HP 5500 Ei 5500 Si Switch Series Configuration Guide
Configuring MAC authentication

MAC authentication overview

MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access.

The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. This quiet mechanism avoids repeated authentication during a short time.

NOTE:
If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark it as a silent address.

User account policies

MAC authentication supports the following user account policies:
• One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment.
• One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment.

Authentication approaches

You can perform MAC authentication on the access device (local authentication) or through a Remote Authentication Dial-In User Service (RADIUS) server.

Suppose a packet with an unknown source MAC address arrives at a MAC authentication enabled port.

In the local authentication approach:
• If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search its local account database for a match.
• If a shared account is used, the access device uses the shared account username and password to search its local account database for a match.

In the RADIUS authentication approach:
• If MAC-based accounts are used, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.
• If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.

For more information about configuring local authentication and RADIUS authentication, see Configuring AAA.

MAC authentication timers

MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
• Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
• Server timeout timer—Sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.

Using MAC authentication with other features

VLAN assignment

You can specify a VLAN in the user account for a MAC authentication user to control the account's access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the user logs off, the initial default VLAN (the default VLAN configured before any VLAN is assigned by the authentication server) is restored. If the authentication server assigns no VLAN, the initial default VLAN applies.

A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

If MAC-based VLAN is enabled on a hybrid port, the device maps the server-assigned VLAN to the MAC address of the user. The default VLAN of the hybrid port does not change.
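As an added illustration that is not part of HP's documentation, the following Python simulation models the quiet timer and offline detect timer behaviour described in the MAC authentication overview and timers sections above: an unknown source MAC triggers authentication, a failed MAC is silenced for the quiet period (a static MAC is exempt), and a user idle for two consecutive offline-detect intervals is logged out. The authenticate callback, the sample MAC addresses and the static-MAC entry are constructed for this example.

```python
"""Quiet-timer and offline-detect behaviour of MAC authentication, simulated.

Added example, not HP code. The authenticate callback and the MAC addresses
used in demo() are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class MacAuthPort:
    authenticate: Callable[[str], bool]   # True when the MAC passes authentication
    quiet: int = 60                        # quiet timer in seconds (page default)
    offline_detect: int = 300              # offline detect timer in seconds (page default)
    static_macs: Set[str] = field(default_factory=set)      # never marked silent
    online: Dict[str, int] = field(default_factory=dict)    # mac -> time of last traffic
    silent: Dict[str, int] = field(default_factory=dict)    # mac -> quiet timer expiry
    log: List[Tuple[str, str, int]] = field(default_factory=list)

    def packet(self, mac: str, now: int) -> str:
        """Decide 'forward' or 'drop' for a packet from `mac` arriving at time `now`."""
        self._expire_idle(now)
        if mac in self.online:
            self.online[mac] = now          # traffic seen: the user is not idle
            return "forward"
        expiry = self.silent.get(mac)
        if expiry is not None:
            if now < expiry:
                return "drop"               # inside the quiet period: no re-authentication
            del self.silent[mac]            # quiet timer expired: authenticate again
        if self.authenticate(mac):
            self.online[mac] = now
            self.log.append(("online", mac, now))
            return "forward"
        if mac not in self.static_macs:     # static MACs are exempt from silencing
            self.silent[mac] = now + self.quiet
            self.log.append(("silent", mac, now))
        return "drop"

    def _expire_idle(self, now: int) -> None:
        """Log out users idle for two consecutive offline-detect intervals."""
        for mac, last in list(self.online.items()):
            if now - last >= 2 * self.offline_detect:
                del self.online[mac]
                self.log.append(("offline", mac, now))


def demo() -> Tuple[List[str], MacAuthPort]:
    """Run a constructed traffic sequence through a port with 180 s timers."""
    allowed = {"00e0-fc12-3456"}                        # constructed local account database
    port = MacAuthPort(authenticate=lambda mac: mac in allowed,
                       quiet=180, offline_detect=180,
                       static_macs={"000f-e200-0001"})  # constructed static MAC entry
    events = [
        (0, "00e0-fc12-3456"),     # known MAC passes and comes online
        (1, "00e0-fc00-0000"),     # unknown MAC fails and is silenced until t=181
        (5, "000f-e200-0001"),     # static MAC fails but is not silenced
        (100, "00e0-fc00-0000"),   # dropped inside the quiet period, no re-authentication
        (200, "00e0-fc00-0000"),   # quiet timer expired: authenticated again, fails again
        (400, "00e0-fc12-3456"),   # idle for two 180 s intervals: logged out, then re-authenticated
    ]
    results = [port.packet(mac, t) for t, mac in events]
    return results, port


if __name__ == "__main__":
    decisions, p = demo()
    print(decisions)
    for entry in p.log:
        print(entry)
```

The model is driven by packet arrivals only; on a real switch the offline detect check runs on its own timer, but the logout condition (idle for two consecutive intervals) is the same.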
ACL assignment

You can specify an ACL in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must configure the ACL on the access device for the ACL assignment function. You can change ACL rules while the user is online.

Guest VLAN

You can configure a guest VLAN to accommodate MAC authentication users that have failed MAC authentication on the port. Users in the MAC authentication guest VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. If no MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources.

If a user in the guest VLAN passes MAC authentication, it is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN.

A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

Critical VLAN

You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC authentication because no RADIUS authentication server is reachable. Users in a MAC authentication critical VLAN can access a limited set of network resources depending on your configuration.

The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about RADIUS configuration, see Configuring AAA.

Any of the following RADIUS authentication server changes in the ISP domain for MAC authentication users on a port can cause users to be removed from the critical VLAN:
• An authentication server is reconfigured, added, or removed.
• The status of any RADIUS authentication server automatically changes to active or is administratively set to active.
• The RADIUS server probing function detects that a RADIUS authentication server is reachable and sets its state to active.

Configuration task list

Task                                                  Remarks
Basic configuration for MAC authentication:
  Configuring MAC authentication globally             Required
  Configuring MAC authentication on a port            Required
Specifying a MAC authentication domain                Optional
Configuring a MAC authentication guest VLAN           Optional
Configuring a MAC authentication critical VLAN        Optional

Basic configuration for MAC authentication

• Create and configure an authentication domain, also called an ISP domain.
• For local authentication, create local user accounts, and specify the lan-access service for the accounts.
• For RADIUS authentication, check that the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure that the username and password for each account is the same as the MAC address of the MAC authentication users.

MAC authentication can take effect on a port only when it is enabled globally and on the port.
Configuring MAC authentication globally

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable MAC authentication globally.
  Command: mac-authentication
  Remarks: Disabled by default.
Step 3. Configure MAC authentication timers.
  Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
  Remarks: Optional. By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
Step 4. Configure the properties of MAC authentication user accounts.
  Command: mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
  Remarks: Optional. By default, the username and password for a MAC authentication user account must be a MAC address in lower case without hyphens.

NOTE:
When global MAC authentication is enabled, the EAD fast deployment function cannot take effect.

Configuring MAC authentication on a port

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable MAC authentication.
  Command (Approach 1, in system view): mac-authentication interface interface-list
  Command (Approach 2, in interface view):
    a. interface interface-type interface-number
    b. mac-authentication
  Remarks: Disabled by default. Enable MAC authentication for ports in bulk in system view or for an individual port in Ethernet interface view.
Step 3. Set the maximum number of concurrent MAC authentication users allowed on a port.
  Command: mac-authentication max-user user-number
  Remarks: Optional. By default, the maximum number of concurrent MAC authentication users is 256.

NOTE:
You cannot add a MAC authentication enabled port into a link aggregation group, or enable MAC authentication on a port already in a link aggregation group.
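The user-name-format command in step 4 decides exactly which string the switch presents as username and password for a MAC-based account, so the accounts on the RADIUS server or in the local database must be created in the same notation or every user fails authentication. The following Python helpers are an added example rather than HP code: they compute that string for each with-hyphen/without-hyphen and lowercase/uppercase combination, emit the matching local-user commands, and infer from an existing account name which keywords the switch must be set to. The accepted input notations and the function names are this example's assumptions.

```python
"""Username/password strings produced by 'mac-authentication user-name-format mac-address'.

Added example, not HP code. Input MACs may be given in Comware's xxxx-xxxx-xxxx
form, colon- or hyphen-separated, or as bare hex (an assumption of this example).
"""
import re
from typing import Dict, List, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the 12 lowercase hex digits of a MAC address, rejecting malformed input."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_username(mac: str, with_hyphen: bool = False, uppercase: bool = False) -> str:
    """Username (and password) the switch presents under the MAC-based account policy.

    Defaults match the page: lower case, no hyphens.
    """
    digits = normalize_mac(mac)
    name = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return name.upper() if uppercase else name


def all_formats(mac: str) -> Dict[str, str]:
    """Map each user-name-format keyword combination to the resulting username."""
    out = {}
    for hyphen_kw, hy in (("without-hyphen", False), ("with-hyphen", True)):
        for case_kw, up in (("lowercase", False), ("uppercase", True)):
            out[f"{hyphen_kw} {case_kw}"] = mac_username(mac, hy, up)
    return out


def local_user_commands(mac: str, with_hyphen: bool = False, uppercase: bool = False) -> List[str]:
    """Commands that create the matching local account, as in the page's local example."""
    name = mac_username(mac, with_hyphen, uppercase)
    return [f"local-user {name}",
            f" password simple {name}",
            " service-type lan-access",
            " quit"]


def required_format(account_name: str) -> Tuple[str, str]:
    """Infer the user-name-format keywords under which the switch presents this account name."""
    hyphen = "with-hyphen" if "-" in account_name else "without-hyphen"
    letters = [c for c in account_name if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        case = "uppercase"
    elif all(c.islower() for c in letters):
        case = "lowercase"              # an all-digit name also fits the lowercase setting
    else:
        raise ValueError(f"mixed-case account name: {account_name!r}")
    if mac_username(account_name, hyphen == "with-hyphen", case == "uppercase") != account_name:
        raise ValueError(f"not a MAC-based account name: {account_name!r}")
    return hyphen, case


if __name__ == "__main__":
    for setting, name in all_formats("00e0-fc12-3456").items():
        print(f"{setting:28} -> {name}")
    print("\n".join(local_user_commands("00e0-fc12-3456", with_hyphen=True)))
```

required_format deliberately rejects Comware's own display notation (00e0-fc12-3456): that form matches neither keyword combination, so an account created under it never authenticates a client.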
Specifying a MAC authentication domain

By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways:
• Specify a global authentication domain in system view. This domain setting applies to all ports.
• Specify an authentication domain for an individual port in Ethernet interface view.

MAC authentication chooses an authentication domain for users on a port in this order: the interface-specific domain, the global domain, and the default domain. For more information about authentication domains, see Configuring AAA.

To specify an authentication domain for MAC authentication users:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify an authentication domain for MAC authentication users.
  Command (Approach 1, in system view): mac-authentication domain domain-name
  Command (Approach 2, in interface view):
    a. interface interface-type interface-number
    b. mac-authentication domain domain-name
  Remarks: Use either approach. By default, the system default authentication domain is used for MAC authentication users.

Configuring a MAC authentication guest VLAN

Before you configure a MAC authentication guest VLAN on a port, complete the following tasks:
• Enable MAC authentication.
• Enable MAC-based VLAN on the port.
• Create the VLAN to be specified as the MAC authentication guest VLAN.

To configure a MAC authentication guest VLAN:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Ethernet port view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Specify a MAC authentication guest VLAN.
  Command: mac-authentication guest-vlan guest-vlan-id
  Remarks: By default, no MAC authentication guest VLAN is configured. You can configure only one MAC authentication guest VLAN on a port.

Follow the guidelines in Table 8 when configuring a MAC authentication guest VLAN on a port.
Table 8 Relationships of the MAC authentication guest VLAN with other security features

Feature: Quiet function of MAC authentication
  Relationship description: The MAC authentication guest VLAN function has higher priority. A user can access any resources in the guest VLAN.
  Reference: See MAC authentication timers
Feature: Super VLAN
  Relationship description: You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN.
  Reference: See Layer 2—LAN Switching Configuration Guide
Feature: Port intrusion protection
  Relationship description: The MAC authentication guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
  Reference: See Configuring port security
Feature: 802.1X guest VLAN on a port that performs MAC-based access control
  Relationship description: The MAC authentication guest VLAN has a lower priority.
  Reference: See Configuring 802.1X

Configuring a MAC authentication critical VLAN

Before you configure a MAC authentication critical VLAN on a port, complete the following tasks:
• Enable MAC authentication.
• Enable MAC-based VLAN on the port.
• Create the VLAN to be specified as the MAC authentication critical VLAN.

To configure a MAC authentication critical VLAN:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Layer 2 Ethernet port view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Specify a MAC authentication critical VLAN.
  Command: mac-authentication critical vlan critical-vlan-id
  Remarks: By default, no MAC authentication critical VLAN is configured. You can configure only one MAC authentication critical VLAN on a port.

Follow the guidelines in Table 9 when you configure a MAC authentication critical VLAN on a port.
Table 9 Relationships of the MAC authentication critical VLAN with other security features

Feature: Quiet function of MAC authentication
  Relationship description: The MAC authentication critical VLAN function has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user can access the resources in the critical VLAN, and the user's MAC address is not marked as a silent MAC address.
  Reference: See MAC authentication timers
Feature: Super VLAN
  Relationship description: You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN.
  Reference: See Layer 2—LAN Switching Configuration Guide
Feature: Port intrusion protection
  Relationship description: The MAC authentication critical VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
  Reference: See Configuring port security

Displaying and maintaining MAC authentication

Task: Display MAC authentication information.
  Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Clear MAC authentication statistics.
  Command: reset mac-authentication statistics [ interface interface-list ]
  Remarks: Available in user view

MAC authentication configuration examples

Local MAC authentication configuration example

Network requirements

In the network in Figure 48, perform local MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that:
• All users belong to domain aabbcc.net.
• Local users use their MAC address as the username and password for MAC authentication. The MAC addresses are hyphen separated and in lower case.
• The access device detects whether a user has gone offline every 180 seconds. When a user fails authentication, the device does not authenticate the user within 180 seconds.
Figure 48 Network diagram

Configuration procedure

# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account.
system-view
[Device] local-user 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-00-e0-fc-12-34-56] quit

# Configure ISP domain aabbcc.net to perform local authentication for LAN access users.
[Device] domain aabbcc.net
[Device-isp-aabbcc.net] authentication lan-access local
[Device-isp-aabbcc.net] quit

# Enable MAC authentication globally.
[Device] mac-authentication

# Enable MAC authentication on port GigabitEthernet 1/0/1.
[Device] mac-authentication interface gigabitethernet 1/0/1

# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain aabbcc.net

# Set the MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180

# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lowercase.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

Verifying the configuration

# Display MAC authentication settings and statistics.
display mac-authentication
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
Offline detect period is 180s
Quiet period is 180s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1
Current domain is aabbcc.net
Silent Mac User info:
MAC Addr             From Port                 Port Index
Gigabitethernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 0
Max number of on-line users is 256
Current online user number is 1
MAC Addr             Authenticate state        Auth Index
00e0-fc12-3456       MAC_AUTHENTICATOR_SUCCESS 29

# After the user passes authentication, use the display connection command to display the online user information.
display connection
Slot: 1
Index=29 ,00-e0-fc-12-34-56@aabbcc.net
IP=N/A
IPv6=N/A
MAC=00e0-fc12-3456
Total 1 connection(s) matched on slot 1.
Total 1 connection(s) matched.

RADIUS-based MAC authentication configuration example

Network requirements

As shown in Figure 49, a host connects to port GigabitEthernet 1/0/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that:
• The device detects whether a user has gone offline every 180 seconds. If a user fails authentication, the device does not authenticate the user within 180 seconds.
• All MAC authentication users belong to ISP domain 2000 and share the user account aaa with password 123456.

Figure 49 Network diagram (Host connected to GE1/0/1 on Device, which connects to the IP network; RADIUS servers: Auth 10.1.1.1, Acct 10.1.1.2)

Configuration procedure

1. Make sure the RADIUS server and the access device can reach each other.
2. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.
3. Configure the device:
# Configure a RADIUS scheme.
system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit

# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit

# Enable MAC authentication globally.
[Device] mac-authentication

# Enable MAC authentication on port GigabitEthernet 1/0/1.
[Device] mac-authentication interface gigabitethernet 1/0/1

# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain 2000

# Set the MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180

# Specify username aaa and plaintext password 123456 for the account shared by MAC authentication users.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456

Verifying the configuration

# Display MAC authentication settings and statistics.
display mac-authentication
MAC address authentication is enabled.
User name format is fixed account
Fixed username:aaa
Fixed password: ******
Offline detect period is 180s
Quiet period is 180s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1
Current domain is 2000
Silent Mac User info:
MAC ADDR             From Port                 Port Index
Gigabitethernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 0
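The display mac-authentication output shown in both verification sections is what an operator reads to confirm that the configuration took effect and to spot hosts that are failing. The following Python parser is an added example, not HP code: it turns that output into a structure (timers, domain, silent MACs, per-port counters and online users) and reports silent MACs, ports where failures outnumber successes, and users not in the success state. The sample text is constructed after the page's output; the second port, the silent entry and the exact column spacing are assumptions of this example.

```python
"""Parse 'display mac-authentication' output and report what an operator should look at.

Added example, not HP code. SAMPLE is constructed after the output shown on the
page; the second port, the silent entry and the column layout are assumptions.
"""
import re
from typing import Dict, List

SAMPLE = """\
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
Offline detect period is 180s
Quiet period is 180s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1
Current domain is aabbcc.net
Silent Mac User info:
MAC Addr             From Port                 Port Index
00e0-fc00-0000       Gigabitethernet1/0/2      2
Gigabitethernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 0
Max number of on-line users is 256
Current online user number is 1
MAC Addr             Authenticate state        Auth Index
00e0-fc12-3456       MAC_AUTHENTICATOR_SUCCESS 29
Gigabitethernet1/0/2 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 3
Max number of on-line users is 256
Current online user number is 0
MAC Addr             Authenticate state        Auth Index
"""

_PORT = re.compile(r"^(\S+) is (link-up|link-down)$")
_STATS = re.compile(r"^Authenticate success: (\d+), failed: (\d+)$")
_ONLINE = re.compile(r"^Current online user number is (\d+)$")
_ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)$")
_TIMER = re.compile(r"^(Offline detect period|Quiet period|Server response timeout value) is (\d+)s")
_TIMER_KEYS = {"Offline detect period": "offline_detect",
               "Quiet period": "quiet",
               "Server response timeout value": "server_timeout"}


def parse_mac_auth(text: str) -> Dict:
    """Return global settings, silent MACs and per-port statistics and users."""
    result: Dict = {"timers": {}, "silent": [], "ports": {}}
    section, port = "global", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PORT.match(line)
        if m:                                     # a per-port block starts here
            port = {"link": m.group(2), "success": 0, "failed": 0, "online": 0, "users": []}
            result["ports"][m.group(1)] = port
            section = "port"
            continue
        if section == "global":
            m = _TIMER.match(line)
            if m:
                result["timers"][_TIMER_KEYS[m.group(1)]] = int(m.group(2))
            elif line.startswith("Current domain is "):
                result["domain"] = line.split(" is ", 1)[1]
            elif line == "Silent Mac User info:":
                section = "silent"
        elif section == "silent":
            m = _ROW.match(line)                  # row: MAC, source port, port index
            if m:
                result["silent"].append({"mac": m.group(1), "port": m.group(2)})
        else:
            if (m := _STATS.match(line)):
                port["success"], port["failed"] = int(m.group(1)), int(m.group(2))
            elif (m := _ONLINE.match(line)):
                port["online"] = int(m.group(1))
            elif (m := _ROW.match(line)):         # row: MAC, authenticate state, auth index
                port["users"].append({"mac": m.group(1), "state": m.group(2)})
    return result


def findings(parsed: Dict) -> List[str]:
    """Operator-facing observations derived from the parsed output."""
    out = []
    for s in parsed["silent"]:
        out.append(f"{s['mac']} is silent on {s['port']}: failed authentication, quiet timer running")
    for name, p in parsed["ports"].items():
        if p["failed"] > p["success"]:
            out.append(f"{name}: {p['failed']} failures vs {p['success']} successes, check account format or the attached device")
        for u in p["users"]:
            if u["state"] != "MAC_AUTHENTICATOR_SUCCESS":
                out.append(f"{name}: {u['mac']} in state {u['state']}")
    return out


if __name__ == "__main__":
    for line in findings(parse_mac_auth(SAMPLE)):
        print(line)
```

A repeated failure count on one port with no successes is the typical symptom of a user-name-format mismatch between the switch and the account store; a silent entry tells you which MAC is currently being dropped and that it will be retried once the quiet timer expires.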