Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
Chapter 19, Security: 802.1X Authentication

Common Tasks

Workflow 1: To enable 802.1X authentication on a port:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
STEP 2 Enable Port-based Authentication.
STEP 3 Select the Authentication Method.
STEP 4 Click Apply, and the Running Configuration file is updated.
STEP 5 Click Security > 802.1X/MAC/Web Authentication > Host and Session.
STEP 6 Select the required port and click Edit.
STEP 7 Set the Host Authentication mode.
STEP 8 Click Apply, and the Running Configuration file is updated.
STEP 9 Click Security > 802.1X/MAC/Web Authentication > Port Authentication.
STEP 10 Select a port, and click Edit.
STEP 11 Set the Administrative Port Control field to Auto.
STEP 12 Define the authentication methods.
STEP 13 Click Apply, and the Running Configuration file is updated.

Workflow 2: To configure traps:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
STEP 2 Select the required traps.
STEP 3 Click Apply, and the Running Configuration file is updated.

Workflow 3: To configure 802.1X-based or web-based authentication:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication.
STEP 2 Select the required port and click Edit.
STEP 3 Enter the fields required for the port. The fields in this page are described in Defining 802.1X Port Authentication.
STEP 4 Click Apply, and the Running Configuration file is updated. Use the Copy Settings button to copy settings from one port to another.

Workflow 4: To configure the quiet period:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication.
STEP 2 Select a port, and click Edit.
STEP 3 Enter the quiet period in the Quiet Period field.
STEP 4 Click Apply, and the Running Configuration file is updated.

Workflow 5: To configure the guest VLAN:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
STEP 2 Select Enable in the Guest VLAN field.
STEP 3 Select the guest VLAN in the Guest VLAN ID field.
STEP 4 Configure the Guest VLAN Timeout to be either Immediate, or enter a value in the User defined field.
STEP 5 Click Apply, and the Running Configuration file is updated.

Workflow 6: To configure unauthenticated VLANs:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
STEP 2 Select a VLAN, and click Edit.
STEP 3 Select a VLAN.
STEP 4 Optionally, uncheck Authentication to make the VLAN an unauthenticated VLAN.
STEP 5 Click Apply, and the Running Configuration file is updated.
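The following Python is an added example, not text or code from the guide or from Cisco. It models how the settings these workflows configure (Administrative Port Control, Authentication Method and Guest VLAN, plus the RADIUS VLAN Assignment option from the Port Authentication page) decide what happens to a client on a port, using the meaning this guide gives each option. The PortSettings and port_outcome names and the accept/reject/timeout labels for the RADIUS result are assumptions of the example.

```python
# Added example (not Cisco code): models the port outcome implied by the settings
# in this guide. PortSettings, port_outcome and the "accept"/"reject"/"timeout"
# labels for the RADIUS result are this example's own assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PortSettings:
    admin_control: str           # "force-authorized" | "auto" | "force-unauthorized"
    auth_method: str             # "radius,none" | "radius" | "none"
    radius_vlan_assignment: str  # "disable" | "reject" | "static"
    port_vlan: int               # VLAN the port is statically configured with
    guest_vlan: Optional[int] = None  # Guest VLAN ID, None when Guest VLAN is disabled


def port_outcome(cfg: PortSettings, radius: Optional[str],
                 radius_vlan: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (port state, VLAN the client lands in, or None).

    radius: "accept", "reject", "timeout" (server did not answer) or None when no
    802.1X supplicant was detected after link-up. radius_vlan is the VLAN the
    RADIUS server returned with an accept, if any.
    """
    # Force Authorized / Force Unauthorized bypass authentication entirely.
    if cfg.admin_control == "force-authorized":
        return "authorized", cfg.port_vlan
    if cfg.admin_control == "force-unauthorized":
        return "unauthorized", None
    # Auto: the outcome depends on the Authentication Method.
    if cfg.auth_method == "none":
        return "authorized", cfg.port_vlan          # session permitted without auth
    # An unauthorized port joins the guest VLAN (after the Guest VLAN Timeout) if enabled.
    failed = ("unauthorized", cfg.guest_vlan)
    if radius is None:                                # no supplicant detected
        return failed
    if radius == "timeout":
        # "RADIUS, None": no answer from the server means the session is permitted
        # (fail-open); plain "RADIUS" leaves the port unauthorized.
        return ("authorized", cfg.port_vlan) if cfg.auth_method == "radius,none" else failed
    if radius == "reject":                            # bad credentials: denied either way
        return failed
    # Accepted by RADIUS: apply the RADIUS VLAN Assignment setting.
    if cfg.radius_vlan_assignment != "disable" and radius_vlan is not None:
        return "authorized", radius_vlan              # dynamic VLAN from the server
    if cfg.radius_vlan_assignment == "reject":
        return failed                                 # authorized but no VLAN supplied
    return "authorized", cfg.port_vlan                # Disable, or Static with no server VLAN
```

Running the same RADIUS outage against "radius,none" and "radius" shows the fail-open difference between the two Authentication Method choices.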
802.1X Configuration Through the GUI

Defining 802.1X Properties
The 802.1X Properties page is used to globally enable 802.1X and define how ports are authenticated. For 802.1X to function, it must be activated both globally and individually on each port.

To define port-based authentication:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Properties.
STEP 2 Enter the parameters.
• Port-Based Authentication—Enable or disable port-based authentication. If this is disabled, 802.1X, MAC-based and web-based authentication are all disabled.
• Authentication Method—Select the user authentication methods. The options are:
- RADIUS, None—Perform port authentication first by using the RADIUS server. If no response is received from RADIUS (for example, if the server is down), then no authentication is performed, and the session is permitted. If the server is available but the user credentials are incorrect, access is denied and the session terminated.
- RADIUS—Authenticate the user on the RADIUS server. If no authentication is performed, the session is not permitted.
- None—Do not authenticate the user. Permit the session.
• Guest VLAN—Select to enable the use of a guest VLAN for unauthorized ports. If a guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it is removed from the guest VLAN.
• Guest VLAN ID—Select the guest VLAN from the list of VLANs.
• Guest VLAN Timeout—Define a time period:
- After linkup, if the software does not detect the 802.1X supplicant, or the authentication has failed, the port is added to the guest VLAN only after the Guest VLAN timeout period has expired.
- If the port state changes from Authorized to Not Authorized, the port is added to the guest VLAN only after the Guest VLAN timeout has expired.
• Traps—To enable traps, select one or more of the following options:
- 802.1x Authentication Failure Traps—Select to generate a trap if 802.1x authentication fails.
- 802.1x Authentication Success Traps—Select to generate a trap if 802.1x authentication succeeds.
- MAC Authentication Failure Traps—Select to generate a trap if MAC authentication fails.
- MAC Authentication Success Traps—Select to generate a trap if MAC authentication succeeds.
• When the switch is in Layer 2 switch mode:
- Web Authentication Failure Traps—Select to generate a trap if Web authentication fails.
- Web Authentication Success Traps—Select to generate a trap if Web authentication succeeds.
- Web Authentication Quiet Traps—Select to generate a trap if a quiet period commences.
When the device is in Layer 3 router mode, the VLAN Authentication Table displays all VLANs, and indicates whether authentication has been enabled on them.
STEP 3 Click Apply. The 802.1X properties are written to the Running Configuration file.

Defining 802.1X Port Authentication
The Port Authentication page enables configuration of 802.1X parameters for each port. Since some of the configuration changes, such as host authentication, are only possible while the port is in the Force Authorized state, it is recommended that you change the port control to Force Authorized before making changes. When the configuration is complete, return the port control to its previous state.
NOTE A port with 802.1X defined on it cannot become a member of a LAG.
To define 802.1X authentication:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Port Authentication. This page displays authentication settings for all ports.
STEP 2 Select a port, and click Edit.
STEP 3 Enter the parameters.
• Interface—Select a port.
• Current Port Control—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized.
• Administrative Port Control—Select the Administrative Port Authorization state. The options are:
- Force Unauthorized—Denies the interface access by moving the interface into the unauthorized state. The device does not provide authentication services to the client through the interface.
- Auto—Enables port-based authentication and authorization on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.
- Force Authorized—Authorizes the interface without authentication.
• RADIUS VLAN Assignment—Select to enable dynamic VLAN assignment on the selected port.
- Disable—Feature is not enabled.
- Reject—If the RADIUS server authorized the supplicant, but did not provide a supplicant VLAN, the supplicant is rejected.
- Static—If the RADIUS server authorized the supplicant, but did not provide a supplicant VLAN, the supplicant is accepted.
• Guest VLAN—Select to indicate that the usage of a previously-defined guest VLAN is enabled for the device. The options are:
- Selected—Enables using a guest VLAN for unauthorized ports. If a guest VLAN is enabled, the unauthorized port automatically joins the VLAN selected in the Guest VLAN ID field in the 802.1X Port Authentication page. After an authentication failure, and if guest VLAN is activated globally on a given port, the guest VLAN is automatically assigned to the unauthorized ports as an untagged VLAN.
- Cleared—Disables guest VLAN on the port.
• 802.1X Based Authentication—802.1X authentication is the only authentication method performed on the port.
• MAC Based Authentication—Port is authenticated based on the supplicant MAC address. Only 8 MAC-based authentications can be used on the port.
NOTE For MAC authentication to succeed, the RADIUS server supplicant username and password must be the supplicant MAC address. The MAC address must be in lower case letters and entered without the . or - separators; for example: 0020aa00bbcc.
• Web Based Authentication—This is only available in Layer 2 switch mode. Select to enable web-based authentication on the switch.
• Periodic Reauthentication—Select to enable port re-authentication attempts after the specified Reauthentication Period.
• Reauthentication Period—Enter the number of seconds after which the selected port is reauthenticated.
• Reauthenticate Now—Select to enable immediate port re-authentication.
• Authenticator State—Displays the defined port authorization state. The options are:
- Initialize—In process of coming up.
- Force-Authorized—Controlled port state is set to Force-Authorized (forward traffic).
- Force-Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic).
NOTE If the port is not in Force-Authorized or Force-Unauthorized, it is in Auto mode and the authenticator displays the state of the authentication in progress. After the port is authenticated, the state is shown as Authenticated.
• Time Range—Enable a limit on the time that the specific port is authorized for use if 802.1X has been enabled (Port-Based Authentication is checked).
• Time Range Name—Select the profile that specifies the time range.
• Maximum WBA Login Attempts—Available only in Layer 2 switch mode. Enter the maximum number of login attempts allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.
• Max WBA Silence Period—Available only in Layer 2 switch mode. Enter the maximum length of the silent period allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.
• Max Hosts—Enter the maximum number of authorized hosts allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.
NOTE Set this value to 1 to simulate single-host mode for web-based authentication in multi-sessions mode.
• Quiet Period—Enter the number of seconds that the device remains in the quiet state following a failed authentication exchange.
• Resending EAP—Enter the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.
• Max EAP Requests—Enter the maximum number of EAP requests that can be sent. If a response is not received after the defined period (supplicant timeout), the authentication process is restarted.
• Supplicant Timeout—Enter the number of seconds that lapses before EAP requests are resent to the supplicant.
• Server Timeout—Enter the number of seconds that lapses before the device resends a request to the authentication server.
STEP 4 Click Apply. The port settings are written to the Running Configuration file.

Defining Host and Session Authentication
The Host and Session Authentication page enables defining the mode in which 802.1X operates on the port and the action to perform if a violation has been detected. See Port Host Modes for an explanation of these modes.
To define 802.1X advanced settings for ports:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Host and Session Authentication. 802.1X authentication parameters are described for all ports. All fields except the following are described in the Edit Host and Session Authentication page.
• Number of Single Host Violations—Displays the number of packets that arrive on the interface in single-host mode, from a host whose MAC address is not the supplicant MAC address.
STEP 2 Select a port, and click Edit.
STEP 3 Enter the parameters.
• Interface—Enter a port number for which host authentication is enabled.
• Host Authentication—Select one of the modes. These modes are described above in Port Host Modes.
The following fields are only relevant if you select Single in the Host Authentication field.
Single Host Violation Settings:
• Action on Violation—Select the action to be applied to packets arriving in Single Session/Single Host mode, from a host whose MAC address is not the supplicant MAC address. The options are:
- Protect (Discard)—Discards the packets.
- Restrict (Forward)—Forwards the packets.
- Shutdown—Discards the packets and shuts down the port. The port remains shut down until reactivated, or until the device is rebooted.
• Traps (on single host violation)—Select to enable traps.
• Trap Frequency (on Single Host Violation)—Defines how often traps are sent to the host. This field can be defined only if multiple hosts are disabled.
• Number of Violations—Displays the number of violations (number of packets in Single Session/Single Host mode, from a host whose MAC address is not the supplicant MAC address).
STEP 4 Click Apply. The settings are written to the Running Configuration file.
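As an added example (not the guide's own material), the Python below applies the three Action on Violation choices to a constructed stream of frames on a single-host port and returns what is forwarded, what the Number of Violations counter would show, and whether the port ends up shut down. The single_host_port name, the frame tuples and the protect/restrict/shutdown labels are assumptions of the example.

```python
# Added example (not Cisco code): applies the single-host "Action on Violation"
# rules from this guide to a constructed frame stream. The frame tuples and the
# "protect"/"restrict"/"shutdown" labels are this example's own convention.
from typing import List, Tuple

Frame = Tuple[str, str]  # (source MAC address, payload label)


def single_host_port(supplicant_mac: str, frames: List[Frame], action: str):
    """Return (forwarded payloads, violation count, port shut down?).

    A violation is any frame whose source MAC is not the authenticated
    supplicant's MAC, which is what Number of Single Host Violations counts.
    """
    forwarded: List[str] = []
    violations = 0
    shut_down = False
    for src, payload in frames:
        if shut_down:
            continue  # a shut-down port drops everything until it is reactivated
        if src.lower() == supplicant_mac.lower():
            forwarded.append(payload)  # traffic from the supplicant passes normally
            continue
        violations += 1
        if action == "restrict":       # Restrict (Forward): counted, but still forwarded
            forwarded.append(payload)
        elif action == "shutdown":     # Shutdown: discard the frame and shut the port
            shut_down = True
        # "protect" (Protect (Discard)): the frame is silently dropped
    return forwarded, violations, shut_down


# Constructed sample: one authenticated supplicant plus a second device sharing
# the same port and sourcing frames from a different MAC address.
SUPPLICANT = "00:20:aa:00:bb:cc"
SAMPLE_FRAMES: List[Frame] = [
    (SUPPLICANT, "s1"),
    ("00:20:aa:00:bb:dd", "x1"),
    (SUPPLICANT, "s2"),
    ("00:20:aa:00:bb:dd", "x2"),
    (SUPPLICANT, "s3"),
]
```

With Shutdown, the first foreign frame takes the port down, so the supplicant's own later frames are lost as well; Restrict only counts, which is what makes the counter useful for monitoring without disrupting the user.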
Viewing Authenticated Hosts
To view details about authenticated users:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Authenticated Hosts.
This page displays the following fields:
• User Name—Supplicant names that were authenticated on each port.
• Port—Number of the port.
• Session Time (DD:HH:MM:SS)—Amount of time that the supplicant was logged on the port.
• Authentication Method—Method by which the last session was authenticated.
• Authentication Server—RADIUS server.
• MAC Address—Displays the supplicant MAC address.
• VLAN ID—Port's VLAN.

Locked Clients
To view clients who have been locked out because of failed login attempts and to unlock a locked client:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Locked Client.
The following fields are displayed:
• Interface—Port that is locked.
• MAC Address—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized.
• Remaining Time (Sec)—The time remaining for the port to be locked.
STEP 2 Select a port.
STEP 3 Click Unlock.
Web Authentication Customization
This page enables designing web-based authentication pages in various languages. You can add up to 4 languages.
NOTE Up to 5 HTTP users and one HTTPS user can request web-based authentication at the same time. When these users are authenticated, more users can request authentication.
To add a language for web-based authentication:
STEP 1 Click Security > 802.1X/MAC/Web Authentication > Web Authentication Customization.
STEP 2 Click Add.
STEP 3 Select a language from the Language drop-down list.
STEP 4 Select Set as Default Display Language if this language is the default language. The default language pages are displayed if the end user does not select a language.
STEP 5 Click Apply, and the settings are saved to the Running Configuration file.