User Guide: AMF Security Controller version 1.8.0

Manually Adding Devices



This section explains how to register (add) devices manually. This is the most fundamental operation for using AT-SESC.
To manually add a device into AT-SESC's database, you have to know the interface MAC address of the device.

Registering OpenFlow Switch

You can view the status of the OpenFlow Switches connected to AT-SESC on the Switches > Active OpenFlow Switch List page.
  1. Open the Switches > Active OpenFlow Switch List page.

    Because no configuration has been made for any OpenFlow Switch yet, the lowest-numbered OpenFlow port is selected as the upstream port for each switch.

  2. Clicking the Datapath ID navigates you to the Switches > OpenFlow Switch Detail page.

    The Switches > OpenFlow Switch Detail page gives you detailed information about the selected OpenFlow Switch.
    You can also see the OpenFlow port number for each data plane port on the switch.

  3. Click the "Back" button at the top right corner to go back to the Switches > Active OpenFlow Switch List page.


  4. Before registration, the Switch ID column shows the string "Unregistered" with a "Register" button next to it. To register this OpenFlow Switch, click "Register" to open the Switches > Add OpenFlow Switch page.


  5. Specify "Switch ID", "Upstream port" and "Note".
    Note
    You do not need to specify Datapath ID because it is automatically configured uniquely for each switch.
    Note
    Account Group ID to which you belong must be set in advance. In this chapter, no Account Group ID is set.

    As an example, configure the settings shown in the following table:

    Table 1: Sample Configuration Data
    Item Name | Value | Description
    Switch ID (Mandatory) | x230-18GT (Not changed) | Name of the OpenFlow Switch. Switch ID must be unique. Max 255 characters. By default, the model name shown in "Hardware Information" is set automatically.
    Datapath ID (Mandatory) | auto-generated (No change) | The OpenFlow Switch's Datapath ID (used by the OpenFlow controller to identify this switch). There is no need to change this in most cases because it is automatically generated or configured. The auto-generated Datapath ID is a 16-character hexadecimal string formed by prefixing the switch's MAC address with leading zeros. Datapath ID must be unique.
    Upstream Port | port1.0.5 (Not changed) | Upstream port of the switch. Only one upstream port can be specified for a switch. The port can be specified as either a port name or an OpenFlow port number.
    Account Group ID | (None) | Select the Account Group ID to which the OpenFlow Switch belongs.
    Note | #1F Switch | Arbitrary string (comment) for the switch. Max 255 characters.
    Note
    If the Datapath ID is inconsistent between AT-SESC and the switch, packet forwarding ceases on its OpenFlow ports.

  6. Click "Submit".
    Once the OpenFlow Switch is registered, the Switches > OpenFlow Switch List page reflects the newly added information.
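As an added example (not part of this guide or the AT-SESC product), the following Python derives the Datapath ID from a switch MAC address in the auto-generated form Table 1 describes, and compares the value held by the controller with the value each switch reports, since the note above warns that a mismatch stops forwarding on the OpenFlow ports. The MAC address and the reported value are constructed sample data, and the function names are this example's own.

```python
import re

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([:-][0-9a-fA-F]{2}){5}$")

def datapath_id_from_mac(mac: str) -> str:
    """Auto-generated form described in Table 1: the 12 hex digits of the MAC
    address, lower-cased, left-padded with zeros to 16 characters."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return re.sub(r"[:-]", "", mac).lower().rjust(16, "0")

def check_datapath_consistency(registered: dict, reported: dict) -> list:
    """Compare the controller's registry (Switch ID -> Datapath ID) with the
    values the switches report. Returns a list of problems; empty means OK."""
    problems = []
    seen = {}
    for switch_id, dpid in registered.items():    # Table 1: Datapath ID must be unique
        if dpid.lower() in seen:
            problems.append(f"duplicate Datapath ID {dpid}: {seen[dpid.lower()]} and {switch_id}")
        seen[dpid.lower()] = switch_id
    for switch_id, dpid in reported.items():
        expected = registered.get(switch_id)
        if expected is None:
            problems.append(f"{switch_id}: reporting but not registered in the controller")
        elif expected.lower() != dpid.lower():   # guide: a mismatch stops forwarding
            problems.append(f"{switch_id}: controller has {expected}, switch reports {dpid}")
    return problems

# Constructed sample data: a made-up MAC address for the x230-18GT from Table 1.
SAMPLE_MAC = "00:1a:eb:12:34:56"
REGISTERED = {"x230-18GT": datapath_id_from_mac(SAMPLE_MAC)}
REPORTED = {"x230-18GT": "0000001AEB123456"}   # upper-case, as a switch might display it

if __name__ == "__main__":
    print(REGISTERED["x230-18GT"])
    print(check_datapath_consistency(REGISTERED, REPORTED) or "consistent")
```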



Registering AMF Members

You can view the status of the AMF Members connected to AT-SESC on the Switches > Active AMF Member List page.
  1. Open the Switches > Active AMF Member List page.

  2. Before registration, the Register Status column shows the string "Unregistered" with a "Register" button next to it. To register an AMF Member, click "Register" to open the Switches > AMF Member Add page.

  3. Enter something in Note.
    Note
    Account Group ID to which you belong must be set in advance. In this chapter, no Account Group ID is set.

    As an example, configure the settings shown in the following table:

    Table 2: Sample Configuration Data
    Item Name | Value | Description
    Name (Mandatory) | AMF-Member (Not changed) | Name of the AMF Member. Must be unique in the AMF Member List. Max 255 characters. Can use alphanumeric characters, hyphen (-) and underscore (_).
    Account Group ID | (None) | Select the Account Group ID to which the AMF Member belongs.
    Note | #1F Switch | Arbitrary string (comment) for the AMF Member. Max 255 characters.
    Note
    The Name must be the same as the host name of the AMF Member, because AT-SESC manages AMF Members by their host names.

  4. Click "Submit".
    Once the AMF Member is registered, the Switches > AMF Member List page reflects the newly added information.



Registering Guest Network

Networks can be added on the Policy Settings > Add Network page.
  1. Open the Policy Settings > Network List page.

    This page shows the list of networks registered in AT-SESC's database. As you see, no network is registered yet.

  2. Click the "Add Network" button at the top right corner to move to the Policy Settings > Add Network page.

    This page lets you specify a network ID (network name) and a VLAN ID for the network.
    Later you can use the network to specify which VLAN a device can belong to. AT-SESC achieves this by telling the switches to add the appropriate VLAN tag to packets originating from the allowed devices.

  3. Enter information for the network to add.

    As an example of registering the network "Sales", configure the settings shown in the following table:

    Table 3: Sample Configuration Data
    Item Name | Value | Description
    Network ID (Mandatory) | Sales | ID (Name) of the network. Network ID must be unique. Max 255 characters.
    VLAN ID (Mandatory) | 123 | VLAN ID for the network. You cannot specify a VLAN ID that is already assigned to another network. If you specify VLAN ID 0, no VLAN tag is added for the network; this is equivalent to not specifying a network in a policy. VLAN ID must be in the range 0 to 4094.
    Note | Sales Network | Arbitrary string (comment) for the network. Max 255 characters.

  4. Click "Submit".
    Once the network is registered, the Policy Settings > Network List page reflects the newly added information.



Registering Location

In AT-SESC, a physical location where a device can access the network is called Location.
Location can be added on the Policy Settings > Add Location page.
  1. Open the Policy Settings > Location List page.

    This page lists registered locations in AT-SESC. As you see, no location is registered at this point.

  2. Click the "Add Location" button at the top right corner of the Policy Settings > Location List page to move to the Policy Settings > Add Location page.

    A location consists of a Location ID (its name) and a list of OpenFlow Switches or AMF Members which are installed in the location.
    Using locations, you can control the OpenFlow Switches or AMF Members to which a device can connect by location such as an office floor or a meeting room.

  3. Enter information about the new location.

    As an example of registering the location "1F", configure the settings shown in the following table:

    Table 4: Sample Configuration Data
    Item Name | Value | Description
    Location ID (Mandatory) | 1F | ID (Name) of the location. Location ID must be unique. Max 255 characters.
    Note | 1F area | Arbitrary string (comment) for the location. Max 255 characters.

  4. Click the "Select" button next to "OpenFlow Switches / AMF Members".
    The Policy Settings > OpenFlow Switches / AMF Members dialog appears and lists the OpenFlow Switches and AMF Members that were added in "Adding OpenFlow Switch" and "Adding AMF Member".
    Assuming that "x230-18GT" and "AMF-Member" are installed in the physical location "1F", select the checkboxes for both of them.


  5. Click "Submit".
    Now the "x230-18GT" and "AMF-Member" have been added and listed in the "OpenFlow Switches / AMF Members" section of the Policy Settings > Add Location page.


  6. Click "Submit".
    Once the location has been added, the Policy Settings > Location List page reflects the newly added information.



Registering Schedule

A schedule can be added on the Policy Settings > Add Schedule page.
  1. Open the Policy Settings > Schedule List page.

    This page shows the list of schedules. As you see, there is no schedule at this point.

  2. Click the "Add Schedule" button at the top right corner of the Policy Settings > Schedule List page to move to the Policy Settings > Add Schedule page.

    By adding schedules, you can control when a device can connect to the network. If either the Start or the End Date / Time is not specified in a schedule, AT-SESC treats that side of the range as having no time limit.

  3. Enter information about the new schedule.

    As an example of registering the schedule "March Events", configure the settings shown in the following table:

    Table 5: Sample Configuration Data
    Item Name | Value | Description
    Schedule ID (Mandatory) | March Events | ID (Name) of the schedule. Schedule ID must be unique. Max 255 characters.
    Start Date / Time | 20XX-03-01 00:00:00 | The beginning of the time range during which a device is allowed to connect to the network. Date / Time can be selected using the calendar controls or entered manually; when entering them manually, use the format "YYYY-mm-dd" for the date and "HH:MM:SS" for the time.
    End Date / Time | (empty) | The end of the time range during which a device is allowed to connect to the network. Selected or entered in the same way as Start Date / Time.
    Note | Sales meeting | Arbitrary string (comment) for the schedule. Max 255 characters.
    When the End Date / Time is not specified, this schedule is effective indefinitely after the Start Date / Time.

  4. Click "Submit".
    Once the schedule has been added, the Policy Settings > Schedule List page reflects the newly added information.



Registering Device

AT-SESC can control access to the network by registered devices.
Devices can be added on the Device > Add Device page.
Note
A device to which no security policy is attached is temporarily assigned to the untagged VLAN. When you add a device that is already in use by its user, Allied Telesis recommends taking the following steps so that the whole process, from adding the device to applying a security policy to it, is performed in one batch.
  1. Open the Device > Device List page.

    This page shows the list of devices registered in AT-SESC's database. As you see, no device is registered at this point.

  2. Click the "Add Device" button at the top right corner of the Device > Device List page to move to the Device > Add Device page.

    This page lets you enter an ID for the device, plus a tag and a note if required.

  3. Enter information about the new device.

    As an example, configure the settings shown in the following table:

    Table 6: Sample Configuration Data
    Item Name | Value | Description
    Device ID (Mandatory) | Device_1 | ID (Name) of the device to register. Device ID must be unique. Max 255 characters.
    Tag | User_A | Secondary name of the device, which administrators can use to distinguish, categorize or filter devices easily. Max 255 characters.
    Note | Sales division | Arbitrary string (comment) for the device. Max 255 characters.

  4. Next, you have to enter the interface MAC address of the device. AT-SESC denies all network connections from unregistered MAC addresses.
    Click the "Add" button next to "Interfaces" to open the Device > Edit Interface dialog.

    Note
    You can temporarily allow unregistered devices to access the network in a specific VLAN segment. To do so, you have to set up the UnAuth Group in the Group > Adding UnAuth Group page.

  5. Enter the MAC address of an interface of the device. You can optionally input a name and a note for the interface too.


  6. Click "Submit".
    "Interfaces" section of the Device > Add Device page now shows the interface MAC address which you just entered.


  7. Next, you have to apply a security policy to the device.
    Click the "Add" button next to "Policies" to open the Device > Edit Policy dialog.

    To each device, you can apply a security policy which defines from where and when the device can connect to the network.
    A device to which no security policy is applied can connect to the untagged VLAN network at any time and from anywhere.
    Note
    If the OpenFlow Switch has access to the untagged VLAN (a subnet without a VLAN) and the AMF Member has access to the VLAN configured for AMF Members, then depending on the switch settings the device may be able to reach equipment on the control plane.

  8. Enter the policy's priority in the range of 0 to 255.
    When a device has multiple security policies attached, AT-SESC searches for a matching policy from the one with the lowest priority value to the highest.
    In this example, set the security policy priority to "10".

  9. The registered information is listed in the "Network", "Location" and "Schedule" drop-down lists. Choose the elements to apply to the device from these lists.
    Each drop-down list shows a maximum of 100 elements at a time. If you enter text in the field, the list is dynamically filtered to the elements that contain the entered text (again showing at most 100). From the drop-down list, select a policy element to apply to the device.
    With the following policy settings, the device can access the network "Sales" from the location "1F" during the time period specified by the schedule "March Events".
    In this example there is only one element each for Network, Location and Schedule, so no filtering is needed: just click the element in each drop-down list.
    Also, in this example, no OpenFlow Switch or switch port is specified. Suppose new switches are added to the location "1F" later: if you want to restrict access from the device to "x230-18GT" only, you can add that OpenFlow Switch to the security policy.


  10. Click "Submit".
    "Policies" section of the Device > Device List page shows the security policy which you just added.


  11. Click "Submit".
    Once the device is added, the Device > Device List page reflects the updated information.


You are done with the basic configurations.
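As an added example (not AT-SESC code), the following Python models the access decision this guide describes once the objects from Tables 3 to 6 are in place: an unregistered MAC address is denied, a device with no policy goes to the untagged VLAN, and otherwise the device's policies are searched from the lowest priority value upward, a policy matching when the switch is in its Location and the time falls inside its Schedule (an unset Start or End imposes no limit). What the controller does when a device has policies but none of them matches is not stated on this page, so the function reports that case as NO_MATCH instead of assuming an outcome; the sample device, its MAC address and the year in the schedule are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

UNTAGGED = 0            # guide: VLAN ID 0 means traffic gets no VLAN tag
DENY = "DENY"           # guide: unregistered MAC addresses are denied
NO_MATCH = "NO_MATCH"   # policies exist but none matched; the page does not state the outcome

def when(s: str) -> datetime:   # the guide's manual-entry format "YYYY-mm-dd HH:MM:SS"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

@dataclass
class Schedule:
    start: Optional[datetime] = None    # unset = no lower time limit
    end: Optional[datetime] = None      # unset = no upper time limit
    def allows(self, at: datetime) -> bool:
        return (self.start is None or at >= self.start) and (self.end is None or at <= self.end)

@dataclass
class Policy:
    priority: int                          # 0..255; the lowest value is searched first
    vlan: int                              # VLAN ID of the policy's Network
    location: Optional[frozenset] = None   # switch IDs in the Location; None = anywhere
    schedule: Optional[Schedule] = None    # None = any time
    def matches(self, switch_id: str, at: datetime) -> bool:
        if self.location is not None and switch_id not in self.location:
            return False
        return self.schedule is None or self.schedule.allows(at)

@dataclass
class Device:
    device_id: str
    macs: frozenset                        # registered interface MAC addresses, lower-case
    policies: list = field(default_factory=list)

def decide(devices: list, mac: str, switch_id: str, at: datetime):
    """Return the VLAN ID the device is placed in, or DENY / NO_MATCH."""
    device = next((d for d in devices if mac.lower() in d.macs), None)
    if device is None:
        return DENY
    if not device.policies:
        return UNTAGGED                    # guide: no policy -> untagged VLAN, anytime, anywhere
    for policy in sorted(device.policies, key=lambda p: p.priority):
        if policy.matches(switch_id, at):
            return policy.vlan
    return NO_MATCH
# Constructed sample mirroring Tables 3 to 6; the MAC address and the year are made up.
SALES = Policy(10, 123, frozenset({"x230-18GT", "AMF-Member"}), Schedule(start=when("2021-03-01 00:00:00")))
DEVICES = [Device("Device_1", frozenset({"00:1a:eb:aa:bb:cc"}), [SALES])]
```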



14 Jun 2021 09:30