User's guide
Overview of Security Methods
3-18 Accessing Local Management
When the Radius Client is active on the switch module, any attempt to access the host IP
address through the local console LM, Telnet to LM, or the WebView application presents an
authorization screen that prompts for a user login name and password. The embedded Radius
Client encrypts the information entered by the user and sends it to the Radius Server for validation.
The server then returns an access-accept or access-reject response to the client, allowing or
denying the user access to the host application at the proper access level.
On an access-accept response, the message USER AUTHORIZATION = <ACCESS LEVEL> is displayed
for 3 seconds, and then the main screen of the application appears. An access-denied response
causes an audible “beep” and returns the screen to the user name prompt.
If the Radius Client receives no response from the Radius Server because the server is down
or inaccessible, the Radius Client times out after a default value of 20 seconds.
If the server returns an “access-accept” response (the user successfully authenticated), it must also
return a Radius “FilterID” attribute containing an ASCII string with the following fields in the
specified format:
    “Enterasys:version=V:mgmt=M:policy=N”
Where:
    V is the version number (currently V=1)
    M is the access level for management, one of the following strings:
        “su” for super-user access
        “rw” for read-write access
        “ro” for read-only access
    N is the policy profile number (see the policy profile MIB)
If the Radius Client does not receive a response from the primary server, it consults the
secondary server, if one has been configured. If the secondary server also does not respond, the
switch module reverts to the last-resort authentication action. Last-resort authentication is
individually selectable for local (COM port) and remote (TELNET or WebView) access. The
last-resort action may be to accept the user, reject the user, or challenge the user for the Local
Management passwords (resort to legacy authentication).
NOTES:
1. Quotation marks (“ ”) are used for clarification only and are not part of the command
strings.
2. If the FilterID attribute is not returned, or the “mgmt” field is absent or contains an
unrecognizable value, access is denied.
3. Policy profiles are not yet deployed and the “policy=N” part may be omitted.
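The FilterID rules and the primary/secondary/last-resort sequence described above can be modeled to check RADIUS server entries before they are deployed. This Python sketch is an added example, not code from the switch firmware or from this guide; the function names, the reply tuples, and the handling of cases the guide does not specify (wrong version, duplicate or unknown fields, non-numeric policy) are assumptions, and all sample strings are constructed.

```python
import re

MGMT_LEVELS = {"su", "rw", "ro"}                  # super-user, read-write, read-only
LAST_RESORT = {"accept", "reject", "challenge"}   # challenge = Local Management passwords

def parse_filter_id(value):
    """Return (mgmt, policy) for a usable FilterID string, or None (access denied)."""
    if not value:                                 # Note 2: attribute not returned
        return None
    prefix, *fields = value.split(":")
    if prefix != "Enterasys":
        return None
    kv = {}
    for field in fields:
        key, sep, val = field.partition("=")
        # Assumption: malformed, duplicate or unknown fields are treated as a denial.
        if not sep or key in kv or key not in ("version", "mgmt", "policy"):
            return None
        kv[key] = val
    if kv.get("version") != "1":                  # assumption: only the current version passes
        return None
    if kv.get("mgmt") not in MGMT_LEVELS:         # Note 2: mgmt absent or unrecognizable
        return None
    policy = kv.get("policy")                     # Note 3: policy=N may be omitted
    if policy is not None and not re.fullmatch(r"[0-9]+", policy):
        return None                               # assumption: non-numeric policy denies
    return kv["mgmt"], (int(policy) if policy is not None else None)

def authorize(primary, secondary, last_resort):
    """Each reply is None (no response or not configured) or (kind, filter_id)."""
    if last_resort not in LAST_RESORT:
        raise ValueError("unknown last-resort action: %r" % last_resort)
    for reply in (primary, secondary):
        if reply is None:
            continue                              # timed out: consult the next server
        kind, filter_id = reply
        if kind != "access-accept":
            return "deny"                         # the first server that answers decides
        parsed = parse_filter_id(filter_id)
        return parsed[0] if parsed else "deny"
    return "last-resort:" + last_resort           # neither server responded

if __name__ == "__main__":
    # Constructed replies: primary times out, secondary accepts with read-write.
    ok = ("access-accept", "Enterasys:version=1:mgmt=rw")
    print(authorize(None, ok, "reject"))
    print(authorize(None, None, "challenge"))
```

A last-resort action of "accept" is reached whenever neither server answers, so the model makes it easy to see which settings grant access with no server-side validation at all.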