- Released At: 17-09-2025
H3C IMC EAD IPsec Policy Configuration Examples
Document version: 5W103-20250915
Product version: EAD 7.3 (E0631)
Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring an IPsec policy
Configuring the EIA/EAD server
Using the iNode client to perform identity authentication and security authentication for the client
Introduction
Use IPsec policy management to configure the IPsec policies that EAD deploys to client operating systems. A configuration consists of an exported IPsec policy file and a hosts file. Windows XP requires a separate configuration because its IPsec policy export differs from that of other Windows versions.
Feature usage guide
Application scenarios
This feature is applicable to network environments where IPsec policies are required, such as enterprises and schools.
Prerequisites
Make sure the user endpoints, access devices, and EIA/EAD servers can reach each other at Layer 3. Users authenticate with the iNode client, so the access devices must support the authentication method in use (for example, 802.1X for 802.1X authentication).
Example: Configuring an IPsec policy
Network configuration
A company plans to perform security authentication based on user identity authentication, as shown in Figure 1. Configure the IP address of the EIA and EAD server as 192.168.0.87 and the IP address of the access device as 192.168.30.50. The PC has the Windows operating system and the iNode client installed.
Procedures
This section describes how to configure the EIA and EAD server, access device, and iNode client. As a best practice, follow the configuration order provided in this document.
If an IPsec policy and a hosts file already exist, start configuration from "Configuring the EIA/EAD server."
Configuring an IPsec policy
Creating an IPsec policy
Create an IPsec policy as needed. This example shows how to create an IPsec policy to block access to an IP address.
To create an IPsec policy:
1. On the local computer, access the Control Panel > Administrative Tools > Local Security Policy > IP Security Policies on Local Computer page. The path might vary by operating system version.
2. Right-click IP Security Policies on Local Computer and then select Create IP Security Policy.
Figure 2 Local Security Policy page
3. Start the IP security policy wizard. In this example, the policy name is TEST and the Activate the default response rule option is cleared.
Figure 3 IP security policy wizard (1)
Figure 4 IP security policy wizard (2)
Figure 5 IP security policy wizard (3)
4. Click Finish. Then, edit the properties of IPsec policy TEST and leave the Use Add Wizard option unselected.
Figure 6 Configuring properties
5. Click Add. The New Rule Properties window opens.
Figure 7 Configuring properties
6. On the IP Filter List tab, click Add. Configure the IP filter properties such as addresses and protocol. Configure the parameters as follows:
¡ Source address: Select My IP Address.
¡ Destination address: Select A specific IP Address or Subnet.
¡ IP Address or Subnet: Enter 172.10.28.204.
¡ Use the default settings for the other parameters.
Figure 8 Configuring properties
7. After the configuration is completed, click OK until you return to the New Rule Properties page.
Figure 9 Configuring properties
8. The newly configured IP filter list is displayed. Select it and then click the Filter Action tab. Keep the Use Add Wizard option unselected.
Figure 10 Configuring properties
9. Click Add. In this example, the filter action is set to Block, so packets that match the filter list are dropped without any IPsec negotiation.
Figure 11 Configuring properties
10. After the configuration is completed, click OK. The newly configured filter action is displayed in the filter action list. After you select it, a black dot indicates that it is selected.
Figure 12 Configuring properties
11. Return to the Local Security Policy window. Right-click TEST and select Assign to assign the policy to the computer. Windows applies only one local IPsec policy at a time, so assigning TEST replaces any previously assigned policy.
Figure 13 Assigning the IPsec policy
12. If the assignment fails, the IPsec policy agent service might be disabled. Enable the service as follows:
a. Click the Start menu icon, and then select Control Panel.
b. Click Administrative Tools.
c. Click Services.
d. Find the IPsec Policy Agent service.
The procedure varies by operating system.
Figure 14 IPsec policy agent service
e. Double-click IPsec Policy Agent. In the window that opens, select Automatic from the Startup type list. Click Apply, and then click Start.
Figure 15 Enabling the IPsec service
Exporting the IPsec policy
· To export the IPsec policy in the Windows 7 operating system, run the netsh ipsec static exportpolicy c:\policy.ipsec command from an elevated command prompt, where c:\policy.ipsec is the full path of the export file. Edit the exported file as required.
· To export the IPsec policy in the Windows XP operating system, perform the following tasks:
a. Copy the IpSecInstall\IPSec\ipseccmd.exe file to your computer. ipseccmd.exe is part of the Windows XP Support Tools; if you do not have it, obtain it from the Windows XP installation media or another trusted Microsoft source rather than from an arbitrary download site.
b. Execute the ipseccmd exportpolicy c:\policy_xp.ipsec command.
If the above methods cannot meet your needs or you cannot export the IPsec policy, perform the following tasks:
1. Press Windows+R, enter gpedit.msc, and then press Enter to open Local Group Policy Editor.
2. Access the Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Local Computer page.
3. Right-click IP Security Policies on Local Computer, and then select All Tasks > Export Policies.
4. In the window that opens, specify a location to save the policy file and a file name, and then click Save.
NOTE: The export method might vary by operating system.
Figure 16 Exporting the IPsec policy
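The client-side procedure above (creating the TEST policy, blocking 172.10.28.204, enabling the IPsec Policy Agent, assigning the policy, and exporting it) can also be scripted. The following PowerShell script is an added example and is not part of the H3C document; it wraps the same netsh ipsec static context that the export step uses and must be run from an elevated PowerShell prompt on Windows 7 (Windows XP has no netsh ipsec context). The policy name, blocked address, and export path come from the example; the filter list, filter action, and rule names are assumptions of this script.

```powershell
# Added example, not part of the H3C document: scripts steps 3-12 and the export with
# netsh ipsec static instead of the Local Security Policy GUI.
# Run from an elevated PowerShell prompt on Windows 7 (Windows XP has no netsh ipsec context).
# TEST, 172.10.28.204 and c:\policy.ipsec come from the example; the filter list,
# filter action and rule names (TEST-filters, TEST-block, TEST-rule) are assumptions.

$PolicyName  = 'TEST'
$BlockedHost = '172.10.28.204'
$ExportFile  = 'c:\policy.ipsec'

# Step 12: nothing can be assigned while the IPsec Policy Agent (service name PolicyAgent)
# is stopped, so make it start automatically and start it now if needed.
Set-Service -Name PolicyAgent -StartupType Automatic
if ((Get-Service -Name PolicyAgent).Status -ne 'Running') {
    Start-Service -Name PolicyAgent
}

# Steps 3-4: create the policy. activatedefaultrule=no is the same as leaving
# "Activate the default response rule" cleared in the wizard.
netsh ipsec static add policy "name=$PolicyName" activatedefaultrule=no

# Step 6: a filter list with one filter, My IP Address -> 172.10.28.204, any protocol.
# mirrored=yes also matches the reverse direction, which is the GUI default.
netsh ipsec static add filterlist "name=${PolicyName}-filters"
netsh ipsec static add filter "filterlist=${PolicyName}-filters" srcaddr=me "dstaddr=$BlockedHost" protocol=any mirrored=yes

# Step 9: a filter action of type block; matching packets are dropped without IKE negotiation.
netsh ipsec static add filteraction "name=${PolicyName}-block" action=block

# Steps 7-10: the rule ties the filter list and the filter action together inside the policy.
netsh ipsec static add rule "name=${PolicyName}-rule" "policy=$PolicyName" "filterlist=${PolicyName}-filters" "filteraction=${PolicyName}-block"

# Step 11: assign the policy. Windows applies only one local IPsec policy at a time,
# so this replaces any previously assigned policy.
netsh ipsec static set policy "name=$PolicyName" assign=yes

# "Exporting the IPsec policy": write the .ipsec file that is uploaded to the EIA/EAD server.
netsh ipsec static exportpolicy "file=$ExportFile"
```

Review the script's output for netsh errors before uploading the exported file: each add command reports "Ok." on success, and a failed set policy ... assign=yes usually means the IPsec Policy Agent is not running.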
Configuring the hosts file
1. Create a text file named hosts.txt.
2. Edit the file as shown in Figure 17.
Figure 17 Editing the hosts.txt file
Configuring the EIA/EAD server
The EIA/EAD Web interface might differ by version. Perform the configuration based on the actual situation, and follow the configuration order provided in this section as a best practice.
Editing the IPsec configuration
1. Click the User tab. From the navigation pane, select User Security Policy > IPsec Policy Management.
Figure 18 Editing the IPsec configuration
2. Upload the policy.ipsec or policy_xp.ipsec file exported in "Configuring an IPsec policy."
3. Upload the hosts.txt file created in "Configuring an IPsec policy".
4. Click OK.
Adding a security policy
A security policy is a collection of check and monitoring policies. When you add a security policy, configure the required policies.
To add a security policy:
1. Click the User tab. From the navigation pane, select User Security Policy > Security Policy.
Figure 19 Security Policy page
2. Click Add. Configure the parameters as follows:
¡ Policy Name: Enter the name of the security policy. In this example, enter test_EAD.
¡ Security Level: Select the security level configured previously. If no separate security level has been configured, you can select a system-defined security level as needed. In this example, select Monitor Mode. Some system-defined security levels are as follows:
- Block and Kick Out Mode: When the security check fails, the system adds the user to the blacklist, kicks out the user, and records the result in security logs.
- Guest Mode: When the security check fails, the system informs the user, kicks out the user, and records the result in security logs.
- Kick Out Mode: When the security check fails, the system kicks out the user and records the result in security logs.
- Isolate Mode: When the security check fails, the system isolates the user, informs the user of the security vulnerability and remediation methods, and records the result in security logs.
- VIP Mode: When the security check fails, the system informs the user of the security vulnerability and remediation methods, and records the result in security logs. The system does not isolate the user.
- Monitor Mode: When the security check fails, the system records the result in security logs only without isolating or informing the user.
¡ Select Deploy IPsec Configuration in the PC area.
Figure 20 Common Configuration area
3. Click OK.
Figure 22 Completing adding a security policy
Adding an access policy
1. Click the User tab. From the navigation tree, select User Access Policy > Access Policy.
2. Click Add. On the page that opens, configure parameters as needed. In this example, configure the access policy name as test-access-policy and use the default settings for other parameters.
Figure 24 Adding an access policy
3. Click OK.
Figure 25 Completing adding an access policy
Adding an access service
1. Click the User tab. From the navigation tree, select User Access Policy > Access Service.
2. Click Add.
Figure 27 Adding an access service
3. Configure the parameters as follows:
¡ Service Name: Enter the service name. In this example, enter test_service.
¡ Service Suffix: Enter the service suffix. In this example, enter 391. When the IMC EIA server and the device collaborate to authenticate the access users, their configurations must comply with the constraints in Table 1. In this example, the first combination is used.
¡ Default Access Policy: Select the previously configured access policy. In this example, select test-access-policy.
¡ Default Security Policy: Select the previously configured security policy, indicating that users using this access service will use this security policy. In this example, select test_EAD.
¡ Use the default settings for other parameters.
Table 1 The constraint relationship between login name and account name
| Login name | Authentication domain on device | user-name-format setting in the RADIUS scheme | Account name of the user in IMC |
| X@Y | Y | with-domain | X@Y |
| X@Y | Y | without-domain | X |
| X | [Default Domain] (default domain) | with-domain | X@[Default Domain] |
| X | [Default Domain] (default domain) | without-domain | X |
Figure 28 Access service configuration
4. Click OK.
Figure 29 Completing adding an access service
Adding an access user
1. Click the User tab. From the navigation pane, select User > All Access Users.
Figure 30 All Access Users page
2. Click Add. Configure the parameters as follows:
¡ User Name: Enter the name of the access user, which can be the real name of the access user.
¡ Identity Number: Enter the identity number of the user, which can be the ID card number.
¡ Account Name: Enter the account used for user authentication, which is unique in EIA. In this example, enter qwert001.
¡ Password: Enter the password used for user authentication.
¡ Confirm Password: Re-enter the password used for user authentication.
¡ Access Service: Select the previously configured access service in the access service list.
Figure 31 Configuring basic information and access information
Figure 32 Selecting the previously configured access service
3. Click OK.
Figure 33 Completing adding an access user
Adding an access device
1. Click the User tab. From the navigation pane, select User Access Policy > Access Device Management > Access Device.
2. Click Add.
Figure 35 Adding an access device
3. Configure the parameters in the Access Configuration area as follows:
¡ Authentication Port: Enter the authentication port number, which is 1812 by default.
¡ Accounting Port: Enter the accounting port, which is 1813 by default.
¡ Shared Key/Confirm Shared Key: Enter and confirm the shared key used for RADIUS communication between the EIA server and the access device. The key on the EIA server must be the same as the key configured on the access device. You only need to enter the shared key once if you selected Plaintext for the Displays Key field in system parameter settings. In this example, enter 123. This value is for illustration only; in production, use a long random shared key, because the RADIUS shared secret is what protects the User-Password attribute and authenticates RADIUS packets between the device and the server.
¡ Use the default settings for other parameters.
Figure 36 Configuring the parameters in the Access Configuration area
4. Configure the parameters in the Device List area by using either of the following methods:
¡ Click Select to select an access device.
¡ Click Add Manually to manually configure an access device.
The IP address of the access device must meet the following requirements:
¡ If the RADIUS scheme on the access device specifies a NAS IP address by using the nas-ip command, specify that IP address on the EIA server.
¡ If the RADIUS scheme does not contain a NAS IP, specify the IP address of the Layer 3 Ethernet interface or VLAN interface that connects the access device to the EIA server.
This example uses the Add Manually method. Click Add Manually. On the page that opens, enter the IP address of the access device, and then click OK. In this example, enter 192.168.30.50.
Figure 37 Manually adding an access device
5. The configuration result is as shown in Figure 38.
Figure 38 Completing configuring access device parameters
6. Click OK to return to the Access Device page. You can view the newly added access device in the access device list.
Figure 39 Newly added access device
Configuring the access device
Configure the access device to use the IMC server as the AAA server and security check server, so that users undergo identity authentication and security authentication when they log in, and configure a simple ACL control policy.
Then, Telnet to the access device by using the CLI window of the Windows operating system as follows. Telnet sends the login credentials in cleartext; use SSH instead if the device supports it.
1. Telnet to the access device and enter system view.
2. Configure a RADIUS scheme. Specify the EIA server as the primary authentication server and primary accounting server. Make sure the authentication port, accounting port, and shared key are the same as those configured on the IMC EIA server.
[Device]radius scheme 390
New Radius scheme
[Device-radius-390]primary authentication 192.168.0.87 1812
[Device-radius-390]primary accounting 192.168.0.87 1813
[Device-radius-390]key authentication 123
[Device-radius-390]key accounting 123
[Device-radius-390]nas-ip 192.168.30.50
[Device-radius-390]server-type extended
[Device-radius-390]user-name-format with-domain
[Device-radius-390]quit
NOTE: Set the server type to extended so that H3C's extended RADIUS attributes are supported. Set it explicitly rather than relying on the default, which depends on the device software version.
3. Create a domain and configure users to use RADIUS scheme 390 for authentication, authorization, and accounting when accessing the device. When the IMC EIA server and the device collaborate to authenticate access users, their configuration must comply with the constraints specified in Table 1.
[Device]domain 391
New Domain added
[Device-isp-391]authentication lan-access radius-scheme 390
[Device-isp-391]authorization lan-access radius-scheme 390
[Device-isp-391]accounting lan-access radius-scheme 390
[Device-isp-391]quit
4. Configure 802.1X authentication. Enable 802.1X authentication globally and on the interface to enable the authentication feature for the interface.
[Device]dot1x
802.1x is enabled globally
[Device]dot1x interface Ethernet 1/0/3
802.1x is enabled on port Ethernet1/0/3
Verifying the configuration
Installing the iNode client
The iNode client version must be compatible with the IMC EIA/EAD server. For information about the compatibility between iNode client version and the IMC EIA/EAD server, see the EIA release notes and EAD release notes, respectively.
Using the iNode client to perform identity authentication and security authentication for the client
Enter your account and password on the 802.1X authentication page, and then click the connect button for authentication. After you pass identity authentication and security authentication, the status of identity authentication and security authentication will be displayed on the interface, as shown in Figure 40 and Figure 41.
Figure 40 802.1X authentication
Figure 41 Passing security check
Verifying the IPsec policy
1. Verify the deployment of the IPsec policy on the client.
Figure 42 IPsec policy deployed successfully
2. Ping the IP address blocked by the IPsec policy from the client. If the ping fails, the policy is in effect. A ping can also fail because the target is down or drops ICMP, so confirm that the policy is shown as assigned on the client (step 1), or compare with a ping from an endpoint to which the policy has not been deployed.
Figure 43 Ping failure
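A scripted version of this verification, added here as an example and not taken from the H3C document: it checks that the IPsec Policy Agent is running, that TEST is the currently assigned policy, and that the blocked host no longer answers, and reports a single pass/fail result so that a failed ping is not mistaken for a working policy. The policy name and blocked address are the example's; the function name Test-IpsecBlock is an assumption.

```powershell
# Added verification example, not part of the H3C document. Run from an elevated
# PowerShell prompt on the client after the iNode client reports that the security
# check passed. TEST and 172.10.28.204 come from the example; Test-IpsecBlock is assumed.

function Test-IpsecBlock {
    param(
        [string]$PolicyName  = 'TEST',
        [string]$BlockedHost = '172.10.28.204'
    )

    # 1. With the IPsec Policy Agent stopped, no local IPsec policy is enforced.
    $agentRunning = (Get-Service -Name PolicyAgent).Status -eq 'Running'

    # 2. The deployed policy must be the one currently assigned
    #    (netsh prints an "Assigned : YES" line for it).
    $policyText = netsh ipsec static show policy "name=$PolicyName" 2>&1
    $policyAssigned = [bool]($policyText -match 'Assigned\s*:\s*YES')

    # 3. Step 2 of the procedure: the blocked host must not answer a ping. On its own a
    #    failed ping proves little (the host may be down or drop ICMP), so it is combined
    #    with checks 1 and 2 before the result is reported as a pass.
    $pingBlocked = -not (Test-Connection -ComputerName $BlockedHost -Count 2 -Quiet -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        AgentRunning   = $agentRunning
        PolicyAssigned = $policyAssigned
        PingBlocked    = $pingBlocked
        Pass           = ($agentRunning -and $policyAssigned -and $pingBlocked)
    }
}

Test-IpsecBlock | Format-List AgentRunning, PolicyAssigned, PingBlocked, Pass
```

If PingBlocked is True but PolicyAssigned is False, the host is unreachable for some other reason and the IPsec deployment has not actually been verified; check the iNode client status and the IPsec policy agent service before repeating the test.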