HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1711
46 Configuring AAA accounting methods for an ISP domain In AAA, accounting is a separate process at the same level as authentication and authorization. This process sends accounting start/update/end requests to the specified accounting server. Accounting is optional. AAA supports the following accounting methods: • No accounting (none)—The system does not perform accounting for the users. • Local accounting (local)—Local accounting is implemented on the NAS. It counts and controls the...
Page 1712
47 Step Command Remarks 3. Enable the accounting optional feature. accounting optional Optional. Disabled by default. With the accounting optional feature, a switch allows users to use network resources when no accounting server is available or communication with all accounting servers fails. 4. Specify the default accounting method for all types of users. accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [...
Page 1713
48 Step Command Remarks 1. Enter system view. system-view N/A 2. Create a NAS ID profile and enter NAS ID profile view. aaa nas-id profile profile-name You can apply a NAS ID profile to an interface enabled with portal. See Configuring portal authentication. 3. Configure a NAS ID-VLAN binding. nas-id nas-identifier bind vlan vlan-id By default, no NAS ID-VLAN binding exists. Specifying the device ID used in stateful failover mode (available only on the HP 5500 EI) Two...
Page 1714
49 and user description. After completing this task, the specified RADIUS user can use the username and password for RADIUS authentication on the switch. You can use the authorization-attribute command to specify an authorization ACL and authorized VLAN, which is assigned by the RADIUS server to the RADIUS client (the NAS) after the RADIUS user passes authentication. The NAS then uses the assigned ACL and VLAN to control user access. If the assigned ACL does not exist on the NAS, ACL assignment...
Page 1715
50 Displaying and maintaining AAA Task Command Remarks Display the configuration information of ISP domains. display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ] Available in any view Display information about user connections. display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name |...
Page 1716
51 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit # Create HWTACACS scheme hwtac. [Switch] hwtacacs scheme hwtac # Specify the primary authentication server. [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49 # Specify the primary authorization server. [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49 # Specify the primary accounting server. [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49 # Set the shared keys for secure authentication,...
Page 1717
52 Figure 12 Network diagram Configuration procedure 1. Configure the switch: # Assign IP addresses to interfaces. (Details not shown.) # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit # Configure the HWTACACS scheme. [Switch] hwtacacs scheme hwtac [Switch-hwtacacs-hwtac] primary authorization...
Page 1718
53 2. Verify the configuration: Telnet to the switch as a user and enter the username hello@bbb and the correct password. You pass authentication and log in to the switch. Issuing the display connection command on the switch, you can see information about the user connection. Authentication/authorization for SSH/Telnet users by a RADIUS server The configuration of authentication and authorization for SSH users is similar to that for Telnet users. The following example describes the...
Page 1719
54 NOTE: The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the switch. Figure 14 Adding the switch to IMC as an access device 2. Add a user for device management: a. Click the User tab, and select Device Management User from the navigation tree. b. Click...
Page 1720
55 Figure 15 Adding an account for device management Configuring the switch # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch accesses the server. [Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ip address 10.1.1.2...