HP 5500 Ei 5500 Si Switch Series Configuration Guide
[Device] domain default enable aabbcc.net

7. Configure 802.1X:
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)
[Device] dot1x port-method macbased interface gigabitethernet 1/0/1

Verifying the configuration
Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information. If the user fails RADIUS authentication, local authentication is performed.

802.1X with guest VLAN and VLAN assignment configuration example
Network requirements
As shown in Figure 45:
• A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X authentication to access the Internet. GigabitEthernet 1/0/2 is in VLAN 1.
• GigabitEthernet 1/0/2 implements port-based access control.
• GigabitEthernet 1/0/3 is in VLAN 5 and is for accessing the Internet.
• The authentication server runs RADIUS and is in VLAN 2.
• The update server in VLAN 10 is for client software download and upgrade.
If no user performs 802.1X authentication on GigabitEthernet 1/0/2 within a period of time, the device adds GigabitEthernet 1/0/2 to its guest VLAN, VLAN 10. The host and the update server are both in VLAN 10, so the host can access the update server and download the 802.1X client software. After the host passes 802.1X authentication, the network access device assigns the host to VLAN 5, where GigabitEthernet 1/0/3 is. The host can then access the Internet.
Figure 45 Network diagram

Configuration procedure
The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and the RADIUS server is not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference.
1. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN. (Details not shown.)
2. Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and the server-assigned VLAN, VLAN 5 in this example. (Details not shown.)
3. Create VLANs, and assign ports to the VLANs.
system-view
[Device] vlan 1
[Device-vlan1] port gigabitethernet 1/0/2
[Device-vlan1] quit
[Device] vlan 10
[Device-vlan10] port gigabitethernet 1/0/1
[Device-vlan10] quit
[Device] vlan 2
[Device-vlan2] port gigabitethernet 1/0/4
[Device-vlan2] quit
[Device] vlan 5
[Device-vlan5] port gigabitethernet 1/0/3
[Device-vlan5] quit
4. Configure a RADIUS scheme:
# Configure RADIUS scheme 2000 and enter its view.
system-view
[Device] radius scheme 2000
# Specify the primary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
[Device-radius-2000] primary authentication 10.11.1.1 1812
[Device-radius-2000] primary accounting 10.11.1.1 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
# Exclude the ISP domain name from the username sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5. Configure an ISP domain:
# Create ISP domain bbb and enter its view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6. Configure 802.1X:
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X for port GigabitEthernet 1/0/2.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dot1x
# Implement port-based access control on the port.
[Device-GigabitEthernet1/0/2] dot1x port-method portbased
# Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode.
[Device-GigabitEthernet1/0/2] dot1x port-control auto
[Device-GigabitEthernet1/0/2] quit
# Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 1/0/2.
[Device] dot1x guest-vlan 10 interface gigabitethernet 1/0/2

Verifying the configuration
Use the display dot1x interface gigabitethernet 1/0/2 command to verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2. If no user passes authentication on the port within a specific period of time, use the display vlan 10 command to verify whether GigabitEthernet 1/0/2 is assigned to VLAN 10.
After a user passes authentication, you can use the display interface gigabitethernet 1/0/2 command to verify that port GigabitEthernet 1/0/2 has been added to VLAN 5.
802.1X with ACL assignment configuration example
Network requirements
As shown in Figure 46, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server. Assign an ACL to GigabitEthernet 1/0/1 to deny 802.1X users access to the FTP server at 10.0.0.1/24 on weekdays during business hours, from 8:00 to 18:00.
Figure 46 Network diagram (Host 192.168.1.10/24 on GE1/0/1; Vlan-int2 192.168.1.1/24; FTP server 10.0.0.1/24; RADIUS server cluster: Auth 10.1.1.1, Acct 10.1.1.2)

Configuration procedure
The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see Security Command Reference.
1. Configure the 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or a server-assigned VLAN. (Details not shown.)
2. Configure the RADIUS servers, user accounts, and the authorization ACL, ACL 3000 in this example. (Details not shown.)
3. Configure the access device:
# Assign IP addresses to interfaces. (Details not shown.)
# Configure the RADIUS scheme.
system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Create an ISP domain and specify RADIUS scheme 2000 as the default AAA scheme for authentication, authorization, and accounting in the domain.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit
# Configure a time range named ftp for weekdays from 8:00 to 18:00.
[Device] time-range ftp 8:00 to 18:00 working-day
# Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 on weekdays during business hours.
[Device] acl number 3000
[Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 time-range ftp
[Device-acl-adv-3000] quit
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x

Verifying the configuration
Use the user account to pass authentication, and then ping the FTP server on any weekday during business hours.
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.
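To reason about what the authorization ACL above actually blocks before deploying it, the following added example (not HP code) evaluates a destination address and a timestamp against rule 0 of ACL 3000 and the ftp time range. The wildcard-mask handling (a 0 bit must match, the CLI's bare 0 meaning 0.0.0.0), the reading of working-day as Monday to Friday, the exclusive 18:00 end boundary, and permit as the default for unmatched traffic are this example's assumptions, not statements from the guide.

```python
from datetime import datetime, time
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics as assumed here: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def in_time_range(when, start, end, working_day):
    """True when 'when' falls inside the periodic time range (assumptions as in the lead-in)."""
    if working_day and when.weekday() > 4:   # assumption: working-day means Monday..Friday
        return False
    return start <= when.time() < end        # assumption: end boundary is exclusive


def acl_3000_verdict(dst, when):
    """Verdict for 'rule 0 deny ip destination 10.0.0.1 0 time-range ftp'.

    The CLI wildcard '0' is written out as 0.0.0.0 here. Traffic that does not match
    the rule is treated as permitted (assumed default action).
    """
    matched = wildcard_match(dst, "10.0.0.1", "0.0.0.0") and in_time_range(
        when, time(8, 0), time(18, 0), working_day=True
    )
    return "deny" if matched else "permit"


if __name__ == "__main__":
    # Constructed sample times: a Wednesday during business hours and a Saturday.
    for stamp in (datetime(2024, 1, 10, 9, 30), datetime(2024, 1, 13, 9, 30)):
        print(stamp, "->", acl_3000_verdict("10.0.0.1", stamp))
```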
Configuring EAD fast deployment
Overview
Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defense capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
EAD fast deployment enables the access device to redirect a user seeking to access the network to download and install the EAD client. This function eliminates the tedious job of deploying EAD clients by hand.
EAD fast deployment is implemented by the following functions:
• Free IP
• URL redirection
Free IP
A free IP is a freely accessible network segment, which has a limited set of network resources such as software and DHCP servers. An unauthenticated user can access only this segment to download the EAD client, obtain a dynamic IP address from a DHCP server, or perform some other tasks to become compliant with the network security strategy.
URL redirection
If an unauthenticated 802.1X user is using a web browser to access the network, the EAD fast deployment function redirects the user to a specific URL, for example, the EAD client software download page. The server that provides the URL must be on the free IP accessible to unauthenticated users.
Configuration prerequisites
• Enable 802.1X globally.
• Enable 802.1X on the port, and set the port authorization mode to auto.
Configuring a free IP
Follow these guidelines when you configure a free IP:
• When a free IP is configured, EAD fast deployment is enabled. To allow a user to obtain a dynamic IP address before passing 802.1X authentication, make sure the DHCP server is on the free IP segment.
• When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP does not take effect.
• If you use the free IP, guest VLAN, and Auth-Fail VLAN features together, make sure that the free IP segments are in both the guest VLAN and the Auth-Fail VLAN. Users can access only the free IP segments.
To configure a free IP:
Step                      Command                                                   Remarks
1. Enter system view.     system-view                                               N/A
2. Configure a free IP.   dot1x free-ip ip-address { mask-address | mask-length }   By default, no free IP is configured.
Configuring the redirect URL
Follow these guidelines when you configure the redirect URL:
• The redirect URL must be on the free IP subnet.
To configure a redirect URL:
Step                            Command               Remarks
1. Enter system view.           system-view           N/A
2. Configure the redirect URL.  dot1x url url-string  By default, no redirect URL is configured.
Setting the EAD rule timer
EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network. The EAD rule timer sets the lifetime of each ACL rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.
To prevent ACL rule resources from being used up, you can shorten the timer when the number of EAD users is large.
To set the EAD rule timer:
Step                        Command                                       Remarks
1. Enter system view.       system-view                                   N/A
2. Set the EAD rule timer.  dot1x timer ead-timeout ead-timeout-value     Optional. The default timer is 30 minutes.
Displaying and maintaining EAD fast deployment
Task                                                                         Command                                                                                                                 Remarks
Display 802.1X session information, statistics, or configuration information. display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]  Available in any view
EAD fast deployment configuration example
Network requirements
As shown in Figure 47, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP addresses. Deploy the EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.
To allow all intranet users to install and update the 802.1X client program from a web server, configure the following:
• Allow unauthenticated users to access the segment 192.168.2.0/24, and to obtain an IP address on the segment 192.168.1.0/24 through DHCP.
• Redirect unauthenticated users to a preconfigured web page when they use a web browser to access any external network except 192.168.2.0/24. The web page allows users to download the 802.1X client program.
• Allow authenticated 802.1X users to access the network.
Figure 47 Network diagram
In addition to the configuration on the access device, complete the following tasks:
• Configure the DHCP server so that the host can obtain an IP address on the segment 192.168.1.0/24.
• Configure the web server so that users can log in to the web page to download 802.1X clients.
• Configure the authentication server to provide authentication, authorization, and accounting services.
Configuration procedure
1. Configure an IP address for each interface. (Details not shown.)
2. Configure DHCP relay:
# Enable DHCP.
system-view
[Device] dhcp enable
# Configure a DHCP server for a DHCP server group.
[Device] dhcp relay server-group 1 ip 192.168.2.2
# Enable the relay agent on VLAN interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select relay
# Correlate VLAN interface 2 to the DHCP server group.
[Device-Vlan-interface2] dhcp relay server-select 1
[Device-Vlan-interface2] quit
3. Configure a RADIUS scheme and an ISP domain. For more information about the configuration procedure, see Configuring 802.1X.
4. Configure 802.1X:
# Configure the free IP.
[Device] dot1x free-ip 192.168.2.0 24
# Configure the redirect URL for client software download.
[Device] dot1x url http://192.168.2.3
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on the port.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x

Verifying the configuration
Use the display dot1x command to display the 802.1X configuration. After the host obtains an IP address from a DHCP server, use the ping command from the host to ping an IP address on the network segment specified by the free IP.
C:\>ping 192.168.2.3
Pinging 192.168.2.3 with 32 bytes of data:
Reply from 192.168.2.3: bytes=32 time
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
The output shows that you can access that segment before passing 802.1X authentication.
If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service. Enter the external website address in dotted decimal notation, for example, 3.3.3.3 or http://3.3.3.3, in the address bar.

Troubleshooting EAD fast deployment
Web browser users cannot be correctly redirected
Symptom
Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their web browsers.
Analysis
Redirection will not happen for one of the following reasons:
• The address is in the string format. The operating system of the host regards the string as a website name and tries to resolve it. If the resolution fails, the operating system sends an ARP request, but the target address is not in the dotted decimal notation. The redirection function does redirect this kind of ARP request.
• The address is within a free IP segment. No redirection will take place, even if no host is present with the address.
• The redirect URL is not in a free IP segment, no server is using the redirect URL, or the server with the URL does not provide web services.
Solution
1. Enter a dotted decimal IP address that is not in any free IP segment.
2. Make sure that the network access device and the server are correctly configured.
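The configuration example and the troubleshooting analysis above share two prerequisites: the redirect URL host and the DHCP server must both lie inside a free IP segment. The following added example (not HP code) checks a saved configuration for those conditions by parsing the dot1x free-ip, dot1x url and dhcp relay server-group lines; the sample configuration is constructed here to mirror the example, and the command syntax matched is the one shown in this chapter.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample that mirrors the EAD configuration example in this chapter.
SAMPLE_CONFIG = """\
dhcp relay server-group 1 ip 192.168.2.2
dot1x free-ip 192.168.2.0 24
dot1x url http://192.168.2.3
"""

FREE_IP_RE = re.compile(r"^\s*dot1x free-ip (\S+) (\S+)\s*$")
URL_RE = re.compile(r"^\s*dot1x url (\S+)\s*$")
DHCP_RE = re.compile(r"^\s*dhcp relay server-group \d+ ip (\S+)\s*$")


def parse_free_ips(config):
    """Return the free IP segments; the mask may be a prefix length or a dotted mask."""
    nets = []
    for line in config.splitlines():
        m = FREE_IP_RE.match(line)
        if m:
            # ipaddress accepts both "24" and "255.255.255.0" after the slash.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def check_ead_config(config):
    """Return a list of problems; an empty list means the guide's prerequisites hold."""
    problems = []
    free_ips = parse_free_ips(config)
    if not free_ips:
        problems.append("no free IP configured, so EAD fast deployment is not enabled")
    for line in config.splitlines():
        url = URL_RE.match(line)
        dhcp = DHCP_RE.match(line)
        if url:
            host = urlparse(url.group(1)).hostname
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                problems.append(f"redirect URL host {host!r} is not a dotted-decimal address")
                continue
            if not any(addr in net for net in free_ips):
                problems.append(f"redirect URL host {addr} is outside every free IP segment")
        elif dhcp:
            addr = ipaddress.ip_address(dhcp.group(1))
            if not any(addr in net for net in free_ips):
                problems.append(f"DHCP server {addr} is outside every free IP segment")
    return problems
```

Run check_ead_config on the output of a display current-configuration capture; a URL given as a host name is reported because unauthenticated hosts cannot resolve it and the segment check cannot be made.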