HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1771
[Device] domain default enable aabbcc.net
7. Configure 802.1X:
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)
[Device] dot1x port-method macbased interface gigabitethernet 1/0/1

Verifying the configuration
Use the display dot1x...
Page 1772
Figure 45 Network diagram

Configuration procedure
The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configurations on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference.
1. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Details not shown.)
2. Configure the...
Page 1773
4. Configure a RADIUS scheme:
# Configure RADIUS scheme 2000 and enter its view.
system-view
[Device] radius scheme 2000
# Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
[Device-radius-2000] primary authentication 10.11.1.1 1812
[Device-radius-2000] primary accounting 10.11.1.1 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
# Exclude the ISP domain name...
Page 1774
802.1X with ACL assignment configuration example

Network requirements
As shown in Figure 46, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to GigabitEthernet 1/0/1 to deny the access of 802.1X users to the FTP server at 10.0.0.1/24 on weekdays...
Page 1775
# Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the domain.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit
# Configure a time range ftp for the weekdays from 8:00 to 18:00.
[Device] time-range ftp 8:00 to 18:00 working-day
# Configure ACL 3000 to deny packets destined for the...
Page 1776
Configuring EAD fast deployment

Overview
Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication. EAD fast deployment enables the access device to redirect a user seeking to...
Page 1777
To configure a free IP:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure a free IP.
  Command: dot1x free-ip ip-address { mask-address | mask-length }
  Remarks: By default, no free IP is configured.

Configuring the redirect URL
Follow these guidelines when you configure the redirect URL:
• The redirect URL must be on the free IP subnet.

To configure a redirect URL:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the redirect URL.
  Command: dot1x url...
Page 1778
Task: Display 802.1X session information, statistics, or configuration information.
  Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view

EAD fast deployment configuration example

Network requirements
As shown in Figure 47, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP...
Page 1779
• Configure the authentication server to provide authentication, authorization, and accounting services.

Configuration procedure
1. Configure an IP address for each interface. (Details not shown.)
2. Configure DHCP relay:
# Enable DHCP.
system-view
[Device] dhcp enable
# Configure a DHCP server for a DHCP server group.
[Device] dhcp relay server-group 1 ip 192.168.2.2
# Enable the relay agent on VLAN interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp...
Page 1780
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service. Enter the external website address in dotted decimal notation, for...