HP 5500 EI 5500 SI Switch Series Configuration Guide
Appendix B Packet precedences

IP precedence and DSCP values

Figure 24 ToS and DS fields [figure not reproduced; labels: IPv4 ToS byte (Precedence, Type of Service, MBZ: Must Be Zero; RFC 791, RFC 1122, RFC 1349) and DS field for the IPv4 ToS octet and the IPv6 Traffic Class octet (DSCP, Class Selector codepoints, CU: Currently Unused; RFC 2474)]

As shown in Figure 24, the ToS field in the IPv4 header contains eight bits, where the first three bits (0 to 2) represent IP precedence from 0 to 7; the Traffic Classes field in the IPv6 header contains eight bits, where the first three bits (0 to 2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field in the IPv4 header or the Traffic Classes field in the IPv6 header is redefined as the differentiated services (DS) field, where a DSCP value is represented by the first six bits (0 to 5) and is in the range 0 to 63. The remaining two bits (6 and 7) are reserved.

Table 8 Description on IP precedence

| IP precedence (decimal) | IP precedence (binary) | Description |
|---|---|---|
| 0 | 000 | Routine |
| 1 | 001 | priority |
| 2 | 010 | immediate |
| 3 | 011 | flash |
| 4 | 100 | flash-override |
| 5 | 101 | critical |
| 6 | 110 | internet |
| 7 | 111 | network |

Table 9 Description on DSCP values

| DSCP value (decimal) | DSCP value (binary) | Description |
|---|---|---|
| 46 | 101110 | ef |
| 10 | 001010 | af11 |
| 12 | 001100 | af12 |
| 14 | 001110 | af13 |
| 18 | 010010 | af21 |
| 20 | 010100 | af22 |
| 22 | 010110 | af23 |
| 26 | 011010 | af31 |
| 28 | 011100 | af32 |
| 30 | 011110 | af33 |
| 34 | 100010 | af41 |
| 36 | 100100 | af42 |
| 38 | 100110 | af43 |
| 8 | 001000 | cs1 |
| 16 | 010000 | cs2 |
| 24 | 011000 | cs3 |
| 32 | 100000 | cs4 |
| 40 | 101000 | cs5 |
| 48 | 110000 | cs6 |
| 56 | 111000 | cs7 |
| 0 | 000000 | be (default) |

802.1p priority

802.1p priority lies in the Layer 2 header and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.

Figure 25 An Ethernet frame with an 802.1Q tag header [figure not reproduced]

As shown in Figure 25, the four-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure 26 shows the format of the 802.1Q tag header. The Priority field in the 802.1Q tag header is called the 802.1p priority, because its use is defined in IEEE 802.1p. Table 10 shows the values for 802.1p priority.

Figure 26 802.1Q tag header [figure not reproduced]

Table 10 Description on 802.1p priority

| 802.1p priority (decimal) | 802.1p priority (binary) | Description |
|---|---|---|
| 0 | 000 | best-effort |
| 1 | 001 | background |
| 2 | 010 | spare |
| 3 | 011 | excellent-effort |
| 4 | 100 | controlled-load |
| 5 | 101 | video |
| 6 | 110 | voice |
| 7 | 111 | network-management |
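The bit layouts described in this appendix, decoded from raw frames, as an added example that is not part of the HP guide. The function names and the two sample frames are constructed for illustration; the TCI split (3-bit priority, 1 bit, 12-bit VLAN ID) is taken from IEEE 802.1Q rather than from the text above, and only a single 802.1Q tag is handled.

```python
import struct

TPID_8021Q = 0x8100        # TPID value given in the text
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD

# Tables 8, 10 and 9 from this appendix as lookup tables.
IP_PRECEDENCE = ("Routine", "priority", "immediate", "flash",
                 "flash-override", "critical", "internet", "network")
DOT1P = ("best-effort", "background", "spare", "excellent-effort",
         "controlled-load", "video", "voice", "network-management")
DSCP = {46: "ef", 10: "af11", 12: "af12", 14: "af13", 18: "af21",
        20: "af22", 22: "af23", 26: "af31", 28: "af32", 30: "af33",
        34: "af41", 36: "af42", 38: "af43", 8: "cs1", 16: "cs2",
        24: "cs3", 32: "cs4", 40: "cs5", 48: "cs6", 56: "cs7", 0: "be"}


def decode_ds(octet):
    """Read one ToS / Traffic Class octet both ways: precedence and DSCP."""
    precedence = octet >> 5            # first three bits (0 to 2)
    dscp = octet >> 2                  # first six bits (0 to 5)
    return {
        "ip_precedence": precedence,
        "ip_precedence_name": IP_PRECEDENCE[precedence],
        "dscp": dscp,
        "dscp_name": DSCP.get(dscp),   # None when the value is not in Table 9
        "reserved_bits": octet & 0b11, # bits 6 and 7
    }


def decode_frame(frame):
    """Return the 802.1p priority, VLAN ID and DS field of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    out = {"dot1p": None, "dot1p_name": None, "vlan_id": None, "ds": None}

    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI follows the TPID; the real EtherType follows the TCI.
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        out["dot1p"] = tci >> 13
        out["dot1p_name"] = DOT1P[tci >> 13]
        out["vlan_id"] = tci & 0x0FFF
        offset = 18

    if ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        if len(frame) < offset + 2:
            raise ValueError("truncated IP header")
        b0, b1 = frame[offset], frame[offset + 1]
        version = b0 >> 4
        if ethertype == ETHERTYPE_IPV4 and version == 4:
            octet = b1                              # ToS is the second byte
        elif ethertype == ETHERTYPE_IPV6 and version == 6:
            # Traffic Class straddles the first two bytes of the header.
            octet = ((b0 & 0x0F) << 4) | (b1 >> 4)
        else:
            raise ValueError("EtherType and IP version disagree")
        out["ds"] = decode_ds(octet)
    return out


# Constructed sample frames (not captured traffic).
_MACS = bytes.fromhex("020000000002" "020000000001")
# Tagged IPv4: 802.1p priority 5, VLAN 100, DSCP 46 (ToS byte 0xB8).
SAMPLE_TAGGED_IPV4 = (
    _MACS
    + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 100, ETHERTYPE_IPV4)
    + bytes([0x45, 46 << 2]) + bytes(18)
)
# Untagged IPv6: Traffic Class 0x28, that is DSCP 10.
SAMPLE_UNTAGGED_IPV6 = (
    _MACS + struct.pack("!H", ETHERTYPE_IPV6) + bytes([0x62, 0x80]) + bytes(38)
)

if __name__ == "__main__":
    for sample in (SAMPLE_TAGGED_IPV4, SAMPLE_UNTAGGED_IPV6):
        print(decode_frame(sample))
```

The same octet yields both readings: DSCP 46 (ef) also reads as IP precedence 5 (critical), which is why the class selector values cs1 to cs7 line up with IP precedence 1 to 7.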
Contents

Configuring AAA
  AAA overview
  RADIUS
  HWTACACS
  Domain-based user management
  RADIUS server feature of the switch
  AAA for MPLS L3VPNs (available only on the HP 5500 EI)
  Protocols and standards
  RADIUS attributes
  AAA configuration considerations and task list
  Configuring AAA schemes
  Configuring local users
  Configuring RADIUS schemes
  Configuring HWTACACS schemes
  Configuring AAA methods for ISP domains
  Configuration prerequisites
  Creating an ISP domain
  Configuring ISP domain attributes
  Configuring AAA authentication methods for an ISP domain
  Configuring AAA authorization methods for an ISP domain
  Configuring AAA accounting methods for an ISP domain
  Tearing down user connections
  Configuring a NAS ID-VLAN binding
  Specifying the device ID used in stateful failover mode (available only on the HP 5500 EI)
  Configuring a switch as a RADIUS server
  RADIUS server functions configuration task list
  Configuring a RADIUS user
  Specifying a RADIUS client
  Displaying and maintaining AAA
  AAA configuration examples
  AAA for Telnet users by an HWTACACS server
  AAA for Telnet users by separate servers
  Authentication/authorization for SSH/Telnet users by a RADIUS server
  AAA for portal users by a RADIUS server
  AAA for 802.1X users by a RADIUS server
  Level switching authentication for Telnet users by an HWTACACS server
  RADIUS authentication and authorization for Telnet users by a switch
  Troubleshooting AAA
  Troubleshooting RADIUS
  Troubleshooting HWTACACS
802.1X fundamentals
  802.1X architecture
  Controlled/uncontrolled port and port authorization status
  802.1X-related protocols
  Packet formats
  EAP over RADIUS
  Initiating 802.1X authentication
  802.1X client as the initiator
  Access device as the initiator
  802.1X authentication procedures
  A comparison of EAP relay and EAP termination
  EAP relay
  EAP termination
Configuring 802.1X
  HP implementation of 802.1X
  Access control methods
  Using 802.1X authentication with other features
  Configuration prerequisites
  802.1X configuration task list
  Enabling 802.1X
  Configuration guidelines
  Configuration procedure
  Enabling EAP relay or EAP termination
  Setting the port authorization state
  Specifying an access control method
  Setting the maximum number of concurrent 802.1X users on a port
  Setting the maximum number of authentication request attempts
  Setting the 802.1X authentication timeout timers
  Configuring the online user handshake function
  Configuration guidelines
  Configuration procedure
  Configuring the authentication trigger function
  Configuration guidelines
  Configuration procedure
  Specifying a mandatory authentication domain on a port
  Configuring the quiet timer
  Enabling the periodic online user re-authentication function
  Configuration guidelines
  Configuration procedure
  Configuring an 802.1X guest VLAN
  Configuration guidelines
  Configuration prerequisites
  Configuration procedure
  Configuring an Auth-Fail VLAN
  Configuration guidelines
  Configuration prerequisites
  Configuration procedure
  Configuring an 802.1X critical VLAN
  Configuration guidelines
  Configuration prerequisites
  Configuration procedure
  Specifying supported domain name delimiters
  Displaying and maintaining 802.1X
  802.1X authentication configuration example
  Network requirements
  Configuration procedure
  Verifying the configuration
  802.1X with guest VLAN and VLAN assignment configuration example
  Network requirements
  Configuration procedure
  Verifying the configuration
  802.1X with ACL assignment configuration example
  Network requirements
  Configuration procedure
  Verifying the configuration
Configuring EAD fast deployment
  Overview
  Free IP
  URL redirection
  Configuration prerequisites
  Configuring a free IP
  Configuring the redirect URL
  Setting the EAD rule timer
  Displaying and maintaining EAD fast deployment
  EAD fast deployment configuration example
  Network requirements
  Configuration procedure
  Verifying the configuration
  Troubleshooting EAD fast deployment
  Web browser users cannot be correctly redirected
Configuring MAC authentication
  MAC authentication overview
  User account policies
  Authentication approaches
  MAC authentication timers
  Using MAC authentication with other features
  VLAN assignment
  ACL assignment
  Guest VLAN
  Critical VLAN
  Configuration task list
  Basic configuration for MAC authentication
  Specifying a MAC authentication domain
  Configuring a MAC authentication guest VLAN
  Configuring a MAC authentication critical VLAN
  Displaying and maintaining MAC authentication
  MAC authentication configuration examples
  Local MAC authentication configuration example
  RADIUS-based MAC authentication configuration example
  ACL assignment configuration example
Configuring portal authentication
  Overview
  Extended portal functions
  Portal system components
  Portal system using the local portal server
  Portal authentication modes
  Portal support for EAP (available only on the HP 5500 EI series)
  Layer 2 portal authentication process
  Layer 3 portal authentication process (available only on the HP 5500 EI series)
  Portal stateful failover (available only on the HP 5500 EI series)
  Portal authentication across VPNs (available only on the HP 5500 EI series)
  Portal configuration task list
  Configuration prerequisites
  Specifying the portal server
  Specifying the local portal server for Layer 2 portal authentication
  Specifying a portal server for Layer 3 portal authentication (available only on the HP 5500 EI series)
  Configuring the local portal server
  Customizing authentication pages
  Configuring the local portal server
  Enabling portal authentication
  Enabling Layer 2 portal authentication
  Enabling Layer 3 portal authentication (available only on the HP 5500 EI series)
  Controlling access of portal users
  Configuring a portal-free rule
  Configuring an authentication source subnet (available only on the HP 5500 EI series)
  Setting the maximum number of online portal users
  Specifying an authentication domain for portal users
  Configuring Layer 2 portal authentication to support web proxy
  Enabling support for portal user moving
  Specifying an Auth-Fail VLAN for portal authentication
  Configuring RADIUS related attributes
  Specifying NAS-Port-Type for an interface
  Specifying a NAS ID profile for an interface
  Specifying a source IP address for outgoing portal packets
  Configuring portal stateful failover (available only on the HP 5500 EI series)
  Specifying an auto redirection URL for authenticated portal users
  Configuring portal detection functions
  Configuring online Layer 2 portal user detection
  Configuring the portal server detection function (available only on the HP 5500 EI series)
  Configuring portal user information synchronization (available only on the HP 5500 EI series)
  Logging off portal users
  Displaying and maintaining portal
  Portal configuration examples
  Configuring direct portal authentication
  Configuring re-DHCP portal authentication
  Configuring cross-subnet portal authentication
  Configuring direct portal authentication with extended functions
  Configuring re-DHCP portal authentication with extended functions
  Configuring cross-subnet portal authentication with extended functions
  Configuring portal stateful failover
  Configuring portal server detection and portal user information synchronization
  Configuring Layer 2 portal authentication
  Troubleshooting portal
  Inconsistent keys on the access device and the
portal server ··················\ ··················\ ··················\ ············ ······· 193 Incorrect server port number on the access device ··················\ ··················\ ··················\ ··················\ ··················\ 193 Configuring triple authentication ·················\ ··················\ ··················\ ··················\ ··················\ ···· ··················\ ············ 195 Overview ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ··················\ ···· 195 Triple authentication mechanism ··················\ ··················\ ··················\ ··················\ ··················\ ·······················\ ······ 195 Using triple authentication with other features ··················\ ··················\ ··················\ ··················\ ······· ··················\ 196 Configuring triple authentication ··················\ ··················\ ··················\ ··················\ ··················\ ··· ··················\ ················· 196 Triple authentication co nfiguration examples ··················\ ··················\ ··················\ ··················\ ·········· ··················\ ······· 197 Triple authentication basic fu nction configuration example ··················\ ··················\ ··················\ ·············· ······· 197 Triple authentication supporting VLAN assignme nt and Auth-Fail VLAN configuration example ·············· 199 Configuring port security ··················\ ··················\ ··················\ ··················\ ··················\ ··········· ··················\ ················· 205 Overview ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ··················\ ···· 205 Port security features ··················\ 
··················\ ··················\ ··················\ ··················\ ································\ ················· 205 Port security modes ··················\ ··················\ ··················\ ··················\ ··················\ ················· ··················\ ················ 205 Working with guest VLAN and Auth-Fail VLAN ··················\ ··················\ ··················\ ··················\ ············ ·········· 208
v Configuration task list ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··················\ ······· 208 Enabling port security ··················\ ··················\ ··················\ ··················\ ··················\ ·············· ··················\ ··················\ ······ 209 Setting port securitys limit on the number of MAC addresses on a port··················\ ··················\ ··················\ ··· ······ 209 Setting the port security mode ··················\ ··················\ ··················\ ··················\ ··················\ ······ ··················\ ··················\ 210 Configuration prerequisites ··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ··········· 210 Configuration procedure ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··········· 210 Configuring port se curity features ··················\ ··················\ ··················\ ··················\ ··················\ ·· ··················\ ················ 211 Configuring NTK ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··· ··················\ ················ 211 Configuring intrusion protection ··················\ ··················\ ··················\ ··················\ ··················\ ···· ··················\ ········ 211 Enabling port security traps ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·· 212 Configuring secure MAC addresses ··················\ ··················\ ··················\ ··················\ ··················\ ···· ··················\ ·········· 212 Configuration prerequisites ··················\ 
··················\ ··················\ ··················\ ··················\ ········· ··················\ ··········· 213 Configuration procedure ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··········· 213 Ignoring authorization info rmation from the server ··················\ ··················\ ··················\ ··················\ ···· ··················\ ···· 214 Displaying and maintaining port security ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ······ 214 Port security configuration examples ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ············· 215 Configuring the au toLearn mode ··················\ ··················\ ··················\ ··················\ ··················\ ······ ··················\ ····· 215 Configuring the userLo ginWithOUI mode ··················\ ··················\ ··················\ ··················\ ················· ··············· 217 Configuring the macAddress ElseUserLoginSecure mode ··················\ ··················\ ··················\ ··················\ ········ 222 Troubleshooting port security ··················\ ··················\ ··················\ ··················\ ··················\ ······· ··················\ ··················\ · 224 Cannot set the port security mode ··················\ ··················\ ··················\ ··················\ ··················\ ··· ··················\ ······ 224 Cannot configure se cure MAC addresses ··················\ ··················\ ··················\ ··················\ ················· ··············· 225 Cannot change port security mode when a user is online ··················\ ··················\ ··················\ ··················\ ······ 225 Configuring a user profile ··················\ 
··················\ ··················\ ··················\ ··················\ ·········· ··················\ ················ 227 User profile overview ··················\ ··················\ ··················\ ··················\ ··················\ ··············· ··················\ ··················\ ······ 227 User profile configuration task list ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ 227 Creating a user profile ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··················\ ····· 227 Configuration prerequisites ··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ··········· 227 Configuration procedure ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··········· 227 Applying a QoS policy ··················\ ··················\ ··················\ ··················\ ··················\ ··············· ··················\ ··················\ ·· 228 Configuration guidelines ··················\ ··················\ ··················\ ··················\ ··················\ ············ ··················\ ············ 228 Configuration procedure ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··········· 228 Enabling a user profile ··················\ ··················\ ··················\ ··················\ ··················\ ············· ··················\ ··················\ ····· 228 Displaying and maintaining user profiles ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ······ 229 Configuring password control ··················\ 
··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ·· 230 Password control overview ··················\ ··················\ ··················\ ··················\ ··················\ ··········· ··················\ ··················\ 230 Password control configuration task list ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ········· 232 Configuring password control ··················\ ··················\ ··················\ ··················\ ··················\ ········ ··················\ ················ 233 Enabling password control ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··· 233 Setting global password control parameters ··················\ ··················\ ··················\ ··················\ ··················\ ·········· 233 Setting user group password control parameters ··················\ ··················\ ··················\ ··················\ ········ ············ 235 Setting local user passw ord control parameters ··················\ ··················\ ··················\ ··················\ ········ ·············· 235 Setting super password control parameters ··················\ ··················\ ··················\ ··················\ ············· ················ 236 Setting a local user passwor d in interactive mode ··················\ ··················\ ··················\ ··················\ ····· ············· 236 Displaying and maintain ing password control ·················\ ··················\ ··················\ ··················\ ············ ··················\ ···· 236 Password control conf iguration example ··················\ ··················\ ··················\ ··················\ ················ ··················\ ········ 237 Configuring HABP ··················\ 
··················\ ··················\ ··················\ ··················\ ··················\ ·· ··················\ ··················\ · 240 HABP overview ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ············ 240 Configuring HABP ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ···················\ ······· 241 Configuring the HABP server ··················\ ··················\ ··················\ ··················\ ··················\ ········· ··················\ ········ 241 Configuring an HABP client ··················\ ··················\ ··················\ ··················\ ··················\ ·········· ··················\ ········· 241 Displaying and maintaining HABP ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ················· 242 HABP configuration example ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ··················\ ········ 242