
HP 5500 Ei 5500 Si Switch Series Configuration Guide

    Specifying the HWTACACS authorization servers 
    You can specify one primary authorization server and up to one secondary authorization server for an 
    HWTACACS scheme. When the primary server is not available, any secondary server is used. In a 
    scenario where redundancy is not required, specify only the primary server. 
    Follow these guidelines when you specify HWTACACS authorization servers: 
    •   An HWTACACS server can function as the primary authorization server of one scheme and as the 
    secondary authorization server of another scheme at the same time. 
    •   The IP addresses of the primary and secondary authorization servers cannot be the same. 
    Otherwise, the configuration fails.  
    •   You can remove an authorization server only when no active TCP connection for sending 
    authorization packets is using it.  
    To specify HWTACACS authorization servers for an HWTACACS scheme: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter HWTACACS scheme view.
        Command: hwtacacs scheme hwtacacs-scheme-name
        Remarks: N/A
    3.  Specify HWTACACS authorization servers.
        Commands:
        •   Specify the primary HWTACACS authorization server:
            primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
        •   Specify the secondary HWTACACS authorization server:
            secondary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] *
        Remarks: Configure at least one command. No authorization server is specified by default.
     
    Specifying the HWTACACS accounting servers and the relevant parameters
    You can specify one primary accounting server and up to one secondary accounting server for an
    HWTACACS scheme. When the primary server is not available, any secondary server is used. In a
    scenario where redundancy is not required, specify only the primary server.
    When the switch receives a connection teardown request from a host or a connection teardown
    command from an administrator, it sends a stop-accounting request to the accounting server. You can
    enable buffering of non-responded stop-accounting requests to allow the switch to buffer and resend a
    stop-accounting request until it receives a response or the number of stop-accounting attempts reaches
    the configured limit. In the latter case, the switch discards the packet.
    Follow these guidelines when you specify HWTACACS accounting servers: 
    •   An HWTACACS server can function as the primary accounting server of one scheme and as the 
    secondary accounting server of another scheme at the same time. 
    •   The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, 
    the configuration fails.  
    •   You can remove an accounting server only when no active TCP connection for sending accounting 
    packets is using it. 
    •   HWTACACS does not support accounting for FTP users.  
    						
    To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme:  
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter HWTACACS scheme view.
        Command: hwtacacs scheme hwtacacs-scheme-name
        Remarks: N/A
    3.  Specify HWTACACS accounting servers.
        Commands:
        •   Specify the primary HWTACACS accounting server:
            primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
        •   Specify the secondary HWTACACS accounting server:
            secondary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] *
        Remarks: Configure at least one command. No accounting server is specified by default.
    4.  Enable buffering of stop-accounting requests to which no responses are received.
        Command: stop-accounting-buffer enable
        Remarks: Optional. Enabled by default.
    5.  Set the maximum number of stop-accounting attempts.
        Command: retry stop-accounting retry-times
        Remarks: Optional. The default setting is 100.
     
    Specifying the shared keys for secure HWTACACS communication
    The HWTACACS client and HWTACACS server use the MD5 algorithm to authenticate packets
    exchanged between them and use shared keys for packet authentication and user password encryption.
    They must use the same key for the same type of communication.
    To specify a shared key for secure HWTACACS communication: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter HWTACACS scheme view.
        Command: hwtacacs scheme hwtacacs-scheme-name
        Remarks: N/A
    3.  Specify a shared key for secure HWTACACS authentication, authorization, or accounting
        communication.
        Command: key { accounting | authentication | authorization } [ cipher | simple ] key
        Remarks: No shared key is specified by default.

    NOTE:
    A shared key configured on the switch must be the same as that configured on the HWTACACS server.
    Specifying the VPN to which the servers belong (available only on the HP 5500 EI) 
    After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and 
    accounting servers specified for the scheme belong to  the VPN. However, if you also specify a VPN when 
    specifying a server for the scheme, the server belongs to the specific VPN. 
    To specify a VPN for an HWTACACS scheme:  
      
    						
    1.  Enter system view.
        Command: system-view
    2.  Enter HWTACACS scheme view.
        Command: hwtacacs scheme hwtacacs-scheme-name
    3.  Specify a VPN for the HWTACACS scheme.
        Command: vpn-instance vpn-instance-name
     
    Setting the username format and traffic statistics units 
    A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP
    domain the user belongs to and is used by the switch to determine which users belong to which ISP
    domains. However, some HWTACACS servers cannot recognize usernames that contain an ISP domain
    name. In this case, the switch must remove the domain name of each username before sending the
    username. You can set the username format on the switch for this purpose.
    The switch periodically sends accounting updates to HWTACACS accounting servers to report the traffic
    statistics of online users. For normal and accurate traffic statistics, make sure the unit for data flows and
    that for packets on the switch are consistent with those configured on the HWTACACS servers.
    Follow these guidelines when you set the username format and the traffic statistics units for an 
    HWTACACS scheme: 
    •   If an HWTACACS server does not support a username that carries the domain name, configure the 
    switch to remove the domain name before sending the username to the server. 
    •   For level switching authentication, the  user-name-format keep-original and user-name-format 
    without-domain  commands produce the same results. They make sure usernames sent to the 
    HWTACACS server carry no ISP domain name.  
    To set the username format and the traffic statistics units for an HWTACACS scheme: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter HWTACACS scheme view.
        Command: hwtacacs scheme hwtacacs-scheme-name
        Remarks: N/A
    3.  Set the format for usernames sent to the HWTACACS servers.
        Command: user-name-format { keep-original | with-domain | without-domain }
        Remarks: Optional. By default, the ISP domain name is included in a username.
    4.  Specify the unit for data flows or packets sent to the HWTACACS servers.
        Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*
        Remarks: Optional. The default unit is byte for data flows and is one-packet for data packets.
     
    Specifying a source IP address for outgoing HWTACACS packets
    The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS 
    configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon 
    receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the 
    packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server 
    drops the packet. 
    Usually, the source address of outgoing HWTACACS packets can be the IP address of any NAS
    interface that can communicate with the HWTACACS server. In some special scenarios, however, you
    must change the source IP address. For example, if a Network Address Translation (NAT) device is
    present between the NAS and the HWTACACS server, the source IP address of outgoing HWTACACS
    packets must be a public IP address of the NAS. If the NAS is configured with the Virtual Router
    Redundancy Protocol (VRRP) for stateful failover, the source IP address of HWTACACS packets can be
    the virtual IP address of the VRRP group to which the uplink belongs.
    You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for 
    a specific HWTACACS scheme, or in system view for all HWTACACS schemes whose servers are in a 
    VPN or the public network.  
    Before sending an HWTACACS packet, a NAS selects a source IP address in this order: 
    1.  The source IP address specified for the HWTACACS scheme.
    2.  The source IP address specified in system view for the VPN or public network, depending on where
    the HWTACACS server resides.
    3.  The IP address of the outbound interface specified by the route.
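
The selection order above, combined with the server-side source check described earlier in this section, as an added example that is not part of the HP guide. It predicts which schemes would have their packets dropped by the server; the scheme names, addresses and data layout are constructed for illustration.

```python
import ipaddress

PUBLIC = None  # key used below for the public network (no VPN instance)


def select_source_ip(scheme, system_nas_ip, outbound_ip):
    """Apply the guide's three-step order and report which rule matched.

    scheme        -- {"nas_ip": str or None, "vpn": str or None}
    system_nas_ip -- {vpn name or PUBLIC: ip}, as set by 'hwtacacs nas-ip' in system view
    outbound_ip   -- address of the interface the route to the server uses
    """
    if scheme.get("nas_ip"):
        return scheme["nas_ip"], "scheme view (nas-ip)"
    vpn = scheme.get("vpn", PUBLIC)
    if vpn in system_nas_ip:
        return system_nas_ip[vpn], "system view (hwtacacs nas-ip)"
    return outbound_ip, "outbound interface"


def server_verdict(source_ip, managed_nas_ips):
    """The server processes a packet only if its source is a managed NAS."""
    known = {ipaddress.ip_address(ip) for ip in managed_nas_ips}
    return "processed" if ipaddress.ip_address(source_ip) in known else "dropped"


def predict(schemes, system_nas_ip, managed_nas_ips):
    """Return {scheme name: (source IP, rule that chose it, server verdict)}."""
    report = {}
    for name, scheme in schemes.items():
        ip, rule = select_source_ip(scheme, system_nas_ip, scheme["outbound_ip"])
        report[name] = (ip, rule, server_verdict(ip, managed_nas_ips))
    return report


# Constructed sample data (documentation address ranges, made-up names).
SCHEMES = {
    "hwt-a": {"nas_ip": "192.0.2.10", "vpn": None, "outbound_ip": "10.0.0.1"},
    "hwt-b": {"nas_ip": None, "vpn": "vpn1", "outbound_ip": "10.0.1.1"},
    "hwt-c": {"nas_ip": None, "vpn": None, "outbound_ip": "10.0.2.1"},
}
SYSTEM_NAS_IP = {"vpn1": "198.51.100.5"}       # no entry for the public network
MANAGED_NAS = ["192.0.2.10", "198.51.100.5"]   # NAS addresses registered on the server

if __name__ == "__main__":
    for name, row in predict(SCHEMES, SYSTEM_NAS_IP, MANAGED_NAS).items():
        print(name, *row, sep="  ")
```

In this sample, hwt-c has no nas-ip at either level, so it falls through to the outbound interface address, which the server does not know and therefore drops.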
    To specify a source IP address for all HWTACACS schemes of a VPN or the public network: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Specify a source IP address for outgoing HWTACACS packets.
        Command: hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
        Remarks: By default, the IP address of the outbound interface is used as the source IP address.
     
    To specify a source IP address for a specific HWTACACS scheme:  
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter HWTACACS scheme view.
        Command: hwtacacs scheme hwtacacs-scheme-name
        Remarks: N/A
    3.  Specify a source IP address for outgoing HWTACACS packets.
        Command: nas-ip ip-address
        Remarks: By default, the IP address of the outbound interface is used as the source IP address.
     
    Setting timers for controlling communication with HWTACACS servers
    The switch uses the following timers to control the communication with an HWTACACS server:
    •   Server response timeout timer (response-timeout)—Defines the HWTACACS request
    retransmission interval. After sending an HWTACACS request (authentication, authorization, or
    accounting request), the switch starts this timer. If the switch receives no response from the server
    before this timer expires, it resends the request.
    •   Server quiet timer (quiet)—Defines the duration to keep an unreachable server in blocked state. If
    a server is not reachable, the switch changes the server’s status to blocked, starts this timer for the
    server, and tries to communicate with another server in active state. After this timer expires, the
    switch changes the status of the server back to active.
    •   Real-time accounting timer (realtime-accounting)—Defines the interval at which the switch sends
    real-time accounting updates to the HWTACACS accounting server for online users. To implement
    real-time accounting, the switch must send real-time accounting packets to the accounting server for
    online users periodically.
    						
    To set timers for controlling communication with HWTACACS servers:  
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter HWTACACS scheme view.
        Command: hwtacacs scheme hwtacacs-scheme-name
        Remarks: N/A
    3.  Set the HWTACACS server response timeout timer.
        Command: timer response-timeout seconds
        Remarks: Optional. The default HWTACACS server response timeout timer is 5 seconds.
    4.  Set the quiet timer for the primary server.
        Command: timer quiet minutes
        Remarks: Optional. The default quiet timer for the primary server is 5 minutes.
    5.  Set the real-time accounting interval.
        Command: timer realtime-accounting minutes
        Remarks: Optional. The default real-time accounting interval is 12 minutes.
     
     
    NOTE:
    Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting
    interval. A shorter interval requires higher performance.
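
A small model of the active/blocked server states that the quiet timer controls, as an added example that is not part of the HP guide. It assumes one unanswered request marks a server unreachable (the guide does not give the retransmission count), applies the quiet timer to every server, and returns None when no active server answers; the class and function names are made up.

```python
class ServerPool:
    """Toy model of the active/blocked server states described in the guide."""

    def __init__(self, servers, quiet_minutes=5):
        self.servers = list(servers)             # primary first, then secondary
        self.quiet_seconds = quiet_minutes * 60  # 'timer quiet' is set in minutes
        self.blocked_until = {}                  # server -> second its quiet timer expires

    def state(self, server, now):
        expiry = self.blocked_until.get(server)
        if expiry is not None and now >= expiry:
            del self.blocked_until[server]       # quiet timer expired: active again
            expiry = None
        return "active" if expiry is None else "blocked"

    def request(self, now, reachable):
        """Send one request at second `now`; return (answering server, trace)."""
        trace = []
        for server in self.servers:
            if self.state(server, now) == "blocked":
                trace.append((server, "skipped: blocked"))
            elif server in reachable:
                trace.append((server, "answered"))
                return server, trace
            else:
                # No response: block the server and start its quiet timer.
                self.blocked_until[server] = now + self.quiet_seconds
                trace.append((server, "no response: blocked"))
        return None, trace


def replay(events, quiet_minutes=5):
    """Return which server answered each (time, reachable servers) event."""
    pool = ServerPool(["primary", "secondary"], quiet_minutes)
    return [pool.request(now, reachable)[0] for now, reachable in events]


# Constructed timeline in seconds: the primary fails at t=0 and recovers soon after.
EVENTS = [
    (0,   {"secondary"}),              # primary gives no response, secondary answers
    (60,  {"primary", "secondary"}),   # primary is back but still in its quiet period
    (299, {"primary", "secondary"}),
    (300, {"primary", "secondary"}),   # 5-minute quiet timer expired: primary used again
    (400, set()),                      # neither server answers: both become blocked
    (460, {"primary", "secondary"}),   # both still blocked, so no server is tried
]

if __name__ == "__main__":
    for (now, _), answered in zip(EVENTS, replay(EVENTS)):
        print(f"t={now:>3}s  answered by: {answered}")
```

The timeline shows that a recovered primary is not used again until its quiet timer expires, so the quiet timer sets how long the switch depends on the secondary server.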
    Displaying and maintaining HWTACACS 
     
    •   Display the configuration information or statistics of HWTACACS schemes.
        Command: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view
    •   Display information about buffered stop-accounting requests for which no responses have been received.
        Command: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view
    •   Clear HWTACACS statistics.
        Command: reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]
        Remarks: Available in user view
    •   Clear buffered stop-accounting requests that get no responses.
        Command: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
        Remarks: Available in user view
     
    Configuring AAA methods for ISP domains 
    You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain
    view. Each ISP domain has a set of default AAA methods, which are local authentication, local
    authorization, and local accounting by default and can be customized. If you do not configure any AAA
    methods for an ISP domain, the switch uses the system default AAA methods for authentication,
    authorization, and accounting of the users in the domain.
    Configuration prerequisites 
    To use local authentication for users in an ISP domain, configure local user accounts (see Configuring
    local user attributes) on the switch.
    To use remote authentication, authorization, and accounting, create the required RADIUS and
    HWTACACS schemes as described in Configuring RADIUS schemes and Configuring HWTACACS
    schemes.
    Creating an ISP domain 
    In a networking scenario with multiple ISPs, the switch may connect users of different ISPs, and users of
    different ISPs may have different user attributes, such as different username and password structures,
    different service types, and different rights. To distinguish the users of different ISPs, configure ISP
    domains, and configure different AAA methods and domain attributes for the ISP domains.
    The switch can accommodate up to 16 ISP domains, including the system predefined ISP domain system.
    You can specify one of the ISP domains as the default domain.
    On the switch, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the
    switch considers that the user belongs to the default ISP domain.
    To create an ISP domain: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Create an ISP domain and enter ISP domain view.
        Command: domain isp-name
        Remarks: N/A
    3.  Return to system view.
        Command: quit
        Remarks: N/A
    4.  Specify the default ISP domain.
        Command: domain default enable isp-name
        Remarks: Optional. By default, the default ISP domain is the system predefined ISP domain system.

    NOTE:
    To delete the ISP domain that is functioning as the default ISP domain, you must change it to a non-default
    ISP domain by using the undo domain default enable command.
    Configuring ISP domain attributes 
    In an ISP domain, you can configure the following attributes for all users in the domain: 
    •   Domain status:
    By placing the ISP domain to the active or blocked state, you allow or deny network service
    requests from users in the domain.
    •   Maximum number of online users:
    The switch controls the number of online users in a domain to ensure the system performance and
    service reliability.
    •   Idle cut:
    This function enables the switch to check the traffic of each online user in the domain at the idle
    timeout interval, and to log out any user in the domain whose traffic during the idle timeout period
    is less than the specified minimum traffic.
    •   Self-service server location:
    By using the information defined in this attribute, users can access the self-service server to manage
    their own accounts and passwords.
    •   Default authorization user profile:
    If a user passes authentication but is authorized with no user profile, the switch authorizes the
    default user profile of the ISP domain to the user and restricts the user’s behavior based on the
    profile.
    To configure ISP domain attributes: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter ISP domain view.
        Command: domain isp-name
        Remarks: N/A
    3.  Place the ISP domain to the state of active or blocked.
        Command: state { active | block }
        Remarks: Optional. By default, an ISP domain is in active state, and users in the domain can
        request network services.
    4.  Specify the maximum number of online users in the ISP domain.
        Command: access-limit enable max-user-number
        Remarks: Optional. No limit by default.
    5.  Configure the idle cut function.
        Command: idle-cut enable minute [ flow ]
        Remarks: Optional. Disabled by default. This command is effective for only LAN users and portal users.
    6.  Enable the self-service server location function and specify the URL of the self-service server.
        Command: self-service-url enable url-string
        Remarks: Optional. Disabled by default.
    7.  Specify the default authorization user profile.
        Command: authorization-attribute user-profile profile-name
        Remarks: Optional. By default, an ISP domain has no default authorization user profile.

    NOTE:
    •   For more information about user profiles, see Configuring a user profile.
    •   A self-service RADIUS server, such as IMC, is required for the self-service server location function to
    work.
     
    Configuring AAA authentication methods for an ISP domain 
    In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to
    the interactive authentication process of username/password/user information during an access or
    service request. The authentication process does not send authorization information to a supplicant or
    trigger accounting.
    						
    AAA supports the following authentication methods: 
    •   No authentication (none)—All users are trusted and no authentication is performed. Generally, do
    not use this method.
    •   Local authentication (local)—Authentication is performed by the NAS, which is configured with the
    user information, including the usernames, passwords, and attributes. Local authentication allows
    high speed and low cost, but the amount of information that can be stored is limited by the size of
    the storage space.
    •   Remote authentication (scheme)—The NAS cooperates with a RADIUS or HWTACACS server to
    authenticate users. Remote authentication provides centralized information management, high
    capacity, high reliability, and support for centralized authentication service for multiple NASs. You
    can configure local or no authentication as the backup method, which is used when the remote
    server is not available. No authentication can only be configured for LAN users as the backup
    method of remote authentication.
    You can configure AAA authentication to work alone without authorization and accounting. By default, 
    an ISP domain uses the local authentication method. 
    Before configuring authentication methods, complete the following tasks:
    1.  For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be
    referenced first. The local and none authentication methods do not require a scheme.
    2.  Determine the access type or service type to be configured. With AAA, you can configure an
    authentication method for each access type and service type, limiting the authentication protocols
    that can be used for access.
    3.  Determine whether to configure an authentication method for all access types or service types.
    Follow these guidelines when you configure AAA authentication methods for an ISP domain:
    •   The authentication method specified with the  authentication default command is for all types of 
    users and has a priority lower than that for a specific access type. 
    •   With an authentication method that references a RADIUS scheme, AAA accepts only the 
    authentication result from the RADIUS server. The Access-Accept message from the RADIUS server 
    also carries the authorization information, but the authentication process ignores the information. 
    •   If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme
    hwtacacs-scheme-name local option when you configure an authentication method, local
    authentication is the backup method and is used only when the remote server is not available.
    •   If you specify only the  local or none  keyword in an authentication method configuration command, 
    the switch has no backup authentication method and performs only local authentication or does not 
    perform any authentication. 
    •   If the method for level switching authentication references an HWTACACS scheme, the switch uses 
    the login username of a user for level switching authentication of the user by default. If the method 
    for level switching authentication references a RADIUS scheme, the system uses the username 
    configured for the corresponding privilege level on the RADIUS server for level switching 
    authentication, rather than the login username. A username configured on the RADIUS server is in 
    the format of  $enablevel$, where level specifies the privilege level to which the user wants to switch. 
    For example, if user  user1 of domain aaa  wants to switch the privilege level to 3, the system uses 
    $enab3@aaa$  for authentication when the domain name is required and uses  $enab3$ for 
    authentication when the domain name is not required. 
    To configure AAA authentication methods for an ISP domain: 
      
    						
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter ISP domain view.
        Command: domain isp-name
        Remarks: N/A
    3.  Specify the default authentication method for all types of users.
        Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
        Remarks: Optional. The default authentication method is local for all types of users.
    4.  Specify the authentication method for LAN users.
        Command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
        Remarks: Optional. The default authentication method is used by default.
    5.  Specify the authentication method for login users.
        Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
        Remarks: Optional. The default authentication method is used by default.
    6.  Specify the authentication method for portal users.
        Command: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
        Remarks: Optional. The default authentication method is used by default.
    7.  Specify the authentication method for privilege level switching.
        Command: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
        Remarks: Optional. The default authentication method is used by default.
    Configuring AAA authorization methods for an ISP domain 
    In AAA, authorization is a separate process at the same level as authentication and accounting. Its
    responsibility is to send authorization requests to the specified authorization servers and to send
    authorization information to users after successful authorization. Authorization method configuration is
    optional in AAA configuration.
    AAA supports the following authorization methods: 
    •   No authorization (none)—The NAS performs no authorization exchange. After passing
    authentication, non-login users can access the network, FTP users can access the root directory of
    the NAS, and other login users have only the rights of Level 0 (visiting).
    •   Local authorization (local)—The NAS performs authorization according to the user attributes
    configured for users.
    •   Remote authorization (scheme)—The NAS cooperates with a RADIUS or HWTACACS server to
    authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization
    can work only after RADIUS authentication is successful, and the authorization information is
    carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS
    authentication, and the authorization information is carried in the authorization response after
    successful authentication. You can configure local authorization or no authorization as the backup
    method, which is used when the remote server is not available.
    Before configuring authorization methods, complete the following tasks: 
    1.  For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For
    RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS
    authentication scheme. Otherwise, it does not take effect.
    2.  Determine the access type or service type to be configured. With AAA, you can configure an
    authorization scheme for each access type and service type, limiting the authorization protocols
    that can be used for access.
    3.  Determine whether to configure an authorization method for all access types or service types.
    Follow these guidelines when you configure AAA authorization methods for an ISP domain: 
    •   The authorization method specified with the  authorization default command is for all types of users 
    and has a priority lower than that for a specific access type. 
    •   If you configure an authentication method and an authorization method that use RADIUS schemes
    for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication.
    If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS
    authentication also fails. Whenever RADIUS authorization fails, an error message is sent to the NAS,
    indicating that the server is not responding.
    •   If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme
    hwtacacs-scheme-name [ local | none ] option when you configure an authorization method, local
    authorization or no authorization is the backup method and is used only when the remote server is
    not available.
    •   If you specify only the  local or none  keyword in an authorization method configuration command, 
    the switch has no backup authorization method and  performs only local authorization or does not 
    perform any authorization. 
    To configure AAA authorization methods for an ISP domain: 
     
    1.  Enter system view.
        Command: system-view
        Remarks: N/A
    2.  Enter ISP domain view.
        Command: domain isp-name
        Remarks: N/A
    3.  Specify the default authorization method for all types of users.
        Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
        Remarks: Optional. The authorization method is local for all types of users.
    4.  Specify the command authorization method.
        Command: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
        Remarks: Optional. The default authorization method is used by default.
    5.  Specify the authorization method for LAN users.
        Command: authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
        Remarks: Optional. The default authorization method is used by default.
    6.  Specify the authorization method for login users.
        Command: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
        Remarks: Optional. The default authorization method is used by default.
    7.  Specify the authorization method for portal users.
        Command: authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
        Remarks: Optional. The default authorization method is used by default.
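
A configuration check built on the guidelines in the authentication and authorization sections above, as an added example that is not part of the HP guide. It resolves the effective method per access type (a specific access type outranks default, and local applies when neither is set), then flags use of none for authentication and a RADIUS authorization scheme that differs from the authentication scheme. The sample configuration, its domain and scheme names, and the finding codes are constructed.

```python
ACCESS_TYPES = ("lan-access", "login", "portal")

# Constructed sample in the style of a saved configuration; domain and scheme
# names are made up for this example.
SAMPLE_CONFIG = """\
domain corp
 authentication default radius-scheme rs1 local
 authentication lan-access radius-scheme rs1 none
 authorization default radius-scheme rs2 local
 authorization lan-access radius-scheme rs1
#
domain guest
 authentication default none
#
domain default enable corp
"""


def parse_domains(config_text):
    """Collect authentication/authorization method lines per ISP domain."""
    domains, current = {}, None
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] == "domain":
            current = domains.setdefault(
                parts[1], {"authentication": {}, "authorization": {}})
        elif not parts or parts[0] in ("#", "quit"):
            current = None  # end of the ISP domain view
        elif current is not None and parts[0] in current and len(parts) >= 3:
            # e.g. ["authentication", "login", "radius-scheme", "rs1", "local"]
            current[parts[0]][parts[1]] = parts[2:]
    return domains


def effective(methods, access_type):
    """A method for a specific access type outranks 'default'; a domain with
    neither uses local, which the guide gives as the default."""
    return methods.get(access_type) or methods.get("default") or ["local"]


def split_method(tokens):
    """Return (primary kind, scheme name or None, backup keyword or None)."""
    if tokens[0].endswith("-scheme"):
        name = tokens[1] if len(tokens) > 1 else None
        backup = tokens[2] if len(tokens) > 2 else None
        return tokens[0], name, backup
    return tokens[0], None, None


def audit(config_text):
    """Return a list of (domain, access type, finding code) tuples."""
    findings = []
    for domain, methods in parse_domains(config_text).items():
        for access in ACCESS_TYPES:
            n_kind, n_name, n_backup = split_method(
                effective(methods["authentication"], access))
            z_kind, z_name, _ = split_method(
                effective(methods["authorization"], access))
            if n_kind == "none":
                # The guide: all users are trusted; generally do not use.
                findings.append((domain, access, "AUTHN_NONE"))
            elif n_backup == "none":
                # No authentication applies whenever the server is unavailable.
                findings.append((domain, access, "AUTHN_NONE_BACKUP"))
            if z_kind == "radius-scheme" and (n_kind, n_name) != (z_kind, z_name):
                # RADIUS authorization must use the authentication scheme.
                findings.append((domain, access, "RADIUS_SCHEME_MISMATCH"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep="  ")
```

In the sample, the lan-access override in domain corp avoids the scheme mismatch inherited from default but introduces none as its backup, while login and portal still inherit the mismatched default pair.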
      
    						