HP 5500 Ei 5500 Si Switch Series Configuration Guide
3. Specify the portal group to which the portal service backup interface belongs.
   Command: portal backup-group group-id
   Remarks: By default, the portal service backup interface does not belong to any portal group. The portal service backup interfaces on the two devices for stateful failover must belong to the same portal group.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Specify the device ID in stateful failover mode.
   Command: nas device-id device-id
   Remarks: By default, the device operates in stand-alone mode and thus has no device ID configured. For more information about the command, see Security Command Reference.
6. Specify the backup source IP address for RADIUS packets to be sent.
   Command: radius nas-backup-ip ip-address
   or: radius scheme radius-scheme-name nas-backup-ip ip-address
   Remarks: Optional. Use either approach. By default, no backup source IP address is specified. You do not need to specify the backup source IP address if the device uses the virtual IP address of the VRRP group to which the uplink belongs as the source IP address of outgoing RADIUS packets. For more information about the commands, see Security Command Reference.

After you configure portal stateful failover for two devices, note the following issues:
• In stateful failover mode, the device does not support re-DHCP portal authentication on the portal service backup interface.
• In stateful failover mode, if a user on either device is logged out, the information of the user on the other device is deleted, too. You can log off a user on the device or on the portal server. For example, you can use the cut connection and portal delete-user commands on the device to log off users.
• Specifying or changing the device ID of a device logs off all online users on the device. Therefore, perform the configuration only when necessary and, after the configuration, save the configuration and restart the device.
• Do not delete the configured backup source IP addresses. Otherwise, online users on the backup device may not be able to receive packets from the server.

Specifying an auto redirection URL for authenticated portal users

After a user passes portal authentication, if the access device is configured with an auto redirection URL, it redirects the user to the URL after a specified period of time.
Follow these guidelines to specify an auto redirection URL for authenticated portal users:
• To use this feature for remote Layer 3 portal authentication, the portal server must be the IMC portal server that supports the page auto-redirection function.
• The wait-time period option is effective only for local portal authentication.
• When no auto redirection URL is specified for authenticated portal users, an authenticated user is usually redirected to the URL the user typed in the address bar before portal authentication. However, with local portal authentication, if the URL a user typed in the address bar before portal authentication is more than 255 characters, the user cannot be redirected to that URL after passing portal authentication.

To specify an auto redirection URL for authenticated portal users:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify an auto redirection URL for authenticated portal users.
   Command: portal redirect-url url-string [ wait-time period ]
   Remarks: By default, an authenticated user is redirected to the URL the user typed in the address bar before portal authentication.

Configuring portal detection functions

Configuring online Layer 2 portal user detection

Only Layer 2 portal authentication supports this feature.

After a Layer 2 portal user gets online, the device starts a detection timer for the user and checks at each interval whether the user's MAC address entry has been aged out or has been matched (a match means a packet has been received from the user). If the device finds no MAC address entry for the user or receives no packets from the user during two successive detection intervals, it considers that the user has gone offline and clears the authentication information of the user.

To set the Layer 2 portal user detection interval:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Set the Layer 2 portal user detection interval.
   Command: portal offline-detect interval offline-detect-interval
   Remarks: 300 seconds by default.

Configuring the portal server detection function (available only on the HP 5500 EI series)

Only Layer 3 portal authentication supports this feature.
During portal authentication, if the communication between the access device and the portal server is broken, new portal users cannot log on and online portal users cannot log off normally. To address this problem, the access device must be able to detect reachability changes of the portal server quickly and take corresponding actions. For example, after the access device detects that the portal server is unreachable, it allows portal users to access network resources without authentication. This function is referred to as portal authentication bypass. It allows for flexible user access control.

With the portal server detection function, the device can detect the status of a specific portal server. The specific configurations include:

1. Detection methods (you can choose either or both):
   ◦ Probing HTTP connections: The access device periodically sends TCP connection requests to the HTTP service port of the portal servers configured on its interfaces. If the TCP connection with a portal server can be established, the access device considers that the probe succeeds (the HTTP service of the portal server is open and the portal server is reachable). If the TCP connection cannot be established, the access device considers that the probe fails and the portal server is unreachable.
   ◦ Probing portal heartbeat packets: A portal server that supports the portal heartbeat function (only the IMC portal server supports this function) sends portal heartbeat packets to portal access devices periodically. If an access device receives a portal heartbeat packet or an authentication packet within a probe interval, the access device considers that the probe succeeds and the portal server is reachable; otherwise, it considers that the probe fails and the portal server is unreachable.
2. Probe parameters:
   ◦ Probe interval: Interval at which probe attempts are made.
   ◦ Maximum number of probe attempts: Maximum number of consecutive probe attempts allowed. If the number of consecutive failed probes reaches this value, the access device considers that the portal server is unreachable.
3. Actions to be taken when the server reachability status changes (you can choose one or more):
   ◦ Sending a trap message: When the status of a portal server changes, the access device sends a trap message to the network management server (NMS). The trap message contains the portal server name and the current state of the portal server.
   ◦ Sending a log: When the status of a portal server changes, the access device sends a log message. The log message indicates the portal server name and the current state and original state of the portal server.
   ◦ Disabling portal authentication (enabling portal authentication bypass): When the device detects that a portal server is unreachable, it disables portal authentication on the interfaces that use the portal server (allowing all portal users on the interfaces to access network resources). When the device receives portal heartbeat packets or authentication packets (such as logon requests and logout requests) from the portal server, it re-enables the portal authentication function.

You can configure any combination of the configuration items described as needed, with respect to the following:
• If both detection methods are specified, a portal server is regarded as unreachable as long as one detection method fails, and an unreachable portal server is regarded as recovered only when both detection methods succeed.
• If multiple actions are specified, the access device executes all the specified actions when the status of a portal server changes.
• The detection function configured for a portal server takes effect on an interface only after you enable portal authentication and reference the portal server on the interface.

To configure the portal server detection function:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the portal server detection function.
   Command: portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]
   Remarks: Not configured by default. The portal server specified in the command must exist. The portal heartbeat detection method works only when the portal server supports the portal server heartbeat function. Only the IMC portal server supports the portal server heartbeat function. To implement detection with this method, you also need to configure the portal server heartbeat function on the IMC portal server and make sure that the product of interval and retry is greater than or equal to the portal server heartbeat interval. HP recommends configuring the interval to be greater than the portal server heartbeat interval configured on the portal server.

Configuring portal user information synchronization (available only on the HP 5500 EI series)

Only Layer 3 portal authentication supports this feature.

Once the device loses communication with a portal server, the portal user information on the device and that on the portal server may be inconsistent after the communication resumes. To solve this problem, the device provides the portal user information synchronization function. This function is implemented by sending and detecting the portal synchronization packet. The process is as follows:
1. The portal server sends the online user information to the access device in a user synchronization packet at the user heartbeat interval, which is set on the portal server.
2. Upon receiving the user synchronization packet, the access device checks the user information carried in the packet against its own. If the device finds a user in the packet that does not exist on the device, it informs the portal server, and the portal server deletes the user. If the device finds that one of its users does not appear in the user synchronization packets within N consecutive synchronization probe intervals (N is equal to the value of retries configured in the portal server user-sync command), it considers that the user does not exist on the portal server and logs the user off.

To configure the portal user information synchronization function:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the portal user information synchronization function.
   Command: portal server server-name user-sync [ interval interval ] [ retry retries ]
   Remarks: Not configured by default. The portal server specified in the command must exist. This function can take effect only when the specified portal server is referenced on the interface connecting the users.
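The following Python model is an added illustration, not HP code and not part of this guide: it traces the two bookkeeping mechanisms described above, the portal server detection function (probe methods, retry count, actions on a status change) and the portal user information synchronization function (a user missing from N consecutive synchronization packets is logged off). The class and function names, the probe results and the user lists are invented; the interval × retry check follows the rule stated in the command remarks.

```python
# Added illustration (not HP code): models the portal server detection function
# and the portal user information synchronization function described in this
# guide so the interval/retry rules can be traced. Class and function names are
# invented; the probe results and user lists below are constructed sample data.
from dataclasses import dataclass, field


def heartbeat_params_ok(interval: int, retry: int, heartbeat_interval: int) -> bool:
    """Guide rule for both functions: interval * retry must be >= the heartbeat
    interval configured on the IMC portal server."""
    return interval * retry >= heartbeat_interval


@dataclass
class PortalServerMonitor:
    """Reachability state of one portal server, per 'server-detect' semantics."""
    name: str
    methods: tuple            # subset of ("http", "portal-heartbeat")
    actions: tuple            # subset of ("log", "trap", "permit-all")
    retry: int                # maximum number of consecutive failed probes
    reachable: bool = True
    failures: dict = field(default_factory=dict)  # consecutive failures per method
    portal_enabled: bool = True                   # False = authentication bypass
    events: list = field(default_factory=list)    # log/trap records on changes

    def probe(self, results: dict) -> bool:
        """Apply one probe round; results maps method -> True (success) / False.
        A method is down once it has failed `retry` times in a row. The server is
        unreachable as soon as one method is down and recovers only when every
        configured method succeeds in the same round."""
        for m in self.methods:
            self.failures[m] = 0 if results[m] else self.failures.get(m, 0) + 1
        any_down = any(self.failures[m] >= self.retry for m in self.methods)
        all_up = all(results[m] for m in self.methods)
        if self.reachable and any_down:
            self._transition(False)
        elif not self.reachable and all_up:
            self._transition(True)
        return self.reachable

    def _transition(self, reachable: bool) -> None:
        """Run every configured action when the reachability status changes."""
        previous = "reachable" if self.reachable else "unreachable"
        self.reachable = reachable
        state = "reachable" if reachable else "unreachable"
        if "trap" in self.actions:   # trap carries server name and current state
            self.events.append(f"TRAP server={self.name} state={state}")
        if "log" in self.actions:    # log also carries the original state
            self.events.append(f"LOG server={self.name} state={state} previous={previous}")
        if "permit-all" in self.actions:  # bypass while unreachable, re-enable on recovery
            self.portal_enabled = reachable


@dataclass
class UserSyncState:
    """Device-side bookkeeping for 'user-sync': N = retry consecutive misses."""
    retry: int
    online: dict = field(default_factory=dict)   # user address -> consecutive misses
    reported_to_server: list = field(default_factory=list)
    logged_off: list = field(default_factory=list)

    def on_sync_packet(self, server_users: set) -> None:
        """Reconcile one user synchronization packet with the local user table."""
        # Users the server lists but the device does not know: report them so
        # the portal server deletes them.
        self.reported_to_server.extend(sorted(server_users - set(self.online)))
        for user in list(self.online):
            if user in server_users:
                self.online[user] = 0
            else:
                self.online[user] += 1
                # Absent from N consecutive packets: treat the user as gone on
                # the server and log the user off on the device.
                if self.online[user] >= self.retry:
                    self.logged_off.append(user)
                    del self.online[user]


def demo() -> dict:
    """Walk both mechanisms over constructed probe results and sync packets."""
    mon = PortalServerMonitor("pserver", ("http", "portal-heartbeat"),
                              ("log", "trap", "permit-all"), retry=3)
    for _ in range(3):                      # HTTP port unreachable three times
        mon.probe({"http": False, "portal-heartbeat": True})
    down = (mon.reachable, mon.portal_enabled)
    mon.probe({"http": True, "portal-heartbeat": False})   # one method still failing
    partial = mon.reachable
    mon.probe({"http": True, "portal-heartbeat": True})    # both succeed: recovered
    up = (mon.reachable, mon.portal_enabled)

    sync = UserSyncState(retry=2, online={"2.2.2.2": 0, "2.2.2.3": 0})
    sync.on_sync_packet({"2.2.2.2", "2.2.2.9"})  # 2.2.2.9 unknown locally; 2.2.2.3 missed once
    sync.on_sync_packet({"2.2.2.2"})             # 2.2.2.3 missed twice -> logged off
    return {"down": down, "partial": partial, "up": up, "events": mon.events,
            "reported": sync.reported_to_server, "logged_off": sync.logged_off,
            "still_online": sorted(sync.online)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the state after each phase: three consecutive HTTP probe failures with retry 3 flip the server to unreachable and, with permit-all configured, switch portal authentication into bypass; a round in which only one method succeeds leaves it unreachable; and the server is marked recovered only when both methods succeed in the same round. The synchronization part shows an unknown user being reported back to the server and a local user being logged off after missing two consecutive packets (retry 2).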
The user information synchronization function requires that a portal server supports the portal user heartbeat function. Only the IMC portal server supports the portal user heartbeat function. To implement the portal user synchronization function, you also need to configure the user heartbeat function on the portal server and make sure the product of interval and retry is greater than or equal to the portal user heartbeat interval. HP recommends that you configure the interval to be greater than the portal user heartbeat interval configured on the portal server.

For redundant user information on the device (information for users who are considered nonexistent on the portal server), the device deletes the information during the (N+1)th interval, where N is equal to the value of retries configured in the portal server user-sync command.

Logging off portal users

Logging off a user terminates the authentication process for the user or removes the user from the authenticated users list.

To log off users:
1. Enter system view.
   Command: system-view
2. Log off users.
   Command: portal delete-user { ipv4-address | all | interface interface-type interface-number | ipv6 ipv6-address }

Displaying and maintaining portal

Task: Display the ACLs on an interface (available only on the HP 5500 EI series).
   Command: display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display portal connection statistics on a specific interface or all interfaces (available only on the HP 5500 EI series).
   Command: display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display information about a portal-free rule or all portal-free rules.
   Command: display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display the portal configuration of an interface.
   Command: display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display configuration information about the local portal server.
   Command: display portal local-server [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display information about a specific portal server or all portal servers (available only on the HP 5500 EI series).
   Command: display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display portal server statistics on a specific interface or all interfaces (available only on the HP 5500 EI series).
   Command: display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display TCP spoofing statistics.
   Command: display portal tcp-cheat statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display information about portal users on a specific interface or all interfaces.
   Command: display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Clear portal connection statistics on a specific interface or all interfaces (available only on the HP 5500 EI series).
   Command: reset portal connection statistics { all | interface interface-type interface-number }
   Remarks: Available in user view
Task: Clear portal server statistics on a specific interface or all interfaces (available only on the HP 5500 EI series).
   Command: reset portal server statistics { all | interface interface-type interface-number }
   Remarks: Available in user view
Task: Clear TCP spoofing statistics.
   Command: reset portal tcp-cheat statistics
   Remarks: Available in user view

Portal configuration examples

The HP 5500 EI series supports Layer 2 and Layer 3 portal authentication. The HP 5500 SI series supports only Layer 2 portal authentication. Therefore, only the example Configuring Layer 2 portal authentication is applicable to the HP 5500 SI series.

Configuring direct portal authentication

Network requirements

As shown in Figure 60:
• The host is directly connected to the switch and the switch is configured for direct authentication. The host is assigned a public network IP address either manually or through DHCP. Before passing portal authentication, users can access only the portal server. After passing portal authentication, users can access Internet resources.
• A RADIUS server serves as the authentication, authorization, and accounting server.
Figure 60 Network diagram
[Figure 60 shows the host (2.2.2.2/24, gateway 2.2.2.1/24) connected to the switch's Vlan-int100 (2.2.2.1/24); the switch's Vlan-int2 (192.168.0.100/24) connects to the portal server (192.168.0.111/24) and the RADIUS server (192.168.0.112/24).]

Configure IP addresses for the host, switch, and servers as shown in Figure 60 and make sure that they can reach each other.

Configure the RADIUS server properly to provide authentication and accounting functions for users.

Configuring the portal server (IMC PLAT 5.0)

This example assumes that the portal server runs on IMC PLAT 5.0(E0101) and IMC UAM 5.0(E0101).

# Configure the portal server.
Log in to IMC and select the Service tab. Then, select User Access Manager > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure 61.
• Configure the portal server parameters as needed. This example uses the default settings.

Figure 61 Portal server configuration

# Configure the IP address group.
Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure 62.
• Enter the IP group name.
• Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group.
• Select a service group. By default, the group Ungrouped is used.
• Select the IP group type Normal.

Figure 62 Adding an IP address group

# Add a portal device.
Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure 63.
• Enter the device name NAS.
• Enter the IP address of the switch's interface connected to the user.
• Enter the key, which must be the same as that configured on the switch.
• Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list.
• Select whether to support server heartbeat and user heartbeat functions. In this example, select No for both Support Server Heartbeat and Support User Heartbeat.

Figure 63 Adding a portal device

# Associate the portal device with the IP address group.
As shown in Figure 64, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page.

Figure 64 Device list

On the port group configuration page, click Add to enter the page shown in Figure 65. Perform the following configurations:
• Enter the port group name.
• Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
• Use the default settings for other parameters.
Figure 65 Adding a port group

# Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.

Configuring the switch

1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit

2. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit