You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.
close
You are viewing the article in preview mode. It is not live at the moment.
Home > Product Overviews > Network Switches > Managed Switch > Overview of the Security settings of the Linksys Managed Switch for Business
Overview of the Security settings of the Linksys Managed Switch for Business
print icon
To configure the Security settings of the Linksys Managed Switches for Business, follow the steps below.
 
1. Access the web interface of your switch. For instructions, click here.

2. Click on the menu icon located at the upper-left corner of the web interface.

3. Click on Security.

4. The following settings can be configured under Security:

802.1x
Access
Port Security
Radius Server
DoS


802.1x

The IEEE 802.1x standard authentication uses the Remote Authentication Dial In User Service (RADIUS) protocol to validate users and provide a security standard for network access control. The user that wishes to be authenticated is called a supplicant. The actual server doing the authentication is called the authentication server (typically a RADIUS server). The mediating device, such as a switch, is called the authenticator. Clients connected to a port on the switch must be authenticated by the RADIUS server before accessing any services offered by the switch on the LAN. Use a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN (EAPoL) packets between the client and server. This establishes the requirements needed for a protocol between the authenticator (the system that passes an authentication request to the authentication server) and the supplicant (the system that requests for authentication), as well as between the authenticator and the authentication server.

The following settings can be configured under 802.1x:


Global Settings
Port Settings
Authenticated Host

Global Settings

When a supplicant is connected to a switch port, the port issues an 802.1x authentication request to the attached 802.1x supplicant. The supplicant replies with the given username and password in an authentication request and then passes on to a configured RADIUS server. The authentication server's user database supports Extensible Authentication Protocol (EAP), which allows guest VLAN memberships to be defined based on each individual user. Before successful authorization, the port connected to the authenticated supplicant becomes a member of the specified guest VLAN. When the supplicant is successfully authenticated, traffic will be automatically assigned to the VLAN user configured in 802.1Q VLAN.

The EAP authentication methods supported by the switch are:
 
  • EAP-MD5
  • EAPTLS
  • EAP-TTLS
  • EAP-PEAP
 
  • State – Choose to enable or disable the feature.
  • Guest VLAN – Set Guest VLAN as Enabled or Disabled on the switch. The default option is Disabled.
  • Guest VLAN ID – Select the Guest VLAN ID from the list of currently defined VLANs.

Click Apply to save the settings.

Port Settings

The IEEE 802.1x port-based authentication provides a security standard for network access control with RADIUS servers and holds a network port block until authentication is completed. With 802.1x port-based authentication, the supplicant provides the required credentials such as username, password, or digital certificate to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant is allowed to access resources located on the protected side of the network.

You can configure the port settings as they relate to 802.1x. To make your changes, first, select a port, then click on Edit to make necessary changes. Once done, click on Apply to save your settings.
 
  • Port – This is the port number on the switch.
  • Mode – Select Auto, Force_UnAuthorized, or Force_Authorized mode from the list.
  • Reauthentication – Select if port reauthentication is Enabled or Disabled.
  • Reauthentication Period – Enter the time span in which the selected port is reauthenticated. The default is 3600 seconds.
  • Quiet Period – Enter the number of the devices that remain in a quiet state following a failed authentication exchange. The default is 60 seconds.
  • Supplicant Period – Enter the amount of time that lapses before an EAP request is resent to the supplicant. The default is 30 seconds.
  • Authorized Status – This displays the authorized status of 802.1x information.
  • Guest VLAN – This shows whether the guest VLAN is Enabled or Disabled on specific ports.
  • RADIUS VLAN Assign – If this is Enabled, the client will get the VLAN from the RADIUS server.

Authenticated Host

The following information are found on the Authenticated Host page.
 
  • User Name – This displays the client’s username via 802.1x RADIUS server authentication.
  • Port – This displays the client’s authenticated port number.
  • Session Time – This displays the client’s 802.1x session time.
  • Authenticate Method – This displays the client’s authenticated method.
  • MAC Address – This displays the client’s MAC address.
  • Dynamic VLAN Cause – This displays the client’s VLAN information.
  • Dynamic VLAN ID – This displays the client’s VLAN ID (if the RADIUS server assigns it).

Access

On the Web page, you can change the session timeout, disable or enable HTTP and HTTPS. The default session timeout is 5 minutes. To learn how to configure Access timeout settings, click here.
 
  • Timeout – Enter the duration of time that elapses before HTTP/HTTPS is timed out. The default value is 5 minutes, and the range is from 0 to 10000 minutes.
  • HTTP Service – Set the HTTP service as Enabled or Disabled on the switch. This is Enabled by default.
  • HTTPS Service – Set the HTTPS service as Enabled or Disabled on the switch. This is Disabled by default.

On the CLI page, you can change the session timeout, enable or disable Telnet and SSH access.

NOTE: The CLI access is supported on the Linksys LGS328C, LGS352C, LGS352MPC, LGS328MPC, and LGS310MPC.
 
  • Timeout – Enter the duration of time that elapses before Telnet/SSH is timed out. The default value is 5 minutes, and the range is from 0 to 10000 minutes.
  • Telnet Service – Set the Telnet service as Enabled or Disabled on the switch. This is Enabled by default.
  • SSH Service – Set the SSH service as Enabled or Disabled on the switch. This is Disabled by default.

Port Security

Network security can be increased by limiting access on a specific port to users with specific MAC addresses. Port Security prevents unauthorized devices to the switch prior to stopping auto-learning processing.

To change the settings, select a port and then click on Edit. Once done, click on Apply.


NOTE: The number of ports varies by model.
 
  • Port – This displays the port on the switch for which the port security is defined.
  • State – Set the port security as Enabled or Disabled for the selected port.
  • Max MAC Address – Enter the maximum number of MAC addresses that can be learned on the port. The range is from 1 to 256.

 

Radius Server

A RADIUS server is used for centralized administration. It is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect and use a network service for greater convenience. RADIUS is a server protocol that runs in the application layer, using UDP as transport. A network switch with port-based authentication has a RADIUS client component that communicates with the RADIUS server. Clients connected to a port on the switch must be authenticated by the authentication server before accessing services offered by the switch on the LAN. Use a RADIUS server to authenticate users trying to access a network by relaying Extensible Authentication Protocol over LAN (EAPoL) packets between the client and server. The RADIUS server maintains a user database, which contains authentication information. The switch passes information to the configured RADIUS server which can authenticate a username and password before authorizing use of the network.
 
  • Index – This displays the index for the RADIUS server.
  • Server IP – Enter the RADIUS server IP address into this field.
  • Authorized Port – Enter the authorized port number into this field. The default port is 1812.
  • Key String – Enter the key string used for encrypting all RADIUS communication between the device and the RADIUS server.
  • Timeout Reply – Enter the time a device waits for an answer from the RADIUS server before switching to the next server. The default value is 3.
  • Retry – Enter the number of transmitted requests sent. The default value is 3.

Click the Add button to add an entry. Once done, click on the Apply button to accept the changes or the Cancel button to abort the process.

DoS

Denial of Service (DoS) is used for classifying and blocking specific types of DoS attacks. You can configure the switch to monitor and block different types of attacks. By default, DoS is Disabled. Click on the radio button for Enabled to enable it and click on Apply.
 
Was this support article useful?
0 out of 0 found this helpful

Contact Us:
Call Us Access our list of global support numbers
Reddit Join and subscribe to our Official Reddit Community
Chat Us We are here to help you with all the questions you have
scroll to top icon