HP 5500 Ei 5500 Si Switch Series Configuration Guide
Redirecting authenticated users to a specified web page

To make the device automatically redirect authenticated users to a specified web page, do the following in logon.htm and logonSuccess.htm:

1. In logon.htm, set the target attribute of Form to blank. See the contents in gray.
2. Add the page-loading function pt_init() to logonSuccess.htm. See the contents in gray.

HP recommends using IE 6.0 or above on the authentication clients.

Make sure the browser of an authentication client permits pop-ups, or at least permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.

If a user refreshes the logon success or online page, or jumps to another website from either page, the device also logs off the user.

Only IE, Firefox, and Safari support logging off the user when the user closes the logon success or online page. Other browsers, such as Chrome and Opera, do not support this function.

Configuring the local portal server

To make the local portal server take effect, specify the protocol to be used for communication between the portal client and the local portal server.

Configuration prerequisites

To configure the local portal server to support HTTPS, complete these configurations first:
• Configure PKI policies, obtain the CA certificate, and apply for a local certificate. For more information, see Configuring PKI.
• Configure the SSL server policy, and specify the PKI domain configured in the previous step. For more information, see Configuring SSL.

When you specify the protocol for the local portal server to support, the local portal server loads the default authentication page file, which is expected to be saved in the root directory of the device. Therefore, to make sure that the local portal server uses the user-defined default authentication pages, you must edit and save them properly. Otherwise, the system default authentication pages are used.

Configuration procedure

To configure the local portal server:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the protocol type for the local portal server to support and load the default authentication page file.
   Command: portal local-server { http | https server-policy policy-name }
   Remarks: By default, the local portal server does not support any protocol.
3. Configure the welcome banner of the default authentication pages of the local portal server.
   Command: portal server banner banner-string
   Remarks: Optional. No welcome banner by default.

Enabling portal authentication

Only after you enable portal authentication on an access interface can the interface perform portal authentication for connected clients.

Enabling Layer 2 portal authentication

Before enabling Layer 2 portal authentication, make sure that:
• The listening IP address of the local portal server is specified.
• Layer 3 portal authentication is not enabled on any interface.

Follow these guidelines when you enable Layer 2 portal authentication:
• To ensure normal operation of portal authentication on a Layer 2 port, do not enable port security, the guest VLAN of 802.1X, or EAD fast deployment of 802.1X on the port.
• To support assignment of authorized VLANs, you must enable the MAC-based VLAN function on the port.

To enable Layer 2 portal authentication:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet port view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable Layer 2 portal authentication on the port.
   Command: portal local-server enable
   Remarks: Not enabled by default.

Enabling Layer 3 portal authentication (available only on the HP 5500 EI series)

Before enabling Layer 3 portal authentication on an interface, make sure that:
• An IP address is configured for the interface.
• The interface is not added to any port aggregation group.
• Layer 2 portal authentication is not enabled on any ports.

Follow these guidelines when you enable Layer 3 portal authentication:
• The destination port number that the device uses for sending unsolicited packets to the portal server must be the same as the port number that the remote portal server actually uses.
• Cross-subnet authentication mode (portal server server-name method layer3) does not require Layer 3 forwarding devices between the access device and the authentication clients. However, if Layer 3 forwarding devices exist between the authentication client and the access device, you must select the cross-subnet portal authentication mode.
• In re-DHCP authentication mode, a client can use a public IP address to send packets before passing portal authentication. However, responses to the packets are restricted.
• An IPv6 portal server does not support the re-DHCP portal authentication mode.
• You can enable both an IPv4 portal server and an IPv6 portal server for Layer 3 portal authentication on an interface, but you cannot enable two IPv4 or two IPv6 portal servers on the interface.

To enable Layer 3 portal authentication:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable Layer 3 portal authentication on the interface.
   Command: portal server server-name method { direct | layer3 | redhcp }
   Remarks: Not enabled by default.

NOTE: The portal server and its parameters can be deleted or modified only when the portal server is not referenced by any interface.
Controlling access of portal users

Configuring a portal-free rule

A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the source and destination IP address, source MAC address, inbound interface, and VLAN. Packets matching a portal-free rule do not trigger portal authentication, so users sending the packets can directly access the specified external websites.

For Layer 2 portal authentication, you can configure only a portal-free rule that is from any source address to any or a specified destination address. If you configure a portal-free rule from any source address to a specified destination address, users can access the specified address directly, without being redirected to the portal authentication page. Usually, you configure the IP address of a server that provides certain services (such as a software upgrade service) as the destination IP address of a portal-free rule, so that Layer 2 portal authentication users can access the services without portal authentication.

Follow these guidelines when you configure a portal-free rule:
• If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.
• You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the system prompts that the rule already exists.
• A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group.

To configure a portal-free rule:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a portal-free rule.
   Commands:
   • To configure an IPv4 portal-free rule: portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | netmask } | any } } | source { any | [ interface interface-type interface-number | ip { ip-address mask { mask-length | mask } | any } | mac mac-address | vlan vlan-id ] * } } *
   • To configure an IPv6 portal-free rule: portal free-rule rule-number { destination { any | ipv6 { ipv6-address prefix-length | any } } | source { any | [ interface interface-type interface-number | ipv6 { ipv6-address prefix-length | any } | mac mac-address | vlan vlan-id ] * } } *
   Remarks: Configure at least one command.
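The following is an added example, not part of the original guide, that ties the local portal server, Layer 2 enabling, and portal-free rule procedures above together: it brings up Layer 2 portal authentication over HTTPS on one access port and lets unauthenticated clients reach a software update server. It assumes an SSL server policy named portal-ssl already exists (bound to a PKI domain as described under Configuration prerequisites) and that the local portal server's listening IP address has already been specified; the interface, server addresses and banner are placeholders.

```text
# Added example (not from the original guide). Assumes the SSL server policy
# "portal-ssl" exists and the local portal server's listening IP address is
# already specified (both are configured outside this chapter). The interface
# and the addresses below are placeholders.
<Switch> system-view

# Local portal server over HTTPS, so logon credentials are not sent in clear
# text between the client browser and the switch.
[Switch] portal local-server https server-policy portal-ssl
[Switch] portal server banner Welcome-Guest-Network

# Portal-free rule 1: any source may reach the update server 10.0.1.20/32
# without authentication (Layer 2 portal only supports "any source" rules
# to any or a specified destination).
[Switch] portal free-rule 1 destination ip 10.0.1.20 mask 32 source any
# Portal-free rule 2: IPv6 counterpart for a dual-stack update server.
[Switch] portal free-rule 2 destination ipv6 2001:db8:1::20 128 source any

# Enable Layer 2 portal authentication on the access port. Port security,
# the 802.1X guest VLAN and 802.1X EAD fast deployment must stay disabled
# on this port, as noted in the guidelines above.
[Switch] interface GigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] portal local-server enable
[Switch-GigabitEthernet1/0/1] quit
```

Because portal-free rules cannot be modified once added, a wrong rule is corrected by removing it and re-adding it with the intended criteria.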
NOTE: Regardless of whether portal authentication is enabled, you can only add or remove a portal-free rule. You cannot modify it.

Configuring an authentication source subnet (available only on the HP 5500 EI series)

Only Layer 3 portal authentication supports this feature.

By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication. If an unauthenticated user is not on any authentication source subnet, the access device discards all of the user's HTTP packets that do not match any portal-free rule.

To configure an authentication source subnet:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure an authentication source subnet.
   Command: portal auth-network network-address { mask-length | mask }
   Remarks: Optional. By default, the source IPv4 subnet is 0.0.0.0/0 and the source IPv6 subnet is ::/0, meaning that users from any IPv4 or IPv6 subnet must pass portal authentication to access network resources. You can configure multiple authentication source subnets by executing the portal auth-network command repeatedly.

NOTE: Configuration of authentication source subnets applies only to cross-subnet authentication. In direct authentication mode, the authentication source subnet is 0.0.0.0/0. In re-DHCP authentication mode, the authentication source subnet of an interface is the subnet to which the private IP address of the interface belongs.

Setting the maximum number of online portal users

You can use this feature to control the total number of online portal users in the system. If the maximum number of online portal users to be set is less than the number of current online portal users, the limit can still be set successfully and does not affect the online portal users, but the system does not allow new portal users to log on until the number drops below the limit.
To set the maximum number of online portal users allowed in the system:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the maximum number of online portal users.
   Command: portal max-user max-number
   Remarks: By default, the maximum number is 3000 on the HP 5500 EI series and 1000 on the HP 5500 SI series.

NOTE: The maximum number of online portal users the switch actually assigns depends on the ACL resources on the switch.

Specifying an authentication domain for portal users

After you specify an authentication domain for portal users on an interface, the device uses that authentication domain for authentication, authorization, and accounting (AAA) of all portal users on the interface, ignoring the domain names carried in the usernames. This allows you to specify different authentication domains for different interfaces as needed.

To specify an authentication domain for portal users on an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify an authentication domain for portal users on the interface.
   Command: portal domain [ ipv6 ] domain-name
   Remarks: By default, no authentication domain is specified for portal users.

The switch selects the authentication domain for a portal user on an interface in this order: the authentication domain specified for the interface, the authentication domain carried in the username, and the system default authentication domain. For information about the default authentication domain, see Configuring AAA.

Configuring Layer 2 portal authentication to support web proxy

By default, proxied HTTP requests cannot trigger Layer 2 portal authentication but are silently dropped. To allow such HTTP requests to trigger portal authentication, configure the port numbers of the web proxy servers on the switch.
If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, add the port numbers of the web proxy servers on the switch, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.

You must add the port numbers of the web proxy servers on the switch, and users must make sure that browsers using a web proxy server do not use the proxy for the listening IP address of the local portal server. Thus, HTTP packets that the portal user sends to the local portal server are not sent to the web proxy server.

To configure Layer 2 portal authentication to support a web proxy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Add a web proxy server port number.
   Command: portal web-proxy port port-number
   Remarks: By default, no web proxy server port number is configured, and proxied HTTP requests cannot trigger portal authentication.

Enabling support for portal user moving

Only Layer 2 portal authentication supports this feature.

In scenarios where there are hubs, Layer 2 switches, or APs between users and the access devices, if an authenticated user moves from the current access port to another Layer 2-portal-authentication-enabled port of the device without logging off, the user cannot get online while the original port is still up. The reason is that the original port still maintains the authentication information of the user, and by default the device does not permit such a user to get online from another port.

To solve this problem, enable support for portal user moving on the device. Then, when a user moves from one port of the device to another, the device provides service in either of the following ways:
• If the original port is still up and the two ports belong to the same VLAN, the device allows the user to continue to access the network without re-authentication, and uses the new port information for user accounting.
• If the original port is down or the two ports belong to different VLANs, the device removes the authentication information of the user from the original port and authenticates the user on the new port.

To enable support for portal user moving:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable support for portal user moving.
   Command: portal move-mode auto
   Remarks: Disabled by default.

For a user with authorization information (such as an authorized VLAN) configured, after the user moves from one port to another, the switch tries to assign the authorization information to the new port.
If the operation fails, the switch deletes the user's information from the original port and re-authenticates the user on the new port.

Specifying an Auth-Fail VLAN for portal authentication

Only Layer 2 portal authentication supports this feature.
This task sets the Auth-Fail VLAN to be assigned to users who fail portal authentication. You can specify different Auth-Fail VLANs for portal authentication on different ports. A port can be specified with only one Auth-Fail VLAN for portal authentication.

Before specifying an Auth-Fail VLAN, be sure to create the VLAN.

To specify an Auth-Fail VLAN for portal authentication:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify an Auth-Fail VLAN for portal authentication on the port.
   Command: portal auth-fail vlan authfail-vlan-id
   Remarks: Not specified by default.

After you specify an Auth-Fail VLAN for portal authentication on a port, you must also enable the MAC-based VLAN function on the port to make the specified Auth-Fail VLAN take effect. For information about MAC VLAN, see Layer 2—LAN Switching Configuration Guide.

The MAC-VLAN entries generated in response to portal authentication failures do not overwrite the MAC-VLAN entries already generated in other authentication modes.

Configuring RADIUS related attributes

Only Layer 3 portal authentication supports this feature.

Specifying NAS-Port-Type for an interface

NAS-Port-Type is a standard RADIUS attribute for indicating a user access port type. With this attribute specified on an interface, when a portal user logs on from the interface, the device uses the specified NAS-Port-Type value as the one in the RADIUS request sent to the RADIUS server. If NAS-Port-Type is not specified, the device uses the access port type it obtained.

If there are multiple network devices between the Broadband Access Server (BAS, the portal authentication access device) and a portal client, the BAS may not be able to obtain a user's correct access port information.
For example, for a wireless client using portal authentication, the access port type obtained by the BAS may be the type of the wired port that authenticates the user. To make sure that the BAS delivers the right access port information to the RADIUS server, specify the NAS-Port-Type according to the actual access environment.

To specify the NAS-Port-Type value for an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify the NAS-Port-Type value for the interface.
   Command: portal nas-port-type { ethernet | wireless }
   Remarks: Not configured by default.
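An added example, not from the original guide, for the Layer 3 procedures on the HP 5500 EI described above (enabling Layer 3 portal authentication, the authentication source subnet, the maximum user count, the authentication domain, and NAS-Port-Type): cross-subnet portal authentication on one VLAN interface whose clients arrive through wireless APs behind a router. It assumes a remote portal server named rad-portal and an ISP domain named guest are already defined (both outside this chapter); the interface and subnet are placeholders.

```text
# Added example (not from the original guide). Assumes the remote portal server
# "rad-portal" and the ISP domain "guest" are already defined, and that the
# interface already has an IP address and is not in an aggregation group.
<Switch> system-view

# Cap concurrent portal users below the 5500 EI default of 3000; what the switch
# can actually assign is further bounded by its ACL resources.
[Switch] portal max-user 500

[Switch] interface Vlan-interface 100
# Cross-subnet mode (method layer3) is mandatory here because a router sits
# between the clients and this switch. The destination port the switch uses
# for unsolicited packets must match the port rad-portal actually listens on.
[Switch-Vlan-interface100] portal server rad-portal method layer3

# Only HTTP from 192.168.10.0/24 may trigger authentication. HTTP from an
# unauthenticated host outside this subnet that matches no portal-free rule
# is discarded rather than redirected.
[Switch-Vlan-interface100] portal auth-network 192.168.10.0 24

# All portal users on this interface are authenticated, authorized and
# accounted in domain "guest", whatever domain the username carries.
[Switch-Vlan-interface100] portal domain guest

# Clients reach this interface via wireless APs, so report the real access type
# in the RADIUS request instead of the wired port type the BAS would infer.
[Switch-Vlan-interface100] portal nas-port-type wireless
[Switch-Vlan-interface100] quit
```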
Specifying a NAS ID profile for an interface

In some networks, users' access points are identified by their access VLANs. Network carriers need to use NAS-identifiers to identify user access points. With a NAS ID profile specified on an interface, when a user logs in from the interface, the access device checks the specified profile to obtain the NAS ID that is bound with the access VLAN. The value of this NAS ID is used as the value of the NAS-identifier attribute in the RADIUS packets sent to the RADIUS server.

A NAS ID profile defines the binding relationship between VLANs and NAS IDs. A NAS ID-VLAN binding is defined by the nas-id id-value bind vlan vlan-id command, which is described in detail in AAA configuration commands in the Security Command Reference. If no NAS ID profile is specified for an interface, or no matching binding is found in the specified profile, the switch uses the device name as the interface NAS ID.

To configure a NAS ID profile for an interface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a NAS ID profile and enter NAS ID profile view.
   Command: aaa nas-id profile profile-name
   Remarks: For more information about the command, see Security Command Reference.
3. Bind a NAS ID with a VLAN.
   Command: nas-id nas-identifier bind vlan vlan-id
   Remarks: For more information about the command, see Security Command Reference.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
6. Specify a NAS ID profile for the interface.
   Command: portal nas-id-profile profile-name
   Remarks: By default, no NAS ID profile is specified for an interface.

Specifying a source IP address for outgoing portal packets

After you specify a source IP address for outgoing portal packets on an interface, that IP address is used as the source IP address of packets that the access device sends to the portal server, and as the destination IP address of packets that the portal server sends to the access device.
To specify a source IP address for outgoing portal packets:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify a source IP address for outgoing portal packets.
   Command: portal nas-ip { ipv4-address | ipv6 ipv6-address }
   Remarks: Optional. By default, no source IP address is specified for outgoing portal packets, and the IP address of the user logon interface is used as the source IP address of the outgoing portal packets.

In NAT environments, HP recommends specifying the interface's public IP address as the source IP address of outgoing portal packets.

Configuring portal stateful failover (available only on the HP 5500 EI series)

Only Layer 3 portal authentication supports this feature.

To implement stateful failover for portal, configure VRRP for traffic switchover, and perform the following configurations for service backup on each of the two devices that back up each other:
• Specify an interface for backing up portal services, called the portal service backup interface in this document, and enable portal on the portal service backup interface. The portal service backup interface is different from the stateful failover interface. Stateful failover interfaces only forward state negotiation messages and backup data.
• Specify the portal group to which the portal service backup interface belongs. Be sure to specify the same portal group for the portal service backup interfaces that back up each other on the two devices.
• Specify the device ID. Make sure that the device ID of the local device is different from that of the peer device.
• Specify the backup source IP address for RADIUS packets to be sent as the source IP address for RADIUS packets configured on the peer device, so that the peer device can receive packets from the server. (This configuration is optional.)
• Specify the backup VLAN, and enable stateful failover. For related configuration, see High Availability Configuration Guide.
After the working state of the two devices changes from independence to synchronization and the portal group takes effect, the two devices start to back up the data of online portal users for each other.

The AAA and portal configuration must be consistent on the two devices that back up each other. For example, you must configure the same portal server on the two devices.

To configure stateful failover:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A