HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1861
196
• If a terminal passes 802.1X or portal authentication, no other types of authentication will be triggered for the terminal.
• If the terminal passes MAC authentication, no portal authentication can be triggered for the terminal, but 802.1X authentication can be triggered. When the terminal passes 802.1X authentication, the 802.1X authentication information will overwrite the MAC authentication information for the terminal.
Using triple authentication with other features
A triple...
Page 1862
197
Step Command Remarks
3. Configure Layer-2 portal authentication. See Configuring portal authentication MAC-based access control.
HP does not recommend you configure 802.1X guest VLANs for triple authentication.
Triple authentication configuration examples
Triple authentication basic function configuration example
Network requirements
As shown in Figure 85, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer-2 interface...
Page 1863
198
# Configure the local portal server to support HTTP.
system-view
[Switch] portal local-server http
# Configure the IP address of interface loopback 0 as 4.4.4.4.
[Switch] interface loopback 0
[Switch-LoopBack0] ip address 4.4.4.4 32
[Switch-LoopBack0] quit
# Specify the listening IP address of the local portal server for Layer-2 portal authentication as 4.4.4.4.
[Switch] portal local-server ip 4.4.4.4
# Enable Layer-2 portal authentication on GigabitEthernet 1/0/1.
[Switch] interface...
Page 1864
199
[Switch] domain triple
# Configure the default AAA methods for all types of users in the domain.
[Switch-isp-triple] authentication default radius-scheme rs1
[Switch-isp-triple] authorization default radius-scheme rs1
[Switch-isp-triple] accounting default radius-scheme rs1
[Switch-isp-triple] quit
# Configure domain triple as the default domain. If a username input by a user includes no ISP domain name, the authentication scheme of the default domain is used.
[Switch] domain default...
Page 1865
200
• 802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP addresses in 3.3.3.0/24 through DHCP after passing authentication. If the terminal fails authentication, it uses an IP address in 2.2.2.0/24.
• After passing authentication, the printer obtains the IP address 3.3.3.111/24 that is bound with its MAC address through DHCP.
• Use the remote RADIUS server to perform authentication, authorization, and accounting and configure the switch to remove the...
Page 1866
201
# Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.)
# Enable DHCP.
system-view
[Switch] dhcp enable
# Exclude the IP address of the update server from assignment.
[Switch] dhcp server forbidden-ip 2.2.2.2
# Configure IP address pool 1, including the address range, lease and gateway address. A short lease is recommended to shorten the time terminals use to re-acquire IP addresses after the terminals passing or failing...
Page 1867
202
[Switch] portal local-server https server-policy sslsvr
# Configure IP address 4.4.4.4 for interface loopback 12.
[Switch] interface loopback 12
[Switch-LoopBack12] ip address 4.4.4.4 32
[Switch-LoopBack12] quit
# Specify the listening IP address of the local portal server as 4.4.4.4.
[Switch] portal local-server ip 4.4.4.4
# Enable Layer-2 portal authentication on GigabitEthernet 1/0/1 and specify VLAN 2 as the Auth-Fail VLAN, to which terminals failing authentication are added.
[Switch]...
Page 1868
203
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
9. Configure an ISP domain:
# Create an ISP domain named triple.
[Switch] domain triple
# Configure the default AAA methods for all types of users in the domain.
[Switch-isp-triple] authentication default radius-scheme rs1
[Switch-isp-triple] authorization default radius-scheme rs1
[Switch-isp-triple] accounting default radius-scheme rs1
[Switch-isp-triple] quit
# Configure domain triple as the default domain....
Page 1869
204
0002-0002-0001 ffff-ffff-ffff 3 0 D
0015-88f8-0dd7 ffff-ffff-ffff 3 0 D
Total MAC VLAN address count:3
Use the display dhcp server ip-in-use command to view the IP addresses assigned to online users.
[Switch] display dhcp server ip-in-use all
Pool utilization: 0.59%
IP address    Client-identifier/    Lease expiration        Type
              Hardware address
3.3.3.111     0015-88f8-0dd7        Dec 15 2009 17:40:52    Auto:COMMITTED...
Page 1870
205
Configuring port security
Overview
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to a network that requires different authentication methods for different users on a port. Port security prevents unauthorized access to the network by checking the source MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic. Port security can control MAC...