3Com 3C17300-US Implementation Manual

Contents

84 C HAPTER 10: M AKING YOUR N ETWORK S ECURE■ Before you enable Network Login or Rada you must ensure that:■ RADIUS has been configured on the Switch.■ The RADIUS server in your network is operational.■ If the RADIUS server fails or is unavailable, client devices will be unableto access the network or be restricted to the default access.■ Network Login and Rada are not supported on ports configured tooperate as members of an aggregated link.■ Some client devices that are connected to the Switch port may notsupport network login, for example printers. You should configure theSwitch port to operate in Automatic Learning mode, so that networktraffic that does not match the MAC address for the client device isfiltered, or use the basic Rada mode.■ You should enable Network Login or Rada on all relevant Switch ports.Failure to enable authentication on a single port could compromisethe security of the entire network.RADIUS Server settings for Auto VLANWhen setting up Auto VLAN on a RADIUS server the following attributesmust be set to supply VLAN data to the Switch:Table 8 Setting Auto VLAN attributesThe Tunnel-Private-Group-ID attribute specifies the VLAN to be assigned.This can take various forms to indicate if the port is untagged or taggedmember, for example ‘2u 3t' means that the port is an untagged memberof VLAN 2 and a tagged member of VLAN 3.The switch will assign the first VLAN number with no suffix, or with a ‘U’or ‘u’ suffix, as an untagged VLAN for the port. Any further VLANnumbers with no suffix, or with the ‘U’ or ‘u’ suffix, will be assigned as atagged VLAN on the same port. For example; all the following strings areidentical after processing: “23 7T 88T”, “7T 88t 23u”, “88T 23 7t “,”23 7 88”, “7T 23u 88u”.Attribute ValueTunnel-Type VLANTunnel-Medium-Type 802Tunnel-Private-Group-ID dua1730-0bAA03.book Page 84 Monday, July 11, 2005 11:14 AM