User manual 3COM H3C S3100 8C SI

[. . . ] H3C S3100 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co. , Ltd. http://www. h3c. com Manual Version: 20080710-C-1. 05 Copyright © 2007-2008, Hangzhou H3C Technologies Co. , Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co. , Ltd. Trademarks H3C, , Aolynk, , H3Care, , TOP G, , IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co. , Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice The information in this document is subject to change without notice. [. . . ] For S3100 Series Ethernet switches, MAC authentication can be implemented locally or on a RADIUS server. After determining the authentication method, users can select one of the following types of user name as required: MAC address mode, where the MAC address of a user serves as both the user name and the password. Fixed mode, where user names and passwords are configured on a switch in advance. In this case, the user name, the password, and the limits on the total number of user names are the matching criterion for successful authentication. For details, refer to AAA of this manual for information about local user attributes. 1. 1. 1 Performing MAC Authentication on a RADIUS Server When authentications are performed on a RADIUS server, the switch serves as a RADIUS client and completes MAC authentication in combination of the RADIUS server. In MAC address mode, the switch sends the MAC addresses detected to the RADIUS server as both the user names and passwords. In fixed mode, the switch sends the user name and password previously configured for the user to the RADIUS server for authentication. A user can access a network upon passing the authentication performed by the RADIUS server. 1. 1. 2 Performing MAC Authentication Locally When authentications are performed locally, users are authenticated by switches. In this case, In MAC address mode, the local user name to be configured is the MAC address of an access user. Hyphens must or must not be included depending on the format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. 1-1 Operation Manual ­ MAC Address Authentication H3C S3100 Series Ethernet Switches Chapter 1 MAC Authentication Configuration In fixed mode, all users' MAC addresses are automatically mapped to the configured local passwords and usernames. The service type of a local user needs to be configured as lan-access. 1. 2 Related Concepts 1. 2. 1 MAC Authentication Timers The following timers function in the process of MAC authentication: Offline detect timer: At this interval, the switch checks to see whether an online user has gone offline. Once detecting that a user becomes offline, the switch sends a stop-accounting notice to the RADIUS server. Quiet timer: Whenever a user fails MAC authentication, the switch does not initiate any MAC authentication of the user during a period defined by this timer. Server timeout timer: During authentication of a user, if the switch receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network. 1. 2. 2 Quiet MAC Address When a user fails MAC authentication, the MAC address becomes a quiet MAC address, which means that any packets from the MAC address will be discarded simply by the switch until the quiet timer expires. This prevents an invalid user from being authenticated repeatedly in a short time. Caution: If the quiet MAC is the same as the static MAC configured or an authentication-passed MAC, then the quiet function is not effective. The S3100 series Ethernet switches support quiet MAC function on ports. 1-2 Operation Manual ­ MAC Address Authentication H3C S3100 Series Ethernet Switches Chapter 1 MAC Authentication Configuration 1. 3 Configuring Basic MAC Authentication Functions Table 1-1 Configure basic MAC authentication functions Operation Enter system view Enable MAC authentication globally system-view mac-authentication In system view mac-authentication interface interface-list interface interface-type interface-number mac-authentication quit Set the user name in MAC address mode for MAC authentication mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ] Set the user name in fixed mode for MAC authenticati on Configure the user name Configure the password Specify an ISP domain for MAC authentication Optional By default, the MAC address of a user is used as the user name. Use either method Disabled by default Command -- Required Disabled by default Remarks Enable MAC authentication for the specified port(s) or the current port In interface view mac-authentication authmode usernamefixed Optional By default, the user name is "mac" and no password is configured. Set the user name in fixed mode for MAC authentication mac-authentication authusername username mac-authentication authpassword password Required mac-authentication domain isp-name The default ISP domain (default domain) is used by default. 1-3 Operation Manual ­ MAC Address Authentication H3C S3100 Series Ethernet Switches Chapter 1 MAC Authentication Configuration Operation Command Remarks Optional The default timeout values are as follows: Configure the MAC authentication timers mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } 300 seconds for offline detect timer; 60 seconds for quiet timer; and 100 seconds for server timeout timer Caution: If MAC authentication is enabled on a port, you cannot configure the maximum number of dynamic MAC address entries for that port (through the mac-address max-mac-count command), and vice versa. If MAC authentication is enabled on a port, you cannot configure port security (through the port-security enable command) on that port, and vice versa. You can configure MAC authentication on a port before enabling it globally. However, the configuration will not take effect unless MAC authentication is enabled globally. 1. 4 MAC Address Authentication Enhanced Function Configuration 1. 4. 1 MAC Address Authentication Enhanced Function Configuration Tasks Table 1-2 MAC address authentication enhanced function configuration tasks Operation Configure a Guest VLAN Configure the maximum number of MAC address authentication users allowed to access a port Configuring quiet MAC function on a port Description Optional Related section Section 1. 4. 2 "Configuring a Guest VLAN" Section 1. 4. 3 "Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port" Section 1. 4. 4 "Configuring the Quiet MAC Function on a Port" Optional Optional 1-4 Operation Manual ­ MAC Address Authentication H3C S3100 Series Ethernet Switches Chapter 1 MAC Authentication Configuration 1. 4. 2 Configuring a Guest VLAN Note: Different from Guest VLANs described in the 802. 1x and System-Guard manual, Guest VLANs mentioned in this section refer to Guests VLANs dedicated to MAC address authentication. After completing configuration tasks in 1. 3 Configuring Basic MAC Authentication Functions for a switch, this switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords. The switch will not learn MAC addresses of the clients failing in the authentication into its local MAC address table, thus prevent illegal users from accessing the network. In some cases, if the clients failing in the authentication are required to access some restricted resources in the network (such as the virus library update server), you can use the Guest VLAN. [. . . ] Switch C is configured with a Monitor Link group, where Ethernet1/0/1 is the uplink port, while Ethernet1/0/2 and Ethernet1/0/3 are the downlink ports. Switch A is configured with a Smart Link group, where Ethernet1/0/1 is the master port and Ethernet1/0/2 is the slave port. If Switch C is not configured with Monitor Link group, when the link for the uplink port Ethernet1/0/1 on Switch C fails, the links in the Smart Link group are not switched because the link for the master port Ethernet1/0/1 of Switch A configured with Smart Link group operates normally. Actually, however, the traffic on Switch A cannot be up-linked to Switch E through the link of Ethernet1/0/1. [. . . ]