manualshive.com logo in svg

Quidway S3000 Series, Operation Manual

The Philips S3000 Series is a high-quality grooming product designed for precise and effortless facial hair trimming. Ensure maximum performance and optimal usage of your device by downloading the free user manual from manualshive.com. This manual provides detailed instructions and helpful tips for a seamless grooming experience.

Share
Download
background image

Operation Manual - Security 
Quidway S3000 Series Ethernet Switches

 

Chapter 1  802.1x Configuration

 

1-1

 

Chapter 1  802.1x Configuration 

1.1  802.1x Overview 

1.1.1  802.1x Standard Overview 

IEEE 802.1x (hereinafter simplified as 802.1x) is a Port Based Network Access Control 

protocol. IEEE issued it in 2001 and suggested the related manufacturers should use 

the protocol as the standard protocol for LAN user access authentication. The 802.1x 

originated from the IEEE 802.11 standard, which is the standard for wireless LAN user 

access. The initial purpose of 802.1x was to implement the wireless LAN user access 

authentication. Since its principle is commonly applicable to all the LANs complying 

with the IEEE 802 standards, the protocol finds wide application in wired LANs. 

In the LANs complying with the IEEE 802 standards, the user can access the devices 

and share the resources in the LAN through connecting the LAN access control device 

like the LAN Switch. However, in telecom access, commercial LAN (a typical example 

is the LAN in the office building) and mobile office etc., the LAN providers generally 

hope to control the user’s access. In these cases, the requirement on the 

above-mentioned “Port Based Network Access Control” originates.  

As the name implies, “Port Based Network Access Control” means to authenticate and 

control all the accessed devices on the port of LAN access control device. If the user’s 

device connected to the port can pass the authentication, the user can access the 

resources in the LAN. Otherwise, the user cannot access the resources in the LAN. It 

equals that the user is physically disconnected. 

802.1x defines port based network access control protocol and only defines the 

point-to-point connection between the access device and the access port.  The port can 

be either physical or logical.  The typical application environment is as follows: Each 

physical port of the LAN Switch only connects to one user workstation (based on the 

physical port) and the wireless LAN access environment defined by the IEEE 802.11 

standard (based on the logical port), etc.  

1.1.2  802.1x System Architecture 

The system using the 802.1x is the typical C/S (Client/Server) system architecture. It 

contains three entities, which are illustrated in the following figure: Supplicant System, 

Authenticator System and Authentication Sever System. 

Summary of Contents for S3000 Series

Page 1: ...message retransmission 1 7 1 2 9 Set the handshake period of 802 1x 1 8 1 2 10 Configure Timers 1 8 1 2 11 Enable Disable quiet period Timer 1 9 1 3 Display and Debug 802 1x 1 9 1 4 802 1x Configuration Example 1 10 Chapter 2 AAA and RADIUS Protocol Configuration 2 1 2 1 AAA and RADIUS Protocol Overview 2 1 2 1 1 AAA Overview 2 1 2 1 2 RADIUS Protocol Overview 2 1 2 1 3 Implement AAA RADIUS on Eth...

Page 2: ...smitted to RADIUS Server 2 15 2 3 13 Set the Unit of Data Flow that Transmitted to RADIUS Server 2 15 2 3 14 Configure Local RADIUS Server Group 2 16 2 4 Display and Debug AAA and RADIUS Protocol 2 16 2 5 AAA and RADIUS Protocol Configuration Examples 2 17 2 5 1 Configuring FTP Telnet User Authentication at Remote RADIUS Server 2 17 2 5 2 Configuring FTP Telnet User Authentication at Local RADIUS ...

Page 3: ...ice etc the LAN providers generally hope to control the user s access In these cases the requirement on the above mentioned Port Based Network Access Control originates As the name implies Port Based Network Access Control means to authenticate and control all the accessed devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the us...

Page 4: ...s to go through the complicated network to reach the Authentication Server Such procedure is called EAP Relay There are two types of ports for the Authenticator One is the Uncontrolled Port and the other is the Controlled Port The Uncontrolled Port is always in bi directional connection state The user can access and share the network resources any time through the ports The Controlled Port will be...

Page 5: ...re the AAA scheme by selecting RADIUS or local authentication so as to assist 802 1x to implement the user ID authentication For detailed description of AAA refer to the corresponding AAA configuration 1 1 4 Implement 802 1x on Ethernet Switch Quidway Series Ethernet Switches not only support the port access authentication method regulated by 802 1x but also extend and optimize it in the following...

Page 6: ... requirements 1 2 1 Enable Disable 802 1x The following commands can be used to enable disable the 802 1x on the specified port When no port is specified in system view the 802 1x is enabled disabled globally Perform the following configurations in system view or Ethernet port view Table 1 1 Enable Disable 802 1x Operation Command Enable the 802 1x dot1x interface interface list Disable the 802 1x...

Page 7: ... state and permit the user to access the network resources This is the most common case 1 2 3 Set Port Access Control Method The following commands are used for setting 802 1x access control method on the specified port When no port is specified in system view the access control method of port is configured globally Perform the following configurations in system view or Ethernet port view Table 1 ...

Page 8: ... in system view or Ethernet port view Table 1 5 Set maximum number of users via specified port Operation Command Set maximum number of users via specified port dot1x max user user number interface interface list Restore the maximum number of users on the port to the default value undo dot1x max user interface interface list By default 802 1x allows up to 256 supplicants on each port for S3000 Seri...

Page 9: ...02 1x user Operation Command Configure authentication method for 802 1x user dot1x authentication method chap pap eap md5 challenge Restore the default authentication method for 802 1x user undo dot1x authentication method By default CHAP authentication is used for 802 1x user authentication 1 2 8 Set the Maximum times of authentication request message retransmission The following commands are use...

Page 10: ...commands are used for configuring the 802 1x timers Perform the following configurations in system view Table 1 10 Configure timers Operation Command Configure timers dot1x timer quiet period quiet period value tx period tx period value supp timeout supp timeout value server timeout server timeout value Restore default settings of the timers undo dot1x timer quiet period tx period supp timeout ser...

Page 11: ... period value is 60s the tx period value is 30s the supp timeout value is 30s the server timeout value is 100s 1 2 11 Enable Disable quiet period Timer You can use the following commands to enable disable a quiet period timer of an Authenticator which can be a Quidway Series Ethernet Switch If an 802 1x user has not passed the authentication the Authenticator will keep quiet for a while which is s...

Page 12: ... response from the RADIUS server local authentication will be performed For accounting if the RADIUS server fails to account the user will be disconnected In addition when the user is accessed the domain name does not follow the user name Normally if the user s traffic is less than 2kbps consistently over 20 minutes he will be disconnected A server group consisting of two RADIUS servers at 10 11 1...

Page 13: ...refer to the chapter AAA and RADIUS Protocol Configuration The configurations of accessing user workstation and the RADIUS server are omitted Enable the 802 1x performance on the specified port Ethernet 0 1 Quidway dot1x interface ethernet 0 1 Set the access control mode This command could not be configured when it is configured as MAC based by default Quidway dot1x port method macbased interface ...

Page 14: ...he system to transmit real time accounting packets to the RADIUS server Quidway radius radius1 timer realtime accounting 15 Configure the system to transmit the user name to the RADIUS server after removing the domain name Quidway radius radius1 user name format without domain Quidway radius radius1 quit Create the user domain huawei163 net and enters isp configuration mode Quidway domain huawei16...

Page 15: ...curity Quidway S3000 Series Ethernet Switches Chapter 1 802 1x Configuration 1 13 Quidway luser localuser service type lan access Quidway luser localuser password simple localpass Enable the 802 1x globally Quidway dot1x ...

Page 16: ...horizes the user with specified services z Accounting traces network resources consumed by the user Generally applying Client Server architecture in which client ends run as managed sources and the servers centralize and store user information AAA framework owns the good scalability and is easy to realize the control and centralized management of user information 2 1 2 RADIUS Protocol Overview As ...

Page 17: ...on with UDP packets During the interaction both sides encrypt the packets with keys before uploading user configuration information like password etc to avoid being intercepted or stolen II RADIUS operation RADIUS server generally uses proxy function of the devices like access server to perform user authentication The operation process is as follows First the user send request message the client u...

Page 18: ...reating ISP domain is compulsory otherwise the supplicant attributes cannot be distinguished The other tasks are optional You can configure them at requirements 2 2 1 Create Delete ISP Domain What is Internet Service Provider ISP domain To make it simple ISP domain is a group of users belonging to the same ISP Generally for a username in the userid isp name format taking gw20010608 huawei163 net a...

Page 19: ...evant attributes of ISP domain include the adopted RADIUS server group state and maximum number of supplicants Where z The adopted RADIUS server group is the one used by all the users in the ISP domain The RADIUS server group can be used for RADIUS authentication or accounting By default the default RADIUS server group is used The command shall be used together with the commands of setting RADIUS ...

Page 20: ...is chapter the state of domain is active there is no limit to the amount of supplicants and disable the idle cut configure 2 2 3 Create a Local User A local user is a group of users set on NAS The username is the unique identifier of a user A supplicant requesting network service may use local authentication only if its corresponding local user has been added onto NAS Perform the following configu...

Page 21: ...Set the state of the specified user state active block Set a service type for the specified user For S3026 service type telnet level level ftp ftp directory directory lan access Cancel the service type of the specified user For S3026 undo service type telnet level ftp ftp directory lan access Set a service type for the specified user Except S3026 service type ftp ftp directory directory lan access...

Page 22: ... parameters using for information interaction between NAS and RADIUS Server To make these parameters effective it is necessary to configure in the view an ISP domain to use the RADIUS server group and specify it to use RADIUS AAA schemes For more about the configuration commands refer to the AAA Configuration section above RADIUS protocol configuration includes z Create Delete a RADIUS server grou...

Page 23: ...alues will be introduced in the following text 2 3 2 Set IP Address and Port Number of RADIUS Server After creating a RADIUS server group you are supposed to set IP addresses and UDP port numbers for the RADIUS servers including primary second authentication authorization servers and accounting servers So you can configure up to 4 groups of IP addresses and UDP port numbers However at least you ha...

Page 24: ...imary and second AAA server To guarantee the normal interaction between NAS and RADIUS server you are supposed to guarantee the normal routes between RADIUS server and NAS before setting IP address and UDP port of the RADIUS server In addition because RADIUS protocol uses different UDP ports to receive transmit authentication authorization and accounting packets you shall set two different ports a...

Page 25: ...n authorization or accounting request packet has been transmitted for a period of time if NAS has not received the response from RADIUS server it has to retransmit the request to guarantee RADIUS service for the user You can use the following command to set response timeout timer of RADIUS server Perform the following configurations in RADIUS server group view Table 2 10 Set response timeout timer...

Page 26: ...n of online users to the RADIUS server regularly You can use the following command to set a real time accounting interval Perform the following configurations in RADIUS server group view Table 2 12 Set a real time accounting interval Operation Command Set a real time accounting interval timer realtime accounting minute Restore the default value of the interval undo timer realtime accounting minute...

Page 27: ...imes You can use the following command to set the maximum times of real time accounting request failing to be responded Perform the following configurations in RADIUS server group view Table 2 14 Set maximum times of real time accounting request failing to be responded Operation Command Set maximum times of real time accounting request failing to be responded retry realtime accounting retry times ...

Page 28: ...t will be saved in the buffer 2 3 9 Set the Maximum Retransmitting Times of Stopping Accounting Request Because the stopping accounting request concerns account balance and will affect the amount of charge which is very important for both the subscribers and the ISP NAS shall make its best effort to send the message to RADIUS accounting server Accordingly if the message from Quidway Series Etherne...

Page 29: ...entication authorization server or accounting server if the primary is disconnected to NAS for some fault NAS will automatically turn to exchange packets with the second server However after the primary one recovers NAS will not resume the communication with it at once instead it continues communicating with the second one When the second one fails to communicate NAS will turn to the primary one a...

Page 30: ...user name format with domain without domain Note If a RADIUS server group is configured not to allow usernames including ISP domain names the RADIUS server group shall not be simultaneously used in more than one ISP domain Otherwise the RADIUS server will regard two users in different ISP domains as the same user by mistake if they have the same username excluding their respective domain names By ...

Page 31: ...used for authentication is 1645 and that for authorization is 1646 2 4 Display and Debug AAA and RADIUS Protocol After the above configuration execute display command in any view to display the running of the AAA and RADIUS configuration and to verify the effect of the configuration Execute reset command in user view to reset AAA and RADIUS configuration Execute debugging command in user view to d...

Page 32: ...ing of localRADIUS server group debugging local server all error event packet Disable debugging of localRADIUS server group undo debugging local server all error event packet 2 5 AAA and RADIUS Protocol Configuration Examples For the hybrid configuration example of AAA RADIUS protocol and 802 1x protocol refer to Configuration Example in 802 1x Configuration It will not be detailed here 2 5 1 Conf...

Page 33: ...I Configurtion Schedule Add a Telnet user Omitted Note For details about configuring FTP and Telnet users refer to User Interface Configuration in Getting Started Configure remote authentication mode for the Telnet user i e scheme mode Quidway ui vty0 4 authentication mode scheme Configure domain Quidway domain cams Quidway isp cams quit Configure RADIUS scheme Quidway radius scheme cams Quidway r...

Page 34: ...cation of Telnet FTP users refer to Configuring local RADIUS Server Group 2 6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting RADIUS protocol of TCP IP protocol suite is located on the application layer It mainly specifies how to exchange user information between NAS and RADIUS server of ISP So it is very likely to be invalid z Fault one User authentication authorization always fails T...

Page 35: ... well So please ensure the lines work well z The IP address of the corresponding RADIUS server may not have been set on NAS Please set a proper IP address for RADIUS server z UDP ports of authentication authorization and accounting services may not be set properly So make sure they are consistent with the ports provided by RADIUS server z Fault three After being authenticated and authorized the us...

Page 36: ...s is possible HABP includes HABP server and HABP client In general the server regularly sends HABP request packets to the client to collect the MAC addresses of the member switches while the client responds to the request packets and forwards them to the lower level switches HABP server is often enabled at the management switch while HABP client is at the member switches HABP attribute had better ...

Page 37: ... the default HABP mode is client you only need to enable HABP attribute at a switch Please perform the following operations in system view Table 3 2 Configuring HABP client Operation Command Enable HABP attribute habp enable Restore HABP to the default value undo habp enable By default HABP attribute is disabled at a switch 3 3 Displaying and Debugging HABP Attribute After the above configurations...

Reviews:

No comments

Related manuals for S3000 Series

KE2 20543 Quick Start Manual preview
20543
Brand: KE2 Pages: 4
IBM RackSwitch G8332 Product Manual preview
RackSwitch G8332
Brand: IBM Pages: 18
Balluff BNI IOL-727-S51-P012 Assembly Instructions Manual preview
BNI IOL-727-S51-P012
Brand: Balluff Pages: 20
Jabra LINK 14201-20 - DATASHEET FOR TOSHIBA PHONES How To Connect preview
LINK 14201-20 - DATASHEET FOR TOSHIBA PHONES
Brand: Jabra Pages: 4
Lucent Technologies LambdaUnite MSS Installation Manual preview
LambdaUnite MSS
Brand: Lucent Technologies Pages: 388
QCT QuantaMesh T1048-LB9M Installation Manual preview
QuantaMesh T1048-LB9M
Brand: QCT Pages: 34
SMART-AVI HDR4X2 Installation Manual preview
HDR4X2
Brand: SMART-AVI Pages: 2
Green Brook KingShield T206-C Installation And Operating Instruction preview
KingShield T206-C
Brand: Green Brook Pages: 2
Lakeshore 3f Delta Operation & Maintenance Manual preview
3f Delta
Brand: Lakeshore Pages: 82
H3C S6812 Series Installation Manual preview
S6812 Series
Brand: H3C Pages: 77
OTS ET2212PpH-S-DR Quick Installation Manual preview
ET2212PpH-S-DR
Brand: OTS Pages: 3
Sven HB-012 User Manual preview
HB-012
Brand: Sven Pages: 4
S&T kontron KSwitch D1 UGPD User Manual preview
kontron KSwitch D1 UGPD
Brand: S&T Pages: 40
jbc P105 Instruction Manual preview
P105
Brand: jbc Pages: 4
StarTech.com VS122HDMIU Instruction Manual preview
VS122HDMIU
Brand: StarTech.com Pages: 2
Zigen hxl-88 User Manual preview
hxl-88
Brand: Zigen Pages: 72
NIVELCO NIVOMAG MK-21 Series User Manual preview
NIVOMAG MK-21 Series
Brand: NIVELCO Pages: 2
N-Tron 7014FX2 User Manual & Installation Manual preview
7014FX2
Brand: N-Tron Pages: 152

Brands by name

Popular brands

Load more brands