
Wednesday, 17 July 2019

LINUX ROOT PASSWORD RECOVERY

Resetting the Root Password on Linux Operating Systems

At the boot menu where Linux asks which operating system to start, press Enter.




Press "e" to edit the entry.




Move to the kernel line and press "e" to edit it.




Append "single" to the end of the kernel line and press Enter. The kernel screen appears again; this time press "b" to boot. The system comes up in single-user mode with a root shell. Typing "passwd root" at this prompt resets the root user's password.



Then type "reboot" to restart the machine and log in with the new password.


Thursday, 11 July 2019

First Hop Redundancy Protocols (FHRP): HSRP and GLBP


1 - Hot Standby Redundancy Protocol (HSRP)

- HSRP is Cisco's standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address.
- Main purpose: protect the default gateway.
- The routers share a virtual IP address and a virtual MAC address; the last two hex digits of the virtual MAC address are the HSRP group identifier.
- There is no load balancing.
- Active/standby mode.
- At equal priority, the router with the higher IP address becomes active and the one with the lower IP address becomes standby.
- We change the HSRP priority to select the active router. Default priority = 100.
- Hello packets every 3 sec; dead time = 10 sec.

HSRP Preemption

Preemption forces a router to take over the HSRP active role. When the active router goes down, the standby router becomes active. When the original router comes back up, the standby router (now active) keeps the active role. With the preempt command, the router that comes back up with the higher priority becomes active again.
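The election and preemption behaviour described above, modelled in Python as an added example (this is not code from the original post or from Cisco; router names, addresses and priorities are constructed, and the model only covers priority, IP tie-break and the preempt flag):

```python
"""Model of the HSRP active/standby election with and without preemption.
Added example; routers, addresses and priorities are constructed."""
from dataclasses import dataclass

DEFAULT_PRIORITY = 100  # HSRP default priority


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    up: bool = True


def election_key(r):
    # Higher priority wins; at equal priority the higher IP address wins.
    return (r.priority, tuple(int(o) for o in r.ip.split(".")))


def elect(routers, current_active=None):
    """Return (active, standby) router names among the routers that are up.

    current_active is the name of the router holding the active role before
    this election. Without preempt, a better router that comes back up does
    not take the role away from the current active router."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None, None
    by_name = {r.name: r for r in alive}
    best = max(alive, key=election_key)
    if current_active in by_name and best.name != current_active and not best.preempt:
        active = by_name[current_active]   # no preempt: incumbent keeps the role
    else:
        active = best
    others = [r for r in alive if r.name != active.name]
    standby = max(others, key=election_key) if others else None
    return active.name, (standby.name if standby else None)


def failover_scenario():
    """Walk through the narrative above: R1 (priority 150) fails, R2 takes
    over, then R1 returns. Returns the active router after each step, once
    without and once with preempt configured on R1."""
    results = {}
    for preempt in (False, True):
        r1 = HsrpRouter("R1", "172.16.30.2", priority=150, preempt=preempt)
        r2 = HsrpRouter("R2", "172.16.30.3")          # default priority 100
        routers = [r1, r2]
        steps = []
        active, _ = elect(routers)                    # both up: R1 wins on priority
        steps.append(active)
        r1.up = False
        active, _ = elect(routers, current_active=active)   # R1 down: R2 active
        steps.append(active)
        r1.up = True
        active, _ = elect(routers, current_active=active)   # R1 back up
        steps.append(active)
        results["preempt" if preempt else "no_preempt"] = steps
    return results


if __name__ == "__main__":
    for label, steps in failover_scenario().items():
        print(label, "->", " , ".join(steps))
```

Running it shows the difference the `standby 1 preempt` line makes: without preempt the sequence is R1, R2, R2 (R2 keeps the role after R1 returns); with preempt it is R1, R2, R1.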

HSRP states:

Initial: the starting state; here it can be seen whether HSRP is running or not.
Learn: the router does not know the virtual IP yet and has not received an authenticated hello packet from the active router.
Listen: the virtual IP is known, but the router is neither active nor standby.
Speak: the router sends periodic hello packets and takes part in electing the active and standby routers.
Standby: standby mode.
Active: active mode.

Multigroup HSRP: creates a separate HSRP group for each VLAN IP address.
HSRP Interface Tracking: tracks the router's WAN port. If the active router's WAN port has a problem, the standby router (and its WAN port) takes over as active.
Object Tracking: checks the devices behind the WAN port.
HSRP Authentication: plain text and MD5.


HSRP Configuration

Router(config)# int gig 0/0
Router(config-if)# ip address 172.16.30.2 255.255.255.0
Router(config-if)# standby 1 ip 172.16.30.1 (virtual IP address)
Router(config-if)# standby 1 priority 150 (so this router becomes active)
Router(config-if)# standby 1 preempt (if the router goes down and comes back up, it becomes active again)

Router_2(config)# int gig 0/0
Router_2(config-if)# ip address 172.16.30.3 255.255.255.0
Router_2(config-if)# standby 1 ip 172.16.30.1


Multigroup HSRP Config

Router(config)# spanning-tree vlan 10 root secondary
Router(config)# spanning-tree vlan 20 root primary
Router(config)# int vlan 10
Router(config-if)# ip address 10.1.10.3 255.255.255.0
Router(config-if)# standby 10 ip 10.1.10.1
Router(config-if)# standby 10 priority 90
Router(config-if)# standby 10 preempt
Router(config-if)#exit
Router(config)# int vlan 20
Router(config-if)# ip address 10.1.20.3 255.255.255.0
Router(config-if)# standby 20 ip 10.1.20.1
Router(config-if)# standby 20 priority 110
Router(config-if)# standby 20 preempt


Interface Group Tracking

Router(config)# int gig 0/0
Router(config-if)# ip address 192.168.100.2 255.255.255.0
Router(config-if)# standby 1 ip 192.168.100.1
Router(config-if)# standby 1 preempt
Router(config-if)# standby 1 track serial 0/1 (tracks the WAN port)
(Enter the same commands on the other router as well.)


GLBP (Gateway Load Balancing Protocol)

- Automatic and simultaneous use of multiple gateways.
- The Gateway Load Balancing Protocol feature provides automatic router backup for IP hosts configured with a single default gateway on an IEEE 802.3 LAN.
- Failover between gateways.
- GLBP provides load balancing over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses.
- Each host is configured with the same virtual IP address, and all routers in the virtual router group participate in forwarding packets.
- Best property: load balancing.
- Uses UDP.
- L3 redundancy.
- Traffic can be shared in both directions.
- Hello packet = 3 sec; dead time = 10 sec.
- MAC address: 0007.44XX.XXYY, where XXXX is leading zero bits followed by the 10-bit GLBP group number.

What is the difference between GLBP and HSRP?



Two GLBP roles:

1 - Active Virtual Gateway (AVG)
2 - Active Virtual Forwarding (AVF), max 4 AVFs per group

Active Virtual Gateway:

- The AVG assigns a virtual MAC address to each member of the GLBP group.
- Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the Active Virtual Gateway.
- The Active Virtual Gateway is responsible for answering Address Resolution Protocol (ARP) requests for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.
- A GLBP group allows up to four virtual MAC addresses per group. The AVG is responsible for assigning the virtual MAC addresses to each member of the group.

Active Virtual Forwarding:

- A group can have at most 4 AVFs.
- An AVF forwards the packets sent to the virtual MAC address assigned to it.

GLBP operates virtual gateway redundancy in the same way as HSRP.

Note: if the Active Virtual Gateway router becomes unavailable, clients do not lose access to the WAN, because the Active Virtual Forwarding router assumes responsibility for forwarding packets sent to Router A's virtual MAC address, in addition to responding to packets sent to its own virtual MAC address. Router B also assumes the AVG role for the entire GLBP group.


GLBP states:

Disabled: there is no virtual IP address.
Initial: the virtual IP address is set, but the configuration is not yet complete.
Listen: the router listens for hello packets.
Speak: the router tries to become active or standby (AVG or AVF).
Standby: if the active router has a problem, this router is ready to become active.
Active: responds to ARP requests.

GLBP Benefits

Load Sharing

You can configure GLBP in such a way that traffic from LAN clients can be shared by multiple routers, thereby sharing the traffic load more equitably among available routers.

Multiple Virtual Routers

GLBP supports up to 1024 virtual routers (GLBP groups) on each physical interface of a router, and up to 4 virtual forwarders per group.

Preemption

The redundancy scheme of GLBP enables you to preempt an active virtual gateway with a higher priority backup virtual gateway that has become available. Forwarder preemption works in a similar way, except that forwarder preemption uses weighting instead of priority and is enabled by default.

Authentication

You can use a simple text password authentication scheme between GLBP group members to detect configuration errors. A router within a GLBP group with a different authentication string than other routers will be ignored by other group members.

GLBP Gateway Weighting and Tracking

GLBP uses a weighting scheme to determine the forwarding capacity of each router in the GLBP group. The weighting assigned to a router in the GLBP group determines whether it will forward packets and, if so, the proportion of hosts in the LAN for which it will forward packets. Thresholds can be set to disable forwarding when the weighting falls below a certain value, and when it rises above another threshold, forwarding is automatically re-enabled.

The GLBP group weighting can be automatically adjusted by tracking the state of an interface within the router. If a tracked interface goes down, the GLBP group weighting is reduced by a specified value. Different interfaces can be tracked to decrement the GLBP weighting by varying amounts.


GLBP Configuration

R1:int f0/0
R1: glbp 123 ip 10.1.1.254
R1: glbp 123 priority 120
R1: glbp 123 preempt

R2: int f0/0
R2: glbp 123 ip 10.1.1.254
R2: glbp 123 priority 110
R2: glbp 123 preempt

R3: int f0/0
R3: glbp 123 ip 10.1.1.254

Verify the GLBP configuration with "show glbp brief".
The virtual MAC addresses are assigned by R1 (the AVG).
The highest priority is elected AVG. The default load balancing is round-robin.

With round-robin, AVG will reply each ARP request for the GLBP virtual IP with each AVF’s virtual MAC address in turns, so all AVFs will be used equally.


GLBP Weighted Configuration

The weighted algorithm distributes traffic to each AVF based on the weight value assigned to it. An AVF with a bigger weight value gets more traffic redirected to it.

For example, if we assign weight value 1 for R1, 1 for R2, and 2 for R3, then AVG will reply ARP requests for the GLBP virtual IP address using R3’s virtual MAC address two times more often than using R1’s or R2’s. The configuration command for the above example scenario is as follows:

R1: int f0/0
R1: glbp 123 load-balancing weighted
R1: glbp 123 weight 1

R2: int f0/0
R2: glbp 123 load-balancing weighted
R2: glbp 123 weight 1

R3: int f0/0
R3: glbp 123 load-balancing weighted
R3: glbp 123 weight 2

Host-Dependent Algorithm

The host-dependent algorithm guarantees that the same gateway is always used for a specific client, as long as the number of AVFs does not change. In some situations this is the best option, for example with stateful NAT.

R1: int f0/0
R1: glbp 123 load-balancing host-dependent

Repeat the same commands on R2 and R3.

If we traceroute from Client B or Client C, we will probably get a different gateway than Client A, but each client keeps being directed to the same gateway until the number of AVFs changes.
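How the AVG's ARP replies spread clients over the three AVFs under round-robin, weighted (R1=1, R2=1, R3=2) and host-dependent load balancing, as an added example in Python. This is not code from the original post or from Cisco IOS: the virtual MAC addresses and client MACs are constructed, the weighted method is modelled as the AVG cycling through a list in which each AVF appears as many times as its weight, and the host-dependent method is modelled as a hash of the client MAC (Cisco's real selection logic is not documented here, so both are assumptions that only reproduce the proportions the text describes).

```python
"""Model of the GLBP AVG answering ARP requests for the virtual IP with
different AVF virtual MACs. Added example; all addresses are constructed."""
from collections import Counter
import hashlib
from itertools import cycle

# Constructed AVF table for group 123: name -> (virtual MAC, weight).
# The MACs are placeholders, not the real GLBP virtual MAC format.
AVFS = {
    "R1": ("0200.0000.0001", 1),
    "R2": ("0200.0000.0002", 1),
    "R3": ("0200.0000.0003", 2),
}


class Avg:
    """The Active Virtual Gateway: picks which AVF virtual MAC goes into
    each ARP reply according to the configured load-balancing method."""

    def __init__(self, avfs, method="round-robin"):
        self.avfs = dict(avfs)
        self.method = method
        names = sorted(self.avfs)
        self._round_robin = cycle(names)
        # Weighted model: an AVF with weight w appears w times in the cycle,
        # so R3 (weight 2) is handed out twice as often as R1 or R2.
        self._weighted = cycle([n for n in names for _ in range(self.avfs[n][1])])

    def arp_reply(self, client_mac):
        """Return the virtual MAC the AVG puts in its reply to client_mac."""
        if self.method == "round-robin":
            name = next(self._round_robin)
        elif self.method == "weighted":
            name = next(self._weighted)
        elif self.method == "host-dependent":
            # Assumption: a stable hash of the client MAC selects the AVF, so
            # the same client always gets the same gateway while the AVF
            # count is unchanged.
            names = sorted(self.avfs)
            digest = hashlib.sha256(client_mac.encode()).digest()
            name = names[digest[0] % len(names)]
        else:
            raise ValueError(f"unknown load-balancing method: {self.method}")
        return self.avfs[name][0]


def distribution(method, client_macs):
    """Count how many clients each AVF ends up serving for one method."""
    avg = Avg(AVFS, method)
    mac_to_name = {mac: name for name, (mac, _) in AVFS.items()}
    return Counter(mac_to_name[avg.arp_reply(mac)] for mac in client_macs)


def host_dependent_is_sticky(client_mac, requests=5):
    """True when repeated ARP requests from one client get the same AVF."""
    avg = Avg(AVFS, "host-dependent")
    return len({avg.arp_reply(client_mac) for _ in range(requests)}) == 1


def sample_clients(n=12):
    # Constructed client MAC addresses for the demonstration.
    return [f"0200.00aa.{i:04x}" for i in range(n)]


if __name__ == "__main__":
    for method in ("round-robin", "weighted", "host-dependent"):
        print(method, dict(distribution(method, sample_clients())))
    print("host-dependent sticky:", host_dependent_is_sticky("0200.00aa.0001"))
```

With 12 clients the round-robin count is 4/4/4 and the weighted count is 3/3/6, which is the "two times more often" ratio from the weighted example; the host-dependent split depends on the client MACs, but each client always lands on the same AVF.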

Tuesday, 9 July 2019

Alcatel-Lucent OS6250, OS6350, OS6450, OS6850 and OS6855 AOS Update Methods



!!! Important !!!

Don’t forget to backup the configuration file before updating.

               UPDATE METHODS:

               1 - AOS Update via FTP
               2 - AOS Update via USB
               3 - USB Disaster Recovery Method

               AOS Update via FTP

Steps to follow:

To connect to the switch via FTP, FTP access for users must be enabled on the switch. Make sure the following commands are present on the switch:

               "aaa authentication ftp local"
               "aaa authentication telnet local"

1 - Create a folder on the desktop and put the update .img files in it.

               (KFbase.img, KFeni.img, KFos.img, KFsecu.img)

2 - Open the PC's command window (Start -> Run -> cmd) and change into the folder you created on the desktop with the "cd" command.

               " Example: cd c:/Users/tahir/Desktop/UpdateFolder"

3 - From this folder, enter the command "ftp x.x.x.x", where "x.x.x.x" is the switch IP address.

4 - Enter the switch login credentials.

5 - After connecting, enter "cd /flash/working/" to change into the working folder.

6 - Delete the existing image files and copy the new ones. First:

               "rm /flash/working/*.img" deletes the image files under the working folder.

               Then enter the "mput" command; the screen asks you to confirm each image file on your computer. Press Enter to accept each one. The copy operation is then finished.

7 - After the copy, the switch is restarted from the working folder so that it runs with the new image files.

      After the restart, the working folder is copied to the certified folder, which synchronizes the two folders.

               "reload working rollback-timeout 0" (the switch will boot from the working folder)
               "Y" (accept)

      The switch reboots; then connect via telnet.

8 - When the switch is up, connect via telnet and enter this command:

               "copy working certified" (copies working to certified after the restart)

9 - Finally, the "show system" command shows the current version.

Should be "6.7.2.113.R05"

This finishes the update via FTP.
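A pre-flight check for the FTP procedure above, as an added example that is not part of the original post or of Alcatel-Lucent's tooling: it hashes the four KF*.img files in the local update folder against an expected SHA-256 manifest before anything is sent, and only then performs the same steps as the manual session (cd /flash/working/, delete the old images, upload the new ones) with Python's standard ftplib. The manifest values, the switch address and the credentials are placeholders; the self-test builds a throwaway folder of fake images so the verification logic can be exercised offline.

```python
"""Verify update images against a SHA-256 manifest, then upload them to
/flash/working/ over FTP. Added example; manifest and switch details are placeholders."""
import hashlib
import os
import tempfile
from ftplib import FTP, error_perm

IMAGE_FILES = ("KFbase.img", "KFeni.img", "KFos.img", "KFsecu.img")

# Placeholder manifest: replace with the SHA-256 values published for the
# release being installed (the page gives none, so these are not real hashes).
EXPECTED_SHA256 = {name: "<sha256 of " + name + ">" for name in IMAGE_FILES}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_images(folder, expected=EXPECTED_SHA256):
    """Return {image: 'ok' | 'missing' | 'hash-mismatch'} for the folder."""
    status = {}
    for name in IMAGE_FILES:
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        elif sha256_of(path) != expected.get(name):
            status[name] = "hash-mismatch"
        else:
            status[name] = "ok"
    return status


def upload_images(host, user, password, folder, expected=EXPECTED_SHA256):
    """Step 3-6 of the procedure: connect, cd /flash/working/, remove the old
    images, store the new ones. Refuses to touch the switch unless every
    image verified 'ok'. Plain FTP sends credentials in clear text, so run
    this only from the management network the switch trusts."""
    status = verify_images(folder, expected)
    if any(v != "ok" for v in status.values()):
        raise RuntimeError(f"refusing to upload, verification failed: {status}")
    with FTP(host, timeout=30) as ftp:
        ftp.login(user, password)
        ftp.cwd("/flash/working/")
        for name in IMAGE_FILES:
            try:
                ftp.delete(name)           # equivalent of rm /flash/working/<name>
            except error_perm:
                pass                       # file was not there; nothing to delete
            with open(os.path.join(folder, name), "rb") as f:
                ftp.storbinary(f"STOR {name}", f)   # equivalent of mput
    return status


def selftest():
    """Exercise verify_images on constructed fake images in a temp folder.
    Returns (status with a correct manifest, status after one manifest entry
    is wrong and one image is removed)."""
    with tempfile.TemporaryDirectory() as d:
        for name in IMAGE_FILES:
            with open(os.path.join(d, name), "wb") as f:
                f.write(name.encode() * 1000)      # fake image content
        manifest = {n: sha256_of(os.path.join(d, n)) for n in IMAGE_FILES}
        good = verify_images(d, manifest)
        manifest["KFos.img"] = "0" * 64           # wrong hash in the manifest
        os.remove(os.path.join(d, "KFsecu.img"))  # image file missing
        bad = verify_images(d, manifest)
    return good, bad


if __name__ == "__main__":
    print(selftest())
    # upload_images("<switch-ip>", "<user>", "<password>", r"C:\Users\tahir\Desktop\UpdateFolder")
```

The delete-then-store order mirrors the manual "rm /flash/working/*.img" followed by "mput"; the reload and "copy working certified" steps are still done on the switch console as described in steps 7 to 9.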


               AOS Update via USB

Steps to follow:

1 - First, format the USB flash drive as FAT32 with an 8k cluster size. This is needed for the Alcatel switch to recognize the USB drive.

2 - After formatting, create a "6450" folder with a "certified" folder inside it, and copy the update image files into that folder (6450/certified/KFbase.img ... etc.).

3 - Then plug the USB drive into the switch and enter the "usb enable" command. If messages such as "Ubulk" or "mount" appear on the switch after this command, the USB drive is recognized.

4 - After usb enable:

Delete the image files under the working folder with the command below.

               "rm /flash/working/*.img"

Copy the new image files from your USB drive to the working folder with the command below.

               "cp /uflash/certified/*.img /flash/working/"

After copying, reboot the switch from the working folder.

               "reload working rollback-timeout 0"

               "Y"

5 - After the switch comes up, copy the working folder onto the certified folder to synchronize them.

               "copy working certified"

6 - Finally, the "show system" command shows the current version.

Should be "6.7.2.113.R05"

This finishes the update via USB.


               USB Disaster Recovery Method

In this procedure the flash folder is erased, so don't forget to back up the configuration file before updating, and make sure that the USB drive works.

1 - First, format the USB flash drive as FAT32 with an 8k cluster size. This is needed for the Alcatel switch to recognize the USB drive.

2 - After formatting, create a "6450" folder with a "certified" folder inside it, and copy the update image files into that folder (6450/certified/KFbase.img ... etc.).

3 - Turn off the switch.

4 - Insert the USB drive into the switch.

5 - Connect to the switch with a console cable and have the terminal emulation program ready.

6 - When the switch is turned on, the "auto boot" option appears. Press a key within 2 seconds to enter "uboot" mode.

In "uboot" mode the console prompt looks like this: " => "

7 - In this mode, enter the following commands to go to "Miniboot" mode. All remaining operations are done in this mode.

               "setenv bootflags 0x1000"
               "run miniboot"

8 - When Miniboot is running, the prompt looks like this: "[Miniboot]->"

9 - Format the "flash" folder. This erases everything inside it.

               [Miniboot]->sysNewfs "/flash"

10 - After the switch reboots, enter the command below to make it run from the working folder.

               [Miniboot]->setNextRunningVersion 2

11 - Reboot:

               [Miniboot]->reboot

12 - Do not remove the USB drive while the switch is rebooting. When the reboot starts, the switch recognizes the USB drive and runs in "USB Disaster Recovery" mode: it copies the files on the drive into the working folder it creates and runs from that folder.

13 - When the switch is up:

               Synchronize with the "copy working certified" command.

14 - Then restore the latest backup and save the configuration file with "write memory".

15 - Finally, the "show system" command shows the current version.

               Should be "6.7.2.113.R05"

This finishes the update via USB Disaster Recovery.

Basic commands on Alcatel Omniswitch



Introduction
This page lists basic Command Line Interface (CLI) commands available on the OmniSwitch 6250, 6350, 6450, 6850 and 6855 series. The full documentation can be found on the Alcatel-Lucent website.



Managing the configuration files
Alcatel OmniSwitches can operate in two modes: working and certified (show running-directory tells you which mode the switch is in). In working mode the configuration can be modified, while in certified mode it is not supposed to be (well, actually, it is possible). When booting, if the working and certified configuration files differ, the switch boots in certified mode. Configuration files are stored in certified/boot.cfg and working/boot.cfg (they can be edited directly with "vi").
  • save running -> working: write memory
  • save working -> certified: copy working certified [flash-synchro] (flash-synchro synchronizes the configuration across all slots)
  • save running even in certified mode: configuration snapshot all <file>, then move this file to working/boot.cfg
  • reboot in working mode without rollback: reload working no rollback-timeout
  • view running configuration: show configuration snapshot [all|vlan|ip|...] or write terminal
When modifying the configuration, it can be useful to reload the switch in certified mode if a configuration error occurs. It is possible to program the switch to reload a few minutes ahead in case you lose control: reload in <n>, where n is the number of minutes to wait before reloading. A scheduled reload can be cancelled with reload cancel; show reload shows when the switch will reboot.

Configure VLANs
A layer 2 VLAN is created with vlan <vlan_number> enable name "vlan name" and removed with no vlan <vlan_number>. show vlan lists all VLANs; show vlan <vlan_number> shows the details of that VLAN.
Depending on the microcode version (show microcode), a layer 3 VLAN is created using:
  • ip interface "interface name" vlan <vlan_number> address <address> mask <netmask>
  • vlan router "interface name" vlan <vlan_number> address <address> mask <netmask>
and destroyed with:
  • no ip interface "interface name"
  • no vlan router "interface name"
Port association:
  • To associate a port to a specific vlan: vlan <vlan_number> port default <slot>/<port>
  • To list the ports: show vlan port
  • To list the ports of a specified vlan: show vlan <vlan_number> port
  • To show a port: show vlan port <slot>/<port>
802.1Q:
  • To tag a port: vlan <vlan_number> 802.1Q <slot>/<port> [<"comment">]
  • To remove a tag: vlan <vlan_number> no 802.1Q <slot>/<port>

Interfaces
Global status: show interfaces status
Info about an interface (admin status, MAC, speed, duplex, errors, ...): 
show interfaces [port|status|<slot>/<port>|...]
Summary of interfaces errors: 
show interfaces counters errors
To clear counters: 
interfaces <slot>[/port1-port2] no l2 statistics
To change an interface: 
interface <slot>/<port> [speed <10_100_1000>|duplex <half_full>|autoneg <state>|flood rate <rate>]
To switch from autonegotiation to 100FD, set
  • autoneg off
  • speed 100 and duplex full
If forced to 100FD while autoneg is on, the port will stay down.
To disable an interface: 
interface <slot>/<port> admin down

Link Aggregation
Dynamic LAG (LACP)
lacp linkagg <id> size <size> admin state enable
lacp linkagg <id> actor admin key <key>
lacp agg <slot/port> actor admin key <key>
Static LAG
static linkagg <id> size <size> admin state enable
static linkagg <id> name <name>
static agg <slot/port> agg num <id>

IP Multicast Switching Commands
IP Multicast Switching (IPMS) is a one-to-many communication technique employed by emerging applications such as video distribution, news feeds, conferencing, netcasting, and resource discovery. Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any subnetwork that has at least one device requesting the multicast traffic.

ip multicast status enable
ip multicast querying enable
ip multicast spoofing enable
ip multicast source-timeout 360
ip multicast proxying enable
ip multicast querier-forwarding enable
ip multicast vlan 450 status enable
ip multicast vlan 450 querying enable
ip multicast vlan 450 spoofing enable
ip multicast vlan 450 zapping disable
ip multicast vlan 450 version 2
ip multicast vlan 450 last-member-query-interval 1
ip multicast vlan 450 source-timeout 360
ip multicast vlan 450 proxying enable
ip multicast vlan 450 querier-forwarding disable

Hardware
When stacking is operational, one switch is primary, another is secondary, and the others are idle. If the primary disappears, the secondary becomes primary and the first idle switch becomes secondary.
Get info about the chassis: show chassis; about the stack: show stack topology.
To monitor the health of the system: show health all (cpu|memory)
Show CMM (Control Management Module – Alcatel ) information: show cmm

System
Uptime, date, name, contact, location: show system
To change:
  • system name <"name">
  • system contact <"contact">
  • system location <"location">
The default prompt is "->". session prompt default "sw1->" changes it to "sw1->". You can get the other session parameters with show session config.
When a command outputs too many lines for the screen, it is possible to use "more" to see it page by page. Use more to activate the mode and more size <size> to set the number of lines shown. Cancel this mode with no more.
To change the timeout of the telnet/ssh sessions: session timeout cli <timeout>

NTP
Set a server: ntp server <server_ip>. Even if DNS is configured, you cannot specify a name for the NTP server. Then activate NTP: ntp client enable.
Get NTP info:
  • show ntp client: tells whether NTP is on or off, when the last update was, ...
  • show ntp server-list: get the list of servers and which server the switch is synchronized with

Logs
Show logging conf: show swlog
Get switch logs:
  • show log swlog: get all logs
  • show log swlog timestamp <month/day/year> <hour:minute>: only logs since the specified time
  • empty logs: swlog clear
Enable syslog with: swlog output socket <syslog_server_ip>

STP
STP can operate in two modes: flat and 1x1. In flat mode there is only one instance for the whole switch, whereas in 1x1 mode there is one instance per VLAN (like PVST on Cisco switches or VSTP on Juniper ones). I recommend the 1x1 mode if you do not want to go the MSTP way. Change STP mode: bridge mode (flat|1x1)
Get STP conf: show spantree
It is possible to deactivate STP on specified VLANs/ports: vlan <vlan_number> stp (enable|disable) and bridge <vlan_number> <slot>/<port> (enable|disable)
Change STP algorithm: bridge protocol (802.1D|STP|RSTP). (In 2007) I did not manage to set RSTP for all VLANs as a global config; I had to set it VLAN per VLAN using: bridge 1x1 <vlan_number> protocol (802.1D|STP|RSTP).

DNS
  • Name servers: ip name-server <IP1> <IP2>
  • Domain name: ip domain-name <domain-name>
  • Activate DNS client: ip domain-lookup
DHCP relay
  • ip service udp-relay
  • DHCP relay only for specified vlans: ip helper per-vlan only
  • DHCP server address: ip helper address <dhcp_server> vlan <vlan_number>
  • Enable DHCP relay: ip udp relay BOOTP
Services
Activate/deactivate services: [no] ip service (ftp|ssh|telnet|http|secure-http|udp-relay|snmp|all). List of activated services: show ip service.
For https: 
ip http ssl

AAA
Authentication can be local or done with a RADIUS server.
To activate a service, the authentication has to be set:
aaa authentication default "local"
aaa authentication (console|ssh|ftp|802.1X|vlan|...) "local"

ARP
ARP table: show arp
Mac Address table: 
show mac-address-table
Add a static MAC/IP entry: 
arp <IP> <MAC>, and no arp <IP> to remove it.
Clear dynamic ARP entries: 
clear arp-table
To specify when a dynamic entry times out (default: 300 seconds): 
mac-address-table aging-time <seconds> [vlan <vlan_number>]

SNMP
First, you have to create a user and give it the right to do SNMP:
  • user <"username"> read-only (all|ip|interface|...) password <password>
  • The only way I found to give the user SNMP capabilities is to use the web interface ..., but you can deactivate it with user <"username"> no snmp
Then configure the snmp server:
  • snmp security no security
  • Associate the community string with the user you created: snmp community map <"community"> user <"username"> on
  • To configure the SNMP trap server: snmp station <server_ip> [<port>] <"user"> (v1|v2c|v3) enable
  • snmp authentication trap (enable|disable)
  • To filter the traps sent by the switch: snmp trap filter <server_ip> <filter_code>
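The Services, AAA and SNMP entries above each name a setting that is worth checking in a saved boot.cfg: the clear-text management services (ftp, telnet, http), "snmp security no security", and whether logs leave the switch at all (swlog output socket, from the Logs section). The script below audits a configuration text for exactly those points. It is an added example, not an Alcatel-Lucent tool or code from the original page; both configuration samples are constructed (192.0.2.10 is a documentation address), and the set of service names it expands "ip service all" into is taken from the Services entry above.

```python
"""Audit an OmniSwitch boot.cfg-style configuration for the weak settings
described on this page. Added example; the sample configurations are constructed."""
import re

# Service names from the 'ip service' entry on this page.
ALL_SERVICES = {"ftp", "ssh", "telnet", "http", "secure-http", "udp-relay", "snmp"}
# Management services whose credentials and sessions travel unencrypted.
CLEARTEXT_SERVICES = ("ftp", "telnet", "http")

# Constructed sample: the kind of configuration the FTP update procedure and
# the AAA/SNMP entries produce when taken literally. Not a real switch dump.
SAMPLE_CONFIG = """\
system name "sw1"
aaa authentication default "local"
aaa authentication ftp "local"
aaa authentication telnet "local"
ip service ftp
ip service telnet
ip service ssh
ip service http
no ip service secure-http
snmp security no security
snmp community map "public" user "monitor" on
"""

# Constructed hardened variant: only ssh/secure-http/udp-relay/snmp stay on,
# the SNMP community is not the well-known default, and syslog is exported.
HARDENED_CONFIG = """\
aaa authentication default "local"
ip service all
no ip service ftp
no ip service telnet
no ip service http
snmp community map "mon-ro" user "monitor" on
swlog output socket 192.0.2.10
"""


def enabled_services(config):
    """Return the set of services left enabled by the 'ip service' lines,
    applying them in order so a later 'no ip service X' wins."""
    enabled = set()
    for line in config.splitlines():
        m = re.match(r"^(no\s+)?ip service (\S+)$", line.strip())
        if not m:
            continue
        negate, svc = m.group(1), m.group(2)
        names = set(ALL_SERVICES) if svc == "all" else {svc}
        enabled = enabled - names if negate else enabled | names
    return enabled


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    services = enabled_services(config)
    for svc in CLEARTEXT_SERVICES:
        if svc in services:
            findings.append(f"clear-text management service enabled: {svc}")
    if re.search(r"^snmp security no security$", config, re.M):
        findings.append("snmp security set to 'no security'")
    if re.search(r'^snmp community map "public"', config, re.M):
        findings.append("well-known SNMP community string 'public' is mapped")
    if not re.search(r"^swlog output socket \S+", config, re.M):
        findings.append("no remote syslog destination (swlog output socket)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

The audit is deliberately line-based and order-aware, because "ip service all" followed by a few "no ip service" lines is a common shape for these configs and a naive grep for "ip service telnet" would miss the case where telnet was enabled through "all".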
Port mirroring
Port mirroring works 12 ports by 12 ports. It is possible to configure multiple sources for one session and thus see the traffic of multiple ports in one output.
  • show port mirroring status
  • port mirroring <session> source <slot>/<port> destination <slot>/<port> enable
  • no port mirroring <session>
POE
By default, the POE is disabled on all ports.
To enable the POE on a given port: 
lanpower start <slot>/<port>
To enable it on the whole slot: 
lanpower start <slot>
To stop PoE, use the symmetric command lanpower stop (<slot>/<port>|<slot>)
Show the POE configuration: show lanpower <slot>
To limit the power available for a given port: lanpower <slot>/<port> power <milliwatts>
To limit the power available for a slot: 
lanpower <slot> maxpower <watts>
A power of 230W is enough for a full slot equipped with IP phones (note: TBC).
It has been noticed that a switch may prove unstable with PoE if too many devices are connected and its PSU is not powerful enough.

QOS & ACL
In AOS, ACL and QoS are configured in the same "qos" section.
Apply QoS when modified: 
qos apply
Disable QoS (useful for troubleshooting): 
qos disable
By default, QOS is not trusted in access ports and all tags are set to 0. It is trusted on trunked ports. To trust everywhere: qos trust ports
To trust on one given port: 
qos port <slot>/<port> trusted
The rules are a combination of the following elements:
  • policy network : define subnets
  • policy condition : define conditions (from subnet1 to subnet2, ...)
  • policy action : define actions (permit, deny, ...)
  • policy rule : apply action to condition (if X then Y)
The syntax for the different blocks is the following:
policy network group <gp_name> <subnet1> mask <mask1> <subnet2> mask <mask2> ...
policy condition <c_name> source network group <gp_name1> destination group <gp_name2>
policy action <a_name> disposition <action>
policy rule <r_name> [disable] precedence <p> condition <c_name> action <a_name>, where precedence is the order rules can be applied
As an example:
policy network group VoIP 192.168.1.0 mask 255.255.255.0 192.168.11.0 mask 255.255.254.0
policy network group Data 172.16.0.0 mask 255.255.255.0

policy condition "VoIP-VoIP" source network group VoIP destination network group VoIP
policy condition "VoIP-Data"  source network group VoIP destination network group Data
policy condition "Data-Data" source network group Data destination network group Data
policy condition "Other" source ip any destination ip any

policy action Deny disposition deny
policy action Permit

policy rule "Allow VoIP-VoIP" precedence 200 condition "VoIP-VoIP" action Permit
policy rule "Allow VoIP-Data" disable precedence 200 condition "VoIP-Data" action Permit
policy rule "Allow Data-Data" precedence 200 condition "Data-Data" action Permit
policy rule "Deny Other" precedence 200 condition "Other" action Deny

qos port 1/2 trusted 
qos port 1/3 trusted 
qos apply
802.1X
aaa radius-server "radius_srv1" host <IP Addr> key <auth_key> retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa radius-server "radius_srv2" host <IP Addr> key <auth_key> retransmit 3 timeout 2 auth-port 1812 acct-port 1813

# Use the RADIUS servers for VLAN assignment
aaa authentication vlan single-mode "radius_srv1" "radius_srv2"
# use the internal database for authent to the local services
aaa authentication default "local"
aaa authentication console "local"
aaa authentication ftp "local"
aaa authentication snmp "local"
# 802.1X authentication servers
aaa authentication 802.1x radius_srv1 radius_srv2
# MAC base authentication servers (used for devices that can't do 802.1X like IP-Phones)
aaa authentication mac radius_srv1 radius_srv2

AVLAN:
# Authentication portal in the switch. By default, last IP of the subnet.
avlan auth-ip <vlan-ID> <IP address, in same VLAN, different of switch IP address>

VLAN definition

vlan 5 enable name "VoIP"
vlan 10 enable name "Data"
vlan 10 authentication enable

Configuration of interface 1/3

vlan 10 port default 1/3
# enable dynamic vlan assignment
vlan port mobile 1/3
# enable 802.1X
vlan port 1/3 802.1x enable

# 802.1X
# - direction both => control on inbound + outbound traffic
# - port-control auto => port initially in unauthorized state, and put in "authorized" mode automatically by the switch after the exchange between the switch and the end station
# - quiet-period 60 => reject the 802.1X authentications during 60s after an authentication failure
# - server-timeout 30 => superseded by the aaa radius-server ... timeout
# - re-authperiod 3600 => 3600s=1h before re-authent is required
# - no reauthentication => disables the reauthent
802.1x 1/3 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication

# length of a captive portal session
802.1x 1/3 captive-portal session-limit 12 retry-count 3

# poll the end device 2 times before stating it is not 802.1X compliant
802.1x 1/3 supp-polling retry 2
# if authentication is successful but returns no VLAN ID ("pass"), use default vlan for the supplicant else ("fail"), block the port
802.1x 1/3 supplicant policy authentication pass group-mobility default-vlan fail block
# same for non-supplicant (non-802.1X) devices: authentication by MAC address with a RADIUS server
802.1x 1/3 non-supplicant policy authentication pass group-mobility block fail block
# used by supplicant and non supplicant when "captive-portal" is used in the "802.1x supplicant policy" or "802.1x non-supplicant policy"
802.1x 1/3 captive-portal policy authentication pass default-vlan fail block