HP 5500 Ei 5500 Si Switch Series Configuration Guide
• Configuring HWTACACS schemes
• Configuring AAA methods for ISP domains:
  • Creating an ISP domain: Required.
  • Configuring ISP domain attributes: Optional.
  • Configuring AAA authentication methods for an ISP domain
  • Configuring AAA authorization methods for an ISP domain
  • Configuring AAA accounting methods for an ISP domain
    (Required. Complete at least one of these three tasks.)
• Tearing down user connections: Optional.
• Configuring a NAS ID-VLAN binding: Optional.
• Specifying the device ID used in stateful failover mode: Optional.
• Configuring a switch as a RADIUS server: Optional.

NOTE: To use AAA methods to control access of login users, you must configure the user interfaces to use AAA by using the authentication-mode command. For more information about the configuration command, see Fundamentals Command Reference.

Configuring AAA schemes

Configuring local users

To implement local user authentication, authorization, and accounting, you must create local users and configure user attributes on the switch. The local users and attributes are stored in the local user database on the switch. A local user is uniquely identified by a username. Configurable local user attributes are as follows:

• Service type: Types of services that the user can use. Local authentication checks the service types of a local user. If none of the service types is available, the user cannot pass authentication. Service types include FTP, LAN access, portal, SSH, Telnet, terminal, and Web.
• User state: Indicates whether or not a local user can request network services. There are two user states: active and blocked. A user in active state can request network services, but a user in blocked state cannot.
• Maximum number of users using the same local user account: Indicates how many users can use the same local user account for local authentication.
• Validity time and expiration time: Indicate the validity time and expiration time of a local user account. A user must use a valid local user account to pass local authentication. For temporary network access requirements, you can create a guest account and specify a validity time and an expiration time for the account to control the validity of the account.
• User group: Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user groups, see Configuring user group attributes.
• Password control attributes: Password control attributes help you control the security of local users' passwords. They include password aging time, minimum password length, and password composition policy. You can configure a password control attribute in system view, user group view, or local user view, making the attribute effective for all local users, for all local users in a group, or only for the local user. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see Configuring password control.
• Binding attributes: Binding attributes are used to control the scope of users. They are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For more information about binding attributes, see Configuring local user attributes. Be cautious when deciding which binding attributes to configure for a local user.
• Authorization attributes: Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, PPP callback number, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see Configuring local user attributes.
Every configurable authorization attribute has its own application environments and purposes. When you configure authorization attributes for a local user, consider which attributes are needed and which are not. You can configure an authorization attribute in user group view or local user view to make the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view.

Local user configuration task list

• Configuring local user attributes: Required.
• Configuring user group attributes: Optional.
• Displaying and maintaining local users and local user groups: Optional.

Configuring local user attributes

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Add a local user and enter local user view.
   Command: local-user user-name
   Remarks: No local user exists by default.
3. Configure a password for the local user.
   Command: password [ { cipher | simple } password ]
   Remarks: Optional. A local user with no password configured directly passes authentication after providing the valid local username and attributes. To enhance security, configure a password for each local user. If none of the parameters is specified, you enter the interactive mode to set a plaintext password. This interactive mode is supported only on switches that support the password control feature.
4. Specify the service types for the local user.
   Command: service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal | web }
   Remarks: By default, no service is authorized to a local user.
5. Place the local user in the active or blocked state.
   Command: state { active | block }
   Remarks: Optional. When created, a local user is in active state by default, and the user can request network services.
6. Set the maximum number of concurrent users of the local user account.
   Command: access-limit max-user-number
   Remarks: Optional. By default, there is no limit to the maximum number of concurrent users of a local user account. The limit is effective only for local accounting, and is not effective for FTP users.
7. Configure the password control attributes for the local user.
   Commands:
   • Set the password aging time: password-control aging aging-time
   • Set the minimum password length: password-control length length
   • Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]
   Remarks: Optional. By default, the password control attributes of the user group to which the local user belongs apply, and any password control attribute that is not configured in the user group uses the global setting. The global settings include a 90-day password aging time, a minimum password length of 10 characters, and at least one password composition type and at least one character required for each password composition type.
8. Configure the binding attributes for the local user.
   Command: bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *
   Remarks: Optional. By default, no binding attribute is configured for a local user. Binding attributes are only intended for and LAN users.
9. Configure the authorization attributes for the local user.
   Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role { guest | guest-manager | security-audit } | vlan vlan-id | work-directory directory-name } *
   Remarks: Optional. By default, no authorization attribute is configured for a local user. For LAN and portal users, only acl, idle-cut, user-profile, and vlan are supported. For SSH, terminal, and Web users, only level is supported. For FTP users, only level and work-directory are supported. For Telnet users, only level and user-role are supported. For other types of local users, no binding attribute is supported.
10. Set the validity time of the local user.
    Command: validity-date time
    Remarks: Optional. Not set by default.
11. Set the expiration time of the local user.
    Command: expiration-date time
    Remarks: Optional. Not set by default.
12. Assign the local user to a user group.
    Command: group group-name
    Remarks: Optional. By default, a local user belongs to the default user group system.

• For more information about password control configuration commands, see Security Command Reference.
• If the user interface authentication mode (set by the authentication-mode command in user interface view) is AAA (scheme), which commands a login user can use after login depends on the privilege level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface (set by the user privilege level command in user interface view). For an SSH user using public key authentication, which commands are available depends on the level configured for the user interface. For more information about user interface authentication mode and user interface command level, see Fundamentals Configuration Guide.
• You can configure the user profile authorization attribute in local user view, user group view, and ISP domain view. The setting in local user view has the highest priority, and that in ISP domain view has the lowest priority. For more information about user profiles, see Configuring a user profile.
• You cannot delete a local user who is the only security log manager in the system, nor can you change or delete the security log manager role of the user. To do so, you must specify a new security log manager first.

Configuring user group attributes

User groups simplify local user configuration and management. A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attribute management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
By default, every newly added local user belongs to the system default user group system and bears all attributes of the group. To change the user group to which a local user belongs, use the user-group command in local user view.

To configure attributes for a user group:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a user group and enter user group view.
   Command: user-group group-name
   Remarks: N/A
3. Configure password control attributes for the user group.
   Commands:
   • Set the password aging time: password-control aging aging-time
   • Set the minimum password length: password-control length length
   • Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]
   Remarks: Optional. By default, the global settings apply. The global settings include a 90-day password aging time, a minimum password length of 10 characters, and at least one password composition type and at least one character required for each password composition type.
4. Configure the authorization attributes for the user group.
   Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
   Remarks: Optional. By default, no authorization attribute is configured for a user group.
5. Set the guest attribute for the user group.
   Command: group-attribute allow-guest
   Remarks: Optional. By default, the guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group.

NOTE: For more information about password control attribute configuration commands, see Security Command Reference.
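A worked configuration that combines the local user and user group steps above, added here as an example; it is not taken from the HP guide. The group name, user names, password values, VLAN ID, port location and FTP directory are assumptions, and the lines starting with # are annotations rather than commands.

```text
# Added example, not from the HP guide. All names and values are assumptions.
system-view
# Group-level password control and authorization. Members inherit these
# settings unless they override them in local user view, where a setting
# with the smaller effective range wins.
user-group netadmins
 password-control aging 60
 password-control length 12
 password-control composition type-number 3 type-length 1
 authorization-attribute level 3
 quit
# Administrator: SSH and terminal access only; inherits level 3 and the
# password policy from the group. A user with no password would pass
# authentication on the username alone, so every account gets one.
local-user admin1
 password simple Assumed-Pass-1
 service-type ssh terminal
 group netadmins
 quit
# FTP service account: confined to one directory and to level 1. Note that
# access-limit is not enforced for FTP users, so rely on these restrictions.
local-user ftpsvc
 password simple Assumed-Pass-2
 service-type ftp
 authorization-attribute level 1 work-directory flash:/ftp
 quit
# LAN access account bound to one port and VLAN (assumed slot 1, subslot 0,
# port 10), limited to two concurrent sessions, cut after 15 idle minutes,
# and kept blocked until it is actually needed.
local-user lanuser1
 password simple Assumed-Pass-3
 service-type lan-access
 bind-attribute location port 1 0 10 vlan 20
 access-limit 2
 authorization-attribute vlan 20 idle-cut 15
 state block
 quit
# Verify the result (display commands are available in any view).
display local-user user-name admin1
display user-group netadmins
```

Switch lanuser1 to state active when the account is needed; the binding attributes then reject any login from another port or VLAN.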
Displaying and maintaining local users and local user groups

• Display local user information.
  Command: display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | portal | ssh | telnet | terminal | web } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display the user group configuration information.
  Command: display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Configuring RADIUS schemes

A RADIUS scheme specifies the RADIUS servers that the switch can cooperate with and defines a set of parameters that the switch uses to exchange information with the RADIUS servers. There may be authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters include the IP addresses of the servers, the shared keys, and the RADIUS server type.

RADIUS scheme configuration task list

• Creating a RADIUS scheme: Required.
• Specifying the RADIUS authentication/authorization servers: Required.
• Specifying the RADIUS accounting servers and the relevant parameters: Optional.
• Specifying the shared keys for secure RADIUS communication: Optional.
• Specifying the VPN to which the servers belong: Optional.
• Setting the username format and traffic statistics units: Optional.
• Setting the supported RADIUS server type: Optional.
• Setting the maximum number of RADIUS request transmission attempts: Optional.
• Setting the status of RADIUS servers: Optional.
• Specifying the source IP address for outgoing RADIUS packets: Optional.
• Specifying a backup source IP address for outgoing RADIUS packets: Optional.
• Setting timers for controlling communication with RADIUS servers: Optional.
• Configuring RADIUS accounting-on: Optional.
• Configuring the IP address of the security policy server: Optional.
• Configuring interpretation of RADIUS class attribute as CAR parameters: Optional.
• Enabling the trap function for RADIUS: Optional.
• Enabling the RADIUS listening port of the RADIUS client: Optional.
• Setting the DSCP value for RADIUS protocol packets: Optional.
• Displaying and maintaining RADIUS: Optional.

Creating a RADIUS scheme

Before performing other RADIUS configurations, follow these steps to create a RADIUS scheme and enter RADIUS scheme view:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a RADIUS scheme and enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: No RADIUS scheme exists by default.

NOTE: A RADIUS scheme can be referenced by multiple ISP domains at the same time.

Specifying the RADIUS authentication/authorization servers

You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. In a scenario where redundancy is not required, specify only the primary server.

In RADIUS, user authorization information is piggybacked in authentication responses sent to RADIUS clients. There is no separate RADIUS authorization server.

You can enable the server status detection feature. With the feature, the switch periodically sends an authentication request to check whether or not the target RADIUS authentication/authorization server is reachable. If yes, the switch sets the status of the server to active. If not, the switch sets the status of the server to block. This feature can promptly notify authentication modules of the latest server status information. For example, server status detection can work with the 802.1X critical VLAN feature, so that the switch can trigger 802.1X authentication for users in the critical VLAN immediately on detection of a reachable RADIUS authentication/authorization server.

Follow these guidelines when you specify RADIUS authentication/authorization servers:
• The IP addresses of the primary and secondary authentication/authorization servers for a scheme must be different from each other. Otherwise, the configuration fails.
• All servers for authentication/authorization and accounting, primary or secondary, must use IP addresses of the same IP version.
• You can specify a RADIUS authentication/authorization server as the primary authentication/authorization server for one scheme and as the secondary authentication/authorization server for another scheme at the same time.

To specify RADIUS authentication/authorization servers for a RADIUS scheme:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify RADIUS authentication/authorization servers.
   Commands:
   • Specify the primary RADIUS authentication/authorization server: primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
   • Specify a secondary RADIUS authentication/authorization server: secondary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command. No authentication/authorization server is specified by default.

Specifying the RADIUS accounting servers and the relevant parameters

You can specify one primary accounting server and up to 16 secondary accounting servers for a RADIUS scheme. When the primary server is not available, a secondary server is used. When redundancy is not required, specify only the primary server.

By setting the maximum number of real-time accounting attempts for a scheme, you make the switch disconnect users for whom no accounting response is received before the number of accounting attempts reaches the limit.

When the switch receives a connection teardown request from a host or a connection teardown notification from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of stop-accounting requests that receive no response, so that the switch buffers and resends a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the switch discards the packet.

Follow these guidelines when you specify RADIUS accounting servers:
• The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
• All servers for authentication/authorization and accounting, primary or secondary, must use IP addresses of the same IP version.
• If you delete an accounting server that is serving users, the switch can no longer send real-time accounting requests and stop-accounting requests for the users to that server, or buffer the stop-accounting requests.
• You can specify a RADIUS accounting server as the primary accounting server for one scheme and as the secondary accounting server for another scheme at the same time.
• RADIUS does not support accounting for FTP users.

To specify RADIUS accounting servers and set relevant parameters for a scheme:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify RADIUS accounting servers.
   Commands:
   • Specify the primary RADIUS accounting server: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   • Specify a secondary RADIUS accounting server: secondary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
   Remarks: Configure at least one command. No accounting server is specified by default.
4. Set the maximum number of real-time accounting attempts.
   Command: retry realtime-accounting retry-times
   Remarks: Optional. The default setting is 5.
5. Enable buffering of stop-accounting requests to which no responses are received.
   Command: stop-accounting-buffer enable
   Remarks: Optional. Enabled by default.
6. Set the maximum number of stop-accounting attempts.
   Command: retry stop-accounting retry-times
   Remarks: Optional. The default setting is 500.

Specifying the shared keys for secure RADIUS communication

The RADIUS client and RADIUS server use the MD5 algorithm to authenticate packets exchanged between them, and use shared keys for packet authentication and user password encryption. They must use the same key for the same type of communication.

A shared key configured in this task is for all servers of the same type (accounting or authentication) in the scheme, and has a lower priority than a shared key configured individually for a RADIUS server.

To specify a shared key for secure RADIUS communication:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Specify a shared key for secure RADIUS authentication/authorization or accounting communication.
   Command: key { accounting | authentication } key
   Remarks: No shared key is specified by default.

NOTE: A shared key configured on the switch must be the same as that configured on the RADIUS server.
Specifying the VPN to which the servers belong (available only on the HP 5500 EI)

After you specify a VPN for a RADIUS scheme, all the authentication/authorization/accounting servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to that specific VPN.

To specify a VPN for a RADIUS scheme:
1. Enter system view.
   Command: system-view
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
3. Specify a VPN for the RADIUS scheme.
   Command: vpn-instance vpn-instance-name

Setting the username format and traffic statistics units

A username is usually in the format userid@isp-name, where isp-name represents the name of the ISP domain the user belongs to and is used by the switch to determine which users belong to which ISP domains. However, some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name. In this case, the switch must remove the domain name from each username before sending the username. You can set the username format on the switch for this purpose.

The switch periodically sends accounting updates to RADIUS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and that for packets on the switch are consistent with those on the RADIUS server.

Follow these guidelines when you set the username format and the traffic statistics units for a RADIUS scheme:
• If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, users using the same username but in different ISP domains are considered the same user.
• For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same results. They make sure usernames sent to the RADIUS server carry no ISP domain name.

To set the username format and the traffic statistics units for a RADIUS scheme:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RADIUS scheme view.
   Command: radius scheme radius-scheme-name
   Remarks: N/A
3. Set the format for usernames sent to the RADIUS servers.
   Command: user-name-format { keep-original | with-domain | without-domain }
   Remarks: Optional. By default, the ISP domain name is included in a username.
4. Specify the unit for data flows or packets sent to the RADIUS servers.
   Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
   Remarks: Optional. The default unit is byte for data flows and one-packet for data packets.

Setting the supported RADIUS server type

The supported RADIUS server type determines the type of the RADIUS protocol that the switch uses to communicate with the RADIUS server. It can be standard or extended:
• Standard: Uses the standard RADIUS protocol, compliant with RFC 2865 and RFC 2866 or later.
• Extended: Uses the proprietary RADIUS protocol of HP.
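A worked RADIUS scheme that ties together the server, shared key, accounting and username format steps above, added here as an example; it is not taken from the HP guide. The scheme name, server addresses (from the RFC 5737 documentation range), port numbers, probe account and key values are assumptions, and lines starting with # are annotations rather than commands.

```text
# Added example, not from the HP guide. Addresses, ports, names and keys are
# assumptions; replace them with your own.
system-view
radius scheme corp-aaa
# Primary authentication/authorization server with its own shared key and a
# probe account so server status detection runs every 60 seconds. A
# per-server key takes precedence over the scheme-level key set below.
 primary authentication 192.0.2.10 1812 key simple Assumed-Key-A probe username probe-user interval 60
# Secondary server: must use a different address than the primary and the
# same IP version. It has no key of its own, so the scheme-level key applies.
 secondary authentication 192.0.2.11 1812 probe username probe-user interval 60
# Accounting servers (same rules on address and IP version).
 primary accounting 192.0.2.10 1813
 secondary accounting 192.0.2.11 1813
# Scheme-level keys cover every server of that type without an individual
# key. Each key must match the one configured on the RADIUS server, or the
# MD5 packet authentication fails.
 key authentication Assumed-Key-B
 key accounting Assumed-Key-C
# Keep the ISP domain in usernames so this scheme can safely serve more than
# one ISP domain, and report traffic in the units the servers expect.
 user-name-format with-domain
 data-flow-format data byte packet one-packet
# Stop-accounting buffering and its retry limit (shown at their defaults).
 stop-accounting-buffer enable
 retry stop-accounting 500
 quit
```

The scheme takes effect only once an ISP domain references it, which is covered under Configuring AAA methods for ISP domains in the task list.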