
HP 5500 Ei 5500 Si Switch Series Configuration Guide


Page 1731

Specify the ports for authentication and accounting as 1812 and 1813, respectively.
Select LAN Access Service as the service type.
Select HP as the access device type.
Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2.
Leave the default settings in other fields.
d. Click OK.
NOTE:
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address...

Page 1732

Figure 28 Defining a charging policy 
 
 
3. Add a service:
a. Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree.
b. Click Add.
c. Configure the following parameters:
Enter Dot1x auth as the service name and bbb as the service suffix. The service suffix indicates the authentication domain for 802.1X users. When the service suffix is configured, you must configure the switch to keep the domain names of usernames to be sent to the...

Page 1733

Figure 29 Adding a service 
 
 
4. Create an account for 802.1X users:
a. Click the User tab, and select All Access Users from the navigation tree.
b. Click Add.
c. Configure the following parameters:
Select the user test, or add the user if it does not exist.
Enter dot1x as the account name and set the password.
Select the access service Dot1x auth.
Configure other parameters as needed.
d. Click OK.

Page 1734

Figure 30 Creating an account for 802.1X users 
  
 
Configuring the switch 
1. Configure a RADIUS scheme: 
# Create a RADIUS scheme named rad and enter its view.
<Switch> system-view
[Switch] radius scheme rad 
# Set the server type for the RADIUS scheme. When you use IMC, set the server type to extended.
[Switch-radius-rad] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rad]...

Page 1735

# Configure bbb as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable bbb
3. Configure 802.1X authentication:
# Enable 802.1X globally. 
[Switch] dot1x 
# Enable 802.1X for port GigabitEthernet 1/0/1. 
[Switch] interface gigabitethernet 1/0/1 
[Switch-GigabitEthernet1/0/1] dot1x 
[Switch-GigabitEthernet1/0/1] quit 
#...

Page 1736

 Total 1 connection matched.   
As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user.
Level switching authentication for Telnet users by an HWTACACS server
Network requirements
As shown in Figure 31, configure the switch to:
• Use local authentication for the Telnet user and assign the privilege level of 0 to the user after the user passes authentication.
• Use the HWTACACS server for level switching authentication of the Telnet user, and use local...

Page 1737

[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 
[Switch-Vlan-interface2] quit 
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
[Switch] interface vlan-interface 3 
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 
[Switch-Vlan-interface3] quit 
# Enable the switch to provide Telnet service. 
[Switch] telnet server enable 
# Configure the switch to use AAA for Telnet users.  
[Switch] user-interface vty 0 4...

Page 1738

NOTE:
The HWTACACS server in this example runs ACSv4.0.

Add a user named test on the HWTACACS server and configure advanced attributes for the user as shown in Figure 32:
• Select Max Privilege for any AAA Client and set the privilege level to level 3. After these configurations, the user uses the password enabpass when switching to level 1, level 2, or level 3.
• Select Use separate password and specify the password as enabpass.
Figure 32 Configuring advanced attributes for...

Page 1739

Login authentication 
 
Username:test@bbb 
Password: 
<Switch> ?
User view commands: 
  display  Display current system information 
  ping     Ping function 
  quit     Exit from current command view 
  ssh2     Establish a secure shell client connection 
  super    Set the current user priority level 
  telnet   Establish one TELNET connection 
  tracert  Trace route function 
When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as prompted.
<Switch> super 3...

Page 1740

Figure 33 Network diagram 
 
Configuration procedure 
1. Assign an IP address to each interface as shown in Figure 33. (Details not shown.)
2. Configure the NAS: 
# Enable the Telnet server on Switch A.  
<SwitchA> system-view
[SwitchA] telnet server enable 
# Configure Switch A to use AAA for Telnet users. 
[SwitchA] user-interface vty 0 4 
[SwitchA-ui-vty0-4] authentication-mode scheme 
[SwitchA-ui-vty0-4] quit 
# Create RADIUS scheme rad. 
[SwitchA] radius scheme rad 
# Specify the IP address for the...