Login
- Released At: 09-12-2024
- Page Views:
- Downloads:
- Table of Contents
- Related Documents
-
H3C EIA LDAP-based MSCHAPv2 Authentication
Configuration Examples
Product Version: EIA (E6604)
Document version: 5W103-20240226
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring LDAP-based MSCHAPv2 authentication
Configuring the Windows AD server
Using the iNode client to initiate authentication
Introduction
The following information provides an example of configuring LDAP for EIA MSCHAPv2 authentication. EAP-PEAP is a type of EAP certificate authentication, and EAP-PEAP-MSCHAPv2 is a subtype of EAP-PEAP. When the LDAP server uses Windows AD, LDAP users support EAP-PEAP-MSCHAPv2 authentication.
Example: Configuring LDAP-based MSCHAPv2 authentication
Network configuration
An enterprise plans to use the EIA LDAP-based MSCHAPv2 authentication system to control employee access to the enterprise network.
In this example, the endpoint user uses 802.1X certificate authentication through the iNode client. You must add an LDAP server on EIA and configure the EAP MSCHAPv2 certificate authentication. The LDAP server is Windows AD.
As shown in Figure 1,
· The IP address of the EIA server is 192.168.7.196. In a cluster deployment, specify the northbound service virtual IP as the IP address of the EIA server. Do not specify the node IP address of the EIA server. To identify the northbound service virtual IP of the EIA server in a cluster deployment:
a. Enter https://ip_address:8443/matrix/ui in the address bar of the browser to open the Matrix page. ip_address represents the northbound service virtual IP or node IP address.
b. On the top navigation bar, click DEPLOY. From the left navigation pane, select Clusters. Click the Cluster Parameters tab. Use the IP address in the Northbound Service Virtual IP field as the IP address of the EIA server.
· The IP address of the LDAP server is 10.114.119.46.
· The IP address of the access device is 172.19.254.101.
Software versions used
This configuration example was created and verified on the following software and hardware:
· EIA: EIA (E6604)
· Windows AD: Installed in Windows Server 2012
· Access Device: H3C S7502E-XS Comware Software, Version 7.1.070, Release 7536P05
· iNode PC: iNode PC 7.3 (E0558)
Prerequisites
· The access device supports the 802.1X protocol and can communicate with EIA.
· The LDAP server is Windows AD and can communicate with EIA.
· The server certificate application is completed.
Procedures
Configuring the Windows AD server
Perform the following tasks on the Windows AD server:
· Configure h3c.com as the root domain name of the forest.
· Configure h3c as the NetBIOS domain name.
· In folder Users of domain h3c.com, reset the password for the administrator to EIA123456.
· Create organization testid in domain h3c.com, and then create users test001 and test002 in the organization.
· Create virtual computer xin10939 in domain h3c.com and execute script file ModifyComputerAccountPass.vbs to reset the password of the virtual computer, as described in "Reseting the virtual computer password."
· Run Windows AD on a Windows Server 2012 server with the full name ad.h3c.com.
Configuring the EIA server
Perform the following tasks in order on the EIA server:
1. Add an access policy.
2. Add an access service.
3. Add a LDAP server.
4. Reset the virtual computer password.
5. Add an LDAP synchronization policy.
6. Synchronize user data.
7. Import a server certificate.
8. Configure system parameters.
9. Add an access device.
Adding an access policy
To add an access policy:
1. On the top navigation bar, click Automation.
2. From the left navigation pane, select User > Access Service > Access Policy.
3. Click Add.
¡ Access Policy Name: Enter the access policy name CA Policy.
¡ Authentication Type: Select EAP-PEAP.
¡ Subtype: Select EAP-MSCHAPv2.
¡ Use the default settings for other parameters. For more information about the parameters, see the online help.
Figure 3 Adding an access policy
4. Click Confirm. The system returns to the Access Policy page. You can view the newly added access policy in the list.
Figure 4 Viewing the newly added access policy
Adding an access service
An access service is a collection of policies for user authentication and authorization.
To add an access service:
1. On the top navigation bar, click Automation.
2. From the navigation pane, select User > Access Service.
3. Click Add. On the page that opens, configure the following parameters:
¡ Service Name: Enter the access service name CA Service.
¡ Service Suffix: Enter the service suffix cert.
¡ Default Access Policy: Select access policy CA Policy.
¡ Use the default settings for other parameters.
Figure 6 Adding an access service
|
Authentication username |
Authentication domain on the device |
RADIUS scheme command on the device |
Service suffix on EIA |
|
X@Y |
Y |
user-name-format with-domain |
Y |
|
user-name-format without-domain |
No suffix |
||
|
X |
[Default Domain] |
user-name-format with-domain |
[Default Domain] |
|
user-name-format without-domain |
No suffix |
|
|
NOTE: The service suffix, authentication username, authentication domain, and the device's RADIUS scheme command are closely related to each other. For more information about the matrix of these elements, see Table 1. In this example, configure a service suffix for the EIA server, use X@Y as the authentication username, and execute the user-name-format with-domain command on the access device. |
4. Click Confirm. The system returns to the Access Service page. You can view the newly added access service in the list.
Figure 7 Viewing the newly added access service
Adding an LDAP server
1. On the top navigation bar, click Automation.
2. From the navigation pane, select User >Access Parameters > LDAP Service.
3. Click Add.
¡ LDAP Server Name: Enter server name Windows AD.
¡ Address: Enter server address 10.114.119.46.
¡ Server Type: Select server type Microsoft AD.
¡ Admin DN: Enter administrator DN cn=administrator,cn=users,dc=h3c,dc=com.
¡ Admin Password: Enter administrator password EIA123456.
¡ Base DN: Enter base DN dc=h3c,dc=com.
¡ User Group: Select Synchronize by OU.
¡ Enable MS-CHAPv2: Select Yes to enable MS-CHAPv2 authentication for the Windows AD server.
¡ Authentication Method: Select Authentication by Virtual Computer.
¡ Use IP Addresses of LDAP Servers: Select Yes, because this example uses the domain controller as the LDAP server.
¡ Domain Controller Full Name: Enter the full name of the domain controller server ad.h3c.com.
¡ Auto Join Computer Domain: Select No. For more information about this parameter, see the online help.
¡ Virtual Computer Name: Enter virtual computer name xin10939.
¡ Virtual Computer Password: Enter the password for the virtual computer, and then enter it again in the Confirm virtual computer password field to confirm it.
¡ Use the default settings for other parameters.
Figure 9 Adding an LDAP Server (1)
Figure 10 Adding an LDAP Server (2)
4. After configuration, click Test to check the server's connectivity. If the server is configured correctly, the test result will be as shown in Figure 11.
5. Click Confirm. The system returns to the LDAP server list. You can view the newly added server configuration in the list.
Figure 12 Viewing the newly added server configuration
Reseting the virtual computer password
After adding a virtual computer to the domain controller, execute the ModifyComputerAccountPass.vbs script file to reset the password of the virtual computer.
1. On the top navigation bar, click Automation.
2. From the left navigation pane, select User > Service Parameters > LDAP Service > LDAP Parameters.
3. Click Download to save the script file to modify the virtual computer password, as shown in Figure 14. Open the script file with a text editor, modify the object value and password of the virtual computer, and then save it, as shown in Figure 15. Execute the script file on the domain controller to reset the virtual computer password.
Figure 14 Script file to modify the virtual computer password
Figure 15 Modifying the virtual computer object value and password
Adding an LDAP synchronization policy
1. On the top navigation bar, click Automation. From the left navigation pane, select User > Service Parameters > LDAP Service > Sync Policy.
Figure 16 Synchronization policy list
2. Click Add.
¡ Policy Name: Enter synchronization policy name LDAP Policy.
¡ Server Name: Select server Windows AD.
¡ Sub-Base DN: Enter ou=testid,dc=h3c,dc=com.
Use the default settings for other parameters.
Figure 17 Adding a synchronization policy
3. Click Next.
a. In the Access Information area, enter password EIA123. When the LDAP user unbinds from the LDAP server, the access user can use this password to pass EIA authentication.
b. In the Access Service area, select the CA Service option.
c. You can configure other parameters based on the configuration of Windows AD. In this example, use the default settings for other parameters.
Figure 18 Synchronization policy parameters
Figure 19 Selecting the CA Service option
4. Click Confirm.
Figure 20 Viewing the newly added synchronization policy
Synchronizing LDAP user data
After configuring the LDAP synchronization policy, click Synchronize in the Synchronize column for the policy to manually synchronize LDAP user data.
On the top navigation bar, click Automation. From the left navigation pane, select User > Access User. You can view LDAP users in the access user list.
Importing a server certificate (Optional)
|
|
NOTE: You can perform this task to import a built-in certificate or a certificate that you have purchased. |
To import a server certificate:
1. On the top navigation bar, click Automation.
2. From the navigation pane, select User > Service Parameters > Access Parameters > Certificate.
Figure 21 Certificate configuration page
3. Click the Server Certificate tab.
Figure 22 Server certificate List
4. Click Import EAP Server Certificate.
Figure 23 Importing a server certificate
5. Select the Private key is included in server certificate file option.
Figure 24 Selecting the Private key is included in server certificate file option
6. Click Select File. On the window that opens, select a server certificate.
8. Click Next, and enter the private key for the server certificate.
Adding an access device
You must add an access device to the EIA server before the EIA server can work with the access device for authentication.
To add a device:
1. On the top navigation bar, click Automation.
2. From the navigation pane, select User > Access Service > Access Device Management.
3. On the Access Device tab, click Add。
a. Enter and confirm the shared key expert. Use the default settings for other parameters.
b. In the Device List area, click Add IPv4 Device. In the window that opens, enter device IP 172.19.254.101 and click Confirm.
Figure 26 Adding an access device
|
|
IMPORTANT: The IP address of the access device must meet the following requirements: · If the RADIUS scheme contains a NAS IP specified by using the nas ip command for the access device, specify that IP address on the EIA server. · If the RADIUS scheme does not contain a NAS IP, specify the IP address of the Layer 3 Ethernet interface or VLAN interface that connects the access device to the EIA server. |
4. Click Confirm. You can view the newly added access device in the device list.
Configuring the access device
The access device is used to control user access. Authenticated users can access the network, while unauthenticated users cannot access the network.
In this example, log in to the access device through Telnet from the Windows CLI and configure it.
Creating a RADIUS scheme
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]radius session-control enable
// Enable RADIUS session control.
[H3C]radius scheme test
New RADIUS scheme
[H3C-radius-test]primary authentication 192.168.7.196 1812
[H3C-radius-test]primary accounting 192.168.7.196 1813
// Specify EIA as both the authentication and accounting servers. Make sure the authentication and accounting ports are the same as those specified for the access device.
[H3C-radius-test]key authentication simple expert
[H3C-radius-test]key accounting simple expert
// Make sure the authentication and accounting shared keys are the same as the shared key specified for the access device.
[H3C-radius-test]user-name-format with-domain
// Include the domain name in the usernames sent to the server. For information about the configuration matching relationships between the EIA server and the device, see Table 1.
[H3C-radius-test]nas-ip 172.19.254.101
[H3C-radius-test]quit
Creating a domain
[H3C]domain cert
[H3C-isp-cert]authentication lan-access radius-scheme test
[H3C-isp-cert]authorization lan-access radius-scheme test
[H3C-isp-cert]accounting lan-access radius-scheme test
// Configure the domain to use RADIUS scheme test for authentication, authorization, and accounting.
[H3C-isp-cert]quit
Enabling 802.1X authentication
[H3C]dot1x authentication-method eap
# To perform EAP-MSCHAPv2 authentication on Windows AD, you must set the 802.1X authentication method to EAP.
[H3C]dot1x
[H3C]interface Ten-GigabitEthernet 1/1/23
[H3C-Ten-GigabitEthernet 1/1/23]dot1x
[H3C-Ten-GigabitEthernet 1/1/23]quit
// For 802.1X authentication to take effect, you must enable it both globally and on the interface that users access.
Using the iNode client to initiate authentication
Installing the iNode client
|
|
NOTE: EIA supports all versions of iNode. You can select an iNode version as needed. |
Configuring 802.1X connection properties
1. Open the iNode PC client, and select 802.1X connection.
2. Click More, and then select Properties.
Figure 28 802.1X properties settings
3. Click the Advanced tab.
Figure 29 Advanced authentication settings
4. Select the check box before Enable advanced authentication. Select Certificate Authentication from the list, set PEAP as the authentication type, and then select MS-CHAP-V2 from the Sub-Type list.
Figure 30 Enabling advanced authentication
5. Click OK.
Verifying the configuration
Using the iNode client to initiate 802.1X authentication
Open the iNode client, enter the username and password, and then click Connect. Verify that the username and password can pass authentication.
Figure 31 Authentication window
Figure 32 802.1X connection
Figure 33 Authentication success
Viewing online users on EIA
On the top navigation bar, click Monitor. From the left navigation pane, select Monitor List > Online User. On the page that opens, view online users.
