10-H3C EIA 802.1X Certificate-Based Authentication Configuration Examples


H3C EIA 802.1X Certificate-Based Authentication

Configuration Examples

Software version: EIA (E6604)

Document version: 5W103-20240226

 

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example of configuring 802.1X certificate-based authentication for access users. The client and server mutually validate each other's certificates, ensuring validity of identities and secure communication.

Feature usage guidelines

Application scenarios

The following information applies to enterprise networks or campus networks requiring 802.1X certificate-based authentication.

Prerequisites

This example uses the EAP-TLS certificate authentication method in which the client and server mutually validate each other's certificates before communication. Before configuring the EIA server and iNode client, you must request the root certificate and server certificate for the EIA server and the root certificate and client certificate for the iNode client from the certificate authority. For more information about the procedures for certificate application and installation, see H3C EIA Certificate Usage Guide.

Restrictions and guidelines

If the client certificate is not directly installed on the certificate server, but installed via import/export, make sure the format of the exported client certificate is consistent with the format of the server certificate.

Example: Configuring 802.1X certificate-based authentication

Network configuration

As shown in Figure 1, an enterprise uses 802.1X to authenticate users who try to access the network, and the server and client mutually validate each other's certificates before communication. In this example, the IP address of the EIA server is 192.168.7.196, the IP address of the access device is 192.168.71.11, the user-side interface used for access authentication on the access device is GigabitEthernet 1/0/39, and the IP address of the user's PC is 192.168.70.140.

Figure 1 Network diagram

 

Restrictions and guidelines

In a cluster deployment, specify the northbound service virtual IP as the IP address of the EIA server. Do not specify the node IP address of the EIA server.

To identify the northbound service virtual IP of the EIA server in a cluster deployment:

1.     Enter https://ip_address:8443/matrix/ui in the address bar of the browser to open the Matrix page. ip_address represents the northbound service virtual IP or node IP address.

2.     On the top navigation bar, click DEPLOY.

3.     From the left navigation pane, select Clusters.

4.     Click the Cluster Parameters tab. Use the IP address in the Northbound Service Virtual IP field as the IP address of the EIA server.

 

 

NOTE:

The northbound service virtual IP (10.114.117.164) in the screenshot is for illustration only. It differs from the one used in this example.

 

Software versions used

This configuration example was created and verified on the following software:

 

Role                           Platform               Software version
802.1X authentication server   EIA                    EIA (E6604)
Access device                  H3C S7502E-XS switch   Comware software version 7.1.070, Release 7536P05
802.1X client                  iNode                  iNode PC 7.3 (E0558)

 

Procedures

Configuring the EIA server

Configure the following items on the EIA server:

·     Access device.

·     Access policy.

·     Access service.

·     Access user.

·     Certificate importing.

Adding an access device

You must add an access device to the EIA server before the EIA server can work with the access device for authentication.

To add an access device to the EIA server:

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Access Service, and then click the Access Device Management tab.

Figure 2 Access device configuration page

 

3.     On the Access Device tab, click Add.

Figure 3 Adding an access device

 

4.     Add an access device.

Click Add IPv4 Device. In the window that opens, enter the IP address of the access device in the Device IP field, and then click Confirm.

When you specify the IP address of the access device, examine the applicable RADIUS scheme on the access device to identify the IP address to specify.

¡     If the RADIUS scheme contains a NAS IP specified by using the nas-ip command for the access device, specify that IP address on the EIA server.

¡     If the RADIUS scheme does not contain a NAS IP, specify the IP address of the Layer 3 Ethernet interface or VLAN interface that connects the access device to the EIA server.

Figure 4 Manually adding the access device

 

5.     Configure the following common parameters:

¡     Authentication Port: Specify a port number for EIA to listen for RADIUS authentication packets. The authentication port must be the same as that specified in the RADIUS scheme on the access device. Typically, use the default port 1812.

¡     Accounting Port: Specify a port for EIA to listen for RADIUS accounting packets. The accounting port must be the same as that specified in the RADIUS scheme on the access device. Typically, use the default port 1813.

 

IMPORTANT:

You must use the EIA server to provide both authentication and accounting services. You cannot use the EIA server as the authentication server and another server as the accounting server.

 

¡     Shared Key/Confirm Shared Key: Specify a shared key and confirm it. The access device and the EIA server use the shared key to validate each other. The shared key must be the same as that configured in the RADIUS scheme on the access device. This example uses fine.

¡     Use the default settings for other parameters. The descriptions for some of the parameters are as follows:

-     Service Type: Specify the type of service supported by the access device. Currently, only LAN access service and device management service are available. If the service type is set to Unlimited, the device supports both LAN access and device management services. A device of the device management service type does not support LAN access service.

-     Access Device Type: Select the vendor or protocol type of the access device. Available options include STANDARD (Standard), predefined vendors and types, and administrator-defined vendors and types. The STANDARD (Standard) type requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats stipulated in the standard RADIUS protocol (RFC 2865/2866 or later). The predefined vendors include H3C, 3COM, Huawei, Cisco, Ruijie, HP, Microsoft, and Juniper.

Figure 5 Configuring common parameters

 

6.     Click Confirm. Verify that the access device has been added to the access device list.

Figure 6 Verifying that the access device has been added
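What the shared key configured in step 5 actually protects, as an added example that is not part of the H3C document: the access device and EIA never transmit the key; each side proves it holds the same key through the Message-Authenticator attribute (HMAC-MD5, RFC 3579) that every EAP-carrying Access-Request must include, and through the Response Authenticator (MD5, RFC 2865) on the server's reply. The code below uses only the Python standard library. The key fine, NAS IP 192.168.71.11 and user zana in service suffix 629 are the values of this example; the packet contents, the RADIUS identifier and the fixed request authenticator are constructed for illustration.

```python
"""Added example, not from the H3C EIA document: how the RADIUS shared key
validates packets between the access device and EIA (RFC 2865 section 3 and
RFC 3579 section 3.2). Standard library only; packet contents are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("a RADIUS attribute value is at most 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, identifier: int, attrs: bytes,
                         request_authenticator: bytes) -> bytes:
    """Access device side. The HMAC is computed over the whole packet with the
    Message-Authenticator value zeroed, then written into that attribute."""
    body = attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    header += request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + avp(MESSAGE_AUTHENTICATOR, mac)


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """Server side. Walk the attributes, zero the Message-Authenticator and
    recompute the HMAC. A wrong shared key or a modified EAP-Message fails
    here, before any certificate processing starts."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    zeroed, offset, received = bytearray(packet), 20, None
    while offset + 2 <= length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False          # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed[offset + 2:offset + 18] = bytes(16)
        offset += attr_len
    if received is None:
        return False              # RFC 3579: EAP requests without it are dropped
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def response_authenticator(secret, code, identifier, attrs, request_authenticator):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(secret, identifier, attrs, request_authenticator):
    """Server side: the reply is bound to the request it answers and to the key."""
    auth = response_authenticator(secret, ACCESS_ACCEPT, identifier, attrs, request_authenticator)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(secret, response, request_authenticator) -> bool:
    """Access device side: accept the reply only if it was produced with the same
    key for the request authenticator this device remembers sending."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(secret, code, identifier, response[20:], request_authenticator)
    return hmac.compare_digest(response[4:20], expected)


# Constructed sample exchange with the values of this document: shared key "fine",
# NAS IP 192.168.71.11, user zana with service suffix 629. The fixed request
# authenticator keeps the output reproducible; a real device uses 16 random bytes.
SECRET = b"fine"
REQUEST_AUTH = bytes(range(16))
EAP_IDENTITY = bytes([2, 1, 0, 13, 1]) + b"zana@629"   # EAP Response/Identity
REQUEST_ATTRS = (avp(USER_NAME, b"zana@629")
                 + avp(NAS_IP_ADDRESS, bytes([192, 168, 71, 11]))
                 + avp(EAP_MESSAGE, EAP_IDENTITY))


def demo() -> dict:
    """Run the checks both sides perform; each value is True only when the key matches."""
    request = build_access_request(SECRET, 7, REQUEST_ATTRS, REQUEST_AUTH)
    accept = build_access_accept(SECRET, 7, avp(EAP_MESSAGE, bytes([3, 1, 0, 4])), REQUEST_AUTH)
    tampered = bytearray(accept)
    tampered[-1] ^= 0x01          # one flipped byte in the EAP Success attribute
    return {
        "request_ok": verify_access_request(SECRET, request),
        "request_wrong_key": verify_access_request(b"fime", request),
        "accept_ok": verify_response(SECRET, accept, REQUEST_AUTH),
        "accept_wrong_key": verify_response(b"fime", accept, REQUEST_AUTH),
        "accept_tampered": verify_response(SECRET, bytes(tampered), REQUEST_AUTH),
    }


if __name__ == "__main__":
    print(demo())
```

Because both checks are keyed with the same secret, a mismatch between the key entered here and the key in the RADIUS scheme on the access device shows up as silently dropped requests on EIA and authentication timeouts on the switch, not as an explicit error; checking the shared key is therefore the first thing to verify when 802.1X authentication never reaches the certificate exchange.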

 

Adding an access policy

To validate the certificates of the access client and the EIA server, you must select a certificate authentication type when creating an access policy.

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Access Service, and then click the Access Policy tab.

3.     Click Add.

Figure 7 Adding an access policy

 

4.     Configure the access policy parameters as needed:

¡     Access Policy Name: Enter a policy name. This example uses CA policy.

¡     Authentication Type: Select an authentication type. This example uses EAP-TLS.

¡     EAP Auto Negotiate: Specify whether to enable automatic negotiation of EAP authentication types when the EAP authentication types specified on the client and EIA are different. This example disables this feature.

Use the default settings for the other parameters. The descriptions for some of the parameters are as follows:

¡     Access Period: Select an access period policy from the list. A user using the access policy can access the network only in the time ranges defined in the access period policy.

¡     Allocate IP: Specify whether to assign IP addresses to users.

¡     Upstream Rate (Kbps)/Downstream Rate (Kbps): Specify the maximum upstream rate and downstream rate for users using the access policy.

¡     Priority: Specify the traffic priority during network congestion. A smaller value indicates a higher priority. Select a priority value from the priority values supported by the device. An invalid value might result in failures of endpoint users to access the network.

¡     Authentication Type/Subtype: Select an EAP authentication type. During EAP authentication, the RADIUS server deploys this EAP authentication type to the client. Options include EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP. If you select the EAP-TTLS or EAP-PEAP authentication type, select EAP-MSCHAPv2, EAP-MD5, or EAP-GTC as the subtype.

-     EAP-MD5: CHAP-based EAP authentication.

-     EAP-TLS: Certificate-based identity authentication, which uses the TLS protocol to implement identity authentication and requires PKI for certificate management. The server and client use certificates for identity authentication. If authentication succeeds, the two sides negotiate a shared key, session ID, and cipher suite (encryption, compression, and data integrity check) to set up a secure and reliable communication channel. EAP-TLS uses the session ID for fast reauthentication, which greatly simplifies the authentication process. It also supports fragmentation of large TLS packets.

-     EAP-TTLS: Certificate-based identity authentication, which initiates subauthentication within the security channel set up by TLS authentication between the client and EIA. The authentication method protects the user identity and the EAP authentication negotiation process. Subauthentication types include EAP or non-EAP authentication. EAP authentication can be EAP-MSCHAPv2, EAP-MD5, or EAP-GTC. Non-EAP authentication can be MSCHAPv2 or PAP. If you select the EAP-TTLS authentication type, you must select an EAP subtype on EIA. However, in actual authentication, an endpoint can use a non-EAP subtype (PAP, for example) even if an EAP subtype is configured on EIA.

-     EAP-PEAP: Certificate-based identity authentication, which initiates EAP authentication within the security channel set up by TLS authentication between the client and EIA. The authentication method protects the user identity and the EAP authentication negotiation process. EAP authentication can be EAP-MSCHAPv2, EAP-MD5, or EAP-GTC.

¡     EAP Auto Negotiate: Specify whether to enable automatic negotiation of EAP authentication types when the EAP authentication types specified on the client and EIA are different. With this feature enabled, EIA permits the client's authentication request without considering the EAP type configured on the client. With this feature disabled, EIA rejects the client's authentication request if the EAP authentication types specified on the client and EIA are different.

¡     Maximum Online Duration for a Logon (Minutes): Specify the maximum duration an authenticated user that uses the access policy can be online, in minutes. The value is an integer in the range of 1 to 1440. If you leave this field empty, the online duration is not limited. If you specify a value and the online duration of an access user exceeds the specified value, EIA logs off the user.

¡     Deploy VLAN: Specify a VLAN ID or name for deployment to users. After passing authentication, users can access resources in the specified VLAN only. On the access device, configure the VLAN assignment mode as integer or string type accordingly:

If the type of the access device is H3C (General), HUAWEI (General), HP (Comware), or 3COM (General), you can enter a VLAN ID or VLAN name. EIA takes any integer in the range of 1 to 4094 as an integer-type VLAN ID and deploys it to the access device. Any other character string is taken as a string-type VLAN name and deployed to the access device.

If the access device is none of the previous types, EIA always deploys the entered value to the access device as a string-type VLAN name.

¡     Deploy Address Pool: Enter an address pool name to be deployed to the access device for assigning IP address to users. For successful address assignment, make sure an address pool with the same name exists on the access device.

¡     Deploy User Profile: Specify the name of the user profile for deployment to the device to perform user-based QoS functions. This feature takes effect only when the user profile to be deployed has been configured on the device.

¡     Deploy VSI Name: Specify the name of the VSI for deployment to a leaf access device. This allows allocating users to the corresponding VXLAN in a VXLAN networking scenario.

¡     Deploy User Group: Specify the name of the user group to which the users belong after they pass authentication. You can enter multiple user groups, separated by semi-colon (;). This feature takes effect only when EIA works with an SSL VPN device.

¡     Deploy ACL: Specify an ACL for deployment to access users. Use either of the following methods:

-     Manually enter an ACL.

-     Specify an ACL from the ACL list. To modify the ACL list, navigate to the Access Policy > Access ACL page.

¡     Offline Check Period (Hours): Specify the offline check period during which an access user's online status is checked. If no heartbeat packet is received from an online user within the specified period, the user's connection will be disconnected.

¡     Authentication Password: Specify an authentication password option.

-     If you select Account Password, the server validates only the account password.

-     If you select Dynamic Password, the server validates only the dynamic password. The dynamic password is sent to the user via SMS or email.

-     If you select Account Password + Dynamic Password, the server validates both the account password and dynamic password. The dynamic password is sent to users via SMS.

Dynamic passwords support only the PAP, EAP-MD5, EAP-PEAP/EAP-MD5, and EAP-PEAP/EAP-GTC authentication methods. If you select the Dynamic Password or Account Password + Dynamic Password option in the Authentication Password field, you must configure the authentication method as one of these options.

¡     Authentication Binding Information

EIA cooperates with the access device to check the binding information for each user account to be authenticated, including the IP address, port, VLAN, QinQ double VLAN, and SN of the access device, and the IP address, MAC address, IMSI, IMEI, wireless user SSID and the hard disk serial number of the user endpoint. The iNode client cooperates with the policy server to check the following binding information of the user: user IP address, MAC address, computer name, computer domain, logon domain and hard disk serial number. Among the binding items, user MAC address and IMSI are mutually exclusive and cannot be bound at the same time. You can configure binding information for an access policy and apply the access policy in an access service. If a user uses an access service that applies an access policy without binding information, auto learning is adopted. In this case, EIA binds the parameters used in the first login of a user. For example, if a user uses 10.100.10.10 for the first login through the service, the user must always use the IP address for future authentication.

-     Control Access IP/MAC Address: With this feature enabled, EIA checks the IP address or MAC address of an access user using this policy when the user attempts to come online. If the IP address or MAC address is on the allowed access address list, the user can come online. Otherwise, the user cannot come online. For more information about the access address configuration, see Access IP/MAC Address.

-     Control Hard Disk Serial Number: With this feature enabled, EIA checks the hard disk serial number of a user endpoint when the user attempts to come online. If the serial number is permitted or EIA cannot obtain the hard disk serial number, the user is allowed to come online. Otherwise, the user cannot come online. This feature must work with an iNode PC client.

-     Enable SSID Access Control: When you enable this feature and set the SSID filter to Permit, EIA maintains an SSID allowlist. Users can access the network when they connect to an SSID on the SSID access control list. When you enable this feature and set the SSID filter to Deny, EIA maintains an SSID denylist. Users cannot access the network when they connect to an SSID on the SSID access control list. This feature must work with the iNode PC client. The client receives the SSID access control configuration from EIA and saves it to the PC. The configuration also applies to the Windows built-in 802.1X application.

-     Enable BIOS Serial Number: With this feature enabled, EIA checks the BIOS serial number of an access user using this service when the user attempts to come online. If the serial number is permitted, the user is allowed to come online. Otherwise, the user cannot come online. If EIA cannot obtain the BIOS serial number, it allows the user to come online. This feature must work with an iNode PC client.

¡     User Client Configuration

-     iNode Client Only: You can use this feature to set restrictions on the authentication client. If iNode Client Only is selected, end users must use the iNode client for authentication. You can also select options such as Disable Proxy Server, Disable Proxy Setting in IE, Forbid Modifying IP When Online, and Forbid Modifying MAC for more restrictions.

-     Disable iNode DC for Windows: With this feature enabled, the iNode Dissolvable Client (iNode DC) is forbidden when a Windows operating system is used.

-     Disable iNode DC for Linux/MacOS: With this feature enabled, the iNode DC is forbidden when a Linux or MacOS operating system is used.

-     Forbid Modifying IP When Online: Specify whether to forbid an online user from modifying the IP address of the authentication NIC. If an online user modifies the IP address, the following results might occur depending on your configuration:

If you enable the policy server and select Forbid Modifying IP When Online, the client is immediately logged out.

If you enable the policy server and have not selected Forbid Modifying IP When Online, the client is logged out after waiting for a certain period.

If you have not enabled the policy server and have selected Forbid Modifying IP When Online, the client is logged out after waiting for a certain period.

If you have not enabled the policy server and have not selected Forbid Modifying IP When Online, the client stays online.

-     Disable Proxy Server: Specify whether to prohibit the users' PCs from acting as proxy servers for other users.

-     Disable Proxy Setting in IE: Specify whether to prohibit proxy settings in IE for Internet access.

-     Disable Multiple NICs: Specify whether to prohibit a single user from enabling multiple NICs at the same time.

-     Prohibit Multiple OSs: Specify whether to prohibit a user from installing multiple operating systems on the PC.

-     Prohibit Multi-IP on Authenticated NIC: Specify whether to prohibit a user from configuring multiple IP addresses for a single authenticated NIC.

-     Forbid Modifying MAC: Specify whether to prohibit changes to a user PC's MAC address.

-     Reject Duplicate MAC Addresses: Specify whether to reject authentication of duplicate MAC addresses. With this feature enabled, when a user with the same MAC address as an existing one uses an iNode client to perform authentication, the authentication fails.

-     Block VMware NAT Service: Specify whether to prevent users from setting vNICs to NAT mode on VMs and to prevent unauthenticated VMs from accessing the host machine's network.

-     Block VMware USB Service: Specify whether to prevent users from using the VMWare Hostd and VMUSB Arb services.

When this option is selected, VM users cannot use the USB devices that are connected to the host machine. You can select this option and the Block VMWare NAT Service option to prevent the host machine from sharing the wireless hotspots that are created on the vNICs of VMs.

-     IP Address Assignment Method: Specify the method for assigning IP addresses to users. If Static is selected, users can use only static IP addresses to perform authentication and access the network. If Dynamic is selected, users must use the IP addresses allocated through DHCP to access the network.

-     Action for Violation: This feature specifies the action to take on a user who has compliance violations. Actions can be Kick Out, which logs out the user, or Monitor, which keeps the user online. This feature applies to only the following check items: Disable Proxy Server, Disable Proxy Setting in IE, Disable Multiple NICs, Prohibit Multiple OSs, Prohibit Multi-IP on Authenticated NIC, Forbid Modifying MAC, Reject Duplicate MAC Addresses, Block VMWare NAT Service, Block VMWare USB Service, Prohibit from Running on Virtual Machine, and IP Address Assignment Method. Violations of these items will be recorded in client violation check logs. For violations of other check items in the iNode client configuration, the users will be logged out and no logs are generated for these violations.

-     Auto Reconnect after Network Failure: Specify whether to enable auto reconnect after a network failure. With this feature enabled, the client automatically retries to reconnect if the user connection is disconnected because of a network failure. After you enable this feature, you can configure the retry interval and maximum number of retries. If you set the retry interval to 30 minutes and the maximum number of retries to 3, the client will try to reconnect every 30 minutes for a maximum of three times after the user is disconnected. To ensure normal system operation, consider the number of online users when you set the retry interval. For more information, see the table below.

 

Online users   Retry interval
<=1000         5 minutes
<=2000         10 minutes
<=3000         15 minutes
<=5000         25 minutes
>5000          Not recommended. When the number of online users exceeds 5000, the auto reconnect feature greatly impacts the server's performance. As a best practice, do not use this feature in such a scenario.

 

-     Lowest Client Version: Specify the allowed lowest version of iNode PC clients. Users cannot pass authentication by using an iNode client lower than the specified version. This parameter is available only when the iNode Client Only option is selected.

5.     Click Confirm.
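The Deploy VLAN rule described above (an integer in the range of 1 to 4094 is deployed as a VLAN ID, anything else as a VLAN name, and only for the four listed device types), shown as an added example that is not part of the H3C document, together with one way the assignment travels to the access device. The wire encoding is an assumption: it follows the IEEE 802.1X VLAN assignment of RFC 3580 section 3.31 (tagged Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes in the Access-Accept); the document does not show EIA's actual format. The device type strings are the ones the document names; the sample VLAN values are constructed.

```python
"""Added example, not from the H3C EIA document: the Deploy VLAN classification
rule and a RADIUS encoding of the resulting assignment (RFC 3580 section 3.31,
assumed; the document does not show EIA's wire format). Standard library only."""
import struct

# Device types for which EIA distinguishes a VLAN ID from a VLAN name (named in the document).
ID_AWARE_DEVICE_TYPES = {"H3C (General)", "HUAWEI (General)", "HP (Comware)", "3COM (General)"}

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def classify_vlan(device_type: str, value: str) -> tuple:
    """Apply the document's rule: ("id", 100) or ("name", "guest-vlan")."""
    is_integer = value.isascii() and value.isdigit() and 1 <= int(value) <= 4094
    if device_type in ID_AWARE_DEVICE_TYPES and is_integer:
        return ("id", int(value))
    return ("name", value)


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: one tag byte followed by a 24-bit value."""
    return struct.pack("!BBI", attr_type, 6, (tag << 24) | (value & 0x00FFFFFF))


def tagged_string(attr_type: int, tag: int, value: bytes) -> bytes:
    """Tagged string attribute. Tags are 0x00-0x1F; a larger first byte would be
    read by the receiver as part of the string rather than as a tag."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0x00-0x1F")
    if len(value) > 252:
        raise ValueError("a tagged string value is at most 252 bytes")
    return struct.pack("!BB", attr_type, 3 + len(value)) + bytes([tag]) + value


def vlan_attributes(device_type: str, value: str, tag: int = 1) -> bytes:
    """Attributes the server would place in the Access-Accept for Deploy VLAN = value.
    Both a VLAN ID and a VLAN name travel in Tunnel-Private-Group-ID as text;
    the receiving switch decides which of the two it holds."""
    kind, vlan = classify_vlan(device_type, value)
    group = str(vlan).encode() if kind == "id" else vlan.encode()
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group))


def parse_vlan_attributes(attrs: bytes):
    """Access-device side: walk the attribute list and return the value carried in
    Tunnel-Private-Group-ID, or None unless Tunnel-Type is VLAN, Tunnel-Medium-Type
    is IEEE-802, all three share one tag, and the list is well formed."""
    found, offset = {}, 0
    while offset + 2 <= len(attrs):
        attr_type, attr_len = attrs[offset], attrs[offset + 1]
        if attr_len < 2 or offset + attr_len > len(attrs):
            return None           # malformed or truncated attribute
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and attr_len == 6:
            found[attr_type] = (attrs[offset + 2], int.from_bytes(attrs[offset + 3:offset + 6], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and attr_len >= 3:
            found[attr_type] = (attrs[offset + 2], attrs[offset + 3:offset + attr_len].decode("ascii", "replace"))
        offset += attr_len
    if set(found) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
        return None
    if len({tag for tag, _ in found.values()}) != 1:
        return None               # attributes from different tunnel groups
    if (found[TUNNEL_TYPE][1], found[TUNNEL_MEDIUM_TYPE][1]) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802):
        return None               # not a VLAN assignment
    return found[TUNNEL_PRIVATE_GROUP_ID][1]


if __name__ == "__main__":
    for device, value in [("H3C (General)", "100"), ("H3C (General)", "guest-vlan"),
                          ("H3C (General)", "4095"), ("Cisco", "100")]:
        attrs = vlan_attributes(device, value)
        print(device, value, classify_vlan(device, value), parse_vlan_attributes(attrs))
```

The parser returns None rather than a partial result when the three attributes disagree, because a switch that applied a Tunnel-Private-Group-ID without checking the tunnel type could move a port into an unintended VLAN; the same whole-or-nothing check is what to look for when a deployed VLAN does not take effect on the access device.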

Adding an access service

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Access Service.

3.     Click Add.

Figure 8 Adding an access service

 

4.     Configure the access service parameters as needed:

¡     Service Name: Enter a service name. This example uses CA service.

¡     Service Suffix: Enter a service suffix. This example uses 629.

¡     Default Access Policy: Specify an access policy as the default access policy. This example uses CA policy.

Use the default settings for other parameters. The descriptions for some of the parameters are as follows:

¡     Service Suffix: Used in authentication to identify services that a user has requested. If a service suffix is set for the service requested by the user, the user must use username@service_suffix as the login name for authentication. For normal authentication, make sure the service suffix is the same as the domain name on the access device, and the device has uploaded the domain name.

¡     Description: Enter a description for the access service.

¡     Daily Max. Online Duration: Specify the total duration in a day that an account can access the network by using the service. When the limit is reached, the account is forced offline and cannot access the network for the rest of that day. The value is an integer in the range of 0 to 1440 minutes. A value of 0 means not limited.

¡     Default Security Policy: Specify the security policy applied to users in access scenarios that are not included in the service. The security policy is used to check and monitor user endpoints for security issues and to automatically defend the network. This parameter is displayed only when the EAD component is installed.

¡     Default Internet Access Policy: Specify the Internet access policy applied to users in access scenarios that are not included in the service.

¡     Default Access Policy: Specify the default access policy applied to users in access scenarios that are not included in the service.

¡     Default Proprietary Attribute Assignment Policy: Specify the default proprietary attribute assignment policy. If a user that uses the service does not match an access device group when the user accesses the network, the system deploys proprietary attributes to the access device according to the configuration of the default proprietary attribute assignment policy.

¡     Max. Number of Bound Endpoints: Specify the maximum number of endpoints a user can bind in the access scenario. The value range is 1 to 999. A value of 0 indicates no limit. When the number of endpoints bound to the user reaches the specified value, no more endpoints can be bound and come online. This parameter is displayed only when the EIP component is deployed.

¡     Default Max. Devices for Single Account: Specify the number of endpoints to be bound to the same user account in access scenarios that are not included in the service. This parameter is displayed only when the EIP component is deployed.

EIA checks the maximum number of bound endpoint devices for a single account in the following order:

-     Matched access scenario: Checks the number of bound endpoint devices against the maximum number limit specified in the scenario. If the number reaches the limit, EIA denies the user authentication.

-     Scenarios in all services: Checks the number of bound endpoint devices in scenarios of all assigned services for the account. If the number reaches the value of Max. Device for Single Account specified in user endpoint settings on the Automation > User > Service Parameters > Access Parameters > System Settings page, EIA denies the user authentication.

¡     Max. Number of Online Endpoints: Specify the maximum number of allowed online endpoints of a user in the access scenario. The value range is 0 to 999. A value of 0 indicates no limit. If the number of online endpoints of the user in the access scenario exceeds the specified value, no more endpoints can come online.

¡     Default Max. Number of Online Endpoints: Specify the maximum number of online endpoints using the same user account in access scenarios that are not included in the service.

¡     Service Group: Select a service group for the service. The service group ensures privilege management of the service. The administrators and maintainers can add the service to one of the service groups to which they have the management privileges.

¡     Transparent Authentication: Specify whether to enable transparent authentication for the access service. When an endpoint user passes authentication by entering the correct username and password for the first time, the RADIUS server binds the endpoint MAC address with the access user account. When the user attempts to access the network again, the RADIUS server automatically authenticates the user by matching the MAC address with the bound account, without user intervention. Transparent authentication includes transparent portal authentication and transparent MAC authentication. In transparent portal authentication, the access service is also bound with the MAC address and user account, and must be matched for subsequent user authentication.

To enable a portal gateway to perform transparent authentication on a client:

-     Configure the portal gateway to support transparent authentication at the CLI. Specify the IP address and port number of the portal server to process packets for transparent authentication. The default port number is 50100.

-     Navigate to the Automation > User > Service Parameters > Portal Service >Portal Device page. Click the Port Group icon in the Operation column for the target device, click the Modify icon for the target port group, and then select Supported in the Transparent Authentication field.

-     Navigate to the Automation > User > Service Parameters > Access Parameters > System Settings page, and click the Configure icon for the User Endpoint Settings item. Select Enabled in the Transparent Authentication field.

To implement transparent MAC authentication, you must complete the following configuration:

-     Configure the access device to support transparent authentication at the CLI.

-     Navigate to the Automation > User > Service Parameters > Access Parameters > System Settings page, and click the Configure icon for the User Endpoint Settings item. Select Enabled in the Transparent Authentication field.

If the above conditions are met, users can use the service to perform transparent authentication for accessing the network. To view the bindings of the endpoints and access users, navigate to the Monitor > Monitor List > Endpoint > Access Endpoint page.

When Transparent Authentication is selected for an access service, the Bind User MAC option of the service does not take effect on users who pass transparent authentication.

5.     Click Confirm.

Adding an access user

For successful authentication, when you add a user, make sure the account name matches at least one of the selected attributes if you have configured the following settings on the System Settings page:

·     Enabled Check Cert Attributes for Account.

·     Selected one or more attributes among Subject-CN, Subject-Email, Subject Alternative Name-DNS, and Subject Alternative Name-UPN.

If you have not enabled Check Cert Attributes for Account, the restriction does not apply. In this example, this feature is disabled.

To add an access user:

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Access User.

3.     Click Add.

Figure 9 Adding an access user

 

4.     Configure access information and access service:

¡     Account Name: Specify an account name to uniquely identify the access user. You do not need to select any user type options. This example uses account name zana.

¡     Password/Password Confirm: Enter the password for authentication and enter the password again for confirmation.

¡     Access Service: Select an added access service. This example uses CA service.

Use the default settings for other parameters. The descriptions for some of the parameters are as follows:

¡     Trial Account: You can set a user as a trial account access user when adding the user. A trial account access user cannot come online and will not generate any expense information even if the user has requested a service and the account has enough charges.

¡     Default BYOD User: When you add an access user, you can set the user as a default BYOD user (this option is displayed only when the system does not have a default BYOD user). The account name of the default BYOD user is fixed at byodanonymous, and you do not need to set the account password for the default BYOD user. In MAC authentication, if a MAC address is not bound to any account name, the user logs in as the default BYOD user. After the user logs in, the user can access the platform registration page, register a guest account, or bind the MAC address to an existing account. After successful binding of the user MAC address and the account, the system forces the user offline. When the user performs authentication again, the user can use the account name bound to the MAC address.

¡     MAC Authentication User: Select this option to hide parameters such as Password, Password Confirm, and Allow User to Change Password.

¡     Fast Access User: You can set a new user as a fast access user (this option is displayed only when the system does not yet have a fast access user). If you select Fast Access User, the account name is automatically set to anonymous, and the password configuration is unavailable. The number of licenses occupied by fast access users equals the number of online fast access users.

¡     Start Time: Time at which the account becomes valid automatically. If no start time is set, the account becomes valid immediately upon creation.

¡     End Time: Time at which the account becomes invalid automatically. If no end time is set, the account never becomes invalid automatically. Invalid accounts can still log in to the self-service platform.

¡     Max. Idle Time: Maximum length of time for which an online user can remain idle before being logged off by the access device. If you do not configure this parameter, a user will not go offline because of idleness.

¡     Max. Concurrent Logins: Maximum number of concurrent online users using the account. If you do not configure this parameter, the number of concurrent online users using the account is not limited. If you have selected the Fast Access User option for the account, the value must be an integer in the range of 1 to 255.

¡     Login Message: Prompt information displayed on the login window after a user using the account passes the authentication. You can customize the message as needed. For example, Merry Christmas.

Figure 10 Adding an access user

 

5.     Click Confirm.

Configuring the certificates

For more information about the procedures for requesting the root certificate and server certificate, see EIA Certificate Usage Guide.

To configure the certificates:

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Service Parameters > Access Parameters, and then click the Certificate tab.

Figure 11 Certificate configuration

 

3.     On the Root Certificate tab, click Import EAP Root Certificate.

4.     Click Select File, and then select the root certificate to be imported.

Figure 12 Selecting a file

 

5.     Click Next.

6.     Configure the CRL settings as needed, and then click OK.

In this example, no CRL settings are configured. Note that without a CRL, EIA keeps accepting a client certificate that the CA has since revoked until that certificate expires; configure CRL checking for a production deployment.

7.     Click the Server Certificate tab.

8.     Click Import EAP Server Certificate.

9.     Select the check box next to Private key is included in server certificate file. Click Select File in the Server Certificate File field, and then select the server certificate file to be imported.

Figure 13  Configuring the server certificate

 

10.     Click Next, and then enter the server private key password (configured when you exported the server certificate).

11.     Click OK.

12.     Click Verify Imported Certificate to validate the root certificate and server certificate. The server certificate must be issued under the imported root certificate; otherwise the validation fails.
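The script below is an added worked example and is not part of the H3C document or of EIA itself. It uses openssl to build a throwaway root CA, an EIA server certificate and an iNode client certificate, then runs the checks that the import steps above and the Check Cert Attributes for Account option depend on: that both leaf certificates chain to the root (and that the server certificate alone cannot serve as a trust anchor), that each carries the right extended key usage and has not expired, that the client certificate's Subject-CN equals the account name zana, that the server bundle really contains its private key under the export password, and what happens to a revoked client certificate when no CRL is consulted. The CA name, the host name eia.example.net and the export password changeit are assumptions for the example; zana and 629 are the account name and domain used in this document.

```shell
#!/bin/sh
# Added example, not part of the H3C document: build a throwaway EAP-TLS test PKI
# with openssl and run the checks a practitioner applies before importing the root
# and server certificates into EIA and the client certificate into iNode.
# Assumptions (mine, not the document's): openssl 1.1.1 or later is on PATH; the
# CA name and the host name eia.example.net are illustrative; the account name
# zana and domain 629 match the example user zana@629.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: a req section, one extension section per role, and a
# [ca] section used only for revocation and CRL generation.
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:eia.example.net
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:zana@629
[ca]
default_ca = lab_ca
[lab_ca]
database = $WORK/index.txt
serial = $WORK/serial
new_certs_dir = $WORK
certificate = $WORK/root.pem
private_key = $WORK/root.key
default_md = sha256
default_crl_days = 30
EOF

# Issue a certificate under the test root: $1 = file stem, $2 = subject CN, $3 = extension section.
issue() {
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 825 -extfile "$WORK/pki.cnf" -extensions "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}

build_test_pki() {
    # Self-signed root: the file imported on the Root Certificate tab and installed on the client.
    openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 3650 -subj "/CN=Lab Root CA" 2>/dev/null
    issue server eia.example.net server_ext   # EIA's EAP server certificate
    issue client zana client_ext              # the iNode user's certificate, CN = account name
    # Server certificate "with private key included", protected by the password EIA asks for on import.
    openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" -certfile "$WORK/root.pem" \
        -passout pass:changeit -out "$WORK/server.p12" 2>/dev/null
}

# Revoke the client certificate and publish a CRL, as the CA does when a user leaves.
revoke_client() {
    : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
    openssl ca -config "$WORK/pki.cnf" -revoke "$WORK/client.pem" 2>/dev/null
    openssl ca -config "$WORK/pki.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# 0 if certificate $2 chains to trust anchor $1; with $3 set, also reject it if listed in CRL $3.
chains_to() {
    if [ -n "$3" ]; then
        openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# 0 if certificate $1 has not expired and carries the extended key usage text $2.
eku_ok() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$2"
}

# Subject CN: the attribute EIA compares with the account name when Check Cert Attributes for Account is on.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=\([^,]*\).*/\1/'
}

# 0 if the PKCS#12 file $1 really contains a private key under password $2.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

build_test_pki
revoke_client
echo "client CN: $(cert_cn "$WORK/client.pem")"
chains_to "$WORK/root.pem" "$WORK/client.pem" && echo "client chains to root (no CRL: revoked cert still accepted)"
chains_to "$WORK/root.pem" "$WORK/client.pem" "$WORK/crl.pem" || echo "client rejected once the CRL is checked"
```

Run it with sh; it needs only openssl. The last two lines are the point of the CRL caveat: the revoked client certificate still verifies against the root until the CRL is consulted, which is what the CRL settings in step 6 are for. The otherName entry in client_ext is the SAN-UPN form of the account name; the check reads only the Subject-CN because openssl's text rendering of otherName differs between versions.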

Configuring the access device

1.     Configure a RADIUS scheme:

# Enter system view.

<SWITCH>system-view

# Configure a RADIUS scheme named capolicy.

[SWITCH]radius scheme capolicy

# Specify the EIA server as the authentication server. Configure the authentication port as that configured on EIA.

[SWITCH-radius-capolicy]primary authentication 192.168.7.196 1812

# Specify the EIA server as the accounting server. Configure the accounting port as that configured on EIA.

[SWITCH-radius-capolicy]primary accounting 192.168.7.196 1813

# Configure the shared keys for authentication and accounting as those configured on EIA. The value fine is only an example value; use a long random key in production.

[SWITCH-radius-capolicy]key authentication simple fine

[SWITCH-radius-capolicy]key accounting simple fine

# Specify a source IP address for outgoing RADIUS packets. Use the address under which the access device is registered on EIA; EIA does not process RADIUS requests from an unregistered source address.

[SWITCH-radius-capolicy]nas-ip 192.168.71.11

# Include domain names in the usernames sent to the RADIUS server, so that the username zana@629 entered in iNode is forwarded to EIA unchanged.

[SWITCH-radius-capolicy]user-name-format with-domain

[SWITCH-radius-capolicy]quit

2.     Configure a domain:

# Configure a domain named 629.

[SWITCH]domain 629

# Configure the domain to use RADIUS scheme capolicy for authentication, authorization, and accounting.

[SWITCH-isp-629]authentication lan-access radius-scheme capolicy

[SWITCH-isp-629]authorization lan-access radius-scheme capolicy

[SWITCH-isp-629]accounting lan-access radius-scheme capolicy

[SWITCH-isp-629]quit

3.     Configure 802.1X authentication:

# Enable 802.1X both globally and on GigabitEthernet 1/0/39.

For the 802.1X feature to take effect on an interface, you must enable the feature both globally and on the interface.

[SWITCH]dot1x

[SWITCH]interface GigabitEthernet 1/0/39

[SWITCH-GigabitEthernet1/0/39]dot1x

[SWITCH-GigabitEthernet1/0/39]quit

# Set the 802.1X authentication method to EAP relay.

To perform certificate-based authentication, you must set the authentication method to EAP. In EAP relay mode the switch forwards the EAP-TLS exchange between the client and EIA unchanged; the EAP termination methods (CHAP and PAP) support only MD5-Challenge and cannot carry the TLS handshake.

[SWITCH]dot1x authentication-method eap

Configuring the client

Installing the root certificate

For request and installation of the client root certificate, see EIA Certificate Usage Guide.

Requesting and installing a client certificate

For request and installation of the client certificate, see EIA Certificate Usage Guide.

Configuring the iNode PC client

Configuring certificate-based authentication

1.     Open the iNode PC client, and select 802.1X connection.

Figure 14 iNode client

 

2.     Click More, and then select Properties.

Figure 15 Property settings

 

3.     Click the Advanced tab.

Figure 16 Advanced authentication settings

 

4.     Select the check box before Enable advanced authentication.

Figure 17 Enable advanced authentication

 

5.     Configure certificate authentication:

a.     Select Certificate Authentication from the drop-down list.

b.     Set the authentication type to EAP-TLS.

c.     Click Client Certificate. In the window that opens, select the client certificate used for authentication, and then click OK.

d.     Select the check box before Validate server certificate chain. Keep this option enabled: it makes iNode reject an authentication server whose certificate does not chain to the installed root certificate, which is the client-side half of the mutual validation this example relies on.

Figure 18 Configuring certificate authentication

 

6.     Click OK.

Performing authentication using the iNode client

1.     Click 802.1X connection.

Figure 19 Connection validation

 

2.     Enter username zana@629, and then click Connect.

The iNode client starts to request identity validation. After the validation is complete, the user successfully connects to the network.

 

Viewing the online user on EIA

1.     On the top navigation bar, click Monitor.

2.     From the left navigation pane, select Monitor List > Online User.

3.     On the Local tab, view the local online user list to verify that user zana@629 is online.
