HP A 5120 Manual

• Local accounting (local)—Local accounting is implemented on the access device. It is for counting and controlling the number of concurrent users who use the same local user account; it does not provide statistics for charging. The maximum number of concurrent users using the same local user account is set by the access-limit command in local user view.
• Remote accounting (scheme)—The access device cooperates with a RADIUS server or HWTACACS server for accounting of users. You can configure local or no accounting as the backup method to be used when the remote server is not available.
By default, an ISP domain uses the local accounting method.
    Before configuring accounting methods, complete the following tasks: 
    1. For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS scheme to be 
    referenced first. The local and none authentication methods do not require any scheme.  
    2. Determine the access mode or service type to be configured. With AAA, you can configure an 
    accounting method for each access mode and service type, limiting the accounting protocols that 
    can be used for access. 
    3. Determine whether to configure an accounting method for all access modes or service types. 
Follow these steps to configure AAA accounting methods for an ISP domain:
1. Enter system view. Command: system-view
2. Enter ISP domain view. Command: domain isp-name
3. Enable the accounting optional feature. Command: accounting optional. Remarks: Optional; disabled by default.
4. Specify the default accounting method for all types of users. Command: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional; local by default.
5. Specify the command accounting method. Command: accounting command hwtacacs-scheme hwtacacs-scheme-name. Remarks: Optional; the default accounting method is used by default.
6. Specify the accounting method for LAN users. Command: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }. Remarks: Optional; the default accounting method is used by default.
7. Specify the accounting method for login users. Command: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional; the default accounting method is used by default.
8. Specify the accounting method for portal users. Command: accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional; the default accounting method is used by default.
NOTE:
• With the accounting optional command configured, a user that would otherwise be disconnected can still use the network resources even when no accounting server is available or communication with the current accounting server fails.
• The local accounting method is not used to implement accounting, but to work together with the access-limit command, which is configured in local user view, to limit the number of local user connections. However, with the accounting optional command configured, the limit on the number of local user connections is not effective.
• The accounting method specified with the accounting default command is for all types of users and has a priority lower than that for a specific access mode.
• With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, local accounting is the backup method and is used only when the remote server is not available.
• If you specify only the local or none keyword in an accounting method configuration command, the device has no backup accounting method and performs only local accounting or does not perform any accounting.
• Accounting is not supported for FTP services.
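To make the precedence and fallback rules in the note concrete, the following added Python model (not HP code and not part of the manual) parses the accounting commands from the table above, applies the rule that a per-access-type method beats accounting default, and decides whether a new user is admitted when the remote server is unreachable, taking accounting optional and the local user's access-limit into account. The scheme names, session counts and reason strings are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
# Syntax from the command rows above: access type -> (allowed primary keywords, allowed backups).
SYNTAX = {
    "default":    ({"hwtacacs-scheme", "local", "none", "radius-scheme"}, {"local"}),
    "command":    ({"hwtacacs-scheme"}, set()),
    "lan-access": ({"local", "none", "radius-scheme"}, {"local", "none"}),
    "login":      ({"hwtacacs-scheme", "local", "none", "radius-scheme"}, {"local"}),
    "portal":     ({"local", "none", "radius-scheme"}, {"local"}),
}

@dataclass
class Method:
    primary: str                  # "local", "none", or a RADIUS/HWTACACS scheme name
    remote: bool = False          # True when primary names a scheme
    backup: Optional[str] = None  # "local"/"none"; only valid behind a remote scheme
@dataclass
class Domain:
    default: Method = field(default_factory=lambda: Method("local"))  # local by default
    per_access: Dict[str, Method] = field(default_factory=dict)      # keyed by access type
    accounting_optional: bool = False                                 # disabled by default

def parse_accounting(cmd: str) -> Tuple[str, Optional[Method]]:
    """Parse one ISP-domain-view accounting command; bad syntax raises ValueError."""
    t = cmd.split()
    if len(t) < 2 or t[0] != "accounting":
        raise ValueError(f"not an accounting command: {cmd!r}")
    if t[1] == "optional":
        return "optional", None
    access, rest = t[1], t[2:]
    if access not in SYNTAX or not rest or rest[0] not in SYNTAX[access][0]:
        raise ValueError(f"invalid accounting syntax: {cmd!r}")
    if rest[0] in ("local", "none") and len(rest) == 1:  # plain local/none: no backup
        return access, Method(rest[0])
    backup = rest[2] if len(rest) == 3 else None
    if (rest[0] in ("local", "none") or len(rest) not in (2, 3)
            or (backup and backup not in SYNTAX[access][1])):
        raise ValueError(f"invalid scheme or backup for {access}: {cmd!r}")
    return access, Method(rest[1], remote=True, backup=backup)

def apply(domain: Domain, cmd: str) -> None:
    # Apply one accounting command to the domain, as ISP domain view would.
    access, m = parse_accounting(cmd)
    if access == "optional":
        domain.accounting_optional = True
    elif access == "default":
        domain.default = m
    else:
        domain.per_access[access] = m

def decide(domain: Domain, access_type: str, server_up: bool,
           local_sessions: int, access_limit: int) -> Tuple[bool, str]:
    """Admit or refuse a new user and name the accounting actually performed."""
    m = domain.per_access.get(access_type, domain.default)  # specific mode beats default
    if m.remote and server_up:
        return True, m.primary
    if m.remote and m.backup is None:  # no backup: only accounting optional keeps the user on
        return (True, "none") if domain.accounting_optional else (False, "server down, no backup")
    effective = m.backup if m.remote else m.primary
    if effective == "none":
        return True, "none"
    if domain.accounting_optional or local_sessions < access_limit:  # local: access-limit check
        return True, "local"
    return False, "access-limit reached"
```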
Tearing down user connections forcibly
Follow these steps to tear down user connections forcibly:
1. Enter system view. Command: system-view
2. Tear down AAA user connections forcibly. Command: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ]. Remarks: Required; applicable only to LAN access and portal user connections.

Configuring a network device as a RADIUS server
RADIUS server functions configuration task list
• Configuring a RADIUS user (Required)
• Specifying a RADIUS client (Required)

Configuring a RADIUS user
This task is to create a RADIUS user and configure a set of attributes for the user on a network device that serves as the RADIUS server. The user attributes include the password, authorization attribute, expiration time, and user description. After completing this task, the specified RADIUS user can use the username and password for RADIUS authentication on the device.
Follow these steps to configure a RADIUS user:
1. Enter system view. Command: system-view
2. Create a RADIUS user and enter RADIUS server user view. Command: radius-server user user-name. Remarks: Required; no RADIUS user exists by default.
3. Configure a password for the RADIUS user. Command: password [ cipher | simple ] password. Remarks: Optional; by default, no password is specified.
4. Configure the authorization attribute for the RADIUS user. Command: authorization-attribute { acl acl-number | vlan vlan-id } *. Remarks: Optional; not configured by default.
5. Configure the expiration time for the RADIUS user. Command: expiration-date time. Remarks: Optional; by default, no expiration time is configured, and the system does not check users' expiration time.
6. Configure a description for the RADIUS user. Command: description text. Remarks: Optional; not configured by default.

NOTE:
You can use the authorization-attribute command to specify an authorization ACL and authorized VLAN, which will be assigned by the RADIUS server to the RADIUS client (the NAS) after the RADIUS user passes authentication. The NAS then uses the assigned ACL and VLAN to control user access. If the assigned ACL does not exist on the NAS, ACL assignment will fail and the NAS will log the RADIUS user out forcibly. If the assigned VLAN does not exist on the NAS, the NAS will create the VLAN and add the RADIUS user or the access port to the VLAN.
Specifying a RADIUS client
This task is to specify the IP address of a client to be managed by the RADIUS server and configure the shared key. The RADIUS server processes only the RADIUS packets sent from the specified clients.
Follow these steps to specify a RADIUS client:
1. Enter system view. Command: system-view
2. Specify a RADIUS client. Command: radius-server client-ip ip-address [ key string ]. Remarks: Required; no RADIUS client is specified by default.

NOTE:
• The IP address of a RADIUS client specified on the RADIUS server must be consistent with the source IP address of RADIUS packets configured on the RADIUS client.
• The shared key configured on the RADIUS server must be consistent with that configured on the RADIUS client.
Displaying and maintaining AAA
• Display the configuration information of ISP domains. Command: display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display information about user connections. Command: display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Available in any view.

AAA configuration examples
AAA for Telnet users by an HWTACACS server
Network requirements
As shown in Figure 10, configure the switch to use the HWTACACS server to provide authentication, authorization, and accounting services for Telnet users. Set the shared keys for authentication, authorization, and accounting packets exchanged with the HWTACACS server to expert. Specify that the switch remove the domain names in usernames before sending usernames to the HWTACACS server.
Figure 10 Configure AAA for Telnet users by an HWTACACS server
(Figure 10 is not reproduced here. It shows the Telnet user connected to the switch, which reaches the authentication/accounting server at 10.1.1.1/24 across the Internet.)

    Configuration procedure 
    # Configure the IP addresses of the interfaces (omitted). 
    # Enable the Telnet server on the switch. 
<Switch> system-view 
    [Switch] telnet server enable 
    # Configure the switch to use AAA for Telnet users. 
    [Switch] user-interface vty 0 4 
    [Switch-ui-vty0-4] authentication-mode scheme 
    [Switch-ui-vty0-4] quit 
    # Create HWTACACS scheme hwtac. 
[Switch] hwtacacs scheme hwtac 
    # Specify the primary authentication server. 
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49 
    # Specify the primary authorization server. 
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49 
    # Specify the primary accounting server. 
    [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49 
    # Set the shared key for authentication, authorization, and accounting packets to expert. 
    [Switch-hwtacacs-hwtac] key authentication expert 
    [Switch-hwtacacs-hwtac] key authorization expert 
    [Switch-hwtacacs-hwtac] key accounting expert 
# Configure the scheme to remove the domain names in usernames before sending usernames to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain 
[Switch-hwtacacs-hwtac] quit  
# Configure the AAA methods for the domain, or set default AAA methods for all types of users in the domain.
    [Switch] domain bbb 
    [Switch-isp-bbb] authentication login hwtacacs-scheme hwtac 
    [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac 
    [Switch-isp-bbb] accounting login hwtacacs-scheme hwtac 
    [Switch-isp-bbb] quit 
    Or 
    [Switch] domain bbb 
    [Switch-isp-bbb] authentication default hwtacacs-scheme hwtac 
    [Switch-isp-bbb] authorization default hwtacacs-scheme hwtac 
    [Switch-isp-bbb] accounting default hwtacacs-scheme hwtac 
    When telnetting to the switch, a user enters username userid@bbb for authentication using domain bbb. 
    AAA for Telnet users by separate servers 
    Network requirements 
As shown in Figure 11, configure the switch to provide local authentication, HWTACACS authorization, and RADIUS accounting services for Telnet users. The username and the password for Telnet users are both hello.
Set the shared keys for packets exchanged with the HWTACACS server and the RADIUS server to expert. Configure the switch to remove the domain names in usernames before sending usernames to the servers.
NOTE:
Configuration of separate AAA for other types of users is similar to that given in this example. The only difference is in the access type.
Figure 11 Configure AAA by separate servers for Telnet users
(Figure 11 is not reproduced here. It shows the Telnet user connected to the switch, which reaches the RADIUS accounting server at 10.1.1.1/24 and the HWTACACS authorization server at 10.1.1.2/24 across the Internet.)

    Configuration procedure 
    # Configure the IP addresses of various interfaces (omitted). 
    # Enable the Telnet server on the switch. 
<Switch> system-view 
    [Switch] telnet server enable 
    # Configure the switch to use AAA for Telnet users. 
    [Switch] user-interface vty 0 4 
    [Switch-ui-vty0-4] authentication-mode scheme 
    [Switch-ui-vty0-4] quit 
    # Configure the HWTACACS scheme. 
    [Switch] hwtacacs scheme hwtac 
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49 
    [Switch-hwtacacs-hwtac] key authorization expert 
    [Switch-hwtacacs-hwtac] user-name-format without-domain 
    [Switch-hwtacacs-hwtac] quit  
    # Configure the RADIUS scheme. 
    [Switch] radius scheme rd 
    [Switch-radius-rd] primary accounting 10.1.1.1 1813 
    [Switch-radius-rd] key accounting expert 
    [Switch-radius-rd] server-type extended 
    [Switch-radius-rd] user-name-format without-domain 
    [Switch-radius-rd] quit 
    # Create a local user named hello. 
    [Switch] local-user hello 
    [Switch-luser-hello] service-type telnet 
    [Switch-luser-hello] password simple hello 
    [Switch-luser-hello] quit 
    # Configure the AAA methods for the ISP domain, or set default AAA methods for all types of users in the 
    domain.  
    [Switch] domain bbb 
    [Switch-isp-bbb] authentication login local 
    [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac 
    [Switch-isp-bbb] accounting login radius-scheme rd 
[Switch-isp-bbb] quit 
    Or 
    [Switch] domain bbb 
    [Switch-isp-bbb] authentication default local 
    [Switch-isp-bbb] authorization default hwtacacs-scheme hwtac 
    [Switch-isp-bbb] accounting default radius-scheme rd 
    When telnetting to the switch, a user enters username telnet@bbb for authentication using domain bbb. 
Authentication/Authorization for SSH/Telnet users by a RADIUS server
NOTE:
The configuration of authentication and authorization for SSH users is similar to that for Telnet users. The following takes SSH users as an example.
Network requirements
As shown in Figure 12, configure an iMC server to act as the RADIUS server to provide authentication and authorization services for SSH users.
Set both the shared keys for packets exchanged with the RADIUS server to expert, and configure the switch to include the domain names in usernames to be sent to the RADIUS server.
Add an account on the RADIUS server, with the username hello@bbb. The SSH user uses the username and the configured password to log in to the switch and is authorized with the privilege level of 3 after login.
Figure 12 Configure authentication/authorization for SSH users by a RADIUS server
(Figure 12 is not reproduced here. It shows the SSH user reaching the switch on Vlan-int2, 192.168.1.70/24; the switch reaches the RADIUS server at 10.1.1.1/24 from Vlan-int3, 10.1.1.2/24, across the Internet.)

    Configuration procedure 
1. Configure the RADIUS server (iMC PLAT 5.0)
NOTE:
This example assumes that the RADIUS server runs iMC PLAT 5.0 (E0101) and iMC UAM 5.0 (E0101).
# Add an access device.
Log in to the iMC management platform, select the Service tab, and select User Access Manager > Access Device from the navigation tree to enter the Access Device page. Then, click Add to enter the Add Access Device window and perform the following configurations as shown in Figure 13.
• Set the shared key for authentication and accounting to expert
• Specify the ports for authentication and accounting as 1812 and 1813 respectively
• Select Device Management Service as the service type
• Select HP(A-Series) as the access device type
• Select the access device from the device list or manually add the device with the IP address of 10.1.1.2
• Click OK to finish the operation
NOTE:
The IP address of the access device specified above must be the same as the source IP address of the RADIUS packets sent from the device, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the device.
    Figure 13 Add an access device 
     
     
# Add a user for device management.
Log in to the iMC management platform, select the User tab, and select Device Management User from the navigation tree to enter the Device Management User page. Then, click Add to enter the Add Device Management User window and perform the following configurations as shown in Figure 14.
• Add a user named hello@bbb and specify the password
• Select SSH as the service type
• Set the EXEC privilege level to 3. This value identifies the privilege level of the SSH user after login and defaults to 0.
• Specify the IP address range of the hosts to be managed as 10.1.1.0 to 10.1.1.255
• Click OK to finish the operation
    Figure 14 Add an account for device management 
     
     
    2. Configure the switch 
    # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. 
<Switch> system-view 
    [Switch] interface vlan-interface 2 
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 
    [Switch-Vlan-interface2] quit 
# Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
    [Switch] interface vlan-interface 3 
    [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 
    [Switch-Vlan-interface3] quit 
    # Generate RSA and DSA key pairs and enable the SSH server.  
    [Switch] public-key local create rsa 
    [Switch] public-key local create dsa 
    [Switch] ssh server enable 
    # Configure the switch to use AAA for SSH users. 
    [Switch] user-interface vty 0 4 
    [Switch-ui-vty0-4] authentication-mode scheme 
    # Configure the user interfaces to support SSH. 
    [Switch-ui-vty0-4] protocol inbound ssh 
    [Switch-ui-vty0-4] quit 
# Create RADIUS scheme rad.
    [Switch] radius scheme rad 
    # Specify the primary authentication server. 
    [Switch-radius-rad] primary authentication 10.1.1.1 1812 
    # Set the shared key for authentication packets to expert. 
    [Switch-radius-rad] key authentication expert 
    # Configure the scheme to include the domain names in usernames to be sent to the RADIUS server. 
    [Switch-radius-rad] user-name-format with-domain 
# Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs iMC.
    [Switch-radius-rad] server-type extended 
    [Switch-radius-rad] quit 
    # Configure the AAA methods for the domain. 
    [Switch] domain bbb 
    [Switch-isp-bbb] authentication login radius-scheme rad 
    [Switch-isp-bbb] authorization login radius-scheme rad 
    [Switch-isp-bbb] quit 
    3. Verify the configuration 
After you complete the configuration, the SSH user should be able to use the configured account to access the user interface of the switch and can execute the commands of level 0 through level 3.
    # Use the display connection command to view the connection information on the switch.  
    [Switch] display connection 
    Index=1   ,Username=hello@bbb 
    IP=192.168.1.58 
    IPv6=N/A 
     Total 1 connection(s) matched. 
AAA for 802.1X users by a RADIUS server
Network requirements
As shown in Figure 15, configure the switch to use the RADIUS server to perform authentication, authorization, and accounting for 802.1X users. Set the shared keys for authentication and authorization packets exchanged between the switch and the RADIUS server to expert and set the ports for authentication/authorization and accounting to 1812 and 1813 respectively. Configure the switch to include the domain names in usernames to be sent to the RADIUS server.
Configure MAC-based access control on GigabitEthernet 1/0/1 to authenticate all 802.1X users on the port separately.
Configure an account for the user, with the username dot1x@bbb. Configure the authentication server to assign the host to VLAN 4 after the host passes authentication. Register a monthly service that charges 120 dollars for up to 120 hours per month for the user.