HP 5500 Ei 5500 Si Switch Series Configuration Guide
system-view
[SwitchB] radius-server user aaa
# Configure plaintext password aabbcc for user aaa. (The simple keyword stores the password in plain text in the configuration; use cipher where the platform offers it.)
[SwitchB-rdsuser-aaa] password simple aabbcc
[SwitchB-rdsuser-aaa] quit
# Specify the IP address of the RADIUS client as 10.1.1.1 and the plaintext shared key as abc.
[SwitchB] radius-server client-ip 10.1.1.1 key simple abc
4. Verify the configuration:
After entering username aaa@bbb or aaa and password aabbcc, user aaa can telnet to Switch A. Use the display connection command to view the connection information on Switch A.
display connection
Index=1 ,Username=aaa@bbb
IP=192.168.1.2
IPv6=N/A
Total 1 connection(s) matched.

Troubleshooting AAA
Troubleshooting RADIUS

Symptom 1
User authentication/authorization always fails.
Analysis
1. A communication failure exists between the NAS and the RADIUS server.
2. The username is not in the format of userid@isp-name, or the ISP domain for the user authentication is not correctly configured on the NAS.
3. The user is not configured on the RADIUS server.
4. The password entered by the user is incorrect.
5. The RADIUS server and the NAS are configured with different shared keys. With a shared key mismatch the server cannot verify the request and silently discards it, so the NAS typically reports a timeout rather than a rejection.
Solution
Check that:
1. The NAS and the RADIUS server can ping each other.
2. The username is in the userid@isp-name format and the ISP domain for the user authentication is correctly configured on the NAS.
3. The user is configured on the RADIUS server.
4. The correct password is entered.
5. The same shared key is configured on both the RADIUS server and the NAS.

Symptom 2
RADIUS packets cannot reach the RADIUS server.
Analysis
1. The NAS and the RADIUS server cannot communicate with each other.
2. The NAS is not configured with the IP address of the RADIUS server.
3. The UDP ports for authentication/authorization and accounting are not correct.
4. The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.
Solution
Check that:
1. The communication links between the NAS and the RADIUS server work well at both the physical and link layers.
2. The IP address of the RADIUS server is correctly configured on the NAS.
3. The UDP ports for authentication/authorization/accounting configured on the NAS are the same as those configured on the RADIUS server.
4. The port numbers of the RADIUS server for authentication, authorization and accounting are available.

Symptom 3
A user is authenticated and authorized, but accounting for the user is not normal.
Analysis
1. The accounting port number is not correct.
2. The configuration of the authentication/authorization server and the accounting server is not correct on the NAS. For example, one server is configured on the NAS to provide all the services of authentication/authorization and accounting, but in fact the services are provided by different servers.
Solution
Check that:
1. The accounting port number is correctly set.
2. The authentication/authorization server and the accounting server are correctly configured on the NAS.

Troubleshooting HWTACACS
Similar to RADIUS troubleshooting. See Troubleshooting RADIUS.
802.1X fundamentals
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

802.1X architecture
802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the network access device (the authenticator), and the authentication server.
Figure 34 802.1X architecture
• The client—A user terminal seeking access to the LAN. It must have 802.1X software to authenticate to the network access device.
• The network access device—Authenticates the client to control access to the LAN. In a typical 802.1X environment, the network access device uses an authentication server to perform authentication.
• The authentication server—Provides authentication services for the network access device. It authenticates 802.1X clients by using the data sent from the network access device, and returns the authentication results for the network access device to make access decisions. The authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a small LAN, you can also use the network access device as the authentication server.

Controlled/uncontrolled port and port authorization status
802.1X defines two logical ports for the network access port: the controlled port and the uncontrolled port. Any packet arriving at the network access port is visible to both logical ports.
• Controlled port—Allows incoming and outgoing traffic to pass through when it is in the authorized state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown in Figure 35. The controlled port is set in the authorized state if the client has passed authentication, and in the unauthorized state if the client has failed authentication.
• Uncontrolled port—Is always open to receive and transmit EAPOL frames.
Figure 35 Authorization state of a controlled port
[Figure 35: two authenticator systems, each with a controlled port and an uncontrolled port attached to the LAN; in system 1 the controlled port is unauthorized, in system 2 it is authorized]
In the unauthorized state, a controlled port controls traffic in one of the following ways:
• Performs bidirectional traffic control to deny traffic to and from the client.
• Performs unidirectional traffic control to deny traffic from the client.
The HP devices support only unidirectional traffic control.

802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model. It supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the network access device over a wired or wireless LAN. Between the network access device and the authentication server, 802.1X delivers authentication information in one of the following methods:
• Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in EAP relay.
• Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets, as described in EAP termination.
Packet formats
EAP packet format
Figure 36 shows the EAP packet format.
Figure 36 EAP packet format
• Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4).
• Identifier—Used for matching Responses with Requests.
• Length—Length (in bytes) of the EAP packet. The EAP packet length is the sum of the Code, Identifier, Length, and Data fields.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The field comprises the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field.

EAPOL packet format
Figure 37 shows the EAPOL packet format.
Figure 37 EAPOL packet format
• PAE Ethernet type—Protocol type. It takes the value 0x888E for EAPOL.
• Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
• Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by the HP implementation of 802.1X.

Table 5 EAPOL packet types
Value   Type           Description
0x00    EAP-Packet     The client and the network access device use EAP-Packets to transport authentication information.
0x01    EAPOL-Start    The client sends an EAPOL-Start message to the network access device to initiate 802.1X authentication.
0x02    EAPOL-Logoff   The client sends an EAPOL-Logoff message to tell the network access device that it is logging off.

• Length—Data length in bytes, or length of the Packet body. If the packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows.
• Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.

EAP over RADIUS
RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see Configuring AAA.

EAP-Message
RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 38. The Type field takes 79, and the Value field can be up to 253 bytes. If an EAP packet is longer than 253 bytes, RADIUS encapsulates it in multiple EAP-Message attributes, which the receiver concatenates in order.
Figure 38 EAP-Message attribute format
[Figure 38: Type (79) | Length | Value (EAP packet)]

Message-Authenticator
RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The attribute value is an HMAC-MD5 computed with the RADIUS shared key over the entire packet, with the attribute's own 16-byte value set to zero for the calculation. The packet receiver silently discards the packet if the HMAC it calculates differs from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP authentication packets from being tampered with during EAP authentication, and it is the reason a shared-key mismatch between the NAS and the server shows up as dropped packets rather than as an Access-Reject.
Figure 39 Message-Authenticator attribute format

Initiating 802.1X authentication
Both the 802.1X client and the access device can initiate 802.1X authentication.

802.1X client as the initiator
The client sends an EAPOL-Start packet to the access device to initiate 802.1X authentication. The destination MAC address of the packet is the IEEE 802.1X specified multicast address 01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.

Access device as the initiator
The access device initiates authentication if a client, the 802.1X client available with Windows XP for example, cannot send EAPOL-Start packets. The access device supports the following modes:
• Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
• Unicast trigger mode—Upon receiving a frame with a source MAC address not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address. It retransmits the packet if no response has been received within a certain time interval.

802.1X authentication procedures
802.1X authentication has two approaches: EAP relay and EAP termination. You choose either mode depending on the support of the RADIUS server for EAP packets and EAP authentication methods.
• EAP relay mode
EAP relay is defined in IEEE 802.1X. In this mode, the network access device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 40. In EAP relay mode, the RADIUS server must support the authentication method used by the client. On the network access device, you only need to execute the dot1x authentication-method eap command to enable EAP relay.
Figure 40 EAP relay
• EAP termination mode
In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) to authenticate to the RADIUS server, as shown in Figure 41. Because the EAP exchange ends at the network access device, the MD5 challenge in this mode is generated by the network access device rather than by the RADIUS server.
Figure 41 EAP termination
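The packet layouts above (EAPOL over Ethernet, EAP inside it) and the two RADIUS attributes that carry EAP to the server are concrete enough to code. The Python below is an added example written for this page, not HP's implementation or any vendor code: it parses an EAPOL frame down to the EAP Type data and rejects the malformed cases the length fields allow, splits a long EAP packet into 253-byte EAP-Message attributes, and computes and verifies Message-Authenticator as the HMAC-MD5 that RFC 3579 specifies. The supplicant MAC address, the shared key abc (reused from the configuration example earlier on this page), the RADIUS identifier and the all-zero Request Authenticator are assumptions for the demo; a real NAS uses a random Request Authenticator.

```python
"""EAPOL/EAP decoding plus RADIUS EAP-Message and Message-Authenticator handling.
Added example, not HP code. Frame bytes are constructed for the demo; layouts follow
IEEE 802.1X (EAPOL), RFC 3748 (EAP) and RFC 3579 (attributes 79 and 80)."""
import hashlib
import hmac
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MAX_EAP_MESSAGE_VALUE = 253   # 255-byte attribute minus the Type and Length octets


def parse_eap(pkt: bytes) -> dict:
    """EAP header: Code(1) Identifier(1) Length(2); Request/Response add Type(1) + data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    out = {"code": EAP_CODES.get(code, "unknown"), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type octet")
        out["type"], out["type_data"] = pkt[4], pkt[5:length]
    return out


def parse_eapol(frame: bytes) -> dict:
    """Ethernet frame -> EAPOL header (version, type, length) -> optional EAP packet."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not EAPOL: ethertype 0x%04x" % ethertype)
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:                 # lying Length field or truncated frame
        raise ValueError("EAPOL Length exceeds frame")
    if ptype in (1, 2) and length != 0:     # Start and Logoff carry no body
        raise ValueError("EAPOL-Start/Logoff must have Length 0")
    out = {"dst": frame[0:6], "src": frame[6:12], "version": version,
           "type": EAPOL_TYPES.get(ptype, "unknown"), "body": body}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def eap_message_attrs(eap_pkt: bytes) -> bytes:
    """Split an EAP packet into EAP-Message (79) attributes of at most 253 value bytes."""
    out = b""
    for i in range(0, len(eap_pkt), MAX_EAP_MESSAGE_VALUE):
        chunk = eap_pkt[i:i + MAX_EAP_MESSAGE_VALUE]
        out += struct.pack("!BB", 79, 2 + len(chunk)) + chunk
    return out


def build_access_request(secret: bytes, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """Access-Request (Code 1) whose Message-Authenticator (80) is HMAC-MD5, keyed with the
    shared secret, over the whole packet with the attribute value zeroed (RFC 3579 3.2)."""
    body = attrs + struct.pack("!BB", 80, 18) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                  # the zero placeholder is the last attribute


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Receiver check: False means silently discard. A wrong shared key fails here."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False
        if atype == 80 and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False                            # attribute required for EAP is missing


# Constructed sample: supplicant 00-11-22-33-44-55 answers an Identity request with "aaa@bbb".
IDENTITY_RESPONSE = struct.pack("!BBH", 2, 1, 12) + b"\x01" + b"aaa@bbb"
SAMPLE_FRAME = (PAE_GROUP_MAC + bytes.fromhex("001122334455")
                + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 0, len(IDENTITY_RESPONSE))
                + IDENTITY_RESPONSE)


def demo(secret: bytes = b"abc") -> dict:
    """Relay the sample EAP-Response/Identity into RADIUS and check it with right/wrong keys.
    Identifier 7 and the all-zero Request Authenticator are demo assumptions."""
    eap = parse_eapol(SAMPLE_FRAME)["eap"]
    req = build_access_request(secret, 7, bytes(16), eap_message_attrs(IDENTITY_RESPONSE))
    return {"username": eap["type_data"].decode(), "radius_len": len(req),
            "ok_with_right_key": verify_message_authenticator(secret, req),
            "ok_with_wrong_key": verify_message_authenticator(b"wrong", req)}


if __name__ == "__main__":
    print(demo())
```

The last two entries of demo() are the RADIUS troubleshooting symptom seen from the server side: with a different shared key the HMAC does not verify, the request is discarded, and the NAS observes a timeout rather than an Access-Reject.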
A comparison of EAP relay and EAP termination

Packet exchange method: EAP relay
Benefits:
• Supports various EAP authentication methods.
• The configuration and processing is simple on the network access device.
Limitations:
• The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.

Packet exchange method: EAP termination
Benefits:
• Works with any RADIUS server that supports PAP or CHAP authentication.
Limitations:
• Supports only MD5-Challenge EAP authentication and the username + password EAP authentication initiated by an HP iNode 802.1X client.
• The processing is complex on the network access device.

EAP relay
Figure 42 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used. Note that EAP-MD5 authenticates only the client (the server is never authenticated), derives no keying material, and a captured challenge/response pair allows an offline dictionary attack on the password; prefer EAP-TLS or PEAP where the clients and the server support them.
Figure 42 802.1X authentication procedure in EAP relay mode
1. When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device.
2. The network access device responds with an Identity EAP-Request packet to ask for the client username.
3. In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device.
4. The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server.
5. The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server generates a random challenge, keeps it with the password in the entry so that it can compute the expected MD5 digest of the EAP identifier, the password, and the challenge, and sends the challenge in an EAP-Request/MD5-Challenge packet inside a RADIUS Access-Challenge packet to the network access device.
6. The network access device relays the EAP-Request/MD5-Challenge packet to the client in an EAPOL frame of type EAP-Packet.
7. The client computes the MD5 digest of the EAP identifier, its password, and the received challenge, and sends the digest in an EAP-Response/MD5-Challenge packet to the network access device. The password itself never leaves the client.
8. The network access device relays the EAP-Response/MD5-Challenge packet in a RADIUS Access-Request packet to the authentication server.
9. The authentication server compares the received digest with the one it computed from the challenge issued at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device; otherwise it sends a RADIUS Access-Reject packet, and the network access device sends an EAP-Failure packet to the client.
10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
11. After the client comes online, the network access device periodically sends handshake requests to check whether the client is still online.
12. Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a certain number of consecutive handshake attempts (two by default), the network access device logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X users that have abnormally gone offline.
13. The client can also send an EAPOL-Logoff packet to ask the network access device for a logoff.
14. In response to the EAPOL-Logoff packet, the network access device changes the status of the controlled port from authorized to unauthorized and sends an EAP-Failure packet to the client.
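Steps 1 to 14 above describe one state machine per role. The Python below is an added example, not HP code, that runs the EAP-MD5 exchange in EAP relay mode with the three parties in one process: the supplicant answers Identity and MD5-Challenge requests, the authentication server issues the challenge and compares the digest, and the network access device relays, flips its controlled port, counts missed handshakes (two by default, as in the text) and handles logoff. The user database, the EAP identifier values and the handshake bookkeeping are assumptions of the simulation, and RADIUS packets are represented by their code names rather than encoded bytes.

```python
"""EAP-MD5 exchange of Figure 42 as a runnable three-party simulation.
Added example, not HP code. The roles run in one process and the "wire" is a function
call; user data is constructed. MD5-Challenge response = MD5(Identifier || password ||
challenge), RFC 3748 section 5.4 (the same construction as CHAP, RFC 1994)."""
import hashlib
import hmac
import os
import struct
from typing import Optional

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4       # EAP Code values
TYPE_IDENTITY, TYPE_MD5 = 1, 4                         # EAP Type values


def eap(code: int, ident: int, etype: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build an EAP packet: Code, Identifier, Length, then optional Type + type data."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class RadiusServer:
    """Authentication server (steps 5 and 9). Remembers the challenge it issued per user."""
    def __init__(self, users: dict):
        self.users, self.pending = users, {}

    def access_request(self, username: str, ident: int, digest: Optional[bytes] = None):
        if username not in self.users:
            return "Access-Reject", eap(FAILURE, ident)
        if digest is None:                                   # identity seen: issue a challenge
            challenge = os.urandom(16)
            self.pending[username] = (ident, challenge)
            return "Access-Challenge", eap(REQUEST, ident, TYPE_MD5, bytes([16]) + challenge)
        if username not in self.pending:
            return "Access-Reject", eap(FAILURE, ident)
        cid, challenge = self.pending.pop(username)          # one challenge, one attempt
        expected = md5_response(cid, self.users[username], challenge)
        if hmac.compare_digest(expected, digest):
            return "Access-Accept", eap(SUCCESS, cid)
        return "Access-Reject", eap(FAILURE, cid)


class Supplicant:
    """802.1X client: answers Identity and MD5-Challenge requests (steps 3 and 7)."""
    def __init__(self, username: str, password: str):
        self.username, self.password = username.encode(), password.encode()

    def handle(self, pkt: bytes) -> Optional[bytes]:
        code, ident, _ = struct.unpack("!BBH", pkt[:4])
        if code != REQUEST:
            return None                                      # Success/Failure need no reply
        if pkt[4] == TYPE_IDENTITY:
            return eap(RESPONSE, ident, TYPE_IDENTITY, self.username)
        if pkt[4] == TYPE_MD5:
            challenge = pkt[6:6 + pkt[5]]                    # Value-Size byte, then Value
            digest = md5_response(ident, self.password, challenge)
            return eap(RESPONSE, ident, TYPE_MD5, bytes([16]) + digest + self.username)
        return None                                          # unsupported method (NAK omitted)


class Authenticator:
    """Network access device in EAP relay mode: controlled port plus online handshake."""
    def __init__(self, server: RadiusServer, handshake_max_misses: int = 2):
        self.server, self.max_misses = server, handshake_max_misses
        self.authorized = False

    def authenticate(self, client: Supplicant) -> bool:
        resp = client.handle(eap(REQUEST, 1, TYPE_IDENTITY))           # steps 2-3
        username = resp[5:].decode()
        status, pkt = self.server.access_request(username, 2)          # steps 4-5 (id 2 assumed)
        if status != "Access-Challenge":
            self.authorized = False
            return False
        resp = client.handle(pkt)                                      # steps 6-7
        digest = resp[6:6 + resp[5]]
        status, pkt = self.server.access_request(username, 2, digest)  # steps 8-9
        client.handle(pkt)                                             # step 10: Success/Failure
        self.authorized = status == "Access-Accept"
        return self.authorized

    def handshake(self, replies: list) -> bool:
        """Steps 11-12: one bool per handshake request; log off after max_misses in a row."""
        misses = 0
        for answered in replies:
            misses = 0 if answered else misses + 1
            if misses >= self.max_misses:
                self.authorized = False                      # client presumed gone
                break
        return self.authorized

    def logoff(self) -> bytes:
        """Steps 13-14: EAPOL-Logoff received -> port unauthorized, EAP-Failure to the client."""
        self.authorized = False
        return eap(FAILURE, 0)


if __name__ == "__main__":
    srv = RadiusServer({"aaa": b"aabbcc"})                   # constructed user database
    nas = Authenticator(srv)
    print("good password authorized:", nas.authenticate(Supplicant("aaa", "aabbcc")))
    print("online after one missed handshake:", nas.handshake([True, False, True]))
    print("bad password authorized:", Authenticator(srv).authenticate(Supplicant("aaa", "guess")))
```

The server pops the pending challenge on the first response, so a replayed or second guess against the same challenge is rejected outright; a real server should also rate-limit failures per identity, since the digest alone gives an offline attacker everything needed to test password guesses.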