HP 5500 Ei 5500 Si Switch Series Configuration Guide
Have a look at the manual HP 5500 Ei 5500 Si Switch Series Configuration Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![Page 1788
123
Figure 48 Network diagram
Configuration procedure
# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address
of the user host, and enable LAN access service for the account.
system-view
[Device] local-user 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-00-e0-fc-12-34-56] quit
# Configure ISP domain aabbcc.net to perform local...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-1787.png "Page 1788
123
Figure 48 Network diagram
Configuration procedure
# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address
of the user host, and enable LAN access service for the account.
system-view
[Device] local-user 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-00-e0-fc-12-34-56] quit
# Configure ISP domain aabbcc.net to perform local...")
![Page 1790
125
# Configure a RADIUS scheme.
system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and
accounting.
[Device] domain 2000
[Device-isp-2000]...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-1789.png "Page 1790
125
# Configure a RADIUS scheme.
system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and
accounting.
[Device] domain 2000
[Device-isp-2000]...")
![Page 1792
127
3.
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication simple abc
[Sysname-radius-2000] key accounting simple abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Apply the RADIUS scheme to an ISP domain fo r authentication, authorization,...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-1791.png "Page 1792
127
3.
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication simple abc
[Sysname-radius-2000] key accounting simple abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Apply the RADIUS scheme to an ISP domain fo r authentication, authorization,...")
126
Max number of on-line users is 256
Current online user number is 1
MAC ADDR Authenticate state Auth Index
00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS 29
# After a user passes MAC authentication, use the display connection command to display online user
information.
display connection
Slot: 1
Index=29 ,Username=aaa@2000
IP=N/A
IPv6=N/A
MAC=00e0-fc12-3456
Total 1 connection(s) matched on slot 1.
Total 1 connection(s) matched.
ACL assignment configuration example
Network requirements
As shown in Figure 50, a h ost connects to the device’s port GigabitEthernet 1/0/1, and the device uses
RADIUS servers to perform authentication, authorization, and accounting.
Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that an
authenticated user can access the Internet but the FTP server at 10.0.0.1.
Use MAC-based user accounts for MAC authentication users. The MAC addresses are hyphen separated
and in lower case.
Figure 50 Network diagram
Configuration procedure
1. Make sure the RADIUS server and the access device can reach each other.
2. Configure the ACL assignment:
# Configure ACL 3000 to deny packets destined for 10.0.0.1.
system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit
127 3. Configure RADIUS-based MAC authentication on the device: # Configure a RADIUS scheme. [Sysname] radius scheme 2000 [Sysname-radius-2000] primary authentication 10.1.1.1 1812 [Sysname-radius-2000] primary accounting 10.1.1.2 1813 [Sysname-radius-2000] key authentication simple abc [Sysname-radius-2000] key accounting simple abc [Sysname-radius-2000] user-name-format without-domain [Sysname-radius-2000] quit # Apply the RADIUS scheme to an ISP domain fo r authentication, authorization, and accounting. [Sysname] domain 2000 [Sysname-isp-2000] authentication default radius-scheme 2000 [Sysname-isp-2000] authorization default radius-scheme 2000 [Sysname-isp-2000] accounting default radius-scheme 2000 [Sysname-isp-2000] quit # Enable MAC authentication globally. [Sysname] mac-authentication # Specify the ISP domain for MAC authentication. [Sysname] mac-authentication domain 2000 # Configure the device to use MAC-based user accounts, and the MAC addresses are hyphen separated and in lowercase. [Sysname] mac-authentication user-name-format mac-address with-hyphen lo\ wercase # Enable MAC authentication for port GigabitEthernet 1/0/1. [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] mac-authentication 4. Configure the RADIUS servers: # Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization AC L for the user account. (Details not shown.) Verifying the configuration After the host passes authentication, perform the display connection command on the device to view online user information. [Sysname-GigabitEthernet1/0/1] display connection Slot: 1 Index=9 , Username=00-e0-fc-12-34-56@2000 IP=N/A IPv6=N/A MAC=00e0-fc12-3456 Total 1 connection(s) matched on slot 1. Total 1 connection(s) matched. Ping the FTP server from the host to verify that the ACL 3000 has been assigned to port GigabitEthernet 1/0/1 to deny access to the FTP server. C:\>ping 10.0.0.1 Pinging 10.0.0.1 with 32 bytes of data:
128
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
129 Configuring portal authentication The IPv6 portal configuration is available only on the HP 5500 EI switch series. Overview Portal authentication helps control access to the Internet. It is also called web authentication. A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the port al website; but to access the Internet, a user must pass portal authentication. A user can access a known portal website and enter a username and password for authentication. This authentication mode is called active authenticati on. There is another authentication mode, forced authentication, in which the access device forces a user who is trying to access the Internet through Hypertext Transfer Protocol (HTTP) to log on to a portal website for authentication. The portal feature provides the flexibility for Internet service providers (ISPs) to manage services. A portal website can, for example, present advertisements an d deliver community and personalized services. In this way, broadband network providers, equipment vendors, and content service providers form an industrial ecological system. Extended portal functions By forcing patching and anti-v irus policies, extended portal functions help users to defend against viruses. Portal authentication supports the following extended functions: • Security check —Works after identity authentication succeeds to check whether the required anti-virus software, virus definition file, and operating system patches are installed, and whether there is any unauthorized software installed on the user host. • Resource access restriction —Allows users passing identity authentication to access only network resources in the quarantined area, such as the an ti-virus server and the patch server. Only users passing both identity authentication and security check can access restricted network resources. Portal system components A typical portal system comprises these basic components: authentication client, access device, portal server, authentication/accounting server, and security policy server.
130 Figure 51 Portal system components Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or a portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server. Access device Access devices control user access. An access devi ce can be a switch or router that provides the following functions: • Redirecting all HTTP requests from unauthenticated users to the portal server. • Interacting with the portal server, the security policy server, and the authentication/accounting server for identity authentication, security check, and accounting. • Allowing users who have passed identity authentication and security check to access granted Internet resources. Portal server A portal server listens to authentication requests from authentication clients and exchanges client authentication information with the access device. It provides free portal services and pushes web authentication pages to users. NOTE: A portal server can be an entity independent of th e access device or an entity embedded in the access device. In this document, the term portal server refers to an independen t portal server, and the term local portal server refers to an embedded portal server. Only the HP 5500 EI series support an independent portal server. Authentication/accounting server An authentication/accounting server implements user authentication and accounting through interaction with the access device. Only a RADIUS server can serve as the remote authentication/accounting server in a portal system.
131 Security policy server A security policy server interacts with authentication clients and access devices for security check and resource authorization. The components of a portal system interact in the following procedure: 1. When an unauthenticated user enters a website address in the browser’s address bar to access the Internet, an HTTP request is crea ted and sent to the access device, which redirects the HTTP request to the portal server’s web authentication homepage. For extended portal functions, authentication clients must run the portal client software. 2. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal se rver then transfers to the access device. 3. Upon receipt of the authentication informatio n, the access device communicates with the authentication/accounting server fo r authentication and accounting. 4. After successful authentication, th e access device checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access device and the security policy server for security check. If the client passes security check, the security policy server authorizes the user to access the Internet resources. NOTE: To implement security check, the client must be the HP iNode client. Portal authentication supports NAT traversal whether it is initiated by a web client or an HP iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, netw ork address translations performed on the access device do not affect portal authentication. However, in such a case, HP recommends using an interface’s public IP address as the source address of outgoing portal packets. Portal system using the local portal server System components In addition to use a separate device as the portal se rver, a portal system can also use the local portal server function of the access device to authenticate web users directly. A portal system using the local portal server does not support extended portal functi ons. No security policy server is needed for local portal service. In this case, the portal system cons ists of only three components: authentication client, access device, and authentication/accounting server, as shown in Figure 52. Figure 52 Portal system using the local portal server NOTE: The local portal server function of the access device implements only some simple portal server functions. It only allows users to log on and log off through the web interface. It cannot take the place of an independent portal server.
132 Protocols used for interaction between the client and local portal server HTTP and Hypertext Transfer Protocol Secure (HTTPS) can be used for interaction between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text; if HTTPS is used, secure data transmission is ensured because HTTPS pack ets are transferred in cipher text based on SSL. Authentication page customization support The local portal server function allows you to customize authentication pages. You can customize authentication pages by editing the corresponding HTML files and then compress and save the files to the storage medium of the device. A set of customized authentication pages consists of six authentication pages—the logon page, the logon success page, the online page, the logoff success page, the logon failure page, and the system busy page. A local port al server will push a corresponding authentication page at each authentication phase. If you do not customize the authentication pages, the local portal server will push the default authentication pages. For the rules of customizing authentication pages, see Customizing authentication pages. Portal authentication modes Portal authentication may work at Layer 2 or Layer 3 of the OSI model. Layer 2 portal authentication You can enable Layer 2 portal authentication on an access device’s Layer 2 ports that connect authentication clients, so that only clients whose MAC addresses pass authentication can access the external network. Only the local portal server provided by the access device supports Layer 2 portal authentication. Layer 2 portal authentication allows the authentication server to assign different VLANs according to user authentication results so that access devices can thereby control user access to resources. After a client passes authentication, the authentication server can assign an authorized VLAN to allow the user to access the resources in the VLAN. If a client fails authentication, the authentication server can assign an Auth-Fail VLAN. Layer 3 portal authentica tion does not support VLAN assignment. Layer 3 portal authentication (available only on the HP 5500 EI series) You can enable Layer 3 authentication on an access device’s Layer 3 interfaces that connect authentication clients. Portal authentication performed on a Layer 3 interface can be direct authentication, re-DHCP authentication, or cross-subnet authentication. In direct authentication and re-DHCP authentication, no Layer-3 forwarding devices exist between the authentication client and the access device. In cross-subnet authentication, Layer-3 forwarding devices may exist between the authentication client and the access device. • Direct authentication Before authentication, a user manu ally configures a public IP address or directly obtains a public IP address through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the network resources. The process of direct authentication is simpler than that of re-DHCP authentication. • Re-DHCP authentication Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resour ces. No public IP address is allocated to those who fail authentication. This solves the IP addr ess planning and allocation problem and can be
133 useful. For example, a service provider can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. The local portal server does not su pport re-DHCP portal authentication. IPv6 portal authentication does not su pport the re-DHCP authentication mode. • Cross-subnet authentication Cross-subnet authentication is si milar to direct authentication, bu t it allows Layer 3 forwarding devices to be present between the authen tication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client’s IP address is used for client identification. After a client passes authentication, the access device generates an access control list (ACL) for the cl ient based on the clients IP address to permit packets from the client to go through the acce ss port. Because no Layer 3 devices are present between the authentication clients and the access device in direct authentication and re-DHCP authentication, the access device can directly le arn the clients’ MAC addresses, and can enhance the capability of controlling packet forwarding by also using the learned MAC addresses. Portal support for EAP (available only on the HP 5500 EI series) Authentication by using the username and password is less secure. Digital certificate authentication is usually used to ensure higher security. The Extensible Authentication Protocol (EAP) support s several digital certificate-based authentication methods, for example, EAP-TLS. Working together with EAP, portal authentication can implement digital certificate-based user authentication. Figure 53 Portal support for EAP working flow diagram As shown in Figure 53, the authentication client and the portal server exchange EAP authentication packets. The portal server and the access device exch ange portal authentication packets that carry the EAP-Message attributes. The access device and the RADIUS server exchange RADIUS packets that carry the EAP-Message attributes. The RADIUS server that supports the EAP server function processes the EAP packets encapsulated in the EAP-Message attributes, and provides the EAP authentication result. During the whole EAP authentication process, the access device does not process the packets that carry the EAP-Message attributes but only transports them between the portal server and the RADIUS server. Therefore, no additional configuration is needed on the access device. NOTE: • To use portal authentication that supports EAP, the portal server and client must be the IMC portal server and the iNode portal client. • Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication.
134 Layer 2 portal authentication process Figure 54 Local Layer 2 portal authentication process Local Layer 2 portal authentication takes the following procedure: 1. The portal authentication client sends an HTTP or HTTPS request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which then pushes a web authentication page to the authentication client. The user types the username and password on the web authentication page. The listening IP addr ess of the local portal server is the IP address of a Layer 3 interface on the access device that can communicate with the portal client. Usually, it is a loopback interface’s IP address. 2. The access device and the RADIUS server exchan ge RADIUS packets to authenticate the user. 3. If the user passes RADIUS authentication, the local portal server pushes a logon success page to the authentication client. Authorized VLAN Layer 2 portal authentication supports VLAN assignment by the authentication server. After a user passes portal authentication, if the authentication server is configured with an authorized VLAN for the user, the authentication server assigns the authorized VLAN to the access device. Then, the access device adds the user to the authorized VLAN and generates a MAC VLAN entry. If the authorized VLAN does not exist, the access device first creates the VLAN. By deploying the authorized VLAN assignment function, you can control which authenticated users can access which network resources. Auth-Fail VLAN The Auth-Fail VLAN feature allows users failing au thentication to access a VLAN that accommodates network resources such as the patches server, virus definitions server, client software server, and anti-virus software server, so that the users can upgrade their client software or other programs. Such a VLAN is called an Auth-Fail VLAN. Layer 2 portal authentication support s Auth-Fail VLAN on a port that performs MAC-based access control. With an Auth-Fail VLAN configured on a port, if a user on the port fails authentication, the access devices creates a MAC VLAN entry based on the MAC address of the user and adds the user to the Auth-Fail VLAN. Then, the user can access the non-HTTP resources in the Auth-Fail VLAN, and all HTTP requests of the user will be redirected to the authentication page. If the user passes authentication, the access device adds the user to the assigned VLAN or return the us er to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN. If the user fails the authentication, the access device keeps the user in the Auth-Fail VLAN. If an access port receives no traffic from a user in the Auth-Fail VLAN during a specified period of time (90 seconds by default), it removes the user from the Auth-Fail VLAN and adds the user to the initial VLAN of the port.
135 NOTE: After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client needs to be automatically or manually updated to make sure that the client can communicate with the hosts in the VLAN. Assignment of authorized ACLs The device can use ACLs to control user access to network resources and limit user access rights. With authorized ACLs specified on the authentication server, when a user passes authentication, the authentication server assigns an authorized ACL for the user, and the device filters traffic from the user on the access port according to the authorized ACL. You must configure the authorized ACLs on the access device if you specify authorized ACLs on the authentication server. To change the access right of a user, specify a different authorized ACL on the authentication server or change the rules of the corresponding authorized ACL on the device. Layer 3 portal authentication process (available only on the HP 5500 EI series) Direct authentication and cross-subnet authentication share the same authentication process, while re-DHCP authentication has a different process be cause of the presence of two address allocation procedures. Direct authentication/cross-subnet authentica tion process (with CHAP/PAP authentication) Figure 55 Direct authentication/cross-s ubnet authentication process The direct authentication/cross-subnet authentication takes the following procedure: 1. An authentication client initiates authentication by sending an HTTP request. When the HTTP packet arrives at the access device, the access device allows it to pass if it is destined for the portal server or a predefined free website, or redirects it to the portal server if it is destined for other websites. The portal server pushes a web authenti cation page to the user and the user enters the username and password. 2. The portal server and the access device exchan ge Challenge Handshake Authentication Protocol (CHAP) messages. For Password Authentication Protocol (PAP) authentication, this step is skipped.