Login
- Released At: 11-03-2026
- Page Views:
- Downloads:
- Table of Contents
- Related Documents
-
H3C EIA SSO
Configuration Examples
Document version: 5W105-20251014
Product version: EIA (E6204)
Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Procedures for Web Application System > Portal
Procedures for Web Application System > BYOD
Userinfo synthesis and resolution
Introduction
EIA single sign-on (SSO) is an authentication mode that integrates network access authentication and application authentication. That is, after a single authentication, end users can seamlessly access the network and use various Web applications.
EIA SSO applies to the following scenarios:
· Web Application System > Portal: End users are not authenticated through the login page on the portal server. Instead, third-party applications send authentication information of users to the portal server on their behalf. This method does not support security checks.
· Web Application System > BYOD: End users are not authenticated through the login page on the BYOD server. Instead, third-party applications send authentication information of users to the BYOD server on their behalf. This method does not support security checks.
Usage guidelines
Applicable scenarios
Users must be authenticated before they can access the network and use various Web applications.
Prerequisites
The third-party Web application system has been configured. For more information, see "Appendix: Public sample code."
Example: Configuring EIA SSO
Network configuration
As shown in Figure 2, configure portal authentication to verify the identity of users when they attempt to access the network. In this example, the EIA server and the portal server are the same server.
The IP address of the EIA server is 192.168.7.220. To view the IP address of the EIA server:
|
|
NOTE: · In a cluster deployment environment, always use the northbound service virtual IP address, not the actual node IP address, for the EIA server. · Follow the following general steps to check the IP address of the EIA server. The IP addresses mentioned in this document are examples only. |
1. Open your browser, and enter https://ip_address:8443/matrix/ui to access the Matrix Web interface. The ip_address argument represents the northbound service virtual IP or node IP.
2. On the top navigation bar, click DEPLOY. From the left navigation pane, select Clusters.
3. The northbound service virtual IP on this page is the IP address of the EIA server, as shown in Figure 1.
Figure 1 Viewing the IP address of the EIA server
This example uses the following versions:
· EIA version: EIA (E6204)
· Access device: H3C S5820V2-54QS-GE
Configuring the EIA server
|
|
IMPORTANT: Before using SSO, you must configure the EIA server. |
To use the EIA server, perform the following tasks:
· Configure access devices.
· Configure access policies.
· Configure access services.
· Configuring access users
Adding an access device
Add an access device to establish an interaction between the EIA server and the device. To add an access device:
1. Click the Automation tab. From the left navigation pane, select User > Access Service. Access the Access Device Management > Access Device tab.
Figure 3 Access device configuration
2. Click Add.
Figure 4 Adding an access device
3. Click Add IPv4 Device in the Device List section. Enter the IP address of the access device, and click OK. Make sure the IP address meet the following requirements:
¡ If you have executed the nas ip command for a RADIUS scheme on the access device, make sure the specified IP address is consistent with the NAS IP.
¡ If you have not executed the nas ip command, make sure you enter the IP address of the interface that connects the device to the EIA server or the IP address of the VLAN interface for the VLAN where the physical interface resides.
Figure 5 Manually adding an access device
4. Configure common parameters as follows:
¡ Authentication Port: Specifies the port for EIA to listen for RADIUS authentication packets. Make sure the setting is consistent with the authentication port configured on the access device through the CLI. EIA and access devices typically use the default port 1812.
¡ Accounting Port: Specifies the port for EIA to listen for RADIUS accounting packets. Make sure the setting is consistent with the accounting port configured on the access device through the CLI. EIA and access devices typically use the default port 1813.
|
|
NOTE: Currently, the EIA server must act as both the authentication server and accounting server. You cannot use EIA as the authentication and use another server as the accounting server. |
¡ Shared Key/Confirm Shared Key: Enter the same shared key twice. When the access device works with EIA for authentication, they use this key to verify each other's legitimacy. Make sure the setting is consistent with the shared key configured on the access device through the CLI. If you selected Plaintext for the Displays Key in field in system parameter settings on the Automation > User > Service Parameters > Access Parameters > System Settings page, you only need to enter the key once.
¡ Retain the default settings in the other fields.
This example sets the shared key to movie.
Figure 6 Configuring common parameters
5. Click OK. You can view the newly added device in the access device list.
Figure 7 Viewing the newly added access device
Adding an access policy
Configure an access policy that does not enforce any access control. To add an access policy:
1. Click the Automation tab. From the left navigation pane, select User > Access Service. Access the Access Policy > Access Policy tab.
Figure 8 Access policy management
2. Click Add. Since no access control is required, simply enter the access policy name and retain the default settings in the other fields.
Figure 9 Adding an access policy
|
|
NOTE: Authorization requires the device to support the corresponding attributes. Authentication binding requires the device to upload the corresponding information to RADIUS attributes. This example does not deploy any configurations to the device. Therefore, the default settings are used. |
3. Click OK. Return to the Access Policy Management page. You can view the newly added access policy in the access policy list.
Figure 10 Viewing the newly added access policy
Adding an access service
An access service is a collection of policies for user authentication and authorization. This example does not apply any access control to users. Therefore, it only adds a simple access service. To add an access service:
1. Click the Automation tab. From the left navigation pane, select User > Access Service.
Figure 11 Access service management
2. Click Add. On the page that opens, enter the service name and service suffix, select the default access policy, and use the default settings for other parameters, as shown in Figure 12.
Figure 12 Adding an access service
Configure service parameters:
¡ Service Name: Enter a unique service name in EIA.
¡ Service Suffix: The service suffix, authentication username, device domain, and the command in the RADIUS scheme are closely related. For more information, see Table 1.
¡ Default Access Policy: Select the newly added access policy.
¡ Security Group: Select a security group.
¡ Sub Security Group: Select a sub security group.
¡ Default Proprietary Attribute Assignment Policy: When users not restricted by access location groups come online, EIA assigns private attributes to their connected access devices based on the policy specified in this parameter.
¡ Default Max. Devices for Single Account: The setting takes effect when the access scenario of a user does not match any access scenario of the service. This field is available only when the EIP component is deployed.
- Matching access scenario: EIA checks whether the number of endpoints bound to the user in this scenario has reached the limit. If the limit is reached, EIA denies user authentication.
- Scenarios included in all services: EIA checks the number of bound endpoints across all services (including all scenarios within each service) requested by the user. If the total number of bound endpoints reaches the Default Max. Devices for Single Account setting, EIA rejects user authentication. If the limit is not reached, EIA allows the user to proceed.
¡ Default Max. Number of Online Endpoints: The setting takes effect when the access scenario of a user does not match any scenario of the service.
¡ Daily Max. Online Duration: Specify the total time an account can access the network per day. The system forces the account offline when the limit is reached. The account cannot reconnect on the same day. The parameter unit is minutes. You can enter an integer in the range of 0 to 1440. Setting this field to 0 means no limit.
¡ Description: Specify a description of the service to simplify daily maintenance for operators.
Table 1 Service suffix selection in EIA
|
Authentication username |
Device domain for authentication |
Command in the RADIUS scheme |
Service suffix in IMC |
|
X@Y |
Y |
user-name-format with-domain |
Y |
|
user-name-format without-domain |
No suffix |
||
|
X |
[Default Domain] Default domain specified on the device |
user-name-format with-domain |
[Default Domain] |
|
user-name-format without-domain |
No suffix |
3. Click OK. Return to the access service management page. You can view the newly added access service in the access service list.
Figure 13 Viewing the newly added access service
Adding an access user
1. Click the Automation tab. From the left navigation pane, select User > Access User.
2. Click Add.
Figure 15 Adding an access user
Parameters:
¡ User Name: Enter the username.
¡ Identity Number: Enter the user ID.
¡ Account Name: A unique name that identifies a user, which can be used to apply for and access services. Make sure the name differs from existing ones and avoids special characters #+/?%&=*'@\"[]()<>` and the Tab key. Keep the name within 200 characters.
¡ Password/Confirm Password: Enter the same password twice.
¡ Access Service: Select the access service you added earlier.
¡ Retain the default settings in the other fields.
3. Click OK. You can view newly added access user in the access user list.
Figure 16 Viewing the newly added access user
Configuring SSO
Procedures for Web Application System > Portal
Configuring the server settings
1. Click Automation. From the left navigation pane, select User > Service Parameters > Portal Service.
Figure 17 Configuring the server settings
2. In the Service Type List section, click Add.
Figure 18 Adding a service type
Parameters:
¡ Service Type ID: The device determines the authentication scheme based on the service type. Make sure the setting matches the service suffix in the previously added access service.
¡ Service Type: The service type is device-specific information. Users may not easily understand its underlying meaning. Therefore, the portal authentication homepage explains the meaning of each service type for to help users understand service types. The Service Type field is required and cannot duplicate existing entries. Keep the total number of service types under 64.
3. Click OK. Return to the server configuration page. You can view the newly added service type in the service type list.
Figure 19 Viewing the newly added service type
4. Click OK.
Configuring an IP address group
1. Click Automation. From the left navigation pane, select User > Service Parameters > Portal Service. Click the Portal IP Group tab.
Figure 20 Configuring an IP address group
2. Click Add.
Figure 21 Adding an IP address group
3. Enter the IP address group name, and enter the start address and end address. In this example, the group name is portal_Address. Endpoints within this address range must undergo authentication.
4. Click OK. You can view the newly added IP address group in the IP address group list.
Figure 22 Viewing the newly added IP address group
Adding a device
1. Click the Automation tab. From the left navigation pane, select User > Service Parameters > Portal Service. Click the Portal Device tab.
2. Click Add.
Figure 24 Adding a portal device
Parameters:
¡ Device Name: Enter the device name. In this example, the device name is zhangsan-Switch.
¡ Public IP: Enter the public IP address of the portal access device.
¡ Key/Confirm Key: Enter the key twice. In this example, the key is movie. Make sure the key is consistent with the one configured for the portal server on the device.
¡ Access Method: Select Directly Connected.
¡ Retain the default settings in the other fields.
3. Click OK. You can view the newly added device in the device configuration list.
Figure 25 Viewing the newly added device
4. Click the port group management icon 
in
the Operation column.
Figure 26 Port group information
5. Click Add.
Parameters:
¡ Port Group Name: Enter the port group name. In this example, the group name is port-Port.
¡ Authentication Type: Select CHAP.
¡ IP Group: Select group portal_Address created at previous steps.
¡ Retain the default settings in the other fields.
6. Click OK. You can view the newly added port group in the port group list.
Figure 28 Viewing the newly added port group
Configuring SSO
1. Click the Automation tab. From the left navigation pane, select User > Service Parameters > Access Parameters. Click the Unified Authentication tab.
2. Click the icon in the Configure column for Web Application System > Portal, and then configure the parameters as needed, as shown in Figure 30.
Figure 30 Web Application System > Portal
Parameters:
¡ Enabled: Check this option to enable the Web Application System > Portal configuration.
¡ Shared Key: Ensures secure interaction between the Web application system and the portal server. This field supports only 8 characters. You can enter the following characters: [A-Z], [a-z], [0-9], and ~`!@#$%^&*()_-+{[}]|:";'<,>./
¡ Timestamp Valid Time (Minutes): After the Web application system and portal server complete a successful message exchange, this field defines how long they trust each other for verifying portal server security and validity. The value range for this field is 5 to 60 minutes.
¡ Redirect to URL after Portal Authentication: URL of the Web application server to redirect to after portal authentication succeeds or fails. Specify the URL in the format of http://XXXXXXXX.
Configuring the access device
Perform this task to control user access. Only authenticated users can access the network.
This section uses the CLI on a Windows PC to telnet to the access device. The specific commands and their descriptions are as follows:
1. Enter system view.
<Device>system-view
System View: return to User View with Ctrl+Z.
2. Configure RADIUS policy allpermit. Specify EIA as both the authentication server and accounting server. Make sure the authentication port, accounting port, and shared key are consistent with the settings in "Adding an access device."
[Device]radius scheme allpermit
New Radius scheme
[Device-radius-allpermit]primary authentication 192.168.7.220 1812
[Device-radius-allpermit]primary accounting 192.168.7.220 1813
[Device-radius-allpermit]key authentication simple movie
[Device-radius-allpermit]key accounting simple movie
[Device-radius-allpermit]user-name-format with-domain
[Device-radius-allpermit]nas-ip 172.19.254.76
[Device-radius-allpermit]quit
3. Configure domain portal and apply policy allpermit. Make sure the domain name is consistent with the service suffix configured in "Adding an access service."
[Device]domain portal
[Device-isp-portal]authentication portal radius-scheme allpermit
[Device-isp-portal]authorization portal radius-scheme allpermit
[Device-isp-portal]accounting portal radius-scheme allpermit
[Device-isp-portal]quit
4. Configure EIA as the portal authentication server. In this example, the server name is myportal. Make sure the key is consistent with the one configured in "Adding a device."
[Device]portal server myportal
New portal server added.
[Device-portal-server-myportal]ip 192.168.7.220 key simple movie
[Device-portal-server-myportal]quit
5. Configure the URL for the third-party Web server.
[Device]portal web-server myportal
New portal web-server added.
[Device-portal-websvr-myportal]url http://ip:port
[Device-portal-websvr-myportal]quit
6. Enable direct portal authentication on Vlan-interface 108 of GigabitEthernet 1/ 0/16. Reference portal Web server myportal and set the BAS-IP attribute value in portal packets sent to the portal authentication server. Make sure the BAS-IP setting is consistent with the public IP address configured in "Adding a device."
[Device]interface Vlan-interface 108
[Device-Vlan-interface108]portal enable method direct
[Device-Vlan-interface108]portal apply web-server myportal
[Device-Vlan-interface108]portal bas-ip 108.108.108.1
[Device-Vlan-interface108]Portal domain portal
[Device-Vlan-interface108]quit
Verifying the configuration
1. A user enters the username and password in a third-party Web application system for authentication. After the authentication succeeds, the third-party Web application system automatically initiates portal authentication to the portal system.
2. After successful authentication, the portal system returns the page specified in the SSO configuration and the heartbeat page pops up, indicating the user is online.
3. To terminate the connection, click Offline.
Procedures for Web Application System > BYOD
Configuring SSO
1. Click the Automation tab. From the left navigation pane, select User > Service Parameters > Access Parameters. Click the Unified Authentication tab.
2. Click the icon in the Configure column for Web Application System > BYOD, and then configure the parameters as needed, as shown in Figure 31.
Figure 31 Web Application System > BYOD
Parameters:
¡ Enabled: Check this option to enable the Web Application System > BYOD configuration.
¡ Shared Key: Ensures secure interaction between the third-party application and the BYOD server. This field supports only 8 characters. You can enter English characters except spaces, tabs, question marks (?), equal signs (=), and back slashes (\).
¡ Timestamp Valid Time (Minutes): After the third-party application and BYOD server complete a successful message exchange, this field defines how long they trust each other for BYOD server security and validity. The value range for this field is 5 to 60 minutes.
Configuring the access device
Perform this task to control user access. Only authenticated users can access the network.
This section uses the CLI on a Windows PC to telnet to the access device. The specific commands and their descriptions are as follows:
1. Enter system view.
<Device>system-view
System View: return to User View with Ctrl+Z.
2. Configure RADIUS policy allpermit. Specify EIA as both the authentication server and accounting server. Make sure the authentication port, accounting port, and shared key are consistent with the settings in "Adding an access device."
[Device]radius scheme allpermit
New Radius scheme
[Device-radius-allpermit]primary authentication 192.168.7.220 1812
[Device-radius-allpermit]primary accounting 192.168.7.220 1813
[Device-radius-allpermit]key authentication simple movie
[Device-radius-allpermit]key accounting simple movie
[Device-radius-allpermit]user-name-format with-domain
[Device-radius-allpermit]nas-ip 172.19.254.76
[Device-radius-allpermit]quit
3. Configure domain portal and apply policy allpermit. Make sure the domain name is consistent with the service suffix configured in "Adding an access service."
[Device]domain portal
[Device-isp-portal]authentication portal radius-scheme allpermit
[Device-isp-portal]authorization portal radius-scheme allpermit
[Device-isp-portal]accounting portal radius-scheme allpermit
[Device-isp-portal]quit
4. Configure EIA as the portal authentication server. In this example, the server name is myportal. Make sure the key is consistent with the one configured in "Adding a device."
[Device]portal server myportal
New portal server added.
[Device-portal-server-myportal]ip 192.168.7.220 key simple movie
[Device-portal-server-myportal]quit
5. Configure the URL for the third-party Web server.
[Device]portal web-server myportal
New portal web-server added.
[Device-portal-websvr-myportal]url http://ip:port
[Device-portal-websvr-myportal]quit
6. Enable direct portal authentication on Vlan-interface 108 of GigabitEthernet 1/ 0/16. Reference portal Web server myportal and set the BAS-IP attribute value in portal packets sent to the portal authentication server. Make sure the BAS-IP setting is consistent with the public IP address configured in "Adding a device."
[Device]interface Vlan-interface 108
[Device-Vlan-interface108]portal enable method direct
[Device-Vlan-interface108]portal apply web-server myportal
[Device-Vlan-interface108]portal bas-ip 108.108.108.1
[Device-Vlan-interface108]Portal domain portal
[Device-Vlan-interface108]quit
Verifying the configuration
A user enters the username and password in a third-party Web application system for authentication. After the authentication succeeds, the third-party Web application system automatically initiates BYOD authentication to the BYOD system. After successful authentication, the Monitor > Monitor List > Access Endpoint page will display the endpoint bound to the user. This endpoint can access the network successfully.
Appendix: Public sample code
DES encryption and decryption
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import org.apache.commons.codec.binary.Base64; // The Base64 API in this example comes from Apache's utility class.
/**
* DES encryption and decryption
*
* @author
*/
public class DesCipher {
/**
* Encryption
*
* @param plainText
* Original string to be encrypted
* @param key
* Shared key
* @return Base64-encoded encrypted character string
*/
public static String encryptData(String plainText, String key) {
Cipher encryptDesCipher = null;
try {
DESKeySpec desKeySpec = new DESKeySpec(key.getBytes("GBK")); // GBK
SecretKeyFactory factory = SecretKeyFactory.getInstance("DES");
SecretKey desSecretKey = factory.generateSecret(desKeySpec);
encryptDesCipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); // DES/ECB/PKCS5Padding
encryptDesCipher.init(1, desSecretKey);
byte[] cryptoText = null;
cryptoText = encryptDesCipher.doFinal(plainText.getBytes("GBK")); // GBK
if (cryptoText != null) {
return new String(Base64.encodeBase64(cryptoText), "GBK"); // GBK
}
} catch (Throwable e) {
e.printStackTrace();
return null;
}
return null;
}
/**
* Decryption
*
* @param base64EncryptInfo
* Character string to be decrypted
* @param key
* Key
* @return Decrypted character string
* @throws UnsupportedEncodingException
*/
public static String decryptData(String base64EncryptInfo, String key) {
try {
byte[] encryptInfo = null;
if (base64EncryptInfo != null) {
encryptInfo = Base64.decodeBase64(base64EncryptInfo.getBytes("GBK")); // GBK
}
Cipher decryptDesCipher = null;
DESKeySpec desKeySpec = new DESKeySpec(key.getBytes("GBK")); // GBK
SecretKeyFactory factory = SecretKeyFactory.getInstance("DES");
SecretKey desSecretKey = factory.generateSecret(desKeySpec);
decryptDesCipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); // DES/ECB/PKCS5Padding
decryptDesCipher.init(2, desSecretKey);
byte[] plainText = null;
plainText = decryptDesCipher.doFinal(encryptInfo);
if (plainText != null) {
return new String(plainText, "GBK"); // GBK
}
} catch (Throwable e) {
e.printStackTrace();
return null;
}
return null;
}
}
Userinfo synthesis and resolution
import org.apache.commons.codec.binary.Base64; // The Base64 API in this example comes from Apache's utility class.
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
/**
* DES encryption and decryption
*
* @author
*/
public class UserInfoUtil {
/**
* Synthesize the userinfo string
* @param username Name
* @param password Password
* @param timestamp Timestamp
* @param key Decrypt key
* @return
*/
public static String composeUserinfo(String username, String password, long timestamp, String key) {
try {
StringBuilder userInfo = (new StringBuilder())
.append("username=").append(new String(Base64.encodeBase64(username.getBytes("GBK")), "GBK"))
.append(",password=").append(new String(Base64.encodeBase64(password.getBytes("GBK")), "GBK"))
.append(",timestamp=").append(timestamp);
String userInfoStr = DesCipher.encryptData(userInfo.toString(), key);
userInfoStr = URLEncoder.encode(userInfoStr, "UTF-8"); // UTF-8
return userInfoStr;
} catch (Throwable e) {
e.printStackTrace();
return null;
}
}
/**
* Username/password extracted from userinfo.
* @param str Encrypted userinfo
* @param key Decrypt key
* @return
*/
public static Map<String, String> analyzeUserinfo(String str, String key) {
try {
str = URLDecoder.decode(str, "UTF-8"); // UTF-8
str = DesCipher.decryptData(str, key);
String[] userinfo = str.split(",");
Map<String, String> paras = new HashMap<String, String>();
for (String nameAndVal : userinfo) {
String[] nv = nameAndVal.split("=");
if("username".equals(nv[0]) || "password".equals(nv[0])) {
nv[1] = new String(Base64.decodeBase64(nv[1].getBytes("GBK")), "GBK");
}
paras.put(nv[0], nv[1]);
}
return paras;
} catch (Throwable e) {
e.printStackTrace();
return null;
}
}
}
Sending HTTP requests
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
/**
* DES encryption and decryption
*
* @author
*/
public class HttpUtil {
/**
* Request a URL.
* @param url URL
* @param method Request method
* @param accept accept
* @return Request result
*/
public static String requestWebAppUrl(String url, String method, String accept) {
HttpURLConnection con;
InputStream input = null;
ByteArrayOutputStream buffer = new ByteArrayOutputStream();
try {
con = (HttpURLConnection)(new URL(url)).openConnection();
con.setRequestMethod(method);
con.setConnectTimeout(5000);
con.setReadTimeout(50000);
con.setDoOutput(false);
con.setRequestProperty("Accept", accept);
con.setRequestProperty("Accept-Language", "zh-cn,en-us;q=0.5");
con.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0");
input = con.getInputStream();
byte[] buff = new byte[256];
int len = -1;
while ((len = input.read(buff)) != -1) {
buffer.write(buff,0,len);
}
String str = buffer.toString("UTF-8"); // UTF-8
return str;
} catch (Throwable e) {
return null;
} finally {
if (input != null) {
try {
input.close();
} catch (Throwable e) {
}
}
}
}
}