HP 5500 Ei 5500 Si Switch Series Configuration Guide

 186 
•  Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is 
in the IP group. 
•   Select a service group. By default, the group  Ungrouped is used. 
•   Select the IP group type  Normal. 
Figure 79  Adding an IP address group 
 
 
# Add a portal device. 
Select User Access Manager  > Portal Service Management  > Device from the navigation tree to enter the 
portal device configuration page. Then, click  Add to enter the page shown in  Figure 63.  
•...

 187 
# Associate the portal device with the IP address group. 
As shown in Figure 64, c
lick the icon in the  Port Group Information Management  column of device NAS 
to enter the port group configuration page.  
Figure 81  Device list 
 
 
On the port group configuration page, click Add to enter the page shown in  Figure 65. P erform the 
following configurations: 
•   Enter the port group name. 
•   Select the configured IP address group. The IP address used by the user to access the network must 
be...

 188 
# Specify the primary authentication server and primary accounting server, and configure the keys 
for communication with the servers.  
[Switch-radius-rs1] primary authentication 192.168.0.112 
[Switch-radius-rs1] primary accounting 192.168.0.112 
[Switch-radius-rs1] key authentication radius 
[Switch-radius-rs1] key accounting radius 
# Configure the access device to not carry the ISP domain name in the username sent to the 
RADIUS server. 
[Switch-radius-rs1] user-name-format without-domain...

 189 
[Switch] portal server newpt user-sync interval 600 retry 2 
The product of interval and retry must be greater than or equal to  the portal user heartbeat interval, 
and HP recommends configuring the  interval as a value greater than the portal user heartbeat 
interval configured on the portal server. 
Verifying the configuration 
Use the following command to view information about the portal server: 
 display portal server newpt 
 Portal server: 
  1)newpt: 
      IP   : 192.168.0.111 
      Key...

 190 
Figure 83 Network diagram 
 
 
Configuration procedures 
Follow these guidelines to configure Layer 2 portal authentication: 
•  Make sure that the host, switch, and servers can reach each other before portal authentication is 
enabled. 
•   Configure the RADIUS server properly to provide normal authentication/authorization/accounting 
functions for users. In this example, you must create a portal user account with the account name 
userpt  on the RADIUS server, and configure an authorized VLAN for...

 191 
# Configure the local portal server to support HTTPS and reference SSL server policy  sslsvr. 
[Switch] portal local-server https server-policy sslsvr 
# Configure the IP address of loopback interface 12 as 4.4.4.4. 
[Switch] interface loopback 12 
[Switch-LoopBack12] ip address 4.4.4.4 32 
[Switch-LoopBack12] quit 
# Specify IP address 4.4.4.4 as th e listening IP address of the local portal server for Layer 2 portal 
authentication. 
[Switch] portal local-server ip 4.4.4.4 
# Enable portal...

 192 
# Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group. 
[Switch] dhcp relay server-group 1 ip 1.1.1.3 
# Enable the DHCP relay agent on VLAN-interface 8. 
[Switch] interface vlan-interface 8 
[Switch-Vlan-interface8] dhcp select relay 
# Correlate DHCP server group 1 with VLAN-interface 8. 
[Switch-Vlan-interface8] dhcp relay server-select 1 
[Switch-Vlan-interface8] quit 
# Enable the DHCP relay agent on VLAN-interface 2. 
[Switch] interface vlan-interface 2...

 193 
  S:Static  D:Dynamic 
  MAC ADDR         MASK             VLAN ID   PRIO   STATE 
  -------------------------------------------------------- 
  0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D 
  Total MAC VLAN address count:1 
If a client fails authentication, it is added to VLAN 2. Use the previously mentioned commands to view the 
assigned IP address and the generated MAC-VLAN entry for the client. 
Troubleshooting portal 
Inconsistent keys on the access device and the portal server...

 194 
Solution 
Use the display portal server  command to display the listening port of the portal server configured on the 
access device and use the  portal server command in the system view to modify it to make sure that it is 
the actual listening port of the portal server.  

 195 
Configuring triple authentication 
Overview 
Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. 
A terminal can access the network if it passes one type of authentication.  
Triple authentication is suitable for a LAN that comprises terminals that require different authentication 
services. For example, the triple authentication-enabled access port in  Figure 84 ca
 n perform MAC 
authentication for the printer, 802.1X authentication for a PC...