HP 5500 Ei 5500 Si Switch Series Configuration Guide

Specify the ports for authentication and accounting as 1812 and 1813, respectively.
Select LAN Access Service as the service type.
Select HP as the access device type.
Select the switch from the device list or manually add the switch whose IP address is 10.1.1.2.
Leave the default settings in other fields.
d. Click OK.
NOTE:
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the switch.
     
Figure 27 Adding the switch to IMC as an access device
     
     
2. Define a charging policy:
a. Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree.
b. Click Add.
c. Configure the following parameters:
Enter UserAcct as the plan name.
Select Flat rate as the charging template.
In the Basic Plan Settings field, configure a fixed fee of 120 dollars per month.
In the Service Usage Limit field, set the Usage Threshold to 120 hours, allowing the user to access the Internet for up to 120 hours per month.
Leave the default settings in other fields.
d. Click OK.
      
    						
Figure 28 Defining a charging policy
     
     
3. Add a service:
a. Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree.
b. Click Add.
c. Configure the following parameters:
Enter Dot1x auth as the service name and bbb as the service suffix. The service suffix indicates the authentication domain for 802.1X users. When the service suffix is configured, you must configure the switch to keep the domain names in the usernames sent to the RADIUS server.
Enter UserAcct as the Charging Plan.
Select Deploy VLAN and set the ID of the VLAN to be assigned to 4.
Configure other parameters as needed.
d. Click OK.
    						
Figure 29 Adding a service
     
     
4. Create an account for 802.1X users:
a. Click the User tab, and select All Access Users from the navigation tree.
b. Click Add.
c. Configure the following parameters:
Select the user test, or add the user if it does not exist.
Enter dot1x as the account name and set the password.
Select the access service Dot1x auth.
Configure other parameters as needed.
d. Click OK.
    						
Figure 30 Creating an account for 802.1X users
      
     
Configuring the switch
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named rad and enter its view.
<Switch> system-view
[Switch] radius scheme rad
# Set the server type for the RADIUS scheme. When you use IMC, set the server type to extended.
[Switch-radius-rad] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rad] primary authentication 10.1.1.1
[Switch-radius-rad] primary accounting 10.1.1.1
[Switch-radius-rad] key authentication expert
[Switch-radius-rad] key accounting expert
# Configure the scheme to include the domain names in the usernames sent to the RADIUS server.
[Switch-radius-rad] user-name-format with-domain
[Switch-radius-rad] quit
2. Configure an authentication domain:
# Create an ISP domain named bbb and enter its view.
[Switch] domain bbb
# Configure the ISP domain to use RADIUS scheme rad.
[Switch-isp-bbb] authentication lan-access radius-scheme rad
[Switch-isp-bbb] authorization lan-access radius-scheme rad
[Switch-isp-bbb] accounting lan-access radius-scheme rad
[Switch-isp-bbb] quit
    						
# Configure bbb as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable bbb
3. Configure 802.1X authentication:
# Enable 802.1X globally.
[Switch] dot1x
# Enable 802.1X for port GigabitEthernet 1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] dot1x
[Switch-GigabitEthernet1/0/1] quit
# Configure the access control method. (Optional. The default setting meets the requirement.)
[Switch] dot1x port-method macbased interface gigabitethernet 1/0/1
Verifying the configuration
When you use the HP iNode client, no advanced authentication options are required, and the user can pass authentication after entering username dot1x@bbb and the correct password in the client property page.
If the 802.1X client of Windows XP is used, select the Enable IEEE 802.1X authentication for this network option and select MD5-Challenge as the EAP type on the Authentication tab of the network connection properties window. The user passes authentication after entering the correct username and password in the pop-up authentication page.
After the user passes authentication, the server assigns the port connecting the client to VLAN 4.
Use the display connection command to view the connection information on the switch.
[Switch] display connection
Slot:  1
Index=22  , Username=dot1x@bbb
 IP=192.168.1.58
 IPv6=N/A
 MAC=0015-e9a6-7cfe
 Total 1 connection(s) matched on slot 1.
 Total 1 connection(s) matched.
# View the information of the specified connection on the switch.
[Switch] display connection ucibindex 22
Slot:  1
Index=22  , Username=dot1x@bbb
IP=192.168.1.58
IPv6=N/A
MAC=0015-e9a6-7cfe
Access=8021X   ,AuthMethod=CHAP
Port Type=Ethernet,Port Name=GigabitEthernet1/0/1
Initial VLAN=2, Authorization VLAN=4
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s
 Total 1 connection matched.
As the Authorization VLAN field in the output shows, VLAN 4 has been assigned to the user.
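The two display connection outputs above are what a verification step has to read. The parser below, added here as an example and not part of the guide, turns that output into records so the VLAN assignment can be checked by a script instead of by eye. The first record in the sample is the guide's own output; the second record (Index=23, guest@bbb, still in VLAN 2) and all function names are constructed for the demonstration:

```python
"""Added example, not from the HP guide: parse 'display connection' output and
check that the RADIUS-authorized VLAN took effect.  Record 1 is the guide's
output; record 2 (Index=23, guest@bbb, still in VLAN 2) is constructed here to
show a failing check.  Function names are assumed."""

SAMPLE = """\
Slot:  1
Index=22  , Username=dot1x@bbb
IP=192.168.1.58
IPv6=N/A
MAC=0015-e9a6-7cfe
Access=8021X   ,AuthMethod=CHAP
Port Type=Ethernet,Port Name=GigabitEthernet1/0/1
Initial VLAN=2, Authorization VLAN=4
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s
Index=23  , Username=guest@bbb
IP=192.168.1.59
IPv6=N/A
MAC=0015-e9a6-7d00
Access=8021X   ,AuthMethod=CHAP
Port Type=Ethernet,Port Name=GigabitEthernet1/0/2
Initial VLAN=2, Authorization VLAN=2
 Total 2 connection(s) matched.
"""


def parse_connections(text):
    """One dict per connection: a record starts at each 'Index=' line, a 'Slot:'
    line sets the slot for the records that follow, 'Total ...' lines are ignored."""
    records, current, slot = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Total"):
            continue
        if line.startswith("Slot:"):
            slot = int(line.split(":", 1)[1])
            continue
        if line.startswith("Index="):
            current = {"Slot": slot}
            records.append(current)
        if current is None:
            continue
        for pair in line.split(","):          # fields are comma separated; values carry no commas
            key, _, value = pair.partition("=")
            if value:
                current[key.strip()] = value.strip()
    return records


def authorized_vlan(records, username):
    """VLAN the server actually pushed for the user, or None if there is no record or no numeric VLAN."""
    for rec in records:
        if rec.get("Username") == username:
            vlan = rec.get("Authorization VLAN", "")
            return int(vlan) if vlan.isdigit() else None
    return None


def verify(text, username, expected_vlan):
    """Return a list of problems; an empty list means the user is online over 802.1X in the expected VLAN."""
    records = parse_connections(text)
    rec = next((r for r in records if r.get("Username") == username), None)
    if rec is None:
        return [f"{username}: no connection record"]
    problems = []
    if rec.get("Access") != "8021X":
        problems.append(f"{username}: access type is {rec.get('Access')}, not 8021X")
    got = authorized_vlan(records, username)
    if got != expected_vlan:
        problems.append(f"{username}: authorization VLAN is {got}, expected {expected_vlan}")
    return problems


if __name__ == "__main__":
    for user in ("dot1x@bbb", "guest@bbb"):
        print(user, verify(SAMPLE, user, 4) or "OK")
```

The check compares the Authorization VLAN field, not Initial VLAN: a user whose record still shows the initial VLAN has authenticated but has not received the VLAN the service was configured to deploy.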
Level switching authentication for Telnet users by an HWTACACS server
Network requirements
As shown in Figure 31, configure the switch to:
• Use local authentication for the Telnet user and assign the privilege level of 0 to the user after the user passes authentication.
• Use the HWTACACS server for level switching authentication of the Telnet user, and use local authentication as the backup.
Figure 31 Network diagram


Configuration considerations
1. Configure the switch to use AAA, particularly, local authentication for Telnet users:
- Create ISP domain bbb and configure it to use local authentication for Telnet users.
- Create a local user account, configure the password, and assign the user privilege level.
2. On the switch, configure the authentication method for user privilege level switching:
- Specify to use HWTACACS authentication and, if HWTACACS authentication is not available, use local authentication for user level switching authentication.
- Configure HWTACACS scheme hwtac and assign an IP address to the HWTACACS server. Set the shared keys for message exchange and specify that usernames sent to the HWTACACS server carry no domain name. Configure the domain to use the HWTACACS scheme hwtac for user privilege level switching authentication.
- Configure the password for local privilege level switching authentication.
3. On the HWTACACS server, add the username and password for user privilege level switching authentication.
Configuration procedure
1. Configure the switch:
# Configure the IP address of VLAN-interface 2, through which the Telnet user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Enable the switch to provide Telnet service.
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
[Switch-ui-vty0-4] quit
# Use HWTACACS authentication for user level switching authentication and, if HWTACACS authentication is not available, use local authentication.
[Switch] super authentication-mode scheme local
# Create an HWTACACS scheme named hwtac.
[Switch] hwtacacs scheme hwtac
# Specify the IP address for the primary authentication server as 10.1.1.1 and the port for authentication as 49.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Set the shared key for secure authentication communication to expert.
[Switch-hwtacacs-hwtac] key authentication simple expert
# Configure the scheme to remove the domain name from a username before sending the username to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Create ISP domain bbb.
[Switch] domain bbb
# Configure the ISP domain to use local authentication for Telnet users.
[Switch-isp-bbb] authentication login local
# Configure the ISP domain to use HWTACACS scheme hwtac for privilege level switching authentication.
[Switch-isp-bbb] authentication super hwtacacs-scheme hwtac
[Switch-isp-bbb] quit
# Create a local Telnet user named test.
[Switch] local-user test
[Switch-luser-test] service-type telnet
[Switch-luser-test] password simple aabbcc
# Configure the user level of the Telnet user to 0 after user login.
[Switch-luser-test] authorization-attribute level 0
[Switch-luser-test] quit
# Configure the password for local privilege level switching authentication to 654321.
[Switch] super password simple 654321
[Switch] quit
2. Configure the HWTACACS server:
NOTE:
The HWTACACS server in this example runs ACSv4.0.

Add a user named test on the HWTACACS server and configure advanced attributes for the user as shown in Figure 32:
- Select Max Privilege for any AAA Client and set the privilege level to level 3. After these configurations, the user uses the password enabpass when switching to level 1, level 2, or level 3.
- Select Use separate password and specify the password as enabpass.
Figure 32 Configuring advanced attributes for the Telnet user
     
     
3. Verify the configuration:
After you complete the configuration, the Telnet user should be able to telnet to the switch and use username test@bbb and password aabbcc to enter the user interface of the switch, and access all level 0 commands.
telnet 192.168.1.70
Trying 192.168.1.70 ...
Press CTRL+K to abort
Connected to 192.168.1.70 ...
******************************************************************************
* Copyright (c) 2004-2012 Hewlett-Packard Development Company,L.P..          *
* Without the owners prior written consent,                                  *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

Login authentication

Username:test@bbb
Password:
<Switch> ?
User view commands:
  display  Display current system information
  ping     Ping function
  quit     Exit from current command view
  ssh2     Establish a secure shell client connection
  super    Set the current user priority level
  telnet   Establish one TELNET connection
  tracert  Trace route function
When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as prompted.
<Switch> super 3
 Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
If the HWTACACS server is not available, the Telnet user needs to enter password 654321 as prompted for local authentication.
<Switch> super 3
 Password:  ← Enter the password for HWTACACS privilege level switch authentication
 Error: Invalid configuration or no response from the authentication server.
 Info: Change authentication mode to local.
 Password:  ← Enter the password for local privilege level switch authentication
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
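The transcript above shows the two paths a super 3 request can take under super authentication-mode scheme local. The Python model below, added here as an example and not code from the guide or from the switch software, makes the decision rule explicit: the HWTACACS scheme is asked first, the local super password is consulted only when no server answers, and an explicit reject from the server is final with no local fallback (that last point is the reading of "if HWTACACS authentication is not available" assumed here). The messages reuse the guide's own prompts; the class names, the simulated server and the hashed storage of the local password are assumptions:

```python
"""Added example, not from the HP guide: decision logic of 'super <level>' under
'super authentication-mode scheme local'.  Class and function names, the
simulated HWTACACS server and the salted-hash storage of the local password are
assumed; passwords follow the guide (enabpass on the server, 654321 locally)."""
import hashlib
import hmac
import os

NO_RESPONSE = "Error: Invalid configuration or no response from the authentication server."
TO_LOCAL = "Info: Change authentication mode to local."
INCORRECT = "Error: Password incorrect."


class ServerUnavailable(Exception):
    """No HWTACACS server answered (timeout or unreachable)."""


class HwtacacsScheme:
    """Stand-in for scheme hwtac: username -> (max privilege level, enable password)."""

    def __init__(self, users, available=True):
        self.users = users
        self.available = available

    def authenticate_super(self, username, password, level):
        if not self.available:
            raise ServerUnavailable()
        entry = self.users.get(username)
        if entry is None:
            return False
        max_level, enable_password = entry
        return level <= max_level and hmac.compare_digest(enable_password, password)


class LocalSuperPassword:
    """The 'super password' for one level, kept as a salted PBKDF2 hash instead of 'simple' text."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = self._derive(password)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check(self, password):
        return hmac.compare_digest(self._derive(password), self.digest)


def switch_level(username, current_level, target_level, scheme, local_passwords, typed):
    """Model of 'super <level>' with 'super authentication-mode scheme local'.
    typed: the passwords the user enters at the successive Password: prompts.
    Returns (level granted, messages the user would see)."""
    if target_level <= current_level:
        return target_level, []                       # lowering privilege asks for no password
    if not typed:
        return current_level, [INCORRECT]
    try:
        if scheme.authenticate_super(username, typed[0], target_level):
            return target_level, []
        return current_level, [INCORRECT]             # an explicit reject is final: no local fallback
    except ServerUnavailable:
        messages = [NO_RESPONSE, TO_LOCAL]            # only now does the local password count
        local = local_passwords.get(target_level)
        if len(typed) > 1 and local is not None and local.check(typed[1]):
            return target_level, messages
        return current_level, messages + [INCORRECT]


def demo(server_up, typed):
    """Constructed scenario from this section: user test switching from level 0 to level 3."""
    scheme = HwtacacsScheme({"test": (3, "enabpass")}, available=server_up)
    local_passwords = {3: LocalSuperPassword("654321")}
    return switch_level("test", 0, 3, scheme, local_passwords, typed)
```

demo(True, ["enabpass"]) is the first transcript, demo(False, ["enabpass", "654321"]) the second; demo(True, ["654321"]) shows that the local password is not accepted while the server is reachable, which is what keeps the backup path from becoming a second way in.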
RADIUS authentication and authorization for Telnet users by a switch
Network requirements
As shown in Figure 33, configure Switch B to act as a RADIUS server to provide authentication and authorization for the Telnet user on port 1645.
Configure Switch A to use the RADIUS server for Telnet user authentication and authorization, and to remove the domain name in a username sent to the server.
Set the shared keys for secure communication between the NAS and the RADIUS server to abc.
    						
Figure 33 Network diagram
     
Configuration procedure
1. Assign an IP address to each interface as shown in Figure 33. (Details not shown.)
2. Configure the NAS:
# Enable the Telnet server on Switch A.
<SwitchA> system-view
[SwitchA] telnet server enable
# Configure Switch A to use AAA for Telnet users.
[SwitchA] user-interface vty 0 4
[SwitchA-ui-vty0-4] authentication-mode scheme
[SwitchA-ui-vty0-4] quit
# Create RADIUS scheme rad.
[SwitchA] radius scheme rad
# Configure the RADIUS server type as standard. When a switch is configured to serve as a RADIUS server, the server type must be set to standard.
[SwitchA-radius-rad] server-type standard
# Specify the IP address for the primary authentication server as 10.1.1.2, the port for authentication as 1645, and the shared key for secure authentication communication as abc.
[SwitchA-radius-rad] primary authentication 10.1.1.2 1645 key abc
# Configure the scheme to remove the domain name from a username before sending the username to the RADIUS server.
[SwitchA-radius-rad] user-name-format without-domain
# Set the source IP address for RADIUS packets as 10.1.1.1.
[SwitchA-radius-rad] nas-ip 10.1.1.1
[SwitchA-radius-rad] quit
# Create ISP domain bbb.
[SwitchA] domain bbb
# Specify the authentication method for Telnet users as rad.
[SwitchA-isp-bbb] authentication login radius-scheme rad
# Specify the authorization method for Telnet users as rad.
[SwitchA-isp-bbb] authorization login radius-scheme rad
# Specify the accounting method for Telnet users as none.
[SwitchA-isp-bbb] accounting login none
[SwitchA-isp-bbb] quit
# Configure bbb as the default ISP domain. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.
[SwitchA] domain default enable bbb
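The nas-ip command in this section and the NOTE in the IMC example earlier make the same point: a RADIUS server identifies the NAS by the source IP address of its packets and takes the shared key from that entry. The Python model below, added here as an example and not code from the guide or from HP, implements the relevant parts of RFC 2865 for one Access-Request/Access-Accept exchange together with the username handling of user-name-format and domain default enable, so the three failure modes can be seen side by side: an unknown source IP (no reply at all), a wrong shared key (the reply fails the Response Authenticator check), and a username sent without the domain the server expects (reject). The function names, the client and user tables and the password are assumed; addresses and key follow the IMC example (NAS 10.1.1.2, key expert):

```python
"""Added example, not from the HP guide: a minimal RFC 2865 Access-Request on
the NAS side and its handling on the server side.  Attribute types, the
User-Password hiding rule and the Response Authenticator are RFC 2865; function
names, the client/user tables and the password are assumed.  The reading that
'with-domain' appends the resolved domain when the user omitted it is assumed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def resolve_domain(username, default_domain):
    """ISP domain selection: an explicit '@domain' suffix wins, otherwise the default domain."""
    if "@" in username:
        user, domain = username.rsplit("@", 1)
        return user, domain
    return username, default_domain


def radius_user_name(username, default_domain, fmt):
    """User-Name sent under 'user-name-format with-domain | without-domain'."""
    user, domain = resolve_domain(username, default_domain)
    return f"{user}@{domain}" if fmt == "with-domain" else user


def _pw_xor(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = block if decrypt else res
    return out


def hide_password(password, secret, authenticator):
    pw = password.encode()
    return _pw_xor(pw + b"\x00" * (-len(pw) % 16), secret, authenticator, decrypt=False)


def reveal_password(cipher, secret, authenticator):
    return _pw_xor(cipher, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _tlv(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(user_name, password, secret, nas_ip, ident=1):
    """NAS side: header (Code, Identifier, Length), random Request Authenticator, attributes."""
    auth = os.urandom(16)
    attrs = _tlv(USER_NAME, user_name.encode())
    attrs += _tlv(USER_PASSWORD, hide_password(password, secret, auth))
    attrs += _tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet, src_ip, clients, users):
    """Server side.  The shared key is looked up by the packet's SOURCE IP, not by the
    NAS-IP-Address attribute; an unknown source is silently discarded (RFC 2865 section 3),
    so a NAS sending from an address the server does not know simply sees no reply."""
    secret = clients.get(src_ip)
    if secret is None:
        return None
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    name = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, auth).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(name) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)     # no reply attributes in this model
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + auth + secret).digest()


def client_check_reply(reply, request, secret):
    """NAS side: a reply whose Response Authenticator does not verify under the NAS's key is dropped."""
    if reply is None:
        return "no response (server unavailable)"
    if hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest() != reply[4:20]:
        return "bad response authenticator"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


def demo(src_ip, fmt="with-domain", nas_key=b"expert"):
    """Constructed scenario: the server knows NAS 10.1.1.2 with key expert; account dot1x, suffix bbb."""
    clients = {"10.1.1.2": b"expert"}
    users = {"dot1x@bbb": "Pa55-demo"}
    req = build_access_request(radius_user_name("dot1x", "bbb", fmt), "Pa55-demo", nas_key, "10.1.1.2")
    return client_check_reply(server_handle(req, src_ip, clients, users), req, nas_key)
```

In the IMC example the account is dot1x with service suffix bbb, so the server expects dot1x@bbb and the scheme sends usernames with-domain; in this section Switch B expects the bare name and the scheme is set without-domain. demo("10.1.1.3") reproduces the NOTE's mismatch: the request leaves from an address the server has no entry for, nothing comes back, and the switch reports the server as unavailable rather than as rejecting the user.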
3. Configure the RADIUS server:
# Create RADIUS user aaa and enter its view.
(Figure 33 diagram labels: Telnet user 192.168.1.2; Switch A, the NAS, with Vlan-int3 192.168.1.1/24 and Vlan-int2 10.1.1.1/24; Switch B, the RADIUS server, with Vlan-int2 10.1.1.2/24.)
    						