HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1691
When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies. For the switch to function as a RADIUS server to authenticate login users, you must set the RADIUS server type to standard.

To set the RADIUS server type:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the RADIUS...
Page 1692
are not available anymore. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers. Generally, the switch chooses servers based on these rules:

• When the primary server is in active state, the switch communicates with the primary server. If the primary server fails, the switch changes the server’s status to blocked and starts a quiet timer for the server, and then turns to a...
Page 1693
3. Set the RADIUS server status.
   • Set the status of the primary RADIUS authentication/authorization server:
     state primary authentication { active | block }
   • Set the status of the primary RADIUS accounting server:
     state primary accounting { active | block }
   • Set the status of a secondary RADIUS authentication/authorization server:
     state secondary authentication [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
   • Set the status of a...
Page 1694
2. Specify a source IP address for outgoing RADIUS packets.
   Command: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
   Remarks: By default, the IP address of the outbound interface is used as the source IP address.

To specify a source IP address for a specific RADIUS scheme:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a source IP address...
Page 1695
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a backup source IP address for outgoing RADIUS packets.
   Command: nas-backup-ip ip-address
   Remarks: Not specified by default.

NOTE: The backup source IP address specified for outgoing RADIUS packets takes effect only when stateful failover is configured, and it must be the source IP address for outgoing RADIUS packets that is configured on the standby switch....
Page 1696
75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the primary/secondary server switchover cannot take place. For example, the product of the two parameters must be less than 10 seconds for voice users, and less than 30 seconds for Telnet users because the client connection timeout period for voice users is 10 seconds and that for Telnet users is 30 seconds.

• When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response...
Page 1697
The NAS checks the validity of received control packets and accepts only control packets from known servers. To use a security policy server that is independent of the AAA servers, you must configure the IP address of the security policy server on the NAS. To implement all EAD functions, configure both the IP address of the IMC security policy server and that of the IMC Platform on the NAS.

To configure the IP address of the security policy server for a scheme:

1....
Page 1698
The failure ratio is generally small. If a trap message is triggered because the failure ratio is higher than the threshold, troubleshoot the configuration on and the communication between the NAS and the RADIUS server.

To enable the trap function for RADIUS:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the trap function for RADIUS.
   Command: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
   Remarks: Disabled by default....
Page 1699
Displaying and maintaining RADIUS

Task: Display the configuration information of RADIUS schemes.
   Command: display radius scheme [ radius-scheme-name ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display the statistics for RADIUS packets.
   Command: display radius statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display information about buffered stop-accounting...
Page 1700
Creating an HWTACACS scheme

The HWTACACS protocol is configured on a per scheme basis. Before performing other HWTACACS configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an HWTACACS scheme and enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
   Remarks: Not defined by default.

NOTE:
• Up to 16 HWTACACS schemes can be configured.
• A scheme can be deleted...