Configure A Secure School Network Based On 802.1x



Similar documents
This How To Note describes one possible basic VRRP configuration.

AlliedWare TM OS How To. Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks. Introduction. Related How To Notes

Configure WAN Load Balancing

Allow Public and Private Address Access to Servers at a Service Provider Client Site. What information will you find in this document?

Apply Firewall Policies And Rules

What information will you find in this document?

Configure A Secure Network Solution For Schools. What information will you find in this document?

Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs

AlliedWare Plus OS How To. Configure QoS to prioritize SSH, Multicast, and VoIP Traffic. Introduction

Configure the Firewall VoIP Support Service (SIP ALG)

What information will you find in this document?

Configure QoS on x900-24, x900-12, and SwitchBlade x908 Series Switches

AlliedWare TM OS How To. Create a VPN between an Allied Telesis Router and a Microsoft Windows XP 1 Client, Without Using NAT-T.

How To Create A VPN Between An Allied Telesis Router And A Microsoft Windows XP 1 Client, Without Using NAT-T

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

What information will you find in this document?

How To Behind A Dynamically-Assigned Public IP Address

The example in this Note uses Linux for both the access controller (RADIUS server) and the supplicant (client).

configure WAN load balancing

The network configuration for these examples is shown in the following figure. Load Balancer 1. public address

Network Security. Ensuring Information Availability. Security

Allied Telesis provide virtual customer networks

In fact, the three most common reasons for a network slow down are: congestion data corruption collisions

x900 Switch Access Requestor

AlliedWare TM OS How To. Create a VPN between an Allied Telesis Router and a Microsoft Windows 7 Client, with or without NAT-T.

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version Rev.

Case Study Ministry of Agriculture, France

Kushiro City Hospital, Japan, selects Allied Telesis to provide a powerful controlled access network in a medical environment.

Government Hospital. Case Study Gaziantep Avukat Cengiz Gokcek. The Customer

Configure Policy-based Routing

Solutions for LAN Protection

How To Use An At9924 For A Long Distance Connection On A Powerline On A Ppltd Network (Powerline) On A Superfast Network (Networking) On An At 9924 (Powerplt) On The P

VLANs. Application Note

How To Configure Some Basic OSPF Routing Scenarios. Introduction. Technical Guide. List of terms

Configure Allied Telesis and Cisco routers to interoperate over L2TP

Executive Summary. This white paper includes the following sections: A.What Does 802.1x Do? B. An Overview of the 802.1x Standard

Installation of the On Site Server (OSS)

Chapter 25 DHCP Snooping

Create a VPN between an Allied Telesis and a SonicWALL Router, with NAT-T

Network-in-a-Box Solution. Services already integrated in the core switch Ideal concept for branch offices, schools or other small business networks

Solutions Guide. Education Networks

Management Software. User s Guide AT-S88. For the AT-FS750/24POE Fast Ethernet Smart Switch. Version Rev. B

What is VLAN Routing?

AlliedWare Plus OS How To Use Web-authentication

AT-S95 Version AT-8000GS Layer 2 Stackable Gigabit Ethernet Switch Software Release Notes

AT-S63 Version Patch 5 Management Software for the AT-9400 Basic Layer 3 Gigabit Ethernet Switches Software Release Notes

Product VioCall Express Connect. VioCall Express Connect VoIP Solution for SMB/SME Market

Secure Networks for Process Control

Create a VPN between an Allied Telesis and a NetScreen Router

What information you will find in this document

Solutions Guide. High Availability IPv6

Solutions Guide. Ethernet-based Network Virtualization for the Enterprise

Tested Solution: Protecting your network with Symantec Network Access Control (NAC) and Allied Telesis Switches

Solution Network Virtualization. Allied Telesis - delivering value with Network Virtualization

VCStack - Powerful Simplicity. Network Virtualization for Today's Business

AlliedWare TM OS How To. Create a VPN between an Allied Telesis Router and a Microsoft Windows XP 1 Client, over NAT-T.

Network Security Solutions Implementing Network Access Control (NAC)

How To Configure some basic firewall and VPN scenarios

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Starting a Management Session

Load Balancing ContentKeeper With RadWare

UTM10 in multi-ssid, multi-vlan network with WMS5316. Network diagram

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Solutions Guide. Secure Remote Access. Allied Telesis provides comprehensive solutions for secure remote access.

FSM73xx GSM73xx GMS72xxR Shared access to the Internet across Multiple routing VLANs using a Prosafe Firewall

Network Access Control (NAC)

AT-S105 Version Management Software Release Notes AT-FS750/24POE and AT-FS750/48 Fast Ethernet WebSmart Switches

Exhibit n.2: The layers of a hierarchical network

Solutions Guide. Resilient Networking with EPSR

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port

IP SAN Best Practices

How to Configure an Initial Installation of the VMware ESXi Hypervisor

Campus Network Best Practices: Core and Edge Networks

Guideline to Windows 2003 Network Load Balancing Clustering with Allied Telesyn Switches. What information will you find in this document?

Chapter 3 LAN Configuration

AlliedWare Plus OS How To Use sflow in a Network

ProSafe Plus Switch Utility

Campus Network Best Practices: Core and Edge Networks

How To Install An At-S100 (Geo) On A Network Card (Geoswitch)

The top 3 network management challenges

AT-S84 Version ( ) Management Software for the AT-9000/24 Gigabit Ethernet Switch Software Release Notes

How to Configure a BYOD Environment with the DWS-4026

CCT vs. CCENT Skill Set Comparison

AT-GS950/8. AT-GS950/8 Web Users Guide AT-S107 [ ] Gigabit Ethernet Smart Switch Rev A

AlliedWare TM OS How To. Use the Allied Telesis GUI Wizard to Create a Site-to-Site VPN through a NAT Gateway Device

Solution Profile. Branch in a Box

AT-S60 Version Management Software for the AT-8400 Series Switch. Software Release Notes

This is a guide to Network Load Balancing (NLB) clustering options with Allied Telesis managed layer 3 devices.

AT-S63 Version Management Software for the AT-9400 Basic Layer 3 Gigabit Ethernet Switches Software Release Notes

Penola Catholic College

vsphere Networking ESXi 5.0 vcenter Server 5.0 EN

AT-S41 Version Management Software for the AT-8326 and AT-8350 Series Fast Ethernet Switches. Software Release Notes

Top-Down Network Design

Transcription:

How To Configure A Secure School Network Based On 802.1x The problem Schools offer a unique set of challenges to network designers. As well as all the usual requirements of modern network users high bandwidth, resiliency, scalability schools demand both stringent security and high flexibility. Firstly, school network users are very mobile. Students and staff typically move between many locations in the course of a day, from classrooms to labs to libraries to dorm rooms. Secondly, restricting physical access to network connection points is very difficult in such a mobile environment. Students, staff, and even members of the public frequently come and go from school buildings, and it is almost impossible to monitor all these people all the time. In spite of this, parts of the network must be kept secure. Staff must have access to certain network resources, particularly server drives, to which students must not have access. Students pose a constant threat to network security. They have the ability, time and often the inclination to probe for every weakness in the network's security set-up. In other words, school networks take the often-discussed security versus flexibility dilemma to an extreme. The solution This How To Note describes a specific example of a highly reproducible school network solution from Allied Telesis. Physically, the solution consists of AT-8624 switches on the edge with gigabit fibre uplinks back to a SwitchBlade in the core. But the real value in the network lies in the features that are implemented on these switches. In particular, the key requirements of simultaneous flexibility and security are provided by the 802.1x authentication process. 802.1x authentication and dynamic VLAN assignment prevent unauthorised access to the network while still giving users appropriate access to network resources, regardless of where they physically connect to the network. 802.1x authentication ensures that users cannot even send packets into the network until they have provided valid authentication credentials. VLAN assignment puts authenticated users into an appropriate VLAN, based on their authentication credentials. Therefore users experience the same network environment no matter where they connect from. Another key part of the solution is hardware filtering on the SwitchBlade. Hardware filters guarantee no leakage of traffic between certain IP subnets, and achieve this with no degradation of data throughput. C613-16089-00 REV B www.alliedtelesis.com

What information will you find in this document? The rest of this How To Note describes the network configuration in the following sections: "Details of the network" on page 3 "Edge Switch Configuration" on page 6 "Core Switch Configuration" on page 9 Which products and software version does it apply to? The core of the network is a SwitchBlade, running Software Version 2.7.5a. Alternatively, you can use an AT-9900 series switch in the core. The edge switches can be any of: AT-8600 series switches (recommended) AT-8700XL series switches Rapier and Rapier i series switches AT-8800 series switches AT-8948 switches AT-9900 series switch x900-48 series switch The edge switches run Software Version 2.7.5 or later. Related How To Notes How To Configure A Secure Network Solution For Schools describes an alternative approach. It uses a firewall to stop students from accessing staff resources. This solution does not offer security for mobile users. How To Use 802.1x EAP-TLS Or PEAP-MS-CHAP v2 With Microsoft Windows Server 2003 To Make A Secure Network describes how to set up Microsoft servers and clients for authentication through an 802.1x-compatible Allied Telesis switch. How to use 802.1x VLAN assignment and How To Configure MAC-based authentication give more information about authentication. How to set up a RADIUS server for user authentication describes RADIUS servers, including server redundancy. How To Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx and may be found in the Resource Center on the Documentation and Tools CD-ROM that is shipped with your switch. Configure A Secure School Network Based On 802.1x 2

Details of the network The VLANs The network consists of 9 VLANs. Some of the VLANs reach right out to the edge of the network, and some are confined just to the core. The VLANs are: secondary-clients (VID=10) and primary-clients (VID=100) The two staff VLANS, one each for the Secondary School staff and Primary School staff. These VLANs reach to the edge of the network, and staff members are placed into one or other of these VLANS, based on their user IDs. secondary-servers (VID=20) The VLAN that contains the Senior School servers. This VLAN has to extend to the uplink of each edge switch, because it includes the RADIUS servers used by 802.1x. primary-servers (VID=120) The VLAN that contains the Junior School servers. This VLAN is constrained just to the core of the network. secondary-printers (VID=30) and primary-printers (VID=130) The two VLANs that contain the printers for the Senior School and Junior School. These VLANs are constrained just to the core of the network. student (VID=50) The VLAN into which 802.1x places students when they connect. This VLAN gives them access to nothing but the students server. It reaches to the edge of the network. firewall (VID=5) The VLAN that contains the firewall, to provide access from the network out to the Internet. untrusted (VID=500) The guest VLAN that s reside in by default (except for the s that are permanently reserved for servers, printers, edge switches, the firewall, and the uplink from an edge switch to the core). When a receives valid authentication credentials, it is taken from this VLAN and put into the VLAN relevant to the person who has just been authenticated on the. The next page shows a diagram of the network. Note that the diagram doesn t show the untrusted VLAN because the only s that are permanently in the untrusted VLAN are s that are not in any other VLAN. One advantage of using a SwitchBlade is its modularity. The wide range of line cards available for SwitchBlades offers many different combinations of s. This means you can buy the s you currently need and easily expand as your network expands. This example uses four 8- line cards. Configure A Secure School Network Based On 802.1x 3

Primary School servers Secondary School servers Secondary School printers RADIUS server 1.6 1.7 1.5 2.1 2.2 2.3 Core SwitchBlade 2.4 3.1 3.3 3.2 Student server 1.2 3.5 Internet 1.1 Firewall 3.6 3.7 Primary School printers Edge switch 4.1 4.6 Edge switch VLAN key Edge switch 4.2 4.3 4.4 4.5 Edge switch secondary-clients (VID=10) secondary-servers (20) secondary-printers (30) Edge switch Edge switch primary-clients (100) primary-servers (120) primary-printers (130) student (50) firewall (5) secure-school-network Configure A Secure School Network Based On 802.1x 4

Communication between the VLANs This example strictly controls whether hosts in different VLANs can communicate with each other. The untrusted VLAN cannot send data, so in effect it cannot communicate with any other VLAN. The table below shows which of the other VLANs can (Y) and cannot (-) communicate with each other. It also shows each VLAN s IP subnet. VLAN details secondary-clients secondary-servers secondary-printers primary-clients primary-servers primary-printers student firewall secondary-clients 192.168.10.0 secondary-servers 192.168.20.0 secondary-printers 192.168.30.0 primary-clients 192.168.100.0 primary-servers 192.168.120.0 primary-printers 192.168.130.0 student 192.168.50.0 firewall 192.168.5.0 Y - - - - - Y Y Y - Y - - - - Y - - - - - - - - Y - - Y - Y - Y Y - - - - - - Y - - - - - - - - Y Y - - Y - - Y To create the above restrictions, this configuration does the following: On the core SwitchBlade, a set of hardware filters block communication between the IP subnets used on different VLANs. On the edge switches, inter-vlan communication does not need to be blocked by filters. This is because 802.1x puts the edge s of those switches into one of only three possible VLANS primary-clients, secondary-clients or student and these VLANs do not have Layer 3 interfaces on the edge switches. There is no possibility of Layer 3 switching between them. However, a different restriction is necessary on the edge switches: there must be no communication at all between different hosts in the student VLAN, to stop students from looking at each other s accounts. This restriction cannot be achieved by configuring the student VLAN as a private VLAN, because standard private VLANs are incompatible with allocating the s by 802.1x. Instead, this configuration uses a clever set of L3 filters to block any traffic in the student VLAN between pairs of edge s, and to force broadcast/multicast packets in the student VLAN up to the network core. Configure A Secure School Network Based On 802.1x 5

Edge Switch Configuration Enter the following configuration on each edge switch. 1. Configure the switch s time Use NTP to get the correct time from a time server. enable ntp add ntp peer=172.16.249.54 Automatically change the time when summertime (daylight saving) starts and ends. This example uses British Summer Time. enable summertime set summertime=bst startmonth=mar startweek=5 starttime=01:00:00 endmonth=oct endweek=5 endtime=01:00:00 The value 5 for startweek and endweek means the last week in the month. 2. Configure the uplink set switch =25 description=uplink set switch =25 acceptable=vlan 3. Create the VLANs Create the 3 VLANs for staff and students. create vlan=secondary-clients vid=10 create vlan=primary-clients vid=100 create vlan=student vid=50 Create the secondary-servers VLAN. This VLAN needs to extend to the uplink of the edge switches because it contains the RADIUS servers that 802.1x uses. create vlan=secondary-servers vid=20 Create the untrusted VLAN. This VLAN is just a placeholder VLAN that edge s are allocated to when no user is connected. create vlan=untrusted vid=500 4. Put s into the VLANs add vlan=500 =1-24 add vlan=20 =25 frame=tagged add vlan=10 =25 frame=tagged add vlan=100 =25 frame=tagged add vlan=50 =25 frame=tagged Configure A Secure School Network Based On 802.1x 6

Remove the uplink from the default VLAN. delete vlan=1 =25 5. Create classifiers to match packets in the student VLAN Create classifiers to match packets in the student VLAN that enter the switch via the edge s. create classifier=1 i=1 vlan=50 create classifier=2 i=2 vlan=50 create classifier=3 i=3 vlan=50 create classifier=4 i=4 vlan=50 create classifier=5 i=5 vlan=50 create classifier=6 i=6 vlan=50 create classifier=7 i=7 vlan=50 create classifier=8 i=8 vlan=50 create classifier=9 i=9 vlan=50 create classifier=10 i=10 vlan=50 create classifier=11 i=11 vlan=50 create classifier=12 i=12 vlan=50 create classifier=13 i=13 vlan=50 create classifier=14 i=14 vlan=50 create classifier=15 i=15 vlan=50 create classifier=16 i=16 vlan=50 create classifier=17 i=17 vlan=50 create classifier=18 i=18 vlan=50 create classifier=19 i=19 vlan=50 create classifier=20 i=20 vlan=50 create classifier=21 i=21 vlan=50 create classifier=22 i=22 vlan=50 create classifier=23 i=23 vlan=50 create classifier=24 i=24 vlan=50 Create a classifier to match all packets in the student VLAN. create classifier=100 vlan=50 Create classifiers to match packets in the student VLAN that enter and leave the switch via the uplink. create classifier=101 i=25 vlan=50 create classifier=102 e=25 vlan=50 Configure A Secure School Network Based On 802.1x 7

6. Create filters to discard or redirect packets in the student VLAN Make a filter to mark all student VLAN packets for discard. add switch hwfilter classifier=100 action=discard Make filters for broadcasts and multicasts that enter the student VLAN via the edge s, and for packets that are destined for the uplink. add switch hwfilter classifier=1-24 action=sendnonunicastto,nodrop,sende =25 The above filters send matching packets to the uplink, instead of discarding them. They achieve this by the following actions: sendnonunicastto sends multicast and broadcast packets to 25. nodrop and sende together stop the switch from discarding packets that are destined for 25 and came from the classifier s (s 1-24 for classifiers 1-24) Make filters to avoid discarding student VLAN packets that enter or leave the switch via the uplink. add switch hwfilter classifier=101 action=nodrop add switch hwfilter classifier=102 action=nodrop 7. Assign an IP address to the secondary-servers VLAN The switch uses this address for RADIUS communication. Note that each edge switch must have a different IP address. enable ip add ip int=vlan20 ip=192.168.20.200 add ip rou=0.0.0.0 mask=0.0.0.0 int=vlan20 next=192.168.20.254 8. Configure authentication enable auth=macbased enable auth=macbased =1-24 This configuration uses MAC-based authentication on the edge switches. This lets you connect legacy PCs that do not sup 802.1x. If all your PCs are 802.1x capable, we recommend you use 802.1x instead, because it is harder to spoof. Note that it is possible to use 802.1x with Windows 2000, but sup is not enabled by default. See the Microsoft article Using 802.1x authentication on client computers that are running Windows 2000. To get step by step instructions for setting up Microsoft clients and servers to use 802.1x authentication, see How To Use 802.1x EAP-TLS Or PEAP-MS-CHAP v2 With Microsoft Windows Server 2003 To Make A Secure Network. This Allied Telesis How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.. Configure A Secure School Network Based On 802.1x 8

Core Switch Configuration Enter the following configuration on the SwitchBlade. 1. Configure the switch s location and time Name the switch after the school. set system name=hogwarts Use NTP to get the correct time from a time server. enable ntp add ntp peer=172.16.249.54 Automatically change the time when summertime (daylight saving) starts and ends. This example uses British Summer Time. enable summertime set summertime=bst startmonth=mar startweek=5 starttime=01:00:00 endmonth=oct endweek=5 endtime=01:00:00 2. Configure the s set switch =4.1 description=gryffindor set switch =4.2 description=hufflepuff set switch =4.3 description=slytherin set switch =4.4 description="ravenclaw (IT Suite)" set switch =4.5 description="ravenclaw (Tower)" set switch =4.6 description=library 3. Create the VLANs create vlan=firewall vid=5 create vlan=secondary-clients vid=10 create vlan=secondary-servers vid=20 create vlan=secondary-printers vid=30 create vlan=primary-clients vid=100 create vlan=primary-servers vid=120 create vlan=primary-printers vid=130 create vlan=student vid=50 create vlan=untrusted vid=500 Configure A Secure School Network Based On 802.1x 9

4. Put s into the VLANs firewall: add vlan=5 =1.1 secondary-clients: add vlan=10 =4.1-4.6 frame=tagged secondary-servers: add vlan=20 =1.5-1.7 add vlan=20 =4.1-4.6 frame=tagged secondary-printers: add vlan=30 =3.1-3.3 primary-clients: add vlan=100 =4.1-4.6 frame=tagged primary-servers: add vlan=120 =2.1-2.4 primary-printers: add vlan=130 =3.5-3.7 student: add vlan=50 =1.2 add vlan=50 =4.1-4.6 frame=tagged untrusted: add vlan=500 =1.3-1.4,1.8,2.5-2.8,3.4,3.8,4.7-4.8 Putting the unused s into the untrusted VLAN increases security. If an unauthorised user gets access to the SwitchBlade and plugs a device into an unused, they get no access to the network. It also means that you can connect authorised users to these s and use 802.1x to assign them to VLANs. Also, remove s 4.1-4.6 from the default VLAN. These s connect to the edge switches and should not be untagged members of any VLAN. delete vlan=1 =4.1-4.6 5. Create classifiers This configuration stops most VLANs from communicating with each other, by discarding packets. To identify packets that need to be discarded, create the following classifiers. The classifiers check IP addresses and match packets between pairs of VLANs that must not communicate. cre class=1 prot=ip ipsa=192.168.120.0/24 ipda=192.168.10.0/24 cre class=2 prot=ip ipsa=192.168.120.0/24 ipda=192.168.30.0/24 cre class=3 prot=ip ipsa=192.168.120.0/24 ipda=192.168.5.0/24 cre class=4 prot=ip ipsa=192.168.120.0/24 ipda=192.168.50.0/24 cre class=5 prot=ip ipsa=192.168.20.0/24 ipda=192.168.130.0/24 Configure A Secure School Network Based On 802.1x 10

cre class=6 prot=ip ipsa=192.168.20.0/24 ipda=192.168.100.0/24 cre class=7 prot=ip ipsa=192.168.20.0/24 ipda=192.168.5.0/24 cre class=8 prot=ip ipsa=192.168.20.0/24 ipda=192.168.50.0/24 cre class=9 prot=ip ipsa=192.168.10.0/24 ipda=192.168.120.0/24 cre class=10 prot=ip ipsa=192.168.10.0/24 ipda=192.168.30.0/24 cre class=11 prot=ip ipsa=192.168.10.0/24 ipda=192.168.100.0/24 cre class=12 prot=ip ipsa=192.168.10.0/24 ipda=192.168.130.0/24 cre class=13 prot=ip ipsa=192.168.10.0/24 ipda=192.168.50.0/24 cre class=14 prot=ip ipsa=192.168.30.0/24 ipda=192.168.120.0/24 cre class=15 prot=ip ipsa=192.168.30.0/24 ipda=192.168.10.0/24 cre class=16 prot=ip ipsa=192.168.30.0/24 ipda=192.168.100.0/24 cre class=17 prot=ip ipsa=192.168.30.0/24 ipda=192.168.130.0/24 cre class=18 prot=ip ipsa=192.168.30.0/24 ipda=192.168.5.0/24 cre class=19 prot=ip ipsa=192.168.30.0/24 ipda=192.168.50.0/24 cre class=20 prot=ip ipsa=192.168.100.0/24 ipda=192.168.10.0/24 cre class=21 prot=ip ipsa=192.168.100.0/24 ipda=192.168.30.0/24 cre class=22 prot=ip ipsa=192.168.100.0/24 ipda=192.168.130.0/24 cre class=23 prot=ip ipsa=192.168.100.0/24 ipda=192.168.20.0/24 cre class=24 prot=ip ipsa=192.168.100.0/24 ipda=192.168.50.0/24 cre class=25 prot=ip ipsa=192.168.130.0/24 ipda=192.168.20.0/24 cre class=26 prot=ip ipsa=192.168.130.0/24 ipda=192.168.10.0/24 cre class=27 prot=ip ipsa=192.168.130.0/24 ipda=192.168.30.0/24 cre class=28 prot=ip ipsa=192.168.130.0/24 ipda=192.168.100.0/24 cre class=29 prot=ip ipsa=192.168.130.0/24 ipda=192.168.5.0/24 cre class=30 prot=ip ipsa=192.168.130.0/24 ipda=192.168.50.0/24 cre class=31 prot=ip ipsa=192.168.50.0/24 ipda=192.168.20.0/24 cre class=32 prot=ip ipsa=192.168.50.0/24 ipda=192.168.120.0/24 cre class=33 prot=ip ipsa=192.168.50.0/24 ipda=192.168.30.0/24 cre class=34 prot=ip ipsa=192.168.50.0/24 ipda=192.168.10.0/24 cre class=35 prot=ip ipsa=192.168.50.0/24 ipda=192.168.100.0/24 cre class=36 prot=ip ipsa=192.168.50.0/24 ipda=192.168.130.0/24 Also create classifiers to match other traffic that must be forwarded. For example, this classifier matches DHCP packets: create classifier=100 udpd=67 Configure A Secure School Network Based On 802.1x 11

6. Assign IP addresses to the VLANs enable ip add ip int=vlan5 ip=192.168.5.254 add ip int=vlan10 ip=192.168.10.254 add ip int=vlan20 ip=192.168.20.254 add ip int=vlan30 ip=192.168.30.254 add ip int=vlan100 ip=192.168.100.254 add ip int=vlan120 ip=192.168.120.254 add ip int=vlan130 ip=192.168.130.254 add ip int=vlan50 ip=192.168.50.254 add ip route=0.0.0.0 mask=0.0.0.0 int=vlan5 next=192.168.5.1 7. Create a hardware filter Add a filter entry to forward DHCP packets. add switch hwfilter=1 classifier=100 action=forward d=all Add filter entries to discard packets between pairs of VLANs that must not communicate. add switch hwfilter=1 classifier=1-36 action=discard d=all Notes: 1. This solution applies hardware filters to all s on the SwitchBlade and may need to be modified for networks that use a large number of s. If this applies to you, please contact your Allied Telesis representative for more information. 2. If you use an AT-9900 series switch instead of the SwitchBlade, make a hardware filter for each classifier. 8. Specify the RADIUS servers for authentication to use The SwitchBlade can access two RADIUS servers, which provides redundancy if one server goes down. For more information, including how to set up redundant servers, see How To Set Up A RADIUS Server For User Authentication. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx. add radius server=192.168.20.5 secret=secret-password add radius server=192.168.20.6 secret=secret-password Configure A Secure School Network Based On 802.1x 12

9. Configure authentication Enable authentication on the unused s. This increases security by ensuring that only devices with valid authentication credentials can connect to these s. enable auth=8021x enable auth=8021x =1.3-1.4,1.8,2.5-2.8,3.4,3.8,4.7-4.8 type=authenticator quietperiod=0 txperiod=1 servertimeout=5 To get step by step instructions for setting up Microsoft clients and servers to use 802.1x authentication, see How To Use 802.1x EAP-TLS Or PEAP-MS-CHAP v2 With Microsoft Windows Server 2003 To Make A Secure Network. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx. USA Headquar ters 19800 Nor th Cr eek Parkwa y Suite 200 Bothell WA 98011 USA T: +1 800 424 4284 F: +1 425 481 3895 Eur opean Headquar ters Via Motta 24 6830 Chiasso Switzerland T: +41 91 69769.00 F: +41 91 69769.11 Asia-Pacific Headquar ters 11 T ai Seng Link Singapor e 534182 T: +65 6383 3832 F: +65 6383 3830 www.alliedtelesis.com 2007 Allied Tel esis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners. C613-16089-00 REV B

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information