Des 3800 howto-en_guest-vlan_20060623

Slide 1: Configuration Examples: Guest VLAN
Technical Support Department, D-Link Corp., June 2006
Slide 2: What is the 802.1x Guest VLAN

  1. Guest VLAN members can communicate with each other even if they have not passed 802.1x authentication.
  2. A guest VLAN member is moved to the target VLAN, selected by the RADIUS VLAN attributes, after it passes 802.1x authentication. The guest VLAN only supports port-based 802.1x, not MAC-based 802.1x: the whole port changes VLAN, so every device behind that port (for example on a hub) moves with the one that authenticated.

  (Slide diagram: Client 1, Client 2, Client 3, an FTP server and a RADIUS server attached to a switch; stages 1. 802.1x, 2. 802.1x + guest VLAN, 3. after authentication the port is assigned to the designated VLAN.)
Slide 3: Why 802.1x Guest VLAN

The 802.1x guest VLAN provides limited services to clients before they pass 802.1x authentication. For example, it can be used to download the 802.1x client software for users who have not installed it yet. In the diagram, before a client is 802.1x authenticated its PC can still reach the public Web/FTP server in the guest VLAN to obtain the necessary information. After the client is 802.1x authenticated, the port it is connected to is assigned a new VLAN membership and can use the network services in the target VLAN (the diagram assigns authenticated ports to VLAN v10). Everything placed in the guest VLAN is reachable by unauthenticated hosts, so the servers there must be treated as exposed to untrusted clients.

  (Slide diagram: Client PC1, Client PC2 and Client PC3 on 802.1x-enabled ports in the guest VLAN; Web/FTP Server 1 in the guest VLAN; Web/FTP Server 2 and the RADIUS server in VLAN v10, which a client must be 802.1x authenticated to reach. Ports labelled in the diagram: 1, 8, 12, 21. Before authentication: guest VLAN. After authentication: VLAN 10.)
Slide 4: 802.1x Guest VLAN Example

  1. Two VLANs: v10 and v20
     v10 static members: ports 1-24
     v20 static members: ports 25-28
  2. Guest VLAN VID = 10
  3. Ports 1-12 are guest VLAN enabled ports
  4. Add an IP interface on both VLANs: v10 = 11.10.10.1/8, v20 = 10.10.10.1/8

  Topology (from the slide diagram):
    Client PC1        11.10.10.11/8   port 1, guest VLAN enabled port, guest VLAN v10
    Client PC2        11.10.10.12/8   port 4, guest VLAN enabled port, guest VLAN v10
    Web/FTP Server 1  10.10.10.100/8  port 19, guest VLAN v10
    RADIUS server     10.10.10.101/8  port 25, VLAN v20
    Web/FTP Server 2  10.10.10.200/8  port 26, VLAN v20; a client must be 802.1x authenticated to access this server
Slide 5: 802.1x Guest VLAN Setup Example

1. DES-3828 configuration

    ## Create VLANs v10 & v20 ##
    config vlan default delete 1-28
    create vlan v20 tag 20
    config vlan v20 add untagged 25-28
    config ipif System ipaddress 10.10.10.1/8 vlan v20
    create vlan v10 tag 10
    config vlan v10 add untagged 1-24
    config ipif p10 ipaddress 11.10.10.1/8 vlan v10
    ## enable 802.1x & guest vlan ##
    enable 802.1x
    config 802.1x guest_vlan v10
    config 802.1x guest_vlan ports 1-12 state enable
    ## set authenticator ##
    config 802.1x capability ports 1-12 authenticator
    config radius add 1 10.10.10.101 key 123456 default

   As annotated on the slide, the steps are: create the two VLANs v10 and v20; enable 802.1x and the guest VLAN; set ports 1 to 12 to be authenticators; set the RADIUS server. Two practical notes: the slide configures the IP interface p10 without first creating it, and on the DES-3800 CLI a non-System interface has to be created before it can be configured (create ipif p10 11.10.10.1/8 v10); and the RADIUS key 123456 is a lab value only. The shared secret is the only thing that authenticates the switch-to-RADIUS exchange, so use a long random secret in production.

2. Client PC configuration: run the D-Link 802.1x client software.

3. RADIUS server configuration: create the username and password, then configure the following RADIUS attributes for the user:
    Tunnel-Type (64) = VLAN
    Tunnel-Medium-Type (65) = 802
    Tunnel-Private-Group-ID (81) = 20 (the target VID)
Slide 6: About the Windows 2003 RADIUS Server (IAS) Setting

Configure the following RADIUS attributes for the user:
    Tunnel-Type (64) = VLAN
    Tunnel-Medium-Type (65) = 802
    Tunnel-Private-Group-ID (81) = 20 (the VID)
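The three attributes above are the RFC 3580 VLAN assignment carried in the RADIUS Access-Accept. The following script is an added example, not D-Link or Microsoft code: it encodes the attributes exactly as a RADIUS server would (RFC 2868 tagged integer and tagged string format), builds the Access-Accept with its Response Authenticator, and shows the switch-side logic of verifying the packet against the shared secret and extracting the VID, refusing to move the port when the assignment is incomplete or out of range. The secret, packet identifier and request authenticator are constructed values.

```python
"""RFC 3580 VLAN assignment in a RADIUS Access-Accept: server-side encoding and
switch-side verification/decoding.  Added example; constructed values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64               # RFC 2868 tagged integer; 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 tagged integer; 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 tagged string; the VID as text, e.g. "20"
TUNNEL_TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6


def tagged_integer(attr_type, value, tag=0):
    """Tagged integer AVP: type, length 6, one tag octet, 3-octet value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=0):
    """Tagged string AVP: type, length, one tag octet, then the string."""
    body = bytes([tag]) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_assignment(vid, tag=0):
    """The three attributes the deck tells the RADIUS admin to configure."""
    return (tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vid), tag))


def access_accept(identifier, request_authenticator, secret, attributes):
    """RFC 2865 Access-Accept.  Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_access_accept(packet, request_authenticator, secret):
    """Switch-side check that the Accept came from a server holding the shared secret."""
    header, response_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def split_tag(value):
    """RFC 2868: a leading octet <= 0x1F is a tag; otherwise the whole value is data
    (servers that send the VID string without a tag octet are still decoded)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vid(attributes):
    """VID the switch should move the port to, or None when the assignment is
    incomplete, inconsistent or out of range (the port then stays where it is)."""
    groups = {}
    for attr_type, value in attributes:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    for _tag, group in sorted(groups.items()):
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802.to_bytes(3, "big")):
            text = group.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
            if text.isdigit() and 1 <= int(text) <= 4094:
                return int(text)
    return None


if __name__ == "__main__":
    secret = b"123456"                 # the deck's lab secret; use a long random one in production
    request_auth = bytes(range(16))    # constructed; a real one is random per Access-Request
    packet = access_accept(7, request_auth, secret, vlan_assignment(20))
    print(verify_access_accept(packet, request_auth, secret),
          assigned_vid(parse_attributes(packet[20:])))
```

The important behaviour is the rejection path: if Tunnel-Type or Tunnel-Medium-Type is missing, or the group ID is not a valid VID, assigned_vid returns None and the port is left in the guest VLAN rather than moved somewhere unexpected.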
Slide 7: 802.1x Guest VLAN Setup Example, before DES-3828 port 1 passes 802.1x authentication

In this stage, DES-3828 ports 1-24 can communicate with each other, including the Web/FTP server at port 19 of the guest VLAN, but cannot reach the FTP/Web server at port 26 of VLAN 20.

Command: show vlan

    VID             : 1          VLAN Name       : default
    VLAN TYPE       : static     Advertisement   : Enabled
    Member ports    :
    Static ports    :
    Current Untagged ports :
    Static Untagged ports  :
    Forbidden ports :

    VID             : 10         VLAN Name       : v10
    VLAN TYPE       : static     Advertisement   : Disabled
    Member ports    : 1-24
    Static ports    : 1-24
    Current Untagged ports : 1-24
    Static Untagged ports  : 1-24
    Forbidden ports :

    VID             : 20         VLAN Name       : v20
    VLAN TYPE       : static     Advertisement   : Disabled
    Member ports    : 25-28
    Static ports    : 25-28
    Current Untagged ports : 25-28
    Static Untagged ports  : 25-28
    Forbidden ports :

Command: show 802.1x auth_state

    Port   Auth PAE State   Backend State   Port Status
    ------ ---------------  --------------  ------------
    1      Connecting       Idle            Unauthorized
    2      Disconnected     Idle            Unauthorized
    3      Disconnected     Idle            Unauthorized
    4      Connecting       Idle            Unauthorized
    5      Disconnected     Idle            Unauthorized
    6      Disconnected     Idle            Unauthorized
    7      Disconnected     Idle            Unauthorized
    8      Disconnected     Idle            Unauthorized
    9      Disconnected     Idle            Unauthorized
    10     Disconnected     Idle            Unauthorized
    11     Disconnected     Idle            Unauthorized
    12     Disconnected     Idle            Unauthorized
    13     ForceAuth        Success         Authorized
    14     ForceAuth        Success         Authorized
    15     ForceAuth        Success         Authorized
    16     ForceAuth        Success         Authorized
    17     ForceAuth        Success         Authorized
    18     ForceAuth        Success         Authorized
    19     ForceAuth        Success         Authorized
    20     ForceAuth        Success         Authorized

(The slide's output ends at port 20.) Ports 1 and 4, where PC1 and PC2 are connected, are in the Connecting state and Unauthorized, so they stay in the guest VLAN. Ports 13-20 show ForceAuth/Authorized because only ports 1-12 were configured as authenticators: those ports forward without any 802.1x exchange, which is the expected state for the server ports but would defeat the guest VLAN if it ever appeared on one of ports 1-12.
Slide 8: 802.1x Guest VLAN Setup Example, after DES-3828 port 1 passes 802.1x authentication

Command: show vlan

    VID             : 1          VLAN Name       : default
    VLAN TYPE       : static     Advertisement   : Enabled
    Member ports    :
    Static ports    :
    Current Untagged ports :
    Static Untagged ports  :
    Forbidden ports :

    VID             : 10         VLAN Name       : v10
    VLAN TYPE       : static     Advertisement   : Disabled
    Member ports    : 2-24
    Static ports    : 2-24
    Current Untagged ports : 2-24
    Static Untagged ports  : 2-24
    Forbidden ports :

    VID             : 20         VLAN Name       : v20
    VLAN TYPE       : static     Advertisement   : Disabled
    Member ports    : 1, 25-28
    Static ports    : 1, 25-28
    Current Untagged ports : 1, 25-28
    Static Untagged ports  : 1, 25-28
    Forbidden ports :

The PC on port 1 can now access FTP/Web Server 2 in VLAN 20, since port 1 has become a member of VLAN 20 (and has left v10).

Command: show 802.1x auth_state

    Port   Auth PAE State   Backend State   Port Status
    ------ ---------------  --------------  ------------
    1      Authenticated    Idle            Authorized
    2      Disconnected     Idle            Unauthorized
    3      Disconnected     Idle            Unauthorized
    4      Connecting       Idle            Unauthorized
    5      Disconnected     Idle            Unauthorized
    6      Disconnected     Idle            Unauthorized
    7      Disconnected     Idle            Unauthorized
    8      Disconnected     Idle            Unauthorized
    9      Disconnected     Idle            Unauthorized
    10     Disconnected     Idle            Unauthorized
    11     Disconnected     Idle            Unauthorized
    12     Disconnected     Idle            Unauthorized
    13     ForceAuth        Success         Authorized
    14     ForceAuth        Success         Authorized
    15     ForceAuth        Success         Authorized
    16     ForceAuth        Success         Authorized
    17     ForceAuth        Success         Authorized
    18     ForceAuth        Success         Authorized
    19     ForceAuth        Success         Authorized
    20     ForceAuth        Success         Authorized

Port 1 passed authentication, so it was assigned to v20 because the RADIUS reply for the user carried the VLAN attributes with VID = 20.
Slide 9: 802.1x Guest VLAN Test Result

  1. Before PC1 passes 802.1x authentication, PC1 can still ping and access PC2 and FTP/Web Server 1 in the guest VLAN.
  2. After PC1 is 802.1x authenticated, PC1 can access FTP/Web Server 2 because PC1 has been moved from the guest VLAN (VID 10) to VLAN 20. PC1 can no longer reach PC2 or FTP/Web Server 1.
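The two show commands on slides 7 and 8 are what an operator would check to confirm the test result. The following script is an added example, not part of the D-Link deck: it parses show vlan and show 802.1x auth_state output into port sets and per-port 802.1x state, then audits the guest VLAN ports for the states that would undermine the design (a guest port forced authorized, an unauthenticated port sitting outside the guest VLAN or already inside the target VLAN, an authenticated port that never left the guest VLAN). The captured output is trimmed from the slides to the lines the parsers use; the failing case at the end is constructed.

```python
"""Audit DES-3800 guest-VLAN state from show vlan / show 802.1x auth_state.
Added example, not D-Link code.  Samples are trimmed from the slides; the
"bad" samples are constructed to show the findings the audit produces."""
import re

GUEST_VID, TARGET_VID = 10, 20
GUEST_PORTS = set(range(1, 13))      # config 802.1x guest_vlan ports 1-12

# Trimmed from slide 7 (before port 1 authenticates).
SHOW_VLAN_BEFORE = """
VID             : 1          VLAN Name       : default
Member ports    :
VID             : 10         VLAN Name       : v10
Member ports    : 1-24
VID             : 20         VLAN Name       : v20
Member ports    : 25-28
"""
AUTH_BEFORE = """
Port   Auth PAE State   Backend State   Port Status
------ ---------------  --------------  ------------
1      Connecting       Idle            Unauthorized
2      Disconnected     Idle            Unauthorized
4      Connecting       Idle            Unauthorized
13     ForceAuth        Success         Authorized
"""
# Trimmed from slide 8 (after port 1 authenticates and moves to v20).
SHOW_VLAN_AFTER = """
VID             : 10         VLAN Name       : v10
Member ports    : 2-24
VID             : 20         VLAN Name       : v20
Member ports    : 1, 25-28
"""
AUTH_AFTER = """
1      Authenticated    Idle            Authorized
2      Disconnected     Idle            Unauthorized
4      Connecting       Idle            Unauthorized
13     ForceAuth        Success         Authorized
"""
# Constructed failure case: port 2 force-authorized, port 4 in v20 without authenticating.
SHOW_VLAN_BAD = """
VID             : 10         VLAN Name       : v10
Member ports    : 2-3, 5-24
VID             : 20         VLAN Name       : v20
Member ports    : 1, 4, 25-28
"""
AUTH_BAD = """
1      Authenticated    Idle            Authorized
2      ForceAuth        Success         Authorized
4      Connecting       Idle            Unauthorized
"""


def parse_port_list(text):
    """'1, 25-28' -> {1, 25, 26, 27, 28}; an empty list -> empty set."""
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def parse_show_vlan(text):
    """{vid: {'name': str, 'members': set(ports)}} from show vlan output."""
    vlans, current = {}, None
    for line in text.splitlines():
        head = re.search(r"VID\s*:\s*(\d+)\s+VLAN Name\s*:\s*(\S+)", line)
        if head:
            current = {"name": head.group(2), "members": set()}
            vlans[int(head.group(1))] = current
            continue
        members = re.match(r"\s*Member ports\s*:\s*(.*)$", line)
        if members and current is not None:
            current["members"] = parse_port_list(members.group(1))
    return vlans


def parse_auth_state(text):
    """{port: (pae_state, backend_state, port_status)} from show 802.1x auth_state."""
    state = {}
    for line in text.splitlines():
        row = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if row:
            state[int(row.group(1))] = (row.group(2), row.group(3), row.group(4))
    return state


def audit(vlans, auth, guest_vid=GUEST_VID, target_vid=TARGET_VID, guest_ports=GUEST_PORTS):
    """Findings for guest ports whose VLAN membership contradicts their 802.1x state."""
    findings = []
    guest = vlans.get(guest_vid, {}).get("members", set())
    target = vlans.get(target_vid, {}).get("members", set())
    for port in sorted(guest_ports):
        if port not in auth:
            continue
        pae, _backend, status = auth[port]
        if pae == "ForceAuth":
            findings.append(f"port {port}: ForceAuth on a guest VLAN port bypasses 802.1x")
        elif status == "Unauthorized" and port not in guest:
            findings.append(f"port {port}: unauthorized but not in guest VLAN {guest_vid}")
        elif status == "Unauthorized" and port in target:
            findings.append(f"port {port}: unauthorized but already in target VLAN {target_vid}")
        elif status == "Authorized" and port in guest:
            findings.append(f"port {port}: authorized but still in guest VLAN {guest_vid}")
    return findings


def check(vlan_text, auth_text):
    return audit(parse_show_vlan(vlan_text), parse_auth_state(auth_text))


if __name__ == "__main__":
    for label, v, a in (("before", SHOW_VLAN_BEFORE, AUTH_BEFORE),
                        ("after", SHOW_VLAN_AFTER, AUTH_AFTER),
                        ("bad", SHOW_VLAN_BAD, AUTH_BAD)):
        print(label, check(v, a) or "ok")
```

Both captures from the deck audit clean; the constructed case reports port 2 (ForceAuth on a guest port) and port 4 (unauthenticated but outside the guest VLAN), which is the pair of mistakes most likely to creep in when ports are later reconfigured by hand.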
