HP 5500 Ei 5500 Si Switch Series Configuration Guide

    •  Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is 
    in the IP group. 
•   Select a service group. By default, the group Ungrouped is used.
•   Select the IP group type Normal.
    Figure 79  Adding an IP address group 
     
     
# Add a portal device.
Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the
portal device configuration page. Then, click Add to enter the page shown in Figure 63.
•   Enter the device name NAS.
•   Enter the IP address of the switch's interface connected to the user.
•   Enter the key, which must be the same as that configured on the switch.
•   Set whether to enable IP address reallocation. This example uses direct portal authentication, and
therefore select No from the Reallocate IP list.
•   Set whether to support the portal server heartbeat and user heartbeat functions. In this example,
select Yes for both Support Server Heartbeat and Support User Heartbeat.
Figure 80  Adding a portal device

# Associate the portal device with the IP address group.
As shown in Figure 64, click the icon in the Port Group Information Management column of device NAS
to enter the port group configuration page.
    Figure 81  Device list 
     
     
On the port group configuration page, click Add to enter the page shown in Figure 65. Perform the
following configurations:
•   Enter the port group name.
•   Select the configured IP address group. The IP address used by the user to access the network must
be within this IP address group.
•   Use the default settings for other parameters.
    Figure 82  Adding a port group 
     
     
# Select User Access Manager > Service Parameters > Validate System Configuration from the
navigation tree to validate the configurations.
    Configure the switch 
1.  Configure a RADIUS scheme:
# Create RADIUS scheme rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Configure the server type for the RADIUS scheme. When using the IMC server, configure the
RADIUS server type as extended.
[Switch-radius-rs1] server-type extended
# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers. (The key radius is the example's RADIUS shared secret; it must
match the secret configured for this access device on the RADIUS server.)
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication radius
[Switch-radius-rs1] key accounting radius
    # Configure the access device to not carry the ISP domain name in the username sent to the 
    RADIUS server. 
    [Switch-radius-rs1] user-name-format without-domain 
    [Switch-radius-rs1] quit 
    2.  Configure an authentication domain: 
# Create ISP domain dm1 and enter its view.
    [Switch] domain dm1 
    # Configure AAA methods for the ISP domain. 
    [Switch-isp-dm1] authentication portal radius-scheme rs1 
    [Switch-isp-dm1] authorization portal radius-scheme rs1 
    [Switch-isp-dm1] accounting portal radius-scheme rs1 
    [Switch-isp-dm1] quit 
# Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username
without the ISP domain at logon, the authentication and accounting methods of the default domain
are used for the user.
    [Switch] domain default enable dm1 
    3.  Configure portal authentication: 
# Configure a portal server on the switch, making sure that the IP address, port number and URL
match those of the actual portal server.
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting the host.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal server newpt method direct
[Switch-Vlan-interface100] quit
4.  Configure the portal server detection function:
# Configure the access device to detect portal server newpt, specifying the detection method as
portal heartbeat probe, setting the server probe interval to 40 seconds, and specifying the access
device to send a server unreachable trap message and disable portal authentication to permit
unauthenticated portal users if two consecutive probes fail.
[Switch] portal server newpt server-detect method portal-heartbeat action trap permit-all interval 40 retry 2
The product of interval and retry must be greater than or equal to the portal server heartbeat
interval, and HP recommends configuring the interval as a value greater than the portal server
heartbeat interval configured on the portal server. Note that permit-all is a fail-open action: while the
portal server is unreachable, users on the portal-enabled interface get network access without
authenticating.
5.  Configure portal user synchronization:
# Configure the access device to synchronize portal user information with portal server newpt,
setting the synchronization probe interval to 600 seconds, and specifying the access device to log
off users if the users do not appear in the user synchronization packets sent from the server in two
consecutive probe intervals.
[Switch] portal server newpt user-sync interval 600 retry 2
The product of interval and retry must be greater than or equal to the portal user heartbeat interval,
and HP recommends configuring the interval as a value greater than the portal user heartbeat
interval configured on the portal server.
    Verifying the configuration 
Use the following command to view information about the portal server:
<Switch> display portal server newpt
 Portal server:
  1)newpt:
      IP   : 192.168.0.111
      Key  : ******
      Port : 50100
      URL  : http://192.168.0.111:8080/portal
      Status  : Up
    Configuring Layer 2 portal authentication 
    Network requirements 
As shown in Figure 83, a host is directly connected to a switch. The switch performs Layer 2 portal
authentication on users connected to port GigabitEthernet 1/0/1. More specifically,
•   Use the remote RADIUS server for authentication, authorization and accounting.
•   Use the remote DHCP server to assign IP addresses to users.
•   The listening IP address of the local portal server is 4.4.4.4. The local portal server pushes the
user-defined authentication pages to users and uses HTTPS to transmit authentication data.
•   Add users passing authentication to VLAN 3.
•   Add users failing authentication to VLAN 2, to allow the users to access resources on the update
server.
•   The host obtains an IP address through DHCP. Before authentication, the DHCP server assigns an IP
address in segment 192.168.1.0/24 to the host. When the host passes the authentication, the DHCP
server assigns an IP address in segment 3.3.3.0/24 to the host. When the host fails authentication,
the DHCP server assigns an IP address in segment 2.2.2.0/24 to the host.
    Figure 83 Network diagram 
     
     
    Configuration procedures 
    Follow these guidelines to configure Layer 2 portal authentication: 
•   Make sure that the host, switch, and servers can reach each other before portal authentication is
enabled.
•   Configure the RADIUS server properly to provide normal authentication/authorization/accounting
functions for users. In this example, you must create a portal user account with the account name
userpt on the RADIUS server, and configure an authorized VLAN for the account.
•   On the DHCP server, you must specify the IP address ranges (192.168.1.0/24, 3.3.3.0/24,
2.2.2.0/24), specify the default gateway addresses (192.168.1.1, 3.3.3.1, 2.2.2.1), exclude the
update server's address 2.2.2.2 from the address ranges for address allocation, specify the leases
for the assigned IP addresses and make sure there is a route to the host. To shorten the IP address
update time in case of an authentication state change, set a short lease for each address.
    •   Because the DHCP server and the DHCP client are not in the same subnet, you need to configure 
    a DHCP relay agent on the subnet of the client. For more information about DHCP relay agent, see 
    Layer 3—IP Services Configuration Guide . 
    Perform the following configuration on the switch to implement Layer 2 portal authentication: 
    1.  Configure portal authentication: 
# Add Ethernet ports to related VLANs and configure IP addresses for the VLAN interfaces. (Details
not shown.)
# Configure PKI domain pkidm, and apply for a local certificate and CA certificate. For more
configuration information, see Configuring PKI.
    # Edit the user-defined authentication pages file, compress it into a zip file named  defaultfile, and 
    save the file in the root directory of the access device. 
# Configure SSL server policy sslsvr, and specify to use PKI domain pkidm.
<Switch> system-view
[Switch] ssl server-policy sslsvr
[Switch-ssl-server-policy-sslsvr] pki pkidm
[Switch-ssl-server-policy-sslsvr] quit
(Labels from the Figure 83 network diagram, displaced here by extraction: Host connects to Switch port GE1/0/1; Switch Vlan-int8 192.168.1.1/24 (DHCP relay), Vlan-int2 2.2.2.1/24, Vlan-int3 3.3.3.1, Vlan-int1 1.1.1.1; IP network with RADIUS server 1.1.1.2/24 and DHCP server 1.1.1.3/24; Update server 2.2.2.2/24.)
    # Configure the local portal server to support HTTPS and reference SSL server policy  sslsvr. 
    [Switch] portal local-server https server-policy sslsvr 
    # Configure the IP address of loopback interface 12 as 4.4.4.4. 
    [Switch] interface loopback 12 
    [Switch-LoopBack12] ip address 4.4.4.4 32 
    [Switch-LoopBack12] quit 
# Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal
authentication.
[Switch] portal local-server ip 4.4.4.4
# Enable portal authentication on port GigabitEthernet 1/0/1, and specify the Auth-Fail VLAN of
the port as VLAN 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] mac-vlan enable
[Switch-GigabitEthernet1/0/1] portal local-server enable
[Switch-GigabitEthernet1/0/1] portal auth-fail vlan 2
[Switch-GigabitEthernet1/0/1] quit
    2.  Configure a RADIUS scheme: 
# Create a RADIUS scheme named rs1 and enter its view.
<Switch> system-view
[Switch] radius scheme rs1
# Set the server type for the RADIUS scheme. When using the IMC server, set the server type to
extended.
[Switch-radius-rs1] server-type extended
    # Specify the primary authentication server and primary accounting server, and configure the keys 
    for communication with the servers. 
    [Switch-radius-rs1] primary authentication 1.1.1.2 
    [Switch-radius-rs1] primary accounting 1.1.1.2 
    [Switch-radius-rs1] key accounting radius 
    [Switch-radius-rs1] key authentication radius 
    [Switch-radius-rs1] quit 
    3. Configure an authentication domain: 
# Create and enter ISP domain triple.
[Switch] domain triple
# Configure AAA methods for the ISP domain.
[Switch-isp-triple] authentication portal radius-scheme rs1
[Switch-isp-triple] authorization portal radius-scheme rs1
[Switch-isp-triple] accounting portal radius-scheme rs1
[Switch-isp-triple] quit
# Configure domain triple as the default ISP domain for all users. Then, if a user enters a username
without any ISP domain at logon, the authentication and accounting methods of the default
domain are used for the user.
[Switch] domain default enable triple
    4.  Configure the DHCP relay agent: 
    # Enable DHCP. 
[Switch] dhcp enable
    # Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group. 
    [Switch] dhcp relay server-group 1 ip 1.1.1.3 
    # Enable the DHCP relay agent on VLAN-interface 8. 
    [Switch] interface vlan-interface 8 
    [Switch-Vlan-interface8] dhcp select relay 
    # Correlate DHCP server group 1 with VLAN-interface 8. 
    [Switch-Vlan-interface8] dhcp relay server-select 1 
    [Switch-Vlan-interface8] quit 
    # Enable the DHCP relay agent on VLAN-interface 2. 
    [Switch] interface vlan-interface 2 
    [Switch-Vlan-interface2] dhcp select relay 
    # Correlate DHCP server group 1 with VLAN-interface 2. 
    [Switch-Vlan-interface2] dhcp relay server-select 1 
    [Switch-Vlan-interface2] quit 
    # Enable the DHCP relay agent on VLAN-interface 3. 
    [Switch] interface vlan-interface 3 
    [Switch-Vlan-interface3] dhcp select relay 
    # Correlate DHCP server group 1 with VLAN-interface 3. 
    [Switch-Vlan-interface3] dhcp relay server-select 1 
    [Switch-Vlan-interface3] quit 
    Verifying the configuration 
Before user userpt accesses a web page, the user is in VLAN 8 (the initial VLAN), and is assigned an
IP address on subnet 192.168.1.0/24. When the user accesses a web page on the external network,
the web request is redirected to the authentication page https://4.4.4.4/portal/logon.htm. After
entering the correct username and password, the user passes the authentication. Then, the device
moves the user from VLAN 8 to VLAN 3, the authorized VLAN. You can use the display connection
ucibindex command to view the online user information.
<Switch> display connection ucibindex 30
    Slot:  1 
    Index=30  , Username=userpt@triple 
    MAC=0015-e9a6-7cfe 
    IP=192.168.1.2 
    IPv6=N/A 
    Access=PORTAL  ,AuthMethod=PAP 
    Port Type=Ethernet,Port Name=GigabitEthernet1/0/1 
    Initial VLAN=8, Authorization VLAN=3 
    ACL Group=Disable 
    User Profile=N/A 
    CAR=Disable 
    Priority=Disable 
Start=2009-11-26 17:40:02 ,Current=2009-11-26 17:48:21 ,Online=00h08m19s

 Total 1 connection matched.
Use the display mac-vlan all command to view the generated MAC-VLAN entries, which record the MAC
addresses passing authentication and the corresponding VLANs.
[Switch] display mac-vlan all
  The following MAC VLAN addresses exist:
  S:Static  D:Dynamic
  MAC ADDR         MASK             VLAN ID   PRIO   STATE
  --------------------------------------------------------
  0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D
  Total MAC VLAN address count:1
    If a client fails authentication, it is added to VLAN 2. Use the previously mentioned commands to view the 
    assigned IP address and the generated MAC-VLAN entry for the client. 
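The two displays above can be checked against each other rather than read by eye. The script below is an added example, not part of the HP guide: it parses display connection and display mac-vlan all output and reports any online session whose MAC-VLAN entry is not in its authorization VLAN, and any MAC-VLAN entry outside the Auth-Fail VLAN that has no online session (a stale or static entry that grants VLAN 3 without a portal login). The sample outputs are constructed from the displays above, with two extra dynamic entries added to exercise both branches; the MACs 0015-e9a6-0001 (in VLAN 2) and 0015-e9a6-beef (in VLAN 3), and the function names, are assumptions of the example.

```python
import re

# Constructed sample outputs (example data, not captured from a real device):
# the `display connection ucibindex` record from the guide, plus a
# `display mac-vlan all` table extended with two extra dynamic entries, one
# in the Auth-Fail VLAN (2) and one in the authorized VLAN (3) without a session.
SAMPLE_CONNECTION = """\
Slot:  1
Index=30  , Username=userpt@triple
MAC=0015-e9a6-7cfe
IP=192.168.1.2
IPv6=N/A
Access=PORTAL  ,AuthMethod=PAP
Port Type=Ethernet,Port Name=GigabitEthernet1/0/1
Initial VLAN=8, Authorization VLAN=3
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2009-11-26 17:40:02 ,Current=2009-11-26 17:48:21 ,Online=00h08m19s

 Total 1 connection matched.
"""

SAMPLE_MAC_VLAN = """\
  The following MAC VLAN addresses exist:
  S:Static  D:Dynamic
  MAC ADDR         MASK             VLAN ID   PRIO   STATE
  --------------------------------------------------------
  0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D
  0015-e9a6-0001   ffff-ffff-ffff   2         0      D
  0015-e9a6-beef   ffff-ffff-ffff   3         0      D
  Total MAC VLAN address count:3
"""

MAC_VLAN_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+\S+\s+(\d+)\s+\d+\s+([SD])$")


def parse_connections(text):
    """Split `display connection` output into one dict of Key=Value fields per Index= record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Index="):
            current = {}
            records.append(current)
        if current is None or "=" not in line:
            continue
        for field in line.split(","):
            key, sep, value = field.partition("=")
            if sep:
                current[key.strip()] = value.strip()
    return records


def parse_mac_vlan(text):
    """Return {mac: (vlan_id, state)} from `display mac-vlan all` output."""
    entries = {}
    for raw in text.splitlines():
        if m := MAC_VLAN_RE.match(raw.strip()):
            mac, vlan, state = m.groups()
            entries[mac] = (int(vlan), state)
    return entries


def cross_check(connections, mac_vlan, auth_fail_vlan):
    """Compare online sessions with MAC-VLAN entries. Returns a list of (mac, message)."""
    findings = []
    online = {c["MAC"]: c for c in connections if "MAC" in c}
    for mac, conn in online.items():
        authorized = int(conn["Authorization VLAN"])
        if mac not in mac_vlan:
            findings.append((mac, f"online user {conn['Username']} has no MAC-VLAN entry"))
        elif mac_vlan[mac][0] != authorized:
            findings.append((mac, f"MAC-VLAN entry is VLAN {mac_vlan[mac][0]} but "
                                  f"authorization VLAN is {authorized}"))
    for mac, (vlan, state) in mac_vlan.items():
        if mac in online or vlan == auth_fail_vlan:
            continue  # authenticated, or a failed client parked in the Auth-Fail VLAN
        kind = "static" if state == "S" else "dynamic"
        findings.append((mac, f"{kind} MAC-VLAN entry in VLAN {vlan} with no online session"))
    return findings


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_CONNECTION)
    entries = parse_mac_vlan(SAMPLE_MAC_VLAN)
    for mac, msg in cross_check(conns, entries, auth_fail_vlan=2):
        print(f"{mac}: {msg}")
```

On the sample data the only finding is 0015-e9a6-beef, which sits in the authorized VLAN with no portal session; 0015-e9a6-0001 is silent because VLAN 2 is where failed clients are expected to land.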
    Troubleshooting portal 
    Inconsistent keys on the access device and the portal server 
    Symptom 
    When a user is forced to access the portal server, the portal server displays a blank web page, rather 
    than the portal authentication page or an error message. 
    Analysis 
    The keys configured on the access device and the portal server are inconsistent, causing CHAP message 
    exchange failure. As a result, the portal server does not display the authentication page. 
    Solution 
•   Use the display portal server command to display the key for the portal server on the access device
and view the key for the access device on the portal server.
•   Use the portal server command to modify the key on the access device or modify the key for the
access device on the portal server to make sure that the keys are consistent.
    Incorrect server port number on the access device 
    Symptom  
After a user passes the portal authentication, you cannot force the user to log off by executing the portal
delete-user command on the access device, but the user can log off by using the disconnect attribute on
the authentication client.
    Analysis 
When you execute the portal delete-user command on the access device to force the user to log off, the
access device actively sends a REQ_LOGOUT message to the portal server. The default listening port of
the portal server is 50100. If the port configured for the portal server on the access device is not the
port the server actually listens on, the destination port of the REQ_LOGOUT message is wrong, the
portal server never receives it, and you cannot force the user to log off the portal server.
When the user uses the disconnect attribute on the client to log off, the portal server actively sends a
REQ_LOGOUT message to the access device. The source port is 50100, and the access device sends its
ACK_LOGOUT message back to the source port of the REQ_LOGOUT message, so the portal server receives
the ACK_LOGOUT message correctly no matter which listening port is configured on the access device.
The user can therefore log off the portal server.
Solution
Use the display portal server command to display the listening port of the portal server configured on the
access device and use the portal server command in the system view to modify it to make sure that it is
the actual listening port of the portal server.
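Both failure modes in this troubleshooting section (a key mismatch, a wrong listening port) and the interval/retry rule stated with the server-detect and user-sync commands in the Layer 3 example can be checked from the configuration before a user is affected. The script below is an added example, not part of the HP guide: it parses the three portal server newpt lines of the switch configuration (a constructed sample copied from the Layer 3 example, in the form display current-configuration shows them) and compares them with values an operator reads from the IMC portal server. The portal-side numbers (listening port 50100, key portal, a 30-second server heartbeat, a 300-second user heartbeat) and the function names are assumptions of the example; it also reports permit-all as fail-open, which is what the command's description says it does.

```python
import re

# Constructed sample (example data, not the page's configuration file): the
# three `portal server newpt` lines from the Layer 3 example, as they appear
# in `display current-configuration`.
SAMPLE_SWITCH_CONFIG = """\
portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal
portal server newpt server-detect method portal-heartbeat action trap permit-all interval 40 retry 2
portal server newpt user-sync interval 600 retry 2
"""

# Assumed values read from the IMC portal server side for the same device:
# listening port, key for the access device, server heartbeat and user
# heartbeat intervals in seconds. Hypothetical numbers for the example.
SAMPLE_PORTAL_SIDE = {"listen_port": 50100, "key": "portal",
                      "server_heartbeat": 30, "user_heartbeat": 300}

SERVER_RE = re.compile(r"^portal server (\S+) ip (\S+) key (\S+) port (\d+) url (\S+)$")
DETECT_RE = re.compile(r"^portal server (\S+) server-detect\b(.*)\binterval (\d+) retry (\d+)$")
SYNC_RE = re.compile(r"^portal server (\S+) user-sync interval (\d+) retry (\d+)$")


def parse_portal_config(text):
    """Return {server_name: settings} from the `portal server` lines of a switch config."""
    servers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            name, ip, key, port, url = m.groups()
            servers[name] = {"ip": ip, "key": key, "port": int(port), "url": url,
                             "detect": None, "permit_all": False, "sync": None}
        elif (m := DETECT_RE.match(line)) and m.group(1) in servers:
            name, options, interval, retry = m.groups()
            servers[name]["detect"] = (int(interval), int(retry))
            servers[name]["permit_all"] = "permit-all" in options.split()
        elif (m := SYNC_RE.match(line)) and m.group(1) in servers:
            name, interval, retry = m.groups()
            servers[name]["sync"] = (int(interval), int(retry))
    return servers


def audit_portal(servers, portal_side):
    """Cross-check switch-side settings against the portal server's own values.
    Returns a list of (server_name, severity, message)."""
    findings = []
    for name, s in servers.items():
        if s["port"] != portal_side["listen_port"]:
            findings.append((name, "error",
                f"port {s['port']} is not the portal server listening port "
                f"{portal_side['listen_port']}; REQ_LOGOUT sent by 'portal delete-user' "
                "will not reach the server"))
        if s["key"] != portal_side["key"]:
            findings.append((name, "error",
                "key differs from the key configured for this access device on the "
                "portal server; the CHAP exchange fails and users see a blank page"))
        checks = (("server-detect", s["detect"], portal_side["server_heartbeat"]),
                  ("user-sync", s["sync"], portal_side["user_heartbeat"]))
        for label, params, heartbeat in checks:
            if params is None:
                findings.append((name, "warning", f"{label} is not configured"))
                continue
            interval, retry = params
            if interval * retry < heartbeat:
                findings.append((name, "error",
                    f"{label}: interval*retry = {interval * retry}s is below the "
                    f"{heartbeat}s heartbeat interval"))
            elif interval <= heartbeat:
                findings.append((name, "warning",
                    f"{label}: interval {interval}s should exceed the {heartbeat}s "
                    "heartbeat interval (HP recommendation)"))
        if s["permit_all"]:
            findings.append((name, "info",
                "server-detect action permit-all is fail-open: while the portal server "
                "is unreachable, unauthenticated users are permitted"))
    return findings


if __name__ == "__main__":
    servers = parse_portal_config(SAMPLE_SWITCH_CONFIG)
    for name, severity, message in audit_portal(servers, SAMPLE_PORTAL_SIDE):
        print(f"[{severity}] {name}: {message}")
```

Run it against display current-configuration output whenever either side changes; an error for the port or key reproduces the two symptoms described above before any user sees a blank page or a logoff that does not take effect.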
    Configuring triple authentication 
    Overview 
    Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. 
    A terminal can access the network if it passes one type of authentication.  
    Triple authentication is suitable for a LAN that comprises terminals that require different authentication 
services. For example, the triple authentication-enabled access port in Figure 84 can perform MAC
authentication for the printer, 802.1X authentication for a PC installed with the 802.1X client, and portal
authentication for the other PC.
    Figure 84  Triple authentication network diagram 
     
     
For more information about portal authentication, MAC authentication and 802.1X authentication, see
Configuring portal authentication, Configuring MAC authentication, and Configuring 802.1X.
    Triple authentication mechanism 
    The three types of authentication are triggered by different packets: 
    •  The access port performs MAC authentication for a terminal when it receives an ARP or DHCP 
    broadcast packet from the terminal for the first time. If the terminal passes MAC authentication, the 
    terminal can access the network. If the MAC authentication fails, the access port performs 802.1X 
    or portal authentication.  
    •   The access port performs 802.1X authentication when it receives an EAP packet from an 802.1X 
    client. If the unicast trigger function of 802.1X is enabled on the access port, any packet from an 
    802.1X client can trigger an 802.1X authentication.  
•   The access port performs portal authentication when it receives an HTTP packet from a terminal.
    If a terminal triggers different types of authentication, the authentications are processed at the same time. 
    The failure of one type of authentication does not affect the others. When a terminal passes one type of 
    authentication, the other types of authentication being performed are terminated. Then, whether the 
other types of authentication can be triggered varies: