HP 5500 Ei 5500 Si Switch Series Configuration Guide
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure authentication communication to expert.
[Switch-radius-rad] key authentication expert
# Configure the scheme to include the domain names in usernames to be sent to the RADIUS server.
[Switch-radius-rad] user-name-format with-domain
# Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on IMC.
[Switch-radius-rad] server-type extended
[Switch-radius-rad] quit
# Configure the AAA methods for the domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad
[Switch-isp-bbb] authorization login radius-scheme rad
[Switch-isp-bbb] quit

Verifying the configuration

After you complete the configuration, the SSH user should be able to use the configured account to access the user interface of the switch and can access the commands of level 0 through level 3.

# Use the display connection command to view the connection information on the switch.
[Switch] display connection
Index=1 ,Username=hello@bbb
IP=192.168.1.58
IPv6=N/A
Total 1 connection(s) matched.

AAA for portal users by a RADIUS server

Network requirements

As shown in Figure 16, the host automatically obtains a public network IP address through DHCP. Configure the switch to:
• Use the RADIUS server for authentication, authorization, and accounting of portal users.
• Provide direct portal authentication so that the host can access only the portal server before passing portal authentication and can access the Internet after passing portal authentication.
• Keep the domain names in usernames sent to the RADIUS server.

On the RADIUS server, add a service that charges 120 dollars for up to 120 hours per month, create an account for portal users, and assign the service to the account. Set the shared keys for secure RADIUS communication to expert. Set the ports for authentication/authorization and accounting to 1812 and 1813, respectively.
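The SSH example above and the portal requirements just listed both depend on two RADIUS scheme settings: the shared key (expert, used on UDP port 1812) and user-name-format with-domain. The following Python script is an added example, not part of the HP guide: it builds the Access-Request a NAS would send for user hello in domain bbb (the password, the NAS IP 10.1.1.2 and the small attribute set are assumptions) and verifies the server's Access-Accept Response Authenticator with the NAS's own copy of the key, which is why a key mismatch between switch and IMC shows up as dropped replies rather than as a rejected login.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types used in this example

def nas_username(user, domain, with_domain=True):
    """Mirror the scheme's user-name-format: with-domain sends user@domain, without-domain sends user."""
    return f"{user}@{domain}" if with_domain else user

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw = pw.ljust(max(16, -(-len(pw) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def attr(code, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(ident, secret, username, password, nas_ip):
    """What the switch sends to UDP/1812; the 16-byte Request Authenticator is random per request."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def build_access_accept(request, secret, attrs=b""):
    """Server side: the reply is bound to the request's authenticator and to the server's key."""
    ident, req_auth = request[1], request[4:20]
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + resp_auth + attrs

def verify_response(request, response, secret):
    """NAS side: accept the reply only if it matches the outstanding request under the NAS's key."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])
```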
Figure 16 Network diagram

Configuration prerequisites

Configure IP addresses for the devices as shown in Figure 16 and make sure the devices can reach each other.

Configuring the RADIUS server

This example assumes that the RADIUS/portal server runs on IMC PLAT 5.0 (E0101), IMC UAM 5.0 (E0101), and IMC CAMS 5.0 (E0101).

1. Add the switch to IMC as an access device:
   a. Log in to IMC, click the Service tab, and select User Access Manager > Access Device from the navigation tree.
   b. Click Add.
   c. Configure the following parameters:
      Set the shared key for secure authentication and accounting communication to expert.
      Specify the ports for authentication and accounting as 1812 and 1813, respectively.
      Select LAN Access Service as the service type.
      Select HP as the access device type.
      Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2.
      Leave the default settings in other fields.
   d. Click OK.

NOTE: The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the switch.
Figure 17 Adding the switch to IMC as an access device

2. Define a charging policy:
   a. Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree.
   b. Click Add.
   c. Configure the following parameters:
      Enter UserAcct as the plan name.
      Select Flat rate as the charging template.
      In the Basic Plan Settings field, configure the fixed fee as 120 dollars per month.
      In the Service Usage Limit field, set the Usage Threshold to 120 hours, allowing the user to access the Internet for up to 120 hours per month.
      Leave the default settings in other fields.
   d. Click OK.
Figure 18 Defining a charging policy

3. Add a service:
   a. Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree.
   b. Click Add.
   c. Configure the following parameters:
      Enter Portal-auth/acct as the service name and dm1 as the service suffix. The service suffix indicates the authentication domain for portal users. When the service suffix is configured, you must configure the switch to keep the domain names of usernames to be sent to the RADIUS server.
      Enter UserAcct as the Charging Plan.
      Configure other parameters as needed.
   d. Click OK.

Figure 19 Adding a service
4. Create an account for portal users:
   a. Click the User tab, and select All Access Users from the navigation tree.
   b. Click Add.
   c. Configure the following parameters:
      Select the user hello, or add the user if it does not exist.
      Enter portal as the account name and set the password.
      Select the access service Portal-auth/acct.
      Configure other parameters as needed.
   d. Click OK.

Figure 20 Creating an account for portal users

Configuring the portal server

1. Configure the portal server:
   a. Click the Service tab, and select User Access Manager > Portal Service Management > Server from the navigation tree.
   b. Enter the URL address of the portal authentication main page in the format http://ip:port/portal, where ip and port are those configured during UAM installation. Usually, the default port 8080 is used. Leave the default settings for other parameters.
   c. Click OK.
Figure 21 Portal server configuration

2. Configure an IP address group permitted for portal access:
   a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree.
   b. Click Add.
   c. Configure the following parameters:
      Enter Portal_user as the IP group name.
      Set the start IP address to 192.168.1.1 and the end IP address to 192.168.1.255. The host IP address must be within this IP address group.
      Select Normal as the action.
   d. Click OK.

Figure 22 Adding an IP address group
3. Add the switch to IMC as a portal device:
   a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure 23.
   b. Click Add.
   c. Configure the following parameters:
      Enter NAS as the device name.
      Enter 192.168.1.70 as the IP address of the interface on the switch that uses the portal service.
      Enter portal as the key, which must be the same as that configured on the switch.
      Set whether to enable IP address reallocation. Because direct portal authentication is used in this example, select No from the Reallocate IP list.
   d. Click OK.

Figure 23 Adding a portal device

4. Associate the portal device with the IP address group:
   a. Click the Port Group Information Management icon for the access device NAS.
   b. Click Add.
   c. Configure the following parameters:
      Enter the port group name.
      Select Portal_user as the IP address group. The IP address used by the user to access the network must be within this IP address group.
      Leave the default settings in other fields.
   d. Click OK.
Figure 24 Portal device list

Figure 25 Port group configuration

5. Validate the configuration:
   Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree.

Configuring the switch

1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When you use IMC, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 10.1.1.1
[Switch-radius-rs1] primary accounting 10.1.1.1
[Switch-radius-rs1] key authentication expert
[Switch-radius-rs1] key accounting expert
# Configure the scheme to keep the domain names in usernames to be sent to the RADIUS server.
[Switch-radius-rs1] user-name-format with-domain
[Switch-radius-rs1] quit

2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable dm1

3. Configure portal authentication:
# Configure the portal server.
[Switch] portal server newpt ip 10.1.1.1 key portal port 50100 url http://10.1.1.1:8080/portal
# Enable portal authentication on the interface connecting the host.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] portal server newpt method direct
[Switch-Vlan-interface2] quit

Verifying the configuration

The user can initiate portal authentication by using the HP iNode client or by accessing a Web page. All initiated Web requests are redirected to the portal authentication page at http://10.1.1.1:8080/portal. Before passing portal authentication, the user can access only the authentication page. After passing portal authentication, the user can access the Internet.

After the user passes the portal authentication, use the following command to view the portal user information on the switch.
[Switch] display portal user interface vlan-interface 2
Index:19  State:ONLINE  SubState:NONE  ACL:NONE  Work-mode:stand-alone
 MAC              IP               Vlan   Interface
 ---------------------------------------------------------------------
 0015-e9a6-7cfe   192.168.1.58     2      Vlan-interface2
Total 1 user(s) matched, 1 listed.

# Use the display connection command to view the connection information on the switch.
[Switch] display connection
Index=20 ,Username=portal@dm1
IP=192.168.1.58
IPv6=N/A
MAC=00-15-E9-A6-7C-FE
Total 1 connection(s) matched.

AAA for 802.1X users by a RADIUS server

Network requirements

As shown in Figure 26, configure the switch to:
• Use the RADIUS server for authentication, authorization, and accounting of 802.1X users.
• Use MAC-based access control on GigabitEthernet 1/0/1 to authenticate all 802.1X users on the port separately.
• Keep the domain names in usernames sent to the RADIUS server.

On the RADIUS server, add a service that charges 120 dollars for up to 120 hours per month and assigns authenticated users to VLAN 4, create an account named dot1x@bbb for 802.1X users, and assign the service to the account. Set the shared keys for secure RADIUS communication to expert. Set the ports for authentication/authorization and accounting to 1812 and 1813, respectively.

Figure 26 Network diagram

Configuration prerequisites

Configure the interfaces and VLANs as shown in Figure 26. Make sure the host can get a new IP address manually or automatically and can access resources in the authorized VLAN after passing authentication.

Configuring the RADIUS server

This example assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101), IMC UAM 5.0 (E0101), and IMC CAMS 5.0 (E0101).

1. Add the switch to IMC as an access device:
   a. Log in to IMC, click the Service tab, and select User Access Manager > Access Device from the navigation tree.
   b. Click Add.
   c. Configure the following parameters:
      Set the shared key for secure authentication and accounting communication to expert.