14-H3C EIA 802.1X and RSA Authentication Configuration Examples

H3C EIA 802.1X and RSA Authentication

Configuration Examples

Software version: EIA (E6205)

Document version: 5W103-20240226

 

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

In a network configured with 802.1X access and RSA authentication, you can use two-factor authentication to validate both static passwords and dynamic passwords. When EIA receives an authentication request from a user, it forwards the authentication request to the RSA server for identity validation. EIA allows or denies the user's access to the network based on the validation result from the RSA server and enforces various policies to control the user's access to the network.

The following scenarios are supported:

·     The EIA server validates the static password of a user and the RSA server validates the dynamic password of the user.

·     The RSA server validates both the static and dynamic passwords of a user.

The following information provides an example of RSA two-factor authentication by using the EIA server to validate the static password of a user and the RSA server to validate the dynamic password of the user.

Feature usage guidelines

Application scenarios

This example is applicable to environments that require dynamic passwords for enhancing password security, such as banking systems.

Prerequisites

The PC is installed with the iNode client that supports RSA dynamic keys.

The access device supports the 802.1X protocol.

The network has an RSA server.

Each user has an RSA authentication token.

Example: Configuring 802.1X and RSA authentication

Network configuration

As shown in Figure 1, a bank plans to deploy the RSA authentication system. When users connect to the network, they send authentication requests to the EIA server. The EIA server forwards the requests to the RSA server. The RSA server validates the identity of the users.

The PC is installed with the Windows OS and is ready for the installation of the iNode client.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on the following versions:

·     EIA (E6205) on the EIA server.

·     H3C S5500-28C-EI Comware Software, Version 5.20, Release 2221P15 on the access device.

·     iNode PC 7.3 (E0558) on the PC.

Restrictions and guidelines

In a cluster deployment, specify the northbound service virtual IP as the IP address of the EIA server. Do not specify the node IP address of the EIA server.

To identify the northbound service virtual IP of the EIA server in a cluster deployment:

1.     Enter https://ip_address:8443/matrix/ui in the address bar of the browser to open the Matrix page. ip_address represents the northbound service virtual IP or node IP address.

2.     On the top navigation bar, click DEPLOY. From the navigation pane, select Clusters.

3.     Click the Cluster Parameters tab. The northbound service virtual IP is the IP address of the EIA server.

Procedures

Configuring the EIA server

To configure the EIA server, perform the following tasks:

·     Adding an access device

·     Adding an access policy

·     Adding an access service

·     Enabling third-party authentication

Adding an access device

You must add an access device to the EIA server before the EIA server can work with the access device for authentication.

To add a device:

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Access Service, and then click the Access Device Management tab.

Figure 2 Access device page

 

3.     Click Add.

Figure 3 Adding an access device

 

4.     Click Add IPv4 Device in the Device List area. In the dialog box that opens, enter the IP address of the access device in the Device IP field, and then click Confirm. The IP address of the access device must meet the following requirements:

¡     If the RADIUS scheme contains a NAS IP specified by using the nas ip command for the access device, specify that IP address on the EIA server.

¡     If the RADIUS scheme does not contain a NAS IP, specify the IP address of the Layer 3 Ethernet interface or VLAN interface that connects the access device to the EIA server.

Figure 4 Manually adding an access device

 

5.     Configure the common parameters. The configuration requirements for the common parameters are as follows:

¡     Authentication Port: Specify a port number for EIA to listen for RADIUS authentication packets. The configuration must be the same as that configured on the access device. By default, the authentication port is 1812 on EIA and the access device.

¡     Accounting Port: Specify a port for EIA to listen for RADIUS accounting packets. The configuration must be the same as that configured on the access device. By default, the accounting port is 1813 on EIA and the access device.

 

IMPORTANT:

In the current software version, if you use EIA as the authentication server, you must also use EIA as the accounting server. When EIA is used as the authentication server, other servers cannot be used as the accounting server.

 

¡     Shared Key/Confirm Shared Key: Specify a shared key and confirm it. When the access device and EIA cooperate to perform authentication, they use the shared key to validate each other. The shared key specified here must be the same as the shared key specified on the access device. You only need to enter the shared key once if you selected Plaintext for the Displays Key in field in system parameter settings on the Automation > User > Service Parameters > Access Parameters > System Settings page.

¡     Use the default values for other parameters.

In this example, set the shared key to movie and use the default values for other parameters.

Figure 5 Configuring common parameters

 

6.     Click Confirm. Verify that the access device has been added to the access device list.

Figure 6 Viewing the newly added access device

 

Adding an access policy

Configure an access policy that does not contain any access control settings. To add an access policy:

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Access Service, and then click the Access Policy tab.

Figure 7 Access policy management page

 

3.     Click Add. Because no access control is required, you only need to enter an access policy name. In this example, set the access policy name to Access Permit and use the default values for other parameters, as shown in Figure 8.

Figure 8 Adding an access policy

 

Parameter description:

¡     Access Period: Select an access period policy. Users who apply this access policy can access the network only within the time range specified in the access period policy.

¡     Allocate IP: Specify whether to allocate IP addresses to users.

¡     Upstream Rate (Kbps)/Downstream Rate (Kbps): Specify the maximum upstream rate and downstream rate for users that match the access policy.

¡     Priority: Specify the traffic priority during network congestion. A smaller value indicates a higher priority. Select a priority value from the priority values supported by the device. An invalid value might result in failures of endpoint users to access the network.

¡     Authentication Type/Subtype: Select an EAP authentication type. During EAP authentication, the RADIUS server deploys this EAP authentication type to the client. Options include EAP-MD5, EAP-TLS, EAP-TTLS, and EAP-PEAP. If you select the EAP-TTLS or EAP-PEAP authentication type, select EAP-MSCHAPv2, EAP-MD5, or EAP-GTC as the subtype.

-     EAP-MD5: CHAP-based EAP authentication.

-     EAP-TLS: Certificate-based identity authentication, which requires PKI for certificate management. Mutual (server and client) authentication is recommended for this method. The server and client use certificates for identity authentication. If authentication succeeds, the two sides negotiate a shared key, session ID, and cipher suite (encryption, compression, and data integrity check) to set up a secure and reliable communication channel. EAP-TLS is a TLS-based identity authentication method that uses the access device to transparently forward authentication information between the client and EIA. EAP-TLS uses the session ID for fast reauthentication, which greatly simplifies the authentication process. It also supports fragmentation of large TLS packets.

-     EAP-TTLS: Certificate-based identity authentication, which initiates subauthentication within the security channel set up by TLS authentication between the client and EIA. The authentication method protects the user identity and the EAP authentication negotiation process. Subauthentication types include EAP or non-EAP authentication. EAP authentication can be EAP-MSCHAPv2, EAP-MD5, or EAP-GTC. If you select the EAP-TTLS authentication type, you must also select an EAP subtype on EIA. However, in the actual authentication process, an endpoint can ignore EIA configuration and use the endpoint's configuration for authentication if it uses a non-EAP subtype, such as PAP.

-     EAP-PEAP: Certificate-based identity authentication, which initiates EAP authentication within the security channel set up by TLS authentication between the client and EIA. The authentication method protects the user identity and the EAP authentication negotiation process. EIA only supports EAP-MSCHAPv2, EAP-MD5, and EAP-GTC authentication types.

¡     EAP Auto Negotiate: Specify whether to enable automatic negotiation of EAP authentication type when the EAP authentication type specified on the client and that on EIA are different. With this feature enabled, EIA permits the client's authentication request without considering the EAP type configured on the client. With this feature disabled, EIA rejects the client's authentication request if the EAP authentication types specified on the client and EIA are different.

¡     Maximum Online Duration for a Logon (Minutes): Specify the maximum online duration in minutes for a successfully authenticated user that uses the access policy. The value is an integer in the range of 1 to 1440. If you leave this field empty, the online duration is not limited. If you specify a value and the online duration of an access user exceeds the specified value, EIA forces the user to go offline.

¡     Deploy Address Pool: Enter an address pool name. EIA deploys the address pool name to the access device. The access device will search for an address pool with the same name and use this address pool to assign IP addresses to users. For successful address assignment, make sure an address pool with the same name exists on the access device.

¡     Deploy VLAN: Specify the VLAN to be deployed to users. After passing authentication, users can access resources in the specified VLAN only.

-     If the type of the access device is H3C (General), HUAWEI (General), HP (Comware), or 3COM (General), you can enter a VLAN ID or VLAN name. EIA takes any integer in the range of 1 to 4094 as an integer-type VLAN ID and deploys it to the access device. Any other character string is taken as a string-type VLAN name and deployed to the access device. On the access device, configure the VLAN assignment mode as integer or string type accordingly.

-     If the access device is none of the previous types, EIA always deploys the entered value to the access device as a string-type VLAN name. On the access device, configure the VLAN assignment mode as string type.

¡     Deploy User Profile: Specify the name of the user profile to be deployed to the access device. The access device will use the user profile to perform user-based QoS functions. This feature takes effect only when the user profile to be deployed has been configured on the device.

¡     Deploy User Group: Specify the name of the user group to be deployed to users after they pass authentication. You can enter a list of semicolon-separated user group names. This parameter takes effect only when EIA is cooperating with the ACG1000 device or an SSL VPN device.

¡     Deploy ACL: Specify the ACL to be deployed to users. Use either of the following methods:

-     Manually enter an ACL number or name.

-     Specify an ACL from the ACL list. To modify the ACL list, navigate to the Access Policy > Access ACL page.

¡     Offline Check Period (Hours): Specify the offline check interval for mute terminals, in hours. After a mute terminal passes authentication, EIA deploys the configuration to the device and the device checks whether the mute terminal is offline at the specified periods. If you leave this field empty, offline check will not be performed. The value for the offline check interval must be an integer in the range of 0 to 596523. This parameter is applicable only to mute terminals.

¡     Authentication Binding Information: EIA cooperates with the access device to check the binding information for each user to be authenticated, including the IP address, port, VLAN, QinQ inner and outer VLANs, and SN of the access device, and the IP address, MAC address, IMSI, IMEI, wireless user SSID, and hard disk serial number of the user endpoint. The iNode client cooperates with the policy server to check the binding information of a user, including the IP address, MAC address, computer name, computer domain, logon domain, and hard disk serial number of the user endpoint. Among the binding items, user MAC address and IMSI are mutually exclusive and cannot be bound at the same time.

You can specify values for the bound attributes in a user account if the access policy that has authentication binding configuration is applied to the user account. If you do not specify values for the bound attributes, EIA will use the learning mechanism to obtain the information to be bound. That is, EIA automatically stores parameter settings in the first successful authentication of the access user account as the bound values. For example, if EIA automatically stores the IP address used by a user when it passes authentication for the first time, that user can pass authentication only when it uses the same IP address.

When both binding user IP address and binding user IPv6 address are selected, the system only checks one IP address (IPv4 or IPv6) of a user. The user can pass the binding information check if any of its IP addresses passes the binding information check.

You can configure the following authentication binding information:

-     Control Access IP/MAC Address: With this feature enabled, EIA checks the IP address or MAC address of an access user using this policy when the user attempts to come online. If the IP address or MAC address is on the allowed access address list, the user can come online. Otherwise, the user cannot come online. For more information about the access address configuration, see Access IP/MAC Address.

-     Control Hard Disk Serial Number: With this feature enabled, EIA checks the hard disk serial number of a user endpoint when the user attempts to come online. If the serial number is permitted or EIA cannot obtain the hard disk serial number, the user is allowed to come online. Otherwise, the user cannot come online. This feature must work with an iNode PC client.

-     Enable SSID Access Control: When you enable this feature and set the SSID filter to Permit, EIA maintains an SSID allowlist. Users can access the network when they connect to an SSID on the SSID access control list. When you enable this feature and set the SSID filter to Deny, EIA maintains an SSID denylist. Users cannot access the network when they connect to an SSID on the SSID access control list. This feature must work with the iNode PC client. The client receives the SSID access control configuration from EIA and saves it to the PC. The configuration also applies to the Windows built-in 802.1X client.

 

 

NOTE:

To deploy authorization information, make sure the attributes are supported on the device. For the authentication binding information to take effect, you must configure the corresponding information in the RADIUS attributes on the device. In this example, no authorization attributes are assigned to the access device. You can use the default values.

 

4.     Click Confirm. On the access policy management page, verify that the access policy has been added to the access policy list.

Figure 9 Viewing the newly added access policy

 

Adding an access service

An access service is a collection of policies for user authentication and authorization. In this example, configure an access service for users who must pass RSA authentication to access the network.

To add an access service:

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Access Service.

Figure 10 Access service page

 

3.     Click Add.

4.     Configure the following access service parameters:

¡     Service Name: Enter a service name. Make sure the name is unique on the EIA server. In this example, set the service name to RSA Authentication.

¡     Service Suffix: Enter a service suffix, which identifies the name of the domain to be used for user authentication. The service suffix, authentication username, authentication domain, and the device's RADIUS scheme command are closely related to each other. For more information about the matrix of these elements, see Table 1. In this example, set the service suffix to 629.

Table 1 Configuration matrix

Authentication username | Authentication domain on the device | RADIUS scheme command on the device | Service suffix on EIA
X@Y                     | Y                                   | user-name-format with-domain        | Y
X@Y                     | Y                                   | user-name-format without-domain     | No suffix
X                       | [Default domain]                    | user-name-format with-domain        | [Default domain name]
X                       | [Default domain]                    | user-name-format without-domain     | No suffix

 

¡     Default Access Policy: Specify an access policy as the default access policy. In this example, select Access Permit from the drop-down list.

¡     Use the default values for other parameters.

The parameter settings are as shown in Figure 11.

Figure 11 Adding an access service

 

5.     Click Confirm. On the access service page, verify that the access service has been added to the access service list.

Figure 12 Viewing the newly added access service
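The following is an added example, not H3C code. It models the relationships in Table 1 (which also govern the user-name-format command in the RADIUS scheme configured on the access device later in this document): from the name a user types, the ISP domain settings on the access device, and the user-name-format setting, it derives the RADIUS User-Name that reaches EIA and the service suffix that request will match, and reports the first mismatch it finds. The AccessDevice class, the diagnose function, and the default domain name "system" are assumptions made for the example.

```python
# Added example (not H3C code): a model of the Table 1 matrix. The AccessDevice
# class, the diagnose() helper and the default domain "system" are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessDevice:
    default_domain: str        # ISP domain applied when the login name carries no "@Y"
    user_name_format: str      # "with-domain" or "without-domain", as in the RADIUS scheme


def split_login(login: str) -> tuple[str, Optional[str]]:
    """Split 'X@Y' into ('X', 'Y'); a bare 'X' has no domain part."""
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain
    return login, None


def isp_domain(login: str, dev: AccessDevice) -> str:
    """Domain the access device uses to select the AAA scheme for this login."""
    _, domain = split_login(login)
    return domain if domain is not None else dev.default_domain


def radius_user_name(login: str, dev: AccessDevice) -> str:
    """User-Name attribute the device sends to EIA, per user-name-format."""
    user, _ = split_login(login)
    if dev.user_name_format == "with-domain":
        return f"{user}@{isp_domain(login, dev)}"
    if dev.user_name_format == "without-domain":
        return user
    raise ValueError(f"unknown user-name-format: {dev.user_name_format}")


def matched_service_suffix(login: str, dev: AccessDevice) -> Optional[str]:
    """Service suffix EIA needs for this request; None means the 'No suffix' service."""
    _, suffix = split_login(radius_user_name(login, dev))
    return suffix


def diagnose(login: str, dev: AccessDevice, domains_on_device: set[str],
             service_suffixes_on_eia: set[Optional[str]]) -> str:
    """Check the settings Table 1 ties together and report the first problem found."""
    domain = isp_domain(login, dev)
    if domain not in domains_on_device:
        return f"FAIL: ISP domain '{domain}' is not configured on the access device"
    suffix = matched_service_suffix(login, dev)
    label = "no suffix" if suffix is None else f"suffix '{suffix}'"
    sent = radius_user_name(login, dev)
    if suffix not in service_suffixes_on_eia:
        return f"FAIL: EIA has no access service with {label} (User-Name sent: {sent!r})"
    return f"OK: User-Name {sent!r} -> EIA access service with {label}"


if __name__ == "__main__":
    # Constructed sample: domain 629 and service suffix 629 as in this example,
    # plus the device's default domain "system".
    dev = AccessDevice(default_domain="system", user_name_format="with-domain")
    print(diagnose("rose@629", dev, {"system", "629"}, {"629"}))
    print(diagnose("rose", dev, {"system", "629"}, {"629"}))
```

The second call shows the common failure: a user who omits the domain is placed in the device's default domain, so with user-name-format with-domain the User-Name arrives as rose@system and no access service with suffix 629 matches it.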

 

Enabling third-party authentication

EIA forwards the authentication request of a user to the RSA server for validation and determines whether the user can pass authentication based on the validation result of the RSA server. RSA authentication is a method for authenticating third-party users, so you must configure third-party authentication settings on EIA.

To configure third-party authentication:

1.     On the top navigation bar, click Automation.

2.     From the left navigation pane, select User > Service Parameters > Access Parameters, and then click the Third-Party Authentication tab.

Figure 13 Third-party authentication configuration page

 

3.     Click the Configure icon for the Third-Party Authentication configuration.

Figure 14 Third-party authentication page

 

4.     Select Enable to expand the third-party authentication configuration areas.

5.     Select Third-Party RADIUS Authentication. In the RADIUS List area, click Add. On the page that opens, configure the basic information as follows:

¡     IP Address: Enter the IP address of the RSA server. In this example, the IP address is 192.168.3.95.

¡     Port: Enter the number of the port on which the RSA server listens for authentication requests. The port number must be the same as the authentication port on the RSA Security Console of the RSA server. In this example, the port number is 1812.

¡     Key/Confirm Key: Enter an authentication key and confirm it. The key must be the same as the key specified for the RSA client on the RSA server. In this example, the key is mytest.

¡     Local Password: Enter a static password for third-party RADIUS authentication users. In this example, the password is 123.

¡     Password Check Mode: Select Third-Party Password + Local Password from the drop-down list.

¡     In the Access Service area, select access service RSA Authentication.

 

 

NOTE:

·     In this example, the EIA server validates the local password (static password). All users initially have the same local password, and they can log in to the self-service platform to change it.

·     Regardless of the scenario, whether the password check mode is third-party password or third-party password + local password, you must use a third-party password (dynamic password) to log in to the self-service platform.

 

6.     Click Confirm. The third-party authentication settings are displayed in the list on the Third-Party Authentication page.

Configuring the access device

The access device is used to control user access. Authenticated users can access the network, while unauthenticated users cannot access the network.

In this example, Telnet to the access device from the Windows CLI and configure it.

Creating a RADIUS scheme

<H3C>system-view

System View: return to User View with Ctrl+Z.

// Specify EIA as both the authentication and accounting servers. Make sure the authentication and accounting ports are the same as those specified for the access device on EIA.

[H3C]radius scheme zzpermit

New Radius scheme

[H3C-radius-zzpermit]primary authentication 192.168.5.180 1812

[H3C-radius-zzpermit]primary accounting 192.168.5.180 1813

 // Make sure the authentication and accounting shared keys are the same as the shared key specified for the access device on EIA. In this example, the shared key is fine.

[H3C-radius-zzpermit]key authentication fine

[H3C-radius-zzpermit]key accounting fine

// Include the domain name in the usernames sent to the server. For information about the configuration matching relationships between the EIA server and the device, see Table 1 in "Adding an access service."

[H3C-radius-zzpermit]user-name-format with-domain

[H3C-radius-zzpermit]quit

Creating an ISP domain

// Make sure the name of the ISP domain is the same as the service suffix specified on EIA. In this example, the name is 629.

[H3C]domain 629

New Domain added.

// Apply RADIUS scheme zzpermit for LAN user authentication, authorization, and accounting in the ISP domain.

[H3C-isp-629]authentication lan-access radius-scheme zzpermit

[H3C-isp-629]authorization lan-access radius-scheme zzpermit

[H3C-isp-629]accounting lan-access radius-scheme zzpermit

[H3C-isp-629]quit

Enabling 802.1X authentication

// For 802.1X authentication to take effect, you must enable it both globally and on the interface that users access.

[H3C]dot1x

802.1X is enabled globally.

[H3C]dot1x interface GigabitEthernet2/0/19

802.1X is enabled on port GigabitEthernet2/0/19.

// Supported 802.1X authentication methods include PAP, CHAP, and EAP. To perform RSA authentication, the authentication method must be PAP. RSA only supports the PAP, PEAP-MD5, and PEAP-GTC authentication methods.

[H3C]dot1x authentication-method pap

PAP authentication is enabled.

Configuring the RSA server

Adding a user named rose and assigning a token to the user

1.     Log in to the RSA Security Console on the RSA server, and select Identity > Users > Add New.

Figure 15 Adding new users

 

2.     Add user rose.

Figure 16 Adding user rose

 

IMPORTANT:

·     If EIA validates the static password of the user, the RSA user password configured here is only used to log in to the RSA server.

·     If the RSA server validates the static password of the user, the RSA user password configured here acts as the static password of the user for authentication.

 

3.     Use one of the following methods to assign a token to the user:

¡     Select Identity > Users > Manage Existing, click the icon next to rose, select SecurID Tokens from the drop-down list, and then select the token to be assigned to the user.

¡     Select Authentication > SecurID Tokens > Manage Existing > Unassigned, click the icon next to the token, select Assign to User from the drop-down list, and select the user to whom the token will be assigned.

Adding EIA as a client and agent of the RSA RADIUS server

1.     Log in to the RSA Security Console on the RSA server, and select RADIUS > RADIUS Clients > Add New.

Figure 17 Adding new RADIUS clients

 

2.     Add EIA as a RADIUS client as follows:

a.     Enter a client name. In this example, the name is 192.168.5.180.

b.     Enter the client IP address. The client IP address must be the IP address of the EIA server. In this example, the IP address is 192.168.5.180.

c.     Enter a shared secret. The shared secret must be the same as the key configured on the EIA server when you add RSA authentication settings. In this example, the shared secret is mytest.

Figure 18 Adding a RADIUS client

 

3.     Click Save and Create Associated RSA Agent to add the RSA agent associated with the RADIUS client.

Figure 19 Adding an RSA agent

 

4.     Click Save.

Verifying that the authentication listening port on the RSA server is the same as the authentication port on the EIA server

Figure 20 Viewing the authentication listening port on the RSA server

 

Verifying the configuration

Using the iNode PC client to complete 802.1X authentication

Installing an iNode client with 802.1X capability and support for RSA dynamic keys

Make sure the iNode client version is compatible with EIA and supports RSA dynamic keys. For more information about the compatibility matrix, see the release notes for your EIA version.

Establishing a connection for 802.1X authentication

1.     On the iNode PC client, select 802.1X connection to expand the 802.1X connection area.

Figure 21 iNode client interface

 

2.     Click More, and then select Properties.

Figure 22 Clicking the More icon

 

3.     Select the Use RSA dynamic password verification option, and then click OK.

 

IMPORTANT:

If the RSA server validates both the static and dynamic passwords of the user, you do not need to customize dynamic password verification on the iNode client or select the Use RSA dynamic password verification option in the Properties window.

 

Figure 23 Properties window

 

4.     Configure the username, password, and domain, and then click Connect.

 

IMPORTANT:

If the RSA server validates both the static and dynamic passwords of the user, the password of the user is in the format of RSA user static password + RSA user dynamic password. For example, if RSA user Tom has a static password of abc and a dynamic password of 1234 (generated by the authentication token) on the RSA server, enter abc1234 in the password input box on the page in Figure 24, and then click Connect.

 

Figure 24 Authentication interface

 

5.     Enter the dynamic key on the RSA authentication token, and then click OK.

Figure 25 Dynamic password configuration interface

 

6.     Verify that the iNode client can pass authentication.
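The following is an added example, not EIA, iNode, or RSA code. It models the two password check modes from the Third-Party Authentication settings (Third-Party Password + Local Password, where EIA validates the static password and the RSA server validates the dynamic password, and Third-Party Password, where the RSA server validates both and the user enters static password followed by dynamic password, such as abc1234) and shows which side checks which factor and what the user types on the client. An RFC 4226 HOTP generator stands in for the RSA SecurID token, a dict stands in for the RSA server's user store, and the MockRsaServer and MockEia classes, the token seed, and the counter value are assumptions made for the example.

```python
# Added example (not EIA, iNode or RSA code): a model of the two password check
# modes. HOTP (RFC 4226) stands in for the SecurID token; MockRsaServer, MockEia,
# the seed and the counter are constructed for the example.
import hashlib
import hmac
import struct
from typing import Dict, Tuple

THIRD_PARTY_PLUS_LOCAL = "Third-Party Password + Local Password"  # EIA: static, RSA: dynamic
THIRD_PARTY_ONLY = "Third-Party Password"                          # RSA: static + dynamic


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code; stands in here for the token's dynamic password."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class MockRsaServer:
    """Stand-in for the RSA server: per-user static password and token seed."""

    def __init__(self, counter: int = 0) -> None:
        self.users: Dict[str, Tuple[str, bytes]] = {}
        self.counter = counter  # current token step (constructed; real tokens are time-based)

    def add_user(self, name: str, static_password: str, token_seed: bytes) -> None:
        self.users[name] = (static_password, token_seed)

    def current_code(self, name: str) -> str:
        return hotp(self.users[name][1], self.counter)

    def validate(self, name: str, passcode: str, static_included: bool) -> bool:
        """Accept the token code alone, or the static password followed by the code."""
        if name not in self.users:
            return False
        static, _ = self.users[name]
        expected = (static if static_included else "") + self.current_code(name)
        return hmac.compare_digest(passcode.encode(), expected.encode())


class MockEia:
    """Stand-in for EIA's third-party RADIUS authentication decision."""

    def __init__(self, rsa: MockRsaServer, check_mode: str, local_password: str) -> None:
        self.rsa = rsa
        self.check_mode = check_mode
        self.initial_local_password = local_password      # same for all users initially
        self.local_passwords: Dict[str, str] = {}          # changed per user on self-service

    def set_local_password(self, name: str, new_password: str) -> None:
        self.local_passwords[name] = new_password

    def authenticate(self, name: str, password_field: str, dynamic_code: str) -> bool:
        if self.check_mode == THIRD_PARTY_PLUS_LOCAL:
            expected = self.local_passwords.get(name, self.initial_local_password)
            if not hmac.compare_digest(password_field.encode(), expected.encode()):
                return False                               # static factor rejected by EIA
            return self.rsa.validate(name, dynamic_code, static_included=False)
        if self.check_mode == THIRD_PARTY_ONLY:
            # One string reaches RSA: static password followed by the token code.
            return self.rsa.validate(name, password_field, static_included=True)
        raise ValueError(f"unknown password check mode: {self.check_mode}")


def client_input(check_mode: str, static_password: str, dynamic_code: str) -> Tuple[str, str]:
    """(password box, dynamic password prompt) the user fills in on the client."""
    if check_mode == THIRD_PARTY_PLUS_LOCAL:
        return static_password, dynamic_code                # code entered at a separate prompt
    return static_password + dynamic_code, ""               # e.g. abc + 1234 -> abc1234


if __name__ == "__main__":
    rsa = MockRsaServer(counter=7)
    rsa.add_user("rose", "abc", b"constructed-seed")
    code = rsa.current_code("rose")
    eia = MockEia(rsa, THIRD_PARTY_PLUS_LOCAL, local_password="123")
    print(eia.authenticate("rose", *client_input(THIRD_PARTY_PLUS_LOCAL, "123", code)))
    eia2 = MockEia(rsa, THIRD_PARTY_ONLY, local_password="123")
    print(eia2.authenticate("rose", *client_input(THIRD_PARTY_ONLY, "abc", code)))
```

Note the design point the model makes visible: in Third-Party Password + Local Password mode, the password configured on the RSA user account is never consulted by EIA, while in Third-Party Password mode the local password on EIA plays no part, so a user who changes the wrong one of the two will fail authentication.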

Viewing online users on EIA

1.     On the top navigation bar, click Monitor.

2.     From the left navigation pane, select Monitor List > Online User. On the page that opens, view local online users.

Figure 26 Viewing online users

 
