Note that if the images you see or the steps you follow look different from the actual page, here are alternative instructions/information.
1. Access the web interface of your switch.
2. Click on Security.
2. Click on Security.
3. The following settings can be configured under Security:
802.1x
Radius Server
Access
Port Security
Port Isolation
DoS
802.1x
The IEEE 802.1x standard authentication uses the Remote Authentication Dial In User Service (RADIUS) protocol to validate users and provide a security standard for network access control. The user that wishes to be authenticated is called a supplicant.
The actual server doing the authentication is called the authentication server (typically a RADIUS server). The mediating device, such as a switch, is called the authenticator. Clients connected to a port on the switch must be authenticated by the RADIUS server before accessing any services offered by the switch on the LAN. Use a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN (EAPoL) packets between the client and server. This establishes the requirements needed for a protocol between the authenticator (the system that passes an authentication request to the authentication server) and the supplicant (the system that requests for authentication), as well as between the authenticator and the authentication server.
The following settings can be configured under 802.1x:
Global Settings
Port Settings
Authenticated Host
Statistics
Global Settings
When a supplicant is connected to a switch port, the port issues an 802.1x authentication request to the attached 802.1x supplicant. The supplicant replies with the given username and password in an authentication request, then passed to a configured RADIUS server. The authentication server's user database supports Extensible Authentication Protocol (EAP), which allows particular guest VLAN memberships to be defined based on each individual user. Before successful authorization, the port connected to the authenticated supplicant becomes a member of the specified guest VLAN. When the supplicant is successfully authenticated, traffic will be automatically assigned to the VLAN user configured in 802.1Q VLAN.
The EAP authentication methods supported by the switch are:
When a supplicant is connected to a switch port, the port issues an 802.1x authentication request to the attached 802.1x supplicant. The supplicant replies with the given username and password in an authentication request, then passed to a configured RADIUS server. The authentication server's user database supports Extensible Authentication Protocol (EAP), which allows particular guest VLAN memberships to be defined based on each individual user. Before successful authorization, the port connected to the authenticated supplicant becomes a member of the specified guest VLAN. When the supplicant is successfully authenticated, traffic will be automatically assigned to the VLAN user configured in 802.1Q VLAN.
The EAP authentication methods supported by the switch are:
- EAP-MD5
- EAPTLS
- EAP-TTLS
- EAP-PEAP
- Guest VLAN: Select Guest VLAN as Enabled or Disabled on the switch. The default is Disabled.
- Guest VLAN ID: Select the guest VLAN ID from the list of currently defined VLANs.
Click Apply to save the system settings.
Port Settings
The IEEE 802.1x port-based authentication provides a security standard for network access control with RADIUS servers and holds a network port block until authentication is completed. With 802.1x port-based authentication, the supplicant provides the required credentials, such as username, password, or digital certificate to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant is allowed to access resources located on the protected side of the network.
From here, you can configure the port settings as they relate to 802.1x. To make your changes, select a port, then use the open fields (located on the first row) to change the settings of the selected port. Then scroll down to click on Apply to save your settings.
The IEEE 802.1x port-based authentication provides a security standard for network access control with RADIUS servers and holds a network port block until authentication is completed. With 802.1x port-based authentication, the supplicant provides the required credentials, such as username, password, or digital certificate to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant is allowed to access resources located on the protected side of the network.
From here, you can configure the port settings as they relate to 802.1x. To make your changes, select a port, then use the open fields (located on the first row) to change the settings of the selected port. Then scroll down to click on Apply to save your settings.
- Port: The port number on the switch.
- Mode: You can select Auto, Force_UnAuthorized, or Force_Authorized mode from the list.
- Reauthentication: You can select if port reauthentication is Enabled or Disabled.
- Reauthentication Period: You can enter the time span in which the selected port is reauthenticated. The default is 3600 seconds.
- Quiet Period: You can enter the number of the devices that remain in the quiet state following a failed authentication exchange. The default is 60 seconds.
- Supplicant Period: You can enter the amount of time that lapses before an EAP request is resent to the supplicant. The default is 30 seconds.
- Authorized Status: Displays the authorized status of 802.1x information.
- Guest VLAN: This shows whether the guest VLAN is Enabled or Disabled on specific ports.
- RADIUS VLAN Assign: If this is Enabled, the client will get the VLAN from the RADIUS server.
Authenticated Host
Some of the fields in the Authenticated Host section are Port, Authenticated Method, and MAC Address.
- User Name: Displays the client’s username via 802.1x RADIUS server authentication.
- Port: Displays the client’s authenticated port number.
- Session Time: Displays the client’s 802.1x session time.
- Authenticate Method: Displays the client’s authenticated method.
- MAC Address: Displays the client’s MAC address.
- Dynamic VLAN Cause: Displays the client’s VLAN information.
- Dynamic VLAN ID: Displays the client’s VLAN ID (if the RADIUS server assigns it).
Statistics
Displays 802.1x related packet counters and source MAC address of the last received 802.1x on each port. Click the Clear button located at the bottom to clear 802.1x packet counters on specific ports.
Radius Server
RADIUS servers are used for centralized administration. It is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect and use a network service for greater convenience. RADIUS is a server protocol that runs in the application layer, using UDP as transport. A network switch with port-based authentication has a RADIUS client component that communicates with the RADIUS server. Clients connected to a port on the switch must be authenticated by the authentication server before accessing services offered by the switch on the LAN. Use a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN (EAPoL) packets between the client and server. The RADIUS server maintains a user database, which contains authentication information. The switch passes information to the configured RADIUS server which can authenticate a username and password before authorizing the use of the network.
- Index: Displays the index for the RADIUS server.
- Server IP: Enter the RADIUS server IP address into this field.
- Authorized Port: Enter the authorized port number into this field. The default port is 1812.
- Key String: Enter the key string used for encrypting all RADIUS communication between the device and the RADIUS server.
- Timeout Reply: Enter the time a device waits for an answer from the RADIUS server before switching to the next server. The default value is 3.
- Retry: Enter the number of transmitted requests sent. The default value is 3.
Click the Apply button to accept the changes or the Cancel button to discard them.
Access
The switch provides a built-in web interface that you can use to configure and manage the switch via Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) to help prevent security breaches on the network. You can manage your HTTP and HTTPS settings for each switch further by configuring Session Timeout settings for HTTP and HTTPS requests.
Port Security
Network security can be increased by limiting access on a specific port to users with specific MAC addresses. Port Security prevents unauthorized device access to the switch prior to stopping auto-learning processing.
To change the settings, select a Port and then edit your settings using the open fields on the first row and click Apply at the bottom.
- Port: Displays the port number on the switch.
- State: Select Enabled or Disabled port security for the selected port.
- Max MAC Address: Enter the maximum number of MAC addresses that can be learned on the port. The range is from 1 to 256.
The Port Isolation feature provides L2 isolation between ports within the same broadcast domain. When enabled, Isolated ports can forward traffic to Not Isolated ports, but not to other Isolated ports. Not Isolated ports can send traffic to any port; whether Isolated or Not Isolated. The default setting is Not Isolated.
To change the setting, select a Port and then edit your settings using the open fields on the first row and click Apply at the bottom.
DoS
Denial of Service (DoS) is used for classifying and blocking specific types of DoS attacks. From here, you can configure the switch to monitor and block different types of attacks.
By default DoS is disabled. Click the drop-down to enable it and click on Apply.