HP 5500 Ei 5500 Si Switch Series Configuration Guide
Configuring AAA accounting methods for an ISP domain

In AAA, accounting is a separate process at the same level as authentication and authorization. This process sends accounting start/update/end requests to the specified accounting server. Accounting is optional.

AAA supports the following accounting methods:
• No accounting (none)—The system does not perform accounting for the users.
• Local accounting (local)—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account. It does not provide statistics for charging. The maximum number of concurrent users using the same local user account is set by the access-limit command in local user view.
• Remote accounting (scheme)—The NAS works with a RADIUS server or HWTACACS server for accounting. You can configure local or no accounting as the backup method, which is used when the remote server is not available.

By default, an ISP domain uses the local accounting method.

Before configuring accounting methods, complete the following tasks:
1. For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none accounting methods do not require a scheme.
2. Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type, limiting the accounting protocols that can be used for access.
3. Determine whether to configure an accounting method for all access types or service types.

Follow these guidelines when you configure AAA accounting methods for an ISP domain:
• If you configure the accounting optional command, the limit on the number of local user connections is not effective.
• The accounting method specified with the accounting default command is for all types of users and has a priority lower than that for a specific access type.
• If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local option when you configure an accounting method, local accounting is the backup method and is used only when the remote server is not available.
• If you specify only the local or none keyword in an accounting method configuration command, the switch has no backup accounting method and performs only local accounting or does not perform any accounting.
• Accounting is not supported for FTP services.

To configure AAA accounting methods for an ISP domain:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enter ISP domain view.
   Command: domain isp-name
   Remarks: N/A
Step 3. Enable the accounting optional feature.
   Command: accounting optional
   Remarks: Optional. Disabled by default. With the accounting optional feature, a switch allows users to use network resources when no accounting server is available or communication with all accounting servers fails.
Step 4. Specify the default accounting method for all types of users.
   Command: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default accounting method is local for all types of users.
Step 5. Specify the command accounting method.
   Command: accounting command hwtacacs-scheme hwtacacs-scheme-name
   Remarks: Optional. The default accounting method is used by default.
Step 6. Specify the accounting method for LAN users.
   Command: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
   Remarks: Optional. The default accounting method is used by default.
Step 7. Specify the accounting method for login users.
   Command: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default accounting method is used by default.
Step 8. Specify the accounting method for portal users.
   Command: accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default accounting method is used by default.

Tearing down user connections

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Tear down AAA user connections.
   Command: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ]
   Remarks: The command applies only to LAN and portal user connections.

Configuring a NAS ID-VLAN binding

The access locations of users can be identified by their access VLANs.
In application scenarios where identifying the access locations of users is a must, configure NAS ID-VLAN bindings on the switch. Then, when a user gets online, the switch obtains the NAS ID by the access VLAN of the user and sends the NAS ID to the RADIUS server through the NAS-identifier attribute. To configure a NAS ID-VLAN binding:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Create a NAS ID profile and enter NAS ID profile view.
   Command: aaa nas-id profile profile-name
   Remarks: You can apply a NAS ID profile to an interface enabled with portal. See Configuring portal authentication.
Step 3. Configure a NAS ID-VLAN binding.
   Command: nas-id nas-identifier bind vlan vlan-id
   Remarks: By default, no NAS ID-VLAN binding exists.

Specifying the device ID used in stateful failover mode (available only on the HP 5500 EI)

Two switches working in stateful failover mode for portal services are uniquely identified by their device IDs. A device ID can only be 1 or 2. For more information about the stateful failover mode for portal services, see Configuring portal authentication.

Follow these guidelines when you specify the device ID used in stateful failover mode:
• Configuring or changing the device ID of a switch logs out all online users of the switch.
• HP recommends saving the configuration and rebooting the switch after configuring or changing the device ID.
• The device ID is the symbol for stateful failover mode. Do not configure any device ID for a switch working in stand-alone mode.

To specify the device ID used in stateful failover mode:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Specify the device ID used in stateful failover mode.
   Command: nas device-id device-id
   Remarks: By default, a switch works in standalone mode and has no device ID.

Configuring a switch as a RADIUS server

RADIUS server functions configuration task list

Task: Configuring a RADIUS user
   Remarks: Required
Task: Specifying a RADIUS client
   Remarks: Required

Configuring a RADIUS user

This task is to create a RADIUS user and configure a set of attributes for the user on a switch that serves as the RADIUS server. The user attributes include the password, authorization attribute, expiration time, and user description. After completing this task, the specified RADIUS user can use the username and password for RADIUS authentication on the switch.

You can use the authorization-attribute command to specify an authorization ACL and authorized VLAN, which is assigned by the RADIUS server to the RADIUS client (the NAS) after the RADIUS user passes authentication. The NAS then uses the assigned ACL and VLAN to control user access. If the assigned ACL does not exist on the NAS, ACL assignment fails and the NAS forcibly logs out the RADIUS user. If the assigned VLAN does not exist on the NAS, the NAS creates the VLAN and adds the RADIUS user or the access port to the VLAN.

To configure a RADIUS user:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Create a RADIUS user and enter RADIUS server user view.
   Command: radius-server user user-name
   Remarks: No RADIUS user exists by default.
Step 3. Configure a password for the RADIUS user.
   Command: password [ cipher | simple ] password
   Remarks: Optional. By default, no password is specified.
Step 4. Configure the authorization attribute for the RADIUS user.
   Command: authorization-attribute { acl acl-number | vlan vlan-id } *
   Remarks: Optional. Not configured by default.
Step 5. Set the expiration time for the RADIUS user.
   Command: expiration-date time
   Remarks: Optional. By default, no expiration time is set, and the system does not check users' expiration time.
Step 6. Configure a description for the RADIUS user.
   Command: description text
   Remarks: Optional. Not configured by default.

Specifying a RADIUS client

This task is to specify the IP address of a client to be managed by the RADIUS server and configure the shared key. The RADIUS server processes only the RADIUS packets sent from the specified clients.

To specify a RADIUS client:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Specify a RADIUS client.
   Command: radius-server client-ip ip-address [ key [ cipher | simple ] string ]
   Remarks: No RADIUS client is specified by default.
NOTE:
• The IP address of a RADIUS client specified on the RADIUS server must be consistent with the source IP address of outgoing RADIUS packets configured on the RADIUS client.
• The shared key configured on the RADIUS server must be consistent with that configured on the RADIUS client.
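The following is an added example and is not part of the HP guide. It ties together three points from this chapter: the accounting start request a NAS sends (Configuring AAA accounting methods), the NAS-Identifier attribute that carries the NAS ID bound to an access VLAN (Configuring a NAS ID-VLAN binding), and the shared-key consistency rule in the NOTE above. It builds a RADIUS Accounting-Request as a NAS would and verifies its Request Authenticator server-side, showing that a key mismatch makes the request unverifiable. The username hello@bbb and key expert are taken from the page's examples; the NAS ID nas-vlan10, the packet identifier and all function names are assumptions.

```python
"""Added example, not from the HP guide: build the RADIUS Accounting-Request a NAS
sends at accounting start (UDP 1813 on this page) and verify it server-side.
Layout per RFC 2865/2866; all sample values below are constructed."""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4            # RADIUS Code for Accounting-Request
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32    # carries the NAS ID bound to the user's access VLAN
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START = 1              # Acct-Status-Type value for an accounting start

def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_acct_start(identifier: int, username: str, nas_id: str, key: bytes) -> bytes:
    """NAS side. Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    + attributes + shared key), as RFC 2866 specifies."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)))
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + key).digest()
    return header + authenticator + attrs

def verify_acct_request(packet: bytes, key: bytes) -> bool:
    """Server side: recompute the authenticator with the locally configured key.
    A NAS/server key mismatch fails here, and a real server silently drops it."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + key).digest()
    return hmac.compare_digest(received, expected)

def nas_identifier(packet: bytes):
    """Walk the attribute list; return the NAS-Identifier string or None."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None                      # malformed TLV: stop parsing
        if atype == ATTR_NAS_IDENTIFIER:
            return packet[pos + 2:pos + alen].decode()
        pos += alen
    return None

if __name__ == "__main__":
    pkt = build_acct_start(7, "hello@bbb", "nas-vlan10", b"expert")
    print(verify_acct_request(pkt, b"expert"))     # True: keys consistent
    print(verify_acct_request(pkt, b"wrongkey"))   # False: key mismatch
    print(nas_identifier(pkt))                     # nas-vlan10
```

The same recomputation is what a RADIUS server does before it accepts an accounting record, so a mismatched key on either side means the user's session is simply never accounted.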
Displaying and maintaining AAA

Task: Display the configuration information of ISP domains.
   Command: display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display information about user connections.
   Command: display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

AAA configuration examples

AAA for Telnet users by an HWTACACS server

Network requirements

As shown in Figure 11, configure the switch to use the HWTACACS server to provide authentication, authorization, and accounting services for Telnet users. Set the shared keys for secure communication with the HWTACACS server to expert. Configure the switch to remove the domain name from a username before sending the username to the HWTACACS server.

Figure 11 Network diagram

Configuration procedure

1. Configure the switch:

# Assign IP addresses to the interfaces. (Details not shown.)
# Enable the Telnet server on the switch.
system-view
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
[Switch-ui-vty0-4] quit
# Create HWTACACS scheme hwtac.
[Switch] hwtacacs scheme hwtac
# Specify the primary authentication server.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Specify the primary authorization server.
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
# Specify the primary accounting server.
[Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
# Set the shared keys for secure authentication, authorization, and accounting communication to expert.
[Switch-hwtacacs-hwtac] key authentication simple expert
[Switch-hwtacacs-hwtac] key authorization simple expert
[Switch-hwtacacs-hwtac] key accounting simple expert
# Configure the scheme to remove the domain name from a username before sending the username to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Configure the AAA methods for the domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login hwtacacs-scheme hwtac
[Switch-isp-bbb] quit

2. Verify the configuration:

Telnet to the switch as a user and enter the correct username and password. You pass authentication and log in to the switch. Issuing the display connection command on the switch, you can see information about the user connection.

AAA for Telnet users by separate servers

Network requirements

As shown in Figure 12, configure the switch to provide local authentication, HWTACACS authorization, and RADIUS accounting services for Telnet users. Set the shared keys for secure communication with the HWTACACS server and the RADIUS server to expert. Configure the switch to remove the domain name from a username before sending the username to the servers.
Figure 12 Network diagram

Configuration procedure

1. Configure the switch:

# Assign IP addresses to interfaces. (Details not shown.)
# Enable the Telnet server on the switch.
system-view
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
[Switch-ui-vty0-4] quit
# Configure the HWTACACS scheme.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49
[Switch-hwtacacs-hwtac] key authorization expert
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Configure the RADIUS scheme.
[Switch] radius scheme rd
[Switch-radius-rd] primary accounting 10.1.1.1 1813
[Switch-radius-rd] key accounting expert
[Switch-radius-rd] server-type extended
[Switch-radius-rd] user-name-format without-domain
[Switch-radius-rd] quit
# Create a local user named hello.
[Switch] local-user hello
[Switch-luser-hello] service-type telnet
[Switch-luser-hello] password simple hello
[Switch-luser-hello] quit
# Configure the AAA methods for the ISP domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login radius-scheme rd
[Switch-isp-bbb] quit
2. Verify the configuration:

Telnet to the switch as a user and enter the username hello@bbb and the correct password. You pass authentication and log in to the switch. Issuing the display connection command on the switch, you can see information about the user connection.

Authentication/authorization for SSH/Telnet users by a RADIUS server

The configuration of authentication and authorization for SSH users is similar to that for Telnet users. The following example describes the configuration for SSH users.

Network requirements

As shown in Figure 13, configure the switch to use the RADIUS server for SSH user authentication and authorization, and to include the domain name in a username sent to the RADIUS server. Configure IMC to act as the RADIUS server, add an account with the username hello@bbb on the RADIUS server, and configure the RADIUS server to assign the privilege level of 3 to the user after the user passes authentication. Set the shared keys for secure RADIUS communication to expert.

Figure 13 Network diagram

Configuring the RADIUS server

This example assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101).

1. Add the switch to IMC as an access device:
   a. Log in to IMC, click the Service tab, and select User Access Manager > Access Device from the navigation tree.
   b. Click Add.
   c. Configure the following parameters:
      Set the shared key for secure authentication and accounting communication to expert.
      Specify the ports for authentication and accounting as 1812 and 1813, respectively.
      Select Device Management Service as the service type.
      Select HP as the access device type.
      Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2.
   d. Click OK.
NOTE:
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the switch.

Figure 14 Adding the switch to IMC as an access device

2. Add a user for device management:
   a. Click the User tab, and select Device Management User from the navigation tree.
   b. Click Add.
   c. Configure the following parameters:
      Enter hello@bbb as the username and set the password.
      Select SSH as the service type.
      Set the EXEC privilege level to 3. This value identifies the privilege level of the SSH user after login and defaults to 0.
      Specify the IP address range of the hosts to be managed as 10.1.1.0 through 10.1.1.255.
   d. Click OK.
Figure 15 Adding an account for device management

Configuring the switch

# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Generate RSA and DSA key pairs and enable the SSH server.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable
# Configure the switch to use AAA for SSH users.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Configure the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Create RADIUS scheme rad.