As a secure access management solution, H3C IMC End-user Intelligent Access (EIA) manages network access of endpoints in enterprise networks that are built with wired, wireless, and VPN network infrastructures. EIA supports defining access scenarios based on the user role, device type, access time, access location, and other criteria and performs strict network access control for granular privilege management. It meets the unified operation and maintenance requirements of enterprise networks to manage various access methods, abundant endpoint types, and different user roles and ensures execution of security policies.
In addition to the centralized management of network devices, EIA centrally maintains basic user information (including username, identification ID, contact address, telephone number, email address, and user group) as well as additional user information. The administrator can customize user information according to network operation needs. For example, the administrator can define student IDs and grades for a university network, and departments and positions for an enterprise network. Centralized management can also bind the username of an authenticated user to multiple devices and multiple IP addresses, allowing users to access the entire campus wireless network. Unified user management also covers user rights, QoS, bandwidth, applications, and security policies. EIA can onboard users and devices, and supports displaying and reporting user authentication and RADIUS logs.
Resource management
EIA supports grouping devices and users. The administrator assigns users with the same attribute to a group and allocates group management privileges to operators via a policy matrix. In addition, the administrator controls the network access of users in user groups by assigning access services to the groups and assigning the groups to different subnets. EIA also supports assigning a privilege level, such as administrator or monitor, to each account user.
The integration of device management and user management enables the administrator to perform operations more efficiently. The online user list provides an interface for viewing information about access devices of online users, such as basic device information, alarms, and performance status. The administrator can take actions on users by selecting their access devices. For example, the administrator can select an access device and force all access users on the device to go offline. EIA supports integration with third-party AD and LDAP servers.
Various access methods (such as 802.1X and VPN access) are available for users to access the network.
Authentication methods (for example, PAP, CHAP, EAP-MD5, EAP-TLS, and PEAP) meet the security requirements in different application scenarios.
Bindings between users and device IP addresses, access ports, VLANs, user IP addresses, and hardware information (for example, MAC addresses) enhance authentication security and prevent account misuse and unauthorized access.
Unified authentication with the Windows domain controller and LDAP-capable third-party email systems avoids multi-authentication.
EIA adopts an authentication server architecture that separates the control plane.
Cooperation with the Endpoint Admission Defense (EAD) solution ensures that only user endpoints compliant with security policies can access the network.
Portal authentication supports H3C iNode DC and PC clients. You can customize the portal authentication page and embed it in the home page of a third-party system. Portal customization also provides various system templates, such as registration-free and self-service guest registration. Authentication pages can be pushed based on port groups, SSIDs, and endpoint operating systems.
User-based privilege control policies define network access privileges for different users.
Limits on concurrent online users and prohibition of proxy services effectively prevent specific users from consuming excessive network resources.
EIA supports setting a maximum idle time.
The user ACL-based and VLAN-based control prevents users from accessing external illegal websites and internal servers with sensitive data.
User IP address allocation policies ensure IP address security and uniqueness.
After the administrator configures the network access time range and location, users can only access the network as configured.
EIA limits the use of multiple NICs and the dial-in access method to prevent internal information leakage.
EIA requires users to use dedicated clients and forces automatic client upgrade, which ensures the security of clients.
EIA supports permission management (authorization) by user group or user role.
EIA supports real-time querying online users and allows the administrator to force illegal users to go offline.
The blacklist feature adds users who maliciously guess passwords to the blacklist and traces origins of illegal behaviors by MAC address or IP address.
EIA secures endpoint access by denying network access to endpoints that spoof the MAC addresses of clientless dumb terminals or smart endpoints.
EIA supports sending administrator notifications to access users upon important events, for example, a network disconnection notification before a system upgrade, or a password protection notification when a malicious password attack is detected.
Authentication failure logs help the administrator locate authentication failure reasons.
Service-based user classification management and the integration of authentication binding policies, security policies, and access privileges into services simplify maintenance operations and ensure unified network management.
EIA provides a user-friendly Web interface for operators to perform centralized management operations on access users.
Access users can apply for accounts, and query and modify user information in the self-service center, which improves the access efficiency and reduces the workload of the administrator.
Based on application scenarios, EIA guest management provides the following guest creation methods:
In public places, guests can use telephone numbers to register accounts and obtain passwords through SMS messages for quick network access. The workflow is as follows:
1) The guest manager configures a guest access policy and account parameters (including the validity period) on the EIA server.
2) A guest attempts to connect to the Guest SSID.
3) The guest enters telephone number on the pushed Web authentication page and clicks Get Password.
4) The EIA server automatically creates a guest account for this telephone number and assigns the guest access policy and the account validity period to the account.
5) The EIA server sends the account and password to the guest in an SMS message through the SMS message gateway.
6) The guest enters the password on the Web authentication page after receiving the SMS message.
7) After passing the authentication, the guest can access network resources defined by the access policy.
8) The EIA server periodically deletes expired guest accounts.
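The SMS self-registration workflow above, together with the password-guessing blacklist described earlier under access control, can be modelled as a small account lifecycle: create an account with a validity period, deliver the password through a gateway, accept logins only while the account is valid, blacklist an endpoint after repeated failures, and purge expired accounts periodically. The following is an added example written for this page, not H3C code; the GuestDirectory class, the 8-hour validity period, the five-failure threshold, the policy name and the stub SMS gateway are all assumptions.

```python
"""Model of the SMS-based guest onboarding lifecycle (steps 3 to 8 above).

Added example, not H3C code: class names, the validity window, the failure
threshold and the SMS gateway hook are assumptions used for illustration.
"""
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set


@dataclass
class GuestAccount:
    phone: str
    password: str
    access_policy: str        # name of the guest access policy (assumed)
    expires_at: datetime      # account validity period end


@dataclass
class GuestDirectory:
    send_sms: Callable[[str, str], None]          # gateway hook: (phone, text)
    access_policy: str = "guest-internet-only"   # assumed policy name
    validity: timedelta = timedelta(hours=8)     # assumed validity period
    max_failures: int = 5                         # assumed blacklist threshold
    accounts: Dict[str, GuestAccount] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)  # keyed by endpoint MAC
    blacklist: Set[str] = field(default_factory=set)

    def request_password(self, phone: str, now: datetime) -> GuestAccount:
        """Steps 3 to 5: create the account and deliver the password by SMS."""
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(8))
        acct = GuestAccount(phone, password, self.access_policy, now + self.validity)
        self.accounts[phone] = acct
        self.send_sms(phone, f"Guest account {phone}, password {password}, "
                             f"valid until {acct.expires_at:%Y-%m-%d %H:%M}")
        return acct

    def authenticate(self, phone: str, password: str, mac: str,
                     now: datetime) -> Optional[str]:
        """Steps 6 and 7: return the access policy on success, None otherwise.

        Failures are counted per endpoint MAC; reaching the threshold puts the
        MAC on the blacklist, which mirrors the origin-tracing described above.
        """
        if mac in self.blacklist:
            return None
        acct = self.accounts.get(phone)
        ok = (acct is not None and now < acct.expires_at
              and hmac.compare_digest(acct.password, password))
        if ok:
            self.failures.pop(mac, None)
            return acct.access_policy
        self.failures[mac] = self.failures.get(mac, 0) + 1
        if self.failures[mac] >= self.max_failures:
            self.blacklist.add(mac)
        return None

    def purge_expired(self, now: datetime) -> List[str]:
        """Step 8: periodic deletion of expired accounts; returns removed phones."""
        expired = [p for p, a in self.accounts.items() if a.expires_at <= now]
        for phone in expired:
            del self.accounts[phone]
        return expired


def demo() -> dict:
    """Run the lifecycle on constructed data and return the observable results."""
    sent: List[str] = []
    directory = GuestDirectory(send_sms=lambda phone, text: sent.append(text))
    t0 = datetime(2024, 1, 1, 9, 0)           # constructed clock
    guest_mac = "aa:bb:cc:dd:ee:01"           # constructed endpoint MAC
    guesser_mac = "aa:bb:cc:dd:ee:02"         # constructed endpoint MAC
    acct = directory.request_password("+8613800000000", t0)  # constructed number
    results = {
        "sms_sent": len(sent),
        "good_login": directory.authenticate(acct.phone, acct.password, guest_mac,
                                             t0 + timedelta(minutes=1)),
        "expired_login": directory.authenticate(acct.phone, acct.password, guest_mac,
                                                t0 + timedelta(hours=9)),
    }
    for _ in range(directory.max_failures):
        directory.authenticate(acct.phone, "wrong", guesser_mac, t0 + timedelta(minutes=2))
    results["guesser_blacklisted"] = guesser_mac in directory.blacklist
    results["purged"] = directory.purge_expired(t0 + timedelta(hours=9))
    return results


if __name__ == "__main__":
    print(demo())
```

The password comparison uses `hmac.compare_digest` so that a wrong guess takes the same time regardless of how many leading characters match, and the failure counter is keyed by endpoint MAC rather than by account, so a guesser rotating through phone numbers is still caught.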
Account creation by receptionists
This method applies when guest accounts are managed by a specific receptionist, such as a security guard, front desk receptionist, or employee. The workflow is as follows:
1) The guest receptionist logs in to the self-service center, creates a guest account, and assigns an access policy and validity period to the account.
2) The EIA server sends the account and password to the guest by email or SMS message.
3) The guest attempts to connect to the Guest SSID.
4) The guest enters the account and password on the pushed Web authentication page.
5) After passing the authentication, the guest can access network resources defined by the access policy.
6) The EIA server periodically deletes expired guest accounts.
Administrators can create a single visitor account or guest accounts in batch. EIA supports guest account export and printing and notification through emails and Short Messaging Service (SMS) messages.
Account creation by guests
Guests use this method to apply for accounts and the guest receptionist approves the application. The workflow is as follows:
1) A guest attempts to connect to the Guest SSID.
2) The guest clicks Preregister Guest on the pushed Web authentication page, and enters the account information and selects a guest receptionist on the preregistration page.
3) The guest receptionist logs in to the self-service center, and assigns an access policy and validity period to the guest.
4) After the account takes effect, EIA sends the account to the guest by email or SMS message.
5) The guest attempts to connect to the Guest SSID again and enters the account and password on the pushed Web authentication page.
6) After passing the authentication, the guest can access network resources defined by the access policy.
7) The EIA server periodically deletes expired guest accounts.
A guest can use an intelligent endpoint to scan a specific QR code for fast account creation and network access. The following types of QR codes are available for guest authentication:
Authentication QR code
1) The guest manager creates a guest account in the self-service center and generates a QR code.
2) The guest scans the QR code for authentication.
Approval QR code
1) When the guest accesses a website, the guest is directed to the page for automatic preregistration. A QR code is also automatically generated on the page.
2) The guest manager scans the QR code to enter the approval page and approves the guest account.
3) The guest can access the network after the account is approved.
EIA provides a rich set of SDK interfaces for communicating with the WeChat official platforms of enterprises. A guest can access the wireless network of an enterprise by following the WeChat official account of the enterprise.
Multiple SMS message notification methods
The following methods are available for sending SMS messages:
SMS message gateway.
Third-party SMS message gateways with which EIA communicates through the Web interface.
Customer SMS message platforms with which EIA communicates through customized interfaces.
EIA works with the IMC ACL manager solution for ACL configuration on access devices. The administrator can select an access device and configure an ACL for the device. The ACL deployment information of access devices is displayed on the access device list.
EIA provides links for querying access device details, including basic device information, alarms, and performance status.
The administrator can manage access devices by using the topology management feature. The topology displays access devices and allows the administrator to view information about these devices. The administrator can also set access devices to non-access devices on the topology.
EIA assigns authorization policies based on scenarios. A scenario is a combination of the device location, device type, and access time range. The administrator can define shell profiles and command sets for device users in different scenarios.
EIA supports setting fixed or flexible access time ranges to control network access time ranges of device users.
Shell profile configuration defines the global attributes for device users, for example, privilege levels, access ACLs, and access duration.
Command set configuration defines commands available for device users.
Authentication logs record the device login information of device users, including login name, login result, failure reason, authentication time, IP address of the login device, user IP address, privilege level, login action, authentication type, and service type.
Authorization logs monitor login authorization and command authorization events. If login authorization is enabled, the TACACS+ Authentication Manager (TAM) server authorizes a login level to a successful login user and records the event in the authorization log. If command authorization is enabled, the TAM server determines whether the device user has the execution right of a command when this command is executed and maintains command authorization logs.
Audit logs
The TAM server records the device user logins, login devices, and behaviors of device users. The audit logs record the following information: login name, audit type, audit time, device IP, endpoint user IP, and commands.
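The scenario-based authorization, shell profile, command set and logging behaviour described above can be modelled as one small policy engine: a scenario matches on location, device type and time range; a matching policy yields a shell profile at login; each command is then checked against the command set and the decision is written to the authorization log. The following is an added example written for this page, not H3C or TAM code; the Scenario, ShellProfile and CommandSet structures, the glob-style command matching, the log field names and the sample commands are all assumptions.

```python
"""Model of scenario-based device-user authorization with command sets.

Added example, not H3C/TAM code: the data structures, the glob-style matching
and the log fields are assumptions that illustrate the text above.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class Scenario:
    location: str      # access device location, e.g. "datacenter"
    device_type: str   # access device type, e.g. "switch"
    start: time        # fixed access time range (flexible ranges not modelled)
    end: time

    def matches(self, location: str, device_type: str, now: datetime) -> bool:
        return (self.location == location and self.device_type == device_type
                and self.start <= now.time() <= self.end)


@dataclass
class ShellProfile:
    privilege_level: int   # login level authorized to the device user
    acl: str               # access ACL applied to the session
    max_duration_min: int  # access duration


@dataclass
class CommandSet:
    allowed: List[str]     # glob patterns; deny patterns win over allow patterns
    denied: List[str]

    def permits(self, command: str) -> bool:
        if any(fnmatch(command, p) for p in self.denied):
            return False
        return any(fnmatch(command, p) for p in self.allowed)


@dataclass
class AuthorizationPolicy:
    scenario: Scenario
    shell: ShellProfile
    commands: CommandSet


@dataclass
class TamModel:
    policies: List[AuthorizationPolicy]
    auth_log: List[dict] = field(default_factory=list)

    def login_authorize(self, user: str, location: str, device_type: str,
                        now: datetime) -> Optional[AuthorizationPolicy]:
        """Login authorization: first policy whose scenario matches wins."""
        for policy in self.policies:
            if policy.scenario.matches(location, device_type, now):
                self.auth_log.append({"user": user, "event": "login",
                                      "level": policy.shell.privilege_level, "time": now})
                return policy
        self.auth_log.append({"user": user, "event": "login", "level": None, "time": now})
        return None

    def command_authorize(self, user: str, policy: AuthorizationPolicy,
                          command: str, now: datetime) -> bool:
        """Command authorization: check the command set and record the decision."""
        ok = policy.commands.permits(command)
        self.auth_log.append({"user": user, "event": "command", "command": command,
                              "permitted": ok, "time": now})
        return ok


def build_model() -> TamModel:
    """Constructed sample policy: read-only operator on datacenter switches, office hours."""
    return TamModel(policies=[AuthorizationPolicy(
        scenario=Scenario("datacenter", "switch", time(9, 0), time(18, 0)),
        shell=ShellProfile(privilege_level=1, acl="mgmt-readonly", max_duration_min=60),
        commands=CommandSet(allowed=["show *", "ping *"], denied=["show running-config*"]),
    )])


def demo() -> dict:
    tam = build_model()
    in_hours = datetime(2024, 1, 1, 10, 0)    # constructed timestamps
    at_night = datetime(2024, 1, 1, 23, 0)
    policy = tam.login_authorize("operator1", "datacenter", "switch", in_hours)
    return {
        "level": policy.shell.privilege_level if policy else None,
        "show_version": tam.command_authorize("operator1", policy, "show version", in_hours),
        "show_running": tam.command_authorize("operator1", policy, "show running-config", in_hours),
        "reload": tam.command_authorize("operator1", policy, "reload", in_hours),
        "night_login": tam.login_authorize("operator1", "datacenter", "switch", at_night),
        "log_entries": len(tam.auth_log),
    }


if __name__ == "__main__":
    print(demo())
```

Deny patterns are evaluated before allow patterns so that a broad allow such as `show *` cannot silently re-open a command the set was meant to exclude, and every decision, permitted or not, lands in the authorization log so the audit record matches what the device user actually did.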
Working with the IMC platform, EIA can push advertisements to users based on user identities and access locations. Access users can obtain information more easily and quickly. EIA can also work with third-party advertisement platforms to meet the network operation needs.
With an optimized authentication mechanism, simplified packet processing, and efficient memory control, EIA can process authentication requests from more than 10000 users concurrently per second at peak authentication time. With database performance optimization and accurate control of service processing, EIA can perform efficient statistics collection and service processing over data about millions of users.
Item | Sub-item | Specifications
Hardware platform | PC server | Xeon 2.4 GHz or higher, memory ≥ 4 GB, hard disk ≥ 80 GB, 48x optical drive, 100 Mbps NIC, resolution 1024 × 768, sound card
Hardware platform | PC client | Base frequency ≥ 1.8 GHz, memory ≥ 512 MB, hard disk ≥ 20 GB, 48x optical drive, 100 Mbps NIC, resolution 1024 × 768, sound card
Operating system | Windows | IMC EIA server: Windows Server 2012/2016 64-bit; Database: SQL Server 2012 SP2/2014/2016 Enterprise 64-bit
Operating system | Linux | IMC EIA server: Red Hat Enterprise Linux 7.3/7.4 64-bit; Database: Oracle 11g/12c 64-bit
Product ID | Description |
SWP-IMC7-EIA | H3C iMC, End-user Intelligent Access Component |
LIS-IMC7-EIAA-50 | H3C iMC, End-user Intelligent Access Component, 50 Licenses |
LIS-IMC7-EIAB-200 | H3C iMC, End-user Intelligent Access Component, 200 Licenses |
LIS-IMC7-EIAC-500 | H3C iMC, End-user Intelligent Access Component, 500 Licenses |
LIS-IMC7-EIAD-2000 | H3C iMC, End-user Intelligent Access Component, 2000 Licenses |
LIS-IMC7-EIAE-5000 | H3C iMC, End-user Intelligent Access Component, 5000 Licenses |