HP A 5120 Manual
Upon receiving an HTTP packet from a terminal, the access port performs portal authentication on the terminal.

If a terminal triggers different types of authentication, the authentications are processed at the same time. A failure of one type of authentication does not affect the others. When a terminal passes one type of authentication, the other types of authentication being performed are terminated. Whether the other types can be triggered again afterwards depends on which type was passed:
- If the terminal passes 802.1X authentication or portal authentication, no other type of authentication is triggered for the terminal.
- If the terminal passes MAC authentication, portal authentication can no longer be triggered for the terminal, but 802.1X authentication can. When the terminal then passes 802.1X authentication, the 802.1X authentication information overwrites the MAC authentication information for the terminal.

Using triple authentication with other features

A port enabled with the three types of authentication also supports the following extended functions.

VLAN assignment
After a terminal passes authentication, the authentication server assigns a VLAN to the access port for that terminal. The terminal can then access the network resources in the server-assigned VLAN.

Auth-Fail VLAN or MAC authentication guest VLAN
After a terminal fails authentication, the access port:
- Adds the terminal to the Auth-Fail VLAN if the terminal used 802.1X or portal authentication.
- Adds the terminal to the MAC authentication guest VLAN if the terminal used MAC authentication.
A terminal may undergo all three types of authentication. If it fails all of them, the access port adds the terminal to the 802.1X Auth-Fail VLAN.

Detection of online terminals
You can enable an online detection timer to detect online portal clients. The timer defaults to 5 minutes and is not configurable.
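The trigger and termination rules above, written out as a small per-terminal state model so that the ordering cases can be checked one by one. This is an added example, not code from the HP/H3C manual: the method names, the VLAN IDs used in the two demonstration scenarios, and the choice that the most recent failure decides the fallback VLAN until all three methods have failed (the text only fixes the all-three case) are assumptions of the model.

```python
"""Model of how 802.1X, MAC and portal authentication interact on one access port.
Added example; not code from the HP A5120 manual. VLAN IDs and scenarios are assumptions."""

DOT1X, MAC, PORTAL = "802.1X", "MAC", "portal"
METHODS = (DOT1X, MAC, PORTAL)


class Terminal:
    """Authentication state of one terminal (keyed by MAC address on the access port)."""

    def __init__(self, dot1x_auth_fail_vlan, portal_auth_fail_vlan, mac_guest_vlan):
        # VLAN the port falls back to when the named method fails
        self.fail_vlan = {DOT1X: dot1x_auth_fail_vlan,
                          PORTAL: portal_auth_fail_vlan,
                          MAC: mac_guest_vlan}
        self.running = set()       # authentications currently in progress
        self.online_with = None    # method the terminal passed, or None
        self.failed = set()        # methods that have failed since the terminal came up
        self.vlan = None           # VLAN the port currently places the terminal in

    def can_trigger(self, method):
        """Which methods may still be triggered, given what (if anything) has passed."""
        if self.online_with is None:
            return True                       # nothing passed yet: all three run in parallel
        if self.online_with in (DOT1X, PORTAL):
            return False                      # 802.1X or portal passed: no other type is triggered
        return method == DOT1X                # MAC passed: portal is blocked, 802.1X still allowed

    def trigger(self, method):
        """Return True if the port starts this authentication for the terminal."""
        if method not in METHODS:
            raise ValueError(f"unknown method {method}")
        if not self.can_trigger(method):
            return False
        self.running.add(method)
        return True

    def passed(self, method, authorized_vlan=None):
        """`method` succeeded: the other in-progress authentications are terminated and the
        server-assigned VLAN (if any) applies. If MAC authentication had passed earlier,
        the 802.1X result overwrites it."""
        if method not in self.running:
            raise ValueError(f"{method} was not in progress")
        self.running.clear()
        self.failed.clear()
        self.online_with = method
        self.vlan = authorized_vlan

    def failed_auth(self, method):
        """`method` failed: the other in-progress authentications are unaffected."""
        if method not in self.running:
            raise ValueError(f"{method} was not in progress")
        self.running.discard(method)
        self.failed.add(method)
        if self.online_with is not None:
            return                            # already online via another method: nothing changes
        if self.failed == set(METHODS):
            self.vlan = self.fail_vlan[DOT1X]  # failed all three: the 802.1X Auth-Fail VLAN
        else:
            # Model assumption: the most recent failure decides until all three have failed.
            self.vlan = self.fail_vlan[method]


def demo_printer():
    """Printer-like terminal: portal fails, MAC passes, then an 802.1X login on the same MAC."""
    t = Terminal(dot1x_auth_fail_vlan=2, portal_auth_fail_vlan=2, mac_guest_vlan=2)
    for m in METHODS:
        t.trigger(m)
    t.failed_auth(PORTAL)              # 802.1X and MAC keep running, terminal lands in VLAN 2
    t.passed(MAC, authorized_vlan=3)   # in-progress 802.1X/portal terminated, VLAN 3 assigned
    portal_again = t.trigger(PORTAL)   # False: portal can no longer be triggered
    dot1x_again = t.trigger(DOT1X)     # True: 802.1X may still be triggered
    t.passed(DOT1X, authorized_vlan=3) # 802.1X information overwrites the MAC result
    return t, portal_again, dot1x_again


def demo_all_fail():
    """Terminal whose 802.1X, then portal, then MAC authentication all fail (distinct VLAN IDs
    chosen only to make the final placement visible)."""
    t = Terminal(dot1x_auth_fail_vlan=20, portal_auth_fail_vlan=21, mac_guest_vlan=22)
    history = []
    for m in METHODS:
        t.trigger(m)
    for m in (DOT1X, PORTAL, MAC):
        t.failed_auth(m)
        history.append(t.vlan)
    return history


if __name__ == "__main__":
    t, _, _ = demo_printer()
    print("printer online with", t.online_with, "in VLAN", t.vlan)
    print("all-fail VLAN history:", demo_all_fail())
```

The second scenario is the one worth remembering: after the third failure the terminal ends up in the 802.1X Auth-Fail VLAN even though the last method to fail was MAC authentication, so the MAC authentication guest VLAN must not be the only place you expect unauthenticated hosts.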
You can enable the online handshake or periodic online user re-authentication function to detect online 802.1X clients at a configurable interval.

You can enable an offline detection timer to detect online MAC authentication terminals at a configurable interval.

NOTE: For more information about the extended functions, see the chapters "802.1X configuration," "MAC authentication configuration," and "Portal configuration."

Configuring triple authentication

Follow these steps to configure triple authentication:

  To do...                                  Use the command...                                   Remarks
  Configure 802.1X authentication           See the chapter "802.1X configuration"               Required.
  Configure MAC authentication              See the chapter "MAC authentication configuration"   Configure at least one
  Configure Layer-2 portal authentication   See the chapter "Portal configuration"               type of authentication.

NOTE: 802.1X authentication must use MAC-based access control.

Triple authentication configuration examples

Triple authentication basic function configuration example

Network requirements

As shown in Figure 45, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer-2 interface of the switch that connects to the terminals, so that a terminal passing any one of the three authentication methods (802.1X authentication, portal authentication, or MAC authentication) can access the IP network. More specifically:
- Configure static IP addresses in network 192.168.1.0/24 for the terminals.
- Use the remote RADIUS server to perform authentication, authorization, and accounting, and configure the switch to send usernames carrying no ISP domain names to the RADIUS server.
- The local portal authentication server on the switch uses listening IP address 4.4.4.4. The switch sends the default authentication page to the web user and forwards authentication data using HTTP.

Figure 45 Network diagram for triple authentication basic configuration
(Switch: GE1/0/1 to the 802.1X client, printer, and web user; Vlan-int8 192.168.1.1/24 as their gateway; Vlan-int1 1.1.1.1 to the RADIUS server 1.1.1.2/24; Vlan-int3 3.3.3.1 to the IP network.)

Configuration procedure
NOTE:
- Make sure that the terminals, the server, and the switch can reach each other. The host of the web user must have a route to the listening IP address of the local portal server.
- Complete the configuration on the RADIUS server and make sure the authentication, authorization, and accounting functions work normally. In this example, configure on the RADIUS server an 802.1X user (username userdot), a portal user (username userpt), and a MAC authentication user (username and password both the MAC address of the printer, 001588f80dd7).

1. Configure portal authentication.

# Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown)

# Configure the local portal server to support HTTP.
<Switch> system-view
[Switch] portal local-server http

# Configure the IP address of interface loopback 12 as 4.4.4.4.
[Switch] interface loopback 12
[Switch-LoopBack12] ip address 4.4.4.4 32
[Switch-LoopBack12] quit

# Specify the listening IP address of the local portal server for Layer-2 portal authentication as 4.4.4.4.
[Switch] portal local-server ip 4.4.4.4

# Enable Layer-2 portal authentication on GigabitEthernet 1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] portal local-server enable
[Switch-GigabitEthernet1/0/1] quit

2. Configure 802.1X authentication.

# Enable 802.1X authentication globally.
[Switch] dot1x

# Enable 802.1X authentication on GigabitEthernet 1/0/1. MAC-based access control is required.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] dot1x port-method macbased
[Switch-GigabitEthernet1/0/1] dot1x
[Switch-GigabitEthernet1/0/1] quit

3. Configure MAC authentication.

# Enable MAC authentication globally.
[Switch] mac-authentication

# Enable MAC authentication on GigabitEthernet 1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-authentication
[Switch-GigabitEthernet1/0/1] quit

4. Configure a RADIUS scheme.

# Create a RADIUS scheme named rs1.
[Switch] radius scheme rs1

# Specify the server type for the RADIUS scheme. It must be extended when the iMC server is used.
[Switch-radius-rs1] server-type extended

# Specify the primary authentication and accounting servers and keys.
[Switch-radius-rs1] primary authentication 1.1.1.2
[Switch-radius-rs1] primary accounting 1.1.1.2
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius

NOTE: The key radius is an example value. In RADIUS over UDP the shared secret is what authenticates the server's replies to the switch and hides the User-Password attribute, so use a long, random secret in production and do not reuse it across devices.

# Specify that usernames sent to the RADIUS server carry no domain names.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit

5. Configure an ISP domain.

# Create an ISP domain named triple.
[Switch] domain triple

# Configure the default AAA methods for all types of users in the domain.
[Switch-isp-triple] authentication default radius-scheme rs1
[Switch-isp-triple] authorization default radius-scheme rs1
[Switch-isp-triple] accounting default radius-scheme rs1
[Switch-isp-triple] quit

# Configure domain triple as the default domain. If a username entered by a user includes no ISP domain name, the AAA methods of the default domain are used.
[Switch] domain default enable triple

Verification

User userdot uses the 802.1X client to initiate authentication. After entering the correct username and password, the user passes 802.1X authentication.

Web user userpt uses a web browser to access an external network. The web request is redirected to the authentication page http://4.4.4.4/portal/logon.htm. After entering the correct username and password, the web user passes portal authentication.

The printer passes MAC authentication after being connected to the network.

Use the display connection command to view online users.
[Switch] display connection
Slot: 1
Index=30 , Username=userpt@triple
  IP=192.168.1.2
  IPv6=N/A
  MAC=0015-e9a6-7cfe
Index=31 , Username=userdot@triple
  IP=192.168.1.3
  IPv6=N/A
  MAC=0002-0002-0001
Index=32 , Username=001588f80dd7@triple
  IP=192.168.1.4
  IPv6=N/A
  MAC=0015-88f8-0dd7
 Total 3 connection(s) matched on slot 1.
 Total 3 connection(s) matched.
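What the RADIUS scheme rs1 configured in step 4 above (and configured unchanged in step 5 of the next example) puts on the wire for a PAP-style login such as the printer's MAC authentication: an RFC 2865 Access-Request with the username shortened by user-name-format without-domain, the User-Password attribute hidden with the shared secret, and the switch's check of the Response Authenticator on the server's Access-Accept. This is an added example and not code from the HP/H3C manual. The shared secret (radius), server address (1.1.1.2), and usernames are the ones in the configuration example; the packet identifier, the Request Authenticator, and the NAS-IP-Address (assumed to be Vlan-interface 1, 1.1.1.1) are constructed here. 802.1X itself carries EAP-Message attributes rather than User-Password and is not modelled.

```python
"""RFC 2865 Access-Request / Access-Accept exchange as the switch's scheme rs1 would form it.
Added example; not code from the HP A5120 manual. Identifier, Request Authenticator and
NAS-IP-Address 1.1.1.1 are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SHARED_SECRET = b"radius"  # from "key authentication radius" in the example


def nas_username(name, without_domain=True):
    """user-name-format without-domain: 'userpt@triple' is sent as 'userpt'."""
    return name.split("@", 1)[0] if without_domain else name


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-octet blocks; c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password (the server side); strips the NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes following the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, username, password, nas_ip="1.1.1.1",
                         secret=SHARED_SECRET, req_auth=b""):
    """Switch side. For the MAC authentication user the manual defines, username and
    password are both the printer MAC, i.e. a credential anyone on the segment can observe."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(USER_NAME, nas_username(username).encode())
    attrs += attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def _response_authenticator(code, ident, attrs, req_auth, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_accept(request, attrs=b"", secret=SHARED_SECRET):
    """Server side: the reply is bound to the request's Authenticator and the secret."""
    ident, req_auth = request[1], request[4:20]
    resp_auth = _response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + resp_auth + attrs


def verify_response(response, request, secret=SHARED_SECRET):
    """Switch side: a reply whose Response Authenticator does not match is discarded.
    This check is all that separates a genuine Access-Accept from a spoofed one."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = _response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request(7, "001588f80dd7@triple", b"001588f80dd7")
    acc = build_access_accept(req)
    print("username on the wire:", parse_attrs(req)[USER_NAME])
    print("genuine accept verifies:", verify_response(acc, req))
    print("accept with wrong secret verifies:", verify_response(build_access_accept(req, secret=b"x"), req))
```

Two things the code makes concrete that the configuration alone does not: the domain suffix you see in display connection (userpt@triple) never reaches the server when without-domain is set, and both the password hiding and the reply check reduce to MD5 over the shared secret, which is why the secret's length and randomness matter more than anything else in the scheme.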
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example

Network requirements

As shown in Figure 46, the terminals are connected to a switch to access the IP network. Configure triple authentication on the Layer-2 interface of the switch that connects to the terminals, so that a terminal passing any one of the three authentication methods (802.1X authentication, portal authentication, or MAC authentication) can access the IP network. More specifically:
- Portal terminals request IP addresses through DHCP. They obtain IP addresses in 192.168.1.0/24 before authentication and in 3.3.3.0/24 after passing authentication.
- 802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP addresses in 3.3.3.0/24 through DHCP after passing authentication. If a terminal fails authentication, it uses an IP address in 2.2.2.0/24.
- After passing authentication, the printer obtains through DHCP the IP address 3.3.3.111/24, which is bound to its MAC address.
- Use the remote RADIUS server to perform authentication, authorization, and accounting, and configure the switch to send usernames carrying no ISP domain names to the RADIUS server.
- The local portal authentication server on the switch uses listening IP address 4.4.4.4. The switch sends the default authentication page to the web user and forwards authentication data using HTTPS.
- Configure VLAN 3 as the authorized VLAN on the RADIUS server. Users passing authentication are added to this VLAN.
- Configure VLAN 2 as the Auth-Fail VLAN on the access device. Users failing authentication are added to this VLAN and are allowed to access only the Update server.

Figure 46 Network diagram for triple authentication supporting VLAN assignment and Auth-Fail VLAN
(Switch: GE1/0/1 to the 802.1X client, printer, and web user; Vlan-int8 192.168.1.1/24 for terminals before authentication; Vlan-int2 2.2.2.1/24 with the Update server 2.2.2.2/24 for terminals that fail authentication; Vlan-int3 3.3.3.1 for authenticated terminals; Vlan-int1 1.1.1.1 to the RADIUS server 1.1.1.2/24.)

Configuration procedure
NOTE:
- Make sure that the terminals, the servers, and the switch can reach each other. When using an external DHCP server, ensure that the terminals can get IP addresses from the server both before and after authentication.
- Complete the configuration on the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally. In this example, configure on the RADIUS server an 802.1X user (username userdot), a portal user (username userpt), a MAC authentication user (username and password both the MAC address of the printer, 001588f80dd7), and an authorized VLAN (VLAN 3).
- Complete the configuration of PKI domain pkidm and acquire the local and CA certificates. For more information, see the chapter "PKI configuration."
- Complete the editing of a self-defined default authentication page file, compress the file to a zip file named defaultfile, and save the zip file in the root directory.

1. Configure DHCP.

# Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown)

# Enable DHCP.
<Switch> system-view
[Switch] dhcp enable

# Exclude the IP address of the Update server from assignment.
[Switch] dhcp server forbidden-ip 2.2.2.2

# Configure IP address pool 1 (the network the terminals use before authentication), including the address range, lease, and gateway address.
[Switch] dhcp server ip-pool 1
[Switch-dhcp-pool-1] network 192.168.1.0 mask 255.255.255.0
[Switch-dhcp-pool-1] expired day 0 hour 0 minute 1
[Switch-dhcp-pool-1] gateway-list 192.168.1.1
[Switch-dhcp-pool-1] quit

NOTE: A short lease is recommended to shorten the time that terminals take to re-acquire IP addresses after passing or failing authentication. However, in some applications a terminal can request a new IP address before the lease expires. For example, the iNode 802.1X client automatically renews its IP address after disconnecting from the server.

# Configure IP address pool 2 (the Auth-Fail VLAN network), including the address range, lease, and gateway address. A short lease shortens the time terminals take to re-acquire IP addresses after passing authentication.
[Switch] dhcp server ip-pool 2
[Switch-dhcp-pool-2] network 2.2.2.0 mask 255.255.255.0
[Switch-dhcp-pool-2] expired day 0 hour 0 minute 1
[Switch-dhcp-pool-2] gateway-list 2.2.2.1
[Switch-dhcp-pool-2] quit

# Configure IP address pool 3 (the authorized VLAN network), including the address range, lease, and gateway address. A short lease shortens the time terminals take to re-acquire IP addresses after going offline.
[Switch] dhcp server ip-pool 3
[Switch-dhcp-pool-3] network 3.3.3.0 mask 255.255.255.0
[Switch-dhcp-pool-3] expired day 0 hour 0 minute 1
[Switch-dhcp-pool-3] gateway-list 3.3.3.1
[Switch-dhcp-pool-3] quit

# Configure IP address pool 4, and bind the printer MAC address 0015-88f8-0dd7 to the IP address 3.3.3.111/24 in this address pool.
[Switch] dhcp server ip-pool 4
[Switch-dhcp-pool-4] static-bind ip-address 3.3.3.111 mask 255.255.255.0
[Switch-dhcp-pool-4] static-bind mac-address 0015-88f8-0dd7
[Switch-dhcp-pool-4] quit

2. Configure portal authentication.

# Create SSL server policy sslsvr and specify PKI domain pkidm for it.
[Switch] ssl server-policy sslsvr
[Switch-ssl-server-policy-sslsvr] pki pkidm
[Switch-ssl-server-policy-sslsvr] quit

# Configure the local portal server to support HTTPS and use SSL server policy sslsvr.
[Switch] portal local-server https server-policy sslsvr

# Configure IP address 4.4.4.4 for interface loopback 12.
[Switch] interface loopback 12
[Switch-LoopBack12] ip address 4.4.4.4 32
[Switch-LoopBack12] quit

# Specify the listening IP address of the local portal server as 4.4.4.4.
[Switch] portal local-server ip 4.4.4.4

# Enable Layer-2 portal authentication on GigabitEthernet 1/0/1 and specify VLAN 2 as the Auth-Fail VLAN, to which terminals failing authentication are added. The port is configured as a hybrid port with MAC-based VLAN enabled so that the authorized VLAN and the Auth-Fail VLAN can be applied per terminal MAC address.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] mac-vlan enable
[Switch-GigabitEthernet1/0/1] portal local-server enable
[Switch-GigabitEthernet1/0/1] portal auth-fail vlan 2
[Switch-GigabitEthernet1/0/1] quit

3. Configure 802.1X authentication.

# Enable 802.1X authentication globally.
[Switch] dot1x

# Enable 802.1X authentication on GigabitEthernet 1/0/1 (MAC-based access control is required), and specify VLAN 2 as the Auth-Fail VLAN.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] dot1x port-method macbased
[Switch-GigabitEthernet1/0/1] dot1x
[Switch-GigabitEthernet1/0/1] dot1x auth-fail vlan 2
[Switch-GigabitEthernet1/0/1] quit

4. Configure MAC authentication.

# Enable MAC authentication globally.
[Switch] mac-authentication

# Enable MAC authentication on GigabitEthernet 1/0/1, and specify VLAN 2 as the MAC authentication guest VLAN.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-authentication
[Switch-GigabitEthernet1/0/1] mac-authentication guest-vlan 2
[Switch-GigabitEthernet1/0/1] quit

5. Configure a RADIUS scheme.

# Create a RADIUS scheme named rs1.
[Switch] radius scheme rs1

# Specify the server type for the RADIUS scheme. It must be extended when the iMC server is used.
[Switch-radius-rs1] server-type extended

# Specify the primary authentication and accounting servers and keys.
[Switch-radius-rs1] primary authentication 1.1.1.2
[Switch-radius-rs1] primary accounting 1.1.1.2
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius

# Specify that usernames sent to the RADIUS server carry no domain names.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit

6. Configure an ISP domain.

# Create an ISP domain named triple.
[Switch] domain triple

# Configure the default AAA methods for all types of users in the domain.
[Switch-isp-triple] authentication default radius-scheme rs1
[Switch-isp-triple] authorization default radius-scheme rs1
[Switch-isp-triple] accounting default radius-scheme rs1
[Switch-isp-triple] quit

# Configure domain triple as the default domain. If a username entered by a user includes no ISP domain name, the AAA methods of the default domain are used.
[Switch] domain default enable triple

Verification

User userdot uses the 802.1X client to initiate authentication. After entering the correct username and password, the user passes 802.1X authentication.

Web user userpt uses a web browser to access an external network. The web request is redirected to the authentication page https://4.4.4.4/portal/logon.htm (the local portal server is configured for HTTPS in this example). After entering the correct username and password, the web user passes portal authentication.

The printer passes MAC authentication after being connected to the network.

Use the display connection command to view connection information about online users.
[Switch] display connection
Slot: 1
Index=30 , Username=userpt@triple
  IP=192.168.1.2
  IPv6=N/A
  MAC=0015-e9a6-7cfe
Index=31 , Username=userdot@triple
  IP=3.3.3.2
  IPv6=N/A
  MAC=0002-0002-0001
Index=32 , Username=001588f80dd7@triple
  IP=N/A
  IPv6=N/A
  MAC=0015-88f8-0dd7
 Total 3 connection(s) matched on slot 1.
 Total 3 connection(s) matched.

Use the display mac-vlan all command to view the MAC-VLAN entries of online users. VLAN 3 is the authorized VLAN.
[Switch] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static  D:Dynamic
MAC ADDR         MASK             VLAN ID   PRIO   STATE
--------------------------------------------------------
0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D
0002-0002-0001   ffff-ffff-ffff   3         0      D
0015-88f8-0dd7   ffff-ffff-ffff   3         0      D

Total MAC VLAN address count:3

Use the display dhcp server ip-in-use command to view the IP addresses assigned to online users. The printer holds its statically bound address; the other two terminals hold dynamic leases from pool 3.
[Switch] display dhcp server ip-in-use all
Pool utilization: 0.59%
IP address       Client-identifier/    Lease expiration       Type
                 Hardware address
3.3.3.111        0015-88f8-0dd7        Unlimited              Manual
3.3.3.2          0002-0002-0001        Feb 15 2011 17:41:02   Auto:COMMITTED
3.3.3.3          0015-e9a6-7cfe        Feb 15 2011 17:40:52   Auto:COMMITTED
--- total 3 entry ---

When a terminal fails authentication, it is added to VLAN 2. You can use the same display commands to view the MAC-VLAN entry and IP address of that terminal.
Port security configuration

Port security overview

Port security is a MAC address-based security mechanism for network access control. It extends 802.1X authentication and MAC authentication: it prevents unauthorized devices from accessing the network by checking the source MAC address of inbound traffic, and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic.

Port security lets you control MAC address learning and authentication on ports, so that a port learns only legal source MAC addresses. With port security enabled, frames whose source MAC addresses the device cannot learn in the configured security mode are considered illegal, and a user failing 802.1X or MAC authentication is considered an illegal event. Upon detecting an illegal frame or event, the device automatically takes the pre-defined action. This strengthens system security and greatly reduces your maintenance burden.

NOTE: The security modes of the port security feature provide extended and combined use of 802.1X authentication and MAC authentication. They apply to scenarios that require both 802.1X authentication and MAC authentication. For scenarios that require only 802.1X authentication or only MAC authentication, HP recommends that you configure 802.1X authentication or MAC authentication rather than port security. For information about 802.1X and MAC authentication, see the chapters "802.1X configuration" and "MAC authentication configuration."

Port security features

NTK
The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent only to devices and hosts that have passed authentication or whose MAC addresses are on the MAC address list. This prevents illegal devices from intercepting network traffic.
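The NTK destination check above and the intrusion protection source check that follows it, run over a handful of constructed frame records so that the three intrusion protection actions can be compared. This is an added example, not code from the HP/H3C manual. The three-minute blocking duration is the one the text states; the frame records, the rogue MAC address, the 30-second duration used for temporary port disabling, and the treatment of broadcast and multicast destinations as not permitted under NTK are assumptions of this model.

```python
"""Port security frame checks: NTK on outbound frames, intrusion protection on inbound frames.
Added example; not code from the HP A5120 manual. Frame records, the rogue MAC, the temporary
disable duration and the strict handling of group destinations are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

BLOCK_SECONDS = 3 * 60      # blockmac: frames from the illegal MAC are dropped for three minutes
TEMP_DISABLE_SECONDS = 30   # disableport-temporarily: assumed duration for this model


def is_unicast(mac: str) -> bool:
    """Comware notation 'hhhh-hhhh-hhhh'; the I/G bit is the low bit of the first octet."""
    return int(mac[:2], 16) & 0x01 == 0


@dataclass
class PortSecurity:
    authenticated: set = field(default_factory=set)   # MACs that passed 802.1X or MAC authentication
    mac_list: set = field(default_factory=set)        # MACs on the port's MAC address list
    action: str = "blockmac"                          # blockmac | disableport | disableport-temporarily
    blocked_until: dict = field(default_factory=dict) # illegal MAC -> time its block expires
    disabled_until: Optional[float] = None            # None: port up; inf: disabled permanently
    events: list = field(default_factory=list)        # (time, MAC, action) per illegal frame

    def legal(self, mac: str) -> bool:
        return mac in self.authenticated or mac in self.mac_list

    def port_disabled(self, now: float) -> bool:
        return self.disabled_until is not None and now < self.disabled_until

    def outbound(self, dst: str, now: float) -> str:
        """NTK: forward only unicast frames whose destination is authenticated or on the list."""
        if self.port_disabled(now):
            return "drop:port-disabled"
        if not is_unicast(dst) or not self.legal(dst):
            return "drop:ntk"
        return "forward"

    def inbound(self, src: str, now: float) -> str:
        """Intrusion protection: an illegal source MAC triggers the pre-defined action."""
        if self.port_disabled(now):
            return "drop:port-disabled"
        if self.blocked_until.get(src, 0) > now:
            return "drop:blocked"
        if self.legal(src):
            return "forward"
        self.events.append((now, src, self.action))
        if self.action == "blockmac":
            self.blocked_until[src] = now + BLOCK_SECONDS
        elif self.action == "disableport":
            self.disabled_until = float("inf")
        elif self.action == "disableport-temporarily":
            self.disabled_until = now + TEMP_DISABLE_SECONDS
        else:
            raise ValueError(f"unknown intrusion protection action {self.action}")
        return "drop:illegal"


# Constructed frame records: (time in seconds, direction, source MAC, destination MAC).
# 0015-88f8-0dd7 (printer) and 0002-0002-0001 (802.1X client) are the authenticated MACs
# from the triple authentication examples; 00aa-bbcc-dd01 is a made-up rogue host.
SAMPLE_FRAMES = [
    (0,   "in",  "0015-88f8-0dd7", "0002-0002-0001"),
    (1,   "in",  "00aa-bbcc-dd01", "0002-0002-0001"),   # first illegal frame
    (2,   "in",  "00aa-bbcc-dd01", "0002-0002-0001"),   # inside the block window
    (3,   "out", "0002-0002-0001", "0015-88f8-0dd7"),   # NTK: destination authenticated
    (4,   "out", "0002-0002-0001", "00aa-bbcc-dd01"),   # NTK: destination unknown
    (5,   "out", "0002-0002-0001", "ffff-ffff-ffff"),   # NTK: broadcast
    (200, "in",  "00aa-bbcc-dd01", "0002-0002-0001"),   # block expired at t=181: illegal again
]


def run(frames, port: PortSecurity):
    """Apply the port's checks to each frame record and return the verdicts in order."""
    return [port.inbound(src, t) if direction == "in" else port.outbound(dst, t)
            for t, direction, src, dst in frames]


def demo(action: str = "blockmac"):
    port = PortSecurity(authenticated={"0015-88f8-0dd7", "0002-0002-0001"}, action=action)
    return run(SAMPLE_FRAMES, port), port


if __name__ == "__main__":
    verdicts, port = demo()
    for frame, verdict in zip(SAMPLE_FRAMES, verdicts):
        print(frame, "->", verdict)
    print("intrusion events:", port.events)
```

Running the same frames with action disableport shows the trade-off the text leaves implicit: one forged source MAC takes the whole port, and with it every legitimate host behind it, offline until an administrator intervenes, whereas blockmac only silences the offending address and re-evaluates it after the three-minute window.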
Intrusion protection
The intrusion protection feature checks the source MAC address in inbound frames for illegal frames and takes a pre-defined action on each detected illegal frame. The action can be disabling the port temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for three minutes (not user configurable).

Port security traps
You can configure the port security module to send traps for port security events such as login, logoff, and MAC authentication. These traps help you monitor user behavior.

Port security modes
Port security supports the following categories of security modes: