HP 5500 Ei 5500 Si Switch Series Configuration Guide
# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable dm1

3. Configure portal authentication:

# Configure a portal server on the switch, making sure that the IP address, port number and URL match those of the actual portal server.
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting the host.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal server newpt method direct
[Switch-Vlan-interface100] quit

Configuring re-DHCP portal authentication

Network requirements

As shown in Figure 66:
• The host is directly connected to the switch and the switch is configured for re-DHCP authentication. The host is assigned an IP address through the DHCP server. Before passing portal authentication, the host uses an assigned private IP address. After passing portal authentication, the host can get a public IP address and access Internet resources.
• A RADIUS server serves as the authentication/accounting server.

Figure 66 Network diagram

Configuration procedure

When you configure re-DHCP portal authentication, follow these guidelines:
• Configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown.)
• The switch must be configured as a DHCP relay agent, and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address). For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide.
• Make sure the IP address of the portal device added on the portal server is the public IP address of the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP address group associated with the portal device is the private network segment where the users reside (10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public network segment 20.20.20.0/24.
• Configure IP addresses for the switch and servers as shown in Figure 66 and make sure that the host, switch, and servers can reach each other.
• Configure the RADIUS server properly to provide authentication and accounting functions for users.

Perform the following configuration to configure re-DHCP authentication on the switch:

1. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.113
[Switch-radius-rs1] primary accounting 192.168.0.113
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable dm1

3. Configure portal authentication:

# Configure the portal server as follows:
  ◦ Name: newpt
  ◦ IP address: 192.168.0.111
  ◦ Key: portal
  ◦ Port number: 50100
  ◦ URL: http://192.168.0.111:8080/portal
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
# Configure the switch as a DHCP relay agent, and enable the IP address check function.
[Switch] dhcp enable
[Switch] dhcp relay server-group 0 ip 192.168.0.112
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0
[Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
[Switch-Vlan-interface100] dhcp select relay
[Switch-Vlan-interface100] dhcp relay server-select 0
[Switch-Vlan-interface100] dhcp relay address-check enable
# Enable re-DHCP portal authentication on the interface connecting the host.
[Switch-Vlan-interface100] portal server newpt method redhcp
[Switch-Vlan-interface100] quit

Configuring cross-subnet portal authentication

Network requirements

As shown in Figure 67:
• Switch A is configured for cross-subnet portal authentication. Before passing portal authentication, the host can access only the portal server. After passing portal authentication, the host can access Internet resources.
• The host accesses Switch A through Switch B.
• A RADIUS server serves as the authentication/accounting server.

Figure 67 Network diagram

Configuration procedure

When configuring cross-subnet portal authentication, follow these guidelines:
• Configure IP addresses for the host, switches, and servers as shown in Figure 67 and make sure they can reach each other.
• Configure the RADIUS server properly to provide authentication and accounting functions for users.
• Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).

Perform the following configuration to configure cross-subnet portal authentication on Switch A:

1. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.
system-view
[SwitchA] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set it to extended.
[SwitchA-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.112
[SwitchA-radius-rs1] primary accounting 192.168.0.112
[SwitchA-radius-rs1] key authentication radius
[SwitchA-radius-rs1] key accounting radius
# Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
[SwitchA-radius-rs1] user-name-format without-domain
[SwitchA-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.
[SwitchA] domain dm1
# Configure AAA methods for the ISP domain.
[SwitchA-isp-dm1] authentication portal radius-scheme rs1
[SwitchA-isp-dm1] authorization portal radius-scheme rs1
[SwitchA-isp-dm1] accounting portal radius-scheme rs1
[SwitchA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[SwitchA] domain default enable dm1

3. Configure portal authentication:

# Configure the portal server as follows:
  ◦ Name: newpt
  ◦ IP address: 192.168.0.111
  ◦ Key: portal
  ◦ Port number: 50100
  ◦ URL: http://192.168.0.111:8080/portal
[SwitchA] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting Switch B.
[SwitchA] interface vlan-interface 4
[SwitchA-Vlan-interface4] portal server newpt method layer3
[SwitchA-Vlan-interface4] quit
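The RADIUS scheme, ISP domain and portal server steps above are repeated with the same structure in every procedure of this chapter, which makes them a natural target for an automated consistency check before the configuration is deployed. The following Python script is an added example written for this page, not HP code or a Comware tool. It parses the bracketed CLI transcript format the guide uses, groups the commands by view, and checks the requirements the guide itself states: a primary server and a shared key for both authentication and accounting, AAA methods that reference a defined RADIUS scheme, a default ISP domain, a defined portal server on the portal-enabled interface, and the DHCP relay, secondary address and address-check prerequisites of the re-DHCP method from the previous section. The sample transcript is constructed from the guide's values with one line deliberately left out; the keys "radius" and "portal" are the guide's placeholder values and are reported so that they get replaced. The view names, finding strings and function names are this example's own.

```python
"""Audit a Comware portal-authentication CLI transcript (added example, not HP's code).

Checks the requirements the guide states: RADIUS scheme servers and shared keys for
both authentication and accounting, ISP-domain methods that name a defined scheme, a
default domain, a defined portal server on each portal-enabled interface, and the DHCP
relay / secondary-address / address-check prerequisites of "method redhcp".
"""
import re
from typing import Dict, List

EXAMPLE_KEYS = {"radius", "portal"}   # placeholder secrets used in the guide's examples
PROMPT = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s*(?P<cmd>.*)$")

# Constructed transcript: the guide's re-DHCP procedure with "dhcp relay address-check
# enable" deliberately left out so that check produces a finding.
SAMPLE = """
[Switch] radius scheme rs1
[Switch-radius-rs1] server-type extended
[Switch-radius-rs1] primary authentication 192.168.0.113
[Switch-radius-rs1] primary accounting 192.168.0.113
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius
[Switch-radius-rs1] quit
[Switch] domain dm1
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
[Switch] domain default enable dm1
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
[Switch] dhcp enable
[Switch] dhcp relay server-group 0 ip 192.168.0.112
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0
[Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
[Switch-Vlan-interface100] dhcp select relay
[Switch-Vlan-interface100] portal server newpt method redhcp
[Switch-Vlan-interface100] quit
"""


def parse(transcript: str) -> Dict[str, List[str]]:
    """Group commands by view: '[Switch]' -> 'system', '[Switch-isp-dm1]' -> 'isp-dm1'."""
    views: Dict[str, List[str]] = {}
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip().replace("\u2013", "-"))  # PDF text often has en dashes
        if m and m.group("cmd").strip():
            prompt = m.group("prompt")
            view = prompt.split("-", 1)[1] if "-" in prompt else "system"
            views.setdefault(view, []).append(" ".join(m.group("cmd").split()))
    return views


def audit(transcript: str) -> List[str]:
    """Return human-readable findings; an empty list means the transcript is consistent."""
    views = parse(transcript)
    system = views.get("system", [])
    findings: List[str] = []

    # 1. RADIUS scheme: both server roles configured, both shared keys set and not placeholders.
    schemes = {v.split("-", 1)[1] for v in views if v.startswith("radius-")}
    for name in sorted(schemes):
        cmds = views[f"radius-{name}"]
        for kind in ("authentication", "accounting"):
            if not any(c.startswith(f"primary {kind} ") for c in cmds):
                findings.append(f"radius scheme {name}: no primary {kind} server")
            keys = [c.split()[2] for c in cmds if c.startswith(f"key {kind} ")]
            if not keys:
                findings.append(f"radius scheme {name}: no {kind} shared key")
            elif keys[-1] in EXAMPLE_KEYS:
                findings.append(f"radius scheme {name}: {kind} key is a documentation example value")

    # 2. ISP domain: every portal AAA method must point at a scheme that exists.
    for view, cmds in views.items():
        for c in cmds if view.startswith("isp-") else []:
            m = re.match(r"(authentication|authorization|accounting) portal radius-scheme (\S+)$", c)
            if m and m.group(2) not in schemes:
                findings.append(f"domain {view[4:]}: {m.group(1)} references undefined scheme {m.group(2)}")
    if not any(c.startswith("domain default enable ") for c in system):
        findings.append("system: no default ISP domain configured")

    # 3. Portal server definitions and the interfaces that use them.
    portal_servers = set()
    for c in system:
        m = re.match(r"portal server (\S+) ip \S+ key (\S+)", c)
        if m:
            portal_servers.add(m.group(1))
            if m.group(2) in EXAMPLE_KEYS:
                findings.append(f"portal server {m.group(1)}: key is a documentation example value")
    for view, cmds in views.items():
        for c in cmds if view.startswith("Vlan-interface") else []:
            m = re.match(r"portal server (\S+) method (\S+)$", c)
            if not m:
                continue
            if m.group(1) not in portal_servers:
                findings.append(f"{view}: portal server {m.group(1)} is not defined")
            if m.group(2) == "redhcp":   # prerequisites from the guide's re-DHCP guidelines
                if not any(c2.startswith("ip address ") and c2.endswith(" sub") for c2 in cmds):
                    findings.append(f"{view}: redhcp requires a secondary (sub) private address")
                for needed in ("dhcp select relay", "dhcp relay address-check enable"):
                    if needed not in cmds:
                        findings.append(f"{view}: redhcp requires '{needed}'")
    return findings
```

Run `audit(SAMPLE)` and the script reports the two placeholder RADIUS keys, the placeholder portal key, and the missing `dhcp relay address-check enable`; once those are corrected, the same transcript yields no findings. Because commands are grouped by the view shown in the prompt rather than by position, a transcript pasted from several sessions is checked the same way.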
On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown.)

Configuring direct portal authentication with extended functions

Network requirements

As shown in Figure 68:
• The host is directly connected to the switch and the switch is configured for direct extended portal authentication. The host is assigned a public network IP address either manually or through DHCP. If the host fails the security check after passing identity authentication, the host can access only subnet 192.168.0.0/24. After passing the security check, the host can access Internet resources.
• A RADIUS server serves as the authentication/accounting server.

Figure 68 Network diagram

Configuration procedure

Configure IP addresses for the host, switch, and servers as shown in Figure 68 and make sure they can reach each other.
Configure the RADIUS server properly to provide authentication and accounting functions for users.
Configure the switch:

1. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key accounting radius
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[Switch-radius-rs1] security-policy-server 192.168.0.113
[Switch-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable dm1

3. Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources:

[Switch] acl number 3000
[Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-adv-3000] rule deny ip
[Switch-acl-adv-3000] quit
[Switch] acl number 3001
[Switch-acl-adv-3001] rule permit ip
[Switch-acl-adv-3001] quit
On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.

4. Configure portal authentication:

# Configure the portal server as follows:
  ◦ Name: newpt
  ◦ IP address: 192.168.0.111
  ◦ Key: portal
  ◦ Port number: 50100
  ◦ URL: http://192.168.0.111:8080/portal
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
# Configure a portal-free rule on the interface connecting the portal server.
[Switch] portal free-rule 1 source interface ethernet 1/0/1 destination any
[Switch] quit
# Enable portal authentication on the interface connecting the host.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal server newpt method direct
[Switch-Vlan-interface100] quit
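The isolation ACL (3000) and security ACL (3001) in step 3 decide what a host can reach between passing identity authentication and passing the security check, and the same two ACLs are configured again in the re-DHCP and cross-subnet procedures with extended functions that follow. The Python model below is an added example for this page, not HP code or Comware behaviour documentation: it parses the two rule forms the guide uses, evaluates a destination against an ACL with wildcard-mask semantics (1 bits are "don't care", the first matching rule in configuration order wins), confirms that the isolation ACL ends in the explicit catch-all deny the guide gives it, and flags a wildcard typed as a subnet mask, a slip that silently inverts which destinations match. The destination addresses come from the guide's figures; the function names and the `looks_like_subnet_mask` heuristic are this example's own.

```python
"""Isolation vs. security ACL behaviour for the portal security check (added example).

Models the two advanced ACLs the guide configures for extended portal authentication:
ACL 3000 (isolation ACL) lets a host that passed identity authentication but failed the
security check reach only 192.168.0.0/24; ACL 3001 (security ACL) lets a host that passed
the check reach everything. Rules are evaluated first-hit in configuration order, and a
wildcard mask marks "don't care" bits with 1s (0.0.0.255 covers a /24).
"""
from ipaddress import IPv4Address
from typing import Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str                      # "permit" or "deny"
    dst: Optional[str] = None        # destination network; None matches any destination
    wildcard: str = "0.0.0.0"        # wildcard mask: 1 bits are ignored when matching


def parse_rule(line: str) -> Rule:
    """Parse the two rule shapes used in the guide:
    'rule permit ip destination 192.168.0.0 0.0.0.255' and 'rule deny ip'."""
    p = line.split()
    if len(p) >= 3 and p[0] == "rule" and p[1] in ("permit", "deny") and p[2] == "ip":
        if len(p) == 3:
            return Rule(p[1])
        if len(p) == 6 and p[3] == "destination":
            return Rule(p[1], p[4], p[5])
    raise ValueError(f"unsupported rule: {line!r}")


def matches(rule: Rule, dst_ip: str) -> bool:
    """A destination matches when it differs from the rule's network only in wildcard bits."""
    if rule.dst is None:
        return True
    ip, net, wc = (int(IPv4Address(x)) for x in (dst_ip, rule.dst, rule.wildcard))
    return (ip ^ net) & ~wc == 0


def decide(acl: List[Rule], dst_ip: str) -> str:
    """First matching rule wins; 'no-match' means the ACL says nothing about this packet."""
    for rule in acl:
        if matches(rule, dst_ip):
            return rule.action
    return "no-match"


def fails_closed(acl: List[Rule]) -> bool:
    """True when the ACL ends in a catch-all deny, as the guide's ACL 3000 does."""
    return bool(acl) and acl[-1] == Rule("deny")


def looks_like_subnet_mask(wildcard: str) -> bool:
    """Heuristic: a wildcard with ones in the high bits and zeros in the low bits
    (255.255.255.0 instead of 0.0.0.255) was almost certainly meant as a subnet mask."""
    wc = int(IPv4Address(wildcard))
    return wc != 0 and wc >> 31 == 1 and wc & 1 == 0


# The guide's ACLs exactly as entered in the [Switch-acl-adv-3000] / [Switch-acl-adv-3001] views.
ISOLATION_ACL = [parse_rule(l) for l in (
    "rule permit ip destination 192.168.0.0 0.0.0.255",
    "rule deny ip",
)]
SECURITY_ACL = [parse_rule("rule permit ip")]

# Constructed destinations: portal and security policy servers on 192.168.0.0/24 versus the
# switch's public interface and an Internet host.
DESTINATIONS = ["192.168.0.111", "192.168.0.113", "20.20.20.1", "8.8.8.8"]


def reachability(acl: List[Rule], dsts: List[str]) -> Dict[str, str]:
    """Decision per destination for a host whose authorization ACL is `acl`."""
    return {d: decide(acl, d) for d in dsts}


if __name__ == "__main__":
    print("isolation ACL 3000:", reachability(ISOLATION_ACL, DESTINATIONS))
    print("security  ACL 3001:", reachability(SECURITY_ACL, DESTINATIONS))
    # The classic slip: a subnet mask in the wildcard field compares the last octet only,
    # so 8.8.8.0 is permitted while 192.168.0.5 is denied.
    bad = [parse_rule("rule permit ip destination 192.168.0.0 255.255.255.0"), Rule("deny")]
    print("inverted mask:", reachability(bad, ["8.8.8.0", "192.168.0.5"]),
          "flagged:", looks_like_subnet_mask("255.255.255.0"))
```

With the guide's ACLs, a host in the isolated state reaches the portal and security policy servers on 192.168.0.0/24 and nothing else, while the security ACL permits every destination; the `no-match` result shows why the explicit `rule deny ip` at the end of ACL 3000 matters when reasoning about what the isolation ACL guarantees.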
Configuring re-DHCP portal authentication with extended functions

Network requirements

As shown in Figure 69:
• The host is directly connected to the switch and the switch is configured for re-DHCP authentication. The host is assigned an IP address through the DHCP server. Before passing portal authentication, the host uses an assigned private IP address. After passing portal authentication, the host can get a public IP address.
• If the host fails the security check after passing identity authentication, the host can access only subnet 192.168.0.0/24. After passing the security check, the host can access Internet resources.
• A RADIUS server serves as the authentication/accounting server.

Figure 69 Network diagram (host automatically obtains an IP address; Switch Vlan-int100 20.20.20.1/24 and 10.0.0.1/24 sub, Vlan-int2 192.168.0.100/24; portal server 192.168.0.111/24; RADIUS server 192.168.0.113/24; DHCP server 192.168.0.112/24; security policy server 192.168.0.114/24)

Configuration procedure

When you configure re-DHCP portal authentication, follow these guidelines:
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown.)
• For re-DHCP portal authentication, the switch must be configured as a DHCP relay agent, and the portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address). For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide.
• Make sure the IP address of the portal device added on the portal server is the public IP address of the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP address group associated with the portal device is the private network segment where the users reside (10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public network segment 20.20.20.0/24.
• Configure IP addresses for the switch and servers as shown in Figure 69 and make sure that the host, switch, and servers can reach each other.
• Configure the RADIUS server properly to provide authentication and accounting functions for users.
Perform the following configuration to configure re-DHCP portal authentication with extended functions on the switch:

1. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.
system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.113
[Switch-radius-rs1] primary accounting 192.168.0.113
[Switch-radius-rs1] key accounting radius
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[Switch-radius-rs1] security-policy-server 192.168.0.114
[Switch-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[Switch] domain default enable dm1

3. Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources:

[Switch] acl number 3000
[Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-adv-3000] rule deny ip
[Switch-acl-adv-3000] quit
[Switch] acl number 3001
[Switch-acl-adv-3001] rule permit ip
[Switch-acl-adv-3001] quit
On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.

4. Configure portal authentication:

# Configure the portal server as follows:
  ◦ Name: newpt
  ◦ IP address: 192.168.0.111
  ◦ Key: portal
  ◦ Port number: 50100
  ◦ URL: http://192.168.0.111:8080/portal
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
# Configure the switch as a DHCP relay agent, and enable the IP address check function.
[Switch] dhcp enable
[Switch] dhcp relay server-group 0 ip 192.168.0.112
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0
[Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub
[Switch-Vlan-interface100] dhcp select relay
[Switch-Vlan-interface100] dhcp relay server-select 0
[Switch-Vlan-interface100] dhcp relay address-check enable
# Enable re-DHCP portal authentication on the interface connecting the host.
[Switch-Vlan-interface100] portal server newpt method redhcp
[Switch-Vlan-interface100] quit

Configuring cross-subnet portal authentication with extended functions

Network requirements

As shown in Figure 70:
• Switch A is configured for cross-subnet extended portal authentication. If the host fails the security check after passing identity authentication, the host can access only subnet 192.168.0.0/24. After passing the security check, the host can access Internet resources.
• The host accesses Switch A through Switch B.
• A RADIUS server serves as the authentication/accounting server.

Figure 70 Network diagram
Configuration procedure

Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
Configure IP addresses for the host, switches, and servers as shown in Figure 70 and make sure that they can reach each other.
Configure the RADIUS server properly to provide authentication and accounting functions for users.
Configure Switch A:

1. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.
system-view
[SwitchA] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
[SwitchA-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.112
[SwitchA-radius-rs1] primary accounting 192.168.0.112
[SwitchA-radius-rs1] key accounting radius
[SwitchA-radius-rs1] key authentication radius
[SwitchA-radius-rs1] user-name-format without-domain
# Configure the IP address of the security policy server.
[SwitchA-radius-rs1] security-policy-server 192.168.0.113
[SwitchA-radius-rs1] quit

2. Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.
[SwitchA] domain dm1
# Configure AAA methods for the ISP domain.
[SwitchA-isp-dm1] authentication portal radius-scheme rs1
[SwitchA-isp-dm1] authorization portal radius-scheme rs1
[SwitchA-isp-dm1] accounting portal radius-scheme rs1
[SwitchA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
[SwitchA] domain default enable dm1

3. Configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources:

[SwitchA] acl number 3000
[SwitchA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[SwitchA-acl-adv-3000] rule deny ip
[SwitchA-acl-adv-3000] quit
[SwitchA] acl number 3001
[SwitchA-acl-adv-3001] rule permit ip