SoftWare Package Version V705R002C011B034
BootRom Version 7.5.28
HardWare Version 2.0.2
NACVIEW_SERV - Server IP address
RADIUS_KEY - Radius server communication key
RADIUS_GROUP - Server group name for RADIUS protocol
SW_IP - Switch management IP address
SNMP_SECRET - SNMP v2c password
SNMP_AUTH and SNMP_PRIV - SNMP v3 passwords
SNMP_USER and SNMP_GROUP - the SNMP user and the SNMP group, respectively
CONF_FILE - Configuration file name (.txt or .cfg)
TAC+_KEY - Communication key for the TACACS+ server
VLAN_X - Authorization target VLAN
S5750E-28X-SI#config
S5750E-28X-SI(config)#radius nas-ipv4 SW_IP
S5750E-28X-SI(config)#radius-server authentication host NACVIEW_SERV port 1812 key RADIUS_KEY
S5750E-28X-SI(config)#radius-server accounting host NACVIEW_SERV port 1813 key RADIUS_KEY
S5750E-28X-SI(config)#radius-server attributes vlan enable
S5750E-28X-SI(config)#aaa enable
S5750E-28X-SI(config)#aaa-accounting enable
S5750E-28X-SI(config)#aaa-accounting update enable
S5750E-28X-SI(config)#authentication logging enable
NOTE: If more than one RADIUS server is configured on the switch, you can use the 'primary' parameter to mark one of them as the priority server.
For example: radius-server authentication host NACVIEW_SERV port 1812 key RADIUS_KEY primary
The disconnection password should be the same as the RADIUS password.
S5750E-28X-SI#config
S5750E-28X-SI(config)#dot1x enable
S5750E-28X-SI(config)#dot1x re-authentication
S5750E-28X-SI(config)#dot1x macbased port-down-flush
S5750E-28X-SI(config)#dot1x eapor enable
S5750E-52X-P-SI#config
S5750E-52X-P-SI(config)#interface ethernet 1/0/1
S5750E-52X-P-SI(config-if-ethernet1/0/1)#spanning-tree portfast
S5750E-52X-P-SI(config-if-ethernet1/0/1)#dot1x enable
S5750E-52X-P-SI(config-if-ethernet1/0/1)#dot1x port-control auto
S5750E-52X-P-SI(config-if-ethernet1/0/1)#dot1x port-method portbased
S5750E-52X-P-SI(config-if-ethernet1/0/1)#dot1x portbased mode single-mode
S5750E-52X-P-SI(config-if-ethernet1/0/1)#dot1x port-method macbased
S5750E-52X-P-SI(config-if-ethernet1/0/1)#switchport access VLAN_X
Assigning a dynamic target VLAN is only possible in the portbased mode.
MAC authentication works only for statically set VLAN on the port. If a VLAN is assigned from NACVIEW that does not match those set on the port, no access on the switch will be granted, although in NACVIEW it will appear as a successful authorization. If the 'do not forward VLAN' option is selected on NACVIEW, then the switch will grant access to any VLAN that is set on the port.
S5750E-52X-P-SI(config)#mac-address-learning cpu-control
S5750E-52X-P-SI(config)#mac-authentication-bypass enable
S5750E-52X-P-SI(config)#mac-authentication-bypass re-authentication
S5750E-52X-P-SI(config)#mac-authentication-bypass re-authperiod 300
S5750E-52X-P-SI(config)#authentication logging enable
S5750E-52X-P-SI(config-if-ethernet1/0/1)#switchport access VLAN_X
S5750E-52X-P-SI(config-if-ethernet1/0/1)#mac-authentication-bypass enable
S5750E-28X-SI#config
S5750E-28X-SI(config)#interface ethernet 1/0/1
S5750E-28X-SI(config-if-ethernet1/0/1)#spanning-tree portfast
S5750E-28X-SI(config-if-ethernet1/0/1)#switchport mode hybrid
S5750E-28X-SI(config-if-ethernet1/0/1)#switchport hybrid native vlan 1
S5750E-28X-SI(config-if-ethernet1/0/1)#switchport hybrid allowed vlan 1;VLAN_X;VLAN_Y untag
S5750E-28X-SI(config-if-ethernet1/0/1)#dot1x enable
S5750E-28X-SI(config-if-ethernet1/0/1)#dot1x port-control auto
S5750E-28X-SI(config-if-ethernet1/0/1)#dot1x port-method macbased
S5750E-28X-SI(config-if-ethernet1/0/1)#dot1x max-user macbased 5
S5750E-28X-SI(config-if-ethernet1/0/1)#mac-authentication-bypass enable
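The two VLAN notes above (dynamic VLAN only in portbased mode; MAC authentication only for VLANs statically set on the port) can be checked against a saved configuration before rollout, so that a port NACVIEW reports as authorized is not silently left without access. This is an added example, not part of the NACVIEW or DCN documentation; the stanza layout of the sample config, the `policy` mapping and all function names are assumptions for illustration.

```python
import re

# Constructed sample built from the commands in this guide; the exact layout
# of a saved running-config on the switch is an assumption.
SAMPLE_CONFIG = """\
Interface Ethernet1/0/1
 switchport access vlan 10
 dot1x port-method portbased
!
Interface Ethernet1/0/2
 switchport hybrid native vlan 1
 switchport hybrid allowed vlan 1;10;20 untag
 dot1x port-method macbased
 mac-authentication-bypass enable
!
"""

def parse_ports(config):
    """Return {port: {"vlans": set of static VLANs, "method": str, "mab": bool}}."""
    ports, cur = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface ethernet\s*(\S+)", line, re.I)
        if m:
            cur = ports.setdefault(m.group(1), {"vlans": set(), "method": None, "mab": False})
        elif line == "!":
            cur = None
        elif cur is None:
            continue
        elif (m := re.match(r"switchport access (?:vlan )?(\d+)", line)):
            cur["vlans"].add(int(m.group(1)))
        elif (m := re.match(r"switchport hybrid (?:native|allowed) vlan (\S+)", line)):
            cur["vlans"].update(int(v) for v in m.group(1).split(";"))
        elif (m := re.match(r"dot1x port-method (\w+)", line)):
            cur["method"] = m.group(1)
        elif line == "mac-authentication-bypass enable":
            cur["mab"] = True
    return ports

def grants_access(port, assigned_vlan):
    """Apply the guide's rule; assigned_vlan=None models 'do not forward VLAN'."""
    if port["method"] == "portbased" and not port["mab"]:
        return True  # dynamic target VLAN can be applied in portbased mode
    # macbased / MAB: the VLAN must already be set on the port (MAB treated the same: assumption)
    return assigned_vlan is None or assigned_vlan in port["vlans"]

def mismatches(config, policy):
    """policy: {port: VLAN NACVIEW would return}. Ports that would get no access."""
    ports = parse_ports(config)
    return sorted(p for p, v in policy.items() if p in ports and not grants_access(ports[p], v))
```

Calling `mismatches(SAMPLE_CONFIG, {"1/0/1": 30, "1/0/2": 30})` reports port 1/0/2, because VLAN 30 is not among the VLANs set on that macbased port.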
S5750E-52X-P-SI(config)#tacacs-server authentication host NACVIEW_SERV key 0 TAC+_KEY primary
S5750E-52X-P-SI(config)#tacacs-server nas-ipv4 SW_IP
S5750E-52X-P-SI(config)#authentication line vty login tacacs local
S5750E-52X-P-SI(config)#authentication enable tacacs
S5750E-52X-P-SI(config)#authorization line vty exec tacacs
S5750E-52X-P-SI(config)#authorization line vty command 1 tacacs
S5750E-52X-P-SI(config)#authorization line vty command 7 tacacs
S5750E-52X-P-SI(config)#authorization line vty command 15 tacacs
S5750E-52X-P-SI(config)#accounting line vty command 1 start-stop tacacs
S5750E-52X-P-SI(config)#accounting line vty command 7 start-stop tacacs
S5750E-52X-P-SI(config)#accounting line vty command 15 start-stop tacacs
S5750E-52X-P-SI(config)#accounting line vty exec start-stop tacacs
DCN S5750E does not support command authorization (permit and deny settings in the NACVIEW system will not be taken into account).
S5750E-52X-P-SI(config)#snmp-server enable
S5750E-52X-P-SI(config)#snmp-server host NACVIEW_SERV v3 authpriv SNMP_USER
S5750E-52X-P-SI(config)#snmp-server securityip NACVIEW_SERV
S5750E-52X-P-SI(config)#snmp-server user SNMP_USER SNMP_GROUP authPriv des SNMP_PRIV auth sha SNMP_AUTH
S5750E-52X-P-SI(config)#snmp-server group SNMP_GROUP authpriv read default write default notify default
S5750E-52X-P-SI(config)#snmp-server view default 1. include
S5750E-52X-P-SI(config)#snmp-server enable
S5750E-52X-P-SI(config)#snmp-server securityip NV_IP
S5750E-52X-P-SI(config)#snmp-server community ro 0 SNMP_SECRET
S5750E-52X-P-SI(config)#info-center enable
S5750E-52X-P-SI(config)#info-center loghost 1 config NACVIEW_SERV facility local0
S5750E-52X-P-SI(config)#info-center loghost 1 output-enable
S5750E-52X-P-SI(config)#info-center loghost 1 match level debugging
S5750E-52X-P-SI(config)#info-center loghost 2 match level warnings
S5750E-52X-P-SI(config)#info-center loghost 2 config NACVIEW_SERV facility local0
S5750E-52X-P-SI(config)#info-center loghost 2 output-enable
S5750E-52X-P-SI#copy running-config tftp://NACVIEW_SERV/CONF_FILE
- copying the current configuration to the TFTP server
S5750E-52X-P-SI#show running-config full
- viewing the whole current configuration
S5750E-52X-P-SI(config-if-ethernet1/0/1)#show running-config current-mode
- viewing the configuration of the current mode (here: ethernet 1/0/1 interface)
S5750E-52X-P-SI(config)#show running-config interface ethernet 1/0/1
- viewing interface configuration
S5750E-52X-P-SI#show dot1x interface ethernet 1/0/1
- viewing interface dot1x configuration
S5750E-52X-P-SI#show dot1x user
- viewing users authorized by dot1x
S5750E-52X-P-SI#show mac-authentication-bypass
- viewing MAB authentication
S5750E-52X-P-SI#terminal monitor
- displaying debug messages in the console
S5750E-52X-P-SI#terminal length 0
- disabling output paging in the console