manualshive.com logo in svg

Microchip Technology Microsemi PDS-408G, Web Management User Manual, Page: 62 / 99

Share
Download
Microchip Technology Microsemi PDS-408G Web Management User Manual Download Page 62

RADIUS,  

General 

Microsemi PDS-408G Web Management User Guide Ver. 1.0.1, 03-2019 

62

 

10

 

RADIUS,  

10.1 

General 

RADIUS (Remote Authentication Dial-In User Service) and  (Terminal Access Controller 
Access Control System) are networking protocols that provide centralized Authentication, Authorization, 
and Accounting (AAA or Triple A) management for users who connect to the unit over Web, telnet, 
SSH. The remote username and password are sent to RADIUS/ Server for authentication 
(user + password match/do not match) and authorization (privilege level) rather than being tested 
locally using unit local configuration file. 

 

 

 

 

10.1.1 

General - Authentication, Access-Level terminology 

 

Authentication

 - Remote username and password is sent to RADIUS-Server for authentication 

instead of tested locally by the unit. The RADIUS-Server determines if remote user should be 
accepted or rejected. 

 

Access-Level 

- Remote user access-level is determined by the RADIUS-Server. For normal 

unit operation, all remote users should obtain access level 15 (administrator) by remote 
RADIUS-Server.

 

10.1.2 

General - Setting up remote RADIUS Server 

 

Successful RADIUS Server configuration must include two steps. The first step is to configure 
RADIUS Server to acknowledge remote user username and password. The second step is 
configuring the RADIUS Server so that  RADIUS-Server 

Access-Accept

 reply message will 

include AVP (Attribute value Pair) number 26 with the string 

priv-lvl=15

, assigning admin (15) 

privilege level to the user. Successful Radius-Server 

Access-Accept

 reply lacking the attribute 

number 26 with the mentioned string will assign user privilege level number 1 out of 15 with no 
ability to do any changes inside the unit. 

 

Configuring Free-Radius users.conf configuration file: 
Change 

users.conf

 as follows:

 

username   Cleartext-Password := "pass" 
                   Cisco-= "priv-lvl=15" 

 

 

 

 

NOTE: 

RADIUS/ configuration only will have no effect on remote user authentication over 
Web, Telnet, SSH. To complete the configuration user must configure also authentication 
method located under: Access Control

Telnet/SSH/Web 

Summary of Contents for Microsemi PDS-408G

Page 1: ...PDS 408G Web Management User Guide Ver 1 0 1 03 2019...

Page 2: ...ndependently determine suitability of any products and to test and verify the same The information provided by Microsemi hereunder is provided as is where is and with all faults and the entire risk as...

Page 3: ...iew 20 3 2 1 Port Statistics Overview 20 3 2 2 Detailed Port Statistics 21 3 3 Overview Unit System Information 21 4 NETWORK IPS MAC 22 4 1 Network Configuration Ethernet Ports 23 4 2 Network Configur...

Page 4: ...obal VLAN Configuration 40 6 2 3 Port VLAN Configuration 41 6 3 VLAN View Members 43 6 4 VLAN View Ports 44 7 POE BT POWER 45 7 1 General PoE background 45 7 2 PoE BT Set PoE BT Power 46 7 2 1 Global...

Page 5: ...s and state 68 11 AGGREGATION LACP 69 11 1 General 69 11 2 Aggregation LACP Aggregation Aggregation Configuration 69 11 2 1 Aggregation Group Configuration 69 11 2 2 Hash Contributors Configuration 70...

Page 6: ...Information 86 15 5 IGMP Snooping View Status 86 15 5 1 IGMP Snooping Status 86 15 5 2 Router Port 87 16 PORT MIRRORING 88 16 1 Port Mirroring General 88 16 1 1 Enable Ports Mirroring 88 16 1 2 Port...

Page 7: ...Configuration 24 Figure 4 3 Dynamic Static IPv6 Address Configuration 25 Figure 4 4 IP Routes Default Gateway configuration 26 Figure 4 5 NTP Server configuration 26 Figure 4 6 Time Zone Configuratio...

Page 8: ...guration 49 Figure 8 2 STP Port Configuration 50 Figure 8 3 View STP Bridges 51 Figure 8 4 View STP Detailed Bridge Status 51 Figure 8 5 View STP Port Status 53 Figure 8 6 View STP Port Statistics 53...

Page 9: ...86 Figure 16 1 Port Mirroring 88 Figure 17 1 Maintenance Reset and Restore unit 90 Figure 17 2 Maintenance Download unit configuration 90 Figure 17 3 Maintenance Activate unit configuration 91 Figure...

Page 10: ...ption Standard AES Advanced Encryption Standard MD5 Message Digest algorithm 5 SHA Secure Hash Algorithm MDI Media Dependent Interface MIB Management Information Base PD Powered Device SNMP Simple Net...

Page 11: ...er The unit uses Silicon Labs CP210x USB to UART IC internally If this is the 1st time you are connecting to the USB interface then an appropriate USB driver should be installed in advanced before usi...

Page 12: ...ange power is delivered over two pair Green power is delivered over four pair 1 8 RJ45 Ports 9 10 Figure 1 5 Unit ports 9 10 out of 11 RJ45 Gigabit Ethernet only none PoE Top left green LED Ethernet L...

Page 13: ...commended to enable SNMP only after changing the SNMP default passwords Web the interface is configured as HTTP Please change to HTTPS whenever there are security concerns 2 2 Web interface overview P...

Page 14: ...and how to work with each of them Failing to do so may lead to configuration errors Running configuration profile immediate unit configuration Any configuration change will take effect immediately an...

Page 15: ...b Management User Guide Ver 1 0 1 03 2019 15 2 3 2 Saving unit configuration over Web and CLI From the Web press on Save running config followed by pressing on Save Configuration Figure 2 2 Save unit...

Page 16: ...packets Pressing on any of the port numbers will open a detailed table page with much more in depth traffic statistics for the specific selected port Unit System Info displays system information such...

Page 17: ...of the other LED The tables bellow summarize al the LED combinations used to indicate network status PoE status network configuration and PoE configuration Link LED left State Link up 1000 100 10 Link...

Page 18: ...section will appear only whenever the SFP module is reported as inserted Network The following network status displays are available network Status Description Disabled Ethernet port is disabled rega...

Page 19: ...ies PD Underload PD device power consumption is to low less then 10mA so power was turned off endless On On Off cycle Table 3 5 PoE Status PoE Power This column displays the PoE PD device ongoing powe...

Page 20: ...tion 3 1 3 Unit Status The unit status dynamically updated table displays the overall power consumed by all PoE PD devices and unit internal temperature The temperature has the option to be displayed...

Page 21: ...rt report by using the drop down port list on the top right Figure 3 5 Port Statistics Overview 3 3 Overview Unit System Information The unit system information page displays the unit software version...

Page 22: ...v4 6 configure static dynamic IPv4 IPv6 address and mask default gateway DNS NTP configure NTP Server IP address Enable Disable NTP Server Time Zone configure time zone and daylight saving time SysLog...

Page 23: ...d is it half full duplex Configured Configure Enable Disable Ethernet port Copper ports 1 10 When enabled set port speed to Auto or limit its speed to specific speed rate Also set port to Half Full du...

Page 24: ...a DHCPv4 enabled interface over specific VLAN ID From any DHCPv6 VLANS ID The first DNS server offered from a DHCPv6 enabled interface From this DHCPv6 VLANS ID DNS server offered from a DHCPv6 enable...

Page 25: ...tion options IF MAC DHCPv4 client will use unit MAC address port index as option 61 ASCII Text string HEX Hexadecimal number Hostname opt 12 Text string Table 4 5 DNS Server Configuration options 4 2...

Page 26: ...s in the note above to route all unknown destination IP traffic to the same default gateway In case there are multiple path options please use the appropriate Distance Next Hop cost field to prioritiz...

Page 27: ...guring the severity importance of the SysLog messages that will trigger the sending Figure 4 8 SysLog configuration 4 6 Network Configuration MAC Table learning This page provides various options rega...

Page 28: ...he aging counter for the specific MAC address to start counting from zero again Disable Automatic Aging Enable Disable from MAC table to automatically erase MAC address if no packet with the same sour...

Page 29: ...Incoming packets from learning disabled VLANs will be forwarded to other ports as before no packet drop Forward to specific port if destination MAC is known or flood to all other ports on same VLAN i...

Page 30: ...ntain up to 8192 entries This page can show up to 999 MAC entries for every page with a default of 20 MAC addresses per page Figure 4 14 View unit MAC Address Table 4 8 Network View IP Status This pag...

Page 31: ...03 2019 31 4 9 Network View Routing Info This page displays the routing option used by the unit for communicating with other IP based network devices located on other networks The routing information...

Page 32: ...TTPS Configuration HTTP HTTPS Controls whether the unit embedded web server should operate in HTTP or HTTPS mode HTTPS uses TLS v1 2 encryption to encrypt all Web network traffic between the user web...

Page 33: ...led or disable and how the remote user username password will be authenticated Should it be done locally by the unit or by remote RADIUS TACACS authentication server Accounting Method Configuration Co...

Page 34: ...be tested against the unit local configuration Web The remote web username password authentication will be done by a remote Radius Server In case the Radius Server is down no reply then TACACS authent...

Page 35: ...agement interface over the web SNMP and Telnet SSH Up to 16 entries can be added to the Access Control List table Figure 5 6 Access Control List 5 5 Access Control View ACL Statistics This page tracks...

Page 36: ...itch supports single 802 1Q VLAN tagging and double 802 1Q VLAN tagging also known as QinQ or 802 1ad Switch ports with no external VLAN tagging are referred to as Access Ports Switch Ports with exter...

Page 37: ...of VLAN tagging Typically it should be 0x8100 followed by additional two byte VLAN ID In case of Q in Q 802 1ad double VLAN tagging it should be 0x88A8 Valid VLAN ID range Valid VLAN ID numbers range...

Page 38: ...nect end devices Receive native VLAN packets no VLAN Receive Priority VLAN VLAN 0 packets Receive VLAN packets with VLAN ID same as Access VLAN ID VLAN 5 as in this example Transmit only native VLAN p...

Page 39: ...mple Leave all other VLAN tags unchanged This apply to both VLAN TPID 0x88A8 and 0x8100 Tagged All all frames whether classified to the Port VLAN VLAN 5 or not are transmitted with a tag Untagged All...

Page 40: ...es must be tagged on egress Tx they will be tagged with an S tag 0x88A8 Switch port config Hybrid Mode Port Type S Custom Port Same as for Hybrid S Port except that the user may configure custom TPID...

Page 41: ...rts have the following characteristics o Member of exactly one VLAN as configured in the Port VLAN field Default Access VLAN is 1 o Accepts untagged and C tagged frames o Discards all frames that are...

Page 42: ...If a frame is untagged or priority tagged the frame gets classified to the Port VLAN If frames must be tagged on egress they will be tagged with a C tag S Port On ingress frames with a VLAN tag with T...

Page 43: ...is identical to the syntax used in the Enabled VLANs field By default a Trunk or Hybrid port will become member of all VLANs and is therefore set to 1 4095 The field may be left empty which means tha...

Page 44: ...AN View Ports Microsemi PDS 408G Web Management User Guide Ver 1 0 1 03 2019 44 6 4 VLAN View Ports This page displays a summary of all ports VLAN configuration Figure 6 7 VLAN Port Status for Combine...

Page 45: ...e first PoE specification known as PoE AF IEEE 802 3af capable of delivering up to 15W on two out of four cable pairs inside the RJ45 connector The maximum power offered for each PD Powered device as...

Page 46: ...power it will be shut down by the unit Uninterruptable Power When checked checked by default the Switch is prevented from performing a PoE power down and up cycle as part of the Switch s startup proc...

Page 47: ...e priority levels Low High Critical Low The lowest PoE PD capacity By default all PoE ports are config to low priority High Higher priority than Low Critical Highest PoE port priority Terminal Type De...

Page 48: ...ftware failed to detect PoE ICs This message should not appear during normal unit operation Detecting PoE The software is in the middle of the process to detect PoE ICs over I2C bus This message shoul...

Page 49: ...ge priority Lower numeric values have better priority The bridge priority plus the MSTI instance number concatenated with the 6 byte MAC address of the switch forms a Bridge Identifier For MSTP operat...

Page 50: ...IST port configurations and change them It contains settings for physical and aggregated ports Figure 8 2 STP Port Configuration Port The switch port number of the logical STP port STP Enabled Control...

Page 51: ...er ports If set it can cause temporary loss of connectivity after changes in a spanning trees active topology because of persistently incorrect learned station location information It is set by a netw...

Page 52: ...et 8 4 2 CIST Ports Aggregation State Port The switch port number of the logical STP port Port ID The port id as used by the STP protocol This is the priority part and the logical port index of the br...

Page 53: ...ew STP Port Status Port The switch port number of the logical STP port CIST Role The current STP port role of the CIST port The port role can be one of the following values AlternatePort BackupPort Ro...

Page 54: ...anning Tree STP Spanning Tree View STP Port Statistics Microsemi PDS 408G Web Management User Guide Ver 1 0 1 03 2019 54 STP The number of legacy STP Configuration BPDUs received transmitted on the po...

Page 55: ...g drawn from the alphabet A Z a z digits 0 9 minus sign No space characters are permitted as part of a name The first character must be an alpha character And the first or last character must not be a...

Page 56: ...branch to be included excluded The allowed string length is 1 to 32 and the allowed content is ASCII characters from 33 to 126 View Type Indicates if the named OiD branch should be included excluded...

Page 57: ...Community Configuration that this entry should belong to SNMPv3 One of the SNMPv3 users that were already configured by the help of SNMPv3 Users page Group Name A string identifying the group name th...

Page 58: ...ers from 33 to 126 secondsurity Level Indicates the security model that this entry should belong to Possible security models are NoAuth NoPriv No authentication and no privacy Auth NoPriv Authenticati...

Page 59: ...e without necessary sending SNMP Trap to the SNMP Trap Server Enabled Send SNMP Trap to the IP address of the remote SNMP Trap Server Disabled Keep SNMP Trap Server record without sending any traps to...

Page 60: ...yChange network topology was changed lldpRemTablesChange 9 4 SNMP Configuration example 9 4 1 SNMPv2 Configuration Example Enabling SNMP is the only step required to enable SNMPv2 with default SNMPv2...

Page 61: ...the groups created in the previous step 9 4 2 SNMPv3 Configuration Example Configure SNMPv3 user Remove SNMPv1 v2 from group configuration Add SNMPv3 security model and assign to it a group name Add t...

Page 62: ...by the RADIUS Server For normal unit operation all remote users should obtain access level 15 administrator by remote RADIUS Server 10 1 2 General Setting up remote RADIUS Server Successful RADIUS Ser...

Page 63: ...w requests to a server that has failed to respond to a previous request dead This should stop the switch from continually trying to contact a server that it has already determined as dead Setting the...

Page 64: ...that has failed to respond to a previous request dead This should stop the switch from continually trying to contact a server that it has already determined as dead Change secondsret Key Specify to ch...

Page 65: ...current status of the RADIUS server This field takes one of the following values o Disabled RADIUS server is disabled o Not Ready RADIUS server is enabled but IP communication is not yet up and runni...

Page 66: ...ccessChallenges RADIUS Access Challenge packets valid or invalid received from the server Rx Malformed Access Responses radiusAuthClientExtMalformed AccessResponses RADIUS malformed Access Response pa...

Page 67: ...out or received a response This variable is incremented when an Access Request is sent and decremented due to receipt of an Access Accept Access Reject Access Challenge timeout or retransmission Tx Ti...

Page 68: ...not yet up and running Ready RADIUS server is enabled IP communication is up and running and the RADIUS module is ready to accept access attempts Dead X seconds left RADIUS Server failed to reply to a...

Page 69: ...to any aggregation group Only full duplex ports can join an aggregation The ports in each group must be in the same speed Mode This parameter determines the mode for the aggregation group Disabled Th...

Page 70: ...bled IP Address The IP address can be used to calculate the destination port for the frame Check to enable the use of the IP Address or uncheck to disable By default IP Address is enabled TCP UDP Port...

Page 71: ...Fast will transmit LACP packets each second while Slow will wait for 30 seconds before sending a LACP packet Prio The Priority controls the priority of the port range 1 65535 If the LACP partner want...

Page 72: ...al i e local system status for all ports Only ports that are part of an LACP group are shown Figure 11 5 View LACP Internal Port Status Port The switch port number State The current port state Down Th...

Page 73: ...artner Partner Port The partner port number associated with this link Partner Port Priority The priority assigned to this partner port Activity The LACP mode of the group Active or Passive Timeout The...

Page 74: ...ics This page provides an overview for LACP statistics for all ports Figure 11 7 View LACP Port Statistics Port The switch port number LACP Received Shows how many LACP frames have been received at ea...

Page 75: ...2 10 times Tx Delay If a configuration is changed e g the IP address a new LLDP frame is transmitted but the time between the LLDP frames will always be at least the value of Tx Delay seconds Tx Delay...

Page 76: ...e addresses but only the first address is shown in the LLDP neighbors table o CDP TLV Port ID is mapped to the LLDP Port ID field o CDP TLV Version and Platform is mapped to the LLDP System Descriptio...

Page 77: ...s Port ID The identification of the neighbor port Port Description The port description advertised by the neighbor unit System Name The name advertised by the neighbor unit System Capabilities Describ...

Page 78: ...ies added since switch reboot Total Neighbors Entries Deleted Shows the number of new entries deleted since switch reboot Total Neighbors Entries Dropped Shows the number of LLDP frames dropped due to...

Page 79: ...Type Length Value If a TLV is malformed it is counted and discarded TLVs Unrecognized The number of well formed TLVs but with an unknown type value Org Discarded If LLDP frame is received with an org...

Page 80: ...created internally incoming traffic on port 1 will be sent only to ports 5 6 8 Incoming traffic on port 5 will be sent only to ports 1 6 Incoming traffic on port 6 will be sent to ports 1 5 8 Incomin...

Page 81: ...tion Microsemi PDS 408G Web Management User Guide Ver 1 0 1 03 2019 81 Figure 13 2 Port Isolation Configuration 13 2 2 Port Isolation configuration parameters Port Members Select the ports that are no...

Page 82: ...1 to 10 seconds Default value is 5 seconds Shutdown Time The period in seconds for which a port will be kept disabled in a loop is detected and the port action shuts down the port Valid values are 0 t...

Page 83: ...15 2 1 IGMP Snooping Configuration Enable IGMP Snooping Enable the Global IGMP Snooping Unregistered IPMCv4 Flooding Enabled Enable unregistered IPMCv4 traffic flooding The flooding control takes eff...

Page 84: ...Pv1 v3 Auto set Querier etc for the VLANs which is already configured The page shows up to VLAN 99 entries sorted from lowest highest VLAN ID Figure 15 2 IGMP Snooping VLAN Configuration 15 3 1 IGMP S...

Page 85: ...Querier The allowed range is 1 to 31744 seconds the default query interval is 125 seconds QRI Query Response Interval The Maximum Response Delay is used to calculate the Maximum Response Code inserted...

Page 86: ...as an EXCLUDE NULL report An EXCLUDE NULL report indicates that the host wants to join the multicast group and receive packets from all sources Source Address IP Address of the source Currently the m...

Page 87: ...plays V2 Leaves Received The number of Received V2 Leaves 15 5 2 Router Port Display which ports act as router ports A router port is a port on the Ethernet switch that leads towards the Layer 3 multi...

Page 88: ...m one or more ports to a dedicated mirroring port 16 1 2 Port Configuration Source Source port mirroring mode o Disabled No mirroring of the traffic on this port o Both Frames received and frames tran...

Page 89: ...ring Port Mirroring General Microsemi PDS 408G Web Management User Guide Ver 1 0 1 03 2019 89 NOTE MAC Table learning under network Configuration MAC Table learning needs to be disabled on the destina...

Page 90: ...ed by device reset Restore to full factory Defaults Restores the device to full factory default configuration including device default IP address default VLAN etc 17 2 Maintenance Unit Configuration 1...

Page 91: ...18 3 Maintenance Upload unit configuration It is possible to upload a file from the web browser to all the files on the switch except default config which is read only Select the file to upload select...

Page 92: ...eration this effectively resets the switch to default configuration 17 3 Maintenance Software Update 17 3 1 Upload New Version Figure 18 6 Software Update Upload new version This Page allows the user...

Page 93: ...reverting process the image bellow will be displayed during the software reverting process Figure 17 6 Switching active image NOTES 1 If the active firmware image is the alternate image only the Activ...

Page 94: ...o revert to the previous version before performing software update by executing the following steps 1 Connect to the unit USB interface with a USB Serial Virtual COMM interface with baud rate of 11520...

Page 95: ...elect which specific SysLog message severity level to display Possible SysLog message levels are o Informational lowest priority SysLog message level o Notice higher than Informational o Warning highe...

Page 96: ...Hostname or IPv4 IPv6 Address The address of the destination host such as 192 168 0 50 for IPv4 or 2345 15 for IPv6 or Hostname such as my computer com Payload Size Sets the size of the ICMPv4 v6 dat...

Page 97: ...ports will be linked down while running VeriPHY Therefore running VeriPHY on a 10 or 100 Mbps management port will cause the switch to stop responding until the VeriPHY RJ45 test is complete Port The...

Page 98: ...Diagnostics Diagnostics View CPU Load Microsemi PDS 408G Web Management User Guide Ver 1 0 1 03 2019 98 18 4 Diagnostics View CPU Load This page shows the Switch CPU load Figure 18 6 Switch CPU load...

Page 99: ...r software rebooted it will use the same configuration as before it had been restarted Revision History Revision Level Date Para Affected Description 1 0 1 19 3 19 Whole Document initial document For...

Reviews:

No comments