User Guide: AMF Security Controller version 1.8.0

Controlling Devices with AMF Application Proxy




Configuring AMF Application Proxy

This section walks through an example configuration of AMF Application Proxy.

For each device connected to the AMF Member, AT-SESC performs authentication and assigns an appropriate VLAN.
If AT-SESC is configured to work with external applications, AT-SESC also performs the action defined on the System Settings > Trap Monitor Settings page when it's notified of a suspected node by the application.
Those elements are collectively referred to as security policies. Here is a list of elements of security policies:
Note
To use this function, the feature license is required on the AMF master side. AMF Cloud and SwitchBlade come with the feature license as standard, and other AMF Master devices require an optional AMF Application Proxy license. Please check our website for details.

◼ Configuration
As an example, configure the following network:

◼ AT-SESC Configuration

Table 1: Sample Configuration Data
Item Name                                          Value
IPv4 address                                       192.168.1.10
AMF Master IP Address                              192.168.1.1
AMF Master Username                                manager
AMF Master Password                                friend
Pre-shared key (between AT-SESC and AMF Master)    password

◼ Device Authentication Data to register on AT-SESC

Table 2: Sample Configuration Data
Item Name            Value
Device1
  Device ID          Device1
  MAC Address        00:00:00:00:00:01
  VLAN to assign     VLAN100
Device2
  Device ID          Device2
  MAC Address        00:00:00:00:00:02
  VLAN to assign     VLAN101
Device3
  Device ID          Device3
  MAC Address        00:00:00:00:00:03
  VLAN to assign     None

◼ AMF Master Configuration

Table 3: Sample Configuration Data
Item Name                                          Value
Username                                           manager
Password                                           friend
Hostname                                           AMF-Master
AMF Network Name                                   AMF001
IP Address                                         192.168.1.1
AT-SESC IP Address                                 192.168.1.10
Pre-shared key (between AT-SESC and AMF Master)    password

◼ AMF Member Configuration

Table 4: Sample Configuration Data
Item Name            Value
Hostname             AMF-Member
AMF Network Name     AMF001
AMF Actions          Drop Packets
Note
This configuration example uses the default account (username "manager", password "friend"). It is recommended that you create a user account with privilege level 15 on both the AMF Master and the AMF Member for AT-SESC, separate from the user account used for console connection.
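Before registering this data, it is worth cross-checking it: a VLAN that AT-SESC assigns to a device only works if the AMF Member has created it and the AMF link carries it. The check below is an added example, not part of the guide or of AT-SESC; its sample values are constructed from Tables 2 and 4 and from the CLI steps that follow, and the check() function and its parameter names are this example's own.

```python
"""Consistency check for the sample data in Tables 1-4.

Added example, not part of the guide or of AT-SESC: it cross-checks the device
authentication data registered on AT-SESC against the VLANs the CLI steps
create on the AMF Member and allow on the AMF link, so that a VLAN AT-SESC
hands out actually exists end to end. Sample values are constructed from the
tables above; the check() function and its parameters are this example's own.
"""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Table 2 (constructed): device ID -> (MAC address, VLAN assigned by AT-SESC or None)
DEVICES = {
    "Device1": ("00:00:00:00:00:01", 100),
    "Device2": ("00:00:00:00:00:02", 101),
    "Device3": ("00:00:00:00:00:03", None),
}
# From the CLI steps: "vlan 100-105" on the Member, "switchport trunk allowed
# vlan add 100-105" on the AMF link, "switchport access vlan 105" on device ports.
MEMBER_VLANS = set(range(100, 106))
AMF_LINK_VLANS = set(range(100, 106))
FALLBACK_VLAN = 105


def check(devices=DEVICES, member_vlans=MEMBER_VLANS,
          link_vlans=AMF_LINK_VLANS, fallback=FALLBACK_VLAN):
    """Return a list of problems; an empty list means the data is consistent."""
    problems = []
    seen = {}  # normalised MAC -> device ID that first used it
    for dev_id, (mac, vlan) in devices.items():
        if not MAC_RE.match(mac):
            problems.append(f"{dev_id}: malformed MAC address {mac!r}")
        elif mac.lower() in seen:
            # Authentication is keyed by MAC, so two devices cannot share one.
            problems.append(f"{dev_id}: MAC {mac} already registered for {seen[mac.lower()]}")
        else:
            seen[mac.lower()] = dev_id
        if vlan is None:
            continue  # the device lands on the port's access VLAN instead
        if vlan not in member_vlans:
            problems.append(f"{dev_id}: VLAN {vlan} is not created on the AMF Member")
        if vlan not in link_vlans:
            problems.append(f"{dev_id}: VLAN {vlan} is not allowed on the AMF link")
    if fallback not in member_vlans:
        problems.append(f"fallback VLAN {fallback} is not created on the AMF Member")
    return problems


if __name__ == "__main__":
    for line in check() or ["sample data is consistent"]:
        print(line)
```

Running the script with the sample data prints that it is consistent; feeding it a device whose assigned VLAN lies outside 100-105, or two devices with the same MAC address, lists each problem so it can be corrected before the data is entered on AT-SESC.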


Configuring AMF Master

This example uses an AT-x930-28GTX as the AMF Master.
Refer to the command reference for your AlliedWare Plus product for the commands described below.
  1. Configure the hostname.
      awplus(config)# hostname AMF-Master

  2. Configure the AMF network name.
      AMF-Master(config)# atmf network-name AMF001

  3. Enable AMF Master functionality.
      AMF-Master(config)# atmf master

  4. Enable GUI support function for AT-SESC.
      AMF-Master(config)# atmf topology-gui enable

  5. Enable AMF Application Proxy.
      AMF-Master(config)# service atmf-application-proxy

  6. Configure the AMF Application Proxy Whitelist server (AT-SESC)'s IP address and a pre-shared key.
      AMF-Master(config)# application-proxy whitelist server 192.168.1.10 key password

  7. Create VLANs for packet forwarding.
      AMF-Master(config)# vlan database
      AMF-Master(config-vlan)# vlan 100-105

  8. Assign the VLANs to a port and configure it as an AMF link to the AMF Member.
      AMF-Master(config)# interface port1.0.1
      AMF-Master(config-if)# switchport mode trunk
      AMF-Master(config-if)# switchport trunk allowed vlan add 100-105
      AMF-Master(config-if)# switchport atmf-link

  9. Assign an IP address to vlan1 for communicating with AT-SESC.
      AMF-Master(config)# interface vlan1
      AMF-Master(config-if)# ip address 192.168.1.1/24
AMF Master configuration is done.


Configuring AMF Members

This example uses an AT-x510-28GTX as the AMF Member.
Refer to the command reference for your AlliedWare Plus product for the commands described below.
  1. Configure the hostname.
      awplus(config)# hostname AMF-Member

  2. Configure the AMF network name.
      AMF-Member(config)# atmf network-name AMF001

  3. Enable AMF Application Proxy.
      AMF-Member(config)# service atmf-application-proxy

  4. Create VLANs for packet forwarding.
      AMF-Member(config)# vlan database
      AMF-Member(config-vlan)# vlan 100-105

  5. Assign the VLANs to a port and configure it as an AMF link to the AMF Master.
      AMF-Member(config)# interface port1.0.1
      AMF-Member(config-if)# switchport mode trunk
      AMF-Member(config-if)# switchport trunk allowed vlan add 100-105
      AMF-Member(config-if)# switchport atmf-link

  6. Assign a VLAN to device ports.
      AMF-Member(config)# interface port1.0.2-1.0.28
      AMF-Member(config-if)# switchport access vlan 105
    This VLAN is used by the devices which are not assigned a VLAN by AT-SESC.

  7. Enable AMF Application Proxy Whitelist on device ports.
      AMF-Member(config-if)# application-proxy whitelist enable
    Note
    For the target port, the default setting of the authentication suppression period (quietPeriod) after authentication failure is 60 seconds. To shorten the authentication suppression period, use the "auth timeout quiet-period" command.

  8. Enable AMF Application Proxy Whitelist's session timeout on the device ports.
    With the session timeout enabled, authentication state for a device is deleted when the time configured on the AMF > AMF Application Proxy Settings page has passed after the device was successfully authenticated.
    When the session timeout is set to 0, authentication state of a device is not deleted due to the time passed since a successful authentication.
      AMF-Member(config-if)# auth session-timeout
    Note
    Make sure to configure the session timeout when you are going to use schedule-based authentication.

  9. Set the authentication mode for the device ports to "Multi-Supplicant".
      AMF-Member(config-if)# auth host-mode multi-supplicant
    When the device ports are in the default "Single-Host" mode, only the first authenticated device is allowed.

  10. Enable dynamic vlan on the device ports.
      AMF-Member(config-if)# auth dynamic-vlan-creation type multi
    Note
    If a device may move to another port, disable ingress filtering on all ports involved in the move (specify "disable" for the "ingress-filter" parameter of the "switchport mode" command).
    If ingress filtering is enabled, the device's information remains on the original port, and the device cannot authenticate on the destination port.

    When dynamic VLAN is not enabled, the VLAN configured on the device ports is used for authenticated devices even if AT-SESC has assigned a specific VLAN to each device.

  11. Set AMF Application Proxy's blocking action to 'Drop'.
      AMF-Member(config-if)# application-proxy threat-protection drop
AMF Member configuration is done.
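Steps 6 to 11 each change what happens to a device that connects to a device port, and the notes above describe the effect of leaving one of them out. The following model is an added illustration, not AlliedWare Plus or AT-SESC code: it encodes the rules the guide states (whitelist lookup by MAC address, the VLAN assigned by AT-SESC versus the port's access VLAN 105, single-host versus multi-supplicant mode, the default 60 second quiet period after a failure, and the session timeout) so the effect of each setting can be seen before touching a switch. Treating the quiet period per MAC address and using integer seconds for time are this model's own simplifications; the PortConfig and DevicePort names are this example's.

```python
"""Behavioural model of a device port configured as in steps 6-11 above.

Added illustration, not AlliedWare Plus or AT-SESC code. It encodes the rules
the guide states for a device port: the MAC is looked up in the whitelist
registered on AT-SESC, a registered device gets its assigned VLAN only when
dynamic VLAN is enabled (otherwise the port's access VLAN 105), single-host
mode admits only the first authenticated device, an authentication failure
starts the 60 s quiet period, and a non-zero session timeout deletes the
authentication state after that many seconds. Applying the quiet period per
MAC address and using integer seconds for time are this model's simplifications.
"""
from dataclasses import dataclass, field

# Constructed from Table 2: MAC -> VLAN assigned by AT-SESC (None = no VLAN).
WHITELIST = {
    "00:00:00:00:00:01": 100,
    "00:00:00:00:00:02": 101,
    "00:00:00:00:00:03": None,
}


@dataclass
class PortConfig:
    access_vlan: int = 105          # switchport access vlan 105
    multi_supplicant: bool = True   # auth host-mode multi-supplicant
    dynamic_vlan: bool = True       # auth dynamic-vlan-creation type multi
    session_timeout: int = 0        # seconds; 0 = state never expires
    quiet_period: int = 60          # default quietPeriod after a failure


@dataclass
class DevicePort:
    cfg: PortConfig
    whitelist: dict
    authenticated: dict = field(default_factory=dict)  # mac -> (vlan, auth time)
    quiet_until: dict = field(default_factory=dict)    # mac -> end of quiet period

    def _expire(self, now):
        """Drop authentication state older than the session timeout."""
        if self.cfg.session_timeout:
            for mac, (_, t) in list(self.authenticated.items()):
                if now - t >= self.cfg.session_timeout:
                    del self.authenticated[mac]

    def connect(self, mac, now=0):
        """Return (allowed, vlan, reason) for a frame from `mac` at time `now`."""
        mac = mac.lower()
        self._expire(now)
        if mac in self.authenticated:
            return True, self.authenticated[mac][0], "already authenticated"
        if now < self.quiet_until.get(mac, 0):
            return False, None, "quiet period"
        if mac not in self.whitelist:
            self.quiet_until[mac] = now + self.cfg.quiet_period
            return False, None, "not registered"
        if not self.cfg.multi_supplicant and self.authenticated:
            return False, None, "single-host: another device already authenticated"
        assigned = self.whitelist[mac]
        vlan = assigned if self.cfg.dynamic_vlan and assigned is not None else self.cfg.access_vlan
        self.authenticated[mac] = (vlan, now)
        return True, vlan, "authenticated"


def demo_multi_supplicant():
    """The configuration from the steps above: all three devices admitted."""
    port = DevicePort(PortConfig(), WHITELIST)
    return [port.connect("00:00:00:00:00:01", now=0),
            port.connect("00:00:00:00:00:02", now=1),
            port.connect("00:00:00:00:00:03", now=2),   # no VLAN from AT-SESC -> 105
            port.connect("00:00:00:00:00:99", now=3),   # unregistered -> quiet period starts
            port.connect("00:00:00:00:00:99", now=30),  # still inside the 60 s quiet period
            port.connect("00:00:00:00:00:99", now=63)]  # quiet period over, fails again


def demo_dynamic_vlan_off():
    """Step 10 skipped: Device1 ends up on the port VLAN, not VLAN100."""
    port = DevicePort(PortConfig(dynamic_vlan=False), WHITELIST)
    return port.connect("00:00:00:00:00:01")[1]


def demo_single_host():
    """Step 9 skipped: the second device is refused."""
    port = DevicePort(PortConfig(multi_supplicant=False), WHITELIST)
    port.connect("00:00:00:00:00:01")
    return port.connect("00:00:00:00:00:02")[0]


def demo_session_timeout():
    """Step 8 with a 300 s timeout: state survives at 100 s, is gone at 300 s."""
    port = DevicePort(PortConfig(session_timeout=300), WHITELIST)
    port.connect("00:00:00:00:00:01", now=0)
    return (port.connect("00:00:00:00:00:01", now=100)[2],
            port.connect("00:00:00:00:00:01", now=300)[2])


if __name__ == "__main__":
    for result in demo_multi_supplicant():
        print(result)
    print(demo_dynamic_vlan_off(), demo_single_host(), demo_session_timeout())
```

The three demo functions with a setting switched off reproduce the consequences the notes warn about: without dynamic VLAN, Device1 is placed on VLAN 105 rather than VLAN100; in single-host mode, Device2 is refused after Device1; with a session timeout, Device1 is re-authenticated once the timeout has elapsed.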


Configuring AT-SESC

  1. Registering AMF Master
    Register the AMF Master on the AMF > AMF Application Proxy Settings page.
    Click "Add" in "AMF Master/VistaManagerEX" section.
    Enter the AMF Master's IP address, username, password and pre-shared key, check all boxes and click "Submit".

    You can view the registered AMF Master on the AMF > AMF Application Proxy Settings page.


  2. Registering Network
    Open the Add Network page from the Policy Settings > Network List page to register a network to which devices are assigned.
    Enter a Network ID and a VLAN ID, then click "Submit".


    You can view the added network on the Policy Settings > Network List page. Repeat this process until you add all required networks.


  3. Registering Device
    Open Add Device page from the Device > Device List page to register devices.
    Enter a device ID, then click the "Add Interface" button to open the "Edit Interface" dialog.
    Enter the device's MAC address and click "Submit".


    Click "Add" in "Policies" section to specify a network to assign to the device.
    Enter a priority, select a network to assign and click "Submit".


    Once the interface and the policy are added, click "Submit" to register the device.


    You can view the added device on the Device > Device List page. Repeat this process until you add all devices.


  4. Registering AMF Members
    Connect the AT-SESC, the AMF Master and the AMF Member to the network.
    Once the connection between AT-SESC and the AMF Master is established, connected AMF nodes are displayed on the Switches > Active AMF Member List page.


    Click "Register" in "Register Status" column to open AMF Member Add page.
    If the default name looks good, just click "Submit".
    Note
    The name must match the AMF Member's hostname, because AT-SESC manages AMF Members by hostname.


    You can view the added AMF Member on the Switches > AMF Member List page.

    Note
    If you are not using location-based authentication, you do not have to register AMF Members.
This completes the AT-SESC configuration.

AT-SESC authenticates devices connected to the AMF Member using the registered authentication data.
You can view the authentication results on the Device > Active Device List page.



AMF Master Configuration (AT-x930-28GTX)



AMF Member Configuration (AT-x510-28GTX)


14 Jun 2021 09:30