accept received from the RADIUS server. The target RADIUS
attributes are Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID
when Access-Accept is received from the RADIUS server.
The following table shows the behavior based on combinations of RADIUS attributes when
Access-Accept is received.
Table 5-16: Actions based on combinations of RADIUS attributes when Access-Accept is received
Tunnel-Type | Tunnel-Medium-Type | Tunnel-Private-Group-ID | Authentication action | Terminal authentication mode state
None | None | None | Accommodated in the native VLAN as the post-authentication VLAN | Fixed VLAN mode
VLAN(13) | IEEE-802(6) | Based on Table 5-17 | Based on Table 5-17 | Based on Table 5-17
Combinations other than above | | | Authentication failed | Authentication failed
Table 5-17: Actions corresponding to Tunnel-Private-Group-ID at RADIUS authentication
Tunnel-Private-Group-ID contents | Compared with VLAN of an authentication port | Authentication action | Terminal authentication mode state | FDB# registration | MAC VLAN registration
None or blank | -- | Accommodated in the native VLAN as the post-authentication VLAN | Fixed VLAN mode | Registered | Unregistered
Numeric value | Same as a MAC VLAN | Accommodated in the matched MAC VLAN as the post-authentication VLAN | Dynamic VLAN mode | Registered | Registered
Numeric value after the string VLAN | Same as a MAC VLAN | Accommodated in the matched MAC VLAN as the post-authentication VLAN | Dynamic VLAN mode | Registered | Registered
VLAN name | Same as a MAC VLAN | Accommodated in the matched MAC VLAN as the post-authentication VLAN | Dynamic VLAN mode | Registered | Registered
Other than above | -- | Authentication failed | Authentication failed | Unregistered | Unregistered
Legend
--: Does not depend on the contents
#
FDB: Indicates the MAC address table
• The MAC address of a terminal accommodated in fixed VLAN mode is registered in the MAC address table as an authentication entry.
• The MAC address of a terminal accommodated in dynamic VLAN mode is registered in the MAC address table and MAC VLAN table as an authentication entry.
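As an added example (not from the manual), the decision of Tables 5-16 and 5-17 written out in Python, together with the VLAN-name resolution notes given later in 5.5.3 (a duplicated name resolves to the smallest VLAN ID; a name beginning with digits is read as a VLAN ID). The constants VLAN(13) and IEEE-802(6) are the attribute values the page names; the port's MAC VLAN table, its native VLAN, the attribute dictionaries and the function names decide and resolve_group_id are constructed for this example and are not the Switch's internal API.

```python
"""Added example (not from the manual): the Access-Accept handling of
Tables 5-16 and 5-17 as a function. Tunnel-Type=VLAN(13) and
Tunnel-Medium-Type=IEEE-802(6) are the values named on the page; the port
definition and attribute sets below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN(13)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802(6)


@dataclass
class MacPort:
    """MAC VLANs that exist on the Switch (vlan <id> mac-based), each with the
    name set by the name command or None, plus the port's native VLAN."""
    mac_vlans: Dict[int, Optional[str]]
    native_vlan: int


@dataclass
class Decision:
    mode: str                  # "fixed", "dynamic" or "failed"
    vlan: Optional[int]        # VLAN the terminal is accommodated in
    fdb_registered: bool       # MAC address table entry (Table 5-17 "FDB")
    mac_vlan_registered: bool  # MAC VLAN table entry


def resolve_group_id(group_id: str, port: MacPort) -> Optional[int]:
    """Map a non-blank Tunnel-Private-Group-ID to a MAC VLAN of the port.
    Accepted forms (Table 5-17): '400', 'VLAN400', or a VLAN name."""
    text = group_id.strip()
    if text.upper().startswith("VLAN") and text[4:].isdigit():
        text = text[4:]
    leading = re.match(r"\d+", text)
    if leading:
        # Leading digits are taken as the VLAN ID (5.5.3 Notes), so a name
        # such as '10thFloor' is looked up as VLAN 10 and normally fails.
        vid = int(leading.group())
        return vid if vid in port.mac_vlans else None
    # A duplicated VLAN name resolves to the smallest VLAN ID (5.5.3 Notes).
    matches = [vid for vid, name in port.mac_vlans.items() if name == text]
    return min(matches) if matches else None


def decide(attrs: Dict[str, object], port: MacPort) -> Decision:
    """Apply Table 5-16, then Table 5-17, to the attributes of an Access-Accept."""
    t_type = attrs.get("Tunnel-Type")
    t_medium = attrs.get("Tunnel-Medium-Type")
    group_id = attrs.get("Tunnel-Private-Group-ID")
    failed = Decision("failed", None, False, False)
    fixed = Decision("fixed", port.native_vlan, True, False)

    if t_type is None and t_medium is None and group_id is None:
        return fixed                  # no VLAN attributes: native VLAN, fixed VLAN mode
    if t_type != TUNNEL_TYPE_VLAN or t_medium != TUNNEL_MEDIUM_IEEE_802:
        return failed                 # "combinations other than above"
    if group_id is None or str(group_id).strip() == "":
        return fixed                  # Group-ID none or blank
    vid = resolve_group_id(str(group_id), port)
    if vid is None:
        return failed                 # no matching MAC VLAN on the authentication port
    return Decision("dynamic", vid, True, True)


# Constructed port: the VLAN names of the 5.5.3 example, plus VLAN 420 reusing
# the GroupA-Network name to show duplicate-name resolution.
PORT = MacPort(
    mac_vlans={50: "Keneki-Network", 400: "GroupA-Network",
               410: "GroupB-Network", 420: "GroupA-Network"},
    native_vlan=30,
)

if __name__ == "__main__":
    for gid in ("400", "VLAN410", "GroupA-Network", "10thFloor", ""):
        attrs = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                 "Tunnel-Private-Group-ID": gid}
        print(repr(gid), decide(attrs, PORT))
```

The dynamic-mode result registers the terminal in both the MAC address table and the MAC VLAN table, the fixed-mode result only in the MAC address table, matching the two bullets above.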
(2) Auto authentication mode accommodation at local authentication
In local authentication, the terminal authentication mode is determined depending on the VLAN
results of the built-in authentication database.
Table 5-18: Actions based on the VLAN results for local authentication
Authentication result VLAN | Compared with VLAN of an authentication port | Authentication action | Terminal authentication mode state | FDB# registration | MAC VLAN registration
None or blank | -- | Accommodated in the native VLAN as the post-authentication VLAN | Fixed VLAN mode | Registered | Unregistered
Exist | Same as a MAC VLAN | Accommodated in the matched MAC VLAN as the post-authentication VLAN | Dynamic VLAN mode | Registered | Registered
Exist | Other than above | Authentication failed | Authentication failed | Unregistered | Unregistered
Legend
--: Does not depend on the contents
#
FDB: Indicates the MAC address table
5.4.5 Tagged frame authentication on a MAC port (dot1q vlan configuration)
If you use the switchport mac dot1q vlan configuration command for a MAC port, when
tagged frames from a terminal subject to authentication are received, the frames are
authenticated based on fixed VLAN mode. Untagged frames are authenticated based on
dynamic VLAN mode.
Before untagged frames are authenticated, they are accommodated in a native VLAN, and
switched to an authenticated VLAN after authentication is successful.
The following figure shows the operation when dot1q vlan is set for the MAC port.
Figure 5-18: Behavior when dot1q vlan is configured for the MAC port
For behavior of this functionality at a port, see 5.7.2 Interoperability on the same port (4)
Interoperability of dynamic VLAN mode and fixed VLAN mode on the same port.
5.4.6 Forced authentication common to all authentication modes
Forced authentication common to all authentication modes is enabled by using the authentication force-authorized enable configuration command.
This functionality works when either of the following conditions is met:
• When only RADIUS authentication is configured as the authentication method for each type of authentication method. (This is disabled if priority is set for RADIUS authentication and local authentication.)
• When the Switch cannot send a request to the configured RADIUS server
The following table describes the authentication modes that support forced authentication.
Table 5-19: Support for forced authentication common to all authentication modes
Authentication method | Authentication mode | Operation of forced authentication
IEEE 802.1X | Port-based authentication (static) | Y
IEEE 802.1X | Port-based authentication (dynamic) | Y
IEEE 802.1X | VLAN-based authentication (dynamic) | N
Web authentication | Fixed VLAN mode | Y
Web authentication | Dynamic VLAN mode | Y
Web authentication | Legacy mode | N
MAC-based authentication | Fixed VLAN mode | Y
MAC-based authentication | Dynamic VLAN mode | Y
MAC-based authentication | Legacy mode | N
Legend
Y: Supported
N: Not supported
(1) Behavior from the start of a RADIUS authentication request to permission for forced authentication
Forced authentication is permitted within the period from the start of the authentication request to timeout of all RADIUS servers registered in the Switch.
Figure 5-19: Sequence before permission of forced authentication (when the maximum number of RADIUS servers is configured)
Each authentication-requesting terminal requires time before permission for forced authentication in the sequence above. The number of retries by a RADIUS server, as well as the IP addresses, can be configured using each configuration command of the general RADIUS server information and authentication RADIUS server information. For details, see 5.3.1 RADIUS server information used with the Layer 2 authentication method.
If a request failed to be sent to a RADIUS server or there was no response from the RADIUS server, each authentication method collects the account log data shown in the table below.
Table 5-20: Account logs collected by each authentication method
IEEE 802.1X
• No=82
WARNING:SYSTEM: (additional information) Failed to connect to RADIUS server.
Additional information: IP
You can view the account log by using the show dot1x logging operation command.
Web authentication
• No=21
NOTICE:LOGIN: (additional information) Login failed ; Failed to connection to RADIUS server.
Additional information: MAC, USER, IP, PORT, VLAN
You can view the account log by using the show web-authentication logging operation command.
MAC-based authentication
• No=21
NOTICE:LOGIN: (additional information) Login failed ; Failed to connection to RADIUS server
Additional information: MAC, PORT, VLAN
You can view the account log by using the show mac-authentication logging operation command.
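Because the messages in Table 5-20 mark the periods in which forced authentication can admit terminals without a RADIUS decision, an operator reviewing the three account logs will want to find them quickly. The Python below is an added example, not from the manual, that scans log text for these messages and summarizes the ports and servers involved. Only the message numbers and message texts come from the table; the KEY=value layout of the additional information, the addresses, user name and port numbers in the sample lines are constructed and are not the Switch's exact output format.

```python
"""Added example (not from the manual): scans the account logs of the three
Layer 2 authentication methods for the "Failed to connect to RADIUS server"
messages of Table 5-20 and summarizes the ports and RADIUS servers involved.

Message numbers and texts follow Table 5-20. The KEY=value layout of the
additional information and all addresses and ports are constructed for this
example and are not the Switch's exact output format."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# IEEE 802.1X says "Failed to connect", Web/MAC-based "Failed to connection".
RADIUS_FAIL_RE = re.compile(r"Failed to connect(?:ion)? to RADIUS server")
NO_RE = re.compile(r"No=(\d+)")
FIELD_RE = re.compile(r"\b(MAC|USER|IP|PORT|VLAN)=(\S+)")   # assumed layout


class FailEvent(NamedTuple):
    method: str             # "dot1x", "web-auth" or "mac-auth"
    no: int                 # message number from Table 5-20
    fields: Dict[str, str]  # additional information, keyed by name


def parse_method_log(method: str, text: str) -> List[FailEvent]:
    """Keep only the RADIUS-unreachable messages of one method's log."""
    events = []
    for line in text.splitlines():
        if not RADIUS_FAIL_RE.search(line):
            continue
        number = NO_RE.search(line)
        events.append(FailEvent(method,
                                int(number.group(1)) if number else -1,
                                dict(FIELD_RE.findall(line))))
    return events


def summarize(events: List[FailEvent]) -> Dict[str, object]:
    """Count failures per method, list affected ports and, for IEEE 802.1X
    (whose IP information is taken here to be the server address), the
    RADIUS servers that could not be reached."""
    return {
        "per_method": dict(Counter(e.method for e in events)),
        "radius_servers": sorted({e.fields["IP"] for e in events
                                  if e.method == "dot1x" and "IP" in e.fields}),
        "ports": sorted({e.fields["PORT"] for e in events if "PORT" in e.fields}),
    }


# Constructed sample output, one block per "show ... logging" command.
DOT1X_LOG = """\
No=82 WARNING:SYSTEM: IP=192.168.200.11 Failed to connect to RADIUS server.
No=82 WARNING:SYSTEM: IP=192.168.200.12 Failed to connect to RADIUS server.
"""
WEB_AUTH_LOG = """\
No=21 NOTICE:LOGIN: MAC=00-12-e2-00-00-01 USER=user01 IP=10.1.1.21 PORT=0/5 VLAN=30 Login failed ; Failed to connection to RADIUS server.
"""
MAC_AUTH_LOG = """\
No=21 NOTICE:LOGIN: MAC=00-12-e2-00-00-02 PORT=0/1 VLAN=20 Login failed ; Failed to connection to RADIUS server
"""


def radius_failure_report() -> Dict[str, object]:
    events = (parse_method_log("dot1x", DOT1X_LOG)
              + parse_method_log("web-auth", WEB_AUTH_LOG)
              + parse_method_log("mac-auth", MAC_AUTH_LOG))
    return summarize(events)


if __name__ == "__main__":
    print(radius_failure_report())
```

The ports listed in the report are the ones on which forced authentication may have accommodated terminals; the server list shows which of the configured RADIUS servers were unreachable during the sequence of Figure 5-19.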
(2) Configuration for forced authentication to work
You need to enable the forced authentication method common to all authentication modes for
these modes to work, and configure the following authentication settings.
Table 5-21: Configuration for forced authentication to work
IEEE 802.1X
IEEE 802.1X common:
aaa authentication dot1x #1
dot1x radius-server host or radius-server host
dot1x system-auth-control
Port-based authentication (static):
dot1x port-control auto
switchport mode access
dot1x authentication #2
Port-based authentication (dynamic):
vlan <VLAN-ID> mac-based
dot1x port-control auto
switchport mode mac-vlan
dot1x authentication #2
VLAN-based authentication (dynamic):
N
Web authentication
Web authentication common:
aaa authentication web-authentication #1
web-authentication radius-server host or radius-server host
web-authentication system-auth-control
web-authentication port
web-authentication user-group #3
Fixed VLAN mode:
web-authentication authentication #2
Dynamic VLAN mode:
vlan <VLAN-ID> mac-based
switchport mode mac-vlan
web-authentication authentication #2
Legacy mode:
N
MAC-based authentication
MAC-based authentication common:
aaa authentication mac-authentication #1
mac-authentication radius-server host or radius-server host
mac-authentication system-auth-control
mac-authentication port
Fixed VLAN mode:
mac-authentication authentication #2
Dynamic VLAN mode:
vlan <VLAN-ID> mac-based
switchport mode mac-vlan
mac-authentication authentication #2
Legacy mode:
N
Legend
- : No required configuration specific to authentication mode
N: Forced authentication common to all authentication modes is not supported
#1
Configure only default group radius when forced authentication is used with the
Switch default.
Configure <list-name> group <group-name> when the port-based authentication
method or user ID-based authentication method is used.
#2
Configure this when the port-based authentication method is used.
#3
Configure this when the user ID-based authentication method is used.
(3) Accommodated VLAN by forced authentication
You can configure VLAN accommodation in dynamic VLAN mode by using the authentication force-authorized vlan configuration command.
If this configuration command is omitted, the target terminal is accommodated in the native VLAN and handled as one in fixed VLAN mode.
A terminal already accommodated in a VLAN by forced authentication before this command is configured stays in that VLAN until its next authentication, even after the configuration is changed.
(4) Interoperability of this functionality and forced authentication of each authentication method
This functionality and forced authentication of each authentication method are not interoperable.
Configure only one.
Table 5-22: Common to all authentication modes and forced authentication configuration
Forced authentication configuration (authentication force-authorized enable) | VLAN configuration to accommodate at forced authentication (authentication force-authorized vlan) | Forced authentication of each authentication method (see Table 5-23)
Configured | Not configured | N
Configured | Configured | N
Not configured | Not configured | Y
Not configured | Configured | N
Legend
Y: Supported
N: Not supported
Table 5-23: Non-interoperable forced authentication configuration
Authentication method | Configuration command
IEEE 802.1X | dot1x force-authorized
IEEE 802.1X | dot1x force-authorized vlan
Web authentication | web-authentication static-vlan force-authorized
Web authentication | web-authentication force-authorized vlan
MAC-based authentication | mac-authentication static-vlan force-authorized
MAC-based authentication | mac-authentication force-authorized vlan
The configurations above are impossible if forced authentication common to all authentication
modes has been configured. If any one of the configurations above has been configured, forced
authentication configuration common to all authentication modes cannot be configured.
(5) Private trap for forced authentication
With forced authentication common to all authentication modes, the private trap for forced
authentication can be issued in an authentication mode corresponding to Table 5-19 Support for
forced authentication common to all authentication modes as soon as specific account log data
(SYSTEM) is logged by each authentication method.
Though the IEEE 802.1X forced authentication configuration does not support specification of
the private trap, it can be issued in forced authentication configuration common to all
authentication modes.
Table 5-24: Account log (SYSTEM) and conditions for issuing a private trap
Authentication method | Authentication mode | Configuration necessary to issue the trap (command, with its parameter)
IEEE 802.1X | Port-based authentication (static) | snmp-server host (parameter: dot1x); authentication force-authorized enable
IEEE 802.1X | Port-based authentication (dynamic) | snmp-server host (parameter: dot1x); authentication force-authorized enable; authentication force-authorized vlan #
IEEE 802.1X | VLAN-based authentication (dynamic) | - (n/a)
Web authentication | Fixed VLAN mode | snmp-server host (parameter: web-authentication); authentication force-authorized enable
Web authentication | Dynamic VLAN mode | snmp-server host (parameter: web-authentication); authentication force-authorized enable; authentication force-authorized vlan #
Web authentication | Legacy mode | - (n/a)
MAC-based authentication | Fixed VLAN mode | snmp-server host (parameter: mac-authentication); authentication force-authorized enable
MAC-based authentication | Dynamic VLAN mode | snmp-server host (parameter: mac-authentication); authentication force-authorized enable; authentication force-authorized vlan #
MAC-based authentication | Legacy mode | - (n/a)
#
If authentication force-authorized vlan has not been configured, control is done
in fixed VLAN mode. For details, see (3) Accommodated VLAN by forced authentication.
5.4.7 Terminal control when authentication fails
The Switch controls up to 256 terminals in MAC address units using information related to authentication-failed terminals in Layer 2 authentication modes. The information is held in the authentication-failed terminal list. You can display this list by using the show authentication fail-list operation command.
Each authentication method registers a terminal in the list when the terminal's authentication failure is confirmed. Processing in case of authentication failure is common to local and RADIUS authentication.
The following table shows processing in case of authentication failure.
Table 5-25: Processing in case of authentication failure
Authentication method | Item | New authentication: Reject | New authentication: Failure other than Reject | Re-authentication: Reject | Re-authentication: Failure other than Reject
IEEE 802.1X | Status of the target terminal in the authentication control table | Held (period specified with quiet-period maintained) | Connecting (waiting for the next authentication) | Held (period specified with quiet-period maintained) | Connecting (waiting for the next authentication)
IEEE 802.1X | Status of the entry for the target terminal in the MAC address table | -- | -- | Deleted | Deleted
IEEE 802.1X | Timing to register in the failed terminal list (fail-list) | Immediately registered in case of failure | Immediately registered in case of failure | Immediately registered in case of failure | Immediately registered in case of failure
Web authentication | Status of the target terminal in the authentication control table | Target entry deleted | Target entry deleted | Authenticated (no period update, leaving the existing entry) | Authenticated (no period update, leaving the existing entry)
Web authentication | Status of the entry for the target terminal in the MAC address table | -- | -- | Remaining registered | Remaining registered
Web authentication | Timing to register in the failed terminal list (fail-list) | Immediately registered in case of failure | Immediately registered in case of failure | Immediately registered in case of failure | Immediately registered in case of failure
MAC-based authentication | Status of the target terminal in the authentication control table | Held (period specified with quiet-period maintained) | Held (period specified with quiet-period maintained) | Held (period specified with quiet-period maintained) | Held (period specified with quiet-period maintained)
MAC-based authentication | Status of the entry for the target terminal in the MAC address table | -- | -- | Deleted | Deleted
MAC-based authentication | Timing to register in the failed terminal list (fail-list) | Registered when quiet-period expires | Registered when quiet-period expires | Registered when quiet-period expires | Registered when quiet-period expires
Legend
--: No entry for a target terminal in the MAC address table because new authentication has failed
5.5 Configuration commands common to all Layer 2 authentication modes
5.5.1 List of configuration commands
This section describes configuration common to all Layer 2 authentication modes.
Table 5-26: List of configuration commands common to all Layer 2 authentication modes and all authentication modes
Command | Description | F | D | L
authentication arp-relay | Forwards, to ports not subject to authentication, ARP frames that were addressed to other devices and that were sent from unauthenticated terminals. | Y | Y | N
authentication ip access-group | Forwards, to ports not subject to authentication, IP frames that were addressed to other devices and that were sent from unauthenticated terminals, if the frames were set by applying the IPv4 access list. | Y | Y | N
authentication force-authorized enable | Enables forced authentication common to all authentication modes. | Y | Y | N
authentication force-authorized vlan | Specifies the post-authenticated VLAN accommodated by sharing of dynamic VLAN mode of the target port. | Y | Y | N
name | Specifies a VLAN name for a VLAN. | -- | Y | Y
Legend
F: Fixed VLAN mode
D: Dynamic VLAN mode
L: Legacy mode
Y: Operates based on the configuration
N: No command can be entered
-- : Outside the scope of 5.4.2 Specifying VLAN accommodation by VLAN name
5.5.2 Configuring the authentication IPv4 access list
This example uses an external DHCP server in Web authentication fixed VLAN mode. For
details about the Web authentication fixed VLAN mode configuration, see 9.3 Fixed VLAN
mode configuration.
Figure 5-20: Example of using an authentication IPv4 access list
Overview
The example below shows how to configure an authentication IPv4 access list that allows
the passing of ARP frames and traffic from unauthenticated terminals to destinations
beyond the Switch. (The configuration necessary for other authentication has been set in
the configuration, and this example displays only the settings used for passage before
authentication.) In this example, a filter and the extended authentication functionality are
assigned.
Configuration command example
1.
(config)# ip access-list extended L2-auth
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# permit ip any host 10.0.0.1
(config-ext-nacl)# exit
(config)# interface fastethernet 0/3
(config-if)# web-authentication port
(config-if)# authentication ip access-group L2-auth
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list that permits unauthenticated terminals to access DHCP frames (bootp) and IP address 10.0.0.1 (DNS server).
Configures the authentication mode setting (web-authentication port) and the access
list name (L2-auth) of conditions for access before authentication, to port 0/3.
Configures ARP frames so that they are passed to devices beyond the Switch.
Notes
1.
Configure any one of the following before configuring an authentication IPv4 access list and passage of ARP frames to a port.
• dot1x port-control auto
• web-authentication port
• mac-authentication port
2.
Delete both of the following commands from the target port before deleting the authentication configuration of the port where an authentication IPv4 access list and passage of ARP frames have been configured.
• authentication arp-relay
• authentication ip access-group
5.5.3 Specifying the VLAN to accommodate by a VLAN name
This example uses the Web authentication dynamic VLAN mode.
Figure 5-21: Example of specifying a VLAN name in dynamic VLAN mode
Overview
The following example configures dynamic VLAN mode and a control name for the VLANs to be accommodated. The control name is set in the RADIUS server to specify the VLAN to be accommodated after authentication.
• VLAN 30: Unauthenticated VLAN
• VLAN 50: Quarantine VLAN
• VLAN 400: Department A network after authentication
• VLAN 410: Department B network after authentication
For other configurations necessary for Web authentication, see 9. Web Authentication
Configuration and Operation.
Configuration command example
1.
(config)# vlan 30,800
(config-vlan)# exit
Configures VLAN ID 30, 800.
2.
(config)# vlan 50 mac-based
(config-vlan)# name Keneki-Network
(config-vlan)# exit
Configures the MAC VLAN and the quarantine VLAN name to VLAN ID 50.
3.
(config)# vlan 400 mac-based
(config-vlan)# name GroupA-Network
(config-vlan)# exit
Configures the MAC VLAN and Department A network VLAN name to VLAN ID 400.
4.
(config)# vlan 410 mac-based
(config-vlan)# name GroupB-Network
(config-vlan)# exit
Configures the MAC VLAN and Department B network VLAN name to VLAN ID 410.
5.
(config)# interface fastethernet 0/5
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 30
Configures port 0/5 as a MAC port. Also, configures a native VLAN30 (unauthenticated
VLAN) of the MAC port. (The authenticated VLAN is assigned as described in 5.4.3 Auto
MAC VLAN assignment.)
6.
(config-if)# web-authentication port
(config-if)# exit
Configures the authentication mode (web-authentication port) to port 0/5.
7.
(config)# interface fastethernet 0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 800
(config-if)# exit
Configures port 0/10 as an access port for VLAN800. Does not configure the
authentication mode because authentication is excluded. Configures it as the port for the
RADIUS server in the figure.
8.
(config)# interface fastethernet 0/12
(config-if)# switchport mode access
(config-if)# switchport access vlan 50
(config-if)# exit
Configures port 0/12 as the access port for VLAN50. Does not configure the authentication
mode because authentication is excluded. Configures it as the port for the quarantine port
in the figure.
Configure the following for the RADIUS server.
• When the quarantine result is NG: Keneki-Network to Tunnel-Group-ID
• When the quarantine result is OK:
  • Switches to VLAN after authentication of Department A: GroupA-Network to Tunnel-Group-ID
  • Switches to VLAN after authentication of Department B: GroupB-Network to Tunnel-Group-ID
In Legacy mode, configure the following instead of steps 5 and 6 in the configuration command example.
• Configuration command example instead of step 5, above
(config)# interface fastethernet 0/5
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac vlan 50,400,410
(config-if)# switchport mac native vlan 30
(config-if)# exit
• Configuration command example instead of step 6, above
(config)# web-authentication vlan 50
(config)# web-authentication vlan 400
(config)# web-authentication vlan 410
Configures VLAN ID 50, 400, 410 as the VLANs after authentication in Legacy mode.
Notes
1.
Be careful of the following when using a VLAN name configured using the name configuration command as a VLAN after RADIUS authentication.
• Configure the VLAN name so that it will not be duplicated for several VLANs. If a VLAN name is duplicated, the smallest VLAN ID is assigned as the VLAN after RADIUS authentication.
• Do not specify digits at the beginning of the VLAN name. Authentication might fail because the digits are recognized as the VLAN ID.
2.
Be careful of the following when assigning the VLAN after authentication using auto VLAN assignment of the MAC VLAN.
• Use the vlan mac-based configuration command to set the VLAN to be notified from the RADIUS server when automatically assigning the VLAN after authentication in dynamic VLAN mode (in this case, configuration using the switchport mac vlan configuration command is unnecessary for a MAC port).
• When there is no auto VLAN assignment information in RADIUS attributes when Accept is received from a RADIUS server, the terminal is accommodated in the native VLAN of the target MAC port. The terminal is handled as authenticated in fixed VLAN mode.
• Legacy mode cannot be used. Set the VLAN after authentication by using the switchport mac vlan configuration command.
5.5.4 Forced authentication configuration common to all authentication modes
Configure the forced authentication method used in all authentication modes.
Overview
The example below configures forced authentication when multistep authentication is used:
• Configure RADIUS authentication as the authentication method for each authentication method.
• Configure multistep authentication for port 0/1.
• Configure the VLAN accommodation at forced authentication.
For other procedures necessary for multistep authentication, see 12. Multistep Authentication.
Configuration command example
1.
(config)# vlan 40,600 mac-based
(config-vlan)# exit
Configures the MAC VLAN to VLAN ID 40 and 600.
2.
(config)# vlan 20
(config-vlan)# exit
Configures VLAN ID 20.
3.
(config)# aaa authentication web-authentication default group radius
(config)# aaa authentication mac-authentication default group radius
Configures RADIUS authentication as an authentication method for each authentication
method.
4.
(config)# authentication force-authorized enable
Enables forced authentication common to all authentication modes.
5.
(config)# interface fastethernet 0/1
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 20
(config-if)# mac-authentication port
(config-if)# web-authentication port
(config-if)# authentication multistep
Configures a MAC port, Web authentication mode, MAC-based authentication mode, and
multistep authentication mode for port 0/1. Also, configure the native VLAN20 of the
MAC port. (The authenticated VLAN is assigned in 5.4.3 Auto MAC VLAN assignment.)
6.
(config-if)# authentication force-authorized vlan 600
(config-if)# exit
Sets 600 for the VLAN to accommodate at forced authentication.
Notes
1. If forced authentication for each authentication method has been configured, forced authentication common to all authentication modes cannot be configured. Delete the configurations listed in Table 5-23 Non-interoperable forced authentication configuration before configuring forced authentication common to all authentication modes.
2.
Configure only RADIUS authentication as an authentication method for each
authentication method. If you have set priority of RADIUS authentication and local
authentication, the forced authentication method is disabled.
3. In this example, configure the following for the RADIUS attribute Filter-Id on the RADIUS server for multistep authentication:
   • RADIUS server authenticated by MAC-based authentication: @@Web-Auth@@
4. Use the vlan mac-based configuration command to set the VLAN to be notified from the RADIUS server when automatically assigning the VLAN after authentication in dynamic VLAN mode. (In this case, configuration using the switchport mac vlan configuration command is unnecessary for the MAC port.)
5.
When there is no auto VLAN assignment information in RADIUS attributes and when
Accept is received from a RADIUS server, the terminal is accommodated in the native
VLAN of the target MAC port. The terminal is handled as authenticated in fixed VLAN
mode.
5.6 Operations common to all Layer 2 authentication methods
5.6.1 List of operation commands
This section describes the operation commands common to all Layer 2 authentication modes.
Table 5-27: List of the operation commands common to all Layer 2 authentication modes

| Command | Description |
|---|---|
| show authentication fail-list | Shows information about terminals that failed Layer 2 authentication, in ascending order of MAC address. |
| clear authentication fail-list | Clears information about terminals that failed Layer 2 authentication. |
| show authentication logging | Shows the operation log messages logged by each Layer 2 authentication method, in the order they were logged. |
| clear authentication logging | Clears the operation log messages logged by each Layer 2 authentication method. |
5.7 Interoperability of Layer 2 authentication with other functionality
This section uses the following terms for the authentication modes: fixed VLAN mode, dynamic VLAN mode, and legacy mode. The authentication modes for IEEE 802.1X correspond to the following:
• Port-based authentication (static): Fixed VLAN mode
• Port-based authentication (dynamic): Dynamic VLAN mode
• VLAN-based authentication (dynamic): Legacy mode
5.7.1 Interoperability on the Switch
In the Switch, the authentication methods of fixed VLAN mode, dynamic VLAN mode, and
legacy mode are interoperable based on the port type.
The following figure shows interoperable authentication methods and behavior that is supported
or not supported.
Figure 5-22: Interoperable authentication methods and supported/unsupported behavior
Table 5-28: Combinations of authentication modes and port types, and supported/unsupported authentication methods

| Authentication mode | No. in the figure | Port type | IEEE 802.1X | Web authentication | MAC-based authentication |
|---|---|---|---|---|---|
| Fixed VLAN | (1) | Access | Y: Port-based authentication (static) | Y: Fixed VLAN mode | Y: Fixed VLAN mode |
| Fixed VLAN | (2) | Trunk | N | Y: Fixed VLAN mode | Y: Fixed VLAN mode |
| Fixed VLAN | (3) | Access (port-channel) | Y: Port-based authentication (static) | N | N |
| Fixed VLAN | (4) | Trunk (port-channel) | N | N | N |
| Dynamic VLAN | (5) | MAC | Y: Port-based authentication (dynamic) | Y: Dynamic VLAN mode | Y: Dynamic VLAN mode |
| Dynamic VLAN | (6) | MAC (port-channel) | N | N | N |
| Legacy | (7) | MAC | Y: VLAN-based authentication (dynamic) | Y: Legacy mode | Y: Legacy mode |
| Legacy | (8) | MAC (port-channel) | Y: VLAN-based authentication (dynamic) | Y: Legacy mode | N |
| Fixed VLAN + dynamic VLAN | (9) | MAC# (Tagged) | N | Y: Fixed VLAN mode | Y: Fixed VLAN mode |
| Fixed VLAN + dynamic VLAN | (9) | MAC# (Untagged) | Y: Port-based authentication (dynamic) | Y: Dynamic VLAN mode | Y: Dynamic VLAN mode |

The last three columns show the supported/unsupported authentication methods and the corresponding authentication modes.
Legend
Y: Supported
N: Not supported
-: Not applicable
#
This applies when forwarding of tagged frames is permitted (the switchport mac dot1q vlan configuration command). In this case, a tagged frame received from an IP telephone is authenticated in fixed VLAN mode, while an untagged frame received from a terminal is handled in dynamic VLAN mode.
Legacy mode does not work on a MAC port that has this setting.
5.7.2 Interoperability on the same port
The following modes are interoperable simultaneously on the same port:
• Fixed VLAN mode
• Dynamic VLAN mode
• Legacy mode
• Dynamic VLAN mode and fixed VLAN mode
(1) Interoperability of fixed VLAN modes on the same port
Figure 5-23: Interoperability of fixed VLAN modes on the same port
When using interoperability of fixed VLAN mode on the same port, supported authentication
methods depend on the port type (access port, trunk port) that connects to the Switch as shown in
Figure 5-23 Interoperability of fixed VLAN modes on the same port. They also depend on the
configuration.
Table 5-29 shows the authentication methods supported and not supported depending on the
configuration when interoperability of fixed VLAN mode is used at an access port.
Table 5-29: Supported/unsupported authentication methods based on configuration on an access port

Common configuration: switchport mode access, switchport access

| Authentication method configuration | IEEE 802.1X | Web authentication | MAC-based authentication |
|---|---|---|---|
| dot1x port-control auto, dot1x multiple-authentication #, web-authentication port, mac-authentication port | Y | Y | Y |
| web-authentication port, mac-authentication port | N | Y | Y |
| dot1x port-control auto, dot1x multiple-authentication #, mac-authentication port | Y | N | Y |
| dot1x port-control auto, dot1x multiple-authentication #, web-authentication port | Y | Y | N |

Legend
Y: Supported
N: Not supported
#
Set the terminal authentication mode (dot1x multiple-authentication) when configuring IEEE 802.1X port-based authentication for ports for which Web authentication or MAC-based authentication has been set.
Whether an authentication method is supported depends on the configuration settings for
interoperability of fixed VLAN mode at a trunk port as shown in Table 5-30.
Table 5-30: Supported/unsupported authentication methods depending on the trunk port configuration

Common configuration: switchport mode trunk, switchport trunk

| Authentication method configuration | IEEE 802.1X | Web authentication | MAC-based authentication |
|---|---|---|---|
| dot1x port-control auto, web-authentication port, mac-authentication port | N | Y | Y |
| web-authentication port, mac-authentication port | N | Y | Y |
| dot1x port-control auto, mac-authentication port | N | N | Y |
| dot1x port-control auto, web-authentication port | N | Y | N |

Legend
Y: Supported
N: Not supported
(2) Dynamic VLAN mode interoperability on the same port
Figure 5-24: Interoperability of dynamic VLAN modes for the same port
When dynamic VLAN mode is used on the same port, all authentication methods (IEEE 802.1X, Web authentication, MAC-based authentication) can interoperate if the port that connects the terminals to the Switch is a MAC port, as shown in Table 5-31. However, some combinations of authentication methods are not supported, depending on the configuration. For details, see Table 5-31.
Table 5-31: Supported/unsupported authentication methods depending on the configuration of the MAC port

Common configuration: switchport mode mac-vlan #1, #2

| Authentication method configuration | IEEE 802.1X | Web authentication | MAC-based authentication |
|---|---|---|---|
| dot1x port-control auto, dot1x multiple-authentication #3, web-authentication port, mac-authentication port | Y | Y | Y |
| web-authentication port, mac-authentication port | N | Y | Y |
| dot1x port-control auto, dot1x multiple-authentication #3, mac-authentication port | Y | N | Y |
| dot1x port-control auto, dot1x multiple-authentication #3, web-authentication port | Y | Y | N |

Legend
Y: Supported
N: Not supported
#1
An authenticated VLAN of a MAC port is assigned as described in 5.4.3 Auto MAC VLAN assignment.
#2
If there is no auto VLAN assignment information in the RADIUS attributes when Accept is received from the RADIUS server, the terminal is accommodated in the native VLAN of the target MAC port. The terminal is handled as authenticated in fixed VLAN mode.
#3
If configuring IEEE 802.1X port-based authentication for a port where Web authentication or MAC-based authentication has been configured, configure the terminal authentication mode (dot1x multiple-authentication).
(3) Legacy mode interoperability on the same port
Figure 5-25: Interoperability of legacy modes on the same port
When legacy mode is used on the same port, all authentication methods (IEEE 802.1X, Web authentication, MAC-based authentication) can interoperate if the port that connects the terminals to the Switch is a MAC port, as shown in Table 5-31. However, IEEE 802.1X is unavailable in fixed VLAN mode, and some authentication methods are not supported depending on the configuration. For details, see Table 5-32.
Table 5-32: Supported/unsupported authentication methods in legacy mode depending on the configuration of a MAC port

| Configuration at interface | Configuration in global configuration mode | IEEE 802.1X | Web authentication | MAC-based authentication |
|---|---|---|---|---|
| switchport mode mac-vlan, switchport mac vlan | aaa authorization network default, dot1x vlan dynamic enable, dot1x vlan dynamic vlan, web-authentication vlan, mac-authentication vlan | Y | Y | Y |
| switchport mode mac-vlan, switchport mac vlan, dot1x port-control auto | aaa authorization network default, dot1x vlan dynamic enable, dot1x vlan dynamic vlan, web-authentication vlan, mac-authentication vlan | D | N | N |
| switchport mode mac-vlan, switchport mac vlan, web-authentication port | aaa authorization network default, dot1x vlan dynamic enable, dot1x vlan dynamic vlan, web-authentication vlan, mac-authentication vlan | N | D | N |
| switchport mode mac-vlan, switchport mac vlan, mac-authentication port | aaa authorization network default, dot1x vlan dynamic enable, dot1x vlan dynamic vlan, web-authentication vlan, mac-authentication vlan | N | N | D |

Legend
Y: Supported
N: Not supported
D: Supported in dynamic VLAN mode
(4) Interoperability of dynamic VLAN mode and fixed VLAN mode on the same port
Figure 5-26: Example of interoperability of dynamic VLAN mode and fixed VLAN mode on the same port
When fixed VLAN mode and dynamic VLAN mode are used on the same port, all authentication methods (IEEE 802.1X, Web authentication, MAC-based authentication) can interoperate if the port that connects the terminals to the Switch is a MAC port, as shown in Figure 5-26 Example of interoperability of dynamic VLAN mode and fixed VLAN mode on the same port. However, IEEE 802.1X is unavailable in fixed VLAN mode, and some authentication methods are not supported depending on the configuration. For details, see Table 5-33.
Table 5-33: Supported/unsupported authentication methods depending on the configuration of a MAC port with interoperability of fixed VLAN mode and dynamic VLAN mode

| Configuration contents | Frame type | IEEE 802.1X | Web authentication | MAC-based authentication |
|---|---|---|---|---|
| vlan 50 mac-based #1, #4; switchport mode mac-vlan; switchport mac dot1q vlan 10 #1 | Tagged | N | F#2 | F#2 |
| | Untagged | D#3 | D#3 | D#3 |
| | Untagged (no auto VLAN assignment) | F#5 | F#5 | F#5 |

Legend
F: Supported in fixed VLAN mode
D: Supported in dynamic VLAN mode
N: Not supported
#1
VLAN numbers follow Figure 5-26 Example of interoperability of dynamic VLAN mode and fixed VLAN mode on the same port. The assumption is that each authentication mode has been configured (dot1x port-control auto, web-authentication port, mac-authentication port).
#2
Receives a tagged frame and authenticates it in fixed VLAN mode (authentication of the IP telephone in Figure 5-26 Example of interoperability of dynamic VLAN mode and fixed VLAN mode on the same port).
#3
Receives an untagged frame and authenticates it in dynamic VLAN mode (authentication of a terminal in Figure 5-26 Example of interoperability of dynamic VLAN mode and fixed VLAN mode on the same port).
#4
The authenticated VLAN on the MAC port is assigned as described in 5.4.3 Auto MAC VLAN assignment.
#5
When there is no auto VLAN assignment information in the RADIUS attributes when Accept is received from the RADIUS server, the terminal is accommodated in the native VLAN of the target MAC port. The terminal is handled as authenticated in fixed VLAN mode.
5.8 Configuration for interoperability of Layer 2 authentication
An example of the configuration for interoperability of Layer 2 authentication is given below:
• Fixed VLAN mode and dynamic VLAN mode are interoperable on the same port. See 5.8.1 Configuration where a tagged frame is authenticated on a MAC port.
5.8.1 Configuration where a tagged frame is authenticated on a MAC port
The switchport mac dot1q vlan configuration command permits tagged frames to be forwarded on a MAC port. This example uses MAC-based authentication: tagged frames received on the port are authenticated in fixed VLAN mode, while untagged frames received on the same port are authenticated in dynamic VLAN mode.
Figure 5-27: Example of a configuration where a tagged frame is authenticated on a MAC port
Overview
The example below shows how to configure a MAC port as one subject to MAC-based
authentication, and to configure the same port to handle tagged and untagged frames.
RADIUS authentication is used as an example of the authentication method.
• VLAN 10: Handles tagged frames and authenticates them in fixed VLAN mode
• VLAN 50, 200: Handles untagged frames and authenticates them in dynamic VLAN mode (unauthenticated VLAN: 50, authenticated VLAN: 200)
For other items necessary to configure for MAC-based authentication, see 11. MAC-based
authentication Configuration and Operation.
Configuration command example
1. (config)# vlan 200 mac-based
   (config-vlan)# exit
   Configures VLAN ID 200 as a MAC VLAN.
2. (config)# vlan 10,50,500
   (config-vlan)# exit
   Configures VLAN IDs 10, 50, and 500.
3. (config)# interface fastethernet 0/8
   (config-if)# switchport mode mac-vlan
   Configures port 0/8 as a MAC port.
4. (config-if)# switchport mac dot1q vlan 10
   Configures VLAN 10 as the VLAN that handles tagged frames on the MAC port.
5. (config-if)# switchport mac native vlan 50
   Configures VLAN 50 as the native VLAN (unauthenticated VLAN) of the MAC port. (The authenticated VLAN is assigned as described in 5.4.3 Auto MAC VLAN assignment.)
6. (config-if)# mac-authentication port
   (config-if)# exit
   Configures the authentication mode (mac-authentication port) for port 0/8.
7. (config)# interface fastethernet 0/10
   (config-if)# switchport mode access
   (config-if)# switchport access vlan 10
   (config-if)# exit
   Configures port 0/10 as an access port of VLAN 10. No authentication mode is configured because this port is excluded from authentication. Communication is possible after the IP telephone in the figure is authenticated.
8. (config)# interface fastethernet 0/20
   (config-if)# switchport mode access
   (config-if)# switchport access vlan 200
   (config-if)# exit
   Configures port 0/20 as an access port of VLAN 200. No authentication mode is configured because this port is excluded from authentication. Communication is possible after the terminal PC1 in the figure is authenticated.
9. (config)# interface fastethernet 0/22
   (config-if)# switchport mode access
   (config-if)# switchport access vlan 500
   (config-if)# exit
   Configures port 0/22 as an access port of VLAN 500. No authentication mode is configured because this port is excluded from authentication. This is the port used for the RADIUS server in the figure.
Notes
1.
For details on tagged frame relay of a MAC port, see 16.7 Description of MAC VLANs in
the Configuration Guide Vol. 1.
2.
Use the vlan mac-based configuration command to set the VLAN to be notified from
the RADIUS server when automatically allocating VLANs after authentication in
dynamic VLAN mode. (In this case, configuration using the switchport mac vlan
configuration command for a MAC port is unnecessary.)
3.
If there is no auto VLAN assignment information in RADIUS attributes and when
Accept is received from the RADIUS server, the terminal is accommodated in the native
VLAN of the target MAC port. In this case, it is handled as authenticated in fixed VLAN
mode.
5.9 Notes on using Layer 2 authentication methods
5.9.1 Notes on using common Layer 2 authentication methods
(1) Configuring an authentication method list
The port-based authentication method and the Web authentication user ID-based method are not
interoperable on the Switch. Legacy mode is also not interoperable with other methods. See
5.2.2 Authentication method lists (3) Exclusive relationship of authentication method list
configuration.
(2) Permitting communication of unauthenticated terminals
Use the following commands for each authentication mode to configure the ports subject to authentication before configuring the authentication ip access-group configuration command. You cannot use the authentication ip access-group command before you complete the following configurations.
• IEEE 802.1X: dot1x port-control auto
• Web authentication: web-authentication port
• MAC-based authentication: mac-authentication port
(3) Auto VLAN assignment of MAC VLANs
Configure the authenticated VLAN notified by the RADIUS server on the Switch by using the vlan mac-based configuration command, and configure the port subject to authentication as a MAC port.
(4) Auto authentication mode accommodation on the same MAC port
When an untagged frame is received from a terminal subject to authentication, the Switch
determines the authentication mode based on the VLAN ID obtained by using the RADIUS
attribute Tunnel-Private-Group-ID of Access-Accept received from RADIUS
authentication. If the obtained VLAN ID has been configured by using the switchport mac
dot1q vlan configuration command for a port, it is judged as an invalid VLAN and
authentication fails.
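The accommodation rules stated above, together with the native-VLAN fallback described in the notes to 5.5.4 and Table 5-33 (#5), modelled as an added illustration. This is not ALAXALA code; the class and function names are assumed, the VLAN numbers follow the 5.8.1 example (tagged VLAN 10, native VLAN 50, MAC VLAN 200), and the two cases the manual does not describe (a tag VLAN not permitted on the port, a RADIUS VLAN that is not a MAC VLAN) are treated as failures by assumption.

```python
"""Model of how a MAC port accommodates a terminal after RADIUS Access-Accept.

Rules taken from the manual:
  - a tagged frame on the 'switchport mac dot1q vlan' VLAN is handled in fixed VLAN mode;
  - an untagged terminal with no Tunnel-Private-Group-ID goes to the native VLAN
    in fixed VLAN mode;
  - a VLAN ID equal to the dot1q VLAN is judged invalid and authentication fails;
  - a VLAN configured with 'vlan <id> mac-based' gives dynamic VLAN mode.
Everything else (names, the two extra failure cases) is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class MacPort:
    """Interface configured with 'switchport mode mac-vlan' (constructed sample)."""
    name: str
    native_vlan: int                                   # switchport mac native vlan
    dot1q_vlans: Set[int] = field(default_factory=set)  # switchport mac dot1q vlan
    mac_based_vlans: Set[int] = field(default_factory=set)  # vlan <id> mac-based


@dataclass
class Result:
    authenticated: bool
    mode: Optional[str]   # "fixed" or "dynamic" when authenticated
    vlan: Optional[int]
    reason: str


def vlan_from_accept(attributes: dict) -> Optional[int]:
    """Return the VLAN ID carried in Tunnel-Private-Group-ID, or None.

    The attribute may be a str or raw bytes. Per RFC 2868 a leading octet
    <= 0x1F is a tag, not part of the value, so it is stripped. Non-numeric
    values yield None (the manual only describes numeric VLAN IDs).
    """
    raw = attributes.get("Tunnel-Private-Group-ID")
    if raw is None:
        return None
    if isinstance(raw, bytes):
        if raw and raw[0] <= 0x1F:
            raw = raw[1:]
        raw = raw.decode("ascii", errors="replace")
    raw = raw.strip()
    return int(raw) if raw.isdigit() else None


def accommodate(port: MacPort, tagged_vlan: Optional[int], attributes: dict) -> Result:
    """Decide mode and VLAN for a terminal that the RADIUS server accepted.

    tagged_vlan is the VLAN ID in the frame's 802.1Q tag, or None for an
    untagged frame. attributes are the RADIUS attributes of the Access-Accept.
    """
    if tagged_vlan is not None:
        # Tagged frames are authenticated in fixed VLAN mode on the permitted VLAN.
        if tagged_vlan in port.dot1q_vlans:
            return Result(True, "fixed", tagged_vlan, "tagged frame on dot1q VLAN")
        return Result(False, None, None, "tag VLAN not permitted on port (assumed)")

    vlan = vlan_from_accept(attributes)
    if vlan is None:
        # No auto VLAN assignment information: native VLAN, fixed VLAN mode.
        return Result(True, "fixed", port.native_vlan, "no auto VLAN assignment; native VLAN")
    if vlan in port.dot1q_vlans:
        # A VLAN set with 'switchport mac dot1q vlan' is an invalid assignment.
        return Result(False, None, None, "VLAN is the dot1q tagged VLAN; invalid")
    if vlan in port.mac_based_vlans:
        return Result(True, "dynamic", vlan, "MAC VLAN assigned by RADIUS")
    return Result(False, None, None, "VLAN not configured as MAC VLAN (assumed)")


if __name__ == "__main__":
    port = MacPort("fastethernet 0/8", native_vlan=50, dot1q_vlans={10}, mac_based_vlans={200})
    for tag, attrs in [(None, {"Tunnel-Private-Group-ID": "200"}), (None, {}),
                       (None, {"Tunnel-Private-Group-ID": b"\x0110"}), (10, {})]:
        print(tag, attrs, accommodate(port, tag, attrs))
```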
(5) Forced authentication common to all authentication modes
The Switch provides forced authentication methods common to all authentication modes and
specific to each authentication mode, both of which are not interoperable. See 5.4.6 Forced
authentication common to all authentication modes (4) Interoperability of this functionality and
forced authentication of each authentication method.
5.9.2 Interoperability of several Layer 2 authentication methods
(1) Using several Layer 2 authentication methods on the same port
When IEEE 802.1X VLAN-based authentication (dynamic), Web authentication, and MAC-based authentication are all executed for one terminal, the authentication that is permitted first takes priority.
Because MAC-based authentication uses every frame sent from a terminal subject to authentication as the trigger for authentication, MAC-based authentication typically executes first. However, if no permission information for MAC-based authentication is registered on the RADIUS server, or the information cannot be found in the internal MAC-based authentication DB, MAC-based authentication is held (for mac-authentication timeout quiet-period) while it waits for IEEE 802.1X or Web authentication to execute. If IEEE 802.1X or Web authentication executes during this period, the first permitted authentication method takes effect, and the other authentication methods cannot overwrite it until the authentication state is canceled. In this case, an authentication failure is recorded in the account log of each authentication method that failed to overwrite it.
If IEEE 802.1X or Web authentication is not completed while MAC-based authentication is held, a failure is written to the account log for MAC-based authentication.
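The ordering rules just described, simulated as an added illustration (not ALAXALA code): MAC-based authentication fires first, is held for the quiet period when the terminal is unknown, the first permitted method wins, and every later attempt by another method is logged as a failure until the authentication state is canceled. The class and method names, the 300-second quiet period, the MAC addresses and the log tuple format are all assumed.

```python
"""Simulation of several Layer 2 authentication methods competing on one port."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

QUIET_PERIOD = 300.0  # assumed value of mac-authentication timeout quiet-period, in seconds


@dataclass
class TerminalState:
    mac: str
    authenticated_by: Optional[str] = None        # first permitted method, or None
    mac_auth_hold_until: Optional[float] = None   # end of the MAC-auth hold, if held
    account_log: List[Tuple[float, str, str]] = field(default_factory=list)


class AuthPort:
    """Per-port state shared by MAC-based, IEEE 802.1X and Web authentication."""

    def __init__(self) -> None:
        self.terminals: Dict[str, TerminalState] = {}

    def _terminal(self, mac: str) -> TerminalState:
        return self.terminals.setdefault(mac, TerminalState(mac))

    def mac_auth_result(self, mac: str, now: float, permitted: bool) -> str:
        """MAC-based authentication triggered by a frame from the terminal.

        permitted=False means no entry on the RADIUS server or in the internal
        DB, so the method is held for the quiet period instead of failing.
        """
        term = self._terminal(mac)
        if term.authenticated_by is not None:
            term.account_log.append((now, "mac-authentication",
                                     "FAILED (already authenticated by %s)" % term.authenticated_by))
            return "failed"
        if permitted:
            term.authenticated_by = "mac-authentication"
            term.account_log.append((now, "mac-authentication", "SUCCESS"))
            return "success"
        term.mac_auth_hold_until = now + QUIET_PERIOD
        return "held"

    def other_auth_success(self, mac: str, now: float, method: str) -> bool:
        """IEEE 802.1X ('dot1x') or Web authentication permitted the terminal."""
        term = self._terminal(mac)
        if term.authenticated_by is not None:
            # First permitted method wins; the later one only gets a failure log.
            term.account_log.append((now, method, "FAILED (cannot overwrite %s)" % term.authenticated_by))
            return False
        term.authenticated_by = method
        term.mac_auth_hold_until = None  # the hold is no longer waiting for anything
        term.account_log.append((now, method, "SUCCESS"))
        return True

    def expire_holds(self, now: float) -> List[str]:
        """Expire MAC-auth holds; log a MAC-auth failure where nothing else completed."""
        expired = []
        for term in self.terminals.values():
            if term.mac_auth_hold_until is not None and now >= term.mac_auth_hold_until:
                term.mac_auth_hold_until = None
                if term.authenticated_by is None:
                    term.account_log.append((now, "mac-authentication",
                                             "FAILED (no IEEE 802.1X or Web authentication during hold)"))
                    expired.append(term.mac)
        return expired

    def cancel(self, mac: str, now: float) -> None:
        """Cancel the authentication state so another method may authenticate again."""
        term = self._terminal(mac)
        term.authenticated_by = None
        term.account_log.append((now, "port", "authentication canceled"))

    def failures(self, mac: str) -> List[str]:
        """Methods that recorded a failure for this terminal, in log order."""
        return [method for _, method, result in self._terminal(mac).account_log
                if result.startswith("FAILED")]


if __name__ == "__main__":
    port = AuthPort()
    mac = "00-11-22-33-44-01"  # constructed sample address
    port.mac_auth_result(mac, 0.0, permitted=False)
    port.other_auth_success(mac, 10.0, "web-authentication")
    port.other_auth_success(mac, 20.0, "dot1x")
    for entry in port.terminals[mac].account_log:
        print(entry)
```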
(2) When exceeding the maximum number of accommodations with several authentication methods used together
When exceeding the maximum number of accommodations with several authentication methods
used together, authentication failure is recorded in the account log information of the
authentication method under processing.
5.9.3 Using with other functionality
(1) When using a Layer 2 authentication method and DHCP snooping
When a Layer 2 authentication method and DHCP snooping are used together, the maximum
number of terminals that can communicate is the number of the DHCP snooping controlled
terminals (a maximum of 246 terminals).
(2) Notes on using the spanning tree
(a) Usage with IEEE 802.1X
The following table shows the interoperability specifications for IEEE 802.1X and the spanning
tree.
Table 5-34: Interoperability specifications of IEEE 802.1X and the spanning tree

| Functionality | Interoperability specifications |
|---|---|
| Spanning tree | Authentication can be conducted at ports that are always in the Forwarding state. Configure the Switch so that authentication is not performed on other ports. Ports that are always in the Forwarding state are: PortFast ports and Root bridge ports. BPDU sending/receiving and topology calculation of the spanning tree are conducted regardless of the IEEE 802.1X authentication status. |
6. Description of IEEE 802.1X
This chapter describes the operation of IEEE 802.1X, which is a standard for authentication at
the second layer of the OSI model.
6.1 Overview of IEEE 802.1X
6.2 Port-based authentication (static)
6.3 Port-based authentication (dynamic)
6.4 VLAN-based authentication (dynamic)
6.5 EAPOL forwarding functionality
6.6 Account functionality
6.7 Preparation
6.8 Notes on IEEE 802.1X
6.1 Overview of IEEE 802.1X
IEEE 802.1X is functionality to control unauthorized LAN connections. You can install an
authentication server (typically, a RADIUS server) at the backend, and use the services provided
by the Switch with terminal authentication performed by the authentication server.
The table below lists the components and gives an overview of behavior in IEEE 802.1X.
Table 6-1: Components and behavior overview

| Component | Behavior overview |
|---|---|
| Switch (Authenticator) | The Authenticator controls the terminal's access to the LAN and forwards authentication information between the terminal and the authentication server. Authentication-related communication between a terminal and the Switch uses the EAP Over LAN (EAPOL) protocol. Authentication information is exchanged between the Switch and the authentication server using the EAP Over RADIUS protocol. In this chapter, the terms Switch and Authenticator refer to both the Switch itself and the Authenticator software running on it. |
| Terminal (Supplicant) | The Supplicant uses EAPOL packets to exchange authentication information with the Switch. In this chapter, the terms terminal and Supplicant refer to both the terminal itself and the Supplicant software running on it. The term Supplicant software refers only to the software that provides Supplicant functionality. |
| Authentication server | Authenticates terminals. The authentication server checks the authentication information of terminals, and reports whether a requesting terminal is permitted to access the services provided by the Switch. |
In a typical IEEE 802.1X configuration, terminals operate while directly connected to the port of
the Switch. The figure below shows a typical IEEE 802.1X configuration that uses the Switch.
Figure 6-1: IEEE 802.1X basic configuration
The Switch supports extended functionality to authenticate several terminals on a single port
(terminal authentication mode). With the extended functionality, by arranging the L2 switches
or hubs between the terminal and the Switch, it is possible to configure a network in which the
number of terminals is not limited by the number of ports. To achieve this configuration, the L2
switches between the terminal and the Switch must pass EAPOL transparently. The figure below
illustrates this configuration.
Figure 6-2: IEEE 802.1X configuration including L2 switches between the terminals and
the Switch
6.1.1 Basic functionality
The IEEE 802.1X basic functionality supported by the Switch is shown below:
(1) Authentication operation mode supported by the Switch
The authentication operation mode (PAE mode) supported by the Switch is the Authenticator.
The Switch does not function as a Supplicant.
(2) Authentication method group
An authentication method group for IEEE 802.1X uses the switch-default common to all IEEE
802.1X authentication modes, and uses an authentication method list with port-based
authentication (static) and port-based authentication (dynamic). See the following:
• 5.1.3 Authentication method groups
• 5.2.2 Authentication method lists
• 5.3.1 RADIUS server information used with the Layer 2 authentication method
• 7.2.1 Configuring the authentication method group and RADIUS server information
(3) Authentication algorithms
The table below shows the authentication algorithms supported by the Switch.
Table 6-2: Supported authentication algorithms

| Authentication algorithm | Overview |
|---|---|
| EAP-MD5-Challenge | Compares the User Password and the challenge value. |
| EAP-TLS | Authentication method using the certificate issuing mechanism. |
| EAP-PEAP | Executes authentication using other EAP authentication algorithms on an EAP-TLS tunnel. |
| EAP-TTLS | Executes authentication using other authentication algorithms (such as EAP, PAP, CHAP) on an EAP-TLS tunnel. |

6.1.2 Overview of the extended functionality
The Switch extends the functionality of the standard IEEE 802.1X. An overview of the extended
functionality is given below. IEEE 802.1X of the Switch has three basic authentication modes
and authentication submodes. The basic authentication modes indicate the units for
authentication control, while the submode specifies the terminal connection mode in the unit of
authentication.
The supported basic authentication modes of the Switch (the authentication modes) are the
following:
• Port-based authentication (static): Registers the MAC address of a successfully authenticated terminal in the MAC address table, and enables communication with a VLAN specified in the configuration.
• Port-based authentication (dynamic): Registers the MAC address of an authenticated terminal in a MAC VLAN and the MAC address table, and separates the networks before and after authentication.
• VLAN-based authentication (dynamic): Separates the networks before and after authentication by VLAN switching using a MAC VLAN.
The table below shows the functionality supported by each authentication mode.
Table 6-3: List of functionality supported by each authentication mode

| Functionality | | Port-based authentication (static) | Port-based authentication (dynamic) | VLAN-based authentication (dynamic) |
|---|---|---|---|---|
| Device default: Local authentication | | -- | -- | -- |
| Device default: RADIUS authentication | External server (IEEE 802.1X authentication RADIUS server information; General RADIUS server information) | Y (See 5.3.1, 6.7, 7.2.1) | Y (See 5.3.1, 6.7, 7.2.1) | Y (See 5.3.1, 6.7, 7.2.1) |
| | VLAN (authenticated VLAN) | -- | Y | Y |
| | Access control by quarantine (using Filter-Id of the RADIUS attribute) | Y (See 6.2.3) | -- | -- |
| | Forced authentication | Y (See 6.2.2) | Y (See 6.3.2) | Y (See 6.4.2) |
| | Authentication permitted port configuration | Y (See 7.3.3) | Y (See 7.4.3) | Y (See 7.5.3) |
| | Private trap | Y#1 (See 5.4.6) | Y#1 (See 5.4.6) | -- |
| Authentication method list | External server (RADIUS server group) | Y (See 5.3.1, 6.7, 7.2.1) | Y (See 5.3.1, 6.7, 7.2.1) | -- |
| | Port-based authentication method | Y (See 5.2.2, 5.2.3) | Y (See 5.2.2, 5.2.3) | -- |
| Authentication submode | Single mode | Y (See 6.2.1) | Y (See 6.3.1) | -- |
| | Terminal authentication mode | Y (See 6.2.1) | Y (See 6.3.1) | Y (See 6.4.1) |
| Authentication mode option | Authentication exclusion terminal option | Y (See 6.2.1, 7.3.2) | Y (See 6.3.1, 7.4.2) | Y (See 6.4.1, 7.5.2) |
| Authentication default VLAN | | -- | -- | Y (See 7.5.2) |
| Authentication | Switching terminal detection operation | Y (See 6.2.2) | Y (See 6.3.2) | Y (See 6.4.2) |
| | Sending an EAP-Request frame by multicast | Y (See 7.3.2) | Y (See 7.4.2) | Y (See 7.5.2) |
| | Sending an EAP-Request frame by unicast | Y (See 7.3.2) | Y (See 7.4.2) | -- |
| | Stopping sending an EAP-Request frame | Y (See 7.3.2) | Y (See 7.4.2) | Y (See 7.5.2) |
| | Sending an EAP-Request/Identity frame to the terminal | Y (See 6.2.2, 7.3.3) | Y (See 6.3.2, 7.4.3) | Y (See 6.4.2, 7.5.3) |
| | Resending an EAP-Request frame to the terminal | Y (See 6.2.2, 7.3.3) | Y (See 6.3.2, 7.4.3) | Y (See 6.4.2, 7.5.3) |
| | Stopping authentication requests from the terminal | Y (See 6.2.2, 7.3.3) | Y (See 6.3.2, 7.4.3) | Y (See 6.4.2, 7.5.3) |
| | Communication blocked state holding time when authentication is requested by several terminals | Y#2 (See 6.2.1, 7.3.3) | Y#2 (See 6.3.1, 7.4.3) | -- |
| | Wait time before authentication restarts after an authentication failure | Y (See 6.2.2, 7.3.3) | Y (See 6.3.2, 7.4.3) | Y (See 6.4.2, 7.5.3) |
| | Authentication server response wait time | Y (See 6.2.2, 7.3.3) | Y (See 6.3.2, 7.4.3) | Y (See 6.4.2, 7.5.3) |
| | Before passing authentication (authentication IPv4 access list) | Y (See 5.4.1, 5.5.2) | Y (See 5.4.1, 5.5.2) | -- |
| Authentication canceled | Canceling authentication for no response when authentication is requested again | Y (See 6.2.2, 7.3.3) | Y (See 6.3.2, 7.4.3) | Y (See 6.4.2, 7.5.3) |
| | Monitoring the non-communication state of an authenticated terminal | Y#3 (See 6.2.2, 7.3.3) | Y (See 6.3.2, 7.4.3) | -- |
| | Monitoring MAC address table aging | Y#4 (See 6.2.2, 7.3.3) | --#5 | Y (See 6.4.2, 7.5.3) |
| | Link-down of the port connecting the terminal subject to authentication | Y (See 6.2.2) | Y (See 6.3.2) | Y (See 6.4.2) |
| | Changing the VLAN configuration | Y (See 6.2.2) | Y (See 6.3.2) | Y (See 6.4.2) |
| | Operation commands | Y (See 6.2.2) | Y (See 6.3.2) | Y (See 6.4.2) |
| EAPOL forwarding | | Common to all modes (See 6.5) | | |
| Account log | Account log in the Switch | 2100 lines (combining all modes) (See 6.6) | | |
| | Account functionality of the RADIUS server | Common to all modes (See 5.3.4, 6.6, 7.2.2) | | |

Legend
Y: Supported
--: Not supported
5.x.x indicates a section in 5. Overview of Layer 2 Authentication.
6.x.x indicates a section in this chapter.
7.x.x indicates a section in 7. IEEE 802.1X Configuration and Operation.
#1
A private trap can be issued when forced authentication common to all authentication modes is set.
#2
The Switch applies this only to the single mode of port-based authentication (static) and port-based authentication (dynamic).
#3
Targets terminals requesting full access permission (authenticated and out of quarantine).
#4
Targets terminals requesting limited access permission (under quarantine).
#5
When the first-step terminal is successfully authenticated by IEEE 802.1X in multistep authentication, the authentication entry is monitored by using MAC address table aging.
For more details, see 12. Multistep Authentication.
Table 6-4: Operational conditions of IEEE 802.1X

| Type | | Port-based authentication (static) | Port-based authentication (dynamic) | VLAN-based authentication (dynamic) |
|---|---|---|---|---|
| VLAN type | Port VLAN | Y | Y# | -- |
| | Protocol VLAN | -- | -- | -- |
| | MAC VLAN | -- | Y | Y |
| | Default VLAN | Y | -- | -- |
| Port type | Access port | Y | -- | -- |
| | Trunk port | -- | -- | -- |
| | Protocol port | -- | -- | -- |
| | MAC port (Untagged) | -- | Y | Y |
| | MAC port (Tagged) | -- | -- | -- |
| Interface type | fastethernet | Y | Y | Y |
| | gigabitethernet | Y | Y | Y |
| | port channel | Y | -- | Y |

Legend
Y: Supported
--: Not supported
#
Supported in auto authentication mode for an untagged frame on a MAC port (see 5.4.4 Auto authentication mode accommodation at the same MAC port).
IEEE 802.1X of the Switch handles a channel group as one bundled port. The term port used
with this functionality includes both normal ports and channel groups.
The following sections provide an overview of port-based authentication (static), port-based
authentication (dynamic), and VLAN-based authentication (dynamic) in turn. For the same
functionality and operation in authentication modes, see the relevant cross-references (See...).
6.2 Port-based authentication (static)
In port-based authentication (static), authentication is controlled for physical ports and channel
groups. These are the standard authentication units of IEEE 802.1X. This authentication mode
does not handle EAPOL frames with IEEE 802.1Q VLAN-Tag. If an EAPOL frame with IEEE
802.1Q VLAN-Tag is received, the frame is discarded.
The figure below shows a configuration using port-based authentication (static).
Figure 6-3: Example of a configuration with port-based authentication (static)
An unauthenticated terminal cannot communicate until it is successfully authenticated. The
terminal can communicate once the terminal is successfully authenticated by port-based
authentication (static), and after the terminal's MAC address and VLAN are registered in the
MAC address table as an IEEE 802.1X port-based authentication entry. (You can use the show
mac-address-table operation command to check what has been registered in the MAC
address table.)
6.2.1 Authentication submode and the authentication mode option
IEEE 802.1X of the Switch provides authentication modes and authentication submodes
included in the authentication modes. An authentication mode indicates the unit of
authentication control, while an authentication submode specifies the terminal connection mode
in the authentication unit. In addition, authentication mode options configurable in each mode
are provided. The table below shows the relationship between authentication submode and the
authentication mode option.
Table 6-5: Relationship between the authentication submode and the authentication mode option
Authentication mode | Authentication submodes | Authentication mode option
Port-based authentication (static) | Single mode | --
Port-based authentication (static) | Terminal authentication mode | Authentication-excluded terminal option
(1) Authentication submode
Port-based authentication (static) provides the single mode and terminal authentication mode.
The default is the single mode. You can use the terminal authentication mode by using the
dot1x multiple-authentication configuration command.
(a) Single mode
This mode authenticates and connects only one terminal in one authentication unit. This is the
standard authentication mode for IEEE 802.1X. If an EAP is received from another terminal
while a first terminal is authenticated, the port of the terminal returns to unauthenticated status,
and authentication restarts after the time specified by the dot1x timeout keep-unauth
configuration command.
Figure 6-4: Single mode configuration
(b) Terminal authentication mode
This mode permits the connection of several terminals in one authentication unit, and performs
authentication for each terminal (identified by the source MAC address). If an EAP is received
from another terminal while the first terminal is authenticated, authentication is individually
started with the terminal that sent the EAP.
Figure 6-5: Terminal authentication mode configuration
(2) Authentication mode option
(a) Authentication-excluded terminal option
This option permits communication without authentication for terminals where the MAC
address has been configured by using the static MAC address learning functionality.# This
option is used to exclude terminals that do not require authentication and which you want to
exclude from an authentication unit: for example devices such as printers without the Supplicant
functionality or servers. This is available only in the terminal authentication mode.
#
Use the mac-address-table static configuration command to set a MAC address in
the MAC address table.
The figure below shows an example of a configuration that has an excluded terminal with
port-based authentication (static).
Figure 6-6: Example of a configuration that has an excluded terminal with port-based
authentication (static)
6.2.2 Authentication functionality
(1) Authentication triggers
Authentication starts when the Switch receives EAPOL-Start from a port subject to port-based
authentication (static).
(2) Sending an EAP-Request/Identity frame
You can use the dot1x timeout tx-period configuration command to set a time interval at
which EAP-Request/Identity is sent regularly from the Switch, thereby triggering the start of
port-based authentication (static), to a terminal that will not start port-based authentication
(static) by itself.
(3) Terminal action detection switching option
The Switch multicasts the EAP-Request/Identity at intervals specified in the configuration to
trigger the start of authentication of a terminal. When the authentication submode is the terminal
authentication mode, there might be several terminals in an authentication unit. Because of this,
the Switch continues to send the EAP-Request/Identity by default until authentication of all
terminals is completed.
In this case, as the number of terminals in the authentication unit increases, authenticating every
terminal that responds to an EAP-Request/Identity might place a heavy load on the Switch.
Because of this, some responses from already authenticated terminals are omitted to prevent
overloading of the Switch.
However, depending on the type of Supplicant software, communication might be interrupted
because part of the authentication sequence is omitted. Because of this, the Switch provides an
option to switch the action taken for authenticated terminals. You select the action with the
dot1x supplicant-detection configuration command, which accepts any of the three
actions shown below.
Table 6-6: Types of terminal detection action switching options
Option type | Timing of sending EAP-Request/Identity frame for terminal detection | Omitting authentication sequence | Authentication start frame
shortcut | Sends the frame on a multicast basis regularly | Omitted | Response to multicast sending of EAP-Request/Identity (EAP-Response/Identity) received; EAPOL-Start received#
auto | Sends the frame on a unicast basis when receiving an ARP/IP frame from a new terminal | Not omitted | When an ARP/IP frame is received from a new terminal; EAPOL-Start received#
disable | Stops sending | Not omitted | EAPOL-Start received
#
If the functionality to control a re-authentication request from the terminal is disabled, the
Switch starts an authentication sequence when it receives EAPOL-Start.
The terminal detection action switching option is effective only in terminal authentication mode.
(a) shortcut
To prevent overloading the Switch, some of the authentication sequence for
EAP-Request/Identity triggers from already-authenticated terminals is omitted. With some
types of Supplicant software, communication might be interrupted at authentication due to such
omission. In this case, if the Supplicant software to be used can send EAPOL-Start by itself,
specify disable.
Figure 6-7: EAP-Request/Identity sequence when a shortcut is used
(b) auto
Does not send EAP-Request/Identity from a multicast address to detect the terminal. An
unauthenticated terminal is detected by reception of any frame sent from the terminal, and
authentication is started by sending EAP-Request/Identity from a unicast address to each
terminal.
Because the EAP-Request/Identity is not sent from a multicast address, authentication is not
executed when EAP-Request/Identity for an authenticated terminal is received.
Figure 6-8: EAP-Request/Identity sequence when auto is used
(c) disable
Stops sending EAP-Request/Identity to trigger the start of authentication of the terminal. An
authentication sequence starts when EAPOL-Start is received from the terminal.
Figure 6-9: EAP-Request/Identity sequence when disable is used
When this mode is used with Supplicant software that does not send EAPOL-Start voluntarily,
authentication never starts because the trigger for starting authentication is lost.
Windows-standard Supplicant software does not send EAPOL-Start voluntarily. However, it
can be made to do so by changing a registry value, SupplicantMode. For more details about the
registry, visit the Microsoft website or see the documentation. If the registry setting is faulty,
Windows might not start. Back up the system before changing any registry values.
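The three options of Table 6-6 and (a) to (c) above, modelled as an added example (not code from the manual); the event names, the Decision record, and applying dot1x ignore-eapol-start to every EAPOL-Start received under shortcut and auto are assumptions of this example:

```python
"""Model of the dot1x supplicant-detection option (shortcut, auto, disable).

Added example; it is not code from the AX1250S/AX1240S manual. It models the
behaviour Table 6-6 describes for terminal authentication mode: which
EAP-Request/Identity the Switch sends and which received frame starts an
authentication sequence. Event names, the Decision record and the handling of
dot1x ignore-eapol-start are this example's own constructions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MULTICAST = "multicast"  # EAP-Request/Identity to the multicast address
UNICAST = "unicast"      # EAP-Request/Identity to one terminal's MAC address


@dataclass(frozen=True)
class Decision:
    send_identity_request: Optional[str]  # MULTICAST, UNICAST or None
    start_authentication: bool


@dataclass
class DetectionModel:
    option: str                        # "shortcut", "auto" or "disable"
    ignore_eapol_start: bool = False   # dot1x ignore-eapol-start configured
    authenticated: Set[str] = field(default_factory=set)  # MACs already authenticated

    def on_tx_period_expiry(self) -> Decision:
        """The dot1x timeout tx-period timer expired."""
        if self.option == "shortcut":
            # Regular multicast EAP-Request/Identity; the replies decide the rest.
            return Decision(MULTICAST, False)
        # auto detects terminals from their own frames; disable sends nothing.
        return Decision(None, False)

    def on_arp_or_ip_frame(self, mac: str) -> Decision:
        """An ARP or IP frame arrived from a terminal."""
        if self.option == "auto" and mac not in self.authenticated:
            # New terminal: a unicast EAP-Request/Identity starts its sequence.
            return Decision(UNICAST, True)
        return Decision(None, False)

    def on_eap_response_identity(self, mac: str) -> Decision:
        """EAP-Response/Identity arrived as a reply to a multicast request."""
        if self.option != "shortcut":
            # auto and disable never multicast, so no such reply is expected.
            return Decision(None, False)
        # shortcut: replies from already authenticated terminals are omitted
        # to keep the load down; a new terminal starts a sequence.
        return Decision(None, mac not in self.authenticated)

    def on_eapol_start(self, mac: str) -> Decision:
        """EAPOL-Start arrived from a terminal."""
        if self.option == "disable":
            # EAPOL-Start is the only trigger left, so it always starts (Table 6-6).
            return Decision(None, True)
        if self.ignore_eapol_start:
            # Re-authentication request control: the Switch drives
            # re-authentication from its own timers instead.
            return Decision(None, False)
        return Decision(None, True)


def trace(option: str, events: List[Tuple[str, Optional[str]]],
          ignore_eapol_start: bool = False) -> List[Decision]:
    """Replay (event, mac) pairs against a model with one pre-authenticated MAC."""
    model = DetectionModel(option, ignore_eapol_start, {"00-00-5e-00-53-01"})
    handlers = {
        "tx-period": lambda mac: model.on_tx_period_expiry(),
        "arp": model.on_arp_or_ip_frame,
        "response-identity": model.on_eap_response_identity,
        "eapol-start": model.on_eapol_start,
    }
    return [handlers[name](mac) for name, mac in events]


if __name__ == "__main__":
    # Constructed sample: the pre-authenticated terminal and one newcomer.
    sample = [("tx-period", None), ("response-identity", "00-00-5e-00-53-01"),
              ("response-identity", "00-00-5e-00-53-02"), ("arp", "00-00-5e-00-53-02")]
    for opt in ("shortcut", "auto", "disable"):
        print(opt, trace(opt, sample))
```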
(4) Resending an EAP-Request frame to the terminal
If there is no reply from the terminal to an EAP-Request (a request message from the
authentication server) that the Switch sent during terminal authentication, the Switch resends
the frame. You can use the dot1x timeout supp-timeout configuration command to set the
period until resending, and the dot1x max-req configuration command to set the resend count.
(5) Functionality to control authentication requests from terminals
(a) Controlling re-authentication requests from terminals
This functionality controls authentication that is started by EAPOL-Start sent from a terminal.
When re-authentication requests are received at short intervals from many terminals, this
functionality prevents the load on the Switch from increasing by stopping the sending of
EAP-Request/Identity. You can configure this functionality by using the dot1x
re-authentication and dot1x ignore-eapol-start configuration commands.
After configuring the functionality, re-authentication for the terminal is executed by sending
EAP-Request/Identity from the Switch at an interval specified with either of the following
configuration commands:
• dot1x timeout tx-period
• dot1x timeout reauth-period
(b) Communication interruption when authentication requests are received from several terminals
If authentication requests from several terminals are detected at a port where single mode
port-based authentication works, you can configure a time for interrupting communication with
the target port. You can use the dot1x timeout keep-unauth configuration command to set
the communication interruption period.
(6) Wait time before authentication restarts in the event of authentication failure
You can use the dot1x timeout quiet-period configuration command to configure the wait
time before the restart of authentication for a terminal that was unsuccessfully authenticated.
(7) Wait time for a response from an authentication server
You can use the dot1x timeout server-timeout configuration command to configure the
wait time for a response to a request sent to an authentication server. After the time passes, the
Switch notifies the Supplicant of the authentication failure. The Switch compares this time with
the total time, including resending, configured with the radius-server configuration
command, and notifies the Supplicant of the authentication failure after whichever is shorter.
(8) Specifying a forced authentication port
When a terminal connected to a port for which forced authentication is specified is authenticated
by RADIUS, and the request to the RADIUS server fails due to a route failure or the server does
not respond, this functionality places the terminal in authenticated status.
Forced authentication on the Switch is configured in two places: the settings shared by all
authentication modes and each authentication functionality. For details on the shared
authentication settings, see 5.4.6 Forced authentication common to all authentication modes.
Use the dot1x force-authorized configuration command for a port where forced
authentication is to be permitted. Also, use the dot1x force-authorized eapol
configuration command to send an EAP-Success response to the terminal where forced
authentication is permitted.
Forced authentication is permitted when the following conditions are met.
Table 6-7: Forced authentication permission conditions
Item | Condition
Configuration | All of the following have been set in the configuration:
 | • aaa authentication dot1x#1
 | • dot1x radius-server host or radius-server host
 | • dot1x system-auth-control
 | • dot1x port-control auto#2
 | • dot1x force-authorized#2
 | • switchport mode access#2
 | • dot1x authentication#3
Account log | When the following account log is collected by sending an authentication request to a RADIUS server:
 | • No=82 WARNING:SYSTEM: (additional information) Failed to connect to the RADIUS server.
 | Additional information: IP
 | You can use the show dot1x logging command to check the account log.
#1
When forced authentication is used as the switch default, set default group radius.
When the port-based authentication method is used, set <list-name> group <group-name>.
#2
Set this for the same port.
#3
Set this when the port-based authentication method is used.
The authentication status of a terminal where authentication is permitted by forced
authentication is canceled in the same way as for a normally authenticated terminal, as described
in 6.4.2 Authentication functionality (9) Canceling authentication.
The sequence from the start of requesting authentication from a RADIUS server is the same for
both forced authentication common to all authentication methods and each authentication
functionality. For more details, see 5.4.6 Forced authentication common to all authentication
modes (1) Behavior from the start of a RADIUS authentication request to permission for forced
authentication.
All EAPOL frames sent from terminals that went through forced authentication are discarded
until the next re-authentication time.
(9) Canceling authentication
The following methods of canceling authentication are provided in port-based authentication
(static).
• Canceling authentication for a terminal that does not respond to an authentication request
• Canceling authentication by monitoring for non-communication by an authenticated terminal
• Canceling authentication by monitoring MAC address table aging for a terminal in quarantine status
• Canceling authentication by link-down of a port connected to the terminal subject to authentication
• Canceling authentication by changing the VLAN configuration
• Canceling authentication by using an operation command
(a) Canceling authentication for a terminal that does not respond to an authentication request
Because the Switch cannot otherwise detect that a terminal has left the network after
authentication, the Switch periodically requests re-authentication of authenticated terminals and
cancels authentication for terminals that do not respond to the request. For the target port, use
the dot1x reauthentication configuration command to request re-authentication, and then
use the dot1x timeout reauth-period configuration command to configure the
re-authentication interval.
(b) Canceling authentication by monitoring for non-communication by an authenticated terminal
This functionality targets quarantined terminals and authenticated terminals. This functionality
automatically cancels authentication for an authenticated terminal if the terminal does not
respond for a certain period of time. This functionality monitors the IEEE 802.1X authentication
entries in the MAC address table periodically (approx. every minute) and checks whether a
frame has been received from an authenticated terminal registered with IEEE 802.1X. If no
frame is detected from a target terminal for a certain period of time (approximately 10 minutes),
it deletes the target IEEE 802.1X authentication entry from the MAC address table and cancels
authentication.
Figure 6-10: Overview of canceling authentication by monitoring for
non-communication of an authenticated terminal
This functionality is enabled when the following conditions are met:
• IEEE 802.1X port-based authentication (static) or port-based authentication (dynamic) is enabled, and dot1x auto-logout is enabled.
You can use the no dot1x auto-logout configuration command to stop this functionality
from canceling authentication automatically.
(c) Canceling authentication by monitoring MAC address table aging for a terminal in quarantine status
This functionality targets a registered terminal in quarantine status when terminals are
authenticated with port-based authentication (static). (For details about the quarantine status, see
6.2.3 Collaboration with the NAP quarantine system.)
This functionality monitors the dynamic entries of terminals in the MAC address table
periodically (approx. every minute) and checks whether the MAC address of a terminal has aged
out. The quarantine status of a terminal is automatically canceled if its MAC address is deleted
from the MAC address table due to an aging timeout. However, to prevent cancellation due to an
effect such as an instantaneous interruption of a line, this functionality cancels the quarantine
status only if the MAC address is not registered in the MAC address table again for approx. 10
minutes (time before cancellation) after the MAC address is deleted from the MAC address table.
Figure 6-11: Overview of canceling authentication by monitoring MAC address table
aging
This functionality is enabled when the following conditions are met:
• IEEE 802.1X port-based authentication (static) is enabled, and dot1x auto-logout is enabled.
• The target terminal is in quarantine status.
You can use the no dot1x auto-logout configuration command to keep this functionality
from canceling authentication automatically even when an aging timeout occurs.
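The two monitors of (b) and (c) as an added example, not the Switch's own code. It assumes, following Table 6-8, that a quarantined terminal has only a dynamic MAC entry (no 802.1X entry), so (b) is applied to fully authenticated terminals and (c) to quarantined ones; the MAC addresses, the 60 s check interval and the 600 s cancel time standing in for the text's "approx." values are constructed.

```python
"""Model of the dot1x auto-logout monitors described in (b) and (c).

Added example; it is not code from the AX1250S/AX1240S manual. (b) removes
the IEEE 802.1X entry of an authenticated terminal when no frame has been
seen from it for approx. 10 minutes. (c) cancels quarantine status only when a
quarantined terminal's dynamic MAC entry has stayed absent for approx.
10 minutes after aging out, so a momentary line interruption does not cancel
it. The split between (b) and (c), the schedule and all timestamps are
assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHECK_INTERVAL_S = 60   # both monitors run approx. every minute
CANCEL_AFTER_S = 600    # approx. 10 minutes of silence or absence


@dataclass
class Terminal:
    mac: str
    quarantined: bool                 # Sub-Status "Permitting limited access"
    last_frame_at: int                # seconds; last frame seen from this MAC
    mac_entry_present: bool = True    # dynamic MAC entry currently in the table
    mac_entry_deleted_at: Optional[int] = None


@dataclass
class AutoLogoutMonitor:
    auto_logout: bool = True          # False models "no dot1x auto-logout"
    terminals: Dict[str, Terminal] = field(default_factory=dict)
    cancelled: List[str] = field(default_factory=list)   # "mac: reason" records

    def frame_received(self, mac: str, now: int) -> None:
        t = self.terminals[mac]
        t.last_frame_at = now
        if not t.mac_entry_present:
            # Line came back before the cancel time: the dynamic entry is
            # relearned and the quarantine status survives.
            t.mac_entry_present = True
            t.mac_entry_deleted_at = None

    def mac_entry_aged_out(self, mac: str, now: int) -> None:
        """MAC address table aging removed the terminal's dynamic entry."""
        t = self.terminals[mac]
        t.mac_entry_present = False
        t.mac_entry_deleted_at = now

    def run_check(self, now: int) -> List[str]:
        """One periodic check; returns the MACs whose authentication was cancelled."""
        if not self.auto_logout:
            return []
        hits = []
        for mac, t in self.terminals.items():
            if not t.quarantined and now - t.last_frame_at >= CANCEL_AFTER_S:
                hits.append((mac, "no frame for approx. 10 min (b)"))
            elif (t.quarantined and not t.mac_entry_present
                  and now - t.mac_entry_deleted_at >= CANCEL_AFTER_S):
                hits.append((mac, "MAC entry absent approx. 10 min after aging (c)"))
        for mac, reason in hits:
            del self.terminals[mac]       # 802.1X entry or quarantine status removed
            self.cancelled.append(f"{mac}: {reason}")
        return [mac for mac, _ in hits]

    def run_until(self, start: int, end: int) -> List[str]:
        """Run the once-a-minute check from start to end; return all cancellations."""
        out = []
        for now in range(start, end + 1, CHECK_INTERVAL_S):
            out.extend(self.run_check(now))
        return out


def scenario() -> List[str]:
    """Constructed timeline: a silent authenticated terminal, a quarantined
    terminal whose entry ages out and comes back, and one that stays gone."""
    m = AutoLogoutMonitor()
    for mac, quarantined in (("00-00-5e-00-53-01", False),
                             ("00-00-5e-00-53-02", True),
                             ("00-00-5e-00-53-03", True)):
        m.terminals[mac] = Terminal(mac, quarantined, last_frame_at=0)
    m.mac_entry_aged_out("00-00-5e-00-53-02", now=300)
    m.mac_entry_aged_out("00-00-5e-00-53-03", now=300)
    m.run_until(60, 540)                              # nothing cancelled yet
    m.frame_received("00-00-5e-00-53-02", now=550)    # momentary interruption only
    m.run_until(600, 900)                             # 01 at 600 (b), 03 at 900 (c)
    return m.cancelled
```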
(d) Canceling authentication by link-down of a port connected to the terminal subject to authentication
This functionality automatically cancels authentication for an authenticated terminal if it detects
a link-down at a port connected to the authenticated terminal.
(e) Canceling authentication by changing the VLAN configuration
This functionality cancels authentication for the terminal included in a VLAN if the VLAN
configuration is changed by a configuration command.
Changes in configuration:
• The VLAN is deleted.
• The VLAN is suspended.
(f) Canceling authentication by using an operation command
You can use the clear dot1x auth-state command to manually cancel authentication of a
terminal subject to IEEE 802.1X authentication.
6.2.3 Collaboration with the NAP quarantine system
The Network Access Protection (NAP) quarantine system examines system normality of
terminals while they are not yet connected to the network, and restricts network access by
terminals that do not conform to a security policy.
In the NAP quarantine system, a device that monitors the security status of terminals is called a
network policy server (NPS), and a terminal that is monitored is called a NAP client. The Switch
is positioned between the NPS and NAP clients.
(1) Operational overview
The Switch can work with the NAP quarantine system with port-based authentication (static).
Because port-based authentication (static) does not automatically switch VLANs, the NPS
monitors the NAP client in any of the following statuses and reports its status to the Switch.
• Unauthenticated
• Under quarantine
• Authenticated and out of quarantine
The Switch permits full-access communication only to a NAP client that conforms to the
security policy (authenticated and out-of-quarantine terminals), based on information sent from
the NPS.
The figure below shows the overview of collaboration with the NAP quarantine system in
port-based authentication (static).
Figure 6-12: Overview of collaboration with the NAP quarantine system in port-based
authentication (static)
The Switch controls access to the terminal based on Filter-Id included in the
Access-Accept attribute as a response from the RADIUS server (corresponds to the NPS in
the figure above). An authentication IPv4 access list has been configured for Filter-Id.
The table below shows actions of the Switch based on the response from the RADIUS server.
Table 6-8: Actions of the Switch based on the response from the RADIUS server (NPS)
Authentication result (RADIUS server) | Quarantine result (RADIUS server) | RADIUS response | Contents of the attribute Filter-Id (Switch) | Registration into the MAC address table (Switch) | Sent to the terminal (Switch) | Access (Switch)
NG | -- | Reject | -- | Not implemented | EAPOL-Failure | This is the same as for standard authentication
OK | NG | Accept | Filter-Id = authentication ACL | Not implemented | EAPOL-Success | Restricted access under quarantine status (range of authentication ACL)
OK | OK | Accept | Filter-Id = 0 or no Filter-Id | Implemented | EAPOL-Success | Full access permission with an authenticated and out-of-quarantine status (limitation canceled)
Legend
ACL for authentication: authentication IPv4 access list
--: Not applicable because this is the same as for normal failures
Configure access permission to a quarantine server for the Switch using the authentication IPv4
access list, and configure the name of that authentication IPv4 access list as the Filter-Id of
the Access-Accept attribute on the RADIUS server. For server attributes, see 6.7 Preparation.
(2) Displaying "under quarantine" and "authenticated and out-of-quarantine" statuses for a terminal
In collaboration with the NAP quarantine system, "under quarantine" (permitting limited access)
and "authenticated and out-of-quarantine" (permitting full access) statuses occur. Check these
statuses through the authentication substatus of the show dot1x command. For more details,
see the operation command reference.
Table 6-9: Status displayed by IEEE 802.1X
Authentication result | Quarantine result | AuthState (authentication status of the terminal, displayed by show dot1x) | Sub-Status (authentication sub status, displayed by show dot1x) | Remarks
NG | -- | Other than authentication completed | No authentication sub status because authentication is not completed | Before authentication
OK | NG | Authentication completed | Permitting limited access | Under quarantine
OK | OK | Authentication completed | Permitting full access | After authentication and out of quarantine
Legend
--: Not applicable because this is the same as for normal failure
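Tables 6-8 and 6-9 as one decision function, an added example rather than the Switch's implementation; the text form of the RADIUS reply, the ACL name and the explicit rejection of a Filter-Id naming an ACL that is not configured (a case the page does not specify) are this example's assumptions.

```python
"""Switch action for a RADIUS (NPS) reply and the matching show dot1x status.

Added example; it is not code from the AX1250S/AX1240S manual. It encodes
Tables 6-8 and 6-9: the reply code and the Filter-Id attribute decide whether
the terminal's MAC is registered as an 802.1X entry, which EAPOL frame is
sent, the access level, and the AuthState / Sub-Status shown by show dot1x.
The text form of the reply and the ACL names are constructed; the page does
not say what happens when Filter-Id names an unknown ACL, so that is rejected.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class SwitchAction:
    registered_in_mac_table: bool
    eapol_sent: str            # "EAPOL-Failure" or "EAPOL-Success"
    access: str                # "none", "limited" (authentication ACL range) or "full"
    auth_state: str            # AuthState column of show dot1x (Table 6-9 wording)
    sub_status: Optional[str]  # Sub-Status column of show dot1x


def parse_reply(text: str) -> Tuple[str, Dict[str, str]]:
    """Parse a constructed 'Code: ...' / 'Attr = value' dump of a RADIUS reply."""
    code, attrs = "", {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Code:"):
            code = line.split(":", 1)[1].strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            attrs[name] = value.strip('"')
    return code, attrs


def decide(code: str, attrs: Dict[str, str], configured_acls: Set[str]) -> SwitchAction:
    """Apply Tables 6-8 and 6-9 to one reply."""
    if code == "Access-Reject":
        # Authentication result NG: same as a standard authentication failure.
        return SwitchAction(False, "EAPOL-Failure", "none",
                            "Other than authentication completed", None)
    if code != "Access-Accept":
        raise ValueError(f"unexpected RADIUS code {code!r}")
    filter_id = attrs.get("Filter-Id")
    if filter_id in (None, "0"):
        # Quarantine result OK: full access, limitation canceled, entry registered.
        return SwitchAction(True, "EAPOL-Success", "full",
                            "Authentication completed", "Permitting full access")
    if filter_id not in configured_acls:
        # Not specified on the page; fail loudly rather than guess an access level.
        raise ValueError(f"Filter-Id names unknown authentication IPv4 access list {filter_id!r}")
    # Quarantine result NG: limited access within the authentication ACL;
    # the MAC is not registered as an 802.1X entry (dynamic learning only).
    return SwitchAction(False, "EAPOL-Success", "limited",
                        "Authentication completed", "Permitting limited access")


# Constructed replies as an NPS might return them for one NAP client.
REJECT = "Code: Access-Reject\n"
QUARANTINE = 'Code: Access-Accept\nFilter-Id = "nap-quarantine"\n'
FULL = "Code: Access-Accept\nFilter-Id = 0\n"
CONFIGURED_ACLS = {"nap-quarantine"}   # authentication IPv4 access lists on the Switch


def action_for(text: str) -> SwitchAction:
    """Parse one reply dump and return the Switch's action for it."""
    code, attrs = parse_reply(text)
    return decide(code, attrs, CONFIGURED_ACLS)
```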
(3) Configuration to enable this functionality
No special configuration to enable collaboration with the NAP quarantine system is provided.
Configure the settings necessary for IEEE 802.1X port-based authentication (static). In addition,
configure access permission for a quarantine server in the authentication IPv4 access list.
• Port-based authentication (static) configuration: See 7.3 Configuring port-based authentication (static).
• Authentication IPv4 access list configuration: See 5.5.2 Configuring the authentication IPv4 access list.
6.3 Port-based authentication (dynamic)
In port-based authentication (dynamic), authentication is controlled for a physical port
belonging to a MAC VLAN. This authentication mode does not support EAPOL frames with the
IEEE 802.1Q VLAN-Tag. When this mode receives an EAPOL frame with the IEEE 802.1Q
VLAN-Tag, it discards the frame.
A successfully authenticated terminal dynamically switches VLANs according to VLAN
information (VLAN ID of a MAC VLAN) from a RADIUS server as the authentication server.
The figure below shows an example of a port-based authentication (dynamic) configuration.
Figure 6-13: Example of a port-based authentication (dynamic) configuration
An unauthenticated terminal cannot communicate until it is successfully authenticated. If
successfully authenticated with port-based authentication (dynamic), the MAC address of a
successfully authenticated terminal and its VLAN ID after authentication are registered in the
MAC VLAN and MAC address table as IEEE 802.1X port-based authentication entries and
communication is enabled. (You can use the show mac-address-table operation command
to check what has been registered in the MAC address table.)
Figure 6-14: Operational image of port-based authentication (dynamic)
When communicating with an unauthenticated VLAN, configure an authentication IPv4 access
list.
6.3.1 Authentication submode and the authentication mode option
IEEE 802.1X of the Switch provides authentication modes and authentication submodes. The
authentication modes show a unit for authentication control while the submodes specify the
terminal connection mode in the authentication unit. In addition, authentication mode options
configurable in each mode are provided. The table below shows the relationship among
authentication mode, authentication submode, and the authentication mode option.
Table 6-10: Relationship between the authentication submode and the authentication mode option
Authentication mode | Authentication submodes | Authentication mode option
Port-based authentication (dynamic) | Single mode | --
Port-based authentication (dynamic) | Terminal authentication mode | Authentication-excluded terminal option
(1) Authentication submode
These are the same as the submodes in port-based authentication (static). For details, see 6.2.1
Authentication submode and the authentication mode option (1) Authentication submode.
(2) Authentication mode option
(a) Authentication-excluded terminal option
This option permits communication without authentication for terminals where the MAC
address has been configured using the static MAC address learning functionality#1 and the MAC
VLAN functionality#2. This option is used to exclude terminals that do not require authentication
and which you want to exclude from an authentication unit: for example devices such as printers
without the Supplicant functionality or servers. This is available only in the terminal
authentication mode.
#1
You can configure a MAC address in the MAC address table by using the
mac-address-table static configuration command.
#2
You can configure a MAC address of a MAC VLAN by using the mac-address
configuration command.
The figure below shows an example of a configuration that has an excluded terminal with
port-based authentication (dynamic).
Figure 6-15: Example of a configuration that has an excluded terminal with port-based
authentication (dynamic)
6.3.2 Authentication functionality
(1) Authentication triggers
Authentication starts when the Switch receives EAPOL-Start from a port subject to port-based
authentication (dynamic).
(2) Sending an EAP-Request/Identity frame
This is the same as for port-based authentication (static). For details, see 6.2.2 Authentication
functionality (2) Sending an EAP-Request/Identity frame.
(3) Terminal action detection switching option
This is the same as for port-based authentication (static). For details, see 6.2.2 Authentication
functionality (3) Terminal action detection switching option.
(4) Resending an EAP-Request frame to the terminal
This is the same as for port-based authentication (static). For details, see 6.2.2 Authentication
functionality (4) Resending an EAP-Request frame to the terminal.
(5) Functionality to control an authentication request from the terminal
This is the same as for port-based authentication (static). For details, see 6.2.2 Authentication
functionality (5) Functionality to control authentication requests from terminals.
(6) Wait time before authentication restarts in the event of authentication failure
This is the same as for port-based authentication (static). For details, see 6.2.2 Authentication
functionality (6) Wait time before authentication restarts in the event of authentication failure.
(7) Wait time for a response from an authentication server
This is the same as for port-based authentication (static). For details, see 6.2.2 Authentication
functionality (7) Wait time for a response from an authentication server.
(8) Specifying a forced authentication port
When a terminal connected to a port for which forced authentication is specified is authenticated
by RADIUS, and the request to the RADIUS server fails due to a route failure or the server does
not respond, this functionality places the terminal in authenticated status.
Forced authentication on the Switch is configured in two places: the settings shared by all
authentication modes and each authentication functionality. For details on the shared
authentication settings, see 5.4.6 Forced authentication common to all authentication modes.
Use the dot1x force-authorized vlan configuration command for a port where forced
authentication is to be permitted. Also, use the dot1x force-authorized eapol
configuration command to send an EAP-Success response to the terminal where forced
authentication is permitted.
Forced authentication is permitted when the following conditions are met.
Table 6-11: Forced authentication permission conditions
Item | Condition
Configuration | All of the following have been set in the configuration:
 | • aaa authentication dot1x#1
 | • dot1x radius-server host or radius-server host
 | • dot1x system-auth-control
 | • dot1x force-authorized vlan#3
 | • dot1x port-control auto#3
 | • vlan <VLAN-ID> mac-based#2
 | • switchport mode mac-vlan#3
 | • dot1x authentication#4
Account log | When the following account log is collected by sending an authentication request to a RADIUS server:
 | • No=82 WARNING:SYSTEM: (additional information) Failed to connect to RADIUS server.
 | Additional information: IP
 | You can use the show dot1x logging command to check the account log.
#1
When forced authentication is used as the Switch default, set default group radius.
When the port-based authentication method is used, set <list-name> group <group-name>.
#2
Configure this for the same VLAN ID.
#3
Configure this for the same port.
#4
Configure this when the port-based authentication method is used.
The authentication status of a terminal where authentication is permitted by forced
authentication is canceled in the same way as for a normally authenticated terminal, as described
in 6.3.2 Authentication functionality (9) Canceling authentication.
The sequence from the start of requesting authentication from a RADIUS server is the same for
both forced authentication common to all authentication methods and each authentication
functionality. For more details, see 5.4.6 Forced authentication common to all authentication
modes (1) Behavior from the start of a RADIUS authentication request to permission for forced
authentication.
All EAPOL frames sent from terminals that went through forced authentication are discarded
until the next re-authentication time.
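An added audit script for the forced authentication conditions of Table 6-7 (static) and Table 6-11 (dynamic); it is not tooling from the manual, and the running-config layout, the IP address, the argument form of dot1x force-authorized vlan and the exact log line around No=82 are assumptions. Since forced authentication lets a port admit terminals while the RADIUS server is unreachable, knowing which ports meet all its conditions is worth checking regularly.

```python
"""Audit of the forced-authentication permission conditions (Tables 6-7 and 6-11).

Added example, not tooling from the AX1250S/AX1240S manual. It checks a constructed
running-config text and account log for the conditions under which a port may fall
back to forced authentication when the RADIUS server is unreachable, for port-based
authentication (static) and (dynamic). Command names follow the page; the interface
block layout, the argument of dot1x force-authorized vlan, the IP address and the
wording around "No=82" in the log are this example's assumptions.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
radius-server host 192.0.2.10
dot1x system-auth-control
vlan 100 mac-based
!
interface gigabitethernet 0/1
  switchport mode access
  dot1x port-control auto
  dot1x force-authorized
!
interface gigabitethernet 0/2
  switchport mode mac-vlan
  dot1x port-control auto
  dot1x force-authorized vlan 100
!
"""
# Constructed account log entry in the shape Table 6-7 describes (No=82).
SAMPLE_LOG = ["No=82 WARNING:SYSTEM: (192.0.2.10) Failed to connect to the RADIUS server."]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def _has(cmds: List[str], prefix: str) -> bool:
    """True if a command equals prefix or starts with it as a whole word."""
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)


def missing_conditions(config: str, port: str, mode: str) -> List[str]:
    """Return the Table 6-7 (static) / 6-11 (dynamic) items missing for the port."""
    glob, ifs = parse_config(config)
    port_cmds, missing = ifs.get(port, []), []
    lists = [m.group(1) for c in glob
             if (m := re.fullmatch(r"aaa authentication dot1x (\S+) group \S+", c))]
    if not lists:
        missing.append("aaa authentication dot1x")
    if not (_has(glob, "radius-server host") or _has(glob, "dot1x radius-server host")):
        missing.append("dot1x radius-server host or radius-server host")
    if not _has(glob, "dot1x system-auth-control"):
        missing.append("dot1x system-auth-control")
    if not _has(port_cmds, "dot1x port-control auto"):
        missing.append("dot1x port-control auto")
    if mode == "static":
        if "dot1x force-authorized" not in port_cmds:   # exact: not the vlan form
            missing.append("dot1x force-authorized")
        if not _has(port_cmds, "switchport mode access"):
            missing.append("switchport mode access")
    elif mode == "dynamic":
        vlan = next((c.split()[3] for c in port_cmds
                     if c.startswith("dot1x force-authorized vlan ")), None)
        if vlan is None:
            missing.append("dot1x force-authorized vlan")
        elif not _has(glob, f"vlan {vlan} mac-based"):
            missing.append(f"vlan {vlan} mac-based")    # same VLAN ID as the port
        if not _has(port_cmds, "switchport mode mac-vlan"):
            missing.append("switchport mode mac-vlan")
    else:
        raise ValueError("mode must be 'static' or 'dynamic'")
    # dot1x authentication <list-name> is needed only with a named list.
    if lists and "default" not in lists and not any(
            _has(port_cmds, f"dot1x authentication {n}") for n in lists):
        missing.append("dot1x authentication <list-name>")
    return missing


def forced_auth_permitted(config: str, port: str, mode: str, log: List[str]) -> bool:
    """True only when the configuration is complete and log No=82 was collected."""
    unreachable = any("No=82" in ln and "Failed to connect" in ln for ln in log)
    return not missing_conditions(config, port, mode) and unreachable
```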
(9) Canceling authentication
The following ways of canceling authentication are provided in port-based authentication (dynamic).
• Canceling authentication for a terminal that does not respond to a resent authentication request
• Canceling authentication by monitoring for non-communication by an authenticated terminal
• Canceling authentication by link-down of a port connected to the terminal subject to authentication
• Canceling authentication by changing the VLAN configuration
• Canceling authentication by using an operation command
Each way of canceling authentication is the same as for port-based authentication (static). For
details, see 6.2.2 Authentication functionality (9) Canceling authentication.
6.4 VLAN-based authentication (dynamic)
In VLAN-based authentication (dynamic), authentication control is executed for the terminals
belonging to MAC VLANs. This authentication unit does not support an EAPOL frame with
VLAN-Tag provided by IEEE 802.1Q. If such a frame is received, it is discarded.
The trunk ports and access ports of a specified VLAN are handled as excluded ports.
A successfully authenticated port dynamically switches VLANs according to VLAN
information (VLAN ID of a MAC VLAN) from a RADIUS authentication server. However,
authentication fails if VLAN information received from the RADIUS server is not included in
the authenticated VLAN settings (dot1x vlan dynamic radius-vlan configuration
command) after VLAN-based authentication (dynamic).
The figures below show an example operational image of a VLAN-based authentication
(dynamic) configuration.
Figure 6-16: Example of a VLAN-based authentication (dynamic) configuration
Figure 6-17: Operational image of VLAN-based authentication (dynamic)
6.4.1 Authentication submode and the authentication mode option
IEEE 802.1X of the Switch has three basic authentication modes and authentication submodes.
The basic authentication modes indicate the unit for authentication control, while the submodes
specify the terminal connection mode in the authentication unit. In addition, authentication
mode options configurable in each mode are provided. The table below shows the relationship
among authentication mode, authentication submode, and the authentication mode option.
Table 6-12: Relationship between the authentication submode and the authentication mode option
  Authentication mode: VLAN-based authentication (dynamic)
  Authentication submode: Terminal authentication mode
  Authentication mode option: Authentication-excluded terminal option; Authentication default VLAN
(1) Authentication submode
The only authentication submode of VLAN-based authentication (dynamic) is the terminal
authentication mode.
(a) Terminal authentication mode
This is the same as for port-based authentication (static). For details, see 6.2.1 Authentication
submode and the authentication mode option (1) Authentication submode (b) Terminal
authentication mode.
(2) Authentication mode option
(a) Authentication-excluded terminal option
This option permits communication without authentication for a terminal whose MAC address
has been configured using the MAC VLAN functionality#. Use it to exclude from an
authentication unit a terminal that does not require authentication, such as a printer without
Supplicant functionality or a server. This option is available only in the terminal
authentication mode.
# You can configure a MAC address of a MAC VLAN by using the mac-address configuration
command.
The figure below shows an example of the excluded terminal configuration using VLAN-based
authentication (dynamic).
Figure 6-18: Example of the excluded terminal configuration using VLAN-based
authentication (dynamic)
(b) Authentication default VLAN functionality
This functionality accommodates in the port VLAN a terminal that cannot be accommodated in
the MAC VLAN, for example because the terminal does not support IEEE 802.1X. If a port
VLAN or default VLAN has been configured on a port for VLAN-based authentication (dynamic),
that VLAN works as the authentication default VLAN. The following terminals are
accommodated in the authentication default VLAN:
• Terminal not supported by IEEE 802.1X
• Unauthenticated terminal supported by IEEE 802.1X
• Terminal that fails to pass authentication or re-authentication
• Terminal for which the VLAN ID specified by the RADIUS server is not one of the MAC VLANs
• Terminal for which the VLAN ID specified by the RADIUS server has not been configured on the port
6.4.2 Authentication functionality
(1) Authentication triggers
Authentication starts when the Switch receives EAPOL-Start from a port subject to
VLAN-based authentication (dynamic).
(2) Sending an EAP-Request/Identity frame
You can use the dot1x vlan dynamic timeout tx-period configuration command to set
a time interval at which EAP-Request/Identity is sent regularly from the Switch, thereby
triggering the start of VLAN-based authentication (dynamic), to a terminal that will not start
authentication by itself.
(3) Terminal action detection switching option
The Switch multicasts EAP-Request/Identity at intervals specified in the configuration to trigger
the start of authentication of a terminal. When the authentication submode is the terminal
authentication mode, there might be several terminals in an authentication unit. Because of this,
the Switch continues to send EAP-Request/Identity by default until authentication of all
terminals is completed.
In this case, as the number of terminals in the authentication unit increases, authenticating every
terminal that responds to each EAP-Request/Identity might place a heavy load on the Switch.
Because of this, some responses from already authenticated terminals are omitted to prevent
overloading of the Switch.
However, a problem might occur in which communication is interrupted due to omission of an
authentication sequence depending on the type of Supplicant software in use. Because of this,
the Switch provides an option to switch actions for authenticated terminals. This option allows
you to make a selection by using the dot1x vlan dynamic supplicant-detection
configuration command and specifies either of the two actions shown below.
(a) Shortcut
This is the same as for port-based authentication (static). For details, see 6.2.2 Authentication
functionality (3) Terminal action detection switching option (a) shortcut.
(b) Disable
This is the same as for port-based authentication (static). For details, see 6.2.2 Authentication
functionality (3) Terminal action detection switching option (c) disable.
(4) Resending an EAP-Request frame to the terminal
The period until resending and the resend count are set if there is no reply from the terminal to
the EAP-Request (request message from an authentication server) that is sent from the Switch
during terminal authentication. You can use the dot1x vlan dynamic timeout
supp-timeout configuration command to set the period until resending, and can use the
dot1x vlan dynamic max-req configuration command to set the resend count.
(5) Functionality to control authentication requests from the terminals
(a) Controlling re-authentication requests from the terminals
This functionality controls authentication that is started by EAPOL-Start sent from a terminal.
When re-authentication requests are received at short intervals from many terminals, this
functionality prevents the load on the Switch from increasing by stopping the sending of
EAP-Request/Identity. You can configure this functionality by using the dot1x vlan dynamic
re-authentication and dot1x vlan dynamic ignore-eapol-start configuration
commands.
After configuring the functionality, re-authentication for the terminal is executed by sending
EAP-Request/Identity from the Switch at an interval specified with either of the following
configuration commands:
• dot1x vlan dynamic timeout tx-period
• dot1x vlan dynamic timeout reauth-period
(6) Wait time before authentication restarts in the event of authentication failure
You can use the dot1x vlan dynamic timeout quiet-period configuration command to
configure the wait time before the restart of authentication for a terminal that was unsuccessfully
authenticated.
(7) Wait time for response from an authentication server
You can use the dot1x vlan dynamic timeout server-timeout configuration command to
configure the wait time for a response to a request sent to an authentication server. After the
time passes, the Switch notifies the Supplicant of the authentication failure. Of this wait time
and the total time including resends configured with the radius-server configuration
command, the shorter one determines when the Switch notifies the Supplicant of the
authentication failure.
(8) Specifying a forced authentication port
When RADIUS authentication is used for a terminal connected to a port for which forced
authentication is specified, and the request to the RADIUS server fails because of a route failure
or because the server does not respond, this functionality places the terminal in authenticated
status.
The Switch provides forced authentication both as a setting common to all authentication modes
and as a setting for each authentication functionality. However, VLAN-based authentication
(dynamic) does not work with the setting common to all authentication methods. Use the forced
authentication functionality of IEEE 802.1X.
Use the dot1x force-authorized vlan configuration command for a port where forced
authentication is to be permitted. Also, use the dot1x force-authorized eapol
configuration command to send an EAP-Success response to the terminal where forced
authentication is permitted.
Forced authentication is permitted when the following conditions are met.
Table 6-13: Forced authentication permission conditions
Item: Condition
  Configuration: All of the following have been set in the configuration:
    • aaa authentication dot1x#1
    • dot1x radius-server host or radius-server host
    • dot1x system-auth-control
    • aaa authorization network default group radius
    • dot1x vlan dynamic enable
    • dot1x vlan dynamic radius-vlan#2
    • dot1x force-authorized vlan#2
    • vlan <VLAN-ID> mac-based#2
    • switchport mac#2#3
    • switchport mode mac-vlan#3
  Account log: When the following account log is collected by sending an authentication
  request to a RADIUS server:
    • No=82 WARNING:SYSTEM: (additional information) Failed to connect to RADIUS server.
      Additional information: IP
    You can use the show dot1x logging command to check the account log.
#1 When forced authentication is used as the Switch default, set default group radius.
#2 Configure the same VLAN ID.
#3 Configure the same port.
The authentication status of a terminal where authentication is permitted by forced
authentication is canceled in the same way as for a normally authenticated terminal, as described
in 6.4.2 Authentication functionality (9) Canceling authentication.
The sequence from the start of requesting authentication to a RADIUS server is the same for
both forced authentication for all authentication methods and each authentication functionality.
For more details, see 5.4.6 Forced authentication common to all authentication modes (1)
Behavior from the start of a RADIUS authentication request to permission for forced
authentication.
All EAPOL frames sent from terminals that went through forced authentication are discarded
before the next re-authentication time.
(9) Canceling authentication
The following ways of canceling authentication are provided in VLAN-based authentication
(dynamic).
• Canceling authentication for a terminal that does not respond to an authentication request
• Canceling authentication by monitoring MAC address table aging
• Canceling authentication by link-down of a port connected to the terminal subject to authentication
• Canceling authentication by changing the VLAN configuration
• Canceling authentication by using an operation command
MAC address table aging monitoring in VLAN-based authentication (dynamic) targets
authenticated terminals. The aging monitoring behavior is the same as for port-based
authentication (dynamic). For details, see 6.2.2 Authentication functionality (9) Canceling
authentication.
6.5 EAPOL forwarding functionality
This functionality forwards EAPOL frames when you do not want to use IEEE 802.1X in the
Switch. Because an EAPOL frame has a destination MAC address reserved by IEEE 802.1D, it
is not normally forwarded. However, it can be forwarded if IEEE 802.1X is not in use.
Configure this functionality to use the Switch as an L2 switch between another Authenticator
and the terminal.
For an example of configuring the Switch, see 17.2 Configuring the L2 protocol frame
transparency functionality in the Configuration Guide Vol. 1.
6.6 Account functionality
Authentication results of IEEE 802.1X are recorded using the following account functionality:
• Account log built into the Switch
• Recording to the account functionality of a RADIUS server
• Recording of authentication information to the RADIUS server
• Outputting the account log to a syslog server
(1) Account log built into the Switch
The account log built into the Switch can record up to 2,100 lines in total for all authentication
modes of IEEE 802.1X. If the 2,100 limit is reached, older recorded lines are deleted and then
the new account log information is added.
The following information is recorded in the account log.
Table 6-14: Account log type
Account log type: Description
  LOGIN: Success or failure of authentication operations
  LOGOUT: Causes for success or failure of authentication operations
  SYSTEM: Relates to actions of IEEE 802.1X (including permission of forced authentication)
Table 6-15: Information output into the account log built into the Switch
  Account log type   Time  IP      MAC   VLAN  Port  Message
  LOGIN (Success)    Y     --      Y     Y#1   Y     Authentication success message
  LOGIN (Failure)    Y     --      Y     Y#1   Y     Authentication failure reason message
  LOGOUT             Y     --      Y     Y#1   Y     Authentication cancellation message
  SYSTEM             Y     Y#1#2   Y#1   --    Y#1   Message related to operations of IEEE 802.1X
Legend
Y: Output
--: Not output
#1 Might not be output, depending on the message type.
#2 Frame sender IP address or destination RADIUS server IP address
For more details about messages, see 25. IEEE 802.1X show dot1x logging in the manual
Operation Command Reference.
The functionality to output recorded account logs is described below:
1. Displaying account logs each time an event occurs
   Account logs are not displayed whenever an event occurs, even in environments where
   trace-monitor enable has been set.
2. Displaying by using an operation command
   You can use the show dot1x logging operation command to display the latest account
   log information.
3. Outputting to the syslog server
   For details, see (4) Outputting account logs to the syslog server.
4. Private traps
   Functionality to issue private traps when logging account logs of specific events, such as
   IEEE 802.1X authentication, is supported. Use each configuration command to specify
   whether a private trap is to be issued, and to specify the issuance type.
Table 6-16: Account log (LOGIN/LOGOUT) and conditions to issue a private trap
Account log type: Configuration necessary to issue a private trap (Command: Parameter)
  LOGIN (Success):
    snmp-server host: dot1x
    snmp-server traps: dot1x-trap all
  LOGIN (Failure):
    snmp-server host: dot1x
    snmp-server traps: Not configured or any of the following is configured:
      dot1x-trap all
      dot1x-trap failure
  LOGOUT:
    snmp-server host: dot1x
    snmp-server traps: dot1x-trap all
In account log type (SYSTEM), a private trap can only be issued with forced authentication
common to all authentication modes. For conditions to issue the private Trap with forced
authentication, see 5.4.6 Forced authentication common to all authentication modes (5)
Private trap for forced authentication.
(2) Recording using the RADIUS server account functionality
You can use the aaa accounting dot1x configuration command to use the account
functionality of a RADIUS server. For RADIUS attributes used to send accounting information
to a RADIUS server, see 6.7 Preparation.
(3) Recording authentication information to a RADIUS server
For the RADIUS authentication method, authentication success/failure is recorded depending
on the functionality of the RADIUS server. However, different information is recorded
depending on the type of RADIUS server. For more details, see the instruction manual for the
RADIUS server.
(4) Outputting account logs to the syslog server
Account log information and operational log information for the whole Switch is output to all
syslog servers for which syslog has been configured.
Figure 6-19: syslog server output format
For more details about outputting log data to a syslog server, see 22. Log Output Functionality.
With the Switch, you cannot specify output or suppression of only IEEE 802.1X authentication
account log information to a syslog server.
6.7 Preparation
You need to prepare the following before using the RADIUS authentication method:
• Configuration
• Preparing a RADIUS server
(1) Configuration
In order to use IEEE 802.1X, create the configuration commands to configure VLAN and IEEE
802.1X information for the Switch. (For details, see 7. IEEE 802.1X Configuration and
Operation.)
(2) Preparing a RADIUS server
(a) RADIUS attributes to use
The table below shows RADIUS attributes used by the Switch.
Table 6-17: Attributes used in authentication (No. 1 Access-Request)
Attribute (Type value): Description
  User-Name (1): User ID to authenticate.
  NAS-IP-Address (4): IP address of the Switch requesting authentication. The IP address of
  the smallest VLAN ID is used among VLAN interfaces to which IP addresses have been registered.
  NAS-Port (5):
    • Port-based authentication (static): IfIndex of an authentication unit which is authenticating
    • Port-based authentication (dynamic): IfIndex of an authentication unit which is authenticating
    • VLAN-based authentication (dynamic): 4296
  Service-Type (6): Service type provided. Framed(2) fixed.
  Framed-MTU (12): Maximum frame size between the Supplicant and Authenticator. (1466) fixed.
  State (24): Enables holding State information between the Authenticator and a RADIUS server.
  Called-Station-Id (30): MAC address of the Switch (lower-case ASCII#, separated by a hyphen (-)).
  Calling-Station-Id (31): MAC address of Supplicant (lower-case ASCII#, separated by a hyphen (-)).
  NAS-Identifier (32): String to identify Authenticator (host name string).
  NAS-Port-Type (61): Type of a physical port used by Authenticator for user authentication.
  Ethernet(15) fixed.
  Connect-Info (77): String to show characteristics of a Supplicant's connection.
    • Port-based authentication (static): Physical port ("CONNECT Ethernet"),
      Channel group port ("CONNECT Port-Channel ")
    • Port-based authentication (dynamic): Physical port ("CONNECT Ethernet")
    • VLAN-based authentication (dynamic): ("CONNECT DVLAN")
  EAP-Message (79): Encapsulates an EAP frame.
  Message-Authenticator (80): Used to protect a RADIUS/EAP frame.
  NAS-Port-Id (87): String to identify a port of Authenticator to authenticate Supplicant
  (x, y: numeric values).
    • Port-based authentication (static): "Port x/y", "ChGr x"
    • Port-based authentication (dynamic): "Port x/y"
    • VLAN-based authentication (dynamic): "DVLAN x"
# The Switch uses MAC addresses of Called-Station-Id and Calling-Station-Id in lower case.
However, you can use uppercase a to f for a MAC address using the radius-server attribute
station-id capitalize configuration command.
Table 6-18: Attributes used for authentication (No. 2 Access-Accept)
Attribute (Type value): Description
  Service-Type (6): Service type provided. Framed(2) fixed
  Filter-Id (11): Text string.
    • Authentication IPv4 access list name to filter an unauthenticated frame.
    • Used with multistep authentication#1.
  Reply-Message (18): Message displayed to a user#2.
  Tunnel-Type (64): Tunnel type. Important in port-based authentication (dynamic) and
  VLAN-based (dynamic). VLAN(13) fixed
  Tunnel-Medium-Type (65): Protocol to create a tunnel. Important in port-based authentication
  (dynamic) and VLAN-based (dynamic). IEEE 802(6) fixed.
  EAP-Message (79): Encapsulates an EAP frame.
  Message-Authenticator (80): Used to protect a RADIUS/EAP frame.
  Tunnel-Private-Group-ID (81): String to identify a VLAN#3, meaning the VLAN to assign to an
  authenticated Supplicant on Accept. Important in port-based authentication (dynamic) and
  VLAN-based (dynamic). The following strings correspond to this:
    (1) String to show a VLAN ID
    (2) String to show "VLAN"+VLAN ID
    Space is not permitted in the string (if a space is included, VLAN assignment fails).
    (3) String to show the name of a VLAN configured to the VLAN interface using the name
    configuration command (priority given to a smaller VLAN ID)#4
    (Example of configuration)
      VLAN ID: 10
      Configuration command: name: Authen_VLAN
      For (1): "10"
      For (2): "VLAN10"
      For (3): "Authen_VLAN"
#1 For strings used with multistep authentication, see 12. Multistep Authentication.
#2 The string Reply-Message is logged by the Switch as account log data.
#3 String type selection and VLAN ID identification are performed under the following
conditions in the Switch:
  1. Conditions for selecting a string type of Tunnel-Private-Group-ID (1)(2)(3)
    - A string beginning with 0-9 falls under (1).
    - A string beginning with VLAN + 0-9 falls under (2).
    - Strings other than the above fall under (3).
    A string beginning with 0x00-0x1f (one byte) has a tag, but the tag is ignored.
  2. Conditions to identify only the VLAN ID from strings of (1) and (2)
    - Only numbers (0-9) are converted into decimal digits and only the first four characters
      are effective (the 5th and following characters are ignored).
      Example: 0010, 010, and 10 are treated the same, and become VLAN ID = 10;
      01234 becomes VLAN ID = 123.
    - If a character is other than 0-9, the string ends with that character.
      Example: 12 + 3 becomes VLAN ID = 12.
#4 For the specification of a VLAN name using the name configuration command, see 5.4.2
Specifying VLAN accommodation by VLAN name.
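As an added illustration (not code from this manual or from the AX1250S/AX1240S software), the following Python models footnote #3's string-type selection and VLAN ID extraction for Tunnel-Private-Group-ID, then checks the resolved VLAN against a constructed list of VLANs allowed by dot1x vlan dynamic radius-vlan, as 6.4 describes. The VLAN names, the radius-vlan set, and applying the no-space rule to all three string forms are assumptions of this example.

```python
"""Resolve a RADIUS Tunnel-Private-Group-ID (attribute 81) string to a VLAN ID.

Added example; it models the selection rules given in footnote #3 of
Table 6-18 rather than reproducing any vendor code.
"""
from typing import Dict, Optional, Set

# Constructed sample configuration: VLAN ID -> name set with the "name"
# configuration command. Two VLANs deliberately share a name to exercise
# the "priority given to a smaller VLAN ID" rule for form (3).
VLAN_NAMES: Dict[int, str] = {
    10: "Authen_VLAN",
    20: "Guest_VLAN",
    30: "Authen_VLAN",
}

# Constructed: VLAN IDs assumed to be listed with
# "dot1x vlan dynamic radius-vlan" (the authenticated VLAN settings).
RADIUS_VLANS: Set[int] = {10, 20}


def strip_tag(value: bytes) -> str:
    """Drop a leading tag byte (0x00-0x1f); the manual says the tag is ignored."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii", errors="replace")


def leading_vlan_number(s: str) -> Optional[int]:
    """Rule 2: keep only leading digits, at most the first four, and stop at
    the first non-digit character. None when no digit is present."""
    digits = ""
    for ch in s:
        if not ch.isdigit() or len(digits) == 4:
            break
        digits += ch
    return int(digits) if digits else None


def classify(s: str) -> str:
    """Rule 1: (1) starts with 0-9, (2) starts with 'VLAN' + 0-9, (3) otherwise."""
    if s[:1].isdigit():
        return "1"
    if s.startswith("VLAN") and s[4:5].isdigit():
        return "2"
    return "3"


def resolve_vlan(value: bytes, names: Dict[int, str] = VLAN_NAMES) -> Optional[int]:
    """Return the VLAN ID the attribute string refers to, or None if it cannot
    be resolved (space present, no digits, or unknown VLAN name)."""
    s = strip_tag(value)
    if " " in s:  # assumption: the no-space rule applies to every string form
        return None
    kind = classify(s)
    if kind == "1":
        return leading_vlan_number(s)
    if kind == "2":
        return leading_vlan_number(s[4:])
    # Form (3): VLAN name; when several VLANs share the name, the smallest ID wins.
    matches = sorted(vid for vid, name in names.items() if name == s)
    return matches[0] if matches else None


def assign_vlan(value: bytes, radius_vlans: Set[int] = RADIUS_VLANS) -> Optional[int]:
    """VLAN actually assigned after Access-Accept: the resolved ID must be one of
    the configured radius-vlan VLANs, otherwise authentication fails (None)."""
    vid = resolve_vlan(value)
    if vid is None or vid not in radius_vlans:
        return None
    return vid


if __name__ == "__main__":
    for raw in (b"0010", b"01234", b"12+3", b"VLAN10", b"\x01Authen_VLAN", b"VLAN 10"):
        print(f"{raw!r}: resolved={resolve_vlan(raw)} assigned={assign_vlan(raw)}")
```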
Table 6-19: Attributes used for authentication (No. 3 Access-Challenge)
Attribute (Type value): Description
  Reply-Message (18): Message displayed to a user#.
  State (24): Enables holding State information between the Authenticator and a RADIUS server.
  EAP-Message (79): Encapsulates an EAP frame.
  Message-Authenticator (80): Used to protect a RADIUS/EAP frame.
# The string Reply-Message is logged by the Switch as account log data.
Table 6-20: Attributes used for authentication (No. 4 Access-Reject)
Attribute (Type value): Description
  Reply-Message (18): Message displayed to a user#.
  EAP-Message (79): Encapsulates an EAP frame.
  Message-Authenticator (80): Used to protect a RADIUS/EAP frame.
# The string Reply-Message is logged by the Switch as account log data.
Table 6-21: Attributes used for the RADIUS account functionality
Attribute (Type value): Description
  User-Name (1): User ID to authenticate.
  NAS-IP-Address (4): IP address of the Switch requesting authentication. The IP address of
  the smallest VLAN ID is used among VLAN interfaces to which IP addresses have been registered.
  NAS-Port (5):
    • Port-based authentication (static): IfIndex of an authentication unit which is authenticating
    • Port-based authentication (dynamic): IfIndex of an authentication unit which is authenticating
    • VLAN-based authentication (dynamic): 4296
  Service-Type (6): Service type provided. Framed(2) fixed.
  Calling-Station-Id (31): MAC address of the Supplicant (lower-case ASCII#, separated by a
  hyphen (-)).
  NAS-Identifier (32): String to identify the Authenticator (host name string).
  Acct-Status-Type (40): Accounting request type. Start(1), Stop(2)
  Acct-Delay-Time (41): Accounting information (send delay time) (seconds).
  Acct-Input-Octets (42): Accounting information (number of received octets). (0) fixed
  Acct-Output-Octets (43): Accounting information (number of sent octets). (0) fixed
  Acct-Session-Id (44): ID to identify accounting information.
  Acct-Authentic (45): Authentication method. RADIUS (1)
  Acct-Session-Time (46): Accounting information (session duration). (0) fixed.
  Acct-Input-Packets (47): Accounting information (number of received packets). (0) fixed
  Acct-Output-Packets (48): Accounting information (number of sent packets). (0) fixed
  Acct-Terminate-Cause (49): Accounting information (session termination cause). See Table
  6-22 Communication interruption causes due to Acct-Terminate-Cause.
  NAS-Port-Type (61): Type of a physical port used by Authenticator for user authentication.
  Ethernet(15) fixed.
  NAS-Port-Id (87): String to identify a port of Authenticator to authenticate Supplicant
  (x, y: numeric values).
    • Port-based authentication (static): "Port x/y", "ChGr x"
    • Port-based authentication (dynamic): "Port x/y"
    • VLAN-based authentication (dynamic): "DVLAN x"
# The Switch uses the MAC address of Called-Station-Id in lower case. However, you can use
uppercase a to f for a MAC address using the radius-server attribute station-id
capitalize configuration command.
Table 6-22: Communication interruption causes due to Acct-Terminate-Cause
Attribute (Type value): Description
  User Request (1): Disconnected following a request from the Supplicant.
    • When a logoff is received from an authenticated terminal
    Disconnected because terminal movement is detected.
  Idle Timeout (4): Disconnected because there has been no communication for a certain
  period of time.
  Admin Reset (6): Disconnected by the administrator.
    • When configuration is deleted in an authentication unit
    • When dot1x port-control force-authorized is configured
    • When dot1x port-control force-unauthorized is configured
    • When dot1x port-control is deleted
    • When clear dot1x auth-state is performed using the operation command
    Includes other disconnection causes due to changes in authentication configuration or
    operation commands.
  NAS Request (10): The first-step IEEE 802.1X authentication is disconnected because the
  second-step authentication is successful in multistep authentication (the authentication
  multistep dot1x configuration command has been configured).
  Reauthentication Failure (20): Re-authentication failed.
  Port Reinitialized (21): MAC on a port reinitialized.
    • When a port is linked-down
    • When vlan is deleted from a port in the configuration
    • When shutdown is set in the configuration
    • When the inactivate operation command is executed
  Port Administratively Disabled (22): Port disabled administratively.
    • When the authentication submode detects the second terminal on a port in the single mode
(b) Information to be configured to a RADIUS server
You need to configure a user ID, password, and VLAN ID for each user on a RADIUS server in
order to use the RADIUS authentication method. For more details on how to configure the
RADIUS server, see the instruction manual for your RADIUS server.
An example of RADIUS server configuration of VLAN information for each user subject to
authentication is shown below:
• Port-based authentication (static): Configuration not required
• Port-based authentication (dynamic), VLAN-based authentication (dynamic): Authenticated VLAN 40
• Setting for the name configuration command: dot1x-authen-vlan
Table 6-23: Example of RADIUS server configuration
Item: Description
  User-Name: User ID of the terminal subject to authentication.
  Auth-Type: Local
  User-Password: Password of the terminal subject to authentication.
  NAS-Identifier: Host name of the Switch. (String configured using the hostname
  configuration command)
  Tunnel-Type: Virtual VLAN2 (Value 13)
  Tunnel-Medium-Type: IEEE-802 (Value 6)
  Tunnel-Private-Group-Id: Any of the following formats for either port-based authentication
  (dynamic) or VLAN-based authentication (dynamic)
    • 40: An authenticated VLAN ID is configured using numbers.
    • VLAN40: An authenticated VLAN ID is configured using numbers following the string VLAN.
    • dot1x-authen-vlan: String that shows the name of a VLAN configured using the name
      configuration command.
  Authentication method: EAP
6.8 Notes on IEEE 802.1X
6.8.1 Operations when using IEEE 802.1X with other functionality
The table below shows operations when using IEEE 802.1X with other functionality.
Table 6-24: Operations when using IEEE 802.1X with other functionality
Functionality: Operation
  Spanning tree: Authentication can be executed at an always forwarding port. Configure this
  so that authentication will not be executed on other ports. Always forwarding ports are as
  follows:
    • PortFast port
    • Root bridge port
  Sending/receiving BPDUs and topology calculation of the spanning tree are conducted
  regardless of the authentication state of IEEE 802.1X.
6.8.2 Notes on using IEEE 802.1X
(1) Aging period configuration for MAC address learning in VLAN-based authentication (dynamic)
When using VLAN-based authentication (dynamic), do not specify 0 (infinite) as the aging time
for a MAC address entry. If you do so, unnecessary MAC address entries accumulate, because
the MAC address entry from before the switch is not deleted by aging when the VLAN for the
terminal is switched. When unnecessary MAC address entries accumulate, use the clear
mac-address-table operation command to delete them.
(2) Displaying the MAC address table for an authenticated terminal
The terminal authenticated with port-based authentication displays Dot1x as a type using the
show mac-address-table operation command. The terminal authenticated with
VLAN-based authentication (dynamic) displays Dynamic. However, the terminal under
quarantine in port-based authentication (static) displays Dynamic.
(3) Connecting an authenticated terminal to another port
When connecting an authenticated terminal to an IEEE 802.1X-effective port, authentication is
canceled. However, when an authenticated terminal with VLAN-based authentication
(dynamic) is connected to a port of a single VLAN belonging to VLAN-based authentication
(dynamic), authentication continues.
In addition, when an authenticated terminal is connected to a different port that does not go
through authentication within a single VLAN, communication is impossible until the
authentication status is canceled. Use the clear dot1x auth-state operation command to
cancel the authentication status of the terminal.
(4) Changing timer values
If you change timer values (tx-period, reauth-period, supp-timeout, quiet-period,
and keep-unauth), new values are reflected when timers running in each authentication unit
time out and become 0. If you want to reflect new values immediately, use the clear dot1x
auth-state operation command to cancel their authentication statuses.
(5) Notes on arranging an L2 switch between terminals and the Switch
Because responses from terminals are generally sent as multicast, when an L2 switch is
arranged between the terminals and the Switch, the EAPOL frames carrying those responses are
forwarded to all ports of the same VLAN on the L2 switch. Therefore, if an L2 switch is
arranged as described in the list below, EAPOL frames from a single terminal are forwarded to
several ports of the Switch and authentication is performed for that single terminal on several
ports. This might make authentication unstable, interrupt communication or prevent
authentication.
• When a port configured for a single VLAN of an L2 switch is connected to several ports of the
  Switch, which are subject to authentication
• When a port configured for a single VLAN of an L2 switch is connected to ports of several
  Switches, which are subject to authentication
The figure below shows examples of prohibited and correct configurations in which an L2
switch is arranged between terminals and the Switch.
Figure 6-20: Prohibited configuration
Figure 6-21: Correct configuration
(6) Notes on specifying a MAC VLAN as an access port
• When specifying a MAC VLAN in VLAN-based authentication (dynamic) as an access port,
  an EAPOL frame is sent from the specified port of the Switch. However, the specified port is
  handled as an authentication-excluded port even when a user sends an authentication response
  to the EAPOL frame. This enables communication on the specified port regardless of the
  authentication result.
•
Configure port-based authentication (static) for an interface where a MAC VLAN has been
specified as the access port. However, it is not interoperable with port-based authentication
(dynamic) on a single port. (They can interoperate in the Switch. For more details, see 5.
Overview of Layer 2 Authentication).
(7) Using a forced authentication port
• Please note that this functionality might cause security troubles.
•
The Switch provides the forced authentication functionality common to all authentication
modes and for IEEE 802.1X authentication, which are not interoperable. Before use, see 5.4.6
Forced authentication common to all authentication modes (4) Interoperability of this
functionality and forced authentication of each authentication method.
(8) Interoperability of VLAN-based authentication (dynamic) and multistep authentication
VLAN-based authentication (dynamic) and multistep authentication are not interoperable in the
Switch. When using VLAN-based authentication (dynamic), check that multistep authentication
has not been configured.
7. IEEE 802.1X Configuration and Operation
IEEE 802.1X functionality authenticates Layer 2 of the OSI layer model. This chapter describes
IEEE 802.1X operations.
7.1 Configuring IEEE 802.1X
7.2 Configuration common to all authentication modes
7.3 Configuring port-based authentication (static)
7.4 Configuring port-based authentication (dynamic)
7.5 Configuring VLAN-based authentication (dynamic)
7.6 IEEE 802.1X operations
7.1 Configuring IEEE 802.1X
7.1.1 List of configuration commands
The following table describes the configuration commands and authentication modes for IEEE
802.1X.
Table 7-1: Configuration commands and authentication modes for IEEE 802.1X
Columns: Static = port-based authentication (static), Dynamic = port-based authentication (dynamic), VLAN-based = VLAN-based authentication (dynamic)

Command | Description | Static | Dynamic | VLAN-based
aaa accounting dot1x | Sends IEEE 802.1X accounting information to the accounting server. | Y | Y | Y
aaa authentication dot1x | Specifies the IEEE 802.1X authentication method group. | Y | Y | Y
aaa authorization network default | Enables VLAN-based authentication (dynamic) using VLAN information provided by the RADIUS server. | -- | -- | Y
authentication arp-relay #1 | Outputs an ARP frame sent from an unauthenticated terminal and destined for another device to a non-authenticating port. | Y | Y | N
authentication ip access-group #1 | Outputs only the frames specified by applying the IPv4 access list, among the IP frames sent from an unauthenticated terminal destined for another device, to a non-authenticating port. | Y | Y | N
dot1x authentication | Specifies the name of the list of port-based authentication methods. | Y | Y | N
dot1x auto-logout | The no dot1x auto-logout command disables the setting to automatically cancel authentication when no frame is received from a terminal authenticated by IEEE 802.1X for a certain period of time. | Y | Y | Y
dot1x force-authorized | When using RADIUS authentication, and a request to the RADIUS server fails because of a route failure or other problem, forcibly changes a terminal to be authenticated to an authenticated state when that terminal requests authentication at the relevant port. | Y | N | N
dot1x force-authorized eapol | Sends an EAPOL-Success response frame from the Switch to a terminal when that terminal is forcibly changed to an authenticated state. | Y | Y | Y
dot1x force-authorized vlan | When using RADIUS authentication, and a request to the RADIUS server fails because of a route failure or other problem, forcibly changes a terminal to be authenticated to an authenticated state when that terminal requests authentication at the relevant port, and assigns a post-authentication VLAN. | N | Y | Y
dot1x ignore-eapol-start | Configures the Switch not to transmit EAP-Request/Identity packets in response to an EAPOL-Start message received from a Supplicant. | Y | Y | --
dot1x max-req | Specifies the maximum number of times that the Switch sends an EAP-Request/Identity packet when there is no response from a Supplicant. | Y | Y | --
dot1x multiple-authentication | Applies an authentication sub-mode to port-based authentication. | Y | Y | --
dot1x port-control #2 | Enables port-based authentication. | Y | Y | --
dot1x radius-server host | Specifies information about the RADIUS server dedicated to IEEE 802.1X authentication. | Y | Y | Y
dot1x radius-server dead-interval | Specifies the monitoring timer until automatic recovery to the primary RADIUS server when using a RADIUS server dedicated to IEEE 802.1X authentication. | Y | Y | Y
dot1x reauthentication | Enables or disables periodic re-authentication of authenticated terminals. | Y | Y | --
dot1x supplicant-detection | Specifies how terminals are detected when terminal authentication mode is specified as the authentication sub-mode. | Y | Y | --
dot1x system-auth-control | Enables IEEE 802.1X. | Y | Y | Y
dot1x timeout keep-unauth #3 | In the context of port-based authentication in single-terminal mode, this command specifies how long the port blocks traffic after receiving authentication requests from multiple terminals. | Y | Y | --
dot1x timeout quiet-period | Specifies how long the Switch waits before allowing a Supplicant that failed authentication (including re-authentication) to try again. | Y | Y | --
dot1x timeout reauth-period | Specifies the interval between re-authentication attempts for authenticated terminals. | Y | Y | --
dot1x timeout server-timeout | Specifies how long the Switch waits for a response from the authentication server. | Y | Y | --
dot1x timeout supp-timeout | Specifies how long the Switch waits for a Supplicant to respond to an EAP-Request/Identity packet. | Y | Y | --
dot1x timeout tx-period | Specifies the sending interval for periodic EAP-Request/Identity packets. | Y | Y | --
dot1x vlan dynamic enable | Enables VLAN-based authentication (dynamic). | -- | -- | Y
dot1x vlan dynamic ignore-eapol-start | Specifies that the Switch not transmit EAP-Request/Identity packets in response to an EAPOL-Start message received from a Supplicant. | -- | -- | Y
dot1x vlan dynamic max-req | Specifies the maximum number of times that the Switch sends an EAP-Request/Identity packet when there is no response from the Supplicant. | -- | -- | Y
dot1x vlan dynamic radius-vlan | In the context of VLAN-based authentication (dynamic), this command specifies the VLANs that the Switch can dynamically assign on the basis of information received from the RADIUS server. | -- | -- | Y
dot1x vlan dynamic reauthentication | Enables or disables periodic re-authentication of authenticated terminals. | -- | -- | Y
dot1x vlan dynamic supplicant-detection | Specifies how terminals are detected when terminal authentication mode is specified as the authentication sub-mode. | -- | -- | Y
dot1x vlan dynamic timeout quiet-period | Specifies how long the Switch waits before allowing a Supplicant that failed authentication (including re-authentication) to try again. | -- | -- | Y
dot1x vlan dynamic timeout reauth-period | Specifies the interval between re-authentication attempts for authenticated terminals. | -- | -- | Y
dot1x vlan dynamic timeout server-timeout | Specifies how long the Switch waits for a response from an authentication server. | -- | -- | Y
dot1x vlan dynamic timeout supp-timeout | Configures how long the Switch waits for a Supplicant to respond to an EAP-Request/Identity packet. | -- | -- | Y
dot1x vlan dynamic timeout tx-period | Specifies the sending interval for periodic EAP-Request/Identity packets. | -- | -- | Y

Legend
Port-based, Static: Port-based authentication (static)
Port-based, Dynamic: Port-based authentication (dynamic)
VLAN-based, Dynamic: VLAN-based authentication (dynamic)
Y: The command operates according to the settings.
--: The command can be entered, but has no effect.
N: The command cannot be entered.
#1: For details about the configuration, see 5. Overview of Layer 2 Authentication.
#2: The specification of this command affects the switching of authentication modes.
#3: The specification of this command applies only to single-terminal mode of port-based authentication (static) and port-based authentication (dynamic).
7.1.2 Configuration procedure for IEEE 802.1X
Use the procedure described below to configure IEEE 802.1X.
Figure 7-1: Configuration procedure for IEEE 802.1X
For details about the configuration, see the following:
1. Configuration common to all authentication modes
The following subsections describe configuration common to all authentication modes.
• Configuring the authentication method group and RADIUS server information: 7.2.1 Configuring the authentication method group and RADIUS server information
• Configuring the transmission of accounting information to the RADIUS server: 7.2.2 Configuring the transmission of accounting information
• Configuring port-based authentication methods: 5.2.3 Authentication method list configuration (2) Example of port-based authentication method configuration
2. Configuring individual authentication modes
The following sections describe how to configure individual authentication modes. Some items are the same as in other authentication modes. In such cases, see the sections referenced in the text.
• Configuring port-based authentication (static): 7.3 Configuring port-based authentication (static)
• Configuring port-based authentication (dynamic): 7.4 Configuring port-based authentication (dynamic)
• Configuring VLAN-based authentication (dynamic): 7.5 Configuring VLAN-based authentication (dynamic)
3. Enabling IEEE 802.1X
The following subsection describes how to enable IEEE 802.1X to finish IEEE 802.1X configuration.
• 7.2.3 Enabling IEEE 802.1X
Authentication modes are enabled by using the configuration settings described in the table below.
Table 7-2: Conditions for enabling authentication modes
Authentication mode: Common
Configuration setting:
• aaa authentication dot1x
• dot1x radius-server host or radius-server
• dot1x system-auth-control
Authentication mode: Port-based authentication (static)
Configuration setting:
• vlan <VLAN-ID-list>
• dot1x port-control auto
• switchport mode access
• switchport access vlan
Authentication mode: Port-based authentication (dynamic)
Configuration setting:
• vlan <VLAN-ID-list> mac-based
• dot1x port-control auto
• switchport mode mac-vlan
Authentication mode: VLAN-based authentication (dynamic)
Configuration setting:
• vlan <VLAN-ID-list> mac-based
• aaa authorization network default
• dot1x vlan dynamic enable
• dot1x vlan dynamic radius-vlan
• switchport mode mac-vlan
• switchport mac vlan
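To check a configuration against the conditions in Table 7-2, the following Python script, an added example that is not part of this manual or of ALAXALA's software, parses a constructed running-config excerpt written in the manual's CLI syntax and reports, per interface, which authentication modes have all of their enabling conditions present. The argument forms given to dot1x vlan dynamic radius-vlan and switchport mac vlan in the sample, and the comma-separated handling of VLAN ID lists, are assumptions of this script; only the command prefixes listed in Table 7-2 are checked.

```python
"""Report which IEEE 802.1X authentication modes a configuration enables, applying the
enabling conditions of Table 7-2 (added example, not ALAXALA code)."""
import re

# Constructed sample running-config excerpt in the manual's CLI syntax. The arguments of
# "dot1x vlan dynamic radius-vlan" and "switchport mac vlan" are assumed forms; only the
# command prefixes are checked.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
dot1x radius-server host 192.168.10.200 key "dot1x-auth"
dot1x system-auth-control
aaa authorization network default
dot1x vlan dynamic enable
dot1x vlan dynamic radius-vlan 200,400
vlan 10
vlan 200,400 mac-based
interface fastethernet 0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
interface fastethernet 0/2
 switchport mode mac-vlan
 switchport mac native vlan 10
 dot1x port-control auto
interface fastethernet 0/3
 switchport mode mac-vlan
 switchport mac vlan 200,400
interface fastethernet 0/4
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
"""

def parse_config(text):
    """Split the config into global commands, VLAN definitions and per-interface commands."""
    cfg = {"global": [], "vlans": {}, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:   # indented: inside an interface
            cfg["interfaces"][current].append(raw.strip())
            continue
        current, line = None, raw.strip()
        m = re.match(r"vlan\s+([\d,]+)(\s+mac-based)?$", line)
        if line.startswith("interface "):
            current = line[len("interface "):]
            cfg["interfaces"][current] = []
        elif m:  # "vlan <VLAN-ID-list> [mac-based]"; comma-separated IDs only (assumption)
            for vid in m.group(1).split(","):
                cfg["vlans"][int(vid)] = "mac-based" if m.group(2) else "normal"
        else:
            cfg["global"].append(line)
    return cfg

def has(lines, prefix):
    # True if a command equal to prefix, or prefix followed by arguments, is present.
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)

def common_conditions_met(cfg):
    # Table 7-2, "Common" row.
    g = cfg["global"]
    return (has(g, "aaa authentication dot1x") and has(g, "dot1x system-auth-control")
            and (has(g, "dot1x radius-server host") or has(g, "radius-server")))

def modes_for_interface(cfg, name):
    """Authentication modes whose Table 7-2 conditions are all present for one interface."""
    if not common_conditions_met(cfg):
        return []
    g, ifl = cfg["global"], cfg["interfaces"][name]
    normal_vlans = {v for v, k in cfg["vlans"].items() if k == "normal"}
    mac_vlans = {v for v, k in cfg["vlans"].items() if k == "mac-based"}
    auto = has(ifl, "dot1x port-control auto")
    access = [int(l.split()[-1]) for l in ifl if re.match(r"switchport access vlan \d+$", l)]
    modes = []
    # Port-based (static): access port whose access VLAN is a defined (non-MAC) VLAN.
    if auto and has(ifl, "switchport mode access") and access and access[-1] in normal_vlans:
        modes.append("port-based (static)")
    # Port-based (dynamic): MAC port with at least one MAC VLAN defined.
    if auto and has(ifl, "switchport mode mac-vlan") and mac_vlans:
        modes.append("port-based (dynamic)")
    # VLAN-based (dynamic): MAC port with "switchport mac vlan" plus the global commands.
    if (mac_vlans and has(g, "aaa authorization network default")
            and has(g, "dot1x vlan dynamic enable") and has(g, "dot1x vlan dynamic radius-vlan")
            and has(ifl, "switchport mode mac-vlan") and has(ifl, "switchport mac vlan")):
        modes.append("VLAN-based (dynamic)")
    return modes

def check_modes(text):
    cfg = parse_config(text)
    return {name: modes_for_interface(cfg, name) for name in cfg["interfaces"]}

if __name__ == "__main__":
    for port, modes in check_modes(SAMPLE_CONFIG).items():
        print(f"{port}: {', '.join(modes) or 'no authentication mode enabled'}")
```

In the sample, port 0/4 is an access port with dot1x port-control auto but refers to VLAN 20, which is never defined, so the script reports no mode for it; removing dot1x system-auth-control from the global section clears every interface, matching the "Common" row of the table.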
7.2 Configuration common to all authentication modes
7.2.1 Configuring the authentication method group and RADIUS server information
(1) Configuring the authentication method group
Overview
The example below shows how to configure an IEEE 802.1X authentication method group. Specify one device default entry for use in common with IEEE 802.1X, and two entries for the authentication method lists used at authenticating ports.
1. Device default
RADIUS authentication is specified as the device default in this sample.
2. Authentication method list
The default RADIUS server groups specified in the authentication method list are Keneki-group1 and Keneki-group2.
For details about the authentication method list, see subsection 5.2.2 Authentication
method lists.
For details about RADIUS server group information, see 5.3.1 RADIUS server
information used with the Layer 2 authentication method and 8. Login Security and
RADIUS in the Configuration Guide Vol. 1.
Configuration command example
1.
(config)# aaa authentication dot1x default group radius
Specifies RADIUS authentication as the default authentication method of the device.
2.
(config)# aaa authentication dot1x DOT1X-list1 group Keneki-group1
Specifies the RADIUS server group name Keneki-group1 in the authentication method list DOT1X-list1.
3.
(config)# aaa authentication dot1x DOT1X-list2 group Keneki-group2
Specifies the RADIUS server group name Keneki-group2 in the authentication method list DOT1X-list2.
Notes
• When the device default setting is changed, terminals that had been authenticated by the corresponding authentication functionality are de-authenticated.
• When settings for the authentication method list are changed, terminals on ports specifying the corresponding authentication method list are de-authenticated.
(2) Configuring RADIUS server information
(a) When using a RADIUS server dedicated to IEEE 802.1X
Overview
The example below shows how to specify information about a RADIUS server dedicated
to IEEE 802.1X authentication. An IP address and a RADIUS key must be specified to
enable the RADIUS server settings. The configuration command dot1x radius-server
host requires only an IP address for configuration, but the RADIUS server is not used for
authentication until you specify a RADIUS key.
In this example, a monitoring timer (dead-interval time) is also configured to
automatically recover an unavailable RADIUS server dedicated to IEEE 802.1X
authentication.
Configuration command example
1.
(config)# dot1x radius-server host 192.168.10.200 key "dot1x-auth"
Specifies the IP address and RADIUS key for the RADIUS server dedicated to IEEE
802.1X authentication. In this example, the default values are used for the omitted
auth-port, acct-port, timeout, and retransmit.
2.
(config)# dot1x radius-server dead-interval 15
Specifies 15 minutes for the monitoring timer (dead-interval time) until automatic
recovery when the RADIUS server dedicated to IEEE 802.1X authentication is
unavailable.
Notes
• If this information is not specified, the settings for a general-purpose RADIUS server are used. If both the information for a RADIUS server dedicated to IEEE 802.1X authentication and the information for a general-purpose RADIUS server are unspecified, RADIUS authentication cannot be performed.
• Up to four entries can be specified on the entire Switch for information about RADIUS servers dedicated to IEEE 802.1X authentication.
• When the RADIUS key, retry count, and response timeout time are omitted, the settings specified by the configuration commands radius-server key, radius-server retransmit, and radius-server timeout are used, respectively.
(b) When using a general-purpose RADIUS server
For details about the settings for a general-purpose RADIUS server, see 8. Login Security and
RADIUS in the Configuration Guide Vol. 1.
7.2.2 Configuring the transmission of accounting information
Overview
The example below shows how to specify that IEEE 802.1X accounting information be
sent to the RADIUS server.
Configuration command example
1.
(config)# aaa accounting dot1x default start-stop group radius
Specifies that accounting information be sent to the RADIUS server.
7.2.3 Enabling IEEE 802.1X
Overview
The example below shows how to enable IEEE 802.1X authentication in global
configuration mode. You cannot execute other commands related to IEEE 802.1X without
executing this command first.
Configuration command example
1.
(config)# dot1x system-auth-control
Enables IEEE 802.1X.
7.3 Configuring port-based authentication (static)
After performing configuration according to sections 7.1 Configuring IEEE 802.1X and 7.2
Configuration common to all authentication modes, configure port-based authentication (static)
by performing the procedure in the following figure.
Figure 7-2: Configuration procedure of port-based authentication (static)
For details about the configuration, see the following:
1. Configuring port-based authentication (static): 7.3.1 Configuring port-based authentication (static)
2. Configuring authentication mode options: 7.3.2 Configuring authentication mode options
3. Configuring the transmission interval of the frames sent to terminals
• Switching terminal detection modes: 7.3.2 Configuring authentication mode options (2) Switching terminal detection modes
• Controlling the transmission of the frame that prompts authentication to start: 7.3.3 Configuration related to authentication processing (1) Controlling transmission of the frame that prompts a terminal to start authentication
• Functionality for requesting terminal re-authentication: 7.3.3 Configuration related to authentication processing (2) Configuring the functionality for requesting re-authentication of terminals
• Retransmission of EAP-Request frames: 7.3.3 Configuration related to authentication processing (3) Configuring the retransmission of EAP-Request frames to terminals
4. Configuring the suppression of authentication requests from terminals: 7.3.3 Configuration related to authentication processing (4) Configuring the functionality for suppressing authentication requests from terminals
5. Configuring the idle period for terminals that fail authentication: 7.3.3 Configuration related to authentication processing (5) Configuring the idle period for terminals that fail authentication
6. Configuring a timeout period for responses from the authentication server: 7.3.3 Configuration related to authentication processing (6) Configuring a timeout period for responses from the authentication server
7. Configuring a forced authentication port: 7.3.3 Configuration related to authentication processing (8) Configuring a forced authentication port
8. Configuring traffic blocking in response to authentication requests from multiple terminals: 7.3.3 Configuration related to authentication processing (7) Configuring traffic blocking in response to authentication requests from multiple terminals
9. Configuring the IPv4 access list dedicated to authentication: 5. Overview of Layer 2 Authentication.
7.3.1 Configuring port-based authentication (static)
(1) Configuring an authentication port and the VLAN information for authentication
This procedure designates a physical port or channel group as an authenticating port.
Figure 7-3: Sample configuration of port-based authentication (static)
Overview
The example below shows how to configure an access port, enable port-based
authentication (static) for the port, and specify the authentication sub-mode. If you omit the
authentication sub-mode setting, the port will operate in single-terminal mode.
Configuration command example
1.
(config)# vlan 10
(config-vlan)# exit
Specifies VLAN ID 10.
2.
(config)# interface fastethernet 0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
Specifies port 0/1 as an access port and VLAN ID 10.
3.
(config-if)# dot1x multiple-authentication
Specifies terminal authentication mode as the authentication sub-mode.
4.
(config-if)# dot1x port-control auto
(config-if)# exit
Enables port-based authentication.
(2) Configuring the name of the method list for port-based authentication
Overview
The example below shows how to configure the name of the method list for port-based authentication.
For details about the configuration of the authentication method list, see subsection 7.2.1
Configuring the authentication method group and RADIUS server information (1)
Configuring the authentication method group.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x authentication DOT1X-list1
(config-if)# exit
Specifies the authentication method list name DOT1X-list1 for port 0/1.
Notes
• When this information is not specified, authentication is performed according to the device default described in 7.2.1 Configuring the authentication method group and RADIUS server information (1) Configuring the authentication method group.
• If the name of the authentication method list specified for the port does not match the name of the authentication method list in the authentication method group, or an authentication method list does not exist in the authentication method group, authentication is performed according to the device default.
• Port-based authentication (static) cannot be configured at the same time as the user-ID-based authentication method for Web authentication or VLAN-based authentication (dynamic). For details, see subsection 5.2.2 Authentication method lists.
7.3.2 Configuring authentication mode options
(1) Configuring authentication exclusion options
This procedure specifies the MAC address of a terminal that the Switch allows to bypass
authentication. You can use this option to allow network access for devices that do not support
IEEE 802.1X. The example below connects a printer that is allowed unauthenticated access
(MAC address: 1234.5600.e001) to port 0/1, which was configured above in 7.3.1 Configuring
port-based authentication (static).
Figure 7-4: Sample configuration of authentication exclusion for port-based authentication (static)
Overview
The example below shows how to register a static entry in the MAC address table for
port-based authentication (static).
Configuration command example
1.
(config)# mac-address-table static 1234.5600.e001 vlan 10 interface
fastethernet 0/1
Adds the MAC address (1234.5600.e001) for which you want to permit unauthenticated
access to VLAN ID 10 from port 0/1 to the MAC address table.
(2) Switching terminal detection modes
Switches send EAP-Request/Identity packets to the multicast address at the interval specified by
the tx-period command to prompt terminals to begin authentication. The example below
shows how to specify the authentication sequence that takes place when a terminal that is
already authenticated responds to an EAP-Request/Identity packet. By default, authentication
processing is skipped.
Overview
• The shortcut setting skips the authentication sequence to reduce the load on the Switch.
• The disable setting does not perform periodic transmission of EAP-Request/Identity packets.
• The auto setting sends an EAP-Request/Identity packet only to a new terminal when an ARP/IP frame is received from it.
Configuration command example (shortcut)
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x multiple-authentication
(config-if)# dot1x port-control auto
(config-if)# dot1x supplicant-detection shortcut
(config-if)# exit
Specifies that re-authentication is skipped and that authentication is considered
successful when an EAP-Response/Identity packet is received from an authenticated
terminal at port 0/1.
Configuration command example (auto)
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x multiple-authentication
(config-if)# dot1x port-control auto
(config-if)# dot1x supplicant-detection auto
(config-if)# exit
Specifies that an EAP-Request/Identity packet is sent only to a target terminal at port 0/1
when an ARP/IP frame is received from a new terminal.
7.3.3 Configuration related to authentication processing
(1) Controlling transmission of the frame that prompts a terminal to start authentication
You can specify the interval at which a Switch transmits EAP-Request/Identity packets to
prompt authentication for a terminal that does not begin authentication by itself.
Overview
The example below shows how to send EAP-Request/Identity packets to the multicast
address at the interval specified by the tx-period timer. Because authenticated terminals
also respond to an EAP-Response/Identity packet, specify a value that satisfies the
following expression to ensure that the Switch does not become overloaded:
reauth-period > tx-period ≥ (total number of terminals to be authenticated on the Switch ÷ 20) × 2
The default value of tx-period is 30 seconds. Therefore, when the Switch authenticates 300 or more terminals, change the value of the tx-period timer.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x timeout tx-period 300
(config-if)# exit
Specifies a 300-second interval for the transmission of EAP-Request/Identity packets to
port 0/1 configured for port-based authentication.
(2) Configuring the functionality for requesting re-authentication of terminals
Because the authentication of a terminal that is removed from the network after authentication
cannot be canceled from the Switch, re-authentication is requested from authenticated terminals.
If no response is received, the authentication of the terminal is canceled.
Overview
The example below shows how to configure the Switch to transmit an
EAP-Request/Identity message to each authenticated terminal at the interval specified by
the reauth-period timer. Make sure that the value of the reauth-period timer is
greater than the value of the tx-period timer.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x reauthentication
(config-if)# dot1x timeout reauth-period 360
(config-if)# exit
Enables the re-authentication request functionality at port 0/1, and then sets the
re-authentication interval to 360 seconds.
(3) Configuring the retransmission of EAP-Request frames to terminals
You can specify how long the Switch waits for a terminal to respond to an EAP-Request frame
(a request message from the authentication server) before resending the request, and the
maximum number of times that the Switch resends the request.
Overview
Make sure that the product of the resending interval multiplied by the number of retransmissions does not exceed the value specified for the reauth-period timer.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x timeout supp-timeout 60
Specifies a retransmission period of 60 seconds for EAP-Request frames at port 0/1.
2.
(config-if)# dot1x max-req 3
(config-if)# exit
Specifies that EAP-Request frames be retransmitted a maximum of three times at port
0/1.
(4) Configuring the functionality for suppressing authentication requests from terminals
You can prevent authentication from being initiated by EAPOL-Start frames from terminals.
With this functionality enabled, the authentication of new terminals and re-authentication of
existing terminals take place at the intervals specified by the tx-period timer and
reauth-period timer, respectively.
Overview
The example below shows how to reduce the load on the Switch when a large number of
terminals send re-authentication requests during a short period. You cannot execute the
commands below without executing the dot1x reauthentication command first.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x reauthentication
(config-if)# dot1x ignore-eapol-start
(config-if)# exit
Prevents authentication processing from being initiated in response to EAPOL-Start
frames received at port 0/1.
(5) Configuring the idle period for terminals that fail authentication
You can configure how long a terminal that fails authentication must remain idle before it can
try again.
Overview
The example below shows how to prevent a situation where the Switch is overloaded by a
large number of authentication requests received during a short period from terminals that
fail authentication. Note that the idle period you specify also applies to users who fail
authentication because they enter an incorrect user name or password.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x timeout quiet-period 300
(config-if)# exit
Specifies an idle period of 300 seconds before terminals attached to port 0/1 configured
for port-based authentication can retry the authentication process.
(6) Configuring a timeout period for responses from the authentication server
You can specify how long the Switch waits for the authentication server to respond to a request.
When the specified time has elapsed, the Switch notifies the Supplicant that authentication has
failed. The Supplicant learns of the failed authentication after the shorter of the following times:
the time specified in the commands below, and the total time including retransmissions specified
by the attributes of the radius-server configuration command.
Overview
When multiple RADIUS servers are configured by using the radius-server
configuration command, and you specify a shorter time than the total wait time, including
retransmissions by each server, the Supplicant will be notified that authentication has failed
before the Switch can send requests to all the authentication servers. If you want this
notification to wait until the Switch has failed to obtain a response from all of the
configured authentication servers, be sure to specify a longer value for this command.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x timeout server-timeout 300
(config-if)# exit
Specifies a 300-second timeout period for responses from the authentication server at
port 0/1 configured for port-based authentication.
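The timer relationships stated in (1), (2), (3) and (6) above are easy to break when the commands are entered one at a time, so the following Python script, an added example that is not part of this manual or of ALAXALA's software, collects the values in one place and reports every relationship that is violated. The way it totals the RADIUS wait time (timeout × (retransmit + 1) per server, with the servers tried in turn) is an assumption about the radius-server command's behaviour; the field names are the script's own, and the second server address and the terminal counts are constructed.

```python
"""Check IEEE 802.1X timer settings against the relationships stated in 7.3.3 (1), (2), (3)
and (6). Added example, not ALAXALA code; field names are this script's own."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class RadiusServer:
    """One entry of the radius-server command: timeout in seconds per attempt, retry count."""
    host: str
    timeout: int
    retransmit: int


@dataclass
class Dot1xTimers:
    """Values from the dot1x timeout and dot1x max-req commands (seconds or counts)."""
    terminals: int          # terminals to be authenticated on the whole Switch
    tx_period: int
    reauth_period: int
    supp_timeout: int
    max_req: int
    server_timeout: int
    servers: List[RadiusServer] = field(default_factory=list)


def min_tx_period(terminals):
    """tx-period >= (terminals / 20) x 2, the lower bound given in 7.3.3 (1)."""
    return (terminals / 20) * 2


def radius_total_wait(servers):
    """Assumption: each server is waited on for timeout x (retransmit + 1) seconds before
    the Switch moves on to the next one."""
    return sum(s.timeout * (s.retransmit + 1) for s in servers)


def check_timers(t):
    """Return the list of violated relationships (empty when the settings are consistent)."""
    problems = []
    need = min_tx_period(t.terminals)
    if t.tx_period < need:
        problems.append(f"tx-period {t.tx_period}s is below the {need:g}s needed for "
                        f"{t.terminals} terminals (7.3.3 (1))")
    if t.reauth_period <= t.tx_period:
        problems.append(f"reauth-period {t.reauth_period}s must exceed tx-period "
                        f"{t.tx_period}s (7.3.3 (1), (2))")
    if t.supp_timeout * t.max_req > t.reauth_period:
        problems.append(f"supp-timeout x max-req = {t.supp_timeout * t.max_req}s exceeds "
                        f"reauth-period {t.reauth_period}s (7.3.3 (3))")
    total = radius_total_wait(t.servers)
    if t.servers and t.server_timeout < total:
        problems.append(f"server-timeout {t.server_timeout}s is shorter than the {total}s "
                        f"needed to try all {len(t.servers)} RADIUS servers; Supplicants "
                        f"are told of failure before every server is tried (7.3.3 (6))")
    return problems


# Constructed scenarios. The first uses the values from the command examples in 7.3.3;
# the second keeps the 30-second default tx-period with 500 terminals and over-retransmits.
SERVERS = [RadiusServer("192.168.10.200", 5, 3), RadiusServer("192.168.10.201", 5, 3)]
CONSISTENT = Dot1xTimers(500, tx_period=300, reauth_period=360, supp_timeout=60,
                         max_req=3, server_timeout=300, servers=SERVERS)
INCONSISTENT = Dot1xTimers(500, tx_period=30, reauth_period=360, supp_timeout=60,
                           max_req=7, server_timeout=30, servers=SERVERS)

if __name__ == "__main__":
    for name, t in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(name, check_timers(t) or ["ok"])
```

With 500 terminals the lower bound from (1) is 50 seconds, so the default tx-period of 30 seconds is flagged; the second scenario also trips the supp-timeout × max-req bound from (3) and the server-timeout comparison from (6).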
(7) Configuring traffic blocking in response to authentication requests from multiple terminals
You can specify how long to block traffic at a port configured for port-based authentication in single-terminal mode in the event that the port receives authentication requests from multiple terminals.
Overview
The example below shows how to specify how long to block traffic at a target port when it
detects authentication requests from multiple terminals.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x timeout keep-unauth 1800
(config-if)# exit
Specifies that port 0/1 configured for port-based authentication blocks traffic for 1,800
seconds.
(8) Configuring a forced authentication port
Overview
This procedure allows forced authentication at a port for port-based authentication (static).
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# dot1x force-authorized
(config-if)# exit
Specifies port 0/1 as a forced authentication port.
2.
(config)# dot1x force-authorized eapol
Sends the EAPOL-Success response frame from the Switch to the terminal when it is
forcibly authenticated.
(9) Configuring conditions for automatic cancellation of authentication
(a) Configuring the functionality for non-communication monitoring at authenticated terminals
When port-based authentication (static) or port-based authentication (dynamic) is enabled, this
functionality is enabled even if the dot1x auto-logout configuration command is not
specified. In port-based authentication (static), non-communication monitoring is performed for
quarantined and authenticated terminals. If no dot1x auto-logout is specified with the
configuration command, authentication is not canceled automatically.
(b) Configuring the monitoring of MAC address table aging
When port-based authentication (static) or VLAN-based authentication (dynamic) is enabled,
this functionality is enabled even if the dot1x auto-logout configuration command is not
specified. In port-based authentication (static), MAC address table aging is monitored for
terminals in a quarantine state. If no dot1x auto-logout is specified with the configuration
command, authentication is not canceled automatically.
7.4 Configuring port-based authentication (dynamic)
After performing configuration according to sections 7.1 Configuring IEEE 802.1X and 7.2 Configuration common to all authentication modes, configure port-based authentication (dynamic) by performing the procedure in the following figure.
Figure 7-5: Configuration procedure of port-based authentication (dynamic)
For details about the configuration, see the following:
1. Configuring port-based authentication (dynamic): 7.4.1 Configuring port-based authentication (dynamic)
2. Configuring authentication mode options: 7.4.2 Configuring authentication mode options
3. Configuring the transmission interval of the frames sent to terminals
• Switching terminal detection modes: 7.4.2 Configuring authentication mode options (2) Switching terminal detection modes
• Controlling the transmission of the frame that prompts authentication to start: 7.4.3 Configuration related to authentication processing (1) Controlling transmission of the frame that prompts a terminal to start authentication
• Functionality for requesting terminal re-authentication: 7.4.3 Configuration related to authentication processing (2) Configuring the functionality for requesting re-authentication of terminals
• Retransmission of EAP-Request frames: 7.4.3 Configuration related to authentication processing (3) Configuring the retransmission of EAP-Request frames to terminals
4. Configuring the suppression of authentication requests from terminals: 7.4.3 Configuration related to authentication processing (4) Configuring the functionality for suppressing authentication requests from terminals
5. Configuring the idle period for terminals that fail authentication: 7.4.3 Configuration related to authentication processing (5) Configuring the idle period for terminals that fail authentication
6. Configuring a timeout period for responses from the authentication server: 7.4.3 Configuration related to authentication processing (6) Configuring a timeout period for responses from the authentication server
7. Configuring a forced authentication port: 7.4.3 Configuration related to authentication processing (8) Configuring a forced authentication port
8. Configuring traffic blocking in response to authentication requests from multiple terminals: 7.4.3 Configuration related to authentication processing (7) Configuring traffic blocking in response to authentication requests from multiple terminals
9. Configuring the IPv4 access list dedicated to authentication: 5. Overview of Layer 2 Authentication
7.4.1 Configuring port-based authentication (dynamic)
(1) Configuring an authentication port and the VLAN information for authentication
This procedure designates a physical port as an authenticating port.
Figure 7-6: Sample configuration of port-based authentication (dynamic)
Overview
The example below shows how to configure a MAC VLAN and a MAC port, enable port-based authentication (dynamic) for the port, and specify the authentication sub-mode. If you omit the authentication sub-mode setting, the port will operate in single-terminal mode.
Configuration command example
1.
(config)# vlan 200,400 mac-based
(config-vlan)# exit
Configures VLAN ID 200, 400 as a MAC VLAN.
2.
(config)# vlan 10
(config-vlan)# exit
Specifies VLAN ID 10.
3.
(config)# interface fastethernet 0/2
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 10
Specifies the port 0/2 that is connected to a terminal to authenticate as a MAC port, and
specifies VLAN 10 before authentication. (Post-authentication VLANs are assigned as
described in 5.4.3 Auto MAC VLAN assignment.)
4.
(config-if)# dot1x multiple-authentication
Specifies terminal authentication mode as the authentication sub-mode.
5.
(config-if)# dot1x port-control auto
(config-if)# exit
Enables port-based authentication (dynamic).
(2) Configuring the name of the method list for port-based authentication
Overview
The example below shows how to configure the name of the method list for port-based
authentication.
For details about the configuration of the authentication method list, see subsection 7.2.1
Configuring the authentication method group and RADIUS server information (1) Configuring
the authentication method group.
Configuration command example
1.
(config)# interface fastethernet 0/2
(config-if)# dot1x authentication DOT1X-list1
(config-if)# exit
Specifies the authentication method list name DOT1X-list1 for port 0/2.
Notes
• When this information is not specified, authentication is performed according to the
device default described in 7.2.1 Configuring the authentication method group and
RADIUS server information (1) Configuring the authentication method group.
• If the name of the authentication method list specified for the port does not match the
name of the authentication method list in the authentication method group, or an
authentication method list does not exist in the authentication method group,
authentication is performed according to the device default.
• Port-based authentication (dynamic) cannot be configured at the same time as the
user-ID-based authentication method for Web authentication or VLAN-based
authentication (dynamic). For details, see subsection 5.2.2 Authentication method lists.
7.4.2 Configuring authentication mode options
(1) Configuring authentication exclusion options
This procedure specifies the MAC address of a terminal that the Switch allows to bypass
authentication. You can use this option to allow network access for devices that do not support
IEEE 802.1X. The example below connects a printer that is allowed unauthenticated access
(MAC address: 1234.5600.e001) to port 0/2, which was configured above in 7.4.1 Configuring
port-based authentication (dynamic).
Figure 7-7: Sample configuration of authentication exclusion for port-based authentication (dynamic)
Overview
The example below shows how to register a static entry in the MAC address table and
MAC VLAN for port-based authentication (dynamic).
Configuration command example
1.
(config)# mac-address-table static 1234.5600.e001 vlan 200 interface
fastethernet 0/2
Adds the MAC address (1234.5600.e001) for which you want to permit unauthenticated
access to VLAN ID 200 at port 0/2 to the MAC address table.
2.
(config)# vlan 200 mac-based
(config-vlan)# mac-address 1234.5600.e001
(config-vlan)# exit
Specifies that the MAC address (1234.5600.e001) be allowed to access VLAN ID 200.
The printer can now access VLAN ID 200 without performing IEEE 802.1X
authentication.
(2) Switching terminal detection modes
This procedure is the same as for port-based authentication (static). See subsection 7.3.2
Configuring authentication mode options (2) Switching terminal detection modes.
7.4.3 Configuration related to authentication processing
(1) Controlling transmission of the frame that prompts a terminal to start authentication
This procedure is the same as for port-based authentication (static). See subsection 7.3.3
Configuration related to authentication processing (1) Controlling transmission of the frame
that prompts a terminal to start authentication.
(2) Configuring the functionality for requesting re-authentication of terminals
This procedure is the same as for port-based authentication (static). See subsection 7.3.3
Configuration related to authentication processing (2) Configuring the functionality for
requesting re-authentication of terminals.
(3) Configuring the retransmission of EAP-Request frames to terminals
This procedure is the same as for port-based authentication (static). See subsection 7.3.3
Configuration related to authentication processing (3) Configuring the retransmission of
EAP-Request frames to terminals.
(4) Configuring the functionality for suppressing authentication requests from terminals
This procedure is the same as for port-based authentication (static). See subsection 7.3.3
Configuration related to authentication processing (4) Configuring the functionality for
suppressing authentication requests from terminals.
(5) Configuring the idle period for terminals that fail authentication
This procedure is the same as for port-based authentication (static). See subsection 7.3.3
Configuration related to authentication processing (5) Configuring the idle period for terminals
that fail authentication.
(6) Configuring a timeout period for responses from the authentication server
This procedure is the same as for port-based authentication (static). See subsection 7.3.3
Configuration related to authentication processing (6) Configuring a timeout period for
responses from the authentication server.
(7) Configuring traffic blocking in response to authentication requests from multiple terminals
This procedure is the same as for port-based authentication (static). See subsection 7.3.3
Configuration related to authentication processing (7) Configuring traffic blocking in response
to authentication requests from multiple terminals.
(8) Configuring a forced authentication port
Overview
This procedure allows forced authentication at a port for port-based authentication
(dynamic) and specifies the post-authentication VLAN to be assigned.
Configuration command example
1.
(config)# interface fastethernet 0/2
(config-if)# dot1x force-authorized vlan 200
(config-if)# exit
Allows forced authentication at port 0/2, and specifies the VLAN ID of the
post-authentication VLAN to be assigned.
2.
(config)# dot1x force-authorized eapol
Sends the EAPOL-Success response frame from the Switch to the terminal when the
terminal is forcibly authenticated.
(9) Configuring conditions for automatic cancellation of authentication
(a) Configuring the functionality for non-communication monitoring at authenticated terminals
This functionality cancels the status of an authenticated terminal. The procedure is the same as
for configuring the non-communication monitoring functionality of port-based authentication
(static). See subsection 7.3.3 Configuration related to authentication processing (9)
Configuring conditions for automatic cancellation of authentication (a) Configuring the
functionality for non-communication monitoring at authenticated terminals.
7.5 Configuring VLAN-based authentication (dynamic)
After performing configuration according to 7.1 Configuring IEEE 802.1X and 7.2
Configuration common to all authentication modes, configure VLAN-based authentication
(dynamic) by performing the procedure in the following figure.
Figure 7-8: Configuration procedure of VLAN-based authentication (dynamic)
For details about the configuration, see the following:
1. Configuring port-based authentication (static): 7.5.1 Configuring VLAN-based authentication (dynamic)
2. Configuring authentication mode options: 7.5.2 Configuring authentication mode options
3. Configuring the transmission interval of the frames sent to terminals
• Switching terminal detection modes: 7.5.2 Configuring authentication mode options
• Controlling the transmission of the frame that prompts authentication to start: 7.5.3 Configuration related to authentication processing (1) Controlling transmission of the frame that prompts a terminal to start authentication
• Functionality for requesting terminal re-authentication: 7.5.3 Configuration related to authentication processing (2) Configuring the functionality for requesting re-authentication of terminals
• Retransmission of EAP-Request frames: 7.5.3 Configuration related to authentication processing (3) Configuring the retransmission of EAP-Request frames to terminals
4. Configuring the suppression of authentication requests from terminals: 7.5.3 Configuration related to authentication processing (4) Configuring the functionality for suppressing authentication requests from terminals
5. Configuring the idle period for terminals that fail authentication: 7.5.3 Configuration related to authentication processing (5) Configuring the idle period for terminals that fail authentication
6. Configuring a timeout period for responses from the authentication server: 7.5.3 Configuration related to authentication processing (6) Configuring a timeout period for responses from the authentication server
7. Configuring a forced authentication port: 7.5.3 Configuration related to authentication processing (7) Configuring a forced authentication port
7.5.1 Configuring VLAN-based authentication (dynamic)
This functionality authenticates terminals belonging to a MAC VLAN.
Figure 7-9: Sample configuration of VLAN-based authentication (dynamic)
Overview
The example below shows how to configure a MAC VLAN and enable VLAN-based
authentication (dynamic) for that VLAN. Register authenticated terminals according to the
VLAN specified by the RADIUS server. Additionally, register the list of VLANs specified
by the RADIUS server with the dot1x vlan dynamic radius-vlan configuration
command.
Configuration command example
1.
(config)# vlan 300,400 mac-based
(config-vlan)# exit
Configures VLAN ID 300, 400 as a MAC VLAN.
2.
(config)# vlan 10
(config-vlan)# exit
Specifies VLAN ID 10.
3.
(config)# dot1x vlan dynamic radius-vlan 300,400
Specifies VLAN ID 300, 400 for VLAN-based authentication (dynamic).
4.
(config)# aaa authorization network default group radius
Registers according to the VLAN specified by the RADIUS server.
5.
(config)# dot1x vlan dynamic enable
Enables VLAN-based authentication (dynamic).
7.5.2 Configuring authentication mode options
(1) Configuring authentication exclusion options
This procedure specifies the MAC address of a terminal that the Switch allows to bypass
authentication. You can use this option to allow network access for devices that do not support
IEEE 802.1X. The example below connects a printer that is allowed unauthenticated access
(MAC address: 1234.5600.e001) to VLAN ID 300, which was configured above in 7.5.1
Configuring VLAN-based authentication (dynamic).
Figure 7-10: Sample configuration of authentication exclusion for VLAN-based authentication (dynamic)
Overview
The example below shows how to register a MAC address in a MAC VLAN for
VLAN-based authentication (dynamic).
Configuration command example
1.
(config)# vlan 300 mac-based
(config-vlan)# mac-address 1234.5600.e001
(config-vlan)# exit
Specifies the MAC address (1234.5600.e001) that is allowed to access the MAC VLAN
with VLAN ID 300. The printer can now access VLAN ID 300 without performing
IEEE 802.1X authentication.
(2) Switching terminal detection modes
Switches send EAP-Request/Identity packets to the multicast address at the interval specified by
the tx-period timer to prompt terminals to begin authentication. The example below
shows how to specify the authentication sequence that takes place when a terminal that is
already authenticated responds to an EAP-Request/Identity packet. By default, authentication
processing is skipped.
Overview
• The shortcut setting skips the authentication sequence to reduce the load on the
Switch.
• The disable setting does not perform periodic transmission of EAP-Request/Identity
packets.
The auto setting cannot be specified for VLAN-based authentication (dynamic).
Configuration command example
1.
(config)# dot1x vlan dynamic supplicant-detection shortcut
Specifies that re-authentication is skipped and that authentication is considered
successful when an EAP-Response/Identity packet is received from a terminal
authenticated by VLAN-based authentication (dynamic).
7.5.3 Configuration related to authentication processing
(1) Controlling transmission of the frame that prompts a terminal to start authentication
You can specify the interval at which a Switch transmits EAP-Request/Identity packets to
prompt authentication for a terminal that does not begin authentication by itself.
Overview
The example below shows how to send EAP-Request/Identity packets to the multicast
address at the interval specified by the tx-period timer. Because authenticated terminals
also respond to EAP-Request/Identity packets, specify a value that satisfies the
following expression to ensure that the Switch does not become overloaded:
reauth-period > tx-period ≥ (total number of terminals to be authenticated on the Switch ÷ 20) × 2
The default value of tx-period is 30 seconds. Therefore, when the Switch authenticates
300 or more terminals, change the value of the tx-period timer.
Configuration command example
1.
(config)# dot1x vlan dynamic timeout tx-period 300
Specifies a 300-second interval for the transmission of EAP-Request/Identity packets
for VLAN-based authentication (dynamic).
(2) Configuring the functionality for requesting re-authentication of terminals
Because the authentication of a terminal that is removed from the network after authentication
cannot be canceled from the Switch, re-authentication is requested from authenticated terminals.
If no response is received, the authentication of the terminal is canceled.
Overview
The example below shows how to configure the Switch to transmit an
EAP-Request/Identity message to each authenticated terminal at the interval specified by
the reauth-period timer. Make sure that the value of the reauth-period timer is
greater than the value of the tx-period timer.
Configuration command example
1.
(config)# dot1x vlan dynamic reauthentication
(config)# dot1x vlan dynamic timeout reauth-period 360
Enables the re-authentication functionality for VLAN-based authentication (dynamic),
and then sets the re-authentication interval to 360 seconds.
(3) Configuring the retransmission of EAP-Request frames to terminals
You can specify how long the Switch waits for a terminal to respond to an EAP-Request frame
(a request message from the authentication server) before resending the request, and the
maximum number of times that the Switch resends the request.
Overview
Make sure that the product of the resending interval multiplied by the number of
retransmissions does not exceed the value specified for the reauth-period timer.
Configuration command example
1.
(config)# dot1x vlan dynamic timeout supp-timeout 60
Specifies a retransmission period of 60 seconds for EAP-Request frames for
VLAN-based authentication (dynamic).
2.
(config)# dot1x vlan dynamic max-req 3
Specifies that EAP-Request frames be retransmitted a maximum of three times for
VLAN-based authentication (dynamic).
(4) Configuring the functionality for suppressing authentication requests from terminals
You can prevent an authentication from being initiated by EAPOL-Start frames from terminals.
With this functionality enabled, the authentication of new terminals and re-authentication of
existing terminals take place at the intervals specified by the tx-period timer and
reauth-period timer, respectively.
Overview
The example below shows how to reduce the load on the Switch when a large number of
terminals send re-authentication requests during a short period. You cannot execute the
commands below without executing the dot1x reauthentication command first.
Configuration command example
1.
(config)# dot1x vlan dynamic reauthentication
(config)# dot1x vlan dynamic ignore-eapol-start
Prevents authentication processing from being initiated in response to EAPOL-Start
frames received for VLAN-based authentication (dynamic).
(5) Configuring the idle period for terminals that fail authentication
You can configure how long a terminal that fails authentication must remain idle before it can
try again.
Overview
The example below shows how to prevent a situation where the Switch is overloaded by a
large number of authentication requests received during a short period from terminals that
fail authentication. Note that the idle period you specify also applies to users who fail
authentication because they enter an incorrect user name or password.
Configuration command example
1.
(config)# dot1x vlan dynamic timeout quiet-period 300
Specifies an idle period of 300 seconds before terminals can retry the authentication
process when using VLAN-based authentication (dynamic).
(6) Configuring a timeout period for responses from the authentication server
You can specify how long the Switch waits for the authentication server to respond to a request.
When the specified time has elapsed, the Switch notifies the Supplicant that authentication has
failed. The Supplicant learns of the failed authentication after the shorter of the following times:
the time specified in the commands below, and the total time including retransmissions specified
by the attributes of the radius-server configuration command.
Overview
When multiple RADIUS servers are configured by using the radius-server
configuration command, and you specify a shorter time than the total wait time, including
retransmissions by each server, the Supplicant will be notified that authentication has failed
before the Switch can send requests to all the authentication servers. If you want this
notification to wait until the Switch has failed to obtain a response from all of the
configured authentication servers, be sure to specify a longer value for this command.
Configuration command example
1.
(config)# dot1x vlan dynamic timeout server-timeout 300
Specifies a 300-second timeout period for responses from the authentication server for
VLAN-based authentication (dynamic).
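As an added example that is not part of this manual, the Python script below checks the timer relationships stated in (1), (2), (3) and (6) of this subsection against constructed values. The RadiusServer and Dot1xTimers names, and the per-server RADIUS wait formula, are assumptions made for the example rather than this Switch's own arithmetic.

```python
"""Added example, not ALAXALA's own code: a consistency check for the IEEE 802.1X
timer relationships stated in 7.5.3 (1), (2), (3) and (6).

Constraints taken from the text:
  reauth-period > tx-period >= (number of terminals / 20) x 2
  supp-timeout x max-req <= reauth-period
  server-timeout longer than the total RADIUS wait (including retransmissions)
  if the Supplicant is to be notified only after every server has been tried.
The per-server total wait, timeout x (retransmit + 1), is an assumption made for
this example; check the radius-server command reference for the real arithmetic.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class RadiusServer:
    """One radius-server entry (assumed model: a timeout and a retransmit count)."""
    timeout: int
    retransmit: int

    def total_wait(self) -> int:
        # first attempt plus each retransmission, each waited for in full (assumption)
        return self.timeout * (self.retransmit + 1)


@dataclass
class Dot1xTimers:
    """Timer values in seconds, as set by the dot1x vlan dynamic ... commands."""
    terminals: int                 # terminals to be authenticated on the Switch
    reauth_period: int             # dot1x vlan dynamic timeout reauth-period
    supp_timeout: int              # dot1x vlan dynamic timeout supp-timeout
    max_req: int                   # dot1x vlan dynamic max-req
    server_timeout: int            # dot1x vlan dynamic timeout server-timeout
    tx_period: int = 30            # dot1x vlan dynamic timeout tx-period (default 30 s per the text)
    radius: List[RadiusServer] = field(default_factory=list)


def min_tx_period(terminals: int) -> int:
    """Smallest whole-second tx-period satisfying tx-period >= (terminals / 20) x 2."""
    return -(-terminals * 2 // 20)   # ceiling division without floats


def tx_period_needs_change(terminals: int, tx_period: int = 30) -> bool:
    """True when the current tx-period (default 30 s) is below the load bound."""
    return tx_period < min_tx_period(terminals)


def radius_total_wait(cfg: Dot1xTimers) -> int:
    """Total time the Switch may spend on all configured servers (assumed model)."""
    return sum(s.total_wait() for s in cfg.radius)


def notifies_before_all_servers_tried(cfg: Dot1xTimers) -> bool:
    """server-timeout shorter than the full RADIUS cycle: the Supplicant is told
    that authentication failed before every server has been asked."""
    return cfg.server_timeout < radius_total_wait(cfg)


def check_timers(cfg: Dot1xTimers) -> List[str]:
    """Return the constraints from the text that cfg violates (empty list = consistent)."""
    problems = []
    need = min_tx_period(cfg.terminals)
    if cfg.tx_period < need:
        problems.append(f"tx-period {cfg.tx_period} < {need} required for {cfg.terminals} terminals")
    if cfg.reauth_period <= cfg.tx_period:
        problems.append(f"reauth-period {cfg.reauth_period} must exceed tx-period {cfg.tx_period}")
    if cfg.supp_timeout * cfg.max_req > cfg.reauth_period:
        problems.append(f"supp-timeout x max-req = {cfg.supp_timeout * cfg.max_req} "
                        f"exceeds reauth-period {cfg.reauth_period}")
    return problems


if __name__ == "__main__":
    # Constructed values matching the command examples in 7.5.3: tx-period 300,
    # reauth-period 360, supp-timeout 60, max-req 3, server-timeout 300.
    cfg = Dot1xTimers(terminals=3000, reauth_period=360, supp_timeout=60, max_req=3,
                      server_timeout=300, tx_period=300,
                      radius=[RadiusServer(5, 3), RadiusServer(5, 3)])
    for line in check_timers(cfg) or ["timers consistent"]:
        print(line)
    print("failure reported before all servers tried:", notifies_before_all_servers_tried(cfg))
```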
(7) Configuring a forced authentication port
Overview
This procedure allows forced authentication at a port for VLAN-based authentication
(dynamic) and specifies the post-authentication VLAN to be assigned.
Configuration command example
1.
(config)# interface fastethernet 0/3
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac vlan 300
(config-if)# dot1x force-authorized vlan 300
(config-if)# exit
Allows forced authentication at port 0/3 and specifies the VLAN ID of the
post-authentication VLAN to be assigned.
2.
(config)# dot1x force-authorized eapol
Sends the EAPOL-Success response frame from the Switch to the terminal when it is
forcibly authenticated.
(8) Configuring conditions for automatic cancellation of authentication
(a) Configuring the monitoring of MAC address table aging
This functionality cancels the status of an authenticated terminal. The procedure is the same as
when configuring the aging monitoring functionality for port-based authentication (static). See
subsection 7.3.3 Configuration related to authentication processing (9) Configuring conditions
for automatic cancellation of authentication (b) Configuring the monitoring of MAC address
table aging.
7.6 IEEE 802.1X operations
7.6.1 List of operation commands
The following table shows the operation commands for IEEE 802.1X.
Table 7-3: List of operation commands
Command | Description
show dot1x | Displays the status of each authentication unit and information about authenticated Supplicants.
show dot1x logging | Displays the operation log messages output by IEEE 802.1X.
show dot1x statistics | Displays statistics concerning IEEE 802.1X authentication.
clear dot1x auth-state | Clears the information related to authenticated terminals.
clear dot1x logging | Clears the operation log messages output by IEEE 802.1X.
clear dot1x statistics | Resets statistics concerning IEEE 802.1X authentication to 0.
reauthenticate dot1x | Initiates re-authentication for IEEE 802.1X-authenticated terminals.
7.6.2 Displaying the IEEE 802.1X status
(1) Displaying authentication status
Use the show dot1x operation command to display the status of IEEE 802.1X authentication.
(a) Displaying general status information
Execute the show dot1x operation command to display the status of an entire IEEE 802.1X
device.
Figure 7-11: Output of show dot1x
> show dot1x
Date 28.10.09 10:24:10 UTC
System 802.1X : Enable
AAA Authentication Dot1x  : Enable
    Authorization Network : Disable
    Accounting Dot1x      : Enable
Auto-logout               : Enable
Authentication Default       : RADIUS
Authentication port-list-DDD : RADIUS ra-group-3
Accounting Default           : RADIUS
Port/ChGr/VLAN     AccessControl   PortControl   Status       Supplicants
Port 0/1           ---             Auto          Authorized   1
Port 0/4(Dynamic)  Multiple-Auth   Auto          -----        1
ChGr 1             Multiple-Auth   Auto          -----        0
>
(b) Displaying the status of port-based authentication (static)
Use the show dot1x port operation command to display the status of each port in port-based
authentication (static). Use the show dot1x channel-group-number operation command to
view the status of each channel group.
• If you specify a port number, the command outputs status information for the specified port.
• Specify the detail parameter to include the information about terminals to be authenticated.
Figure 7-12: Output of show dot1x port command (with detail parameter specified)
> show dot1x port 0/1 detail
Date 28.10.09 10:24:51 UTC
Port 0/1
  AccessControl : ---             PortControl : Auto
  Status        : Authorized      Last EAPOL  : 0013.20a5.24ab
  Supplicants   : 1 / 1           ReAuthMode  : Disable
  TxTimer       : 30              ReAuthTimer : 3600
  ReAuthSuccess : 0               ReAuthFail  : 2
  KeepUnauth    : 3600
  Authentication : port-list-DDD
  VLAN(s): 4
  Port(Static) Supplicants : 1
  Supplicants MAC   F  Status      AuthState      BackEndState  SessionTime(s)  Date/Time
  [VLAN 4]
  0013.20a5.24ab    F  Authorized  Authenticated  Idle          81              2009/10/28 10:23:30
                       ReAuthSuccess  SubState
                       0              Full
>
(c) Displaying the status of port-based authentication (dynamic)
Use the show dot1x port operation command to display the status of each port in port-based
authentication.
• If you specify a port number, the command outputs status information for the specified port.
• Specify the detail parameter to include the information about the VLANs that terminals to be authenticated belong to and the information about the terminals.
Figure 7-13: Output of show dot1x port command (with detail parameter specified)
> show dot1x port 0/4 detail
Date 28.10.09 10:25:15 UTC
Port 0/4 (Dynamic)
  AccessControl : Multiple-Auth   PortControl : Auto
  Status        : ---             Last EAPOL  : 0013.20a5.3e4f
  Supplicants   : 0 / 1 / 64      ReAuthMode  : Disable
  TxTimer       : 30              ReAuthTimer : 3600
  ReAuthSuccess : 0               ReAuthFail  : 1
  SuppDetection : Auto
  Authentication : port-list-DDD
  VLAN(s): 4,40
  Port(Unknown) Supplicants : 1
  Supplicants MAC   F  Status        AuthState   BackEndState  SessionTime(s)  Date/Time
  [Unauthorized]
  0013.20a5.3e4f    F  Unauthorized  Connecting  Idle          2               2009/10/28 10:25:14
                       ReAuthSuccess  SubState
                       0              ---
>
(d) Displaying the status of VLAN-based authentication (dynamic)
Use the show dot1x vlan dynamic operation command to display the status of each VLAN in
VLAN-based authentication (dynamic).
• If you specify a VLAN ID, the command outputs status information for the specified VLAN.
• Specify the detail parameter to include the information about the VLANs that terminals to be authenticated belong to and the information about the terminals.
Figure 7-14: Output of show dot1x vlan dynamic command (with detail parameter specified)
> show dot1x vlan dynamic detail
Date 24.03.09 19:58:47 UTC
VLAN(Dynamic)
  AccessControl : Multiple-Auth   PortControl : Auto
  Status        : ---             Last EAPOL  : 000a.799a.ddf0
  Supplicants   : 1 / 1 / 256     ReAuthMode  : Disable
  TxTimer       : 30              ReAuthTimer : 3600
  ReAuthSuccess : 0               ReAuthFail  : 0
  SuppDetection : Shortcut
  VLAN(s): 400
  VLAN(Dynamic) Supplicants : 1
  Supplicants MAC   F  Status      AuthState      BackEndState  SessionTime(s)  Date/Time
  [VLAN 400]
  000a.799a.ddf0    F  Authorized  Authenticated  Idle          46              2009/03/24 19:52:55
                       ReAuthSuccess
                       0
>
7.6.3 Modifying the IEEE 802.1X authentication status
(1) Initializing the authentication status
Use the clear dot1x auth-state operation command to initialize the authentication status.
You can specify a port number, a VLAN ID, or the MAC address of a terminal. If you omit this
specification, the Switch will initialize all authentication information. After executing this
command, affected terminals must be re-authenticated before they can access the network again.
Figure 7-15: Example of initializing all IEEE 802.1X authentication statuses in the
Switch
> clear dot1x auth-state
Do you wish to initialize all 802.1X authentication information? (y/n):y
(2) Forced re-authentication
Use the reauthenticate dot1x operation command to force re-authentication. You can
specify a port number, a VLAN ID, or the MAC address of a terminal. If you omit this
specification, the Switch will force all authenticated terminals to undergo re-authentication.
Executing this command does not affect the network access of Supplicants that have been
successfully re-authenticated.
Figure 7-16: Example of forcing re-authentication for all IEEE 802.1X-authenticated
ports and VLANs in the Switch
> reauthenticate dot1x
Do you wish to reauthenticate all 802.1X ports and VLANs? (y/n):y
8. Description of Web Authentication
This chapter provides an overview of the Web authentication functionality, which controls
VLAN access at the user level based on credentials supplied from an ordinary Web browser.
8.1 Overview
8.2 Fixed VLAN mode
8.3 Dynamic VLAN mode
8.4 Legacy mode
8.5 Accounting functionality
8.6 Preparation
8.7 Authentication error messages
8.8 Notes on Web authentication
8.9 Replacing Web authentication pages
8.10 Procedure for creating Web authentication pages
8.11 Description of internal DHCP server functionality
8.1 Overview
In Web authentication, user authentication is based on a user ID and password that a user
supplies through an ordinary Web browser, such as Internet Explorer (abbreviated hereafter to
Web browser). The Switches change the status of the terminal to be authenticated on the basis of
the MAC address of this authenticated user's terminal and grant terminal access to the
post-authentication network. (We recommend using Internet Explorer 6 for Web authentication
for the Switch.)
Web authentication includes the following authentication modes:
• Fixed VLAN mode
Successfully authenticated terminals have their MAC addresses entered in the MAC address
table and are permitted access to the VLAN specified in the configuration.
• Dynamic VLAN mode
Successfully authenticated terminals have their MAC addresses entered in a MAC address
table and registered in a MAC VLAN. Terminals are given access to different VLANs before
and after authentication.
• Legacy mode
VLAN switching by MAC VLAN enables terminals to access different VLANs before and
after authentication.
Web authentication allows users to execute authentication using only a Web browser, without
the need to install any special software on the terminal. Web authentication also supports
one-time password authentication using the SecurID mechanism engineered by RSA Security.
For details on the one-time password authentication, see 14. One-time Password Authentication
[OP-OTP].
For authentication, there is local authentication, which uses an authentication DB stored in the
Switch (called an internal Web authentication DB), and there is RADIUS authentication, for
which authentication requests are sent to an external RADIUS server. Users can choose either of
these methods. Note that Web authentication supports IPv4 addresses only.
The following table shows the supported functionality in each authentication mode.
Table 8-1: Support list for each authentication mode
Functionality | Fixed VLAN | Dynamic VLAN | Legacy
Default for Switch: Local authentication | | |
  Internal Web authentication DB | Y. See 8.2.1. See 8.6.1. | Y. See 8.3.1. See 8.6.1. | Y. See 8.4.1. See 8.6.1.
  User ID | 1 to 128 characters. See 9.7.2. | 1 to 128 characters. See 9.7.2. | 1 to 128 characters. See 9.7.2.
  Password | 1 to 32 characters. See 9.7.2. | 1 to 32 characters. See 9.7.2. | 1 to 32 characters. See 9.7.2.
  VLAN (post-authentication VLAN) | Y. See 9.7.2. | Y. See 9.7.2. | Y. See 9.7.2.
Default for Switch: RADIUS authentication | | |
  External server (RADIUS server information for Web authentication; general-purpose RADIUS server information) | Y. See 5.3.1. See 8.2.1. See 8.6.2. See 9.2.1. | Y. See 5.3.1. See 8.3.1. See 8.6.2. See 9.2.1. | Y. See 5.3.1. See 8.4.1. See 8.6.2. See 9.2.1.
  User ID | 1 to 128 characters. See 8.2.1. See 8.6.2. | 1 to 128 characters. See 8.3.1. See 8.6.2. | 1 to 128 characters. See 8.4.1. See 8.6.2.
  Password | 1 to 32 characters. See 8.2.1. See 8.6.2. | 1 to 32 characters. See 8.3.1. See 8.6.2. | 1 to 32 characters. See 8.4.1. See 8.6.2.
  VLAN (post-authentication VLAN) | Y. See 8.2.1. See 8.6.2. | Y. See 8.3.1. See 8.6.2. | Y. See 8.4.1. See 8.6.2. See 9.5.1.
Forced authentication | Y. See 8.2.2.# | Y. See 8.3.2.# | Y. See 8.4.2.#
Configuration of ports for authentication | Y. See 9.3.2. | Y. See 9.4.2. | Y. See 9.5.2.
Private trap | Y. See 8.5. | Y. See 8.5. | Y. See 8.5.
Authentication method list | | |
  External server (RADIUS server group information) | Y. See 5.3.1. See 8.2.1. See 8.6.2. See 9.2.1. | Y. See 5.3.1. See 8.3.1. See 8.6.2. See 9.2.1. | N
  Authentication method by port | Y. See 5.2.2. See 5.2.3. | Y. See 5.2.2. See 5.2.3. | N
  Authentication method by user ID | Y. See 5.2.2. See 5.2.3. | Y. See 5.2.2. See 5.2.3. | N
Terminal IP address assignment | | |
  Internal DHCP server | N | Y. See 8.11. See 9.6. | Y. See 8.11. See 9.6.
Maximum number of authenticated users | | |
  On a port basis | 1024. See 8.2.2. See 9.3.2. | 256. See 8.3.2. See 9.4.2. | 256. See 8.4.2. See 9.5.2.
  On a Switch basis | 1024. See 8.2.2. See 9.3.2. | 256. See 8.3.2. See 9.4.2. | 256. See 8.4.2. See 9.5.2.
Login | | |
  Web authentication IP address | 1024. See 8.2.2. See 9.2.2. | 256. See 8.3.2. See 9.2.2. | 256. See 8.4.2. See 9.2.2.
  Pre-authentication pass (IPv4 access list for authentication) | Y. See 5.4.1. See 5.5.2. | Y. See 5.4.1. See 5.5.2. | N
  URL redirection functionality | Y. See 8.2.2. See 9.3.2. | Y. See 8.3.2. See 9.4.2. | N
  TCP port specification for URL redirection trigger packets | Y. See 8.2.2. See 9.3.2. | Y. See 8.3.2. See 9.4.2. | N
  Protocol specification for the Login page | Y. See 8.2.2. See 9.3.2. | Y. See 8.3.2. See 9.4.2. | N
  URL automatic display after successful authentication | Y. See 8.2.2. See 9.3.2. | Y. See 8.3.2. See 9.4.2. | Y. See 8.4.2. See 9.5.2.
  User switching option | Y. See 8.2.2. See 9.2.5. | Y. See 8.3.2. See 9.2.5. | Y. See 8.4.2. See 9.2.5.
Logout | | |
  Exceeding maximum connection time period | Y. See 8.2.2. See 9.2.3. | Y. See 8.3.2. See 9.2.3. | Y. See 8.4.2. See 9.2.3.
  Monitoring for non-communication with authenticated terminals | Y. See 8.2.2. See 9.3.2. | Y. See 8.3.2. See 9.4.2. | N
  Monitoring for aging of MAC address table | N | N | Y. See 8.4.2. See 9.5.2.
  Monitoring for connection of authenticated terminals | Y. See 8.2.2. See 9.3.2. | N | N
  Receiving special frames from authenticated terminals | Y. See 8.2.2. See 9.2.3. | Y. See 8.3.2. See 9.2.3. | Y. See 8.4.2. See 9.2.3.
  Link-down of ports where authenticated terminals are connected | Y. See 8.2.2. | Y. See 8.3.2. | N
  VLAN configuration change | Y. See 8.2.2. | Y. See 8.3.2. | Y. See 8.4.2.
  Web pages operation | Y. See 9.7.12. | Y. See 9.7.12. | Y. See 9.7.12.
  Operation commands | Y. See 8.2.2. | Y. See 8.3.2. | Y. See 8.4.2.
Roaming (moving authenticated terminals between ports) | | |
  Permission setting of moving between ports | Y. See 8.2.2. See 9.3.2. | Y. See 8.3.2. See 9.4.2. | N
  Private traps | Y. See 8.5. | Y. See 8.5. | N
Accounting log | | |
  Internal accounting log in the Switch | 2,100 lines total for all modes. See 8.5. | (common) | (common)
  Accounting functionality of RADIUS servers | Common to all modes. See 5.3.4. See 8.5. See 9.2.4. | (common) | (common)
Web authentication page | | |
  Replacing Web authentication pages | Common to all modes. See 8.9. See 9.7.7. | (common) | (common)
  Specification of individual Web authentication pages by port | Y. See 8.2.2. See 9.3.2. | Y. See 8.3.2. See 9.4.2. | N
Legend
Y: Supported
N: Not supported
5.x.x refers to sections in 5. Overview of Layer 2 Authentication.
8.x.x refers to sections in this chapter.
9.x.x refers to sections in 9. Web Authentication Configuration and Operation.
#: For details about forced authentication common to all authentication methods, see 5.4.6 Forced authentication common to all authentication modes.
The following table shows the operating conditions for Web authentication.
Table 8-2: Operating conditions for Web authentication
Type | Fixed VLAN | Dynamic VLAN | Legacy
VLAN type:
Port VLAN | Y | Y# | N
Protocol VLAN | N | N | N
MAC VLAN | # | Y | Y
Default VLAN | Y | N | N
Port type:
Access port | Y | N | N
Trunk port | Y | N | N
Protocol port | N | N | N
MAC port, untagged | N | Y | Y
MAC port, tagged | # | N | N
Interface type:
fastethernet | Y | Y | Y
gigabitethernet | Y | Y | Y
port channel | N | N | Y
Legend
Y: Enabled
N: Disabled
#: Enabled with the switchport mac dot1q vlan setting.
#: Operation possible when the automatic authentication mode is available for untagged
frames at a MAC port. (See 5.4.4 Auto authentication mode accommodation at the same
MAC port.)
The subsequent sections describe the overview of the authentication modes in the order of fixed
VLAN mode, dynamic VLAN mode, and legacy mode. Where a functionality operates in the same
way in more than one authentication mode, see the section referenced for it in the table above.
8.2 Fixed VLAN mode
An unauthenticated terminal cannot communicate until it is authenticated. If authentication
succeeds in fixed VLAN mode, the MAC address of the terminal and the VLAN ID are registered in
the MAC address table as a Web authentication entry, enabling the terminal to communicate.
(The registration status in the MAC address table can be checked using the show
mac-address-table operation command.)
Users can log in using the Web authentication IP address or using the URL redirection
functionality. Either way, the local authentication method and the RADIUS authentication
method can be used for authentication. Therefore, you must set the Web authentication IP
address, the URL redirection, or both.
8.2.1 Authentication methods group
A Web authentication methods group uses the Switch default for all the Web authentication
modes, and uses an authentication methods list for fixed VLAN mode and dynamic VLAN
mode. Also see the following:
• 5.1.3 Authentication methods groups
• 5.3.3 Configuring the priority for device default local authentication and RADIUS authentication
• 5.2.2 Authentication method lists
• 5.3.1 RADIUS server information used with the Layer 2 authentication method
• 9.2.1 Authentication method group and RADIUS server information configuration
(1) Switch default: Local authentication
Local authentication searches the internal Web authentication DB by a user ID and a password
from the user seeking authentication and validates the credentials. The following figure shows
the authentication operation of the local authentication method.
Figure 8-1: Overview of fixed VLAN mode (local authentication method)
1. A PC user connected via a hub opens a Web browser and accesses the Switch using the
Web authentication IP address.
2. When the internal Web authentication DB is searched, the VLAN ID that the user to be
authenticated (the PC in the figure above) belongs to is identified by using the connection
port or VLAN ID of the user to be authenticated.
3. VLAN capacity can be restricted by searching the internal Web authentication DB with the
VLAN ID information added to the user ID and password.
4. If authentication succeeds, a page opens on the PC indicating that authentication was
successful.
5. The authenticated PC is able to access servers in the VLAN associated with the port.
(a) VLAN restriction
The VLAN ID is extracted from the port where a user seeking authentication is connected, and
the internal Web authentication DB is searched by VLAN ID together with the other credentials,
so that authentication can be restricted to a specific VLAN.
(2) Switch default: RADIUS authentication
The following figure shows the operation of the RADIUS authentication method.
Figure 8-2: Overview of fixed VLAN mode (RADIUS authentication method)
1. A PC user connected via a hub opens a Web browser and accesses the Switch using the
specified URL.
2. When requesting an external RADIUS server to execute authentication, the VLAN ID that
the user to be authenticated (the PC in the figure above) belongs to is identified by using
the connection port or VLAN ID of the user to be authenticated.
3. VLAN capacity can be restricted by requesting that the RADIUS server execute
authentication with the VLAN ID information added to the user ID and password.
4. If authentication succeeds, a page opens on the PC indicating that authentication was
successful.
5. The authenticated PC can access servers in the VLAN associated with the port.
(a) VLAN restriction
RADIUS authentication obtains VLAN information in the same way as local authentication, and
sets the obtained VLAN ID (the VLAN ID a terminal is associated with when requesting
authentication) in the RADIUS attribute NAS-Identifier when the authentication request is sent
to the RADIUS server. On the RADIUS server, configure the VLAN ID carried in NAS-Identifier
as a condition to be checked in addition to the user ID and password, thereby restricting
authentication to that VLAN.
(3) Authentication methods list: Authentication method by port
For details on the operation of the authentication method by port, see 5.2.2 Authentication
method lists.
8.2.2 Authentication functionality
(1) Web authentication IP address
Users can log in and log out using a Web authentication IP address configured on the Switch.
Unlike the IP address configured on each interface, a Web authentication IP address is used only
for logging in or logging out of Web authentication. A Web authentication IP address can be
configured with the web-authentication ip address configuration command.
Figure 8-3: Login operation using the Web authentication IP address
Notes
• When using a Web authentication IP address, always set the IP address in an
unauthenticated VLAN for Web authentication.
• As a Web authentication IP address, set the IP address of a subnet that does not duplicate
the VLAN interface configured on the Switch.
(2) URL redirection
Configure the Switch to detect outgoing HTTP and HTTPS requests from an unauthenticated
terminal and forcibly display the Login page on the terminal for the user to log in. Note that, if
configuring URL redirection, always set an IP address in the VLAN where a terminal seeking
authentication is associated.
(a) Adding URL redirection trigger packet TCP port numbers
The trigger packets for URL redirection are those whose TCP destination port number is 80 or
443, and only one additional TCP destination port number can be added with the configuration
command. After the configuration, the basic TCP destination port numbers 80 and 443 remain valid.
Configure an additional port number with the configuration commands web-authentication
redirect tcp-port and web-authentication web-port.
If different additional port numbers are configured with these two commands, the basic port
numbers and the additional port numbers configured by each command are all valid. If the same
additional port number is configured with both commands, the operation is as follows.
Table 8-3: Operations when configuring the same additional port number
(Rows: protocol specified with web-authentication redirect tcp-port. Columns: protocol specified with web-authentication web-port.)
web-authentication redirect tcp-port | web-authentication web-port: HTTP | web-authentication web-port: HTTPS
HTTP | Redirect as HTTP | Redirect as HTTP (HTTPS-specified port number is ignored.)
HTTPS | Redirect as HTTP (HTTPS-specified port number is ignored.) | Command entered first is valid.
(b) Specifying a protocol for the Login page
When using the URL redirection functionality of Web authentication, select HTTP or HTTPS in
the configuration for the protocol (URL) to display the Web authentication Login page. If not
specified, the page is displayed via HTTPS. Configure the protocol for a Login page with the
web-authentication redirect-mode configuration command.
(3) Specifying the automatically displayed URL after successful authentication
Specify the URL of a page to be automatically displayed after displaying the page indicating
successful authentication. Configure this URL using the web-authentication jump-url
configuration command.
(4) Specifying forced authentication port
If RADIUS authentication of a terminal connected to the port where forced authentication is
specified fails because the request cannot be sent to the RADIUS server or no response is
returned due to, for example, a path failure, the terminal seeking authentication changes to the
Accept status. The forced authentication configuration of the Switch includes both the
configuration common to all authentication methods and the configuration by authentication
functionality. For details about functionality common to all authentication methods, see 5.4.6
Forced authentication common to all authentication modes.
Set the web-authentication static-vlan force-authorized configuration command
in the port that allows forced authentication. Note that forced authentication is allowed when the
following conditions are met.
Table 8-4: Permission conditions on forced authentication
Item | Condition
Configuration | All the following configurations must be configured:
  • aaa authentication web-authentication #1
  • web-authentication radius-server host, or, radius-server host
  • web-authentication system-auth-control
  • web-authentication port #2
  • web-authentication static-vlan force-authorized #2
  • web-authentication authentication #3
  • web-authentication user-group #4
Accounting log | When the following accounting log is recorded when sending an authentication
request to the RADIUS server:
  No = 21
  NOTICE: LOGIN: (additional information) Login failed ;
  Failed to connection to RADIUS server.
  Additional information: MAC, USER, IP, PORT, VLAN
  Check the accounting log with the show web-authentication logging operation command.
#1
When using forced authentication as the Switch default, set only default group radius.
When using an authentication method per port or an authentication method per user ID, set
<list-name> group <group-name>.
#2
Set this in the same Ethernet port.
#3
Set this when using an authentication method per port.
#4
Set this when using an authentication method per user ID.
The terminal's authentication status, which was set via forced authentication, is removed in the
same way as for normally authenticated terminals, as per (6) Logout from authenticated status in
8.2.2 Authentication functionality.
The operations from the start of sending authentication requests to the RADIUS server until the
acceptance of forced authentication are the same for both forced authentication common to all
authentication methods and forced authentication per authentication method. For details about
the operations, see (1) Behavior from the start of a RADIUS authentication request to
permission for forced authentication in 5.4.6 Forced authentication common to all
authentication modes.
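Because a port that meets every condition in Table 8-4 places terminals in the Accept status whenever the RADIUS server cannot be reached, it is worth checking the configuration for which ports that applies to. The following Python script is an added example written for this guide; it is not ALAXALA code. It assumes a plain-text configuration with one command per line, port-level commands indented under an "interface <name>" line and "!" as a separator; the interface names, RADIUS server address and method list names in SAMPLE_CONFIG are constructed for the demo.

```python
"""Audit a running-config excerpt for the fixed VLAN mode forced-authentication
permission conditions of Table 8-4 (added example, not ALAXALA code).

Assumptions not taken from the manual: one command per line, port-level
commands indented under an "interface <name>" line, "!" as a separator, and
the interface names, RADIUS address and list names in SAMPLE_CONFIG, which is
constructed for this demo.
"""
import re

RADIUS_ALTERNATIVES = ("web-authentication radius-server host", "radius-server host")
AAA_RE = re.compile(r"aaa authentication web-authentication (\S+) group (\S+)$")

# Constructed sample: port 0/1 meets every condition, port 0/2 points at an
# authentication method list with no matching aaa line, port 0/3 has no
# force-authorized command at all.
SAMPLE_CONFIG = """\
aaa authentication web-authentication default group radius
aaa authentication web-authentication LIST-A group RADGRP
radius-server host 192.0.2.1
web-authentication system-auth-control
!
interface gigabitethernet 0/1
 web-authentication port
 web-authentication static-vlan force-authorized
!
interface gigabitethernet 0/2
 web-authentication port
 web-authentication authentication LIST-B
 web-authentication static-vlan force-authorized
!
interface gigabitethernet 0/3
 web-authentication port
!
"""


def parse_config(text):
    """Split config text into global lines and {interface name: [port lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces.setdefault(current, [])
        elif raw[:1] in (" ", "\t") and current is not None:
            interfaces[current].append(line)
        else:
            current = None          # back at global configuration level
            global_lines.append(line)
    return global_lines, interfaces


def audit_forced_auth(text):
    """Return {interface: [unmet conditions]} for every port that has
    web-authentication static-vlan force-authorized. An empty list means the
    port satisfies Table 8-4, so a RADIUS outage puts terminals on it into the
    Accept status without the server verifying them; that is what to review."""
    global_lines, interfaces = parse_config(text)
    aaa = {}                         # method list name -> group name (#1)
    for line in global_lines:
        m = AAA_RE.match(line)
        if m:
            aaa[m.group(1)] = m.group(2)
    global_problems = []
    if "web-authentication system-auth-control" not in global_lines:
        global_problems.append("missing: web-authentication system-auth-control")
    if not any(l.startswith(alt) for l in global_lines for alt in RADIUS_ALTERNATIVES):
        global_problems.append("missing: radius-server host or web-authentication radius-server host")

    report = {}
    for name, lines in interfaces.items():
        if "web-authentication static-vlan force-authorized" not in lines:
            continue                 # forced authentication not requested here
        problems = list(global_problems)
        if "web-authentication port" not in lines:   # #2: same Ethernet port
            problems.append("missing on port: web-authentication port")
        # #1/#3: a per-port method list must have its own group; otherwise the
        # Switch default must be 'default group radius'.
        lists = [l.split()[2] for l in lines
                 if l.startswith("web-authentication authentication ") and len(l.split()) >= 3]
        if lists:
            problems += [f"missing: aaa authentication web-authentication {lst} group <group>"
                         for lst in lists if lst not in aaa]
        elif aaa.get("default") != "radius":
            problems.append("missing: aaa authentication web-authentication default group radius")
        report[name] = problems
    return report


if __name__ == "__main__":
    for port, problems in audit_forced_auth(SAMPLE_CONFIG).items():
        print(port, "OK (forced authentication permitted)" if not problems else problems)
```

Ports that are reported with an empty list are the ones on which a RADIUS outage results in unverified acceptance; ports without the force-authorized command are not reported at all. The user-group condition (#4) is not checked because the script has no way of knowing whether an authentication method per user ID is in use.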
(5) Maximum number of users to be authenticated
The maximum number of users to be authenticated can be configured both on a Switch basis and
on a port basis. You can configure up to 1,024 authenticated users or terminals using the
web-authentication static-vlan max-user configuration command. The configuration
can be made simultaneously on a Switch basis and on a port basis. However, if the number of
users authenticated either way reaches the limit, authentication is no longer available for a new
user.
In addition, if the maximum number of users seeking authentication is changed to less than the
number of authenticated users during operation, the authenticated users can continue to
communicate, but new users cannot be authenticated.
(6) Logout from authenticated status
Fixed VLAN mode provides the following means of logging out:
• Logout when the maximum connection time is exceeded
• Logout of an authenticated terminal by non-communication monitoring
• Logout of an authenticated terminal by the connection monitoring functionality
• Logout in response to a special frame received from an authenticated terminal
• Logout of a terminal connected to a link-down port
• Logout resulting from changes to the VLAN configuration
• Logout using a Web page
• Logout using an operation command
(a) Logout when the maximum connection time is exceeded
When a terminal exceeds the maximum connection time specified by the configuration
command, the Web authentication status is automatically logged out. In this case, the user is not
presented with a logout page. When the user logs in again in the authenticated status, if local
authentication (RADIUS authentication when using the RADIUS authentication) succeeds, the
authentication time can be extended. However, if that fails, the authentication time cannot be
extended. Configure the maximum connection time with the web-authentication
max-timer configuration command.
(b) Logout of an authenticated terminal by non-communication monitoring
This functionality causes an authenticated terminal to automatically log out when no frames have
been received from it for a certain period of time. The functionality periodically (approximately
every minute) monitors the Web authentication entries of the MAC address table and verifies that
the Switch has received a frame from each authenticated terminal registered with Web authentication.
If no frame is received from the target terminal for a certain time period (approximately 10
minutes), the functionality deletes the target Web authentication entry from the MAC address
table and causes the authentication to be logged out.
Figure 8-4: Overview of monitoring of non-communication on authenticated terminal
The operation of monitoring non-communication on an authenticated terminal is enabled under
the following condition:
• The Web authentication fixed VLAN mode or dynamic VLAN mode is enabled, and
web-authentication auto-logout is enabled.
The no web-authentication auto-logout configuration command prevents
authentication from automatically being logged out.
(c) Logout of an authenticated terminal by the connection monitoring
functionality
The Switch monitors the connection status of authenticated terminals by sending an ARP
request at the interval specified by the web-authentication logout polling interval
configuration command and monitoring for an ARP reply. If it receives no ARP reply within the
time period defined by the web-authentication logout polling retry-interval and
web-authentication logout polling count configuration commands, the Switch
considers the connection to have timed out and automatically logs out of the Web authentication
status of the terminal. The user is not presented with a logout page. Disable this functionality by
using the no web-authentication logout polling enable configuration command.
(d) Logout in response to a special frame received from an authenticated terminal
The Switch logs out of the authentication status of target terminals from which it receives a
special frame. In this case, the user is not presented with a logout page. Special frames are
defined below. If all the following conditions are met, the authentication status is logged out:
• A ping frame sent from an authenticated terminal to the Web authentication IP address
• The TTL value of a ping frame must match the TTL value specified by the
web-authentication logout ping ttl configuration command.
• The TOS value of a ping frame must match the TOS value specified by the
web-authentication logout ping tos-windows configuration command.
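The three conditions above amount to a fixed check on the IPv4 and ICMP headers of a received frame. The following Python code is an added example of that Switch-side check, written for this guide; it is not ALAXALA code and does not reproduce the Switch's implementation. The addresses, the TTL and TOS values and the packet bytes it builds are constructed for the demo; the set of authenticated terminals stands in for the Web authentication entries of the MAC address table.

```python
"""Switch-side check for the logout 'special frame' of (d): an ICMP echo request
from an authenticated terminal to the Web authentication IP address whose TTL
and TOS match the configured web-authentication logout ping ttl / tos-windows
values. Added example, not ALAXALA code; the addresses, TTL/TOS values and
packet bytes below are constructed for the demo.
"""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a header that already
    carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ping(src, dst, ttl, tos):
    """Construct a minimal IPv4 + ICMP echo request (test input only)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 0, 0, ttl,
                      IPPROTO_ICMP, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def is_logout_frame(packet, webauth_ip, logout_ttl, logout_tos, authenticated_ips):
    """True only when all conditions of (d) hold; malformed packets never match."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        return False
    header = packet[:ihl]
    if inet_checksum(header) != 0:
        return False                       # corrupted header: ignore it
    tos, ttl, proto = header[1], header[8], header[9]
    src = str(ipaddress.IPv4Address(header[12:16]))
    dst = str(ipaddress.IPv4Address(header[16:20]))
    return (proto == IPPROTO_ICMP and packet[ihl] == ICMP_ECHO_REQUEST
            and dst == webauth_ip and src in authenticated_ips
            and ttl == logout_ttl and tos == logout_tos)
```

A frame that differs in any one field (another TTL, another TOS, a source that is not an authenticated terminal, a destination other than the Web authentication IP address, or a damaged header) is rejected, which is the behaviour the three conditions describe: the logout only fires on the exact configured combination.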
(e) Logout of a terminal connected to a link-down port
When a port with Web authentication fixed VLAN mode (the web-authentication port
configuration command) configured goes down, the Switch logs out of the authenticated
terminal in the Web authentication fixed VLAN mode at the port. The user is not presented with
a logout page.
(f) Logout resulting from changes to the VLAN configuration
When using configuration commands to change the configuration of a VLAN that includes
authenticated terminals, the Switch logs out of the authentication status of terminals associated
with that VLAN.
The following configuration changes trigger a logout:
• Deletion of a VLAN
• Suspension of a VLAN
(g) Logout using a web page
When a terminal accesses the Web-authenticated URL, a logout page appears on the terminal.
When the user clicks the Logout button on this page, their Web authentication status is logged
out. See 9.7.12 Authentication procedure from terminal.
(h) Logout using an operation command
Executing the clear web-authentication auth-state operation command forcibly logs
out some of the Web-authenticated users or all the Web-authenticated users.
(7) Roaming (moving authenticated terminals between ports)
When an authenticated terminal connected to the network via, for example, a hub is moved
between ports without the link going down, the roaming functionality enables the terminal to
continue to communicate in the authentication status.
Roaming is enabled when any of the following conditions is met:
• The web-authentication static-vlan roaming configuration command is configured.
• Ports between which a terminal is moved are in fixed VLAN mode.
• Ports between which a terminal is moved are associated with the same VLAN.
When a terminal is moved between ports under conditions other than the above, the
authentication of the target terminal is forcibly logged out.
Figure 8-5: Overview of roaming in fixed VLAN mode
(8) User switching option
When a user is logged in to a specific terminal using Web authentication, this option enables
another user ID to log in without requiring the original user to log out. Enable this option using
the web-authentication user replacement configuration command. Note that this option
switches user IDs on one terminal (MAC address) without requiring a logout operation; it does
not allow multiple users to log in simultaneously.
The following figure shows an operation example when the user switching option is configured.
Figure 8-6: Overview of user switching option (Example of RADIUS authentication)
1. When user A logs in from a specific terminal (Terminal 1 in the figure), authentication is
executed using an authentication method (RADIUS or local authentication) according to
the configuration on the Switch. (In this example, user A is accepted and managed as an
authenticated user.)
2. If another user ID (user B in the figure) logs in from an authenticated terminal (Terminal 1
in the figure), authentication is executed using an authentication method (RADIUS or local
authentication) according to the configuration on the Switch.
3. As a result of the authentication, the new user (user B in the figure) is accepted.
4. The Switch logs out the old user (user A in the figure).
5. The management information on the Switch is updated so that the new user is the
authenticated user, and the Switch notifies the new user that the login was successful. At this
time, the management information, the login date and time, and the remaining time of the old
user are replaced with those of the new user.
• VLANs to which terminals are attached and the authentication mode of a new user
The authentication mode and the VLAN to which a terminal is attached after acceptance of a
new user are determined by the authentication result of the new user.
• When switching users simultaneously on multiple terminals
When switching users simultaneously on multiple terminals, up to 1,280 terminals are
managed as users, which is the limit of Web authentication.
• The failure of new users
During authentication for user switching, if a logout condition is met due to link-down of the
port, the Switch logs out all the authenticated terminals where the logout condition is met in
the same way as the conventional operation during authentication, and the authentication of the
new user fails. If authentication of a new user fails (is denied), the authentication status of the
old user is maintained.
(a) Configuration of authentication method by user ID and identification of user ID
The range of user ID identification differs depending on whether the authentication method by
user ID is configured. When the authentication method by user ID is configured, the
identification range is the user ID sent in the authentication request to the RADIUS server, not
the entire entered user ID character string. (For details about the authentication method by user
ID, see 5.2.2 Authentication method lists.)
The following table shows an example configuration status of the authentication method by the
user ID and the range of user ID identification.
Table 8-5: Example configuration status of the authentication method by the user ID
and the range of user ID identification
Authentication method by user ID | Number of authentications | Character string entered by user | Range of user ID identification | Result of user identification | User switching operation
Not configured | 1 | userAAA@list111 | userAAA@list111 | New user | --
Not configured | 2 | userAAA@list111 | userAAA@list111 | Same user | --
Not configured | 3 | userBBB@list111 | userBBB@list111 | Different user | Y
Not configured | 4 | userBBB@list222 | userBBB@list222 | Different user | Y
Configured | 1 | userAAA@list111 | userAAA | New user | --
Configured | 2 | userAAA@list111 | userAAA | Same user | --
Configured | 3 | userBBB@list111 | userBBB | Different user | Y
Configured | 4 | userBBB@list222 | userBBB | Same user | --
Legend
Y: Operated
--: Not operated
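The user switching decision in (8) and the identification rule in Table 8-5 can be followed in code. The following Python example was added for this guide and is not ALAXALA code. It assumes, which the manual does not state explicitly, that with the authentication method by user ID configured the text before "@" is the user ID sent to the RADIUS server and the text after "@" names the authentication method list, so that only the part before "@" is compared; the MAC address it uses is constructed. The four logins of Table 8-5 are replayed for both configuration states.

```python
"""Decision logic of the user switching option (8.2.2 (8)) with the user ID
identification rule of Table 8-5. Added example, not ALAXALA code.

Assumption not stated in the manual: with the authentication method by user ID
configured, the text before '@' is the user ID sent to the RADIUS server and
the text after '@' names the authentication method list, so only the part
before '@' is compared. The MAC address used below is constructed.
"""


def identification_key(entered, method_by_user_id):
    """The string the Switch compares to decide same/different user."""
    if method_by_user_id and "@" in entered:
        return entered.split("@", 1)[0]   # 'userBBB@list222' -> 'userBBB'
    return entered                         # whole entered string is the user ID


class WebAuthUsers:
    """One authenticated user per terminal (MAC address)."""

    def __init__(self, method_by_user_id):
        self.method_by_user_id = method_by_user_id
        self.users = {}                    # MAC address -> identification key

    def login(self, mac, entered, auth_ok):
        """Return (result of user identification, user switching operated).
        A failed login by a different user keeps the old user logged in."""
        key = identification_key(entered, self.method_by_user_id)
        old = self.users.get(mac)
        if old is None:
            if not auth_ok:
                return ("Denied", False)
            self.users[mac] = key
            return ("New user", False)
        if old == key:
            return ("Same user", False)    # re-login, no switching
        if not auth_ok:
            return ("Denied", False)       # old user's status is maintained
        self.users[mac] = key              # old user logged out, new one accepted
        return ("Different user", True)


def replay_table_8_5(method_by_user_id):
    """Run the four logins of Table 8-5 from one terminal and collect the results."""
    table = WebAuthUsers(method_by_user_id)
    mac = "0012.e201.0001"                 # constructed
    return [table.login(mac, s, True) for s in
            ("userAAA@list111", "userAAA@list111", "userBBB@list111", "userBBB@list222")]
```

With the method by user ID not configured, the fourth login (userBBB@list222) is treated as a different user from userBBB@list111 and switching operates; with it configured, only userBBB is compared and the fourth login is the same user, which is the difference Table 8-5 shows.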
(b) User switching operation at multistep authentication ports
At a multistep authentication port, the Switch compares the Web authentication result
(Filter-Id) of a new user with the result of the terminal authentication performed with the old
user of the terminal, and determines whether authentication can be registered. (For details about
multistep authentication, see 12. Multistep Authentication.)
The following table shows the user switching operation at multistep authentication ports.
Table 8-6: User switching at multistep authentication ports
Columns: Configuration of multistep authentication port | Authentication of old user: terminal authentication type | terminal authentication result | user authentication result | authentication management status of terminal | Authentication of new user: user authentication result | authentication management status of terminal
No option | MAC-based authentication | Succeeded | Succeeded | Multistep authentication | Failed | Login status of old user
No option | MAC-based authentication | Succeeded | Succeeded | Multistep authentication | Succeeded | Multistep authentication status of new user
User acceptance option configured | MAC-based authentication | Failed | Succeeded | Single authentication | Failed | Login status of old user
User acceptance option configured | MAC-based authentication | Failed | Succeeded | Single authentication | Succeeded | Login status of old user#1, or single authentication status of new user#2
User acceptance option configured | MAC-based authentication | Succeeded | Succeeded | Multistep authentication | Failed | Login status of old user
User acceptance option configured | MAC-based authentication | Succeeded | Succeeded | Multistep authentication | Succeeded | Multistep authentication status of new user
dot1x option for terminal authentication configured | MAC-based authentication | Succeeded | Succeeded | Multistep authentication | Failed | Login status of old user
dot1x option for terminal authentication configured | MAC-based authentication | Succeeded | Succeeded | Multistep authentication | Succeeded | Multistep authentication status of new user
dot1x option for terminal authentication configured | IEEE 802.1X | Succeeded | Succeeded | Multistep authentication | Failed | Login status of old user
dot1x option for terminal authentication configured | IEEE 802.1X | Succeeded | Succeeded | Multistep authentication | Succeeded | Multistep authentication status of new user
#1
Even though authentication of a new user was successful, if terminal authentication is also
required for the user, the authentication of the new user is treated as failure, and the login
status of the old user remains.
#2
If authentication of a new user succeeds and terminal authentication is not required for the
user, the status becomes single authentication.
(9) Individual Web authentication page by port
This functionality handles the registered custom file set (the directory name) as the individual
Web authentication page of a port, and displays the associated individual Web authentication
page when Web authentication is accessed from the port. Use the web-authentication
html-fileset configuration command to associate the individual Web authentication page to
the port.
• When another destination is accessed from unauthenticated terminals
Use the URL redirection functionality to redirect the access to the individual Web
authentication page associated with the port.
• The URL of redirect destinations when the URL redirection functionality operates at the port
The URL http://IP-address/login.html is common to the Web authentication page and an
individual Web authentication page. However, the page displayed is the file set
configured for the port.
• When accessing an authentication page file that is not associated
From ports to which individual Web authentication pages are associated, URLs or
HTML files not associated with that port cannot be accessed.
For example, if an individual Web authentication page file set that redirects to a quarantine server
is configured for a specific port, users who access an authentication page from that port can be
required to log in only after quarantine processing at the quarantine server, while users at other
ports execute normal Web authentication.
An individual Web authentication page used for this functionality is registered on the Switch
using the Web authentication switching page functionality. A file set registered on the Switch is
called a custom file set. For details on this functionality, see 8.9 Replacing Web authentication
pages.
8.2.3 Authentication operations
In fixed VLAN mode, authentication is executed in the following sequence.
Figure 8-7: Authentication operation (when using Web authentication IP address)
Figure 8-8: Authentication operation (When using URL redirection functionality)
8.3 Dynamic VLAN mode
An unauthenticated terminal cannot communicate until it is authenticated. If authentication
succeeds in dynamic VLAN mode, the MAC address of the terminal and the authenticated
VLAN ID are registered in the MAC VLAN and the MAC address table as a Web authentication
entry, enabling the terminal to communicate on the post-authentication VLAN. (Check the
registration status in the MAC address table using the show mac-address-table operation
command.)
While legacy mode operates by configuring post-authentication VLANs, dynamic VLAN mode
operates by configuring MAC VLANs set for physical ports. For communication on
unauthenticated VLANs in dynamic VLAN mode, configure an authentication IPv4 access list.
Users can log in using the URL redirection functionality or using the Web authentication IP
address. Either way, the local authentication method and the RADIUS authentication method
can be used for authentication.
8.3.1 Authentication methods group
The authentication methods group uses an authentication methods list in fixed VLAN mode and
dynamic VLAN mode with the Switch default set to the mode that is common to all Web
authentications. Also see the following:
• 5.1.3 Authentication method groups
• 5.3.3 Configuring the priority for device default local authentication and RADIUS authentication
• 5.2.2 Authentication method lists
• 5.3.1 RADIUS server information used with the Layer 2 authentication method
• 9.2.1 Authentication method group and RADIUS server information configuration
(1) Switch default: Local authentication
Local authentication searches the internal Web authentication DB by user ID and password from
the user seeking authentication and validates the credentials by comparing the registration
details. If validated, the Switch attaches the terminal to the VLAN registered in the internal Web
authentication DB and allows the terminal to communicate.
The following figure shows the authentication operation of the local authentication method:
Figure 8-9: Overview of dynamic VLAN mode (local authentication method)
1. A PC user connected via a hub opens a Web browser and accesses the Switch using the
specified URL.
2. The Switch validates the user ID and password by comparing them against the user
information in the internal Web authentication DB.
3. If authentication succeeds, a page opens on the PC indicating that authentication was
successful.
4. The authenticated PC is attached to the post-authentication VLAN and can connect to
servers. The Switch also registers the MAC address of the authenticated PC and VLAN ID
in the MAC VLAN and the MAC address table.
(a) Limitations on post-authentication VLANs
See 5.4.3 Auto MAC VLAN assignment and 5.4.4 Auto authentication mode accommodation at
the same MAC port.
(2) Switch default: RADIUS authentication
The following figure shows the operation of the RADIUS authentication method.
Figure 8-10: Overview of dynamic VLAN mode (RADIUS authentication method)
1. A PC user connected via a hub opens a Web browser and accesses the Switch using the
specified URL.
2. Authentication is executed using the user ID and password according to the external
RADIUS server.
3. If authentication succeeds, a page opens on the PC indicating that authentication was
successful.
4. According to the VLAN ID information sent from the RADIUS server, the authenticated
PC is attached to the post-authentication VLAN and can connect to the server. The Switch
also registers the MAC address of the authenticated PC and VLAN ID in the MAC VLAN
and the MAC address table.
(a) Limitations on post-authentication VLANs
See 5.4.3 Auto MAC VLAN assignment and 5.4.4 Auto authentication mode accommodation at
the same MAC port.
(3) Authentication methods list: Authentication method by port
For details about authentication methods by port, see 5.2.2 Authentication method lists.
8.3.2 Authentication functionality
(1) Web authentication IP address
The functionality is the same as that for fixed VLAN mode. See (1) Web authentication IP
address in 8.2.2 Authentication functionality.
(2) URL redirection
The functionality is the same as that for fixed VLAN mode. See (2) URL redirection in 8.2.2
Authentication functionality.
(3) Specifying the automatically displayed URL after successful authentication
Specify the URL of a page to be automatically displayed after displaying the page indicating
successful authentication. Set the time before URL transition to approximately 20 to 30 seconds
because the IP address of the authenticated terminal must be changed at the time of switching
from an unauthenticated VLAN to a post-authentication VLAN. If the internal DHCP server of
the Switch has assigned an IP address to an unauthenticated terminal, the terminal obtains a new
IP address from the official DHCP server via the post-authentication VLAN. Therefore, it might
take approximately 20 to 30 seconds from when authentication is completed until
post-authentication VLAN communication is enabled.
Use the web-authentication jump-url configuration command to configure the URL of a
page to be automatically displayed after displaying the page indicating successful authentication
and the time period before URL transition.
(4) Specifying forced authentication port
If RADIUS authentication of a terminal connected to a port where forced authentication is
specified fails because the request cannot be sent to the RADIUS server or no response is
returned due to, for example, a path failure, the terminal seeking authentication will be in the
Accept status. The forced authentication configuration of the Switch includes configuration
common to all authentication methods and configuration by authentication functionality. For
details about functionality common to all authentication methods, see 5.4.6 Forced authentication
common to all authentication modes. Configure the web-authentication
force-authorized vlan configuration command in the port where forced authentication is
allowed. Note that forced authentication is allowed when the following conditions are met.
Table 8-7: Permission conditions on forced authentication
Item            Condition
Configuration   All the following configurations must be configured:
                • aaa authentication web-authentication#1
                • web-authentication radius-server host, or radius-server host
                • web-authentication system-auth-control
                • vlan <VLAN-ID-list> mac-based#2
                • web-authentication port#3
                • web-authentication force-authorized vlan#2, #3
                • switchport mode mac-vlan#3
                • web-authentication authentication#4
                • web-authentication user-group#5
Accounting log  The following accounting log is recorded when an authentication request is sent to the RADIUS server:
                No = 21
                NOTICE: LOGIN: (additional information) Login failed ; Failed to connection to RADIUS server.
                Additional information: MAC, USER, IP, PORT, VLAN
                Check the accounting log using the show web-authentication logging operation command.
#1 When using forced authentication as the Switch default, set only default group radius. When using authentication method by port or authentication method by user ID, set <list-name> group <group-name>.
#2 Set the same VLAN ID.
#3 Set this on the same Ethernet port.
#4 Set this when using an authentication method by port.
#5 Set this when using an authentication method by user ID.
The authenticated status that a terminal obtained through forced authentication is canceled in the same way as for normally authenticated terminals, as described in (6) Logout from authenticated status in 8.2.2 Authentication functionality.
The operations from the start of an authentication request to the RADIUS server until forced authentication is accepted are the same for both forced authentication common to all authentication methods and forced authentication per authentication method. For details about the operations, see (1) Behavior from the start of a RADIUS authentication request to permission for forced authentication in 5.4.6 Forced authentication common to all authentication modes.
(5) Maximum number of users to be authenticated
The maximum number of users to be authenticated can be configured both on a Switch basis and on a port basis. Configure up to 256 authenticated users or terminals using the web-authentication max-user configuration command. The configuration can be made on a Switch basis and on a port basis at the same time. However, once the number of authenticated users reaches either limit, no new users can be authenticated. In addition, if the maximum number of users to be authenticated is changed during operation to a value smaller than the current number of authenticated users, the already authenticated users can continue to communicate, but no new users can be authenticated.
(6) Logout from authenticated status
Dynamic VLAN mode provides the following means of logging out:
• Logout when the maximum connection time is exceeded
• Logout of an authenticated terminal by non-communication monitoring
• Logout in response to a special frame received from an authenticated terminal
• Logout of a terminal connected to a link-down port
• Logout resulting from changes to the VLAN configuration
• Logout using a Web page
• Logout using an operation command
Each means of logout is the same as that of fixed VLAN mode. See (6) Logout from authenticated status in 8.2.2 Authentication functionality.
(7) Roaming (moving authenticated terminals between ports)
When an authenticated terminal connected to the network via, for example, a hub is moved between ports without the link going down, the roaming functionality enables the terminal to continue to communicate in the authenticated status.
Roaming is enabled when any of the following conditions is met:
• The web-authentication static-vlan roaming configuration command is configured.
• The ports between which the terminal is moved are in fixed VLAN mode.
• The post-authentication VLAN of the port before the move is configured in the switchport mac vlan configuration command for the destination port on the Switch.
When a terminal is moved between ports under conditions other than the above, the authentication of the target terminal is forcibly logged out.
Figure 8-11: Overview of roaming in dynamic VLAN mode
(8) User switching option
The functionality is the same as that for fixed VLAN mode. See (8) User switching option in 8.2.2 Authentication functionality.
(9) Individual Web authentication page by port
The functionality is the same as that for fixed VLAN mode. See (9) Individual Web authentication page by port in 8.2.2 Authentication functionality.
8.3.3 Authentication operations
In dynamic VLAN mode, an authentication is executed in the following sequence.
Figure 8-12: Authentication operation (when using Web authentication IP address)
Figure 8-13: Authentication operation (when using URL redirection functionality)
8.4 Legacy mode
A terminal attached to an unauthenticated VLAN can communicate within the unauthenticated VLAN because, when a frame is received, the MAC address and the unauthenticated VLAN ID are registered in the MAC address table as a dynamic entry. If authentication succeeds in legacy mode, the MAC address and the post-authentication VLAN are registered in a MAC VLAN, enabling the terminal to communicate within the post-authentication VLAN. Users can log in using either the Web authentication IP address or the IP address of the unauthenticated VLAN. In either case, both the local authentication method and the RADIUS authentication method can be used for authentication.
8.4.1 Authentication method group
A Web authentication method group uses the Switch default for all the Web authentication modes (legacy mode does not use an authentication methods list). Also see the following:
• 5.1.3 Authentication method groups
• 5.3.3 Configuring the priority for device default local authentication and RADIUS authentication
• 5.3.1 RADIUS server information used with the Layer 2 authentication method
• 9.2.1 Authentication method group and RADIUS server information configuration
(1) Switch default: Local authentication
Local authentication searches the internal Web authentication DB for the user ID and password supplied by the user seeking authentication and validates the credentials by comparing them with the registered details. If validated, the Switch attaches the terminal to the VLAN registered in the internal Web authentication DB and allows the terminal to communicate.
The following figure shows the authentication operation of the local authentication method:
Figure 8-14: Overview of legacy mode (local authentication method)
1. A PC user connected via a hub opens a Web browser and accesses the Switch using the specified URL.
2. The Switch validates the user ID and password by comparing them against the user information in the internal Web authentication DB.
3. If authentication succeeds, a page opens on the PC indicating that authentication was successful.
4. The authenticated PC is attached to the post-authentication VLAN and can connect to servers.
(a) Limitations on post-authentication VLANs
If the VLAN ID registered in the entry of the target user in the internal Web authentication DB is not included in the post-authentication VLAN configuration (the web-authentication vlan configuration command) in legacy mode, authentication fails.
(2) Switch default: RADIUS authentication
In a relatively large-scale configuration, it is recommended to use an external RADIUS server to execute authentication. The following figure shows the operation of the RADIUS authentication method.
Figure 8-15: Overview of legacy mode (example of RADIUS authentication)
1. A PC user connected via a hub opens a Web browser and accesses the Switch using the specified URL.
2. Authentication is executed using the user ID and password via the external RADIUS server.
3. If authentication succeeds, a page opens on the PC indicating that authentication was successful.
4. Based on the VLAN ID information sent from the RADIUS server, the authenticated PC is attached to the post-authentication VLAN and can connect to the server.
(a) Limitations on post-authentication VLANs
If the VLAN ID registered in the entry of the user in the RADIUS server is not included in the post-authentication VLAN configuration (the web-authentication vlan configuration command) in legacy mode, authentication fails.
8.4.2 Authentication functionality
(1) Web authentication IP address
The functionality is the same as that for fixed VLAN mode. See (1) Web authentication IP address in 8.2.2 Authentication functionality.
(2) Specifying the automatically displayed URL after successful authentication
The functionality is the same as that of dynamic VLAN mode. See (3) Specifying the automatically displayed URL after successful authentication in 8.3.2 Authentication functionality.
(3) Specifying forced authentication port
If RADIUS authentication of a terminal connected to the port where forced authentication is specified fails because the request cannot be sent to the RADIUS server or no response is returned due to, for example, a path failure, the terminal seeking authentication changes to the Accept status. The forced authentication configuration of the Switch includes the configuration common to all authentication methods and the configuration for each authentication functionality. However, the configuration common to all authentication methods cannot be used in legacy mode; use the forced authentication functionality of Web authentication instead. Configure the web-authentication force-authorized vlan configuration command on the port where forced authentication is allowed. Note that forced authentication is allowed when the following conditions are met.
Table 8-8: Permission conditions on forced authentication
Item            Condition
Configuration   All the following configurations must be configured:
                • aaa authentication web-authentication#1
                • web-authentication radius-server host, or radius-server host
                • web-authentication system-auth-control
                • vlan <VLAN-ID-list> mac-based#2
                • web-authentication vlan#2
                • web-authentication force-authorized vlan#2, #3
                • switchport mac vlan#2, #3
                • switchport mode mac-vlan#3
Accounting log  The following accounting log is recorded when an authentication request is sent to the RADIUS server:
                No = 21
                NOTICE: LOGIN: (additional information) Login failed ; Failed to connection to RADIUS server.
                Additional information: MAC, USER, IP, PORT or CHGR, VLAN
                Check the accounting log with the show web-authentication logging operation command.
#1 When using forced authentication as the Switch default, configure only default group radius.
#2 Configure the same VLAN ID.
#3 Configure this on the same Ethernet port.
The authenticated status that a terminal obtained through forced authentication is canceled in the same way as for normally authenticated terminals, as described in (5) Logout from authenticated status in 8.4.2 Authentication functionality.
The operations from the start of sending an authentication request to the RADIUS server until forced authentication is accepted are the same for both forced authentication common to all authentication methods and forced authentication per authentication method. For details about the operations, see (1) Behavior from the start of a RADIUS authentication request to permission for forced authentication in 5.4.6 Forced authentication common to all authentication modes.
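Forced authentication admits a terminal without the RADIUS server having verified its credentials, so an operator will want to notice when it happens. The accounting log entry that Tables 8-7 and 8-8 associate with it (No = 21, "Login failed ; Failed to connection to RADIUS server") is the signal. The following Python is an added example, not code from the manual or from ALAXALA: it scans constructed sample lines modelled on that entry, extracts the additional information (MAC, USER, IP, PORT or CHGR, VLAN) and counts fail-open admissions per port or channel group. The exact field layout of the show web-authentication logging output, the MAC and IP values, the user names and the message number 99 used for the non-forced lines are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample in the style of show web-authentication logging output.
# Only the No = 21 message text comes from the manual; the field layout, the
# addresses, the user names and "No=99" (placeholder number) are assumed.
SAMPLE_LOG = """\
No=21 NOTICE:LOGIN: MAC=00-11-22-33-44-55 USER=alice IP=192.0.2.10 PORT=0/1 VLAN=10 Login failed ; Failed to connection to RADIUS server.
No=99 NOTICE:LOGIN: MAC=00-11-22-33-44-66 USER=bob IP=192.0.2.11 PORT=0/1 VLAN=10 Login succeeded.
No=99 NOTICE:LOGIN: MAC=00-11-22-33-44-77 USER=carol IP=192.0.2.12 PORT=0/2 VLAN=10 Login failed ; Authentication failed.
No=21 NOTICE:LOGIN: MAC=00-11-22-33-44-88 USER=dave IP=192.0.2.13 PORT=0/2 VLAN=10 Login failed ; Failed to connection to RADIUS server.
No=21 NOTICE:LOGIN: MAC=00-11-22-33-44-99 USER=erin IP=192.0.2.14 CHGR=1 VLAN=20 Login failed ; Failed to connection to RADIUS server.
"""

# Message text the manual gives for the accounting log written when the RADIUS
# request could not be delivered and the terminal was accepted anyway.
FORCED_AUTH_TEXT = "Failed to connection to RADIUS server"

# Additional-information fields listed in Tables 8-7 and 8-8 (CHGR only in legacy mode).
FIELD_RE = re.compile(r"\b(No|MAC|USER|IP|PORT|CHGR|VLAN)=(\S+)")


def parse_forced_auth_events(log_text):
    """Return one dict per LOGIN entry whose cause is the RADIUS connection failure."""
    events = []
    for line in log_text.splitlines():
        if "LOGIN:" not in line or FORCED_AUTH_TEXT not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        # Legacy mode may report a channel group instead of a port; normalise the key.
        if "PORT" in fields:
            where = fields["PORT"]
        elif "CHGR" in fields:
            where = "ChGr " + fields["CHGR"]
        else:
            where = "?"
        events.append({
            "no": fields.get("No"),
            "user": fields.get("USER"),
            "mac": fields.get("MAC"),
            "ip": fields.get("IP"),
            "vlan": fields.get("VLAN"),
            "where": where,
        })
    return events


def forced_auth_summary(log_text, threshold=1):
    """Count forced (fail-open) admissions per port / channel group and return
    the locations whose count reaches the threshold, for alerting."""
    per_where = Counter(e["where"] for e in parse_forced_auth_events(log_text))
    return {where: n for where, n in per_where.items() if n >= threshold}


if __name__ == "__main__":
    for ev in parse_forced_auth_events(SAMPLE_LOG):
        print("forced authentication:", ev)
    print("per location:", forced_auth_summary(SAMPLE_LOG))
```

Because every matched entry represents a terminal that was accepted without a RADIUS verdict, a reasonable operational rule is to alert on any non-empty summary and to correlate it with RADIUS server reachability for the same time window.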
(4) Maximum number of users to be authenticated
The functionality is the same as that for dynamic VLAN mode. See (5) Maximum number of users to be authenticated in 8.3.2 Authentication functionality.
(5) Logout from authenticated status
Legacy mode provides the following means of logging out:
• Logout when the maximum connection time is exceeded
• Logout by aging monitoring of the MAC address table
• Logout in response to a special frame received from an authenticated terminal
• Logout resulting from changes to the VLAN configuration
• Logout using a Web page
• Logout using an operation command
The means of logout other than "Logout by aging monitoring of the MAC address table" are the same as those of fixed VLAN mode. See (6) Logout from authenticated status in 8.2.2 Authentication functionality.
(a) Logout by aging monitoring of the MAC address table
The Switch periodically (approximately every minute) monitors the dynamic entries in the MAC address table to check whether the MAC address of a terminal registered with the post-authentication VLAN ID in legacy mode has been aged out. If the MAC address of the terminal has been deleted from the MAC address table due to an aging timeout, the Web authentication status is automatically logged out and the terminal is attached to the unauthenticated VLAN ID again. In this case, the user is not presented with a logout page.
Note that, to prevent a momentary line disconnection from logging out the authentication, the Switch logs out the authentication status only if the MAC address is not re-registered in the MAC address table within approximately 10 minutes (the logout postponement time) after it was deleted from the MAC address table.
Figure 8-16: Overview of logout by aging monitoring of MAC address table
Disable this functionality using the no web-authentication auto-logout configuration command. (This configures the Switch so that authentication is not forcibly logged out when an aging timeout occurs.)
(6) Moving an authenticated terminal between ports and displaying the number of authenticated users
In legacy mode, no configuration is used for roaming. When an authenticated terminal is moved between ports, the operations are as follows:
1. When a terminal is authenticated, the number of authenticated users is counted up at the port where the terminal was authenticated.
2. In legacy mode, if an authenticated terminal is moved to another port and all the following conditions are met, the terminal can continue to communicate:
   • The ports between which the terminal is moved are in legacy mode.
   • The post-authentication VLAN of the port before the move is configured in the switchport mac vlan configuration command for the destination port on the Switch.
   A moved terminal can communicate until it is detected by the aging monitoring of the MAC address table. However, if DHCP snooping or a filter is used concurrently at the port to which the terminal has been moved, the operation depends on their conditions.
   If a terminal is moved under conditions other than the above, the authentication is logged out. However, if an authenticated terminal is moved to a port that is not used for authentication in legacy mode, the authentication might not be logged out.
3. During the next authentication, the Switch detects whether the terminal has moved to another port.
4. If legacy mode is available on the port to which the terminal has moved, the number of authenticated users is counted as follows:
   • If the count is the maximum number of authenticated users or less, the number of authenticated users at the port from which the terminal moved is decreased and the authentication is registered at the destination port.
   • If the count exceeds the maximum number of authenticated users, the number of authenticated users at the port from which the terminal moved is decreased and the authentication is logged out.
5. If, before the next authentication, the aging monitoring of the MAC address table detects the deletion of the MAC address at the port from which the terminal moved, authentication is processed as a new terminal at the destination port.
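The counting rules above, together with the limit rules of (5) Maximum number of users to be authenticated in 8.3.2 (a Switch-wide and a per-port limit, new users refused once either is reached, a limit lowered below the current count keeping existing sessions), can be written down as a small model. The following Python is an added example, not Switch code and not from the manual: it tracks authenticated terminals per port, applies both limits to new authentications, and implements step 4 for a terminal that moved to another legacy-mode port. The port labels and MAC addresses are constructed; treating "the maximum number of authenticated users" in step 4 as the destination port's limit is an assumption of the example.

```python
class WebAuthUserCounter:
    """Model of how authenticated terminals are counted against the limits set by
    web-authentication max-user (Switch-wide and per-port, both at most 256) and how
    the count follows a terminal that moves between ports in legacy mode.
    Constructed model for illustration, not the Switch's implementation."""

    def __init__(self, switch_max=256, port_max=None):
        self.switch_max = switch_max
        # port label -> per-port limit; ports without an entry have no per-port limit
        self.port_max = dict(port_max or {})
        # terminal MAC -> port where its authentication is currently registered
        self.sessions = {}

    def count(self, port=None):
        """Number of authenticated terminals on the whole Switch or on one port."""
        if port is None:
            return len(self.sessions)
        return sum(1 for p in self.sessions.values() if p == port)

    def _port_has_room(self, port):
        limit = self.port_max.get(port)
        return limit is None or self.count(port) < limit

    def authenticate(self, mac, port):
        """Step 1 / section (5): a new authentication is refused once EITHER the
        Switch-wide or the port limit has been reached."""
        if mac in self.sessions:
            return False  # already authenticated (user switching is out of scope here)
        if self.count() >= self.switch_max or not self._port_has_room(port):
            return False
        self.sessions[mac] = port
        return True

    def logout(self, mac):
        return self.sessions.pop(mac, None) is not None

    def set_switch_max(self, new_max):
        """Lowering the limit below the current count keeps existing sessions; only
        new authentications are blocked until the count falls below the new limit."""
        self.switch_max = new_max

    def move(self, mac, new_port):
        """Step 4: the source port's count is decreased in both cases; the session is
        re-registered at the destination only if that port still has room (assumed to
        be the per-port limit), otherwise the authentication is logged out."""
        if mac not in self.sessions:
            return False
        self.sessions.pop(mac)            # decrease the count at the source port
        if self._port_has_room(new_port):
            self.sessions[mac] = new_port  # register at the destination port
            return True
        return False                       # over the limit: logged out


if __name__ == "__main__":
    c = WebAuthUserCounter(switch_max=3, port_max={"0/1": 2})
    print(c.authenticate("aa-aa-aa-aa-aa-01", "0/1"), c.authenticate("aa-aa-aa-aa-aa-02", "0/1"))
    print("third on 0/1 refused:", not c.authenticate("aa-aa-aa-aa-aa-03", "0/1"))
    c.set_switch_max(1)
    print("existing sessions kept:", c.count())
```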
(7) User switching option
The functionality is the same as that of fixed VLAN mode. See (8) User switching option in 8.2.2 Authentication functionality.
8.4.3 Authentication operations
In legacy mode, an authentication is executed in the following sequence.
Figure 8-17: Authentication operation (when using Web authentication IP address)
8.5 Accounting functionality
The Switch uses the following accounting functionality to record the results of Web authentication operations:
• Internal accounting log on the Switch
• Recording to the accounting functionality of the RADIUS server
• Recording of authentication information to the RADIUS server
• Outputting accounting log to the syslog server
(1) Internal accounting log on the Switch
The internal accounting log on the Switch can record up to 2,100 lines of information for all the authentication modes of Web authentication. Upon reaching this limit, the Switch starts overwriting existing accounting information beginning from the oldest entries.
The functionality records the following accounting log information.
Table 8-9: Accounting log type
Accounting log type   Details
LOGIN                 Details on a login operation (succeeded, failed)
LOGOUT                Details on a logout operation (causes, etc.)
SYSTEM                Details on operations of Web authentication functionality (including roaming detection and forced authentication)
Table 8-10: Information output to internal accounting log on the Switch
Accounting log type | Time | User | IP  | MAC | VLAN | Port#1 | Message
LOGIN (Succeeded)   | Y    | Y    | Y#2 | Y   | Y#2  | Y      | Login success
LOGIN (Failed)      | Y    | Y    | Y#3 | Y#3 | Y#3  | Y#3    | Cause for login failure
LOGOUT              | Y    | Y#3  | Y#3 | Y#3 | Y#3  | Y#3    | Logout message
SYSTEM              | Y    | Y#3  | Y#3 | Y#3 | N    | Y#3    | Message about operation of Web authentication functionality
Legend
Y: Output
N: Not output
#1 Fixed VLAN mode, dynamic VLAN mode: The interface port number is output. Legacy mode: The interface port number or the channel group number is output.
#2 In dynamic VLAN mode, the IP address displayed in the event of a successful authentication is that of the terminal prior to authentication. The VLAN ID is that of the post-authentication VLAN.
#3 Depending on the message, the information might not be output.
For details on messages, see show web-authentication logging in 26. Web Authentication in the manual Operation Command Reference.
The recorded accounting log is output as follows:
1. Displayed on the console for each event
   In an environment where the trace-monitor enable operation command has been executed, the accounting log is not displayed on the console for each event.
2. Displayed using the operation command
   The recorded accounting log is displayed starting from the latest information using the show web-authentication logging operation command.
3. Output to the syslog server
   See (4) Outputting accounting log to the syslog server.
4. Private trap
   The Switch supports the functionality that issues private traps, triggered by the accounting log recorded when a specific Web authentication event occurs. Configure whether private traps are issued and the issuing type using the configuration command.
Table 8-11: Accounting log (LOGIN/LOGOUT) and private trap issuing condition (1)
Accounting log type | Configuration required for issuing private trap
                    | Command            | Parameter
LOGIN (Succeeded)   | snmp-server host   | web-authentication
                    | snmp-server traps  | web-authentication-trap all
LOGIN (Failed)      | snmp-server host   | web-authentication
                    | snmp-server traps  | Not configured, or either of the following is configured:
                    |                    | web-authentication-trap all
                    |                    | web-authentication-trap failure
LOGOUT              | snmp-server host   | web-authentication
                    | snmp-server traps  | web-authentication-trap all
Table 8-12: Accounting log (SYSTEM) and private trap issuing condition (2)
Accounting log type            | Authentication mode | Configuration required for issuing private trap (command and parameter)
SYSTEM (Forced authentication) | Fixed VLAN          | snmp-server host web-authentication
                               |                     | web-authentication static-vlan force-authorized action trap
                               | Dynamic VLAN        | snmp-server host web-authentication
                               |                     | web-authentication force-authorized vlan action trap
                               | Legacy              | snmp-server host web-authentication
                               |                     | web-authentication force-authorized vlan action trap
SYSTEM (Roaming)               | Fixed VLAN          | snmp-server host web-authentication
                               |                     | web-authentication static-vlan roaming action trap
                               | Dynamic VLAN        | snmp-server host web-authentication
                               |                     | web-authentication force-authorized vlan action trap
                               | Legacy              | - (No configuration because this mode is not supported)
Private traps of forced authentication can be issued when forced authentication common to all authentication methods is configured. For details, see (5) Private trap for forced authentication in 5.4.6 Forced authentication common to all authentication modes.
(2) Recording to the accounting functionality of the RADIUS server
Use the accounting functionality of the RADIUS server by configuring the aaa accounting web-authentication configuration command. For details on the RADIUS attributes used for sending accounting information to the RADIUS server, see 8.6 Preparation.
(3) Recording of authentication information to the RADIUS server
When using the RADIUS authentication method, the success or failure of authentication is recorded according to the functionality of the RADIUS server. However, the information recorded might differ depending on the RADIUS server used. See the manual of the RADIUS server for details.
(4) Outputting accounting log to the syslog server
Accounting log information, together with the operation log information of the entire Switch, is output to all the syslog servers configured in the configuration.
Figure 8-18: Format of output to syslog server
For details about the information output to the syslog server, see 22. Log Output Functionality.
Note that the Switch cannot be configured to output, or to suppress, only the Web authentication accounting log information to the syslog server.
8.6 Preparation
8.6.1 For local authentication
To use the local authentication method, the following preparations are required:
• Configuring the Switch
• Registering the internal Web authentication DB
• Backing up the internal Web authentication DB
• Restoring the internal Web authentication DB
(1) Configuring the Switch
To use Web authentication, configure the information for VLANs and Web authentication on the Switch using the configuration commands. (See 9. Web Authentication Configuration and Operation.)
(2) Registering the internal Web authentication DB
Before using the local authentication method, you must register the user information (the user ID, password, and post-authentication VLAN ID of each terminal seeking authentication) in the internal Web authentication DB using operation commands.
The procedure for registering information in the internal Web authentication DB consists of editing the user information (adding, changing, deleting) and then incorporating the updates into the internal Web authentication DB. The procedure is shown below.
Before adding user information, the environment settings and the configuration of the Web authentication system must be completed.
• Add user information (the user ID, password, and post-authentication VLAN ID of the terminal seeking authentication) using the set web-authentication user operation command.
• To change a registered password, use the set web-authentication passwd operation command.
• To change a registered post-authentication VLAN ID, use the set web-authentication vlan operation command.
• To delete registered user information, use the remove web-authentication user operation command.
• Edited user information is incorporated into the internal Web authentication DB by executing the commit web-authentication operation command.
Use the show web-authentication user operation command to view the edited user information before executing the commit web-authentication operation command.
The following table shows the range of the number of characters and the available characters for the user ID and password.
Table 8-13: Range of the number of characters and available characters
Item                                             Value
Range of the number of characters for user ID    1 to 128 characters
Range of the number of characters for password   1 to 32 characters
Available characters                             0 to 9, A to Z, a to z, at mark (@), hyphen (-), underscore (_), dot (.)
Figure 8-19: Editing user information and incorporating updates into the internal Web authentication DB
(3) Backing up the internal Web authentication DB
Use the store web-authentication operation command to back up the internal Web authentication DB.
(4) Restoring the internal Web authentication DB
Use the load web-authentication operation command to restore the internal Web authentication DB from a backup file you created. Note that any recent edits or registrations you made using the set web-authentication user command or similar will be lost and replaced with the contents of the backup file.
8.6.2 For RADIUS authentication
To perform RADIUS authentication, the following preparations are required:
• Configuring the Switch
• Preparing the RADIUS server
(1) Configuring the Switch
To use Web authentication, configure the information for VLANs and Web authentication on the Switch using the configuration commands. (See 9. Web Authentication Configuration and Operation.)
(2) Preparing a RADIUS server
(a) RADIUS attributes used by the Switch
The following table describes the RADIUS attributes used by the Switch.
Table 8-14: Attributes used for authentication (Part 1 Access-Request)
Attribute name (Type value): Description
User-Name (1): User ID to be authenticated
User-Password (2): User password
NAS-IP-Address (4): IP address of the Switch seeking authentication. The IP address of the smallest VLAN ID among the VLAN interfaces where IP addresses are registered is used.
NAS-Port (5):
  • Fixed VLAN mode: IfIndex by authentication
  • Dynamic VLAN mode: IfIndex by authentication
  • Legacy mode: 4296
Service-Type (6): Service type to be provided. Framed (2) static.
State (24): Text character string. When sending an Access-Request in reply to an Access-Challenge, if the Access-Challenge carried State, the State information held on the Switch is added.
Called-Station-Id (30): The MAC address of the port (lowercase ASCII#, hyphen (-) delimited)
Calling-Station-Id (31): The MAC address of the terminal (lowercase ASCII#, hyphen (-) delimited)
NAS-Identifier (32):
  • Fixed VLAN mode: VLAN ID of the VLAN where the terminal seeking authentication is attached (for VLAN10: 10)
  • Dynamic VLAN mode: Character string configured by the hostname configuration command
  • Legacy mode: Character string configured by the hostname configuration command
NAS-Port-Type (61): The type of the physical port that the terminal uses for user authentication. Virtual(5)
Connect-Info (77): Character string indicating the connection characteristics
  • Fixed VLAN mode: Physical port (CONNECT Ethernet)
  • Dynamic VLAN mode: Physical port (CONNECT Ethernet)
  • Legacy mode: (CONNECT DVLAN)
NAS-Port-Id (87): Character string to identify ports, where x and y are replaced with numbers
  • Fixed VLAN mode: "Port x/y"
  • Dynamic VLAN mode: "Port x/y"
  • Legacy mode: "DVLAN x"
# Although the Switch uses the MAC address of Called-Station-Id and Calling-Station-Id in lowercase, you can change the characters a to f in the MAC address to uppercase using the radius-server attribute station-id capitalize configuration command.
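To make Table 8-14 concrete, the following Python is an added example (not code from the manual or from ALAXALA) that packs the Access-Request attributes the table lists, selecting the mode-dependent values (NAS-Port, NAS-Identifier, Connect-Info, NAS-Port-Id) for fixed VLAN, dynamic VLAN and legacy mode, hides the User-Password the way RFC 2865 section 5.2 requires, and parses the attribute list back so the result can be checked. The NAS IP address, MAC addresses, hostname, shared secret and Request Authenticator are constructed values; taking the Connect-Info strings to be the literal text inside the table's parentheses is an assumption of the example.

```python
import hashlib
import socket
import struct

# Attribute type codes as listed in Table 8-14 (standard RADIUS numbering).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, CONNECT_INFO, NAS_PORT_ID = 61, 77, 87
SERVICE_TYPE_FRAMED = 2     # Framed(2), fixed value per the table
NAS_PORT_TYPE_VIRTUAL = 5   # Virtual(5), fixed value per the table
LEGACY_NAS_PORT = 4296      # NAS-Port value the table gives for legacy mode


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (standard, not page-specific):
    pad to a multiple of 16 bytes, XOR each block with MD5(secret + previous
    ciphertext block), the Request Authenticator serving as the first 'previous block'."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as a RADIUS server applies it."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def encode_attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(blob: bytes):
    """Walk a packed attribute list and return [(type, value), ...]."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def build_access_request_attributes(mode, user, password, secret, authenticator,
                                    nas_ip, port_mac, terminal_mac, hostname="",
                                    vlan_id=None, ifindex=None, port_label=""):
    """Pack the Access-Request attributes of Table 8-14 for one authentication mode
    ('fixed', 'dynamic' or 'legacy'). nas_ip is the address of the lowest-numbered
    VLAN interface that has one; the caller supplies it. Mode-dependent values follow
    the table: NAS-Port (IfIndex or 4296), NAS-Identifier (VLAN ID or hostname),
    Connect-Info ('CONNECT Ethernet' or 'CONNECT DVLAN') and NAS-Port-Id."""
    if mode == "fixed":
        nas_port, nas_id, connect = ifindex, str(vlan_id), "CONNECT Ethernet"
    elif mode == "dynamic":
        nas_port, nas_id, connect = ifindex, hostname, "CONNECT Ethernet"
    elif mode == "legacy":
        nas_port, nas_id, connect = LEGACY_NAS_PORT, hostname, "CONNECT DVLAN"
    else:
        raise ValueError("unknown mode %r" % mode)
    attrs = [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(secret, authenticator, password.encode())),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
        (CALLED_STATION_ID, port_mac.lower().encode()),       # lowercase, hyphen-delimited
        (CALLING_STATION_ID, terminal_mac.lower().encode()),  # (station-id capitalize not set)
        (NAS_IDENTIFIER, nas_id.encode()),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
        (CONNECT_INFO, connect.encode()),
        (NAS_PORT_ID, port_label.encode()),
    ]
    return b"".join(encode_attr(t, v) for t, v in attrs)


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed Request Authenticator; a real one is random
    blob = build_access_request_attributes("fixed", "alice", "s3cret", b"shared", auth,
                                           "192.0.2.1", "00-11-22-33-44-55",
                                           "AA-BB-CC-DD-EE-FF", vlan_id=10, ifindex=3,
                                           port_label="Port 0/3")
    for atype, value in parse_attributes(blob):
        print(atype, value)
```

The State attribute (24) is omitted because it is only echoed back when an Access-Challenge carried one; a client that handles challenges would append it from the stored value before sending the follow-up request.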
Table 8-15: Attributes used for authentication (Part 2 Access-Challenge)
Attribute name (Type value): Description
Reply-Message (18): Text character string. This message is displayed on a web page.#
State (24): Text character string. The State information between the Switch and the RADIUS server is retained.
# The Switch records the character string of Reply-Message as an accounting log entry.
Table 8-16: Attributes used for authentication (Part 3 Access-Accept)
Attribute name (Type value): Description
Service-Type (6): Service type provided. Framed(2) static.
Filter-Id (11): Text character string. Used for multistep authentication.#1
Reply-Message (18): Not used#2
Tunnel-Type (64): Tunnel type. VLAN(13) static.
Tunnel-Medium-Type (65): Protocol for creating a tunnel. IEEE802(6) static.
Tunnel-Private-Group-ID (81): Character string for identifying VLANs.#3 The following character strings are used:
  (1) Character string indicating the VLAN ID
  (2) Character string indicating VLAN + the VLAN ID. No space must be included in the character string. (If included, VLAN assignment fails.)
  (3) Character string indicating the VLAN name configured for the VLAN interface using the name configuration command. (The smaller VLAN ID is prioritized.)#4
  Configuration example:
    VLAN ID: 10
    Name configured using the name configuration command: Authen_VLAN
    For (1): 10
    For (2): VLAN10
    For (3): Authen_VLAN
#1 For details about the character strings used for multistep authentication, see 12. Multistep Authentication.
#2 The Switch records the character string of Reply-Message as an accounting log entry.
#3 The Switch selects a character string format and identifies the VLAN ID under the following conditions:
  1. Conditions for selecting character string format (1), (2), or (3) of Tunnel-Private-Group-ID
     - Format (1) for a character string starting with a number between 0 and 9
     - Format (2) for a character string starting with VLAN + a number between 0 and 9
     - Format (3) for any other character string
     Note that if the first byte is between 0x00 and 0x1f, it is treated as a tag and ignored.
  2. Conditions for identifying the VLAN ID from a character string in format (1) or (2)
     - Only the numeric characters 0 to 9 are converted into a decimal number, and only the first four characters are valid. (The fifth and subsequent characters are ignored.)
       Example: 0010 is the same as 010 or 10, so the VLAN ID = 10. For 01234, the VLAN ID = 123.
     - If a character other than 0 through 9 appears in the middle of the character string, that character is considered to be the end of the string.
       Example: For 12 + 3, the VLAN ID = 12.
#4 For details about specifying a VLAN name using the name configuration command, see 5.4.2 Specifying VLAN accommodation by VLAN name.
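Because the Tunnel-Private-Group-ID rules in footnote #3 decide which VLAN a RADIUS user lands on, a server administrator benefits from being able to predict the outcome for a given string. The following Python is an added example, not code from the manual or from ALAXALA: it applies the format selection (leading digit, VLAN + digit, otherwise a VLAN name), the tag-byte rule, the four-digit and terminating-character rules, the space rule, and the smallest-ID preference for names, and optionally checks the result against the post-authentication VLAN list, since 8.4.1 states that a VLAN outside the web-authentication vlan configuration makes legacy-mode authentication fail. Matching the VLAN prefix case-sensitively and the sample VLAN names are assumptions of the example.

```python
DIGITS = "0123456789"


def strip_tag(value: bytes) -> bytes:
    """A first byte of 0x00..0x1f is a tag (RFC 2868 tagged attribute); the Switch ignores it."""
    return value[1:] if value and value[0] <= 0x1F else value


def select_format(s: str) -> int:
    """Format (1): leading digit; (2): 'VLAN' followed by a digit; (3): anything else.
    (Assumption: the VLAN prefix is matched case-sensitively.)"""
    if s and s[0] in DIGITS:
        return 1
    if s.startswith("VLAN") and len(s) > 4 and s[4] in DIGITS:
        return 2
    return 3


def vlan_id_from_digits(s: str):
    """Take the leading run of digits; a non-digit ends the string and only the
    first four digits are significant (0010 -> 10, 01234 -> 123, 12+3 -> 12)."""
    run = ""
    for ch in s:
        if ch not in DIGITS:
            break
        run += ch
    run = run[:4]
    return int(run) if run else None


def resolve_vlan(tpgid: bytes, vlan_names=None, allowed_vlans=None):
    """Return the VLAN ID the Switch would derive from a Tunnel-Private-Group-ID
    value, or None when assignment fails. vlan_names maps a VLAN name configured with
    the name configuration command to the VLAN IDs carrying it (format (3): the smallest
    ID wins). allowed_vlans, if given, is the post-authentication VLAN list outside of
    which legacy-mode authentication fails."""
    s = strip_tag(tpgid).decode("ascii", errors="replace")
    fmt = select_format(s)
    if fmt in (1, 2):
        if " " in s:
            return None  # a space in the string makes VLAN assignment fail
        vid = vlan_id_from_digits(s if fmt == 1 else s[4:])
    else:
        ids = (vlan_names or {}).get(s)
        vid = min(ids) if ids else None
    if vid is None or (allowed_vlans is not None and vid not in allowed_vlans):
        return None
    return vid


if __name__ == "__main__":
    # Constructed sample: two VLANs share the name Authen_VLAN (from the table's example).
    names = {"Authen_VLAN": [20, 10]}
    for raw in (b"10", b"0010", b"01234", b"12+3", b"VLAN10", b"\x01VLAN10",
                b"VLAN 10", b"Authen_VLAN", b"Other"):
        print(raw, "->", resolve_vlan(raw, vlan_names=names))
```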
Table 8-17: Attributes used for RADIUS accounting functionality
Attribute name (Type value): Description
User-Name (1): User ID to be authenticated
NAS-IP-Address (4): IP address of the Switch seeking authentication. The IP address of the smallest VLAN ID among the VLAN interfaces where IP addresses are registered is used.
NAS-Port (5):
  • Fixed VLAN mode: Authenticated IfIndex by authentication
  • Dynamic VLAN mode: Authenticated IfIndex by authentication
  • Legacy mode: 4296
Service-Type (6): Service type to be provided. Framed(2) static.
Calling-Station-Id (31): The MAC address of the authenticated terminal (lowercase ASCII#, hyphen (-) delimited)
NAS-Identifier (32):
  • Fixed VLAN mode: VLAN ID of the VLAN where the terminal seeking authentication is attached (for VLAN10: 10)
  • Dynamic VLAN mode: Character string configured by the hostname configuration command
Acct-Status-Type (40): Type of accounting request. Start(1), Stop(2).
Acct-Delay-Time (41): Accounting information (transmission delay time) (in seconds)
Acct-Input-Octets (42): Accounting information (the number of received octets). (0) static.
Acct-Output-Octets (43): Accounting information (the number of sent octets). (0) static.
Acct-Session-Id (44): ID to identify accounting information
Acct-Authentic (45): Authentication method. RADIUS(1), Local(2).
Acct-Session-Time (46): Accounting information (session duration time). (0) static.
Acct-Input-Packets (47): Accounting information (the number of received packets). (0) static.
Acct-Output-Packets (48): Accounting information (the number of sent packets). (0) static.
Acct-Terminate-Cause (49): Accounting information (cause of session termination). See Table 8-18 Disconnection causes in Acct-Terminate-Cause.
NAS-Port-Type (61): Type of the physical port used for authentication by the terminal. Virtual(5) static.
NAS-Port-Id (87): Character string to identify ports, where x and y are replaced with numbers:
  • Fixed VLAN mode: Port x/y
  • Dynamic VLAN mode: Port x/y
  • Legacy mode: DVLAN x
# Although the Switch uses the MAC address of Calling-Station-Id in lowercase, you can change the characters a to f in the MAC address to uppercase using the radius-server attribute station-id capitalize configuration command.
Table 8-18: Disconnection causes in Acct-Terminate-Cause

User Request (type value 1)
  Disconnected due to a logout request on the Web authentication page.
  Disconnected because the terminal was detected to have moved.
Idle Timeout (type value 4)
  Disconnected because no communication took place for a certain period of time.
Session Timeout (type value 5)
  Disconnected because the session period expired.
Admin Reset (type value 6)
  Disconnected by the administrator.
  • When the web-authentication port is deleted from the configuration
  Also includes disconnections caused by configuration changes for other authentication functionality and by operation commands.
Port Preempt (type value 13)
  The session was terminated to provide service to a user with higher priority.
  When users are switched, the user being switched from is logged out (when the web-authentication user replacement configuration command is configured).
Port Reinitialized (type value 21)
  The MAC state of the port is re-initialized.
  • When the link to the port goes down
  • When the VLAN is deleted from the port in the configuration
  • When shutdown is configured in the configuration
  • When the inactivate operation command is executed
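As an added example (not part of this manual and not the Switch's software), the following Python script builds and verifies a RADIUS Accounting-Request carrying the attributes of Table 8-17 and maps the Acct-Terminate-Cause values of Table 8-18 when summarising a Stop record. It is the kind of check a RADIUS-side operator can run to validate the accounting records the Switch sends, including the lowercase, hyphen-delimited Calling-Station-Id format noted above. The shared secret, IP address, session ID and MAC address are constructed sample values.

```python
"""RADIUS Accounting-Request (RFC 2866) encoder/decoder for the attributes of
Table 8-17 and the Acct-Terminate-Cause values of Table 8-18.  Added example,
not ALAXALA code; secret, addresses, session ID and MAC are constructed."""
import hashlib
import ipaddress
import re
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code
# Attribute type values as listed in Table 8-17.
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Service-Type": 6,
        "Calling-Station-Id": 31, "NAS-Identifier": 32, "Acct-Status-Type": 40,
        "Acct-Delay-Time": 41, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
        "Acct-Session-Id": 44, "Acct-Authentic": 45, "Acct-Session-Time": 46,
        "Acct-Input-Packets": 47, "Acct-Output-Packets": 48,
        "Acct-Terminate-Cause": 49, "NAS-Port-Type": 61, "NAS-Port-Id": 87}
NAME_OF = {v: k for k, v in ATTR.items()}
INTEGER_ATTRS = {5, 6, 40, 41, 42, 43, 45, 46, 47, 48, 49, 61}  # 4-octet integers
# Acct-Terminate-Cause values from Table 8-18.
TERMINATE_CAUSE = {1: "User Request", 4: "Idle Timeout", 5: "Session Timeout",
                   6: "Admin Reset", 13: "Port Preempt", 21: "Port Reinitialized"}
# Calling-Station-Id as the Switch sends it: lowercase hex, hyphen delimited.
STATION_ID_RE = re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$")


def encode_attr(type_id, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if type_id in INTEGER_ATTRS:
        data = struct.pack("!I", value)
    elif type_id == ATTR["NAS-IP-Address"]:
        data = ipaddress.IPv4Address(value).packed
    else:
        data = value.encode("ascii")
    if not 0 < len(data) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", type_id, len(data) + 2) + data


def build_accounting_request(identifier, secret, attrs):
    """Return the packet bytes.  Per RFC 2866 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(ATTR[name], value) for name, value in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def decode_accounting_request(packet, secret):
    """Verify the Request Authenticator and return attributes keyed by name
    (unknown types are keyed by their number)."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    if authenticator != hashlib.md5(header + bytes(16) + body + secret).digest():
        raise ValueError("Request Authenticator mismatch (wrong shared secret?)")
    attrs, pos = {}, 0
    while pos < len(body):
        type_id, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("truncated attribute")
        data = body[pos + 2:pos + alen]
        if type_id in INTEGER_ATTRS:
            value = struct.unpack("!I", data)[0]
        elif type_id == ATTR["NAS-IP-Address"]:
            value = str(ipaddress.IPv4Address(data))
        else:
            value = data.decode("ascii")
        attrs[NAME_OF.get(type_id, type_id)] = value
        pos += alen
    return attrs


def describe_stop(attrs):
    """Summarise a Stop record (Acct-Status-Type 2); None for anything else.
    Flags a Calling-Station-Id that is not in the Switch's lowercase form."""
    if attrs.get("Acct-Status-Type") != 2:
        return None
    mac = attrs.get("Calling-Station-Id", "")
    return {"user": attrs.get("User-Name"), "mac": mac,
            "mac_format_ok": STATION_ID_RE.match(mac) is not None,
            "port": attrs.get("NAS-Port-Id"),
            "cause": TERMINATE_CAUSE.get(attrs.get("Acct-Terminate-Cause"), "unknown")}


# Constructed sample: Stop record for a fixed VLAN mode session on Port 0/1.
SECRET = b"example-shared-secret"
SAMPLE_STOP = build_accounting_request(7, SECRET, [
    ("User-Name", "user01"), ("NAS-IP-Address", "192.0.2.1"), ("NAS-Port", 1),
    ("Service-Type", 2),                          # Framed(2), fixed
    ("Calling-Station-Id", "00-11-22-aa-bb-cc"),
    ("NAS-Identifier", "10"),                     # fixed VLAN mode: terminal's VLAN ID
    ("Acct-Status-Type", 2), ("Acct-Session-Id", "0000000a"),
    ("Acct-Authentic", 1), ("Acct-Terminate-Cause", 4),  # RADIUS(1), Idle Timeout
    ("NAS-Port-Type", 5), ("NAS-Port-Id", "Port 0/1")])

if __name__ == "__main__":
    print(describe_stop(decode_accounting_request(SAMPLE_STOP, SECRET)))
```

The authenticator check matters on the receiving side: an Accounting-Request whose authenticator does not verify under the configured shared secret should be discarded rather than logged as a session event, which the decoder enforces by raising before any attribute is parsed.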
(b) Information configured in the RADIUS server
Before using the RADIUS authentication method, configure the user ID, password, and VLAN
ID for each user in the RADIUS server. For details about how to configure the information in the
RADIUS server, see the manual of the RADIUS server you are using. The following shows an
example of configuring VLAN information for each user in the RADIUS server:
• For fixed VLAN mode: the VLAN ID of the VLAN to which the terminal seeking authentication is attached is 20.
• For dynamic VLAN mode and legacy mode: the post-authentication VLAN is 400.
• Configuration using the name configuration command: GroupA-Network
Table 8-19: Example of configuring the RADIUS server

User-Name
  User ID for authentication.
  Number of characters: 1 to 128
  Available characters: character codes 0x21 to 0x7E#
Auth-Type
  Local
User-Password
  Password for the user seeking authentication.
  Number of characters: 1 to 32
  Available characters: character codes 0x21 to 0x7E#
Tunnel-Type
  Virtual VLAN (value 13)
NAS-Identifier
  For fixed VLAN mode: 20
  Configure the VLAN ID of the VLAN to which the terminal seeking authentication is attached, in numeric characters.
Tunnel-Medium-Type
  IEEE-802 (value 6)
Tunnel-Private-Group-ID
  For dynamic VLAN mode and legacy mode, use any of the following formats:
  • 400
    Configure the post-authentication VLAN ID in numeric characters.
  • VLAN0400
    Configure the post-authentication VLAN ID in numeric characters immediately after the character string VLAN.
  • GroupA-Network
    Character string indicating the VLAN name configured using the name configuration command.
Authentication method
  PAP

#
For details about the characters in the character code range, see List of character codes in the manual Configuration Command Reference.
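The following Python code is an added example, not code from this manual or from the Switch. It shows how a RADIUS-side checker can interpret the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID values of Table 8-19 in the three accepted formats (400, VLAN0400, or a VLAN name) and test the resolved VLAN against the Switch-side conditions that, when violated, produce error 33 in Table 8-20 (VLAN not in the Web authentication definition, not a MAC VLAN, no VLAN interface, conflict with the native VLAN). The Switch-side state (VLAN names, Web authentication VLAN list, MAC VLAN set, VLAN interfaces, native VLAN) is constructed, and the handling of the RFC 2868 tag octet is an assumption about how the RADIUS server encodes the attributes.

```python
"""Interpret the tunnel attributes of Table 8-19 and check the resolved VLAN
against the Switch-side conditions behind error 33 (Table 8-20).  Added
example, not ALAXALA code; the Switch-side state below is constructed."""
import re

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type "Virtual VLAN" (Table 8-19)
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type "IEEE-802" (Table 8-19)


def strip_tag(value):
    """Drop the optional RFC 2868 tag octet (0x00-0x1F) that RADIUS servers may
    prepend to tunnel attributes (assumption: tag handling as in RFC 2868)."""
    return value[1:] if value and value[0] <= 0x1F else value


def resolve_group_id(group_id, vlan_names):
    """Map Tunnel-Private-Group-ID to a VLAN ID using the three formats the
    Switch accepts: "400", "VLAN0400", or a name set with the name command."""
    text = strip_tag(group_id).decode("ascii", errors="replace")
    match = re.fullmatch(r"(?:VLAN)?(\d{1,4})", text)
    if match:
        vlan = int(match.group(1))
        if 1 <= vlan <= 4094:
            return vlan
        raise ValueError(f"VLAN ID out of range: {text}")
    if text in vlan_names:
        return vlan_names[text]
    raise ValueError(f"unknown VLAN name: {text!r}")


def tunnel_int(attrs, type_id):
    """Integer value of a tagged tunnel attribute (3 octets after the tag)."""
    return int.from_bytes(strip_tag(attrs.get(type_id, b"")), "big")


def check_dynamic_vlan_accept(attrs, switch):
    """Return (vlan_id, problems) for an Access-Accept in dynamic VLAN mode.
    Each problem mirrors one cause of error 33; an empty list means usable."""
    problems = []
    if tunnel_int(attrs, 64) != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is not Virtual VLAN (13)")
    if tunnel_int(attrs, 65) != TUNNEL_MEDIUM_IEEE802:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    if 81 not in attrs:
        return None, problems + ["Tunnel-Private-Group-ID missing"]
    try:
        vlan = resolve_group_id(attrs[81], switch["vlan_names"])
    except ValueError as exc:
        return None, problems + [str(exc)]
    if vlan not in switch["web_auth_vlans"]:
        problems.append("post-authentication VLAN is not in the Web authentication definition")
    if vlan not in switch["mac_vlans"]:
        problems.append("post-authentication VLAN is not a MAC VLAN")
    if vlan not in switch["vlan_interfaces"]:
        problems.append("no VLAN interface is assigned to the post-authentication VLAN")
    if vlan == switch["native_vlan"]:
        problems.append("post-authentication VLAN conflicts with the port's native VLAN")
    return vlan, problems


# Constructed Switch-side state: VLAN names, Web authentication VLANs, MAC VLANs,
# VLANs that have an interface, and the authentication port's native VLAN.
SWITCH = {"vlan_names": {"GroupA-Network": 400}, "web_auth_vlans": {400, 500},
          "mac_vlans": {400, 500}, "vlan_interfaces": {400}, "native_vlan": 10}


def make_accept(group_id, tag=b"\x01"):
    """Constructed Access-Accept attributes keyed by type (64, 65, 81)."""
    return {64: tag + (13).to_bytes(3, "big"), 65: tag + (6).to_bytes(3, "big"),
            81: tag + group_id}


if __name__ == "__main__":
    for gid in (b"400", b"VLAN0400", b"GroupA-Network", b"500", b"10"):
        print(gid, check_dynamic_vlan_accept(make_accept(gid), SWITCH))
```

Running the script shows the three Table 8-19 formats all resolving to VLAN 400 with no problems, VLAN 500 failing only because it has no VLAN interface, and VLAN 10 failing on every check because it is the port's native VLAN and is not defined for Web authentication.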
8.7 Authentication error messages
The following figure shows the format of the error messages displayed on the authentication error page.
Format of authentication error messages:
The table below describes the cause of each authentication error you might encounter.
Table 8-20: Authentication error messages and their causes

Error message: User ID or password is wrong. Please enter correct user ID and password.
  Error no. 11: You did not specify a user ID.
  Error no. 12: The length of the login user ID exceeded the maximum number of characters.
  Error no. 13: You did not specify a password.
  Error no. 14: The specified user ID is not registered in the internal Web authentication DB.
  Error no. 15: The length of the password exceeded the maximum number of characters, or the password is not registered.
  Error no. 22: An attempt to log in again from an authenticated terminal using local authentication failed because the user entered the wrong password.
Error message: RADIUS: Authentication reject.
  Error no. 31: A response other than Accept was received from the RADIUS server. A rejection or challenge triggers this error.
Error message: RADIUS: No authentication response.
  Error no. 32: No response was received from the RADIUS server. This error is triggered if communication with the RADIUS server times out or the RADIUS server is not configured.
Error message: You cannot login by this machine.
  Error no. 33: The possible causes are as follows:
    • The post-authentication VLAN specified by the RADIUS server does not appear in the Web authentication definition.
    • The post-authentication VLAN in dynamic VLAN mode is not a MAC VLAN.
    • The post-authentication VLAN in legacy mode is not a MAC VLAN of the port.
    • No VLAN interface is assigned to the post-authentication VLAN.
    • The VLAN configured in the RADIUS attribute on the RADIUS server conflicts with the native VLAN of the port used for authentication.
    • The VLAN configured in the RADIUS attribute on the RADIUS server conflicts with the VLAN configured using the switchport mac dot1q vlan configuration command.
  Error no. 34: An attempt to log in again from an authenticated terminal using RADIUS authentication failed because a response other than Accept was received from the RADIUS server. This error is triggered when the response is a rejection or challenge.
  Error no. 35: The possible causes are as follows:
    • The port is not configured for fixed VLAN mode or dynamic VLAN mode.
    • Because dynamic VLAN mode and legacy mode of IEEE 802.1X, Web authentication, or MAC-based authentication coexist on the same port, authentication in legacy mode is not possible.
    • The link to the authentication port to which the terminal is connected has gone down.
  Error no. 36: The VLAN containing the authenticated terminal has been suspended.
  Error no. 37: In RADIUS authentication, the authentication failed because the number of users logged in exceeded the capacity of the device.
  Error no. 41: A login request was received under a different user ID from a terminal having the same MAC address.
  Error no. 42: The possible causes are as follows:
    • The VLAN ID configured in the internal Web authentication DB does not appear in the Web authentication definition.
    • The post-authentication VLAN in dynamic VLAN mode is not a MAC VLAN.
    • The post-authentication VLAN in legacy mode is not the MAC VLAN of the port.
    • No VLAN interface is assigned to the post-authentication VLAN.
    • The VLAN configured in the internal Web authentication DB conflicts with the native VLAN of the port used for authentication.
    • The VLAN configured in the internal Web authentication DB conflicts with the VLAN configured using the switchport mac dot1q vlan configuration command.
  Error no. 44: The possible causes are as follows:
    • The terminal has already been authenticated by different authentication functionality.
    • The MAC address has already been registered in the MAC address table by the mac-address-table static configuration command.
    • The MAC address of the terminal has already been registered in the MAC VLAN by the mac-address configuration command.
  Error no. 45: The possible causes are as follows:
    • The port is not configured for fixed VLAN mode or dynamic VLAN mode.
    • Because dynamic VLAN mode and legacy mode of IEEE 802.1X, Web authentication, or MAC-based authentication coexist on the same port, authentication in legacy mode is not possible.
    • The link to the authentication port to which the terminal is connected has gone down.
  Error no. 46: The VLAN containing the authenticated terminal has been suspended.
  Error no. 47: The authentication failed because the number of users logged in exceeded the capacity of the device.
  Error no. 77: The associated VLAN was suspended when the Switch attempted to register the MAC address of a terminal in the MAC address table. Alternatively, no interface is assigned to the VLAN.
  Error no. 78: When the MAC address was being registered in the MAC address table, the number of users logged in exceeded the capacity of the device. Alternatively, the MAC address might not be registrable in the MAC address table due to hardware restrictions.
  Error no. 101: The configuration of Web authentication is invalid.
  Error no. 103: During authentication (AUTHENTICATING), a login request was received from a terminal having the same MAC address.
  Error no. 51: The Switch could not resolve the terminal's MAC address from its IP address.
  Error no. 52: The possible causes are as follows:
    • Multistep authentication# is not available because the terminal's MAC-based authentication or IEEE 802.1X authentication has been canceled.
    • Multistep authentication is not available because another authentication has been completed.
Error message: A system error occurred. Please contact the system administrator.
  Error no. 64: The Switch could not access the RADIUS server.
Error message: A fatal error occurred. Please inform the system administrator.
  Error no. 71: An internal Web authentication error occurred. (RADIUS authentication requests exceeding the capacity occurred simultaneously.)
  Error no. 72: The Switch could not register the MAC address of the authenticated terminal in the MAC VLAN.
  Error no. 74: An error occurred when the Switch attempted to register a MAC address in the MAC address table.
  Error no. 75: An error occurred when the Switch attempted to delete a MAC address from the MAC address table.
Error message: Sorry, you cannot logout just now. Please try again after a while.
  Error no. 81: The Switch could not resolve a MAC address for the IP address of the terminal from which it received a logout request.
Error message: The client PC is not authenticated.
  Error no. 82: A logout request was received from a terminal that is not logged in.
Error message: Sorry, you cannot login just now. Please try again after a while.
Error resolution by error number
• 1x: Log in again using the correct user ID and password.
• 3x: Review the Web authentication information of the RADIUS server and the Switch.
• 4x: Review the configuration of the internal Web authentication DB.
• 5x: Repeat the login process after a while.
• 6x: Review the configuration of the RADIUS server information of the Switch.
• 7x: Check the system configuration.
• 8x: Check that the URL is correct and repeat the logout process.
• 9x: The 9x code appears when one-time password authentication is used for Web authentication. For details, see 14. One-time Password Authentication [OP-OTP].
• 101: Review the configuration of the Web authentication information of the RADIUS server and the Switch.
• 103: Check that the login process is completed with another Web browser page.
#: For details about multistep authentication, see 12. Multistep Authentication.
8.8 Notes on Web authentication
8.8.1 Notes common to the authentication modes
(1) Using a Web authentication IP address and URL redirection functionality
[Fixed VLAN mode] [Dynamic VLAN mode]
Users can log in using a Web authentication IP address or using the URL redirection functionality. Either way, both the local authentication method and the RADIUS authentication method are available for authentication. Therefore, you must configure a Web authentication IP address, URL redirection, or both.
(2) Using the URL redirection functionality
[Fixed VLAN mode] [Dynamic VLAN mode]
(a) Setting an IP address
To use the URL redirection, always set an IP address in the VLAN.
(b) Restrictions on using the functionality in a proxy environment
If all the following conditions are met when the functionality is used, the terminal cannot be
authenticated because the Web authentication login page is not displayed on the terminal.
• A proxy is configured for the network.
• URL redirection is enabled. (The web-authentication redirect enable configuration command is the default.)
• HTTPS is specified as the Web authentication login page protocol for URL redirection. (The web-authentication redirect-mode configuration command is the default.)
In this case, configure the following on the Switch and on the terminal seeking authentication.
• Switch side: Configure a Web authentication IP address.
• Terminal seeking authentication side: Configure the Web authentication IP address as a proxy exception address.
(c) External URL access via HTTPS from an unauthenticated terminal
When accessing a URL via HTTPS from an unauthenticated terminal, if the domain name of the
certificate registered on the Switch does not match that of the terminal, a warning message
indicating certificate mismatching appears on the Web browser. Even in that case, if you select
the Continue operation, the Web authentication Login page is displayed and you can proceed
with login processing.
(d) Access port (port waiting for TCP) number for Web authentication
The Switch does not support the specification of an access port for Web authentication.
The web-authentication redirect tcp-port and web-authentication web-port
configuration commands are specified for use with the URL redirection functionality.
(3) Setting the IP address lease time from the DHCP server
When using a DHCP server to assign unauthenticated IP addresses to terminals seeking authentication, specify as short a lease time as possible for the IP addresses assigned by the DHCP server. The smallest lease time the internal DHCP server allows is 10 seconds. However, specifying such a small value in an environment with a large number of users can place a heavy load on the Switch. Consider this when setting the lease time.
(4) When changing the internal Web authentication DB
Additions and changes made to the internal Web authentication DB using operation commands do not apply to currently authenticated users. The updates take effect from the next login.
(5) When restarting Web authentication by restarting the Switch
If the Switch is restarted, all current authentications are canceled. In this case, perform authentication again manually from the terminals after the Switch restarts.
(6) Setting the maximum connection time
When the maximum connection time is shortened or extended using the web-authentication max-timer configuration command, the change does not apply to currently authenticated users. The setting takes effect from the next login.
(7) Note on extending the authentication connection time
When a user logs in again from an already authenticated terminal, the authentication time is extended if local authentication (or RADIUS authentication when RADIUS authentication is used) succeeds. If the authentication fails, the time is not extended.
(8) Terminal IP address after logout
[Dynamic VLAN mode] [Legacy mode]
After the terminal logs out (logout through the Web page, forced logout because the connection time was exceeded, or forced logout due to an aging timeout of the MAC address table), change the terminal's IP address back to the IP address the terminal had before authentication.
• If the address was set manually, manually set the terminal's IP address back to the address it had before authentication.
• If a DHCP server is used, release the terminal's IP address and then have the DHCP server re-assign an IP address to the terminal. (Example: on Windows, run ipconfig /release from the command prompt, and then run ipconfig /renew.)
(9) Notes if communication with the RADIUS server is disconnected
If communication with the RADIUS server used for Web authentication is disconnected, or if the RADIUS server configured using the radius-server host configuration command does not exist, authentication processing takes time because, for each login request, the Switch waits for a timeout (the period set using the radius-server timeout configuration command) and then re-sends the request to the RADIUS server (the number of re-sends is set using the radius-server retransmit configuration command).
Also, if multiple RADIUS servers are configured, the Switch accesses the servers for each login in the order specified by the radius-server host configuration command. Therefore, if the link to a RADIUS server configured earlier in that order goes down due to a failure or other reason, authentication processing takes time.
In this case, stop the Web authentication login process, configure the correct RADIUS server again using the radius-server host configuration command, and then perform the login processing.
(10) Using the forced authentication port
This functionality might cause security problems. Carefully consider this factor when using the functionality.
1. This functionality supports only the RADIUS authentication method.
   When forced authentication is used, set only RADIUS authentication as the authentication method. If both local and RADIUS authentication are set as follows, you can set forced authentication.
   • aaa authentication web-authentication default group radius local
   • aaa authentication web-authentication default local group radius
2. Although the Switch provides forced authentication functionality both common to all authentication methods and specific to Web authentication, the two cannot be configured simultaneously. Use the functionality by referring to (4) Interoperability of this functionality and forced authentication of each authentication method in 5.4.6 Forced authentication common to all authentication modes.
(11) Restriction when using roaming with DHCP snooping
[Fixed VLAN mode] [Dynamic VLAN mode]
When the DHCP snooping functionality is used with the web-authentication static-vlan roaming and web-authentication roaming configuration commands set, if an authenticated terminal is moved to another port, the authentication status is transferred to the port to which the terminal was moved, but the terminal cannot communicate because the binding database is not updated.
(12) Moving between ports and the maximum number of authenticated users
[Fixed VLAN mode] [Dynamic VLAN mode]
The Switch checks the maximum number of authenticated users only for newly authenticated users. Because of this, if an authenticated terminal moves between ports, the Switch does not check the maximum number of authenticated users at the port to which the terminal moved.
(13) Connecting devices between the terminal and the Switch
Do not connect a proxy server or router under the Switch.
If the terminal undergoing authentication is behind a device (such as a proxy server or router) that substitutes its own MAC address in outgoing packets, the Switch will identify the MAC address of the device as belonging to the terminal. This results in an inability to control authentication at the level of individual terminals.
Be careful when connecting a hub without inter-port relay-blocking functionality or a wireless LAN downstream from the Switch. PCs attached to that hub or wireless LAN will be able to communicate with each other regardless of their authentication status.
Figure 8-20: Connections between the Switch and terminals
8.8.2 Notes on using fixed VLAN mode
(1) Ports in fixed VLAN mode
Only ports that have an Ethernet interface can operate in fixed VLAN mode.
In fixed VLAN mode, Web authentication can be processed for tagged frames at an access port or trunk port, and at a MAC port where tagged frame relay has been enabled (by the switchport mac dot1q vlan configuration command).
(2) Using the internal DHCP server of the Switch
In fixed VLAN mode, the internal DHCP server of the Switch cannot be used. Prepare an external DHCP server.
8.8.3 Notes on using dynamic VLAN mode and legacy mode
(1) Notes on configuring the aging time of MAC address learning
Note that if the aging time of the MAC address table is set to a short value and a terminal is not used for a while, the terminal is forcibly logged out. Set the no web-authentication auto-logout configuration command to prevent forced logout.
(2) When receiving no communication from the terminal after switching to the post-authentication VLAN
If no communication is received from the terminal after it is switched to the post-authentication VLAN, its MAC address is not learned. In this case, because the MAC address is not registered in the MAC address table regardless of the authentication status, the terminal is forcibly logged out. Be sure to have the terminal communicate after it is authenticated. Set the no web-authentication auto-logout configuration command to prevent forced logout.
(3) Interoperability between legacy mode and multistep authentication
There is no interoperability between legacy mode and multistep authentication. When using legacy mode, check that multistep authentication is not configured.
8.9 Replacing Web authentication pages
The following terms are used for the file set types and the authentication page types handled by the Switch's functionality for replacing Web authentication pages.
Table 8-21: Terms used for the functionality of replacing Web authentication pages

File set
  Generic term for a directory storing the HTML files (login.html, logout.html, etc.) required for performing Web authentication.
  Default file set
    Directory stored in the initial status on the Switch; all the HTML files in the directory are in the initial status.
  Custom file set
    Directory storing user-created HTML files for Web authentication.
Authentication page
  Basic Web authentication page
    The standard Web authentication page displayed when usual Web authentication is executed. For the basic Web authentication page, the Switch contains a default file set that can be replaced with a custom file set. (This is the authentication page usually used for Web authentication on the Switch.)
  Individual Web authentication page
    Web authentication page displayed when a specific condition is met, after the condition has been associated with a custom file set. The Switch does not contain a default file set for adding an individual Web authentication page; a custom file set is used to add the page. (This is the authentication page used when specifying an individual Web authentication page per port of the Switch.)

8.9.1 Replacing Web authentication pages
Use an external device (a PC) to create the pages that appear during the Web authentication process, such as the login and logout pages (hereafter referred to as Web authentication pages), and use the set web-authentication html-files operation command to replace the pages on the Switch as a custom file set. The pages you can replace are listed below.
Table 8-22: Replaceable page files

Login page: login.html (required for the custom file set at the time of replacement)
Logout page: logout.html
Login success page: loginOK.html
Login failed page: loginNG.html
Logout completed page: logoutOK.html
Logout failed page: logoutNG.html
Authentication-in-progress page: loginProcess.html (used for one-time password authentication#)
Icon: favicon.ico

#
When using one-time password authentication, the authentication-in-progress page can be treated as a replaceable file. For details about the authentication-in-progress page file, see 14. One-time Password Authentication [OP-OTP].
Register the basic Web authentication page and the individual Web authentication page shown in Table 8-21 Terms used for the functionality of replacing Web authentication pages on the Switch as custom file sets.
• Custom file set of the basic Web authentication page
  Use the set web-authentication html-files operation command to register the specified RAMDISK file set on the Switch and replace the basic authentication page currently in operation with the page files of the file set. You can also register image files such as GIF files together with the page files.
• Custom file set of the individual Web authentication page
  Use the set web-authentication html-files operation command to register the file set on the Switch in the same way as for the basic Web authentication page. However, register the file set individually with the file set name specified by the html-fileset parameter.
The following figure shows the procedure for registering a custom file set saved on a memory card as an individual Web authentication page. For individual Web authentication pages, you can register up to four file sets in addition to the basic Web authentication page.
Figure 8-21: Procedure of registering a custom file set
1. Copy custom file set 1 (defaultfile) from the memory card to the RAMDISK of the Switch using the copy operation command.
2. Because defaultfile is used as the basic Web authentication page, specify the file set name defaultfile that was copied to the RAMDISK. (set web-authentication html-files ramdisk defaultfile)
   The files that are not included in the custom file set ((B) and (C) in the above figure) are supplied from the default file set.
3. Copy custom file set 2 (filesetAAA) to the RAMDISK of the Switch using the copy operation command.
4. Because filesetAAA is used as an individual Web authentication page, specify the file set name filesetAAA copied to the RAMDISK together with the file set name under which it is registered on the Switch (FILESETAAA in the figure). (set web-authentication html-files ramdisk filesetAAA html-fileset FILESETAAA)
   The files that are not included in the custom file set ((B) in the above figure) are supplied from the default file set.
Note that during registration the command checks only the size of the file, not its contents. Make sure that the HTML and image files in the folder you specify work correctly before you replace the default pages.
For details about the total size of custom file sets and the number of files that can be registered, see 3.2 Switch capacities in the Configuration Guide Vol. 1. Use the clear web-authentication html-files operation command to delete the Web authentication pages you have registered. In this case, the default pages are restored. You can also replace the authentication error messages listed in Table 8-20 Authentication error messages and their causes. This process also lets you replace the icon (favicon.ico) that represents the pages in the Favorites menu of the Web browser. The pages, messages, and icons registered by the set web-authentication html-files operation command are retained when the device is restarted.
For details about each file, see 8.10 Procedure for creating Web authentication pages.
8.9.2 Notes on using the Web authentication page replacement functionality
(1) Storing and changing the created Web authentication page files
Store the Web authentication page files created on a PC on external media. To change a Web authentication page file, edit the stored file and register it on the Switch.
Use the store web-authentication html-files operation command to retrieve the Web authentication page files currently in operation on the Switch. The retrieved files are temporarily stored in the RAMDISK. Transfer them to a PC via FTP or store them on a memory card using the copy operation command. (Restarting the Switch deletes the files on the RAMDISK.)
(2) Transferring the created Web authentication page file
Transfer the created Web authentication page file to the RAMDISK on the Switch, either via FTP or by copying it from the memory card with the copy operation command. After you register the file on the Switch with the set web-authentication html-files operation command, the file transferred to the RAMDISK is no longer necessary. Delete it using the del operation command. (Restarting the Switch also deletes the file on the RAMDISK.)
(3) Custom file sets when changing the version
When the Switch is changed from Ver. 2.2 or later to a version earlier than Ver. 2.2, or when a file backed up with Ver. 2.2 or later is restored on a device running a version earlier than Ver. 2.2, all registered custom file sets are deleted. That is, the custom file sets of the basic Web authentication page and of the individual Web authentication pages are all deleted, and the default file set is restored.
8.10 Procedure for creating Web authentication pages
The following are the pages you can replace using the Web authentication page replacement functionality and their corresponding file names:
• Login page (file name: login.html)
• Logout page (file name: logout.html)
• Login success page (file name: loginOK.html)
• Login failed page (file name: loginNG.html)
• Logout completed page (file name: logoutOK.html)
• Logout failed page (file name: logoutNG.html)
Create the files for each Web authentication page in HTML format.
When using one-time password authentication, use the authentication-in-progress page as the replacement file. For details about an authentication-in-progress file, see 14. One-time Password Authentication [OP-OTP].
Your customized HTML files can include client-side scripts in languages such as JavaScript. However, you cannot include code that involves server access or CGI scripts written in Perl or other languages. Note that the login page, the logout page, and the Reply-Message page must include specific code that interacts with the Web authentication interface. For details about the login page and the logout page, see 8.10.1 Login page (login.html) and 8.10.2 Logout page (logout.html), respectively.
You can replace the error messages listed in Table 8-20 Authentication error messages and their causes by creating a file with the file name given below. For details about how to create this file, see 8.10.3 Authentication error message file (webauth.msg).
• Authentication error message file (file name: webauth.msg)
You can also replace the icon that represents the pages in the bookmarks menu of the Web browser.
• Icon displayed in the Favorites menu of the Web browser (file name: favicon.ico)
Note
Make sure that the file names you assign to your replacement pages and authentication error messages match the file names given in this section.
8.10.1 Login page (login.html)
This page prompts a client to log in by entering a user ID and password.
(1) Conditions
You must include the code listed in the following table when creating an HTML file to serve as the login page.
Table 8-23: Code required in login page

Code: <form name="Login" method="post" action="/cgi-bin/Login.cgi"></form>
  Purpose: Initiates a Web authentication login process. Do not modify this code.
Code: <input name="uid" size="40" maxlength="128" autocomplete="OFF" type="text">
  Purpose: Provides a field for entering a user ID. Do not change any attributes except size and maxlength. Place this code inside the <form></form> tags. Make sure that maxlength allows for 6 or more characters.
Code: <input name="pwd" size="40" maxlength="32" autocomplete="OFF" type="password">
  Purpose: Provides a field for entering a password. Do not change any attributes except size and maxlength. Place this code inside the <form></form> tags. Make sure that maxlength allows for 6 or more characters.
Code: <input value="Login" type="submit">
  Purpose: Sends the login request to Web authentication. Do not modify this code. Place this code inside the <form></form> tags.

When creating an HTML file common to the login and logout pages, also see Table 8-24 Code required in logout page.
Note
If the login.html file contains a reference to another file, prefix the file name with a slash (/).
Example: <img src="/image_file.gif">
(2) Sample code
The following figure shows an example of the source code for a login page (login.html).
Figure 8-22: Example source code for the login page (login.html)
(3) Display example
The following figure shows an example of how the login page appears to a user. (Example of the display common to the login and logout pages)
Figure 8-23: Example of the login page
8.10.2 Logout page (logout.html)
A client who logs in using Web authentication uses this page to issue a logout request.
(1) Conditions
You must include the code listed in the following table when creating an HTML file to serve as
the logout page.
Table 8-24: Code required in logout page
Code | Purpose
<form name="Logout" action="/cgi-bin/Logout.cgi" method="post"></form> | Initiates a Web authentication logout process. Do not modify this code.
<input value="Logout" type="submit"> | Sends the logout request to Web authentication. Do not modify this code. Place this code inside the <form></form> tags.
Note
If the logout.html file contains a reference to another file, prefix the file name with a slash
(/).
Example: <img src="/image_file.gif">
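The required elements in Tables 8-23 and 8-24 are easy to break while editing a custom page (a lowercase method, a trimmed maxlength, a relative image path), and the Switch gives no diagnostic when it serves a page that no longer posts correctly to Login.cgi or Logout.cgi. The checker below, an added example that is not ALAXALA code, reads a login or combined login/logout page and reports every deviation from the two tables and from the slash-prefix note. The sample pages are constructed for this example; treating scheme-qualified URLs as acceptable references is an assumption, since the manual only addresses references to local files.

```python
"""Check a login/logout page against the required elements in Tables 8-23
and 8-24.  Added example: this is not ALAXALA code and the Switch does not
validate pages this way; it only catches mistakes before a file is uploaded."""
from html.parser import HTMLParser

# form name -> (required action, required submit button value)
FORMS = {
    "Login": ("/cgi-bin/Login.cgi", "Login"),
    "Logout": ("/cgi-bin/Logout.cgi", "Logout"),
}
# input name -> required type (login form only)
FIELDS = {"uid": "text", "pwd": "password"}
MIN_MAXLENGTH = 6          # "maxlength allows for 6 or more characters"


class _Scan(HTMLParser):
    """Collects each form with its inputs, and every src/href on the page."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form name -> {"attrs": {...}, "inputs": [...]}
        self.refs = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"attrs": a, "inputs": []}
            self.forms[a.get("name", "")] = self._cur
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append(a)
        for key in ("src", "href"):
            if key in a:
                self.refs.append(a[key])

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def check_page(html, required_forms=("Login",)):
    """Return a list of problems; an empty list means the page meets the tables."""
    scan = _Scan()
    scan.feed(html)
    problems = []
    for fname in required_forms:
        action, submit_value = FORMS[fname]
        form = scan.forms.get(fname)
        if form is None:
            problems.append(f'missing <form name="{fname}">')
            continue
        if form["attrs"].get("method", "").lower() != "post":
            problems.append(f"form {fname}: method must be post")
        if form["attrs"].get("action") != action:
            problems.append(f"form {fname}: action must be {action}")
        by_name = {i.get("name"): i for i in form["inputs"]}
        if fname == "Login":
            for field, ftype in FIELDS.items():
                inp = by_name.get(field)
                if inp is None:
                    problems.append(f'form Login: missing <input name="{field}">')
                    continue
                if inp.get("type", "").lower() != ftype:
                    problems.append(f"input {field}: type must be {ftype}")
                if inp.get("autocomplete", "").upper() != "OFF":
                    problems.append(f"input {field}: autocomplete must be OFF")
                maxlength = inp.get("maxlength", "")
                if not maxlength.isdigit() or int(maxlength) < MIN_MAXLENGTH:
                    problems.append(
                        f"input {field}: maxlength must allow {MIN_MAXLENGTH} or more characters")
        if not any(i.get("type", "").lower() == "submit" and i.get("value") == submit_value
                   for i in form["inputs"]):
            problems.append(f'form {fname}: missing <input value="{submit_value}" type="submit">')
    # Note in 8.10.1/8.10.2: references to other files must start with "/".
    # Treating scheme-qualified URLs as acceptable is an assumption of this example.
    for ref in scan.refs:
        if not ref.startswith("/") and "://" not in ref:
            problems.append(f"reference {ref!r} must be prefixed with /")
    return problems


# Constructed sample pages (not the manual's figures).
GOOD_PAGE = """<html><body>
<img src="/logo.gif">
<form name="Login" method="post" action="/cgi-bin/Login.cgi">
 <input name="uid" size="40" maxlength="128" autocomplete="OFF" type="text">
 <input name="pwd" size="40" maxlength="32" autocomplete="OFF" type="password">
 <input value="Login" type="submit">
</form>
<form name="Logout" action="/cgi-bin/Logout.cgi" method="post">
 <input value="Logout" type="submit">
</form>
</body></html>"""

BAD_PAGE = """<form name="Login" method="get" action="/cgi-bin/Login.cgi">
 <input name="uid" maxlength="4" type="text">
 <input name="pwd" maxlength="32" autocomplete="off" type="password">
 <input value="Login" type="submit">
</form>
<img src="image_file.gif">"""

if __name__ == "__main__":
    print(check_page(GOOD_PAGE, ("Login", "Logout")))   # []
    for problem in check_page(BAD_PAGE):
        print("BAD_PAGE:", problem)
```

Run it against every custom page file before loading a file set; the combined page is checked by passing both form names.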
(2) Sample code
The following figure shows an example of the source code for a logout page (logout.html).
Figure 8-24: Example source code for the logout page (logout.html)
(3) Display example
The following figure shows an example of how the logout page appears to a user.
Figure 8-25: Example of the logout page
8.10.3 Authentication error message file (webauth.msg)
The authentication error message file (webauth.msg) contains the messages presented to the
user when an attempt to log in or out of Web authentication fails. You can configure the Switch
to send custom error messages instead of the default messages. This process requires that you
create a file containing nine lines of data, each corresponding to a specific message as described
in the table below.
Table 8-25: Contents of the authentication error message file by line
Line no. | Content | Default message
1 | The message output when the user enters the wrong login ID or password, or when an authentication error is caused by the Web authentication DB. | User ID or password is wrong.<BR>Please enter correct user ID and password.
2 | The message output when an authentication error is caused by RADIUS. | RADIUS: Authentication reject.
3 | The message output, in an environment configured to use RADIUS authentication, when the Switch cannot establish a connection to the RADIUS server. | RADIUS: No authentication response.
4 | The message output when login fails due to an error in the Switch configuration or a conflict with other functionality. | You cannot login by this machine.
5 | The message output when a minor error occurs in a Web authentication program. | Sorry, you cannot login just now.<BR>Please try again later.
6 | The message output when a major error occurs in a Web authentication program. | A system error occurred.<BR>Please contact the system administrator.
7 | The message output when a critical error occurs in a Web authentication program. | A fatal error occurred.<BR>Please inform the system administrator.
8 | The message output when logout fails for such reasons as the CPU becoming overloaded while processing the logout request. | Sorry, you cannot logout just now.<BR>Please try again later.
9 | The message output when a user who is not logged in issues a logout request. | The client PC is not authenticated.
(1) Conditions
• If a line contains only a line break, the Switch outputs the default message for that line.
• When saving the file, specify CR+LF or LF as the line break code.
• Each line can contain a maximum of 512 single-byte characters, including HTML markup
and the line break tag <BR>. Any excess characters are ignored.
• If the authentication error message file contains more than nine lines, subsequent lines are
ignored.
(2) Key points regarding error message file creation
• The text in the authentication error message file is handled as HTML text by the Web browser.
If you include HTML markup in an error message, the message is formatted accordingly.
• Each message must occupy one line in the file. If you want to insert a line break in an error
message, use the HTML line break tag <BR>.
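The conditions above are all silent on the Switch: an empty line falls back to the default, an over-long line is cut at 512 bytes and a tenth line is dropped without any report. The following added example (not ALAXALA code) reproduces those rules on the raw bytes of a webauth.msg so the effective nine messages and any silent truncation can be seen before the file is loaded. The sample file contents are constructed; treating a missing line the same as an empty one is an assumption, since the manual only specifies the empty-line and too-many-lines cases.

```python
"""Normalize an authentication error message file (webauth.msg) according
to the conditions in 8.10.3.  Added example, not ALAXALA code: it reproduces
the documented rules so a file can be checked before it is loaded."""

# Default messages in line order (Table 8-25).
DEFAULT_MESSAGES = [
    "User ID or password is wrong.<BR>Please enter correct user ID and password.",
    "RADIUS: Authentication reject.",
    "RADIUS: No authentication response.",
    "You cannot login by this machine.",
    "Sorry, you cannot login just now.<BR>Please try again later.",
    "A system error occurred.<BR>Please contact the system administrator.",
    "A fatal error occurred.<BR>Please inform the system administrator.",
    "Sorry, you cannot logout just now.<BR>Please try again later.",
    "The client PC is not authenticated.",
]
LINE_COUNT = 9
MAX_LINE_BYTES = 512       # single-byte characters per line, markup and <BR> included


def load_messages(data):
    """Return (effective messages, warnings) for the raw bytes of webauth.msg."""
    warnings = []
    if b"\r" in data.replace(b"\r\n", b""):
        warnings.append("bare CR line break found; use CR+LF or LF")
    text = data.replace(b"\r\n", b"\n")
    lines = text.split(b"\n")
    if text.endswith(b"\n"):
        lines.pop()                          # no phantom line after the final break
    if len(lines) > LINE_COUNT:
        warnings.append(f"{len(lines) - LINE_COUNT} line(s) after line {LINE_COUNT} are ignored")
    messages = []
    for idx in range(LINE_COUNT):
        # A missing line is treated like an empty one (assumption: the manual
        # only specifies the empty-line and too-many-lines cases).
        raw = lines[idx] if idx < len(lines) else b""
        if raw == b"":
            messages.append(DEFAULT_MESSAGES[idx])
            continue
        if len(raw) > MAX_LINE_BYTES:
            warnings.append(f"line {idx + 1}: {len(raw)} bytes, excess beyond {MAX_LINE_BYTES} ignored")
            raw = raw[:MAX_LINE_BYTES]
        messages.append(raw.decode("ascii", errors="replace"))
    return messages, warnings


# Constructed sample: custom lines 1 and 3, an over-long line 4, empty lines
# for the rest, and a tenth line that the Switch ignores.
SAMPLE_FILE = (
    b"User ID or password is wrong.<BR>Check the caps-lock key and try again.\r\n"
    + b"\r\n"
    + b"RADIUS: No authentication response.<BR>Contact the help desk.\r\n"
    + b"X" * 600 + b"\r\n"
    + b"\r\n" * 5
    + b"line 10 is ignored\r\n"
)

if __name__ == "__main__":
    msgs, warns = load_messages(SAMPLE_FILE)
    for number, msg in enumerate(msgs, 1):
        print(f"{number}: {msg[:60]}")
    for w in warns:
        print("warning:", w)
```

Because the browser renders each line as HTML, the file is served content like any page in the file set: only administrators should be able to write it, and it should carry markup for layout only.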
(3) Sample code
The following figure shows an example of the source code for the authentication error message
file (webauth.msg).
Figure 8-26: Example source code for the authentication error message file (webauth.msg)
(4) Display example
The following figure shows an example of the login failed page displayed to a user who enters
the wrong password in an environment where the default authentication error message file
applies.
Figure 8-27: Example of the login failed page (invalid password)
8.10.4 Tags specific to Web authentication
(1) Types of tags specific to Web authentication
By embedding the tags specific to Web authentication in the HTML files that serve as the Web
authentication pages, you can have the Switch replace each tag with the corresponding
information when it serves the page. This lets you display information such as the login time
and error messages on the authentication pages, and also lets an application running in the Web
browser read that information from the page.
Table 8-26: Types of tags specific to Web authentication and conversion information
Tag specific to Web authentication | Example of character string after conversion | Conversion information
<!-- Login_Time --> | 2008/11/20 19:56:01 UTC | Time when login was successful
<!-- Logout_Time --> | 2008/11/20 20:56:01 UTC | Logout time#1
<!-- After_Vlan --> | 100 | VLAN ID after successful login
<!-- Error_Message --> | The user ID or password is invalid. | Error message#2
<!-- Redirect_URL --> | http://www.example.com | URL automatically displayed after successful authentication
#1: This tag has different meanings depending on the page where it appears:
Login success page: The time when auto-logout will take place when the maximum
connection time is reached.
Logout completed page: The time when the logout process was completed.
#2: The error that caused the login or logout attempt to fail.
For examples of how to use these tags, see 8.10.5 Examples of other pages.
The following table shows, for each Web authentication page, which tags the Switch converts.
Table 8-27: Web authentication pages and the tags converted on each page
Tag specific to Web authentication | Login page | Logout page | Login success page | Login failed page | Logout completed page | Logout failed page
<!-- Login_Time --> | -- | -- | Y | -- | -- | --
<!-- Logout_Time --> | -- | -- | Y | -- | Y | --
<!-- After_Vlan --> | -- | -- | Y | -- | -- | --
<!-- Error_Message --> | -- | -- | -- | Y | -- | Y
<!-- Redirect_URL --> | -- | -- | Y | -- | -- | --
Legend
Y: When the HTML file contains the tag, its information is converted.
--: Even when the HTML file contains the tag, its information is not converted.
(2) Notes
(a) The default HTML files for Web authentication
The default HTML files for Web authentication already contain the tags specific to Web
authentication, so the converted information is displayed in the Web browser. The exception is
the VLAN ID after successful login: it does not appear in the Web browser because the tag that
carries it (<!-- After_Vlan -->) is embedded in the default login success page as follows:
[HTML (loginOK.html) coded by default in the login success page]
<meta name="vlan-id" content="<!-- After_Vlan -->" />
#: The content of a meta tag is handled as additional information and is not displayed by a
common Web browser.
To display the VLAN ID after successful login in the Web browser, create your own login
success page file (loginOK.html) that places the tag in visible page content, and then replace
the default page by following the procedure in 8.9.1 Replacing Web authentication pages.
(b) Handling space characters (blank characters)
Space characters inside a tag specific to Web authentication are recognized as delimiters
between the keywords shown below (the opening <!--, the tag name, and the closing -->). A
keyword itself must not contain space characters, but one or more space characters between the
keywords are processed correctly as delimiters. Note that the maximum length of a string
recognized as a tag specific to Web authentication is 80 characters, including the opening <
and the closing >.
[Keywords]
<!--
Login_Time, Logout_Time, After_Vlan, Error_Message
-->
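The conversion rules above (the page/tag matrix of Table 8-27, the space handling and the 80-character limit in (b)) decide whether a tag in a custom page becomes information or stays behind as an invisible HTML comment. The following added example, which is not ALAXALA code, models those rules so a custom page can be previewed with the Table 8-26 sample values before it is loaded onto the Switch. The loginOK.html fragment is constructed; what the Switch emits for a tag whose value is unavailable is not documented, so the empty string used below is an assumption.

```python
"""Perform the tag conversion of 8.10.4 on a Web authentication page.
Added example, not ALAXALA code: it models the documented rules (Table 8-27
page/tag matrix, space handling and the 80-character tag limit) so a custom
page can be previewed before it is loaded onto the Switch."""
import re

# <!-- keyword -->, with any amount of whitespace between the markers and
# the keyword; the keyword itself may not contain spaces.
TAG_RE = re.compile(r"<!--\s*([A-Za-z_]+)\s*-->")
MAX_TAG_LEN = 80               # including the opening < and closing >

# Table 8-27: the tags each page converts ("Y"); all others are left as-is.
CONVERTED_ON = {
    "login.html": set(),
    "logout.html": set(),
    "loginOK.html": {"Login_Time", "Logout_Time", "After_Vlan", "Redirect_URL"},
    "loginNG.html": {"Error_Message"},
    "logoutOK.html": {"Logout_Time"},
    "logoutNG.html": {"Error_Message"},
}


def render_page(template, page, values):
    """Replace the tags that Table 8-27 marks Y for `page` with `values`.

    `values` maps keyword -> string supplied by the Switch at request time.
    Tags that are too long, unknown, or not converted on this page stay in
    the output unchanged (they remain ordinary HTML comments).
    """
    allowed = CONVERTED_ON[page]

    def substitute(match):
        keyword = match.group(1)
        if len(match.group(0)) > MAX_TAG_LEN or keyword not in allowed:
            return match.group(0)
        # What the Switch emits for an allowed tag with no value is not
        # documented; an empty string is this example's assumption.
        return values.get(keyword, "")

    return TAG_RE.sub(substitute, template)


# Constructed loginOK.html fragment; values are the Table 8-26 examples.
LOGIN_OK = """<html><head>
<meta name="vlan-id" content="<!-- After_Vlan -->" />
</head><body>
<p>Logged in at <!-- Login_Time --></p>
<p>Auto-logout at <!--   Logout_Time   --></p>
<p><!-- Error_Message --></p>
<a href="<!-- Redirect_URL -->">Continue</a>
</body></html>"""

VALUES = {
    "Login_Time": "2008/11/20 19:56:01 UTC",
    "Logout_Time": "2008/11/20 20:56:01 UTC",
    "After_Vlan": "100",
    "Error_Message": "The user ID or password is invalid.",
    "Redirect_URL": "http://www.example.com",
}

if __name__ == "__main__":
    print(render_page(LOGIN_OK, "loginOK.html", VALUES))
```

In the preview the Error_Message tag survives on the login success page exactly as Table 8-27 says it will, and a tag padded past 80 characters is not converted even though it is otherwise well-formed.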
8.10.5 Examples of other pages
This section provides sample source code for the Web authentication pages loginOK.html,
logoutOK.html, loginNG.html, and logoutNG.html.
(1) Login success page (loginOK.html)
The figures below show an example of the source code for a login success page and how the
page appears to the user.
Figure 8-28: Example source code for the login success page (loginOK.html)
Note
If the loginOK.html file contains a reference to another file, prefix the file name with a
slash (/).
Example: <img src="/image_file.gif">
Figure 8-29: Example of the login success page
(2) Logout completed page (logoutOK.html)
The figures below show an example of the source code for a logout completed page and how the
page appears to the user.
Figure 8-30: Example source code for the logout completed page (logoutOK.html)
Note
If the logoutOK.html file contains a reference to another file, prefix the file name with a
slash (/).
Example: <img src="/image_file.gif">
Figure 8-31: Example of the logout completed page
(3) Login/logout failed pages (loginNG.html/logoutNG.html)
The figures below show an example of the source code for a login or logout failed page and how
the page appears to the user.
Figure 8-32: Example source code for the login failed page (loginNG.html)
Note
If the loginNG.html or logoutNG.html file contains a reference to another file, prefix
the file name with a slash (/).
Example: <img src="/image_file.gif">
Figure 8-33: Example of the login failed page
Figure 8-34: Example of the logout failed page
8.11 Description of the internal DHCP server functionality
The internal DHCP server functionality of the Switch dynamically assigns IP addresses or
option information to DHCP clients.
8.11.1 Support specification
The following table shows the support specification of the internal DHCP server of the Switch.
The DHCP server and the clients are directly connected on the same network.
Table 8-28: Support specification of the internal DHCP server
Item | Specification
Connection configuration | DHCP clients are connected directly. DHCP clients cannot be served via a DHCP relay agent.
BOOTP server functionality | Not supported
Dynamic DNS link | Not supported
Dynamic IP address assignment functionality | Supported
Static IP address assignment functionality | Not supported
8.11.2 Information sent to clients
The following table describes the information that the Switch can send to clients. Information
handled as a DHCP option is sent only when the client requests that option in its option request
list (parameter request list, option 55); configuring the option on the Switch alone does not
cause it to be sent.
Table 8-29: List of information sent to clients
Item | Specification
IP address | An IP address available for the client.
IP address lease time | The lease time of the IP address being sent. On the Switch, the value is determined by the default-lease-time/max-lease-time parameters and the request from the client. (Option No. 51)
Subnet mask | The subnet mask of the network information specified in the configuration is used. (Option No. 1)
Router option | The IP address of the router on the client's subnet. The client uses this IP address as its gateway address. (Option No. 3)
DNS option | The IP address of a domain name server available to the client. (Option No. 6)
8.11.3 Preventing duplicate assignments of IP addresses
The DHCP server of the Switch does not send ICMP echo requests to an address before offering
it, so it cannot prevent duplicate assignment of an IP address that way. When a client reports
that an offered address is already in use by returning a decline message (DHCPDECLINE), the
Switch records it; use the show ip dhcp conflict operation command to display the addresses
for which a decline message was received.
8.11.4 Notes on using a DHCP server
This section describes the notes on using the DHCP server functionality.
(1) Default lease time of the Switch
The default lease time of the Switch is 10 seconds, and you cannot set any smaller value than that.
The setting range of the lease time is between 10 seconds and 365 days.
The maximum number of IP addresses available for assignment is 512.
9. Web Authentication Configuration and Operation
This chapter describes operation of the Web authentication functionality, which controls VLAN
access at the user level, based on credentials supplied from an ordinary Web browser.
9.1 Web authentication configuration
9.2 Configuration common to all authentication modes
9.3 Fixed VLAN mode configuration
9.4 Dynamic VLAN mode configuration
9.5 Legacy mode configuration
9.6 Internal DHCP server configuration
9.7 Operation of Web authentication
9.1 Web authentication configuration
9.1.1 List of configuration commands
The table below describes the commands used to configure Web authentication.
Table 9-1: List of configuration commands
Command | Description | F | D | L
aaa accounting web-authentication | Sends accounting information for Web authentication to an accounting server. | Y | Y | Y
aaa authentication web-authentication | Configures an authentication method group for Web authentication. | Y | Y | Y
authentication arp-relay#1 | Forces ARP frames that are from unauthenticated terminals and that are bound for other devices to be output to ports that are not subject to authentication. | Y | Y | N
authentication ip access-group#1 | Forces IP frames that are from unauthenticated terminals, that are bound for other devices, and that match an applied IPv4 access list to be output to ports that are not subject to authentication. | Y | Y | N
web-authentication authentication | Sets an authentication method list name for the port-based authentication method. | Y | Y | N
web-authentication auto-logout | Controls the automatic logout performed when no frames have been received from an authenticated terminal for a certain period of time; the no web-authentication auto-logout command disables it. | Y | Y | Y
web-authentication force-authorized vlan | Forcibly places a terminal subject to authentication in the authentication-permitted state and assigns it an authenticated VLAN when the RADIUS authentication method is used and a request to the RADIUS server fails due to a route failure. | -- | Y | Y
web-authentication html-fileset | Configures, per port, the name of the custom file set of Web authentication pages to display. | Y | Y | N
web-authentication ip address | Configures an authentication IP address and domain name. | Y | Y | Y
web-authentication jump-url | Configures a URL to display automatically after the Authentication Success page, and the time to wait before moving to that URL. | Y | Y | Y
web-authentication logout ping tos-windows | Specifies the TOS value of the special frames (ping) sent by authenticated terminals that, when received, cancel the authentication status of the corresponding MAC address. | Y | Y | Y
web-authentication logout ping ttl | Specifies the TTL value of the special frames (ping) sent by authenticated terminals that, when received, cancel the authentication status of the corresponding MAC address. | Y | Y | Y
web-authentication logout polling count | Specifies the number of times the Switch resends the monitoring frame when there is no response to a monitoring frame that periodically checks the connection status of authenticated terminals. | Y | -- | --
web-authentication logout polling enable | Controls the automatic logout performed when periodic connection monitoring detects that an authenticated terminal is no longer connected; the no web-authentication logout polling enable command disables it. | Y | -- | --
web-authentication logout polling interval | Specifies the interval of the monitoring frames that periodically check the connection status of an authenticated terminal. | Y | -- | --
web-authentication logout polling retry-interval | Specifies the interval between retransmissions of monitoring frames when there is no response. | Y | -- | --
web-authentication max-timer | Specifies the maximum connection time. | Y | Y | Y
web-authentication max-user | Specifies the maximum number of authenticated users permitted by the Switch. | -- | Y | Y
web-authentication max-user (interface) | Specifies the maximum number of authenticated users permitted on a port. | -- | Y | Y
web-authentication port#2 | Configures an authentication mode on a port. | Y | Y | --
web-authentication radius-server host | Configures RADIUS server information for Web authentication. | Y | Y | Y
web-authentication radius-server dead-interval | Configures the monitoring timer that runs before automatic recovery to the primary RADIUS server when a Web authentication RADIUS server is used. | Y | Y | Y
web-authentication redirect-mode | Configures the protocol used to display the Web authentication Login page when the URL redirect functionality is enabled. | Y | Y | --
web-authentication redirect enable | Enables the URL redirect functionality. The no web-authentication redirect enable command disables it. | Y | Y | --
web-authentication redirect tcp-port | Adds a TCP destination port number of frames subject to URL redirect on the Switch when the URL redirect functionality is enabled. | Y | Y | --
web-authentication roaming | Permits communication (roaming) when an authenticated terminal connected via a hub moves to a different port. | -- | Y | Y
web-authentication static-vlan force-authorized | Forcibly places a terminal connected to the target port and subject to authentication in the authentication-permitted state and assigns it an authenticated VLAN when the RADIUS authentication method is used and a request to the RADIUS server fails due to a route failure. | Y | -- | --
web-authentication static-vlan max-user | Specifies the maximum number of authenticated users permitted by the Switch. | Y | -- | --
web-authentication static-vlan max-user (interface) | Specifies the maximum number of authenticated users permitted on the corresponding port. | Y | -- | --
web-authentication static-vlan roaming | Permits communication (roaming) when an authenticated terminal connected via a hub moves to a different port. | Y | -- | --
web-authentication system-auth-control | Enables Web authentication. | Y | Y | Y
web-authentication user-group | Enables the user ID-based authentication method. | Y | Y | N
web-authentication user replacement | Enables authentication with a different user ID after successful authentication with the first user ID when several user IDs are used on a terminal. | Y | Y | Y
web-authentication vlan | Configures the VLAN ID to switch to dynamically after user authentication. | -- | -- | N
web-authentication web-port | Adds a TCP destination port number of frames subject to URL redirect on the Switch when the URL redirect functionality is enabled. | Y | Y | --
Legend
F: Fixed VLAN mode
D: Dynamic VLAN mode
L: Legacy mode
Y: Operates based on the configuration
--: Command can be entered but does not function
N: Command cannot be entered
#1
For more details about these configurations, see 5. Overview of Layer 2 Authentication.
#2
This command influences the switching of authentication modes.
The table below lists the internal DHCP server configuration commands.
Table 9-2: List of internal DHCP server configuration commands
Command | Description | F | D | L
default-router | Specifies the router option to distribute to a client: an IP address the client can use as its router (default router) on the subnet. Configured as part of the settings that distribute an IP address to a client. | -- | Y | Y
dns-server | Configures the domain name server option to distribute to a client. | -- | Y | Y
ip dhcp excluded-address | Specifies the range of IP addresses to exclude from distribution among those specified by the network command. | -- | Y | Y
ip dhcp pool | Configures DHCP address pool information. | -- | Y | Y
lease | Specifies the default lease time of an IP address distributed to a client. Configured as part of the settings that distribute an IP address to a client. | -- | Y | Y
max-lease | Specifies the maximum lease time allowed when a client requests an IP address with a lease time of its own. | -- | Y | Y
network | Specifies the subnet of the network from which IP addresses are distributed dynamically through DHCP. Only IP addresses whose host bits are neither all 0 nor all 1 are registered in the DHCP address pool. Configured as part of the settings that distribute an IP address to a client. | -- | Y | Y
service dhcp | Specifies the interface on which the DHCP server is enabled. Only the interface specified by this command receives DHCP packets. Configures the VLAN interface to which DHCP clients are connected, as part of the settings that distribute an IP address to a client. | -- | Y | Y
Legend
F: Fixed VLAN mode
D: Dynamic VLAN mode
L: Legacy mode
Y: Operates based on configuration
--: Command can be entered but does not function
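The pool and lease rules in 8.11 (Tables 8-28 and 8-29, and the 10 s to 365 d and 512-address limits in 8.11.4) and the network, ip dhcp excluded-address, lease and max-lease commands in Table 9-2 determine what an authenticated terminal will actually receive. The following added example, which is not ALAXALA code, models those rules so a planned pool and lease configuration can be checked before it is committed. The network and exclusion values are constructed; raising an error when a network yields more than 512 candidates, and lifting a sub-10-second client request to the minimum, are choices of this example, since the manual states the limits but not how the Switch reports exceeding them.

```python
"""Model the internal DHCP server's address pool and lease-time rules from
8.11 and the Table 9-2 commands.  Added example, not ALAXALA code: it lets
you predict what a network / ip dhcp excluded-address / lease / max-lease
configuration will hand out before you commit it."""
import ipaddress

MIN_LEASE_SECONDS = 10                   # 8.11.4: smallest lease that can be set
MAX_LEASE_SECONDS = 365 * 24 * 60 * 60   # 8.11.4: 365 days
POOL_LIMIT = 512                         # 8.11.4: maximum assignable addresses


def build_pool(network, excluded_ranges=()):
    """Addresses registered in the pool for `network` (the network command).

    Host bits all 0 (network address) and all 1 (broadcast) are never
    registered; each (low, high) range from ip dhcp excluded-address is then
    removed.  Raising on more than 512 candidates is this example's choice;
    the manual only states the limit, not how the Switch reports exceeding it.
    """
    net = ipaddress.ip_network(network, strict=True)
    excluded = set()
    for low, high in excluded_ranges:
        lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
        excluded.update(range(lo, hi + 1))
    pool = [addr for addr in net.hosts() if int(addr) not in excluded]
    if len(pool) > POOL_LIMIT:
        raise ValueError(f"{len(pool)} assignable addresses exceeds the limit of {POOL_LIMIT}")
    return pool


def lease_seconds(default_lease, max_lease, requested=None):
    """Lease time granted to a client (option 51).

    The default (lease command) applies when the client asks for nothing;
    a requested lease is capped at max-lease.  Both settings must lie in the
    Switch's 10 s .. 365 d range.  Raising a request below 10 s to the
    minimum is an assumption of this example.
    """
    for name, value in (("lease", default_lease), ("max-lease", max_lease)):
        if not MIN_LEASE_SECONDS <= value <= MAX_LEASE_SECONDS:
            raise ValueError(f"{name} {value}s is outside 10 s .. 365 d")
    if requested is None:
        return default_lease
    return max(MIN_LEASE_SECONDS, min(requested, max_lease))


if __name__ == "__main__":
    # Constructed configuration: network 192.168.1.0/24 with .1-.10 reserved
    # for the Switch and other infrastructure.
    pool = build_pool("192.168.1.0/24", [("192.168.1.1", "192.168.1.10")])
    print(len(pool), "addresses from", pool[0], "to", pool[-1])
    print("default lease:", lease_seconds(3600, 86400))
    print("client asks for 7 days:", lease_seconds(3600, 86400, 7 * 86400))
```

A short max-lease keeps the lease table of an authentication VLAN from filling with addresses held by terminals that have already logged out, which matters more here than on a general-purpose server because the pool is capped at 512 addresses.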
9.1.2 Procedure of configuration for Web authentication
Configure Web authentication following the procedure below.
Figure 9-1: Procedure for configuring Web authentication
For more details about each step, see the following:
1. Configuration common to all authentication modes
Configure the settings common to all authentication modes.
• Authentication method group and RADIUS server information configuration: 9.2.1
Authentication method group and RADIUS server information configuration
• Web authentication IP address configuration: 9.2.2 Web authentication IP address
configuration
• Auto logout condition configuration common to all authentication modes: 9.2.3 Auto
logout condition configuration common to all authentication modes
• Configuration of sending accounting information to a RADIUS server: 9.2.4
Configuration of sending accounting information
• User switching option configuration: 9.2.5 User switching option configuration
• User ID-based authentication method: 5.2.3 Authentication method list configuration
(3) Example of user ID-based authentication method configuration
• Port-based authentication method: 5.2.3 Authentication method list configuration (2)
Example of port-based authentication method configuration
2. Each authentication mode configuration
Configure each authentication mode. Some items might be common to other authentication
modes; in such cases, see the referenced sections.
• Fixed VLAN mode configuration: 9.3 Fixed VLAN mode configuration
• Dynamic VLAN mode configuration: 9.4 Dynamic VLAN mode configuration
• Legacy mode configuration: 9.5 Legacy mode configuration
3. Internal DHCP server configuration
For dynamic VLAN mode and legacy mode, the internal DHCP server of the Switch is
available.
• Internal DHCP server configuration: 9.6 Internal DHCP server configuration
4. Enabling Web authentication
Web authentication takes effect when it is enabled at the end of the configuration.
• 9.2.6 Enabling Web authentication
Each authentication mode is enabled with the following configuration.
Table 9-3: Conditions to enable each authentication mode
Common (all modes):
• aaa authentication web-authentication
• web-authentication radius-server host or radius-server
• web-authentication system-auth-control
Fixed VLAN mode, used on an access port:
• vlan <VLAN-ID-list>
• web-authentication port
• switchport mode access
• switchport access vlan
Fixed VLAN mode, used on a trunk port:
• vlan <VLAN-ID-list>
• web-authentication port
• switchport mode trunk
• switchport trunk allowed vlan
• switchport trunk native vlan
Fixed VLAN mode, used on a MAC port:
• vlan <VLAN-ID-list> or vlan <VLAN-ID-list> mac-based
• web-authentication port
• switchport mode mac-vlan
• switchport mac dot1q vlan
Dynamic VLAN mode:
• vlan <VLAN-ID-list> mac-based
• web-authentication port
• switchport mode mac-vlan
Legacy mode:
• vlan <VLAN-ID-list> mac-based
• web-authentication vlan
• switchport mode mac-vlan
• switchport mac vlan
9.2 Configuration common to all authentication modes
This section describes the configuration of each authentication mode based on the following basic
structure. In the figure below, the RADIUS server is connected to port 0/19 and the authenticated
network to port 0/20. For the port numbers connected to terminals subject to authentication, see
the configuration examples of each authentication mode.
Figure 9-2: Basic structure
9.2.1 Authentication method group and RADIUS server information configuration
(1) Authentication method group configuration
Overview
The following example shows how to configure an authentication method group for Web
authentication. Configure one Switch-default entry used in common for Web authentication and
two authentication method list entries used for the authentication ports.
1. Switch-default
This example uses the RADIUS and local authentication methods as the Switch-default
authentication methods. If RADIUS authentication fails, the Switch is configured to execute
local authentication.
• The internal Web authentication DB is used as the local authentication method. Register the
internal Web authentication DB in the Switch. See 9.7.2 Registering the internal Web
authentication DB.
2. Authentication method list
RADIUS server group information is specified for the authentication method lists as
Keneki-group1 and Keneki-group2. For authentication method lists, see 5.2.2 Authentication
method lists. For RADIUS server group information, see 5.3.1 RADIUS server information used
with the Layer 2 authentication method, and 8. Login Security and RADIUS in the
Configuration Guide Vol. 1.
Configuration command example
1. (config)# aaa authentication web-authentication default group radius local
Configures the RADIUS authentication method and the local authentication method, in that
order, as the Switch-default authentication methods.
2. (config)# aaa authentication web-authentication WEB-list1 group Keneki-group1
Configures the RADIUS server group name Keneki-group1 for the authentication method list
WEB-list1.
3. (config)# aaa authentication web-authentication WEB-list2 group Keneki-group2
Configures the RADIUS server group name Keneki-group2 for the authentication method list
WEB-list2.
Notes
• When the Switch-default configuration changes, authentication of the corresponding terminals
is canceled.
• When an authentication method list configuration changes, authentication is canceled for the
terminals on ports where the port-based authentication method or the user ID-based
authentication method is configured.
• If aaa authentication web-authentication is not configured, the local authentication
method is used.
• When using the forced authentication functionality, configure only default group radius
with the command above. Forced authentication is unavailable when the priority of RADIUS
authentication and local authentication has been configured (as shown above).
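Table 9-3 and the notes above describe conditions that the Switch does not check for you: authentication stays off until web-authentication system-auth-control is entered, a web-authentication port without a suitable switchport mode enables nothing, and forced authentication silently does not work when the Switch-default method list is anything other than group radius. The following added example, which is not ALAXALA code, audits a configuration listing for those conditions. The listing format (an interface line opening a block that ends at the next interface line or a ! separator) and the two sample listings are constructed for this example; placing web-authentication static-vlan force-authorized at interface level follows the description in Table 9-1 and 9.3.2 (5) Forced authentication port configuration.

```python
"""Audit a Web authentication configuration listing against the enabling
conditions in Table 9-3 and the notes in 9.2.1.  Added example, not ALAXALA
code; the Switch itself does no such check, which is why a wrong order or a
missing command silently leaves authentication off."""
import re

FORCED_AUTH_RE = re.compile(r"\bforce-authorized\b")
PORT_MODES = ("access", "trunk", "mac-vlan")     # Table 9-3, fixed/dynamic VLAN mode


def parse_config(text):
    """Split a listing into global lines and per-interface lines.

    Assumed layout (constructed for this example): an `interface <name>` line
    opens a block that runs until the next `interface` line or a `!` separator.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line[len("interface "):]
            interfaces.setdefault(current, [])
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return findings; an empty list means the listing satisfies the checks."""
    glob, ifaces = parse_config(text)
    findings = []

    def present(prefix):
        return any(line.startswith(prefix) for line in glob)

    if not present("web-authentication system-auth-control"):
        findings.append("web-authentication system-auth-control missing: Web authentication is not enabled")
    default = next((l for l in glob
                    if l.startswith("aaa authentication web-authentication default ")), None)
    if default is None:
        findings.append("aaa authentication web-authentication default ... missing")
    elif "radius" in default and not (present("web-authentication radius-server host")
                                      or present("radius-server host")):
        findings.append("RADIUS method configured but no RADIUS server information")

    # 9.2.1 note: forced authentication needs exactly `default group radius`.
    all_lines = glob + [l for lines in ifaces.values() for l in lines]
    if any(FORCED_AUTH_RE.search(l) for l in all_lines):
        methods = default.split("default ", 1)[1].strip() if default else ""
        if methods != "group radius":
            findings.append("forced authentication requires 'aaa authentication "
                            f"web-authentication default group radius' only (found '{methods}')")

    for name, lines in ifaces.items():
        if "web-authentication port" not in lines:
            continue
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode not in PORT_MODES:
            findings.append(f"{name}: web-authentication port needs switchport mode access, trunk or mac-vlan")
        elif mode == "access" and not any(l.startswith("switchport access vlan ") for l in lines):
            findings.append(f"{name}: access port lacks switchport access vlan")
        elif mode == "trunk" and not all(any(l.startswith(p) for l in lines) for p in
                                         ("switchport trunk allowed vlan", "switchport trunk native vlan")):
            findings.append(f"{name}: trunk port lacks switchport trunk allowed vlan / native vlan")
    return findings


# Constructed listings.  Interface-level placement of static-vlan
# force-authorized follows 9.3.2 (5) "Forced authentication port configuration".
GOOD_CONFIG = """\
aaa authentication web-authentication default group radius
web-authentication radius-server host 192.168.10.201 key "web-auth"
web-authentication system-auth-control
vlan 30
!
interface fastethernet 0/3
 switchport mode access
 switchport access vlan 30
 web-authentication port
 web-authentication static-vlan force-authorized
!
"""

BAD_CONFIG = """\
aaa authentication web-authentication default group radius local
web-authentication radius-server host 192.168.10.201 key "web-auth"
vlan 30
!
interface fastethernet 0/3
 switchport mode access
 switchport access vlan 30
 web-authentication port
 web-authentication static-vlan force-authorized
!
interface fastethernet 0/4
 web-authentication port
!
"""

if __name__ == "__main__":
    print("good:", audit(GOOD_CONFIG))
    for finding in audit(BAD_CONFIG):
        print("bad:", finding)
```

The second listing reproduces the three mistakes the surrounding text warns about: authentication never enabled, forced authentication combined with a RADIUS-then-local method list, and an authentication port with no switchport mode.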
(2) RADIUS server information configuration
(a) When using a Web authentication RADIUS server
Overview
Configure the authentication RADIUS server information used only with Web authentication.
Configure the IP address and RADIUS key to enable a server entry. If you configure only the IP
address with the web-authentication radius-server host command, no Web-authentication-specific
RADIUS key is used; see the Notes below for how the key is then determined. Also configure the
monitoring timer (dead-interval) used for automatic recovery when the Web authentication
RADIUS server is unavailable, as in this example.
Configuration command example
1. (config)# web-authentication radius-server host 192.168.10.201 key "web-auth"
Configures the IP address and the RADIUS key of a RADIUS server used only in Web
authentication. Because auth-port, acct-port, timeout, and retransmit are omitted, their initial
values apply.
2. (config)# web-authentication radius-server dead-interval 15
Configures the monitoring timer (dead-interval) to 15 minutes before automatic recovery when the
configured Web authentication RADIUS server is unavailable.
Notes
• If Web authentication RADIUS server information has not been configured, the general RADIUS
server information is used. If neither Web authentication RADIUS server information nor general
RADIUS server information has been configured, RADIUS authentication cannot be executed.
• Up to four entries of Web authentication RADIUS server information can be configured on the
Switch.
• If the RADIUS key, number of retransmissions, and response timeout period are not configured,
the values configured with the radius-server key, radius-server retransmit, and
radius-server timeout configuration commands are used.
• The RADIUS key is the shared secret that protects the exchange with the server; use a long,
random value rather than a short word like the "web-auth" placeholder in this example.
(b) When using a general RADIUS server
For the general RADIUS server configuration, see 8. Login Security and RADIUS in the
Configuration Guide Vol. 1.
9.2.2 Web authentication IP address configuration
Overview
Configure an IP address and domain name exclusive to Web authentication.
Configuration command example
1. (config)# web-authentication ip address 10.10.10.1 fqdn ax1240s.example.com
Configures an IP address (10.10.10.1) and domain name (ax1240s.example.com) exclusive to
Web authentication.
9.2.3 Auto logout condition configuration common to all authentication modes
(1) Maximum connection time configuration
Overview
Configure the maximum connection time for an authenticated user. The user is automatically
logged out when the maximum connection time is exceeded.
Configuration command example
1. (config)# web-authentication max-timer 60
Configures 60 minutes as the maximum connection time of an authenticated user.
(2) Logout condition configuration by receiving special frames
Overview
Configure the conditions under which receiving special frames from an authenticated terminal
logs it out.
Configuration command example
1. (config)# web-authentication logout ping tos-windows 2
(config)# web-authentication logout ping ttl 2
Automatically logs out the terminal with the corresponding MAC address only when a received
ping matches both the TOS and TTL values.
9.2.4 Configuration of sending accounting information
Overview
Configure the sending of Web authentication accounting information to a RADIUS server.
Configuration command example
1. (config)# aaa accounting web-authentication default start-stop group radius
Configures the sending of Web authentication accounting information to a RADIUS server.
9.2.5 User switching option configuration
Overview
Configure the user switching option, which allows a single terminal to be authenticated with a
different user ID after successful authentication with the first user ID.
Configuration command example
1. (config)# web-authentication user replacement
Configures the user switching option.
Notes
After a switch to a different user ID has succeeded, the terminal does not return to the first user
ID even when the user switching option is later canceled.
9.2.6 Enabling Web authentication
Overview
Enable Web authentication after all other Web authentication configuration has been completed.
Configuration command example
1. (config)# web-authentication system-auth-control
Enables Web authentication.
Notes
Configure this command after completing all other Web authentication configuration. If
authentication is enabled before that, authentication failures might be recorded in the
accounting log.
9.3
Fixed VLAN mode configuration
Configure fixed VLAN mode according to the following flow chart after configuration based on
9.1 Web authentication configuration and 9.2 Configuration common to all authentication
modes.
Figure 9-3: Procedure for configuring fixed VLAN mode
For more details about each configuration, see the following:
1.
Fixed VLAN mode configuration: 9.3.1 Fixed VLAN mode configuration
2.
URL redirect functionality configuration: 9.3.2 Configuration related to authentication
(1) URL redirect functionality configuration
3.
Auto display URL configuration after successful authentication: 9.3.2 Configuration
related to authentication (2) Auto display URL configuration after successful
authentication
4.
Auto logout condition configuration: 9.3.2 Configuration related to authentication (3)
Auto logout condition configuration
5.
Configuration of the maximum number of users subject to authentication: 9.3.2 Configuration related to authentication (4) Configuration of the maximum number of users subject to authentication
6.
Forced authentication port configuration: 9.3.2 Configuration related to authentication
(5) Forced authentication port configuration
7.
Roaming configuration: 9.3.2 Configuration related to authentication (6) Roaming
(permitting authenticated port change communication) configuration
8.
Authentication exclusion configuration: 9.3.2 Configuration related to authentication (7)
Authentication exclusion configuration
9.
Individual Web authentication page configuration: 9.3.2 Configuration related to
authentication (8) Individual Web authentication page configuration
10. Authentication IPv4 access list configuration: 5. Overview of Layer 2 Authentication
In fixed VLAN mode, the Switch-internal DHCP server is not available, so terminals obtain IP addresses from an external DHCP server. For unauthenticated terminals to reach that external DHCP server, an authentication IPv4 access list must be configured. For details, see 5. Overview of Layer 2 Authentication.
9.3.1
Fixed VLAN mode configuration
Figure 9-4: Example of fixed VLAN mode structure
(1)
Configuration of authentication port and VLAN information
for authentication
Overview
Configure fixed VLAN mode and the authentication VLAN information on a port used with fixed VLAN mode.
Configuration command example
1.
(config)# vlan 30
(config-vlan)# exit
Configures VLAN ID 30.
2.
(config)# interface fastethernet 0/3
(config-if)# switchport mode access
(config-if)# switchport access vlan 30
Configures port 0/3 connected to terminals subject to authentication as an access port
and configures VLAN 30 for authentication.
3.
(config-if)# web-authentication port
(config-if)# exit
Enables fixed VLAN mode on port 0/3.
(2)
Configuring an IP address to a VLAN interface
Overview
Configure an IP address to a VLAN used for authentication.
Configuration command example
1.
(config)# interface vlan 30
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit
Configures an IP address to VLAN 30 used with Web authentication.
(3)
Authentication method list name configuration for port-based
authentication method
Overview
Configure the authentication method list name for the port-based authentication method.
For authentication method list configuration, see 9.2.1 Authentication method group and
RADIUS server information configuration (1) Authentication method group configuration.
Configuration command example
1.
(config)# interface fastethernet 0/3
(config-if)# web-authentication authentication WEB-list1
(config-if)# exit
Configures the authentication method list name WEB-list1 to port 0/3.
Notes
• If this information has not been configured, authentication follows the Switch default described in 9.2.1 Authentication method group and RADIUS server information configuration (1) Authentication method group configuration.
• If the authentication method list name configured on the port does not match a list in the authentication method group, or no such list exists in the group, authentication follows the Switch default.
• User ID-based authentication and legacy mode of Web authentication cannot be used together. For details, see 5.2.2 Authentication method lists.
9.3.2
Configuration related to authentication
This section explains the configuration related to fixed VLAN mode.
(1)
URL redirect functionality configuration
(a) TCP port configuration for trigger packet
Overview
Configure additional destination TCP port numbers whose packets are treated as URL redirect trigger packets. Packets to the default ports (TCP 80 and 443) and to the port number configured here are treated as trigger packets. You can also add TCP port numbers for HTTP and HTTPS individually using the web-authentication web-port configuration command.
Configuration command example
1.
(config)# web-authentication redirect tcp-port 8080
Adds TCP port number 8080.
2.
(config)# web-authentication web-port https 24000
Adds TCP port number 24000 for HTTPS.
Notes
When different port numbers are added with the two commands above, the default port numbers and the additional port numbers configured by each command are all enabled. For the behavior when a single port number is added, see 8.2.2 Authentication functionality (2) URL redirection (a) Adding URL redirection trigger packet TCP port numbers.
(b) Configuration of a protocol for login operation
Overview
Configure a protocol for login operation with the URL redirect functionality for Web
authentication.
Configuration command example
1.
(config)# web-authentication redirect-mode http
Uses HTTP with the URL redirect functionality for Web authentication.
(2)
Auto display URL configuration after successful
authentication
Overview
Configure the URL for terminal access after successful authentication.
Configuration command example
1.
(config)# web-authentication jump-url "http://www.example.com/"
Displays the page http://www.example.com/ after successful authentication.
Notes
You can change the delay before the terminal is moved to the specified URL with the configuration command (default: five seconds), but in fixed VLAN mode the delay does not need to be configured. Change it only when you want the specified URL displayed sooner than the default.
(3)
Auto logout condition configuration
(a) Maximum connection time configuration
This configuration is common to all authentication modes of Web authentication. See 9.2
Configuration common to all authentication modes and 9.2.3 Auto logout condition
configuration common to all authentication modes.
(b) Configuration of the functionality to monitor non-communication of
an authenticated terminal
This functionality is enabled by default, without configuring the web-authentication auto-logout configuration command, when fixed VLAN mode or dynamic VLAN mode of Web authentication is enabled.
If the no web-authentication auto-logout configuration command is configured, users are not automatically logged out.
(c) Configuration of the functionality to monitor connection of an
authenticated terminal
Overview
Configure the connection monitoring functionality to monitor connection of an
authenticated terminal.
Configuration command example
1.
(config)# web-authentication logout polling enable
Enables the connection monitoring functionality.
2.
(config)# web-authentication logout polling interval 300
Sets the polling interval of the connection-monitoring frame to 300 seconds.
3.
(config)# web-authentication logout polling retry-interval 10
Sets the retransmission interval of the connection-monitoring frame to 10 seconds.
4.
(config)# web-authentication logout polling count 5
Sets the number of retransmissions of the connection-monitoring frame to 5.
(d) Special frame receiving condition configuration
This configuration is common to all authentication modes of Web authentication. See 9.2
Configuration common to all authentication modes and 9.2.3 Auto logout condition
configuration common to all authentication modes.
(4)
Configuration of the maximum number of users subject to
authentication
Overview
Configure the maximum number of users who can be authenticated in fixed VLAN mode. To set the limit for the whole Switch, configure it in global configuration mode; to set it for a single port, configure it in the configuration mode of that port.
Configuration command example
1.
(config)# web-authentication static-vlan max-user 30
Sets the maximum number of users who can be authenticated by Web authentication in fixed VLAN mode to 30.
(5)
Forced authentication port configuration
Overview
Configure a port subject to fixed VLAN mode to one where forced authentication is
permitted.
Configuration command example
1.
(config)# interface fastethernet 0/3
(config-if)# web-authentication static-vlan force-authorized
(config-if)# exit
Configures port 0/3 as a forced authentication port.
Notes
Use RADIUS authentication alone as the authentication method when using forced authentication. Forced authentication does not work under either of the following configurations, in which local authentication is also configured:
• aaa authentication web-authentication default group radius local
• aaa authentication web-authentication default local group radius
(6)
Roaming (permitting authenticated port change
communication) configuration
Overview
Configure roaming so that a terminal authenticated in fixed VLAN mode can continue communicating after it is moved to a different port without the original port going link-down.
Configuration command example
1.
(config)# web-authentication static-vlan roaming
Continues communication if an authenticated terminal is connected to a different port.
Notes
Roaming works only when both of the following conditions are met:
• The ports used before and after the move are both subject to fixed VLAN mode
• The VLAN is the same before and after the move
(7)
Authentication exclusion configuration
Configure ports and terminals to be excluded from targets of authentication in fixed VLAN
mode. In this example, ports 0/19 and 0/20, and the shared printer are excluded.
Figure 9-5: Example of authentication exclusion structure in fixed VLAN mode
(a) Authentication exclusion port configuration
Overview
Do not configure an authentication mode to a port to be excluded from authentication
targets in fixed VLAN mode.
Configuration command example
1.
(config)# interface range fastethernet 0/19-0/20
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 30
(config-if-range)# exit
Configures ports 0/19 and 0/20 of VLAN ID 30 as access ports. Does not configure the
authentication mode (web-authentication port).
(b) Authentication exclusion terminal configuration
Overview
Register MAC addresses of the terminals to be excluded from authentication targets in
fixed VLAN mode in the MAC address table.
Configuration command example
1.
(config)# mac-address-table static 1234.5600.e001 vlan 30 interface fastethernet 0/3
Registers the MAC address of the terminal to be excluded from authentication (the shared printer in the figure, 1234.5600.e001) as a static entry in the MAC address table for VLAN 30 on port 0/3, which permits the terminal to communicate in VLAN 30 without authentication.
Notes
The exclusion is keyed on the MAC address only, so a terminal that presents the same MAC address on port 0/3 is treated the same way. Register only the addresses of devices that cannot perform Web authentication themselves, such as the printer.
(8)
Individual Web authentication page configuration
Overview
Configure the custom file set names of individual Web authentication pages used for ports
subject to authentication in fixed VLAN mode.
Configuration command example
1.
(config)# interface fastethernet 0/3
(config-if)# web-authentication port
(config-if)# web-authentication html-fileset FILESETAAA
(config-if)# exit
Configures the custom file set name FILESETAAA for the individual Web authentication
page used on port 0/3 (the name registered in the Switch using the set
web-authentication html-files operation command as the custom file set name).
Notes
1.
Configure the web-authentication port command on the port before configuring this command.
2.
Register the custom file set for the individual Web authentication page in the Switch beforehand using the set web-authentication html-files operation command.
9.4
Dynamic VLAN mode configuration
Configure dynamic VLAN mode according to the following flow chart after configuration based
on 9.1 Web authentication configuration and 9.2 Configuration common to all authentication
modes.
Figure 9-6: Procedure of configuring dynamic VLAN mode
For more details about each configuration, see the following:
1.
Dynamic VLAN mode configuration: 9.4.1 Dynamic VLAN mode configuration
2.
URL redirect functionality configuration: 9.4.2 Configuration related to authentication
(1) URL redirect functionality configuration
3.
Auto display URL configuration after successful authentication: 9.4.2 Configuration
related to authentication (2) Configuring automatically displayed URL and time before
moving from URL to URL after successful authentication
4.
Auto logout condition configuration: 9.4.2 Configuration related to authentication (3)
Auto logout condition configuration
5.
Configuration of the maximum number of users subject to authentication: 9.4.2 Configuration related to authentication (4) Configuration of the maximum number of users subject to authentication
6.
Forced authentication port configuration: 9.4.2 Configuration related to authentication
(5) Forced authentication port configuration
7.
Roaming configuration: 9.4.2 Configuration related to authentication (6) Roaming
(permitting authenticated port change communication) configuration
8.
Authentication exclusion configuration: 9.4.2 Configuration related to authentication (7)
Authentication exclusion configuration
9.
Individual Web authentication page configuration: 9.4.2 Configuration related to
authentication (8) Individual Web authentication page configuration by port
10. Authentication IPv4 access list configuration: 5. Overview of Layer 2 Authentication
9.4.1
Dynamic VLAN mode configuration
Figure 9-7: Example of dynamic VLAN mode structure
(1)
Configuration of authentication port and VLAN information
for authentication
Overview
Configure dynamic VLAN mode and authentication VLAN information to a port used with
dynamic VLAN mode.
Configuration command example
1.
(config)# vlan 400 mac-based
(config-vlan)# exit
Configures VLAN ID 400 as a MAC VLAN.
2.
(config)# vlan 30
(config-vlan)# exit
Configures VLAN ID 30.
3.
(config)# interface fastethernet 0/5
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 30
Configures port 0/5, to which a terminal subject to authentication is connected, as a MAC port and specifies VLAN 30 as the unauthenticated VLAN (the authenticated VLAN is assigned to the port according to 5.4.3 Auto MAC VLAN assignment).
4.
(config-if)# web-authentication port
(config-if)# exit
Configures dynamic VLAN mode to port 0/5.
(2)
Configuring an IP address to a VLAN interface
Overview
Configure IP addresses to unauthenticated and authenticated VLANs used in Web
authentication.
Configuration command example
1.
(config)# interface vlan 30
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit
Configures an IP address on unauthenticated VLAN 30 used in Web authentication.
2.
(config)# interface vlan 400
(config-if)# ip address 192.168.40.1 255.255.255.0
(config-if)# exit
Configures an IP address on authenticated VLAN 400 used in Web authentication.
(3)
Configuring the authentication method list of port-based
authentication method
Overview
Configure an authentication method list name for the port-based authentication method.
For the authentication method list configuration, see 9.2.1 Authentication method group
and RADIUS server information configuration (1) Authentication method group
configuration.
Configuration command example
1.
(config)# interface fastethernet 0/5
(config-if)# web-authentication authentication WEB-list1
(config-if)# exit
Configures an authentication method list name WEB-list1 to port 0/5.
Notes
• If this information has not been configured, authentication follows the Switch default described in 9.2.1 Authentication method group and RADIUS server information configuration (1) Authentication method group configuration.
• If the authentication method list name configured on the port does not match a list in the authentication method group, or no such list exists in the group, authentication follows the Switch default.
• User ID-based authentication and legacy mode of Web authentication cannot be used together. For details, see 5.2.2 Authentication method lists.
9.4.2
Configuration related to authentication
This section explains the configuration related to dynamic VLAN mode.
(1)
URL redirect functionality configuration
Same as in fixed VLAN mode. See 9.3.2 Configuration related to authentication (1) URL
redirect functionality configuration.
(2)
Configuring automatically displayed URL and time before
moving from URL to URL after successful authentication
Overview
Configure a URL for terminal access after successful authentication and time required to
move to a different URL.
Configuration command example
1.
(config)# web-authentication jump-url "http://www.example.com/" delay 30
Displays the page http://www.example.com/ 30 seconds after successful authentication.
Notes
Because the terminal's IP address must change when it is switched from the unauthenticated VLAN to the authenticated VLAN, set the delay before moving to the URL to approximately 20 to 30 seconds. When the internal DHCP server has assigned an address to the terminal in the unauthenticated VLAN (default lease time: 10 seconds), the terminal obtains a new address from the regular DHCP server in the authenticated VLAN once that lease expires. For this reason, it might take approximately 20 to 30 seconds after authentication completes before the terminal can communicate in the authenticated VLAN.
(3)
Auto logout condition configuration
(a) Maximum connection time configuration
This configuration is common to all authentication modes for Web authentication. See 9.2
Configuration common to all authentication modes and 9.2.3 Auto logout condition
configuration common to all authentication modes.
(b) Configuration of the functionality to monitor non-communication of
an authenticated terminal
Same as in fixed VLAN mode. See 9.3.2 Configuration related to authentication (3) Auto logout
condition configuration (b) Configuration of the functionality to monitor non-communication of
an authenticated terminal.
(c) Special frame receiving condition configuration
This configuration is common to all authentication modes for Web authentication. See 9.2
Configuration common to all authentication modes and 9.2.3 Auto logout condition
configuration common to all authentication modes.
(4)
Configuration of the maximum number of users subject to
authentication
Overview
Configure the maximum number of users who can be authenticated in dynamic VLAN mode. To set the limit for the whole Switch, configure it in global configuration mode; to set it for a single port, configure it in the configuration mode of that port.
Configuration command example
1.
(config)# web-authentication max-user 5
Configures 5 users as the maximum number of users who can be authenticated in Web
authentication.
(5)
Forced authentication port configuration
Overview
Configure a port subject to dynamic VLAN mode to one where forced authentication is
permitted.
Configuration command example
1.
(config)# interface fastethernet 0/5
(config-if)# web-authentication force-authorized vlan 400
(config-if)# exit
Configures VLAN 400 as the authenticated VLAN assigned to port 0/5 when forced authentication is applied.
Notes
1.
The VLAN ID specified here must be a MAC VLAN, that is, a VLAN configured with the mac-based parameter of the vlan configuration command.
2.
Use RADIUS authentication alone as the authentication method when using forced authentication. Forced authentication does not work under either of the following configurations, in which local authentication is also configured:
• aaa authentication web-authentication default group radius local
• aaa authentication web-authentication default local group radius
(6)
Roaming (permitting authenticated port change
communication) configuration
Overview
Configure roaming so that a terminal authenticated in dynamic VLAN mode can continue communicating after it is moved to a different port without the original port going link-down.
Configuration command example
1.
(config)# web-authentication roaming
Continues communication if an authenticated terminal is connected to a different port.
Notes
Roaming works only when both of the following conditions are met:
• The ports used before and after the move are both subject to dynamic VLAN mode
• The authenticated VLAN that was assigned before the move is configured on the new port with the switchport mac vlan configuration command
(7)
Authentication exclusion configuration
Configure ports and terminals to be excluded from the targets of authentication in dynamic
VLAN mode. In this example, ports 0/19 and 0/20, and the shared printer are excluded.
Figure 9-8: Example of authentication exclusion structure in dynamic VLAN mode
(a) Authentication exclusion port configuration
Overview
Configure a port to be excluded from authentication targets without configuring an authentication mode on it.
Configuration command example
1.
(config)# interface fastethernet 0/19
(config-if)# switchport mode access
(config-if)# switchport access vlan 30
(config-if)# exit
Configures port 0/19 of VLAN ID 30 as an access port. Does not configure the
authentication mode (web-authentication port).
2.
(config)# interface fastethernet 0/20
(config-if)# switchport mode access
(config-if)# switchport access vlan 400
(config-if)# exit
Configures port 0/20 as an access port in MAC VLAN 400. Does not configure an authentication mode (web-authentication port).
(b) Authentication exclusion terminal configuration
Overview
Registers MAC addresses of the terminals to be excluded from authentication targets in
MAC VLANs and the MAC address table.
Configuration command example
1.
(config)# vlan 400 mac-based
(config-vlan)# mac-address 1234.5600.e001
(config-vlan)# exit
Configures the MAC address to be excluded from authentication targets to MAC VLAN
ID 400 (MAC address of the shared printer in the figure: 1234.5600.e001).
2.
(config)# mac-address-table static 1234.5600.e001 vlan 400 interface fastethernet 0/5
Registers the MAC address of the terminal to be excluded from authentication (the shared printer in the figure, 1234.5600.e001) as a static entry in the MAC address table for MAC VLAN 400 on port 0/5, which permits the terminal to communicate on that port without authentication.
(8)
Individual Web authentication page configuration by port
Overview
Configure the custom file set names of individual Web authentication pages used for ports
subject to authentication in dynamic VLAN mode.
Configuration command example
1.
(config)# interface fastethernet 0/5
(config-if)# web-authentication port
(config-if)# web-authentication html-fileset FILESETBBB
(config-if)# exit
Configures the custom file set name FILESETBBB for the individual Web authentication
page used on port 0/5 (the name registered in the Switch using the set
web-authentication html-files operation command as the custom file set name).
Notes
1.
Configure the web-authentication port command on the port before configuring this command.
2.
Register the custom file set for the individual Web authentication page in the Switch beforehand using the set web-authentication html-files operation command.
9.5
Legacy mode configuration
Configure legacy mode according to the following flow chart after configuration based on 9.1
Web authentication configuration and 9.2 Configuration common to all authentication modes.
Figure 9-9: Procedure for configuring legacy mode
For more details about each configuration, see the following:
1.
Legacy mode configuration: 9.5.1 Legacy mode configuration
2.
Auto display URL configuration after successful authentication: 9.5.2 Configuration
related to authentication (1) Configuring automatically displayed URL and time before
moving from URL to URL after successful authentication
3.
Auto logout condition configuration: 9.5.2 Configuration related to authentication (2)
Auto logout condition configuration
4.
Configuration of the maximum number of users subject to authentication: 9.5.2
Configuration related to authentication (3) Configuration of the maximum number of
users subject to authentication
5.
Forced authentication port configuration: 9.5.2 Configuration related to authentication
(4) Forced authentication port configuration
6.
Authentication exclusion configuration: 9.5.2 Configuration related to authentication (5)
Authentication exclusion configuration
9.5.1
Legacy mode configuration
Figure 9-10: Example of legacy mode structure
(1)
Configuration of authentication port and VLAN information
for authentication
Overview
Configure the authentication VLAN information to the port used with legacy mode.
Configuration command example
1.
(config)# vlan 500 mac-based
(config-vlan)# exit
Configures VLAN ID 500 as a MAC VLAN.
2.
(config)# vlan 30
(config-vlan)# exit
Configures VLAN ID 30.
3.
(config)# interface fastethernet 0/7
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac vlan 500
(config-if)# switchport mac native vlan 30
(config-if)# exit
Configures port 0/7, to which a terminal subject to authentication is connected, as a MAC port and specifies VLAN 30 as the unauthenticated VLAN and VLAN 500 as the authenticated VLAN.
(2)
Configuring authenticated VLAN
Overview
Configure the authenticated VLAN ID used in legacy mode. After successful authentication, the terminal is dynamically switched to the VLAN configured by this command.
Configuration command example
1.
(config)# web-authentication vlan 500
Configures VLAN ID 500 of an authenticated VLAN in legacy mode.
Notes
If this information has not been configured, authentication fails in legacy mode. Configure
the target VLAN ID.
(3)
Configuring an IP address to a VLAN interface
Overview
Configure the IP addresses to unauthenticated and authenticated VLANs used in Web
authentication.
Configuration command example
1.
(config)# interface vlan 30
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit
Configures the IP address to unauthenticated VLAN 30 used in Web authentication.
2.
(config)# interface vlan 500
(config-if)# ip address 192.168.50.1 255.255.255.0
(config-if)# exit
Configures an IP address to authenticated VLAN 500 used in Web authentication.
9.5.2
Configuration related to authentication
This section explains the configuration related to legacy mode.
(1)
Configuring automatically displayed URL and time before
moving from URL to URL after successful authentication
Same as in dynamic VLAN mode. See 9.4.2 Configuration related to authentication (2)
Configuring automatically displayed URL and time before moving from URL to URL after
successful authentication.
(2)
Auto logout condition configuration
(a) Maximum connection time configuration
This configuration is common to all authentication modes of Web authentication. See 9.2
Configuration common to all authentication modes and 9.2.3 Auto logout condition
configuration common to all authentication modes.
(b) MAC address table aging monitoring configuration
This functionality is enabled by default, without configuring the web-authentication auto-logout configuration command, when legacy mode of Web authentication is enabled.
If the no web-authentication auto-logout configuration command is configured, users are not automatically logged out.
(c) Special frame receiving condition configuration
This configuration is common to all authentication modes of Web authentication. See 9.2
Configuration common to all authentication modes and 9.2.3 Auto logout condition
configuration common to all authentication modes.
(3)
Configuration of the maximum number of users subject to
authentication
Same as in dynamic VLAN mode. See 9.4.2 Configuration related to authentication (4)
Configuration of the maximum number of users subject to authentication.
(4)
Forced authentication port configuration
Overview
Configure the authenticated VLAN to be assigned to a port subject to legacy mode when forced authentication is applied.
Configuration command example
1.
(config)# interface fastethernet 0/7
(config-if)# web-authentication force-authorized vlan 500
(config-if)# exit
Configures the VLAN ID of an authenticated VLAN where forced authentication is
permitted and which is assigned to port 0/7.
Notes
1.
The VLAN ID specified here must be a MAC VLAN, that is, a VLAN configured with the mac-based parameter of the vlan configuration command.
2.
Use RADIUS authentication alone as the authentication method when using forced authentication. Forced authentication does not work under either of the following configurations, in which local authentication is also configured:
• aaa authentication web-authentication default group radius local
• aaa authentication web-authentication default local group radius
(5)
Authentication exclusion configuration
Configure ports and terminals to be excluded from the targets of authentication in legacy mode.
In the figure below, ports 0/19 and 0/20, and the shared printer are excluded.
Figure 9-11: Example of authentication exclusion structure in legacy mode
(a) Authentication exclusion port configuration
Overview
Configure a port to be excluded from authentication targets as an access port.
Configuration command example
1.
(config)# interface fastethernet 0/19
(config-if)# switchport mode access
(config-if)# switchport access vlan 30
(config-if)# exit
Configures port 0/19 of the VLAN ID 30 as an access port.
2.
(config)# interface fastethernet 0/20
(config-if)# switchport mode access
(config-if)# switchport access vlan 500
(config-if)# exit
Configures port 0/20 of the MAC VLAN ID 500 as an access port.
(b) Authentication exclusion terminal configuration
Overview
Register the MAC addresses of the terminals to be excluded from the authentication targets
in the MAC VLANs.
Configuration command example
1.
(config)# vlan 500 mac-based
(config-vlan)# mac-address 1234.5600.e001
(config-vlan)# exit
Configures the MAC address to be excluded from the authentication targets to the MAC
VLAN ID 500 (MAC address of the shared printer in the figure: 1234.5600.e001).
9.6
Internal DHCP server configuration
This configuration distributes IP addresses to DHCP clients (terminals subject to authentication)
in Web authentication. This example includes the internal DHCP server using 9.4 Dynamic
VLAN mode configuration as a basic structure.
Overview
Specify the IP addresses that must not be assigned to DHCP clients as excluded addresses, and configure a DHCP address pool from which IP addresses are assigned to DHCP clients dynamically.
Figure 9-12: Example of internal DHCP server (dynamic VLAN mode)
Configuration command example
1.
(config)# service dhcp vlan 30
Enables the DHCP server for unauthenticated VLAN 30.
2.
(config)# ip dhcp excluded-address 192.168.0.1
(config)# ip dhcp excluded-address 192.168.0.200
Excludes the Switch's own address on VLAN 30 (192.168.0.1) and the RADIUS server address (192.168.0.200) from assignment.
3.
(config)# ip dhcp pool POOL30
(dhcp-config)# network 192.168.0.0/24
Configures the address pool name POOL30 and the network address of the address pool (use the same network address as unauthenticated VLAN 30).
4.
(dhcp-config)# lease 0 0 1
Configures the lease time of the address (1 minute).
5.
(dhcp-config)# default-router 192.168.0.1
Configures the IP address of unauthenticated VLAN 30 as the default router.
6.
(dhcp-config)# dns-server 200.0.0.1
(dhcp-config)# exit
Configures the IP address of the DNS server.
Configure the following to use the internal DHCP server for authenticated VLAN.
Configuration command example
1.
(config)# service dhcp vlan 400
Enables the DHCP server for authenticated VLAN 400.
2.
(config)# ip dhcp excluded-address 192.168.40.1
(config)# ip dhcp excluded-address 192.168.40.254
Excludes the IP address of VLAN 400 of the Switch and the default gateway address of
the L3 switch.
3.
(config)# ip dhcp pool POOL400
(dhcp-config)# network 192.168.40.0/24
Configures the address pool name POOL400 and the network address of the address pool
(configure the same network address as authenticated VLAN 400).
4.
(dhcp-config)# lease 1
Configures the lease time of the address (one day).
5.
(dhcp-config)# default-router 192.168.40.1
Configures the IP address of the authenticated VLAN 400 as the default router.
6.
(dhcp-config)# dns-server 200.0.0.1
(dhcp-config)# exit
Configures the IP address of the DNS server.
9.7
Operation of Web authentication
9.7.1
List of operation commands
The table below shows the list of operation commands for Web authentication.
Table 9-4: List of operation commands
set web-authentication user
    Adds user information (user ID, password, and authenticated VLAN ID) for Web authentication to the internal Web authentication DB.
set web-authentication passwd
    Changes the password of a registered user ID in the internal Web authentication DB (editing user information).
set web-authentication vlan
    Changes the authenticated VLAN ID of a registered user ID in the internal Web authentication DB (editing user information).
remove web-authentication user
    Deletes user information from the internal Web authentication DB (editing user information).
commit web-authentication
    Applies any additions or changes you made to the internal Web authentication DB.
store web-authentication
    Backs up the internal Web authentication DB to a file.
load web-authentication
    Restores the internal Web authentication DB from a backup file.
show web-authentication user
    Displays the contents of the internal Web authentication DB and any pending additions or changes.
clear web-authentication auth-state
    Forcibly logs out an authenticated user.
show web-authentication
    Displays the configuration for Web authentication.
show web-authentication login
    Displays the authentication status of Web authentication (the currently authenticated users).
show web-authentication login select-option
    Displays the authentication status for Web authentication after selecting the display option.
show web-authentication login summary
    Displays the number of authenticated users.
show web-authentication statistics
    Displays statistics related to Web authentication.
clear web-authentication statistics
    Clears Web authentication statistics.
show web-authentication logging
    Displays the Web authentication account log.
clear web-authentication logging
    Clears the Web authentication account log.
set web-authentication html-files
    Registers the specified custom file set for the Web authentication page in the Switch.
clear web-authentication html-files
    Deletes the custom file set for the Web authentication page registered in the Switch.
show web-authentication html-files
    Displays the file names and sizes of the custom file set for the Web authentication page, as well as the date and time of registration.
store web-authentication html-files
    Collects the running custom file set for the Web authentication page and stores the files in a directory on the RAMDISK.
The table below lists the operation commands for the internal DHCP server.
Table 9-5: List of operation commands for the internal DHCP server
Command | Description
show ip dhcp binding | Displays binding information held by the DHCP server.
clear ip dhcp binding | Deletes binding information from the DHCP server database.
show ip dhcp conflict | Displays conflicting IP addresses detected by the DHCP server. A conflicting IP address is one that is already in use by a terminal on the network even though the DHCP server regards it as unassigned in the address pool.
clear ip dhcp conflict | Clears a conflicting IP address from the DHCP server.
show ip dhcp server statistics | Displays statistics on the DHCP server.
clear ip dhcp server statistics | Resets statistics on the DHCP server.
9.7.2 Registering the internal Web authentication DB
Use the set web-authentication user operation command to register information about a Web authentication user (user ID, password, and authenticated VLAN ID) in the internal Web authentication DB. Specifically, you can edit (add, change, or delete) user information and then apply the additions or changes to the internal Web authentication DB. Complete the environment settings and configuration for Web authentication before adding user information.
(1) Adding user information
Use the set web-authentication user operation command to add a user ID, password, and
authenticated VLAN ID for each user subject to authentication.
• Fixed VLAN mode: Specify the VLAN ID for the connected port of the user (terminal) subject to authentication
• Dynamic VLAN mode and legacy mode: Specify the VLAN ID to be accommodated after authentication
In the example below, USER01-USER05 (five users) are registered.
Command input
# set web-authentication user USER01 PAS0101 100
# set web-authentication user USER02 PAS0200 100
# set web-authentication user USER03 PAS0300 100
# set web-authentication user USER04 PAS0320 100
# set web-authentication user USER05 PAS0400 100
(2) Changing and deleting user information
Follow the procedure below to change the password and authenticated VLAN ID of a registered user, and then delete the user.
(a) Changing password
Use the set web-authentication passwd operation command to change the password of
the registered user. In the example below, the password of user ID USER01 is changed.
Command input
# set web-authentication passwd USER01 PAS0101 PPP4321
Changes the password of the user ID (USER01) from PAS0101 to PPP4321.
(b) Changing authenticated VLAN ID
Use the set web-authentication vlan operation command to change the authenticated VLAN ID
of the registered user.
• Fixed VLAN mode: Specify the VLAN ID for the port connected to the user (terminal) subject to authentication
• Dynamic VLAN mode and legacy mode: Specify the VLAN ID that accommodates the user (terminal) subject to authentication
In the example below, the authenticated VLAN ID of user ID USER01 is changed.
Command input
# set web-authentication vlan USER01 200
Changes the VLAN ID of the user ID (USER01) to 200.
(c) Deleting user information
Use the remove web-authentication user operation command to delete registered user
information. In the example below, the user information of user ID USER01 is deleted.
Command input
# remove web-authentication user USER01
Remove web-authentication user
Are you sure? (y/n): y
#
Deletes the user ID (USER01).
(3) Applying additions or changes to the internal Web authentication DB
Apply additions or changes in user information to the internal Web authentication DB by using the commit web-authentication operation command.
Command input
# commit web-authentication
Commitment web-authentication user data. Are you sure? (y/n): y
Commit complete.
#
9.7.3 Backing up and restoring the internal Web authentication DB
This section describes how to back up and restore the internal Web authentication DB.
(1) Backing up the internal Web authentication DB
You can create a backup file (backupfile in the example below) for the internal Web
authentication DB using the store web-authentication operation command.
Command input
# store web-authentication ramdisk backupfile
Backup web-authentication user data.
Are you sure? (y/n): y
Backup complete.
#
(2) Restoring the internal Web authentication DB
You can use the load web-authentication operation command to restore the internal Web
authentication DB from a backup file (backupfile in the example below).
Command input
# load web-authentication ramdisk backupfile
Restore web-authentication user data.
Are you sure? (y/n): y
Restore complete.
#
9.7.4 Displaying configuration status of Web authentication
Web authentication configuration status is displayed with the show web-authentication
operation command.
Figure 9-13: Displaying Web authentication configuration status
# show web-authentication
Date 2009/10/29 02:56:27 UTC
<<<Web-Authentication mode status>>>
Dynamic-VLAN: Enable
Static-VLAN: Enable
<<<System configuration>>>
* Authentication parameter
Authentic-mode: Dynamic-VLAN
ip address: 10.10.10.10
web-port: HTTP: 80 (Fixed) HTTPS: 443 (Fixed)
max-user: 256
user-group: Disable
user replacement: Disable
roaming: Disable
html-files: Custom
web-authentication vlan:
* AAA methods
Authentication Default: RADIUS
Authentication port-list-AAA: RADIUS ra-group-1
Accounting Default: RADIUS
* Logout parameter
max-timer: 60(min)
auto-logout: Enable
logout ping: tos-windows: 1 ttl: 1
logout polling: -
* Redirect parameter
redirect: Enable
redirect-mode: HTTPS
tcp-port: 80 (Fixed), 443 (Fixed)
web-port: HTTP: 80 (Fixed) HTTPS: 443 (Fixed)
jump-url: Disable
* Logging status
[Syslog send]: Disable
[Traps]: Disable
* Internal DHCP sever status
service dhcp vlan: Disable
<Port configuration>
Port Count: 2
Port: 0/6
VLAN ID: 40
Forceauth VLAN: Disable
Access-list-No: L2-auth
ARP relay: Enable
Max-user: 256
HTML fileset: FILESETXYZ
Port: 0/22
VLAN ID: 40
Forceauth VLAN: Disable
Access-list-No: L2-auth
ARP relay: Enable
Max-user: 256
Authentication method: port-list-AAA
HTML fileset: FILESETXYZ
<<<System configuration>>>
* Authentication parameter
Authentic-mode: Static-VLAN
ip address: 10.10.10.10
web-port: HTTP: 80 (Fixed) HTTPS: 443 (Fixed)
max-user: 1024
user-group: Disable
user replacement: Disable
roaming: Disable
html-files: Custom
web-authentication vlan:
* AAA methods
Authentication Default: RADIUS
Authentication port-list-AAA: RADIUS ra-group-1
Accounting Default: RADIUS
* Logout parameter
max-timer: 60(min)
auto-logout: Enable
logout ping: tos-windows: 1 ttl: 1
logout polling: Enable [ interval: 300, count: 3, retry-interval: 1 ]
* Redirect parameter
redirect: Enable
redirect-mode: HTTPS
tcp-port: 80 (Fixed), 443 (Fixed)
web-port: HTTP: 80 (Fixed) HTTPS: 443 (Fixed)
jump-url: Disable
* Logging status
[Syslog send]: Disable
[Traps]: Disable
* Internal DHCP sever status
service dhcp vlan:
<Port configuration>
Port Count: 1
Port: 0/5
VLAN ID: 4
Forceauth VLAN: Disable
Access-list-No: L2-auth
ARP relay: Enable
Max-user: 1024
Authentication method: port-list-AAA
HTML fileset: FILESETXYZ
#
9.7.5 Displaying the status of Web authentication
You can use the show web-authentication statistics operation command to display the status of Web authentication and the status of communication with the RADIUS server.
Figure 9-14: Displaying Web authentication status information
# show web-authentication statistics
Date 2009/10/29 03:05:10 UTC
Web-Authentication Information:
Authentication Request Total: 13
Authentication Current Count: 1
Authentication Error Total: 2
RADIUS Web-Authentication Information:
[RADIUS frames]
TxTotal: 15 TxAccReq: 14 TxError: 1
RxTotal: 12 RxAccAccpt: 10 RxAccRejct: 2
RxAccChllg: 0 RxInvalid: 0
Account Web-Authentication Information:
[Account frames]
TxTotal: 19 TxAccReq: 18 TxError: 1
RxTotal: 18 RxAccResp: 18 RxInvalid: 0
#
9.7.6 Displaying the status of Web authentication sessions
(1) Displaying without the display option specified
You can use the show web-authentication login command to display the authentication
status of users logged in using Web authentication.
Figure 9-15: Displaying status information for Web-authenticated users
# show web-authentication login
Date 2009/03/24 17:12:13 UTC
Dynamic VLAN mode total login counts (Login/Max): 1 / 256
Authenticating client counts: 0
Port roaming: Disable
No F User name                      Port  VLAN Login time          Limit
1  * USER20-all_floor@example.com   0/20  200  2009/03/24 17:09:15 00:57:02
Static VLAN mode total login counts (Login/Max): 1 / 1024
Authenticating client counts: 0
Port roaming: Disable
No F User name                      Port  VLAN Login time          Limit
1    USER10-all_floor@example.com   0/10  10   2009/03/24 17:08:25 00:56:12
#
(2) Displaying with a display option specified (select-option)
Use the show web-authentication login select-option operation command with a display option to display the authentication status of Web-authenticated users. The example below specifies an interface port number.
Figure 9-16: Displaying information when a port is specified
# show web-authentication login select-option port 0/10
Date 2009/03/24 17:12:22 UTC
Static VLAN mode total login counts (Login/Max): 1 / 1024
Authenticating client counts: 0
Port roaming: Disable
No F User name                      Port  VLAN Login time          Limit
1    USER10-all_floor@example.com   0/10  10   2009/03/24 17:08:25 00:56:03
#
(3) Displaying only the number of authenticated terminals (summary display)
Use the show web-authentication login summary operation command to display the number of authenticated users.
Figure 9-17: Displaying only the number of authenticated users
# show web-authentication login summary port
Date 2009/03/24 17:15:42 UTC
Dynamic VLAN mode total login counts (Login/Max): 1 / 256
Port roaming: Disable
No Port  Login / Max
1  0/20  1 / 256
Static VLAN mode total login counts (Login/Max): 1 / 1024
Port roaming: Disable
No Port  Login / Max
1  0/10  1 / 1024
#
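The session table above is what an operator polls to see whether max-user is about to be exhausted (after which further terminals cannot authenticate) and which sessions the max-timer will soon log out. The following added Python example, which is not code from the manual or from ALAXALA, parses a constructed sample of show web-authentication login output laid out as in Figure 9-15; the column layout and the regular expressions are assumptions derived from that figure.

```python
"""Parse 'show web-authentication login' output and check session capacity.

Added example, not code from the manual. The column layout of SAMPLE_OUTPUT
is constructed from Figure 9-15 and is an assumption; adjust the patterns if
your switch prints the table differently.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, laid out like Figure 9-15 (not a real capture).
SAMPLE_OUTPUT = """\
# show web-authentication login
Date 2009/03/24 17:12:13 UTC
Dynamic VLAN mode total login counts (Login/Max): 1 / 256
Authenticating client counts: 0
Port roaming: Disable
No F User name                     Port  VLAN Login time          Limit
1  * USER20-all_floor@example.com  0/20  200  2009/03/24 17:09:15 00:57:02
Static VLAN mode total login counts (Login/Max): 1 / 1024
Authenticating client counts: 0
Port roaming: Disable
No F User name                     Port  VLAN Login time          Limit
1    USER10-all_floor@example.com  0/10  10   2009/03/24 17:08:25 00:56:12
#
"""

# "<mode> VLAN mode total login counts (Login/Max): <login> / <max>"
MODE_RE = re.compile(
    r"^(?P<mode>\w+ VLAN) mode total login counts \(Login/Max\):\s*"
    r"(?P<login>\d+)\s*/\s*(?P<max>\d+)"
)
# One session row: No, optional F flag (*), user, port, VLAN, login time, limit
SESSION_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<flag>\*)?\s*(?P<user>\S+)\s+(?P<port>\d+/\d+)\s+"
    r"(?P<vlan>\d+)\s+(?P<login_time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<limit>\d{2}:\d{2}:\d{2})\s*$"
)


@dataclass
class Session:
    mode: str
    no: int
    flagged: bool          # True when the F column carries "*"
    user: str
    port: str
    vlan: int
    login_time: str
    limit_seconds: int     # remaining time before the max-timer logout


def _hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_login_output(text: str) -> Tuple[Dict[str, Tuple[int, int]], List[Session]]:
    """Return ({mode: (login, max)}, [Session, ...]) from the command output."""
    counts: Dict[str, Tuple[int, int]] = {}
    sessions: List[Session] = []
    mode = ""
    for line in text.splitlines():
        m = MODE_RE.match(line)
        if m:
            mode = m.group("mode")
            counts[mode] = (int(m.group("login")), int(m.group("max")))
            continue
        m = SESSION_RE.match(line)
        if m and mode:
            sessions.append(Session(
                mode=mode,
                no=int(m.group("no")),
                flagged=m.group("flag") is not None,
                user=m.group("user"),
                port=m.group("port"),
                vlan=int(m.group("vlan")),
                login_time=m.group("login_time"),
                limit_seconds=_hms_to_seconds(m.group("limit")),
            ))
    return counts, sessions


def modes_near_capacity(counts: Dict[str, Tuple[int, int]], ratio: float = 0.8) -> List[str]:
    """Modes whose session count has reached `ratio` of max-user; once max-user
    is reached, further users on that mode cannot authenticate."""
    return [mode for mode, (login, mx) in counts.items() if mx and login / mx >= ratio]


def sessions_expiring_within(sessions: List[Session], seconds: int) -> List[str]:
    """Users whose remaining Limit is at most `seconds` (logged out soon)."""
    return [s.user for s in sessions if s.limit_seconds <= seconds]


if __name__ == "__main__":
    counts, sessions = parse_login_output(SAMPLE_OUTPUT)
    print(counts)
    for s in sessions:
        print(s)
    print("near capacity:", modes_near_capacity(counts))
```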
9.7.7 Registering Web authentication page files
(1) Registering the basic Web authentication page custom file set
You can register the basic Web authentication custom file set as shown below.
1. Create files for each Web authentication page using an external device (a PC). (The set of the files is referred to as the basic Web authentication custom file set.)
2. Copy the basic Web authentication custom file set onto a RAMDISK from a memory card.
3. Register the basic Web authentication custom file set using the set web-authentication html-files operation command.
Figure 9-18: Registering the basic Web authentication page custom file set
# copy mc webfileset ramdisk webfileset
# set web-authentication html-files ramdisk webfileset
Do you wish to install new html-files ? (y/n):y
executing...
Install complete.
#
(2) Registering the individual Web authentication page custom file set
You can register the individual Web authentication custom file set as shown below.
1. Create files for each Web authentication page using an external device (a PC). (The set of the files is referred to as the individual Web authentication custom file set.)
2. Copy the individual Web authentication custom file set onto a RAMDISK from a memory card.
3. Register the individual Web authentication custom file set using the set web-authentication html-files operation command.
Figure 9-19: Registering the individual Web authentication page files
# copy mc filesetAAA ramdisk filesetAAA
# set web-authentication html-files ramdisk filesetAAA html-fileset FILESETAAA
Do you wish to install new html-files? (y/n):y
executing...
Install complete.
#
Notes
• Be sure to specify the html-fileset parameter and the custom file set name with the set web-authentication html-files operation command when registering an individual Web authentication page custom file set. If these settings are not specified, the files are registered as the basic Web authentication custom file set.
• Specify the name of the individual Web authentication page custom file set to be registered in the Switch in uppercase alphanumeric characters.
• Specify the custom file set name registered using this command (FILESETAAA in the example above) when specifying the individual Web authentication page custom file set by port. (For configuration of the individual Web authentication page custom file set, see 9.3.2 Configuration related to authentication (8) Individual Web authentication page configuration.)
9.7.8 Displaying information about registered Web authentication page files
To display information about the Web authentication page files you registered, use the show
web-authentication html-files operation command.
Figure 9-20: Displaying information about Web authentication page files
# show web-authentication html-files
Date 2009/10/29 02:59:53 UTC
Total Size: 50,356
File Date           Size    Name
2009/10/29 02:12    1,507   login.html           ...1
2009/10/29 02:12    1,307   loginProcess.html    ...2
2009/10/29 02:12    1,260   loginOK.html
2009/10/29 02:12      666   loginNG.html
2009/10/29 02:12      937   logout.html
2009/10/29 02:12      586   logoutOK.html
2009/10/29 02:12      640   logoutNG.html
2009/10/29 02:12      545   webauth.msg
default now             0   favicon.ico          ...3
2009/10/29 02:12   17,730   the other files
< FILESETXYZ >                                   ...4
2009/10/29 02:14    1,507   login.html
2009/10/29 02:14    1,307   loginProcess.html
2009/10/29 02:14    1,260   loginOK.html
2009/10/29 02:14      666   loginNG.html
2009/10/29 02:14      937   logout.html
2009/10/29 02:14      586   logoutOK.html
2009/10/29 02:14      640   logoutNG.html
2009/10/29 02:14      545   webauth.msg
default now             0   favicon.ico
2009/10/29 02:14   17,730   the other files
#
1. Shows the date and time at which the basic Web authentication page custom file set was registered.
2. loginProcess.html is used for one-time password authentication. For more details, see 14. One-time Password Authentication [OP-OTP].
3. default now is displayed for a file that is in its default state.
4. Displayed when an individual Web authentication page custom file set is registered.
9.7.9 Deleting the registered individual Web authentication page custom file set
Use the clear web-authentication html-files operation command to delete the Web authentication pages you registered using the set web-authentication html-files operation command.
Figure 9-21: Deleting the basic Web authentication page custom file set
# clear web-authentication html-files
Do you wish to clear registered html-files and initialize? (y/n):y
executing...
Clear complete.
#
Figure 9-22: Deleting the individual Web authentication page custom file set
# clear web-authentication html-files html-fileset FILESETAAA
Do you wish to clear registered html-files and initialize? (y/n):y
executing...
Clear complete.
#
Figure 9-23: Deleting all custom file sets
# clear web-authentication html-files -all
Do you wish to clear registered html-files and initialize? (y/n):y
executing...
Clear complete.
#
9.7.10 Retrieving the running Web authentication page custom file set
You can store the running Web authentication page custom file set in a directory in a RAMDISK
using the store web-authentication html-files operation command. Use the copy
operation command to copy the Web authentication page custom file set stored in the
RAMDISK to a memory card. (When restarting the Switch, files in the RAMDISK are deleted.)
Because all files of a Web authentication page custom file set are retrieved together, you cannot specify individual files.
Figure 9-24: Retrieving the basic Web authentication page custom file set
# store web-authentication html-files ramdisk webfileset
Do you wish to store html-files? (y/n): y
executing...
Store complete.
#
Figure 9-25: Retrieving the individual Web authentication page custom file set
# store web-authentication html-files ramdisk filesetAAA html-fileset FILESETAAA
Do you wish to store html-files? (y/n): y
executing...
Store complete.
#
Notes
When retrieving an individual Web authentication page custom file set, specify the html-fileset parameter with the custom file set name that was given when the set was registered by the set web-authentication html-files operation command. If this parameter is not specified, the basic Web authentication custom file set is retrieved.
9.7.11 Checking the DHCP server
(1) Checking the number of assignable IP addresses
The address pools value in the output of the show ip dhcp server statistics operation command is the number of IP addresses that can be assigned to clients. Make sure this number is greater than the number of IP addresses you want to assign to clients.
Figure 9-26: Result of executing show ip dhcp server statistics
# show ip dhcp server statistics
Date 2009/04/13 09:31:14 UTC
< DHCP Server use statistics >
address pools: 252
automatic bindings : 1
expired bindings: 1
over pools request: 0
discard packets: 0
< Receive Packets >
DHCPDISCOVER: 8
DHCPREQUEST: 4
DHCPDECLINE: 2
DHCPRELEASE: 1
DHCPINFORM: 1
< Send Packets >
DHCPOFFER: 8
DHCPACK: 4
DHCPNAK: 0
#
(2) Checking distributed IP addresses
Use the show ip dhcp binding operation command to check the IP addresses assigned to DHCP clients. IP addresses that are not leased are not displayed.
Figure 9-27: Result of executing show ip dhcp binding
> show ip dhcp binding
Date 2008/11/26 09:29:33 UTC
No IP Address      MAC Address     Lease Expiration     Type
1  192.168.100.1   00d0.5909.7121  2008/11/26 10:29:16  Automatic
>
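The two checks in this section (is the pool large enough, and are conflicts or drops occurring) can be automated from the statistics output. The following added Python example, not code from the manual or from ALAXALA, parses a constructed sample laid out as in Figure 9-26 and reports the findings a practitioner would want before putting the internal DHCP server in front of an unauthenticated VLAN; the interpretation of each counter stated in the comments is an assumption.

```python
"""Evaluate the Switch's internal DHCP server from 'show ip dhcp server
statistics' output (layout of Figure 9-26).

Added example, not code from the manual. The meaning assumed for each
counter is stated in the comments; the sample text is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modeled on Figure 9-26 (not a real capture).
SAMPLE_STATS = """\
# show ip dhcp server statistics
Date 2009/04/13 09:31:14 UTC
< DHCP Server use statistics >
address pools: 252
automatic bindings : 1
expired bindings: 1
over pools request: 0
discard packets: 0
< Receive Packets >
DHCPDISCOVER: 8
DHCPREQUEST: 4
DHCPDECLINE: 2
DHCPRELEASE: 1
DHCPINFORM: 1
< Send Packets >
DHCPOFFER: 8
DHCPACK: 4
DHCPNAK: 0
#
"""

# "name : value" lines; the name may contain spaces and a stray space before ':'
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")


def parse_dhcp_statistics(text: str) -> Dict[str, int]:
    """Map every 'name: value' counter in the output to an int."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def assess_dhcp_pool(counters: Dict[str, int], clients_to_serve: int) -> Tuple[int, List[str]]:
    """Return (headroom, findings).

    headroom = 'address pools' minus 'automatic bindings'. This assumes
    'address pools' is the number of assignable addresses in the pool, as
    9.7.11 (1) of the manual reads it, rather than the number still free.
    """
    findings: List[str] = []
    pools = counters.get("address pools", 0)
    bound = counters.get("automatic bindings", 0)
    headroom = pools - bound

    # The manual's own check: the pool must be larger than the client count.
    if pools <= clients_to_serve:
        findings.append(
            f"address pool ({pools}) not larger than clients to serve ({clients_to_serve})"
        )
    # Assumed meaning: requests that arrived while no address was free.
    if counters.get("over pools request", 0) > 0:
        findings.append("over pools request > 0: clients were refused for lack of addresses")
    # DHCPDECLINE means a client found the offered address already in use on
    # the wire (RFC 2131); 'show ip dhcp conflict' lists such addresses.
    if counters.get("DHCPDECLINE", 0) > 0:
        findings.append(
            f"{counters['DHCPDECLINE']} DHCPDECLINE received: check 'show ip dhcp conflict'"
        )
    # Discarded packets can point at a malformed or flooding client on the VLAN.
    if counters.get("discard packets", 0) > 0:
        findings.append(f"{counters['discard packets']} packets discarded by the server")
    return headroom, findings


if __name__ == "__main__":
    stats = parse_dhcp_statistics(SAMPLE_STATS)
    print(assess_dhcp_pool(stats, clients_to_serve=200))
```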
9.7.12 Authentication procedure from terminal
This section describes the procedure for logging in and logging out from a Web authentication
terminal. Follow the procedure below after the configuration necessary for Web authentication
is complete.
(1) Configuring the IP address of an unauthenticated terminal
If you use a DHCP server for the terminal's IP address settings and connect a terminal subject to authentication to an unauthenticated VLAN, the terminal requests an IP address from the DHCP server. The DHCP server assigns an unauthenticated IP address to the terminal, which can then access Web authentication.
If you do not use the DHCP server, assign the IP address for authentication (an IP address from which the Switch can be accessed) to the terminal manually.
(2) Displaying the Web authentication Login page
If no Web authentication IP address has been configured, access the Web authentication URL http://unauthenticated-VLAN-interface-IP-address/login.html.
If a Web authentication IP address has been configured, access the Web authentication URL http://Web-authentication-IP-address/login.html.
Enter your user ID and password in the Web authentication Login page.
This page is common to logging in and logging out. For more details, see 9.7.12 Authentication procedure from terminal (7) Specifying the common URL for login and logout and (8) Logout from the Login Success page.
Figure 9-28: Login page
(3) Authenticating the user ID and password entered in the Login page
With local authentication, the Switch checks whether the entered user ID and password match the user information registered in the internal Web authentication DB. With RADIUS authentication, the Switch sends an authentication request to the RADIUS server and checks whether authentication is permitted.
(4) Displaying the Authentication Success page after successful authentication
When the user matches the information in the internal Web authentication DB or on the RADIUS server, the Login Success page is displayed and communication within the VLAN is enabled. In addition, the terminal's VLAN membership is changed according to the VLAN ID registered for the user.
Figure 9-29: Login Success page
Cancel authentication by pressing the Logout button on the page rather than by closing the page. To use the Logout button in the Login Success page, see 9.7.12 Authentication procedure from terminal (8) Logout from the Login Success page.
If a URL to be accessed after successful authentication has been specified with the web-authentication jump-url configuration command, the terminal accesses that URL after the Login Success page is displayed.
(5) Page displayed when authentication fails
The Authentication Error page is displayed when authentication fails. See 8.7 Authentication error messages for the causes of the errors shown on the Authentication Error page.
Figure 9-30: Login Failure page
(6) Logout
A terminal logs out by any of the following means (whether auto logout applies depends on the authentication mode provided by the Switch; for details, see 8. Description of Web Authentication).
• Logout when exceeding the maximum connection time
• Logout by monitoring non-communication of an authenticated terminal (in legacy mode, logout by MAC address table aging monitoring)
• Logout by authenticated terminal connection monitoring
• Logout by receiving special frames
• Logout by link-down of a port connected to a terminal subject to authentication
• Logout by changing a VLAN configuration
• Logout on the Web page
• Logout by the operation command
After logging out on the Web page, or after being forcibly logged out from Web authentication, change the IP address of the terminal back to an unauthenticated IP address. If you are using the DHCP server, have the terminal request an IP address again.
(a) Logout on the Web page
From the terminal that has passed Web authentication, access the URL http://authenticated-VLAN-interface-IP-address/login.html to display the Logout page. Press the Logout button on the page to log out from Web authentication. After authentication is canceled, the terminal is returned to its original VLAN and the Logout Completion page is displayed.
Figure 9-31: Logout page
Figure 9-32: Logout Completion page
(7) Specifying the common URL for login and logout
You can specify the URL common to logging in and logging out
(http://unauthenticated-or-authenticated-VLAN-interface-IP-address/). (You do not need to
specify login.html or logout.html after the IP address.)
You need to configure the default gateway to use the Logout button. For more details, see 9.7.12
Authentication procedure from terminal (8) Logout from the Login Success page.
Figure 9-33: Common Login and Logout page
(8) Logout from the Login Success page
You can log out by clicking the Logout button in the Login Success page (the same as logging out from the page common to logging in and logging out).
• When using the DHCP server to configure a terminal's IP address, configure the IP address of the authenticated VLAN interface as the default router option in the address information to be distributed.
• If you do not use the DHCP server, manually specify the IP address of the authenticated VLAN interface as the default gateway of the terminal.
Specify the URL common to logging in and logging out
(http://authenticated-VLAN-interface-IP-address/) when logging in to Web authentication.
After the Login Success page (see Figure 9-29: Login Success page) is displayed, use this page
without closing it. You can cancel authentication by clicking the Logout button in the page.
(9) IP address of an authenticated terminal
If you use the DHCP server to configure the terminal's IP address, the DHCP server assigns an IP address of the authenticated network after the terminal's VLAN has been changed, and the terminal can then access the authenticated network.
If you do not use the DHCP server, manually change the terminal's IP address to an address in the post-authentication network after the Login Success page is displayed. If you use a default gateway, change it as well.
10. Description of MAC-based Authentication
This chapter provides an overview of MAC-based authentication, which controls VLAN access
per terminal by authenticating them based on their MAC addresses.
10.1 Overview
10.2 Fixed VLAN mode
10.3 Dynamic VLAN mode
10.4 Legacy mode
10.5 Accounting functionality
10.6 Preparations
10.7 Notes on using MAC-based authentication
10.1 Overview
MAC-based authentication provides functionality for authenticating a terminal by using the
source MAC address of a frame sent from a terminal and allows communication only from
authenticated terminals.
The following authentication modes are available for MAC-based authentication:
• Fixed VLAN mode
Registers the MAC address of a successfully authenticated terminal in the MAC address table and allows access to the VLAN designated by the configuration for communication.
• Dynamic VLAN mode
Registers the MAC address of a successfully authenticated terminal in the MAC VLAN and MAC address table. Terminals are given access to different VLANs before and after authentication.
• Legacy mode
Performs VLAN switching via the MAC VLAN and enables terminals to access different VLANs before and after authentication.
For authentication, there is local authentication, which uses an authentication DB stored in the
Switch (called an internal MAC-based authentication DB), and there is RADIUS authentication,
for which authentication requests are sent to an external RADIUS server. Users can choose
either of these methods.
The following table lists the supported functionality of each authentication mode.
Table 10-1: Supported functionality by authentication mode
Functionality | Fixed VLAN | Dynamic VLAN | Legacy
Switch default: local authentication
  Internal MAC-based authentication DB | Y (see 10.2.1, 10.6.1) | Y (see 10.3.1, 10.6.1) | Y (see 10.4.1, 10.6.1)
  MAC address | Y (see 11.6.2) | Y (see 11.6.2) | Y (see 11.6.2)
  VLAN | Y (see 11.6.2) | Y (see 11.6.2) | Y (see 11.6.2)
  Password | N | N | N
  VLAN (VLAN after authentication) | Y (see 10.2.1, 11.3.2) | Y (see 10.3.1, 11.4.1) | Y (see 10.4.1, 11.5.1)
Switch default: RADIUS authentication
  External server RADIUS server information for MAC-based authentication:
  • General-purpose RADIUS server information | Y (see 5.3.1, 10.2.1, 10.6.2, 11.2.1) | Y (see 5.3.1, 10.3.1, 10.6.2, 11.2.1) | Y (see 5.3.1, 10.4.1, 10.6.2, 11.2.1)
  • User ID (MAC address) | 1-32 characters (see 10.2.1, 10.6.2, 11.2.4) | 1-32 characters (see 10.3.1, 10.6.2, 11.2.4) | 1-32 characters (see 10.4.1, 10.6.2, 11.2.4)
  • VLAN | Y (see 10.6.2) | Y (see 10.6.2) | Y (see 10.6.2)
  • Password | 1-32 characters (see 10.6.2, 11.2.4) | 1-32 characters (see 10.6.2, 11.2.4) | 1-32 characters (see 10.6.2, 11.2.4)
  • VLAN (VLAN after authentication) | Y (see 10.2.1, 10.6.2, 11.3.2) | Y (see 10.3.1, 10.6.2, 11.4.1) | Y (see 10.4.1, 10.6.2, 11.5.1)
Forced authentication | Y (see 10.2.2)# | Y (see 10.3.2)# | Y (see 10.4.2)
Authentication permission port configured | Y (see 11.3.2) | Y (see 11.4.2) | Y (see 11.5.2)
Private trap | Y (see 10.5) | Y (see 10.5) | Y (see 10.5)
MAC address format at authentication and password specification | Y (see 10.6.2, 11.2.4) | Y (see 10.6.2, 11.2.4) | Y (see 10.6.2, 11.2.4)
Authentication method list
  External server RADIUS server group information | Y (see 5.3.1, 10.2.1, 10.6.2, 11.2.1) | Y (see 5.3.1, 10.3.1, 10.6.2, 11.2.1) | N
  Port-based authentication | Y (see 5.2.2, 5.2.3) | Y (see 5.2.2, 5.2.3) | N
Maximum number of authenticated users
  Per port | 1024 (see 10.2.2, 11.3.2) | 256 (see 10.3.2, 11.4.2) | 256 (see 10.4.2, 11.5.2)
  Per Switch | 1024 (see 10.2.2, 11.3.2) | 256 (see 10.3.2, 11.4.2) | 256 (see 10.4.2, 11.5.2)
Authentication and re-authentication
  Authentication restart delay timer | Y (see 10.2.2, 11.2.4) | Y (see 10.3.2, 11.2.4) | Y (see 10.4.2, 11.2.4)
  Periodic re-authentication request | Y (see 10.2.2, 11.2.4) | Y (see 10.3.2, 11.2.4) | Y (see 10.4.2, 11.2.4)
  Authentication target MAC address restriction (MAC access list) | Y (see 10.2.2, 11.2.2) | Y (see 10.3.2, 11.2.2) | Y (see 10.4.2, 11.2.2)
  Authentication dedicated IPv4 access list | Y (see 5.4.1, 5.5.2) | Y (see 5.4.1, 5.5.2) | N
De-authentication
  Maximum connection time exceeded | Y (see 10.2.2, 11.2.3) | Y (see 10.3.2, 11.2.3) | Y (see 10.4.2, 11.2.3)
  Monitoring for authenticated terminal non-communication | Y (see 10.2.2, 11.3.2) | Y (see 10.3.2, 11.4.2) | N
  Monitoring for MAC address table aging | N | N | Y (see 10.4.2, 11.5.2)
  Authenticated terminal connection port link down | Y (see 10.2.2) | Y (see 10.3.2) | N
  VLAN configuration change | Y (see 10.2.2) | Y (see 10.3.2) | Y (see 10.4.2)
  Operation command | Y (see 10.2.2) | Y (see 10.3.2) | Y (see 10.4.2)
Roaming (moving authenticated terminal among ports)
  Port move permission configured | Y (see 10.2.2, 11.3.2) | Y (see 10.3.2, 11.4.2) | N
  Private trap | Y (see 10.5) | Y (see 10.5) | N
Accounting log
  Accounting log built in the Switch | 2,100 lines for all modes (see 10.5)
  RADIUS server accounting functionality | Common to all modes (see 5.3.4, 10.5, 11.2.5)
Legend
Y: Supported
N: Not supported
See 5.x.x: See the relevant section in 5. Overview of Layer 2 Authentication
See 10.x.x: See the relevant section in this chapter
See 11.x.x: See the relevant section in 11. MAC-based authentication Configuration and Operation
#: For details about using forced authentication common to all authentication modes, see 5.4.6 Forced authentication common to all authentication modes.
The following table summarizes the operating conditions of MAC-based authentication.
Table 10-2: Operating conditions of MAC-based authentication
Type | Fixed VLAN | Dynamic VLAN | Legacy
VLAN type: Port VLAN | Y | Y# | N
VLAN type: Protocol VLAN | N | N | N
VLAN type: MAC VLAN | # | Y | Y
VLAN type: Default VLAN | Y | N | N
Port type: Access port | Y | N | N
Port type: Trunk port | Y | N | N
Port type: Protocol port | N | N | N
Port type: MAC port (untagged) | N | Y | Y
Port type: MAC port (tagged) | # | N | N
Interface type: fastethernet | Y | Y | Y
Interface type: gigabitethernet | Y | Y | Y
Interface type: port channel | N | N | N
Legend
Y: Operable
N: Not operable
#: Operable when switchport mac dot1q vlan is configured
#: Operable when automatic authentication mode is configured for untagged frames on a MAC port (see 5.4.4 Auto authentication mode accommodation at the same MAC port for details).
The subsequent sections give an overview of fixed VLAN mode, dynamic VLAN mode, and
legacy mode. For the same functionality and same operation in each authentication mode, read
the descriptions given in the references.
10.2 Fixed VLAN mode
Prior to authentication, a terminal cannot start communication until it is successfully
authenticated. In fixed VLAN mode, after authentication is successful the MAC address and
VLAN ID of the terminal are registered in the MAC address table as a MAC-based authentication
entry, and then the terminal is allowed to communicate. (Entries registered in the MAC address
table can be confirmed by using the show mac-address-table operation command.)
10.2.1 Authentication method group
In the MAC-based authentication method group, the Switch default is used in common for all
MAC-based authentication modes, and an authentication method list is used in both fixed
VLAN mode and dynamic VLAN mode. See the following sections as well:
• 5.1.3 Authentication method groups
• 5.3.3 Configuring the priority for device default local authentication and RADIUS authentication
• 5.2.2 Authentication method lists
• 5.3.1 RADIUS server information used with the Layer 2 authentication method
• 11.2.1 Configuring the authentication method group and RADIUS server information
(1) Switch default: local authentication
In local authentication, the Switch compares the source MAC address of frames sent from a
terminal with the MAC addresses in the internal MAC-based authentication DB. If the source
MAC address matches an entry in the DB, authentication is successful, and the terminal is
allowed to access the network.
Figure 10-1: Fixed VLAN mode (local authentication method)
1. The Switch receives a frame from a terminal (the printer in the figure) connected via a hub.
2. The VLAN ID of the terminal to be authenticated (the printer in the figure) is determined
from the connection port or the VLAN ID of the terminal to be authenticated.
3. The Switch checks the MAC address of the received frame against the MAC-based
authentication DB. (For details about VLAN ID matching, see Table 10-3 VLAN ID matching
in local authentication.)
4. Authentication succeeds if the MAC address is registered in the internal MAC-based
authentication DB.
5. The terminal (the printer in the figure) can now communicate with the servers belonging to
the connected VLAN.
Local authentication can be performed based on the MAC address only or a combination of
MAC address and VLAN ID. Either authentication method can be selected by using the
mac-authentication vlan-check configuration command.
A combination of the MAC address and MAC mask can be registered in the internal MAC-based
authentication DB. The table below summarizes the priorities for matching. The authentication
DB also allows the registration of entries having only MAC addresses as well as entries having
combinations of MAC addresses and MAC masks.
Table 10-3: VLAN ID matching in local authentication
(Rows: setting of the mac-authentication vlan-check configuration command.
Columns: whether a VLAN ID is configured for the entry in the internal MAC-based
authentication DB. (1) and (2) indicate the priority.)
vlan-check set, VLAN ID configured in DB: Yes
  (1) Matches MAC address and VLAN ID
  (2) Matches MAC address, MAC mask, and VLAN ID
vlan-check set, VLAN ID configured in DB: No
  (1) Matches MAC address only
  (2) Matches MAC address and MAC mask
vlan-check not set, VLAN ID configured in DB: Yes
  (1) Matches MAC address only
  (2) Matches MAC address and MAC mask
vlan-check not set, VLAN ID configured in DB: No
  (1) Matches MAC address only
  (2) Matches MAC address and MAC mask
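The lookup order in Table 10-3 is easy to get wrong when an authentication DB mixes exact and masked entries, so the following Python model (added here as an illustration; it is not ALAXALA code and does not run on the Switch) implements the table: exact MAC entries are tried before masked ones, and the VLAN ID is compared only when vlan-check is set and the entry actually has a VLAN ID. The DB contents, the MAC mask semantics (a 1 bit in the mask means the bit is compared) and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


def parse_mac(text: str) -> int:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 notation."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class DbEntry:
    """One entry of the internal MAC-based authentication DB (constructed model)."""
    mac: str
    mask: Optional[str] = None      # None: registered by MAC address only
    vlan_id: Optional[int] = None   # None: no VLAN ID registered for this entry

    def matches_mac(self, src_mac: str) -> bool:
        if self.mask is None:
            return parse_mac(self.mac) == parse_mac(src_mac)
        # Assumption: a 1 bit in the mask means "compare this bit".
        m = parse_mac(self.mask)
        return (parse_mac(self.mac) & m) == (parse_mac(src_mac) & m)


def local_authenticate(db: List[DbEntry], src_mac: str, vlan_id: int,
                       vlan_check: bool) -> Optional[DbEntry]:
    """Look up src_mac the way Table 10-3 describes.

    vlan_check mirrors the mac-authentication vlan-check command.  Priority (1)
    goes to entries registered by MAC address only, priority (2) to entries
    registered with a MAC mask.  The VLAN ID is compared only when vlan-check
    is set *and* the entry has a VLAN ID registered.  Returns the matched
    entry, or None when authentication fails.
    """
    for masked in (False, True):                 # (1) exact entries, then (2) masked
        for entry in db:
            if (entry.mask is not None) != masked:
                continue
            if not entry.matches_mac(src_mac):
                continue
            if vlan_check and entry.vlan_id is not None and entry.vlan_id != vlan_id:
                continue
            return entry
    return None


# Constructed sample DB: one printer by exact MAC in VLAN 10, one vendor prefix
# allowed only in VLAN 20, one device registered without any VLAN information.
SAMPLE_DB = [
    DbEntry("00:11:22:33:44:55", vlan_id=10),
    DbEntry("00:11:22:00:00:00", mask="ff:ff:ff:00:00:00", vlan_id=20),
    DbEntry("aa:bb:cc:dd:ee:ff"),
]

if __name__ == "__main__":
    for mac, vlan in [("00:11:22:33:44:55", 10), ("00:11:22:33:44:55", 20),
                      ("00:11:22:33:44:55", 30), ("aa:bb:cc:dd:ee:ff", 99)]:
        hit = local_authenticate(SAMPLE_DB, mac, vlan, vlan_check=True)
        print(mac, vlan, "->", "success" if hit else "failure", hit)
```

Note the second case: the printer's exact entry is bound to VLAN 10, so with vlan-check set a frame from VLAN 20 falls through to the masked vendor entry; without vlan-check the exact entry wins regardless of VLAN.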
(2) Switch default: RADIUS authentication
In RADIUS authentication, the Switch submits the source MAC address of a frame received
from a terminal to an external RADIUS server for authentication. When the source MAC
address matches an entry in the server, authentication is successful, and the terminal is allowed
to access the network.
Figure 10-2: Fixed VLAN mode (RADIUS authentication method)
1. The Switch receives a frame from a terminal (the printer in the figure) connected via a hub.
2. The VLAN ID of the terminal (the printer in the figure) to be authenticated is determined
from the connection port or the VLAN ID of the terminal to be authenticated.
3. An authentication request is issued to the external RADIUS server by sending a user ID
(terminal MAC address), password (terminal MAC address or password), and VLAN ID.
4. A response indicating successful authentication is received from the RADIUS server.
5. The terminal (the printer in the figure) can now communicate with the servers belonging to
the connected VLAN.
RADIUS authentication can be performed based on the MAC address only or a combination of
MAC address and VLAN ID. Either authentication method can be selected by using the
mac-authentication vlan-check configuration command.
The following table lists the conditions for when the MAC address and VLAN ID are used for
authentication.
Table 10-4: VLAN ID matching in RADIUS authentication
(Configuration command mac-authentication vlan-check / Behavior)
Set: Matches MAC address and VLAN ID
Not set: Matches MAC address only
The format of the MAC address to be used for RADIUS authentication can be defined by using
the mac-authentication id-format configuration command. In addition, the password to
be used for issuing an authentication request to the RADIUS server can be set by using the
mac-authentication password configuration command. If the mac-authentication
password command is not set, the MAC address of the terminal to be authenticated can be used
as the password.
For details, see 10.6.2 RADIUS authentication, (2) Preparing a RADIUS server, (c) MAC
address format and password at authentication request in fixed VLAN mode.
(3) Authentication method list: port-based authentication
For details about operations in port-based authentication, see 5.2.2 Authentication method lists.
10.2.2 Authentication functionality
(1) Trigger for authentication
In fixed VLAN mode, authentication starts for all the frames received by the Switch from the
ports specified for MAC-based authentication fixed VLAN mode. The target ports in the
MAC-based authentication fixed VLAN mode can be set to target Ethernet ports by using the
mac-authentication port configuration command.
(2) Restricting target authentication MAC addresses
In MAC-based authentication, a MAC access list is used to specify a specific range of MAC
addresses as the target for MAC-based authentication.
• Valid MAC access list parameters
Specified contents of the source MAC address and source mask. (Optional information such
as a destination MAC address is not valid.)
• Handling of MAC addresses matching the MAC access list permit condition
The device with the matching MAC address is handled as an authentication target, and
authentication is performed.
• Handling of MAC addresses matching the MAC access list deny condition
The device with the matching MAC address is not handled as an authentication target, and
authentication is not performed.
In addition, when there is no MAC address list ID specified by the mac-authentication
access-group configuration command, no restriction is imposed on the MAC addresses, and
all MAC addresses are subject to authentication.
(3) Re-authentication delay timer
MAC-based authentication allows a re-authentication delay timer to be set. This functionality
reduces the number of re-authentication attempts when frames are repeatedly received from a
terminal that was denied authentication. If a frame is received from a terminal that was denied
authentication within the re-authentication delay timer interval (300 seconds by default),
authentication is not performed.
Figure 10-3: Overview of authentication restart delay timer
In addition, this functionality prevents unnecessary collection of the MAC-based authentication
error log when MAC-based authentication and IEEE 802.1X or Web authentication are
operating on the same port. In a configuration where multiple authentication methods operate on
the same port, terminals scheduled for IEEE 802.1X or Web authentication are also subject to
MAC-based authentication, so authentication requests are unnecessarily processed, and the
MAC-based authentication error log is unnecessarily collected.
For this reason, if a terminal is successfully authenticated by some other authentication method
during a re-authentication delay timer interval, no MAC-based authentication error log is
collected for the terminal. The MAC-based authentication error log is collected only when the
re-authentication delay timer expires and the terminal is not successfully authenticated by the
other authentication method.
The use of authentication MAC address restrictions and the re-authentication delay timer makes
it possible to reduce the chances for unnecessary authentication request processing and
MAC-based authentication error log collection. The mac-authentication timeout
quiet-period configuration command can be used to disable the re-authentication delay timer
or change its timer value.
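The two mechanisms described above, the MAC access list of (2) and the re-authentication delay timer of (3), together decide whether a received frame starts authentication at all. The following Python model is added here as an illustration of that decision (it is not ALAXALA code and does not run on the Switch). The rule format, the "implicit deny" for a MAC that matches no rule, the use of 0 to model a disabled timer and the function names are assumptions made for the example; the 300 second default is the one the text gives.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_QUIET_PERIOD = 300  # seconds: default of mac-authentication timeout quiet-period


def parse_mac(text: str) -> int:
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacAclRule:
    """Source MAC address / source mask pair of a MAC access list (constructed model).
    Only these two fields are evaluated for mac-authentication access-group."""
    action: str        # "permit" or "deny"
    src_mac: str
    src_mask: str      # assumption: 1 bits are compared, 0 bits are ignored

    def matches(self, src_mac: str) -> bool:
        m = parse_mac(self.src_mask)
        return (parse_mac(self.src_mac) & m) == (parse_mac(src_mac) & m)


def is_auth_target(acl: Optional[List[MacAclRule]], src_mac: str) -> bool:
    """No access group configured -> every MAC address is subject to authentication.
    Otherwise the first matching rule decides; a MAC matching no rule is treated
    as denied (assumption: usual implicit-deny behaviour of an access list)."""
    if acl is None:
        return True
    for rule in acl:
        if rule.matches(src_mac):
            return rule.action == "permit"
    return False


class AuthGate:
    """Decides whether a received frame should start MAC-based authentication."""

    def __init__(self, acl: Optional[List[MacAclRule]] = None,
                 quiet_period: int = DEFAULT_QUIET_PERIOD) -> None:
        self.acl = acl
        self.quiet_period = quiet_period          # 0 models a disabled timer (assumption)
        self._denied_at: Dict[str, float] = {}    # MAC -> time authentication was denied

    def should_authenticate(self, src_mac: str, now: float) -> Tuple[bool, str]:
        if not is_auth_target(self.acl, src_mac):
            return False, "outside access list: not an authentication target"
        denied = self._denied_at.get(src_mac.lower())
        if denied is not None and self.quiet_period > 0 and now - denied < self.quiet_period:
            return False, "re-authentication delay timer running"
        return True, "start authentication"

    def record_denied(self, src_mac: str, now: float) -> None:
        self._denied_at[src_mac.lower()] = now

    def error_log_due(self, src_mac: str, now: float,
                      authenticated_by_other_method: bool) -> bool:
        """The MAC-based authentication error log is collected only when the
        timer has expired and no other method (IEEE 802.1X, Web) authenticated
        the terminal in the meantime."""
        denied = self._denied_at.get(src_mac.lower())
        if denied is None or authenticated_by_other_method:
            return False
        return now - denied >= self.quiet_period


# Constructed access list: one vendor prefix is permitted, everything else denied.
SAMPLE_ACL = [
    MacAclRule("permit", "00:11:22:00:00:00", "ff:ff:ff:00:00:00"),
    MacAclRule("deny", "00:00:00:00:00:00", "00:00:00:00:00:00"),
]

if __name__ == "__main__":
    gate = AuthGate(SAMPLE_ACL)
    print(gate.should_authenticate("00:11:22:aa:bb:cc", now=0))
    gate.record_denied("00:11:22:aa:bb:cc", now=100)
    print(gate.should_authenticate("00:11:22:aa:bb:cc", now=200))   # still quiet
    print(gate.should_authenticate("00:11:22:aa:bb:cc", now=400))   # timer expired
```

The gate shows why the text recommends combining both mechanisms on a port shared with IEEE 802.1X or Web authentication: the access list keeps those terminals out of MAC-based authentication entirely, and the timer suppresses the repeated attempts and error logs for any terminal that does reach it.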
(4) Periodic re-authentication request
After successful authentication, a re-authentication request must be issued to the RADIUS
server within a certain period of time (3,600 seconds by default) to reflect the configuration
information of the RADIUS server. When a periodic re-authentication request results in
successful authentication, the authentication status continues. Otherwise, the authentication of
the target terminal is forcibly canceled.
Figure 10-4: Overview of periodic re-authentication request to the RADIUS server
The re-authentication cycle can be configured by using the mac-authentication timeout
reauth-period configuration command.
(5) Specifying a forced authentication port
When a terminal connected to a port for which forced authentication is specified undergoes
RADIUS authentication, and sending a request to the RADIUS server fails due to a line failure
or the RADIUS server does not respond, the terminal becomes authenticated. In the Switch, the
configuration for forced authentication can be shared among all authentication methods or
specified separately per authentication method. For details about the shared forced
authentication configuration, see 5.4.6 Forced authentication common to all authentication modes.
The port subject to forced authentication is configured by using the mac-authentication
static-vlan force-authorized configuration command. In addition, forced
authentication is successful when the following conditions are met.
Table 10-5: Conditions for successful forced authentication
Item: Configuration
Condition: All the following configurations have been set:
  • aaa authentication mac-authentication#1
  • mac-authentication radius-server host or radius-server host
  • mac-authentication system-auth-control
  • mac-authentication port#2
  • mac-authentication static-vlan force-authorized#2
  • mac-authentication authentication#3
Item: Accounting log
Condition: The following accounting log is collected when an authentication request is sent to the
RADIUS server:
  No=21
  NOTICE:LOGIN: (additional-information) Login failed ; Failed to
  connection to RADIUS server.
  additional-information: MAC, PORT, or VLAN
  The accounting log can be confirmed by using the show mac-authentication
  logging operation command.
#1
When using forced authentication by Switch default, specify only default group
radius.
When using port-based authentication, set <list-name> group <group-name>.
#2
Specify the same Ethernet port.
#3
Specify this when using port-based authentication.
In addition, when a terminal becomes authenticated through forced authentication, the
authentication status of the terminal is cleared like a normal authenticated terminal, as described
in 10.2.2 Authentication functionality, (7) De-authentication.
Furthermore, all the operations from the start of requesting authentication to the RADIUS server
to successful forced authentication are the same for shared forced authentication and
per-authentication-method forced authentication. For details about the operations, see 5.4.6
Forced authentication common to all authentication modes, (1) Behavior from the start of an
RADIUS authentication request to permission for forced authentication.
(6) Maximum number of authentication terminals
The maximum number of authentication terminals can be specified per Switch and per port. In
addition, the maximum number of authentication terminals (up to 1,024) can be specified by
using the mac-authentication static-vlan max-user configuration command.
Though the maximum number of authentication terminals can be specified per Switch and per
port simultaneously, if either limit is reached, no more terminals can be authenticated. Also, if
the maximum number of authentication terminals is changed to a value lower than the number of
currently authenticated terminals, the currently authenticated terminals can continue
communication, but no more terminals can be authenticated.
(7) De-authentication
Fixed VLAN mode provides the following de-authentication methods:
• De-authentication when the maximum connection time is exceeded
• De-authentication by monitoring the non-communication state of authenticated terminals
• De-authentication of terminals connected to link-down ports
• De-authentication resulting from changes to the VLAN configuration
• De-authentication by using an operation command
(a) De-authentication when the maximum connection time is exceeded
The maximum connection time is monitored per authenticated terminal (by MAC address)
starting from successful terminal authentication, and a terminal is de-authenticated
automatically when the maximum connection time is exceeded. The maximum connection time
can be configured by using the mac-authentication max-timer configuration command.
(b) De-authentication by monitoring the non-communication state of authenticated terminals
This functionality automatically de-authenticates an authenticated terminal if the terminal
remains in a non-communication status for a certain period of time. Also, the MAC-based
authentication entry of the MAC address table is periodically monitored (every minute) to
confirm whether frames are being received from each authenticated terminal. If no frame is
received from a target terminal for a certain period of time#, the target MAC-based
authentication entry is deleted from the MAC address table, and the terminal is de-authenticated.
#
Configured by using the mac-authentication auto-logout configuration command
(delay-time, 3,600 seconds by default)
The non-communication monitoring time can be changed or disabled by using the
mac-authentication auto-logout configuration command. Note that if the
non-communication monitoring time (delay-time) is set to 0, the default value (3,600
seconds) is used.
Figure 10-5: Overview of non-communication monitoring of authenticated terminals
Non-communication monitoring is enabled for authenticated terminals when the following
condition is met:
• The MAC-based authentication fixed VLAN mode or dynamic VLAN mode is in effect
and mac-authentication auto-logout is enabled
If the no mac-authentication auto-logout configuration command is set, terminals are
not de-authenticated.
(c) De-authentication of terminals connected to link-down ports
When a link-down is detected on a port for which the mac-authentication port
configuration command is set, the authenticated terminal in the MAC-based authentication fixed
VLAN mode of the port is automatically de-authenticated.
(d) De-authentication resulting from changes to the VLAN configuration
When the configuration of a VLAN including authenticated terminals is changed by
configuration commands, the terminals included in the changed VLAN are automatically
de-authenticated.
[Changes to the configuration]
• The VLAN is deleted.
• The VLAN is suspended.
(e) De-authentication by using an operation command
You can manually de-authenticate some or all MAC-authenticated terminals by using the clear
mac-authentication auth-state operation command.
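The limits of (6) and the de-authentication methods of (7) all act on the same table of MAC-based authentication entries. The following Python model is added here to show them interacting on one session table (it is not ALAXALA code and does not run on the Switch). The per-port limit syntax, the unlimited default for the maximum connection time, the method names and the sample values are assumptions made for the example; the 3,600 second auto-logout default, the once-a-minute check and the "delay-time 0 means the default" rule are the ones the text gives.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_AUTO_LOGOUT = 3600   # seconds: delay-time default of mac-authentication auto-logout
MONITOR_INTERVAL = 60        # MAC address table entries are checked once a minute


@dataclass
class Session:
    mac: str
    port: str
    vlan_id: int
    authenticated_at: float
    last_frame_at: float


class FixedVlanSessions:
    """Constructed model of the MAC-based authentication entries of fixed VLAN mode."""

    def __init__(self, switch_max: int, port_max: Dict[str, int],
                 max_timer: Optional[int] = None,
                 auto_logout: Optional[int] = DEFAULT_AUTO_LOGOUT) -> None:
        self.switch_max = switch_max       # mac-authentication static-vlan max-user (per Switch)
        self.port_max = port_max           # per-port limits (assumed representation)
        self.max_timer = max_timer         # mac-authentication max-timer; None = no limit (assumption)
        # no mac-authentication auto-logout -> None (never de-authenticated this way);
        # delay-time 0 -> the default 3,600 seconds is used (10.2.2 (7)(b)).
        self.auto_logout = DEFAULT_AUTO_LOGOUT if auto_logout == 0 else auto_logout
        self.sessions: Dict[str, Session] = {}

    def count_on(self, port: str) -> int:
        return sum(1 for s in self.sessions.values() if s.port == port)

    def can_admit(self, port: str) -> bool:
        """Reaching either limit blocks further authentication."""
        if len(self.sessions) >= self.switch_max:
            return False
        return self.count_on(port) < self.port_max.get(port, self.switch_max)

    def admit(self, mac: str, port: str, vlan_id: int, now: float) -> bool:
        if not self.can_admit(port):
            return False
        self.sessions[mac] = Session(mac, port, vlan_id, now, now)
        return True

    def set_switch_max(self, new_max: int) -> None:
        """Lowering the limit below the current count keeps existing terminals
        communicating; only new authentications are refused."""
        self.switch_max = new_max

    def note_frame(self, mac: str, now: float) -> None:
        if mac in self.sessions:
            self.sessions[mac].last_frame_at = now

    def _remove_where(self, pred: Callable[[Session], bool], reason: str) -> List[Tuple[str, str]]:
        removed = sorted((s.mac, reason) for s in self.sessions.values() if pred(s))
        for mac, _ in removed:
            del self.sessions[mac]
        return removed

    def monitor(self, now: float) -> List[Tuple[str, str]]:
        """Periodic check; the caller runs it every MONITOR_INTERVAL seconds.
        (a) maximum connection time, then (b) non-communication monitoring."""
        removed: List[Tuple[str, str]] = []
        for s in list(self.sessions.values()):
            if self.max_timer is not None and now - s.authenticated_at >= self.max_timer:
                removed.append((s.mac, "max-timer"))
            elif self.auto_logout is not None and now - s.last_frame_at >= self.auto_logout:
                removed.append((s.mac, "auto-logout"))
        for mac, _ in removed:
            del self.sessions[mac]
        return sorted(removed)

    def link_down(self, port: str) -> List[Tuple[str, str]]:          # (c)
        return self._remove_where(lambda s: s.port == port, "link-down")

    def vlan_deleted_or_suspended(self, vlan_id: int) -> List[Tuple[str, str]]:   # (d)
        return self._remove_where(lambda s: s.vlan_id == vlan_id, "vlan-config-change")

    def clear(self, mac: Optional[str] = None) -> List[Tuple[str, str]]:          # (e)
        """clear mac-authentication auth-state: one terminal, or all when mac is None."""
        return self._remove_where(lambda s: mac is None or s.mac == mac, "operator")


if __name__ == "__main__":
    table = FixedVlanSessions(switch_max=3, port_max={"0/1": 2, "0/2": 2},
                              max_timer=7200, auto_logout=0)
    for mac, port in [("a", "0/1"), ("b", "0/1"), ("c", "0/1"), ("c", "0/2"), ("d", "0/2")]:
        print(mac, port, "admitted" if table.admit(mac, port, 10, 0) else "refused")
    table.note_frame("a", 3000)
    print(table.monitor(3700))   # b and c idle for 3,600 s -> auto-logout
    print(table.monitor(7300))   # a reaches the maximum connection time
```

Two details worth checking in a deployment are visible in the model: a lowered max-user value does not evict anything already authenticated, and the non-communication monitor only sees frames that update the entry, so a silent terminal is de-authenticated even though its link never went down.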
(8) Roaming (moving authenticated terminals between ports)
If an authenticated terminal (the printer in the figure below) connected via a hub is moved
among ports without a link-down occurring, the terminal is still authenticated and can continue
communication.
Roaming is possible when all of the following conditions are met:
• The mac-authentication static-vlan roaming configuration command is set.
• The ports before and after the move are fixed VLAN mode ports.
• The VLAN before and after the move is the same VLAN.
If terminal movement among ports is detected while the above conditions are not met, the target
terminal is forcibly de-authenticated.
Figure 10-6: Roaming in fixed VLAN mode
10.3 Dynamic VLAN mode
Prior to authentication, a terminal cannot start communication until it is successfully
authenticated. In dynamic VLAN mode, after authentication is successful the MAC address of the
terminal and the VLAN ID assigned by MAC-based authentication are both registered in the MAC
VLAN and MAC address table as a MAC-based authentication entry, and then the terminal is
allowed to communicate. (Entries registered in the MAC address table can be confirmed by using
the show mac-address-table operation command.)
10.3.1 Authentication method group
In the MAC-based authentication method group, the Switch default is used in common for all
MAC-based authentication modes, and an authentication method list is used in both fixed
VLAN mode and dynamic VLAN mode. See the following sections as well:
• 5.1.3 Authentication method groups
• 5.3.3 Configuring the priority for device default local authentication and RADIUS authentication
• 5.2.2 Authentication method lists
• 5.3.1 RADIUS server information used with the Layer 2 authentication method
• 11.2.1 Configuring the authentication method group and RADIUS server information
(1) Switch default: local authentication
The source MAC address of a frame received from a terminal is compared with the MAC
addresses in the internal MAC-based authentication DB. If the source MAC address matches an
entry in the DB, authentication is successful. The terminal gains membership to the VLAN
registered in the internal MAC-based authentication DB, and communication becomes possible.
Figure 10-7: Dynamic VLAN mode (local authentication)
1. The Switch receives a frame from a terminal (the printer in the figure) connected via a hub.
2. The MAC address of the received frame is compared with those in the internal MAC-based
authentication DB of the Switch.
3. If the MAC address matches one in the DB, the VLAN to which the terminal will become a
member is determined according to the VLAN registered in the internal MAC-based
authentication DB.
4. The terminal (the printer in the figure) gains membership to the VLAN
(post-authentication VLAN) registered in the internal MAC-based authentication DB, and
then the terminal is allowed to communicate with the servers that belong to the
post-authentication VLAN. In addition, the MAC address and VLAN ID of the
authenticated terminal are registered in the MAC VLAN and MAC address table.
(a) Switching accommodation VLANs
For details, see 5.4.3 Auto MAC VLAN assignment and 5.4.4 Auto authentication mode
accommodation at the same MAC port.
(2) Switch default: RADIUS authentication
In RADIUS authentication, an authentication request is sent to an external RADIUS server by
using the source MAC address of frames sent from a terminal. If authentication is successful,
the terminal gains membership to the specified post-authentication VLAN, and communication
becomes possible.
Figure 10-8: Dynamic VLAN mode (RADIUS authentication)
1. The Switch receives a frame from a terminal (the printer in the figure) connected via a hub.
2. An authentication request is issued to an external RADIUS server by sending a user ID
(terminal MAC address) and a password (terminal MAC address or password).
3. If authentication is successful, VLAN information from the RADIUS server is received.
4. The terminal (the printer in the figure) gains membership to the VLAN
(post-authentication VLAN) received from the RADIUS server and is allowed to
communicate with the terminals that belong to the post-authentication VLAN. In addition,
the MAC address and VLAN ID of the authenticated terminal are registered in the MAC
VLAN and MAC address table.
(a) Switching accommodation VLANs
For details, see 5.4.3 Auto MAC VLAN assignment and 5.4.4 Auto authentication mode
accommodation at the same MAC port.
(3) Authentication method list: port-based authentication
For details on operations at authentication by port, see 5.2.2 Authentication method lists.
10.3.2 Authentication functionality
(1) Trigger for authentication
In dynamic VLAN mode, all frames received by the Switch via the port subject to the
MAC-based authentication dynamic VLAN mode become triggers that start authentication. The
port subject to the MAC-based authentication dynamic VLAN mode is set to the target Ethernet
port by the mac-authentication port configuration command. In addition, the type of the
target Ethernet port (switchport mode configuration command) must be set to the MAC port
in advance.
(2) Restricting target authentication MAC addresses
This functionality works the same as in fixed VLAN mode. See 10.2.2 Authentication
functionality, (2) Restricting target authentication MAC addresses.
(3) Re-authentication delay timer
This functionality works the same as in fixed VLAN mode. See 10.2.2 Authentication
functionality, (3) Re-authentication delay timer.
(4) Periodic re-authentication request
This functionality works the same as in fixed VLAN mode. See 10.2.2 Authentication
functionality, (4) Periodic re-authentication request.
(5) Specifying a forced authentication port
When a terminal connected to a port for which forced authentication is specified undergoes
RADIUS authentication, and sending a request to the RADIUS server fails due to a line failure
or the RADIUS server does not respond, the terminal becomes authenticated. In the Switch, the
configuration for forced authentication can be shared among all authentication methods or
specified separately per authentication method. For details about the shared forced
authentication configuration, see 5.4.6 Forced authentication common to all authentication modes.
The port subject to forced authentication is configured by using the mac-authentication
force-authorized vlan configuration command. In addition, forced authentication is
successful when the following conditions are met.
Table 10-6: Conditions for successful forced authentication
Item: Configuration
Condition: All the following configurations have been set:
  • aaa authentication mac-authentication#1
  • mac-authentication radius-server host or radius-server host
  • mac-authentication system-auth-control
  • vlan <VLAN-ID-list> mac-based#2
  • mac-authentication force-authorized vlan#2, #3
  • mac-authentication port#3
  • switchport mode mac-vlan#3
  • mac-authentication authentication#4
Item: Accounting log
Condition: The following accounting log is collected when an authentication request is sent to
the RADIUS server:
  No=21
  NOTICE: LOGIN: (additional-information) Login failed; Failed to
  connection to RADIUS server.
  additional-information: MAC, PORT, VLAN
  The accounting log can be confirmed by using the show mac-authentication
  logging operation command.
#1
When using forced authentication by Switch default, set only default group radius.
When using port-based authentication, set <list-name> group <group-name>.
#2
Specify the same VLAN ID.
#3
Specify the same Ethernet port.
#4
Specify this when using port-based authentication.
In addition, when a terminal becomes authenticated through forced authentication, the
authentication status of the terminal is cleared like a normal authenticated terminal, as described
in 10.3.2 Authentication functionality, (7) De-authentication.
Furthermore, all operations from the start of requesting authentication to the RADIUS server to
successful forced authentication are the same for shared forced authentication and
per-authentication-method forced authentication. For details about the operations, see 5.4.6
Forced authentication common to all authentication modes, (1) Behavior from the start of an
RADIUS authentication request to permission for forced authentication.
(6) Maximum number of authentication terminals
The maximum number of authentication terminals can be specified per Switch and per port. The
maximum number of authentication terminals (up to 256) can be specified by using the
mac-authentication max-user configuration command.
Though the maximum number of authentication terminals can be specified per Switch and per
port simultaneously, if either limit is reached, no more terminals can be authenticated. Also, if
the maximum number of authentication terminals is changed to a value lower than the number of
currently authenticated terminals, the currently authenticated terminals can continue
communication, but no more terminals can be authenticated.
(7) De-authentication
Dynamic VLAN mode provides the following de-authentication methods:
• De-authentication when the maximum connection time is exceeded
• De-authentication by monitoring the non-communication state of authenticated terminals
• De-authentication of terminals connected to link-down ports
• De-authentication resulting from changes to the VLAN configuration
• De-authentication by using an operation command
Each de-authentication method operates the same as those for fixed VLAN mode. For details,
see 10.2.2 Authentication functionality, (7) De-authentication.
(8) Roaming (moving authenticated terminals between ports)
If an authenticated terminal (the printer in the figure below) connected via a hub is moved
among ports without a link-down occurring, the terminal is still authenticated and can continue
communication.
Roaming is possible when all of the following conditions are met:
• The mac-authentication roaming configuration command is set.
• The ports before and after the move are dynamic VLAN mode ports.
• The post-authentication VLAN before the move is defined for the port after the move by
using the switchport mac vlan configuration command.
If terminal movement among ports is detected while the above conditions are not met, the target
terminal is forcibly de-authenticated.
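The roaming conditions of fixed VLAN mode (10.2.2 (8)) and dynamic VLAN mode (10.3.2 (8)) differ only in which VLAN list the new port must carry, so one check covers both. The following Python function is added here to make that decision explicit (it is not ALAXALA code and does not run on the Switch); the port model, the use of a single VLAN set per port and the function name are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AuthPort:
    """Constructed model of an authentication port.
    mode:  "fixed" (mac-authentication port on an access/trunk port),
           "dynamic" (mac-authentication port on a MAC port), or None.
    vlans: VLANs the port accommodates: the port or trunk VLANs for fixed VLAN
           mode, the switchport mac vlan list for dynamic VLAN mode."""
    name: str
    mode: Optional[str]
    vlans: FrozenSet[int] = frozenset()


def roaming_decision(mode: str, roaming_configured: bool, session_vlan: int,
                     old_port: AuthPort, new_port: AuthPort) -> Tuple[bool, str]:
    """Return (keep_authentication, reason) for an authenticated terminal that
    appears on new_port without a link-down on old_port.

    roaming_configured stands for mac-authentication static-vlan roaming in
    fixed VLAN mode and mac-authentication roaming in dynamic VLAN mode.
    A False result means the terminal is forcibly de-authenticated.
    """
    if not roaming_configured:
        return False, "roaming command not set: forced de-authentication"
    if old_port.mode != mode or new_port.mode != mode:
        return False, f"both ports must be {mode} VLAN mode ports"
    if mode == "fixed":
        # The VLAN before and after the move must be the same VLAN.
        if session_vlan in old_port.vlans and session_vlan in new_port.vlans:
            return True, "same VLAN before and after the move"
        return False, "VLAN differs after the move"
    if mode == "dynamic":
        # The post-authentication VLAN must be defined on the new port
        # with switchport mac vlan.
        if session_vlan in new_port.vlans:
            return True, "post-authentication VLAN defined on the new port"
        return False, "post-authentication VLAN not defined on the new port"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed ports: two fixed VLAN mode ports sharing VLAN 10, one in VLAN 20,
    # and two dynamic VLAN mode MAC ports with different switchport mac vlan lists.
    p1 = AuthPort("0/1", "fixed", frozenset({10}))
    p2 = AuthPort("0/2", "fixed", frozenset({10, 20}))
    p3 = AuthPort("0/3", "fixed", frozenset({20}))
    m1 = AuthPort("0/5", "dynamic", frozenset({100, 200}))
    m2 = AuthPort("0/6", "dynamic", frozenset({200}))
    print(roaming_decision("fixed", True, 10, p1, p2))
    print(roaming_decision("fixed", True, 10, p1, p3))
    print(roaming_decision("dynamic", True, 100, m1, m2))
```

The forced de-authentication branch is the security-relevant one: a terminal that turns up on a port outside its authorized VLAN set loses its entry instead of carrying its authentication into a VLAN it was never admitted to.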
Figure 10-9: Roaming in dynamic VLAN mode
10.4 Legacy mode
10.4.1 Authentication method group
In the MAC-based authentication method group, the Switch default is used in common for all
MAC-based authentication modes. (Note that the authentication method list can be used in
legacy mode.) For details, see the following sections:
• 5.1.3 Authentication method groups
• 5.3.3 Configuring the priority for device default local authentication and RADIUS authentication
• 5.3.1 RADIUS server information used with the Layer 2 authentication method
• 11.2.1 Configuring the authentication method group and RADIUS server information
(1) Switch default: local authentication
The source MAC address of a frame received from a terminal is compared with the MAC
addresses in the internal MAC-based authentication DB. If the source MAC address matches an
entry in the DB, authentication is successful. The terminal gains membership to the VLAN
registered in the internal MAC-based authentication DB, and communication becomes possible.
Figure 10-10: Legacy mode (local authentication)
1. The Switch receives a frame from a terminal (the printer in the figure) connected via a hub.
2. The MAC address of the received frame is compared with those in the internal MAC-based
authentication DB of the Switch.
3. If the MAC address matches one in the DB, the VLAN to which the terminal will become a
member is determined according to the VLAN registered in the internal MAC-based
authentication DB.
4. The terminal (the printer in the figure) gains membership to the VLAN
(post-authentication VLAN) registered in the internal MAC-based authentication DB, and
then the terminal is allowed to communicate with the servers that belong to the
post-authentication VLAN.
(a) Switching accommodation VLANs
Authentication fails after legacy mode authentication is performed if the VLAN ID registered
for the entry of the target MAC address in the internal MAC-based authentication DB has not
been included in the VLAN configuration (mac-authentication vlan configuration
command). Authentication also fails if no VLAN information has been registered for the entry
of the target MAC address in the internal MAC-based authentication DB.
(2) Switch default: RADIUS authentication
In RADIUS authentication, an authentication request is sent to an external RADIUS server by
using the source MAC address of frames sent from a terminal. If authentication is successful,
the terminal gains membership to the specified post-authentication VLAN, and communication
becomes possible.
Figure 10-11: Legacy mode (RADIUS authentication)
1. The Switch receives a frame from a terminal (the printer in the figure) connected via a hub.
2. An authentication request is issued to an external RADIUS server by sending a user ID
(terminal MAC address) and a password (terminal MAC address or password).
3. If authentication is successful, VLAN information from the RADIUS server is received.
4. The terminal (the printer in the figure) gains membership to the VLAN
(post-authentication VLAN) received from the RADIUS server and is allowed to
communicate with the terminals that belong to the post-authentication VLAN.
(a) Switching accommodation VLANs
Authentication fails after legacy mode authentication is performed if the VLAN ID registered
for the entry of the target MAC address in the internal MAC-based authentication DB has not
been included in the VLAN configuration (mac-authentication vlan configuration
command).
10.4.2 Authentication functionality
(1) Trigger for authentication
In legacy mode, all frames received by the Switch from a port that is a member of the MAC
VLAN, and from the native VLAN of the port specified as subject to the MAC-based
authentication legacy mode, are triggers that start authentication. All frames are subject to
authentication regardless of whether they are MAC unicast, MAC broadcast, or MAC multicast
frames.
For this reason, if terminals in the native VLAN of the MAC VLAN attempt to communicate
with each other, all of their communication data consists of frames subject to MAC-based
authentication, and MAC-based authentication is performed on them. To cope with this, it is
essential to ensure proper settings and operation by restricting the MAC addresses subject to
authentication or by using similar functionality.
In MAC-based authentication, the need for special settings and authentication procedures is
eliminated by simply connecting the target terminal to the Switch directly or via another switch.
However, note that MAC-based authentication is never started unless a frame is sent from the
target MAC terminal.
The authentication port in legacy mode differs from that in fixed VLAN mode and dynamic
VLAN mode. An Ethernet port number is specified per Switch rather than per port for legacy
mode operation. This port number for legacy mode operation can be set by using the
mac-authentication interface command.
(2) Restricting target authentication MAC addresses
This functionality works the same as in fixed VLAN mode. See 10.2.2 Authentication
functionality, (2) Restricting target authentication MAC addresses.
(3) Re-authentication delay timer
This functionality works the same as in fixed VLAN mode. See 10.2.2 Authentication
functionality, (3) Re-authentication delay timer.
(4) Periodic re-authentication request
This functionality works the same as in fixed VLAN mode. For details, see 10.2.2
Authentication functionality, (4) Periodic re-authentication request.
(5) Specifying a forced authentication port
When a terminal connected to a port for which forced authentication is specified undergoes
RADIUS authentication, and sending a request to the RADIUS server fails due to a line failure
or the RADIUS server does not respond, the terminal becomes authenticated. In the Switch, the
configuration for forced authentication can be shared among all authentication methods or
specified separately per authentication method. However, legacy mode does not operate when
the configuration for forced authentication is shared among all authentication modes. In this case,
be sure to use the forced authentication functionality for MAC-based authentication. The port
subject to forced authentication is configured by using the mac-authentication
force-authorized vlan configuration command. Forced authentication is successful when
the following conditions are met.
Table 10-7: Conditions for successful forced authentication
Configuration: All the following configurations have been set:#1
  • aaa authentication mac-authentication
  • mac-authentication radius-server host or radius-server host
  • mac-authentication system-auth-control
  • mac-authentication vlan <VLAN-ID-list>#2
  • vlan <VLAN-ID-list> mac-based#2
  • mac-authentication force-authorized vlan#2, #3
  • switchport mac vlan#2, #3
  • switchport mode mac-vlan#3
  • mac-authentication interface#4
Accounting log: The following accounting log is collected when an authentication request is sent to
the RADIUS server:
  No=21
  NOTICE: LOGIN: (additional-information) Login failed ; Failed to
  connection to RADIUS server.
  additional-information: MAC, PORT, VLAN
  The accounting log can be confirmed by using the show mac-authentication
  logging operation command.
#1
When using forced authentication by Switch default, set only default group radius.
#2
Specify the same VLAN ID.
#3
Specify the same Ethernet port.
#4
Specify an Ethernet port number for which the command in #3 has been set.
In addition, when a terminal becomes authenticated through forced authentication, the
authentication status of the terminal is canceled like a normal authenticated terminal, as
described in 10.4.2 Authentication functionality, (7) De-authentication.
Furthermore, all operations from the start of requesting authentication to the RADIUS server to
successful forced authentication are the same for shared forced authentication and
per-authentication-method forced authentication. For details about the operations, see 5.4.6
Forced authentication common to all authentication modes, (1) Behavior from the start of a
RADIUS authentication request to permission for forced authentication.
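Forced authentication admits a terminal whenever the RADIUS server cannot be reached, so the No=21 accounting entries above are the evidence that terminals were allowed onto the VLAN without a RADIUS verdict. The following Python script is an added example (not code from the manual or from the Switch) that parses such entries and groups them per port into time windows, which is what an operator reviewing show mac-authentication logging output would want to see. The timestamp prefix and the rendering of the additional information as MAC=, PORT= and VLAN= fields are assumptions; only the No=21 message text itself is taken from the table above. The log lines are constructed.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample accounting log. The message text after the parentheses is the
# No=21 message the manual lists; the timestamp and the MAC=/PORT=/VLAN= rendering
# of the additional information are assumptions for this example.
SAMPLE_LOG = """\
2010/01/12 09:00:01 No=21 NOTICE: LOGIN: (MAC=12-34-56-00-ff-e1,PORT=0/5,VLAN=10) Login failed ; Failed to connection to RADIUS server.
2010/01/12 09:00:03 No=21 NOTICE: LOGIN: (MAC=12-34-56-00-ff-e2,PORT=0/5,VLAN=10) Login failed ; Failed to connection to RADIUS server.
2010/01/12 09:00:04 No=21 NOTICE: LOGIN: (MAC=12-34-56-00-ff-e3,PORT=0/7,VLAN=10) Login failed ; Failed to connection to RADIUS server.
2010/01/12 09:31:00 No=21 NOTICE: LOGIN: (MAC=12-34-56-00-ff-e4,PORT=0/5,VLAN=10) Login failed ; Failed to connection to RADIUS server.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"No=(?P<no>\d+) (?P<level>\w+): (?P<kind>LOGIN|LOGOUT|SYSTEM): "
    r"\((?P<info>[^)]*)\) (?P<msg>.*)$"
)

RADIUS_UNREACHABLE = "Failed to connection to RADIUS server"


def parse_entries(text):
    """Parse accounting log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # additional-information is a comma-separated list of KEY=VALUE pairs (assumed layout)
        info = dict(kv.split("=", 1) for kv in m["info"].split(",") if "=" in kv)
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "no": int(m["no"]),
            "kind": m["kind"],
            "msg": m["msg"],
            **info,
        })
    return entries


def radius_unreachable_events(entries):
    """No=21 entries whose RADIUS request got no answer. On a port with
    force-authorized configured these are terminals admitted without a RADIUS
    verdict, so they are the entries worth reviewing."""
    return [e for e in entries if e["no"] == 21 and RADIUS_UNREACHABLE in e["msg"]]


def forced_auth_windows(entries, window=timedelta(minutes=5)):
    """Group RADIUS-unreachable logins per port into time windows.
    Returns {port: [(window_start, [mac, ...]), ...]} in order of first appearance."""
    per_port = OrderedDict()
    for e in sorted(radius_unreachable_events(entries), key=lambda e: e["ts"]):
        windows = per_port.setdefault(e["PORT"], [])
        if windows and e["ts"] - windows[-1][0] <= window:
            windows[-1][1].append(e["MAC"])
        else:
            windows.append((e["ts"], [e["MAC"]]))
    return per_port


def summarize(text, window=timedelta(minutes=5)):
    """Per port, the number of terminals admitted in each RADIUS-outage window."""
    grouped = forced_auth_windows(parse_entries(text), window)
    return {port: [len(macs) for _, macs in wins] for port, wins in grouped.items()}


if __name__ == "__main__":
    for port, counts in summarize(SAMPLE_LOG).items():
        print(f"port {port}: terminals admitted during RADIUS outage, per window: {counts}")
```

A port that shows many admissions in one window while the rest of the Switch is quiet is the case to investigate, because every terminal in that window was placed in the VLAN on the strength of the RADIUS server being unreachable rather than on its MAC address being registered.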
(6) Maximum number of authentication terminals
The maximum number of authentication terminals can be specified per Switch and per port. The
maximum number of authentication terminals (up to 256) can be specified by using the
mac-authentication max-user configuration command.
Though the maximum number of authentication terminals can be specified per Switch and per
port simultaneously, if either limit is reached, no more terminals can be authenticated. Also, if
the maximum number of authentication terminals is changed to a value lower than the number of
currently authenticated terminals, the currently authenticated terminals can continue
communication, but no more terminals can be authenticated.
(7) De-authentication
Legacy mode provides the following de-authentication methods:
• De-authentication when the maximum connection time is exceeded
• De-authentication by monitoring the aging of the MAC address table
• De-authentication resulting from changes to the VLAN configuration
• De-authentication by using an operation command
With the exception of de-authentication by monitoring the aging of the MAC address table, each
de-authentication method operates the same as in fixed VLAN mode. For details, see 10.2.2
Authentication functionality, (7) De-authentication.
(a) De-authentication by monitoring the aging of the MAC address table
Dynamic entries in the MAC address table are periodically monitored (at approximately
one-minute intervals) for whether the MAC address of the terminal registered with a VLAN ID
after legacy mode authentication has aged. The MAC address aging time in legacy mode differs
from that in fixed VLAN mode and dynamic VLAN mode and conforms to the setting of the
mac-address-table aging-time configuration command. After a target MAC address is
deleted due to aging timeout as specified by mac-address-table aging-time, if the MAC
address is still deleted after the delay time specified by the mac-authentication
auto-logout configuration command (delay-time, 3,600 seconds by default),
de-authentication is performed automatically. The delay time after aging timeout can be
changed or disabled by using the mac-authentication auto-logout configuration
command.
In addition, if the delay time (delay-time) is set to 0, de-authentication is performed
immediately after the target MAC address is deleted due to aging timeout.
Figure 10-12: Overview of MAC address table aging of authenticated terminals in legacy mode
(8) Moving authenticated terminals among ports and displaying the number of authenticated terminals
No roaming configurations are supported in legacy mode. If an attempt is made to move an
authenticated terminal to another port, the following operations are performed:
1. After a terminal is authenticated successfully, it is counted towards the number of
   authentication terminals on the port at which it was authenticated.
2. If a terminal authenticated in legacy mode is moved to another port, it is allowed to
   continue communication as long as all of the following conditions are met:
   • The ports before and after the move are ports subject to legacy mode.
   • The post-authentication VLAN before the move must have been defined in the
     switchport mac vlan configuration command for the port after the move.
   The moved terminal is allowed to continue communication until it is detected by
   monitoring of MAC address table aging. However, if DHCP snooping and filters are in use
   at the port after the move, whether communication can continue depends upon their
   conditions. If a terminal is moved while the above conditions are not met, it is
   de-authenticated. However, if a terminal authenticated in legacy mode is moved to a port
   not subject to authentication, the terminal might not be de-authenticated.
3. The movement of a terminal to another port is detected when the next re-authentication is
   performed.
4. If the port after the move is subject to legacy mode authentication, the number of
   authenticated terminals is counted as follows:
   • If the number of authenticated terminals is less than the maximum, the number of
     authenticated terminals at the port prior to the move is subtracted, and terminal
     authentication and registration is performed at the port after the move.
   • If the number of authenticated terminals is equal to or greater than the maximum, the
     number of authenticated terminals at the port prior to the move is subtracted, and
     terminal de-authentication is performed.
5. If the loss of a MAC address at the port before the move is detected by monitoring of MAC
   address table aging before the next time authentication is performed, the terminal is
   authenticated at the port after the move as a new terminal.
10.5 Accounting functionality
The authentication results of MAC-based authentication are recorded by the following
accounting functionality:
• Built-in accounting log of the Switch
• Recording in the accounting functionality of the RADIUS server
• Recording authentication information in the RADIUS server
• Outputting accounting log information to the syslog server
(1) Built-in accounting log of the Switch
The built-in accounting log of the Switch can log a maximum of 2,100 lines total for all the
MAC-based authentication modes. When the maximum number of 2,100 lines is exceeded, the
oldest lines are deleted, and the newest accounting log information is added. The following table
lists the accounting log information that is recorded.
Table 10-8: Types of accounting log entries
LOGIN: Information (success or failure) relating to an authentication operation
LOGOUT: Information (reason, etc.) relating to a de-authentication operation
SYSTEM: Information relating to operation of MAC-based authentication functionality
(including roaming detection and forced authentication)
Table 10-9: Information output to the built-in accounting log of the Switch
Accounting log entry type | Time | MAC | VLAN | PORT | Message
LOGIN (Success) | Y | Y | Y# | Y | Authentication success message
LOGIN (Failure) | Y | Y | Y# | Y# | Authentication failure reason message
LOGOUT | Y | Y | Y# | Y | De-authentication message
SYSTEM | Y | Y | Y# | Y# | Message relating to MAC-based authentication functionality operation
Legend
Y: Message output
N: No message output
#
Some messages might not be output.
For details about the messages, see 27. MAC-based authentication show mac-authentication
logging in the manual Operation Command Reference.
In addition, the following lists the output functionality of the accounting logs:
1. Console display per event
   Even when the trace-monitor enable operation command has been set, accounting log
   information is not output to the console each time an event occurs.
2. Operation command display
   By using the show mac-authentication logging operation command, you can
   display the collected accounting log entries in chronological order starting from the latest
   one.
3. Output to the syslog server
   For details, see (4) Outputting accounting log information to the syslog server.
4. Private trap
   The Switch supports functionality for issuing a private trap when accounting log
   information is collected for specific MAC-based authentication events. Use configuration
   commands to specify whether traps are issued and also the type of traps that are issued.
Table 10-10: Accounting log entries (LOGIN/LOGOUT) and conditions for issuing private traps (1)
Accounting log entry type: Configuration required for issuing private traps (command and parameter)
LOGIN (Success):
  • snmp-server host mac-authentication
  • snmp-server traps mac-authentication-trap all
LOGIN (Failure):
  • snmp-server host mac-authentication
  • Not configured, or one of the following configured:
    snmp-server traps mac-authentication-trap all
    snmp-server traps mac-authentication-trap failure
LOGOUT:
  • snmp-server host mac-authentication
  • snmp-server traps mac-authentication-trap all
Table 10-11: Accounting log entry (SYSTEM) and conditions for issuing private traps (2)
Accounting log entry type: SYSTEM
Authentication mode: Configuration required for issuing private traps (command and parameter)
Forced authentication
  Fixed VLAN:
    • snmp-server host mac-authentication
    • mac-authentication static-vlan force-authorized action trap
  Dynamic VLAN:
    • snmp-server host mac-authentication
    • mac-authentication force-authorized vlan action trap
  Legacy:
    • snmp-server host mac-authentication
    • mac-authentication force-authorized vlan action trap
Roaming
  Fixed VLAN:
    • snmp-server host mac-authentication
    • mac-authentication static-vlan roaming action trap
  Dynamic VLAN:
    • snmp-server host mac-authentication
    • mac-authentication roaming action trap
  Legacy:
    -- (There is no configuration because this mode is not supported.)
A forced authentication private trap can also be issued when the configuration for forced
authentication is shared among authentication modes. For details, see 5.4.6 Forced
authentication common to all authentication modes, (5) Private trap for forced
authentication.
(2) Recording in the accounting functionality of the RADIUS server
The accounting functionality of the RADIUS server can be used by using the aaa accounting
mac-authentication configuration command. For details about the RADIUS attributes used
when sending accounting information to the RADIUS server, see 10.6 Preparation.
(3) Recording authentication information in the RADIUS server
In RADIUS authentication, authentication success or failure is recorded by using the
functionality of the RADIUS server. However, the information that is recorded varies depending
on the RADIUS server in use. For more information, see the documentation for the RADIUS
server.
(4) Outputting accounting log information to the syslog server
Accounting log information and operation log information for all Switches are output to all the
syslog servers defined in the syslog configuration.
Figure 10-13: Log output format to the syslog server
For details about log output to the syslog server, see 22. Log Output Functionality.
In addition, the Switch cannot specify or suppress the output of only MAC-based authentication
accounting log information to the syslog server.
10.6 Preparation
10.6.1 Preparing for local authentication
When using the local authentication method, the following preparations are required:
• Configuration
• Registering the internal MAC-based authentication DB
• Backing up the internal MAC-based authentication DB
• Restoring the internal MAC-based authentication DB
(1) Configuration
To use MAC-based authentication, the Switch defines VLAN information and MAC-based
authentication information by the configuration command. (See 11.1 Configuring MAC-based
authentication.)
(2) Registering the internal MAC-based authentication DB
Before using a local authentication method, MAC address information (the MAC addresses of
the terminals to be authenticated and the VLAN ID after authentication) must be registered in
the internal MAC-based authentication DB. The procedure for registering the MAC address
information includes editing the MAC address information (addition and deletion), and then
reflecting it in the internal MAC-based authentication DB. The procedure is described below.
Before adding the MAC address information, the environment and configuration of the
MAC-based authentication system must be defined.
• Add the MAC address information (the MAC addresses of the terminals to be authenticated
  and the VLAN ID after authentication) by using the set mac-authentication
  mac-address operation command.
• To delete registered MAC address information, use the remove mac-authentication
  mac-address operation command.
• Reflect the edited MAC address information in the internal MAC-based authentication DB by
  executing the commit mac-authentication operation command.
In addition, the MAC address information edited prior to execution of the commit
mac-authentication operation command can be viewed by using the show
mac-authentication mac-address operation command.
Figure 10-14: Editing the MAC address information and reflecting the result in the internal MAC-based authentication DB
In local authentication, the MAC address is retrieved in the order that is displayed when the
show mac-authentication mac-address operation command is executed.
(a) Registering the same MAC address
The internal MAC-based authentication DB allows the same MAC address to be specified for
multiple VLAN IDs (or for no VLAN at all).
(b) Registering MAC mask information
The internal MAC-based authentication DB allows MAC address and MAC mask entries to be
registered. An entry with a MAC mask can be registered in the DB even if it is contained in
another entry with a MAC mask. However, it cannot be registered if its numeric value is
completely identical to that of another entry. Note that only one entry with the any condition
can be registered. (If a registered entry already exists, it is overwritten.)
The show mac-authentication mac-address operation command displays entries in
ascending order by MAC address. However, entries are displayed in order of entries that are
only MAC addresses, entries with MAC masks, and then the entry with the any condition.
(3) Backing up the internal MAC-based authentication DB
To back up the internal MAC-based authentication DB, use the store mac-authentication
operation command.
Two backup files are automatically generated. One file contains MAC-address-only entries, and
the other file contains entries that have MAC masks.
• <file-name>: File containing entries that do not have MAC masks
• <file-name>.msk: File containing entries that have MAC masks
(4) Restoring the internal MAC-based authentication DB
To restore the internal MAC-based authentication DB from the backup files, use the load
mac-authentication operation command.
Be careful when restoring the DB. The information edited and registered by using commands
such as the set mac-authentication mac-address operation command immediately
before the restoration is discarded and replaced with the restored information.
Two backup files are automatically generated. One file contains MAC-address-only entries, and
the other file contains entries that have MAC masks. (For details, see (3) Backing up the internal
MAC-based authentication DB.)
• When using MAC-address-only entries, restore from a backup file containing entries that do
  not have MAC masks.
• When using MAC address entries and entries with MAC masks, restore from a backup file
  containing entries that have MAC masks.
10.6.2 RADIUS authentication
When using RADIUS authentication, the following preparations are required:
• Configuration
• Preparing a RADIUS server
(1) Configuration
For MAC-based authentication, VLAN information and MAC information can be configured in
the Switch by using configuration commands. (See 11.1 Configuring MAC-based
authentication.)
(2) Preparing a RADIUS server
(a) RADIUS attributes to be used
The following table describes the RADIUS attribute names used by the Switch.
Table 10-12: Attribute names used in authentication (part 1: Access-Request)
Attribute name (type value): Description
User-Name (1): Terminal MAC address. Each byte of the terminal MAC address is separated by a
hyphen (-).#1
User-Password (2): User password. Each byte of the terminal MAC address is separated by a
hyphen (-).#1
NAS-IP-Address (4): IP address of the Switch requesting authentication. From among the VLAN
interfaces that have an IP address registered, the IP address of the smallest VLAN ID is used.
NAS-Port (5):
  • Fixed VLAN mode: IfIndex of authentication unit under authentication
  • Dynamic VLAN mode: IfIndex of authentication unit under authentication
  • Legacy mode: 4296
Service-Type (6): Service type to be provided. Fixed to Framed(2)
Called-Station-Id (30): Port MAC address (lower-case ASCII characters#2 delimited by hyphens (-))
Calling-Station-Id (31): Terminal MAC address (lower-case ASCII characters#2 delimited by
hyphens (-))
NAS-Identifier (32):
  • Fixed VLAN mode: VLAN ID of the VLAN to which a terminal that is requesting
    authentication belongs. For VLAN10, 10
  • Dynamic VLAN mode: Character string specified by the hostname configuration command
  • Legacy mode: Character string specified by the hostname configuration command
NAS-Port-Type (61): Type of physical port used by a terminal for authentication. Virtual(5)
Connect-Info (77): Character string indicating the connection characteristics
  • Fixed VLAN mode: Physical port ("CONNECT Ethernet")
  • Dynamic VLAN mode: Physical port ("CONNECT Ethernet")
  • Legacy mode: ("CONNECT DVLAN")
NAS-Port-Id (87): Character string for port identification (x and y represent numbers)
  • Fixed VLAN mode: "Port x/y"
  • Dynamic VLAN mode: "Port x/y"
  • Legacy mode: "DVLAN x"
#1
See (b) Information to be set in the RADIUS server.
#2
The MAC addresses for Called-Station-Id and Calling-Station-Id are lower
case when used by the Switch. However, the letters a to f in the MAC addresses can be
converted to upper-case letters by using the radius-server attribute station-id
capitalize configuration command.
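To make the attribute list above concrete, the following Python script is an added example (not code from the manual or from ALAXALA) that encodes the fixed VLAN mode Access-Request attributes of Table 10-12 into RADIUS wire format (RFC 2865), including the User-Password hiding that PAP uses (Table 10-16 later in this section shows the authentication method is PAP), and parses the result back the way a RADIUS server would. The shared secret, the NAS IP address, the IfIndex value, the port MAC address and the terminal MAC address are assumed values for the example.

```python
import hashlib
import os
import struct

# Assumed shared secret for the example (not from the manual).
SECRET = b"example-shared-secret"

# RADIUS attribute type values as listed in Table 10-12.
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4, "NAS-Port": 5,
        "Service-Type": 6, "Called-Station-Id": 30, "Calling-Station-Id": 31,
        "NAS-Identifier": 32, "NAS-Port-Type": 61, "Connect-Info": 77, "NAS-Port-Id": 87}


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the RADIUS server does to recover the PAP password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mac_auth_attributes(mac, port_mac, nas_ip, vlan_id, port, ifindex=42):
    """Attributes the Switch sends in fixed VLAN mode per Table 10-12 (ifindex is assumed)."""
    return [
        (ATTR["User-Name"], mac.encode()),
        (ATTR["User-Password"], mac.encode()),            # password is the MAC address too
        (ATTR["NAS-IP-Address"], bytes(int(x) for x in nas_ip.split("."))),
        (ATTR["NAS-Port"], struct.pack("!I", ifindex)),   # IfIndex of the authentication unit
        (ATTR["Service-Type"], struct.pack("!I", 2)),     # Framed(2)
        (ATTR["Called-Station-Id"], port_mac.encode()),
        (ATTR["Calling-Station-Id"], mac.encode()),
        (ATTR["NAS-Identifier"], str(vlan_id).encode()),  # fixed VLAN mode: the VLAN ID
        (ATTR["NAS-Port-Type"], struct.pack("!I", 5)),    # Virtual(5)
        (ATTR["Connect-Info"], b"CONNECT Ethernet"),
        (ATTR["NAS-Port-Id"], f"Port {port}".encode()),
    ]


def build_access_request(attrs, secret, identifier=1, authenticator=None):
    """Serialize an Access-Request (Code 1): header, 16-byte authenticator, TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    body = b""
    for t, v in attrs:
        if t == ATTR["User-Password"]:
            v = hide_password(v, secret, authenticator)
        body += struct.pack("!BB", t, len(v) + 2) + v
    header = struct.pack("!BBH", 1, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Return {type: [value, ...]} from a RADIUS packet; rejects inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS packet length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs


if __name__ == "__main__":
    attrs = mac_auth_attributes("12-34-56-00-ff-e1", "00-11-22-33-44-55", "192.0.2.1", 10, "0/1")
    pkt = build_access_request(attrs, SECRET)
    print(parse_attributes(pkt))
```

The User-Password attribute is only XOR-hidden with an MD5 keystream derived from the shared secret and the Request Authenticator, and in MAC-based authentication the cleartext is the terminal MAC address that also travels in User-Name and Calling-Station-Id; the protection of this exchange therefore comes from the strength of the shared secret and from keeping the path between the Switch and the RADIUS server on a management network, not from the attribute encoding.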
Table 10-13: Attribute names used in authentication (part 2: Access-Accept)
Attribute name (type value): Description
Service-Type (6): Service type provided. Fixed to Framed(2)
Filter-Id (11): Text character string. Used in multistep authentication.#1
Reply-Message (18): Not used#2
Tunnel-Type (64): Tunnel type. Fixed to VLAN(13)
Tunnel-Medium-Type (65): Protocol to be used for tunnel creation. Fixed to IEEE 802(6)
Tunnel-Private-Group-ID (81): Character string for VLAN identification.#3
The following character strings can be used.
  (1) Character string containing the VLAN ID
  (2) Character string containing VLAN + VLAN-ID
      No space can be included in the character string. (If a space is included in the
      character string, VLAN assignment fails.)
  (3) Character string representing the name of a VLAN defined for a VLAN interface by the
      name configuration command (The smaller VLAN ID takes precedence.)#4
  (Configuration example)
  VLAN ID: 10
  Configuration command name: Authen_VLAN
  For (1): 10
  For (2): VLAN10
  For (3): Authen_VLAN
#1
For details about character strings used in multistep authentication, see 12. Multistep
Authentication.
#2
The Switch collects the Reply-Message character string as accounting log information.
#3
The Switch selects a character string format and identifies the VLAN ID in accordance
with the following conditions:
1. Conditions for selecting character string formats (1), (2) and (3) for
   Tunnel-Private-Group-ID
   • Format (1) is used for a character string that begins with a number from 0 to 9.
   • Format (2) is used for a character string that begins with VLAN plus a number from 0 to 9.
   • Format (3) is used for a character string other than the above character strings.
   In addition, when the first byte is in the range from 0x00 to 0x1f, it means that a tag is
   present but the tag is ignored.
2. Conditions for identifying the VLAN ID from character strings in formats (1) and (2)
   • The numbers 0-9 are converted into decimal numbers and only the first four characters
     are a valid range. (The fifth and the subsequent characters are all ignored.)
     Example: 0010 is equivalent to 010 or 10, and it is handled as VLAN ID = 10.
     However, 01234 is handled as VLAN ID = 123.
   • When any character except the numbers 0-9 is included in a character string, it is
     processed as the end of the character string.
     Example: 12+3 is handled as VLAN ID = 12.
#4
For details about specifying the VLAN name by using the name configuration command,
see 5.4.2 Specifying VLAN accommodation by VLAN name.
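The rules in note #3 decide which VLAN a terminal lands in, so a RADIUS administrator should know how an attribute value will be read before relying on it. The following Python function is an added example (not code from the manual or from the Switch) that applies those rules to a Tunnel-Private-Group-ID value: it strips a leading RFC 2868 tag byte (0x00 to 0x1f), selects format (1), (2) or (3), takes at most four digits and stops at the first non-digit, treats a space as a failed assignment, and resolves format (3) against a VLAN name table where the smaller VLAN ID takes precedence. The name table is constructed for the example; it stands in for VLAN names defined with the name configuration command.

```python
# Constructed VLAN name table (assumed values) standing in for names defined with the
# "name" configuration command. Two VLANs deliberately share a name so that the
# "smaller VLAN ID takes precedence" rule is exercised.
VLAN_NAMES = {20: "Authen_VLAN", 10: "Authen_VLAN", 311: "mac-authen-vlan"}


def _vlan_id_from_digits(s):
    """Rule 2 of note #3: decimal digits up to the first non-digit, at most four of them.
    A space anywhere makes VLAN assignment fail (returned as None)."""
    if " " in s:
        return None
    digits = ""
    for ch in s:
        if not ch.isdigit():
            break            # any other character ends the string
        digits += ch
    return int(digits[:4]) if digits else None


def parse_tunnel_private_group_id(value, vlan_names=VLAN_NAMES):
    """Return (format_number, vlan_id); vlan_id is None when no VLAN can be assigned."""
    # Rule 1: a first byte in 0x00-0x1f is a tunnel tag and is ignored.
    if value and value[0] <= 0x1F:
        value = value[1:]
    text = value.decode("ascii", errors="replace")
    if text[:1].isdigit():
        return 1, _vlan_id_from_digits(text)                  # format (1): "10", "0010"
    if text.startswith("VLAN") and text[4:5].isdigit():
        return 2, _vlan_id_from_digits(text[4:])              # format (2): "VLAN10"
    # Format (3): a VLAN name; the smallest VLAN ID carrying that name wins.
    matches = sorted(vid for vid, name in vlan_names.items() if name == text)
    return 3, (matches[0] if matches else None)


if __name__ == "__main__":
    for raw in (b"0010", b"01234", b"12+3", b"VLAN0311", b"\x01VLAN10", b"Authen_VLAN", b"VLAN 10"):
        print(raw, "->", parse_tunnel_private_group_id(raw))
```

The two examples from the note, 01234 becoming VLAN 123 and 12+3 becoming VLAN 12, are the cases to test on a new RADIUS deployment: a value that looks like a five-digit identifier or carries a stray character is silently turned into a different VLAN rather than rejected.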
Table 10-14: Attribute names used in RADIUS accounting functionality
Attribute name (type value): Description
User-Name (1): Terminal MAC address. Each byte of the terminal MAC address is separated by a
hyphen (-).#1
NAS-IP-Address (4): IP address of the Switch requesting authentication. From among the VLAN
interfaces that have an IP address registered, the IP address of the smallest VLAN ID is used.
NAS-Port (5):
  • Fixed VLAN mode: IfIndex of authentication unit under authentication
  • Dynamic VLAN mode: IfIndex of authentication unit under authentication
  • Legacy mode: 4296
Service-Type (6): Service type provided. Fixed to Framed(2)
Calling-Station-Id (31): MAC address of authentication terminal (lower-case ASCII
characters#2 delimited by hyphens (-))
NAS-Identifier (32):
  • Fixed VLAN mode: VLAN ID of the VLAN to which a terminal that is requesting
    authentication belongs. For VLAN10, 10
  • Dynamic VLAN mode: Character string specified by the hostname configuration command
  • Legacy mode: Character string specified by the hostname configuration command
Acct-Status-Type (40): Accounting request type. Start(1) or Stop(2)
Acct-Delay-Time (41): Accounting information (sending delay time in seconds)
Acct-Input-Octets (42): Accounting information (number of received octets). Fixed to (0)
Acct-Output-Octets (43): Accounting information (number of sent octets). Fixed to (0)
Acct-Session-Id (44): ID for accounting information identification
Acct-Authentic (45): Authentication method. RADIUS(1) or Local(2)
Acct-Session-Time (46): Accounting information (session duration time). Fixed to (0)
Acct-Input-Packets (47): Accounting information (number of received packets). Fixed to (0)
Acct-Output-Packets (48): Accounting information (number of sent packets). Fixed to (0)
Acct-Terminate-Cause (49): Accounting information (cause of session termination). See Table
10-15 Disconnection causes for Acct-Terminate-Cause.
NAS-Port-Type (61): Type of physical port used by a terminal for authentication. Fixed to
Virtual(5)
NAS-Port-Id (87): Character string for port identification (x and y represent numbers)
  • Fixed VLAN mode: "Port x/y"
  • Dynamic VLAN mode: "Port x/y"
  • Legacy mode: "DVLAN x"
#1
See (b) Information to be set in the RADIUS server.
#2
The MAC addresses for Calling-Station-Id are lower case when used by the Switch.
However, the letters a to f in the MAC addresses can be converted to upper-case letters by
using the radius-server attribute station-id capitalize configuration
command.
Table 10-15: Disconnection causes for Acct-Terminate-Cause
Cause name (type value): Description
User Request (1): Disconnection due to detection of a terminal move
Idle Timeout (4): Disconnection due to non-communication continuing for a certain period of time
Session Timeout (5): Disconnection due to session expiration
Admin Reset (6): Intentional disconnection by an administrator
  • Deletion of mac-authentication port in configuration
  Also includes disconnection causes due to changes to other authentication configurations
  and operation commands.
NAS Request (10): First-step MAC-based authentication disconnected because the second-step
authentication succeeded in multistep authentication
Service Unavailable (15): Service no longer able to be provided
  • If de-authentication is performed by max-user check of a destination port after a
    terminal moved
Reauthentication Failure (20): Re-authentication failed
Port Reinitialized (21): Port MAC re-initialized.
  • Port link down
  • Deletion of vlan from port by the configuration
  • Setting of shutdown by the configuration
  • Execution of inactivate operation command
(b) Information to be set in the RADIUS server
The user ID and password used to request authentication from the RADIUS server by the
MAC-based authentication functionality are both the MAC address of the terminal. When
setting MAC-based authentication terminal information for the RADIUS server, it is necessary
to delimit each byte of the MAC address of the terminal with a hyphen (-) for both the user ID
and password.
The MAC address format of the user ID and password can be specified by the configuration. For
details on this specification by the configuration, see (c) MAC address format and password at
authentication request in fixed VLAN mode and (d) MAC address format and password at
authentication request in dynamic VLAN mode and legacy mode.
For more details about configuring the RADIUS server, see the documentation for the RADIUS
server.
The configuration example below is for a RADIUS server configuration that is based on the
following authenticated terminal information:
• Terminal MAC address: 12-34-56-00-ff-e1
• For fixed VLAN mode: The VLAN ID of the VLAN to which the terminal requesting
  authentication belongs is 10.
• For dynamic VLAN mode and legacy mode: The VLAN ID of the post-authentication VLAN
  is 311
• Setting of the name configuration command: mac-authen-vlan
Table 10-16: Example of RADIUS server configuration
Item: Contents of configuration
User-Name: 12-34-56-00-ff-e1
  Each byte of the terminal MAC address is separated by a hyphen (-).#1
User-Password: 12-34-56-00-ff-e1
  Each byte of the terminal MAC address is separated by a hyphen (-).#2
Auth-Type: Local
Authentication method: PAP
NAS-Identifier: Fixed VLAN mode
  10
  The VLAN ID of the VLAN to which the terminal requesting authentication belongs, defined
  as a number.
Tunnel-Type: Virtual VLAN (value of 13)
Tunnel-Medium-Type: IEEE-802 (value of 6)
Tunnel-Private-Group-ID: Dynamic VLAN mode and legacy mode
  Any of the following formats is used:
  • 311
    The post-authentication VLAN ID is defined as a number.
  • VLAN0311
    The post-authentication VLAN ID is defined as a number immediately after the character
    string VLAN
  • mac-authen-vlan
    A character string representing a VLAN name defined by the name configuration command
#1
If the upper-case letters A to F are included in a MAC address, they must be converted to
the lower-case characters a to f before the MAC address is specified in the RADIUS server.
When a MAC address format has been set by the configuration, be sure to use that format.
#2
When a MAC address format has been set by the configuration, use that format. When a
password has been set by the configuration, be sure to use the character string defined by
the configuration.
(c) MAC address format and password at authentication request in fixed VLAN mode
Because VLAN does not move in fixed VLAN mode, VLAN ID included in the result of an
authentication request to the RADIUS server is not taken into consideration. For this reason, the
following VLAN limitation functionality is supported to prevent authentication from unintended
VLANs.
• Limiting VLAN by using User-Name
• Limiting VLAN by using NAS-Identifier
1. Limiting VLAN by using User-Name
When an authentication request is issued to the RADIUS server, a user ID is created for
authentication by including a delimiter (default: %VLAN) and added information (VLAN ID).
The delimiter character string can be specified by the mac-authentication vlan-check
configuration command.
The example shown below is where the address is 12-34-56-00-ff-e1 and VLAN ID is 100.
Table 10-17: Configuration definition and RADIUS server authentication request format
The Password column shows the case where password is not configured (None). When
password is configured (arbitrary character string), the User ID is the same and the Password
sent is the specified character string.
id-format | vlan-check | User ID | Password
None or id-format 0 | None | 12-34-56-00-ff-e1 | 12-34-56-00-ff-e1
None or id-format 0 | vlan-check | 12-34-56-00-ff-e1%VLAN100 | 12-34-56-00-ff-e1
None or id-format 0 | vlan-check key @VLAN | 12-34-56-00-ff-e1@VLAN100 | 12-34-56-00-ff-e1
id-format 0 capitals | None | 12-34-56-00-FF-E1 | 12-34-56-00-FF-E1
id-format 0 capitals | vlan-check | 12-34-56-00-FF-E1%VLAN100 | 12-34-56-00-FF-E1
id-format 0 capitals | vlan-check key @VLAN | 12-34-56-00-FF-E1@VLAN100 | 12-34-56-00-FF-E1
id-format 1 | None | 12345600ffe1 | 12345600ffe1
id-format 1 | vlan-check | 12345600ffe1%VLAN100 | 12345600ffe1
id-format 1 | vlan-check key @VLAN | 12345600ffe1@VLAN100 | 12345600ffe1
id-format 1 capitals | None | 12345600FFE1 | 12345600FFE1
id-format 1 capitals | vlan-check | 12345600FFE1%VLAN100 | 12345600FFE1
id-format 1 capitals | vlan-check key @VLAN | 12345600FFE1@VLAN100 | 12345600FFE1
id-format 2 | None | 1234.5600.ffe1 | 1234.5600.ffe1
id-format 2 | vlan-check | 1234.5600.ffe1%VLAN100 | 1234.5600.ffe1
id-format 2 | vlan-check key @VLAN | 1234.5600.ffe1@VLAN100 | 1234.5600.ffe1
id-format 2 capitals | None | 1234.5600.FFE1 | 1234.5600.FFE1
id-format 2 capitals | vlan-check | 1234.5600.FFE1%VLAN100 | 1234.5600.FFE1
id-format 2 capitals | vlan-check key @VLAN | 1234.5600.FFE1@VLAN100 | 1234.5600.FFE1
id-format 3 | None | 12:34:56:00:ff:e1 | 12:34:56:00:ff:e1
id-format 3 | vlan-check | 12:34:56:00:ff:e1%VLAN100 | 12:34:56:00:ff:e1
id-format 3 | vlan-check key @VLAN | 12:34:56:00:ff:e1@VLAN100 | 12:34:56:00:ff:e1
id-format 3 capitals | None | 12:34:56:00:FF:E1 | 12:34:56:00:FF:E1
id-format 3 capitals | vlan-check | 12:34:56:00:FF:E1%VLAN100 | 12:34:56:00:FF:E1
id-format 3 capitals | vlan-check key @VLAN | 12:34:56:00:FF:E1@VLAN100 | 12:34:56:00:FF:E1
2. Limiting VLANs by using NAS-Identifier
In fixed VLAN mode, the acquired VLAN ID (the VLAN ID to which a terminal belongs
at authentication request) is set in the NAS-Identifier RADIUS attribute when an
authentication request is issued to the RADIUS server.
The VLANs from which the RADIUS server accepts a terminal can be limited by registering
the user ID and password in the RADIUS server together with the authentication VLAN
information carried in NAS-Identifier (the VLAN ID to which the terminal belongs at
authentication request).
(d) MAC address format and password at authentication request in dynamic VLAN mode and legacy mode
In MAC-based authentication of the Switch, a terminal MAC address is used for the user ID and
password when issuing an authentication request to the RADIUS server, but the MAC address
format and password character string can be changed by the configuration. In addition, the
letters a to f can be changed into the corresponding upper-case letters by specifying capitals.
The following table summarizes an example of issuing an authentication request to the RADIUS
server with the terminal MAC address set to 12-34-56-00-ff-e1.
Table 10-18: Configuration definition and RADIUS server authentication request format

Configuration definition                     RADIUS server authentication request format
id-format              password              User ID               Password
None                   None                  12-34-56-00-ff-e1     12-34-56-00-ff-e1
id-format 0            None                  12-34-56-00-ff-e1     12-34-56-00-ff-e1
id-format 0 capitals   None                  12-34-56-00-FF-E1     12-34-56-00-FF-E1
id-format 1            None                  12345600ffe1          12345600ffe1
id-format 1 capitals   None                  12345600FFE1          12345600FFE1
id-format 2            None                  1234.5600.ffe1        1234.5600.ffe1
id-format 2 capitals   None                  1234.5600.FFE1        1234.5600.FFE1
id-format 3            None                  12:34:56:00:ff:e1     12:34:56:00:ff:e1
id-format 3 capitals   None                  12:34:56:00:FF:E1     12:34:56:00:FF:E1
None                   Specified string      12-34-56-00-ff-e1     Configured (arbitrary character string)
id-format 0            Specified string      12-34-56-00-ff-e1     Configured (arbitrary character string)
id-format 0 capitals   Specified string      12-34-56-00-FF-E1     Configured (arbitrary character string)
id-format 1            Specified string      12345600ffe1          Configured (arbitrary character string)
id-format 1 capitals   Specified string      12345600FFE1          Configured (arbitrary character string)
id-format 2            Specified string      1234.5600.ffe1        Configured (arbitrary character string)
id-format 2 capitals   Specified string      1234.5600.FFE1        Configured (arbitrary character string)
id-format 3            Specified string      12:34:56:00:ff:e1     Configured (arbitrary character string)
id-format 3 capitals   Specified string      12:34:56:00:FF:E1     Configured (arbitrary character string)
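The following Python script is added here as a worked example; it is not part of the Switch software or of this manual's configuration examples. It builds the User ID and Password exactly as Table 10-18 and the fixed VLAN mode table above list them, so that the entries registered on a RADIUS server can be generated or checked offline against the Switch configuration. It assumes that with vlan-check the VLAN suffix is appended to the User ID only, and that the Password, when mac-authentication password is not configured, is the MAC address in the same id-format without the suffix. The function and parameter names are the example's own.

```python
import re
from typing import Optional, Tuple

# Added example (not the Switch's own code). Reproduces the User ID / Password
# construction of Tables 10-17/10-18 for 'mac-authentication id-format',
# 'mac-authentication password' and 'mac-authentication vlan-check [key <string>]'.
_SEPARATORS = {
    0: ("-", 2),   # nn-nn-nn-nn-nn-nn (also the default when id-format is not set)
    1: ("", 12),   # nnnnnnnnnnnn
    2: (".", 4),   # nnnn.nnnn.nnnn
    3: (":", 2),   # nn:nn:nn:nn:nn:nn
}


def normalize_mac(mac: str) -> str:
    """Accept any of the four notations and return 12 lower-case hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def format_mac(mac: str, id_format: Optional[int] = None, capitals: bool = False) -> str:
    """Render a MAC address as 'mac-authentication id-format <n> [capitals]' would."""
    fmt = 0 if id_format is None else id_format
    if fmt not in _SEPARATORS:
        raise ValueError(f"id-format must be 0 to 3, got {id_format!r}")
    digits = normalize_mac(mac)
    if capitals:
        digits = digits.upper()
    sep, width = _SEPARATORS[fmt]
    return sep.join(digits[i:i + width] for i in range(0, 12, width))


def radius_credentials(
    mac: str,
    id_format: Optional[int] = None,
    capitals: bool = False,
    password: Optional[str] = None,
    vlan_check: bool = False,
    vlan_check_key: str = "%VLAN",
    vlan_id: Optional[int] = None,
) -> Tuple[str, str]:
    """Return (User ID, Password) as sent in the authentication request.

    vlan_check / vlan_check_key model 'mac-authentication vlan-check [key <string>]'
    in fixed VLAN mode; vlan_id is the VLAN the terminal belongs to at request time.
    password models 'mac-authentication password <string>' (common to all terminals).
    ASSUMPTION: the VLAN suffix goes on the User ID only; the default Password is the
    MAC address in the same id-format without a suffix.
    """
    user_id = format_mac(mac, id_format, capitals)
    if vlan_check:
        if vlan_id is None:
            raise ValueError("vlan-check requires the VLAN ID the terminal belongs to")
        user_id = f"{user_id}{vlan_check_key}{vlan_id}"
    if password is not None:
        if not 1 <= len(password) <= 32:
            raise ValueError("mac-authentication password must be 1 to 32 characters")
        return user_id, password
    return user_id, format_mac(mac, id_format, capitals)


if __name__ == "__main__":
    # Constructed inputs: the terminal MAC address from the tables, belonging to VLAN 100.
    for cfg in (
        dict(),
        dict(id_format=3, capitals=True),
        dict(id_format=1, vlan_check=True, vlan_id=100),
        dict(id_format=0, capitals=True, vlan_check=True, vlan_check_key="@VLAN", vlan_id=100),
        dict(id_format=2, password="system1-pc0001"),
    ):
        print(cfg, "->", radius_credentials("12-34-56-00-ff-e1", **cfg))
```

Run it with the id-format, capitals and password values from your running configuration and compare the printed pair with the user entry on the RADIUS server; a mismatch in separator, letter case or VLAN suffix is the usual cause of every terminal being rejected.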
10.7 Notes on using MAC-based authentication
10.7.1
Notes common to all authentication modes
(1)
Frames that trigger authentication
[Fixed VLAN mode] [Dynamic VLAN mode]
The first frame that triggers authentication is not forwarded because it is a frame prior to
authentication.
(2)
Setting the maximum connection time
When the maximum connection time is shortened or lengthened by the mac-authentication
max-timer configuration command, the changed time does not apply to currently authenticated
terminals. It becomes effective starting from the next authentication.
(3)
Internal MAC-based authentication DB
(a) Changing the internal MAC-based authentication DB
When an operation command is used to make an addition or change to the internal MAC-based
authentication DB, the addition or change does not apply to currently authenticated terminals. It
becomes effective starting from the next authentication.
(b) Specifying multiple identical MAC addresses to the internal
MAC-based authentication DB
The same MAC address can be registered more than once in the internal MAC-based
authentication DB with different VLAN IDs (or with no VLAN ID at all). In this case, the
operation for the first matching MAC address is as follows, depending on the authentication
mode and the configuration.
Table 10-19: Fixed VLAN mode

VLAN ID setting in internal MAC-based authentication DB for first matching MAC address | Configuration: mac-authentication vlan-check | Operation
Configured | Configured | Authentication is successful when the MAC address and VLAN of the authentication request terminal match an entry in the internal MAC-based authentication DB. (VLAN comparison is also performed.)#
Configured | Not configured | Authentication is successful for the VLAN to which the target authentication terminal belongs when the first matching MAC address is found in the internal MAC-based authentication DB. (No VLAN comparison is performed.)
Not configured | Configured | Authentication is successful for the VLAN to which the target authentication terminal belongs when the first matching MAC address is found in the internal MAC-based authentication DB. (No VLAN comparison is performed.)
Not configured | Not configured | Same as above. (No VLAN comparison is performed.)

#
If no entry matches both the MAC address and the VLAN, authentication fails. (Under this condition, the entry used is not necessarily the first matching MAC address.)

Table 10-20: Dynamic VLAN mode and legacy mode

VLAN ID setting in internal MAC-based authentication DB for first matching MAC address | Operation
Configured | The terminal gains membership to the VLAN of the first matching MAC address, and authentication is successful.
Not configured | [Dynamic VLAN mode] Accommodation in the native VLAN as a post-authentication VLAN# (the terminal is managed as an authenticated terminal in fixed VLAN mode).
 | [Legacy mode] Authentication fails because the terminal is unable to gain membership to a post-authentication VLAN.

#
See 5.4.4 Auto authentication mode accommodation at the same MAC port.
(c) Searching for an entry with a MAC mask
When no matching entry is found in the entries that have no MAC masks, entries that have MAC
masks are searched to find a match. The behavior for when a matching entry is found is the same
as that for entries that have no MAC mask.
The entries that have MAC masks are searched in ascending order of MAC address (the order
displayed by the show mac-authentication mac-address operation command). Depending on
how MAC masks are specified, more than one masked entry might cover the same MAC address,
and the entry that is searched first is the one that takes effect. Confirm that the entries
appear in the intended order by using the show mac-authentication mac-address operation
command.
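The following Python model is added as an example (it is not the Switch's implementation). It applies the lookup rules of Tables 10-19 and 10-20 and the masked-entry search order of (c) to a constructed internal MAC-based authentication DB, so that the effect of duplicate MAC addresses and of mask ordering can be checked before entries are registered. It assumes that a MAC mask is a wildcard mask (bits set to 1 are excluded from the comparison), that entries without a mask are searched in the order shown by show mac-authentication mac-address, and that with vlan-check an entry whose VLAN ID does not match is skipped and the search continues into masked entries; verify these assumptions against the operation command reference for your software version. All names in the code are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

MAC_BITS = (1 << 48) - 1


def mac_int(mac: str) -> int:
    """'1234.5600.ffe1', '12-34-56-00-ff-e1' or '12:34:56:00:ff:e1' -> 48-bit integer."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


@dataclass(frozen=True)
class DbEntry:
    """One entry of the internal MAC-based authentication DB (constructed model)."""
    mac: int
    mask: int = 0               # ASSUMPTION: wildcard mask, bits set to 1 are not compared
    vlan: Optional[int] = None  # None: no VLAN ID registered for this entry

    def matches(self, mac: int) -> bool:
        return ((self.mac ^ mac) & ~self.mask & MAC_BITS) == 0


def search_order(db: List[DbEntry]) -> List[DbEntry]:
    """10.7.1 (3)(c): entries without a MAC mask first (ASSUMPTION: in the order shown by
    'show mac-authentication mac-address'), then masked entries in ascending MAC order."""
    unmasked = [e for e in db if e.mask == 0]
    masked = sorted((e for e in db if e.mask != 0), key=lambda e: e.mac)
    return unmasked + masked


def authenticate_fixed_vlan(db: List[DbEntry], mac: int, terminal_vlan: int,
                            vlan_check: bool) -> Optional[int]:
    """Table 10-19. Returns the VLAN the terminal is authenticated in (always the VLAN it
    already belongs to), or None when authentication fails."""
    for entry in search_order(db):
        if not entry.matches(mac):
            continue
        # vlan-check compares the VLAN only when the entry has a VLAN ID. An entry that
        # fails the comparison is skipped (footnote #: the entry used need not be the
        # first matching MAC address). ASSUMPTION: the search continues into masked entries.
        if vlan_check and entry.vlan is not None and entry.vlan != terminal_vlan:
            continue
        return terminal_vlan
    return None


def authenticate_dynamic(db: List[DbEntry], mac: int, mode: str,
                         native_vlan: Optional[int] = None) -> Optional[int]:
    """Table 10-20 (dynamic VLAN mode and legacy mode). Returns the post-authentication
    VLAN, or None when authentication fails."""
    if mode not in ("dynamic", "legacy"):
        raise ValueError("mode must be 'dynamic' or 'legacy'")
    for entry in search_order(db):
        if not entry.matches(mac):
            continue
        if entry.vlan is not None:
            return entry.vlan          # membership to the VLAN of the first matching entry
        if mode == "dynamic":
            return native_vlan         # accommodated in the native VLAN (see 5.4.4)
        return None                    # legacy mode: no post-authentication VLAN, fails
    return None


# Constructed DB: the same MAC address registered twice with different VLAN IDs,
# plus one masked entry covering 1234.5600.xxxx.
DEMO_DB = [
    DbEntry(mac_int("1234.5600.ffe1"), vlan=10),
    DbEntry(mac_int("1234.5600.ffe1"), vlan=20),
    DbEntry(mac_int("1234.5600.0000"), mask=0xFFFF, vlan=30),
]

if __name__ == "__main__":
    t = mac_int("1234.5600.ffe1")
    print(authenticate_fixed_vlan(DEMO_DB, t, 20, vlan_check=True))   # second entry is used
    print(authenticate_fixed_vlan(DEMO_DB, t, 40, vlan_check=False))  # first MAC match, no VLAN comparison
    print(authenticate_fixed_vlan(DEMO_DB, t, 40, vlan_check=True))   # no entry matches both
    print(authenticate_dynamic(DEMO_DB, t, "dynamic"))                # VLAN of the first matching entry
```

The ordering pitfall of (c) shows up directly: a masked entry such as 0000.0000.0000 with a mask of all ones sorts before 1234.5600.0000 and is therefore searched first, so a terminal in 1234.5600.xxxx is accommodated by the catch-all entry (native VLAN in dynamic VLAN mode) rather than by the more specific entry with VLAN 30.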
(4)
Using a forced authentication port
1.
Be especially careful when using this functionality, as it can pose a security problem:
while the RADIUS server cannot be reached, terminals on a forced authentication port are
placed in the authenticated state without having been authenticated.
2.
This functionality supports only RADIUS authentication.
When using forced authentication, specify only RADIUS authentication as the
authentication method. When both local authentication and RADIUS authentication are set,
as shown below, forced authentication does not operate even if it has been configured.
• aaa authentication mac-authentication default group radius local
• aaa authentication mac-authentication default local group radius
3.
The Switch supports forced authentication common to all authentication modes and forced
authentication by MAC-based authentication but does not allow both to be configured
concurrently. Prior to using the authentication functionality, see 5.4.6 Forced
authentication common to all authentication modes, (4) Interoperability of this
functionality and forced authentication of each authentication method.
(5)
Restrictions on interoperation of roaming settings and DHCP
snooping
[Fixed VLAN mode] [Dynamic VLAN mode]
When the DHCP snooping functionality is used while the mac-authentication
static-vlan roaming and mac-authentication roaming configuration commands are
set, if an attempt is made to move the authenticated terminal, its authentication state changes to
that of a port after the move, but communication is not allowed because the binding database is
not updated.
(6)
Moving a terminal among ports and the maximum number of
authentication terminals
[Fixed VLAN mode] [Dynamic VLAN mode]
The maximum number of authentication terminals is checked only when terminals are newly
authenticated. For this reason, if an authenticated terminal is moved to another port, the
maximum number of authentication terminals is not checked at the port after the move.
10.7.2
Notes on use of fixed VLAN mode
(1)
Fixed VLAN mode port
Fixed VLAN mode can operate only on ports in an Ethernet interface. In addition, fixed VLAN
mode allows MAC-based authentication using tagged frames to operate at a port defined so that
tagged frames can be forwarded via the access port/trunk port and MAC port (by using the
switchport mac dot1q vlan configuration command).
10.7.3
Notes on use of legacy mode
(1)
Notes on configuring aging time for MAC address learning
When a short aging time is set for the MAC address table (by using the mac-address-table
aging-time configuration command), the time until de-authentication is shortened
automatically by the MAC address aging monitoring functionality. To prevent automatic
de-authentication, use the no mac-authentication auto-logout configuration command.
(2)
Devices to be connected between the Switch and terminals of
the target authentication terminal
Do not connect proxy servers or routers under the Switch. For example, if there is something that
rewrites the MAC address of a client terminal (such as proxy server and router) on a route
between the Switch and any authentication terminal, authentication cannot be performed per
terminal because the terminal with the rewritten MAC address cannot be recognized as the
terminal to be authenticated. In addition, if a hub or wireless LAN that does not have an
inter-port blocking functionality is connected under the Switch and several PCs are also
connected, note that communication between the PCs is allowed without authentication.
Figure 10-15: Connection between the Switch and terminals
(3)
Port number information in accounting log information
Port number information is collected at authentication and at re-authentication.
When the connection port of an authenticated terminal is moved, the new port number is not
collected immediately; it is collected the next time re-authentication occurs.
(4)
Interoperability of legacy mode and multistep authentication
The Switch cannot use legacy mode and multistep authentication simultaneously. To use legacy
mode, make sure that multistep authentication is not configured for the Switch.
11. MAC-based authentication Configuration
and Operation
MAC-based authentication functionality controls access to VLANs by users authenticated from
MAC addresses. This chapter describes MAC-based authentication configuration and operation.
11.1 Configuring MAC-based authentication
11.2 Configuration common to all authentication modes
11.3 Configuring fixed VLAN mode
11.4 Configuring dynamic VLAN mode
11.5 Configuring legacy mode
11.6 MAC-based authentication operations
11.1 Configuring MAC-based authentication
11.1.1
List of configuration commands
The following table describes configuration commands for MAC-based authentication and
authentication modes.
Table 11-1: List of configuration commands and authentication modes
(Authentication mode columns: F = fixed VLAN mode, D = dynamic VLAN mode, L = legacy mode)

aaa accounting mac-authentication  [F: Y  D: Y  L: Y]
  Sends accounting information for MAC-based authentication to an accounting server.
aaa authentication mac-authentication  [F: Y  D: Y  L: Y]
  Specifies the authentication method group for MAC-based authentication.
authentication arp-relay#1  [F: Y  D: Y  L: N]
  Outputs ARP frames sent from unauthenticated terminals to other devices to a non-authenticating port.
authentication ip access-group#1  [F: Y  D: Y  L: N]
  Outputs only the frames specified by applying the IPv4 access list, among the IP frames sent from an unauthenticated terminal destined for another device, to a non-authenticating port.
mac-authentication access-group  [F: Y  D: Y  L: Y]
  By applying a MAC access list to MAC-based authentication ports, sets whether terminals are to be authenticated or not according to their MAC addresses.
mac-authentication authentication  [F: Y  D: Y  L: N]
  Specifies the names of authentication method lists for authentication methods by port.
mac-authentication auto-logout  [F: Y  D: Y  L: Y]
  The no mac-authentication auto-logout command disables automatic cancellation of authentication when frames from terminals authenticated with MAC-based authentication have not been received for a certain period.
mac-authentication force-authorized vlan  [F: --  D: Y  L: Y]
  When using RADIUS authentication, and a request to the RADIUS server fails because of a route failure or other problem, forcibly changes a terminal connected to the target port to an authenticated state.
mac-authentication id-format  [F: Y  D: Y  L: Y]
  When using RADIUS authentication, specifies the MAC address format for authentication requests to the RADIUS server.
mac-authentication interface  [F: --  D: --  L: Y]
  Specifies Ethernet ports for MAC-based authentication.
mac-authentication max-timer  [F: Y  D: Y  L: Y]
  Specifies the maximum connection time.
mac-authentication max-user  [F: --  D: Y  L: Y]
  Specifies the maximum number of authenticated terminals by device.
mac-authentication max-user (interface)  [F: --  D: Y  L: Y]
  Specifies the maximum number of authenticated terminals for the relevant port.
mac-authentication password  [F: Y  D: Y  L: Y]
  When using RADIUS authentication, sets the password used for authentication requests to the RADIUS server.
mac-authentication port#2  [F: Y  D: Y  L: --]
  Specifies the authentication mode for ports.
mac-authentication radius-server host  [F: Y  D: Y  L: Y]
  Specifies information for using a RADIUS server dedicated to MAC-based authentication.
mac-authentication radius-server dead-interval  [F: Y  D: Y  L: Y]
  When using a RADIUS server dedicated to MAC-based authentication, specifies the monitoring timer for the period up to automatic recovery of the primary RADIUS server.
mac-authentication roaming  [F: --  D: Y  L: --]
  Specifies communication permissions when moving an authenticated terminal to another port connected via a hub, etc., without a link down.
mac-authentication static-vlan force-authorized  [F: Y  D: --  L: --]
  When using RADIUS authentication, and a request to the RADIUS server fails because of a route failure or other problem, forcibly changes a terminal connected to the target port to an authenticated state.
mac-authentication static-vlan max-user  [F: Y  D: --  L: --]
  Specifies the maximum number of authenticated terminals by device.
mac-authentication static-vlan max-user (interface)  [F: Y  D: --  L: --]
  Specifies the maximum number of authenticated terminals for the relevant port.
mac-authentication static-vlan roaming  [F: Y  D: --  L: --]
  Specifies communication permissions when moving an authenticated terminal to another port connected via a hub, etc., without a link down.
mac-authentication system-auth-control  [F: Y  D: Y  L: Y]
  Enables MAC-based authentication.
mac-authentication timeout quiet-period  [F: Y  D: Y  L: Y]
  Specifies the time during which authentication will not be attempted (delay timer for authentication to be resumed) for the same terminal (MAC address) when authentication fails.
mac-authentication timeout reauth-period  [F: Y  D: Y  L: Y]
  Specifies the cycle for terminals to be re-authenticated after being successfully authenticated.
mac-authentication vlan  [F: --  D: --  L: Y]
  Specifies the VLAN ID for dynamic switching after terminals are authenticated.
mac-authentication vlan-check  [F: Y  D: --  L: --]
  Checks the VLAN ID when checking a MAC address during authentication processing.

Legend
F: Fixed VLAN mode
D: Dynamic VLAN mode
L: Legacy mode
Y: The command operates according to the settings.
--: The command can be entered, but has no effect.
N: The command cannot be entered.
#1
For details about the configuration, see 5. Overview of Layer 2 Authentication
#2
The specification of this command affects the switching of authentication modes.
11.1.2
Configuration procedure for MAC-based authentication
Use the procedure described below to configure MAC-based authentication.
Figure 11-1: Configuration procedure for MAC-based authentication
For details about the configuration, see the following:
1.
Configuration common to all authentication modes
The following subsections describe configuration common to all authentication modes.
• Configuring the authentication method group and RADIUS server information: 11.2.1
Configuring the authentication method group and RADIUS server information
• Configuring MAC addresses for authentication: 11.2.2 Restrictions on MAC addresses
for authentication
• Configuring the maximum connection time: 11.2.3 Configuring the maximum
connection time
• Configuring the process for authentication requests to the RADIUS server: 11.2.4
Configuring authentication requests to the RADIUS server
• Configuring transmission of accounting information to the RADIUS server: 11.2.5
Configuring the transmission of accounting information
• Configuring authentication methods by port: 5.2.3 Authentication method list
configuration (2) Example of port-based authentication method configuration
2.
Configuring individual authentication modes
The following sections describe how to configure individual authentication modes.
Some items are the same as in other authentication modes. In such cases, see the sections
referenced in the text.
• Configuring fixed VLAN mode: 11.3 Configuring fixed VLAN mode
• Configuring dynamic VLAN mode: 11.4 Configuring dynamic VLAN mode
• Configuring legacy mode: 11.5 Configuring legacy mode
3.
Enabling MAC-based authentication functionality
Enabling the MAC-based authentication functionality completes the configuration of
MAC-based authentication.
• 11.2.6 Enabling MAC-based authentication functionality
Authentication modes are enabled by using the configuration settings described in the table
below.
Table 11-2: Conditions for enabling authentication modes

Authentication mode: Common (all modes)
Configuration setting:
• aaa authentication mac-authentication
• mac-authentication radius-server host or radius-server
• mac-authentication system-auth-control

Authentication mode: Fixed VLAN mode
Configuration setting when used at access ports:
• vlan <VLAN-ID-list>
• mac-authentication port
• switchport mode access
• switchport access vlan
Configuration setting when used at trunk ports:
• vlan <VLAN-ID-list>
• mac-authentication port
• switchport mode trunk
• switchport trunk allowed vlan
• switchport trunk native vlan
Configuration setting when used at MAC ports:
• vlan <VLAN-ID-list> or vlan <VLAN-ID-list> mac-based
• mac-authentication port
• switchport mode mac-vlan
• switchport mac dot1q vlan

Authentication mode: Dynamic VLAN mode
Configuration setting:
• vlan <VLAN-ID-list> mac-based
• mac-authentication port
• switchport mode mac-vlan

Authentication mode: Legacy mode
Configuration setting:
• vlan <VLAN-ID-list> mac-based
• mac-authentication interface
• mac-authentication vlan
• switchport mode mac-vlan
• switchport mac vlan
11.2 Configuration common to all authentication modes
This section describes how to configure each authentication mode by using the following basic
configuration. In this example, the RADIUS server is connected to port 0/19 and the
post-authentication network to port 0/20. For the port numbers used for connecting terminals to
be authenticated, see the configuration examples of each authentication mode.
Figure 11-2: Basic configuration
11.2.1 Configuring the authentication method group and RADIUS
server information
(1)
Configuring the authentication method group
Overview
The example below shows how to configure an authentication method group for
MAC-based authentication.
Specify one device default entry for use in common with MAC-based authentication, and
two entries for the authentication method lists used at authenticating ports.
1.
Device default
In this example, the default authentication methods for the device are RADIUS
authentication and local authentication, and the Switch is configured so that local
authentication is executed when RADIUS authentication fails.
- For RADIUS authentication, you can configure settings such as for passwords and
the format of the MAC address when making authentication requests. For details
about these settings, see 11.2.4 Configuring authentication requests to the RADIUS
server.
- Local authentication uses the internal MAC-based authentication DB. Register the internal
MAC-based authentication DB in the Switch as described in 11.6.2 Registering an internal
MAC-based authentication DB.
2.
Authentication method list
For the RADIUS server group information to be specified for authentication method
lists, Keneki-group1 and Keneki-group2 are assumed to have been set in advance.
For details about authentication method lists, see 5.2.2 Authentication method lists.
Configuration command example
1.
(config)# aaa authentication mac-authentication default group radius
local
Sets the default authentication method for the device, in the sequence of RADIUS
authentication method and then local authentication method.
2.
(config)# aaa authentication mac-authentication MAC-list1 group
Keneki-group1
Sets the RADIUS server group name Keneki-group1 in the authentication method list
MAC-list1.
3.
(config)# aaa authentication mac-authentication MAC-list2 group
Keneki-group2
Sets the RADIUS server group name Keneki-group2 in the authentication method list
MAC-list2.
Notes
• When the device default setting is changed, terminals that had been authenticated by the
corresponding authentication functionality are de-authenticated.
• When settings for the authentication method list are changed, terminals on ports
specifying the corresponding authentication method list are de-authenticated.
• When aaa authentication mac-authentication is not specified, local
authentication is assumed.
• When using the forced authentication functionality, specify only default group
radius by using the above commands. Forced authentication cannot be used with only
local authentication, or when a priority order of RADIUS authentication and local
authentication (as in the above settings) has been specified.
(2)
Configuring RADIUS server information
(a) When using a RADIUS server dedicated to MAC-based
authentication
Overview
The example below shows how to specify information about a RADIUS server dedicated
to MAC-based authentication. An IP address and a RADIUS key must be specified to
enable the RADIUS server settings. The configuration command mac-authentication
radius-server host requires only an IP address for configuration, but the RADIUS
server is not used for authentication until you specify a RADIUS key.
In this example, a monitoring timer (dead-interval time) is also configured to
automatically recover an unavailable RADIUS server dedicated to MAC-based
authentication.
1.
(config)# mac-authentication radius-server host 192.168.10.202 key
"mac-auth"
Specifies the IP address and RADIUS key for the RADIUS server dedicated to
MAC-based authentication. In this example, the default values are used for the omitted
auth-port, acct-port, timeout, and retransmit.
2.
(config)# mac-authentication radius-server dead-interval 15
Specifies 15 minutes for the monitoring timer (dead-interval time) until automatic
recovery when the RADIUS server dedicated to MAC-based authentication is
unavailable.
Notes
y If this information is not specified, the settings for a general-purpose RADIUS server are
used. If both the information for a RADIUS server dedicated to MAC-based
authentication and the information for a general-purpose RADIUS server are
unspecified, RADIUS authentication cannot be performed.
y Up to four entries can be specified on the entire Switch for information about RADIUS
servers dedicated to MAC-based authentication.
y When the RADIUS key, retry count, and response timeout time are omitted, the settings
specified by the configuration commands radius-server key, radius-server
retransmit, and radius-server timeout are used, respectively.
(b) When using a general-purpose RADIUS server
For details about the settings for a general-purpose RADIUS server, see 8. Login Security and
RADIUS in the Configuration Guide Vol. 1.
11.2.2
Restrictions on MAC addresses for authentication
Overview
The example below shows how to specify a range of terminals (MAC addresses) that
request MAC-based authentication and a range of terminals that do not request
MAC-based authentication.
Configuration command example
1.
(config)# mac-authentication access-group MacAuthFilter
(config)# mac access-list extended MacAuthFilter
(config-ext-macl)# permit 1234.5600.e000 0000.0000.ffff any
(config-ext-macl)# exit
Specifies that the terminals with MAC addresses ranging from 1234.5600.e000 to
1234.5600.efff request MAC-based authentication.
Notes
- An access list used with this functionality does not depend on the setting of the flow
detection mode.
- Because only extended MAC access lists are supported, specify the effective range of
MAC addresses in the MAC address (src specification) portion of the sender.
- For configuration commands concerning MAC access lists, destination MAC addresses
(dst and afterward) must also be specified. However, these addresses are ignored as filters
for MAC-based authentication, so you can specify values of your choice.
- MAC addresses satisfying permit conditions are subject to MAC-based authentication
processing. MAC addresses satisfying deny conditions are not subject to MAC-based
authentication processing, and authentication requests are not sent to the RADIUS server.
The last line of the MAC access list contains implicit deny conditions for all MAC
addresses. This example only sets one line as a permit condition. If this permit condition is
not satisfied, the implicit deny condition is considered satisfied. In this case, the MAC
addresses in question are not subject to MAC-based authentication processing and
authentication requests are not sent to the RADIUS server.
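The following Python model is added as an example (it is not the Switch's own filter code). It evaluates a mac access-list extended in the way 11.2.2 describes for mac-authentication access-group: lines are tried in order, only the source MAC address and mask count, a permit line makes the terminal subject to MAC-based authentication, and a deny line or the implicit deny at the end means no request is sent to the RADIUS server. It assumes the mask is a wildcard mask in which bits set to 1 are excluded from the comparison; under that assumption the mask 0000.0000.ffff in the example above covers 1234.5600.0000 to 1234.5600.ffff, while the range 1234.5600.e000 to 1234.5600.efff stated above corresponds to the mask 0000.0000.0fff. Check the mask semantics in the command reference for your software version before relying on either reading; the matched_range helper below prints the range a line actually covers. Class and function names are the example's own.

```python
from typing import List, Tuple

MAC_BITS = (1 << 48) - 1


def mac_int(mac: str) -> int:
    """'1234.5600.e000', '12-34-56-00-e0-00' or '12:34:56:00:e0:00' -> 48-bit integer."""
    return int(mac.replace(".", "").replace("-", "").replace(":", ""), 16)


def mac_str(value: int) -> str:
    """48-bit integer -> nnnn.nnnn.nnnn (the notation used in the configuration above)."""
    h = f"{value & MAC_BITS:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


class MacAuthAccessGroup:
    """Model of a 'mac access-list extended' applied with 'mac-authentication access-group'.

    Only the source MAC address and mask of each line are evaluated; the destination part
    is ignored for this purpose (see Notes in 11.2.2). ASSUMPTION: the mask is a wildcard
    mask in which bits set to 1 are excluded from the comparison."""

    def __init__(self) -> None:
        self.lines: List[Tuple[str, int, int]] = []

    def permit(self, src: str, mask: str = "0000.0000.0000") -> "MacAuthAccessGroup":
        self.lines.append(("permit", mac_int(src), mac_int(mask)))
        return self

    def deny(self, src: str, mask: str = "0000.0000.0000") -> "MacAuthAccessGroup":
        self.lines.append(("deny", mac_int(src), mac_int(mask)))
        return self

    def subject_to_authentication(self, mac: str) -> bool:
        """True: the terminal is subject to MAC-based authentication processing (a request
        goes to the RADIUS server). False: an explicit deny line, or the implicit deny at
        the end of the list, matched and no request is sent."""
        value = mac_int(mac)
        for action, base, wild in self.lines:
            if ((base ^ value) & ~wild & MAC_BITS) == 0:
                return action == "permit"
        return False   # implicit deny for all MAC addresses at the end of every list


def matched_range(src: str, mask: str) -> Tuple[str, str]:
    """Lowest and highest source address a (src, wildcard mask) line matches."""
    base, wild = mac_int(src), mac_int(mask)
    return mac_str(base & ~wild), mac_str(base | wild)


# The list from the configuration example above, as constructed input.
MAC_AUTH_FILTER = MacAuthAccessGroup().permit("1234.5600.e000", "0000.0000.ffff")

if __name__ == "__main__":
    for mac in ("1234.5600.e123", "1234.5600.0001", "1234.5601.e000"):
        print(mac, MAC_AUTH_FILTER.subject_to_authentication(mac))
    print(matched_range("1234.5600.e000", "0000.0000.ffff"))
    print(matched_range("1234.5600.e000", "0000.0000.0fff"))
```

A deny line placed before a permit line excludes a single station (or a sub-range) from authentication processing without touching the permit line; the order in which lines are entered is the order in which they are evaluated.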
11.2.3
Configuring the maximum connection time
Overview
The example below shows how to specify the maximum connection time for authenticated
terminals. When the maximum connection time is exceeded, authentication is
automatically canceled.
Configuration command example
1.
(config)# mac-authentication max-timer 60
Specifies that the time at which authentication for authenticated terminals is canceled is
60 minutes.
11.2.4
Configuring authentication requests to the RADIUS server
(1)
Specifying the MAC address format when sending a request
to the RADIUS server
Overview
The example below shows how to specify the MAC address format of terminals used for
authentication requests to the RADIUS server. For combined settings, see 10.6.2 RADIUS
authentication (2) Preparing a RADIUS server.
Configuration command example
1.
(config)# mac-authentication id-format 3 capitals
Specifies the MAC address format for authentication requests to the RADIUS server to
be in the form nn:nn:nn:nn:nn:nn and to use the upper-case characters A to F. (If
capitals is not specified, use lower-case characters.)
Notes
If this command is not specified, the format of nn-nn-nn-nn-nn-nn using lower-case
characters a to f is assumed.
(2)
Specifying the password used for requests to the RADIUS
server
Overview
The example below shows how to specify the password used when terminals request
authentication from the RADIUS server. For combined settings, see 10.6.2 RADIUS
authentication (2) Preparing a RADIUS server.
Configuration command example
1.
(config)# mac-authentication password system1-pc0001
Specifies the character string to be used as the password when requesting authentication
from the RADIUS server. The password must be in the range from 1 to 32 characters.
Notes
- When this command is not specified, the MAC addresses of terminals to be authenticated
are treated as passwords. MAC address formats depend on the setting of the configuration
command mac-authentication id-format.
- Passwords specified by this command are common to all MAC-based authentication
terminals. Note that the user ID is the terminal MAC address, which is visible on the wire
and can be set on any host, so neither the default password nor a configured one is a
per-terminal secret: the RADIUS server accepts any terminal that presents a registered
MAC address.
(3)
Specifying the delay timer for resumption of RADIUS
authentication
Overview
The example below shows how to specify the interval of time from suspension of
authentication processing to resumption of processing for terminals (MAC addresses) for
which requests for authentication to the RADIUS server have been denied.
Configuration command example
1.
(config)# mac-authentication timeout quiet-period 60
Specifies the interval from suspension of authentication processing to resumption of
processing to 60 seconds. Suspension of authentication processing is applied only to
MAC-based authentication, and processing for IEEE 802.1X and Web authentication
are not affected.
Notes
- This functionality operates with a default of 300 seconds when the MAC-based
authentication functionality is enabled. When the timer is set to 0, there is no quiet period:
an authentication request is sent to the RADIUS server as soon as a packet arrives from a
terminal whose authentication has been denied, so every frame from a rejected MAC address
produces a new request to the RADIUS server.
- With this setting, the configuration at the time MAC-based authentication is denied is
applied. Therefore, when the authentication of a terminal is suspended because of a denial
of MAC-based authentication, and the delay timer for resumption of RADIUS
authentication is changed, the changed values apply to the terminal being suspended only
after its authentication has been resumed and from the point when authentication is denied
again.
(4)
Specifying the interval for periodic requests for
re-authentication to the RADIUS server
Overview
The example below shows how to specify the interval at which to send requests to the
RADIUS server to check the authentication information of authenticated terminals.
Configuration command example
1.
(config)# mac-authentication timeout reauth-period 600
Specifies the interval at which to send periodic requests for re-authentication to the
RADIUS server to 600 seconds. For terminals authenticated by MAC-based
authentication, this functionality periodically requests re-authentication from the
RADIUS server after the specified time has elapsed from the time when the terminals
were authenticated.
Notes
1.
When 0 is set for the periodic re-authentication request interval, periodic re-authentication
requests to the RADIUS server are not sent. In this case, changes in the authentication
information on the RADIUS server are not reflected, and terminals that have already been
authenticated remain in their post-authentication VLAN.
2.
For details about canceling authentication status, see the following:
• Fixed VLAN mode: 10.2.2 Authentication functionality (7) De-authentication
• Dynamic VLAN mode: 10.3.2 Authentication functionality (7) De-authentication
• Legacy mode: 10.4.2 Authentication functionality (7) De-authentication
3.
The value in effect when a terminal was authenticated by MAC-based authentication applies
to that terminal. If the interval for periodic re-authentication requests to the RADIUS server
is changed, the new value applies to an already authenticated terminal only from the time it
is next re-authenticated.
11.2.5
Configuring the transmission of accounting information
Overview
The example below shows how to specify the transmission of accounting information for
MAC-based authentication to the RADIUS server.
Configuration command example
1.
(config)# aaa accounting mac-authentication default start-stop group
radius
Specifies the transmission of accounting information to the RADIUS server.
11.2.6
Enabling MAC-based authentication functionality
Overview
The example below shows how to enable MAC-based authentication after configuration
for MAC-based authentication is complete.
Configuration command example
1.
(config)# mac-authentication system-auth-control
Enables MAC-based authentication.
Notes
Specify this command after all settings for MAC-based authentication have been
completed. If MAC-based authentication is enabled before configuration is complete,
account logs might be collected for authentication failures.
11.3 Configuring fixed VLAN mode
After performing configuration as described in 11.1 Configuring MAC-based authentication and
11.2 Configuration common to all authentication modes, use the following procedure to
configure fixed VLAN mode.
Figure 11-3: Configuration procedure for fixed VLAN mode
For details about the configuration, see the following:
1.
Configuring fixed VLAN mode: 11.3.1 Configuring fixed VLAN mode
2.
Configuring VLAN restrictions when cross-checking authentication: 11.3.2 Settings for
authentication processing (1) Restrictions of VLAN when cross-checking authentication
information
3.
Configuring automatic cancellation of authentication: 11.3.2 Settings for authentication
processing (2) Conditions for automatically canceling authentication
4.
Configuring the maximum number of authentication terminals: 11.3.2 Settings for
authentication processing (3) Maximum number of authenticated terminals
5.
Configuring forced authentication ports: 11.3.2 Settings for authentication processing (4)
Forced authentication ports
6.
Configuring roaming: 11.3.2 Settings for authentication processing (5) Setting roaming
(allowing communication for moved ports of authenticated terminals)
7.
Configuring authentication exclusion for ports or terminals: 11.3.2 Settings for
authentication processing (6) Authentication exclusion
8.
Configuring an IPv4 access list exclusive for authentication: 5. Overview of Layer 2
Authentication
11.3.1
Configuring fixed VLAN mode
Figure 11-4: Example configuration of fixed VLAN mode
(1)
Configuring authenticating ports and VLAN information for
authentication
Overview
The example below shows how to set fixed VLAN mode and VLAN information for
authentication for ports used for fixed VLAN mode.
Configuration command example
1.
(config)# vlan 10
(config-vlan)# exit
Sets VLAN ID 10.
2.
(config)# interface fastethernet 0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
Sets port 0/4 as the access port to which terminals to be authenticated are connected, and
sets VLAN 10 for authentication.
3.
(config-if)# mac-authentication port
(config-if)# exit
Sets fixed VLAN mode to port 0/4.
(2)
Configuring authentication method list names for
authentication methods by port
Overview
The example below shows how to set names of authentication method lists for
authentication methods by port.
For details about configuring authentication method lists, see 11.2.1 Configuring the
authentication method group and RADIUS server information (1) Configuring the
authentication method group.
Configuration command example
1.
(config)# interface fastethernet 0/4
(config-if)# mac-authentication authentication MAC-list1
(config-if)# exit
Sets the authentication method list name MAC-list1 to port 0/4.
Notes
- When this information is not set, authentication is executed according to the device
default as described in 11.2.1 Configuring the authentication method group and RADIUS
server information (1) Configuring the authentication method group.
- When a name of an authentication method list set for a port does not match a name of an
authentication method list of an authentication method group or is not present in an
authentication method group, authentication will be executed according to the device
default.
- This setting cannot be specified concurrently with authentication method by user ID for
Web authentication or legacy mode. For details, see 5.2.2 Authentication method lists.
11.3.2
Settings for authentication processing
This subsection describes the settings for authentication processing for fixed VLAN mode.
(1)
Restrictions of VLAN when cross-checking authentication
information
Overview
The example below shows how to set the VLAN ID to be cross-checked when
cross-checking authentication terminals by local authentication or RADIUS authentication
in fixed VLAN mode.
Configuration command example
1.
(config)# mac-authentication vlan-check key @VLAN
In local authentication, terminals are cross-checked by MAC address and the VLAN ID of
the port they are connected to. In RADIUS authentication, they are cross-checked by the
MAC address followed by the character string @ and the VLAN ID of the port.
For RADIUS authentication, see 11.2.4 Configuring authentication requests to the
RADIUS server (1) Specifying the MAC address format when sending a request to the
RADIUS server and (2) Specifying the password used for requests to the RADIUS server,
and set the MAC address format and password if necessary.
(2)
Conditions for automatically canceling authentication
(a) Maximum connection time
This setting is common to all authentication modes for MAC-based authentication. See 11.2
Configuration common to all authentication modes and 11.2.3 Configuring the maximum
connection time.
(b) Non-connection monitoring time for authentication terminals
Overview
The example below shows how to set the non-connection monitoring time for
authentication terminals. When no frames are received from target terminals after the
specified time has elapsed, authentication of the terminals is automatically canceled.
Configuration command example
1.
(config)# mac-authentication auto-logout delay-time 600
Sets non-connection monitoring time for authentication terminals to 600 seconds (10
minutes). This functionality operates by default (delay-time: 3600 seconds) if
MAC-based authentication is enabled.
When no mac-authentication auto-logout is set, authentication is not canceled.
Notes
- When the time for automatically canceling authentication and the time for periodic
re-authentication requests to the RADIUS server (the mac-authentication timeout
reauth-period) overlap, automatically canceling authentication will be given a higher
priority.
- This setting is applied immediately. However, because non-connection monitoring runs on
a 60-second cycle, a delay of up to 60 seconds occurs before the functionality actually
takes effect. When the value of mac-authentication auto-logout delay-time is changed
to a shorter value, terminals whose non-connection time already exceeds the new value are
detected and their authentication is automatically canceled. In this case, a delay of up to
60 seconds is again observed.
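As an added example (not ALAXALA code), the following Python model works through the timing caveats in these notes and in the equivalent legacy-mode notes in 11.5.2 (1)(b): the 60-second monitor cycle, the effect of shortening delay-time, and the priority of automatic cancellation over a coinciding re-authentication request. Tick alignment (monitor ticks at multiples of 60 seconds on one shared clock) is an assumption.

```python
"""Timing model for mac-authentication auto-logout delay-time.

Added example, not ALAXALA code. It models only what the manual states:
the non-connection (or MAC address aging) monitor runs on a 60-second
cycle, so a terminal is logged out at the first monitor tick at which
delay-time seconds have elapsed since its last frame, and a shortened
delay-time is noticed at the next tick. Assumption: ticks fall on
multiples of the cycle on one shared clock. All times are seconds.
"""
MONITOR_CYCLE = 60
DEFAULT_DELAY = 3600   # default delay-time once auto-logout is enabled


def next_tick(t: int, cycle: int = MONITOR_CYCLE) -> int:
    """First monitor tick at or after time t (ceiling to the cycle)."""
    return -(-t // cycle) * cycle


def auto_logout_time(last_frame: int, delay_time: int = DEFAULT_DELAY,
                     cycle: int = MONITOR_CYCLE) -> int:
    """Tick at which a terminal silent since last_frame is logged out.

    The lag beyond last_frame + delay_time is the 'up to 60 seconds'
    the notes describe, because the monitor only looks once per cycle."""
    return next_tick(last_frame + delay_time, cycle)


def logout_after_change(last_frame: int, old_delay: int, change_time: int,
                        new_delay: int, cycle: int = MONITOR_CYCLE) -> int:
    """Logout tick when delay-time is changed from old_delay to new_delay
    at change_time.

    If the terminal was already logged out under the old value, the change
    is irrelevant. Otherwise a terminal whose silence already exceeds the
    new value is caught at the next tick after the change (again up to a
    cycle later); one that does not yet exceed it waits for the new due
    time as usual."""
    old_logout = auto_logout_time(last_frame, old_delay, cycle)
    if change_time >= old_logout:
        return old_logout
    new_due = last_frame + new_delay
    return next_tick(max(new_due, change_time), cycle)


def tick_action(tick: int, logout_at: int, reauth_at: int) -> str:
    """Which timer acts at a tick. When automatic cancellation and the
    periodic re-authentication request (mac-authentication timeout
    reauth-period) coincide, cancellation takes priority per the notes."""
    if tick == logout_at:
        return "auto-logout"
    if tick == reauth_at:
        return "reauth-request"
    return "none"


if __name__ == "__main__":
    # Constructed scenario: last frame at t=100, delay-time 600 (as in the
    # configuration example), so the terminal is due at 700 but logged out
    # at the 720 tick.
    print("logout at", auto_logout_time(100, 600))
    # Operator shortens delay-time from the default 3600 to 600 at t=1000.
    print("logout after change at", logout_after_change(0, 3600, 1000, 600))
    print(tick_action(3600, logout_at=3600, reauth_at=3600))
```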
(3)
Maximum number of authentication terminals
Overview
The example below shows how to set the maximum number of terminals that can be
authenticated in fixed VLAN mode. For devices, set this number by using global
configuration mode, and for ports, set this number through the configuration mode
corresponding to the ports.
Configuration command example
1.
(config)# interface fastethernet 0/4
(config-if)# mac-authentication static-vlan max-user 2
(config-if)# exit
Specifies that the maximum number of authentication terminals in port 0/4 is 2.
(4)
Forced authentication ports
Overview
The example below shows how to set ports that will be permitted for forced authentication
in fixed VLAN mode.
Configuration command example
1.
(config)# interface fastethernet 0/4
(config-if)# mac-authentication static-vlan force-authorized
(config-if)# exit
Sets port 0/4 to a forced authentication port.
Notes
When using forced authentication, set only the RADIUS authentication method. Forced
authentication does not operate in the following settings:
- aaa authentication mac-authentication default group radius local
- aaa authentication mac-authentication default local group radius
(5)
Setting roaming (allowing communication for moved ports of
authenticated terminals)
Overview
The example below shows how to set authentication terminals in fixed VLAN mode to be
able to connect even if the terminals have been moved to other ports without linking down
the port.
Configuration command example
1.
(config)# mac-authentication static-vlan roaming
Sets authentication terminals in fixed VLAN mode to be able to connect after moving to
other ports.
Notes
Roaming operates in the following conditions:
- Ports for fixed VLAN mode before and after moving
- The same VLAN before and after moving
(6)
Authentication exclusion
You can set ports and terminals in fixed VLAN mode to be excluded from authentication. In this
example, ports 0/19, 0/20 and a shared server as illustrated in the following figure are set to be
excluded from authentication.
Figure 11-5: Configuration example of authentication exclusion in fixed VLAN mode
(a) Ports excluded from authentication
Overview
The example below shows how to prevent authentication mode from being set for ports
excluded from authentication in fixed VLAN mode.
Configuration command example
1.
(config)# interface range fastethernet 0/19-0/20
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 10
(config-if-range)# exit
Sets ports 0/19 and 0/20 in VLAN ID 10 as access ports. No authentication mode is set
(mac-authentication port).
(b) Terminals excluded from authentication
Overview
The example below shows how to register MAC addresses into the MAC address table for
MAC addresses of terminals excluded from authentication in fixed VLAN mode.
Configuration command example
1.
(config)# mac-address-table static 1234.5600.e001 vlan 10 interface fastethernet 0/4
Sets the MAC address (MAC address of shared server: 1234.5600.e001 in the figure) of
a terminal permitted to connect but exempt from authentication with port 0/4 in VLAN
ID 10 to the MAC address table.
11.4 Configuring dynamic VLAN mode
After performing the configuration described in 11.1 Configuring MAC-based authentication
and 11.2 Configuration common to all authentication modes, configure dynamic VLAN mode
according to the following procedure.
Figure 11-6: Configuration procedure for dynamic VLAN mode
For details about the configuration, see the following:
1.
Setting dynamic VLAN mode: 11.4.1 Configuring dynamic VLAN mode
2.
Setting automatic cancellation of authentication: 11.4.2 Settings for authentication
processing (1) Configuring conditions for automatically canceling authentication
3.
Settings for the maximum number of authentication terminals: 11.4.2 Settings for
authentication processing (2) Maximum number of authentication terminals
4.
Settings for forced authentication ports: 11.4.2 Settings for authentication processing (3)
Forced authentication ports
5.
Settings for roaming: 11.4.2 Settings for authentication processing (4) Setting roaming
(allowing communication for moved ports of authenticated terminals)
6.
Settings for ports or terminals excluded from authentication: 11.4.2 Settings for
authentication processing (5) Authentication exclusion
7.
Settings for IPv4 access list exclusive for authentication: 5. Overview of Layer 2
Authentication
11.4.1
Configuring dynamic VLAN mode
Figure 11-7: Configuration example of dynamic VLAN mode
(1)
Configuring authentication ports and VLAN information for
authentication
Overview
The example below shows how to set dynamic VLAN mode and VLAN information for
authentication for ports used for dynamic VLAN mode.
Configuration command example
1.
(config)# vlan 200 mac-based
(config-vlan)# exit
Sets the MAC VLAN to VLAN ID 200.
2.
(config)# vlan 10
(config-vlan)# exit
Sets VLAN ID 10.
3.
(config)# interface fastethernet 0/5
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 10
Sets port 0/5 where terminals for authentication are connected as a MAC port, and sets
VLAN 10 for pre-authentication. (For details about post-authentication VLAN
assignment, see 5.4.3 Auto MAC VLAN assignment.)
4.
(config-if)# mac-authentication port
(config-if)# exit
Sets port 0/5 to dynamic VLAN mode.
(2)
Configuring authentication method list names for
authentication method by port
Overview
The example below shows how to set the names of authentication method lists for
authentication method by port.
For details about setting authentication method lists, see 11.2.1 Configuring the
authentication method group and RADIUS server information (1) Configuring the
authentication method group.
Configuration command example
1.
(config)# interface fastethernet 0/5
(config-if)# mac-authentication authentication MAC-list1
(config-if)# exit
Sets the authentication method list name MAC-list1 to port 0/5.
Notes
- When this information is not set, authentication is performed according to the device
default as described in 11.2.1 Configuring the authentication method group and RADIUS
server information (1) Configuring the authentication method group.
- When a name of an authentication method list set for a port does not match the name of an
authentication method list of an authentication method group or is not present in an
authentication method group, authentication will be performed according to the device
default.
- The setting cannot be specified concurrently with the authentication method by user ID in
Web authentication or legacy mode. For details, see 5.2.2 Authentication method lists.
11.4.2
Settings for authentication processing
This subsection describes the settings for authentication processing for dynamic VLAN
mode.
(1)
Configuring conditions for automatically canceling
authentication
(a) Maximum connection time
This setting is common to all authentication modes for MAC-based authentication. See 11.2
Configuration common to all authentication modes and 11.2.3 Configuring the maximum
connection time.
(b) Non-connection monitoring time for authentication terminals
Configuration is the same as for fixed VLAN mode. See 11.3.2 Settings for authentication
processing (2) Conditions for automatically canceling authentication (b) Non-connection
monitoring time for authentication terminals.
(2)
Maximum number of authentication terminals
Overview
The example below shows how to set the maximum number of terminals that can be
authenticated in dynamic VLAN mode. For device settings, set this number by using global
configuration mode, and to adjust the settings for ports, set this number by using the
configuration mode corresponding to the ports.
Configuration command example
1.
(config)# interface fastethernet 0/5
(config-if)# mac-authentication max-user 2
(config-if)# exit
Specifies that the maximum number of authentication terminals for port 0/5 is 2.
(3)
Forced authentication ports
Overview
The example below shows how to allow forced authentication and assign a
post-authentication VLAN to ports in dynamic VLAN mode.
Configuration command example
1.
(config)# interface fastethernet 0/5
(config-if)# mac-authentication force-authorized vlan 200
(config-if)# exit
Allows forced authentication at port 0/5, and sets the VLAN ID of post-authentication
VLAN to be assigned.
Notes
1.
By using the configuration command vlan, set the VLAN ID with the mac-based setting
(MAC VLAN setting).
2.
When using forced authentication, set only the RADIUS authentication method. Settings
for forced authentication do not operate with the following settings:
- aaa authentication mac-authentication default group radius local
- aaa authentication mac-authentication default local group radius
(4)
Setting roaming (allowing communication for moved ports of
authenticated terminals)
Overview
The example below shows how to set authentication terminals in dynamic VLAN mode to
be able to connect even if the terminals have been moved to other ports without linking
down the ports.
Configuration command example
1.
(config)# mac-authentication roaming
Sets authentication terminals in dynamic VLAN mode to be able to connect after
moving to other ports.
Notes
Roaming operates in the following conditions:
- Ports for dynamic VLAN mode before and after moving
- Post-authentication VLAN before moving has been specified by the configuration
command switchport mac vlan
(5)
Authentication exclusion
You can set ports and terminals in dynamic VLAN mode to be excluded from authentication. In
this example, ports 0/19, 0/20 and a shared server as illustrated in the following figure are set to
be excluded from authentication.
Figure 11-8: Configuration example of authentication exclusion in dynamic VLAN mode
(a) Configuring ports excluded from authentication
Overview
The example below shows how to set ports excluded from authentication as access ports.
No authentication mode is specified.
Configuration command example
1.
(config)# interface fastethernet 0/19
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
Sets port 0/19 of VLAN ID 10 as an access port. No authentication mode is set
(mac-authentication port).
2.
(config)# interface fastethernet 0/20
(config-if)# switchport mode access
(config-if)# switchport access vlan 200
(config-if)# exit
Sets port 0/20 of MAC VLAN ID 200 as an access port. No authentication mode is set
(mac-authentication port).
(b) Terminals excluded from authentication
Overview
The example below shows how to register MAC addresses of terminals excluded from
authentication to a MAC VLAN and MAC address table.
Configuration command example
1.
(config)# vlan 200 mac-based
(config-vlan)# mac-address 1234.5600.e001
(config-vlan)# exit
Sets a MAC address of a terminal excluded from authentication (MAC address of shared
server: 1234.5600.e001 in the figure) to MAC VLAN ID 200.
2.
(config)# mac-address-table static 1234.5600.e001 vlan 200 interface fastethernet 0/5
Sets the MAC address (MAC address of shared server: 1234.5600.e001 in the figure) of
a terminal permitted to connect but exempt from authentication with port 0/5 in MAC
VLAN ID 200 to the MAC address table.
11.5 Configuring legacy mode
After performing the configuration described in 11.1 Configuring MAC-based authentication
and 11.2 Configuration common to all authentication modes, configure legacy mode according
to the following procedure.
Figure 11-9: Configuration procedure for legacy mode
For details about the configuration, see the following:
1.
Setting legacy mode: 11.5.1 Configuring legacy mode
2.
Setting automatic cancellation of authentication: 11.5.2 Settings for authentication
processing (1) Configuring the conditions for automatic cancellation of authentication
3.
Setting the maximum number of authentication terminals: 11.5.2 Settings for
authentication processing (2) Maximum number of authentication terminals
4.
Setting forced authentication ports: 11.5.2 Settings for authentication processing (3)
Forced authentication ports
5.
Setting authentication exclusion of ports or terminals: 11.5.2 Settings for authentication
processing (4) Authentication exclusion
11.5.1
Configuring legacy mode
Figure 11-10: Configuration example for legacy mode
(1)
Configuring ports for legacy mode
Overview
The example below shows how to set the ports used for legacy mode.
Configuration command example
1.
(config)# mac-authentication interface fastethernet 0/6
Sets port 0/6 as a port for legacy mode.
(2)
Configuring VLAN information for authentication ports
Overview
The example below shows how to set VLAN information for authentication for the ports
used for legacy mode.
Configuration command example
1.
(config)# vlan 300 mac-based
(config-vlan)# exit
Sets the MAC VLAN to VLAN ID 300.
2.
(config)# vlan 10
(config-vlan)# exit
Sets VLAN ID 10.
3.
(config)# interface fastethernet 0/6
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac vlan 300
(config-if)# switchport mac native vlan 10
(config-if)# exit
Sets port 0/6 to which terminals for authentication are connected as a MAC port, and
then sets the pre-authentication VLAN 10 and post-authentication VLAN 300.
(3)
Post-authentication VLAN
Overview
The example below shows how to set the post-authentication VLAN ID used for legacy
mode. After authentication succeeds in legacy mode, the network is switched dynamically
to the VLAN set by this command.
Configuration command example
1.
(config)# mac-authentication vlan 300
Sets the VLAN ID of the post-authentication VLAN of legacy mode.
Notes
When this information is not set, authentication in legacy mode fails. Set the target VLAN
ID.
11.5.2
Settings for authentication processing
This subsection describes the settings for the authentication processing of legacy mode.
(1)
Configuring the conditions for automatic cancellation of
authentication
(a) Maximum connection time
This setting is common to all authentication modes in MAC-based authentication. See 11.2
Configuration common to all authentication modes and 11.2.3 Configuring the maximum
connection time.
(b) Delay time between monitoring of MAC address aging and
automatic cancellation of authentication
Overview
For authentication terminals in legacy mode, the example below shows how to set the delay
time between when MAC address aging times out and automatic cancellation of
authentication. The MAC address aging time is specified by the configuration command
mac-address-table aging-time.
Configuration command example
1.
(config)# mac-authentication auto-logout delay-time 60
Sets the delay time between when MAC address aging times out and automatic
cancellation of authentication to 60 seconds. If MAC-based authentication is enabled,
this functionality operates by default (delay-time: 3600 seconds). If no
mac-authentication auto-logout is specified, authentication is not canceled.
Notes
- When the time for automatic cancellation of authentication and the time for periodic
re-authentication requests to the RADIUS server (mac-authentication timeout
reauth-period) overlap, automatic cancellation of authentication is given higher
priority.
- This setting is applied immediately. However, because monitoring of MAC address aging
runs on a 60-second cycle, a delay of up to 60 seconds occurs before the setting actually
takes effect. When the value of mac-authentication auto-logout delay-time is changed
to a shorter value, terminals for which the new delay time has already elapsed are
detected and their authentication is automatically canceled. In this case, a delay of up
to 60 seconds is again observed.
(2)
Maximum number of authentication terminals
The configuration procedure is the same as for dynamic VLAN mode. See 11.4.2 Settings for
authentication processing (2) Maximum number of authentication terminals.
(3)
Forced authentication ports
Overview
The example below shows how to allow forced authentication at a legacy mode port, and
specify the post-authentication VLAN to be assigned.
Configuration command example
1.
(config)# interface fastethernet 0/6
(config-if)# mac-authentication force-authorized vlan 300
(config-if)# exit
Allows forced authentication at port 0/6 and specifies the VLAN ID of the
post-authentication VLAN to be assigned.
Notes
1.
By using the configuration command vlan, set the VLAN ID with the mac-based setting
(MAC VLAN setting).
2.
When using forced authentication, set only the RADIUS authentication method. Settings
for forced authentication do not operate with the following settings:
- aaa authentication mac-authentication default group radius local
- aaa authentication mac-authentication default local group radius
(4)
Authentication exclusion
You can set ports and terminals in legacy mode to be excluded from authentication. In this
example, ports 0/19, 0/20 and a shared server as illustrated in the following figure are set to be
excluded from authentication.
Figure 11-11: Configuration example of authentication exclusion in legacy mode
(a) Configuring ports excluded from authentication
Overview
The example below shows how to set ports excluded from authentication as access ports.
Configuration command example
1.
(config)# interface fastethernet 0/19
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
Sets port 0/19 in VLAN ID 10 as an access port. No authentication mode is set
(mac-authentication port).
2.
(config)# interface fastethernet 0/20
(config-if)# switchport mode access
(config-if)# switchport access vlan 300
(config-if)# exit
Sets port 0/20 in MAC VLAN ID 300 as an access port.
(b) Terminals excluded from authentication
Overview
The example below shows how to register MAC addresses of terminals excluded from
authentication to a MAC VLAN.
Configuration command example
1.
(config)# vlan 300 mac-based
(config-vlan)# mac-address 1234.5600.e001
(config-vlan)# exit
Sets a MAC address of a terminal excluded from authentication (MAC address of shared
server: 1234.5600.e001 in the figure) in MAC VLAN ID 300.
11.6 MAC-based authentication operations
11.6.1
List of operation commands
The following table shows the operation commands for MAC-based authentication.
Table 11-3: List of operation commands
Command / Description
set mac-authentication mac-address
    Adds MAC addresses and information about post-authentication VLAN IDs for
    MAC-based authentication to the internal MAC-based authentication DB (edits MAC
    address information).
remove mac-authentication mac-address
    Deletes MAC address information from the internal MAC-based authentication DB
    (edits MAC address information).
commit mac-authentication
    Updates the internal MAC-based authentication DB with MAC address information that
    has been edited.
store mac-authentication
    Creates backup files for the internal MAC-based authentication DB.
load mac-authentication
    Restores the internal MAC-based authentication DB from the backup files.
show mac-authentication mac-address
    Displays the contents registered in the internal MAC-based authentication DB as
    well as any MAC address information that is being edited.
show mac-authentication
    Displays the setting status of MAC-based authentication.
show mac-authentication auth-state
    Displays the authentication status of MAC-based authentication.
show mac-authentication auth-state select-option
    Displays the authentication status of MAC-based authentication by selecting display
    options.
show mac-authentication auth-state summary
    Displays the number of authenticated terminals.
clear mac-authentication auth-state
    Forcibly cancels the authentication of authenticated MAC addresses.
show mac-authentication login
    Displays the authentication status of MAC-based authentication (the displayed
    content is the same as when specifying the operation command show
    mac-authentication auth-state).
show mac-authentication login select-option
    Displays the authentication status of MAC-based authentication by selecting display
    options (the displayed content is the same as when specifying the operation command
    show mac-authentication auth-state select-option).
show mac-authentication login summary
    Displays the number of authenticated terminals (the displayed content is the same as
    when specifying the operation command show mac-authentication auth-state summary).
show mac-authentication logging
    Displays the authenticated account log.
clear mac-authentication logging
    Clears the authenticated account log.
show mac-authentication statistics
    Displays statistics for MAC-based authentication.
clear mac-authentication statistics
    Clears statistics for MAC-based authentication.
11.6.2
Registering an internal MAC-based authentication DB
You can register MAC address information (MAC addresses, post-authentication VLAN IDs)
for authentication terminals used in the local authentication method to the internal MAC-based
authentication DB. The procedure includes editing (adding and deleting) MAC address
information and updating the internal MAC-based authentication DB. An example of
registration is shown below.
Before adding MAC address information, you must finish setting up the environment for the
MAC-based authentication system and configuration must be complete.
(1)
Adding MAC address information
For each terminal to be authenticated, add MAC addresses and post-authentication VLAN IDs
by using the operation command set mac-authentication mac-address. The following
examples include a registration of only MAC addresses, and a registration of both MAC
addresses and MAC masks.
Command entry (specifying MAC addresses)
# set mac-authentication mac-address 0012.e201.fff1 20
# set mac-authentication mac-address 0012.e202.fff1 30
Command entry (specifying both MAC addresses and MAC masks)
# set mac-authentication mac-address 0012.e201.0000 0000.0000.ffff 40
# set mac-authentication mac-address 0012.e202.0000 0000.0000.ffff 60
Command entry (specifying an any condition)
# set mac-authentication mac-address 0000.0000.0000 ffff.ffff.ffff 1
The above registration information is displayed as follows by using the operation command
show mac-authentication mac-address. The information is displayed in ascending order
by MAC address. However, registration of entries with only MAC addresses precedes
registration of entries with MAC masks.
MAC address searches when using local authentication are executed by using the order given
below.
Figure 11-12: Display of authentication status of internal MAC-based authentication DB
# show mac-authentication mac-address edit
Date 2008/11/13 17:40:02 UTC
Total mac-address counts: 5
mac-address     mac-mask         VLAN
0012.e201.fff1                   20
0012.e202.fff1                   30
0012.e201.0000  0000.0000.ffff   40
0012.e202.0000  0000.0000.ffff   60
(any)           ffff.ffff.ffff   1
#
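As an added example (not ALAXALA code), the following Python model reproduces the search order shown above and the vlan-check cross-check described in 11.3.2 (1), built from the five set mac-authentication mac-address lines of this example. The mask semantics (mask bits set to 1 are ignored), the first-match rule and the way the VLAN comparison is applied are assumptions.

```python
"""Model of the internal MAC-based authentication DB lookup order.

Added example, not ALAXALA code. It models the order described in 11.6.2:
entries registered with only a MAC address are searched first, in
ascending MAC order, then entries registered with a MAC mask, and the
"(any)" entry (0000.0000.0000 with mask ffff.ffff.ffff) last, as in the
show mac-authentication mac-address output. Assumptions: a mask bit of 1
means "don't care", the first MAC match decides, and with vlan-check
enabled (fixed VLAN mode) the matched entry's VLAN must equal the VLAN of
the port the terminal is connected to.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY_MASK = 0xFFFFFFFFFFFF   # mask of the "(any)" entry


def mac_to_int(mac: str) -> int:
    """Parse the switch's dotted notation (e.g. 0012.e201.fff1) into an int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render an int back into the switch's dotted notation."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass(frozen=True)
class DbEntry:
    mac: int
    mask: Optional[int]   # None when registered with only a MAC address
    vlan: int             # post-authentication VLAN ID

    def matches(self, mac: int) -> bool:
        if self.mask is None:
            return mac == self.mac
        care = ~self.mask & ANY_MASK   # bits that must be equal (assumption)
        return (mac & care) == (self.mac & care)


def parse_set_command(line: str) -> DbEntry:
    """Build an entry from a 'set mac-authentication mac-address' line.
    Constructed parser: the command takes MAC [MAC-mask] VLAN-ID."""
    parts = line.split()
    if parts[:3] != ["set", "mac-authentication", "mac-address"]:
        raise ValueError(f"not a set mac-authentication mac-address line: {line!r}")
    args = parts[3:]
    if len(args) == 2:
        return DbEntry(mac_to_int(args[0]), None, int(args[1]))
    if len(args) == 3:
        return DbEntry(mac_to_int(args[0]), mac_to_int(args[1]), int(args[2]))
    raise ValueError(f"unexpected argument count in {line!r}")


def search_order(entries: List[DbEntry]) -> List[DbEntry]:
    """Order in which local authentication searches the DB: exact entries
    ascending, then masked entries ascending, then the (any) entry."""
    exact = sorted((e for e in entries if e.mask is None), key=lambda e: e.mac)
    masked = sorted((e for e in entries if e.mask is not None and e.mask != ANY_MASK),
                    key=lambda e: e.mac)
    any_entries = [e for e in entries if e.mask == ANY_MASK]
    return exact + masked + any_entries


def local_authenticate(entries: List[DbEntry], mac: str, port_vlan: int,
                       vlan_check: bool = False) -> Optional[int]:
    """Return the post-authentication VLAN of the first matching entry, or
    None when authentication fails. With vlan_check the entry VLAN must
    equal port_vlan (mac-authentication vlan-check in fixed VLAN mode)."""
    target = mac_to_int(mac)
    for entry in search_order(entries):
        if not entry.matches(target):
            continue
        if vlan_check and entry.vlan != port_vlan:
            return None
        return entry.vlan
    return None


# The five registrations from 11.6.2 (1).
COMMANDS = [
    "set mac-authentication mac-address 0012.e201.fff1 20",
    "set mac-authentication mac-address 0012.e202.fff1 30",
    "set mac-authentication mac-address 0012.e201.0000 0000.0000.ffff 40",
    "set mac-authentication mac-address 0012.e202.0000 0000.0000.ffff 60",
    "set mac-authentication mac-address 0000.0000.0000 ffff.ffff.ffff 1",
]
DB = [parse_set_command(c) for c in COMMANDS]


def show_order(entries: List[DbEntry]) -> List[str]:
    """Rows in the order show mac-authentication mac-address lists them."""
    rows = []
    for e in search_order(entries):
        mac = "(any)" if e.mask == ANY_MASK else int_to_mac(e.mac)
        mask = "" if e.mask is None else int_to_mac(e.mask)
        rows.append(f"{mac:<16}{mask:<16}{e.vlan}")
    return rows


if __name__ == "__main__":
    print("\n".join(show_order(DB)))
    for probe in ("0012.e201.fff1", "0012.e201.1234", "00d0.5909.7121"):
        print(probe, "->", local_authenticate(DB, probe, port_vlan=10))
```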
(2)
Deleting MAC address information
Use the operation command remove mac-authentication mac-address to delete
registered MAC address information. In the next example, information for a single user is
deleted.
Command entry
# remove mac-authentication mac-address 0012.e202.fff1 30
Remove mac-authentication mac-address. Are you sure? (y/n): y
#
MAC address 0012.e202.fff1 and VLAN ID 30 are deleted.
(3)
Updating the internal MAC-based authentication DB
Update the internal MAC-based authentication DB with edited MAC address information by
using the operation command commit mac-authentication.
Command entry
# commit mac-authentication
Commitment mac-authentication mac-address data. Are you sure? (y/n): y
Commit complete.
#
11.6.3 Backing up and restoring the internal MAC-based
authentication DB
The following example illustrates how to back up the internal MAC-based authentication DB
and restore the DB from the backup files.
(1)
Backing up internal MAC-based authentication DB
A backup file (backupfile in the following example) is created by using the operation
command store mac-authentication from the internal MAC-based authentication DB.
Command entry
# store mac-authentication ramdisk backupfile
Backup mac-authentication MAC address data. Are you sure? (y/n): y
Backup complete.
#
Two files are automatically created (example when the file name is backupfile):
- backupfile: File that does not contain MAC mask information
- backupfile.msk: File that contains MAC mask information
(2)
Restoring internal MAC-based authentication DB
The internal MAC-based authentication DB is restored from a backup file (backupfile in the
following example) by using the operation command load mac-authentication.
Command entry (restoring the internal MAC-based authentication DB that does not contain
MAC mask information)
# load mac-authentication ramdisk backupfile
Restore mac-authentication MAC address data. Are you sure? (y/n): y
Restore complete.
#
Command entry (restoring the internal MAC-based authentication DB that contains MAC
mask information)
# load mac-authentication ramdisk backupfile.msk
Restore mac-authentication MAC address data. Are you sure? (y/n): y
Restore complete.
#
11.6.4
Displaying the status of MAC-based authentication settings
Use the operation command show mac-authentication to display the setting status of
MAC-based authentication.
Figure 11-13: Displaying setting status of MAC-based authentication
# show mac-authentication
Date 2009/10/28 08:51:52 UTC
<<<MAC-Authentication mode status>>>
 Dynamic-VLAN : Enable
 Static-VLAN  : Enable
<<<System configuration>>>
 * Authentication parameter
   Authentic-mode : Dynamic-VLAN
   max-user       : 256
   id-format type : xx-xx-xx-xx-xx-xx
   password       : Disable
   vlan-check     :
   roaming        : Disable
   mac-authentication vlan:
 * AAA methods
   Authentication Default      : RADIUS
   Authentication port-list-BBB: RADIUS ra-group-2
   Accounting Default          : RADIUS
 * Logout parameter
   max-timer     : infinity
   auto-logout   : 3600
   quiet-period  : 300
   reauth-period : 3600
 * Logging status
   [Syslog send] : Disable
   [Traps]       : Disable
 <Port configuration>
   Port Count : 2
   Port : 0/6
     VLAN ID        : 40
     Forceauth VLAN : Disable
     Access-list-No : L2-auth
     ARP relay      : Enable
     Max-user       : 256
   Port : 0/22
     VLAN ID        : 40
     Forceauth VLAN : Disable
     Access-list-No : L2-auth
     ARP relay      : Enable
     Max-user       : 256
     Authentication method: port-list-BBB
<<<System configuration>>>
 * Authentication parameter
   Authentic-mode : Static-VLAN
   max-user       : 1024
   id-format type : xx-xx-xx-xx-xx-xx
   password       : Disable
   vlan-check     : Disable
   roaming        : Disable
   mac-authentication vlan:
 * AAA methods
   Authentication Default      : RADIUS
   Authentication port-list-BBB: RADIUS ra-group-2
   Accounting Default          : RADIUS
 * Logout parameter
   max-timer     : infinity
   auto-logout   : 3600
   quiet-period  : 300
   reauth-period : 3600
 * Logging status
   [Syslog send] : Disable
   [Traps]       : Disable
 <Port configuration>
   Port Count : 1
   Port : 0/5
     VLAN ID        : 4
     Forceauth VLAN : Disable
     Access-list-No : L2-auth
     ARP relay      : Enable
     Max-user       : 1024
     Authentication method: port-list-BBB
#
11.6.5
Displaying status of MAC-based authentication
Use the operation command show mac-authentication statistics to display the status of
MAC-based authentication and the status of communication with the RADIUS server.
Figure 11-14: Displaying the status of MAC-based authentication
# show mac-authentication statistics
Date 2009/10/28 09:12:44 UTC
MAC-Authentication Information:
 Authentication Request Total:   12
 Authentication Success Total:    6
 Authentication Fail Total   :    5
 Authentication Refuse Total :    0
 Authentication Current Count:    1
 Authentication Current Fail :    0
RADIUS MAC-Authentication Information:
 [RADIUS frames]
  TxTotal :   12  TxAccReq  :   11  TxError   :    1
  RxTotal :   11  RxAccAccpt:   11  RxAccRejct:    0
                  RxAccChllg:    0  RxInvalid :    0
Account MAC-Authentication Information:
 [Account frames]
  TxTotal :   11  TxAccReq  :   11  TxError   :    0
  RxTotal :   11  RxAccResp :   11  RxInvalid :    0
#
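As an added example (not part of this manual and not ALAXALA code), the following Python script parses the counters of Figure 11-14 and derives the signals an operator would normally watch: the share of requests that ended in failure or refusal, RADIUS transmit errors, and requests that never received a response. The sample text embeds the figure's values; its exact column alignment is an assumption, so the parser keys on "label : number" pairs rather than on column positions.

```python
import re

# Constructed sample: the Figure 11-14 counters re-typed as the Switch prints them
# (values from the manual; the exact alignment is an assumption).
SAMPLE_STATS = """\
# show mac-authentication statistics
Date 2009/10/28 09:12:44 UTC
MAC-Authentication Information:
 Authentication Request Total:   12
 Authentication Success Total:    6
 Authentication Fail Total   :    5
 Authentication Refuse Total :    0
 Authentication Current Count:    1
 Authentication Current Fail :    0
RADIUS MAC-Authentication Information:
 [RADIUS frames]
  TxTotal :   12  TxAccReq  :   11  TxError   :    1
  RxTotal :   11  RxAccAccpt:   11  RxAccRejct:    0
                  RxAccChllg:    0  RxInvalid :    0
Account MAC-Authentication Information:
 [Account frames]
  TxTotal :   11  TxAccReq  :   11  TxError   :    0
  RxTotal :   11  RxAccResp :   11  RxInvalid :    0
#
"""

# One "Label : value" pair; several pairs may share a line in the RADIUS/Account sections.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")


def parse_mac_auth_statistics(text):
    """Return {section: {counter_label: int}} for the three counter sections."""
    sections = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Information:"):
            current = stripped[: -len(" Information:")]   # e.g. "RADIUS MAC-Authentication"
            sections[current] = {}
            continue
        if current is None or stripped.startswith(("[", "#", "Date")):
            continue
        for label, value in PAIR_RE.findall(line):
            sections[current][label.strip()] = int(value)
    return sections


def mac_auth_health(stats, max_fail_ratio=0.5):
    """Derive simple monitoring signals from the parsed counters."""
    m = stats["MAC-Authentication"]
    r = stats["RADIUS MAC-Authentication"]
    total = m["Authentication Request Total"]
    failed = m["Authentication Fail Total"] + m["Authentication Refuse Total"]
    fail_ratio = failed / total if total else 0.0
    return {
        "fail_ratio": fail_ratio,
        "high_failure": fail_ratio > max_fail_ratio,     # burst of unknown MACs or bad RADIUS data
        "radius_tx_errors": r["TxError"],                # could not send to the server
        "radius_unanswered": r["TxAccReq"] - r["RxTotal"],  # requests sent minus replies seen
        "radius_rejects": r["RxAccRejct"],
    }


if __name__ == "__main__":
    parsed = parse_mac_auth_statistics(SAMPLE_STATS)
    print(mac_auth_health(parsed))
```

The parser is deliberately position-independent so that it also survives the two-per-line and three-per-line layouts of the RADIUS and Account sections; a monitoring job would feed it the output of a scheduled `show mac-authentication statistics` and alert on `high_failure` or a non-zero `radius_tx_errors`.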
11.6.6 Displaying the authentication status of MAC-based authentication
(1) Displaying without specifying display options
Use the operation command show mac-authentication auth-state to display the
authentication status of MAC-based authentication. The same content can also be displayed by
using the operation command show mac-authentication login.
Figure 11-15: Displaying the authentication status of MAC-based authentication
# show mac-authentication auth-state
Date 2009/03/24 17:14:56 UTC
Dynamic VLAN mode total client counts(Login/Max): 1 / 256
  Authenticating client counts: 0
  Hold down client counts     : 0
  Port roaming: Disable
  No F MAC address    Port VLAN Login time          Limit    Reauth
   1 * 00d0.5909.7121 0/20  200 2009/03/24 17:14:55 infinity   3598
Static VLAN mode total client counts(Login/Max): 1 / 1024
  Authenticating client counts: 0
  Hold down client counts     : 0
  Port roaming: Disable
  No F MAC address    Port VLAN Login time          Limit    Reauth
   1   0000.e28c.4add 0/10   10 2009/03/24 17:14:38 infinity   3582
#
(2) Displaying by specifying display options (specifying select-option)
Use the operation command show mac-authentication auth-state select-option to
display the authentication status of MAC-based authentication with a display option specified.
The following example shows the output when an interface port number is specified.
The same content can also be displayed by using the operation command show
mac-authentication login select-option.
Figure 11-16: Display of information when specifying ports
# show mac-authentication auth-state select-option port 0/20
Date 2009/03/24 17:15:14 UTC
Dynamic VLAN mode total client counts(Login/Max): 1 / 256
  Authenticating client counts: 0
  Hold down client counts     : 0
  Port roaming: Disable
  No F MAC address    Port VLAN Login time          Limit    Reauth
   1 * 00d0.5909.7121 0/20  200 2009/03/24 17:14:55 infinity   3580
#
(3) Displaying only the number of authenticated terminals (summary display)
Use the operation command show mac-authentication auth-state summary to display
the number of terminals authenticated by MAC-based authentication.
The same content can also be displayed by using the operation command show
mac-authentication login summary.
Figure 11-17: Display of the number of authenticated terminals
# show mac-authentication auth-state summary port
Date 2009/03/24 17:16:56 UTC
Dynamic VLAN mode total client counts(Login/Max): 1 / 256
  Authenticating client counts: 0
  Hold down client counts     : 0
  Port roaming: Disable
  No Port   Login / Max
   1 0/20       1 / 256
Static VLAN mode total client counts(Login/Max): 1 / 1024
  Authenticating client counts: 1
  Hold down client counts     : 0
  Port roaming: Disable
  No Port   Login / Max
   1 0/10       1 / 1024
#
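As an added example that is not part of the manual, the following Python code parses the per-terminal table of Figure 11-15 into records, groups the authenticated MAC addresses by port for an inventory check, and flags a mode whose Login/Max count is near its limit. It assumes the column alignment shown in the constructed sample and that the F column is either an asterisk or blank; the record and function names are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the Figure 11-15 output (values from the manual; alignment assumed).
SAMPLE_AUTH_STATE = """\
# show mac-authentication auth-state
Date 2009/03/24 17:14:56 UTC
Dynamic VLAN mode total client counts(Login/Max): 1 / 256
  Authenticating client counts: 0
  Hold down client counts     : 0
  Port roaming: Disable
  No F MAC address    Port VLAN Login time          Limit    Reauth
   1 * 00d0.5909.7121 0/20  200 2009/03/24 17:14:55 infinity   3598
Static VLAN mode total client counts(Login/Max): 1 / 1024
  Authenticating client counts: 0
  Hold down client counts     : 0
  Port roaming: Disable
  No F MAC address    Port VLAN Login time          Limit    Reauth
   1   0000.e28c.4add 0/10   10 2009/03/24 17:14:38 infinity   3582
#
"""

MODE_RE = re.compile(
    r"^(?P<mode>Dynamic|Static) VLAN mode total client counts\(Login/Max\):\s*"
    r"(?P<login>\d+)\s*/\s*(?P<max>\d+)"
)
# One table row: No, optional '*' flag, dotted MAC, port, VLAN, login time, limit, reauth.
ROW_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<flag>\*)?\s*(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<port>\d+/\d+)\s+(?P<vlan>\d+)\s+(?P<login>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
    r"\s+(?P<limit>\S+)\s+(?P<reauth>\S+)\s*$"
)


@dataclass
class AuthEntry:
    mode: str            # "Dynamic" or "Static" VLAN mode section the row appeared in
    mac: str
    port: str
    vlan: int
    login_time: datetime
    flagged: bool        # '*' present in the F column
    limit: str           # "infinity" or a number of seconds
    reauth: str


def parse_auth_state(text):
    """Return ({mode: (login, max)}, [AuthEntry, ...]) from the auth-state output."""
    counts, entries, mode = {}, [], None
    for line in text.splitlines():
        m = MODE_RE.match(line)
        if m:
            mode = m["mode"]
            counts[mode] = (int(m["login"]), int(m["max"]))
            continue
        r = ROW_RE.match(line)
        if r and mode:
            entries.append(AuthEntry(
                mode=mode, mac=r["mac"], port=r["port"], vlan=int(r["vlan"]),
                login_time=datetime.strptime(r["login"], "%Y/%m/%d %H:%M:%S"),
                flagged=r["flag"] == "*", limit=r["limit"], reauth=r["reauth"]))
    return counts, entries


def entries_by_port(entries):
    """Group authenticated MAC addresses by port for a quick per-port inventory."""
    by_port = {}
    for e in entries:
        by_port.setdefault(e.port, []).append(e.mac)
    return by_port


def capacity_report(counts, warn_ratio=0.8):
    """True for each mode whose Login/Max usage has reached the warning ratio."""
    return {mode: login / maximum >= warn_ratio for mode, (login, maximum) in counts.items()}


if __name__ == "__main__":
    counts, entries = parse_auth_state(SAMPLE_AUTH_STATE)
    print(entries_by_port(entries), capacity_report(counts))
```

Comparing `entries_by_port` output against an expected asset list (which MAC is supposed to sit behind which port) is a cheap way to catch a device that has been moved or swapped without going through the normal process.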
12. Multistep Authentication
The Switch supports multistep authentication, which performs terminal authentication and user
authentication in two steps. This chapter describes multistep authentication.
12.1 Overview
12.2 Configuration
12.3 Operation
12.1 Overview
This functionality grants access only to registered users on legitimate terminals, using two
stages of authentication:
• The first stage (terminal authentication) admits a legitimate terminal; only a user of such a
  terminal may proceed to the second stage of user authentication.
• The second stage (user authentication) grants access to registered users who complete it.
In this way, access by unauthenticated users or via a portable (unregistered) terminal is
prevented.
The following figure shows an overview of multistep authentication.
Figure 12-1: Overview of multistep authentication
The Switch uses the following Layer 2 authentication methods for the first-step terminal
authentication (hereinafter terminal authentication) and the second-step user authentication
(hereinafter user authentication):
• Terminal authentication: MAC-based authentication, IEEE 802.1X
• User authentication: IEEE 802.1X, Web authentication
Multistep authentication has no dedicated functionality of its own; the following functionality of
the underlying authentication methods applies to terminals subject to authentication:
• Forced authentication: See 12.1.2 Authentication behavior (8) Forced authentication
• Moving authenticated terminals to other ports: See 12.1.2 Authentication behavior (10)
  Roaming (moving authenticated terminals between ports)
• Displaying authentication status, accounting logs, and traps: See 12.1.2 Authentication
  behavior (11) Displaying status, accounting logs, and traps
12.1.1 Scope of support
(1) Authentication modes
Multistep authentication is available only by using the RADIUS authentication method. The
following table provides the authentication modes for multistep authentication.
Table 12-1: Authentication modes used in multistep authentication
  Authentication group#                              Authentication method         Authentication mode
  MAC-based authentication and IEEE 802.1X           Switch default                Fixed VLAN mode
                                                     Authentication method list    Dynamic VLAN mode
  MAC-based authentication and Web authentication    Switch default                Fixed VLAN mode
                                                     Authentication method list    Dynamic VLAN mode
  IEEE 802.1X and Web authentication                 Switch default                Fixed VLAN mode
                                                     Authentication method list    Dynamic VLAN mode
#
Whichever authentication method group you set up, it operates by RADIUS authentication.
Multistep authentication is not available in legacy mode. Therefore, the configuration for legacy
mode in the following table cannot be set up with the configuration of multistep authentication at
the same time.
Table 12-2: Legacy mode configurations that cannot be used with multistep authentication
  Authentication              Configuration commands
  IEEE 802.1X                 dot1x vlan dynamic enable
                              dot1x vlan dynamic radius-vlan
  Web authentication          web-authentication vlan
  MAC-based authentication    mac-authentication interface
                              mac-authentication vlan
(2) Expected users and terminals
This manual defines the users and terminals expected to connect to a multistep authentication
port as follows.
Table 12-3: Definition of expected users and terminals
  Expected user or terminal   Authentication required for communication          Authentication type
  Printer                     Terminal authentication only                       Single authentication
  Employee user               Terminal authentication and user authentication    Multistep authentication
  Guest user                  User authentication only                           Single authentication
(3) Options for multistep authentication
Multistep authentication supports basic multistep authentication and the option categories that
are shown in the following table.
Table 12-4: Option categories for multistep authentication
  Basic multistep authentication
    Configuration:           authentication multi-step
    Terminal authentication: MAC-based authentication
    User authentication:     IEEE 802.1X, Web authentication
    Remarks:                 Users are authenticated after successful terminal authentication.
  Authorized user authentication option
    Configuration:           authentication multi-step permissive
    Terminal authentication: MAC-based authentication
    User authentication:     IEEE 802.1X, Web authentication
    Remarks:                 Users are authenticated even if terminal authentication fails.
  Terminal authentication dot1x option
    Configuration:           authentication multi-step dot1x
    Terminal authentication: IEEE 802.1X, MAC-based authentication
    User authentication:     Web authentication
    Remarks:                 Users are authenticated after successful terminal authentication.
                             IEEE 802.1X is added to terminal authentication.
(a) Option for authorized user authentication
The user authentication settings of the Switch include the authorized user authentication option.
Basically, a user is given the opportunity to authenticate only after successful terminal
authentication, but with this option an employee user and a guest user can coexist on a single
multistep authentication port. The table below shows, for each multistep authentication
configuration, whether terminal or user authentication is supported.
Table 12-5: Configuration of multistep authentication and availability of terminal or user
authentication
  Multistep authentication   Authorized user authentication   Printer   Employee user   Guest user
  settings                   option settings
  Yes                        No                               S         M               N
  Yes                        Yes                              S         M#              S#
  No                         n/a                              S         S               S
Legend
M: Multistep authentication
S: Single authentication
N: User authentication is unavailable.
n/a: Not applicable
#
A multistep authentication port with this option can carry out user authentication even if terminal
authentication fails. Whether that is allowed depends on the Filter-Id RADIUS attribute: for a
user ID that requires terminal authentication (an employee user), terminal authentication must
succeed first, whereas for a user ID that does not (a guest user), authentication can be completed
without terminal authentication.
(b) Terminal authentication dot1x option
This option adds IEEE 802.1X to terminal authentication. Basically, user authentication is
allowed after successful MAC-based authentication; when this option is set, user authentication
(in this case, only Web authentication) is also allowed when terminal authentication by IEEE
802.1X has succeeded.
• A port set up with this option executes MAC-based authentication and IEEE 802.1X at the
  same time as terminal authentication.
• A port with this option allows user authentication when terminal authentication succeeds.
• This option and the authorized user authentication option cannot be set up on a single port.
(4) Authentication functionality behavior on a single port
The table below shows the behavior of authentication functionality on a port with the same
multistep authentication settings.
Table 12-6: Behavior of authentication functionality on the same multistep authentication
settings port
  Columns: Terminal authentication = Filter-Id RADIUS attribute support | Permit MAC-based
           authentication | Permit IEEE 802.1X#
           User authentication = Filter-Id RADIUS attribute support | Permit IEEE 802.1X |
           Permit Web authentication

  Port with basic multistep authentication
    Terminal: Filter-Id No  | MAC S | 802.1X n/a   User: Filter-Id n/a | 802.1X n/a | Web n/a   Expected: Printer
    Terminal: Filter-Id Yes | MAC P | 802.1X n/a   User: Filter-Id No  | 802.1X M   | Web M     Expected: Employee user
                                                   User: Filter-Id Yes | 802.1X M   | Web M     Expected: Employee user
  Port with authorized user authentication option
    Terminal: Filter-Id No  | MAC S | 802.1X n/a   User: Filter-Id n/a | 802.1X n/a | Web n/a   Expected: Printer
    Terminal: Filter-Id Yes | MAC P | 802.1X n/a   User: Filter-Id No  | 802.1X S   | Web S     Expected: Guest user
                                                   User: Filter-Id Yes | 802.1X M   | Web M     Expected: Employee user
  Port with terminal authentication dot1x option
    Terminal: Filter-Id No  | MAC S | 802.1X S     User: Filter-Id n/a | 802.1X n/a | Web n/a   Expected: Printer
    Terminal: Filter-Id Yes | MAC P | 802.1X P     User: Filter-Id No  | 802.1X n/a | Web M     Expected: Employee user
                                                   User: Filter-Id Yes | 802.1X n/a | Web M     Expected: Employee user
  Port not set (single authentication)
    Terminal: Filter-Id n/a | MAC S | 802.1X S     User: Filter-Id n/a | 802.1X n/a | Web S     Expected: n/a
Legend
M: Multistep authentication
S: Single authentication
P: Waits for the result of user authentication (pending)
n/a: Not applicable
#
For example, IEEE 802.1X computer authentication
12.1.2 Authentication behavior
(1) MAC-based authentication events
The frames that trigger MAC-based authentication differ between a multistep authentication
port and a single authentication port. On a multistep authentication port, all frames, including
EAPOL frames and HTTP/HTTPS frames, are subject to MAC-based authentication regardless
of whether IEEE 802.1X or Web authentication is configured on the port.
On a single authentication port, EAPOL frames are subject to MAC-based authentication only if
IEEE 802.1X is not configured, and HTTP/HTTPS frames only if Web authentication is not
configured. The following table shows which frames are subject to MAC-based authentication.
Table 12-7: Frame of the multistep authentication configuration and MAC-based
authentication
                                             EAPOL                            HTTP/HTTPS
  Port settings                              IEEE 802.1X   IEEE 802.1X        Web authentication   Web authentication
                                             configured    not configured     configured           not configured
  Multistep authentication configured        Y             Y                  Y                    Y
  Multistep authentication not configured    N             Y                  N                    Y
  (Single authentication port)
Legend
Y: Subject to MAC-based authentication
N: Not subject to MAC-based authentication
(2) Determination of authentication behavior based on the Filter-Id RADIUS attribute
When the multistep authentication receives authentication success (Accept) from a RADIUS
server, the Switch determines the authentication behavior of the next stage from the character
string of the Filter-Id RADIUS attribute.
The table below provides the strings of the Filter-Id RADIUS attribute in multistep
authentication.
Table 12-8: Character string of Filter-Id RADIUS attribute in multistep authentication
  Character string of     Description                                          Authentication functionality that
  Filter-Id RADIUS                                                             evaluates the Filter-Id string
  attribute
  @@1X-Auth@@             Authorizes the authentication behavior of            MAC-based authentication
                          IEEE 802.1X
  @@Web-Auth@@            Authorizes the authentication behavior of            IEEE 802.1X#1, MAC-based
                          Web authentication                                   authentication
  @@MultiStep@@           Authorizes the authentication behavior of            IEEE 802.1X#1, #2, MAC-based
                          IEEE 802.1X and Web authentication (the user         authentication
                          performs either one)
  @@MAC-Auth@@            MAC-based authentication is required.                IEEE 802.1X, Web authentication
#1
When the terminal authentication dot1x option is configured
#2
When the terminal has been authenticated by IEEE 802.1X, only Web authentication is used for
user authentication, even if Filter-Id is @@MultiStep@@.
(3) Behavior of basic multistep authenticated ports
Terminal authentication and user authentication can be performed by the following methods on
the basic multistep authenticated port.
1. Terminal authentication waits for the subsequent user authentication when terminal
   authentication succeeds with one of the Filter-Id RADIUS attribute strings below. In this
   case, the MAC address of the target terminal is not registered as an authentication entry in
   the MAC address table. (Terminals authenticated without one of the strings below are
   subject to single authentication, and their MAC addresses are registered as authentication
   entries in the MAC address table.)
   • @@1X-Auth@@
   • @@Web-Auth@@
   • @@MultiStep@@
2. User authentication is permitted after successful terminal authentication. Authentication is
   completed after successful user authentication, regardless of the Filter-Id RADIUS attribute
   received at that stage. The terminal can access the Switch once its MAC address is
   registered as an authentication entry in the MAC address table. When an authentication
   functionality registers a MAC address as an authentication entry, the show
   mac-address-table operation command displays the registering functionality for that entry:
   • IEEE 802.1X (Dot1x)
   • Web authentication (WebAuth)
   • MAC-based authentication (MacAuth)
   MAC address entries shown as (Static) were registered by using the mac-address-table
   static configuration command. Terminals that have not finished authentication are shown as
   (Dynamic).
3. Available authentication functionality on this port
   The table below shows the authentication functionality available on a basic multistep
   authentication port.
Table 12-9: Authentication functionality available on basic multistep authentication
ports
  Terminal authentication              User authentication            Terminal management
  MAC-based authentication: Success    No user authentication         Single authentication
  MAC-based authentication: Success    IEEE 802.1X: Success           Multistep authentication
  MAC-based authentication: Success    Web authentication: Success    Multistep authentication
The Switch can only support the above combinations.
The following figure shows the behavior of the multistep authentication port.
Figure 12-2: Authentication behavior of basic multistep authenticated ports
In dynamic VLAN mode, when terminal or user authentication is successful, the terminal is
assigned to the VLAN ((i) and (ii) in Figure 12-2).
Even if user authentication fails, the VLAN assigned at terminal authentication ((i) in Figure
12-2) is preserved.
The Switch monitors an authenticated terminal, and if the Switch consistently finds that there
has been no access from the terminal, it cancels the authentication status, and the assigned
VLAN reverts to the pre-authentication VLAN (native VLAN).
(4) Authentication behavior of ports with the authorized user authentication option
If employee users and guest users share the same multistep authentication port, specify
permissive in the authentication multi-step configuration command (the authorized user
authentication option). A port with this option allows user authentication (IEEE 802.1X or Web
authentication) even if first-stage terminal authentication (MAC-based authentication) has
failed: user authentication is performed against the entry retained for the terminal whose
MAC-based authentication failed. For this to work, specify a re-authentication retry interval
greater than 0 seconds for MAC-based authentication (mac-authentication timeout
quiet-period; the default is 300 seconds). The following table shows the authentication
functionality available on ports with the authorized user authentication option.
Table 12-10: Authentication functionality on ports with the authorized user
authentication option
  Terminal authentication              User authentication            Terminal management
  MAC-based authentication: Success    No user authentication         Single authentication
  MAC-based authentication: Success    IEEE 802.1X: Success           Multistep authentication
  MAC-based authentication: Success    Web authentication: Success    Multistep authentication
  MAC-based authentication: Failure    IEEE 802.1X: Success           Single authentication
  MAC-based authentication: Failure    Web authentication: Success    Single authentication
The Switch can only support the above combinations.
The following figure shows the authentication behavior of ports with the authorized user
authentication option.
Figure 12-3: Authentication behavior of authorized user authentication option on the
multistep authentication port
In dynamic VLAN mode, when terminal or user authentication is successful, the terminal is
assigned to the VLAN ((i) and (ii) in Figure 12-2).
Even if user authentication fails, the VLAN assigned at terminal authentication ((i) in Figure
12-2) is preserved.
The Switch monitors an authenticated terminal, and if the Switch consistently finds that there
has not been any access from the terminal, it cancels the authentication status, and the assigned
VLAN reverts to the pre-authentication VLAN (native VLAN). If an employee user is
authenticated on a port that has the authorized user authentication option, the employee user is
authenticated by user authentication ((iii) in Figure 12-3). In this case, configure
"@@MAC-Auth@@" as the Filter-Id RADIUS attribute for user authentication on the RADIUS
server. With this setting, an employee user whose terminal authentication failed on a port with
the authorized user authentication option is treated as failed authentication ((iv) in Figure 12-3).
The table below shows the Filter-Id RADIUS attribute received on a port with the authorized
user authentication option and the resulting behavior of user authentication.
The table below shows the Filter-Id RADIUS attribute received on a port with the authorized
user authentication option and the authentication behavior of user authentication.
Table 12-11: Authentication behavior of ports with the authorized user authentication
option
  Filter-Id RADIUS attribute   Terminal        Authentication behavior of user authentication           Expected user
  received by user auth.       auth. result
  None                         --              User defined as not requiring MAC-based authentication:  Guest user
                                               user authentication succeeds
  @@MAC-Auth@@                 Success         User defined as requiring MAC-based authentication.     Employee user
                                               MAC-based authentication succeeded: user authentication
                                               succeeds
  @@MAC-Auth@@                 Failure         User defined as requiring MAC-based authentication.     Unauthorized user
                                               MAC-based authentication failed: user authentication
                                               fails
  Other than the above         --              User defined as not requiring MAC-based authentication:  Guest user
                                               user authentication succeeds
Legend
--: Not dependent on terminal authentication result
(5) Authentication behavior of ports with the terminal authentication dot1x option
Terminal authentication and user authentication can be performed with the following methods
on ports with the terminal authentication dot1x option:
1. Terminal authentication waits for the subsequent user authentication when terminal
   authentication succeeds with one of the Filter-Id RADIUS attribute strings below. In this
   case, the MAC address of the target terminal is not registered as an authentication entry in
   the MAC address table. (Terminals authenticated without one of the strings below are
   subject to single authentication, and their MAC addresses are registered as authentication
   entries in the MAC address table.)
   • @@1X-Auth@@
   • @@Web-Auth@@
   • @@MultiStep@@
2. User authentication is permitted after successful terminal authentication. Authentication is
   completed after successful user authentication, regardless of the Filter-Id RADIUS attribute
   received at that stage. The terminal can access the Switch once its MAC address is
   registered as an authentication entry in the MAC address table. When an authentication
   functionality registers a MAC address as an authentication entry, the show
   mac-address-table operation command displays the registering functionality for that entry:
   • IEEE 802.1X (Dot1x)
   • Web authentication (WebAuth)
   • MAC-based authentication (MacAuth)
   MAC address entries shown as (Static) were registered by using the mac-address-table
   static configuration command. Terminals that have not finished authentication are shown as
   (Dynamic).
3. Available authentication functionality on this port
   The following table shows the authentication functionality on ports with the terminal
   authentication dot1x option.
Table 12-12: Authentication functionality on ports with the terminal authentication dot1x
option
  Terminal authentication              User authentication            Terminal management
  MAC-based authentication: Success    No user authentication         Single authentication
  IEEE 802.1X: Success                 No user authentication         Single authentication
  MAC-based authentication: Success    Web authentication: Success    Multistep authentication
  IEEE 802.1X: Success                 Web authentication: Success    Multistep authentication
The Switch can only support the above combinations.
The following figure shows the authentication behavior of ports with the terminal authentication
dot1x option.
Figure 12-4: Authentication behavior on a port with the terminal authentication dot1x option
In dynamic VLAN mode, when terminal or user authentication is successful, the terminal is
assigned to the VLAN ((i) and (ii) in Figure 12-2).
Even if user authentication fails, the VLAN assigned at terminal authentication ((i) in Figure
12-2) is preserved.
The Switch monitors an authenticated terminal, and if the Switch consistently finds that there
has been no access from the terminal, it cancels the authentication status, and the assigned
VLAN reverts to the pre-authentication VLAN (native VLAN).
(6) Authentication behavior of ports not configured for multistep authentication (single
authentication ports)
The following figure shows the authentication behavior of a port not configured for multistep
authentication.
Figure 12-5: Authentication behavior of a port not configured for multistep authentication
Even if one of the following character strings has been specified for Filter-Id, the port is
handled with single authentication:
• @@1X-Auth@@
• @@Web-Auth@@
• @@MultiStep@@
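The rules in (2) through (6) can be written as a small state model, which makes it easier to check a RADIUS server's Filter-Id policy against the intended outcome for each user class before deploying it. The following Python code is an added example, not Switch firmware or ALAXALA code: it is a hypothetical model that encodes the Filter-Id strings of Table 12-8, the two steps in (3) and (5), the permissive behaviour of Table 12-11, and the single-authentication handling of (6). The record fields, method names ("mac", "dot1x", "web") and the port option labels are the example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Filter-Id strings on which terminal authentication waits for user authentication (Table 12-8)
# and the user-authentication method(s) each string authorizes.
WAIT_FOR_USER = {
    "@@1X-Auth@@": {"dot1x"},
    "@@Web-Auth@@": {"web"},
    "@@MultiStep@@": {"dot1x", "web"},
}
MAC_AUTH_REQUIRED = "@@MAC-Auth@@"   # returned at user authentication for employee users

# Methods usable at each stage per port option (Table 12-4). None = single authentication
# port, where every method authenticates on its own (Table 12-6, last row).
TERMINAL_METHODS = {"basic": {"mac"}, "permissive": {"mac"}, "dot1x": {"mac", "dot1x"},
                    None: {"mac", "dot1x", "web"}}
USER_METHODS = {"basic": {"dot1x", "web"}, "permissive": {"dot1x", "web"}, "dot1x": {"web"},
                None: set()}


@dataclass
class Terminal:
    """Hypothetical per-terminal record; the field names are this example's own."""
    port_option: Optional[str]
    state: str = "unauthenticated"        # unauthenticated | pending | single | multistep | failed
    final_method: Optional[str] = None    # functionality that manages the terminal, (9)(a)
    registered: bool = False              # MAC address registered as an authentication entry
    allowed_user_methods: Set[str] = field(default_factory=set)


def terminal_auth(t: Terminal, method: str, accepted: bool,
                  filter_id: Optional[str] = None) -> Terminal:
    """First stage: apply the RADIUS result of terminal authentication."""
    if method not in TERMINAL_METHODS[t.port_option]:
        raise ValueError(f"{method} cannot perform terminal authentication on this port")
    if not accepted:
        # Basic and dot1x-option ports: entry held for the quiet period, no user auth.
        # Permissive ports, (4): the held entry may still go through user authentication.
        t.state, t.registered = "failed", False
        t.allowed_user_methods = (set(USER_METHODS["permissive"])
                                  if t.port_option == "permissive" else set())
        return t
    if t.port_option is None or filter_id not in WAIT_FOR_USER:
        # Single authentication, (3) step 1 and (6): entry registered immediately.
        t.state, t.final_method, t.registered = "single", method, True
        t.allowed_user_methods = set()
        return t
    # Wait for user authentication; the MAC address is not registered yet.
    t.state, t.registered = "pending", False
    allowed = WAIT_FOR_USER[filter_id] & USER_METHODS[t.port_option]
    # Table 12-8 note #2: a terminal authenticated by IEEE 802.1X uses Web authentication only.
    t.allowed_user_methods = {"web"} if method == "dot1x" else allowed
    return t


def user_auth(t: Terminal, method: str, accepted: bool,
              filter_id: Optional[str] = None) -> Terminal:
    """Second stage: apply the RADIUS result of user authentication."""
    if method not in t.allowed_user_methods or not accepted:
        return t            # not permitted at this stage, or rejected: state and VLAN unchanged
    if t.state == "failed":
        # Permissive port, Table 12-11: @@MAC-Auth@@ means terminal auth was required.
        if filter_id == MAC_AUTH_REQUIRED:
            return t        # unauthorized user: authentication fails
        t.state, t.final_method, t.registered = "single", method, True      # guest user
    elif t.state == "pending":
        # (3) step 2: completion does not depend on the Filter-Id received at this stage.
        t.state, t.final_method, t.registered = "multistep", method, True   # employee user
    t.allowed_user_methods = set()
    return t


if __name__ == "__main__":
    guest = user_auth(terminal_auth(Terminal("permissive"), "mac", False), "web", True)
    print(guest.state, guest.final_method)   # guest on a permissive port: single web
```

The point the model makes explicit is that the Filter-Id returned by terminal authentication decides whether the terminal is registered at once or left pending, while at user authentication the Filter-Id matters only on a permissive port after a failed terminal authentication; a RADIUS policy that returns "@@MAC-Auth@@" for employees and nothing for guests yields exactly the outcomes of Table 12-11.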
(7) Post-authentication VLAN
In dynamic VLAN mode, when terminal or user authentication is successful, the terminal is
assigned the VLAN sent by the RADIUS server for terminal or user authentication. For details
about configuring the VLAN information on the RADIUS server, see 12.1.3 Preparation.
(8) Forced authentication
Target terminals for which forced authentication is enabled are authenticated as follows.
Table 12-13: Authentication for target terminals with forced authentication
  Multistep authentication port option     Forced authentication with    Forced authentication with
                                           terminal authentication       user authentication
  Basic multistep authentication           Single authentication         Multistep authentication
  Authorized user authentication option    Single authentication         Single authentication
  Terminal authentication dot1x option     Single authentication         Multistep authentication
The following VLANs are associated with forced authentication terminals.
Table 12-14: VLANs associated with target forced authentication terminals
  Port configuration                         VLAN for forced authentication   VLAN
  Access port                                n/a                              Fixed VLAN
  Trunk port                                 n/a                              Fixed VLAN
  MAC port                                   Yes                              Depends on VLAN assigned by configuration
  MAC port                                   No                               Native VLAN
  MAC port (when dot1q vlan is configured)   n/a                              Fixed VLAN
(9) Managing authenticated terminals and de-authentication
(a) Managing multistep authenticated terminals
The Switch manages the authenticated terminal according to the final authentication status. If
the terminal has been authenticated by terminal authentication and is then authenticated by user
authentication, the terminal is managed by user authentication. The Switch manages the terminal
with the final authentication status when it has been authenticated by single authentication even
for multistep authentication ports.
(b) De-authentication of multistep authenticated terminals
Cancellation of the authentication status of a multistep authenticated terminal follows the
de-authentication conditions of user authentication. When a terminal is authenticated by single
authentication on a multistep authentication port, it is de-authenticated according to the
de-authentication conditions of the authentication functionality used. For details about clearing
the authentication status, see the description of each authentication functionality.
If the Switch receives an EAPOL-Start frame on ports with the terminal authentication dot1x
option, it forcibly cancels the Web authentication status of the authenticated terminal. (If the
terminal is authenticated by MAC-based authentication, and Web authentication receives an
EAPOL-Start frame on the same port, the terminal will be forcibly de-authenticated.)
(c) Monitoring non-communication of a multistep authenticated terminal
The following non-communication monitoring operations are applied to authenticated terminals
on multistep authentication ports depending on their status:
• Authenticated terminals are monitored for non-communication.
• Terminals waiting to be authenticated are monitored for MAC address table aging.
• Entries of terminals that failed to authenticate are held for a period of time.
The table below shows the status of the terminal and monitoring methods for
non-communication.
Table 12-15: Terminal status and monitoring methods for non-communication
  Terminal status: Authentication complete
    Authentication status: Multistep authentication (user authentication complete)
      MAC-based authentication: n/a
      IEEE 802.1X:              Non-communication monitoring time
      Web authentication:       Non-communication monitoring time
    Authentication status: Single authentication
      MAC-based authentication: Non-communication monitoring time
      IEEE 802.1X:              Non-communication monitoring time
      Web authentication:       Non-communication monitoring time
  Terminal status: Waiting for authentication
    Authentication status: Terminal authentication succeeds#1 (waits for user authentication
    to complete)
      MAC-based authentication: MAC address table aging monitoring time
      IEEE 802.1X:              MAC address table aging monitoring time
      Web authentication:       n/a
    Authentication status: Quarantined#1, #2
      MAC-based authentication: n/a
      IEEE 802.1X:              MAC address table aging monitoring time
      Web authentication:       n/a
  Terminal status: Authentication failed
    Authentication status: Authentication failed
      MAC-based authentication: Retry MAC-based authentication. Waits for a re-authentication
                                interval
      IEEE 802.1X:              Retry IEEE 802.1X authentication. Waits for a re-authentication
                                interval
      Web authentication:       Delete entries immediately
Legend
n/a: Not applicable
#1
The MAC address of a target terminal is managed in the MAC address table as a Dynamic
entry.
#2
Port-based authentication (static) only
(10) Roaming (moving authenticated terminals between ports)
Authenticated terminals that are moved between ports behave depending on the final
authentication method. You do not have to set up roaming specifically for multistep
authentication.
1. Final authentication method: IEEE 802.1X
   The terminal is de-authenticated when the terminal move is detected.
2. Final authentication method: Web authentication
   The behavior follows the configuration of the authentication policies and roaming for Web
   authentication.
   Authenticated terminals can be moved among ports that have the same authentication
   policy. If both the source and destination ports support single authentication, they follow
   the port movement conditions for Web authentication.
   Authentication policy
   Both source and destination ports must support the same combination of
   configurations as follows.
   Table 12-16: Combination of configurations for the source and destination ports
     Conditions                                                Remarks
     The authentication multi-step command is configured       Ports not configured by the authentication
     on both the source and destination ports                  multi-step command are processed by single
                                                               authentication.
     Same status of authorized user authentication option      Checked when the authentication multi-step
                                                               command is configured
     Same status of terminal authentication dot1x option       Checked when the authentication multi-step
                                                               command is configured
     Same combination of the following:                        Checked when the authentication multi-step
                                                               command is configured
       dot1x port-control                                      Checked when the aaa authentication dot1x
                                                               default command is configured
       web-authentication port                                 Checked when the web-authentication
                                                               system-auth-control command is configured
       MAC-based authentication port                           Checked when the mac-authentication
                                                               system-auth-control command is configured
   The authentication status of the port will be canceled if the combination does not match any
   listed above.
3. Final authentication method: MAC-based authentication
   The behavior follows the configuration of roaming for MAC-based authentication.
   Authenticated terminals can be moved among ports that have the same status of multistep
   authentication. If both source and destination ports support single authentication, they
   follow the port movement conditions for MAC-based authentication.
   Table 12-17: Configuration of multistep authentication on the ports
     Conditions                                                Remarks
     The authentication multi-step command is configured       Ports not configured by the authentication
     on both the source and destination ports                  multi-step command are processed by single
                                                               authentication.
     Same status of authorized user authentication option      Checked when the authentication multi-step
                                                               command is configured
     Same status of terminal authentication dot1x option       Checked when the authentication multi-step
                                                               command is configured
   The authentication status of the port will be canceled if the combination does not match any
   listed above.
For details about roaming for the Web authentication and MAC-based authentication, see
Roaming (moving authenticated terminals between ports) in 8. Description of Web
Authentication and 10. Description of MAC-based Authentication.
The figure below shows the transfer scenario and whether the multistep authenticated terminal
can be transferred.
Figure 12-6: Port movement scenario and the multistep authenticated terminal movement
conditions
The port (i in Figure 12-6) which supports single authentication follows the port movement
conditions of Web authentication or MAC-based authentication. The ports (iii), (v), (vii) in
Figure 12-6 are the destination and source ports. The authenticated terminal is allowed to move
if it follows Table 12-16 Combination of configurations for the source and destination ports or
Table 12-17 Configuration of multistep authentication on the ports.
Other ports that do not match the configuration for multistep authentication when moved will be
de-authenticated.
The target terminal follows the final authentication method used to authenticate the terminal
when the move among ports is detected. The behavior of the authentication method when the
move is detected according to Figure 12-6 Port movement scenario and the multistep
authenticated terminal movement conditions is described below.
1.
Final authentication method: IEEE 802.1X
When the movement of an IEEE 802.1X authenticated terminal is detected by receiving
frames, no roaming settings exist. Therefore, the authentication is canceled in all scenarios.
488
2. Final authentication method: Web authentication
The table below shows the behavior of a Web-authenticated terminal when its movement is detected by received frames. For details about the authentication policy, see Table 12-16 Combination of configurations for the source and destination ports.
Table 12-18: Behavior of Web-authenticated terminal port movement
Port movement scenario in Figure 12-6: (i), (iii), (v), (vii)
  Roaming for Web authentication disabled: Authentication canceled
  Roaming enabled, authentication policy matches: Update authentication information (move ports)
  Roaming enabled, authentication policy does not match: Authentication canceled
Port movement scenario in Figure 12-6: other than the above
  Roaming for Web authentication disabled: Authentication canceled
  Roaming enabled, authentication policy matches: Authentication canceled
  Roaming enabled, authentication policy does not match: Authentication canceled
3. Final authentication method: MAC-based authentication
The following table shows the behavior of a MAC-authenticated terminal when its movement is detected by received frames.
Table 12-19: Behavior of MAC-authenticated terminal port movement
Port movement scenario in Figure 12-6: (i), (iii), (v), (vii)
  Roaming for MAC-based authentication disabled: Authentication canceled
  Roaming enabled: Update authentication information (move ports)
Port movement scenario in Figure 12-6: other than the above
  Roaming for MAC-based authentication disabled: Authentication canceled
  Roaming enabled: Authentication canceled
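The port-movement rules of Tables 12-16 to 12-19 above, combined into one decision procedure as an added Python example (this is not code from this manual or from the switch software). The policy comparison is built only from the rows of Table 12-16 that are visible in this section and from Table 12-17; for MAC-based authentication, which has no policy column in Table 12-19, the model applies the same-multistep-status requirement stated in the text above Table 12-17. The scenario number from Figure 12-6 is passed in as a string because the figure itself is not reproduced here, and the GlobalAuth, PortAuth and evaluate_move names are the example's own.

```python
"""Port-movement (roaming) decision for a multistep-authenticated terminal.

Added example modelled on Tables 12-16 to 12-19; not the switch's own code.
Assumptions: Table 12-16 is represented only by the rows visible in this
section (dot1x port-control, web-authentication port, mac-authentication
port), and the Figure 12-6 scenario is supplied by the caller.
"""
from dataclasses import dataclass
from typing import Optional

# Scenarios in Figure 12-6 in which an authenticated terminal may keep its authentication.
ALLOWED_SCENARIOS = {"i", "iii", "v", "vii"}


@dataclass(frozen=True)
class GlobalAuth:
    dot1x: bool        # aaa authentication dot1x default configured
    web_auth: bool     # web-authentication system-auth-control configured
    mac_auth: bool     # mac-authentication system-auth-control configured


@dataclass(frozen=True)
class PortAuth:
    multi_step: bool                         # authentication multi-step configured
    permissive: bool = False                 # authorized user authentication option
    dot1x_option: bool = False               # terminal authentication dot1x option
    dot1x_port_control: Optional[str] = None  # value of dot1x port-control, if any
    web_auth_port: bool = False
    mac_auth_port: bool = False


def multistep_matches(src: PortAuth, dst: PortAuth) -> bool:
    """Table 12-17: both ports must agree on multistep, on the authorized user
    option and on the terminal authentication dot1x option.  Two ports without
    multistep fall back to single authentication and count as matching here."""
    if src.multi_step != dst.multi_step:
        return False
    if not src.multi_step:
        return True
    return src.permissive == dst.permissive and src.dot1x_option == dst.dot1x_option


def policy_matches(g: GlobalAuth, src: PortAuth, dst: PortAuth) -> bool:
    """Table 12-16 (visible rows): a per-function setting is compared only when
    that authentication function is enabled globally; then Table 12-17."""
    if g.dot1x and src.dot1x_port_control != dst.dot1x_port_control:
        return False
    if g.web_auth and src.web_auth_port != dst.web_auth_port:
        return False
    if g.mac_auth and src.mac_auth_port != dst.mac_auth_port:
        return False
    return multistep_matches(src, dst)


def movement_outcome(final_method: str, scenario: str, roaming: bool, matches: bool) -> str:
    """Tables 12-18/12-19 plus the IEEE 802.1X rule.  Returns 'moved' or 'canceled'."""
    if final_method == "dot1x":
        return "canceled"  # 802.1X has no roaming setting: always canceled
    if final_method not in ("web", "mac"):
        raise ValueError(f"unknown final authentication method: {final_method}")
    if scenario not in ALLOWED_SCENARIOS or not roaming or not matches:
        return "canceled"
    return "moved"  # "Update authentication information (move ports)"


def evaluate_move(g: GlobalAuth, src: PortAuth, dst: PortAuth,
                  final_method: str, scenario: str, roaming: bool) -> str:
    """Convenience wrapper: compare the two port policies, then apply the tables."""
    return movement_outcome(final_method, scenario, roaming, policy_matches(g, src, dst))
```

A practical use is to run evaluate_move over every pair of edge ports before enabling roaming, so that a permissive port next to a non-permissive one is found in the configuration rather than by a user whose session is dropped on moving.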
(11) Displaying status, accounting logs, and traps
• Multistep authentication status
To display the progress of multistep authentication per MAC address, use the show authentication multi-step operation command.
• Displaying accounting logs
To display chronological accounting log information for each authentication functionality, use the show authentication logging operation command.
• Private traps
Private traps are configured per authentication functionality. Multistep authentication does not have specific private traps.
12.1.3 Preparation
Multistep authentication supports only RADIUS authentication. When the Switch receives an Access-Accept from the RADIUS server, terminal authentication and user authentication determine the subsequent authentication behavior from the character string in the Filter-Id RADIUS attribute.
Table 12-20: Attribute name (Access-Accept) on multistep authentication
Attribute name: Filter-Id
  Type value: 11
  Description: Text character string. The Switch determines the authentication behavior when multistep authentication is performed.#
    • @@1X-Auth@@
    • @@Web-Auth@@
    • @@MultiStep@@
    • @@MAC-Auth@@
Attribute name: Tunnel-Private-Group-ID
  Type value: 81
  Description: Character string for identifying the VLAN.
    1. RADIUS server for terminal authentication
      • When user authentication uses IEEE 802.1X: pre-authentication VLAN for IEEE 802.1X.
      • When user authentication uses Web authentication: the Web authentication login is presented if an IP address is assigned to the VLAN.
    2. RADIUS server for user authentication
      • Post-authentication VLAN
#
For details about the authentication functionality and the behavior defined by each Filter-Id character string, see 12.1.2 Authentication behavior.
Other RADIUS attributes follow the respective authentication functionality. See the section on preparation in the description of each authentication functionality.
12.1.4 Notes on using multistep authentication
(1) Settings for the authorized user authentication option and MAC-based authentication
The authorized user authentication option (the permissive parameter) allows user authentication to proceed even when terminal authentication (MAC-based authentication) has failed. When you configure a port with this option, check the following MAC-based authentication settings so that both terminal authentication and user authentication can execute.
1. Restricting MAC addresses to be authenticated
When you restrict the target MAC addresses (mac-authentication access-group command), register the MAC addresses of the terminals that are to be authorized by user authentication (IEEE 802.1X or Web authentication) as MAC addresses subject to MAC-based authentication.
If a terminal's MAC address is not registered as a target of MAC-based authentication, MAC-based authentication does not start for it, and user authentication therefore cannot be performed either. For details about restricting target MAC addresses, see 10. Description of MAC-based Authentication, 10.2.2 Authentication functionality, (2) Restricting target authentication MAC addresses.
2. Re-authentication delay timer
Specify a re-authentication delay of more than 0 seconds (mac-authentication timeout quiet-period configuration command; the default is 300 seconds).
If you specify 0 seconds, the terminal cannot receive the failure information while MAC-based authentication is in progress, so user authentication cannot execute even when the authorized user authentication option is enabled. For details about the re-authentication delay timer, see 10. Description of MAC-based Authentication, 10.2.2 Authentication functionality, (3) Re-authentication delay timer.
(2) Using IEEE 802.1X
To use IEEE 802.1X on a multistep authentication port, use the following configuration:
• Authentication sub mode: terminal authentication mode (dot1x multiple-authentication)
• Terminal detection behavior toggle option: auto (dot1x supplicant-detection auto)
(3) Terminal authentication dot1x option
If you configure the terminal authentication dot1x option, MAC-based authentication and IEEE 802.1X are both performed as terminal authentication at the same time. For a terminal that is to be authenticated by IEEE 802.1X followed by Web authentication, do not make MAC-based authentication a requirement (for example, do not register that terminal's MAC address on the MAC-based authentication RADIUS server), and do not configure forced authentication for MAC-based authentication.
(4) Multistep authentication and legacy mode
Multistep authentication is not available in legacy mode. Before using multistep authentication, see Table 12-2 Legacy mode configurations that cannot be used with multistep authentication to confirm whether legacy mode is configured.
12.2 Configuration
12.2.1 List of configuration commands
The following table describes the commands used to configure multistep authentication.
Table 12-21: List of configuration commands for multistep authentication
Command: authentication multi-step
  Description: Configures the port to support multistep authentication.
12.2.2 Structure of multistep authentication
This section describes the structure examples, configuration, and overview of multistep authentication.
The following table shows the structure of multistep authentication. In all the scenarios the terminal obtains its IP address from a DHCP server.
Table 12-22: Structure of multistep authentication
Columns: Multistep port type / Authentication mode / Port / Authorized user / Authentication functionality (Terminal, User) / Overview reference / Example reference
Basic multistep authentication port
  Dynamic VLAN, MAC port (native VLAN)
    Employee user: Terminal = MAC, User = Web; overview 12.2.3 (1)(b), Scenario (i); example 12.2.3 (1)(d)
    Printer: Terminal = MAC, User = --; overview 12.2.3 (1)(c), Scenario (ii); example 12.2.3 (1)(d)
  Fixed VLAN, access or trunk port
    Employee user: Terminal = MAC, User = Web; overview 12.2.3 (2)(b), Scenario (iii); example 12.2.3 (2)(d)
    Printer: Terminal = MAC, User = --; overview 12.2.3 (2)(c), Scenario (iv); example 12.2.3 (2)(d)
Port with authorized user authentication option
  Dynamic VLAN, MAC port (native VLAN)
    Guest user: Terminal = --, User = Web; overview 12.2.4 (1)(b), Scenario (v); example 12.2.4 (1)(d)
    Employee user: Terminal = MAC, User = Web; overview 12.2.4 (1)(c), Scenario (vi); example 12.2.4 (1)(d)
  Fixed VLAN, access or trunk port
    Guest user: Terminal = --, User = Web; overview 12.2.4 (2)(b), Scenario (vii); example 12.2.4 (2)(d)
    Employee user: Terminal = MAC, User = Web; overview 12.2.4 (2)(c), Scenario (viii); example 12.2.4 (2)(d)
Port with terminal authentication dot1x option
  Dynamic VLAN, MAC port
    Employee user: Terminal = IEEE 802.1X, User = Web; overview 12.2.5 (1)(b), Scenario (ix); example 12.2.5 (1)(c)
  Fixed VLAN, access or trunk port
    Employee user: Terminal = IEEE 802.1X, User = Web; overview 12.2.5 (2)(b), Scenario (x); example 12.2.5 (2)(c)
12.2.3 Configuring basic multistep authentication ports
(1) Dynamic VLAN mode
(a) Summary
This section assumes a basic multistep authentication port in dynamic VLAN mode to which both employee users and printers are connected, and terminals obtain IP addresses after authentication.
Figure 12-7: Example of a basic multistep authentication (dynamic VLAN mode)
(b) Scenario (i): Employee user authentication overview
Authentication behavior
On a basic multistep authentication port, the terminal is assigned to the post-authentication VLAN when terminal authentication (MAC-based authentication) succeeds, and then acquires an IP address through DHCP frames forwarded by the authentication IPv4 access list. User authentication (Web authentication) is then performed in the same VLAN, so in dynamic VLAN mode the terminal's IP address does not change before and after Web authentication.
Figure 12-8: Authentication behavior of employee users (dynamic VLAN mode)
Overview
Table 12-23: Overview of employee user authentication (dynamic VLAN mode)
Authentication IPv4 access list: Required
  Parameters: deny ... eq bootps vlan 20
    Remarks: The pre-authentication VLAN discards DHCP frames.#
  Parameters: permit ... eq bootps
    Remarks: Forwards DHCP frames throughout the VLAN
Internal DHCP server of the Switch: Not required
  Parameters: --
External DHCP server: Required
  Parameters: VLAN 40
    Remarks: Set up in the post-authentication VLAN
RADIUS server, MAC-based authentication (authenticates the MAC address of the employee user terminal):
  Tunnel-Private-Group-ID "40": Responds with the post-authentication VLAN
  Filter-Id "@@Web-Auth@@": Responds with "@@Web-Auth@@". The terminal waits for user authentication (Web authentication) after terminal authentication (MAC-based authentication) succeeds; it is assigned to the VLAN, but its traffic is blocked.
RADIUS server, Web authentication (authenticates the employee user ID):
  Tunnel-Private-Group-ID "40": Responds with the post-authentication VLAN
  Filter-Id Not set: Responds without Filter-Id
#
If no internal DHCP server is configured and DHCP frames in the pre-authentication VLAN are forwarded by the authentication IPv4 access list, those forwarded frames do not start MAC-based authentication. MAC-based authentication then cannot start until the terminal has obtained an IP address and sends an ARP frame, so if no DHCP server is reachable from the pre-authentication VLAN, MAC-based authentication never starts. If instead DHCP frames are discarded in the pre-authentication VLAN (the deny entry above), the DHCP frames themselves start MAC-based authentication, and the terminal obtains its IP address in the post-authentication VLAN once terminal authentication has completed.
(c) Scenario (ii): Printer authentication overview
Authentication behavior
When a printer is connected to the same port as an employee user in dynamic VLAN mode, it is authenticated in the following sequence.
Figure 12-9: Printer authentication behavior (dynamic VLAN mode)
Overview
Table 12-24: Overview of printer authentication (dynamic VLAN mode)
Authentication IPv4 access list: Not required
  Parameters: n/a
    Remarks: The access list is not required if the terminal uses only MAC-based authentication; however, if the printer is on the same port as an employee user, the same authentication IPv4 access list is applied.
Internal DHCP server of the Switch: Not required
  Parameters: n/a
External DHCP server: Required
  Parameters: VLAN 40
    Remarks: Set up in the post-authentication VLAN
RADIUS server, MAC-based authentication (authenticates the printer MAC address):
  Tunnel-Private-Group-ID "40": Responds with the post-authentication VLAN
  Filter-Id Not set: Responds without Filter-Id. Access is permitted as soon as terminal authentication (MAC-based authentication) completes.
Web authentication: n/a
  Remarks: Settings unnecessary
Legend
n/a: Not applicable
(d) Configuration for dynamic VLAN mode
This section describes the configuration for dynamic VLAN mode on a basic multistep authentication port.
Overview
The example below shows how to configure the following at a port where a terminal will be authenticated:
• VLAN
• Authentication method
• MAC port and native VLAN
• Terminal authentication (MAC-based authentication)
• User authentication (Web authentication)
• Multistep authentication port
• Authentication IPv4 access list
For details about the configuration of Web authentication, see 9. Web Authentication Configuration and Operation. For the configuration of MAC-based authentication, see 11. MAC-based authentication Configuration and Operation.
Configuration command example
1.
(config)# vlan 40 mac-based
(config-vlan)# exit
Creates VLAN ID 40 as a MAC VLAN. (Use the same VLAN ID as the post-authentication VLAN ID sent from the RADIUS server.)
2.
(config)# vlan 20
(config-vlan)# exit
Creates VLAN ID 20.
3.
(config)# aaa authentication mac-authentication default group radius
(config)# aaa authentication web-authentication default group radius
Configures RADIUS authentication for both MAC-based authentication and Web authentication.
4.
(config)# interface fastethernet 0/1
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 20
Configures port 0/1 as a MAC port and assigns VLAN 20 (the pre-authentication VLAN) as its native VLAN. (The post-authentication VLAN is assigned according to 5.4.3 Auto MAC VLAN assignment.)
5.
(config-if)# web-authentication port
(config-if)# mac-authentication port
(config-if)# authentication multi-step
Configures Web authentication, MAC-based authentication, and multistep authentication (without the authorized user authentication option) on port 0/1.
6.
(config-if)# authentication ip access-group L2-AUTH
(config-if)# authentication arp-relay
(config-if)# exit
Applies an authentication IPv4 access list to frames sent from unauthenticated terminals on port 0/1, and configures the port to forward ARP frames from unauthenticated terminals.
7.
(config)# ip access-list extended L2-AUTH
(config-ext-nacl)# deny udp any any eq bootps vlan 20
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# exit
Defines the authentication IPv4 access list: DHCP frames (bootps) are discarded in the pre-authentication VLAN and forwarded in any other VLAN.
Notes
1.
Configure the following value in the Filter-Id RADIUS attribute on the RADIUS server when multistep authentication is set up as above:
• For the MAC-based authentication RADIUS server: "@@Web-Auth@@"
2.
To assign the post-authentication VLAN automatically in dynamic VLAN mode, register the VLAN sent from the RADIUS server as a MAC VLAN with the vlan configuration command. (In this case, you do not have to assign it to the MAC port with the switchport mac vlan configuration command.)
3.
If the Switch receives an Access-Accept that carries no post-authentication VLAN information, the authenticated terminal is associated with the native VLAN of the MAC port and is authenticated in fixed VLAN mode.
(2) Fixed VLAN mode
(a) Summary
This section assumes a basic multistep authentication port in fixed VLAN mode to which both employee users and printers are connected, and terminals obtain IP addresses before authentication.
Figure 12-10: Example of basic multistep authentication (fixed VLAN mode)
(b) Scenario (iii): Employee user authentication overview
Authentication behavior
An employee user terminal on a basic multistep authentication port first obtains an IP address through DHCP frames forwarded by the authentication IPv4 access list, then starts terminal authentication (MAC-based authentication) with a frame such as an ARP frame. This leads to user authentication (Web authentication), and the terminal's traffic is given full access after Web authentication.
Figure 12-11: Authentication behavior of employee users (fixed VLAN mode)
Overview
Table 12-25: Overview of employee user authentication (fixed VLAN mode)
Authentication IPv4 access list: Required
  Parameters: permit ... eq bootps
    Remarks: Forwards DHCP frames throughout the VLAN
Internal DHCP server of the Switch: Not required
  Parameters: n/a
External DHCP server: Required
  Parameters: VLAN 20
    Remarks: Set up in the post-authentication VLAN
RADIUS server, MAC-based authentication (authenticates the MAC address of the employee user terminal):
  Tunnel-Private-Group-ID Not set: Responds without Tunnel-Private-Group-ID
  Filter-Id "@@Web-Auth@@": Responds with "@@Web-Auth@@"
RADIUS server, Web authentication (authenticates the employee user ID):
  Tunnel-Private-Group-ID Not set: Responds without Tunnel-Private-Group-ID
  Filter-Id Not set: Responds without Filter-Id
Legend
n/a: Not applicable
(c) Scenario (iv): Printer authentication overview
Authentication behavior
When a printer is connected to the same port as an employee user in fixed VLAN mode, it is authenticated in the following sequence.
Figure 12-12: Authentication behavior of printers (fixed VLAN mode)
Overview
Table 12-26: Overview of printer authentication (fixed VLAN mode)
Authentication IPv4 access list: Not required
  Parameters: n/a
    Remarks: The access list is not required if the terminal uses only MAC-based authentication; however, if the printer is on the same port as an employee user, the same authentication IPv4 access list is applied.
Internal DHCP server of the Switch: Not required
  Parameters: n/a
External DHCP server: Required
  Parameters: VLAN 20
    Remarks: Set up in the post-authentication VLAN
RADIUS server, MAC-based authentication (authenticates the printer MAC address):
  Tunnel-Private-Group-ID Not set: Responds without Tunnel-Private-Group-ID
  Filter-Id Not set: Responds without Filter-Id. Access is permitted as soon as terminal authentication (MAC-based authentication) completes.
Web authentication: n/a
  Remarks: Settings unnecessary
Legend
n/a: Not applicable
(d) Configuration for fixed VLAN mode
This section describes the configuration of fixed VLAN mode on a basic multistep authentication port.
Overview
The example below shows how to configure the following at a port where terminals will be authenticated:
• VLAN
• Authentication method
• Access port and VLAN
• Terminal authentication (MAC-based authentication)
• User authentication (Web authentication)
• Multistep authentication port
• Authentication IPv4 access list
For details about the configuration for Web authentication, see 9. Web Authentication Configuration and Operation; for the configuration of MAC-based authentication, see 11. MAC-based authentication Configuration and Operation.
Configuration command example
1.
(config)# vlan 20
(config-vlan)# exit
Creates VLAN ID 20, which is used both before and after authentication.
2.
(config)# aaa authentication mac-authentication default group radius
(config)# aaa authentication web-authentication default group radius
Configures RADIUS authentication for both MAC-based authentication and Web authentication.
3.
(config)# interface fastethernet 0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 20
Configures port 0/1 as an access port and assigns VLAN 20 to it.
4.
(config-if)# web-authentication port
(config-if)# mac-authentication port
(config-if)# authentication multi-step
Configures Web authentication, MAC-based authentication, and multistep authentication (without the authorized user authentication option) on port 0/1.
5.
(config-if)# authentication ip access-group L2-AUTH
(config-if)# authentication arp-relay
(config-if)# exit
Applies an authentication IPv4 access list to frames sent from unauthenticated terminals on port 0/1, and configures the port to forward ARP frames from unauthenticated terminals.
6.
(config)# ip access-list extended L2-AUTH
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# exit
Defines an authentication IPv4 access list that forwards DHCP frames (bootps) sent from unauthenticated terminals.
Notes
1.
Configure the following value in the Filter-Id RADIUS attribute on the RADIUS server when multistep authentication is set up as above:
• For the MAC-based authentication RADIUS server: "@@Web-Auth@@"
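The authentication IPv4 access lists of 12.2.3 (1)(d) and (2)(d) above, together with the footnote to Table 12-23, as an added Python example (not code from this manual or from the switch software) that shows which frames from an unauthenticated terminal are forwarded and which ones start MAC-based authentication. It parses only the permit/deny udp any any eq bootps [vlan N] entry form used in this chapter, treats a frame that matches no entry as not forwarded (an assumption of the model), models only DHCP and ARP frames, and uses its own function and class names.

```python
"""Disposition of an unauthenticated terminal's frame on a multistep port.

Added example modelled on the L2-AUTH access lists in 12.2.3 and the footnote
to Table 12-23; not the switch's own code.  Assumptions: only the
'permit|deny udp any any eq bootps [vlan N]' entry form is parsed, a frame that
matches no entry is treated as not forwarded, and only DHCP and ARP are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    protocol: str               # "udp"
    dst_port: int
    vlan: Optional[int] = None  # "vlan N" qualifier; None matches any VLAN


@dataclass(frozen=True)
class Frame:
    vlan: int                   # VLAN the sending terminal is currently in
    kind: str                   # "dhcp" or "arp"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None


def parse_acl(text: str) -> List[AclEntry]:
    """Parse lines such as 'deny udp any any eq bootps vlan 20' (first match wins)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] not in ("permit", "deny") or tok[4] != "eq":
            raise ValueError(f"unsupported entry: {line!r}")
        port = PORT_NAMES.get(tok[5]) or int(tok[5])
        vlan = int(tok[7]) if len(tok) >= 8 and tok[6] == "vlan" else None
        entries.append(AclEntry(tok[0], tok[1], port, vlan))
    return entries


def first_match(acl: List[AclEntry], frame: Frame) -> Optional[str]:
    """Return the action of the first matching entry, or None if nothing matches."""
    for e in acl:
        if e.protocol != frame.protocol or e.dst_port != frame.dst_port:
            continue
        if e.vlan is not None and e.vlan != frame.vlan:
            continue
        return e.action
    return None


def dhcp_discover(vlan: int) -> Frame:
    """Constructed sample: a DHCP request (UDP to bootps/67) sent in the given VLAN."""
    return Frame(vlan=vlan, kind="dhcp", protocol="udp", dst_port=67)


def handle_frame(acl: List[AclEntry], frame: Frame, arp_relay: bool,
                 internal_dhcp_vlans: Set[int]) -> Tuple[str, bool]:
    """Return (disposition, starts_mac_based_authentication)."""
    if frame.kind == "arp":
        # ARP from an unauthenticated terminal starts terminal authentication; it
        # is relayed only if 'authentication arp-relay' is configured on the port.
        return ("forwarded" if arp_relay else "discarded", True)
    if frame.kind == "dhcp" and frame.vlan in internal_dhcp_vlans:
        # Internal DHCP server in this VLAN: the Switch answers, and the frame
        # starts MAC-based authentication even if the access list would forward it.
        return ("answered-by-switch", True)
    if first_match(acl, frame) == "permit":
        # Frames forwarded by the authentication access list do not start MAC-based auth.
        return ("forwarded", False)
    # A deny entry (or, by assumption, no match) discards the frame; the discarded
    # DHCP frame is what starts MAC-based authentication in the pre-auth VLAN.
    return ("discarded", True)
```

Running the dynamic VLAN list against a DHCP request in VLAN 20 gives ("discarded", True), while the same request after the terminal has been moved to VLAN 40 gives ("forwarded", False): the deny entry is what turns the terminal's very first DHCP frame into the trigger for terminal authentication.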
12.2.4 Configuring ports for the authorized user authentication option
(1) Dynamic VLAN mode
(a) Summary
On a port with the authorized user authentication option in dynamic VLAN mode, you can connect a guest user and an employee user to the same port. The guest user's portable terminal is authenticated by Web authentication only and becomes a member of a VLAN that the guest user is allowed to access.
An employee user is not allowed to reach the employee VLAN from a portable (unregistered) terminal; only registered terminals, which pass terminal authentication, are assigned to that VLAN.
This section describes how both types of user obtain an IP address, in different VLANs, before and after authentication.
Figure 12-13: Example of authorized user authentication option (dynamic VLAN mode)
(b) Scenario (v): Guest user authentication overview
Authentication behavior
The authorized user authentication option assumes that a guest user and an employee user are connected to the same port. A guest user fails terminal authentication and, in dynamic VLAN mode, therefore cannot be moved to another VLAN, so the guest user has to obtain an IP address in the pre-authentication VLAN. To provide that address, the internal DHCP server of the Switch is used in the pre-authentication VLAN.
The authentication IPv4 access list described in this section is for employee users; no authentication IPv4 access list is needed for guest user authentication.
If the internal DHCP server is enabled in the pre-authentication VLAN, DHCP frames start MAC-based authentication even if the authentication IPv4 access list is configured to forward DHCP frames.
Figure 12-14: Authentication behavior of guest users (dynamic VLAN mode)
Overview
Table 12-27: Overview of guest user authentication (dynamic VLAN mode)
Authentication IPv4 access list: Not required
  Parameters: n/a
    Remarks: The access list is not required for a guest user; however, if the guest user is on the same port as an employee user, the same authentication IPv4 access list is applied.
Internal DHCP server of the Switch: Required
  Parameters: VLAN 20
    Remarks: Enabled in the pre-authentication VLAN
External DHCP server: Required
  Parameters: VLAN 30, 40
    Remarks: Set up in the post-authentication VLANs
RADIUS server, MAC-based authentication (authenticates the MAC address of the portable terminal): n/a
  Remarks: Responds with Access-Reject
RADIUS server, Web authentication (authenticates the guest user ID):
  Tunnel-Private-Group-ID "30": Assigns the post-authentication VLAN
  Filter-Id Not set: Responds without Filter-Id
Legend
n/a: Not applicable
(c) Scenario (vi): Employee user authentication overview
Authentication behavior
When terminal authentication (MAC-based authentication) succeeds, employee user authentication behaves as for basic multistep authentication.
Because the internal DHCP server is enabled in the pre-authentication VLAN for guest users, the employee terminal temporarily obtains an IP address in the pre-authentication VLAN that it does not actually use. Since the terminal moves from the pre-authentication VLAN to the post-authentication VLAN only when terminal authentication succeeds, an authentication IPv4 access list must be configured so that the terminal can then obtain an IP address from the external DHCP server in the post-authentication VLAN. An employee user is not allowed to use a portable terminal, so the RADIUS server for Web authentication is configured to require terminal authentication (MAC-based authentication) by returning "@@MAC-Auth@@"; authentication completes only when both MAC-based authentication and Web authentication have succeeded.
Figure 12-15: Authentication behavior of employee users (dynamic VLAN mode)
Overview
Table 12-28: Overview of employee user authentication (dynamic VLAN mode)
Authentication IPv4 access list: Required
  Parameters: permit ... eq bootps
    Remarks: Forwards DHCP frames throughout the VLAN
Internal DHCP server of the Switch: Not required
  Parameters: n/a
    Remarks: The internal DHCP server is not required for an employee user; however, it is required for a guest user in the pre-authentication VLAN.
External DHCP server: Required
  Parameters: VLAN 40
    Remarks: Set up in the post-authentication VLAN
RADIUS server, MAC-based authentication (authenticates the MAC address of the employee user terminal):
  Tunnel-Private-Group-ID "40": Responds with the post-authentication VLAN
  Filter-Id "@@Web-Auth@@": Responds with "@@Web-Auth@@". The terminal waits for user authentication (Web authentication) after terminal authentication (MAC-based authentication) succeeds; it is assigned to the VLAN, but its traffic is blocked.
RADIUS server, Web authentication (authenticates the employee user ID):
  Tunnel-Private-Group-ID "40": Responds with the post-authentication VLAN
  Filter-Id "@@MAC-Auth@@": Responds with "@@MAC-Auth@@". Only users whose terminal has passed terminal authentication (MAC-based authentication) are permitted to complete authentication.
Legend
n/a: Not applicable
(d) Configuration for dynamic VLAN mode
This section describes the configuration for dynamic VLAN mode on a port with the authorized user authentication option.
Overview
The example below shows how to configure the following at a port where a terminal will be authenticated:
• VLAN
• Authentication method
• MAC port and native VLAN
• Terminal authentication (MAC-based authentication)
• User authentication (Web authentication)
• Multistep authentication port (with the authorized user authentication option)
• Authentication IPv4 access list
• Internal DHCP server of the Switch
For details about the configuration for Web authentication, see 9. Web Authentication Configuration and Operation; for the configuration of MAC-based authentication, see 11. MAC-based authentication Configuration and Operation.
Configuration command example
1.
(config)# vlan 30 mac-based
(config-vlan)# exit
(config)# vlan 40 mac-based
(config-vlan)# exit
Creates VLAN IDs 30 and 40 as MAC VLANs. (Use the same VLAN IDs as the post-authentication VLAN IDs sent from the RADIUS server.)
2.
(config)# vlan 20
(config-vlan)# exit
Creates VLAN ID 20.
3.
(config)# aaa authentication mac-authentication default group radius
(config)# aaa authentication web-authentication default group radius
Configures RADIUS authentication for both MAC-based authentication and Web authentication.
4.
(config)# interface fastethernet 0/1
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 20
Configures port 0/1 as a MAC port and assigns VLAN 20 (the pre-authentication VLAN) as its native VLAN. (The post-authentication VLAN is assigned according to 5.4.3 Auto MAC VLAN assignment.)
5.
(config-if)# web-authentication port
(config-if)# mac-authentication port
(config-if)# authentication multi-step permissive
Configures Web authentication, MAC-based authentication, and multistep authentication (with the authorized user authentication option) on port 0/1.
6.
(config-if)# authentication ip access-group L2-AUTH
(config-if)# authentication arp-relay
(config-if)# exit
Applies an authentication IPv4 access list to frames sent from unauthenticated terminals on port 0/1, and configures the port to forward ARP frames from unauthenticated terminals.
7.
(config)# ip access-list extended L2-AUTH
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# exit
Defines an authentication IPv4 access list that forwards DHCP frames (bootps) sent from unauthenticated terminals.
8.
(config)# interface vlan 20
(config-if)# ip address 192.168.20.254 255.255.255.0
(config-if)# exit
(config)# service dhcp vlan 20
(config)# ip dhcp pool NativeVLAN
(dhcp-config)# network 192.168.20.0/24
(dhcp-config)# exit
Assigns an IP address to the pre-authentication VLAN and enables the internal DHCP server on pre-authentication VLAN 20.
Notes
1.
Configure the following values in the Filter-Id RADIUS attribute on the RADIUS servers when multistep authentication is set up as above:
• For the MAC-based authentication RADIUS server: "@@Web-Auth@@"
• For the Web authentication RADIUS server: "@@MAC-Auth@@"
2.
To assign the post-authentication VLAN automatically in dynamic VLAN mode, register the VLAN sent from the RADIUS server as a MAC VLAN with the vlan configuration command. (In this case, you do not have to assign it to the MAC port with the switchport mac vlan configuration command.)
3.
If the Switch receives an Access-Accept that carries no post-authentication VLAN information, the authenticated terminal is associated with the native VLAN of the MAC port and is authenticated in fixed VLAN mode.
(2) Fixed VLAN mode
(a) Summary
This section assumes a port with the authorized user authentication option in fixed VLAN mode to which both guest users and employee users are connected, and terminals obtain IP addresses before authentication.
Figure 12-16: Example of authorized user authentication option (fixed VLAN mode)
(b) Scenario (vii): Guest user authentication overview
Authentication behavior
A guest user terminal on a port with the authorized user authentication option first obtains an IP address through DHCP frames forwarded by the authentication IPv4 access list, then starts terminal authentication (MAC-based authentication) with a frame such as an ARP frame. MAC-based authentication fails because the MAC address of the portable terminal is not registered. Because the port has the authorized user authentication option, the terminal may still perform user authentication (Web authentication) even though terminal authentication (MAC-based authentication) failed, and the guest user is given full access after Web authentication.
Figure 12-17: Authentication behavior of guest users (fixed VLAN mode)
Overview
Table 12-29: Overview of guest user authentication (fixed VLAN mode)
Authentication IPv4 access list: Required
  Parameters: permit ... eq bootps
    Remarks: Forwards DHCP frames throughout the VLAN
Internal DHCP server of the Switch: Not required
  Parameters: n/a
External DHCP server: Required
  Parameters: VLAN 20
    Remarks: Set up in the post-authentication VLAN
RADIUS server, MAC-based authentication (authenticates the MAC address of the portable terminal): n/a
  Remarks: Setting unnecessary; responds with Access-Reject
RADIUS server, Web authentication (authenticates the guest user ID):
  Tunnel-Private-Group-ID Not set: Responds without Tunnel-Private-Group-ID
  Filter-Id Not set: Responds without Filter-Id. Authentication completes regardless of the result of terminal authentication (MAC-based authentication).
Legend
n/a: Not applicable
(c) Scenario (viii): Employee user authentication overview
Authentication behavior
First, the employee user's terminal on a port with the authorized user authentication option obtains an IP address (the authentication IPv4 access list forwards its DHCP frames) and starts terminal authentication (MAC-based authentication) with a frame such as an ARP frame. The terminal is then led to user authentication (Web authentication), and its traffic has full access after Web authentication.
Figure 12-18: Authentication behavior of employee users (fixed VLAN mode)
Overview
Table 12-30: Overview of employee user authentication (fixed VLAN mode)
Configuration settings | Requirements | Parameters | Remarks
Authentication IPv4 access list | Required | permit ... eq bootps | Forwards DHCP frames throughout the VLAN
Internal DHCP server of the Switch | Not required | n/a | The internal DHCP server is not required for an employee user; however, it is required for a guest user in a pre-authentication VLAN.
External DHCP server | Required | VLAN 20 | Sets to a post-authentication VLAN
RADIUS server, MAC-based authentication (authenticates the MAC address of the employee user terminal) | Tunnel-Private-Group-ID | Not set | Sends the response without Tunnel-Private-Group-ID
 | Filter-Id | "@@Web-Auth@@" | Sends the response "@@Web-Auth@@": once the terminal has been authenticated (MAC-based authentication), the Switch waits for user authentication; the terminal's traffic is blocked until then.
RADIUS server, Web authentication (authenticates the employee user ID) | Tunnel-Private-Group-ID | Not set | Sends the response without Tunnel-Private-Group-ID
 | Filter-Id | "@@MAC-Auth@@" | Responds with "@@MAC-Auth@@": only a user on a terminal that passed terminal authentication (MAC-based authentication) is permitted to authenticate successfully.
Legend
n/a: Not applicable
(d) Configuration for fixed VLAN mode
This section describes the configuration of fixed VLAN mode on a port with the authorized user
authentication option.
Overview
The example below shows how to assign the following authentication at a port where
terminals will be authenticated:
• VLAN
• Authentication method
• Access port and VLAN
• Terminal authentication (MAC-based authentication)
• User authentication (Web authentication)
• Multistep authentication port (with the authorized user authentication option)
• Authentication IPv4 access list
For details about the configuration for Web authentication, see 9. Web Authentication
Configuration and Operation; for the configuration for MAC-based authentication, see 11.
MAC-based authentication Configuration and Operation.
Configuration command example
1.
(config)# vlan 20
(config-vlan)# exit
Specifies VLAN ID 20 to be accessed before and after authentication.
2.
(config)# aaa authentication mac-authentication default group radius
(config)# aaa authentication web-authentication default group radius
Configures RADIUS authentication for both MAC-based and Web authentication.
3.
(config)# interface fastethernet 0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 20
Specifies the port 0/1 as the access port. Assigns VLAN 20 to an access port.
4.
(config-if)# web-authentication port
(config-if)# mac-authentication port
(config-if)# authentication multi-step permissive
Configures Web authentication, MAC-based authentication, and multistep
authentication (with the authorized user authentication option) to the port 0/1.
5.
(config-if)# authentication ip access-group L2-AUTH
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list for frames sent from unauthenticated
terminals to port 0/1. Configures the port to forward ARP frames from unauthenticated
terminals.
6.
(config)# ip access-list extended L2-AUTH
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# exit
Configures an authentication IPv4 access list that forwards DHCP frames (bootps) sent
from unauthenticated terminals.
Notes
1.
Configure the following values in the Filter-Id RADIUS attribute on the RADIUS server when multistep authentication is set up as above:
• For the MAC-based authentication RADIUS server: "@@Web-Auth@@"
• For the Web authentication RADIUS server: "@@MAC-Auth@@"
12.2.5 Configuring ports with the terminal authentication dot1x option
(1) Dynamic VLAN mode
(a) Summary
The descriptions in this section assume that dynamic VLAN mode on a port with the terminal authentication dot1x option assigns employee users and printers to the same port, and that they obtain IP addresses after authentication. (Printer authentication is configured in the same way as on basic multistep authentication ports. See 12.2.3 Configuring basic multistep authentication ports.)
Figure 12-19: Example of terminal authentication dot1x (dynamic VLAN mode)
(b) Scenario (ix): Employee users authentication overview
Authentication behavior
With the terminal authentication dot1x option, a terminal is assigned to the post-authentication VLAN as soon as terminal authentication (IEEE 802.1X) succeeds, and it then obtains an IP address there (the authentication IPv4 access list forwards its DHCP frames). User authentication (Web authentication) follows. Because the terminal is already in the post-authentication VLAN, its IP address is the same before and after Web authentication in dynamic VLAN mode.
Figure 12-20: Authentication behavior of employee users (dynamic VLAN mode)
Overview
Table 12-31: Overview of employee user authentication (dynamic VLAN mode)
Configuration settings | Requirements | Parameters | Remarks
Authentication IPv4 access list | Required | deny ... eq bootps vlan 20 | Discards DHCP frames in the pre-authentication VLAN#
 | | permit ... eq bootps | Forwards DHCP frames throughout the VLAN
Internal DHCP server of the Switch | Not required | n/a | n/a
External DHCP server | Required | VLAN 40 | Sets to a post-authentication VLAN
RADIUS server, IEEE 802.1X (authenticates the employee user terminal) | Tunnel-Private-Group-ID | "40" | Responds with the post-authentication VLAN
 | Filter-Id | "@@Web-Auth@@" | Sends the response "@@Web-Auth@@": once the terminal has been authenticated (IEEE 802.1X), the Switch waits for user authentication (Web authentication); the terminal is assigned to the VLAN, but its traffic is blocked until then.
RADIUS server, Web authentication (authenticates the employee user ID) | Tunnel-Private-Group-ID | "40" | Responds with the post-authentication VLAN
 | Filter-Id | Not set | Sends the response without Filter-Id
Legend
n/a: Not applicable
#
If no internal DHCP server is configured and the authentication IPv4 access list forwards DHCP frames in the pre-authentication VLAN, those forwarded frames do not trigger MAC-based authentication. MAC-based authentication then cannot start until the terminal obtains an IP address and sends an ARP frame; if there is no DHCP server in the pre-authentication VLAN, the terminal never obtains an address and MAC-based authentication never starts. If DHCP frames are discarded in the pre-authentication VLAN instead, MAC-based authentication starts from the DHCP frames once terminal authentication is complete.
(c) Configuring dynamic VLAN mode
This section describes the configurations of dynamic VLAN mode on a port with the terminal
authentication dot1x option.
Overview
The example below shows how to assign the following authentication at a port where
terminals will be authenticated:
• VLAN
• Authentication method
• MAC port and native VLAN
• Terminal authentication (IEEE 802.1X)
• User authentication (Web authentication)
• Multistep authentication port (with the terminal authentication dot1x option)
• Authentication IPv4 access list
For details about the configuration for Web authentication, see 9. Web Authentication
Configuration and Operation; for the configuration of MAC-based authentication, see 11.
MAC-based authentication Configuration and Operation.
Configuration command example
1.
(config)# vlan 40 mac-based
(config-vlan)# exit
Assigns VLAN ID 40 as a MAC VLAN. (Use the same VLAN ID as the post-authentication VLAN ID sent from the RADIUS server.)
2.
(config)# vlan 20
(config-vlan)# exit
Specifies VLAN ID 20.
3.
(config)# aaa authentication dot1x default group radius
(config)# aaa authentication web-authentication default group radius
Configures RADIUS authentication for both IEEE 802.1X and Web authentication.
4.
(config)# interface fastethernet 0/1
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac native vlan 20
Specifies the port 0/1 for the MAC port. Assigns native VLAN 20 (pre-authentication
VLAN) on a MAC port. (The post-authentication VLAN is assigned according to 5.4.3
Auto MAC VLAN assignment.)
5.
(config-if)# dot1x port-control auto
(config-if)# dot1x multiple-authentication
(config-if)# dot1x supplicant-detection auto
(config-if)# web-authentication port
(config-if)# authentication multi-step dot1x
Configures IEEE 802.1X, Web authentication, and multistep authentication (with
terminal authentication dot1x option) to port 0/1.
6.
(config-if)# authentication ip access-group L2-AUTH
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list for frames sent from unauthenticated
terminals to port 0/1. Configures the port to forward ARP frames from unauthenticated
terminals.
7.
(config)# ip access-list extended L2-AUTH
(config-ext-nacl)# deny udp any any eq bootps vlan 20
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# exit
Sets an authentication IPv4 access list to discard DHCP frames (bootps) in the
pre-authentication VLAN and to allow the Switch to forward DHCP frames to another
VLAN.
Notes
1.
Configure the following value in the Filter-Id RADIUS attribute on the RADIUS server when multistep authentication is set up as above:
• For the IEEE 802.1X authentication RADIUS server: "@@Web-Auth@@"
Note that when the port is set up with this option, MAC-based authentication and IEEE 802.1X operate simultaneously for terminal authentication. Configure the RADIUS server so that MAC-based authentication of the terminal fails.
2.
If you automatically assign the post-authentication VLAN in dynamic VLAN mode,
assign the VLAN sent from the RADIUS server as a MAC VLAN in the vlan
configuration command. (In this case, you do not have to assign the switchport mac
vlan configuration command to the MAC port.)
3.
If the Switch receives the response (Accept), which describes that authentication has
succeeded and no information about the post-authentication VLAN is included, the
authenticated terminal will be associated with native VLAN on the target MAC port. The
terminal will be authenticated in fixed VLAN mode.
(2) Fixed VLAN mode
(a) Summary
The descriptions in this section assume that fixed VLAN mode on a port with the terminal authentication dot1x option assigns employee users and printers to the same port, and that they obtain IP addresses after authentication. (Printer authentication is configured in the same way as on basic multistep authentication ports. See 12.2.3 Configuring basic multistep authentication ports.)
Figure 12-21: Example of terminal authentication dot1x option (fixed VLAN mode)
(b) Scenario (x): Employee user authentication overview
Authentication behavior
First, the employee user's terminal on a port with the terminal authentication dot1x option obtains an IP address (the authentication IPv4 access list forwards its DHCP frames) and starts terminal authentication (IEEE 802.1X) with a frame such as an ARP frame. The terminal is then led to user authentication (Web authentication), and its traffic has full access after Web authentication.
Figure 12-22: Authentication behavior of employee users (fixed VLAN mode)
Overview
Table 12-32: Overview of employee user authentication (fixed VLAN mode)
Configuration settings | Requirements | Parameters | Remarks
Authentication IPv4 access list | Required | permit ... eq bootps | Forwards DHCP frames throughout the VLAN
Internal DHCP server of the Switch | Not required | n/a | n/a
External DHCP server | Required | VLAN 20 | Sets to a post-authentication VLAN
RADIUS server, IEEE 802.1X (authenticates the employee user terminal) | Tunnel-Private-Group-ID | Not set | Sends the response without Tunnel-Private-Group-ID
 | Filter-Id | "@@Web-Auth@@" | Sends the response "@@Web-Auth@@"
RADIUS server, Web authentication (authenticates the employee user ID) | Tunnel-Private-Group-ID | Not set | Sends the response without Tunnel-Private-Group-ID
 | Filter-Id | Not set | Responds without Filter-Id
Legend
n/a: Not applicable
(c) Configuring fixed VLAN mode
This section describes the configuration of fixed VLAN mode on a port with the terminal
authentication dot1x option.
Overview
The example below shows how to assign the following authentication at a port where
terminals will be authenticated:
• VLAN
• Authentication method
• Access port and VLAN
• Terminal authentication (IEEE 802.1X)
• User authentication (Web authentication)
• Multistep authentication port (with the terminal authentication dot1x option)
• Authentication IPv4 access list
For details about the configuration for Web authentication, see 9. Web Authentication
Configuration and Operation; for the configuration for MAC-based authentication, see 11.
MAC-based authentication Configuration and Operation.
Configuration command example
1.
(config)# vlan 20
(config-vlan)# exit
Specifies VLAN ID 20 to be accessed before and after authentication.
2.
(config)# aaa authentication dot1x default group radius
(config)# aaa authentication web-authentication default group radius
Configures RADIUS authentication for both IEEE 802.1X and Web authentication.
3.
(config)# interface fastethernet 0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 20
Specifies the port 0/1 as the access port. Assigns VLAN 20 to the access port.
4.
(config-if)# dot1x port-control auto
(config-if)# dot1x multiple-authentication
(config-if)# dot1x supplicant-detection auto
(config-if)# web-authentication port
(config-if)# authentication multi-step dot1x
Configures IEEE 802.1X, Web authentication, and multistep authentication (with
terminal authentication dot1x option) to the port 0/1.
5.
(config-if)# authentication ip access-group L2-AUTH
(config-if)# authentication arp-relay
(config-if)# exit
Configures an authentication IPv4 access list for frames sent from unauthenticated
terminals to port 0/1. Configures the port to forward ARP frames sent from
unauthenticated terminals.
6.
(config)# ip access-list extended L2-AUTH
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# exit
Configures an authentication IPv4 access list that forwards DHCP frames (bootps) sent
from unauthenticated terminals.
Notes
1.
Configure the following value in the Filter-Id RADIUS attribute on the RADIUS server when multistep authentication is set up as above:
• For the IEEE 802.1X authentication RADIUS server: "@@Web-Auth@@"
Note that when the port is set up with this option, MAC-based authentication and IEEE 802.1X operate simultaneously for terminal authentication. Configure the RADIUS server so that MAC-based authentication of the terminal fails.
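The decision rules behind Tables 12-29 to 12-32 (the guest and employee scenarios on a port with the authorized user authentication option, and the employee scenarios on a port with the terminal authentication dot1x option), the Filter-Id values required in the notes, and Note 3 on an Accept without a post-authentication VLAN, replayed as an added example. This is a Python model written for this page; it is not code from the Switch or from ALAXALA. The MAC addresses are constructed, VLAN 20 and 40 are the IDs of the configuration examples, and the rule that a port without the authorized user authentication option does not let a terminal that failed terminal authentication go on to Web authentication is taken from the description of that option in the guest scenario.

```python
"""Added example, not code from the Switch or the manual: a model of the
multistep authentication decisions in Tables 12-29 to 12-32. MAC addresses
are constructed; VLAN 20 and 40 are the IDs of the configuration examples."""
from dataclasses import dataclass
from typing import Optional

WEB_AUTH_NEXT = "@@Web-Auth@@"      # Filter-Id from the terminal-authentication server
MAC_AUTH_REQUIRED = "@@MAC-Auth@@"  # Filter-Id from the Web-authentication server


@dataclass
class RadiusReply:
    accept: bool                                   # Access-Accept / Access-Reject
    filter_id: Optional[str] = None                # Filter-Id, if present
    tunnel_private_group_id: Optional[str] = None  # post-authentication VLAN, if present


@dataclass
class Terminal:
    mac: str
    native_vlan: int                  # access VLAN, or native VLAN of the MAC port
    vlan: int = 0                     # VLAN currently assigned (native until a reply sets it)
    terminal_authenticated: bool = False
    user_authenticated: bool = False
    traffic_permitted: bool = False
    first_step: Optional[str] = None  # "(first step)" column of show authentication multi-step

    def __post_init__(self) -> None:
        self.vlan = self.native_vlan


def _apply_vlan(term: Terminal, reply: RadiusReply) -> None:
    # Note 3 in 12.2.5: an Accept without a post-authentication VLAN keeps the
    # terminal in the native VLAN; otherwise Tunnel-Private-Group-ID selects it.
    if reply.tunnel_private_group_id is not None:
        term.vlan = int(reply.tunnel_private_group_id)


def terminal_auth(term: Terminal, method: str, reply: RadiusReply) -> str:
    """First step: MAC-based ("mac") or IEEE 802.1X ("dot1x") authentication."""
    if not reply.accept:
        term.terminal_authenticated = False
        return "reject"
    term.terminal_authenticated = True
    _apply_vlan(term, reply)
    if reply.filter_id == WEB_AUTH_NEXT:
        # Authenticated and placed in its VLAN, but traffic stays blocked
        # until user (Web) authentication completes.
        term.first_step, term.traffic_permitted = method, False
        return "wait-user-auth"
    term.traffic_permitted = True     # no Filter-Id: single-step, e.g. a printer
    return "pass"


def web_auth(term: Terminal, reply: RadiusReply, permissive: bool) -> str:
    """Second step: Web authentication. permissive=True models a port with
    'authentication multi-step permissive' (authorized user authentication
    option), which lets a terminal that failed terminal authentication go on
    to Web authentication; without the option it is not attempted."""
    if not permissive and not term.terminal_authenticated:
        return "not-permitted"
    if not reply.accept:
        return "reject"
    if reply.filter_id == MAC_AUTH_REQUIRED and not term.terminal_authenticated:
        # "@@MAC-Auth@@": only a terminal that passed terminal authentication
        # may complete user authentication, even on a permissive port.
        return "reject"
    term.user_authenticated = True
    _apply_vlan(term, reply)
    term.traffic_permitted = True
    return "pass"


def scenario_guest_permissive() -> Terminal:
    """Table 12-29: unregistered MAC, guest ID, permissive port, fixed VLAN 20."""
    t = Terminal("0000.0000.0001", native_vlan=20)
    terminal_auth(t, "mac", RadiusReply(accept=False))      # Access-Reject
    web_auth(t, RadiusReply(accept=True), permissive=True)   # no Filter-Id, no VLAN
    return t


def scenario_employee_permissive() -> Terminal:
    """Table 12-30: registered MAC, employee ID, permissive port, fixed VLAN 20."""
    t = Terminal("0000.0000.0002", native_vlan=20)
    terminal_auth(t, "mac", RadiusReply(True, filter_id=WEB_AUTH_NEXT))
    web_auth(t, RadiusReply(True, filter_id=MAC_AUTH_REQUIRED), permissive=True)
    return t


def scenario_employee_dot1x(dynamic: bool) -> Terminal:
    """Tables 12-31 (dynamic=True: replies carry VLAN 40) and 12-32 (fixed: no
    Tunnel-Private-Group-ID, terminal stays in VLAN 20). MAC-based authentication
    runs alongside 802.1X and is set to fail on the RADIUS server."""
    vlan = "40" if dynamic else None
    t = Terminal("0000.0000.0003", native_vlan=20)
    terminal_auth(t, "mac", RadiusReply(accept=False))
    terminal_auth(t, "dot1x", RadiusReply(True, WEB_AUTH_NEXT, vlan))
    web_auth(t, RadiusReply(True, tunnel_private_group_id=vlan), permissive=False)
    return t
```

Each scenario function returns the terminal's final state. Calling terminal_auth and web_auth directly shows the two failure modes the tables imply: an employee ID entered on a terminal whose MAC is not registered is stopped by "@@MAC-Auth@@" even on a permissive port, and on a port without the authorized user authentication option a terminal that failed MAC-based authentication never reaches Web authentication.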
12.3 Operation
12.3.1 List of operation commands
The following table shows the operation commands for multistep authentication.
Table 12-33: List of operation commands for multistep authentication
Command | Description
show authentication multi-step | Displays the information for authenticated terminals on a multistep authentication port, per interface.
show authentication logging | Chronologically displays the accounting log information for each Layer 2 authentication method, starting from the newest entry.
12.3.2 Displaying the multistep authentication status
To display information for authenticated terminals on a multistep authentication port, use the
show authentication multi-step operation command on the Switch.
Figure 12-23: Example of show authentication multi-step
# show authentication multi-step
Date 2009/10/29 06:58:27 UTC
Port 0/1 : multi-step dot1x
  < Supplicant information >
  No MAC address      State VLAN F Type    <Authentic method>
                                           Last  (first step)
   1 000d.0b3a.e977   pass   100   multi   web   (dot1x)
Port 0/5 : multi-step
  < Supplicant information >
  No MAC address      State VLAN F Type    <Authentic method>
                                           Last  (first step)
   1 0013.20a5.24ab   pass    10 * single  mac   (-)
Port 0/22 : multi-step permissive
  < Supplicant information >
  No MAC address      State VLAN F Type    <Authentic method>
                                           Last  (first step)
   1 000b.972f.e22b   pass   100   single  dot1x (-)
#
13. Secure Wake-on-LAN [OP-WOL]
The Secure Wake-on-LAN functionality lets a user access the Switch from home or from outside the company with a Web browser and turn the power of a desktop PC inside the company on or off. This chapter describes the details and operation of Secure Wake-on-LAN. A software optional license is required to use this functionality.
13.1 Overview
13.2 Configuration
13.3 Operation
13.1 Overview
This functionality allows a user outside the company, whether at home or on a business trip, to access the Switch over the in-house network with a Web browser and turn the power of a desktop PC within the company on or off. Users can open the user authentication screen of the Secure Wake-on-LAN functionality on the Switch, but only users who authenticate there can use the functionality. Users are authenticated against the user information registered in the user database dedicated to Secure Wake-on-LAN on the Switch. For an authenticated user, the terminal information registered on the Switch is displayed in the Web browser, and the user can select a PC and send it an activation command. Combined with a remote desktop environment, this lets users turn their desktop PCs on and off as needed, which saves energy for the whole system.
Figure 13-1: Overview of the Secure Wake-on-LAN functionality
13.1.1 Preparation for using the Switch
With Secure Wake-on-LAN, users access the authentication screen with a Web browser, select the target terminal, and send an activation command. Two built-in Wake-on-LAN (WOL) databases must be registered on the Switch before use: a database of the terminals to which activation commands are sent (hereafter called the WOL Terminal DB) and a database for user authentication (the WOL User DB).
Both built-in WOL databases are edited (set) and then registered on the device (commit) with operation commands, as with the built-in database for Web authentication. The databases can also be backed up (store) and restored (load).
Figure 13-2: Example of selecting/sending commands on a Web browser
(1) IP address on the VLAN interface
To access the Secure Wake-on-LAN user authentication screen, specify the IP address of a VLAN interface on the Switch; the IP address is set with configuration commands. The URL you specify selects the language of the user authentication screen, English or Japanese:
• English: https://IP-address-of-VLAN-interface/wol/en/wol_login.html
• Japanese: https://IP-address-of-VLAN-interface/wol/ja/wol_login.html
Both the English and the Japanese screens are registered on the Switch, so there is no setting to switch the language; use the URLs above.
(2) Built-in database for registering terminals to which activation commands are sent (WOL Terminal DB)
On the WOL Terminal DB, register the information of the terminals to which activation commands are sent using Secure Wake-on-LAN: MAC address, VLAN ID, terminal IP address, whether activation of the terminal is to be confirmed, and a supplementary explanation of the terminal. If you register that confirmation of activation is required, register the terminal IP address as well; the IP address is needed because activation is confirmed using ping.
• For a terminal in a DHCP environment: register DHCP.
Set up the DHCP snooping functionality of the Switch as well. When the target terminal is a DHCP client, the Switch confirms activation using the IP address the DHCP server distributed, which it learns through DHCP snooping. For details of the DHCP snooping functionality, see DHCP Snooping in the Configuration Guide Vol. 1.
• For a terminal with a static IP address: register the static IP address of the terminal.
The terminal name registered on the WOL Terminal DB is the name used to identify the terminal when access rights are registered on the WOL User DB. The following table describes the information to register on the WOL Terminal DB.
Table 13-1: Information registered on the WOL Terminal DB
Item | Information to register | Default | Scope of registration
Terminal name | The name, in text, of the terminal to which an activation command is sent. | Nil | Up to 128 characters
MAC address | The MAC address of the terminal to which an activation command is sent. | Nil | In the form xxxx.xxxx.xxxx
VLAN ID | The VLAN ID to which the terminal belongs. | Nil | 1 to 4094
Method to confirm the activation of the terminal | How the Switch confirms that the terminal has started: "No confirmation required" (no confirmation using ping) or "Confirmation required" (activation is confirmed using ping; register the terminal IP address and the timeout below as well). | Confirmation required | Confirmation required; No confirmation required
Terminal IP address | DHCP: for a terminal in a DHCP environment; the IP address is identified in liaison with DHCP snooping. IPv4 address: for a terminal with a static IP address, register that address directly. | DHCP | DHCP; IPv4 address in 1.0.0.0 to 126.255.255.255 or 128.0.0.0 to 223.255.255.255
Timeout | The timeout for confirming activation using ping. | 120 seconds | 60 to 600 seconds
Supplementary explanation | Free text about the terminal (for example, the user of the terminal, or the IP address of a static-IP terminal). | Nil | Up to 128 characters
For the details of the device capacities of the WOL Terminal DB, see 3.2 Switch capacities in the Configuration Guide Vol. 1.
(3) Built-in database for user authentication (WOL User DB)
Register the information of the Secure Wake-on-LAN users.
The following table describes the information to be registered.
Table 13-2: Information registered in the WOL User DB
Item | Information to be registered | Default | Scope of registration
User ID | The ID of the Secure Wake-on-LAN user. | Nil | Up to 128 characters
Password | The password of the Secure Wake-on-LAN user. | Nil | Up to 32 characters
Access rights to the terminal | The terminals to which the user may send activation commands: any (all terminals registered on the WOL Terminal DB); manual (the user may directly specify a MAC address and VLAN ID); terminal name (specific terminals, identified by the name registered on the WOL Terminal DB). | Nil | any; manual; name of the terminal (up to 128 characters)
Note:
The upper limit on the number of combinations of users and terminals is 300. For example, if one user is allowed to access 300 terminals, no further access rights to other terminals can be set for that user. The settings any and manual are excluded from this limit.
For details of the device capacities of the WOL User DB, see 3.2 Switch capacities in the
Configuration Guide Vol. 1.
How the Selecting Terminals and Sending Activation Commands screen is displayed in the Web browser depends on the access rights registered on the WOL User DB. Shown below is an example of how the screen looks for each kind of registered access right.
Figure 13-3: Example of the Selecting Terminals and Sending Activation Commands
screen for registering access rights to the terminal
For details, see 13.3.8 Procedure for selecting/sending commands in a Web browser.
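The access-right rules of Table 13-2 and the 300-combination limit from its note, as an added example: a Python model written for this page, not code from the Switch or from ALAXALA. It registers users with any, manual, or named-terminal rights, enforces the limit when rights are granted, and decides which terminal an authenticated user may send an activation command to. The users, passwords and terminals are constructed samples (some names are taken from the manual's own command examples), and the salted-hash password storage is this example's choice, not a description of how the Switch stores passwords.

```python
"""Added example, not code from the Switch or the manual: a model of the WOL
User DB of Table 13-2 (user ID, password, access rights any / manual /
terminal name), the 300 user-terminal combination limit from the note, and
the check of who may send an activation command to which terminal. Users,
passwords and terminals are constructed samples (some names are taken from the
manual's command examples). The salted-hash password storage is this
example's choice, not a description of how the Switch stores passwords."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_COMBINATIONS = 300              # note under Table 13-2; any/manual are not counted
MAX_ID_LEN, MAX_PASSWORD_LEN = 128, 32


@dataclass
class WolUser:
    user_id: str
    salt: bytes
    digest: bytes
    permit: Set[str] = field(default_factory=set)   # "any", "manual" and/or terminal names


class WolUserDB:
    def __init__(self, terminal_db: Dict[str, Tuple[str, int]]):
        self.terminals = terminal_db     # view of the WOL Terminal DB: name -> (MAC, VLAN)
        self.users: Dict[str, WolUser] = {}

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    @staticmethod
    def _named(permit: Set[str]) -> Set[str]:
        return set(permit) - {"any", "manual"}

    def combinations(self) -> int:
        """User/terminal pairs currently registered: the quantity the limit applies to."""
        return sum(len(self._named(u.permit)) for u in self.users.values())

    def _validate_permit(self, user_id: str, permit: Set[str]) -> None:
        named = self._named(permit)
        unknown = named - set(self.terminals)
        if unknown:
            raise ValueError(f"not on the WOL Terminal DB: {sorted(unknown)}")
        already = len(self._named(self.users[user_id].permit)) if user_id in self.users else 0
        if self.combinations() - already + len(named) > MAX_COMBINATIONS:
            raise ValueError("more than 300 user/terminal combinations")

    def can_grant(self, user_id: str, permit: Set[str]) -> bool:
        try:
            self._validate_permit(user_id, permit)
        except ValueError:
            return False
        return True

    def set_user(self, user_id: str, password: str, permit: Set[str]) -> None:
        """'set wol-authentication user': register ID, password and access rights."""
        if not 1 <= len(user_id) <= MAX_ID_LEN or not 1 <= len(password) <= MAX_PASSWORD_LEN:
            raise ValueError("user ID up to 128 characters, password up to 32")
        self._validate_permit(user_id, permit)
        salt = os.urandom(16)
        self.users[user_id] = WolUser(user_id, salt, self._digest(salt, password), set(permit))

    def set_permit(self, user_id: str, add: Set[str] = frozenset(),
                   remove: Set[str] = frozenset()) -> None:
        """'set wol-authentication permit': add or delete access rights of a user."""
        new = (self.users[user_id].permit | set(add)) - set(remove)
        self._validate_permit(user_id, new)
        self.users[user_id].permit = new

    def authenticate(self, user_id: str, password: str) -> Optional[WolUser]:
        """Login-screen check; None for an unknown ID or a wrong password."""
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(self._digest(user.salt, password), user.digest):
            return None
        return user

    def selectable_terminals(self, user: WolUser) -> List[str]:
        """Terminal names offered on the selecting/sending screen (Figure 13-3)."""
        if "any" in user.permit:
            return sorted(self.terminals)
        return sorted(self._named(user.permit))

    def target(self, user: WolUser, name: Optional[str] = None, mac: Optional[str] = None,
               vlan: Optional[int] = None) -> Optional[Tuple[str, int]]:
        """(MAC, VLAN) the activation command may go to, or None when not permitted:
        a registered terminal by name, or a direct MAC/VLAN only with the manual right."""
        if name is not None:
            if name in self.terminals and ("any" in user.permit or name in user.permit):
                return self.terminals[name]
            return None
        if mac is not None and vlan is not None and "manual" in user.permit:
            return (mac, vlan)
        return None


def sample_db() -> WolUserDB:
    """Constructed sample over three of the terminals shown in Figure 13-5."""
    db = WolUserDB({"PC01": ("1234.5600.6fd4", 4094), "PC02": ("00ee.16fd.a142", 100),
                    "PC05": ("0612.7faf.1fdd", 2000)})
    db.set_user("user01.example.abc.com", "pass01", {"any"})
    db.set_user("admin01", "pass02", {"manual"})
    db.set_user("user03", "pass03", {"PC01", "PC02"})
    return db
```

The manual right is deliberately the only way to wake an address that is not on the WOL Terminal DB: a user with named rights cannot widen them by typing a MAC address, and a user with any rights still cannot reach a MAC/VLAN pair that was never registered.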
(4) Using HTTPS servers
When using the HTTPS server, register the server certificate. For details, see Supplement: Web Authentication Manual - SSL Certification Operation.
(5) Command direct sending functionality using operation commands
In addition to selecting and sending the activation command from a Web browser, the Switch supports sending it directly with an operation command. With this functionality you specify the MAC address and VLAN of the desktop PC in the operation command wol, and the activation command is sent directly. In this case the activation command can be sent even if no IP address is assigned to the target VLAN interface. Because it requires logging in to the Switch remotely (for example, with Telnet) and using operation commands, it is suited to operation within the company.
Figure 13-4: Example of the use of the command direct sending functionality
13.1.2 Notes on using Secure Wake-on-LAN
(1) Setting terminals to which the activation command is sent
Depending on what is registered in the WOL Terminal DB, the Switch confirms with ping that the terminal to which it sent the activation command has started. For such terminals, make sure the terminal responds to ping: some terminals are configured not to respond to ping, and the confirmation using ping then fails even though the terminal has started.
(2) VLAN interface to which the activation command is sent
You can send the activation command even if no IP address is assigned to the VLAN interface of the target terminal.
(3) Use with Layer 2 authentication functionality
Do not set Layer 2 authentication functionality on the port that connects the Switch to the terminal to which the activation command is sent. If you do, you might not be able to reach your desktop PC remotely from outside the company even after it has been turned on, or a terminal that has not yet been authenticated on a port running Web authentication might be able to reach the user authentication screen of the Secure Wake-on-LAN functionality.
Secure Wake-on-LAN can coexist with Layer 2 authentication functionality on the same device: use different ports for the terminals served by Secure Wake-on-LAN and for Layer 2 authentication.
13.2 Configuration
13.2.1 List of configuration commands
The following table describes the command used to configure the Secure Wake-on-LAN functionality.
Table 13-3: List of configuration commands
Command | Description
http-server | Enables the HTTP server functionality.
13.2.2 Enabling the HTTP server functionality
Overview
The example below shows how to enable the HTTP server functionality when the Secure Wake-on-LAN functionality is used.
Configuration command example
1.
(config)# http-server
Enables the HTTP server functionality.
Note
Configure this command when the Secure Wake-on-LAN functionality is used.
13.3 Operation
13.3.1 List of operation commands
The following table describes the operation commands for the Secure Wake-on-LAN functionality.
Table 13-4: List of operation commands
Command | Description
set wol-device name | Registers on the WOL Terminal DB the information of a new terminal to which the activation command is sent.
set wol-device mac | Changes the MAC address of terminal information registered on the WOL Terminal DB.
set wol-device vlan | Changes the VLAN ID of terminal information registered on the WOL Terminal DB.
set wol-device ip | Changes the IP address, and the method of identifying the IP address, of terminal information registered on the WOL Terminal DB.
set wol-device alive | Changes the method of confirming activation of terminal information registered on the WOL Terminal DB.
set wol-device description | Changes the supplementary explanation of terminal information registered on the WOL Terminal DB.
remove wol-device name | Deletes terminal information registered on the WOL Terminal DB.
show wol-device name | Displays terminal information being edited or registered on the WOL Terminal DB.
commit wol-device | Stores the terminal information edited on the WOL Terminal DB in built-in flash memory and reflects it in operation.
store wol-device | Creates a backup file of the WOL Terminal DB.
load wol-device | Restores the WOL Terminal DB from a backup file.
set wol-authentication user | Registers new user information (user ID, password, and access rights to terminals) on the WOL User DB.
set wol-authentication password | Changes the password of a user registered on the WOL User DB.
set wol-authentication permit | Changes (adds or deletes) the terminals accessible to a user registered on the WOL User DB.
remove wol-authentication user | Deletes user information being edited on the WOL User DB.
show wol-authentication user | Displays user information being edited or registered on the WOL User DB.
commit wol-authentication | Reflects the edited parts of the WOL User DB in operation.
store wol-authentication ramdisk | Creates a backup file of the WOL User DB.
load wol-authentication ramdisk | Restores the WOL User DB from a backup file.
wol | Specifies the MAC address and VLAN of your desktop PC and sends the activation command directly.
show wol | Displays information on the users currently using the Secure Wake-on-LAN functionality from Web browsers.
Legend
WOL Terminal DB: Built-in database for registering terminals to which activation commands are sent
WOL User DB: Built-in database for user authentication
13.3.2 Registering, changing, and deleting on the WOL Terminal DB
Register data on the built-in database for registering terminals where activation commands are
sent (WOL Terminal DB), which is used with the Secure Wake-on-LAN functionality. Register
on the WOL Terminal DB the name of the terminal where activation commands are sent, MAC
address, VLAN, and confirmation of the activation of the terminal. The procedure includes the
revision (addition, change, and deletion) of the WOL Terminal DB and the reflection of the
revised data on the database. Shown below are examples of the registration.
(1) Registering new data on the WOL Terminal DB
For each terminal that Secure Wake-on-LAN users may activate, register the name of the terminal, MAC address, VLAN, and the method of confirming activation of the terminal using the operation command set wol-device name.
In the following example, data for three terminals are registered.
Command entry
# set wol-device name PC01 1234.5600.6fd4 4094 ip 202.68.133.72 alive check timeout 300 description change-user
# set wol-device name pc.20082001.abc 1234.5600.ff02 2000 ip 202.68.133.71 alive check
# set wol-device name pc.20082002.abc 1234.5600.ff03 2000 ip 202.68.133.75 alive nocheck description notePC
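The ranges of Table 13-1 applied to entries like the three above, the activation command for a registered MAC address, and the ping-based confirmation of 13.1.2 (1), as an added example. This is a Python model written for this page, not code from the Switch or from ALAXALA. It assumes the activation command is the standard Wake-on-LAN magic packet (six 0xFF bytes followed by the MAC address repeated 16 times), which the manual does not state, and that a DHCP terminal is registered with the token DHCP in place of the address (the manual shows only the DHCP display in Figure 13-5). The command lines it parses are the manual's own examples plus constructed ones.

```python
"""Added example, not code from the Switch or the manual: validates the
arguments of a 'set wol-device name' entry against the ranges in Table 13-1,
builds the activation command for the registered MAC address, and models the
ping-based activation check of 13.1.2 (1).

Assumptions: the activation command is the standard Wake-on-LAN magic packet
(six 0xFF bytes followed by the MAC address repeated 16 times); the manual does
not state the frame format. 'ip DHCP' as the token for a DHCP terminal is also
an assumption. Command lines beyond the manual's examples are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

MAC_FORM = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


@dataclass(frozen=True)
class WolDevice:
    name: str
    mac: str            # xxxx.xxxx.xxxx, as registered on the Switch
    vlan: int
    ip: str             # "DHCP" (resolved via DHCP snooping) or a static IPv4 address
    alive_check: bool   # "alive check" or "alive nocheck"
    timeout: int = 120  # seconds; default from Table 13-1
    description: str = ""


def _check_ip(text: str) -> str:
    """Accept DHCP, or an address in 1.0.0.0-126.255.255.255 / 128.0.0.0-223.255.255.255."""
    if text.upper() == "DHCP":
        return "DHCP"
    first_octet = int(ipaddress.IPv4Address(text)) >> 24   # ValueError if malformed
    if not (1 <= first_octet <= 126 or 128 <= first_octet <= 223):
        raise ValueError("IP address outside the registrable ranges of Table 13-1")
    return text


def parse_set_wol_device(cmd: str) -> WolDevice:
    """Parse 'set wol-device name NAME MAC VLAN ip ADDR alive check|nocheck
    [timeout SEC] [description TEXT]' and enforce the limits of Table 13-1."""
    t = cmd.split()
    if t[:3] != ["set", "wol-device", "name"] or len(t) < 10:
        raise ValueError("not a complete 'set wol-device name' command")
    name, mac, vlan = t[3], t[4], int(t[5])
    if not 1 <= len(name) <= 128:
        raise ValueError("terminal name must be 1 to 128 characters")
    if not MAC_FORM.match(mac):
        raise ValueError("MAC address must be in the form xxxx.xxxx.xxxx")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1 to 4094")
    if t[6] != "ip" or t[8] != "alive" or t[9] not in ("check", "nocheck"):
        raise ValueError("expected 'ip ADDR alive check|nocheck'")
    ip, alive_check = _check_ip(t[7]), t[9] == "check"
    timeout, description, rest = 120, "", t[10:]
    while rest:
        key = rest.pop(0)
        if key == "timeout":
            timeout = int(rest.pop(0))
            if not 60 <= timeout <= 600:
                raise ValueError("timeout must be 60 to 600 seconds")
        elif key == "description":
            description, rest = " ".join(rest), []
            if len(description) > 128:
                raise ValueError("description must be at most 128 characters")
        else:
            raise ValueError(f"unexpected keyword {key!r}")
    return WolDevice(name, mac, vlan, ip, alive_check, timeout, description)


def rejects(cmd: str) -> bool:
    """True when the entry is refused; shows the range checks at work."""
    try:
        parse_set_wol_device(cmd)
    except (ValueError, IndexError):
        return True
    return False


def magic_packet(dev: WolDevice) -> bytes:
    """Activation command for the device: 6 x 0xFF + MAC x 16 (assumed WoL format)."""
    return b"\xff" * 6 + bytes.fromhex(dev.mac.replace(".", "")) * 16


def confirm_activation(dev: WolDevice, ping_results: Iterable[bool],
                       interval: int = 5) -> Optional[bool]:
    """Model of the ping confirmation: one probe every `interval` seconds until
    the terminal answers or dev.timeout elapses. `ping_results` stands in for
    the outcome of successive pings; a terminal set not to answer ping
    (13.1.2 (1)) yields False every time and the check times out."""
    if not dev.alive_check:
        return None                 # "alive nocheck": nothing to confirm
    elapsed = 0
    for answered in ping_results:
        if answered:
            return True
        elapsed += interval
        if elapsed >= dev.timeout:
            return False
    return False
```

Because activation is confirmed only by ping, a terminal that blocks ICMP echo looks identical to one that never woke; confirm_activation returns False for both, which is why 13.1.2 (1) asks that such terminals be set to respond.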
(2) Changing and deleting on the WOL Terminal DB
Follow the procedure below to change the registered terminal information or to delete terminal
information.
(a) Changing the MAC address
To change the MAC address of a registered terminal, use the operation command set wol-device mac. The following example illustrates the change of the MAC address of the terminal (pc.20082001.abc).
Command entry
# set wol-device mac pc.20082001.abc 1234.5600.ffe1
Changes the MAC address of the terminal (pc.20082001.abc) to 1234.5600.ffe1.
(b) Changing VLAN
To change the VLAN of a registered terminal, use the operation command set wol-device vlan.
The following example illustrates the change in the VLAN of the terminal
(pc.20082001.abc).
Command entry
# set wol-device vlan pc.20082001.abc 4000
Changes the VLAN of the terminal (pc.20082001.abc) to 4000.
(c) Deleting terminal information
To delete the information of a registered terminal, use the operation command remove wol-device name. The following example illustrates the deletion of the terminal
(pc.20082001.abc).
Command entry
# remove wol-device name pc.20082001.abc
Remove wol-device name.
Are you sure? (y/n): y
#
Deletes the information of the terminal (pc.20082001.abc).
(3) Displaying the WOL Terminal DB
To display the status of editing or registering the WOL Terminal DB, use the operation
command show wol-device name.
Figure 13-5: Displaying the WOL Terminal DB
# show wol-device name edit
Date 2008/11/06 14:48:49 UTC
Total device counts: 5
No Device name   MAC            VLAN IP address     Alive    Description
 1 PC01          1234.5600.6fd4 4094 202.68.133.72  300      change-user
 2 PC02          00ee.16fd.a142  100 10.1.10.10     600      all-user-...
 3 PC03_High...  0022.fa12.34dd   10 DHCP           60       High_price
 4 PC04          04ff.d423.f145    5 DHCP           120
 5 PC05          0612.7faf.1fdd 2000 202.68.133.70  no-check notePC
#
(4) Reflecting data on the WOL Terminal DB
To reflect the edited terminal information on the WOL Terminal DB, use the operation
command commit wol-device.
Command entry
# commit wol-device
Commitment wol-device name data.
Are you sure? (y/n): y
Commit complete.
#
13.3.3 Backing up and restoring the WOL Terminal DB
The following are examples of creation of a backup file of the WOL Terminal DB and
restoration of the database from the backup file.
(1) Backing up the WOL Terminal DB
Use the operation command store wol-device to create a backup file of the WOL
Terminal DB (backupfile in the following example).
Command entry
# store wol-device ramdisk backupfile
Backup wol-device name data.
Are you sure? (y/n): y
Backup complete.
#
(2) Restoring the WOL Terminal DB
Use the operation command load wol-device to restore the WOL Terminal DB from the
backup file (backupfile in the following example).
Command entry
# load wol-device ramdisk backupfile
Restore wol-device name data.
Are you sure? (y/n): y
Restore complete.
#
13.3.4 Registering, changing, and deleting on the WOL User DB
Register data on the built-in database for user authentication (WOL User DB), which is used
with the Secure Wake-on-LAN functionality. Register on the WOL User DB the ID of the
Secure Wake-on-LAN, user, password, access rights, and the names of the accessible terminals.
The procedure includes the edit (addition, change and deletion) of the WOL User DB and the
reflection of the edited data on the database. Shown below are examples of the registration.
(1) Registering new data on the WOL User DB
For each user of the Secure Wake-on-LAN functionality, register user ID, password, access
rights to the terminal and the names of the accessible terminals, using the operation command
set wol-authentication user.
In the following example, three users are registered, each with one accessible terminal.
Command entry
# set wol-authentication user user01.example.abc.com pass01 permit
device-name pc.20082001.abc
# set wol-authentication user user02.example.abc.com pass02 permit
device-name pc.20082002.abc
# set wol-authentication user user03.example.abc.com pass03 permit
device-name pc.20082003.abc
(a) Checking consistency between the registered WOL Terminal DB and WOL User DB
When registering the name of an accessible terminal (device-name) on the WOL User DB, check the entry using the operation command show wol-authentication user. An asterisk (*) added to the entry means that the name of the target terminal is not registered on the WOL Terminal DB. (For an example of the display, see (3) Displaying the WOL User DB below.) After checking the terminal name with the operation command show wol-device name, change the entry referring to (2) Changing and deleting on the WOL User DB. You cannot select the target terminal in the procedure for selecting and sending commands in a Web browser until the asterisk disappears.
(2) Changing and deleting on the WOL User DB
Follow the procedure below to change or delete registered user information.
(a) Changing the password
To change the password of a registered user, use the operation command set
wol-authentication password. The following example illustrates the change in the
password of a user (ID: user01.example.abc.com).
Command entry
# set wol-authentication password user01.example.abc.com pass01
pass1001
Changes the password of a user (ID: user01.example.abc.com) from pass01 to
pass1001.
(b) Changing (adding or deleting) the information of an accessible terminal
To change (add or delete) the information of the accessible terminal of a registered user, use the
operation command set wol-authentication permit. The following example
illustrates the addition of the information of the accessible terminal of a user (ID:
user02.example.abc.com).
Command entry
# set wol-authentication permit user02.example.abc.com add
device-name pc.20083002.abc
Adds pc.20083002.abc to the information of the accessible terminal of a user (ID:
user02.example.abc.com).
(c) Deleting user information
To delete the information of a registered user, use the operation command remove wol-authentication user. The following example illustrates the deletion of the information of a user (ID: user01.example.abc.com).
Command entry
# remove wol-authentication user user01.example.abc.com
Remove wol-authentication user.
Are you sure? (y/n): y
#
Deletes the user (ID user01.example.abc.com).
(3) Displaying the WOL User DB
To display the status of editing or registering the WOL User DB, use the operation command
show wol-authentication user.
Figure 13-6: Displaying the WOL User DB
# show wol-authentication user edit
Date 2008/11/06 20:48:57 UTC
Total user counts: 5
Total device link: 7
  No any    manual device Username
   1 deny   deny        2 Mail-Address_of_USER04_of_The_Company...
   2 permit permit      1 USER01
*  3 deny   permit      3 USER02
   4 permit deny        0 USER03
*  5 permit deny        1 USER05
#
An asterisk (*) on a user line means that at least one terminal name registered for that user is not registered on the WOL Terminal DB. Specify the detail option to display the names of the terminals registered for the user, and check which terminal has the asterisk (*).
Figure 13-7: Displaying the WOL User DB (selecting the detail option)
# show wol-authentication user edit detail
Date 2008/11/06 20:49:10 UTC
No 1 : Mail-Address_of_USER04_of_The_Company@example.com
  permit : any=deny, manual=deny
  device-name
    1 : PC01
    2 : PC03_High-Speed_machine
No 2 : USER01
  permit : any=permit, manual=permit
  device-name
    1 : PC01
No 3 : USER02
  permit : any=deny, manual=permit
  device-name
  * 1 : PC02@
    2 : PC01
    3 : PC03_High-Speed_machine
No 4 : USER03
  permit : any=permit, manual=deny
No 5 : USER05
  permit : any=permit, manual=deny
  device-name
  * 1 : PC04@
#
(4) Reflecting data on the WOL User DB
To reflect the edited user information on the WOL User DB, use the operation command
commit wol-authentication.
Command entry
# commit wol-authentication
Commitment wol-authentication user data. Are you sure? (y/n): y
Commit complete.
#
13.3.5 Backing up and restoring the WOL User DB
The following are examples of the creation of a backup file for the WOL User DB and
restoration of the database from the backup file.
(1) Backing up the WOL User DB
Use the operation command store wol-authentication to create a backup file for the
WOL User DB (backupfile in the following example).
Command entry
# store wol-authentication ramdisk backupfile
Backup wol-authentication user data.
Are you sure? (y/n): y
Backup complete.
#
(2) Restoring the WOL User DB
Use the operation command load wol-authentication to restore the WOL User DB from the backup file (backupfile in the following example).
Command entry
# load wol-authentication ramdisk backupfile
Restore wol-authentication user data.
Are you sure? (y/n): y
Restore complete.
#
13.3.6 Displaying information of a user by using the Secure Wake-on-LAN
Use the operation command show wol to display the information of a user using the Secure
Wake-on-LAN. Check the status of sending the activation commands or accessing the terminal
on the display.
Figure 13-8: Displaying the information of a user using the Secure Wake-on-LAN
# show wol
Date 2008/11/06 17:32:25 UTC
No User name                            Phase   Magic   Device IP      Target
 1 User-A                               IDLE                           Timeout
 2 User-B                               CHECK   Sent    192.168.1.102  Waiting
 3 User-C                               IDLE    Sent    192.168.10.100 Alive
 4 User-D                               RESOLVE Failed                 Waiting
 5 User-E                               RESOLVE Sent                   Waiting
 6 Mail-Address_of_USER04_of_The_Co...  IDLE    Sent    202.68.133.72  Alive
#
Figure 13-9: Basic phase transition
The maximum number of users who can simultaneously use the Secure Wake-on-LAN functionality is 32. When that limit has been reached, no further users are accepted. If you are unable to use the functionality, check whether the number of users displayed by the show wol command has reached 32.
13.3.7 Command direct sending functionality
Log in to the Switch and send the activation command directly to the terminal with the wol operation command, specifying the MAC address and VLAN ID of the terminal.
Command entry
# wol 1234.5600.00fe 4000
The magic packet is sent.
#
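An added example, illustrative Python rather than the Switch's own code, of what the activation command sent above actually carries. The manual does not describe the magic packet; the layout used here is the standard Wake-on-LAN one (six 0xFF bytes followed by the target MAC repeated 16 times), with the MAC written in the dotted form the manual uses (1234.5600.00fe). The parser is the check a host-side tool or a capture filter would apply to confirm that a frame seen on the VLAN is a well-formed magic packet for the expected MAC. The send helper, the broadcast address and UDP port 9 are conventions assumed for the example, not something the Switch exposes.

```python
import re
import socket
from typing import Optional

# Standard Wake-on-LAN magic packet: a synchronisation stream of six 0xFF bytes
# followed by the target MAC address repeated 16 times (6 + 96 = 102 bytes).
SYNC = b"\xff" * 6
REPEATS = 16

# MAC addresses in the manual's dotted notation (1234.5600.00fe); the colon- and
# hyphen-separated forms are accepted too.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(text: str) -> bytes:
    """Convert 1234.5600.00fe / 12:34:56:00:00:fe / 12-34-56-00-00-FE to six bytes."""
    digits = re.sub(r"[.:\-]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(mac: bytes) -> str:
    """Render six bytes in the manual's dotted notation."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_magic_packet(mac_text: str) -> bytes:
    """Payload of the activation command for the given terminal MAC."""
    return SYNC + parse_mac(mac_text) * REPEATS


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC (dotted) if payload carries a well-formed magic
    packet, else None. The sync stream may sit anywhere in the payload (some
    senders prepend data), so it is searched for rather than assumed at offset 0."""
    start = payload.find(SYNC)
    if start < 0:
        return None
    body = payload[start + len(SYNC):start + len(SYNC) + 6 * REPEATS]
    if len(body) != 6 * REPEATS:
        return None
    mac = body[:6]
    if body != mac * REPEATS:
        return None  # repetitions disagree: not a magic packet
    return format_mac(mac)


def send_magic_packet(mac_text: str, target: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet as a UDP datagram; broadcast to port 9 (discard) is the usual
    host-side convention. Assumed helper: the Switch sends its own frame on the VLAN."""
    packet = build_magic_packet(mac_text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(packet, (target, port))


if __name__ == "__main__":
    pkt = build_magic_packet("1234.5600.00fe")
    print(len(pkt), parse_magic_packet(pkt))  # 102 1234.5600.00fe
```

The parser rejects payloads whose 16 repetitions disagree or that are truncated, which is the difference between a real activation command and random traffic that happens to contain a run of 0xFF bytes.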
13.3.8 Procedure for selecting/sending commands in a Web browser
This section explains the procedure for executing the Secure Wake-on-LAN functionality from outside the company. After configuring the Switch as required for the Secure Wake-on-LAN functionality and setting the WOL Terminal DB and the WOL User DB, follow the procedure below.
Use SSL (HTTPS) for this procedure; over plain HTTP the user ID and password entered on the authentication screen travel in clear text. Choose either English or Japanese for the language used on the operation screen. English is used in the examples in this section.
Figure 13-10: Screen sequence of selecting/sending commands in a Web browser
(1) Access to the Secure Wake-on-LAN user authentication screen
Before accessing the Secure Wake-on-LAN user authentication screen, choose the language, either English or Japanese.
• English: https://IP-address-of-VLAN-interface/wol/en/wol_login.html
• Japanese: https://IP-address-of-VLAN-interface/wol/ja/wol_login.html
The Secure Wake-on-LAN user authentication screen is displayed. Enter your user ID and password.
Figure 13-11: Secure Wake-on-LAN user authentication screen
Table 13-5: Displays on the user authentication screen
Displays in English                      Displays in Japanese
Secure WOL: user authentication          セキュア WOL:ユーザ認証
Please enter your user ID and password.  ユーザ ID とパスワードを入力してください。
user ID                                  ユーザ ID
password                                 パスワード
Enter                                    実行
(2) Authenticating the user ID and password entered on the user authentication screen
The Switch checks the entered user ID and password against the user information of the WOL User DB registered on the System. When they match, the Selecting Terminals and Sending Activation Commands screen (Figure 13-13) is displayed. When they do not match, the Secure Wake-on-LAN failure screen (Figure 13-12) is displayed.
• Click the back button to restart from the user authentication screen.
• Click the close button to terminate.
Figure 13-12: Secure Wake-on-LAN failure screen
Table 13-6: Displays on the failure screen
Displays in English  Displays in Japanese
(message text)       See Table 13-7 List of messages displayed on the failure screen.
back                 戻る
close                閉じる
Table 13-7: List of messages displayed on the failure screen
No. Displays in English                               Displays in Japanese
1)  License key is not installed.                     セキュア WOL ソフトウェアオプションライセンスキーが未設定です。
2)  Target not selected; redo from authentication.    端末が選択されていません。再度,ユーザ認証からやりなおしてください。
3)  Session timeout.                                  セッションがタイムアウトしました。
4)  Invalid specification; redo from authentication.  入力情報に誤りがあります。再度,ユーザ認証からやりなおしてください。
5)  WOL server busy; try again later.                 セキュア WOL サーバがビジーです。少し待ってから再度実行してください。
6)  Authentication failed.                            認証が失敗しました。
7)  User engaged; try again later.                    ユーザ ID が重複しています。少し待ってから再度実行してください。
Table 13-8: Details of message or measures taken
No. Details or measures
1)  The Secure Wake-on-LAN software optional license key has not been set.
2)  There is an error in the terminal information you entered. Check the problem and retry the operation.
    • The name of the terminal you entered is not registered on the WOL Terminal DB.
    • No terminal name was selected.
3)  The user information you entered has expired. Retry from the user authentication screen.
4)  There is an error in the information you entered. Check the problem and retry the operation.
    • You have not entered all the required parameters.
    • There is an error in the information you entered.
5)  The number of users has reached the upper limit of the Secure Wake-on-LAN functionality. Retry the operation later.
6)  You entered an incorrect user ID or password. Check the user ID and password and retry from the user authentication screen.
7)  The entered user ID has already been authenticated and its terminal is currently being activated.
(3) Selecting Terminals and Sending Activation Commands
After the user has successfully been authenticated on the user authentication screen of the Secure
Wake-on-LAN, the Selecting Terminals and Sending Activation Commands screen is displayed.
Figure 13-13: Selecting Terminals and Sending Activation Commands screen
Table 13-9: Displays on the Directly Specifying Device Information screen
Displays in English        Displays in Japanese
Secure WOL: direct access  セキュア WOL:機器情報直接指定
MAC address (mandatory)    MAC アドレス(入力必須)
VLAN ID (mandatory)        VLAN ID(入力必須)
IP address (if known)      IP アドレス(任意)
Wake up                    起動開始
Table 13-10: Displays on the Selecting the Target Device screen
Displays in English      Displays in Japanese
Secure WOL: target list  セキュア WOL:対象機器選択
No                       No
Select                   選択
Computer name            機器名
Description              コメント
Wake up                  起動開始
The Directly Specifying Device Information screen and the Selecting the Target Device screen
are displayed on the Selecting Terminals and Sending Activation Commands screen.
• The Directly Specifying Device Information screen is displayed at the top of the screen.
• The Selecting the Target Device screen is displayed at the bottom of the screen.
Enter the terminal information on either screen, and then click the Wake up button. Then, a
screen that tells the completion of transmission is displayed. (See Figure 13-15 Example of the
screen displayed after sending the activation command.)
If the access rights to the terminal (manual/any/device-name) are not registered, the message
Not available is displayed. (See Figure 13-14 Example of the Access Rights to the Terminal
Not Registered screen)
(a) Directly Specifying Device Information screen (Secure WOL: direct access)
This screen is displayed when manual is permitted for the user's terminal access right in the WOL User DB registered on the Switch. If manual is not permitted, the screen is not displayed.
On this screen, directly specify the MAC address and VLAN ID of the terminal to which the activation command is sent. After the command is sent, the Switch confirms that the terminal has started.
If the terminal uses a static IP address, also specify the IP address, because the IP address is otherwise detected through DHCP snooping (see Table 13-15).
(b) Selecting the Target Device screen (Secure WOL: target list)
This screen is displayed when device-name is registered for the user's terminal access right in the WOL User DB on the Switch. If any is permitted, all terminal information registered on the WOL Terminal DB is displayed. If neither device-name nor any is registered, no terminal selection screen is displayed. On this screen, select a terminal from the terminal information registered for the user in the WOL User DB; the activation command is sent to the selected terminal.
(c) Access Rights to the Terminal Not Registered screen
If the right to access the terminal has not been registered, the screens below are displayed.
Figure 13-14: Example of the Access Right to the Terminal Not Registered screen
Table 13-11: Access Rights to the Terminal Not Registered screen ((1) in the figure above)
Displays in English  Displays in Japanese
Not available.       実行できません。
back                 戻る
close                閉じる
• Access rights in (2) of the figure above: the screen displayed when any and device-name have not been registered. See Table 13-9 Displays on the Directly Specifying Device Information screen.
• Access rights in (3) of the figure above: the screen displayed when manual has not been registered. See Table 13-10 Displays on the Selecting the Target Device screen.
(d) Screen displayed after sending the activation command
Click the Wake up button on the screens to directly specify or select terminals to display the
screen below.
Figure 13-15: Example of the screen displayed after sending the activation command
Table 13-12: Screen displayed after sending the activation command
Displays in English    Displays in Japanese
Waking up the target.  起動処理中
Show status            状況確認
close                  閉じる
• To check the activation status of the target terminal, click the Show status button. The screen to check the operation status of the terminal where the activation command is sent (Figure 13-16) is displayed.
• Click the close button to terminate.
(4) Checking the operation status of the terminal where the activation command is sent
This screen displays the operation status of the terminal where the activation command is sent. The screen is automatically updated every five seconds.
Figure 13-16: Screen to check the operation status of the terminal where the activation
command is sent
Table 13-13: Displays on the screen to check the operation status of the terminal where the activation command is sent
Displays in English             Displays in Japanese
Secure WOL: operational status  セキュア WOL:動作状態
Computer name                   機器名
Description                     コメント
MAC address                     MAC アドレス
VLAN ID                         VLAN ID
Wake-up command                 起動コマンド
IP address                      IP アドレス
Operational status              動作状態
Table 13-14: Displays of the information of the terminal where the activation command is sent
Displayed item  Description
Computer name   Name of the terminal (name registered on the WOL Terminal DB)
Description     Supplementary explanation of the terminal (registered on the WOL Terminal DB)
MAC address     MAC address of the terminal (registered on the WOL Terminal DB)
VLAN ID         VLAN ID of the terminal (registered on the WOL Terminal DB)
Table 13-15: Display of the operation status of the target terminal
Item                Displays in English     Displays in Japanese  Meaning
Wake-up command     Preparing               準備中                Preparing an activation command for the target terminal
                    Sending                 送信中                Sending the activation command to the target terminal
                    Was sent                送信済                Completed the transmission of the activation command to the target terminal
                    --                      --                    Did not complete the transmission of the activation command
IP address          Sensing                 検出中                Detecting the IP address of the target terminal by the DHCP snooping functionality
                    <IP address>            IP アドレス値         IP address of the target terminal
                    Unknown                 不明                  • Suspended before the IP address of the target terminal was identified (time-out)
                                                                  • The IP address of the target terminal is unknown because the DHCP snooping functionality is not enabled
Operational status  --                      --                    Activation confirmation of the target terminal is not set in the WOL Terminal DB (alive nocheck)
                    Sensing                 検出中                The IP address of the target terminal has not been resolved yet
                    Waiting for a response  応答待ち              Waiting for the response from the target terminal
                    Responding              応答あり              Received the response from the target terminal
                    Not responding          応答なし              No response received from the target terminal (time-out)
14. One-time Password Authentication [OP-OTP]
The Switch can use the one-time password authentication of RSA SecurID for its Web authentication and login authentication functionality. This chapter describes the operation of one-time password authentication. A software optional license is required to use this functionality.
14.1 Overview
14.2 Configuration
14.3 Operation
14.1 Overview
The Switch prevents unauthorized access through Web authentication or login authentication by
using the one-time password authentication functionality of RSA SecurID.
Figure 14-1: Overview of one-time password authentication
When the software optional license key that you purchased is registered, users are allowed to use
the New PIN mode and Next Token mode.
Figure 14-2: Registering the software optional license key
• New PIN mode
Instead of a PIN code being registered on the RSA authentication server beforehand, users can register the code during their first access.
• Next Token mode
After several successive login failures, a user who then enters the correct user ID and password is asked to enter the next token code before the login is accepted.
Table 14-1: Scope of the support provided by the software optional license
Item                                           Software optional license registered  Software optional license not registered
Token code and PIN code entry when logging in  Y                                     Y
New PIN mode                                   Y                                     N
Next Token mode                                Y                                     N
Legend
Y: Usable; N: Unusable
14.1.1 Scope of support
(1) Applicability of one-time password authentication
On a Switch, one-time password authentication can be used for Web authentication and login
authentication. The following tables describe the applicability to Web authentication and login
authentication.
(a) Web authentication
In Web authentication, the New PIN mode and Next Token mode can be used for any
authentication mode.
Table 14-2: Applicability of one-time password authentication in Web authentication
Authentication mode  Local authentication  RADIUS authentication  One-time password authentication (applicability of New PIN mode and Next Token mode)
Fixed VLAN mode      Y                     Y                      Y
Dynamic VLAN mode    Y                     Y                      Y
Legacy mode          Y                     Y                      Y
Legend
Y: Applicable
(b) Login authentication
In login authentication, the applications where New PIN mode and Next Token mode can be
used are limited.
Table 14-3: Applicability of one-time password authentication in login authentication
Login method  Local authentication  RADIUS authentication  One-time password authentication (applicability of New PIN mode and Next Token mode)
Serial        Y                     N                      N
Telnet        Y                     Y                      Y
FTP           Y                     Y                      N
Legend
Y: Applicable; N: Not applicable
(2) Error messages displayed when using one-time password authentication
The following table describes the error messages displayed on the login failure screen when
using one-time password authentication for Web authentication. (For details about error
messages other than those described below, see 8.7 Authentication error messages in 8.
Description of Web Authentication.)
Table 14-4: Error messages displayed when using one-time password authentication
Error message                          Error number  Reason for error occurrence
Invalid sequence. Please retry again.  91            Authentication failed because the response to the PIN code from the RSA authentication server was received outside the designated waiting time.
                                       92            Authentication failed for one of the following reasons:
                                                     • The terminal connection information of the user who sent the response to the PIN code changed.
                                                     • The session code held by the Switch and the one sent by the user are inconsistent.
                                       93            Authentication failed because the user became invalid after the response to the PIN code from the RSA authentication server could not be received.
14.1.2 Screen files displaying Reply-Message
This functionality uses authentication-in-progress screen files (loginProcess.html files) in
addition to the Web authentication screen files shown in section 8.10 Procedure for creating
Web authentication pages in 8. Description of Web Authentication.
The authentication-in-progress screen file is an HTML file used to display the Reply-Message in
the Access-Challenge sent from the RADIUS server and received by the Switch, and to send the entered PIN code.
(1) Authentication-in-progress screen file (loginProcess.html)
(a) Setting conditions
To create an HTML file for the authentication-in-progress screen, include all tags listed in the
following table.
Table 14-5: Settings required for the authentication-in-progress screen
Tag: <form name="Process" method="post" action="/cgi-bin/Process.cgi"></form>
  Explanation: This tag directs the sending of the PIN code and other information for Web authentication. Do not change any part of this tag.
Tag: <input name="pcode" size="40" maxlength="32" autocomplete="OFF" type="password">
  Explanation: This tag specifies the PIN code and other information. Do not change any part of the tag with the exception of size and maxlength. Place this tag inside the above-mentioned <form> and </form>.
Tag: <input value="Enter" type="submit">
  Explanation: This tag sends the PIN code and other information for Web authentication. Do not change any part of this tag. Place this tag inside the above-mentioned <form> and </form>.
Note:
If you want to reference another file from the loginProcess.html file, add a slash (/) to the beginning of the name of the other file.
Example: <img src="/image_file.gif">
(b) Example source code
An example of the source code of the authentication-in-progress screen
(loginProcess.html) is shown below.
Figure 14-3: Example source code of the authentication-in-progress screen
(loginProcess.html)
(c) Example of the authentication-in-progress screen
An example of the authentication-in-progress screen is shown below.
Figure 14-4: Example of the authentication-in-progress screen
(2) Adding authentication error message files
An authentication error message file (webauth.msg) contains messages for display on the
response screen when Web authentication login or logout fails. If you want to replace the default
authentication error message, create an authentication error message file that contains the
message shown below after the 9 lines of messages indicated in section 8.10.3 Authentication
error message file (webauth.msg) in 8. Description of Web Authentication.
Table 14-6: Messages in the authentication error message file
Line number  Description
10           Message displayed when a PIN code is sent. Default message: Invalid sequence. <BR>Please retry again.
(a) Setting conditions
• For lines that contain only a line feed, the default error message is displayed.
• When storing the file, use either CR+LF or LF as the line feed code.
• The maximum length of a message on a single line is 512 one-byte (256 two-byte) characters, including HTML tags and line feed tags (<BR>). Characters beyond this limit are ignored.
• If the authentication error message file has 11 or more lines, the messages after the 10th line are ignored.
(b) Overview of the creation of an authentication error message file
• The text specified in the authentication error message file is used as HTML text without modification. Any HTML tags you add to a message therefore take effect.
• Each message must be written on a single line. To insert a line break in the middle of an error message, insert the line feed tag <BR>.
(c) Example source code
An example of the source code of the authentication error message file (webauth.msg) is
shown below.
Figure 14-5: Example source code of the authentication error message file
(webauth.msg)
(3) Tags dedicated to Web authentication used with this functionality
The authentication-in-progress screen file can be rewritten using the Web authentication screen
replacement functionality as with other Web authentication files. If you insert the following tags
dedicated to Web authentication, the file can be substituted for user-specific Web authentication
screen files.
(a) Adding tags dedicated to Web authentication
By inserting tags dedicated to Web authentication in the HTML file of the Web authentication
screen, the portion where the tag is written is converted into the intended information. If you
insert an appropriate tag in the HTML file, you can display the login time or an error message on
the authentication screen, or recognize the information through an application operating in the
Web browser.
Table 14-7: Tags dedicated to Web authentication and converted information
Tag dedicated to Web authentication  Example of the text after conversion  Meaning of the converted information
<!-- Session_Code -->                123456                                Session identification code per user (screen)
<!-- Reply_Message -->               Do you want to enter your ...         Reply-Message of the Access-Challenge sent from the RADIUS server
The dedicated tag that is converted into the session identification code (<!-- Session_Code
-->) is embedded in the default HTML file as described below. It is not displayed in a Web
browser.
• HTML inserted into the authentication-in-progress screen by default (loginProcess.html):
<input name="scode" type="hidden" value="<!-- Session_Code -->">
Note: As the type of the input tag is hidden, it is not displayed in typical Web browsers.
If you want to display the identification code of the session under authentication in a Web
browser, create an authentication-in-progress screen file (loginProcess.html file). Register
it on the Switch as described in subsection 8.9.1 Replacing Web authentication pages to display
it on the authentication-in-progress screen. The following table describes which combination of
tags dedicated to Web authentication and the screens are valid for the conversion of information.
Table 14-8: Combinations of the tags dedicated to Web authentication and the screens that are valid for the conversion of information
Tag dedicated to Web authentication  Login  Authentication-in-progress  Logout  Successful login  Failed login  Logout completed  Failed logout
<!-- Session_Code -->                --     Y                           --      --                --            --                --
<!-- Reply_Message -->               --     Y                           --      --                --            --                --
Legend
Y: If the tag dedicated to Web authentication is included in the HTML file, it is converted into the intended information.
--: Even if the tag dedicated to Web authentication is included in the HTML file, it is not converted into the intended information.
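An added example, illustrative Python rather than the Switch's code, modelling the tag conversion of Table 14-7 on a constructed loginProcess.html that contains the mandatory elements of Table 14-5 and the default hidden scode input, together with the check a reviewer would run on a replacement file before registering it. The template string, the session-code generator and the HTML-escaping of the Reply-Message are assumptions of the example; how the Switch itself generates the code and substitutes the tags is not specified on this page.

```python
import html
import re
import secrets

# The two dedicated tags converted on the authentication-in-progress screen
# (Table 14-7). Spacing inside the comment is allowed to vary.
_TAG_RE = re.compile(r"<!--\s*(Session_Code|Reply_Message)\s*-->")

# Constructed stand-in for loginProcess.html: the three mandatory elements of
# Table 14-5 plus the default hidden scode input. Not the file shipped on the Switch.
LOGIN_PROCESS_HTML = """<html><body>
<p><!-- Reply_Message --></p>
<form name="Process" method="post" action="/cgi-bin/Process.cgi">
<input name="scode" type="hidden" value="<!-- Session_Code -->">
<input name="pcode" size="40" maxlength="32" autocomplete="OFF" type="password">
<input value="Enter" type="submit">
</form>
</body></html>
"""


def new_session_code(nbytes: int = 8) -> str:
    """Per-screen session identifier (assumed generator). Drawn from the OS
    CSPRNG so a code cannot be predicted and paired with another user's PIN
    exchange; error 92 in Table 14-4 is the Switch rejecting a mismatched code."""
    return secrets.token_hex(nbytes)


def render(template: str, session_code: str, reply_message: str) -> str:
    """Substitute the two dedicated tags. The Reply-Message text originates in
    the RADIUS server's Access-Challenge, so it is HTML-escaped before being
    placed in the page: that is what a renderer should do with server-supplied
    text, not a statement about what the Switch does."""
    values = {
        "Session_Code": html.escape(session_code, quote=True),
        "Reply_Message": html.escape(reply_message, quote=True),
    }
    return _TAG_RE.sub(lambda m: values[m.group(1)], template)


_FORM_RE = re.compile(
    r'<form name="Process" method="post"\s+action="/cgi-bin/Process\.cgi">(.*?)</form>',
    re.S,
)


def required_tags_present(page: str) -> bool:
    """Check a loginProcess.html candidate against Table 14-5: the fixed form
    tag must exist and both inputs must sit inside it."""
    m = _FORM_RE.search(page)
    if m is None:
        return False
    inner = m.group(1)
    return (
        'name="pcode"' in inner
        and 'type="password"' in inner
        and '<input value="Enter" type="submit">' in inner
    )


if __name__ == "__main__":
    page = render(LOGIN_PROCESS_HTML, new_session_code(), "Do you want to enter your new PIN?")
    print(required_tags_present(page))  # True
```

Running required_tags_present over a customised file before registering it with set web-authentication html-files catches the common mistake of moving the pcode or submit input outside the Process form, which would leave the PIN unsent.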
14.1.3 Using with other Web authentication functionality
All other Web authentication functionality, including URL Redirect, IP address dedicated for
authentication, and passage before authentication, can be used with the one-time password
authentication functionality.
14.2 Configuration
There is no Switch configuration item that enables the one-time password authentication functionality by itself; it operates through the configuration of Web authentication and login authentication. See the following to specify that configuration.
• Web authentication: 8. Description of Web Authentication and 9. Web Authentication Configuration and Operation
• Login authentication: 8. Login Security and RADIUS in the Configuration Guide Vol. 1
14.3 Operation
14.3.1 List of operation commands
The following table describes the operation commands for one-time password authentication.
Table 14-9: List of operation commands
Command                              Description
set web-authentication html-files    Registers the designated Web authentication screen file.
clear web-authentication html-files  Deletes the registered Web authentication screen file.
show web-authentication html-files   Displays the file name, file size, and registration date and time of the registered Web authentication screen file.
store web-authentication html-files  Takes the Web authentication screen file currently in operation and stores it in a directory on the RAMDISK.
For usage examples, see 9. Web Authentication Configuration and Operation.
Part 4
High Reliability Based on Redundant Configurations
15. Description of the GSRP Aware Functionality
GSRP aware functionality clears internal MAC address table entries by receiving a frame from a
GSRP Switch. This chapter provides an overview of the GSRP aware functionality.
15.1 Overview of GSRP
15.2 GSRP switchover control
15.3 Configuration
15.4 Operation
15.1 Overview of GSRP
15.1.1 Overview
The Gigabit Switch Redundancy Protocol (GSRP) provides redundancy for the Switches by
securing a communication path via another Switch in the same network even if the primary
Switch has failed.
Another functionality that can provide redundancy on a network is the Spanning Tree Protocol.
Because the paired switches exchange control frames to check each other's status with GSRP,
the switchover from one Switch to another is faster than using a spanning tree. GSRP is also
suitable for large-scale configurations in which core switches are used in multiple stages on a
network. On the other hand, a spanning tree is a standard protocol and suitable for building a
network consisting of switches and routers manufactured by different vendors.
The following figure provides an overview of redundancy in Layer 2 provided by GSRP.
Figure 15-1: Overview of GSRP
15.1.2 Supported specifications
The Switch supports GSRP aware only. For details, see 15.2 GSRP switchover control.
15.2 GSRP switchover control
When the backup GSRP Switch takes over as the master Switch, the backup Switch assumes the
forwarding and blocking responsibility for frames. However, that is not enough to immediately
resume end-to-end communication because the MAC address entries in the MAC address tables
in the adjacent switches are still registered for the previous master GSRP Switch. To
immediately resume communication, the MAC address table entries on the adjacent switches
need to be cleared when the GSRP switches change their statuses. GSRP supports the following
methods for clearing the MAC address table entries in the adjacent switches.
(1) Sending GSRP Flush request frames
When the GSRP backup Switch takes over as the master Switch, the backup Switch sends a
control frame called a GSRP Flush request frame to the adjacent switches to request the clearing
of the MAC address table entries. A Switch that can receive this GSRP Flush request frame and
clear the internal MAC address table is GSRP aware. A GSRP aware Switch floods the GSRP
Flush request frame. The Switch is constantly GSRP aware. The following figure provides an
overview of clearing MAC address table entries by using GSRP Flush request frames.
Figure 15-2: Overview of clearing MAC address table entries by using GSRP Flush request frames
1. GSRP Switch B takes over from GSRP Switch A. GSRP Switch B sends a GSRP Flush
   request frame to the Switch.
2. The Switch receives the GSRP Flush request frame, and clears the internal MAC address
   table.
3. As a result, the Switch floods a MAC address request on the port to which the PC is
   connected until the MAC address of the PC is learned from the frames sent from the PC.
   The frames sent from the PC are forwarded to the destination via the master Switch (GSRP
   Switch B).
4. When a frame returns to the PC as a response, the Switch learns the MAC address of the PC.
   Thereafter, the Switch forwards the frames from the PC only to GSRP Switch B.
15.3 Configuration
The Switch supports GSRP awareness only. There is no configuration.
15.4 Operation
15.4.1 List of operation commands
The following table describes the operation commands for GSRP.
Table 15-1: List of operation commands
Command            Description
show gsrp aware    Displays information about GSRP.
15.4.2 Confirming GSRP aware information
Use the show gsrp aware operation command to display the GSRP aware information held by
the Switch.
Figure 15-3: An example of executing the show gsrp aware command
> show gsrp aware
Date 2008/11/14 14:34:40 UTC
Last mac_address_table Flush Time : 2008/11/14 14:34:35
GSRP Flush Request Parameters :
GSRP ID : 10
VLAN Group ID : 6
Port : 0/16
Source MAC Address : 0012.e208.2096
>
16. Uplink Redundancy
With uplink redundancy, a redundant configuration can be built without using spanning trees.
This chapter describes uplink redundancy and its use.
16.1 Description
16.2 Configuration
16.3 Operation
16.1 Description
Uplink redundancy duplicates uplink ports on the Switch. If a failure occurs, the backup port
takes over for the current port to continue communication with upstream switches. By using
uplink redundancy, you can create redundant uplink ports without using protocols such as the
Spanning Tree Protocol. A pair of redundant ports is called an uplink port.
• Layer 2 switches are connected in a V shape, and the lower-level switch performs the
  switching.
• The lower-level switch duplicates the uplink port by pairing Layer 2 interfaces (Ethernet or
  port channel).
The following figure shows a basic configuration of uplink redundancy.
Figure 16-1: Overview of uplink redundancy
When you use uplink redundancy in this configuration, if the link between the Switch and
upstream Switch A fails, the link between the Switch and upstream Switch B can take over to
continue communication.
The following table shows functionality details and gives cross-references to explanations.
Table 16-1: Functionality supported by uplink redundancy
Functionality  Item                                                      Functionality  Settings
                                                                         reference      reference
Basic          Uplink redundancy operation                               16.1.1         --
               Applicable interfaces for uplink ports                    16.1.1         16.2.2
               Number of uplink ports                                    16.1.1         --
               Switchover and preemption between primary and             16.1.2         --
               secondary ports
               Preemption when recovering from failure                   16.1.2         16.2.2
               Port control                                              16.1.2         --
Extension      Functionality for sending and receiving flush control     16.1.3         16.2.3
               frames
               MAC address update functionality                          16.1.4         16.2.4
               Functionality to fix the active port at switch startup    16.1.5         --
16.1.1 Uplink redundancy operation
Uplink redundancy provides redundancy by pairing two ports or bundles of ports (link
aggregation ports). This pairing is called an uplink port. An uplink port consists of a primary
port that performs communication during normal operation and a secondary port that takes over
as the primary port in case of a failure. You can configure these ports by using configuration
commands.
In an uplink port, the port that is currently performing communication is called the active port.
The other port is called the standby port, and it stands ready to take over as the active port if the
active port fails so that communication can continue. The ports of the uplink port must belong to
the same VLAN and have the same settings. In addition, the ports used for an uplink port cannot
be used for another uplink port.
The following figure provides an overview of uplink redundancy operation.
Figure 16-2: Operation overview of uplink redundancy
Normal operation
Communication between the primary port on the Switch and the upstream Switch A is
possible. The secondary port on the Switch is not communicating.
If the primary port fails
If the primary port link goes down, the Switch switches the active port over to the
secondary port and uses it to continue communication with upstream switches. This action
is called a switchover.
When the primary port is restored
When the primary port link is re-enabled and the port is standing by, you can use Switch
functionality such as automatic preemption (using a timer) or manual preemption to switch
the active port to the primary port. This action is called preemption.
When the active port is switched over, the new active port sends flush control frames that, if
so configured, request the upstream switch to clear its MAC address table.
(1) Applicable interfaces for uplink ports
An Ethernet interface or a port-channel interface can be specified as an uplink port. A
combination of an Ethernet interface and a port-channel interface can also be set as the pair of
primary and secondary ports, as shown in the table below.
Table 16-2: Combination of primary and secondary ports
Primary port                            Secondary port
Ethernet interface (Fast Ethernet)      Ethernet interface (Fast Ethernet)
                                        Ethernet interface (gigabit Ethernet)
                                        Port-channel interface
Ethernet interface (gigabit Ethernet)   Ethernet interface (Fast Ethernet)
                                        Ethernet interface (gigabit Ethernet)
                                        Port-channel interface
Port-channel interface                  Ethernet interface (Fast Ethernet)
                                        Ethernet interface (gigabit Ethernet)
                                        Port-channel interface
(2) Number of uplink ports
In this functionality, the combination of a primary port and a secondary port is set as an uplink
port. The following table describes the number of uplink ports that can be set in a Switch.
Table 16-3: Maximum number of uplink ports that can be set
Model                              Maximum number that can be set
AX1250S-24T2C                      13
AX1240S-24T2C, AX1240S-24P2C       13
AX1240S-48T2C                      25
16.1.2 Switchover and preemption between primary and secondary ports
Switchover and preemption change the active port: automatically, when a failure occurs on the
port that is performing communication, or manually, by using operation commands. For a
switchover or preemption to take place, the partner of the active port must be the standby port.
(1) Switchover in case of failure
Configure a primary port and a secondary port on the Switch beforehand. During normal
operation, communication is performed via the primary port. When link down is detected on the
primary port, the active port is switched to the secondary port. The MAC address table in the
Switch is not deleted, and the port number is switched from the primary port to the secondary
port.
The new active port sends a flush control frame, which clears the MAC address table, to the
upstream switch of the uplink port. Alternatively, it sends a MAC address update frame, which
requests that the MAC address table be updated. Either frame signifies that a switchover has
occurred.
Figure 16-3: Overview of the switchover of the primary and secondary
(2) Preemption at recovery from a failure
When the port recovers from a failure, preemption occurs due to automatic preemption, timer
preemption, or manual preemption.
(a) Automatic preemption
When the uplink redundancy is in effect, automatic preemption is executed by setting the
configuration preemption time to 0 seconds. When a link-up occurs on the primary port, the port
is preempted automatically and immediately. For details of automatic preemption by a timer, see
(b) Timer preemption.
(b) Timer preemption
When uplink redundancy is in effect, timer preemption is executed automatically by setting the
configuration preemption time to 1 to 300 seconds. The port is preempted if the link-up
status on the primary port continues longer than the timer preemption wait time set by the
switchport backup interface configuration command. When a link-down occurs on the
primary port before the timer preemption wait time is completed, the time measurement is reset
to zero. The following figure shows an outline of timer preemption.
Figure 16-4: Overview of timer preemption
(c) Manual preemption
When uplink redundancy is in effect, the secondary port remains active even after a link-up
occurs on the primary port due to recovery from a failure. To switch the active port from the
secondary port back to the primary port after the primary port has recovered, use the select
switchport backup interface operation command. The operation command can be executed only
when the port to be made active is in the link-up state.
(3) Port control
Port control in the uplink redundancy functionality places each port in the blocking state
(communication is not possible) or the forwarding state (communication is possible). Port
control is performed as shown in the table below.
Table 16-4: Uplink redundancy port control
Status of the port (setting of primary/secondary and physical condition)   Port control in the uplink redundancy functionality
Status                                Setting     Physical     Operation    Receives   Sends
                                                  condition                 frames     frames
Normal condition                      Primary     link-up      Forwarding   Y          Y
                                      Secondary   link-up      Blocking     N          N#
When the link-down state is           Primary     link-down    Blocking     N          N
detected on the primary port          Secondary   link-up      Forwarding   Y          Y
When the primary port is recovered    Primary     link-up      Blocking     N          N#
and in the link-up state, and the     Secondary   link-up      Forwarding   Y          Y
condition is any of the following:
- Before automatic preemption is
  executed
- Before timer preemption is
  executed
- Waiting for manual preemption
When the link-down state is           Primary     link-up      Forwarding   Y          Y
detected on the secondary port        Secondary   link-down    Blocking     N          N
When the link-down state is           Primary     link-down    Blocking     N          N
detected on both primary and          Secondary   link-down    Blocking     N          N
secondary ports
Legend
Y: Sends or receives; N: Does not send or receive
#
Frames such as LACP can be sent or received even during blocking.
16.1.3 Functionality for sending and receiving flush control frames
(1) Sending operation
If a flush control frame that requests clearing the MAC address table is configured to be sent, a
flush control frame is sent when the active port is switched. The Switch sends frames from the
new active port immediately after the switched primary and secondary ports are enabled. The
same frame is sent three times at intervals of one second when the active port is switched. The
following table describes the destination VLANs.
Table 16-5: VLANs where flush control frames are sent
Settings of sending flush control frames   Type of port that sends   Destination VLAN
in the configuration                       frames
Destination VLAN is not specified          Access port               Sent to access VLAN
                                           Trunk port                Sent to native VLAN
                                           MAC port                  Sent to native VLAN
                                           Protocol port             Sent to native VLAN
Destination VLAN is specified              Access port               Sent to access VLAN
                                           Trunk port                Sent to designated VLAN
                                           MAC port                  Sent to native VLAN
                                           Protocol port             Sent to native VLAN
(2) Receiving action
By receiving the flush control frame, the MAC address table is cleared. All entries are cleared,
every time one frame is received. There is no configuration for receiving frames.
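The GSRP Flush request frame of 15.2 and the flush control frame of this section have the same effect on the receiving side: every entry in the MAC address table is discarded and traffic is flooded until the addresses are learned again. The following Python model is an added example, not code from the manual or from the switch software. It replays the Figure 15-2 sequence on a small learning-switch table, applies the destination-VLAN rule of Table 16-5 and builds the three-frame transmit schedule; the MAC addresses, port numbers and VLAN ids it uses are constructed.

```python
"""Added example (not from the AX1240S manual): a learning-switch MAC table that
honours a flush request, plus the Table 16-5 destination-VLAN rule and the
3 x 1 s transmit schedule for flush control frames. Addresses, ports and VLAN
ids below are constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FLOOD = "flood"   # marker for "destination unknown: flood within the VLAN"


@dataclass
class MacTable:
    """Per-VLAN MAC address table of a Layer 2 switch (simplified)."""
    entries: Dict[Tuple[int, str], str] = field(default_factory=dict)

    def learn(self, vlan: int, src_mac: str, port: str) -> None:
        self.entries[(vlan, src_mac)] = port

    def lookup(self, vlan: int, dst_mac: str) -> str:
        return self.entries.get((vlan, dst_mac), FLOOD)

    def flush(self) -> int:
        """A GSRP Flush request frame (15.2) or an uplink-redundancy flush control
        frame (16.1.3 (2)) clears every entry, not only those behind the changed port."""
        cleared = len(self.entries)
        self.entries.clear()
        return cleared


def forward(table: MacTable, vlan: int, src_mac: str, dst_mac: str, in_port: str) -> str:
    """Learn the source address on the ingress port, then pick the egress."""
    table.learn(vlan, src_mac, in_port)
    return table.lookup(vlan, dst_mac)


def gsrp_failover_scenario() -> List[str]:
    """Replays Figure 15-2: a server is known towards the old master on port 0/16,
    a flush request arrives after GSRP Switch B takes over, frames are flooded
    until the reply through the new master (port 0/17) relearns the address."""
    table = MacTable()
    table.learn(10, "pc", "0/1")
    table.learn(10, "server", "0/16")
    steps = [f"before: server via {table.lookup(10, 'server')}"]
    table.flush()                                   # step 2: flush request received
    steps.append(f"after flush: server via {table.lookup(10, 'server')}")
    steps.append(f"pc->server: {forward(table, 10, 'pc', 'server', '0/1')}")    # step 3
    steps.append(f"server->pc: {forward(table, 10, 'server', 'pc', '0/17')}")   # step 4
    steps.append(f"relearned: server via {table.lookup(10, 'server')}")
    return steps


def flush_destination_vlan(port_type: str, access_vlan: int, native_vlan: int,
                           configured_vlan: Optional[int] = None) -> int:
    """Table 16-5. configured_vlan is the value of 'switchport backup flush request
    transmit vlan N' (None when no destination VLAN is specified); only a trunk
    port sends to that designated VLAN, the other port types keep their VLAN."""
    if port_type == "access":
        return access_vlan
    if port_type == "trunk":
        return native_vlan if configured_vlan is None else configured_vlan
    if port_type in ("mac", "protocol"):
        return native_vlan
    raise ValueError(f"unknown port type {port_type!r}")


def flush_transmit_schedule(vlan: int) -> List[Tuple[float, str]]:
    """16.1.3 (1): the same frame is sent three times at one-second intervals."""
    frame = f"FLUSH-REQUEST vlan={vlan}"
    return [(float(t), frame) for t in range(3)]
```

The flush is deliberately table-wide: the Switch does not know which entries pointed through the failed path, so clearing everything and relearning is the only safe choice, which is also why a flush frame from a switch that does not recognise it (16.1.8 (4)) leaves stale entries in place.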
16.1.4 MAC address update functionality
This functionality updates the MAC address table of an upstream switch by sending MAC
address update frames instead of a flush control frame. Use it when the upstream switch is not a
Switch of this series (for example, another vendor's product) and does not support flush control
frames.
Figure 16-5: Overview of the address update functionality
(1) Sending operation
If a flush control frame that requests clearing of the MAC address table is configured to be sent,
a MAC address update frame is sent when the active port is switched. The Switch sends frames
from the new active port immediately after the switched primary and secondary ports are
enabled. If switchover is not successful, no frame is sent. A maximum of 1,024 MAC addresses,
which were taken from the MAC address table when the active port was switched, can be sent. If
more than 1,024 addresses were taken, the 1,025th address and thereafter are not sent and
operation log data is collected instead. Among the registered MAC addresses, only those that
meet all of the following conditions are sent:
• Learnt at a non-uplink port
• The VLAN of the learnt MAC address is included in the uplink port.
• Registered as a static, dynamic, or authentication (dot1x, WebAuth, and MacAuth) entry.
  (Snoop entries are not sent in MAC address update frames.)
• Not included in the exempted VLANs designated by the configuration
  (see (b) Target and exempted VLANs of the MAC address update functionality below).
The following figure shows an example of MAC addresses to be sent.
Figure 16-6: Example of MAC addresses to be sent
Table 16-6: MAC addresses to be sent
MAC address   VLAN   State of learning   Port   Destination
MAC (1)       10     MacAuth             0/19   Y
MAC (2)       50     Static              0/19   N
MAC (3)       30     WebAuth             0/19   N
MAC (4)       40     Dynamic             0/20   N
MAC (5)       20     Dynamic             0/20   Y
Legend
Y: To be sent; N: Not to be sent
(a) Number of frame re-transmissions
A maximum of three re-transmissions can be set in the configuration. At retransmission time the
MAC address table is not obtained again, and the same frames as the first transmission are sent.
(b) Target and exempted VLANs of the MAC address update functionality
• Target VLANs
  Among the VLANs learnt at the non-uplink ports, all VLANs included in the uplink port are
  targets. The MAC address update functionality sends all MAC addresses included in the
  above VLANs.
• Exempted VLANs
  If you have MAC addresses that you do not want the MAC address update functionality to
  send, exclude them in units of VLANs. Specify such a VLAN to exclude it from the target
  VLANs defined above. MAC addresses learnt in an exempted VLAN are not sent by the MAC
  address update functionality.
(c) Using with the functionality for sending and receiving flush control frames
This functionality and the functionality for sending and receiving flush control frames can be set
on the same port. In this case, send the flush control frames first, and send the MAC address
update frames later.
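To make the selection rule concrete, here is an added Python model (not code from the manual or from the AX1240S software) of the four conditions in (1), the 1,024-address cap with its overflow count, and the retransmission rule of (a) and (b). It reproduces the Destination column of Table 16-6 under an assumed configuration standing in for Figure 16-6: the uplink pair is ports 0/1 and 0/2, the uplink port carries VLANs 10, 20 and 30, and VLAN 30 is excluded. Those values and the MAC entries are constructed.

```python
"""Added example (not from the AX1240S manual): which MAC address table entries
uplink redundancy carries in MAC address update frames (16.1.4), including the
1,024-address cap and the retransmission rule. The uplink pair (0/1, 0/2), its
VLAN set and the excluded VLAN are assumptions chosen to reproduce Table 16-6."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

MAX_UPDATE_ADDRESSES = 1024   # the 1,025th address and later are dropped and logged
SENDABLE_TYPES = frozenset({"Static", "Dynamic", "Dot1x", "WebAuth", "MacAuth"})  # not Snoop


@dataclass(frozen=True)
class MacEntry:
    mac: str
    vlan: int
    learn_type: str    # Static, Dynamic, Dot1x, WebAuth, MacAuth or Snoop
    port: str


@dataclass(frozen=True)
class UplinkPort:
    primary: str
    secondary: str
    vlans: FrozenSet[int]           # VLANs the uplink port belongs to (target VLANs)
    exclude_vlans: FrozenSet[int]   # switchport backup mac-address-table update exclude-vlan

    def is_sendable(self, e: MacEntry) -> bool:
        """All four conditions of 16.1.4 (1) must hold."""
        return (e.port not in (self.primary, self.secondary)   # learnt at a non-uplink port
                and e.vlan in self.vlans                       # VLAN included in the uplink port
                and e.learn_type in SENDABLE_TYPES             # static, dynamic or authentication
                and e.vlan not in self.exclude_vlans)          # not an exempted VLAN


def select_update_addresses(table: List[MacEntry],
                            uplink: UplinkPort) -> Tuple[List[MacEntry], int]:
    """Returns (addresses to send, number dropped by the cap). A non-zero drop
    count is the excessive-detection event recorded in the operation log."""
    chosen = [e for e in table if uplink.is_sendable(e)]
    return chosen[:MAX_UPDATE_ADDRESSES], max(0, len(chosen) - MAX_UPDATE_ADDRESSES)


def update_frame_bursts(addresses: List[MacEntry], retransmit: int) -> List[List[str]]:
    """First transmission plus 0 to 3 retransmissions of the same snapshot; the
    table is not read again at retransmission time (16.1.4 (1)(a))."""
    if not 0 <= retransmit <= 3:
        raise ValueError("retransmit must be between 0 and 3")
    snapshot = [f"{e.mac}@vlan{e.vlan}" for e in addresses]
    return [list(snapshot) for _ in range(1 + retransmit)]


def table_16_6_demo() -> List[Tuple[str, str]]:
    """Reproduces the Destination column of Table 16-6 (Y: sent, N: not sent)."""
    uplink = UplinkPort("0/1", "0/2", frozenset({10, 20, 30}), frozenset({30}))
    table = [
        MacEntry("MAC (1)", 10, "MacAuth", "0/19"),
        MacEntry("MAC (2)", 50, "Static", "0/19"),    # VLAN 50 is not in the uplink port
        MacEntry("MAC (3)", 30, "WebAuth", "0/19"),   # VLAN 30 is excluded
        MacEntry("MAC (4)", 40, "Dynamic", "0/20"),   # VLAN 40 is not in the uplink port
        MacEntry("MAC (5)", 20, "Dynamic", "0/20"),
    ]
    return [(e.mac, "Y" if uplink.is_sendable(e) else "N") for e in table]


def overflow_demo() -> Tuple[int, int]:
    """1,100 sendable entries: 1,024 are sent and 76 are counted as overflow."""
    uplink = UplinkPort("0/1", "0/2", frozenset({10}), frozenset())
    table = [MacEntry(f"0000.0000.{i:04x}", 10, "Dynamic", "0/19") for i in range(1100)]
    sent, dropped = select_update_addresses(table, uplink)
    return len(sent), dropped
```

The overflow count is worth watching in the operation log: hosts beyond the 1,024th are simply not announced to the upstream switch and have to wait for normal relearning, so a persistently non-zero count is a sign that the exclude-vlan list should be used to trim what the update frames carry.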
(2) Receiving behavior
When the MAC address update frames are received, the MAC addresses are learnt as usual and
the MAC address table is updated. There is no configuration for receiving frames.
16.1.5 Functionality to fix the active port at Switch startup
Use the functionality to fix the active port at Switch startup if you want to always start
communication on the primary port when the Switch starts. When this functionality is enabled
on the Switch, communication via the uplink port does not start even if the secondary port is
enabled at startup. Instead, communication starts only when the primary port is enabled.
Operation proceeds as usual when communication has started on the primary port. If the primary
port fails or a user executes the appropriate operation command, the secondary port takes over
for the primary port. If the primary port link is disabled at switch startup because, for example,
an upstream switch on the primary port side has failed, execute the appropriate switchport
backup interface operation command to use the secondary port to start communication.
The following figure shows operation when active port locking at Switch startup is enabled.
Figure 16-7: Operation when functionality to fix the active port at Switch startup is enabled
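The preemption rules of 16.1.2, the port control of Table 16-4 and the startup lock described above all describe the state of a single primary/secondary pair, so they are easiest to check as one small state machine. The following Python model is an added example, not code from the manual or from the switch software; port numbers 0/1 and 0/20, the event names and the one-second tick are constructed assumptions.

```python
"""Added example (not from the AX1240S manual): a discrete-time model of one
uplink port pair covering switchover on link-down, automatic (delay 0), timer
(delay 1-300 s) and manual preemption (16.1.2), the port control of Table 16-4
and the startup active-port lock of 16.1.5. Port names, event names and the
one-second tick are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FORWARDING, BLOCKING = "Forwarding", "Blocking"


@dataclass
class UplinkPair:
    primary: str
    secondary: str
    preemption_delay: Optional[int] = None  # None: manual only; 0: automatic; 1-300: timer
    startup_primary_only: bool = False      # switchport-backup startup-active-port-selection
    link_up: Dict[str, bool] = field(default_factory=dict)
    active: Optional[str] = None            # None until communication has started
    primary_up_for: int = 0                 # seconds the primary has stayed up while standby

    def __post_init__(self) -> None:
        if self.preemption_delay is not None and not 0 <= self.preemption_delay <= 300:
            raise ValueError("preemption delay must be 0 to 300 seconds")
        self.link_up = {self.primary: False, self.secondary: False}

    def link_event(self, port: str, up: bool) -> None:
        """Link-up or link-down on one member port."""
        self.link_up[port] = up
        if not up:
            if port == self.primary:
                self.primary_up_for = 0            # link-down resets the timer measurement
            if port == self.active:
                self.active = self._partner(port)  # switchover (Table 16-4, rows 2, 4 and 5)
            return
        if self.active is None:
            # Startup: with the lock set, only the primary may start communication (16.1.5).
            if port == self.primary or not self.startup_primary_only:
                self.active = port
        elif not self.link_up[self.active]:
            self.active = port                     # the recovered port is the only usable one
        self._preempt_if_due()

    def tick(self, seconds: int = 1) -> None:
        """Advance time; the timer counts only while the primary stays link-up."""
        if self.active == self.secondary and self.link_up[self.primary]:
            self.primary_up_for += seconds
        self._preempt_if_due()

    def select(self, port: str) -> bool:
        """Manual preemption (select switchport backup interface): accepted only
        when the requested port is link-up (16.1.2 (2)(c))."""
        if not self.link_up[port]:
            return False
        self.active, self.primary_up_for = port, 0
        return True

    def port_control(self) -> Tuple[str, str]:
        """(primary, secondary) forwarding/blocking state as in Table 16-4."""
        return tuple(FORWARDING if p == self.active and self.link_up[p] else BLOCKING
                     for p in (self.primary, self.secondary))

    def _partner(self, port: str) -> str:
        return self.secondary if port == self.primary else self.primary

    def _preempt_if_due(self) -> None:
        if (self.preemption_delay is not None and self.active == self.secondary
                and self.link_up[self.primary] and self.primary_up_for >= self.preemption_delay):
            self.active, self.primary_up_for = self.primary, 0


def timer_scenario() -> List[Tuple[str, str, str]]:
    """Primary failure, recovery under a 10 s timer, a flap that resets the timer, preemption."""
    pair = UplinkPair("0/1", "0/20", preemption_delay=10)
    pair.link_event("0/1", True)
    pair.link_event("0/20", True)
    log = [("normal",) + pair.port_control()]
    pair.link_event("0/1", False)
    log.append(("primary down",) + pair.port_control())
    pair.link_event("0/1", True)
    pair.tick(6)
    log.append(("primary up for 6 s",) + pair.port_control())
    pair.link_event("0/1", False)                  # flap: the measurement goes back to zero
    pair.link_event("0/1", True)
    pair.tick(6)
    log.append(("after flap, up for 6 s",) + pair.port_control())
    pair.tick(4)
    log.append(("after 10 s",) + pair.port_control())
    return log


def manual_and_startup_scenario() -> Tuple[bool, bool, Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    """Manual preemption on a pair with no delay configured, then the startup lock."""
    manual = UplinkPair("0/1", "0/20")
    for port, up in (("0/1", True), ("0/20", True), ("0/1", False)):
        manual.link_event(port, up)
    rejected = manual.select("0/1")                # primary still down: not executable
    manual.link_event("0/1", True)
    manual.tick(300)                               # no delay configured: nothing happens
    still_secondary = manual.port_control()
    accepted = manual.select("0/1")
    locked = UplinkPair("0/1", "0/20", startup_primary_only=True)
    locked.link_event("0/20", True)                # secondary up first: nothing starts
    before_primary = locked.port_control()
    locked.link_event("0/1", True)
    return rejected, accepted, still_secondary, before_primary, locked.port_control()
```

Two details of the model matter operationally: a primary that flaps restarts the timer from zero, which is why the 30-second recommendation for spanning-tree upstreams in 16.1.8 (3) matters, and with the startup lock both ports stay blocking until the primary comes up, so a failed upstream on the primary side at boot needs the manual select command before any traffic flows.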
16.1.6 Operation logs, MIBs and traps
(1) Collecting operation logs
The following operations conducted in this functionality are logged as Switch events:
switchover and preemption between primary and secondary ports, clearing of the MAC address
table when the flush control frames are received, and excessive detection of MAC addresses
when MAC address update frames are sent. The operation log data can be viewed by using the
show logging operation command. If the functionality to output logs to the syslog server is set,
the collected operation logs are sent to the syslog server.
(2) Private MIBs and traps
This functionality supports private MIBs and private traps. For details of private MIBs, see the
manual MIB Reference. Use the snmp-server host configuration command to set whether a
private trap can be issued.
16.1.7 Using with other functionality
This functionality can be used with the following functionality. The following table describes
the operations when used with other functionality.
Table 16-7: Operations when used with other functionality
Other functionality          Can/cannot be        Operations when used at the same time
                             used with
Link aggregation             Can                  Can operate using an aggregated link.
Spanning tree                Cannot               Spanning trees are forcibly disabled at primary and
                                                  secondary ports (port by port).
L2 loop detection            Can                  Operates as set in the configuration. However, L2 loop
                                                  detection frames are not received at the port that
                                                  uplink redundancy has placed in the blocking state.
GSRP-aware                   Can                  Operates as normal. However, GSRP Flush request frames
                                                  are not received at the port that uplink redundancy
                                                  has placed in the blocking state.
OAN                          Can                  Operates as set in the configuration.
Authentication               Can (actual          Use this functionality together with the following
                             operation is not     functionality only on the same device:
                             recommended)         • IEEE 802.1X
                                                  • Web authentication
                                                  • MAC-based authentication
                                                  • DHCP snooping
                                                  Use with the above functionality at the primary and
                                                  secondary ports is not recommended.
MAC address table            Cannot               Can be configured. However, the two cannot actually be
static definition                                 used together, because the port named in the static MAC
                                                  address table definition is disabled by the switchover
                                                  of the primary and secondary ports.
Other functionality          Can                  Can be operated only at the port (primary or secondary)
                                                  that is in the forwarding state. How the functionality
                                                  operates depends on the setting of each primary or
                                                  secondary port; if different functionality is set on
                                                  the primary and secondary ports, operation follows the
                                                  setting of the currently operating port. No identity
                                                  check is performed on the configuration settings of the
                                                  primary and secondary ports.
16.1.8 Notes on using uplink redundancy
(1) Use with L2 loop detection
If only send is set on an L2 loop detection port, loops are detected but no switchover between
primary and secondary ports occurs. If L2 loop detection is also performed on the secondary port
after switching to it, the loop will be detected again unless the cause of the loop is eliminated. If
you use a port as the primary or secondary port and also as an L2 loop detection (send-inact)
port, the send-inact port is disabled when an L2 loop detection frame sent from another port is
received on it.
(2) Pairing a port with an uplink port
Set the same VLAN for the port that is paired with a primary or secondary port.
(3) Timer preemption wait time setting when spanning trees are used at a higher-level switch
When spanning trees are used at a higher-level switch, the status will be listening or
learning after recovering from a link-down state and communication cannot be restored
immediately. In this case, we recommend setting the timer preemption wait time to 30 seconds
or longer.
(4) Using the functionality for sending and receiving flush control frames
• Check whether the upstream switches support the reception of flush control frames sent by
  uplink redundancy. The MAC address table will not be cleared even if the Switch sends flush
  control frames to a switch that does not support the functionality. In this case, use the MAC
  address update functionality.
• If a VLAN Tag value is set here, the flush control frames are sent as tagged frames even if
  the target port is an access port.
• Specify the settings for sending the flush control frames on the primary port.
(5) Using the MAC address update functionality
Specify the MAC address update functionality on the primary port.
(6) Changing the setting in a loop structure
Uplink redundancy is used in a network whose physical topology forms a loop. When changing
the uplink redundancy settings, shut down the target uplink redundancy port beforehand, and
cancel the shutdown after changing the setting. If you change the setting without shutting down
the port, a loop might be formed.
16.2 Configuration
16.2.1 List of configuration commands
The following table describes the commands used to configure uplink redundancy.
Table 16-8: List of configuration commands
Command                                                   Description
switchport backup interface                               Specifies primary and secondary ports and the automatic
                                                          or timer preemption wait time.
switchport backup flush request transmit                  Enables the sending of flush control frames to request
                                                          that the upstream switches clear their MAC address tables.
switchport backup mac-address-table update transmit       Enables the sending of MAC address update frames to
                                                          request that the upstream switches update their MAC
                                                          address tables.
switchport backup mac-address-table update exclude-vlan   Specifies the VLAN to be excluded when sending MAC
                                                          address update frames.
switchport backup mac-address-table update retransmit     Specifies the number of re-transmissions of MAC address
                                                          update frames.
switchport-backup startup-active-port-selection           Enables active port locking at Switch startup.
16.2.2 Specifying the primary and secondary ports and timer preemption wait time
Overview
The example below shows how to configure Ethernet port 0/1 as the primary port and
Ethernet port 0/20 as the secondary port. The example specifies the timer preemption wait
time when the primary port is restored.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# switchport backup interface fastethernet 0/20
preemption delay 10
(config-if)# exit
Enters configuration mode for port 0/1, which is the primary port. Sets port 0/20 as the
secondary port and 10 seconds as the timer preemption wait time. After a switchover to
the secondary port, when 10 seconds or more have passed since the restoration of the
primary port, the primary port becomes the active port again.
Note
When spanning trees are used at the higher-level switch, the status will be listening or
learning after recovering from the link-down state and communication cannot be
restored immediately. In this case, we recommend that you set the timer preemption wait
time to 30 seconds or longer.
16.2.3 Setting the functionality to send/receive flush control frames to upstream switches
Overview
The example below shows how to configure Ethernet port 0/1 as the primary port and
specifies the sending of flush control frames. Also, the example specifies the VLAN Tag
value to be added to the flush control frames. No setting is required for reception.
Configuration command example
1.
(config)# vlan 10,50
(config-vlan)# exit
Configures VLAN 10 and 50.
2.
(config)# interface fastethernet 0/1
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan 10,50
(config-if)# switchport trunk native vlan 10
Configures port 0/1 as a trunk port that carries VLANs 10 and 50. Sets the native VLAN
to 10.
3.
(config-if)# switchport backup flush request transmit vlan 50
(config-if)# exit
Sets the VLAN Tag value to be added to the flush control frames to 50.
Notes
1.
When the VLAN Tag value is set here, the flush control frames are sent in the form of
tagged frames even if the target port is an access port.
2.
Configure the above settings for the primary port.
16.2.4 Setting the MAC address update functionality to upstream switches
Overview
The example below shows how to configure Ethernet port 0/1 as the primary port and
specifies the following:
• Configures the trunk port; VLANs 10, 20, 30, and 50; and native VLAN 10
• Enables the MAC address update functionality
• Configures a VLAN that is not subject to the MAC address update functionality
• Configures the number of update frame re-transmissions
The example sets Ethernet port 0/20 as the secondary port and configures the same VLANs
as for the primary port. No setting is required for reception.
Configuration command example
1.
(config)# vlan 10,20,30,50
(config-vlan)# exit
Configures VLAN 10, 20, 30 and 50.
2.
(config)# interface fastethernet 0/1
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan 10,20,30,50
(config-if)# switchport trunk native vlan 10
Configures port 0/1 as a trunk port that carries VLANs 10, 20, 30, and 50. Sets the native
VLAN to 10.
3.
(config-if)# switchport backup mac-address-table update transmit
Enables the MAC address update functionality.
4.
(config-if)# switchport backup mac-address-table update exclude-vlan 20
Configures VLAN 20 to be excluded.
5.
(config-if)# switchport backup mac-address-table update retransmit 3
(config-if)# exit
Sets the number of update frame re-transmissions to 3.
6.
(config)# interface fastethernet 0/20
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan 10,20,30,50
(config-if)# switchport trunk native vlan 10
(config-if)# exit
Configures port 0/20 as a trunk port that carries VLANs 10, 20, 30, and 50. Sets the native
VLAN to 10.
Note
Configure the above settings for the primary port.
16.3 Operation
16.3.1 List of operation commands
The following table describes the operation commands for uplink redundancy.
Table 16-9: List of operation commands
Command                                                  Description
show switchport backup                                   Displays information about flush control frames.
show switchport backup statistics                        Displays statistics pertaining to flush control frames.
clear switchport backup statistics                       Clears statistics pertaining to flush control frames.
select switchport backup interface                       Specifies the interface that performs manual preemption.
show switchport backup mac-address-table update          Displays information about MAC address update frames.
show switchport backup mac-address-table statistics      Displays statistics pertaining to MAC address update frames.
clear switchport backup mac-address-table statistics     Clears statistics pertaining to MAC address update frames.
16.3.2 Displaying the status of uplink redundancy
(1) Displaying the switchover status and the destination VLANs for flush control frames
You can display the switchover status of the primary and secondary ports, the remaining time of
automatic or timer preemption, and destination VLANs. The following figure shows the result
of executing the show switchport backup operation command.
Figure 16-8: Results of executing show switchport backup
> show switchport backup
Date 2010/01/08 16:48:07 UTC
Startup active port selection: primary only
Switchport backup pairs
Preemption
Primary
Status
Secondary Status
Delay Limit
Port 0/1
Blocking
Port 0/25 Forwarding
Port 0/10 Blocking
ChGr 4
Forwarding
100
98
*Port 0/11 Down
Port 0/15 Down
Port 0/26 Blocking
ChGr 1
Forwarding
30
25
ChGr 8
Blocking
Port 0/24 Forwarding
300
297
Flush
VLAN
4094
10
untag
100
>
Note
In the following case, no information about a primary/secondary pair is displayed:
• When the port channel interface designated as the secondary port is not configured
(2) Displaying statistics about the flush control frames
You can display statistics including the number of flush control frames sent and received, and
the number of received frames that cleared the MAC address table. The following figure shows
the result of executing the show switchport backup statistics operation command.
Figure 16-9: Results of executing show switchport backup statistics
> show switchport backup statistics
Date 2008/11/04 17:34:51 UTC
System ID : 00ed.f009.0001
Port 0/1 Transmit : on
  Transmit Total packets     :          3
  Receive  Total packets     :          0
           Valid packets     :          0
           Unknown version   :          0
           Self-transmitted  :          0
           Duplicate sequence :         0
  Last change time   : 2008/11/04 16:52:21 UTC (00:42:30 ago)
  Last transmit time : 2008/11/04 16:52:22 UTC (00:42:29 ago)
  Last receive time  :   Sender system ID : 0000.0000.0000
...
...
>
(3) Displaying the switchover status and the target VLANs for MAC address update frames
You can display the switchover status of the primary and secondary ports, the remaining time of
automatic or timer preemption, and the lists of target VLANs and exempted VLANs. The
following figure shows the result of executing the show switchport backup
mac-address-table update operation command.
Figure 16-10: Result of executing show switchport backup mac-address-table update
> show switchport backup mac-address-table update
Date 2010/01/08 18:02:40 UTC
Startup active port selection: primary only
Switchport backup pairs
Preemption
Retransmit
Primary
Status
Secondary Status
Delay Limit
Port 0/1
Down
Port 0/2
Forwarding
0
VLAN
: 1,101-149,151-200,2001-2049,2051-2100,4040-4049,4051-4094
Exclude-VLAN
: 50,150,1050,2050,3050,4050
Switchport backup pairs
Preemption
Retransmit
Primary
Status
Secondary Status
Delay Limit
Port 0/25 Down
Port 0/26 Forwarding
0
3
VLAN
: 1,101-149,151-200,2001-2049,2051-2100,4040-4049,4051-4094
Exclude-VLAN
: 50,150,1050,2050,3050,4050
Switchport backup pairs
Preemption
Retransmit
Primary
Status
Secondary Status
Delay Limit
ChGr 1
Down
ChGr 2
Forwarding
0
3
VLAN
: 1,101-149,151-200,2001-2049,2051-2100,4040-4049,4051-4094
Exclude-VLAN
: 50,150,1050,2050,3050,4050
>
Note
In the following case, no information about a primary/secondary pair is displayed:
• When the port channel interface designated as the secondary port is not configured
(4) Displaying statistics about the MAC address update frames
You can display statistics including the number of re-transmissions of MAC address update
frames and of the switchovers that occurred. The following figure shows the result of executing
the show switchport backup mac-address-table update statistics operation
command.
Figure 16-11: Results of executing show switchport backup mac-address-table update
statistics
> show switchport backup mac-address-table update statistics
Date 2009/03/20 18:04:33 UTC
System ID : 0012.e244.0000
Port 0/1
  Transition count              : 20094
  Update transmit total packets : 0
  Transmission over flows       : 0
  Last change time   : 2009/03/20 16:25:55 UTC (01:38:38 ago)
  Last transmit time : -
Port 0/2
  Transition count              : 20094
  Update transmit total packets : 294
  Transmission over flows       : 0
  Last change time   : 2009/03/20 16:25:59 UTC (01:38:34 ago)
  Last transmit time : 2009/03/20 16:26:07 UTC (01:38:26 ago)
Port 0/25
  Transition count              : 18743
  Update transmit total packets : 325020
  Transmission over flows       : 9224
  Last change time   : 2009/03/20 18:01:31 UTC (00:03:02 ago)
  Last transmit time : 2009/03/20 18:01:36 UTC (00:02:57 ago)
Port 0/26
  Transition count              : 18743
  Update transmit total packets : 4098830
  Transmission over flows       : 10569
  Last change time   : 2009/03/20 18:01:37 UTC (00:02:56 ago)
  Last transmit time : 2009/03/20 18:04:22 UTC (00:00:11 ago)
ChGr 1
  Transition count              : 511
  Update transmit total packets : 30553
  Transmission over flows       : 480
  Last change time   : 2009/03/20 18:01:29 UTC (00:03:04 ago)
  Last transmit time : 2009/03/20 18:01:19 UTC (00:03:14 ago)
ChGr 2
  Transition count              : 512
  Update transmit total packets : 128844
  Transmission over flows       : 480
  Last change time   : 2009/03/20 18:01:33 UTC (00:03:00 ago)
  Last transmit time : 2009/03/20 18:04:32 UTC (00:00:01 ago)
>
Note
In the following case, no information about a primary or secondary pair is displayed:
- When there is no configuration of the port channel interface designated as the secondary port
16.3.3 Manually switching over the primary and secondary ports
You can switch ports manually. The following figure shows the results of executing the select
switchport backup interface operation command.
Figure 16-12: Results of executing select switchport backup interface
# select switchport backup interface port-channel 8
#
Part 5
High Reliability Based on Network Failure Detection
17. Storm Control
Storm control functionality limits the number of flooding frames that are forwarded. This
chapter describes storm control and its use.
17.1 Description
17.2 Configuration
17.3 Operation
17.1 Description
17.1.1 Overview of storm control
If a loop exists in a Layer 2 network, broadcast frames are forwarded without limit between
switches, severely increasing network loads, and the load on connected devices. This condition
is called a broadcast storm and is a problem that must be avoided in Layer 2 networks.
Additionally, multicast storms, in which an unlimited number of multicast frames are forwarded,
and unicast storms, in which an unlimited number of unicast frames are forwarded, must be
avoided. Storm control refers to the functionality that limits the number of flooded frames that
are forwarded by a switch to control the impact of storms on the network and connected devices.
For the Switch, the maximum number of frames that are received per second can be specified as
a storm detection threshold (upper threshold) for each Ethernet interface so that frames
exceeding that threshold are discarded. You can specify three separate threshold values, one
each for broadcast frames, multicast frames, and unicast frames. If the number of received
frames exceeds the threshold, the port can be blocked, a private trap can be sent, or a log
message can be output.
17.1.2 Functionality to limit flow rate
The Switch can automatically stop the traffic or limit the flow rate when a storm is detected, and later cancel the limit.
The Switch blocks the frames or limits the flow rate to the designated level if the number of frames of a specific type (broadcast, multicast, or unicast) exceeds the storm detection threshold. If the number of frames of the designated type received per second exceeds the storm detection threshold (upper threshold), the Switch limits the flow rate to the flow rate limit value (lower threshold). By setting the detection threshold to zero, you can stop the traffic entirely after the storm is detected. If the flow rate then stays below the recovery-from-storm threshold for a specified period of time (the monitoring time for canceling the flow rate limit), the limit is canceled automatically. After the limit is canceled, the storm continues to be monitored against the recovery-from-storm threshold. The following chart describes the operation to limit the flow rate.
Figure 17-1: Operation to limit flow rate
Table 17-1: Explanation of the actions and periods of time in the figure
Storm detection
    Point at which a storm is detected. The action specified with the action command starts here.
Recovery from the storm
    Point at which recovery from the storm is detected. Recovery is reported by the action log and action trap settings.
Duration of the storm
    Period during which storm control is in effect. The action log and action trap settings report this period as the duration of the storm.
Storm detection threshold
    Threshold for detecting a storm. A storm is detected when the number of received frames exceeds the value (pps) specified in the configuration. Frames exceeding the threshold are discarded in hardware (upper threshold). If no recovery-from-storm threshold is set, the recovery-from-storm threshold is taken to be the same as the storm detection threshold.
Recovery-from-storm threshold
    Threshold for determining recovery from the storm. If the number of received frames falls below the value (pps) specified in the configuration, the Switch is determined to have recovered from the storm.
Flow rate limit value
    Value specified in the configuration that limits the flow rate (pps) after a storm is detected (lower threshold).
Duration of flow rate limitation
    Period during which the flow rate is limited.
Monitoring time for determining recovery from the storm
    When the number of received frames drops below the recovery-from-storm threshold (pps) and remains there for 30 seconds, the Switch is considered to have recovered from the storm.
Monitoring time for canceling the flow rate limitation
    When the number of received frames drops below the recovery-from-storm threshold (pps) and remains there for the period of time specified in the configuration, the flow rate limit is canceled.
17.1.3 Notes on using the storm control functionality
(1) Handling unicast frames
For the Switch, the frames counted for unicast storm detection and the frames discarded are not the same. A unicast storm is detected by counting all unicast frames received by the Switch, whereas the frames to be discarded are determined by counting only the flooded unicast frames, which are those whose destination MAC address is not registered in the MAC address table.
(2) Detecting storms and recovery
The Switch determines that a storm has occurred when the number of frames received in one
second exceeds the threshold specified in the configuration section. After a storm, if the number
of frames received per second drops below the threshold value and remains there for 30 seconds,
the Switch is considered to have recovered from the storm. (See Figure 17-1 Operation to limit
flow rate.)
(3) Checking recovery from a storm when a port is blocked
If a port is blocked when a storm occurs, recovery from a storm cannot be detected because the
port is no longer receiving any frames. If you set the port to be blocked when a storm occurs,
make sure that port recovery is performed by a method that uses a network monitoring device or
other device and not by the Switch.
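The following is an added example, not ALAXALA code, that models the storm control behaviour of 17.1.2 and Table 17-1 on one port as a second-by-second state machine: detection above the upper threshold, the lower threshold applied by action filter, cancellation of the limit after the filter-recovery-time, recovery after 30 seconds, and the blocked-port case of 17.1.3 (3), where an inactivated port can no longer observe recovery. The class and the traffic profiles are constructed for illustration; the re-application of the filter after cancellation is not modeled.

```python
"""Model of the storm control actions in 17.1.2 / Table 17-1 (added example, not ALAXALA code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Seconds below the recovery-from-storm threshold before the Switch reports recovery (Table 17-1).
RECOVERY_MONITOR_TIME = 30


@dataclass
class StormControlPort:
    detect: int                         # storm detection threshold, pps (upper threshold)
    recovery: Optional[int] = None      # recovery-from-storm threshold, pps (defaults to detect)
    action: str = "log"                 # "inactivate", "filter", or notification only ("log"/"trap")
    filter_rate: int = 0                # flow rate limit, pps (lower threshold), used by "filter"
    filter_recovery_time: int = 30      # monitoring time for canceling the flow rate limit, s
    blocked: bool = False
    filtering: bool = False
    storm: bool = False
    below: int = 0                      # consecutive seconds below the recovery threshold
    detect_count: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.recovery is None:
            self.recovery = self.detect

    def tick(self, t: int, received_pps: int) -> int:
        """Account one second of received frames; return the number forwarded."""
        if self.blocked:
            # An inactive port receives nothing, so the Switch cannot observe recovery
            # (17.1.3 (3)); an external monitor must re-activate the port.
            return 0
        if not self.storm:
            if received_pps <= self.detect:
                return received_pps
            # Storm detected: start the configured action.
            self.storm, self.below = True, 0
            self.detect_count += 1
            self.events.append((t, "storm detected"))
            if self.action == "inactivate":
                self.blocked = True
                self.events.append((t, "port inactivated"))
                return 0
            if self.action == "filter":
                self.filtering = True
        # Storm in progress: count seconds below the recovery threshold.
        self.below = self.below + 1 if received_pps < self.recovery else 0
        if self.filtering and self.below >= self.filter_recovery_time:
            self.filtering = False
            self.events.append((t, "filter canceled"))
        if self.below >= RECOVERY_MONITOR_TIME:
            self.storm, self.below = False, 0
            self.events.append((t, "recovered"))
        # Frames above the active limit are discarded in hardware.
        limit = self.filter_rate if self.filtering else self.detect
        return min(received_pps, limit)

    def activate(self) -> None:
        """Operator's activate command after the storm has been cleared externally."""
        self.blocked = self.storm = self.filtering = False
        self.below = 0


def run_scenario(port: StormControlPort, rates_pps: List[int]) -> List[int]:
    """Feed a constructed per-second receive profile; return forwarded pps per second."""
    return [port.tick(t, rate) for t, rate in enumerate(rates_pps, start=1)]
```

With the broadcast values of the 17.2.3 example (detect 50, recovery 40, filter 30, recovery time 15), a burst of 80 pps followed by 35 pps is limited to 30 pps, released after 15 seconds, and reported as recovered after 30 seconds.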
17.2 Configuration
17.2.1 List of configuration commands
The following table describes the configuration commands used for storm control.
Table 17-2: List of configuration commands
storm-control: Sets the threshold values for storm control. In addition, the operations to be performed when a storm is detected can be specified.
17.2.2 Basic settings
- Suppressing broadcast frames
To prevent broadcast storms, specify a threshold for the number of broadcast frames received through the Ethernet interface. Determine the number of frames used in normal operation first, and then specify a value that leaves some margin above it, because broadcast frames include frames required for communication, such as ARP packets.
- Suppressing multicast frames
To prevent multicast storms, specify a threshold for the number of multicast frames received through the Ethernet interface. Determine the number of frames used in normal operation first, and then specify a value that leaves some margin above it, because multicast frames include frames required for communication, such as control multicast frames like BPDUs and control packets for IPv4 multicast.
- Suppressing unicast storms
To prevent unicast storms, specify a threshold for the number of unicast frames received through an Ethernet interface. Determine the number of frames used in normal operation first, and then specify a value that leaves some margin above it.
Although the Switch uses the total number of received unicast frames to detect a unicast storm, only flooded unicast frames, that is, frames whose destination MAC addresses are not registered in the MAC address table, are counted as frames to be discarded instead of forwarded.
In particular, if you want to block a port when a storm is detected, specify a threshold value with sufficient margin so that frames from normal operation do not trigger storm detection.
- Operations when a storm is detected
Specify the operations the Switch performs when a storm is detected. For each port, select any combination of blocking the port, sending a private trap, and outputting a log message.
• Blocking a port
When a storm is detected on a port, the port is deactivated. Use the activate command to activate the port again after recovery from the storm.
• Sending a private trap
A private trap is sent as a notification when a storm is detected and again when recovery from the storm is detected.
• Outputting a log message
A log message is output as a notification when a storm is detected and again when recovery from the storm is detected. Note that a message is always output if a port is blocked.
Overview
In the example below, the configurable interfaces are Ethernet interfaces. The example shows how to configure the Switch so that, if a storm occurs on a port, the port is blocked.
Configuration command example
1.
(config)# interface fastethernet 0/10
(config-if)# storm-control broadcast level pps 50
Sets the threshold for detecting a storm of broadcast frames to 50 pps.
2.
(config-if)# storm-control multicast level pps 500
Sets the threshold for detecting a storm of multicast frames to 500 pps.
3.
(config-if)# storm-control unicast level pps 1000
Sets the threshold for detecting a storm of unicast frames to 1000 pps.
4.
(config-if)# storm-control action inactivate
(config-if)# exit
Deactivates a port when a storm is detected on the port.
17.2.3 Extended setting: Limiting flow rate
The storm detection threshold is set in the same way as in the basic setting. Instead of blocking the port, the Switch limits the flow rate to the level designated for each frame type.
Overview
The example below shows how to configure the Switch so that the flow rate is lowered when a storm occurs, that is, when the number of received frames exceeds the storm detection threshold. Set the monitoring time so that the flow rate limit is canceled automatically once the flow rate has returned to or below the threshold. Configure the Switch to output operation log data when a storm is detected and when the Switch recovers from the storm.
Configuration command example
1.
(config)# interface fastethernet 0/20
(config-if)# storm-control broadcast level pps 50 40
Sets the threshold for the recovery from the storm of broadcast frames to 40 pps in
addition to the basic setting in port 0/20.
2.
(config-if)# storm-control multicast level pps 500 400
Sets the threshold for the recovery from the storm of multicast frames to 400 pps in
addition to the basic setting.
3.
(config-if)# storm-control unicast level pps 1000 800
Sets the threshold for the recovery from the storm of unicast frames to 800 pps in
addition to the basic setting.
4.
(config-if)# storm-control action filter
Enables the setting for limiting the flow rate.
5.
(config-if)# storm-control filter-broadcast 30
Sets the flow rate limit of broadcast frames to 30 pps.
6.
(config-if)# storm-control filter-multicast 300
Sets the flow rate limit of multicast frames to 300 pps.
7.
(config-if)# storm-control filter-unicast 700
Sets the flow rate limit of unicast frames to 700 pps.
8.
(config-if)# storm-control filter-recovery-time 15
Sets the monitoring time for canceling the flow rate limitation to 15 seconds.
9.
(config-if)# storm-control action log
(config-if)# exit
Sets to output the operation logs in case of storm detection and recovery from the storm.
17.3 Operation
17.3.1 List of operation commands
The following table describes the operation commands for storm control.
Table 17-3: List of operation commands
show storm-control: Displays the status of storm control.
17.3.2 Checking the status of storm control
Use the show storm-control command to check the settings and the operating status of storm control. Confirm the storm detection threshold, the recovery-from-storm threshold, the flow rate limit value (lower threshold), the storm detection state, the number of storm detections, if any, and the time when the last storm was detected. Specify the detail parameter to also display the actions taken when a storm is detected, the monitoring time for canceling the flow rate limit, and its remaining time. The following figure shows the result of executing the show storm-control operation command:
Figure 17-2: Result of executing the show storm-control command
> show storm-control
Date 2009/03/24 10:46:35 UTC
<Broadcast>
Port  Detect  Recovery  Filter  State       Count  Last detect
0/1   200     100       100     Filtering   1      2009/03/24 10:46:25
0/2   200     100       -       Forwarding  0      ----/--/-- --:--:--
<Unicast>
Port  Detect  Recovery  Filter  State       Count  Last detect
0/1   10000   5000      5000    Filtering   1      2009/03/24 10:45:52
0/2   10000   5000      -       Forwarding  0      ----/--/-- --:--:--
>
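For monitoring, the summary output above can be parsed to list the ports that are currently under a storm. The following parser is an added example, not ALAXALA code; the column layout and the constructed sample text are assumed from Figure 17-2 rather than taken from a command reference.

```python
"""Parse the summary output of show storm-control (Figure 17-2) and report ports under a storm."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of Figure 17-2 (not captured from a switch).
SAMPLE_OUTPUT = """\
> show storm-control
Date 2009/03/24 10:46:35 UTC
<Broadcast>
Port  Detect  Recovery  Filter  State       Count  Last detect
0/1   200     100       100     Filtering   1      2009/03/24 10:46:25
0/2   200     100       -       Forwarding  0      ----/--/-- --:--:--
<Unicast>
Port  Detect  Recovery  Filter  State       Count  Last detect
0/1   10000   5000      5000    Filtering   1      2009/03/24 10:45:52
0/2   10000   5000      -       Forwarding  0      ----/--/-- --:--:--
>
"""

Record = Dict[str, object]


def _rate(token: str) -> Optional[int]:
    """'-' in the Filter column means no flow rate limit is configured for the port."""
    return None if token == "-" else int(token)


def parse_storm_control(text: str) -> Dict[Tuple[str, str], Record]:
    """Return {(frame_type, port): record} for every port row in the output."""
    records: Dict[Tuple[str, str], Record] = {}
    frame_type: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<") and line.endswith(">"):
            frame_type = line[1:-1].lower()       # <Broadcast>, <Multicast>, <Unicast>
            continue
        parts = line.split()
        # Skip the prompt, the Date line, the column header and anything before the first section.
        # A port row has 8 tokens because "Last detect" is a date and a time.
        if frame_type is None or len(parts) != 8 or parts[0] == "Port":
            continue
        port, detect, recovery, filt, state, count = parts[:6]
        last_detect = " ".join(parts[6:])
        records[(frame_type, port)] = {
            "detect": int(detect),
            "recovery": int(recovery),
            "filter": _rate(filt),
            "state": state,
            "count": int(count),
            "last_detect": None if last_detect.startswith("----") else last_detect,
        }
    return records


def ports_under_storm(records: Dict[Tuple[str, str], Record]) -> List[Tuple[str, str]]:
    """(frame_type, port) pairs whose state is anything other than Forwarding."""
    return sorted(key for key, rec in records.items() if rec["state"] != "Forwarding")
```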
Figure 17-3: Result of executing show storm-control detail (port 0/1 broadcast
detail displayed)
> show storm-control port 0/1 broadcast detail
Date 2009/03/24 10:48:20 UTC
<Broadcast>
Port 0/1
  Detect rate : 200
  Recover rate : 100
  Action : Filter,Trap,Log
  Filter rate : 100
  Filter recovery time : 30
<Status>
  State : Filtering
  Current rate : 189
  Detect count : 1
  Filter recovery remaining time : 30
  Current filter rate : 100
  Last detect : 2009/03/24 10:46:25
>
18. IEEE 802.3ah/UDLD
The IEEE 802.3ah/UDLD functionality detects unidirectional link failures to prevent related
network failures. This chapter describes the IEEE 802.3ah/UDLD functionality and its use.
18.1 Description
18.2 Configuration
18.3 Operation
18.1 Description
18.1.1 Overview
UDLD (Unidirectional Link Detection) functionality detects unidirectional link failures.
When a unidirectional link failure occurs, one switch is able to send data but cannot receive data, while the other switch is able to receive data but cannot send data. Upper-layer protocols then malfunction, and various other failures occur throughout the network. Known examples are loops in the spanning tree and frame losses caused by link aggregation. These failures can be prevented by setting the target port to be inactivated when a unidirectional link failure is detected.
The OAM (Operations, Administration, and Maintenance) protocol, which functions as part of the slow protocols in IEEE 802.3ah (Ethernet in the First Mile) and is referred to hereafter as IEEE 802.3ah/OAM, defines the following method: OAM status information is exchanged regularly between the local switch and the partner switch by using control frames, and the arrival of those frames at the remote device is checked to monitor the bidirectional link status. The Switch uses the IEEE 802.3ah/OAM functionality to monitor the bidirectional link status. If the status cannot be confirmed, the UDLD functionality detects a unidirectional link failure.
The IEEE 802.3ah/OAM protocol also includes the concept of active and passive modes. The active-mode switch starts sending control frames, and the passive-mode switch does not send any control frames until it has received one. Because the factory default setting of the Switch enables IEEE 802.3ah/OAM functionality, all ports operate in passive mode.
Unidirectional link failures are detected by executing the efmoam active udld configuration command on the port of one of the two switches connected by an Ethernet cable. For the correct detection of unidirectional link failures, IEEE 802.3ah/OAM functionality must also be enabled on the port of the other switch. If a unidirectional link failure is detected on the port configured with the efmoam active udld command, the port is deactivated, and a link failure is then detected on the port of the other switch. As a result, operation on the two target ports of the connected switches is stopped.
18.1.2 Supported specifications
IEEE 802.3ah/UDLD functionality supports IEEE 802.3ah/OAM functionality as described in
the following table.
Table 18-1: IEEE 802.3ah OAMPDUs supported by IEEE 802.3ah/UDLD functionality
Item                   Description                                        Supported
Information            Sends OAM status information to a remote device.   Y
Event Notification     Sends a link event warning to a remote device.     N
Variable Request       Asks a remote device for a MIB variable.           N
Variable Response      Sends the requested MIB variable.                  N
Loopback Control       Controls the loopback status of a remote device.   N
Organization Specific  Used for functionality expansion.                  N
Legend Y: Supported; N: Not supported
18.1.3 Notes on using IEEE 802.3ah/UDLD
(1) When a switch that does not support IEEE 802.3ah/OAM functionality is connected between switches configured with IEEE 802.3ah/UDLD functionality
Because a standard switch does not forward the control frames used by IEEE 802.3ah/OAM functionality, information cannot be exchanged between the switches, and a unidirectional link failure is detected on the port configured with the efmoam active udld configuration command. Accordingly, IEEE 802.3ah/UDLD functionality cannot be used in this topology.
(2) When a media converter or other relay device is connected between switches configured with IEEE 802.3ah/UDLD functionality
If a media converter that does not automatically disconnect its link when the link on the other side is disconnected is installed between the switches, the two switches recognize the link status differently. Accordingly, a unidirectional link failure is detected on the port configured with the efmoam active udld command even when the remote device is simply not operating. When attempting recovery from a failure, both switches must be synchronized, which makes operation more difficult. Use a media converter that automatically disconnects its link when the link on the other side is disconnected.
(3) Connecting to the UDLD functionality of another manufacturer's switch
The IEEE 802.3ah/UDLD functionality of the Switch and the UDLD functionality of other manufacturers' switches cannot be interconnected because UDLD specifications differ by manufacturer.
18.2 Configuration
18.2.1 List of configuration commands
The following table describes the commands used to configure IEEE 802.3ah/UDLD.
Table 18-2: List of configuration commands
efmoam active: Activates IEEE 802.3ah/OAM functionality on a physical port.
efmoam disable: Disables IEEE 802.3ah/OAM functionality.
efmoam udld-detection-count: Specifies the counter value for determining a unidirectional link failure.
18.2.2 Configuring IEEE 802.3ah/UDLD
(1) Configuring IEEE 802.3ah/UDLD functionality
Overview
To use IEEE 802.3ah/UDLD functionality, first enable IEEE 802.3ah/OAM functionality
for the entire switch. As the factory default setting, IEEE 802.3ah/OAM functionality is
enabled for the Switch (all ports are set to passive mode). Next, configure active mode with
the UDLD parameter added for the ports on which you want to activate the functionality to
detect unidirectional link failures. In this subsection, IEEE 802.3ah/UDLD functionality is
used for fastethernet 0/1.
Configuration command example
1.
(config)# interface fastethernet 0/1
Switches to the Ethernet interface configuration mode for port 0/1.
2.
(config-if)# efmoam active udld
(config-if)# exit
Sets active mode for the IEEE 802.3ah/OAM functionality port 0/1 to initiate the
detection of unidirectional link failures.
(2) Setting the unidirectional link failure detection count
Overview
A unidirectional link failure is detected when the number of successive failures of the bidirectional link status check, each caused by a timeout waiting for information sent from the link partner, reaches a predetermined number. This predetermined number is the unidirectional link failure detection count. The bidirectional link status is checked once every second. By changing the unidirectional link failure detection count, you can adjust the length of time between the actual occurrence of a unidirectional link failure and the time at which it is detected. If you decrease the count value, failures are detected closer to the time of occurrence, but the risk of false detection is greater. Usually, it is not necessary to change this setting. The approximate time from the occurrence of a unidirectional link failure to its detection is as follows (note that a deviation of up to 10% is possible):
5 + unidirectional-link-failure-detection-count seconds
Configuration command example
1. (config)# efmoam udld-detection-count 60
Sets to 60 the maximum number of successive timeouts allowed for information sent
from the other switch before detecting a unidirectional link failure.
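The following is an added example, not ALAXALA code, that simulates the exchange of 18.1.1 and the detection count of 18.2.2 (2) between an active udld port and a passive partner: each side sends an Information OAMPDU once per second, the passive side only after it has received one, and the udld port counts once-a-second checks that find the partner expired. The 5-second lost-link timeout is an assumption chosen to match the "5 + detection count" estimate above; port state names follow Figure 18-1.

```python
"""Simplified model of the IEEE 802.3ah/OAM exchange and the UDLD timeout count (added example)."""
from dataclasses import dataclass
from typing import Optional

LOST_LINK_TIMEOUT = 5     # assumed: seconds without an OAMPDU before the partner counts as expired
FORCED_DOWN = "Forced Down (UDLD)"


@dataclass
class OamPort:
    name: str
    active: bool                  # active mode sends first; passive mode answers only
    udld: bool = False            # efmoam active udld configured on this port
    state: str = "Down"
    last_rx: Optional[int] = None
    misses: int = 0               # consecutive once-a-second checks that found the partner expired
    tx: int = 0
    rx: int = 0
    expirings: int = 0

    def may_send(self) -> bool:
        # A passive port sends no control frame until it has received one (18.1.1).
        return self.state != FORCED_DOWN and (self.active or self.last_rx is not None)

    def receive(self, now: int, partner_sees_us: bool) -> None:
        """Information OAMPDU from the partner; it tells us whether the partner has seen us."""
        self.rx += 1
        self.last_rx = now
        self.state = "Mutually Seen" if partner_sees_us else "Partner Seen"

    def check(self, now: int, detection_count: int) -> bool:
        """Once-a-second bidirectional check; True when this port is forced down by UDLD."""
        if self.state == FORCED_DOWN:
            return True
        if self.last_rx is None:
            return False                       # discovery has not started yet
        if now - self.last_rx > LOST_LINK_TIMEOUT:
            if self.misses == 0:
                self.expirings += 1            # counted once per expiry (Expirings in Figure 18-2)
            self.misses += 1
            if self.udld and self.misses >= detection_count:
                self.state = FORCED_DOWN
                return True
        else:
            self.misses = 0
        return False


@dataclass
class Link:
    a: OamPort
    b: OamPort
    a_to_b: bool = True      # False models a unidirectional failure in that direction
    b_to_a: bool = True


def simulate(link: Link, seconds: int, detection_count: int,
             fail_at: Optional[int] = None, fail_direction: str = "b_to_a") -> Optional[int]:
    """Run the exchange second by second; return the second in which UDLD forced a port down."""
    detected = None
    for now in range(1, seconds + 1):
        if fail_at is not None and now >= fail_at:
            setattr(link, fail_direction, False)
        a_sends, b_sends = link.a.may_send(), link.b.may_send()
        if a_sends:
            link.a.tx += 1
            if link.a_to_b:
                link.b.receive(now, partner_sees_us=link.a.last_rx is not None)
        if b_sends:
            link.b.tx += 1
            if link.b_to_a:
                link.a.receive(now, partner_sees_us=link.b.last_rx is not None)
        for port, partner in ((link.a, link.b), (link.b, link.a)):
            if port.check(now, detection_count) and port.udld:
                detected = detected or now
                partner.state = "Down"   # inactivating the port takes the link down for the partner
    return detected
```

With the b-to-a direction failing from second 11 (last frame received at second 10) and a detection count of 3, the udld port is forced down at second 18, that is 5 + 3 seconds after the last received frame.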
18.3 Operation
18.3.1 List of operation commands
The following table describes the operation commands for IEEE 802.3ah/OAM.
Table 18-3: List of operation commands
show efmoam: Displays the IEEE 802.3ah/OAM configuration information and port setting information.
show efmoam statistics: Displays statistics regarding IEEE 802.3ah/OAM.
clear efmoam statistics: Clears statistics regarding IEEE 802.3ah/OAM.
18.3.2 Displaying IEEE 802.3ah/OAM information
To display IEEE 802.3ah/OAM information, use the show efmoam operation command. The
show efmoam command displays the IEEE 802.3ah/OAM configuration information and
information about the ports in active mode. The show efmoam statistics operation
command displays the status of failures detected by the IEEE 802.3ah/UDLD functionality in
addition to IEEE 802.3ah/OAM protocol statistics.
Figure 18-1: Results of executing the show efmoam command
> show efmoam
Date 2008/11/13 17:36:11 UTC
Port  Status              Dest MAC
0/1   Forced Down (UDLD)  0012.e214.ffae
0/2   Mutually Seen       0012.e214.ffaf
0/3   Partner Seen        0012.e214.ffb0
0/4   Down                unknown
0/5   Down                unknown
>
Figure 18-2: Result of executing the show efmoam statistics command
> show efmoam statistics
Date 2008/11/13 17:35:25 UTC
Port 0/1 [Forced Down (UDLD)]
  OAMPDUs:Tx        :    133   Rx        :     57
          Invalid   :      0   Unrecogn. :      0
          Expirings :      1   Thrashings:      0   Blockings:      1
Port 0/2 [Mutually Seen]
  OAMPDUs:Tx        :    771   Rx        :    750
          Invalid   :      0   Unrecogn. :      0
          Expirings :      0   Thrashings:      0   Blockings:      0
Port 0/3 [Partner Seen]
  OAMPDUs:Tx        :    631   Rx        :    593
          Invalid   :      0   Unrecogn. :      0
          Expirings :      0   Thrashings:      0   Blockings:      0
>
19. L2 Loop Detection
L2 loop detection is functionality that detects a loop failure in a Layer 2 network and corrects the
loop failure by blocking the port causing the loop. This chapter describes L2 loop detection and
its use.
19.1 Description
19.2 Configuration
19.3 Operation
19.1 Description
19.1.1 Overview
If a loop failure occurs in a Layer 2 network, MAC address learning becomes unstable, or normal communication cannot continue because of the load on the switch. Protocols such as Spanning Tree are provided to avoid such states. Generally, the L2 loop detection functionality corrects loop failures in a non-redundant access network, not in the core network where those protocols are used.
When an L2 loop failure under the control of the Switch is detected, the L2 loop detection functionality deactivates (sets to inactive) the port on which the failure was detected, isolating the cause of the failure from the network. Isolation is necessary to prevent the loop failure from spreading throughout the entire network.
Figure 19-1: Examples of loop failures
Loop failure 1.
A line is connected incorrectly to Switch A, resulting in a loop failure.
Loop failures 2 and 3.
A line is connected incorrectly from Switch A or B to a lower-level switch or to an L2 switch, resulting in a loop failure.
Loop failure 4.
A line is connected incorrectly to a lower-level switch, resulting in a loop failure that spreads to the core network.
As described above, the L2 loop detection functionality can detect loop failures in various locations, including those caused by incorrect connections to the Switch or to other switches.
19.1.2 Overview of the operation
In L2 loop detection, a control frame for detecting an L2 loop (an L2 loop detection frame) is
sent regularly from the port (a physical port or a channel group) specified in the configuration
section. If the L2 loop detection frame sent from the Switch is received on a port on which the L2
loop detection functionality is enabled, a loop failure is determined, and the port on which the
frame is received or the port originating the frame is deactivated (inactive).
After the cause of the loop failure has been corrected, an operation command can be used to
activate the inactive port. If the automatic-restoration functionality has been configured, the
deactivated port can be activated automatically.
(1) Types and actions of ports used by the L2 loop detection functionality
Listed below are the types of ports used by the L2 loop detection functionality. The port types are set using the configuration command loop-detection.
• Detecting port
The default state when the L2 loop detection functionality is enabled (the configuration command loop-detection has not been set on the port)
• Detecting and blocking port (send-inact-port)
The L2 loop detection functionality is enabled. The port is deactivated when it receives an L2 loop detection frame sent from the local switch.
• Detecting and sending port (send-port)
The L2 loop detection functionality is enabled. The port is not deactivated, even when it receives an L2 loop detection frame sent from the local switch.
• Uplink port (uplink-port)
The port connected to a higher-level network, or a key port, on which the L2 loop detection functionality is enabled
• Out-of-scope port (exception-port)
A port on which the L2 loop detection functionality is disabled.
The following table describes the actions of ports.
Table 19-1: Types and actions of ports
(The last three columns are the actions when receiving the L2 loop detection frames from a local switch.)
Type of port      L2 loop detection  Sending L2 loop   Deactivating  Collecting   Sending
                  functionality      detection frames  the port      action logs  traps
Detecting port    Enabled            --                --            Y            Y
send-inact-port   Enabled            Y                 Y             Y            Y
send-port         Enabled            Y                 --            Y            Y
uplink-port       Enabled            --                #             Y            Y
exception-port    Disabled           --                --            --           --
Legend Y: Performed --: Not performed
#
The behavior is as follows when a loop is detected in the uplink port:
- The uplink port is not deactivated.
- If the L2 loop detection frame is sent from the send-inact-port, the port is deactivated.
- If the L2 loop detection frame is sent from the send-port, the port is not deactivated.
(2) Sending L2 loop detection frames
(a) Tagged frames
For the VLANs in switchport trunk allowed vlan of a trunk port and in switchport mac dot1q vlan of a MAC port, one L2 loop detection frame per relevant VLAN is sent as a tagged frame. L2 loop detection frames for the switchport trunk native vlan of a trunk port are sent as untagged frames.
(b) Untagged frames
• Access port
L2 loop detection frames for the VLANs to which the port belongs are sent as untagged frames.
• Protocol port and MAC port
When multiple VLANs are multiplexed on the port, L2 loop detection frames are aggregated and sent as untagged frames. (Frames for the redundant VLANs are not sent.)
(c) Ports from which frames are sent
• interface fastethernet
• interface gigabitethernet
• interface port-channel (frames are sent per logical port, not per physical port)
The number of L2 loop detection frames sent from each port varies depending on the type of port (access, trunk, protocol, or MAC) and the number of VLANs accommodated.
(d) Interval for sending frames
An L2 loop detection frame is sent for every VLAN belonging to the detecting and blocking port and the detecting and sending port within the interval specified in the configuration. The sending interval of L2 loop detection frames can be set with the configuration command loop-detection interval.
(e) Sending rate and the number of frames sent
L2 loop detection frames are sent from the ports and VLANs that fall within the range of device capacities. No frames exceeding the capacities are sent, and a port or VLAN that cannot send frames cannot detect loop failures.
For details of device capacities, see 3.2 Switch capacities in the Configuration Guide Vol. 1.
(3) Receiving L2 loop detection frames and deactivating ports
(a) Setting the threshold number of L2 loop detection frames received before deactivating ports
The threshold for the number of L2 loop detection frames that can be received before
deactivating ports is set with the configuration command loop-detection threshold.
If this command is omitted, the port is deactivated when the first L2 loop detection frame is
received. Setting this command is effective when you want to avoid deactivating the detecting
and blocking port by the detection of a temporary L2 loop failure.
(b) Retaining the number of L2 loop detections
The number of received L2 loop detection frames from a local switch is calculated for each port.
The number is retained until the port is deactivated and is cleared immediately after the port is
deactivated. The length of time for retaining the number of L2 loop detection frames can be set
with the configuration command loop-detection hold-time. The number of the received
frames is retained for the period specified with this command. If no frame is received during the
specified retention time, the number is cleared.
(c) Deactivating ports
Ports are deactivated in units of physical ports. If any port that belongs to a channel group goes down, inactivate is issued to all physical ports that belong to the same channel group, deactivating them. The same applies to any standby port using the standby link functionality (link-down/no-link-down).
(4) Restoring the deactivated ports
There are two ways to restore the port deactivated by the L2 loop detection functionality:
manual restoration and automatic restoration.
(a) Manual restoration
A port deactivated by the L2 loop detection functionality can be restored per physical port by using the operation command activate. Ports in a channel group are also restored per physical port. When one physical port of a channel group deactivated by the L2 loop detection functionality links up, the whole channel group is restored.
(b) Automatic restoration
This functionality automatically restores a port deactivated by L2 loop detection after a specified period of time. It is enabled with the configuration command loop-detection auto-restore-time. If the ports of a channel group have been deactivated, an activate command is issued to all physical ports that belong to the same group. The same command is automatically issued for any standby port using the standby link functionality (link-down/no-link-down).
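The following is an added example, not ALAXALA code, that models what 19.1.2 (1), (3) and (4) describe for frames the Switch receives back from itself: which port type is deactivated (Table 19-1 and its note), the loop-detection threshold, the clearing of the count after hold-time, channel-group-wide deactivation, and manual or automatic restoration. The class, port names, and event log format are constructed for illustration; frame sending, VLAN handling and standby link ports are not modeled.

```python
"""Model of counting received own L2 loop detection frames, deactivating and restoring ports."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DETECTING = "detecting-port"     # default when loop-detection is not set on the port
SEND_INACT = "send-inact-port"
SEND = "send-port"
UPLINK = "uplink-port"
EXCEPTION = "exception-port"


@dataclass
class LoopPort:
    name: str
    kind: str = DETECTING
    channel_group: Optional[int] = None
    active: bool = True
    count: int = 0                       # received own loop detection frames (cleared on deactivation)
    last_rx: Optional[int] = None
    inactivated_at: Optional[int] = None


@dataclass
class LoopDetector:
    threshold: int = 1                        # loop-detection threshold; default: first frame deactivates
    hold_time: Optional[int] = None           # loop-detection hold-time, s; None keeps the count
    auto_restore_time: Optional[int] = None   # loop-detection auto-restore-time, s; None: manual only
    ports: Dict[str, LoopPort] = field(default_factory=dict)
    log: List[Tuple] = field(default_factory=list)   # received frame and deactivation event logs

    def add_port(self, name: str, kind: str = DETECTING, channel_group: Optional[int] = None) -> None:
        self.ports[name] = LoopPort(name, kind, channel_group)

    def receive(self, now: int, rx_port: str, src_port: str, vlan: int) -> List[str]:
        """An own loop detection frame sent from src_port arrived on rx_port.
        Returns the names of the ports deactivated as a result."""
        rx, src = self.ports[rx_port], self.ports[src_port]
        if rx.kind == EXCEPTION:
            return []                                   # functionality disabled: frame ignored
        self.log.append((now, "loop frame received", rx_port, src_port, vlan))
        if rx.kind == SEND_INACT:
            target = rx                                 # Table 19-1: the receiving port goes down
        elif rx.kind == UPLINK and src.kind == SEND_INACT:
            target = src                                # Table 19-1 note #: the sending port goes down
        else:
            target = None                               # send-port / detecting port: log and trap only
        if target is None or not target.active:
            return []
        if (self.hold_time is not None and target.last_rx is not None
                and now - target.last_rx > self.hold_time):
            target.count = 0                            # no frame within hold-time: count cleared
        target.count += 1
        target.last_rx = now
        if target.count < self.threshold:
            return []
        return self._inactivate(now, target)

    def _inactivate(self, now: int, target: LoopPort) -> List[str]:
        # Deactivation is per physical port; every member of the same channel group goes down too.
        members = [target]
        if target.channel_group is not None:
            members = [p for p in self.ports.values() if p.channel_group == target.channel_group]
        for p in members:
            p.active, p.count, p.last_rx, p.inactivated_at = False, 0, None, now
            self.log.append((now, "inactivate", p.name))
        return [p.name for p in members]

    def activate(self, name: str) -> None:
        """Operator's activate command (manual restoration)."""
        p = self.ports[name]
        p.active, p.inactivated_at = True, None
        self.log.append((None, "activate", name))

    def tick(self, now: int) -> List[str]:
        """Automatic restoration once auto-restore-time has elapsed since deactivation."""
        restored: List[str] = []
        if self.auto_restore_time is None:
            return restored
        for p in self.ports.values():
            if (not p.active and p.inactivated_at is not None
                    and now - p.inactivated_at >= self.auto_restore_time):
                p.active, p.inactivated_at = True, None
                self.log.append((now, "auto-restore", p.name))
                restored.append(p.name)
        return restored
```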
19.1.3 Use with Layer 2 functionality
The following table shows how the L2 loop detection functionality can be used simultaneously
with other functionality.
Table 19-2: Use of L2 loop detection functionality with other functionality
(For each functionality and item: use in the same switch / use in the same port, followed by the actions when used at the same time.)
Link aggregation, IEEE 802.3ad: Yes / Yes
    When the physical ports belonging to a channel group that was deactivated by the L2 loop detection functionality link up, the channel group is restored.
MAC address table, MAC address learning: Yes / Yes
    The L2 loop detection frames are excluded from learning.
Port VLAN, port-based VLAN: Yes / Yes
    Frames are sent as untagged frames.
Protocol VLAN, protocol-based VLAN: Yes / Yes
    If there are multiple VLANs, L2 loop detection frames are aggregated and sent.
MAC VLAN, MAC VLAN: Yes / Yes
    If there are multiple VLANs, L2 loop detection frames are aggregated and sent.
Spanning tree, IEEE 802.1d, IEEE 802.1w, IEEE 802.1s, PVST+: Yes / Yes#
    Sending and receiving L2 loop detection frames is possible only while the port is forwarding.
DHCP snooping, terminal filter: Yes / Yes
    The L2 loop detection frames are excluded from DHCP snooping.
Filter, permit/deny: Yes / Yes
    The L2 loop detection frames are excluded from filtering.
QoS, change in priority: Yes / Yes
    The L2 loop detection frames are excluded from QoS flows.
Priority of the outgoing frames, setting user-priority: Yes / Yes
    The L2 loop detection frames are excluded from the priority setting of outgoing frames.
Layer 2 authentication, IEEE 802.1X, Web authentication, MAC-based authentication: Yes / Yes
    Sending and receiving L2 loop detection frames is possible even before authentication.
#
When used on the same port and the port deactivated by the L2 loop detection functionality is inactive, the topology of the spanning tree changes.
19.1.4 Operation logs and traps
(1) Collecting operation logs
This functionality collects two types of logs: received frame logs and loop
detection/deactivation event logs.
(a) Received frame logs
This functionality collects 1,000 received L2 loop detection frames, which were sent from the
Switch. It collects such information as frame sending/receiving ports, VLAN number, and port
actions. The received frame logs can be checked by the operation command show
loop-detection logging. The received frame logs are not sent to the syslog server.
(b) Loop detection/deactivation event logs
The logs collect such information as loop failures detected by the L2 loop detection functionality
and the operations such as deactivation and restoration on ports in the operation log as device
events. The operation logs can be seen by the operation command show logging. The loop
detection/deactivation event logs are sent to the syslog server.
(2) Private MIB/Trap
This functionality supports private MIB and private traps. For details of private MIBs, see the
manual MIB Reference. Use the configuration command snmp-server host to determine
whether a private trap is issued or not.
19.1.5 Application example
The following figure shows a network configuration in which the L2 loop detection
functionality is used.
Figure 19-2: An example of a network configuration in which the L2 loop detection functionality is used
(1) Using detecting and blocking ports
This port type is generally specified for L2 loop detection. As shown by the Switches A and B in
the figure, specifying lower-level ports as detecting and blocking ports is effective for failures
caused by incorrect lower-level connections (see 1, 2, and 3 in the figure).
(2) Using detecting and sending ports
This port type is effective for minimizing the extent of a loop failure when L2 loop detection is
used on a switch at the lowest possible level. When a switch is connected to multiple layers (see
Switches A and C in the figure), if a port on the Switch A side is deactivated due to an incorrect
connection (2 in the figure), none of the terminals on Switch C that are unrelated to the loop
failure can connect to a higher-level network. This is why using the L2 loop detection
functionality in a lower-level switch (Switch C in the figure) is recommended.
For such cases, specify a port on the Switch A side as the detecting and sending port. This setting
allows Switch C to detect loop failures during normal operation, and if Switch C is unable to
detect loop failures because its L2 loop detection is configured incorrectly, Switch A can detect
the loop failures instead. (In this case, Switch A does not deactivate the port.)
(3) Using uplink ports
Specify an uplink port for ports connected to a higher-level network or for ports that will connect
to the core network. If an incorrect connection such as item 4 in the figure is found, this setting
allows the connection to the core network to be preserved, because the source port on Switch A
(not the uplink port) is deactivated.
19.1.6 Notes on using the L2 loop detection functionality
(1) Operation on a protocol VLAN or MAC VLAN
An L2 loop detection frame is an untagged frame with its own format. Because the L2 loop
detection frame is transferred as a native VLAN on a protocol port or a MAC port, a loop failure
across switches might not be detected if the following conditions are met:
• A port on the core network side is specified as an uplink port.
• No native VLANs are specified on the core network side.
In such cases, if a port on the core network side specified as an uplink port is specified as the
detecting and sending port, loop failures can be detected. The following are specific
configuration examples.
(a) Example configuration in which loop detection is restricted
In the configuration shown in the figure below, if the connection between hubs under the Switch
is incorrect, a loop across switches occurs. In the figure, Switch A sends an L2 loop detection
frame from the detecting and blocking port on the hub side, but the frame is not sent from the
uplink port on the core switch side. Because Switch B tries to transfer the L2 loop detection
frame received on the MAC port as a native VLAN, the L2 loop detection frame is not
forwarded to the core switch side. In such cases, loop failures cannot be detected because the L2
loop detection frame is not returned to Switch A.
Figure 19-3: Configuration in which loop detection is restricted
(b) Example configuration in which loops can be detected
If a port on the core switch side of Switch A is specified as a detecting and sending port, Switch
A can detect loop failures because Switch B forwards the L2 loop detection frame received from
the port on the core switch side to the MAC port.
Figure 19-4: Configuration in which loops can be detected
(2) Operation when the tag translation functionality is used on other devices
If the tag of an L2 loop detection frame sent from the Switch was translated on another device
and received as another VLAN of the Switch, it is determined that a loop failure has occurred.
(3) Operating environment for L2 loop detection
When the L2 loop detection functionality is used, if a switch that does not support the
functionality is installed on the same network and receives a loop detection frame, it discards the
frame. Therefore, if a loop failure occurs on the path containing these switches, the failure is not
detected.
(4) Functionality that activates a deactivated port automatically (automatic-restoration functionality)
Note the following if you use the automatic-restoration functionality in static link aggregation:
• If you use the auto-negotiation functionality for connection, specify a line speed. If you do not
specify a line speed, the line speed might temporarily vary due to degradation of the line
quality, in which case the low-speed line might be withdrawn from the target channel group.
If a loop is detected in this state, the automatic-restoration functionality might not operate in
the target channel group.
If the automatic-restoration functionality does not operate, correct the cause of the loop, and then
use the activate operation command to place the port in active status.
19.2 Configuration
19.2.1 List of configuration commands
The following table describes the commands used to configure L2 loop detection.
Table 19-3: List of configuration commands
Command                          | Description
---------------------------------+------------------------------------------------------------------------------------
loop-detection                   | Sets the port type for the L2 loop detection functionality.
loop-detection auto-restore-time | Sets the time until a deactivated port is activated automatically.
loop-detection enable            | Enables the L2 loop detection functionality.
loop-detection hold-time         | Sets the length of time for which the count of received L2 loop detection frames is held before a port is deactivated.
loop-detection interval-time     | Sets the interval for sending L2 loop detection frames.
loop-detection threshold         | Sets the number of L2 loop detection frames to be received before a port is deactivated.
19.2.2 Configuring the L2 loop detection functionality
(1) Enabling L2 loop detection and specifying the type of port for L2 loop detection
Overview
The example below shows how to set up the L2 loop detection configuration to enable L2
loop detection for the entire switch, and to specify which ports actually detect L2 loop
failures and which are L2 loop detection out-of-scope ports.
Configuration command example
1. (config)# loop-detection enable
   Enables L2 loop detection.
2. (config)# interface fastethernet 0/2
   (config-if)# loop-detection send-inact-port
   (config-if)# exit
   Sets port 0/2 as a detecting and blocking port.
3. (config)# interface fastethernet 0/4
   (config-if)# loop-detection send-port
   (config-if)# exit
   Sets port 0/4 as a detecting and sending port.
4. (config)# interface gigabitethernet 0/25
   (config-if)# loop-detection uplink-port
   (config-if)# exit
   Sets port 0/25 as an uplink port.
5. (config)# interface fastethernet 0/1
   (config-if)# loop-detection exception-port
   (config-if)# exit
   Sets port 0/1 as an L2 loop detection out-of-scope port.
(2) Setting the interval for sending L2 loop detection frames
Overview
Frames that would exceed the maximum transmission rate of L2 loop detection frames are not sent,
and loop failures can no longer be detected on the ports or VLANs from which the frames could
not be sent. If the maximum transmission rate of L2 loop detection frames is exceeded, specify a
longer interval so that no frames exceed the transmission rate.
Configuration command example
1. (config)# loop-detection interval-time 60
   Sets the L2 loop detection frame sending interval to 60 seconds.
(3) Specifying the conditions for deactivating ports
Overview
If no command is specified, a port is deactivated when a loop failure is detected once
(initial value). To avoid port deactivation due to a momentary loop, specify the number of
L2 loop detection frames to be received before the port is deactivated.
Configuration command example
1. (config)# loop-detection threshold 100
   Sets the number of L2 loop detection frames to be received before the port is deactivated
   to 100, and deactivates the port when 100 frames have been received.
2. (config)# loop-detection hold-time 60
   Holds the number of received L2 loop detection frames for 60 seconds after the last
   frame was received. Clears the number when 60 seconds pass without receiving the
   frame again.
(4) Setting the automatic-restoration time after the port deactivation
Overview
The following example shows how to specify the time to automatically activate the ports
deactivated by the L2 loop detection functionality.
Configuration command example
1. (config)# loop-detection auto-restore-time 360
   Sets the ports deactivated by the L2 loop detection functionality to automatically
   activate in 360 seconds.
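The threshold, hold-time and auto-restore-time settings of 19.2.2 (3) and (4) interact on a per-port counter. The following is an added example that is not ALAXALA code: a small model of that counter for a detecting and blocking port (send-inact) and a detecting and sending port (send), which detects a loop but is not deactivated. The type names, field names and the hold-time default are assumptions made for the model; only the behaviour stated in this chapter is reproduced.

```python
"""Added example (not ALAXALA code): a model of the per-port counters that
loop-detection threshold, hold-time and auto-restore-time configure.
Port type names ("send-inact", "send") and the hold_time default are
assumptions; the behaviour follows the descriptions in 19.1 and 19.2."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LoopDetectionPort:
    name: str
    port_type: str                 # "send-inact" (deactivates) or "send" (detects only)
    threshold: int = 1             # frames before deactivation (initial value: 1)
    hold_time: int = 60            # seconds the count is held (assumed value)
    auto_restore_time: Optional[int] = None  # seconds until automatic restoration
    detect_count: int = 0
    last_frame_at: Optional[float] = None
    inactive_since: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    @property
    def active(self) -> bool:
        return self.inactive_since is None

    def receive_own_frame(self, now: float) -> None:
        """An L2 loop detection frame sent by this switch came back on this port."""
        # hold-time: the count is cleared if no frame arrived for hold_time seconds
        if self.last_frame_at is not None and now - self.last_frame_at > self.hold_time:
            self.detect_count = 0
        self.last_frame_at = now
        self.detect_count += 1
        if self.detect_count != self.threshold or not self.active:
            return
        self.events.append((now, "loop detected"))
        if self.port_type == "send-inact":   # a detecting and sending port stays up
            self.inactive_since = now
            self.events.append((now, "port deactivated"))

    def tick(self, now: float) -> None:
        """Timer processing: automatic restoration after auto_restore_time seconds."""
        if (not self.active and self.auto_restore_time is not None
                and now - self.inactive_since >= self.auto_restore_time):
            self.inactive_since = None
            self.detect_count = 0
            self.events.append((now, "port restored"))


def simulate(port: LoopDetectionPort, frame_times: List[float],
             tick_times: List[float]) -> List[Tuple[float, str]]:
    """Replay frame arrivals and timer ticks in time order; return the event log."""
    timeline = sorted([(t, "frame") for t in frame_times]
                      + [(t, "tick") for t in tick_times])
    for t, kind in timeline:
        if kind == "frame":
            port.receive_own_frame(t)
        else:
            port.tick(t)
    return port.events


if __name__ == "__main__":
    # Constructed scenario: threshold 3, hold-time 60 s, auto-restore-time 360 s.
    # Two frames, a 99 s gap (count cleared), then three frames -> deactivated.
    p = LoopDetectionPort("0/4", "send-inact", threshold=3, hold_time=60,
                          auto_restore_time=360)
    for when, what in simulate(p, [0, 1, 100, 101, 102], [200, 462]):
        print(f"t={when:>5}  {p.name}: {what}")
```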
19.3 Operation
19.3.1 List of operation commands
The following table describes operation commands for the L2 loop detection functionality.
Table 19-4: List of operation commands
Command                        | Description
-------------------------------+-------------------------------------------------------
show loop-detection            | Displays L2 loop detection information.
show loop-detection statistics | Displays L2 loop detection statistics.
clear loop-detection statistics| Clears L2 loop detection statistics.
show loop-detection logging    | Displays the logs of the received L2 loop detection frames.
clear loop-detection logging   | Clears the logs of the received L2 loop detection frames.
19.3.2 Checking the L2 loop detection status
Use the show loop-detection operation command to check the L2 loop detection settings
and the operating status. Check for ports that are unable to send frames because the rate for
sending L2 loop detection frames on the port has exceeded the maximum value. If the
configuration of VLAN port counts does not exceed the capacity, there is no problem. Also,
check for ports that have been deactivated due to a loop failure in the status section of the port
information section.
Figure 19-5: Result of executing the show loop-detection operation command
> show loop-detection
Date 2008/11/12 16:22:28 UTC
Interval Time      :10
Output Rate        :20pps
Threshold          :200
Hold Time          :300
Auto Restore Time  :3600
VLAN Port Counts
  Configuration    :6        Capacity :200
Port Information
  Port     Status      Type
  0/1      Down        trap
  0/2      Down        trap
  0/3      Down        trap
  0/4      Down(loop)  send-inact
  0/5      Up          exception
  0/6      Down        send
  0/7      Up          send-inact
  0/8      Down(loop)  send-inact
  ...      ...         ...
  0/22     Down        uplink
  0/24     Down        trap
  0/25     Down        trap
  0/26     Down        trap
  ChGr:1   Down(loop)  send-inact
  ChGr:2   Down(loop)  send-inact
  ChGr:5   Down        trap
  ChGr:8   Down        uplink
>
(The DetectCnt, RestoringTimer, SourcePort and Vlan columns of the port information in this figure are not reproduced here.)
20. CFM
CFM (Connectivity Fault Management) verifies the connectivity between bridges at the Layer 2
level and confirms routes; in other words, it is functionality for managing and maintaining
wide-area Ethernet networks. This chapter describes CFM and its operations.
20.1 Description
20.2 Configuration
20.3 Operation
20.1 Description
20.1.1 Overview
Ethernet has been used not only for intra-company LANs but also for wide-area networks. As a
result, Ethernet requires the same maintenance and management functionality as SONET and
ATM.
CFM uses the following functionality to maintain and manage Layer 2 networks:
1. Continuity Check
   This functionality continuously monitors the management points so that information is
   correctly passed to the destination. (It checks for reachability and connectivity.)
2. Loopback
   This functionality identifies how far loopback reaches on the route after detecting a failure.
   (It performs a loopback test.)
3. Linktrace
   This functionality uses linktrace to confirm the route up to the management point after
   detecting a failure. (It performs route searches in the Layer 2 network.)
The following figure shows an example of a CFM configuration.
Figure 20-1: Example of CFM configuration
(1) CFM functionality
CFM is prescribed in IEEE 802.1ag and has the functionality shown in the table below. The
Switch supports the functionality below.
Table 20-1: CFM functionality
Name                  | Description
----------------------+------------------------------------------------------------------
Continuity Check (CC) | Monitors reachability continuously between management points.
Loopback              | Loopback test. Performs the same functionality as ping at Layer 2.
Linktrace             | Route search. Performs the same functionality as traceroute at Layer 2.
(2) CFM configuration
The table below shows the CFM components. CFM operates within the maintenance and
management area consisting of domains, MAs, MEPs, and MIPs.
Table 20-2: CFM components
Name                                        | Description
--------------------------------------------+----------------------------------------------------------------
Domain (Maintenance Domain)                 | Management group on the network to which CFM is applied.
MA (Maintenance Association)                | VLAN group with subdivided domains for management.
MEP (Maintenance association End Point)     | Management termination point. A MEP is a port on the boundary of a domain and is set for each MA. In addition, MEPs execute CFM functionality.
MIP (Maintenance domain Intermediate Point) | Management intermediate point. Management point located in a domain.
MP (Maintenance Point)                      | Management point. A general term for MEP and MIP.
20.1.2 CFM components
(1) Domain
CFM uses domains to hierarchically maintain the network. It maintains and manages the
network by sending and receiving CFM PDUs in the domain. The domains are classified into
levels 0 to 7 (called domain levels); larger values correspond to higher levels.
Higher-level domains discard CFM PDUs from lower-level domains. Lower-level domains
forward CFM PDUs from higher-level domains without processing them. Therefore, CFM
PDUs from lower-level domains cannot be passed to the higher-level domains; each domain can
independently execute maintenance and management. Domain levels are specified in the
standard to be used according to classes. Domain levels assigned to classes are shown in the
following table.
Table 20-3: Domain levels assigned to classes
Domain level | Classes
-------------+--------------------------------
7, 6, 5      | Customer (user)
4, 3         | Service provider (all carriers)
2, 1, 0      | Operator (carrier)
Domains can be set hierarchically. When the domains are hierarchical, lower domain levels are
set to the inside, and the higher domain levels are set to the outside. The following figure shows
an example of a hierarchical domain configuration.
Figure 20-2: Example of hierarchical domain configuration
(2) MA
MAs are used for management by subdividing a domain into VLAN groups. A domain requires
at least one MA. Since CFM operates within MAs, the setting of MAs allows the management
area to be controlled in detail. MAs can be identified by domain name and MA name. Therefore,
for switches operating in the same MA, the same domain name and MA name must be set. The
following figure shows an example of an MA management area.
Figure 20-3: Example of MA management area
In addition, the same setting is necessary for the VLAN that sends and receives CFM PDU in the
same MA (the primary VLAN). In the initial state, a primary VLAN is a VLAN that has the
smallest VLAN ID in the MA. The ma vlan-group configuration command allows an arbitrary
VLAN to be set as the primary VLAN. If the primary VLAN is set to the same VLAN as that for
data transfer, actual reachability can be monitored.
(3) MEP
MEPs are management points on the boundary of a domain and are set to the MA. A MEP ID (a
unique ID in the MA) is set for each MEP. MEPs execute CFM functionality. CFM sends and
receives CFM PDUs between MEPs (that is, between domain boundaries) to confirm the
connectivity of target networks.
There are two types of MEPs:
• Up MEP
An Up MEP is a MEP set on the relay side. Up MEPs do not send or receive CFM PDUs.
CFM PDUs are sent and received through MIPs or a port in the same MA. The following
figure shows an example of configuring Up MEPs.
Figure 20-4: Example Up MEP configuration
• Down MEP
A Down MEP is a MEP set on the line side. Down MEPs send and receive CFM PDUs.
The following figure shows an example of configuring Down MEPs.
Figure 20-5: Example Down MEP configuration
The following figures show an example of sending from Down MEPs and Up MEPs and an
example of receiving at Down MEPs and Up MEPs.
Figure 20-6: Sending from Down MEPs and Up MEPs
Figure 20-7: Receiving at Down MEPs and Up MEPs
Set Down MEPs and Up MEPs in the correct positions. For example, set Down MEPs on the line
side (inside an MA). If it is set on the relay side (outside an MA), CFM functionality does not
operate correctly because CFM PDUs are sent outside of the MA. The following figure shows an
example of an incorrect Down MEP configuration.
Figure 20-8: Example of incorrect Down MEP configuration
(4) MIP
A MIP is a management point set in a domain and is set within a domain (that is, it is shared
among all MAs in the same domain). For hierarchical configurations, MIPs are set to the
position where a higher-level domain overlaps with a lower-level domain. In addition, since
MIPs respond to loopback and linktrace, they are set to positions within a domain that can be
maintained and managed.
(a) Setting to positions where domains overlap
If a MIP is set to a position where domains overlap, the higher-level domain recognizes the
lower-level domain, but it can be managed while it is not aware of the configuration of the lower
level domain. The following figure shows an example of a hierarchical configuration using
domain level 1 and domain level 2.
Figure 20-9: Example of hierarchical configuration using domain level 1 and domain level 2
When designing domain level 2, set the port that is set to a MEP in the MA of domain level 1 for
a MIP in domain level 2. As a result, domain level 2 can manage domain level 1 without being
aware of it operationally while domain level 2 is recognizing the scope of domain level 1. When
a failure occurs, it is possible to identify a problem in domain level 2 or where the problem
occurs in domain level 1, and the area to be investigated can be identified.
(b) Setting to positions to be maintained and managed
As MIPs are set in a domain, finer maintenance and management can be made. The figure below
shows an example configuration of a domain without MIPs. In this example, when a failure
occurs in the network, it is possible to confirm that communication between MEPs of Switches
A and E cannot be made, but it is impossible to identify where the failure occurred.
Figure 20-10: Example configuration of a domain without MIPs
The figure below shows an example configuration of a domain with MIPs. In this example, since
the MIPs in the domain allow each switch to return loopback and linktrace responses, it is
possible to identify the location of the failure.
Figure 20-11: Example of configuration with MIP setting in a domain
20.1.3 Designing domains
When using CFM, design the domains first. The configuration and hierarchical structure of
domains should be designed first, and then each domain should be designed in detail.
For the design of domains, you must configure domain levels, MAs, MEPs, and MIPs.
(1) Designing domain configuration and hierarchy
Set the MA port (the boundary of the domain) to a MEP, and then set the port to overlap with a
lower domain to a MIP. The design procedure for the configuration and hierarchy of a domain is
shown using the example configuration in the following figure:
Figure 20-12: Example configuration
A domain is designed using carrier A, B, all carriers, and users as units, and a domain level is
configured for each class. In addition, the items below are assumed:
• Carrier A, B, and all carriers manage connectivity, including ports supplied to the user, to
ensure availability of the lines supplied to the user.
• A user manages the connectivity of lines supplied by the carrier to monitor whether the lines
supplied by the carrier can be used.
Domains should be designed starting from the lower level as shown below:
• Configuring domain levels 1 and 2
1. Set MA Group_A at domain level 1.
   In this example, a single MA manages one domain. However, if you want to subdivide the
   domain into VLAN groups and to manage them in more detail, set an MA for each unit you
   want to manage.
2. Set a MEP to the MA port of Switches B and D, which are domain boundaries.
   To manage the connectivity including ports supplied to the user, the carrier sets the Up
   MEPs.
3. For domain level 2, set an MA in the same manner as the above, and then set Up MEPs to
   Switches E and G.
Figure 20-13: Configuration of domain levels 1 and 2
• Configuring domain level 4
1. Set MA Group_C at domain level 4.
2. Set a MEP to the MA port of Switches B and G, which are the boundaries of domain level
   4. To manage the connectivity including ports supplied to the user, the carrier sets the Up
   MEPs.
3. Since domain level 4 includes domain levels 1 and 2, set MIPs to Switches D and E, which
   are the relay points.
   If a MEP of a lower domain is set to a MIP of a higher domain, use of loopback and
   linktrace allows the identification of a problem; in other words, problems in a domain
   managed by itself or problems in a domain managed by a lower level result in easy
   identification of areas to check in the event of a failure.
Figure 20-14: Configuration of domain level 4
• Setting of domain level 7
1. Set MA Group_D at domain level 7.
2. Set a MEP to the MA port of Switches A and H, which are the boundaries of domain level
   7. To manage the connectivity of the lines supplied by the carrier, the user sets the Down
   MEPs.
3. Since domain level 7 includes domain level 4, set MIPs to Switches B and G, which are the
   relay points.
   Since domain levels 1 and 2 are set as the relay points of domain level 4, it is not necessary
   to set them at domain level 7.
Figure 20-15: Configuration of domain level 7
(2) Detailed design of each domain
For detailed design for each domain, set MIPs to the positions where you want to apply loopback
and linktrace. The following figures show examples of configuration before and after setting
MIPs.
Figure 20-16: Example configuration before setting MIPs
Figure 20-17: Example configuration after setting MIPs
Set MIPs to the ports in the domain to which loopback and linktrace are to be sent. In this
example, MIPs are set to Switches B and D. This setting allows loopback and linktrace to
execute for MIPs of Switches B and D. In addition, a response can be returned as linktrace route
information.
Switch C, to which MIPs are not set, cannot be specified as a destination for loopback and
linktrace. In addition, since Switch C does not respond to linktrace, the route information does
not include information about Switch C.
(3) Example domain configuration
Domains can be hierarchically configured. Note, however, that you must set lower-level
domains towards the inside of the hierarchical structure and higher-level domains towards the
outside. The table below shows examples of domain configurations and the availability of the
configurations.
Table 20-4: Examples of domain configurations and availability
Configuration state                                  | Example  | Availability
-----------------------------------------------------+----------+-------------
Neighboring domains                                  | (figure) | Yes
Connected domains                                    | (figure) | Yes
Nested domains                                       | (figure) | Yes
Combination of neighboring domains and nested domains | (figure) | Yes
Intersecting domains                                 | (figure) | No
20.1.4 Continuity Check
Continuity Check (CC) continuously monitors connectivity among MEPs. All MEPs in an MA
send and receive CCMs (Continuity Check Messages, a type of CFM PDU) mutually and learn
the MEPs in the MA. The learned contents of MEPs are also used in loopback and linktrace.
If Switches operating CC do not receive CCMs or the MA port of the target Switch cannot
communicate, then the result is regarded as a failure. At that time, a CCM with the failure
detection flag set is sent to notify the MEPs in the MA. The table below shows failures detected
by CC. The detected failures have failure levels. The configuration of the Switch can change the
failure level detected. By default, failures of level 2 or higher are detected.
Table 20-5: Failure levels detected by CC and failure description
Failure level | Description                                                                  | Default
--------------+------------------------------------------------------------------------------+-------------
5             | Received CCM with a different domain and MA                                  | Detected
4             | Received CCM with incorrect MEP ID or transmission interval                  | Detected
3             | Cannot receive CCM                                                           | Detected
2             | The port of the target Switch cannot communicate.                            | Detected
1             | Received CCM that reported detection of a failure (Remote Defect Indication) | Not detected
0             | No failure detected                                                          | Not detected
The operation example of CC refers to Switch B in the figure below. Each MEP uses multicast to
send CCMs inside the MA at one-minute intervals. Constant reception of CCMs from each MEP
allows continuous monitoring of connectivity. In addition, the configuration of the Switch can
change the intervals of CCM transmissions.
Figure 20-18: Continuous monitoring of connectivity using CC
If a CCM from Switch A cannot be sent to Switch B because of a failure in the Switches or the
network, Switch B judges it as a failure in the network of Switch A.
Figure 20-19: Failure detection in CC
Switch B detects a failure and notifies all MEPs in the MA that a failure was detected.
Figure 20-20: Notifying all MEPs of the failure
Each MEP that receives a CCM carrying the failure detection notification recognizes that a failure
exists somewhere in the MA. Executing loopback and linktrace on the Switch then identifies
which route in the MA has the failure.
(1) Failure detection and trap notification
When CC detects a failure, the trap is reported. Note that the configuration can be used to restrict
trap notification for a specified time after a failure is detected. The following table shows time
types to be set via the configuration.
Table 20-6: Trap notification time when CC detects a failure
Time type                                                                        | Description                                                                                                                                                                                                                                                                                  | Setting range
---------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------
Failure detection start time (trap notification time after failure detection)    | Time after failure detection until trap notification. After the configured time has elapsed following failure detection, a trap is sent.                                                                                                                                                  | 2,500 to 10,000 ms
Failure re-detection time (continuous trap notification restricted time)         | Time during which continued failure detection is regarded as re-detection. Even if a failure is detected within the configured time after a failure detection, it is regarded as re-detection and no trap is sent. (However, if a failure of a higher level than the current level is detected during the re-detection time, a trap is sent.) | 2,500 to 10,000 ms
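The domain-level rule of 20.1.2 (1), the failure levels of Table 20-5 and the trap timing of Table 20-6 are all simple decision rules, and the following added example (not ALAXALA code) puts them into one model so their interaction can be checked: which received CFM PDUs an MP at a given level processes, which failure level an observation maps to, whether it is detected with the default threshold of level 2, and when a trap is sent. The function and field names are assumptions; the re-detection window is measured from the last reported failure, which is one reading of the table.

```python
"""Added example (not ALAXALA code): domain-level PDU handling (20.1.2 (1)),
CC failure levels with the default detection threshold (Table 20-5) and trap
notification timing (Table 20-6).  Names and field layout are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


def handle_cfm_pdu(mp_level: int, pdu_level: int) -> str:
    """What an MP at domain level mp_level does with a PDU of level pdu_level."""
    if pdu_level < mp_level:
        return "discard"      # higher-level domains discard lower-level PDUs
    if pdu_level > mp_level:
        return "forward"      # lower-level domains pass higher-level PDUs through
    return "process"          # same level: the PDU belongs to this domain


@dataclass
class CcmObservation:
    """Constructed summary of what a MEP saw for one remote MEP in one interval."""
    received: bool
    same_domain_and_ma: bool = True
    mep_id_and_interval_ok: bool = True
    target_port_can_communicate: bool = True
    rdi_flag: bool = False    # remote MEP reported a failure (Remote Defect Indication)


def cc_failure_level(obs: CcmObservation) -> int:
    """Map an observation to the failure levels of Table 20-5; highest level wins."""
    if obs.received and not obs.same_domain_and_ma:
        return 5
    if obs.received and not obs.mep_id_and_interval_ok:
        return 4
    if not obs.received:
        return 3
    if not obs.target_port_can_communicate:
        return 2
    if obs.rdi_flag:
        return 1
    return 0


def is_detected(level: int, min_level: int = 2) -> bool:
    """By default, failures of level 2 or higher are detected."""
    return level >= min_level


@dataclass
class TrapState:
    """Trap notification timing of Table 20-6 (all times in milliseconds)."""
    detection_start_ms: int = 2500    # failure detection start time (assumed value)
    redetection_ms: int = 10000       # failure re-detection time (assumed value)
    current_level: int = 0
    last_reported_at: Optional[int] = None

    def on_failure(self, level: int, now_ms: int) -> Tuple[bool, Optional[int]]:
        """Return (trap sent?, time at which the trap is sent).

        Failures below the detection threshold are ignored.  Within the
        re-detection window a failure of the same or lower level is treated as
        re-detection and sends no trap; a higher-level failure is reported."""
        if not is_detected(level):
            return False, None
        in_window = (self.last_reported_at is not None
                     and now_ms - self.last_reported_at < self.redetection_ms)
        if in_window and level <= self.current_level:
            return False, None
        self.current_level = level
        self.last_reported_at = now_ms
        return True, now_ms + self.detection_start_ms


if __name__ == "__main__":
    print(handle_cfm_pdu(4, 2), handle_cfm_pdu(2, 4), handle_cfm_pdu(4, 4))
    ts = TrapState()
    for lvl, t in [(3, 0), (3, 4000), (5, 5000), (1, 20000)]:
        print(f"level {lvl} at {t} ms ->", ts.on_failure(lvl, t))
```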
20.1.5 Loopback
Loopback is functionality similar to ping and operates at the Layer 2 level. Loopback confirms
connectivity between MEPs or between a MEP and MIP in the same MA. While CC is used to
confirm MEP-MEP connectivity, loopback can also be used to confirm MEP-MIP connectivity;
in other words, connectivity in an MA can be confirmed in detail.
Connectivity can be checked by sending a loopback message (a type of CFM PDU) from a
MEP to a destination and then confirming the response from the destination. Since MIPs and
MEPs respond directly to loopback, if, for example, multiple MIPs are set in the Switch, each
MIP can confirm connectivity. The following figures show examples of execution of loopback
to MIPs and to MEPs.
Figure 20-21: Execution of loopback to MIP
Figure 20-22: Execution of loopback to MEP
Since loopback uses the learned contents of CC, CC must be started before using loopback. In
addition, if a MIP is specified as the destination, the MAC address of the MIP port must be
checked in advance.
20.1.6 Linktrace
Linktrace is functionality similar to traceroute and operates at the Layer 2 level. Linktrace
collects switch information passing between MEPs or MEPs and MIPs in the same MA and
generates route information. Linktrace sends a linktrace message (a type of CFM PDU) and
collects returned responses as route information. The following figure shows an example of
sending a linktrace message to a destination.
Figure 20-23: Sending a linktrace message to a destination
The linktrace message is forwarded to the destination through MIPs. MIPs transfer the response
indicating which ports were used for receiving and which ports were used for forwarding. The
switch at the source keeps the response message as route information. The following figure
shows an example of forwarding a linktrace message to a destination.
Figure 20-24: Forwarding of a linktrace message to a destination
MIPs return responses and forward the linktrace message to the destination. Switches without a
MEP or MIP set, such as Switch C, cannot return a response. (To return a response, one or more
MIPs must be set.) When the linktrace message reaches the MEP or MIP of the destination, the
MEP or MIP returns a response to the source indicating that the message was received and also
which port was used to receive it. The source stores the response and uses it to generate route
information, and then it confirms the route up to the destination. Linktrace responds at each
switch. For example, whether one or more MIPs are set in the Switch, information about the
receiving ports and sending ports is returned in the same manner in either case. Since linktrace
uses the learned contents of CC, CC must be started before using linktrace. In addition, if a MIP
is specified as the destination, MAC address of the MIP port must be checked in advance.
(a) Identifying failures by using linktrace
Using linktrace execution results allows identification of the Switch or port reporting a failure.
• Detecting timeout
The following figure is an example of linktrace detecting a timeout.
Figure 20-25: Example of linktrace detecting a timeout
In this example, if Switch A detects a timeout by using linktrace, the port of the receiving side on
the network cannot communicate. The linktrace message is forwarded from Switch B to Switch
C, but Switch C cannot communicate, and then a timeout occurs because Switch C does not
respond.
• Detecting forwarding failure
The following figure shows an example of linktrace detecting a failure to forward the message.
Figure 20-26: Example of linktrace detecting forwarding failure
If Switch A detects a forwarding failure by using linktrace, you can assume that the port on the
sending side on the network cannot communicate. This is because a response is returned to
Switch A indicating that the port on the sending side cannot communicate if Switch C cannot
forward the linktrace message to Switch D (destination).
(b) Linktrace responses
The linktrace message uses multicast frames. When forwarding linktrace messages at Switches
operating CFM, the port used for forwarding is determined by referring to the MIP CCM
database and the MAC address table. Switches not operating CFM flood the linktrace message.
Therefore, if there are Switches not operating CFM on the network, Switches on other routes
than the destination also return responses.
20.1.7 Common behavior
(1) Behavior on blocked ports
The tables below show the behavior of CFM functionality on the blocked ports.
Table 20-7: If Up MEP is blocked
CC
• Sends and receives CCMs. The port sending CCMs is set to Blocked.
Loopback
• Can execute the l2ping operation command.
• Responds to self-addressed loopback messages.
Linktrace
• Can execute the l2traceroute operation command.
• Responds to linktrace messages. The Egress Port is set to Blocked in response to linktrace messages.
Table 20-8: If Down MEP is blocked
CC
• Does not send or receive CCMs.
Loopback
• Cannot execute the l2ping operation command.
• Does not respond to self-addressed loopback messages.
Linktrace
• Cannot execute the l2traceroute operation command.
• Does not respond to linktrace messages.
Table 20-9: If MIP is blocked
CC
• Does not transmit CCMs.
Loopback
• Does not respond to self-addressed loopback messages received from the line side.
• Responds to self-addressed loopback messages received from the relay side.
• Does not transmit loopback messages.
Linktrace
• Does not respond to linktrace messages received from the line side.
• Responds to linktrace messages received from the relay side. The Egress Port is set to Blocked in response to linktrace messages.
• Does not transmit linktrace messages.
Table 20-10: If a port other than a MEP or MIP is blocked
CC
• Does not transmit CCMs.
Loopback
• Does not transmit loopback messages.
Linktrace
• Does not transmit linktrace messages.
20.1.8 Databases used in CFM
The table below shows the databases used in CFM.
Table 20-11: Databases used for CFM
MEP CCM database
Database stored in each MEP. Holds MEP information in the same MA. Used to continuously monitor connectivity in CC. Contains the following information:
• MEP IDs
• MAC addresses corresponding to MEP IDs
• Information on failures occurring on the target MEPs
Command to check contents: show cfm remote-mep
MIP CCM database
Database stored in Switches. Holds MEP information in the same domain. Used to determine the port to use when transferring the linktrace message. Contains the following information:
• MAC addresses of MEPs
• VLAN and port that receive CCMs from the target MEPs
Command to check contents: None
Linktrace database
Database that stores linktrace execution results. Contains the following information:
• MEP executing linktrace and destination
• TTL
• Information on Switches returning responses
• Information on ports receiving linktrace messages
• Information on ports forwarding linktrace messages
Command to check contents: show cfm l2traceroute-db
(1) MEP CCM database
The MEP CCM database stores information about what MEPs exist in an MA. In addition, it
also stores failure information for the target MEPs. The destination of loopback and linktrace
can be specified using MEP ID, but MEP IDs not registered in the MEP CCM database cannot
be specified. The show cfm remote-mep operation command can be used to confirm whether
a MEP ID is registered in the database. Entries in this database are created when a MEP receives
a CCM during CC execution.
(2) MIP CCM database
The MIP CCM database is used to determine what port is used for forwarding linktrace
messages.
If, when forwarding, the MAC address of the destination MEP is not registered in the MIP CCM
database, the port for forwarding is determined by referring to the MAC address table.
If the MAC address table does not include it either, the linktrace message is not forwarded, and a
response is returned to the source indicating that forwarding cannot be made. Entries in this
database are created when a MIP transfers a CCM during CC execution.
(3) Linktrace database
The linktrace database retains the execution results of linktrace. The show cfm
l2traceroute-db operation command allows the results of linktrace already executed to be
referenced.
(a) Number of routes to store
Responses for a maximum of 256 switches per route can be stored, for a total of 1,024 switches. The number of routes that can be stored therefore depends on how many switches are stored per route: if responses for 256 switches per route are stored, four routes can be stored, and if responses for 16 switches per route are stored, 64 routes can be stored. If the stored responses would exceed 1,024 switches, older route information is deleted so that the information on newer routes can be stored. If linktrace is executed again for a destination already registered in the linktrace database, the route information up to that destination is deleted from the database and the new linktrace response is stored. The following figure shows the linktrace database.
Figure 20-27: Linktrace database
Entries in this database are created when a MEP receives a response during linktrace execution.
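The capacity and replacement rules above, modelled as an added example (not ALAXALA code, and not the switch's implementation): 256 switches per route, 1,024 in total, oldest routes evicted first, and a repeat linktrace to a stored destination replacing its old route. Treating responses beyond 256 per route as dropped is an assumption of this model.

```python
"""Model of the linktrace database capacity rules in 20.1.8 (3)(a).

Added illustration, not ALAXALA code. The limits are those stated in the
text: at most 256 responding switches per route and 1,024 in total. When a
new result would exceed the total, the oldest routes are deleted first, and
re-running linktrace to a destination already stored replaces that route.
Dropping responses beyond 256 per route is an assumption of this model.
"""
from collections import OrderedDict
from typing import List

MAX_SWITCHES_PER_ROUTE = 256
MAX_SWITCHES_TOTAL = 1024


class LinktraceDb:
    """Routes keyed by destination, oldest first; each value is the list of responding hops."""

    def __init__(self) -> None:
        self._routes: "OrderedDict[str, List[str]]" = OrderedDict()

    def total_switches(self) -> int:
        return sum(len(hops) for hops in self._routes.values())

    def route_count(self) -> int:
        return len(self._routes)

    def route(self, destination: str) -> List[str]:
        return list(self._routes.get(destination, []))

    def store(self, destination: str, responses: List[str]) -> List[str]:
        """Store one linktrace result; return the destinations evicted to make room."""
        hops = list(responses[:MAX_SWITCHES_PER_ROUTE])  # assumption: excess responses dropped
        # A repeat linktrace to a stored destination replaces that route, so its
        # old entries no longer count against the total before eviction is checked.
        self._routes.pop(destination, None)
        evicted: List[str] = []
        while self._routes and self.total_switches() + len(hops) > MAX_SWITCHES_TOTAL:
            oldest, _ = self._routes.popitem(last=False)
            evicted.append(oldest)
        self._routes[destination] = hops
        return evicted


if __name__ == "__main__":
    # Constructed sample: four full 256-switch routes fill the database, and a
    # fifth route of 16 switches forces the oldest full route out.
    db = LinktraceDb()
    for i in range(4):
        db.store(f"dest-{i}", [f"sw-{i}-{j}" for j in range(256)])
    print(db.route_count(), db.total_switches())                  # 4 1024
    print(db.store("dest-4", [f"sw-4-{j}" for j in range(16)]))  # ['dest-0']
```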
20.1.9 Notes on using CFM
(1) Switches not running CFM
When applying CFM, CFM need not be run on all Switches in a domain. However, Switches that do not run CFM must still transmit (forward) CFM PDUs. For devices other than the Switch that do not run CFM, configure them so that the frames shown in the table below are transmitted.
Table 20-12: Frame to be transmitted
Frame type: Multicast
Destination MAC address: 0180.c200.0030 to 0180.c200.003f
If CFM is not running, the Switch transmits all CFM PDUs.
(2) Interoperability with other functionality
For interoperability with other functionality, the behavior is described in the following table.
Table 20-13: Interoperability with other functionality of the Switch
Port type
• Access port: Y
• Trunk port: Y
• Protocol port: N. CFM frames cannot join this port type (cannot be forwarded in the VLAN).
• MAC port: N. CFM frames cannot join this port type (cannot be forwarded in the VLAN).
VLAN
• Relay blocking between ports: N. Relay-blocking functionality between ports is invalid for CFM frames.
Link aggregation: Y. CFM operates on each channel.
Spanning tree: Y
GSRP aware: Y
Ring Protocol: Y
IGMP/MLD snooping: Y
DHCP snooping: Y
Terminal filter: N
Dynamic ARP inspection: Y. CFM frames cannot be received.
L2 loop detection functionality: Y
LLDP: N
UDLD: Y
Filter: N. For MAC access list specification, implicit discard is performed.
QoS: N. No effect on forwarding. Priority of self-generated frames can be changed.
IEEE 802.1X authentication: N
Web authentication (including one-time password authentication): N. Since CFM frames might not be received, do not set the authentication port on the forwarding route of CFM.
MAC-based authentication: N
Multistep authentication: N
Secure Wake on LAN: N
Uplink redundancy: Y
Storm control: Y. If multicast is specified, CFM is also discarded.
Port mirroring: N. Monitor port setting is invalid. In addition, self-generated frames and software-forwarded frames cannot be mirrored.
Legend
Y: Available
N: Not available
(3) Burst reception of CFM PDUs
If the number of remote MEPs continuously monitored by CC is 48 or more and the transmission timing of CFM PDUs from the remote MEPs happens to coincide, the Switch might receive a burst of CFM PDUs. In such a case, the Switch might discard CFM PDUs, possibly resulting in incorrect detection of failures. If this occurs frequently, adjust the CFM PDU transmission timing so that it differs for each device.
(4) Configuring MEPs in MAs that set the same primary VLAN in the same domain
For MAs (including the same MA) that set the same primary VLAN in the same domain, do not set multiple MEPs for the same port. If they are set, CFM cannot operate normally on the corresponding MEPs.
(5) Collection of route information with linktrace
For linktrace, the destination port of the linktrace message is determined by referring to the MIP CCM database or the MAC address table. At link-up (including re-link-up after link-down) and after a route change via the spanning tree, the destination port cannot be determined until CC has sent and received a CCM, so correct route information cannot be collected until then.
(6) If MIPs do not respond to loopback and linktrace at blocked ports
If a MIP is set to a blocked port and any of the following operations are executed on the target port, the MIP might not respond to loopback or linktrace:
• Operation of loop guard functionality with spanning tree (PVST+, single)
• When spanning tree (MSTP) is running, an access VLAN or native VLAN is set as the primary VLAN
• Operation of Ring Protocol
• Operation of uplink redundancy
20.2 Configuration
20.2.1 List of configuration commands
The following table lists the CFM configuration commands.
Table 20-14: List of configuration commands
domain name: Sets the name used for a target domain.
ethernet cfm cc alarm-priority: Sets the failure level to be detected by CC.
ethernet cfm cc alarm-reset-time: Sets the time interval used to decide whether a repeated failure counts as a re-detection when CC repeatedly detects failures.
ethernet cfm cc alarm-start-time: Sets the time after CC detects a failure until a trap is reported.
ethernet cfm cc interval: Sets the CCM transmission interval for a target MA.
ethernet cfm cc enable: Sets the MA which uses CC in the domain.
ethernet cfm domain: Sets a domain.
ethernet cfm enable (global): Starts CFM.
ethernet cfm enable (interface): Stops CFM when no ethernet cfm enable is set.
ethernet cfm mep: Sets a MEP used in CFM.
ethernet cfm mip: Sets a MIP used in CFM.
ma name: Sets the name of an MA used in a target domain.
ma vlan-group: Sets the VLAN belonging to an MA used in a target domain.
20.2.2 Configuring CFM (multiple domains)
This section describes the procedure to configure multiple domains. The following figure shows
an example of setting Switch A.
Figure 20-28: Example CFM configuration (multiple domains)
(1) Setting MAs for multiple domains or for each domain
Overview
If there are multiple domains, set them in order from the lowest-level domain. When setting MAs, the domain level, MA identification number, domain name, and MA name must match those of the peer switches. If the settings differ, the Switch and the peer switches are not judged to be in the same MA. For the primary VLAN of an MA, set the VLAN on which the MEP of the Switch sends CFM PDUs. If the primary-vlan parameter is not set, the VLAN with the smallest VLAN ID among the VLANs set by the vlan-group parameter becomes the primary VLAN.
Configuration command example
1.
(config)# ethernet cfm domain level 1 direction-up
(config-ether-cfm)# domain name str operator_1
Sets domain level 1 and the initial state of MEPs to Up MEP. Moves to configuration
Ethernet CFM mode and sets the domain name.
2.
(config-ether-cfm)# ma 1 name str ma1_vlan100
(config-ether-cfm)# ma 1 vlan-group 10,20,100 primary-vlan 100
(config-ether-cfm)# exit
Sets the MA name, VLAN belonging to the MA, and primary VLAN to MA1.
3.
(config)# ethernet cfm domain level 2
(config-ether-cfm)# domain name str operator_2
(config-ether-cfm)# ma 2 name str ma2_vlan200
(config-ether-cfm)# ma 2 vlan-group 30,40,200 primary-vlan 200
(config-ether-cfm)# exit
Sets domain level 2 and the initial state of MEPs to Down MEP.
Sets the MA name, VLAN belonging to the MA, and primary VLAN to MA2.
(2)
Configuring MEPs and MIPs
Overview
MEPs and MIPs should be configured so that the number of settings for them is within the
device capacities.
To start operation of MEPs and MIPs that are already configured, enable CFM on the
Switch.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# ethernet cfm mep level 1 ma 1 mep-id 101
(config-if)# ethernet cfm mip level 2
(config-if)# exit
(config)# interface fastethernet 0/2
(config-if)# ethernet cfm mip level 1
(config-if)# exit
Sets a MEP belonging to domain level 1 and MA1 on port 0/1. In addition, sets a MIP for domain level 2 on that port. Sets a MIP for domain level 1 on port 0/2.
2.
(config)# ethernet cfm enable
Starts operation of CFM on the Switch.
(3) Stopping CFM on a port
Overview
The following example shows how to temporarily stop CFM on a port.
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# no ethernet cfm enable
(config-if)# exit
Stops CFM on port 0/1.
(4) Configuring CC
Overview
CC begins operating immediately after ethernet cfm cc enable is set.
Configuration command example
1.
(config)# ethernet cfm cc level 1 ma 1 enable
Starts execution of CC for domain level 1 and MA1.
20.2.3 Configuring CFM (multiple MAs in one domain)
The following describes the procedure to set multiple MAs in a single domain. The following
figure shows an example of setting Switch A.
Figure 20-29: Example of CFM configuration (multiple MAs in one domain)
(1) Configuring multiple MAs in a single domain
Overview
To set multiple MAs in a single domain, make sure that the MA IDs and MA names are not
duplicated. For details about the basic domain and MA settings, see 20.2.2 Configuring
CFM (multiple domains).
Configuration command example
1.
(config)# ethernet cfm domain level 6 direction-up
(config-ether-cfm)# domain name str customer_6
Sets the domain level and the initial state of MEPs to Up MEP. Moves to configuration
Ethernet CFM mode and sets the domain name.
2.
(config-ether-cfm)# ma 1 name str ma1_vlan100
(config-ether-cfm)# ma 1 vlan-group 10,20,100 primary-vlan 100
(config-ether-cfm)# ma 2 name str ma2_vlan200
(config-ether-cfm)# ma 2 vlan-group 30,40,200 primary-vlan 200
(config-ether-cfm)# exit
Sets the MA ID, MA name, VLAN belonging to the MA, and primary VLAN.
(2) Configuring MEPs and MIPs
Overview
You must set a MEP for each MA. The example below shows how to configure multiple
MAs to share MIPs, and to set one MIP for each port. For details about the basic MEP and
MIP settings, see 20.2.2 Configuring CFM (multiple domains).
Configuration command example
1.
(config)# interface fastethernet 0/1
(config-if)# ethernet cfm mep level 6 ma 1 mep-id 101
(config-if)# ethernet cfm mep level 6 ma 2 mep-id 201
(config-if)# exit
(config)# interface range fastethernet 0/2-4
(config-if-range)# ethernet cfm mip level 6
(config-if-range)# exit
Sets a MEP belonging to domain level 6 and MA1 on port 0/1, and also a MEP belonging to MA2 on the same port. Sets MIPs of domain level 6 on ports 0/2 to 0/4.
2.
(config)# ethernet cfm enable
Starts operation of CFM on the Switch.
20.3 Operation
20.3.1 List of operation commands
The following table lists CFM operation commands.
Table 20-15: List of operation commands
l2ping: Executes the loopback functionality of CFM to check the connectivity between specified MPs.
l2traceroute: Executes the linktrace functionality of CFM to check the route between specified MPs.
show cfm: Displays CFM domain information.
show cfm remote-mep: Displays CFM remote MEP information.
show cfm fault: Displays CFM failure information.
show cfm l2traceroute-db: Displays the route information acquired by the l2traceroute command.
show cfm statistics: Displays CFM statistics.
clear cfm remote-mep: Clears CFM remote MEP information.
clear cfm fault: Clears CFM failure information.
clear cfm l2traceroute-db: Clears the route information acquired by the l2traceroute command.
clear cfm statistics: Clears CFM statistics.
20.3.2 Confirming connection between MPs
The l2ping command checks continuity between specified MPs and displays the results. The number of confirmations and the waiting time for responses can be set by the command. If not specified, the number of confirmations is 5 and the waiting time for a response is 5 seconds. The next confirmation is sent either when the response to the current continuity confirmation is received or after the waiting time elapses.
Figure 20-30: l2ping command execution result
> l2ping remote-mep 1010 domain-level 7 ma 1000 mep 1020 count 3
L2ping to MP:1010(0012.e254.dc01) on Level:7 MA:1000 MEP:1020 VLAN:20
Time:2009/10/28 06:59:50
1: L2ping Reply from 0012.e254.dc01 64bytes Time= 20 ms
2: L2ping Reply from 0012.e254.dc01 64bytes Time= 10 ms
3: L2ping Reply from 0012.e254.dc01 64bytes Time= 10 ms
--- L2ping Statistics ---
Tx L2ping Request : 3 Rx L2ping Reply : 3 Lost Frame : 0%
Round-trip Min/Avg/Max : 10/13/20 ms
>
20.3.3 Confirming the route between MPs
The l2traceroute command collects the route information between specified MPs and
displays the results. The waiting time for a response and the TTL value can be set by the
command. If not specified, the waiting time for a response is 5 seconds and the TTL value is 64.
Reception of a response from MP specified as the destination can be confirmed by Hit in the
execution results.
Figure 20-31: l2traceroute command execution result
> l2traceroute remote-mep 1010 domain-level 7 ma 1000 mep 1020 ttl 64
L2traceroute to MP:1010(0012.e254.dc01) on Level:7 MA:1000 MEP:1020 VLAN:20
Time:2009/10/28 08:27:44
63 00ed.f205.0115 Forwarded
62 0012.e2a8.f8d0 Forwarded
61 0012.e254.dc01 Do notForwarded Hit
>
20.3.4 Confirming the state of MPs on a route
The show cfm l2traceroute-db detail command shows the route up to the destination MP and detailed information on the MPs on the route. If NotForwarded is displayed, the information next to Action under Ingress Port and Egress Port can be used to identify why the linktrace message was not forwarded.
Figure 20-32: show cfm l2traceroute-db detail command execution result
> show cfm l2traceroute-db detail
Date 2009/10/29 08:45:32 UTC
L2traceroute to MP:302(0012.e254.dc09) on Level:3 MA:300 MEP:300 VLAN:300
Time:2009/10/29 08:35:02
63 00ed.f205.0111 Forwarded
Last Egress : 00ed.f205.0001 Next Egress : 00ed.f205.0001
Relay Action: MacAdrTbl
Chassis ID Type: MAC
Info: 00ed.f205.0001
Ingress Port Type: LOCAL
Info: Port 0/1
MP Address: 00ed.f205.0101 Action: OK
Egress Port Type: LOCAL
Info: Port 0/17
MP Address: 00ed.f205.0111 Action: OK
62 0012.e254.dc09 Do notForwarded Hit
Last Egress : 00ed.f205.0001 Next Egress : 0012.e254.dbf0
Relay Action: RlyHit
Chassis ID Type: MAC
Info: 0012.e254.dbf0
Ingress Port Type: LOCAL
Info: Port 0/17
MP Address: 0012.e254.dc01 Action: OK
Egress Port Type: LOCAL
Info: Port 0/25
MP Address: 0012.e254.dc09 Action: OK
>
20.3.5 Confirming the state of CFM
The show cfm command displays the settings and the failure detection state of CFM. If a failure
is detected in CC, the information under Status can be used to check the highest level of failure
in the detected failures.
Figure 20-33: show cfm command execution result
> show cfm
Date 2009/10/28 09:31:33 UTC
Domain Level 3 Name(str): ProviderDomain_3
MA 300 Name(str) : Tokyo_to_Osaka
Primary VLAN:300 VLAN:10-20,300
CC:Enable Interval:1min
Alarm Priority:2 Start Time: 2500ms Reset Time:10000ms
MEP Information
ID:8012 UpMEP CH1 (Up) Enable MAC:00ed.f205.0101 Status:
MA 400 Name(str) : Tokyo_to_Nagoya
Primary VLAN:400 VLAN:30-40,400
CC:Enable Interval:10min
Alarm Priority:0 Start Time: 7500ms Reset Time: 5000ms
MEP Information
ID:8014 DownMEP 0/21(Up) Disable MAC:00ed.f205.0115 Status:
MIP Information
0/12(Up) Enable MAC:00ed.f205.010c
0/22(Down) Enable MAC:
Domain Level 4 Name(str): ProviderDomain_4
MIP Information
CH8 (Up) Enable MAC:00ed.f205.0108
>
20.3.6 Confirming detailed failure information
The show cfm fault detail command displays the failure detection state and the CCM information used for failure detection for each failure type. The remote MEP that sent the CCM can be identified from the information indicated by RMEP, MAC, and VLAN.
Figure 20-34: show cfm fault detail command execution result
> show cfm fault domain-level 7 detail
Date 2009/10/29 07:28:32 UTC
MD:7 MA:1000
MEP:1000
Fault
OtherCCM : -  RMEP:1001 MAC:0012.e254.dbff VLAN:1000 Time:2009/10/29 07:18:44
ErrorCCM : On RMEP:1001 MAC:0012.e254.dbff VLAN:1000 Time:2009/10/29 07:27:45
Timeout  : On RMEP:1001 MAC:0012.e254.dbff VLAN:1000 Time:2009/10/29 07:27:20
PortState:
RDI      : -  RMEP:1001 MAC:0012.e254.dbff VLAN:1000 Time:2009/10/29 07:23:45
>
Part 6
Remote Network Management
21. Using SNMP to Manage Networks
This chapter describes the SNMP agent functionality with a focus on supported specifications.
21.1 Description
21.2 Configuration
21.1 Description
21.1.1 SNMP overview
(1) Network management
High-level network management is essential for maintaining the operating environment and
performance of a network system. The Simple Network Management Protocol (SNMP) is the
industry-standard network management protocol for managing a multivendor network
consisting of SNMP-supported network devices. The server for collecting and managing
management information is the SNMP manager, and each network device is called an SNMP
agent. The following figure provides an overview of network management.
Figure 21-1: Overview of network management
(2) SNMP agent functionality
The SNMP agent for the Switch is a program incorporated into the Switch on the network and
provides the SNMP manager with internal switch information. A management information base
(MIB) consists of different kinds of internal switch information. The SNMP manager is software
that retrieves, edits, and processes switch information and provides the various kinds of
information to the network administrator for network management. The following figure is an
example of MIB retrieval.
Figure 21-2: Example of MIB retrieval
This Switch supports SNMPv1 (RFC 1157) and SNMPv2c (RFC 1901). When managing the network with the SNMP manager, use the SNMPv1 and SNMPv2c protocols. Note that SNMPv1 and SNMPv2c can be used simultaneously. In addition, the SNMP agent has functionality called a trap for reporting events (mainly failure information). By receiving traps, the SNMP manager can learn about changes in the state of the Switch without periodically polling for them. Note, however, that because traps use UDP, the Switch cannot verify whether a trap has actually arrived at the SNMP manager. Accordingly, some traps might not reach the SNMP manager because of network congestion. The following figure shows an example of a trap.
Figure 21-3: Example of a trap
21.1.2 MIB overview
The Switch manages two types of MIBs and provides them to the SNMP manager. One type contains information defined in RFCs, while the other contains information proprietary to the switch vendor. A MIB defined in an RFC is called a standard MIB; because it is standardized, the information it supplies is the same on every device. In contrast, a MIB proprietary to a switch vendor is called a private MIB, and the information it supplies varies from switch to switch. However, MIB operations (retrieving and setting information) are common to standard and private MIBs. The operation only requires specifying the Switch and the target MIB information: specify the Switch by its IP address and the MIB information by its object ID.
(1) MIB structure
A MIB has a tree structure, in which each node is assigned a number for identification. MIB information is uniquely identified by tracing the node numbers in sequence from the root. This number string is called an object ID; it is written by listing the node numbers from the root downward, separated by dots. For example, the object ID of the sysDescr MIB is expressed as 1.3.6.1.2.1.1.1. The following figure is an example of a MIB tree structure.
Figure 21-4: Example of a MIB tree structure
(2) Expressing MIB objects
An object ID is a set of numbers and dots (example: 1.3.6.1.2.1.1.1). Because a number-only
object ID is not easy to read, some managers allow the use of mnemonics, such as sysDescr for
the specification. When specifying the object ID with mnemonics, be sure to confirm in advance
the mnemonics the SNMP manager can use.
(3) Index
When an object ID is used to specify a MIB, some MIBs have a single instance and some have multiple sets of information. An index is used to identify each instance. The index is expressed by adding a number to the end of the object ID to indicate which occurrence of the information is meant.
When a MIB has only one instance, add 0 to the object ID of the MIB. When it has multiple sets of information, add a number to the end of the object ID to indicate the position of the instance. For example, ifType (1.3.6.1.2.1.2.2.1.2) is the MIB indicating an interface type. This Switch has multiple interfaces, so the type of a specific interface is specified as, for example, "the type of the second interface". When specifying this with a MIB, add the index .2 to the end of the MIB to indicate the second item, as in ifType.2 (1.3.6.1.2.1.2.2.1.2.2).
The index expression differs from MIB to MIB. A MIB entry expressed as INDEX {xxxxx,yyyyy,zzzzzz} in the MIB definition section of the RFC has xxxxx, yyyyy, and zzzzzz as indexes. Check the index for each MIB before executing MIB operations.
(4) MIBs supported by the Switch
This Switch provides the MIBs required for network management, such as for device status,
interface statistics, and device information for the Switch. For details about each MIB, see the
MIB Reference.
21.1.3 SNMPv1 and SNMPv2c operations
To collect and set management data (MIB: management information base), SNMP provides the following four operations.
• GetRequest: Retrieves information from the specified MIB.
• GetNextRequest: Retrieves information from the MIB next to the specified MIB.
• GetBulkRequest: Extended version of GetNextRequest.
• SetRequest: Sets the value for the specified MIB.
Each operation is performed for a Switch (SNMP agent) from the SNMP manager. A description
of each operation is given below.
(1) GetRequest operation
A GetRequest operation is used when the SNMP manager retrieves MIB information from a
Switch (an agent functionality). One or more MIBs can be specified for this operation.
When the Switch holds a target MIB, the GetResponse operation returns the MIB information.
When it does not hold the target MIB, the GetResponse operation returns noSuchName. The
following figure depicts the GetRequest operation.
Figure 21-5: GetRequest operation
In SNMPv2c, when the Switch does not hold the target MIB, the GetResponse operation
returns noSuchObject as the MIB value. The following figure depicts the GetRequest
operation for SNMPv2c.
Figure 21-6: GetRequest operation (SNMPv2c)
(2) GetNextRequest operation
The GetNextRequest operation is similar to the GetRequest operation. The GetRequest
operation is used to read the specified MIB while the GetNextRequest operation is used to
extract the MIB next to the specified MIB. One or more MIBs can be specified for this operation.
When the Switch holds the MIB next to the specified MIB, the GetResponse operation returns
the MIB. When the specified MIB is the last one, the GetResponse operation returns
noSuchName. The following figure depicts the GetNextRequest operation.
Figure 21-7: GetNextRequest operation
In SNMPv2c, when the specified MIB is the last one, the GetResponse operation returns
endOfMibView as the MIB value. The following figure depicts the GetNextRequest
operation.
Figure 21-8: GetNextRequest operation (SNMPv2c)
(3) GetBulkRequest operation
The GetBulkRequest operation is an extended GetNextRequest operation. It specifies a number of repetitions, so that as many MIBs as the specified number of repetitions can be retrieved starting from the item next to the specified MIB. One or more MIBs can be specified for this operation.
When the Switch holds as many MIBs as the specified number of repetitions after the specified MIB, the GetResponse operation returns them. When the specified MIB is the last one, or the last MIB is reached before the number of repetitions is exhausted, the GetResponse operation returns endOfMibView as the MIB value. The following figure depicts the GetBulkRequest operation.
Figure 21-9: GetBulkRequest operation
(4) SetRequest operation
The SetRequest operation is similar to the GetRequest, GetNextRequest, and GetBulkRequest operations in that it is executed on a Switch (agent functionality) from the SNMP manager, but unlike the other operations it writes a value rather than reading one.
The SetRequest operation carries a MIB and the value to set. When the value has been set, the GetResponse operation returns the MIB and the set value. The following figure depicts the SetRequest operation.
Figure 21-10: SetRequest operation
(5) Overview of the response when no MIB can be configured
No MIB can be configured in the following three cases:
• The MIB is read-only (including managers that belong to read-only communities).
• The setting value is not correct.
• Configuration is not possible because of the status of the Switch.
Each case returns a different response. When the MIB is read-only, the GetResponse operation returns noSuchName. In SNMPv2c, when the MIB is read-only, the GetResponse operation returns notWritable. The following figure depicts the SetRequest operation when the MIB is read-only.
Figure 21-11: SetRequest operation when the MIB variable is read-only
When the type of the setting value is not correct, the GetResponse operation returns badValue. In SNMPv2c, when the type of the setting value is not correct, the GetResponse operation returns wrongType. The following figure depicts the SetRequest operation when the type of the setting value is not correct.
Figure 21-12: SetRequest operation when the type of setting value is not correct
When configuration is not possible because of the status of the Switch, genError is returned.
For example, when an attempt is made to set a value on a Switch and when a setting timeout is
detected on the Switch, genError is returned. The following figure shows the SetRequest
operation when configuration is not possible because of the status of the Switch.
Figure 21-13: SetRequest operation when configuration is not possible because of the status of the Switch
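The object ID and index rules of 21.1.2 and the four operations of 21.1.3, with their SNMPv1 versus SNMPv2c results, as an added agent-side model (not ALAXALA code, and not the Switch's implementation). The MIB contents, the `busy` flag standing in for "configuration is not possible because of the status of the Switch", and the read-write sysName.0 object are constructed for this example; the error status codes are those of Table 21-1.

```python
"""Toy SNMP agent model for 21.1.2 and 21.1.3 (added illustration, not ALAXALA code).

Shows object IDs with an index suffix, the tree order GetNextRequest walks, and
the SNMPv1 versus SNMPv2c results of Get/GetNext/GetBulk/Set with the error
status codes of Table 21-1. All MIB contents are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

OID = Tuple[int, ...]

# Error status codes from Table 21-1 (only those used here).
NO_ERROR, NO_SUCH_NAME, BAD_VALUE, GEN_ERROR = 0, 2, 3, 5
WRONG_TYPE, NOT_WRITABLE = 7, 17
# SNMPv2c exception values returned in place of a MIB value (21.1.3).
NO_SUCH_OBJECT, END_OF_MIB_VIEW = "noSuchObject", "endOfMibView"


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0); a leading dot is allowed."""
    return tuple(int(part) for part in text.strip(".").split("."))


def with_index(column: str, index: int) -> OID:
    """Append an index to a column OID, e.g. ifType + 2 -> ifType.2 (21.1.2 (3))."""
    return parse_oid(column) + (index,)


@dataclass
class MibObject:
    value: Any
    writable: bool = False


@dataclass
class Agent:
    version: str                                    # "v1" or "v2c"
    mib: Dict[OID, MibObject] = field(default_factory=dict)
    busy: bool = False  # constructed stand-in for "status of the Switch" refusals

    def _successor(self, oid: OID) -> Optional[OID]:
        # Tuple comparison is the lexicographic order of the MIB tree; a column
        # OID without an index sorts just before its own first instance.
        later = [o for o in self.mib if o > oid]
        return min(later) if later else None

    def get(self, oid: OID) -> Tuple[int, Any]:
        """GetRequest -> (errorStatus, value)."""
        if oid in self.mib:
            return NO_ERROR, self.mib[oid].value
        if self.version == "v1":
            return NO_SUCH_NAME, None                # Figure 21-5
        return NO_ERROR, NO_SUCH_OBJECT              # Figure 21-6

    def get_next(self, oid: OID) -> Tuple[int, Optional[OID], Any]:
        """GetNextRequest -> (errorStatus, nextOid, value)."""
        nxt = self._successor(oid)
        if nxt is not None:
            return NO_ERROR, nxt, self.mib[nxt].value
        if self.version == "v1":
            return NO_SUCH_NAME, None, None          # Figure 21-7
        return NO_ERROR, None, END_OF_MIB_VIEW       # Figure 21-8

    def get_bulk(self, oid: OID, repetitions: int) -> List[Tuple[Optional[OID], Any]]:
        """GetBulkRequest (SNMPv2c only): up to `repetitions` successors of oid,
        padded with endOfMibView once the last object has been passed."""
        if self.version != "v2c":
            raise ValueError("GetBulkRequest exists only in SNMPv2c")
        out: List[Tuple[Optional[OID], Any]] = []
        cur = oid
        for _ in range(repetitions):
            nxt = self._successor(cur)
            if nxt is None:
                out.append((None, END_OF_MIB_VIEW))  # Figure 21-9
                continue
            out.append((nxt, self.mib[nxt].value))
            cur = nxt
        return out

    def set(self, oid: OID, value: Any) -> int:
        """SetRequest -> errorStatus, covering the three failure cases of 21.1.3 (5)."""
        obj = self.mib.get(oid)
        if obj is None or not obj.writable:          # read-only (Figure 21-11)
            return NO_SUCH_NAME if self.version == "v1" else NOT_WRITABLE
        if type(value) is not type(obj.value):       # wrong type (Figure 21-12)
            return BAD_VALUE if self.version == "v1" else WRONG_TYPE
        if self.busy:                                # Switch status (Figure 21-13)
            return GEN_ERROR
        obj.value = value
        return NO_ERROR


def sample_agent(version: str) -> Agent:
    """Constructed MIB: sysDescr.0 and sysName.0 from the system group, and
    ifType for two interfaces (sysName.0 is the only read-write object here)."""
    return Agent(version, {
        with_index("1.3.6.1.2.1.1.1", 0): MibObject("sample switch"),
        with_index("1.3.6.1.2.1.1.5", 0): MibObject("sw-a", writable=True),
        with_index("1.3.6.1.2.1.2.2.1.2", 1): MibObject(6),   # ethernetCsmacd
        with_index("1.3.6.1.2.1.2.2.1.2", 2): MibObject(6),
    })
```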
(6) Operation restrictions by communities
In SNMPv1 and SNMPv2c, the SNMP managers allowed to execute operations can be restricted on the basis of the concept of a community. A community is a group to which the SNMP manager that executes operations and the SNMP agents are assigned. To execute MIB operations, the SNMP manager and the SNMP agent must belong to the same group (community). The following figure depicts the operation of a community.
Figure 21-14: Community operations
Switch A belongs to the public community and localnetwork community, but it does not
belong to the othernetwork community. In this case, switch A accepts MIB operations
requested by the SNMP managers A and B in the public community and localnetwork
community, but it does not accept MIB operations requested by the SNMP manager C in the
othernetwork community.
(7) Operation restrictions by IP addresses
For security, the Switch can be configured so that it does not accept MIB operations unless the combination of the community and the IP address of the SNMP manager matches the access list. When SNMPv1 and SNMPv2c are used on the Switch, the communities must be registered by means of the configuration command. Each community is specified as a character string. Note that public is often used as the community name.
(8) SNMP operation error status codes
When an error occurs during an operation, the SNMP agent sets an error code as the error status and returns it in the GetResponse operation. The response also carries, as the error index, the position of the MIB value in which the error occurred. When the result of an operation is normal, a code indicating no error is set as the error status and the GetResponse operation returns the MIB information for the operation actually executed. The following table summarizes the error status codes.
Table 21-1: Error status codes
Error status | Code | Description
noError | 0 | Error not found
tooBig | 1 | Data size too large to be set as a value in the PDU
noSuchName | 2 | Specified MIB not found or writing not allowed
badValue | 3 | Setting value invalid
readOnly | 4 | Writing failed (the Switch does not return this status code)
genError | 5 | Some other type of error found
noAccess | 6 | Set operation attempted for a MIB that cannot be accessed
wrongType | 7 | Specified type different from that required for a MIB
wrongLength | 8 | Specified length different from data length required for a MIB
wrongEncoding | 9 | ASN.1 code not valid
wrongValue | 10 | MIB value not valid
noCreation | 11 | Corresponding MIB not found
inconsistentValue | 12 | Value setting not possible at present for some reason
resourceUnavailable | 13 | Resource not available to set a value
commitFailed | 14 | Value update failed
undoFailed | 15 | Failed to restore the original value from the updated value at update failure
notWritable | 17 | Setting not possible
inconsistentName | 18 | Creation not possible at present because the MIB does not exist
21.1.4 Traps
(1) Overview of traps
Each SNMP agent has functionality called a trap for event notifications (mainly information about failures or log information). A trap is an asynchronous notification of an important event from the SNMP agent to the SNMP manager. The SNMP manager can detect status changes of the Switch by receiving trap notifications and, based on a notification, can retrieve MIBs from the Switch to obtain more detailed information.
Note, however, that because traps use UDP, delivery of a trap from the Switch to the SNMP manager is not verified. Accordingly, some traps might not reach the SNMP manager because of network congestion. The following figure is an example of a trap.
Figure 21-15: Example of a trap
(2) Trap format
A trap frame contains the IP address of the Switch on which the event occurred, together with information about what happened and when it happened. The following figure shows the trap format.
Figure 21-16: Trap format
21.1.5 RMON MIB
The Remote Network Monitoring (RMON) functionality provides Ethernet statistics, event generation by checking the collected statistics against threshold values, and packet capture. RMON is defined in RFC 1757.
This section provides an overview of the statistics, history, alarm, and event groups of the RMON MIB.
(1) Statistics group
The statistics group collects basic statistics about each subnetwork being monitored. For
example, it collects the total number of packets in a subnetwork, the number of packets for each
packet type, such as broadcast packets, and the number of errors, which include CRC errors and
collision errors. The use of the statistics group enables the collection of statistics about
subnetwork traffic conditions and line status.
(2) History group
The history group periodically samples statistics that are almost the same as the information collected by the statistics group and holds the samples as history information.
The history group includes the control table historyControlTable and the data table etherHistoryTable. The historyControlTable is the MIB used to set the sampling interval and the number of history records. The etherHistoryTable is the MIB that holds the history records of the sampled statistics. Because the history group holds the statistics on the Switch for a certain period of time, the network carries less load than when the SNMP manager polls regularly to collect the statistics, and statistics can be obtained continuously over a certain period of time.
(3) Alarm group
The alarm group is a MIB for setting a check interval and a threshold value for the MIBs to be monitored, keeping a log when a MIB reaches the threshold value, and specifying that a trap is issued to the SNMP manager.
For example, the alarm group can log information or issue a trap to the SNMP manager if it detects that no packets were received ten or more consecutive times within the five-minute period set as the sampling period. Use of the alarm group assumes that the event group is configured as well.
(4) Event group
The event group consists of the eventTable MIB, which specifies the operation to be executed when a MIB threshold set in the alarm group is exceeded, and the logTable MIB, which keeps the log when the threshold value is exceeded.
The eventTable MIB determines whether to keep a log, issue a trap to the SNMP manager, do both, or do nothing.
The logTable MIB keeps the log on the Switch when the eventTable specifies logging. Because the number of log entries allowed on the Switch is fixed, adding a new entry when that number is exceeded causes the old entry to be deleted. Special care must be taken, because earlier log entries might be lost unless they are periodically saved on the SNMP manager.
21.2 Configuration
21.2.1 List of configuration commands
The following table lists the SNMP/RMON configuration commands.
Table 21-2: List of configuration commands
Command | Description
hostname | Sets the host name of a Switch. This setting is equivalent to sysName defined in RFC 1213.
rmon alarm | Sets the control information of the RMON (RFC 1757) alarm group.
rmon collection history | Sets the control information for the statistics history of the RMON (RFC 1757) Ethernet.
rmon event | Sets the control information for an RMON (RFC 1757) event group.
snmp-server community | Sets an SNMP community.
snmp-server contact | Sets the contact information about the Switch. This setting is equivalent to sysContact defined in RFC 1213.
snmp-server host | Registers the network management device (SNMP manager) to which traps are sent.
snmp-server location | Sets the name of the location where the Switch is installed. This setting is equivalent to sysLocation defined in RFC 1213.
snmp-server traps | Sets a trigger (timing) for issuing a trap.
snmp trap link-status | Prevents a trap (SNMP link down or up trap) from being sent when a link-up failure or a link-down failure occurs on a line.
21.2.2 Configuring MIB access permissions in SNMPv1 and SNMPv2c
Overview
The example below shows how to configure access permissions for the MIB of the Switch from the SNMP manager.
To allow only a specific SNMP manager to access the Switch, the IP address of the manager's terminal must be registered in advance to grant access permission by means of the configuration command ip access-list standard. Note that only one access list can be specified per community.
Configuration command example
1. (config)# ip access-list standard SNMPMNG
   (config-std-nacl)# permit host 128.1.1.2
   (config-std-nacl)# exit
   Configures an access list to allow access from the IP address 128.1.1.2.
2. (config)# snmp-server community "NETWORK" ro SNMPMNG
   Configures the MIB access mode for the community of the SNMP manager and the applicable access list.
   • Community name: NETWORK
   • Access list: SNMPMNG
   • Access mode: read only
Notes
• An access list for use by the Switch does not depend on the settings of the flow detection mode.
• An IP address meeting a permit condition is subject to access permission. An IP address meeting a deny condition is subject to access rejection. An implicit deny condition for all IP addresses is set at the end of the IP access list. In this example, the permit condition is defined in one line. When this permit condition is not met, access is rejected because the implicit deny condition is assumed to have been met.
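The checks described in (7) Operation restrictions by IP addresses and in this example (community, access list with an implicit deny, read-only access mode) can be modelled as follows. This is an added Python illustration, not code from the manual or the Switch; the class and function names are hypothetical, and the second access list and the community without a list are constructed to show an explicit deny and the absence of IP restriction.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    """One line of an 'ip access-list standard' list (hypothetical model)."""
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # "host A.B.C.D" is stored as a /32


@dataclass
class SnmpPolicy:
    """Communities and the access lists they reference (hypothetical model)."""
    acls: dict = field(default_factory=dict)         # ACL name -> [AclEntry]
    communities: dict = field(default_factory=dict)  # community -> (mode, ACL name or None)


def parse_config(text):
    """Build a policy from the two configuration commands used on this page.

    Understands 'ip access-list standard NAME' with 'permit|deny host A.B.C.D'
    lines, 'exit', and 'snmp-server community "NAME" ro|rw [ACL]'.  Other
    lines are ignored.  This is an illustration, not the Switch's own parser;
    treating the ACL argument as optional is an assumption of the model.
    """
    policy = SnmpPolicy()
    current_acl = None
    for raw in text.splitlines():
        words = shlex.split(raw)        # shlex drops the quotes around "NETWORK"
        if not words:
            continue
        if words[:3] == ["ip", "access-list", "standard"]:
            current_acl = words[3]
            policy.acls.setdefault(current_acl, [])
        elif words[0] in ("permit", "deny") and current_acl is not None:
            if len(words) != 3 or words[1] != "host":
                raise ValueError("only 'permit|deny host A.B.C.D' is modelled: " + raw)
            net = ipaddress.IPv4Network(words[2] + "/32")
            policy.acls[current_acl].append(AclEntry(words[0], net))
        elif words[0] == "exit":
            current_acl = None
        elif words[:2] == ["snmp-server", "community"]:
            name, mode = words[2], words[3]
            policy.communities[name] = (mode, words[4] if len(words) > 4 else None)
    return policy


def acl_permits(entries, src):
    """First matching entry wins; the implicit deny ends every list."""
    for entry in entries:
        if src in entry.network:
            return entry.action == "permit"
    return False


def check_request(policy, community, src_ip, operation):
    """Decide whether a Get ('get') or Set ('set') request from src_ip using
    the given community is accepted.  Returns (accepted, reason)."""
    src = ipaddress.IPv4Address(src_ip)
    if community not in policy.communities:
        return False, "unknown community"
    mode, acl_name = policy.communities[community]
    if acl_name is not None and not acl_permits(policy.acls.get(acl_name, []), src):
        return False, "source %s denied by access list %s" % (src, acl_name)
    if operation == "set" and mode != "rw":
        return False, "community %s is read-only" % community
    return True, "accepted"


# Constructed configuration: the page's example, plus a second list showing
# that an earlier deny line wins over a later permit for the same host, and
# a community with no access list, which accepts requests from any address.
CONFIG = """
ip access-list standard SNMPMNG
 permit host 128.1.1.2
 exit
ip access-list standard OPS
 deny host 10.0.0.9
 permit host 10.0.0.9
 permit host 10.0.0.10
 exit
snmp-server community "NETWORK" ro SNMPMNG
snmp-server community "OPSRW" rw OPS
snmp-server community "OPEN" ro
"""

POLICY = parse_config(CONFIG)

if __name__ == "__main__":
    for args in [("NETWORK", "128.1.1.2", "get"),   # permitted, read
                 ("NETWORK", "128.1.1.3", "get"),   # implicit deny
                 ("NETWORK", "128.1.1.2", "set"),   # ro community
                 ("OPSRW", "10.0.0.9", "set"),      # explicit deny wins
                 ("OPSRW", "10.0.0.10", "set"),     # rw, permitted
                 ("OPEN", "203.0.113.5", "get")]:   # no list: any address
        print(args, check_request(POLICY, *args))
```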
21.2.3 Configuring the sending of traps in SNMPv1 and SNMPv2c
Overview
The example below shows how to register an SNMP manager for issuing a trap.
Configuration command example
1. (config)# snmp-server host 128.1.1.2 traps "NETWORK" version 1 snmp
   Configures an SNMP manager to issue standard traps.
   • Community name: NETWORK
   • SNMP manager IP address: 128.1.1.2
   • Traps to be issued: Standard traps
21.2.4 Suppressing link traps
By default, the Switch issues an SNMP trap when a link-up or link-down failure occurs on an Ethernet interface. The sending of link traps can be suppressed for each Ethernet interface through the configuration. For example, unnecessary processing by the Switch, the network, and the SNMP manager can be eliminated by sending link traps only for important lines, such as those connecting to servers, and suppressing link traps on other lines.
Overview
The example below shows how to decide the contents of the link trap configuration according to the operation policies of the entire network.
Figure 21-17: Link trap configuration diagram
As seen in the above figure, no configuration is required for port 0/1 because traps are sent. In contrast, port 0/12 must be configured so that no traps are sent.
Configuration command example
1. (config)# interface fastethernet 0/12
   (config-if)# no snmp trap link-status
   (config-if)# exit
   Configures the port so that no traps are sent when a link-up or link-down failure occurs.
21.2.5 Configuring control information for the RMON Ethernet history group
Overview
The example below shows how to configure the control information for the RMON (RFC 1757) Ethernet statistics history information. The command can configure a maximum of 32 entries. The SNMP manager must be registered in advance.
Configuration command example
1. (config)# interface fastethernet 0/5
   Moves to the interface mode for port 0/5.
2. (config-if)# rmon collection history controlEntry 33 owner "NET-MANAGER" buckets 10
   (config-if)# exit
   Configures the identification number of the control information for statistics history information, the identification information of the person responsible for the configuration, and the number of history entries for storing statistics.
   • Information identification number: 33
   • Number of entries obtained for the history information: 10
   • Identification information about the person responsible for the configuration: NET-MANAGER
21.2.6 Threshold check for specific MIB values by RMON
Overview
The example below shows how to configure the Switch so that a threshold value for a specific MIB value is checked regularly, and the SNMP manager is notified of an event when the threshold value is exceeded. When specifying a trap as the event execution method, the trap mode must be configured in advance.
Configuration command example
1. (config)# rmon event 3 log trap public
   Configures an event to be executed when an alarm is generated.
   • Information identification number: 3
   • Event execution method: log, trap
   • Trap-sending community name: public
2. (config)# rmon alarm 12 "ifOutDiscards.3" 256111 delta rising-threshold 400000 rising-event-index 3 falling-threshold 100 falling-event-index 3 owner "NET-MANAGER"
   Configures the control information for the RMON alarm group under the following conditions:
   • Control information identification number for the RMON alarm group: 12
   • Object identifier for the MIB used for checking the threshold: ifOutDiscards.3
   • Time interval for checking the threshold: 256,111 seconds
   • Method for checking the threshold: difference value check (delta)
   • Upper threshold value: 400000
   • Identification number of the method for generating an event if the upper threshold is exceeded: 3
   • Lower threshold value: 100
   • Identification number of the method for generating an event if the lower threshold is exceeded: 3
   • Identification information of the person responsible for configuration: NET-MANAGER
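The alarm and event settings above behave as follows under the RFC 1757 alarm semantics. This is an added Python simulation, not the Switch's implementation or code from the manual; the class and function names, the layout of the log and trap records, and the ifOutDiscards.3 readings are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RmonEvent:
    """An 'rmon event' entry: what to do when an alarm fires."""
    index: int
    do_log: bool
    do_trap: bool
    community: Optional[str] = None


@dataclass
class RmonAlarm:
    """Control information from 'rmon alarm' (RFC 1757 alarmTable)."""
    index: int
    variable: str          # monitored MIB object, e.g. "ifOutDiscards.3"
    interval: int          # seconds between samples
    sample_type: str       # "absolute" or "delta"
    rising_threshold: int
    rising_event: int      # rising-event-index (0 = no event)
    falling_threshold: int
    falling_event: int     # falling-event-index (0 = no event)
    owner: str = ""
    last_raw: Optional[int] = None   # previous raw reading for delta sampling
    armed: str = "both"              # which event may fire next


def delta32(prev, cur):
    """Difference between two Counter32 readings, tolerating one wrap."""
    return (cur - prev) % (1 << 32)


class RmonAgent:
    """Hypothetical agent that evaluates alarms and executes their events."""

    def __init__(self, events, alarms):
        self.events = {e.index: e for e in events}
        self.alarms = {a.index: a for a in alarms}
        self.log = []    # what the logTable would keep
        self.traps = []  # what would be sent to the SNMP manager

    def _fire(self, alarm, event_index, kind, value):
        event = self.events.get(event_index)
        if event is None:          # index 0 or unknown: nothing is executed
            return
        record = {"alarm": alarm.index, "variable": alarm.variable,
                  "kind": kind, "value": value, "event": event.index}
        if event.do_log:
            self.log.append(record)
        if event.do_trap:
            self.traps.append(dict(record, community=event.community))

    def sample(self, alarm_index, raw):
        """Feed one reading taken at the alarm's interval; return "rising",
        "falling" or None.  RFC 1757 hysteresis: after a rising event no further
        rising event fires until the value has dropped to the falling threshold
        (and vice versa), so a counter that stays high fires only once."""
        alarm = self.alarms[alarm_index]
        if alarm.sample_type == "delta":
            if alarm.last_raw is None:     # first reading: nothing to compare
                alarm.last_raw = raw
                return None
            value = delta32(alarm.last_raw, raw)
            alarm.last_raw = raw
        else:
            value = raw
        if value >= alarm.rising_threshold and alarm.armed in ("both", "rising"):
            self._fire(alarm, alarm.rising_event, "rising", value)
            alarm.armed = "falling"
            return "rising"
        if value <= alarm.falling_threshold and alarm.armed in ("both", "falling"):
            self._fire(alarm, alarm.falling_event, "falling", value)
            alarm.armed = "rising"
            return "falling"
        return None


# The page's settings: 'rmon event 3 log trap public' and 'rmon alarm 12
# "ifOutDiscards.3" 256111 delta rising-threshold 400000 rising-event-index 3
# falling-threshold 100 falling-event-index 3 owner "NET-MANAGER"'.
EVENTS = [RmonEvent(3, do_log=True, do_trap=True, community="public")]
ALARMS = [RmonAlarm(12, "ifOutDiscards.3", 256111, "delta",
                    400000, 3, 100, 3, owner="NET-MANAGER")]

# Constructed readings of ifOutDiscards.3 at successive intervals: +500000
# (rising), +450000 (still high, no repeat), +50 (falling), +549950 (rising).
READINGS = [0, 500000, 950000, 950050, 1500000]


def run_scenario(readings=READINGS):
    """Run the readings through a fresh agent; return (events fired, agent)."""
    agent = RmonAgent(EVENTS, ALARMS)
    return [agent.sample(12, r) for r in readings], agent


if __name__ == "__main__":
    fired, agent = run_scenario()
    print(fired)   # [None, 'rising', None, 'falling', 'rising']
    print(len(agent.log), "log entries,", len(agent.traps), "traps")
```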
21.2.7 Confirmation of communication with the SNMP manager
When configuring the SNMP agent functionality for network management by the SNMP protocol, confirm the following items:
• The SNMP manager on the network must be able to obtain a MIB for the Switch.
• The SNMP trap must have been sent from the Switch to the SNMP manager on the network.
The procedure for this confirmation is given below. For details about the MIBs that can be obtained from the Switch, see 1. Overview of Supported MIBs in the manual MIB Reference. For details about traps that are sent from the Switch, see 4.2 Supported Trap-PDU parameters in the manual MIB Reference.
1. Execute the operation command ping by specifying the IP address of the SNMP manager to confirm that IP communication with the SNMP manager can be made from the Switch. If no IP communication can be made, see the Troubleshooting Guide.
2. Confirm that the SNMP manager can obtain a MIB for the Switch. If it cannot obtain the MIB, see the Troubleshooting Guide.
22. Log Output Functionality
This chapter describes the log output functionality of this Switch.
22.1 Description
22.2 Configuration
22.1 Description
This Switch logs information on operation and failures into an operation log. The operation log is stored on the Switch, and its information allows management of the operation status of the device and the monitoring of failures. The operation log records the events that occur during operation of the device in the order they occurred. The following information is stored in the operation log:
• User command operations and response messages
• Operation information generated by the device
• Device failure logs
These logs are stored on the device in text format and can be checked via the operation command show logging. In addition, device failure logs can be checked via the operation command show critical-logging. The log information collected by this device can be sent to other devices on the network (for example, UNIX workstations) via the syslog interface by using the syslog functionality.#1, #2
#1 Functionality to receive syslog messages from other devices is not supported.
#2 For syslog messages generated by this Switch, the HOSTNAME and TIMESTAMP fields of the HEADER defined by RFC 3164 are not set. To add HOSTNAME and TIMESTAMP, use the configuration command logging syslog-header. The following diagram shows the syslog server output format when this command is set.
Figure 22-1: Syslog server output format
By setting the configuration command logging syslog-header, (2) to (4) are added. In addition, by setting the configuration command hostname, the following character string is added to the (3) HOSTNAME field:
• If the configuration command hostname is not set: AX1200S
• If the configuration command hostname is set: the set character string
However, if the set character string includes a space, AX1200S is used.
For details of (5) to (8) in the diagram, see the manual Message Log Reference. However, because the message indicated by AUT in (5) in the diagram is the account log of the Layer 2 authentication functionality, see the manual Operation Command Reference.
In addition, the use of the operation command trace-monitor allows the operation log to be displayed on the monitor of the operation terminal (console). For details on the monitor display, see 9. Switch Management in the Configuration Guide Vol. 1.
22.2 Configuration
22.2.1 List of configuration commands
The following table lists the configuration commands related to log output functionality.
Table 22-1: List of configuration commands (settings related to syslog output)
Command | Description
logging event-kind | Sets the event type of the log information to be sent to the syslog server.
logging facility | Sets the facility to output the log information through the syslog interface.
logging host | Sets the output destination of the log information.
logging trap | Sets the priority of the log information to be sent to the syslog server.
logging syslog-header | Adds HOSTNAME, TIMESTAMP, or a functionality number to the message to be sent to the syslog server.
22.2.2 Configuring output of the log to syslog
Overview
The example below shows how to send the collected log information to a syslog server by using the syslog output functionality.
Configuration command example
1. (config)# logging host 192.168.101.254
   Sets the output destination of the log information to the syslog server at IP address 192.168.101.254.
22.2.3 Configuring addition of the HEADER part to log data output to syslog
Overview
The example below shows how to add HOSTNAME, TIMESTAMP, or a functionality number to the HEADER part of a syslog message.
Configuration command example
1. (config)# logging syslog-header
   Adds HOSTNAME, TIMESTAMP, or a functionality number to the HEADER part of a syslog message.
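A collector-side check for the behaviour described in footnote #2 of 22.1 and configured here: a Switch without logging syslog-header sends messages whose RFC 3164 HEADER has no TIMESTAMP or HOSTNAME, so the collector can attribute them only by source address. This is an added Python example, not from the manual; the function names, the source addresses, the hostname and the message text after the HEADER are constructed and do not reproduce the Switch's real message format.

```python
import re
from collections import defaultdict

# RFC 3164: "<PRI>" then, if present, "Mmm dd hh:mm:ss HOSTNAME " (the day is
# space-padded, e.g. "Jan  5"), then the MSG part.
PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d (\S+) ")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def classify(src_ip, line):
    """Split one received syslog line into PRI fields, optional HEADER and MSG."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return {"src": src_ip, "valid": False, "reason": "missing or out-of-range PRI"}
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    rest = line[m.end():]
    h = HEADER_RE.match(rest)
    return {
        "src": src_ip,
        "valid": True,
        "facility": facility,
        "severity": SEVERITY_NAMES[severity],
        "has_header": h is not None,
        "hostname": h.group(1) if h else None,   # None: attribute by src_ip only
        "msg": rest[h.end():] if h else rest,
    }


def audit(records):
    """records: iterable of (source IP, raw line).  Returns, per source, how many
    lines carried an RFC 3164 HEADER and how many did not, plus the senders on
    which logging syslog-header should be set."""
    counts = defaultdict(lambda: {"with_header": 0, "without_header": 0, "invalid": 0})
    for src_ip, line in records:
        rec = classify(src_ip, line)
        if not rec["valid"]:
            counts[src_ip]["invalid"] += 1
        elif rec["has_header"]:
            counts[src_ip]["with_header"] += 1
        else:
            counts[src_ip]["without_header"] += 1
    needs_header = sorted(ip for ip, c in counts.items() if c["without_header"])
    return dict(counts), needs_header


# Constructed sample: 192.0.2.10 has logging syslog-header set (hostname
# "SW-FLOOR1"), 192.0.2.11 has the default setting (no TIMESTAMP/HOSTNAME),
# and the line from 192.0.2.12 is not a syslog message at all.
SAMPLE = [
    ("192.0.2.10", "<190>Jan  5 09:12:01 SW-FLOOR1 constructed message one"),
    ("192.0.2.10", "<187>Jan 15 09:12:02 SW-FLOOR1 constructed message two"),
    ("192.0.2.11", "<190>constructed message three"),
    ("192.0.2.11", "<189>constructed message four"),
    ("192.0.2.12", "garbage without a PRI field"),
]

if __name__ == "__main__":
    counts, fix = audit(SAMPLE)
    for ip, c in sorted(counts.items()):
        print(ip, c)
    print("set logging syslog-header on:", fix)
```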
Part 7
Management of Neighboring Device Information
23. LLDP
This chapter includes descriptions of LLDP, which is functionality to collect information about
neighboring devices of the Switch, and how to use the functionality.
23.1 Description
23.2 Configuration
23.3 Operation
23.1 Description
23.1.1 Overview
LLDP (Link Layer Discovery Protocol) is a protocol to collect information about neighboring
devices. The goal of the functionality is to enable easy examination of information about
connected devices for operation and maintenance.
(1) Application example of LLDP
The LLDP functionality sends information about the Switch and about the target port to each
port connected to neighboring devices. Managing the information about neighboring devices
received at the target port allows you to understand the connection status between the Switch
and neighboring devices. The diagram below shows an example of LLDP application. In this
example, Switch A is installed on the 1st floor and understands the connection status between
neighboring Switch B and Switch C, which are installed on other floors in the same building.
Figure 23-1: Example of LLDP application
23.1.2 Supported specifications
The supported information distributed to neighboring devices by using this functionality
includes information unique to the Switch as extended functionality based on IEEE 802.1AB
Draft 6. The following table shows the supported information.
Table 23-1: Information supported by LLDP
No. | Name | Description
1 | End Of LDPDU | LDPDU terminal identifier
2 | Time-to-Live | Information retention period
3 | Chassis ID | Identifier of the device
4 | Port ID | Port identifier
5 | Port description | Port type
6 | System name | Device name
7 | System description | Device type
8 -- | Organizationally-defined TLV extensions | TLV uniquely defined by the vendor or organization
8 a | VLAN ID | VLAN ID being set
8 b | VLAN Address | IP address associated with a VLAN
Legend --: Not available
Details of the information supported by LLDP are described below.
For details on MIB, see the manual MIB Reference.
(1) Time-to-Live (information retention period)
Indicates the time for which the receiving side retains the distributed information. The retention time can be changed via the configuration, but we recommend using the default value.
(2) Chassis ID (device identifier)
The chassis ID identifies the device. The subtype is defined for this information and the contents sent vary depending on the subtype. The table below shows the subtypes and contents to be sent.
Table 23-2: Subtype list of Chassis ID
Subtype | Type | Contents to be sent
1 | Chassis component | The same value as entPhysicalAlias of Entity MIB
2 | Chassis interface | The same value as ifAlias of interface MIB
3 | Port | The same value as portEntPhysicalAlias of Entity MIB
4 |Backplane component | The same value as backplaneEntPhysicalAlias of Entity MIB
5 | MAC address | The same value as macAddress of LLDP MIB
6 | Network address | The same value as networkAddress of LLDP MIB
7 | Locally assigned | The same value as local of LLDP MIB
Transmission/reception conditions for Chassis ID are as follows:
• Transmission: Only subtype = 5 is sent. The MAC address of the device is sent.
• Reception: All subtypes shown above can be received.
• Max. length for received data: 255 bytes
(3) Port ID (port identifier)
Port ID identifies the port. The subtype is defined for this information and the contents sent vary depending on the subtype. The table below shows the subtype and the contents sent.
Table 23-3: Subtype list of Port ID
Subtype | Type | Contents to be sent
1 | Port | The same value as ifAlias of Interface MIB
2 | Port component | The same value as portEntPhysicalAlias of Entity MIB
3 | Backplane component | The same value as backplaneEntPhysicalAlias of Entity MIB
4 | MAC address | The same value as macAddr of LLDP MIB
5 | Network address | The same value as networkAddr of LLDP MIB
6 | Locally assigned | The same value as local of LLDP MIB
Transmission/reception conditions for Port ID are as follows:
• Transmission: Only subtype = 4 is sent. The MAC address of a target port is sent.
• Reception: All subtypes shown above can be received.
• Max. length for received data: 255 bytes
(4) Port description (port type)
This information indicates the port type. There is no subtype for this information. Transmission contents and reception conditions are as follows:
• Transmission contents: Same value as ifDescr of Interface MIB
• Max. length for received data: 255 bytes
(5) System name (device name)
This information indicates the device name. There is no subtype for this information. Transmission contents and reception conditions are as follows:
• Transmission contents: Same value as sysName of system MIB
• Max. length for received data: 255 bytes
(6) System description (device type)
This information indicates the device type. There is no subtype for this information. Transmission contents and reception conditions are as follows:
• Transmission contents: Same value as sysDescr of system MIB
• Max. length for received data: 255 bytes
(7) Organizationally defined TLV extensions
The information below is unique to the Switch.
(a) VLAN ID
This indicates the VLAN ID of the VLAN Tag used by a target port. This information is valid only for a trunk port.
(b) VLAN Address
If there is a VLAN for which IP addresses are set, this information indicates the VLAN ID and one of the IP addresses.
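To make the TLV list in Table 23-1 and the subtype tables concrete, the following is an added Python encoder/decoder for an LLDPDU; it is not code from the manual or the Switch. It uses the IEEE 802.1AB TLV type codes (End 0, Chassis ID 1, Port ID 2, TTL 3, Port description 4, System name 5, System description 6, organizationally specific 127), which is an assumption about the Draft 6 implementation, while the subtype names follow this page's tables (MAC address is chassis subtype 5 and port subtype 4 here, unlike the final standard); the MAC addresses and descriptions are constructed from the show lldp detail output on this page.

```python
import struct

# TLV type codes from IEEE 802.1AB (assumption: Draft 6 uses the same codes).
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESC, SYS_NAME, SYS_DESC, ORG_SPECIFIC = 4, 5, 6, 127
STRING_TLVS = {PORT_DESC: "port_desc", SYS_NAME: "sys_name", SYS_DESC: "sys_desc"}

# Subtype names as listed in Table 23-2 and Table 23-3 on this page.
CHASSIS_SUBTYPES = {1: "chassis component", 2: "chassis interface", 3: "port",
                    4: "backplane component", 5: "MAC address",
                    6: "network address", 7: "locally assigned"}
PORT_SUBTYPES = {1: "port", 2: "port component", 3: "backplane component",
                 4: "MAC address", 5: "network address", 6: "locally assigned"}
MAX_RX_LEN = 255   # "Max. length for received data: 255 bytes"


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length, then the value."""
    if not 0 <= len(value) < 512:
        raise ValueError("value does not fit a 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def fmt_mac(raw):
    """Dotted form used by show lldp, e.g. 00ed.f031.0001."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def build_lldpdu(chassis_mac, port_mac, ttl, port_desc, sys_name, sys_desc):
    """Constructed LLDPDU in the form this page says the Switch transmits:
    Chassis ID subtype 5 (MAC address) and Port ID subtype 4 (MAC address)."""
    return (tlv(CHASSIS_ID, bytes([5]) + chassis_mac)
            + tlv(PORT_ID, bytes([4]) + port_mac)
            + tlv(TTL, struct.pack("!H", ttl))
            + tlv(PORT_DESC, port_desc.encode("ascii"))
            + tlv(SYS_NAME, sys_name.encode("ascii"))
            + tlv(SYS_DESC, sys_desc.encode("ascii"))
            + tlv(END_OF_LLDPDU, b""))


def iter_tlvs(pdu):
    """Yield (type, value) pairs up to and including the End Of LLDPDU TLV."""
    offset = 0
    while offset + 2 <= len(pdu):
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        yield tlv_type, pdu[offset:offset + length]
        offset += length
        if tlv_type == END_OF_LLDPDU:
            return
    raise ValueError("End Of LLDPDU TLV missing")


def parse_lldpdu(pdu):
    """Decode a received LLDPDU into a neighbor record, enforcing the mandatory
    order Chassis ID, Port ID, TTL, the subtypes this page says can be received,
    and the 255-byte receive limit; anything else raises ValueError so that a
    malformed frame never becomes a neighbor entry."""
    neighbor = {}
    expected = [CHASSIS_ID, PORT_ID, TTL]
    for tlv_type, value in iter_tlvs(pdu):
        if expected and tlv_type != expected.pop(0):
            raise ValueError("mandatory TLVs must be Chassis ID, Port ID, TTL")
        if tlv_type in (CHASSIS_ID, PORT_ID):
            table = CHASSIS_SUBTYPES if tlv_type == CHASSIS_ID else PORT_SUBTYPES
            if not value or value[0] not in table or len(value) - 1 > MAX_RX_LEN:
                raise ValueError("bad ID subtype or length")
            kind, body = table[value[0]], value[1:]
            key = "chassis_id" if tlv_type == CHASSIS_ID else "port_id"
            neighbor[key] = (kind, fmt_mac(body) if kind == "MAC address" else body)
        elif tlv_type == TTL:
            if len(value) != 2:
                raise ValueError("TTL must be 2 bytes")
            (neighbor["ttl"],) = struct.unpack("!H", value)
        elif tlv_type in STRING_TLVS:
            if len(value) > MAX_RX_LEN:
                raise ValueError("string TLV longer than 255 bytes")
            neighbor[STRING_TLVS[tlv_type]] = value.decode("ascii", "replace")
        elif tlv_type == ORG_SPECIFIC:
            neighbor.setdefault("org_tlvs", []).append(value)
    if expected:
        raise ValueError("mandatory TLV missing")
    return neighbor


# Constructed neighbor using the values in the show lldp detail output on this
# page; TTL 120 = interval time 30 x hold count 4.
SAMPLE_PDU = build_lldpdu(bytes.fromhex("0012e214ff99"), bytes.fromhex("0012e214ffaf"),
                          120, "FastEther 0/22", "",
                          "ALAXALA AX1240 AX-1240-48T2C [AX1240S-48T2C]")

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE_PDU))
```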
23.1.3 Notes on using LLDP
(1) If another device that does not support this functionality is connected between devices for which this functionality is set
In either of the following configurations, it is difficult to correctly grasp the connection status with neighboring devices.
• If the connection is made through a switch, the switch forwards the LLDP distribution information. Distribution information from devices that are not directly connected is therefore received as neighboring device information and cannot be distinguished from information from directly connected devices.
• If the connection is made through a router, the LLDP distribution information is discarded at the router, so it cannot be received by a device for which the LLDP functionality is set.
(2) Connection to other company devices
Interconnection with the proprietary link layer discovery protocols# of other companies cannot be made.
# Cisco Systems: CDP (Cisco Discovery Protocol)
  Extreme Networks: EDP (Extreme Discovery Protocol)
  Foundry Networks: FDP (Foundry Discovery Protocol)
(3) Connection with the IEEE 802.1AB standard
The LLDP of the Switch is original functionality whose support is based on IEEE 802.1AB Draft 6. It does not interoperate with the IEEE 802.1AB standard.
(4) Maximum number of neighboring devices
Information for a maximum of 50 neighboring devices can be held per device. If the maximum is exceeded, distributed information is discarded when received. To allow time for received neighboring device information to be deleted by timeout, the discard state continues for a set period. This period is the same as the retention time of the neighboring device information at the time the maximum number was exceeded.
23.2 Configuration
23.2.1 List of configuration commands
The following table lists the configuration commands for LLDP.
Table 23-4: List of configuration commands
Command | Description
lldp enable | Starts operation of LLDP on the port.
lldp hold-count | Specifies the time for which a neighboring device retains the LLDP frames sent by this Switch.
lldp interval-time | Specifies the transmission interval between LLDP frames sent by this Switch.
lldp run | Activates LLDP functionality for the entire device.
23.2.2 LLDP settings
(1) Setting up LLDP functionality
Overview
The example below shows how to enable the LLDP functionality for the entire device and then for an actually operating port.
In this example, the LLDP functionality operates on port fastethernet 0/1.
Configuration command example
1. (config)# lldp run
   Enables the LLDP functionality for the entire switch.
2. (config)# interface fastethernet 0/1
   Moves to the Ethernet interface configuration mode of port 0/1.
3. (config-if)# lldp enable
   (config-if)# exit
   Starts operation of LLDP functionality at port 0/1.
(2) Setting up the LLDP frame transmission interval and retention time
Overview
By changing the interval between transmissions of LLDP frames, you can adjust how quickly a change in the device information is reflected on neighboring devices. If the interval is decreased, the change is reflected immediately or soon thereafter. If the interval is increased, the change is delayed.
Configuration command example
1. (config)# lldp interval-time 60
   Sets the interval between transmissions of LLDP frames to 60 seconds.
2. (config)# lldp hold-count 3
   Sets the time for neighboring devices to retain the information sent by this device, as a multiple of interval-time (in this case, 60 sec x 3 = 180 sec).
23.3 Operation
23.3.1 List of operation commands
The following table lists the LLDP operation commands.
Table 23-5: List of operation commands
Command | Description
show lldp | Displays LLDP setting information and neighboring device information.
show lldp statistics | Displays LLDP statistics.
clear lldp | Clears the LLDP neighboring information.
clear lldp statistics | Clears LLDP statistics.
23.3.2 Display of LLDP information
LLDP information is displayed by the operation command show lldp. The operation command
show lldp displays the LLDP setting information and the number of neighboring devices for
each port. The operation command show lldp detail displays the detailed information on
neighboring devices.
Figure 23-2: Execution results of show lldp
>show lldp
Date 2008/11/13 13:26:51 UTC
Status: Enabled Chassis ID: Type=MAC
Info=00ed.f031.0001
Interval Time: 30
Hold Count: 4 TTL: 120
Port Counts=3
0/1(CH:8)
Link: Up
Neighbor Counts: 0
0/12
Link: Down Neighbor Counts: 0
0/13
Link: Down Neighbor Counts: 0
>
Figure 23-3: Execution results of show lldp detail
> show lldp detail
Date 2008/11/13 13:33:44 UTC
Status: Enabled Chassis ID: Type=MAC
Info=00ed.f031.0001
Interval Time: 30
Hold Count: 4 TTL: 120
System Name:
System Description: ALAXALA AX1240 AX-1240-24T2C [AX1240S-24T2C] Switching
software Ver. 2.0 OS-LT2
Total Neighbor Counts=1
Port Counts=3
Port 0/1(CH:8)
Link: Up
Neighbor Counts: 1
Port ID: Type=MAC
Info=00ed.f031.0101
698
Port Description: FastEther 0/1
Tag ID: Untagged=100
Tagged=
1 TTL:99 Chassis ID: Type=MAC
Info=0012.e214.ff99
System Name:
System Description: ALAXALA AX1240 AX-1240-48T2C [AX1240S-48T2C] Switching
software Ver. 2.0 OS-LT2
Port ID: Type=MAC
Info=0012.e214.ffaf
Port Description: FastEther 0/22
Tag ID: Untagged=100
Port 0/12
Link: Down Neighbor Counts: 0
Port 0/13
Link: Down Neighbor Counts: 0
>
Part 8
Port Mirroring
24. Port Mirroring
Port mirroring is the functionality that sends a copy of sent or received frames to a specified
physical port. This chapter describes port mirroring and its uses.
24.1 Description
24.2 Configuration
24.1 Description
24.1.1 Overview of port mirroring
Port mirroring is the functionality that sends a copy of sent or received frames to a specified
physical port. The copying of frames is called mirroring. By using an analyzer to receive the
forwarded mirror frames, traffic can be monitored or analyzed. The following figures show the
flow of received frames and sent frames when mirroring is used.
Figure 24-1: Mirroring of received frames
Figure 24-2: Mirroring of sent frames
As indicated in the above figures, a physical port whose traffic is monitored is called a
monitored port, and the physical port to which the frames copied for mirroring are sent is called
a mirror port. Also note that the monitored and mirror ports can be in a multipoint-to-point
relationship. That is, copies of frames received by multiple monitored ports can be sent to one
mirror port. It is not possible to send copied frames to multiple mirror ports.
Figure 24-3: Mirroring of frames with multiple ports
There are no operation commands for port mirroring. Use the analyzer connected to the mirror
port to confirm that frames are mirrored.
24.1.2 Notes on using port mirroring
(1) Notes on use with other functionality
• On monitored ports, other functionality can operate without restrictions.
• On the mirror port, VLANs are unavailable when port mirroring is used. The spanning tree protocol, the Ring Protocol, and IGMP or MLD snooping, which are based on VLAN functionality, are also unavailable.
(2) Notes on using port mirroring
1. Mirror frames cannot be output beyond the bandwidth of the mirror port.
2. If the FCS of a received frame is incorrect, the frame is not mirrored.
3. Filter control can be used for the monitored port, but this does not affect port mirroring.
4. For the mirroring of sent frames, the Switch mirrors the frames that are forwarded by hardware. Outgoing frames are mirrored, but the following sent frames are not. (See Table 24-1 Availability of mirroring for sent frames.)
   • Outgoing L2 frames (for example, LLDP, UDLD)
   • DHCP frames (when DHCP snooping is enabled)
   • ARP frames (when dynamic ARP inspection is enabled)
   • IGMP frames (when IGMP snooping is enabled)
   • MLD frames (when MLD snooping is enabled)
   • Pre-authentication frames (when Layer 2 authentication is enabled)
   • GSRP aware frames (only for transmission when the frames are being forwarded)
   • Uplink-redundant, outgoing flash control frames (when flash control frame sending is enabled)
   • Uplink-redundant, outgoing MAC address update frames (when MAC address updating is enabled)
   • Outgoing L2 loop detection frames (when L2 loop detection is enabled)
   • CFM forwarded frames (when CFM is enabled)
   • Sent frames for CCM, loopbacks (messages and responses), and linktraces (messages and responses) (when CFM is enabled)
   When received frames are mirrored, all received frames, including the incoming frames, are mirrored.
5. When sent frames are mirrored, if multiple monitored ports are used and frames are flooded to some or all ports, frames are mirrored as follows:
   • If the monitored ports are members of either the group consisting of ports 0/1 to 0/24, 0/49, and 0/50 or the group consisting of ports 0/25 to 0/48, two frames are mirrored.
   • If the monitored ports are members of groups other than the above two groups, one frame is mirrored.
6. When sent frames are mirrored, the mirrored copies carry the VLAN tag of the sent frames even if the frames themselves are sent untagged.
7. When frames are mirrored, only one session can be set.
8. When the following functionality is enabled on the mirror port, the mirror port sends control frames:
   • LLDP: LLDP frames
   • IEEE 802.3ah/UDLD: UDLD frames
   • Spanning tree protocol: BPDU frames
   The spanning tree protocol is enabled by default. To stop sending BPDU frames, set the configuration command spanning-tree disable, or set BPDU filtering on the mirror port (configuration command: spanning-tree bpdufilter).
Table 24-1: Availability of mirroring for sent frames
Category of
frames
Availability
of mirroring