HP 5500 Ei 5500 Si Switch Series Configuration Guide
• Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group.
• Select a service group. By default, the group Ungrouped is used.
• Select the IP group type Normal.
Figure 79 Adding an IP address group
# Add a portal device.
Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure 80.
• Enter the device name NAS.
• Enter the IP address of the switch's interface connected to the user.
• Enter the key, which must be the same as that configured on the switch.
• Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list.
• Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select Yes for both Support Server Heartbeat and Support User Heartbeat.
Figure 80 Adding a portal device
# Associate the portal device with the IP address group.
As shown in Figure 81, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page.
Figure 81 Device list
On the port group configuration page, click Add to enter the page shown in Figure 82. Perform the following configurations:
• Enter the port group name.
• Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
• Use the default settings for other parameters.
Figure 82 Adding a port group
# Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configure the switch
1. Configure a RADIUS scheme:
# Create RADIUS scheme rs1 and enter its view.
system-view
[Switch] radius scheme rs1
# Configure the server type for the RADIUS scheme. When using the IMC server, configure the RADIUS server type as extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius
The key radius (like the portal server key portal used in step 3) is a placeholder for this example. In production, use long random shared secrets: the RADIUS shared secret is all that protects the User-Password attribute and the packet authenticators exchanged with the server.
# Configure the access device to not carry the ISP domain name in the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
2. Configure an authentication domain:
# Create ISP domain dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable dm1
3. Configure portal authentication:
# Configure a portal server on the switch, making sure that the IP address, port number and URL match those of the actual portal server.
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
The portal URL here is plain HTTP, so the logon page and the credentials typed into it cross the network unencrypted; the Layer 2 portal example later in this chapter uses HTTPS on the local portal server instead.
# Enable portal authentication on the interface connecting the host.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal server newpt method direct
[Switch-Vlan-interface100] quit
4. Configure the portal server detection function:
# Configure the access device to detect portal server newpt, specifying the detection method as portal heartbeat probe, setting the server probe interval to 40 seconds, and specifying the access device to send a server unreachable trap message and disable portal authentication to permit unauthenticated portal users if two consecutive probes fail.
[Switch] portal server newpt server-detect method portal-heartbeat action trap permit-all interval 40 retry 2
The product of interval and retry must be greater than or equal to the portal server heartbeat interval (otherwise a healthy server can miss every probe within the detection window), and HP recommends configuring the interval as a value greater than the portal server heartbeat interval configured on the portal server.
Note that the permit-all action fails open: while the portal server is judged unreachable, every user on the interface gets network access without authenticating. Choose it only where keeping users connected outweighs that risk; otherwise use action trap alone.
5. Configure portal user synchronization:
# Configure the access device to synchronize portal user information with portal server newpt, setting the synchronization probe interval to 600 seconds, and specifying the access device to log off users if the users do not appear in the user synchronization packets sent from the server in two consecutive probe intervals.
[Switch] portal server newpt user-sync interval 600 retry 2
The product of interval and retry must be greater than or equal to the portal user heartbeat interval, and HP recommends configuring the interval as a value greater than the portal user heartbeat interval configured on the portal server.
Verifying the configuration
Use the following command to view information about the portal server:
display portal server newpt
 Portal server:
 1)newpt:
   IP     : 192.168.0.111
   Key    : ******
   Port   : 50100
   URL    : http://192.168.0.111:8080/portal
   Status : Up
Configuring Layer 2 portal authentication
Network requirements
As shown in Figure 83, a host is directly connected to a switch. The switch performs Layer 2 portal authentication on users connected to port GigabitEthernet 1/0/1. More specifically,
• Use the remote RADIUS server for authentication, authorization and accounting.
• Use the remote DHCP server to assign IP addresses to users.
• The listening IP address of the local portal server is 4.4.4.4. The local portal server pushes the user-defined authentication pages to users and uses HTTPS to transmit authentication data.
• Add users passing authentication to VLAN 3.
• Add users failing authentication to VLAN 2, to allow the users to access resources on the update server.
• The host obtains an IP address through DHCP. Before authentication, the DHCP server assigns an IP address in segment 192.168.1.0/24 to the host. When the host passes the authentication, the DHCP server assigns an IP address in segment 3.3.3.0/24 to the host. When the host fails authentication, the DHCP server assigns an IP address in segment 2.2.2.0/24 to the host.
Figure 83 Network diagram
Configuration procedures
Follow these guidelines to configure Layer 2 portal authentication:
• Make sure that the host, switch, and servers can reach each other before portal authentication is enabled.
• Configure the RADIUS server properly to provide normal authentication/authorization/accounting functions for users. In this example, you must create a portal user account with the account name userpt on the RADIUS server, and configure an authorized VLAN for the account.
• On the DHCP server, you must specify the IP address ranges (192.168.1.0/24, 3.3.3.0/24, 2.2.2.0/24), specify the default gateway addresses (192.168.1.1, 3.3.3.1, 2.2.2.1), exclude the update server's address 2.2.2.2 from the address ranges for address allocation, specify the leases for the assigned IP addresses, and make sure there is a route to the host. To shorten the IP address update time in case of an authentication state change, set a short lease for each address.
• Because the DHCP server and the DHCP client are not in the same subnet, you need to configure a DHCP relay agent on the subnet of the client. For more information about DHCP relay agent, see Layer 3—IP Services Configuration Guide.
Perform the following configuration on the switch to implement Layer 2 portal authentication:
1. Configure portal authentication:
# Add Ethernet ports to related VLANs and configure IP addresses for the VLAN interfaces. (Details not shown.)
# Configure PKI domain pkidm, and apply for a local certificate and CA certificate. For more configuration information, see Configuring PKI.
# Edit the user-defined authentication pages file, compress it into a zip file named defaultfile, and save the file in the root directory of the access device.
# Configure SSL server policy sslsvr, and specify to use PKI domain pkidm.
system-view
[Switch] ssl server-policy sslsvr
[Switch-ssl-server-policy-sslsvr] pki pkidm
[Switch-ssl-server-policy-sslsvr] quit
Figure 83 labels: Host on GE1/0/1; Switch (DHCP relay) with Vlan-int1 1.1.1.1, Vlan-int2 2.2.2.1/24, Vlan-int3 3.3.3.1, Vlan-int8 192.168.1.1/24; RADIUS server 1.1.1.2/24; DHCP server 1.1.1.3/24; Update server 2.2.2.2/24; IP network.
# Configure the local portal server to support HTTPS and reference SSL server policy sslsvr.
[Switch] portal local-server https server-policy sslsvr
# Configure the IP address of loopback interface 12 as 4.4.4.4.
[Switch] interface loopback 12
[Switch-LoopBack12] ip address 4.4.4.4 32
[Switch-LoopBack12] quit
# Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal authentication.
[Switch] portal local-server ip 4.4.4.4
# Enable portal authentication on port GigabitEthernet 1/0/1, and specify the Auth-Fail VLAN of the port as VLAN 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] mac-vlan enable
[Switch-GigabitEthernet1/0/1] portal local-server enable
[Switch-GigabitEthernet1/0/1] portal auth-fail vlan 2
[Switch-GigabitEthernet1/0/1] quit
2. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 1.1.1.2
[Switch-radius-rs1] primary accounting 1.1.1.2
[Switch-radius-rs1] key accounting radius
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] quit
3. Configure an authentication domain:
# Create and enter ISP domain triple.
[Switch] domain triple
# Configure AAA methods for the ISP domain.
[Switch-isp-triple] authentication portal radius-scheme rs1
[Switch-isp-triple] authorization portal radius-scheme rs1
[Switch-isp-triple] accounting portal radius-scheme rs1
[Switch-isp-triple] quit
# Configure domain triple as the default ISP domain for all users.
Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable triple
4. Configure the DHCP relay agent:
# Enable DHCP.
[Switch] dhcp enable
# Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group.
[Switch] dhcp relay server-group 1 ip 1.1.1.3
# Enable the DHCP relay agent on VLAN-interface 8.
[Switch] interface vlan-interface 8
[Switch-Vlan-interface8] dhcp select relay
# Correlate DHCP server group 1 with VLAN-interface 8.
[Switch-Vlan-interface8] dhcp relay server-select 1
[Switch-Vlan-interface8] quit
# Enable the DHCP relay agent on VLAN-interface 2.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] dhcp select relay
# Correlate DHCP server group 1 with VLAN-interface 2.
[Switch-Vlan-interface2] dhcp relay server-select 1
[Switch-Vlan-interface2] quit
# Enable the DHCP relay agent on VLAN-interface 3.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] dhcp select relay
# Correlate DHCP server group 1 with VLAN-interface 3.
[Switch-Vlan-interface3] dhcp relay server-select 1
[Switch-Vlan-interface3] quit
Verifying the configuration
Before user userpt accesses a web page, the user is in VLAN 8 (the initial VLAN) and is assigned an IP address on subnet 192.168.1.0/24. When the user accesses a web page on the external network, the web request is redirected to authentication page https://4.4.4.4/portal/logon.htm. After entering the correct username and password, the user passes authentication. Then, the device moves the user from VLAN 8 to VLAN 3, the authorized VLAN.
You can use the display connection ucibindex command to view the online user information.
display connection ucibindex 30
 Slot: 1
  Index=30  , Username=userpt@triple
  MAC=0015-e9a6-7cfe
  IP=192.168.1.2
  IPv6=N/A
  Access=PORTAL ,AuthMethod=PAP
  Port Type=Ethernet,Port Name=GigabitEthernet1/0/1
  Initial VLAN=8, Authorization VLAN=3
  ACL Group=Disable
  User Profile=N/A
  CAR=Disable
  Priority=Disable
  Start=2009-11-26 17:40:02 ,Current=2009-11-26 17:48:21 ,Online=00h08m19s
 Total 1 connection matched.
Use the display mac-vlan all command to view the generated MAC-VLAN entries, which record the MAC addresses passing authentication and the corresponding VLANs.
[Switch] display mac-vlan all
 The following MAC VLAN addresses exist:
 S:Static  D:Dynamic
 MAC ADDR         MASK             VLAN ID   PRIO   STATE
 --------------------------------------------------------
 0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D
 Total MAC VLAN address count:1
If a client fails authentication, it is added to VLAN 2. Use the previously mentioned commands to view the assigned IP address and the generated MAC-VLAN entry for the client.
Troubleshooting portal
Inconsistent keys on the access device and the portal server
Symptom
When a user is forced to access the portal server, the portal server displays a blank web page, rather than the portal authentication page or an error message.
Analysis
The keys configured on the access device and the portal server are inconsistent, causing CHAP message exchange failure. As a result, the portal server does not display the authentication page.
Solution
• Use the display portal server command to check the key configured for the portal server on the access device, and view the key configured for the access device on the portal server. Note that display portal server shows the key masked (Key : ******), so in practice you confirm consistency by re-entering the same key on both sides.
• Use the portal server command to modify the key on the access device, or modify the key for the access device on the portal server, to make sure that the keys are consistent.
Incorrect server port number on the access device
Symptom
After a user passes portal authentication, you cannot force the user to log off by executing the portal delete-user command on the access device, but the user can log off by using the disconnect attribute on the authentication client.
Analysis
When you execute the portal delete-user command on the access device to force the user to log off, the access device actively sends a REQ_LOGOUT message to the portal server. The default listening port of the portal server is 50100. If the port configured on the access device is not the port the portal server actually listens on (50100 by default), the destination port of the REQ_LOGOUT message is not the actual listening port on the server, and the portal server cannot receive the REQ_LOGOUT message.
As a result, you cannot force the user to log off the portal server. When the user uses the disconnect attribute on the client to log off, the portal server actively sends a REQ_LOGOUT message to the access device. The source port is 50100, and the destination port of the ACK_LOGOUT message from the access device is the source port of that REQ_LOGOUT message, so the portal server receives the ACK_LOGOUT message correctly regardless of the listening port configured on the access device. The user can log off the portal server.
Solution
Use the display portal server command to display the listening port of the portal server configured on the access device, and use the portal server command in system view to modify it, to make sure that it is the actual listening port of the portal server.
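The checks behind steps 4 and 5 of the switch configuration (interval times retry against the heartbeat intervals) and behind the two troubleshooting cases above (key and listening port agreeing with the portal server) can be applied to a configuration dump before anyone has to debug a blank logon page. The following is an added example, not HP or IMC code: it parses the portal server lines of a Comware configuration (the switch side is the text from this chapter) and compares them with the portal server side, whose key, listening port and heartbeat intervals are assumed values here, standing in for what an administrator reads off the IMC portal server.

```python
"""Lint the 'portal server' lines of a Comware configuration for the
misconfigurations this chapter describes: a key or listening port that
does not match the portal server, and server-detect or user-sync probe
settings whose interval*retry is shorter than the matching heartbeat
interval. Added example, not HP code. SWITCH_CONFIG is the switch side
from this chapter; ActualServer holds values that are assumed here and
that an administrator would read off the IMC portal server."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SWITCH_CONFIG = """\
portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
portal server newpt server-detect method portal-heartbeat action trap permit-all interval 40 retry 2
portal server newpt user-sync interval 600 retry 2
"""


@dataclass
class PortalServer:
    """What the switch has configured for one portal server."""
    name: str
    ip: str = ""
    key: str = ""
    port: int = 50100            # Comware default when 'port' is omitted
    url: str = ""
    detect_interval: Optional[int] = None
    detect_retry: Optional[int] = None
    sync_interval: Optional[int] = None
    sync_retry: Optional[int] = None


@dataclass
class ActualServer:
    """What the portal server really uses (assumed values, not visible on the switch)."""
    key: str
    listening_port: int
    server_heartbeat: int        # seconds, configured on the portal server
    user_heartbeat: int          # seconds, configured on the portal server


_PROBE = re.compile(r"\binterval (\d+) retry (\d+)")


def parse_portal_servers(config: str) -> Dict[str, PortalServer]:
    """Collect 'portal server NAME ...' lines into one record per server name."""
    servers: Dict[str, PortalServer] = {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["portal", "server"] or len(tokens) < 5:
            continue
        srv = servers.setdefault(tokens[2], PortalServer(tokens[2]))
        if tokens[3] == "ip":    # portal server NAME ip ADDR [key K] [port P] [url U]
            srv.ip = tokens[4]
            opts = dict(zip(tokens[5::2], tokens[6::2]))
            srv.key = opts.get("key", srv.key)
            srv.port = int(opts.get("port", srv.port))
            srv.url = opts.get("url", srv.url)
        elif tokens[3] in ("server-detect", "user-sync"):
            match = _PROBE.search(line)
            if match is None:
                continue
            interval, retry = int(match.group(1)), int(match.group(2))
            if tokens[3] == "server-detect":
                srv.detect_interval, srv.detect_retry = interval, retry
            else:
                srv.sync_interval, srv.sync_retry = interval, retry
    return servers


def lint(switch: PortalServer, actual: ActualServer) -> List[str]:
    """ERROR findings break portal operation; WARN findings are HP recommendations."""
    findings: List[str] = []
    if switch.key != actual.key:
        findings.append("ERROR key differs from the portal server: the CHAP exchange fails "
                        "and users see a blank page")
    if switch.port != actual.listening_port:
        findings.append(f"ERROR port {switch.port} is not the server listening port "
                        f"{actual.listening_port}: REQ_LOGOUT from 'portal delete-user' "
                        "goes to the wrong port")
    for label, interval, retry, heartbeat in (
            ("server-detect", switch.detect_interval, switch.detect_retry, actual.server_heartbeat),
            ("user-sync", switch.sync_interval, switch.sync_retry, actual.user_heartbeat)):
        if interval is None or retry is None:
            continue
        if interval * retry < heartbeat:
            findings.append(f"ERROR {label}: interval*retry = {interval * retry}s is below the "
                            f"{heartbeat}s heartbeat, so a healthy peer can miss every probe")
        elif interval <= heartbeat:
            findings.append(f"WARN {label}: interval {interval}s should exceed the "
                            f"{heartbeat}s heartbeat")
    return findings


if __name__ == "__main__":
    newpt = parse_portal_servers(SWITCH_CONFIG)["newpt"]
    for finding in lint(newpt, ActualServer("portal", 50100, 60, 300)) or ["OK"]:
        print(finding)
```

Run it against the output of display current-configuration instead of SWITCH_CONFIG to check a live switch; the portal server side still has to be typed in, because the switch only shows its own copy of the key (masked) and port.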
Configuring triple authentication
Overview
Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication.
Triple authentication is suitable for a LAN that comprises terminals that require different authentication services. For example, the triple authentication-enabled access port in Figure 84 can perform MAC authentication for the printer, 802.1X authentication for a PC installed with the 802.1X client, and portal authentication for the other PC.
Figure 84 Triple authentication network diagram
For more information about portal authentication, MAC authentication and 802.1X authentication, see Configuring portal authentication, Configuring MAC authentication, and Configuring 802.1X.
Triple authentication mechanism
The three types of authentication are triggered by different packets:
• The access port performs MAC authentication for a terminal when it receives an ARP or DHCP broadcast packet from the terminal for the first time. If the terminal passes MAC authentication, the terminal can access the network. If the MAC authentication fails, the access port performs 802.1X or portal authentication.
• The access port performs 802.1X authentication when it receives an EAP packet from an 802.1X client. If the unicast trigger function of 802.1X is enabled on the access port, any packet from an 802.1X client can trigger an 802.1X authentication.
• The access port performs portal authentication when it receives an HTTP packet from a terminal.
If a terminal triggers different types of authentication, the authentications are processed at the same time. The failure of one type of authentication does not affect the others. When a terminal passes one type of authentication, the other types of authentication being performed are terminated. Then, whether the other types of authentication can be triggered varies:
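The trigger rules in the list above, modeled as an added example that is not part of this guide or of HP's implementation: a classifier maps a raw Ethernet frame to the authentication type(s) it would start on a triple-authentication port, and a small per-MAC state object applies the rules that MAC authentication is only tried on the first ARP/DHCP broadcast, that one failure leaves the other authentications running, and that one pass terminates the rest. The sample frames are constructed inline with zero checksums (they are not captures), and the EtherType and port numbers used to recognize ARP, EAPOL, DHCP and HTTP are the standard values, not anything taken from this page.

```python
"""Model of the trigger rules in 'Triple authentication mechanism' above.
Added example, not HP code: it classifies constructed Ethernet frames into
the authentication type(s) they trigger on a triple-authentication port and
keeps the per-MAC state the text describes (a pass terminates the other
pending authentications, a failure leaves them running). EtherType and port
numbers are the standard values; the sample frames are built here with zero
checksums and are not captured traffic."""
import struct
from enum import Enum
from typing import Dict, Set


class Auth(Enum):
    MAC = "MAC authentication"
    DOT1X = "802.1X authentication"
    PORTAL = "portal authentication"


ETH_IPV4, ETH_ARP, ETH_EAPOL = 0x0800, 0x0806, 0x888E
BROADCAST = b"\xff" * 6
PAE_GROUP = b"\x01\x80\xc2\x00\x00\x03"   # 802.1X PAE group address


def classify_trigger(frame, unicast_trigger=False):
    """Authentication types one frame triggers (before per-MAC state applies)."""
    if len(frame) < 14:
        return set()
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_EAPOL:                  # EAP packet from an 802.1X client
        return {Auth.DOT1X}
    triggered = set()
    if ethertype == ETH_ARP and dst == BROADCAST:
        triggered.add(Auth.MAC)                 # ARP broadcast
    elif ethertype == ETH_IPV4 and len(frame) >= 34:
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        l4 = ip[ihl:]
        if len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            if proto == 17 and dst == BROADCAST and (sport, dport) == (68, 67):
                triggered.add(Auth.MAC)         # DHCP broadcast from a client
            elif proto == 6 and dport == 80:
                triggered.add(Auth.PORTAL)      # HTTP
    if unicast_trigger:
        triggered.add(Auth.DOT1X)               # unicast trigger: any packet may start 802.1X
    return triggered


class TripleAuthPort:
    """Per-MAC authentication state on one triple-authentication access port."""
    def __init__(self, unicast_trigger=False):
        self.unicast_trigger = unicast_trigger
        self.pending: Dict[bytes, Set[Auth]] = {}
        self.online: Dict[bytes, Auth] = {}
        self.mac_auth_tried: Set[bytes] = set()

    def on_frame(self, frame):
        """Return the authentications newly started by this frame."""
        src = frame[6:12]
        if src in self.online:
            return set()                        # already authenticated
        started = classify_trigger(frame, self.unicast_trigger)
        if Auth.MAC in started:
            if src in self.mac_auth_tried:
                started.discard(Auth.MAC)       # MAC auth only on the first ARP/DHCP broadcast
            self.mac_auth_tried.add(src)
        pend = self.pending.setdefault(src, set())
        started -= pend                         # one already running is not restarted
        pend |= started
        return started

    def on_result(self, src, auth, passed):
        """Apply a result; returns the winning type when the terminal comes online."""
        pend = self.pending.get(src, set())
        if auth not in pend:
            return None
        if passed:
            self.online[src] = auth
            del self.pending[src]               # other in-progress authentications are terminated
            return auth
        pend.discard(auth)                      # one failure does not affect the others
        return None


# Constructed sample frames (not captures): just enough headers for the classifier.
def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def _ipv4(proto, payload, src_ip=b"\0\0\0\0", dst_ip=b"\xff\xff\xff\xff"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_ip, dst_ip) + payload


def arp_request(src):
    return _eth(BROADCAST, src, ETH_ARP, struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1, src, b"\0" * 4, b"\0" * 6, b"\xc0\xa8\x01\x01"))


def dhcp_discover(src):
    return _eth(BROADCAST, src, ETH_IPV4, _ipv4(17, struct.pack("!HHHH", 68, 67, 248, 0) + b"\x01" + b"\0" * 239))


def eapol_start(src):
    return _eth(PAE_GROUP, src, ETH_EAPOL, bytes([1, 1, 0, 0]))   # EAPOL v1, EAPOL-Start


def http_syn(src, gateway_mac=b"\x00\x00\x5e\x00\x01\x01"):
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN to port 80
    return _eth(gateway_mac, src, ETH_IPV4, _ipv4(6, tcp, b"\xc0\xa8\x01\x02", b"\x0a\x00\x00\x01"))
```

Walking the printer and the two PCs from Figure 84 through TripleAuthPort shows the behaviour the text describes: the printer's first ARP starts MAC authentication and a later DHCP broadcast starts nothing new; a PC whose MAC authentication fails keeps its pending portal authentication, and an EAPOL-Start from its 802.1X client adds a concurrent 802.1X attempt, the first of which to pass clears the others.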