9.2.3.1. 3COM
9.2.3.1.1. SuperStack 3 Switch 4200 and 4500
Firmware: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: 3COM/Generic
9.2.3.1.1.1. RADIUS Global Configuration
Define the RADIUS servers to be used for authentication and their format:
port-security enable
MAC-authentication domain openNAC
radius scheme system
radius scheme openNAC
server-type extended
primary authentication <Radius_Server_IP>
primary accounting <Radius_Server_IP>
key authentication <Radius_Shared_Key>
key accounting cipher <Radius_Shared_Key>
user-name-format without-domain
domain openNAC
authentication radius-scheme openNAC
accounting radius-scheme openNAC
vlan-assignment-mode string
accounting optional
domain system
Interface configuration
interface Ethernet1/0/1
stp edged-port enable
lldp compliance admin-status cdp txrx
port link-type hybrid
port hybrid vlan 6 tagged
port hybrid vlan 1 2 3 untagged
undo voice vlan mode auto
voice vlan enable
port-security max-mac-count 3
port-security port-mode mac-authentication
port-security intrusion-mode blockmac
undo enable snmp trap updown
9.2.3.1.1.2. Dot1x Features
Voice VLAN
The voice VLAN will be used to separate the voice traffic from the data traffic.
voice vlan mac-address f4ea-6700-0000 mask ffff-ff00-0000 description Cisco IP Phone
undo voice vlan security enable
voice vlan 6 enable
Also, enable the voice VLAN on the desired interface:
interface Ethernet1/0/1
port hybrid vlan 6 tagged
undo voice vlan mode auto
voice vlan enable
9.2.3.1.1.3. LLDP
lldp enable
lldp timer tx-interval 5
lldp compliance cdp
9.2.3.1.1.4. SNMP Traps
OpenNAC Enterprise supports 3Com switches without VoIP using the following trap types:
linkUp/linkDown
snmp-agent
snmp-agent target-host trap address udp-domain <opennac-ip> params securityname public
snmp-agent trap enable standard linkup linkdown
Port Security (with static MACs)
Global configuration
snmp-agent
snmp-agent target-host trap address udp-domain <opennac-ip> params securityname public
snmp-agent trap enable
port-security enable
port-security trap addresslearned
port-security trap intrusion
Interface configuration
port access vlan 4
port-security max-mac-count 1
port-security port-mode secure
port-security intrusion-mode blockmac
undo enable snmp trap updown
9.2.3.1.2. E4800G
Firmware: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: 3COM/Generic
9.2.3.1.2.1. RADIUS Global Configuration
Define the RADIUS servers to be used for authentication and their format:
radius scheme openNAC
server-type extended
primary authentication <Radius_Server_IP>
primary accounting <Radius_Server_IP>
key authentication <Radius_Shared_Key>
key accounting cipher <Radius_Shared_Key>
user-name-format without-domain
domain openNAC
authentication radius-scheme openNAC
accounting radius-scheme openNAC
vlan-assignment-mode string
accounting optional
domain default enable openNAC
dot1x authentication-method eap
port-security enable
quit
If your switch’s management authentication is currently set to the default, applying the above configuration will switch the authentication method to RADIUS-based, with the ON Core server serving as the authentication server. It is almost certain that you do not want that!
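The following code block creates only a local password for vty access (telnet) and sets no authentication on the console. To avoid locking yourself out, verify your configuration before you apply it. Replace the example password Testing123 with your own; telnet sends it over the network in cleartext.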
system-view
user-interface aux 0
authentication-mode none
user-interface vty 0 4
user privilege level 3
set authentication password simple Testing123
quit
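One way to do that verification offline, as an added example that is not part of OpenNAC Enterprise or the 3Com firmware: the script below reads a saved configuration and reports user interfaces that would fall back to the RADIUS default domain, plus the open console and the cleartext vty password shown above. It assumes sub-commands are indented under their parent line and treats a user-interface with no `authentication-mode` or `set authentication` line as being "set to the default"; the function names and sample values are hypothetical.

```python
import re

# Constructed sample (not a real device): this section's E4800G commands laid
# out as a saved configuration; the indentation and the IP address are assumed.
SAMPLE = """\
radius scheme openNAC
 primary authentication 192.0.2.10
domain openNAC
 authentication radius-scheme openNAC
domain default enable openNAC
user-interface aux 0
 authentication-mode none
user-interface vty 0 4
 set authentication password simple Testing123
"""

def sections(text):
    """Group indented sub-commands under their unindented parent line."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(text):
    """Return (finding, section) pairs for lockout and weak-login risks."""
    secs = sections(text)
    schemes = {h.split()[2] for h, _ in secs if h.startswith("radius scheme ")}
    domains = {h.split()[1]: b for h, b in secs if re.fullmatch(r"domain \S+", h)}
    default = next((h.split()[3] for h, _ in secs
                    if h.startswith("domain default enable ")), None)
    found = [("undefined-radius-scheme", "domain " + name)
             for name, body in domains.items() for c in body
             for m in [re.search(r"radius-scheme (\S+)", c)]
             if m and m.group(1) not in schemes]
    via_radius = any("radius-scheme" in c for c in domains.get(default, []))
    for head, body in (s for s in secs if s[0].startswith("user-interface ")):
        if via_radius and not any(c.startswith(("authentication-mode",
                                                "set authentication")) for c in body):
            found.append(("login-falls-to-radius", head))  # lockout risk
        if "authentication-mode none" in body:
            found.append(("no-authentication", head))
        if any(c.startswith("set authentication password simple") for c in body):
            found.append(("cleartext-password", head))  # stored as plaintext
    return found
```

Run `audit()` on the text of the saved configuration before and after applying the RADIUS block; an empty list means none of these conditions were found.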
Interface configuration
interface Ethernet1/0/1
port-security port-mode mac-else-userlogin-secure-ext
# userlogin-secure-or-mac-ext could be used below instead
# see the Switch_4200G's documentation for a discussion about it
undo enable snmp trap updown
quit
9.2.3.1.2.2. SNMP Traps
OpenNAC Enterprise supports 3Com switches without VoIP using the following trap types:
linkUp/linkDown
snmp-agent
snmp-agent target-host trap address udp-domain <opennac-ip> params securityname public
snmp-agent trap enable standard linkup linkdown
9.2.3.1.3. E5500G and 4200G
Firmware: Generic
Administration Portal > ON CMDB > Network Devices Brand/Model: 3COM/Generic
9.2.3.1.3.1. RADIUS Global Configuration
Define the RADIUS servers to be used for authentication and their format:
port-security enable
MAC-authentication domain openNAC
radius scheme system
radius scheme openNAC
server-type extended
primary authentication <Radius_Server_IP>
primary accounting <Radius_Server_IP>
key authentication <Radius_Shared_Key>
key accounting cipher <Radius_Shared_Key>
user-name-format without-domain
domain openNAC
authentication radius-scheme openNAC
accounting radius-scheme openNAC
vlan-assignment-mode string
accounting optional
domain system
Interface configuration
interface Ethernet1/0/1
stp edged-port enable
lldp compliance admin-status cdp txrx
port link-type hybrid
port hybrid vlan 6 tagged
port hybrid vlan 1 2 3 untagged
undo voice vlan mode auto
voice vlan enable
port-security max-mac-count 3
port-security port-mode mac-authentication
port-security intrusion-mode blockmac
undo enable snmp trap updown
9.2.3.1.3.2. Dot1x Features
Voice VLAN
The voice VLAN will be used to separate the voice traffic from the data traffic.
voice vlan mac-address f4ea-6700-0000 mask ffff-ff00-0000 description Cisco IP Phone
undo voice vlan security enable
voice vlan 6 enable
Also, enable the voice VLAN on the desired interface:
interface Ethernet1/0/1
port hybrid vlan 6 tagged
undo voice vlan mode auto
voice vlan enable
9.2.3.1.3.3. LLDP
lldp enable
lldp timer tx-interval 5
lldp compliance cdp
9.2.3.1.3.4. SNMP Traps
OpenNAC Enterprise supports 3Com switches without VoIP using the following trap types:
linkUp/linkDown
snmp-agent
snmp-agent target-host trap address udp-domain <opennac-ip> params securityname public
snmp-agent trap enable standard linkup linkdown
Port Security (with static MACs)
Global configuration
snmp-agent
snmp-agent target-host trap address udp-domain <opennac-ip> params securityname public
snmp-agent trap enable
port-security enable
port-security trap addresslearned
port-security trap intrusion
Interface configuration
port access vlan 4
port-security max-mac-count 1
port-security port-mode secure
port-security intrusion-mode blockmac
undo enable snmp trap updown
9.2.3.1.4. 3COM 3CR17254-91 - 3COM 3CRS45G-24-91
Global Configuration
radius scheme openNAC
server-type standard
primary authentication <IP radius server> 1812
primary accounting <IP radius server> 1812
accounting optional
key authentication <Pre shared key>
user-name-format without-domain // Authenticate by default without including the domain in the user name.
quit
To authenticate with the domain included in the username (“user@domain”):
domain <name.domain>
radius-scheme <scheme-name>
vlan-assignment-mode string
quit
domain default enable <name.domain>
dot1x authentication-method eap
port-security enable
Interface configuration
interface GigabitEthernet1/0/1
dot1x port-method portbased
dot1x