HP 5500 Ei 5500 Si Switch Series Configuration Guide

56 
[Switch] radius scheme rad 
# Specify the primary authentication server. 
[Switch-radius-rad] primary authentication 10.1.1.1 1812 
# Set the shared key for secure authentication communication to expert. 
[Switch-radius-rad] key authentication expert 
# Configure the scheme to include the domain names in usernames to be sent to the RADIUS server. 
[Switch-radius-rad] user-name-format with-domain 
# Specify the service type for the RADIUS server, which must be  extended when the R ADIUS ser ver runs...

57 
Figure 16 Network diagram 
 
 
Configuration prerequisites 
Configure IP addresses for the devices as shown in Figure 16 and mak e sure devices can reach each 
other. 
Configuring the RADIUS server 
T h i s  e x a m p l e  a s s u m e s  t h a t  t h e  R A D I U S / p o r t a l  s e r v e r  r u n s  o n  I M C  P L AT  5 . 0  ( E 0101) ,  I M C  U A M  5 . 0  
( E 0101) ,  a n d  I M C  C A M S  5 . 0  ( E 0101) .  
1.  Add the switch to IMC as an access device: 
a. Log in to IMC, click the Service...

58 
Figure 17 Adding the switch to IMC as an access device 
 
 
2. Define a charging policy:  
a. Click the  Service tab, and select  Accounting Manager  > Charging Plans  from the navigation 
tree.  
b.  Click  Add. 
c. Configure the following parameters: 
Enter  UserAcct  as the plan name. 
Select Flat rate  as the charging template. 
In the  Basic Plan Settings  field, configure the fixed fee as 120 dollars per month. 
In the  Service Usage Limit  field, set the Usage Threshold  to 120 hours, allowing...

59 
Figure 18 Defining a charging policy 
 
 
3. Add a service: 
a. Click the  Service tab, and select  User Access Manager  > Service Configuration  from the 
navigation tree. 
b.  Click  Add. 
c. Configure the following parameters: 
Enter  Portal-auth/acct  as the service name and  dm1 as the service suffix. The service suffix 
indicates the authentication domain for portal us ers. When the service suffix is configured, you 
must configure the switch to keep the domain names of usernames to be sent to...

60 
4.
 
Create an account for portal users: 
a. Click the  User tab, and select  All Access Users  from the navigation tree. 
b. Click  Add. 
c. Configure the following parameters: 
Select the user hello , or add the user if it does not exist. 
Enter  portal  as the account name and set the password.  
Select the access service  Portal-auth/acct. 
Configure other parameters as needed. 
d.  Click  OK. 
Figure 20  Creating an account for portal users 
 
 
Configuring the portal server 
1. Configuring the...

61 
Figure 21 Portal server configuration 
 
 
2. Configure an IP address group permitted for portal access: 
a. Select  User Access Manager  > Portal Service Management  > IP Group  from the navigation 
tree.  
b.  Click  Add. 
c. Configure the following parameters: 
Enter  Portal_user  as the IP group name. 
Set the start IP address to  192.168.1.1 and the end IP address to 192.168.1.255 . The host IP 
address must be within this IP address group. 
Select  Normal  as the action.  
d. Click  OK. 
Figure...

62 
3.
 
Add the switch to IMC as a portal device: 
a. Select  User Access Manager  > Portal Service Management  > Device from the navigation tree to 
enter the portal device configuration page. Then, click  Add to enter the page for adding a 
portal device, as shown in  Figure 23. 
b. Click  Add. 
c. Configure the following parameters: 
Enter  NAS as the device name. 
Enter  192.168.1.70 as the IP address of the interface on th e switch that uses the portal service. 
Enter  portal  as the key, which...

63 
Figure 24 Portal device list 
 
 
Figure 25 Port group configuration 
 
 
5. Validate the configuration: 
Select  User Access Manager  > Service Parameters  > Validate System Configuration  from the 
navigation tree. 
Configuring the switch 
1.  Configure a RADIUS scheme: 
# Create a RADIUS scheme named  rs1 and enter its view. 
 system-view 
[Switch] radius scheme rs1 
# Set the server type for the RADIUS scheme.  When you use IMC, set the server type to extended. 
[Switch-radius-rs1] server-type...

64 
[Switch-radius-rs1] key authentication expert 
[Switch-radius-rs1] key accounting expert 
# Configure the scheme to keep the domain names in usernames to be sent to the RADIUS server. 
[Switch-radius-rs1] user-name-format with-domain 
[Switch-radius-rs1] quit 
2. Configure an authentication domain: 
# Create an ISP domain named  dm1 and enter its view. 
[Switch] domain dm1 
# Configure the ISP domain to use RADIUS scheme  rs1. 
[Switch-isp-dm1] authentication portal radius-scheme rs1...

65 
IP=192.168.1.58 
IPv6=N/A 
MAC=00-15-E9-A6-7C-FE 
 
Total 1 connection(s) matched. 
AAA for 802.1X users by a RADIUS server 
Network requirements 
As shown in Figure 26, c onfigure the switch to: 
•   Use the RADIUS server for authentication, authorization, and accounting of 802.1X users. 
•   Use MAC-based access control on GigabitEthernet 1/0/1 to authenticate all 802.1X users on the 
port separately. 
•   Keep the domain names in usernames sent to the RADIUS server. 
On the RADIUS server, add a...