HP Advanced Services zl Module with Microsoft® Windows Server® 2008 R2 Planning and Design Guide
Solution 4: Survivable Authentication and Authorization
Solution Implementation
The branch LAN itself consists of a single VLAN, VLAN 90. You must specify
the module’s internal interface 2 as an untagged member of this VLAN. The
module’s IP address will be 172.16.90.30/24 and its default gateway,
172.16.90.1/24.
Note: Before this solution was implemented, the WAN router forwarded VLAN 90
DHCP requests to the DHCP router in the data center (172.16.25.30). Now the
DHCP server on the module can respond to the DHCP requests on VLAN 90.
Port Authentication
In this example, the HP zl switch at the branch enforces 802.1X authentication
on edge ports. To ensure that users can authenticate during WAN failures, add
the IP address of the server that runs on the Advanced Services zl Module as
a secondary RADIUS server.
Switch Clock
The switch clock must be set to the correct time because the switch's modules
take their time from it. If that clock is not accurate, services might fail;
for example, the server might be unable to join the domain. Therefore, it is
recommended that the HP zl switch use SNTP to synchronize its clock to the
same server used by the domain controller.
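The three prerequisites described above (module port untagged in VLAN 90, module server listed as the secondary RADIUS server, SNTP time synchronization) can be checked against a saved switch configuration. The script below is an added example, not part of the HP guide. The sample configuration is constructed, the 192.0.2.x addresses are placeholders for the data center RADIUS and SNTP servers, and C2 is an assumed name for the module's internal interface 2 in slot C.

```python
import re

# Constructed ProCurve-style sample, not the guide's configuration. 192.0.2.x are
# placeholder RADIUS/SNTP servers; C2 is an assumed name for internal port 2.
SAMPLE_CONFIG = """\
timesync sntp
sntp server priority 1 192.0.2.20
radius-server host 192.0.2.10 key EXAMPLE
radius-server host 172.16.90.30 key EXAMPLE
vlan 90
   untagged A1-A24,B1-B24,C2
   exit
aaa port-access authenticator A2-A24,B1-B24
aaa port-access authenticator active
"""

def expand_ports(spec):
    """Expand a port list such as 'A1-A3,C2' into a set of port names."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"([A-Z])(\d+)(?:-\1(\d+))?", part.strip())
        if m:
            last = int(m.group(3) or m.group(2))
            ports |= {f"{m.group(1)}{n}" for n in range(int(m.group(2)), last + 1)}
    return ports

def audit(config, module_ip="172.16.90.30", module_port="C2", vlan="90"):
    """Return findings; an empty list means every prerequisite is present."""
    findings, radius, untagged, current_vlan = [], [], set(), None
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    for line in lines:
        words = line.split()
        if words[:2] == ["radius-server", "host"] and len(words) > 2:
            radius.append(words[2])  # servers are tried in configured order
        elif words[0] == "vlan" and len(words) == 2:
            current_vlan = words[1]
        elif words[0] == "untagged" and current_vlan == vlan and len(words) > 1:
            untagged |= expand_ports(words[1])
    if module_ip not in radius:
        findings.append("module RADIUS server not configured")
    elif radius.index(module_ip) == 0:
        findings.append("module RADIUS server is not secondary")
    if "timesync sntp" not in lines or not any(l.startswith("sntp server ") for l in lines):
        findings.append("SNTP time synchronization not configured")
    if module_port not in untagged:
        findings.append(f"{module_port} is not an untagged member of VLAN {vlan}")
    if "aaa port-access authenticator active" not in lines:
        findings.append("802.1X authenticator not active")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns an empty list; removing the second radius-server line or the C2 membership produces the corresponding finding.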
Example Configuration
The configuration below indicates the time, VLAN, IP, and 802.1X configuration
on the HP zl switch in this example solution. Your switch might be
configured with other features as well. In this example:
■ The switch connects to the WAN router on port A1.
■ The switch connects to endpoints A2-A24 and B1-B24.
■ The Advanced Services zl Module with Microsoft Windows Server 2008
R2 is installed in slot C.
Note: The configuration includes the VLAN assignment for the module’s internal
ports. However, you will not be able to configure these assignments until you
install the module.
Also note that in a real-world environment, the branch office would include
other switches with similar settings for 802.1X.