H3C iMC EIA

Centralized device management and user resource management

In addition to the centralized management of network devices, EIA maintains basic user information (including username, identification ID, contact address, telephone number, email address, and user group) and additional user information in a centralized way. The administrator can customize user information according to the network operation needs. For example, the administrator can customize student IDs and grades for a university network, and departments and positions for an enterprise network. The centralized management also can bound usernames of authenticated users with multiple devices, to multiple IP addresses thus allowing users to have access to the entire campus wireless network. User unified management also handles user rights, QoS, bandwidth, applications, and security policies. EIA is capable to onboard users and devices. EIA supports displaying and reporting of user authentication and Radius logs.

User List

Group management of devices and users

EIA supports grouping devices and users. Network devices can be grouped based on type, location, or function; while users can be grouped based on their role, department, or location. Users can be automatically classified based from a number of criteria which can automatically add or remove users based on the criteria set, which can be location, day, or time of day among others. The administrator assigns users with the same attribute to a group and allocates group management privileges to operators via a policy matrix. The policy matrix is a centralized way of enforcing policies for groups of devices or users which can be created to control access parameters such as network access and bandwidth usage as well as restrict excessive resource usage on specific users. In addition, the administrator manages the network access of users in user groups by assigning access services to user groups and assign the groups to different subnets. EIA system supports specifying the usage level rights of Account users for each Account User, such as Administrator user level, Monitor user level.

Integration of user management and network device management

The integration of device management and user management enables the administrator to perform operations more efficiently. The online user list provides an interface for viewing information about access devices of online users, such as basic device information, alarms, and performance status. The administrator can take actions on users by selecting their access devices. For example, the administrator can select an access device and force all access users on the device to go offline.EIA supports integration with third-party AD and LDAP servers.( Support LDAPs protocol)

Multiple access and authentication methods for different application scenarios

Various access methods (such as 802.1X and VPN access), Mac authentication, Certificate-based authentication, as well as 2FA/MFA authentications are available access methods for users to access the network.

Authentication methods (for example, PAP, CHAP, EAP-MD5, EAP-TLS, and PEAP) meet the security requirements in different application scenarios.

Bindings between users and device IP addresses, access ports, VLANs, user IP addresses, and hardware information (MAC addresses for example) enhance authentication security and prevent account loss and invalid access.

Unified authentication with the Windows domain controller and LDAP-capable third-party email systems avoids multi-authentication.

Adopts the Authentication server which separates the control plane

Cooperation with the Endpoint Admission Defense (EAD) solution ensures that only user endpoints compliant with security policies can access the network.

Captive Portal authentication supports H3C iNode DC and PC, and mobile clients. You can customize the portal authentication page and embed it to the home page of a third-party system. Portal customization can also provides various system templates such as registration-free and self-service guest registration. Authentication pages can be pushed based on port groups, SSIDs, and endpoint operating systems to grant authorized users temporary guest accounts/access with limited/internet only access. Pre-shared keys can also be provided to authenticate guest users to give them limited network access.

Support Windows Machine Authentication

Strict privilege control and enhanced user access management

User-based privilege control policies define network access privileges for different users.

The settings of concurrent online users and proxy service prohibition effectively avoid excessive network resource use by specific users.

Supports setting the maximum idle time.

The user ACL-based and VLAN-based control prevents users from accessing external illegal websites and internal servers with sensitive data.

The user ACL-based, time-based, and VLAN-based control prevents users from accessing external illegal websites and internal servers with sensitive data.

User IP address allocation policies ensure IP address security and uniqueness.

After the administrator configures the network access time range and location, users can only access the network as configured.

EIA limits the use of multiple NICs and the dial-in access method to prevent internal information leakage.

EIA requires users to use dedicated clients and forces automatic client upgrade, which ensures the security of clients.

EIA Supports granular, fine-grained, role-based access control. Supporting dynamic adjustments in the network access control policies and implements network segmentation mechanisms based on user roles, device type, and security requirements as well as the ever-changing network conditions.

EIA Supports AAA (Authentication, Authorization, and Accounting) as well as role-based access control, and policy enforcement mechanisms to ensure secure access to the network to protect against unauthorized access while enforcing network policies.

EIA support permission management. (authorization) according to user group (group) or user role (role)

EIA Policies can be defined in a variety of ways. It can be guest, cloud, application-specific, network, device access. It can also can audit devices to ensure compliance with regulatory or organizational policies.

Powerful endpoint user monitoring and management

EIA supports real-time querying online users and allows the administrator to force illegal users to go offline.

The blacklist feature adds users who maliciously guess passwords to the blacklist and traces origins of illegal behaviors by MAC address or IP address.

EIA secures endpoint access by denying network access of endpoints that use spoofed MAC addresses of clientless dumb terminals and smart endpoints.

EIA supports sending the administrator notifications to access users upon important events. For example, the network disconnection notification before system upgrade and password protection notification when a malicious password attack is detected.

Authentication failure logs help the administrator locate authentication failure reasons.

Simplified maintenance operations

Service-based user classification management and integration of authentication binding policies, security polices, and access privileges into services simplify the maintenance operations and ensure unified network management.

EIA provides a user-friendly Web interface for operators to perform centralized management operations on access users.

EIA provides a user-friendly Web interface for operators to perform centralized management and control operations, allowing network administrators to monitor and manage network traffic, behavior on access users and devices as well as providing them access control mechanisms to control access to network resources.

Access users can apply for accounts, and query and modify user information in the self-service center, which improves the access efficiency and reduces the workload of the administrator.

Various guest account creation methods

Based on application scenarios, EIA guest management provides the following guest creation methods:

SMS authentication method in public places

In public places, guests can use telephone numbers to register accounts and obtain passwords through SMS messages for quick network access. The workflow is as follows:

The guest manager configures a guest access policy and account parameters (including the validity period) on the EIA server.

A guest attempts to connect to the Guest SSID.

The guest enters telephone number on the pushed Web authentication page and clicks Get Password.

The EIA server automatically creates a guest account for this telephone number and assigns the guest access policy and the account validity period to the account.

The EIA server sends the account and password to the guest in an SMS message through the SMS message gateway.

The guest enters the password on the Web authentication page after receiving the SMS message.

After passing the authentication, the guest can access network resources defined by the access policy.

The EIA server periodically deletes expired guest accounts.

Account creation by receptionists

This method applies when guest accounts are managed by a specific receptionist, such as a security guard, front desktop receptionist, or employee. The workflow is as follows:

The guest receptionist logs in to the self-service center, creates a guest account, and assigns an access policy and validity period to the account.

The EIA server sends the account and password to the guest by email or SMS message.

The guest attempts to connect to the Guest SSID.

The guest enters the account and password on the pushed Web authentication page.

After passing the authentication, the guest can access network resources defined by the access policy.

The EIA server periodically deletes expired guest accounts.

Administrators can create a single visitor account or guest accounts in batch. EIA supports guest account export and printing and notification through emails and Short Messaging Service (SMS) messages.

Account creation by receptionists

Self-service account creation by guests

Guests use this method to apply for accounts and the guest receptionist approves the application. The workflow is as follows:

A guest attempts to connect to the Guest SSID.

The guest clicks Preregister Guest on the pushed Web authentication page, and enters the account information and selects a guest receptionist on the preregistration page.

The guest receptionist logs in to the self-service center, and assigns an access policy and validity period to the guest.

After the account takes effect, EIA sends the account to the guest by email or SMS message.

The guest attempts to connect to the Guest SSID again and enters the account and password on the pushed Web authentication page.

After passing the authentication, the guest can access network resources defined by the access policy.

The EIA server periodically deletes expired guest accounts.

Account creation by guests

QR code authentication method

A guest can use an intelligent endpoint to scan a specific QR code for fast account creation and network access. The following types of QR codes are available for guest authentication:

Authentication QR code

The guest manager creates a guest account in the self-service center and generates a QR code.

The guest scans the QR code for authentication.

Approval QR code

When the guest accesses a website, the guest is directed to the page for automatic preregistration. A QR code is also automatically generated on the page.

The guest manager scans the QR code to enter the approval page and approves the guest account.

The guest can access the network after the account is approved.

Other methods

EIA supports abundant SDK interfaces to communicate with the WeChat official platforms of enterprises. A guest can access the wireless network of an enterprise by following the WeChat official account of the enterprise.

Multiple SMS message notification methods

The following methods are available for sending SMS messages:

SMS message gateway.

Third-party SMS message gateways with which EIA communicates through the Web interface.

Customer SMS message platforms with which EIA communicates through customized interfaces.

Integrated access device management with simplified operations and maintenance

EIA works with the IMC ACL manager solution for ACL configuration on access devices. The administrator can select an access device and configure an ACL for the device. The ACL deployment information of access devices is displayed on the access device list.

EIA provides links for querying access device details, including basic device information, alarms, and performance status.

The administrator can manage access devices by using the topology management feature. The topology displays access devices and allows the administrator to view information about these devices. The administrator can also set access devices to non-access devices on the topology.

Scenario-based authorization policy management for device users

EIA assigns authorization polices based on scenarios. A scenario is a combination of the device location, device type, and access time range. The administrator can define shell profiles and command sets for device users in different scenarios.

EIA supports setting fixed or flexible access time ranges to control network access time ranges of device users.

Shell profile configuration defines the global attributes for device users, for example, privilege levels, access ACLs, and access duration.

Command set configuration defines commands available for device users.

Detailed logging and and auditing for device management behaviors

Authentication logs record the device login information of device users, including login name, login result, failure reason, authenticating time, IP address of the login device, user IP address, privilege level, login action, authentication type, and service type.

Authorization logs monitor login authorization and command authorization events. If login authorization is enabled, the TACACS+ Authentication Manager (TAM) server authorizes a login level to a successful login user and records the event in the authorization log. If command authorization is enabled, the TAM server determines whether the device user has the execution right of a command when this command is executed and maintains command authorization logs.

The TAM server records the device user logins, login devices, and behaviors of device users. The audit logs record the following information: login name, audit type, audit time, device IP, endpoint user IP, and commands.

Audit logs

Intelligent advertisement push for network operation

Working with the IMC platform, EIA can push advertisements to users based on user identities and access locations. Access users can obtain information more easily and quickly. EIA can also work with third-party advertisement platforms to meet the network operation needs.

High-performance authentication process and massive database storage

With optimized authentication mechanism, simplified packet processing, and efficient memory control, EIA can process authentication requests from more than 10000 users concurrently per second at the peak authentication time. With performance optimization of the database and accurate control of service processing, EIA can perform efficient statistics collection and service processing among data about millions of users.