manualshive.com logo in svg

Quidway S3000 Series, Operation Manual

The Philips S3000 Series is a high-quality grooming product designed for precise and effortless facial hair trimming. Ensure maximum performance and optimal usage of your device by downloading the free user manual from manualshive.com. This manual provides detailed instructions and helpful tips for a seamless grooming experience.

Share
Download
background image

Operation Manual - Security 
Quidway S3000 Series Ethernet Switches

 

Chapter 1  802.1x Configuration

 

1-3

 

z

 

EAPoL-Start: Authentication originating frame, actively originated by the 

Supplicant.  

z

 

EAPoL-Logoff: Logoff request frame, actively terminating the authenticated state.  

z

 

EAPoL-Key: Key information frame, supporting to encrypt the EAP packets.  

z

 

EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of Alert Standard 

Forum (ASF).  

The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplicant 

and the Authenticator. The EAP-Packet information is re-encapsulated by the 

Authenticator System and then transmitted to the Authentication Server System. The 

EAPoL-Encapsulated-ASF-Alert is related to the network management information and 

terminated by the Authenticator. 

From the above fundamentals we can see that 802.1x provides an implementation 

solution of user ID authentication. However, 802.1x itself is not enough to implement 

the scheme. The administrator of the access device should configure the AAA scheme 

by selecting RADIUS or local authentication so as to assist 802.1x to implement the 

user ID authentication. For detailed description of AAA, refer to the corresponding AAA 

configuration.  

1.1.4  Implement 802.1x on Ethernet Switch  

Quidway Series Ethernet Switches not only support the port access authentication 

method regulated by 802.1x, but also extend and optimize it in the following way: 

z

 

Support to connect several End Stations in the downstream via a physical port.  

z

 

The access control (or the user authentication method) can be based on port or 

MAC address.  

In this way, the system becomes much securer and easier to manage.  

1.2  Configure 802.1x 

The configuration tasks of 802.1x itself can be fulfilled in system view of the Ethernet 

switch. When the global 802.1x is not enabled, the user can configure the 802.1x state 

of the port. The configured items will take effect after the global 802.1x is enabled.  

 

 

  Note:  

1) Do not enable 802.1x and RSTP( or MSTP)  simultaneously, otherwise switch may not work normally.  
2) When 802.1x is enabled on a port, the max number of MAC address learning which is configured by the 
command 

mac-address max-mac-count

 cannot be configured on the port, and vice versa. 

 

Summary of Contents for S3000 Series

Page 1: ...message retransmission 1 7 1 2 9 Set the handshake period of 802 1x 1 8 1 2 10 Configure Timers 1 8 1 2 11 Enable Disable quiet period Timer 1 9 1 3 Display and Debug 802 1x 1 9 1 4 802 1x Configuration Example 1 10 Chapter 2 AAA and RADIUS Protocol Configuration 2 1 2 1 AAA and RADIUS Protocol Overview 2 1 2 1 1 AAA Overview 2 1 2 1 2 RADIUS Protocol Overview 2 1 2 1 3 Implement AAA RADIUS on Eth...

Page 2: ...smitted to RADIUS Server 2 15 2 3 13 Set the Unit of Data Flow that Transmitted to RADIUS Server 2 15 2 3 14 Configure Local RADIUS Server Group 2 16 2 4 Display and Debug AAA and RADIUS Protocol 2 16 2 5 AAA and RADIUS Protocol Configuration Examples 2 17 2 5 1 Configuring FTP Telnet User Authentication at Remote RADIUS Server 2 17 2 5 2 Configuring FTP Telnet User Authentication at Local RADIUS ...

Page 3: ...ice etc the LAN providers generally hope to control the user s access In these cases the requirement on the above mentioned Port Based Network Access Control originates As the name implies Port Based Network Access Control means to authenticate and control all the accessed devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the us...

Page 4: ...s to go through the complicated network to reach the Authentication Server Such procedure is called EAP Relay There are two types of ports for the Authenticator One is the Uncontrolled Port and the other is the Controlled Port The Uncontrolled Port is always in bi directional connection state The user can access and share the network resources any time through the ports The Controlled Port will be...

Page 5: ...re the AAA scheme by selecting RADIUS or local authentication so as to assist 802 1x to implement the user ID authentication For detailed description of AAA refer to the corresponding AAA configuration 1 1 4 Implement 802 1x on Ethernet Switch Quidway Series Ethernet Switches not only support the port access authentication method regulated by 802 1x but also extend and optimize it in the following...

Page 6: ... requirements 1 2 1 Enable Disable 802 1x The following commands can be used to enable disable the 802 1x on the specified port When no port is specified in system view the 802 1x is enabled disabled globally Perform the following configurations in system view or Ethernet port view Table 1 1 Enable Disable 802 1x Operation Command Enable the 802 1x dot1x interface interface list Disable the 802 1x...

Page 7: ... state and permit the user to access the network resources This is the most common case 1 2 3 Set Port Access Control Method The following commands are used for setting 802 1x access control method on the specified port When no port is specified in system view the access control method of port is configured globally Perform the following configurations in system view or Ethernet port view Table 1 ...

Page 8: ... in system view or Ethernet port view Table 1 5 Set maximum number of users via specified port Operation Command Set maximum number of users via specified port dot1x max user user number interface interface list Restore the maximum number of users on the port to the default value undo dot1x max user interface interface list By default 802 1x allows up to 256 supplicants on each port for S3000 Seri...

Page 9: ...02 1x user Operation Command Configure authentication method for 802 1x user dot1x authentication method chap pap eap md5 challenge Restore the default authentication method for 802 1x user undo dot1x authentication method By default CHAP authentication is used for 802 1x user authentication 1 2 8 Set the Maximum times of authentication request message retransmission The following commands are use...

Page 10: ...commands are used for configuring the 802 1x timers Perform the following configurations in system view Table 1 10 Configure timers Operation Command Configure timers dot1x timer quiet period quiet period value tx period tx period value supp timeout supp timeout value server timeout server timeout value Restore default settings of the timers undo dot1x timer quiet period tx period supp timeout ser...

Page 11: ... period value is 60s the tx period value is 30s the supp timeout value is 30s the server timeout value is 100s 1 2 11 Enable Disable quiet period Timer You can use the following commands to enable disable a quiet period timer of an Authenticator which can be a Quidway Series Ethernet Switch If an 802 1x user has not passed the authentication the Authenticator will keep quiet for a while which is s...

Page 12: ... response from the RADIUS server local authentication will be performed For accounting if the RADIUS server fails to account the user will be disconnected In addition when the user is accessed the domain name does not follow the user name Normally if the user s traffic is less than 2kbps consistently over 20 minutes he will be disconnected A server group consisting of two RADIUS servers at 10 11 1...

Page 13: ...refer to the chapter AAA and RADIUS Protocol Configuration The configurations of accessing user workstation and the RADIUS server are omitted Enable the 802 1x performance on the specified port Ethernet 0 1 Quidway dot1x interface ethernet 0 1 Set the access control mode This command could not be configured when it is configured as MAC based by default Quidway dot1x port method macbased interface ...

Page 14: ...he system to transmit real time accounting packets to the RADIUS server Quidway radius radius1 timer realtime accounting 15 Configure the system to transmit the user name to the RADIUS server after removing the domain name Quidway radius radius1 user name format without domain Quidway radius radius1 quit Create the user domain huawei163 net and enters isp configuration mode Quidway domain huawei16...

Page 15: ...curity Quidway S3000 Series Ethernet Switches Chapter 1 802 1x Configuration 1 13 Quidway luser localuser service type lan access Quidway luser localuser password simple localpass Enable the 802 1x globally Quidway dot1x ...

Page 16: ...horizes the user with specified services z Accounting traces network resources consumed by the user Generally applying Client Server architecture in which client ends run as managed sources and the servers centralize and store user information AAA framework owns the good scalability and is easy to realize the control and centralized management of user information 2 1 2 RADIUS Protocol Overview As ...

Page 17: ...on with UDP packets During the interaction both sides encrypt the packets with keys before uploading user configuration information like password etc to avoid being intercepted or stolen II RADIUS operation RADIUS server generally uses proxy function of the devices like access server to perform user authentication The operation process is as follows First the user send request message the client u...

Page 18: ...reating ISP domain is compulsory otherwise the supplicant attributes cannot be distinguished The other tasks are optional You can configure them at requirements 2 2 1 Create Delete ISP Domain What is Internet Service Provider ISP domain To make it simple ISP domain is a group of users belonging to the same ISP Generally for a username in the userid isp name format taking gw20010608 huawei163 net a...

Page 19: ...evant attributes of ISP domain include the adopted RADIUS server group state and maximum number of supplicants Where z The adopted RADIUS server group is the one used by all the users in the ISP domain The RADIUS server group can be used for RADIUS authentication or accounting By default the default RADIUS server group is used The command shall be used together with the commands of setting RADIUS ...

Page 20: ...is chapter the state of domain is active there is no limit to the amount of supplicants and disable the idle cut configure 2 2 3 Create a Local User A local user is a group of users set on NAS The username is the unique identifier of a user A supplicant requesting network service may use local authentication only if its corresponding local user has been added onto NAS Perform the following configu...

Page 21: ...Set the state of the specified user state active block Set a service type for the specified user For S3026 service type telnet level level ftp ftp directory directory lan access Cancel the service type of the specified user For S3026 undo service type telnet level ftp ftp directory lan access Set a service type for the specified user Except S3026 service type ftp ftp directory directory lan access...

Page 22: ... parameters using for information interaction between NAS and RADIUS Server To make these parameters effective it is necessary to configure in the view an ISP domain to use the RADIUS server group and specify it to use RADIUS AAA schemes For more about the configuration commands refer to the AAA Configuration section above RADIUS protocol configuration includes z Create Delete a RADIUS server grou...

Page 23: ...alues will be introduced in the following text 2 3 2 Set IP Address and Port Number of RADIUS Server After creating a RADIUS server group you are supposed to set IP addresses and UDP port numbers for the RADIUS servers including primary second authentication authorization servers and accounting servers So you can configure up to 4 groups of IP addresses and UDP port numbers However at least you ha...

Page 24: ...imary and second AAA server To guarantee the normal interaction between NAS and RADIUS server you are supposed to guarantee the normal routes between RADIUS server and NAS before setting IP address and UDP port of the RADIUS server In addition because RADIUS protocol uses different UDP ports to receive transmit authentication authorization and accounting packets you shall set two different ports a...

Page 25: ...n authorization or accounting request packet has been transmitted for a period of time if NAS has not received the response from RADIUS server it has to retransmit the request to guarantee RADIUS service for the user You can use the following command to set response timeout timer of RADIUS server Perform the following configurations in RADIUS server group view Table 2 10 Set response timeout timer...

Page 26: ...n of online users to the RADIUS server regularly You can use the following command to set a real time accounting interval Perform the following configurations in RADIUS server group view Table 2 12 Set a real time accounting interval Operation Command Set a real time accounting interval timer realtime accounting minute Restore the default value of the interval undo timer realtime accounting minute...

Page 27: ...imes You can use the following command to set the maximum times of real time accounting request failing to be responded Perform the following configurations in RADIUS server group view Table 2 14 Set maximum times of real time accounting request failing to be responded Operation Command Set maximum times of real time accounting request failing to be responded retry realtime accounting retry times ...

Page 28: ...t will be saved in the buffer 2 3 9 Set the Maximum Retransmitting Times of Stopping Accounting Request Because the stopping accounting request concerns account balance and will affect the amount of charge which is very important for both the subscribers and the ISP NAS shall make its best effort to send the message to RADIUS accounting server Accordingly if the message from Quidway Series Etherne...

Page 29: ...entication authorization server or accounting server if the primary is disconnected to NAS for some fault NAS will automatically turn to exchange packets with the second server However after the primary one recovers NAS will not resume the communication with it at once instead it continues communicating with the second one When the second one fails to communicate NAS will turn to the primary one a...

Page 30: ...user name format with domain without domain Note If a RADIUS server group is configured not to allow usernames including ISP domain names the RADIUS server group shall not be simultaneously used in more than one ISP domain Otherwise the RADIUS server will regard two users in different ISP domains as the same user by mistake if they have the same username excluding their respective domain names By ...

Page 31: ...used for authentication is 1645 and that for authorization is 1646 2 4 Display and Debug AAA and RADIUS Protocol After the above configuration execute display command in any view to display the running of the AAA and RADIUS configuration and to verify the effect of the configuration Execute reset command in user view to reset AAA and RADIUS configuration Execute debugging command in user view to d...

Page 32: ...ing of localRADIUS server group debugging local server all error event packet Disable debugging of localRADIUS server group undo debugging local server all error event packet 2 5 AAA and RADIUS Protocol Configuration Examples For the hybrid configuration example of AAA RADIUS protocol and 802 1x protocol refer to Configuration Example in 802 1x Configuration It will not be detailed here 2 5 1 Conf...

Page 33: ...I Configurtion Schedule Add a Telnet user Omitted Note For details about configuring FTP and Telnet users refer to User Interface Configuration in Getting Started Configure remote authentication mode for the Telnet user i e scheme mode Quidway ui vty0 4 authentication mode scheme Configure domain Quidway domain cams Quidway isp cams quit Configure RADIUS scheme Quidway radius scheme cams Quidway r...

Page 34: ...cation of Telnet FTP users refer to Configuring local RADIUS Server Group 2 6 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting RADIUS protocol of TCP IP protocol suite is located on the application layer It mainly specifies how to exchange user information between NAS and RADIUS server of ISP So it is very likely to be invalid z Fault one User authentication authorization always fails T...

Page 35: ... well So please ensure the lines work well z The IP address of the corresponding RADIUS server may not have been set on NAS Please set a proper IP address for RADIUS server z UDP ports of authentication authorization and accounting services may not be set properly So make sure they are consistent with the ports provided by RADIUS server z Fault three After being authenticated and authorized the us...

Page 36: ...s is possible HABP includes HABP server and HABP client In general the server regularly sends HABP request packets to the client to collect the MAC addresses of the member switches while the client responds to the request packets and forwards them to the lower level switches HABP server is often enabled at the management switch while HABP client is at the member switches HABP attribute had better ...

Page 37: ... the default HABP mode is client you only need to enable HABP attribute at a switch Please perform the following operations in system view Table 3 2 Configuring HABP client Operation Command Enable HABP attribute habp enable Restore HABP to the default value undo habp enable By default HABP attribute is disabled at a switch 3 3 Displaying and Debugging HABP Attribute After the above configurations...

Reviews:

No comments

Related manuals for S3000 Series

AbleNet HouseMate Quick Start Manual preview
HouseMate
Brand: AbleNet Pages: 2
Rack World CAT5 Quick Setting Manual preview
CAT5
Brand: Rack World Pages: 4
Qlogic SANbox 5802V Supplementary Manual preview
SANbox 5802V
Brand: Qlogic Pages: 4
Raritan dominion kx III Quick Setup Manual preview
dominion kx III
Brand: Raritan Pages: 6
Raritan Dominion KX II Quick Installation And Setup Manual preview
Dominion KX II
Brand: Raritan Pages: 5
Raritan DOMINION KSX II Quick Setup Manual preview
DOMINION KSX II
Brand: Raritan Pages: 7
Raritan Dominion KX Quick Installation And Setup Manual preview
Dominion KX
Brand: Raritan Pages: 2
IBM 8237 Installation And User Manual preview
8237
Brand: IBM Pages: 166
RDL EZ-HSX4 Installation And Operation Manual preview
EZ-HSX4
Brand: RDL Pages: 4
Thinklogical TXL 640 User Manual preview
TXL 640
Brand: Thinklogical Pages: 27
Sangamo RPTS Q550 Installation & User'S Instructions preview
RPTS Q550
Brand: Sangamo Pages: 2
H3C S6520X-30QC-EI Manual preview
S6520X-30QC-EI
Brand: H3C Pages: 57
3Com 3C16987 User Manual preview
3C16987
Brand: 3Com Pages: 62
B&B Electronics Elinx EIR510-2MC-T User Manual preview
Elinx EIR510-2MC-T
Brand: B&B Electronics Pages: 107
N-Tron 709FX Series User Manual & Installation Manual preview
709FX Series
Brand: N-Tron Pages: 196
PABX 208AC Instruction Manual preview
208AC
Brand: PABX Pages: 46
Shinybow USA SB-8804LCM Instruction Manual preview
SB-8804LCM
Brand: Shinybow USA Pages: 16
Xantech HD88C Installation Instructions Manual preview
HD88C
Brand: Xantech Pages: 12

Brands by name

Popular brands

Load more brands