HP 5500 Ei 5500 Si Switch Series Configuration Guide
Specifying the HWTACACS authorization servers

You can specify one primary authorization server and up to one secondary authorization server for an HWTACACS scheme. When the primary server is not available, any secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

Follow these guidelines when you specify HWTACACS authorization servers:
• An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
• The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
• You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

To specify HWTACACS authorization servers for an HWTACACS scheme:
1. Enter system view.
   Command: system-view
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
3. Specify HWTACACS authorization servers. Configure at least one of the two commands. No authorization server is specified by default.
   Primary server: primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
   Secondary server: secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *

Specifying the HWTACACS accounting servers and the relevant parameters

You can specify one primary accounting server and up to one secondary accounting server for an HWTACACS scheme. When the primary server is not available, any secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

When the switch receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the switch to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the switch discards the packet.

Follow these guidelines when you specify HWTACACS accounting servers:
• An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time.
• The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
• You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.
• HWTACACS does not support accounting for FTP users.
To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:
1. Enter system view.
   Command: system-view
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
3. Specify HWTACACS accounting servers. Configure at least one of the two commands. No accounting server is specified by default.
   Primary server: primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
   Secondary server: secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
4. Enable buffering of stop-accounting requests to which no responses are received. Optional. Enabled by default.
   Command: stop-accounting-buffer enable
5. Set the maximum number of stop-accounting attempts. Optional. The default setting is 100.
   Command: retry stop-accounting retry-times

Specifying the shared keys for secure HWTACACS communication

The HWTACACS client and HWTACACS server use the MD5 algorithm to authenticate the packets exchanged between them, and use shared keys for packet authentication and user password encryption. Both sides must use the same key for the same type of communication.

To specify a shared key for secure HWTACACS communication:
1. Enter system view.
   Command: system-view
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
3. Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication. No shared key is specified by default.
   Command: key { accounting | authentication | authorization } [ cipher | simple ] key

NOTE: A shared key configured on the switch must be the same as that configured on the HWTACACS server.

Specifying the VPN to which the servers belong (available only on the HP 5500 EI)

After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and accounting servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to that specific VPN.

To specify a VPN for an HWTACACS scheme:
1. Enter system view.
   Command: system-view
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
3. Specify a VPN for the HWTACACS scheme.
   Command: vpn-instance vpn-instance-name

Setting the username format and traffic statistics units

A username is usually in the format userid@isp-name, where isp-name is the name of the ISP domain the user belongs to; the switch uses it to determine which users belong to which ISP domains. However, some HWTACACS servers cannot recognize usernames that contain an ISP domain name. In this case, the switch must remove the domain name from each username before sending it. You can set the username format on the switch for this purpose.

The switch periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and the unit for packets on the switch are consistent with those configured on the HWTACACS servers.

Follow these guidelines when you set the username format and the traffic statistics units for an HWTACACS scheme:
• If an HWTACACS server does not support a username that carries the domain name, configure the switch to remove the domain name before sending the username to the server.
• For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same result: usernames sent to the HWTACACS server carry no ISP domain name.

To set the username format and the traffic statistics units for an HWTACACS scheme:
1. Enter system view.
   Command: system-view
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
3. Set the format for usernames sent to the HWTACACS servers. Optional. By default, the ISP domain name is included in a username.
   Command: user-name-format { keep-original | with-domain | without-domain }
4. Specify the unit for data flows or packets sent to the HWTACACS servers. Optional. The default unit is byte for data flows and one-packet for data packets.
   Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

Specifying a source IP address for outgoing HWTACACS packets

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.

Usually, the source address of outgoing HWTACACS packets can be the IP address of any NAS interface that can communicate with the HWTACACS server. In some special scenarios, however, you must change the source IP address. For example, if a Network Address Translation (NAT) device is present between the NAS and the HWTACACS server, the source IP address of outgoing HWTACACS packets must be a public IP address of the NAS. If the NAS is configured with the Virtual Router Redundancy Protocol (VRRP) for stateful failover, the source IP address of HWTACACS packets can be the virtual IP address of the VRRP group to which the uplink belongs.

You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes whose servers are in a VPN or the public network.

Before sending an HWTACACS packet, a NAS selects a source IP address in this order:
1. The source IP address specified for the HWTACACS scheme.
2. The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
3. The IP address of the outbound interface specified by the route.

To specify a source IP address for all HWTACACS schemes of a VPN or the public network:
1. Enter system view.
   Command: system-view
2. Specify a source IP address for outgoing HWTACACS packets. By default, the IP address of the outbound interface is used as the source IP address.
   Command: hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]

To specify a source IP address for a specific HWTACACS scheme:
1. Enter system view.
   Command: system-view
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
3. Specify a source IP address for outgoing HWTACACS packets. By default, the IP address of the outbound interface is used as the source IP address.
   Command: nas-ip ip-address
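The scheme rules from the sections above (same-IP primary and secondary servers are rejected, no shared key exists by default, simple versus cipher key storage, nas-ip falling back to the outbound interface) can be checked mechanically against a saved configuration. The following Python script is an added example, not HP code or part of this guide; the Comware-style layout it parses, the scheme names and the addresses in its sample configuration are constructed for the example.

```python
"""Audit HWTACACS scheme definitions in a Comware-style configuration text.

Added example, not HP code. It applies rules this guide states: primary and
secondary servers of one type cannot share an IP address (the configuration
fails), no shared key exists by default, a key entered with 'simple' is stored
readably, and without nas-ip the source address follows the outbound interface.
Assumes the usual Comware layout (scheme-view commands indented one space under
'hwtacacs scheme'); SAMPLE_CONFIG is constructed for this example.
"""
import re
from collections import defaultdict

TYPES = ("authentication", "authorization", "accounting")
SERVER_RE = re.compile(r"^(primary|secondary) (authentication|authorization|accounting) (\S+)")
KEY_RE = re.compile(r"^key (authentication|authorization|accounting) (cipher|simple) \S+")

SAMPLE_CONFIG = """\
#
hwtacacs scheme hwtac-weak
 primary authentication 10.1.1.1
 primary authorization 10.1.1.1 49
 secondary authorization 10.1.1.1
 primary accounting 10.1.1.1
 key authentication simple abc123
#
hwtacacs scheme hwtac-ok
 primary authentication 10.2.2.1
 secondary authentication 10.2.2.2
 primary authorization 10.2.2.1
 secondary authorization 10.2.2.2
 primary accounting 10.2.2.1
 secondary accounting 10.2.2.2
 key authentication cipher $c$3$CONSTRUCTED-CIPHERTEXT
 key authorization cipher $c$3$CONSTRUCTED-CIPHERTEXT
 key accounting cipher $c$3$CONSTRUCTED-CIPHERTEXT
 nas-ip 10.2.2.254
#
"""

def parse_schemes(config: str) -> dict:
    """Return {name: {"servers": {(role, type): ip}, "keys": {type: mode}, "nas_ip": ip}}."""
    schemes, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("hwtacacs scheme "):
            current = {"servers": {}, "keys": {}, "nas_ip": None}
            schemes[line.split(maxsplit=2)[2]] = current
        elif current is None or not raw.startswith(" "):
            current = None                 # '#' or an unindented line leaves scheme view
        elif m := SERVER_RE.match(line):
            current["servers"][(m[1], m[2])] = m[3]   # port / vpn-instance suffix ignored
        elif m := KEY_RE.match(line):
            current["keys"][m[1]] = m[2]
        elif line.startswith("nas-ip "):
            current["nas_ip"] = line.split()[1]
    return schemes

def audit(config: str) -> dict:
    """Return {scheme: [finding, ...]}; an empty list means every check passed."""
    findings = defaultdict(list)
    for name, s in parse_schemes(config).items():
        findings.setdefault(name, [])
        for t in TYPES:
            pri, sec = s["servers"].get(("primary", t)), s["servers"].get(("secondary", t))
            if pri and sec and pri == sec:
                findings[name].append(f"{t}: primary and secondary share {pri}; the switch rejects this")
            elif pri and not sec:
                findings[name].append(f"{t}: single server {pri}, no failover")
            if (pri or sec) and s["keys"].get(t) is None:
                findings[name].append(f"{t}: no shared key (the default), so packets are not authenticated")
            elif (pri or sec) and s["keys"][t] == "simple":
                findings[name].append(f"{t}: key entered with 'simple' is readable in the configuration")
        if s["nas_ip"] is None:
            findings[name].append("nas-ip not set; source address follows the outbound interface")
    return dict(findings)

if __name__ == "__main__":
    for scheme, items in audit(SAMPLE_CONFIG).items():
        print(scheme, "OK" if not items else "\n  " + "\n  ".join(items))
```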
Setting timers for controlling communication with HWTACACS servers

The switch uses the following timers to control the communication with an HWTACACS server:
• Server response timeout timer (response-timeout): Defines the HWTACACS request retransmission interval. After sending an HWTACACS request (authentication, authorization, or accounting request), the switch starts this timer. If the switch receives no response from the server before this timer expires, it resends the request.
• Server quiet timer (quiet): Defines the duration to keep an unreachable server in blocked state. If a server is not reachable, the switch changes the server's status to blocked, starts this timer for the server, and tries to communicate with another server in active state. After this timer expires, the switch changes the status of the server back to active.
• Real-time accounting timer (realtime-accounting): Defines the interval at which the switch sends real-time accounting updates to the HWTACACS accounting server for online users. To implement real-time accounting, the switch must send real-time accounting packets to the accounting server for online users periodically.
To set timers for controlling communication with HWTACACS servers:
1. Enter system view.
   Command: system-view
2. Enter HWTACACS scheme view.
   Command: hwtacacs scheme hwtacacs-scheme-name
3. Set the HWTACACS server response timeout timer. Optional. The default HWTACACS server response timeout timer is 5 seconds.
   Command: timer response-timeout seconds
4. Set the quiet timer for the primary server. Optional. The default quiet timer for the primary server is 5 minutes.
   Command: timer quiet minutes
5. Set the real-time accounting interval. Optional. The default real-time accounting interval is 12 minutes.
   Command: timer realtime-accounting minutes

NOTE: Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance.

Displaying and maintaining HWTACACS

• Display the configuration information or statistics of HWTACACS schemes (available in any view):
  display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
• Display information about buffered stop-accounting requests for which no responses have been received (available in any view):
  display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
• Clear HWTACACS statistics (available in user view):
  reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]
• Clear buffered stop-accounting requests that get no responses (available in user view):
  reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]

Configuring AAA methods for ISP domains

You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of default AAA methods, which are local authentication, local authorization, and local accounting by default and can be customized. If you do not configure any AAA methods for an ISP domain, the switch uses the system default AAA methods for authentication, authorization, and accounting of the users in the domain.

Configuration prerequisites

To use local authentication for users in an ISP domain, configure local user accounts (see Configuring local user attributes) on the switch. To use remote authentication, authorization, and accounting, create the required RADIUS and HWTACACS schemes as described in Configuring RADIUS schemes and Configuring HWTACACS schemes.

Creating an ISP domain

In a networking scenario with multiple ISPs, the switch may connect users of different ISPs, and users of different ISPs may have different user attributes, such as different username and password structures, different service types, and different rights. To distinguish the users of different ISPs, configure ISP domains, and configure different AAA methods and domain attributes for the ISP domains.

The switch can accommodate up to 16 ISP domains, including the system predefined ISP domain system. You can specify one of the ISP domains as the default domain. On the switch, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the switch considers the user to belong to the default ISP domain.

To create an ISP domain:
1. Enter system view.
   Command: system-view
2. Create an ISP domain and enter ISP domain view.
   Command: domain isp-name
3. Return to system view.
   Command: quit
4. Specify the default ISP domain. Optional. By default, the default ISP domain is the system predefined ISP domain system.
   Command: domain default enable isp-name

NOTE: To delete the ISP domain that is functioning as the default ISP domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
Configuring ISP domain attributes

In an ISP domain, you can configure the following attributes for all users in the domain:
• Domain status: By placing the ISP domain in the active or blocked state, you allow or deny network service requests from users in the domain.
• Maximum number of online users: The switch controls the number of online users in a domain to ensure system performance and service reliability.
• Idle cut: This function enables the switch to check the traffic of each online user in the domain at the idle timeout interval, and to log out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic.
• Self-service server location: By using the information defined in this attribute, users can access the self-service server to manage their own accounts and passwords.
• Default authorization user profile: If a user passes authentication but is authorized with no user profile, the switch authorizes the default user profile of the ISP domain to the user and restricts the user's behavior based on the profile.

To configure ISP domain attributes:
1. Enter system view.
   Command: system-view
2. Enter ISP domain view.
   Command: domain isp-name
3. Place the ISP domain in active or blocked state. Optional. By default, an ISP domain is in active state, and users in the domain can request network services.
   Command: state { active | block }
4. Specify the maximum number of online users in the ISP domain. Optional. No limit by default.
   Command: access-limit enable max-user-number
5. Configure the idle cut function. Optional. Disabled by default. This command is effective for LAN users and portal users only.
   Command: idle-cut enable minute [ flow ]
6. Enable the self-service server location function and specify the URL of the self-service server. Optional. Disabled by default.
   Command: self-service-url enable url-string
7. Specify the default authorization user profile. Optional. By default, an ISP domain has no default authorization user profile.
   Command: authorization-attribute user-profile profile-name

NOTE:
• For more information about user profiles, see Configuring a user profile.
• A self-service RADIUS server, such as IMC, is required for the self-service server location function to work.

Configuring AAA authentication methods for an ISP domain

In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during an access or service request. The authentication process does not send authorization information to a supplicant or trigger accounting.
AAA supports the following authentication methods:
• No authentication (none): All users are trusted and no authentication is performed. Generally, do not use this method.
• Local authentication (local): Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
• Remote authentication (scheme): The NAS cooperates with a RADIUS or HWTACACS server to authenticate users. Remote authentication provides centralized information management, high capacity, high reliability, and support for centralized authentication service for multiple NASs. You can configure local or no authentication as the backup method, which is used when the remote server is not available. No authentication can only be configured for LAN users as the backup method of remote authentication.

You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method.

Before configuring authentication methods, complete the following tasks:
1. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require a scheme.
2. Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type, limiting the authentication protocols that can be used for access.
3. Determine whether to configure an authentication method for all access types or service types.

Follow these guidelines when you configure AAA authentication methods for an ISP domain:
• The authentication method specified with the authentication default command is for all types of users and has a lower priority than the method for a specific access type.
• With an authentication method that references a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also carries the authorization information, but the authentication process ignores that information.
• If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local option when you configure an authentication method, local authentication is the backup method and is used only when the remote server is not available.
• If you specify only the local or none keyword in an authentication method configuration command, the switch has no backup authentication method and performs only local authentication or does not perform any authentication.
• If the method for level switching authentication references an HWTACACS scheme, the switch by default uses the login username of a user for level switching authentication of the user. If the method for level switching authentication references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on the RADIUS server for level switching authentication, rather than the login username. A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to switch. For example, if user user1 of domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for authentication when the domain name is required and $enab3$ when the domain name is not required.

To configure AAA authentication methods for an ISP domain:
1. Enter system view.
   Command: system-view
2. Enter ISP domain view.
   Command: domain isp-name
3. Specify the default authentication method for all types of users. Optional. The default authentication method is local for all types of users.
   Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
4. Specify the authentication method for LAN users. Optional. The default authentication method is used by default.
   Command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
5. Specify the authentication method for login users. Optional. The default authentication method is used by default.
   Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
6. Specify the authentication method for portal users. Optional. The default authentication method is used by default.
   Command: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
7. Specify the authentication method for privilege level switching. Optional. The default authentication method is used by default.
   Command: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }

Configuring AAA authorization methods for an ISP domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration.

AAA supports the following authorization methods:
• No authorization (none): The NAS performs no authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the NAS, and other login users have only the rights of Level 0 (visiting).
• Local authorization (local): The NAS performs authorization according to the user attributes configured for users.
• Remote authorization (scheme): The NAS cooperates with a RADIUS or HWTACACS server to authorize users. RADIUS authorization is bound to RADIUS authentication: it can work only after RADIUS authentication succeeds, and the authorization information is carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is carried in the authorization response after successful authentication. You can configure local authorization or no authorization as the backup method, which is used when the remote server is not available.

Before configuring authorization methods, complete the following tasks:
1. For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme. Otherwise, it does not take effect.
2. Determine the access type or service type to be configured. With AAA, you can configure an authorization scheme for each access type and service type, limiting the authorization protocols that can be used for access.
3. Determine whether to configure an authorization method for all access types or service types.

Follow these guidelines when you configure AAA authorization methods for an ISP domain:
• The authorization method specified with the authorization default command is for all types of users and has a lower priority than the method for a specific access type.
• If you configure an authentication method and an authorization method that use RADIUS schemes for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails. Whenever RADIUS authorization fails, an error message is sent to the NAS, indicating that the server is not responding.
• If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name [ local | none ] option when you configure an authorization method, local authorization or no authorization is the backup method and is used only when the remote server is not available.
• If you specify only the local or none keyword in an authorization method configuration command, the switch has no backup authorization method and performs only local authorization or does not perform any authorization.

To configure AAA authorization methods for an ISP domain:
1. Enter system view.
   Command: system-view
2. Enter ISP domain view.
   Command: domain isp-name
3. Specify the default authorization method for all types of users. Optional. The default authorization method is local for all types of users.
   Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
4. Specify the command authorization method. Optional. The default authorization method is used by default.
   Command: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
5. Specify the authorization method for LAN users. Optional. The default authorization method is used by default.
   Command: authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
6. Specify the authorization method for login users. Optional. The default authorization method is used by default.
   Command: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
7. Specify the authorization method for portal users. Optional. The default authorization method is used by default.
   Command: authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
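The method-selection rules in the two sections above (a per-access-type method overrides authentication default; local or none acts as backup only when the remote server is unavailable; none backs up LAN users only; the $enab format for RADIUS level switching) are modelled in the following Python code. It is an added example, not HP code or part of this guide; the Method dataclass, the domain dict, the "fail" outcome for a remote method with no backup, and the scheme names hwtac1 and rad1 are this example's own assumptions.

```python
"""Model of how an ISP domain chooses an authentication method and username.

Added example, not HP code; the domain dict is this example's own
representation. Rules taken from this guide: a method for a specific access
type beats 'authentication default'; with 'radius-scheme R local' or
'hwtacacs-scheme H local' the local method is used only when the remote
server is unavailable; 'none' may back up remote authentication for LAN users
only; 'authentication super' takes a RADIUS or HWTACACS scheme and no backup;
for level switching an HWTACACS scheme receives the login username while a
RADIUS scheme receives $enab<level>$ or $enab<level>@<domain>$. Assumed here:
a remote method with no backup fails when the server is unreachable.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Method:
    """One 'authentication <type> ...' line: primary method plus optional backup."""
    primary: str                   # "local", "none", "radius-scheme" or "hwtacacs-scheme"
    scheme: Optional[str] = None   # scheme name for the two remote methods
    backup: Optional[str] = None   # "local" or "none"

def validate(access_type: str, m: Method) -> None:
    """Reject combinations the command syntax in this guide does not offer."""
    if access_type not in ("default", "lan-access", "login", "portal", "super"):
        raise ValueError(f"unknown access type {access_type}")
    if m.primary in ("local", "none") and m.backup is not None:
        raise ValueError("local and none take no backup method")
    if m.backup == "none" and access_type != "lan-access":
        raise ValueError("'none' can back up remote authentication for LAN users only")
    if access_type in ("lan-access", "portal") and m.primary == "hwtacacs-scheme":
        raise ValueError(f"authentication {access_type} cannot reference an HWTACACS scheme")
    if access_type == "super" and (m.primary in ("local", "none") or m.backup):
        raise ValueError("authentication super takes a RADIUS or HWTACACS scheme, no backup")

def is_valid(access_type: str, m: Method) -> bool:
    try:
        validate(access_type, m)
        return True
    except ValueError:
        return False

def effective_method(domain: dict, access_type: str) -> Method:
    """Specific access-type setting wins, then the domain default, then local."""
    return domain.get(access_type) or domain.get("default") or Method("local")

def authenticate_with(domain: dict, access_type: str, remote_reachable: bool) -> str:
    """Method applied to one request: 'local', 'none', 'fail' or '<kind>:<scheme>'."""
    m = effective_method(domain, access_type)
    if m.primary in ("local", "none"):
        return m.primary
    if remote_reachable:
        return f"{m.primary}:{m.scheme}"
    return m.backup or "fail"      # no backup configured: the request cannot succeed

def super_username(login: str, level: int, m: Method, with_domain: bool) -> str:
    """Username sent for level switching; the guide's example is user1@aaa to level 3."""
    userid, _, domain = login.partition("@")
    if m.primary == "hwtacacs-scheme":
        return login if with_domain else userid   # keep-original and without-domain agree
    if m.primary == "radius-scheme":
        return f"$enab{level}@{domain}$" if with_domain and domain else f"$enab{level}$"
    raise ValueError("level switching needs a RADIUS or HWTACACS scheme")

# Constructed domain 'aaa': HWTACACS with local backup for everyone, RADIUS with
# 'none' backup for LAN users, RADIUS for privilege level switching.
DOMAIN_AAA = {
    "default": Method("hwtacacs-scheme", "hwtac1", "local"),
    "lan-access": Method("radius-scheme", "rad1", "none"),
    "super": Method("radius-scheme", "rad1"),
}
for _t, _m in DOMAIN_AAA.items():
    validate(_t, _m)

if __name__ == "__main__":
    for reachable in (True, False):
        print("reachable" if reachable else "down",
              {t: authenticate_with(DOMAIN_AAA, t, reachable) for t in ("login", "lan-access")})
```

Running it with the server down shows the point of the LAN-user rule: login users fall back to local accounts, while LAN users configured with the none backup are admitted without any authentication.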