Manuals / Brands / Computer Equipment / Switch / HP / Computer Equipment / Switch

HP 445946-001 A-R, A-A, A-C, A-R, Attribute, Attribute Value, Table 9 EAP support for RADIUS attributes, Port-basedNetwork Access and traffic control

1 198

Download 198 pages, 8.34 Mb

Port-based Network Access and traffic control

Supported RADIUS attributes

The HP 10GbE switch 802.1x Authenticator relies on external RADIUS servers for authentication with EAP. The following table lists the RADIUS attributes that are supported as part of RADIUS-EAP authentication based on the guidelines specified in Annex D of the 802.1x standard and RFC 3580.

Table 9 EAP support for RADIUS attributes

#	Attribute	Attribute Value	A-R	A-A	A-C	A-R

1	User-Name	The value of the Type-Data field from the	1	0-1	0	0
		supplicant’s EAP-Response/Identity message.
		If the Identity is unknown (i.e. Type-Data field
		is zero bytes in length), this attribute will have
		the same value as the Calling-Station-Id.

4	NAS-IP-Address	IP address of the authenticator used for	1	0	0	0
		RADIUS communication.

5	NAS-Port	Port number of the authenticator port to which	1	0	0	0
		the supplicant is attached.

24	State	Server-specific value. This is sent unmodified	0-1	0-1	0-1	0
		back to the server in an Access-Request that is
		in response to an Access-Challenge.

30	Called-Station-ID	The MAC address of the authenticator	1	0	0	0
		encoded as an ASCII string in canonical
		format, e.g. 000D5622E3 9F.

31	Calling-Station-ID	The MAC address of the supplicant encoded	1	0	0	0
		as an ASCII string in canonical format, e.g.
		00034B436206.

79	EAP-Message	Encapsulated EAP packets from the supplicant	1+	1+	1+	1+
		to the authentication server (Radius) and vice-
		versa. The authenticator relays the decoded
		packet to both devices.

80	Message-Authenticator	Always present whenever an EAP-Message	1	1	1	1
		attribute is also included. Used to integrity-
		protect a packet.

87	NAS-Port-ID	Name assigned to the authenticator port, e.g.	1	0	0	0
		Server1_Port3

Legend:

RADIUS Packet Types: A-R (Access-Request), A-A (Access-Accept), A-C (Access-Challenge), A-R (Access-Reject) RADIUS Attribute Support:

0—This attribute MUST NOT be present in a packet.

0+—Zero or more instances of this attribute MAY be present in a packet.

0-1—Zero or one instance of this attribute MAY be present in a packet. 1—Exactly one instance of this attribute MUST be present in a packet. 1+—One or more of these attributes MUST be present.

50

Contents

HP 10Gb Ethernet BL-cSwitch Page Contents Ports and trunking Configuring LACP Port-basedNetwork Access and traffic control VLANs Viewing VLANs Bridge priority Port priority Port path cost Adding a VLAN to a Spanning Tree Group Creating a VLAN Basic IP routing Routing Information Protocol IGMP Snooping Configuring IGMP Snooping (CLI example) Configuring a Static Mrouter (CLI example) Configuring IGMP Snooping (BBI example) Configuring IGMP Filtering (BBI example) Types of OSPF areas High availability Spanning Tree Protocol with UFD Configuring UFD on Switch 1 (CLI example) Configuring UFD on Switch 2 (CLI example) Configuring Uplink Failure Detection (BBI example) Accessing the switch Additional references http://www.hp.com/go/bladesystem/documentation •HP 10Gb Ethernet BL-cSwitch User Guide •HP 10Gb Ethernet BL-cSwitch Command Reference Guide •HP 10Gb Ethernet BL-cSwitch ISCLI Reference Guide ○Untagged ○Port VLAN ID (PVID): VLAN Interface •Gateway 254—Thisgateway is the default gateway for the management interface Using the command line interfaces Using the Browser-basedInterface Using Simple Network Management Protocol /cfg/sys/ssnmp/snmpv3/usm <x>/auth md5|sha To configure a user with name rview wview nview CLI user equivalent CLI oper equivalent SNMPv1 trap host 3.Configure an entry in the notify table c/sys/ssnmp/snmpv3/tparam <x>/uname 5.Use the community table to define the community string used in the traps snmpv2 snmpv1 /c/sys/ssnmp/snmpv3/access <x>/level /c/sys/ssnmp/snmpv3/tparam <x Secure access to the switch Configuring an IP address range for the management network How RADIUS authentication works Configuring RADIUS on the switch (CLI example) Configuring RADIUS on the switch (BBI example) RADIUS authentication features User accounts for RADIUS users RADIUS attributes for user privileges NOTE: User access level TACACS+ level Quit 2.Configure the TACACS+ secret and second secret 5.Configure custom privilege-levelmapping (optional) 6.Apply and save the configuration Tacacs+ Submit Secure Shell and Secure Copy Configuring SSH and SCP features (CLI example) Enabling or disabling SSH Enabling or disabling SCP apply and save Configuring the SCP administrator password Using SSH and SCP client commands Logging in to the switch Downloading configuration from the switch using SCP Uploading configuration to the switch using SCP Applying and saving configuration SSH and SCP encryption of management messages Generating RSA host and server keys for SSH access SSH/SCP integration with RADIUS and TACACS+ authentication Page Ports and trunking Port trunk groups Before you configure trunks Trunk group configuration rules Port trunking example Figure 1.On Switch 1, configure trunk groups 5 and 3: 2.On Switch 2, configure trunk groups 4 and 2: 3.Examine the trunking information on each switch, using the following command: Trunk Groups Add e. Click Submit Dashboard Page Configurable Trunk Hash algorithm Link Aggregation Control Protocol Actor Switch Partner Switch Page 1.Set the LACP mode on port 3. Set the LACP mode on port 4. Define the admin key on port 5.Apply and verify the configuration 6.Save your new configuration changes Port-basedNetwork Access and traffic control Page Page Table 9 EAP support for RADIUS attributes Attribute Attribute Value A-R A-A Port-basedtraffic control To configure a port for traffic control, perform the following steps: 1.Configure the traffic-controlthreshold and enable traffic control 2.To disable a traffic-controlthreshold, use the following command: 3.Apply and save the configuration VLANs Viewing VLANs Port information Port configuration VLAN tagging Page Page Figure 7 802.1Q tagging (after 802.1Q tag assignment) VLANs and IP interfaces VLAN topologies and design considerations /cfg/l2/stp /cfg/l2/mrst Page Multiple VLANS with tagging Figure 8 Multiple VLANs with VLAN tagging The features of this VLAN are described in the following table: Table 10 Multiple VLANs with tagging Component Configuring ports and VLANs on Switch 1 (CLI example) Page Configuring ports and VLANs on Switch 2 (CLI example) Configuring ports and VLANs on Switch 1 (BBI example) e.Click Submit Add VLAN c.Click Submit FDB static entries Page Spanning Tree Protocol Bridge priority Port priority Port path cost Page Switch element Belongs to Multiple Spanning Trees Page Configuring Switch 1 (CLI example) Configuring Switch 2 (CLI example) Configuring Switch 1 (BBI example) Submit Port Fast Forwarding Fast Uplink Convergence RSTP and MSTP Edge port Link type Configuring Rapid Spanning Tree (CLI example) Configuring Rapid Spanning Tree Protocol (BBI example) Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Protocol (CLI example) Configuring Multiple Spanning Tree Protocol (BBI example) CIST-Bridge CIST-Ports d. Click Submit Quality of Service Using ACL filters Number Protocol Name TCP/UDP Application Flag Precedence Group ACLs Precedence Level Using ACL Groups ACL Metering and Re-marking Viewing ACL statistics ACL configuration examples 1.Configure Access Control Lists (ACLs) b.Open the Access Control Lists folder, and select Add ACL Deny IPv4 Page Page Using DSCP values to provide QoS Drop Precedence Class Table 18 Class selector priority classes Priority Using 802.1p priorities to provide QoS Page 1.Configure a port’s default 802.1 priority 1.Configure a port’s default 802.1p priority Page Page Priority - CoS CoS - Weight Queuing and scheduling Basic IP routing Page Page Example of subnet routing Subnet Devices IP Addresses Interface IP Interface Switch Port VLAN # 4.The VLANs shown in the table above are configured as follows: 5.Each time you add a port to a VLAN, you may get the following prompt: 6.Enter y to set the default Port VLAN ID (PVID) for the port 7.Add each IP interface to the appropriate VLAN 9.Apply and verify the configuration Dynamic Host Configuration Protocol Page Routing Information Protocol RIPv1 RIPv2 RIPv2 in RIPv1 compatibility mode RIP Features Page RIP configuration example 1. Add VLANs for routing interfaces 2. Add IP interfaces to VLANs (/cfg/l3/frwd/on) before you turn RIP on /maint/route/dump IGMP Snooping Page Configuring the range Configuring the action Configuring IGMP Snooping (CLI example) Configuring IGMP Filtering (CLI example) Configuring a Static Mrouter (CLI example) Configuring IGMP Snooping (BBI example) Page Configuring IGMP Filtering (BBI example) a. Select Layer 3 > IGMP > IGMP Filters > Add Filter Layer 3 > IGMP > IGMP Filters > Switch Ports Page Configuring a Static Multicast Router (BBI example) Page OSPF Page dead OSPF implementation in HP 10GbE switch software Assigning the area index Using the area ID to assign the OSPF area number Attaching an area to a network Default routes Page Page Page OSPF configuration examples Example 1: Simple OSPF domain (BBI example) Add IP Interface Page Add OSPF Area d.Select Add OSPF Area f.Click Submit Add OSPF Interface d.Select Add OSPF Interface f. Click Submit Configuring OSPF for a virtual link on Switch A 8.Attach the network interface to the backbone 9.Attach the network interface to the transit area Configure the virtual link Switch B in step Apply and save the configuration changes Other Virtual Link Options Figure 23 Summarizing routes hide Configure IP interfaces for each network which will be attached to OSPF areas 2.Enable OSPF 3.Define the backbone Use the following commands to verify the OSPF configuration on your switch: •/info/l3/ospf/general •/info/l3/ospf/nbr •/info/l3/ospf/dbase/dbsum •/info/l3/ospf/routes Remote monitoring Configuring RMON Statistics (CLI example) Configuring RMON Statistics (BBI example) Page 4.Click Submit History MIB objects Configure RMON History (CLI example) Configure RMON History (BBI example) Alarm MIB objects Configure RMON Alarms (CLI example 1) Configure RMON Alarms (CLI example 2) Configure RMON Alarms (BBI example 1) 2.Click Submit Configure RMON Alarms (BBI example 2) Configuring RMON Events (CLI example) Configuring RMON Events (BBI example) High availability Page Page Configuring UFD on Switch 1 (CLI example) Configuring UFD on Switch 2 (CLI example) Configuring Uplink Failure Detection (BBI example) Add Virtual router Virtual router MAC address Owners and renters Master and backup virtual router Virtual Interface Router Failover methods Figure 26 Active-Activeredundancy HP 10GbE switch extensions to VRRP Parameter Virtual router deployment considerations Task 1: Configure Switch A 2.Configure client and server interfaces 4.Turn on VRRP and configure two Virtual Interface Routers 6.Turn off Spanning Tree Protocol globally Task 2: Configure Switch B Task 1: Configure Switch A (BBI example) Page Page Add Default Gateway Page Add Virtual Router g.Select Add Virtual Router i.Click Submit Add Spanning Tree Group Page off Troubleshooting tools To configure Port Mirroring for the example shown in the preceding figure: 1.Specify the monitoring port 2.Select the ports that you want to mirror 3.Enable Port Mirroring 4. Apply and save the configuration Port-Based Port Mirroring d.Click Add Mirrored Port Other network troubleshooting techniques Other network troubleshooting techniques include the following /info/sys/log -mgt –data Page Index