HP A 5120 Manual

    Figure 15 Configure AAA for 802.1X users by a RADIUS server 
     
     
    Configuration procedure 
     
     NOTE: 
     Configure the interfaces and VLANs as shown in Figure 15. Make sure that the host can get a new IP address 
    manually or automatically and can access resources in the authorized VLAN after passing authentication.  
    1. Configure the RADIUS server (iMC PLAT 5.0)  
     NOTE: 
    This example assumes that the RADIUS server runs iMC PLAT 5.0 (E0101), iMC UAM 5.0 (E0101), and 
    iMC CAMS 5.0 (E0101).  
# Add an access device.
Log in to the iMC management platform, select the Service tab, and select User Access Manager > Access Device from the navigation tree to enter the Access Device List page. Then, click Add to enter the Add Access Device page and perform the following configurations:
• Set the shared key for authentication and accounting to expert
• Specify the ports for authentication and accounting as 1812 and 1813 respectively
• Select LAN Access Service as the service type
• Select HP(A-Series) as the access device type
• Select the access device from the device list or manually add the device whose IP address is 10.1.1.2
• Adopt the default settings for other parameters and click OK to finish the operation.
 NOTE:
The IP address of the access device specified above must be the same as the source IP address of the RADIUS packets sent from the device, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the access device.
[Figure 15 topology labels: Internet; Switch; 802.1X user; RADIUS server 10.1.1.1/24; Vlan-int2; Vlan-int3 10.1.1.2/24; Vlan-int4; GE1/0/1]
    Figure 16 Add an access device 
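The note above makes two points that are easy to get wrong in practice: the server recognises the access device only by the source IP of its RADIUS packets, and the shared key (expert here) is what lets the switch trust the reply that carries the VLAN assignment. The Python model below is an added example, not code from the HP manual or from iMC. It builds an Access-Request from NAS 10.1.1.2 for user dot1x@bbb, lets a minimal server look the NAS up by source IP, verify a CHAP response and answer with the RFC 2868 tunnel attributes that carry VLAN 4, and then has the NAS verify the Response Authenticator under its own key. The user password, the challenge and the Request Authenticator are constructed constants (a real NAS draws the last two at random), and CHAP stands in for the EAP-MD5 relay that 802.1X actually uses, since the key-and-source-IP mechanics are identical. The same source-IP check is why the later Telnet example on this page pins the source address with nas-ip.

```python
"""RADIUS exchange showing how source IP and shared key bind NAS and server.
Constructed example for this page; not HP's or iMC's code."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 3, 4, 60
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

# From this page: access device 10.1.1.2, key "expert", user dot1x@bbb, VLAN 4.
# The user password is a constructed placeholder (the page does not state it).
SERVER_CLIENTS = {"10.1.1.2": b"expert"}
SERVER_USERS = {b"dot1x@bbb": b"constructed-user-password"}
AUTHORIZED_VLAN = b"4"


def attr(atype, value):
    """Type-Length-Value encoding; Length counts the two header bytes (RFC 2865 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(raw):
    out, i = {}, 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        out[atype] = raw[i + 2:i + alen]
        i += alen
    return out


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret) (RFC 2865 3)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def nas_access_request(ident, request_auth, username, password, nas_ip):
    """NAS side: CHAP-Password = ident || MD5(ident || password || challenge)."""
    chap_id = 0x01
    challenge = b"\x11" * 16  # constructed; a real NAS uses random bytes
    chap_resp = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    attrs = (attr(USER_NAME, username)
             + attr(CHAP_PASSWORD, bytes([chap_id]) + chap_resp)
             + attr(CHAP_CHALLENGE, challenge)
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(req, source_ip):
    """Server side: the NAS entry is selected by the packet's source IP, as the iMC
    access-device list does; a packet from an unregistered source is silently dropped."""
    secret = SERVER_CLIENTS.get(source_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", req[:4])
    request_auth, attrs = req[4:20], parse_attrs(req[20:length])
    pw = SERVER_USERS.get(attrs.get(USER_NAME))
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, request_auth)  # RFC fallback: Request Authenticator
    ok = pw is not None and len(chap) == 17 and hmac.compare_digest(
        hashlib.md5(chap[:1] + pw + challenge).digest(), chap[1:])
    if not ok:
        auth = response_authenticator(ACCESS_REJECT, ident, request_auth, b"", secret)
        return packet(ACCESS_REJECT, ident, auth, b"")
    # VLAN assignment: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, group id "4" (tag byte 0)
    vlan_attrs = (attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                  + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
                  + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + AUTHORIZED_VLAN))
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, vlan_attrs, secret)
    return packet(ACCESS_ACCEPT, ident, auth, vlan_attrs)


def nas_authorized_vlan(resp, request_auth, secret):
    """NAS side: honour the reply only if its Response Authenticator verifies under our key."""
    if resp is None:
        return None
    code, ident, length = struct.unpack("!BBH", resp[:4])
    attrs_raw = resp[20:length]
    expected = response_authenticator(code, ident, request_auth, attrs_raw, secret)
    if not hmac.compare_digest(expected, resp[4:20]) or code != ACCESS_ACCEPT:
        return None
    return parse_attrs(attrs_raw)[TUNNEL_PRIVATE_GROUP_ID][1:].decode()  # drop tag byte


def exchange(nas_secret, source_ip="10.1.1.2", password=SERVER_USERS[b"dot1x@bbb"]):
    """One full round trip; returns the authorized VLAN id or None."""
    request_auth = b"\x42" * 16  # constructed; a real NAS uses random bytes
    req = nas_access_request(22, request_auth, b"dot1x@bbb", password, "10.1.1.2")
    return nas_authorized_vlan(server_handle(req, source_ip), request_auth, nas_secret)


if __name__ == "__main__":
    print(exchange(b"expert"))               # 4
    print(exchange(b"wrong-key"))            # None: authenticator does not verify
    print(exchange(b"expert", "10.1.1.9"))   # None: source IP not an access device
```

The three failure paths in exchange() are the ones to check first when 802.1X clients stall after this configuration: a key mismatch makes the switch discard otherwise valid Access-Accepts, an unregistered source IP makes the server discard the request without replying, and a wrong user password yields an Access-Reject that verifies but carries no VLAN.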
     
     
# Add a charging policy.
Select the Service tab, and select Accounting Manager > Charging Plans from the navigation tree to enter the charging policy configuration page. Then, click Add to enter the Add Charging Plan page and perform the following configurations:
• Add a plan named UserAcct
• Select Flat rate as the charging template
• In the Basic Plan Settings field, configure to charge the fixed fee of 120 dollars per month
• In the Service Usage Limit field, set the Usage Threshold to 120 hours, allowing the user to access the Internet for up to 120 hours per month
• Adopt the default settings for other parameters and click OK to finish the operation.
Figure 17 Add a charging policy


# Add a service.
Select the Service tab, and select User Access Manager > Service Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter the Add Service Configuration page and perform the following configurations:
• Add a service named Dot1x auth and set the Service Suffix to bbb, which indicates the authentication domain for the 802.1X user. With the service suffix configured, you must configure usernames to be sent to the RADIUS server to carry the domain name.
• Specify UserAcct as the Charging Plan.
• Select Deploy VLAN and set the ID of the VLAN to be assigned to 4.
• Configure other parameters according to the actual situation.
• Click OK to finish the operation.
    Figure 18 Add a service 
     
     
# Add a user.
Select the User tab, and select All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to enter the Add Access User page and perform the following configurations:
• Select the user or add a user named test
• Specify the account name as dot1x and configure the password
• Select the access service Dot1x auth
• Configure other parameters accordingly and click OK to finish the operation
    Figure 19 Add an access user account 
      
     
2. Configure the switch
• Configure a RADIUS scheme
# Create a RADIUS scheme named rad and enter its view.
<Switch> system-view
[Switch] radius scheme rad
# Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended.
[Switch-radius-rad] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rad] primary authentication 10.1.1.1
[Switch-radius-rad] primary accounting 10.1.1.1
[Switch-radius-rad] key authentication expert
[Switch-radius-rad] key accounting expert
# Configure the scheme to include the domain names in usernames to be sent to the RADIUS server.
[Switch-radius-rad] user-name-format with-domain
[Switch-radius-rad] quit
• Configure an authentication domain
# Create an ISP domain named bbb and enter its view.
[Switch] domain bbb
# Configure the ISP domain to use RADIUS scheme rad.
[Switch-isp-bbb] authentication lan-access radius-scheme rad
[Switch-isp-bbb] authorization lan-access radius-scheme rad
[Switch-isp-bbb] accounting lan-access radius-scheme rad
[Switch-isp-bbb] quit
# Configure bbb as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain will be used for the user.
[Switch] domain default enable bbb
• Configure 802.1X authentication
# Enable 802.1X globally.
[Switch] dot1x
# Enable 802.1X for port GigabitEthernet 1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] dot1x
[Switch-GigabitEthernet1/0/1] quit
# Configure the access control method. (Optional. The default setting meets the requirement.)
[Switch] dot1x port-method macbased interface gigabitethernet 1/0/1
3. Verification
 NOTE:
• If the 802.1X client of Windows XP is used, the properties of the 802.1X connection should be specifically configured in the Authentication tab on the Properties page, where you must select the Enable IEEE 802.1X authentication for this network option and specify the EAP type as MD5-Challenge.
• If the iNode client is used, no advanced authentication options need to be enabled.
When using the iNode client, the user can pass authentication after entering username dot1x@bbb and the correct password in the client property page. When using the Windows XP 802.1X client, the user can pass authentication after entering the correct username and password in the pop-up authentication page. After the user passes authentication, the server assigns the port connecting the client to VLAN 4.
Use the display connection command to view the connection information on the switch.
[Switch] display connection
    Slot:  1 
    Index=22  , Username=dot1x@bbb 
     IP=192.168.1.58 
     IPv6=N/A 
     MAC=0015-e9a6-7cfe 
     Total 1 connection(s) matched on slot 1. 
     Total 1 connection(s) matched. 
    # View the information of the specified connection on the switch. 
    [Switch] display connection ucibindex 22 
    Slot:  1 
    Index=22  , Username=dot1x@bbb 
    MAC=0015-e9a6-7cfe 
    IP=192.168.1.58 
    IPv6=N/A 
    Access=8021X   ,AuthMethod=CHAP 
    Port Type=Ethernet,Port Name=GigabitEthernet1/0/1 
    Initial VLAN=2, Authorized VLAN=4 
    ACL Group=Disable 
    User Profile=N/A 
    CAR=Disable  
    Priority=Disable 
    Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s 
     Total 1 connection matched.   
    As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user.  
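Reading the Authorized VLAN field by eye is fine for one session; checking that every 802.1X port ended up in the VLAN the service was meant to deploy is something worth scripting, for example from a collector that runs display connection ucibindex over SSH. The parser below is an added example (not HP's code or part of the manual); it turns the key=value output shown above into a dictionary and compares it against the values this configuration should produce. The sample text is the manual's own output for index 22, embedded as a constant so the script runs offline; check_session and its expected values are this example's assumptions.

```python
"""Parse the A5120 'display connection ucibindex' output and verify the session.
Added example for this page; not HP's code."""
import re

# Output of "display connection ucibindex 22" as printed on this page.
SAMPLE = """Slot:  1
Index=22  , Username=dot1x@bbb
MAC=0015-e9a6-7cfe
IP=192.168.1.58
IPv6=N/A
Access=8021X   ,AuthMethod=CHAP
Port Type=Ethernet,Port Name=GigabitEthernet1/0/1
Initial VLAN=2, Authorized VLAN=4
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s
 Total 1 connection matched.
"""

# One "Name=value" pair; values run to the next comma or end of line, names may contain spaces.
FIELD = re.compile(r"\s*([A-Za-z0-9 ]+?)\s*=\s*([^,]*?)\s*(?:,|$)")


def parse_connection(text):
    """Return the session fields as {name: value}; lines without '=' are skipped."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        for m in FIELD.finditer(line):
            fields[m.group(1)] = m.group(2)
    return fields


def check_session(fields, expected_vlan, expected_port, expected_access="8021X"):
    """Compare a parsed session with what the configuration should produce.
    Returns a list of findings; an empty list means the session matches."""
    expected = {
        "Authorized VLAN": str(expected_vlan),
        "Port Name": expected_port,
        "Access": expected_access,
    }
    return [f"{name}: expected {want!r}, got {fields.get(name)!r}"
            for name, want in expected.items() if fields.get(name) != want]


if __name__ == "__main__":
    session = parse_connection(SAMPLE)
    print(session["Username"], session["Authorized VLAN"])     # dot1x@bbb 4
    print(check_session(session, 4, "GigabitEthernet1/0/1"))   # []
    print(check_session(session, 2, "GigabitEthernet1/0/1"))   # one finding
```

A session that still shows Authorized VLAN equal to the Initial VLAN after a successful authentication usually means the server did not send the tunnel attributes, or sent them for a VLAN that does not exist on the switch, so the finding list is a good first thing to alert on.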
Level switching authentication for Telnet users by an HWTACACS server
Network requirements
As shown in Figure 20, configure the switch to use local authentication for the Telnet user and assign the privilege level of 0 to the user after the user passes authentication.
Configure the switch to use the HWTACACS server for level switching authentication of the Telnet user, and to use local authentication as the backup method.
    Figure 20 Configure level switching authentication for Telnet users by an HWTACACS server 
     
     
Configuration considerations
1. Configure the switch to use AAA, particularly, local authentication for Telnet users.
• Create ISP domain bbb and configure it to use local authentication for Telnet users.
• Create a local user account, configure the password, and assign the privilege level for the user to enjoy after login.
2. On the switch, configure the authentication method for user privilege level switching.
• Specify to use HWTACACS authentication and, if HWTACACS authentication is not available, use local authentication for user level switching authentication.
• Configure HWTACACS scheme hwtac and assign an IP address to the HWTACACS server. Set the shared keys for message exchange and specify that usernames sent to the HWTACACS server carry no domain name. Configure the domain to use the HWTACACS scheme hwtac for user privilege level switching authentication.
• Configure the password for local privilege level switching authentication.
3. On the HWTACACS server, add the username and password for user privilege level switching authentication.
Configuration procedure
1. Configure the switch
[Figure 20 topology labels: Internet; Switch; Telnet user 192.168.1.58/24; HWTACACS server 10.1.1.1/24; Vlan-int2 192.168.1.70/24; Vlan-int3 10.1.1.2/24]
# Configure the IP address of VLAN-interface 2, through which the Telnet user accesses the switch.
<Switch> system-view
    [Switch] interface vlan-interface 2 
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 
    [Switch-Vlan-interface2] quit 
    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.  
    [Switch] interface vlan-interface 3 
    [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 
    [Switch-Vlan-interface3] quit 
    # Enable the switch to provide Telnet service. 
    [Switch] telnet server enable 
    # Configure the switch to use AAA for Telnet users.  
    [Switch] user-interface vty 0 4 
    [Switch-ui-vty0-4] authentication-mode scheme 
    [Switch-ui-vty0-4] quit 
# Use HWTACACS authentication for user level switching authentication and, if HWTACACS authentication is not available, use local authentication.
[Switch] super authentication-mode scheme local
# Create an HWTACACS scheme named hwtac.
[Switch] hwtacacs scheme hwtac
# Specify the IP address for the primary authentication server as 10.1.1.1 and the port for authentication as 49.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Set the shared key for authentication packets to expert.
[Switch-hwtacacs-hwtac] key authentication expert
# Configure the scheme to remove the domain names in usernames before sending usernames to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
    # Create ISP domain bbb. 
    [Switch] domain bbb 
    # Configure the ISP domain to use local authentication for Telnet users.  
    [Switch-isp-bbb] authentication login local 
    # Configure to use HWTACACS scheme hwtac for privilege level switching authentication.  
    [Switch-isp-bbb] authentication super hwtacacs-scheme hwtac 
    [Switch-isp-bbb] quit 
    # Create a local Telnet user named test.  
    [Switch] local-user test 
    [Switch-luser-test] service-type telnet 
    [Switch-luser-test] password simple aabbcc 
    # Configure the user level of the Telnet user to 0 after user login.  
    [Switch-luser-test] authorization-attribute level 0 
    [Switch-luser-test] quit 
    # Configure the password for local privilege level switching authentication to 654321.  
    [Switch] super password simple 654321  
    [Switch] quit 
    2. Configure the HWTACACS server  
     NOTE: 
    The HWTACACS server in this example runs ACSv4.0.   
Add a user named tester on the HWTACACS server and configure advanced attributes for the user as follows and as shown in Figure 21:
• Select Max Privilege for any AAA Client and set the privilege level to level 3. After these configurations, the user needs to use the password enabpass when switching to level 1, level 2, or level 3.
• Select Use separate password and specify the password as enabpass.
Figure 21 Configure advanced attributes for the Telnet user


3. Verify the configuration
After you complete the configuration, the Telnet user should be able to telnet to the switch and use username test@bbb and password aabbcc to enter the user interface of the switch, and access all level 0 commands.
     telnet 192.168.1.70 
    Trying 192.168.1.70 ... 
    Press CTRL+K to abort     
    Connected to 192.168.1.70 ... 
    ****************************************************************************** 
    * Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.          * 
    * Without the owners prior written consent,                                 * 
    * no decompiling or reverse-engineering shall be allowed.                    * 
    ****************************************************************************** 
     
    Login authentication 
     
    Username:test@bbb 
    Password: 
<Switch> ?
    User view commands: 
      cluster  Run cluster command 
      display  Display current system information 
      ping     Ping function 
      quit     Exit from current command view 
      ssh2     Establish a secure shell client connection 
      super    Set the current user priority level 
      telnet   Establish one TELNET connection 
      tracert  Trace route function 
When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as prompted.
<Switch> super 3
 Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
If the HWTACACS server is not available, the Telnet user needs to enter password 654321 as prompted for local authentication.
<Switch> super 3
 Password:  (enter the password for HWTACACS privilege level switching authentication)
 Error: Invalid configuration or no response from the authentication server.
 Info: Change authentication mode to local.
 Password:  (enter the password for local privilege level switching authentication)
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
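The key configured with key authentication expert above is what the HWTACACS scheme uses to obfuscate every packet body, including the level-switch request that carries the username and the target privilege level. The Python script below is an added example, not HP's implementation or part of the manual: it encodes a TACACS+ authentication START for an ENABLE-service login to level 3, applies the RFC 8907 section 4.5 pseudo-pad with the key, and shows a server recovering the body only when it holds the same key. The session id, the line name vty0 and the client address are constructed values; the username test is test@bbb with the domain removed, as user-name-format without-domain specifies. HWTACACS is HP's TACACS+ variant, and this example assumes the standard packet layout for it.

```python
"""TACACS+ body obfuscation (RFC 8907 4.5) on a privilege-level-switch request.
Added example for this page; not HP's code."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0             # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02   # "enable" service: a request to raise the privilege level


def pseudo_pad(session_id, key, version, seq_no, length):
    """pad = MD5_1 || MD5_2 || ... where MD5_1 = MD5(session_id || key || version || seq_no)
    and MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}), cut to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl):
    """START body: action, priv_lvl, authen_type, service, four length bytes, then the strings."""
    return (struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_ENABLE,
                        len(user), len(port), len(rem_addr), 0)
            + user + port + rem_addr)


def build_packet(session_id, key, body, seq_no=1, flags=0):
    """12-byte header (sent in the clear) followed by the obfuscated body."""
    hdr = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                      session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_start(pkt, key):
    """Server side: de-obfuscate with the configured key and return (user, priv_lvl), or None
    when the recovered field lengths do not fit the body, the usual sign of a key mismatch."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    body = obfuscate(pkt[12:12 + length], session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    action, priv_lvl, _atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or 8 + ulen + plen + rlen + dlen != len(body):
        return None
    return body[8:8 + ulen], priv_lvl


def level_switch_request(key):
    """NAS side: user test (domain stripped) asks for level 3; session id is a constructed constant."""
    body = authen_start_body(b"test", b"vty0", b"192.168.1.58", priv_lvl=3)
    return build_packet(session_id=0x1A2B3C4D, key=key, body=body)


if __name__ == "__main__":
    pkt = level_switch_request(b"expert")
    print(decode_start(pkt, b"expert"))     # (b'test', 3)
    print(decode_start(pkt, b"wrong-key"))  # None: pad differs, lengths no longer fit
```

Two properties matter for the deployment above. First, a key mismatch between the switch and the server does not produce a clean error; the server simply sees an unparseable body, which on the switch surfaces as the "no response from the authentication server" path that falls back to the local super password. Second, the pad is a keyed MD5 stream XORed over the body, not authenticated encryption, so the secrecy of the level-switch password rests entirely on the key and on keeping the server-facing VLAN-interface 3 path away from untrusted hosts.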
RADIUS authentication and authorization for Telnet users by a network device
Network requirements
As shown in Figure 22, configure Switch B to act as a RADIUS server to provide authentication and authorization for the Telnet user on port 1645.
Set the shared keys for authentication and authorization packets exchanged between the NAS and the RADIUS server to abc. Configure the switch to remove the domain names in usernames before sending usernames to the RADIUS server.
    Figure 22 RADIUS authentication and authorization for Telnet users by a network device 
     
     
    Configuration procedure 
    # Configure an IP address for each interface as shown in Figure 22. The detailed configuration is omitted 
    here.  
    1. Configure the NAS 
    # Enable the Telnet server on Switch A.  
<SwitchA> system-view
    [SwitchA] telnet server enable 
    # Configure Switch A to use AAA for Telnet users. 
    [SwitchA] user-interface vty 0 4 
    [SwitchA-ui-vty0-4] authentication-mode scheme 
    [SwitchA-ui-vty0-4] quit 
# Create RADIUS scheme rad.
[SwitchA] radius scheme rad
# Specify the IP address for the primary authentication server as 10.1.1.2, the port for authentication as 1645, and the shared key for authentication packets as abc.
[SwitchA-radius-rad] primary authentication 10.1.1.2 1645 key abc
# Configure the scheme to remove the domain names in usernames before sending usernames to the RADIUS server.
[SwitchA-radius-rad] user-name-format without-domain
# Specify the source IP address for RADIUS packets as 10.1.1.1.
[SwitchA-radius-rad] nas-ip 10.1.1.1
# Configure the RADIUS server type as standard. When a network device is configured to serve as a RADIUS server, the server type must be set to standard. (server-type is a RADIUS scheme view command, so it is entered here rather than in ISP domain view.)
[SwitchA-radius-rad] server-type standard
[SwitchA-radius-rad] quit
# Create ISP domain bbb.
[SwitchA] domain bbb
# Specify the authentication method for Telnet users as rad.
[SwitchA-isp-bbb] authentication login radius-scheme rad
# Specify the authorization method for Telnet users as rad.
[SwitchA-isp-bbb] authorization login radius-scheme rad
# Specify the accounting method for Telnet users as none.
[SwitchA-isp-bbb] accounting login none
[SwitchA-isp-bbb] quit
[Figure 22 topology labels: Telnet user 192.168.1.2; Switch A (NAS) Vlan-int2 10.1.1.1/24, Vlan-int3 192.168.1.1/24; Switch B (RADIUS server) Vlan-int2 10.1.1.2/24]