HP 5500 Ei 5500 Si Switch Series Configuration Guide

    •  If a terminal passes 802.1X or portal authentication, no other types of authentication will be 
    triggered for the terminal.  
    •   If the terminal passes MAC authentication, no portal authentication can be triggered for the 
    terminal, but 802.1X authentication can be triggered. When the terminal passes 802.1X 
    authentication, the 802.1X authentication information will overwrite the MAC authentication 
    information for the terminal.  
    Using triple authentication with other features 
    A triple authentication enabled access port supports working with the following features. 
    VLAN assignment 
    After a terminal passes authentication, the authentication server assigns an authorized VLAN to the 
    access port for the access terminal. The terminal can  then access the network resources in the authorized 
    VLAN. 
    Auth-Fail VLAN or MAC authentication guest VLAN 
    After a terminal fails authentication, the access port:  
    •   Adds the terminal to an Auth-Fail VLAN, if it  uses 802.1X or portal authentication service. 
    •   Adds the terminal to a MAC authentication guest VLAN, if it uses MAC authentication service. 
    A terminal may undergo all three types of authentication. If it fails to pass all types of authentication, the 
    access port adds the terminal to the 802.1X Auth-Fail VLAN. 
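The precedence and VLAN rules above, as an added Python model that is not part of the HP guide; the VLAN numbers are constructed, and how an 802.1X failure is treated after a MAC pass (which the guide does not state) is an assumption marked in the code:

```python
"""Model of the triple authentication precedence and VLAN rules described above (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

METHODS = ("802.1X", "portal", "mac")

@dataclass
class PortPolicy:
    """Per-port VLANs for terminals that fail authentication (constructed sample values)."""
    dot1x_auth_fail_vlan: int
    portal_auth_fail_vlan: int
    mac_guest_vlan: int

@dataclass
class Terminal:
    passed: Optional[str] = None       # method whose pass currently authorizes the terminal
    vlan: Optional[int] = None         # VLAN the access port has placed the terminal in
    failed: Set[str] = field(default_factory=set)

def can_trigger(term: Terminal, method: str) -> bool:
    """Which methods may still be triggered, given what the terminal has already passed."""
    if term.passed in ("802.1X", "portal"):
        return False                   # an 802.1X or portal pass: no other type is triggered
    if term.passed == "mac":
        return method == "802.1X"      # a MAC pass: 802.1X may still run, portal may not
    return True

def apply_result(term: Terminal, policy: PortPolicy, method: str,
                 success: bool, authorized_vlan: Optional[int] = None) -> Optional[int]:
    """Apply one authentication outcome and return the terminal's resulting VLAN."""
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    if not can_trigger(term, method):
        return term.vlan               # the method was never triggered; nothing changes
    if success:
        term.passed = method           # an 802.1X pass overwrites earlier MAC authentication info
        term.failed.discard(method)
        term.vlan = authorized_vlan    # authorized VLAN assigned by the authentication server
        return term.vlan
    if term.passed == "mac":
        return term.vlan               # assumption (not stated in the guide): a later 802.1X failure keeps the MAC authorization
    term.failed.add(method)
    if term.failed == set(METHODS):
        term.vlan = policy.dot1x_auth_fail_vlan    # failed all three: 802.1X Auth-Fail VLAN
    elif method == "mac":
        term.vlan = policy.mac_guest_vlan          # MAC authentication guest VLAN
    elif method == "802.1X":
        term.vlan = policy.dot1x_auth_fail_vlan
    else:
        term.vlan = policy.portal_auth_fail_vlan
    return term.vlan

def walk(policy: PortPolicy, events) -> List[Optional[int]]:
    """Run a sequence of (method, success, authorized_vlan) events for one terminal."""
    term = Terminal()
    return [apply_result(term, policy, m, ok, vlan) for m, ok, vlan in events]

if __name__ == "__main__":
    policy = PortPolicy(dot1x_auth_fail_vlan=2, portal_auth_fail_vlan=2, mac_guest_vlan=5)
    # A printer passes MAC authentication, then an 802.1X client on the same terminal passes too.
    print(walk(policy, [("mac", True, 3), ("802.1X", True, 30), ("portal", False, None)]))
    # A terminal fails every method in turn and ends up in the 802.1X Auth-Fail VLAN.
    print(walk(policy, [("mac", False, None), ("portal", False, None), ("802.1X", False, None)]))
```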
    ACL assignment 
    You can specify an authorization ACL for an authenticated user to control its access to network resources. 
    After the user passes MAC authentication, the authentication server, either the local access device or a 
    RADIUS server, assigns the ACL onto the access port to filter traffic for the user.  
    You must configure the ACLs on the access device, whether the authentication server is the access device 
    or a remote AAA server.  
    Detection of online terminals 
    •   You can enable an online detection timer, which is  configurable, to detect online portal clients. 
    •   You can enable the online handshake or periodic re-authentication function to detect online 802.1X 
    clients at a configurable interval. 
    •   You can enable an offline detection timer to detect online MAC authentication terminals at a 
    configurable interval. 
    For more information about the extended functions, see Configuring 802.1X, Configuring MAC 
    authentication, and Configuring portal authentication.
      
    Configuring triple authentication 
     
    Step                                          Command 
    1.  Configure 802.1X authentication.          See Configuring 802.1X 
    2.  Configure MAC authentication.             See Configuring MAC authentication 
    3.  Configure Layer-2 portal authentication.  See Configuring portal authentication 
    Remarks (apply to all three steps): 
    •   Configure at least one type of authentication. 
    •   802.1X authentication must use MAC-based access control. 
    •   HP does not recommend you configure 802.1X guest VLANs for triple authentication. 
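A small lint for the requirements in this table, as an added example that is not part of the HP guide; it assumes the configuration is supplied as a CLI transcript with `<Switch>`/`[Switch-...]` prompts, and the `GOOD` and `BAD` transcripts are constructed (BAD deliberately violates the table):

```python
"""Lint a Comware CLI transcript against the triple authentication requirements above (added example)."""
import re
from collections import defaultdict

# Strip the '<Switch>' / '[Switch-...]' prompts that precede each typed command.
PROMPT = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")

def parse_cli(transcript: str):
    """Group typed commands into global commands and per-interface command lists."""
    global_cmds, per_if, current = [], defaultdict(list), None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("#"):        # blank lines and '#' comments
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].lower().replace(" ", "")
            continue
        if line == "quit":
            current = None
            continue
        (per_if[current] if current else global_cmds).append(line)
    return global_cmds, per_if

def lint_triple_auth(transcript: str) -> list:
    """Return one finding per violated requirement on each access (GigabitEthernet) port."""
    global_cmds, per_if = parse_cli(transcript)
    findings = []
    for port, cmds in per_if.items():
        if not port.startswith("gigabitethernet"):
            continue                                 # loopback and VLAN interfaces are not access ports
        has_dot1x, has_mac = "dot1x" in cmds, "mac-authentication" in cmds
        has_portal = "portal local-server enable" in cmds
        if not (has_dot1x or has_mac or has_portal):
            findings.append(f"{port}: no authentication type configured")
            continue
        if has_dot1x and "dot1x port-method macbased" not in cmds:
            findings.append(f"{port}: 802.1X must use MAC-based access control")
        if has_dot1x and "dot1x" not in global_cmds:
            findings.append(f"{port}: 802.1X enabled on the port but not globally")
        if has_mac and "mac-authentication" not in global_cmds:
            findings.append(f"{port}: MAC authentication enabled on the port but not globally")
        if has_portal and not any(c.startswith("portal local-server ip ") for c in global_cmds):
            findings.append(f"{port}: local portal server has no listening IP address")
        if any(c.startswith("dot1x guest-vlan") for c in cmds):
            findings.append(f"{port}: 802.1X guest VLAN is not recommended with triple authentication")
    return findings

# Constructed transcripts: GOOD follows the guide's first example, BAD is a deliberately broken port.
GOOD = """
<Switch> system-view
[Switch] portal local-server ip 4.4.4.4
[Switch] dot1x
[Switch] mac-authentication
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] portal local-server enable
[Switch-GigabitEthernet1/0/1] dot1x port-method macbased
[Switch-GigabitEthernet1/0/1] dot1x
[Switch-GigabitEthernet1/0/1] mac-authentication
[Switch-GigabitEthernet1/0/1] quit
"""
BAD = """
[Switch] mac-authentication
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] dot1x
[Switch-GigabitEthernet1/0/2] dot1x guest-vlan 10
[Switch-GigabitEthernet1/0/2] mac-authentication
[Switch-GigabitEthernet1/0/2] quit
"""
```

Running `lint_triple_auth(BAD)` reports the missing MAC-based access control, the missing global `dot1x`, and the discouraged guest VLAN; `GOOD` yields no findings.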
     
    Triple authentication configuration examples 
    Triple authentication basic function configuration example 
    Network requirements 
    As shown in Figure 85, the terminals are connected to a switch to access the IP network. Configure triple 
    authentication on the Layer-2 interface of the switch that connects to the terminals so that a terminal 
    passing one of the three authentication methods, 802.1X authentication, portal authentication, and MAC 
    authentication, can access the IP network.  
    •   Configure static IP addresses in network 192.168.1.0/24 for the terminals. 
    •   Use the remote RADIUS server to perform authentication, authorization, and accounting and 
    configure the switch to send usernames carrying no ISP domain names to the RADIUS server. 
    •   The local portal authentication server on the switch uses listening IP address 4.4.4.4. The switch 
    sends a default authentication page to the web user  and forwards authentication data using HTTP.  
    Figure 85  Network diagram 
     
     
    Configuration procedure 
    Make sure that the terminals, the server, and the switch can reach each other. 
    The host of the web user must have a route to the listening IP address of the local portal server. 
    1. Configure the RADIUS server, and make sure the  authentication, authorization, and accounting 
    functions work normally. In this example, configure on the RADIUS server an 802.1X user (with 
    username  userdot), a portal user (with username  userpt), and a MAC authentication user (with a 
    username and password both being the MAC address of the printer  001588f80dd7). 
    2. Configure portal authentication: 
    # Configure VLANs and IP addresses for the VLAN  interfaces, and add ports to specific VLANs. 
    (Details not shown.)  
    # Configure the local portal server to support HTTP. 
    <Switch> system-view 
    [Switch] portal local-server http 
    # Configure the IP address of interface loopback 0 as 4.4.4.4. 
    [Switch] interface loopback 0 
    [Switch-LoopBack0] ip address 4.4.4.4 32 
    [Switch-LoopBack0] quit 
    # Specify the listening IP address of the local portal server for Layer-2 portal authentication as 4.4.4.4. 
    [Switch] portal local-server ip 4.4.4.4 
    # Enable Layer-2 portal authentication on GigabitEthernet 1/0/1. 
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] portal local-server enable 
    [Switch-GigabitEthernet1/0/1] quit 
    3.  Configure 802.1X authentication: 
    # Enable 802.1X authentication globally. 
    [Switch] dot1x 
    # Enable 802.1X authentication (MAC-based access control required) on GigabitEthernet 1/0/1. 
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] dot1x port-method macbased 
    [Switch-GigabitEthernet1/0/1] dot1x 
    [Switch-GigabitEthernet1/0/1] quit 
    4. Configure MAC authentication: 
    # Enable MAC authentication globally. 
    [Switch] mac-authentication 
    # Enable MAC authentication on GigabitEthernet 1/0/1. 
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] mac-authentication 
    [Switch-GigabitEthernet1/0/1] quit 
    5. Configure a RADIUS scheme: 
    # Create a RADIUS scheme named  rs1. 
    [Switch] radius scheme rs1 
    # Specify the server type for the RADIUS scheme, which must be  extended when the IMC server is 
    used. 
    [Switch-radius-rs1] server-type extended 
    # Specify the primary authentication and accounting servers and keys. 
    [Switch-radius-rs1] primary authentication 1.1.1.2 
    [Switch-radius-rs1] primary accounting 1.1.1.2 
    [Switch-radius-rs1] key authentication radius 
    [Switch-radius-rs1] key accounting radius 
    # Specify usernames sent to the RADIUS  server to carry no domain names. 
    [Switch-radius-rs1] user-name-format without-domain 
    [Switch-radius-rs1] quit 
    6. Configure an ISP domain: 
    # Create an ISP domain named triple.  
    [Switch] domain triple 
    # Configure the default AAA methods for all types of users in the domain. 
    [Switch-isp-triple] authentication default radius-scheme rs1 
    [Switch-isp-triple] authorization default radius-scheme rs1 
    [Switch-isp-triple] accounting default radius-scheme rs1 
    [Switch-isp-triple] quit 
    # Configure domain triple as the default domain. If a username input by a user includes no ISP 
    domain name, the authentication scheme of the default domain is used. 
    [Switch] domain default enable triple 
    Verifying the configuration 
    User userdot uses the 802.1X client to initiate authentication. After inputting the correct username and 
    password, the user can pass 802.1X authentication. Web user  userpt uses a web browser to access an 
    external network. The web request is redirected to the authentication page 
    http://4.4.4.4/portal/logon.htm. After inputting the correct username and password, the web user can 
    pass portal authentication. The printer can pass  MAC authentication after being connected to the 
    network. 
    Use the  display connection  command to view online users. 
    [Switch] display connection 
    Slot:  1 
    Index=30  , Username=userpt@triple 
     IP=192.168.1.2 
     IPv6=N/A 
     MAC=0015-e9a6-7cfe 
    Index=31  , Username=userdot@triple 
     IP=192.168.1.3 
     IPv6=N/A 
     MAC=0002-0002-0001 
    Index=32  , Username=001588f80dd7@triple 
     IP=192.168.1.4 
     IPv6=N/A 
     MAC=0015-88f8-0dd7 
     
     Total 3 connection(s) matched on slot 1. 
     Total 3 connection(s) matched. 
    Triple authentication supporting VLAN assignment and 
    Auth-Fail VLAN configuration example 
    Network requirement 
    As shown in Figure 86 , the terminals are connected to a switch to access the IP network. Configure triple 
    authentication on the Layer-2 interface of the switch which connects to the terminals so that a terminal 
    passing one of the three authentication methods, 802.1X authentication, portal authentication, and MAC 
    authentication, can access the IP network.  
    •   Portal terminals use DHCP to get IP addresses in 192.168.1.0/24 before authentication and in 
    3.3.3.0/24 after passing authentication.  
    •  802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP 
    addresses in 3.3.3.0/24 through DHCP after passing authentication. If the terminal fails 
    authentication, it uses an IP address in 2.2.2.0/24. 
    •   After passing authentication, the printer obtains the IP address 3.3.3.111/24 that is bound with its 
    MAC address through DHCP. 
    •   Use the remote RADIUS server to perform authentication, authorization, and accounting and 
    configure the switch to remove the ISP domain names from usernames sent to the RADIUS server. 
    •   The local portal authentication server on the switch uses listening IP address 4.4.4.4. The switch 
    sends a default authentication page to the web user and forwards authentication data by using 
    HTTPS. 
    •   Configure VLAN 3 as the authorized VLAN on the RADIUS server. Users passing authentication are 
    added to this VLAN. 
    •   Configure VLAN 2 as the Auth-Fail VLAN on the access device. Users failing authentication are 
    added to this VLAN, and are allowed to access only the Update server. 
    Figure 86  Network diagram 
     
     
    Configuration procedure 
    Make sure that the terminals, the servers, and the switch can reach each other. 
    When using an external DHCP server, make sure that the terminals can get IP addresses from the server 
    before and after authentication. 
    1. Configure the RADIUS server, and make sure the  authentication, authorization, and accounting 
    functions work normally. In this example, configure on the RADIUS server an 802.1X user (with 
    username  userdot), a portal user (with username  userpt), a MAC authentication user (with a 
    username and password both being the MAC address of the printer  001588f80dd7), and an 
    authorized VLAN (VLAN 3). 
    2.  Configure PKI domain pkidm and acquire the local and CA certificates. For more information, see 
    Configuring PKI. 
    3.  Complete the editing of a self-defined default authentication page file, compress the file to a zip 
    file named defaultfile and save the zip file at the root directory. 
    4. Configure DHCP:  
    # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. 
    (Details not shown.) 
    # Enable DHCP. 
    <Switch> system-view 
    [Switch] dhcp enable 
    # Exclude the IP address of the update server from assignment. 
    [Switch] dhcp server forbidden-ip 2.2.2.2 
    # Configure IP address pool 1, including the address range, lease and gateway address. A short 
    lease is recommended to shorten the time terminals use to re-acquire IP addresses after the 
    terminals pass or fail authentication. 
    [Switch] dhcp server ip-pool 1 
    [Switch-dhcp-pool-1] network 192.168.1.0 mask 255.255.255.0 
    [Switch-dhcp-pool-1] expired day 0 hour 0 minute 1 
    [Switch-dhcp-pool-1] gateway-list 192.168.1.1 
    [Switch-dhcp-pool-1] quit 
    A short lease is recommended to shorten the time that terminals use to re-acquire IP addresses after 
    passing or failing authentication. However, in some applications, a terminal can require a new IP 
    address before the lease duration expires. For example, the iNode 802.1X client automatically 
    renews its IP address after disconnecting from the server. 
    # Configure IP address pool 2, including the address range, lease and gateway address. A short 
    lease is recommended to shorten the time term inals use to re-acquire IP addresses after the 
    terminals pass authentication. 
    [Switch] dhcp server ip-pool 2 
    [Switch-dhcp-pool-2] network 2.2.2.0 mask 255.255.255.0 
    [Switch-dhcp-pool-2] expired day 0 hour 0 minute 1 
    [Switch-dhcp-pool-2] gateway-list 2.2.2.1 
    [Switch-dhcp-pool-2] quit 
    # Configure IP address pool 3, including the address range, lease and gateway address. A short 
    lease is recommended to shorten the time term inals use to re-acquire IP addresses after the 
    terminals are offline. 
    [Switch] dhcp server ip-pool 3 
    [Switch-dhcp-pool-3] network 3.3.3.0 mask 255.255.255.0 
    [Switch-dhcp-pool-3] expired day 0 hour 0 minute 1 
    [Switch-dhcp-pool-3] gateway-list 3.3.3.1 
    [Switch-dhcp-pool-3] quit 
    # Configure IP address pool 4, and bind the printer MAC address 0015-e9a6-7cfe to the IP 
    address 3.3.3.111/24 in this address pool. 
    [Switch] dhcp server ip-pool 4 
    [Switch-dhcp-pool-4] static-bind ip-address 3.3.3.111 mask 255.255.255.0 
    [Switch-dhcp-pool-4] static-bind mac-address 0015-e9a6-7cfe 
    [Switch-dhcp-pool-4] quit 
    5.  Configure portal authentication: 
    # Create SSL server policy  sslsvr and specify it to use PKI domain  pkidm. 
    [Switch] ssl server-policy sslsvr 
    [Switch-ssl-server-policy-sslsvr] pki pkidm 
    [Switch-ssl-server-policy-sslsvr] quit 
    # Configure the local portal server to support HTTPS and use SSL server policy sslsvr.  
    [Switch] portal local-server https server-policy sslsvr 
    # Configure IP address 4.4.4.4 for interface loopback 12. 
    [Switch] interface loopback 12 
    [Switch-LoopBack12] ip address 4.4.4.4 32 
    [Switch-LoopBack12] quit 
    # Specify the listening IP address of the local portal server as 4.4.4.4. 
    [Switch] portal local-server ip 4.4.4.4 
    # Enable Layer-2 portal authentication on GigabitEthernet 1/0/1 and specify VLAN 2 as the 
    Auth-Fail VLAN, to which terminals  failing authentication are added. 
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] port link-type hybrid 
    [Switch-GigabitEthernet1/0/1] mac-vlan enable 
    [Switch-GigabitEthernet1/0/1] portal local-server enable 
    [Switch-GigabitEthernet1/0/1] portal auth-fail vlan 2 
    [Switch-GigabitEthernet1/0/1] quit 
    6. Configure 802.1X authentication: 
    # Enable 802.1X authentication globally. 
    [Switch] dot1x 
    # Enable 802.1X authentication (MAC-based access control required) on GigabitEthernet 1/0/1, 
    and specify VLAN 2 as the Auth-Fail VLAN. 
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] dot1x port-method macbased 
    [Switch-GigabitEthernet1/0/1] dot1x 
    [Switch-GigabitEthernet1/0/1] dot1x auth-fail vlan 2 
    [Switch-GigabitEthernet1/0/1] quit 
    7.  Configure MAC authentication: 
    # Enable MAC authentication globally. 
    [Switch] mac-authentication 
    # Enable MAC authentication on GigabitEthernet 1/0/1, and specify VLAN 2 as the Auth-Fail 
    VLAN. 
    [Switch] interface gigabitethernet 1/0/1 
    [Switch-GigabitEthernet1/0/1] mac-authentication 
    [Switch-GigabitEthernet1/0/1] mac-authentication guest-vlan 2 
    [Switch-GigabitEthernet1/0/1] quit 
    8.  Configure a RADIUS scheme: 
    # Create a RADIUS scheme named  rs1. 
    [Switch] radius scheme rs1 
    # Specify the server type for the RADIUS scheme, which must be  extended when the IMC server is 
    used. 
    [Switch-radius-rs1] server-type extended 
    # Specify the primary authentication and accounting servers and keys. 
    [Switch-radius-rs1] primary authentication 1.1.1.2 
    [Switch-radius-rs1] primary accounting 1.1.1.2 
    [Switch-radius-rs1] key authentication radius 
    [Switch-radius-rs1] key accounting radius 
    # Specify usernames sent to the RADIUS server to carry no domain names.  
    [Switch-radius-rs1] user-name-format without-domain 
    [Switch-radius-rs1] quit 
    9. Configure an ISP domain: 
    # Create an ISP domain named triple. 
    [Switch] domain triple 
    # Configure the default AAA methods for all types of users in the domain. 
    [Switch-isp-triple] authentication default radius-scheme rs1 
    [Switch-isp-triple] authorization default radius-scheme rs1 
    [Switch-isp-triple] accounting default radius-scheme rs1 
    [Switch-isp-triple] quit 
    # Configure domain triple as the default domain. If a username input by a user includes no ISP 
    domain name, the authentication scheme of the default domain is used. 
    [Switch] domain default enable triple 
    Verifying the configuration 
    User userdot uses the 802.1X client to initiate authentication. After inputting the correct username and 
    password, the user can pass 802.1X authentication. Web user  userpt uses a web browser to access an 
    external network. The web request is redirected to the authentication page 
    http://4.4.4.4/portal/logon.htm. After inputting th e correct username and password, the web user can 
    pass portal authentication. The printer can pass  MAC authentication after being connected to the 
    network. 
    Use the  display connection  command to view connection information about online users. 
    [Switch] display connection 
    Slot:  1 
    Index=30  , Username=userpt@triple 
     IP=192.168.1.2 
     IPv6=N/A 
     MAC=0015-e9a6-7cfe 
    Index=31  , Username=userdot@triple 
     IP=3.3.3.2 
     IPv6=N/A 
     MAC=0002-0002-0001 
    Index=32  , Username=001588f80dd7@triple 
     IP=N/A 
     IPv6=N/A 
     MAC=0015-88f8-0dd7 
     
     Total 3 connection(s) matched on slot 1. 
     Total 3 connection(s) matched. 
    Use the display mac-vlan all  command to view the MAC-VLAN entries of online users. VLAN 3 is the 
    authorized VLAN. 
    [Switch] display mac-vlan all 
      The following MAC VLAN addresses exist: 
      S:Static  D:Dynamic 
      MAC ADDR         MASK             VLAN ID   PRIO   STATE 
      -------------------------------------------------------- 
      0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D 
      0002-0002-0001   ffff-ffff-ffff   3         0      D 
      0015-88f8-0dd7   ffff-ffff-ffff   3         0      D 
      Total MAC VLAN address count:3 
    Use the display dhcp server ip-in-use command to view the IP addresses assigned to online users. 
    [Switch] display dhcp server ip-in-use all 
    Pool utilization: 0.59% 
     IP address       Client-identifier/    Lease expiration          Type 
                      Hardware address 
     3.3.3.111        0015-88f8-0dd7        Dec 15 2009 17:40:52      Auto:COMMITTED 
     3.3.3.2          0002-0002-0001        Dec 15 2009 17:41:02      Auto:COMMITTED 
     3.3.3.3          0015-e9a6-7cfe        Unlimited                 Manual 
     --- total 3 entry --- 
    When a terminal fails authentication, it is added to VLAN 2. You can also use the display commands to 
    view the MAC-VLAN entry and IP address of the terminal.  
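An added audit script, not part of the HP guide, that parses the display connection and display mac-vlan all output shown above and classifies each dynamic MAC-VLAN entry as authorized, in the Auth-Fail VLAN, or somewhere unexpected; the sample output is constructed from the examples above plus two extra MAC addresses (000a-... failed, 000b-... in VLAN 3 without a connection):

```python
"""Audit 'display connection' and 'display mac-vlan all' output for terminal VLAN placement (added example)."""
import re

MAC = r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
MAC_VLAN_ROW = re.compile(r"^\s*" + MAC + r"\s+\S+\s+(\d+)\s+\d+\s+([SD])\s*$")
CONN_USER = re.compile(r"Username=(\S+)")
CONN_MAC = re.compile(r"MAC=" + MAC)

def parse_mac_vlan(text: str) -> dict:
    """MAC address -> (VLAN ID, S/D state) from 'display mac-vlan all' output."""
    entries = {}
    for line in text.splitlines():
        m = MAC_VLAN_ROW.match(line)
        if m:
            entries[m.group(1)] = (int(m.group(2)), m.group(3))
    return entries

def parse_connections(text: str) -> dict:
    """MAC address -> username of each online user from 'display connection' output."""
    users, current = {}, None
    for line in text.splitlines():
        u = CONN_USER.search(line)
        if u:
            current = u.group(1)          # an 'Index=..., Username=...' line starts an entry
            continue
        m = CONN_MAC.search(line)
        if m and current:
            users[m.group(1)] = current
    return users

def audit(conn_text: str, vlan_text: str, authorized_vlan: int, auth_fail_vlan: int) -> dict:
    """Classify each dynamic MAC-VLAN entry. A failed terminal sits in the Auth-Fail VLAN with no
    online connection; an entry in the authorized VLAN without a connection, or in any other VLAN,
    deserves a closer look."""
    online = parse_connections(conn_text)
    report = {}
    for mac, (vlan, state) in parse_mac_vlan(vlan_text).items():
        if state != "D":
            continue                      # static entries were configured by hand, not learned
        user = online.get(mac)
        if vlan == authorized_vlan and user:
            status = "authorized"
        elif vlan == auth_fail_vlan and not user:
            status = "auth-fail"
        elif vlan == authorized_vlan:
            status = "authorized-vlan-but-not-online"
        else:
            status = "unexpected-vlan"
        report[mac] = (user, vlan, status)
    return report

# Constructed sample output modelled on the verification section above, plus two extra entries.
CONNECTIONS = """\
Slot:  1
Index=30  , Username=userpt@triple
 IP=192.168.1.2
 MAC=0015-e9a6-7cfe
Index=31  , Username=userdot@triple
 IP=3.3.3.2
 MAC=0002-0002-0001
"""
MAC_VLANS = """\
  MAC ADDR         MASK             VLAN ID   PRIO   STATE
  --------------------------------------------------------
  0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D
  0002-0002-0001   ffff-ffff-ffff   3         0      D
  000a-000a-000a   ffff-ffff-ffff   2         0      D
  000b-000b-000b   ffff-ffff-ffff   3         0      D
"""
```

Call `audit(CONNECTIONS, MAC_VLANS, authorized_vlan=3, auth_fail_vlan=2)` to get one (username, VLAN, status) tuple per learned MAC address.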
    Configuring port security 
    Overview 
    Port security combines and extends 802.1X and MAC authentication to provide MAC-based network 
    access control. It applies to a network that requires different authentication methods for different users on 
    a port.  
    Port security prevents unauthorized access to the network by checking the source MAC address of 
    inbound traffic and prevents access to unauthorized devices by checking the destination MAC address 
    of outbound traffic.  
    Port security can control MAC address learning and authentication on a port to make sure that the port 
    learns only trusted MAC addresses.  
    A frame is illegal if its source MAC address cannot be learned in a port security mode or if it comes from a 
    client that has failed 802.1X or MAC authentication.  
    The port security feature can automatically take a pre-defined action on illegal frames. This automatic 
    mechanism enhances network security and reduces human intervention. 
     
      NOTE: 
    For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you 
    configure 802.1X authentication or MAC authentication rather than port security. For more information 
    about 802.1X and MAC authentication, see Configuring 802.1X and Configuring MAC authentication.  
    Port security features 
    NTK 
    The need to know (NTK) feature prevents traffic interception by checking the destination MAC address in 
    the outbound frames. The feature guarantees that frames are sent only to hosts that have passed 
    authentication or whose MAC addresses have been learned or configured on the access device.  
    Intrusion protection 
    The intrusion protection feature checks the source MAC address in inbound frames for illegal frames and 
    takes a pre-defined action on each detected illegal frame. The action can be disabling the port 
    temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for three 
    minutes (not user configurable).  
    Port security traps 
    You can configure the port security module to send traps for port security events such as login, logoff, and 
    MAC authentication. These traps help you monitor user behaviors. 
    Port security modes 
    Port security supports the following categories of security modes:  