HP ProCurve Networking


ProCurve Networking by HP - Application Notes



Contents

» 1. Introduction
» 2. Prerequisites
» 3. Network diagram
» 4. Configuring the ProCurve Switch 5400zl
» 4.1 Configure the VLANs
» 4.2 Configure access to the RADIUS server
» 4.3 Configure the ProCurve switch for Web authentication
» 5. Configuring the RADIUS server
» 5.1 Configure the policy
» 5.2 Configure IAS clients
» 6. Configuring users
» 7. Reference documents

Downloads

» How to Configure Web Authentication on a ProCurve Switch (PDF)

1. Introduction

This document describes how to configure Web authentication using a ProCurve switch and a RADIUS server (Microsoft IAS). The switch used in this example is an HP ProCurve Switch 5400zl, but most ProCurve switches can be configured in the same manner.


2. Prerequisites

This procedure assumes you have an already configured RADIUS server (Microsoft IAS, on Windows Server 2003), and have created the necessary users and groups.


3. Network diagram

Figure 1 details the configuration referenced in this section.

Figure 1. Setup for Web authentication

Using this topology, you will configure the clients, switch, and RADIUS server to allow access to the network via Web authentication. You will use two VLANs to separate traffic between authorized and unauthorized users.


4. Configuring the ProCurve Switch 5400zl

As stated in the previous section, to keep the unauthorized and authorized traffic separate and secure, you divide it into two VLANs. The first VLAN, ID=2, carries the traffic of clients that have not yet authenticated. The second VLAN, ID=3, carries the traffic of authenticated clients.

4.1 Configure the VLANs
In order to support the authorized and unauthorized VLANs on the HP ProCurve Switch 5400zl, you need to create the VLANs and assign the uplink ports to the designated VLANs.

Connect to the 5400zl switch and enter the VLAN commands (the command listing is shown as a screen capture in the original note).



4.2 Configure access to the RADIUS server
Now that you have created the VLANs, you need to tell the HP ProCurve Switch 5400zl which RADIUS server authorizes clients and how to handle client traffic. Connect to the 5400zl switch and enter the RADIUS server commands (the command listing is shown as a screen capture in the original note). The shared secret you enter here must match the one you later enter for this switch in IAS (section 5.2).



4.3 Configure the ProCurve switch for Web authentication
After the 5400zl switch knows the address of the RADIUS server, you next restrict management access to the switch and enable Web authentication. Restricting access to the switch and requiring secure (SSL) communication to it are necessary for a secure environment, since users type their domain credentials into the switch's login page.

The following steps create local usernames, set up SSL, and set the Web authentication parameters on the switch (the command listing is shown as a screen capture in the original note).
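The three command groups of section 4 (VLANs, RADIUS server access, and management hardening plus Web authentication) collected into one complete 5400zl configuration. This is an added example, not the command listing from the original note: the client ports A1-A10, the uplink port A24, the RADIUS server address 10.24.3.10, the manager account name admin and the placement of the switch's management address on VLAN 3 are assumptions; the switch address 10.24.3.80, the shared secret hpsecret and the VLAN IDs 2 and 3 are the values the note itself uses.

```text
; Added example configuration for an HP ProCurve Switch 5400zl (not from the original note).
; Assumed: client ports A1-A10, uplink A24, RADIUS server 10.24.3.10,
; switch management address 10.24.3.80 on the authorized VLAN.

; --- 4.1 VLANs: 2 = unauthorized, 3 = authorized, both carried tagged on the uplink ---
vlan 2
   name "Unauthorized"
   tagged A24
   exit
vlan 3
   name "Authorized"
   tagged A24
   ip address 10.24.3.80 255.255.255.0
   exit

; --- 4.2 RADIUS server access ---
; The key must equal the shared secret entered for this client in IAS (section 5.2).
radius-server host 10.24.3.10 key hpsecret
radius-server timeout 5
radius-server retransmit 3

; --- 4.3 Management hardening and Web authentication ---
; Local manager account; the switch prompts for the password.
password manager user-name admin
; RSA key and self-signed certificate for the switch's web server, then enable SSL.
; "crypto host-cert generate self-signed" prompts for the certificate fields.
crypto key generate cert 1024
crypto host-cert generate self-signed
web-management ssl

; Web authentication: CHAP against RADIUS, unauthenticated clients land in VLAN 2,
; authenticated clients are moved to VLAN 3, login page served over SSL.
aaa authentication web-based chap-radius
aaa port-access web-based A1-A10
aaa port-access web-based A1-A10 unauth-vid 2
aaa port-access web-based A1-A10 auth-vid 3
aaa port-access web-based A1-A10 ssl-login
aaa port-access web-based A1-A10 max-retries 3
write memory

; Verification
show radius
show port-access web-based
show port-access web-based clients
```

The VLAN assignments are per client port: a client attached to A1-A10 is placed untagged in VLAN 2 until the RADIUS server returns Access-Accept, after which the port moves to VLAN 3. Keep the switch's management address off the unauthorized VLAN, so that unauthenticated clients can reach nothing but the login page.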



5. Configuring the RADIUS server

With the switch configured, the next step is to configure the Windows 2003 IAS RADIUS server.

5.1 Configure the policy
You first need to define a policy to allow Web authentication to work. To configure the policy:

  1. In IAS, right-click Remote Access Policies and choose New Remote Access Policy. The New Remote Access Policy Wizard opens.
  2. Click Next. You see the Policy Configuration Method screen.
  3. Select Set up a custom policy, enter a name in the Policy name field, and click Next. You see the Policy Conditions window.

    Policy conditions determine whether a connection request is handled by this policy. Choose a condition that you can control easily.
  4. In the Policy Conditions window, click Add. You see a list of attribute names and descriptions.

    This example uses Windows-Groups, because it matches all members of a group at once and does not restrict the connection request to a single device or device type.
  5. In the Select Attribute window, select Windows-Groups and click Add. You see the Groups window, where you choose which Windows groups this remote access policy handles.
  6. No groups are selected yet, so click Add. You see the Select Groups window, where you enter object names.
  7. Type Domain Users and click Check Names to verify the group. By default, every user in the domain is a member of Domain Users, so this condition matches every domain account; use a more specific group if only some users should be able to authenticate to the network.
  8. Click OK. You see the Groups window with the new group added.
  9. Click OK again. You return to the Policy Conditions window, which now lists the Windows-Groups condition.
  10. Since this is the only condition you will use, click Next. You see the Permissions window.

    This setting determines whether matching connection requests are granted or denied. If the domain functional level has been raised to Windows 2000 native or higher, user accounts default to Control access through Remote Access Policy, and this setting alone decides whether a user is authorized. At the lower (mixed) functional level, each user must additionally have Remote Access Permission set to Allow access on the Dial-in tab of the user's properties.

    The wizard defaults to Deny remote access permission. Choose Grant remote access permission instead, then click Next. You see the Profile window for this policy.
  11. Click Edit Profile to adjust the remote access profile to your needs. You see the Edit Profile window.
  12. On the Authentication tab, make sure at least Encrypted authentication (CHAP) is checked; Web authentication from the ProCurve switch uses CHAP. IAS can only validate a CHAP response if it has access to the user's password in reversible form, so the accounts (or a password policy applied to them) must have Store password using reversible encryption enabled, and users must set or reset their passwords after that setting is enabled. Leave Unencrypted authentication (PAP, SPAP) unchecked unless you need it.
  13. Click OK to return to the wizard.
  14. Click Finish. This completes the New Remote Access Policy Wizard and the policy part of the IAS configuration.


5.2 Configure IAS clients
You now need to configure the IAS server to accept requests from the switch, which means registering the HP ProCurve Switch 5400zl as a RADIUS client. In a Windows 2003 environment, you add the switch to the IAS client table as follows:
  1. On the IAS server, open the IAS management console: Start > Programs > Administrative Tools > Internet Authentication Service. You see the Welcome page.
  2. Right-click RADIUS Clients and select New Client. You see the Add Client window.
  3. In the Add Client window, enter a name for the HP ProCurve Switch 5400zl (for example, 5400Static) in the Friendly name text box and click Next. You see the Add RADIUS Client window.
  4. In the Add RADIUS Client window:
    • Enter the IP address or DNS name of the HP ProCurve Switch 5400zl (for example, 10.24.3.80). IAS accepts requests only from this address, so it must be the address the switch sources its RADIUS traffic from.
    • Select RADIUS Standard as the Client-Vendor.
    • Enter a shared secret (for example, hpsecret) in the Shared secret field. It must be the same string configured as the RADIUS key on the switch (section 4.2). The secret authenticates the switch to the server and protects the integrity of the exchange, so in production use a long random string rather than a dictionary word.
    • Make sure the check box Client must always send the signature attribute in the request is not selected. That option requires the Message-Authenticator attribute in every request, and requests from a switch that does not include it would be discarded.
  5. Click Finish to complete adding the RADIUS client.

6. Configuring users

When using Web authentication, no client-side configuration or supplicant software is required. If you followed the instructions in "5. Configuring the RADIUS server", the users and the remote access policy that authorizes them are already defined.

For the authorization step to work, the client's Web browser proxy setting must be off, so that the browser's first HTTP request is intercepted by the switch and redirected to its login page; a browser configured to use a proxy sends the request to the proxy instead and is not redirected. After the client has been authorized, the proxy setting can be restored to reach a firewall or proxy server.


7. Reference documents

This concludes the procedure for configuring Web authentication.

For further information about how to configure ProCurve switches to support security, please refer to the following links:
