Released At: 17-09-2025
H3C IMC EAD Security Check Configuration Examples
Document version: 5W103-20250915
Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring EAD to perform security check for access users
Configuration restrictions and guidelines
Configuring PC software control
Configuring an anti-virus software policy for Symantec
Associating the security policy with an access service
Assigning the access service to an access user
Adding the switch to UAM as an access device
Triggering 802.1X authentication
Verifying the URL control policy
Verifying PC software control groups
Verifying anti-virus software control
Introduction
This document provides examples for configuring EAD to work with UAM to perform security check for endpoint users.
The examples apply to scenarios that provide endpoint users with security policy services that are typically used on an enterprise network or campus network.
Prerequisites
Make sure the access device supports 802.1X.
Example: Configuring EAD to perform security check for access users
Network requirements
As shown in Figure 1, UAM and EAD components are deployed on the same server at 192.168.0.87. An endpoint user attempts to access the network by using an 802.1X connection in the iNode client on a Windows PC.
The switch manages the 802.1X user in an ISP domain named 391 and includes the domain name in the user names that are sent for authentication.
The user accesses the network by using an account named qwert001.
To enhance security, configure EAD to work with UAM to meet the following requirements:
· Prevent the endpoint user from accessing service-critical URLs that contain 192.168.0.156 or 192.168.0.157.
· Check whether AccChecker is running on the PC. If it is not running, EAD immediately restricts the user access to a quarantine area for remediation.
· Check whether XDict is running on the PC. If it is installed, EAD immediately logs off the endpoint user.
· Check whether Symantec is running and is using the correct anti-virus engine and virus definition versions. If it is not, the iNode client immediately restricts the user access to a quarantine area for remediation.
· Monitor the endpoint in real time. When a violation is detected, the endpoint user is allowed 10 minutes to fix the violation.
Configuration restrictions and guidelines
When you configure an access device or an access service in UAM, follow these restrictions and guidelines:
· Make sure the parameters you configure for the access device are the same as the CLI configuration on the switch. The parameters include the authentication and accounting ports and shared key.
· When the switch is selected from the resource pool, make sure it is already added to the IMC platform, either manually or through auto discovery.
· The service suffix configuration varies by the username, authentication domain, and RADIUS commands, as shown in Table 1.
Table 1 Service suffix configuration

| Username in iNode | Authentication domain on the switch | RADIUS commands configured on the switch | Service suffix in UAM |
|---|---|---|---|
| qwert001@391 | 391 | user-name-format with-domain | 391 |
| qwert001@391 | 391 | user-name-format without-domain | No suffix |
Configuring check items
A security policy includes one or more security check items. This example uses URL control, PC software control, and anti-virus software control check items.
Configuring URL control
Adding the forbidden URLs to a URL group
You can add IP URL groups, domain URL groups, or both. This example uses IP URL groups.
To add an IP URL group:
1. Click the User tab.
2. From the navigation tree, select User Security Policy > Endpoint Access Control > IP URL Group.
The IP URL group list displays all IP URL groups.
3. Click Add.
The Add IP URL Group page appears.
Figure 2 Adding an IP URL group
4. Configure basic information about the IP URL group:
a. In the IP URL Group Name field, enter test_01.
b. In the Basic Information area, use the default settings of other parameters.
5. Configure IP URL items:
a. In the IP URL Item List area, click Add.
The Add IP URL Item page appears.
b. Enter 192.168.0.156 in the Start IP field and 192.168.0.157 in the End IP field, and then click OK, as shown in Figure 3.
Figure 3 Adding an IP URL item
6. On the Add IP URL Group page, click OK.
Configuring a URL control policy
1. Click the User tab.
2. From the navigation tree, select User Security Policy > Endpoint Access Control > URL Control Policy.
The URL control policy list displays all URL control policies.
3. Click Add.
The Add URL Control Policy page appears.
4. Configure basic information about the URL control policy, as shown in Figure 4:
a. In the URL Control Policy Name field, enter test_URL.
b. In the Basic Information area, use the default settings of other parameters.
Figure 4 Adding a URL control policy
5. Configure IP URL check items:
a. In the IP URL check Item List area, click Add.
The Add IP URL Group page appears.
b. Select test_01 from the IP URL Group Name list and select Deny from the Action list, as shown in Figure 5.
Figure 5 Adding the IP URL group
6. Click OK.
7. On the Add URL Control Policy page, click OK.
Configuring PC software control
This example uses MD5 to check software processes.
Calculating MD5 digests for AccChecker and XDict
1. Click the User tab.
2. From the navigation tree, select User Security Policy > PC Software Control Group.
The PC Software Control Group page appears, as shown in Figure 6.
Figure 6 PC software control group management page
3. In the PC software control group list, click the MD5 Tool link to download and store the MD5 tool locally.
4. In the local path, double-click FileMD5Digest.exe to run the MD5 tool.
5. In the MD5 Digest Calculator page, calculate the MD5 digest for AccChecker, as shown in Figure 7.
a. Click Select Executable File and browse to the file AccChecker.exe.
b. Click Calculate MD5 Digest to calculate the MD5 digest for AccChecker.
c. Click Copy to copy the MD5 digest to the clipboard.
Figure 7 Calculating the MD5 digest for AccChecker
6. Click Close.
7. Calculate the MD5 digest for XDict in the same way you calculated the MD5 digest for AccChecker. (Details not shown.)
Configuring PC software control groups for AccChecker and XDict
1. Click the User tab.
2. From the navigation tree, select User Security Policy > PC Software Control Group.
The PC Software Control Group page appears.
3. Click Add.
The Add PC Software Control Group page appears.
4. Configure PC software control group parameters, as shown in Figure 8:
a. In the Group Name field, enter AccChecker.exe.
b. From the Type list, select Process.
c. In the Description field, enter AccChecker.
d. From the Default Action for Check Failure list, select Isolate.
e. Use the default settings of other parameters.
Figure 8 Adding a PC software control group
5. In the Process Information area, click Add.
The Add Process page appears.
6. Configure the following parameters, as shown in Figure 9:
a. In the Process Name field, enter AccChecker.exe.
b. From the Operating System list, select Windows.
c. From the Check Type list, select MD5.
d. In the MD5 Digest field, paste the MD5 digest that you calculated previously.
e. Use the default settings of other parameters.
7. Click OK.
8. On the Add PC Software Control Group page, click OK.
9. Add a PC software control group named XDict.exe for XDict in the same way you added the PC software control group for AccChecker. (Details not shown.)
Configuring an anti-virus software policy for Symantec
1. Click the User tab.
2. From the navigation tree, select User Security Policy > PC Security Software Policy > Anti-Virus Software Policy.
The anti-virus software policy list displays all anti-virus software policies.
3. Click Add.
The Add Anti-Virus Software Policy page appears.
4. Configure the basic information for the anti-virus software policy, as shown in Figure 10:
a. In the Policy Name field, enter test_Anti-Virus.
b. Use the default settings of other parameters.
Figure 10 Adding an anti-virus software policy
5. In the Windows area, select Check and click the Modify icon for Symantec, as shown in Figure 11.
The Anti-Virus Software Settings page appears.
Figure 11 Selecting anti-virus software
6. Configure anti-virus software parameters, as shown in Figure 12:
a. In the Anti-Virus Software field, enter Symantec.
b. Select Check anti-virus engine version and select an anti-virus engine version format. This example uses Date or dotted format. The date format setting takes precedence over the dotted format setting.
c. Select a version from the Version Check Mode list: Specified Version or Auto Adaptive.
- Specified Version—The version check is passed if the version is higher than the specified version. If not, the version check fails.
When the version check mode is Specified Version and the version format is Date format, either enter the date manually or click the Calendar icon next to the Lowest Version of Anti-Virus Engine field to select a date.
When the version check mode is Specified Version and the version format is Dotted format, enter the version in the Lowest Version of Anti-Virus Engine field.
- Auto Adaptive—The version check is passed if the version has been updated within the adaptation period. If not, the version check fails.
When the version check mode is Auto Adaptive and the version format is Date format, manually enter the adaptation period in the Adaptation Period (in days) field.
d. Select Check virus definition version and configure virus definition version parameters in the same way you configured anti-virus engine version parameters. (Details not shown.)
e. Click OK.
Figure 12 Configuring anti-virus software parameters
7. On the Add Anti-Virus Software Policy page, click OK.
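The two version check modes described above (Specified Version with Date or dotted format, and Auto Adaptive with an adaptation period) can be modelled in a few lines. This is an added example, not code from H3C or the iNode client; it assumes the client reports versions as ISO dates or dotted numbers and that the check date is supplied explicitly.

```python
from datetime import date, timedelta

# Constructed model of the two EAD version check modes described above
# (Specified Version and Auto Adaptive). Assumptions not taken from the page:
# the client reports versions as ISO dates ("2025-09-10") or dotted numbers
# ("14.3.558"), and the check date is passed in so results are deterministic.


def parse_version(text):
    """Return ("date", date) or ("dotted", tuple); date format takes precedence."""
    text = text.strip()
    try:
        return ("date", date.fromisoformat(text))
    except ValueError:
        pass
    parts = text.split(".")
    if parts and all(p.isdigit() for p in parts):
        return ("dotted", tuple(int(p) for p in parts))
    raise ValueError("unrecognised version string: %r" % text)


def check_specified_version(reported, lowest):
    """Specified Version mode: pass only if reported is higher than the lowest version."""
    kind_r, value_r = parse_version(reported)
    kind_l, value_l = parse_version(lowest)
    if kind_r != kind_l:
        return False  # a date and a dotted version cannot be compared: fail closed
    return value_r > value_l  # the page says "higher than", so an equal version fails


def check_auto_adaptive(reported, adaptation_days, today):
    """Auto Adaptive mode: pass if the version date falls within the adaptation period."""
    kind, value = parse_version(reported)
    if kind != "date":
        return False  # the page defines the adaptation period only for Date format
    age = today - value
    return timedelta(0) <= age <= timedelta(days=adaptation_days)


def evaluate_av_policy(status, policy, today):
    """Return the failed check items, named as on the Security Level page.

    status: constructed client report, e.g. {"installed": True, "running": True,
            "engine": "2025-08-15", "definitions": "2025-09-10"}
    policy: {"engine": ("specified", "2025-08-01"), "definitions": ("adaptive", 7)}
    """
    if not status.get("installed"):
        return ["Anti-Virus Software Not Installed"]
    if not status.get("running"):
        return ["Anti-Virus Client Runtime Error"]
    failures = []
    for item, label in (("engine", "Old Anti-Virus Software/Engine Version"),
                        ("definitions", "Old Virus Definition Version")):
        mode, arg = policy[item]
        if mode == "specified":
            ok = check_specified_version(status[item], arg)
        else:
            ok = check_auto_adaptive(status[item], arg, today)
        if not ok:
            failures.append(label)
    return failures
```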
Configuring a security level
1. Click the User tab.
2. From the navigation tree, select User Security Policy > Security Level.
The Security Level List displays all security levels.
3. Click Add.
The Add Security Level page appears.
4. In the Basic Information area, enter test_Level in the Security Level Name field and leave the Action After field empty, as shown in Figure 13.
The Action After field takes effect only for the Isolate and Kick Out actions that are configured for check items. When a violation is detected, the iNode client immediately isolates or logs off the endpoint user.
Figure 13 Configuring the basic information
5. In the Check Applications area, select Isolate for the software control group AccChecker.exe and select Kick Out for the software control group XDict.exe, as shown in Figure 14.
Figure 14 Configuring PC software control
6. In the Check Anti-Virus Software area, select Isolate from each of the following lists, as shown in Figure 15:
· Anti-Virus Software Not Installed
· Anti-Virus Client Runtime Error
· Old Anti-Virus Software/Engine Version
· Old Virus Definition Version
Figure 15 Configuring anti-virus software check
7. Use the default settings of other areas.
8. Click OK.
Configuring a security policy
1. Click the User tab.
2. From the navigation tree, select User Security Policy > Security Policy.
The security policy list displays all security policies.
3. Click Add.
The Add Security Policy page appears.
4. In the Basic Information area, configure basic information parameters, as shown in Figure 16:
a. In the Policy Name field, enter test_EAD.
b. Select test_Level from the Security Level list.
c. Select Monitor in Real Time and enter 10 in the Process After field.
d. Use the default settings of other parameters.
Figure 16 Configuring basic information
5. In the Isolation Mode area, configure isolation mode parameters, as shown in Figure 17:
a. Select Configure Isolate Mode.
b. Select Deploy ACLs to Access Device.
c. In the For Non-HP ProCurve area, enter 3021 in the Security ACL field and 3020 in the Isolation ACL field.
d. Use the default settings of other parameters.
Figure 17 Configuring the isolate mode
6. In the URL Control area, configure URL control parameters, as shown in Figure 18:
a. Select Enable URL Access Control.
b. Select test_URL from the URL Control Policy list.
c. Use the default settings of other parameters.
Figure 18 Configuring URL control
7. In the Application Control area, configure PC software control parameters, as shown in Figure 19:
a. Select Check Applications.
b. Click Per-Group Configuration.
c. Select AccChecker.exe and select Running Required from the Check Type list.
d. Select XDict.exe and select Running Forbidden from the Check Type list.
e. In the Server Address field, enter 192.168.0.87.
f. In the Failure Notification field, enter the notification message to be displayed on the user endpoint when PC applications do not meet the requirements.
Figure 19 Configuring application control
8. In the Anti-Virus Software Control area, configure anti-virus software control parameters, as shown in Figure 20:
a. Select Check Anti-Virus Software.
b. Select test_Anti-Virus from the Anti-Virus Software Policy list.
c. In the Server Address field, enter 192.168.0.87.
d. In the Failure Notification field, enter the notification message to be displayed on the user endpoint when the anti-virus software does not meet the requirements.
e. Use the default settings of other areas.
Figure 20 Configuring anti-virus software control
9. Click OK.
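The Application Control settings above (Running Required for AccChecker.exe, Running Forbidden for XDict.exe, checked by MD5) and the Isolate / Kick Out actions from the security level can be modelled together. This is an added example, not H3C or iNode code; the process list, the file bytes behind the digests, and the rule that Kick Out outranks Isolate are assumptions for the example.

```python
import hashlib

# Constructed model of the PC software control check configured in the
# Application Control area above, combined with the Isolate / Kick Out actions
# from the security level. The process list, file bytes and the rule that
# Kick Out outranks Isolate are assumptions for this example, not from the page.

CONTROL_GROUPS = [
    {"process": "AccChecker.exe", "check": "Running Required", "action": "Isolate"},
    {"process": "XDict.exe", "check": "Running Forbidden", "action": "Kick Out"},
]

# Constructed stand-ins for the executables; the digests play the role of the
# values pasted into the MD5 Digest field after running FileMD5Digest.exe.
EXPECTED_MD5 = {
    "AccChecker.exe": hashlib.md5(b"constructed AccChecker image").hexdigest(),
    "XDict.exe": hashlib.md5(b"constructed XDict image").hexdigest(),
}


def process_seen(group, running):
    """A process counts only if its name and the MD5 of its image both match the group.

    Because the check is keyed on the MD5, a modified XDict image is not recognised
    as XDict in this model: Running Forbidden catches only the exact image enrolled.
    """
    name = group["process"].lower()
    expected = EXPECTED_MD5[group["process"]].lower()
    return any(p["name"].lower() == name and p["md5"].lower() == expected for p in running)


def evaluate_groups(running):
    """Return (process, action) for each control group whose check fails."""
    failures = []
    for group in CONTROL_GROUPS:
        must_run = group["check"] == "Running Required"
        if process_seen(group, running) != must_run:
            failures.append((group["process"], group["action"]))
    return failures


def resulting_action(running):
    """Combine the failures into the action the iNode client would apply."""
    actions = {action for _, action in evaluate_groups(running)}
    if "Kick Out" in actions:
        return "Kick Out"
    if "Isolate" in actions:
        return "Isolate"
    return "Secure"
```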
Configuring an access policy
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Policy.
The Access Policy configuration page appears.
3. In the access policy list, click Add.
The Add Access Policy page appears.
4. Configure access policy parameters, as shown in Figure 21:
a. In the Access Policy Name field, enter test_access-policy.
b. Use the default settings of other parameters.
Figure 21 Adding an access policy
5. Click OK.
Associating the security policy with an access service
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Service.
The Access Service configuration page appears.
3. In the access service list, click Add.
The Add Access Service page appears.
4. Configure access service parameters, as shown in Figure 22:
a. In the Service Name field, enter test_service.
b. In the Service Suffix field, enter 391.
c. From the Default Security Policy list, select test_EAD.
d. Select test_access-policy from the Default Access Policy list.
e. Use the default settings of other parameters.
Figure 22 Adding an access service
Assigning the access service to an access user
1. Click the User tab.
2. From the navigation tree, select Access User > All Access User.
The access user management page appears.
3. Click Add.
The Add Access User page appears.
4. Configure access user parameters, as shown in Figure 23:
a. In the User Name field, click Select to select an existing user account from the IMC platform, or click Add User to add a new IMC platform user. (Details not shown.)
This example uses a user named test.
b. In the Account Name field, enter qwert001.
c. Enter the same password in Password and Confirm Password fields. This example uses 234.
d. In the Access Service area, select the service named test_service.
e. Use the default settings of other parameters.
Figure 23 Adding an access user
5. Click OK.
Adding the switch to UAM as an access device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
The Access Device configuration page appears.
3. In the access device list, click Add.
The Add Access Device page appears.
4. Configure access device parameters, as shown in Figure 24:
a. In the Authentication Port field, enter 1812.
b. In the Accounting Port field, enter 1813.
c. In the Shared Key field, enter 123 as the shared key used by the access device and UAM to authenticate each other.
d. Use the default settings of other parameters in the Access Configuration area.
Figure 24 Adding an access device
5. Manually add the switch to UAM:
a. In the Device List area, click Add Manually.
b. On the Add Access Device Manually page that appears, enter 192.168.30.50 in the Start IP field, and then click OK, as shown in Figure 25.
Figure 25 Adding an access device manually
Or you can click Select and select the switch from the resource pool. (Details not shown.)
6. On the Add Access Device page, click OK.
Configuring the switch
1. Log in to the switch through Telnet and enter system view.
2. Configure a RADIUS scheme.
# Create RADIUS scheme named 390.
<Device> system-view
[Device] radius scheme 390
# Specify the IP address of the UAM server as the primary authentication server and the primary accounting server. Set the ports for authentication and accounting to 1812 and 1813, respectively.
[Device-radius-390] primary authentication 192.168.0.87 1812
[Device-radius-390] primary accounting 192.168.0.87 1813
# Set the shared key for secure communication with the server to 123 in plain text.
[Device-radius-390] key authentication 123
[Device-radius-390] key accounting 123
# Specify the source IP address for outgoing RADIUS packets.
[Device-radius-390] nas-ip 192.168.30.50
# Specify the RADIUS server type as extended to support UAM.
[Device-radius-390] server-type extended
# Include domain names in the usernames to be sent to the RADIUS servers.
[Device-radius-390] user-name-format with-domain
[Device-radius-390] quit
3. Configure an ISP domain.
# Create an ISP domain named 391.
[Device] domain 391
# Configure the switch to use the authentication, authorization, and accounting methods in RADIUS scheme 390 for LAN access users in the domain.
[Device-isp-391] authentication lan-access radius-scheme 390
[Device-isp-391] authorization lan-access radius-scheme 390
[Device-isp-391] accounting lan-access radius-scheme 390
[Device-isp-391] quit
4. Configure 802.1X authentication.
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X on port Ethernet 1/0/3.
[Device] dot1x interface Ethernet 1/0/3
5. Configure ACLs.
# Create ACL 3020 to permit only packets destined for 192.168.0.87.
[Device] acl number 3020
[Device-acl-adv-3020] rule 1 permit ip destination 192.168.0.87 0
[Device-acl-adv-3020] rule 2 deny ip
[Device-acl-adv-3020] quit
# Create ACL 3021 to permit all packets.
[Device] acl number 3021
[Device-acl-adv-3021] rule 1 permit ip
[Device-acl-adv-3021] quit
Verifying the configuration
Triggering 802.1X authentication
1. In the iNode client of the PC, create an 802.1X connection named 802.1X Connection and configure account parameters based on information listed in Table 1:
a. In the Username field, enter qwert001@391.
b. In the Password field, enter the password that you specified when you added the access user (234 in this example).
c. Use the default settings of other parameters.
For more information about creating 802.1X connections, see iNode Client Online Help.
2. Trigger 802.1X authentication:
a. In the iNode client, double-click 802.1X Connection.
The 802.1X authentication connection page appears.
b. Click Connect.
The iNode client begins to authenticate the identity of the endpoint user. When the identity authentication is complete, the iNode client begins to perform security check for the endpoint user. After the security check is complete, the iNode client displays the secure connection state and a security check passed message, as shown in Figure 26 and Figure 27.
Figure 26 802.1X authentication connection
Figure 27 Security check result message
Verifying the URL control policy
1. In the address bar of a browser on the PC, enter http://192.168.0.156:8080/imc.
2. Read the message given by the iNode client.
The message shows that the access to 192.168.0.156 is prohibited, as shown in Figure 28.
Figure 28 Access prohibited message
Verifying PC software control groups
1. Trigger 802.1X authentication without running AccChecker. The following events occur:
· The iNode client displays the security status as Insecure, as shown in Figure 29.
· The endpoint user is restricted to a quarantine area and a safety risk message appears, as shown in Figure 30.
Figure 29 PC software control group check failed
Figure 30 Security check result message
2. Disconnect the 802.1X connection. Run XDict and trigger 802.1X authentication. The following events occur:
· The iNode client displays the security status as Insecure, as shown in Figure 31.
· The endpoint user is logged out, and a safety risk message appears, as shown in Figure 32.
Figure 31 PC software control group check failed
Figure 32 Security check result message
Verifying anti-virus software control
1. Run Symantec without updating the anti-virus engine. Make sure the version of the anti-virus engine is lower than the lowest version required by EAD.
For more information about configuring the lowest version of anti-virus engine, see "Configuring an anti-virus software policy for Symantec."
2. Trigger 802.1X authentication. The following events occur:
· The iNode client displays the security status as Insecure, as shown in Figure 33.
· The endpoint user is restricted to a quarantine area, and a safety risk message appears, as shown in Figure 34.
Figure 33 Anti-virus software check failed
Figure 34 Security check result message