HP 5500 EI 5500 SI Switch Series Configuration Guide
Page 1791
Max number of on-line users is 256
Current online user number is 1
MAC ADDR          Authenticate state           Auth Index
00e0-fc12-3456    MAC_AUTHENTICATOR_SUCCESS    29

# After a user passes MAC authentication, use the display connection command to display online user information.
display connection
Slot: 1
Index=29 ,Username=aaa@2000
IP=N/A
IPv6=N/A
MAC=00e0-fc12-3456
Total 1 connection(s) matched on slot 1.
Total 1 connection(s) matched.

ACL assignment...
Page 1792
3. Configure RADIUS-based MAC authentication on the device:

# Configure a RADIUS scheme.
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication simple abc
[Sysname-radius-2000] key accounting simple abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit

# Apply the RADIUS scheme to an ISP domain for authentication, authorization,...
Page 1793
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Page 1794
Configuring portal authentication

The IPv6 portal configuration is available only on the HP 5500 EI switch series.

Overview

Portal authentication helps control access to the Internet. It is also called web authentication. A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website; but to access the Internet, a...
Page 1795
Figure 51 Portal system components

Authentication client

An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or a portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.

Access device

Access devices control user access. An access device can be a switch or router that provides the...
Page 1796
Security policy server

A security policy server interacts with authentication clients and access devices for security check and resource authorization.

The components of a portal system interact in the following procedure:

1. When an unauthenticated user enters a website address in the browser’s address bar to access the Internet, an HTTP request is created and sent to the access device, which redirects the HTTP request to the portal server’s web authentication homepage. For extended...
Page 1797
Protocols used for interaction between the client and local portal server

HTTP and Hypertext Transfer Protocol Secure (HTTPS) can be used for interaction between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text; if HTTPS is used, secure data transmission is ensured because HTTPS packets are transferred in cipher text based on SSL.

Authentication...
Page 1798
useful. For example, a service provider can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. The local portal server does not support re-DHCP portal authentication. IPv6 portal authentication does not support the re-DHCP authentication mode.

• Cross-subnet authentication

Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to be present between the authentication...
Page 1799
Layer 2 portal authentication process

Figure 54 Local Layer 2 portal authentication process

Local Layer 2 portal authentication takes the following procedure:

1. The portal authentication client sends an HTTP or HTTPS request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which then pushes a web authentication page to the authentication client. The user types the username and password on the web authentication...
Page 1800
NOTE: After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client needs to be automatically or manually updated to make sure that the client can communicate with the hosts in the VLAN.

Assignment of authorized ACLs

The device can use ACLs to control user access to network resources and limit user access rights. With authorized ACLs specified on the authentication server, when a user passes authentication, the authentication server assigns an authorized ACL...