Cisco switch
Páginas: 21 (5014 palabras)
Publicado: 29 de marzo de 2011
Smart Tips
Authenticated and Time-Based Network Access with 802.1x
802.1x is an IEEE standard for controlling access to a network on a per-port basis. Cisco Small Business 300 Series switches support 802.1x to provide better network security. In an 802.1x-enabled network, a user device such as a laptop or an IP phone requests port access to its directly connected switch. The switch gets theuser ID and password of the user (or device) and forwards them to a RADIUS server for authentication. The switch allows access to the port only if the user authentication is successful. Such authenticated access to a LAN improves network security.
802.1x-Enabled Network Design
The main components of a network with 802.1x-based authentication, as shown in Figure 1, are as follows: • • •Laptop/IP phones (or other similar end-user devices that can request 802.1x-based access to a network) A switch that authenticates the user using a RADIUS server, and allows network access only when authentication is successful A RADIUS server to authenticate the user
Featured Products
This Smart Tip describes using 802.1x based authentication on a Cisco Small Business 300 Series Managed Switch (modelSF300-48P) with various Power over Ethernet (PoE) and non-PoE switch ports. For details about other Cisco 300 Series Managed Switches, visit: http://www.cisco.com/go/300switches. Figure 1 Authenticated Network Access using 802.1x
When 802.1x authentication is enabled in a LAN, it is typical to enable it on all switch ports that are intended to be connected to end-user devices or other devicesrequiring such authenticated port access.
IP
VLAN 10 (DATA VLAN) VLAN 100 (Voice VLAN)
Uplink to Router or Aggregation switch
10.11.4.30 Radius Server (Stores/accesses user credentials, Authenticates users)
VLAN 1 (not 802.1x enabled) E1 G3
802.1q Trunk (VLAN 1 - untagged VLAN 10 - tagged VLAN 100 - tagged)
Cisco SF 300-48P Switch
Fast Ethernet Ports E2 through E48, connectedto user devices (802.1x enabled)
213475
Management VLAN – VLAN 1, Switch IP address: 192.168.1.250
Authenticated and Time-Based Network Access with 802.1x
Page 1
Smart Tips for Small Businesses
Authentication
management VLAN to reach the RADIUS server. If the RADIUS server is on a different VLAN (as assumed in Figure 1), the WAN router typically performs the necessary inter-VLANrouting. The WAN router terminates the management VLAN. If the factory-default management VLAN (VLAN 1) is used, the LAN switches must be configured to forward the untagged VLAN 1 along with other VLANs, if any, through their trunk ports to the WAN router.
Authentication
To authenticate a user, the RADIUS server accesses a user database that contains information such as user ID, password, andother optional information that it provides the switch on successful authentication. The database can be integrated into the RADIUS server, or be an external one such as an Active Directory.
Which Ports to Authenticate?
802.1x-based authentication is primarily intended for end-user devices such as laptops or IP phones that are untrusted devices from a security standpoint. Therefore, 802.1x isnot configured on ports connected to network devices such as routers, switches, or servers, or any such trusted devices. It is configured on ports intended for connecting user devices on an access switch, and also on an aggregation switch if user devices can be directly connected to it.
Authenticating IP Phones
IP phones can be 802.1x authenticated as well as PCs and laptops. Cisco IP phonesare 802.1x enabled. For details on enabling 802.1x authentication on the IP phone and to create an appropriate user ID for the IP phone in the RADIUS server, see the administrator guide for the specific IP phone.
Port Authentication Policy
The Cisco Small Business 300 Series switch port can be configured with one of the following three policies that determine how 802.1x-based authentication...
Authenticated and Time-Based Network Access with 802.1x
802.1x is an IEEE standard for controlling access to a network on a per-port basis. Cisco Small Business 300 Series switches support 802.1x to provide better network security. In an 802.1x-enabled network, a user device such as a laptop or an IP phone requests port access to its directly connected switch. The switch gets theuser ID and password of the user (or device) and forwards them to a RADIUS server for authentication. The switch allows access to the port only if the user authentication is successful. Such authenticated access to a LAN improves network security.
802.1x-Enabled Network Design
The main components of a network with 802.1x-based authentication, as shown in Figure 1, are as follows: • • •Laptop/IP phones (or other similar end-user devices that can request 802.1x-based access to a network) A switch that authenticates the user using a RADIUS server, and allows network access only when authentication is successful A RADIUS server to authenticate the user
Featured Products
This Smart Tip describes using 802.1x based authentication on a Cisco Small Business 300 Series Managed Switch (modelSF300-48P) with various Power over Ethernet (PoE) and non-PoE switch ports. For details about other Cisco 300 Series Managed Switches, visit: http://www.cisco.com/go/300switches. Figure 1 Authenticated Network Access using 802.1x
When 802.1x authentication is enabled in a LAN, it is typical to enable it on all switch ports that are intended to be connected to end-user devices or other devicesrequiring such authenticated port access.
IP
VLAN 10 (DATA VLAN) VLAN 100 (Voice VLAN)
Uplink to Router or Aggregation switch
10.11.4.30 Radius Server (Stores/accesses user credentials, Authenticates users)
VLAN 1 (not 802.1x enabled) E1 G3
802.1q Trunk (VLAN 1 - untagged VLAN 10 - tagged VLAN 100 - tagged)
Cisco SF 300-48P Switch
Fast Ethernet Ports E2 through E48, connectedto user devices (802.1x enabled)
213475
Management VLAN – VLAN 1, Switch IP address: 192.168.1.250
Authenticated and Time-Based Network Access with 802.1x
Page 1
Smart Tips for Small Businesses
Authentication
management VLAN to reach the RADIUS server. If the RADIUS server is on a different VLAN (as assumed in Figure 1), the WAN router typically performs the necessary inter-VLANrouting. The WAN router terminates the management VLAN. If the factory-default management VLAN (VLAN 1) is used, the LAN switches must be configured to forward the untagged VLAN 1 along with other VLANs, if any, through their trunk ports to the WAN router.
Authentication
To authenticate a user, the RADIUS server accesses a user database that contains information such as user ID, password, andother optional information that it provides the switch on successful authentication. The database can be integrated into the RADIUS server, or be an external one such as an Active Directory.
Which Ports to Authenticate?
802.1x-based authentication is primarily intended for end-user devices such as laptops or IP phones that are untrusted devices from a security standpoint. Therefore, 802.1x isnot configured on ports connected to network devices such as routers, switches, or servers, or any such trusted devices. It is configured on ports intended for connecting user devices on an access switch, and also on an aggregation switch if user devices can be directly connected to it.
Authenticating IP Phones
IP phones can be 802.1x authenticated as well as PCs and laptops. Cisco IP phonesare 802.1x enabled. For details on enabling 802.1x authentication on the IP phone and to create an appropriate user ID for the IP phone in the RADIUS server, see the administrator guide for the specific IP phone.
Port Authentication Policy
The Cisco Small Business 300 Series switch port can be configured with one of the following three policies that determine how 802.1x-based authentication...
Leer documento completo
Regístrate para leer el documento completo.