9.2 Managing AAA via the web. Westermo RFI-219-F4G-T7G, Viper-212A-T5G-P8-HV, RFI-219-F4G-T7G-F8, RFI-211-F4G-T7G, L106-F2G, Viper-212A, L205-S1, Viper-112A-T5G, L110-F2G, Viper-112A-T3G
Westermo OS Management Guide
Version 4.22.0-0
9.2
Managing AAA via the web interface
9.2.1
Login Account Management via the Web Interface
Menu path: Maintenance ⇒ Password
In this section the password for the built-in account admin can be changed.
New Password Enter the new password for the admin account.
Repeat New Password To minimise risk of typing error, enter the new password for the admin account once again.
© 2017 Westermo Teleindustri AB 201
9.2.2
Select Login Method via the Web Interface
It is possible to add a centralised authentication server/group (section 9.2.9) or a local database (section 9.2.3) as login method, in addition to the built-in admin account.
Menu path: Configuration ⇒ AAA ⇒ Login
Method Select login method from the drop-down box. Only configured local databases and servers/groups, of type RADIUS and TACACS+, will be visible in the box. If Disabled is selected, only the built-in admin account will be enabled.
9.2.3
Local User Databases
Menu path: Configuration ⇒ AAA ⇒ Local User DB
The main page for local user databases shows an overview of created databases.
ID A unique identifier for the local user database.
Description The user's description of this database.
Edit Click this icon to edit the user database. See for details.
Delete Click this icon to remove the user database. You will be asked to acknowledge the removal before it is actually executed.
New Click this button to add a new user database. See for details. You can create at maximum 4 databases.
9.2.4
New Local User Database
Menu path: Configuration ⇒ AAA ⇒ Local Users DB ⇒ New
ID The local user database identifier. This is generated automatically in the web interface and can not be changed.
Description Optional. A user defined description for this database that will be visible in listings.
After pressing the Apply button, users can be added to the database. See
9.2.5
Edit a local user database
Menu path: Configuration ⇒ AAA ⇒ Local Users DB ⇒
See for descriptions of the fields on this page.
9.2.6
Users
Menu path: Configuration ⇒ AAA ⇒ Local Users DB ⇒
The users list is displayed on the edit page for the local user database.
Username A username unique in this database.
New User Press this button to create a new user in this database. See
9.2.7
New User
Menu path: Configuration ⇒ AAA ⇒ Local Users DB ⇒ ⇒ New User
Username A username unique in this database.
Password The password for this user.
9.2.8
Edit User
Menu path: Configuration ⇒ AAA ⇒ Local Users DB ⇒ ⇒ (Users table)
See for descriptions of the fields on this page.
9.2.9
Remote Server overview
Menu path: Configuration ⇒ AAA ⇒ Remote Server
The main page for Remote Server shows an overview of configured server groups and the remote server configurations.
9.2.9.1
Server Groups in the overview
ID The group identifier
Description The user defined name of this group
Type The type of remote servers in the group (RADIUS or TACACS+), which can not be mixed.
Servers List of servers included in this group. Each server is presented by its description name and the server identifier inside parentheses.
Edit Click this icon to edit the RADIUS group. See for details.
Delete Click this icon to remove the group. You will be asked to acknowledge the removal before it is actually executed. Removing a group will not remove the config of the included servers.
New Group Click this button to add a new group. See for details. You can create at maximum 2 groups.
9.2.9.2
Remote servers in the overview
ID The remote server identifier
Description The user defined name on this server
Type The type of remote servers (RADIUS or TACACS+).
Address IP or FQDN of the server
Auth Port The port used for authentication
Edit Click this icon to edit the remote server setting. See for details.
Delete Click this icon to remove the remote server setting. You will be asked to acknowledge the removal before it is actually executed.
New Server Click this button to add a new remote server configuration. See for details. You can define at maximum 6 remote server configurations.
9.2.10
Edit a server group
Menu path: Configuration ⇒ AAA ⇒ Remote Server ⇒ (Server Groups)
ID The group identifier. This is generated automatically in the web interface and can not be changed.
Description Optional. A user defined name for this group that will be visible in listings.
Type The group type (RADIUS or TACACS+).
Servers Remote servers that are included in this group. The order of this list is important as it defines the order that servers are queried. Select a server in the dropdown list and add it by clicking the plus icon. Only remote servers of the same type as the group will be added. Use the icon to remove a server from the group. You are limited to max 3 servers per group.
9.2.11
Add a server group
Menu path: Configuration ⇒ AAA ⇒ Remote Server ⇒ New Group
See for descriptions of the fields on this page. You can have at maximum 2 server groups.
9.2.12
Edit a remote server
Menu path: Configuration ⇒ AAA ⇒ Remote Server ⇒ (Remote Servers)
ID The remote server identifier. This is generated automatically in the web interface and can not be changed.
Description Optional. A user defined name for this server configuration that will be visible in listings.
Type The type of remote-servers (RADIUS or TACACS+).
Address Mandatory. The IP number or Fully Qualified Domain Name (FQDN) to the remote server
Auth Port Mandatory. The port number for server authentication requests. The default and standardised port number for this is 1812 for RADIUS and 49 for TACACS+ but can be changed here if needed. If port number 0 is entered, the standardised port number will be configured.
Secret Optional. A shared secret (password) that should be used to encrypt the communication with this server.
9.2.13
Add a remote server
Menu path: Configuration ⇒ AAA ⇒ Remote Server ⇒ New Server
See for descriptions of the fields on this page. You can have at maximum 6 remote server configurations.
9.2.14
Authentication Chains Overview
Menu path: Configuration ⇒ AAA ⇒ Auth Chain
The main page for authentication chains shows an overview of created chains.
ID A unique identifier for the authentication chain.
Description The user's description of the authentication chain.
Methods An ordered list of the methods in the authentication chain.
Edit Click this icon to edit the authentication chain. See for details.
Delete Click this icon to remove the authentication chain. You will be asked to acknowledge the removal before it is actually executed.
New Click this button to add a new authentication chain. See for details. You can create at maximum 4 authentication chains.
9.2.15
New Authentication Chain
Menu path: Configuration ⇒ AAA ⇒ Auth Chain ⇒ New
ID The authentication chain identifier. This is generated automatically in the web interface and can not be changed.
Description Optional. A user defined description for this authentication chain that will be visible in listings.
Continue on Reject Default: Enabled. If enabled, the chain continues to the next method when a method rejects the login. If disabled, the chain stops on reject and continues to the next method only if the current method is unavailable. See for more information.
Methods The list of methods. Select a method and click Add to add the method to the list.
Press the Apply button to store changes.
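The effect of Continue on Reject on an ordered chain, shown as an added example that is not WeOS code. It assumes each method answers accept, reject or unavailable; the method names, user and passwords are constructed, and plain-text passwords are used only to keep the model short.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"


@dataclass
class Method:
    """Constructed stand-in for one chain method (local DB or server group)."""
    name: str
    users: dict = field(default_factory=dict)
    reachable: bool = True

    def authenticate(self, username, password):
        if not self.reachable:
            return Result.UNAVAILABLE
        stored = self.users.get(username)
        ok = stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())
        return Result.ACCEPT if ok else Result.REJECT


def run_chain(methods, username, password, continue_on_reject=True):
    """Try methods in list order; return (granted, trace of (name, result))."""
    trace = []
    for method in methods:
        result = method.authenticate(username, password)
        trace.append((method.name, result))
        if result is Result.ACCEPT:
            return True, trace
        if result is Result.REJECT and not continue_on_reject:
            return False, trace  # stop on reject
        # REJECT with continue_on_reject, or UNAVAILABLE: try the next method
    return False, trace


# Constructed sample data: password rotated centrally, stale copy left locally.
RADIUS = Method("radius-group-1", {"alice": "rotated-password"})
RADIUS_DOWN = Method("radius-group-1", {"alice": "rotated-password"},
                     reachable=False)
LOCAL_DB = Method("local-db-1", {"alice": "old-password"})

if __name__ == "__main__":
    for label, chain, cor in [
        ("continue on reject enabled", [RADIUS, LOCAL_DB], True),
        ("continue on reject disabled", [RADIUS, LOCAL_DB], False),
        ("disabled, RADIUS unreachable", [RADIUS_DOWN, LOCAL_DB], False),
    ]:
        granted, trace = run_chain(chain, "alice", "old-password", cor)
        steps = ", ".join(f"{n}={r.value}" for n, r in trace)
        print(f"{label}: granted={granted} ({steps})")
```

With the setting enabled, the stale local password is accepted even though the central server rejected it; with it disabled, the local database is consulted only when the server cannot be reached.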
9.2.16
Edit an authentication chain
Menu path: Configuration ⇒ AAA ⇒ Auth Chain ⇒
Click the pen icon in the overview page to edit a specific chain. See for descriptions of the fields on this page.
9.2.17
IEEE 802.1X authentication
Menu path: Configuration ⇒ AAA ⇒ 802.1X
Here you see a listing of currently configured 802.1X instances.
ID The IEEE 802.1X instance identifier
Enabled Whether this instance is active. A green check-mark means yes and a dash means no.
Description The user defined name on this IEEE 802.1X instance
Method The server or group used for authentication, which needs to be of type RADIUS.
Edit Click this icon to edit the instance. See for details.
Delete Click this icon to remove the instance. You will be asked to acknowledge the removal before it is actually executed. Removing an IEEE 802.1X instance will not remove the referenced RADIUS group or server.
New Click this button to add a new IEEE 802.1X instance. See for details. You can currently only create one instance.
9.2.18
Edit an IEEE 802.1X instance
Menu path: Configuration ⇒ AAA ⇒ 802.1X ⇒
ID The IEEE 802.1X instance identifier. This is generated automatically in the web interface and can not be changed.
Enabled Check to enable this instance.
Description Optional. A user defined name for this instance.
Method Mandatory. Use this drop-down menu to select a RADIUS group or a remote RADIUS server. Remote servers and groups, of type RADIUS, are created separately. See and
Active Authentication Enable/disable Authentication initiation
Re-Authenticate Enable/disable periodic reauthentication
IMPORTANT: Creating an IEEE 802.1X instance does not in itself activate authentication. Port access is managed in the VLAN configuration. See and . The instance here must be referenced from the port access configuration for it to be used!
9.2.19
Add an IEEE 802.1X instance
Menu path: Configuration ⇒ AAA ⇒ 802.1X ⇒ New
See for descriptions of the fields on this page. You can currently only configure one IEEE 802.1X instance.
9.2.20
MAC based authentication
Menu path: Configuration ⇒ AAA ⇒ MAC Auth
Here you see a listing of currently configured MAC authentication lists.
ID The MAC authentication list identifier
Enabled Whether this list is active. A green check-mark means yes and a dash means no.
Description The user defined name on this MAC authentication list
Edit Click this icon to edit the list. See for details.
Delete Click this icon to remove the list. You will be asked to acknowledge the removal before it is actually executed.
New List Click this button to add a new MAC authentication list. See for details. You can create up to 8 MAC authentication lists.
9.2.21
Edit a MAC authentication list
Menu path: Configuration ⇒ AAA ⇒ MAC Auth ⇒
ID The MAC authentication list identifier. This is generated automatically in the web interface and can not be changed.
Enabled Check to enable this list.
Description Optional. A user defined name for this list.
MAC Optional. A list of MAC addresses and MAC address patterns. Single MAC addresses are specified in the format: HH:HH:HH:HH:HH:HH. A wildcard * can be used at the end of the pattern to match a block of addresses. Examples: 00:80:C8:*, 00:D8:AA:2C:85:01. Use the drop-down list to select a port if you want the pattern to only be valid for requests coming in through a specific port. The description field is optional. Add a pattern by clicking on the plus icon. Use the icon to remove a pattern. A list is limited to max 44 addresses/patterns.
IMPORTANT: Creating a MAC authentication list does not in itself activate filtering of addresses. Port access is managed in the VLAN configuration. See and . The created MAC authentication list must be referenced from the port access configuration for it to be used!
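A checker for the pattern format described above, added here as an example and not taken from WeOS. It assumes the wildcard follows one to five whole octets and that matching is case-insensitive; the port names are constructed.

```python
import re

MAX_ENTRIES = 44  # per-list limit stated in the manual
FULL = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")
PREFIX = re.compile(r"^([0-9A-F]{2}:){1,5}\*$")  # assumption: whole octets only


def parse_pattern(text):
    """Return the normalised (upper-case) pattern or raise ValueError."""
    pattern = text.strip().upper()
    if FULL.match(pattern) or PREFIX.match(pattern):
        return pattern
    raise ValueError(f"invalid MAC pattern: {text!r}")


def build_list(entries):
    """entries: iterable of (pattern, port) where port is None for any port."""
    entries = list(entries)
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"list holds {len(entries)} entries, max {MAX_ENTRIES}")
    return [(parse_pattern(pattern), port) for pattern, port in entries]


def pattern_matches(pattern, mac):
    """True if a full MAC address falls under a parsed pattern."""
    mac = mac.strip().upper()
    if not FULL.match(mac):
        return False
    if pattern.endswith("*"):
        return mac.startswith(pattern[:-1])  # compare the fixed prefix
    return mac == pattern


def is_allowed(mac_list, mac, port):
    """True if any entry matches the address and, if set, the ingress port."""
    return any(pattern_matches(pattern, mac) and (p is None or p == port)
               for pattern, p in mac_list)


def block_size(pattern):
    """Number of addresses a parsed pattern admits."""
    if not pattern.endswith("*"):
        return 1
    fixed_octets = pattern.count(":")
    return 256 ** (6 - fixed_octets)


# Constructed sample list using the two example patterns from the manual.
SAMPLE = build_list([("00:80:C8:*", None), ("00:D8:AA:2C:85:01", "Eth 3")])

if __name__ == "__main__":
    for pattern, port in SAMPLE:
        print(pattern, port or "any port", block_size(pattern), "addresses")
    print(is_allowed(SAMPLE, "00:80:c8:12:34:56", "Eth 1"))
    print(is_allowed(SAMPLE, "00:D8:AA:2C:85:01", "Eth 4"))
```

`block_size` is useful when auditing a list: a three-octet wildcard such as 00:80:C8:* admits 16,777,216 addresses, while a full address bound to a port admits one.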
9.2.22
Add a new MAC authentication list
Menu path: Configuration ⇒ AAA ⇒ MAC Auth ⇒ New List
See for descriptions of the fields on this page.