Cisco Sg3008 Manual
Security: 802.1X Authentication - Authenticator Overview
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version), chapter 19, page 384

•force-unauthorized
Port authentication is disabled and the port transmits all traffic via the guest VLAN and unauthenticated VLANs. For more information see Defining Host and Session Authentication. The switch sends 802.1x EAP packets with EAP failure messages inside when it receives 802.1x EAPOL-Start messages.

•auto
Enables 802.1x authentication in accordance with the port host mode and the authentication methods configured on the port.

Port Host Modes
Ports can be placed in the following port host modes (configured in the Security > 802.1X/MAC/Web Authentication > Host and Authentication page):

•Single-Host Mode
A port is authorized if there is an authorized client. Only one host can be authorized on a port.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is remapped to the guest VLAN. Tagged traffic is dropped unless it belongs to the guest VLAN or to an unauthenticated VLAN. If a guest VLAN is not enabled on the port, only tagged traffic belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from the authorized host is bridged based on the static VLAN membership port configuration. Traffic from other hosts is dropped.
A user can specify that untagged traffic from the authorized host will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process. Tagged traffic is dropped unless it belongs to the RADIUS-assigned VLAN or to the unauthenticated VLANs. RADIUS VLAN assignment on a port is set in the Security > 802.1X/MAC/Web Authentication > Port Authentication page.

•Multi-Host Mode
A port is authorized if there is at least one authorized client.
When a port is unauthorized and a guest VLAN is enabled, untagged traffic is remapped to the guest VLAN. Tagged traffic is dropped unless it belongs to the guest VLAN or to an unauthenticated VLAN. If a guest VLAN is not enabled on a port, only tagged traffic belonging to unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from all hosts connected to the port is bridged, based on the static VLAN membership port configuration.
You can specify that untagged traffic from the authorized port will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process. Tagged traffic is dropped unless it belongs to the RADIUS-assigned VLAN or to the unauthenticated VLANs. RADIUS VLAN assignment on a port is set in the Port Authentication page.

•Multi-Sessions Mode
Unlike the single-host and multi-host modes, a port in multi-sessions mode does not have an authentication status of its own; the status is assigned to each client connected to the port. This mode requires a TCAM lookup. Since Layer 3 mode switches (see Multi-Sessions Mode Support) do not have a TCAM lookup allocated for multi-sessions mode, they support a limited form of multi-sessions mode that does not support the guest VLAN and RADIUS VLAN attributes.
The maximum number of authorized hosts allowed on the port is configured in the Port Authentication page.
Tagged traffic belonging to an unauthenticated VLAN is always bridged, regardless of whether the host is authorized or not.
Tagged and untagged traffic from unauthorized hosts not belonging to an unauthenticated VLAN is remapped to the guest VLAN if it is defined and enabled on the port, or is dropped if the guest VLAN is not enabled on the port.
If an authorized host is assigned a VLAN by a RADIUS server, all its tagged and untagged traffic not belonging to the unauthenticated VLANs is bridged via that VLAN; if no VLAN is assigned, all its traffic is bridged based on the static VLAN membership port configuration.
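The forwarding rules for the three host modes, including the guest VLAN, unauthenticated VLAN and RADIUS-assigned VLAN cases the guide describes for each mode, can be checked against a small model. The Python below is an added example written for this page, not Cisco code: PortConfig, AuthState, Frame and decide are names chosen here, the model covers single-host, multi-host and full (Layer 2) multi-sessions mode, and the VLAN numbers and MAC addresses in demo() are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Illustrative model of the guide's host-mode forwarding rules; all names are this example's own.


@dataclass
class PortConfig:
    host_mode: str                  # "single-host", "multi-host" or "multi-sessions" (Layer 2, full mode)
    pvid: int                       # VLAN that untagged frames join under static membership
    static_vlans: Set[int]          # static VLAN membership of the port
    guest_vlan: Optional[int] = None                      # guest VLAN if enabled on this port
    unauth_vlans: Set[int] = field(default_factory=set)   # unauthenticated VLANs (tagged members)


@dataclass
class AuthState:
    authorized_macs: Set[str] = field(default_factory=set)     # authorized clients on the port
    radius_vlan: Dict[str, int] = field(default_factory=dict)  # client MAC -> RADIUS-assigned VLAN


@dataclass
class Frame:
    src_mac: str
    vlan: Optional[int]             # None for untagged, else the 802.1Q VLAN ID


Decision = Tuple[str, Optional[int]]   # ("bridge", vlan) or ("drop", None)


def decide(port: PortConfig, auth: AuthState, frame: Frame) -> Decision:
    """Apply the guide's rules to one ingress frame and return the forwarding decision."""
    tagged = frame.vlan is not None

    # Tagged traffic in an unauthenticated VLAN is bridged whether or not the sender is authorized.
    if tagged and frame.vlan in port.unauth_vlans:
        return ("bridge", frame.vlan)

    if port.host_mode in ("single-host", "multi-host"):
        # The authorization status belongs to the port.
        if not auth.authorized_macs:
            if port.guest_vlan is None:
                return ("drop", None)       # no guest VLAN: only unauthenticated VLANs pass
            if not tagged or frame.vlan == port.guest_vlan:
                return ("bridge", port.guest_vlan)
            return ("drop", None)
        if port.host_mode == "single-host" and frame.src_mac not in auth.authorized_macs:
            return ("drop", None)           # only the one authorized host may use the port
        # A RADIUS-assigned VLAN applies to the whole port in these modes.
        assigned = next((v for m, v in auth.radius_vlan.items() if m in auth.authorized_macs), None)
        if assigned is not None:
            if not tagged or frame.vlan == assigned:
                return ("bridge", assigned)
            return ("drop", None)
    else:
        # Multi-sessions: authorization is per client, not per port.
        if frame.src_mac not in auth.authorized_macs:
            if port.guest_vlan is None:
                return ("drop", None)
            return ("bridge", port.guest_vlan)   # tagged and untagged alike are remapped
        assigned = auth.radius_vlan.get(frame.src_mac)
        if assigned is not None:
            return ("bridge", assigned)         # everything outside unauth VLANs rides the RADIUS VLAN

    # Static VLAN membership applies to an authorized host with no RADIUS-assigned VLAN.
    if not tagged:
        return ("bridge", port.pvid)
    return ("bridge", frame.vlan) if frame.vlan in port.static_vlans else ("drop", None)


def demo() -> Dict[str, Decision]:
    """Run a few constructed cases and return their decisions keyed by name."""
    sh = PortConfig("single-host", pvid=10, static_vlans={10, 20}, guest_vlan=99, unauth_vlans={50})
    ms = PortConfig("multi-sessions", pvid=10, static_vlans={10, 20}, guest_vlan=99, unauth_vlans={50})
    nobody = AuthState()
    host_a = AuthState(authorized_macs={"aa"}, radius_vlan={"aa": 30})
    return {
        "sh_unauth_untagged": decide(sh, nobody, Frame("bb", None)),        # guest VLAN
        "sh_unauth_tag_unauth_vlan": decide(sh, nobody, Frame("bb", 50)),   # always bridged
        "sh_unauth_tag_other": decide(sh, nobody, Frame("bb", 20)),         # dropped
        "sh_auth_radius": decide(sh, host_a, Frame("aa", None)),            # RADIUS VLAN 30
        "sh_auth_other_host": decide(sh, host_a, Frame("bb", None)),        # other host dropped
        "ms_unauth_client": decide(ms, host_a, Frame("bb", 20)),            # remapped to guest
        "ms_auth_client_tagged": decide(ms, host_a, Frame("aa", 20)),       # RADIUS VLAN 30
    }
```

The model makes one security-relevant point visible: tagged frames in an unauthenticated VLAN are bridged before any authorization check in every mode, so the set of unauthenticated VLANs is effectively an always-open path and deserves the same scrutiny as the guest VLAN.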
The Sx300 in Layer 3 router mode supports the multi-sessions mode without guest VLAN and RADIUS-VLAN assignment:

Multiple Authentication Methods
If more than one authentication method is enabled on the switch, the following hierarchy of authentication methods is applied:
•802.1x Authentication: Highest
•WEB-Based Authentication
•MAC-Based Authentication: Lowest
Multiple methods can run at the same time. When one method finishes successfully, the client becomes authorized; the methods with lower priority are stopped and the methods with higher priority continue. When one of the authentication methods running simultaneously fails, the other methods continue. When an authentication method finishes successfully for a client already authenticated by a method with a lower priority, the attributes of the new authentication method are applied. When the new method fails, the client is left authorized with the old method.

802.1x-Based Authentication
The 802.1x-based authenticator relays EAP messages transparently between 802.1x supplicants and authentication servers. The EAP messages between supplicants and the authenticator are encapsulated in 802.1x messages, and the EAP messages between the authenticator and authentication servers are encapsulated in RADIUS messages.
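The precedence rules for methods that run at the same time are easy to misread, so here is a small state model of them. This is an added example written for this page, not Cisco's implementation: the ClientAuth class and the short method names are this example's own, and the sequence of results in walkthrough() is constructed.

```python
from typing import Dict, Iterable, List, Optional

# Priority from the guide: 802.1x highest, web-based next, MAC-based lowest.
PRIORITY = {"802.1x": 3, "web": 2, "mac": 1}


class ClientAuth:
    """Authorization state of one client while several methods run concurrently (illustrative)."""

    def __init__(self, enabled_methods: Iterable[str]):
        self.running = set(enabled_methods)          # methods still in progress for this client
        self.authorized_by: Optional[str] = None     # method whose result currently applies
        self.attributes: Dict[str, int] = {}         # that method's attributes, e.g. a RADIUS VLAN

    def result(self, method: str, success: bool,
               attributes: Optional[Dict[str, int]] = None) -> dict:
        if method not in self.running:
            return self.state()      # a method that was stopped or already finished cannot change the state
        self.running.discard(method)
        if success:
            # The client becomes authorized (or re-authorized by a higher-priority method);
            # the successful method's attributes replace whatever applied before.
            self.authorized_by = method
            self.attributes = dict(attributes or {})
            # Lower-priority methods are stopped; higher-priority ones keep running.
            self.running = {m for m in self.running if PRIORITY[m] > PRIORITY[method]}
        # On failure nothing changes: the other methods continue and an existing
        # authorization from a lower-priority method is kept.
        return self.state()

    def state(self) -> dict:
        return {
            "authorized": self.authorized_by is not None,
            "method": self.authorized_by,
            "attributes": dict(self.attributes),
            "running": sorted(self.running, key=lambda m: -PRIORITY[m]),
        }


def walkthrough() -> List[dict]:
    """Constructed sequence: MAC succeeds first, 802.1x then fails, web later succeeds."""
    client = ClientAuth(["802.1x", "web", "mac"])
    return [
        client.result("mac", True, {"vlan": 10}),    # authorized by MAC; 802.1x and web continue
        client.result("802.1x", False),              # failure: still authorized by MAC, web continues
        client.result("web", True, {"vlan": 20}),    # web outranks MAC: its attributes now apply
        client.result("mac", True, {"vlan": 11}),    # MAC already finished: ignored
    ]
```

The third step is the one worth noticing operationally: a client that was already on the network under a MAC-based result silently changes VLAN when a higher-priority method completes, so logs that record only the first authorization will not explain the VLAN the client ends up in.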
This is described in the following figure:
Figure 1 802.1x-Based Authentication

MAC-Based Authentication
MAC-based authentication is an alternative to 802.1X authentication that allows network access to devices (such as printers and IP phones) that do not have 802.1X supplicant capability. MAC-based authentication uses the MAC address of the connecting device to grant or deny network access. In this case, the switch supports EAP MD5 functionality with the username and password equal to the client MAC address, as shown in the figure below.
Figure 2 MAC-Based Authentication
The method does not have any specific configuration.
WEB-Based Authentication
WEB-based authentication is used to authenticate end users who request access to a network through a switch. It enables clients directly connected to the switch to be authenticated using a captive-portal mechanism before the client is given access to the network.
Web-based authentication is client-based authentication and is supported in the multi-sessions mode in both Layer 2 and Layer 3.
This method of authentication is enabled per port, and when it is enabled on a port, each host must authenticate itself in order to access the network, so an enabled port can have both authenticated and unauthenticated hosts.
When web-based authentication is enabled on a port, the switch drops all traffic arriving on the port from unauthorized clients, except for ARP, DHCP, DNS and NETBIOS packets. These packets are allowed to be forwarded by the switch so that even unauthorized clients can obtain an IP address and resolve host or domain names. All HTTP/HTTPS over IPv4 packets from unauthorized clients are trapped to the CPU of the switch.
When an end user requests access to the network and web-based authentication is enabled on the port, a login page is displayed before the requested page. The user must enter a username and password, which are authenticated by a RADIUS server using the EAP protocol. If authentication is successful, the user is informed and now has an authenticated session.
The session remains open while it is being used. If it is not used for a specific time interval, the session is closed. This time interval is configured by the system administrator and is called Quiet Time. When the session times out, the username and password are discarded, and the guest must re-enter them to open a new session.
See Table 1 Port Modes and Authentication Methods.
After authentication is completed, the switch forwards all traffic arriving from the client on the port, as shown in the figure below.
Figure 3 WEB-Based Authentication
Web-based authentication cannot be configured on a port that has the guest VLAN or RADIUS-Assigned VLAN feature enabled.
Web-based authentication supports the following pages:
•Login page
•Login Success page
There is a predefined, embedded set of these pages. These pages can be modified in the Security > 802.1X/MAC/Web Authentication > Web Authentication Customization page. You can preview each of the customized pages. The configuration is saved into the Running Configuration file.
The following table describes which SKUs support web-based authentication and in which system modes:

SKU                     System Mode               WBA Supported
Sx300                   Layer 2                   Yes
                        Layer 3                   No
Sx500, Sx500ESW2-550X   Layer 2                   Yes
                        Layer 3                   No
SG500X                  Native                    Yes
                        Basic Hybrid - Layer 2    Yes
                        Basic Hybrid - Layer 3    No
SG500XG                 Same as Sx500             Yes

NOTE
•When web-based authentication is not supported, guest VLAN and DVA cannot be configured in multi-sessions mode.
•When web-based authentication is supported, guest VLAN and DVA can be configured in multi-sessions mode.

Unauthenticated VLANs and the Guest VLAN
Unauthenticated VLANs and the guest VLAN provide access to services that do not require the subscribing devices or ports to be 802.1X or MAC-based authenticated and authorized.
The guest VLAN is the VLAN that is assigned to an unauthorized client. You can configure the guest VLAN and one or more VLANs to be unauthenticated in the Security > 802.1X/MAC/Web Authentication > Properties page.
An unauthenticated VLAN is a VLAN that allows access by both authorized and unauthorized devices or ports. An unauthenticated VLAN has the following characteristics:
•It must be a static VLAN, and cannot be the guest VLAN or the default VLAN.
•The member ports must be manually configured as tagged members.
•The member ports must be trunk and/or general ports. An access port cannot be a member of an unauthenticated VLAN.
The guest VLAN, if configured, is a static VLAN with the following characteristics:
•It must be manually defined from an existing static VLAN.
•The guest VLAN cannot be used as the Voice VLAN or as an unauthenticated VLAN.
See Table 3 Guest VLAN Support and RADIUS-VLAN Assignment Support for a summary of the modes in which the guest VLAN is supported.
Host Modes with Guest VLAN
The host modes work with the guest VLAN in the following way:
•Single-Host and Multi-Host Mode
Untagged traffic and tagged traffic belonging to the guest VLAN arriving on an unauthorized port are bridged via the guest VLAN. All other traffic is discarded. Traffic belonging to an unauthenticated VLAN is bridged via that VLAN.
•Multi-Sessions Mode in Layer 2
Untagged traffic and tagged traffic that does not belong to the unauthenticated VLANs and arrives from unauthorized clients is assigned to the guest VLAN using a TCAM rule and bridged via the guest VLAN. Tagged traffic belonging to an unauthenticated VLAN is bridged via that VLAN. This mode cannot be configured on the same interface as policy-based VLANs.
•Multi-Sessions Mode in Layer 3
This mode does not support the guest VLAN.

RADIUS VLAN Assignment or Dynamic VLAN Assignment
An authorized client can be assigned a VLAN by the RADIUS server, if this option is enabled in the Port Authentication page. This is called either Dynamic VLAN Assignment (DVA) or RADIUS-Assigned VLAN. In this guide, the term RADIUS-Assigned VLAN is used.
When a port is in multi-sessions mode and RADIUS-Assigned VLAN is enabled, the device automatically adds the port as an untagged member of the VLAN that is assigned by the RADIUS server during the authentication process. The device classifies untagged packets to the assigned VLAN if the packets originated from devices or ports that are authenticated and authorized.
See Table 3 Guest VLAN Support and RADIUS-VLAN Assignment Support, and the table describing how authenticated and non-authenticated traffic is handled in various situations, for further information about how the different modes behave when RADIUS-Assigned VLAN is enabled on the device.

NOTE In multi-sessions mode, RADIUS VLAN assignment is only supported when the device is in Layer 2 system mode.
For a device to be authenticated and authorized at a port which is DVA-enabled:
•The RADIUS server must authenticate the device and dynamically assign a VLAN to the device. You can set the RADIUS VLAN Assignment field to static in the Port Authentication page; this causes the host to be bridged according to the static configuration.
•The RADIUS server must support DVA with the RADIUS attributes tunnel-type (64) = VLAN (13), tunnel-media-type (65) = 802 (6), and tunnel-private-group-id = a VLAN ID.
When the RADIUS-Assigned VLAN feature is enabled, the host modes behave as follows:
•Single-Host and Multi-Host Mode
Untagged traffic and tagged traffic belonging to the RADIUS-assigned VLAN are bridged via this VLAN. All other traffic not belonging to unauthenticated VLANs is discarded.
•Full Multi-Sessions Mode
Untagged traffic and tagged traffic not belonging to the unauthenticated VLANs arriving from the client are assigned to the RADIUS-assigned VLAN using TCAM rules and are bridged via that VLAN.
•Multi-Sessions Mode in Layer 3 System Mode
This mode does not support RADIUS-assigned VLAN.

The following table describes guest VLAN and RADIUS-VLAN assignment support depending on authentication method and port mode.
Legend:
†—The port mode supports the guest VLAN and RADIUS-VLAN assignment.
N/S—The port mode does not support the authentication method.

Authentication Method   Single-host   Multi-host   Multi-sessions (device in L3)   Multi-sessions (device in L2)
802.1x                  †             †            N/S                             †
MAC                     †             †            N/S                             †
WEB                     N/S           N/S          N/S                             N/S
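The attribute triple in the second bullet above is what a RADIUS Access-Accept must carry for DVA to take effect. The Python below is an added example, not Cisco code, that builds and decodes those three attributes in the RADIUS type/length/value layout with the RFC 2868 tag byte, so that a RADIUS reply captured from a server under test can be checked for a well-formed assignment. It assumes the standard attribute numbers 64, 65 and 81 (the guide names 64 and 65; 81 for Tunnel-Private-Group-ID comes from RFC 2868), the function names are this example's own, and the attribute lists it parses are constructed here.

```python
from typing import Dict, List, Optional, Tuple

# Attribute numbers from RFC 2868; the values are the ones the guide names:
# Tunnel-Type VLAN (13) and Tunnel-Medium-Type 802 (6).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs; the length byte covers type and length."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length out of range")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def split_tag(value: bytes) -> Tuple[int, bytes]:
    """RFC 2868 tag rule: a leading byte of 0x00..0x1F is a tag; anything larger is part of the value."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(blob: bytes) -> Optional[int]:
    """Return the VLAN ID carried by a complete DVA triple, or None if no consistent triple is present."""
    groups: Dict[int, dict] = {}     # attributes grouped by tag, so multi-tunnel replies stay separate
    for attr_type, value in parse_attributes(blob):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue                 # User-Name, Class and the like play no part in DVA
        tag, body = split_tag(value)
        entry = groups.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry[attr_type] = body.decode("ascii", errors="replace")
        elif len(body) == 3:         # Tunnel-Type and Tunnel-Medium-Type carry a 3-byte integer after the tag
            entry[attr_type] = int.from_bytes(body, "big")
    for entry in groups.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802):
            group_id = entry.get(TUNNEL_PRIVATE_GROUP_ID, "")
            # The guide requires a VLAN ID here; a VLAN name would not be accepted by this check.
            if group_id.isdigit() and 1 <= int(group_id) <= 4094:
                return int(group_id)
    return None


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including these two bytes), value."""
    return bytes([attr_type, len(value) + 2]) + value


def dva_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Build the DVA triple the way a RADIUS server puts it into an Access-Accept (constructed sample)."""
    return (encode_attribute(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_attribute(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + encode_attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))
```

Because the group ID is compared as a decimal string and range-checked, a reply whose Tunnel-Private-Group-ID is a VLAN name, an out-of-range number, or missing one of the two companion attributes yields None rather than a partial assignment; that mirrors the guide's requirement that all three attributes be present, with the stated values, before a port is moved.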
Violation Mode
In single-host mode you can configure the action to be taken when an unauthorized host on an authorized port attempts to access the interface. This is done in the Host and Session Authentication page. The following options are available:
•restrict—Generates a trap when a station whose MAC address is not the supplicant MAC address attempts to access the interface. The minimum time between the traps is 1 second. These frames are forwarded, but their source addresses are not learned.
•protect—Discards frames with source addresses that are not the supplicant address.
•shutdown—Discards frames with source addresses that are not the supplicant address and shuts down the port.
You can also configure the device to send SNMP traps, with a configurable minimum time between consecutive traps. If seconds = 0, traps are disabled. If the minimum time is not specified, it defaults to 1 second for restrict mode and 0 for the other modes.

Quiet Period
The quiet period is a period during which the port (single-host or multi-host modes) or the client (multi-sessions mode) cannot attempt authentication, following a failed authentication exchange. In single-host or multi-host mode the period is defined per port, and in multi-sessions mode the period is defined per client. During the quiet period, the switch does not accept or initiate authentication requests. The period is only applied to 802.1x-based and web-based authentication.
You can also specify the maximum number of login attempts before the quiet period is started. A value of 0 specifies an unlimited number of login attempts. The duration of the quiet period and the maximum number of login attempts can be set in the Port Authentication page.