Access Lists; Concept - ABB EDS500 Series Function Manual

Ethernet & DSL switches
Access Lists

A RADIUS server must be present in the device configuration, and this server must be reachable over the network, for 802.1X to function.
The method of access control negotiation must be synchronized between Supplicant and Authentication Server (RADIUS).
The setting <set dot1x reauthentication port-down [no] allow> configures whether a port may renegotiate the access following a loss of link.

MAC-Authentication-Bypass (MAB)

If 802.1X is to be used but a Supplicant does not support it, access control can fall back to MAC-Authentication-Bypass (MAB). This mechanism performs the authentication using the MAC address of the Supplicant.
To activate MAB, configure the setting <set dot1x mab { ... } enable> in addition to <set dot1x portcontrol { ... } pae-auto>.
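The attribute formats of Table 37 worked through in code, as an added example that is not ABB's own: it derives the three attribute values for a Supplicant MAC, so a RADIUS user entry can be checked against what the switch will send. It assumes that the "encrypted" password of attribute 2 is the standard RFC 2865 User-Password hiding; the shared secret and Request Authenticator passed in are constructed sample values.

```python
import hashlib
import re


def normalize_mac(mac: str) -> str:
    """Attribute 1 (User-Name) format: 12 lowercase hex digits, no punctuation."""
    digits = re.sub(r"[\s:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def calling_station_id(mac: str) -> str:
    """Attribute 31 (Calling-Station-Id) format: six uppercase hex pairs, hyphen-separated."""
    d = normalize_mac(mac).upper()
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (assumed to be the 'encryption' of
    attribute 2): each 16-byte block of the NUL-padded password is XORed with
    MD5(shared secret + previous ciphertext block); the Request Authenticator seeds block 1."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server applies it; strips NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def mab_request_attributes(mac: str, secret: bytes, authenticator: bytes) -> dict:
    """Attributes 1, 2 and 31 of a MAB Access-Request, in the formats of Table 37."""
    user = normalize_mac(mac)
    return {
        1: user,                                                      # User-Name
        2: hide_user_password(user.encode(), secret, authenticator),  # User-Password
        31: calling_station_id(mac),                                  # Calling-Station-Id
    }
```

The server-side entry for a MAB Supplicant therefore needs the lowercase, unpunctuated MAC as both username and cleartext password; the hyphenated uppercase form only appears in Calling-Station-Id.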
RADIUS Attribute          Format                                                      Example
1 (Username)              12 hexadecimal digits, all lowercase, and no punctuation    30b216002f3a
2 (Password)              The username (encrypted)
31 (Calling-Station-Id)   6 groups of 2 hexadecimal digits, all uppercase, and        30-B2-16-00-2F-3A
                          separated by hyphens
Table 37: Configuration of the RADIUS server for a Supplicant with MAB

Commands related to 802.1X:
<set dot1x [no] enable>
<set dot1x portcontrol {fastethernet0 | fo1 | fo2 | port1 | port2 | port3 | port4} {auth-force | pae-auto | unauth-force}>
<set dot1x mab {port1 | port2 | port3 | port4} [no] enable>
<set dot1x reauthentication port-down [no] allow>
<show dot1x>

ADVICE
The setting <set dot1x reauthentication port-down allow> carries the risk that plugging an Ethernet switch or a similar device in between Supplicant and Authenticator makes unauthorized network access possible. When a hub is used, the 802.1X authentication can be recorded.

2.25 Access Lists

2.25.1 Concept

EDS500 devices offer 16 access lists that classify Ethernet frames. If at least one rule of a list matches an Ethernet frame, the linked action is carried out (forwarding, blocking, or changing the Class-of-Service).
Access lists can be defined either as deny lists (blacklist: everything outside the specified criteria is allowed) or as permit lists (whitelist: only what the list specifies is allowed).
Default configuration: access lists are disabled.

1KGT151021 V000 1
