H3C iMC EIA
As a secure access management solution, H3C IMC End-user Intelligent Access (EIA) manages network access of endpoints in enterprise networks that are built with wired, wireless, and VPN network infrastructures. EIA supports defining access scenarios based on the user role, device type, access time, access location, and other criteria and performs strict network access control. It meets the unified operation and maintenance requirements of enterprise networks to manage various access methods, abundant endpoint types, and different user roles and ensures execution of security policies.
Centralized device management and user resource management
In addition to the centralized management of network devices, EIA maintains basic user information (including username, identification ID, contact address, telephone number, email address, and user group) and additional user information in a centralized way. The administrator can customize user information according to the network operation needs. For example, the administrator can customize student IDs and grades for a university network, and departments and positions for an enterprise network.
Group management of devices and users
EIA supports grouping devices and users. The administrator assigns users with the same attribute to a group and allocates group management privileges to operators. In addition, the administrator manages the network access of users in user groups by assigning access services to user groups.
Integration of user management and network device management
The integration of device management and user management enables the administrator to perform operations more efficiently. The online user list provides an interface for viewing information about access devices of online users, such as basic device information, alarms, and performance status. The administrator can take actions on users by selecting their access devices. For example, the administrator can select an access device and force all access users on the device to go offline.
Multiple access and authentication methods for different application scenarios
Various access methods (such as 802.1X and VPN access) are available for users to access the network.
Authentication methods (for example, PAP, CHAP, EAP-MD5, EAP-TLS, and PEAP) meet the security requirements in different application scenarios.
Bindings between users and device IP addresses, access ports, VLANs, user IP addresses, and hardware information (for example, MAC addresses) enhance authentication security and prevent account loss and invalid access.
Unified authentication with the Windows domain controller and LDAP-capable third-party email systems saves users from authenticating more than once.
Cooperation with the Endpoint Admission Defense (EAD) solution ensures that only user endpoints compliant with security policies can access the network.
Portal authentication supports H3C iNode DC and PC clients. You can customize the portal authentication page and embed it in the home page of a third-party system. Authentication pages can be pushed based on port groups, SSIDs, and endpoint operating systems.
Strict privilege control and enhanced user access management
User-based privilege control policies define network access privileges for different users.
The settings of concurrent online users and proxy service prohibition effectively avoid excessive network resource use by specific users.
EIA supports setting a maximum idle time.
The user ACL-based and VLAN-based control prevents users from accessing external illegal websites and internal servers with sensitive data.
User IP address allocation policies ensure IP address security and uniqueness.
After the administrator configures the network access time range and location, users can only access the network as configured.
EIA limits the use of multiple NICs and the dial-in access method to prevent internal information leakage.
EIA requires users to use dedicated clients and forces automatic client upgrade, which ensures the security of clients.
Powerful endpoint user monitoring and management
EIA supports querying online users in real time and allows the administrator to force illegal users to go offline.
The blacklist feature adds users who maliciously guess passwords to the blacklist and traces origins of illegal behaviors by MAC address or IP address.
EIA allows the administrator to send notifications to access users upon important events, for example, a network disconnection notification before a system upgrade and a password protection notification when a malicious password attack is detected.
Authentication failure logs help the administrator locate authentication failure reasons.
Simplified maintenance operations
Service-based user classification management and integration of authentication binding policies, security policies, and access privileges into services simplify the maintenance operations and ensure unified network management.
EIA provides a user-friendly Web interface for operators to perform centralized management operations on access users.
Access users can apply for accounts, and query and modify user information in the self-service center, which improves the access efficiency and reduces the workload of the administrator.
Various guest account creation methods
Based on application scenarios, EIA guest management provides the following guest creation methods:
SMS authentication method in public places
In public places, guests can use telephone numbers to register accounts and obtain passwords through SMS messages for quick network access. The workflow is as follows:
1) The guest manager configures a guest access policy and account parameters (including the validity period) on the EIA server.
2) A guest attempts to connect to the Guest SSID.
3) The guest enters a telephone number on the pushed Web authentication page and clicks Get Password.
4) The EIA server automatically creates a guest account for this telephone number and assigns the guest access policy and the account validity period to the account.
5) The EIA server sends the account and password to the guest in an SMS message through the SMS message gateway.
6) The guest enters the password on the Web authentication page after receiving the SMS message.
7) After passing the authentication, the guest can access network resources defined by the access policy.
8) The EIA server periodically deletes expired guest accounts.
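The eight steps above describe a temporary-credential lifecycle: an account is created on demand for a telephone number, its password leaves the server only inside the SMS message, it carries a validity period, and it is eventually deleted. The following Python model replays that lifecycle end to end. It is an added illustration, not H3C code; the validity period, the password alphabet and length, the lockout threshold after repeated wrong passwords, PBKDF2 as the stored password hash, and the in-memory list standing in for the SMS message gateway are all assumptions, since the datasheet does not specify them. Times are plain epoch seconds so the sequence can be replayed deterministically.

```python
"""Model of the SMS guest-account lifecycle (added example, not H3C code).

Assumptions not taken from the datasheet: validity period, password alphabet
and length, lockout threshold, PBKDF2 as the password hash, and an in-memory
outbox standing in for the SMS message gateway.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PASSWORD_ALPHABET = string.ascii_uppercase + string.digits  # assumed
PASSWORD_LENGTH = 8                                          # assumed: short enough to type from an SMS
MAX_FAILURES = 5                                             # assumed lockout threshold
PBKDF2_ROUNDS = 100_000


@dataclass
class GuestAccount:
    phone: str
    salt: bytes
    password_hash: bytes
    expires_at: int          # epoch seconds
    access_policy: str
    failures: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # Only a salted slow hash is stored; the clear-text password exists only in the SMS.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class GuestDirectory:
    """Stands in for the guest-account store on the EIA server."""

    def __init__(self, validity_seconds: int, access_policy: str) -> None:
        # Step 1: the guest manager fixes the access policy and validity period.
        self.validity_seconds = validity_seconds
        self.access_policy = access_policy
        self.accounts: Dict[str, GuestAccount] = {}
        self.sms_outbox: List[Tuple[str, str]] = []   # constructed stand-in for the SMS gateway

    def request_password(self, phone: str, now: int) -> None:
        """Steps 3-5: create (or replace) the account for this number and send the password by SMS."""
        password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LENGTH))
        salt = secrets.token_bytes(16)
        self.accounts[phone] = GuestAccount(
            phone, salt, _hash_password(password, salt),
            now + self.validity_seconds, self.access_policy,
        )
        self.sms_outbox.append((phone, f"Guest password: {password}"))

    def authenticate(self, phone: str, password: str, now: int) -> Optional[str]:
        """Steps 6-7: return the access policy on success, None on any failure."""
        acct = self.accounts.get(phone)
        if acct is None or acct.locked or now >= acct.expires_at:
            return None
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            acct.failures = 0
            return acct.access_policy
        # Repeated wrong passwords lock the account, mirroring the blacklist feature.
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return None

    def purge_expired(self, now: int) -> int:
        """Step 8: periodic deletion of expired accounts; returns how many were removed."""
        expired = [p for p, a in self.accounts.items() if now >= a.expires_at]
        for p in expired:
            del self.accounts[p]
        return len(expired)


def last_sms_password(directory: GuestDirectory, phone: str) -> str:
    """Read the password back out of the most recent SMS to this number (demo helper)."""
    for to, text in reversed(directory.sms_outbox):
        if to == phone:
            return text.split()[-1]
    raise KeyError(phone)


if __name__ == "__main__":
    # "+15550100" is a constructed, non-routable sample number.
    d = GuestDirectory(validity_seconds=3600, access_policy="guest-internet-only")
    d.request_password("+15550100", now=0)
    pw = last_sms_password(d, "+15550100")
    print(d.authenticate("+15550100", pw, now=60))      # guest-internet-only
    print(d.authenticate("+15550100", pw, now=3600))    # None: expired
    print(d.purge_expired(now=3600))                    # 1
```

The model makes two properties of the workflow explicit: an expired account is refused at authentication time even before the periodic purge runs, and a locked account stays unusable until a fresh request replaces it with a new password.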
Account creation by receptionists
This method applies when guest accounts are managed by a specific receptionist, such as a security guard, front desk receptionist, or employee. The workflow is as follows:
1) The guest receptionist logs in to the self-service center, creates a guest account, and assigns an access policy and validity period to the account.
2) The EIA server sends the account and password to the guest by email or SMS message.
3) The guest attempts to connect to the Guest SSID.
4) The guest enters the account and password on the pushed Web authentication page.
5) After passing the authentication, the guest can access network resources defined by the access policy.
6) The EIA server periodically deletes expired guest accounts.
Self-service account creation by guests
Guests use this method to apply for accounts and the guest receptionist approves the application. The workflow is as follows:
1) A guest attempts to connect to the Guest SSID.
2) The guest clicks Preregister Guest on the pushed Web authentication page, and enters the account information and selects a guest receptionist on the preregistration page.
3) The guest receptionist logs in to the self-service center, and assigns an access policy and validity period to the guest.
4) After the account takes effect, EIA sends the account to the guest by email or SMS message.
5) The guest attempts to connect to the Guest SSID again and enters the account and password on the pushed Web authentication page.
6) After passing the authentication, the guest can access network resources defined by the access policy.
7) The EIA server periodically deletes expired guest accounts.
Account creation by guests
QR code authentication method
A guest can use an intelligent endpoint to scan a specific QR code for fast account creation and network access. The following types of QR codes are available for guest authentication:
Authentication QR code
1) The guest manager creates a guest account in the self-service center and generates a QR code.
2) The guest scans the QR code for authentication.
Approval QR code
1) When the guest accesses a website, the guest is directed to the page for automatic preregistration. A QR code is also automatically generated on the page.
2) The guest manager scans the QR code to enter the approval page and approves the guest account.
3) The guest can access the network after the account is approved.
EIA provides SDK interfaces for communicating with the WeChat official platforms of enterprises. A guest can access the wireless network of an enterprise by following the WeChat official account of the enterprise.
Multiple SMS message notification methods
The following methods are available for sending SMS messages:
SMS message gateway.
Third-party SMS message gateways with which EIA communicates through the Web interface.
Customer SMS message platforms with which EIA communicates through customized interfaces.
Integrated access device management with simplified operations and maintenance
EIA works with the IMC ACL manager solution for ACL configuration on access devices. The administrator can select an access device and configure an ACL for the device. The ACL deployment information of access devices is displayed on the access device list.
EIA provides links for querying access device details, including basic device information, alarms, and performance status.
The administrator can manage access devices by using the topology management feature. The topology displays access devices and allows the administrator to view information about these devices. The administrator can also set access devices to non-access devices on the topology.
Scenario-based authorization policy management for device users
EIA assigns authorization policies based on scenarios. A scenario is a combination of the device location, device type, and access time range. The administrator can define shell profiles and command sets for device users in different scenarios.
EIA supports setting fixed or flexible access time ranges to control network access time ranges of device users.
Shell profile configuration defines the global attributes for device users, for example, privilege levels, access ACLs, and access duration.
Command set configuration defines commands available for device users.
Detailed logging and auditing for device management behaviors
Authentication logs record the device login information of device users, including login name, login result, failure reason, authenticating time, IP address of the login device, user IP address, privilege level, login action, authentication type, and service type.
Authorization logs monitor login authorization and command authorization events. If login authorization is enabled, the TACACS+ Authentication Manager (TAM) server authorizes a login level to a successful login user and records the event in the authorization log. If command authorization is enabled, the TAM server determines whether the device user has the execution right of a command when this command is executed and maintains command authorization logs.
The TAM server records the device user logins, login devices, and behaviors of device users. The audit logs record the following information: login name, audit type, audit time, device IP, endpoint user IP, and commands.
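The authentication-log fields listed above (login name, login result, failure reason, authenticating time, login device IP, user IP, and so on) are enough to spot the two patterns an administrator most wants to catch in device-login records: a burst of failures against one login name from one user IP, and a success that directly follows such a burst. The following Python code, an added example rather than part of the H3C product, parses constructed records laid out as CSV with those field names and runs both checks. The CSV layout is an assumption; the page does not describe the TAM server's export format. The sample records, IP addresses and thresholds are constructed.

```python
"""Password-guessing checks over TAM-style authentication logs (added example, not H3C code).

The CSV layout is an assumption: its columns follow the authentication-log
field list in the text, not a documented export format. All records are constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime, timezone
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample: six failures for "admin" from one user IP, then a success.
SAMPLE_AUTH_LOG = """\
login_name,login_result,failure_reason,auth_time,device_ip,user_ip,privilege_level,login_action,auth_type,service_type
admin,failure,Wrong password,2024-05-01T08:00:01,10.0.0.1,192.0.2.10,,login,TACACS+,shell
admin,failure,Wrong password,2024-05-01T08:00:09,10.0.0.1,192.0.2.10,,login,TACACS+,shell
admin,failure,Wrong password,2024-05-01T08:00:17,10.0.0.1,192.0.2.10,,login,TACACS+,shell
admin,failure,Wrong password,2024-05-01T08:00:25,10.0.0.1,192.0.2.10,,login,TACACS+,shell
admin,failure,Wrong password,2024-05-01T08:00:33,10.0.0.1,192.0.2.10,,login,TACACS+,shell
admin,failure,Wrong password,2024-05-01T08:00:41,10.0.0.1,192.0.2.10,,login,TACACS+,shell
admin,success,,2024-05-01T08:00:55,10.0.0.1,192.0.2.10,15,login,TACACS+,shell
ops1,failure,Wrong password,2024-05-01T08:10:00,10.0.0.2,192.0.2.20,,login,TACACS+,shell
ops1,success,,2024-05-01T08:10:20,10.0.0.2,192.0.2.20,1,login,TACACS+,shell
netadmin,failure,Wrong password,2024-05-01T09:00:00,10.0.0.3,192.0.2.30,,login,TACACS+,shell
netadmin,failure,Wrong password,2024-05-01T10:00:00,10.0.0.3,192.0.2.30,,login,TACACS+,shell
"""

Record = Dict[str, str]
Key = Tuple[str, str]   # (login_name, user_ip)


def _epoch(record: Record) -> float:
    # auth_time is ISO 8601 without a zone; treat it as UTC so differences are stable.
    return datetime.fromisoformat(record["auth_time"]).replace(tzinfo=timezone.utc).timestamp()


def parse_auth_log(text: str) -> List[Record]:
    """Parse the CSV export into dict records, oldest first."""
    records = list(csv.DictReader(StringIO(text)))
    records.sort(key=_epoch)
    return records


def detect_guessing(records: List[Record], threshold: int = 5,
                    window_seconds: int = 300) -> List[Tuple[str, str, int]]:
    """Return (login_name, user_ip, total_failures) for every pair that reached
    `threshold` failures inside some `window_seconds` span."""
    failures: Dict[Key, List[float]] = defaultdict(list)
    for r in records:
        if r["login_result"] == "failure":
            failures[(r["login_name"], r["user_ip"])].append(_epoch(r))
    alerts = []
    for (name, ip), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((name, ip, len(times)))
                break
    return sorted(alerts)


def success_after_failures(records: List[Record], min_failures: int = 3) -> List[Tuple[str, str, int]]:
    """Return (login_name, user_ip, failures_before_success) where a success directly
    follows a run of at least `min_failures` failures from the same user IP; the
    matching audit logs for that session are the next thing to review."""
    run: Dict[Key, int] = defaultdict(int)
    hits = []
    for r in records:                  # records are time-ordered by parse_auth_log
        key = (r["login_name"], r["user_ip"])
        if r["login_result"] == "failure":
            run[key] += 1
        else:
            if run[key] >= min_failures:
                hits.append((key[0], key[1], run[key]))
            run[key] = 0
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(detect_guessing(recs))            # [('admin', '192.0.2.10', 6)]
    print(success_after_failures(recs))     # [('admin', '192.0.2.10', 6)]
```

Keying on the pair of login name and user IP keeps a single mistyped password from several operators from being counted against one account, while a privilege level appearing only on the success record shows why the authorization and audit logs described above belong in the same review.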
Intelligent advertisement push for network operation
Working with the IMC platform, EIA can push advertisements to users based on user identities and access locations. Access users can obtain information more easily and quickly. EIA can also work with third-party advertisement platforms to meet the network operation needs.
High-performance authentication process and massive database storage
With an optimized authentication mechanism, simplified packet processing, and efficient memory control, EIA can process authentication requests from more than 10000 users per second at peak authentication time. With database performance optimization and accurate control of service processing, EIA can perform efficient statistics collection and service processing on data about millions of users.
Xeon 2.4 GHz or higher, memory size ≥ 4 GB, hard disk size ≥ 80 GB, 48x optical drive, 100 Mbps NIC, resolution 1024 × 768, sound card
Base frequency ≥ 1.8 GHz, memory size ≥ 512 MB, hard disk size ≥ 20 GB, 48x optical drive, 100 Mbps NIC, resolution 1024 × 768, sound card
IMC EIA server: Windows Server 2012/2016 64-bit
Database: SQL Server 2012 SP2/2014/2016 Enterprise 64-bit
IMC EIA server: Red Hat Enterprise Linux Version 7.3/7.4 64-bit
Database: Oracle 11g/12c 64-bit
H3C iMC, End-user Intelligent Access Component
H3C iMC, End-user Intelligent Access Component, 50 Licenses
H3C iMC, End-user Intelligent Access Component, 200 Licenses
H3C iMC, End-user Intelligent Access Component, 500 Licenses
H3C iMC, End-user Intelligent Access Component, 2000 Licenses
H3C iMC, End-user Intelligent Access Component, 5000 Licenses