HPE FlexNetwork 7500 Series Security Configuration Manual page 117
Hide thumbs
Also See for FlexNetwork 7500 Series:
- Security configuration manual (597 pages) ,
- Command reference manual (474 pages) ,
- Network management and monitoring command reference (430 pages)
Table of Contents
Advertisement
Configuration procedure
1.
Configure the 802.1X client. Make sure the client is able to update its IP address after the
access port is assigned to the 802.1X guest VLAN or an authorization VLAN. (Details not
shown.)
2.
Configure the RADIUS servers to provide authentication, authorization, and accounting
services. Add user accounts and specify the ACL (ACL 3000 in this example) for the users.
(Details not shown.)
3.
Assign an IP address to each interface, as shown in
4.
Configure a RADIUS scheme:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
<Device> system-view
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication
port to 1812.
[Device-radius-2000] primary authentication 10.1.1.1 1812
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to
1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication
server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting
server and the device.
[Device-radius-2000] key accounting simple abc
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
5.
Configure an ISP domain:
# Create ISP domain bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and
accounting.
[Device-isp-bbb] authentication lan-access radius-scheme 2000
[Device-isp-bbb] authorization lan-access radius-scheme 2000
[Device-isp-bbb] accounting lan-access radius-scheme 2000
[Device-isp-bbb] quit
6.
Configure a time range named ftp from 8:00 to 18:00 on weekdays.
[Device] time-range ftp 8:00 to 18:00 working-day
7.
Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 during the
specified time range.
[Device] acl number 3000
[Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 time-range ftp
[Device-acl-adv-3000] quit
8.
Configure 802.1X:
# Enable 802.1X on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
Figure
38. (Details not shown.)
105
Advertisement
Table of Contents
Troubleshooting
