H3C S5100[S3100] Series Ethernet Switches HSNS Feature Manual(For Soliton)(V1.01)



Chapter 1  HSNS Configuration

When configuring HSNS, go to these sections for information you are interested in:

•  HSNS Overview

•  HSNS Configuration

•  Displaying and Maintaining

•  HSNS Configuration Example

1.1  HSNS Overview

H3C-Soliton Network Security (HSNS) is an extension solution co-developed by H3C and Soliton on the basis of Microsoft Network Access Protection (NAP). HSNS is mainly used together with NAP authentication to perform enhanced authorization, that is, to apply ACLs to the port connected to the access user based on the NAP authentication result.

 

Note:

Deployed on Windows Vista/Server 2008 systems, NAP is mainly used to authenticate, authorize and quarantine access users (for example, by verifying that firewall or antivirus software is enabled) when a client requests access to a network controlled by the NAP server, and to assign the client the network segment it may access based on the quarantine result.

 

At present, you can use HSNS together with DHCP snooping, 802.1x and MAC authentication to control user access privileges.

1.1.1  How HSNS Works

HSNS is implemented jointly by an ACL server and the switch. The local network administrator configures the ACLs that control user access (refer to Obtaining an ACL) on the ACL server and configures HSNS on the switch. The switch interacts with the ACL server through Soliton's proprietary protocol, the Soliton ACL Distribution Protocol (SADP), to perform HSNS authorization for the access client: it obtains the ACLs corresponding to the authenticated client and applies them to the port connected to the client, thereby achieving enhanced authorization for the access user.

To perform HSNS authorization, the switch sends the client's attributes (MAC address, IP address, connected switch port, and so on) to the ACL server. Upon receiving this information, the ACL server looks up the client's authentication status on the NAP server and finds the ACLs configured for the authenticated user. If such ACLs are found, they are passed to the switch to perform enhanced authorization; otherwise, the client remains unauthorized and is subject to the default ACLs (refer to hsns default-user-acl).

HSNS works in the following three modes:

•  DHCP snooping

•  802.1x

•  MAC authentication

In each mode, HSNS works with DHCP snooping, 802.1x, or MAC authentication respectively to handle the access of legal and restricted users differently.

I. HSNS in the DHCP snooping mode

With DHCP snooping enabled, the switch analyzes the received DHCP packets and records the IP addresses that the DHCP server assigns to the clients, the ports used to connect to the clients, and other information.

Microsoft NAP authenticates the client that is requesting an IP address. If the client fails the authentication, the DHCP server assigns the client an IP address in a restricted network segment and sends back a DHCPACK packet carrying static routes to the restricted network.

When HSNS works in the DHCP snooping mode, the switch determines whether a client has passed NAP authentication based on whether the DHCPACK packet carries a restricted subnet mask option:

•  The client passes NAP authentication if the DHCPACK packet carries a restricted subnet mask option.

•  The client fails NAP authentication if the DHCPACK packet carries an unrestricted subnet mask option.

As shown in Figure 1-1, the switch works with the ACL server to obtain the configured ACLs and applies them to the port connected to the client, thereby enhancing user authorization.

Figure 1-1 HSNS working flow on the switch

After analyzing the DHCPACK packet and updating the authentication information, the switch forwards the DHCPACK to the client so that the client can obtain the requested IP address normally. When the DHCPACK shows that the user may enter an unrestricted network, the switch performs HSNS enhanced authorization to request the user's ACLs.
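The decision path of the DHCP snooping mode described above, as an added example (not code from the manual or from H3C/Soliton): snoop a DHCPACK, record the client MAC, assigned IP and port as DHCP snooping does, classify the ACK as restricted or unrestricted, and only in the unrestricted case look up the client's ACL, falling back to the default user ACL when the ACL server has none. The classification rule is an assumption about the NAP DHCP server (a non-compliant client is given a host-only 255.255.255.255 mask and classless static routes to the restricted segment); the ACL table, the default ACL value, the ACL number 3001, the port name and the sample packets are all constructed, and the SADP exchange with the ACL server is replaced by a local dictionary lookup.

```python
import ipaddress
import struct

# Standard DHCP option codes (RFC 2132, RFC 3442) and Microsoft's classless
# static route option 249, which NAP DHCP enforcement uses for restricted clients.
OPT_SUBNET_MASK = 1
OPT_MSG_TYPE = 53
OPT_CLASSLESS_ROUTE = 121
OPT_MS_CLASSLESS_ROUTE = 249
OPT_END = 255
DHCPACK = 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed stand-in for the ACL server: (client MAC, client IP) -> ACL number.
ACL_SERVER_TABLE = {("00:11:22:33:44:55", "10.1.1.20"): "3001"}
# Constructed stand-in for the value configured with hsns default-user-acl.
DEFAULT_USER_ACL = "default-user-acl"


def parse_options(payload: bytes) -> dict:
    """Parse the DHCP options field (bytes after the magic cookie) into {code: value}."""
    opts = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:          # pad option: one byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> dict:
    """Extract what DHCP snooping records: assigned IP (yiaddr), client MAC (chaddr), options."""
    hlen = packet[2]
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    return {
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
        "mac": packet[28:28 + hlen].hex(":"),
        "options": parse_options(packet[240:]),
    }


def nap_result_from_ack(info: dict) -> str:
    """Return 'restricted' or 'unrestricted' for a parsed DHCPACK.
    Assumption (not from the manual): a client that failed NAP is signalled by a
    host-only mask 255.255.255.255 and/or classless static routes to the restricted net."""
    opts = info["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        raise ValueError("not a DHCPACK")
    host_only_mask = opts.get(OPT_SUBNET_MASK) == b"\xff\xff\xff\xff"
    has_static_routes = OPT_CLASSLESS_ROUTE in opts or OPT_MS_CLASSLESS_ROUTE in opts
    return "restricted" if (host_only_mask or has_static_routes) else "unrestricted"


def hsns_process_ack(packet: bytes, port: str, acl_table: dict, default_acl: str) -> dict:
    """Decide what the switch applies on `port` after snooping a DHCPACK."""
    info = parse_dhcp(packet)
    result = {"mac": info["mac"], "ip": info["yiaddr"], "port": port,
              "nap": nap_result_from_ack(info)}
    acl = acl_table.get((info["mac"], info["yiaddr"]))
    if result["nap"] == "restricted":
        # Client stays in the restricted segment; no HSNS authorization is requested.
        result.update(hsns="not-requested", acl=None)
    elif acl is None:
        # ACL server has nothing for this client: stay unauthorized under the default user ACL.
        result.update(hsns="unauthorized", acl=default_acl)
    else:
        result.update(hsns="authorized", acl=acl)
    return result


def build_dhcpack(mac: str, yiaddr: str, options: list) -> bytes:
    """Build a minimal DHCPACK (236-byte BOOTP header + cookie + options) for the samples."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6            # BOOTREPLY, Ethernet, 6-byte hardware address
    struct.pack_into("!I", hdr, 4, 0x3903F326)  # transaction id (arbitrary)
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    hdr[28:34] = bytes.fromhex(mac.replace(":", ""))
    body = bytearray([OPT_MSG_TYPE, 1, DHCPACK])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body.append(OPT_END)
    return bytes(hdr) + MAGIC_COOKIE + bytes(body)


# Constructed samples: a compliant client on 10.1.1.0/24, and a non-compliant client
# given a host-only mask plus a Microsoft classless route 10.9.0.0/16 via 10.1.1.1.
ACK_COMPLIANT = build_dhcpack("00:11:22:33:44:55", "10.1.1.20",
                              [(OPT_SUBNET_MASK, b"\xff\xff\xff\x00")])
ACK_RESTRICTED = build_dhcpack("00:11:22:33:44:77", "10.1.1.22",
                               [(OPT_SUBNET_MASK, b"\xff\xff\xff\xff"),
                                (OPT_MS_CLASSLESS_ROUTE, b"\x10\x0a\x09\x0a\x01\x01\x01")])
```

Running hsns_process_ack on the three cases (known compliant client, compliant client unknown to the ACL server, restricted client) shows the three outcomes the text distinguishes: ACL 3001 applied, default user ACL applied with the client left unauthorized, and no HSNS request at all for a client parked in the restricted segment.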

II. HSNS in the 802.1x mode

HSNS can perform HSNS authorization on an 802.1x-authenticated user through the ACL server: 

•  For an HSNS-authorized user, the ACL server sends the configured ACLs back to the switch, and the switch applies them to the port connected to the user.

•  For a user who has not passed HSNS authorization, the switch automatically creates an ACL based on the default user ACL setting; the user remains 802.1x-authenticated.

 

Note:

A user who is 802.1x-authenticated but not HSNS-authorized may be unable to access the network even though the 802.1x client software shows the user as authorized. In this case, use the display hsns client command to check whether the user has passed HSNS authentication.

 

III. HSNS in the MAC authentication mode

HSNS can perform HSNS authorization on a MAC-authenticated user through the ACL server:

•  For an HSNS-authorized user, the ACL server sends the specified ACL back to the switch, and the switch applies it to the port connected to the user.

•  For a user who has not passed HSNS authorization, the switch automatically creates an ACL based on the default user ACL setting; the user remains MAC-authenticated.

1.1.2  Typical Networking of HSNS Application

I. HSNS networking modes

There are two HSNS networking modes: