02-H3C IMC UAM 802.1X Authentication and ACL Based Access Control Configuration Examples


 

H3C IMC UAM

802.1X Authentication and ACL–Based Access Control Configuration Examples


Software version: IMC UAM 7.2 (E0406)

 

Copyright © 2016 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.



Introduction

This document provides examples for configuring UAM to implement 802.1X authentication and ACL-based access control for users who connect to an HPE device for network access. In IMC UAM 7.2 (E0406), HPE devices are managed as HP devices.

Prerequisites

Make sure the HPE device supports 802.1X.

Example: Configuring 802.1X authentication and ACL-based access control

Network configuration

As shown in Figure 1, a user intends to access the Internet through an 802.1X connection in the iNode client. An HP switch acts as the NAS.

UAM authenticates the user and deploys an ACL to the switch to control the user's access. The ACL specifies that the user can access all network resources except resources on host 192.168.30.25/32.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on the following platforms:

·     IMC UAM 7.2 (E0406)

·     HP 2810-24G Switch

·     iNode PC 7.2 (E0402)

Restrictions and guidelines

When you configure an access device or an access service in UAM, follow these restrictions and guidelines:

·     If you have configured the nas-ip command for the radius-server host on the device, configure the NAS IP address as the access device address in UAM.

·     If you do not configure the nas-ip command for the radius-server host, enter the IP address of the device's interface that connects to UAM for the access device.

·     When the switch is selected from the resource pool, the IP address is automatically populated for the access device. If the IP address is incorrect, the switch must be manually configured.

·     Use the same port and shared key settings for authentication and accounting communication as those configured on the switch.

·     Configure an access service that does not have a suffix so it will work with the HP switch.

Configuring the switch

1.     Configure RADIUS settings in global configuration mode:

# Specify UAM as the RADIUS server, and configure the authentication port, accounting port, and shared key for RADIUS communication.

HP Switch 2810-24>

HP Switch 2810-24> enable

HP Switch 2810-24# configure terminal

HP Switch 2810-24(config)#

HP Switch 2810-24(config)# radius-server host 192.168.40.239 auth-port 1812 acct-port 1813 key imc123

# Set the accounting mode to network start-stop, in which the switch sends Accounting-Start and Accounting-Stop packets.

HP Switch 2810-24(config)# aaa accounting network start-stop radius

# Set the accounting update interval in the range of 1 to 525600 minutes. A small update interval might degrade UAM performance. This example uses an update interval of 12 minutes.

HP Switch 2810-24(config)# aaa accounting update periodic 12

2.     Configure 802.1X settings:

# Configure 802.1X-enabled ports on the switch to use the EAP authentication method.

HP Switch 2810-24(config)# aaa authentication port-access eap-radius

# Enable 802.1X globally.

HP Switch 2810-24(config)# aaa port-access authenticator active

# Enable 802.1X on Interface 1.

HP Switch 2810-24(config)# aaa port-access authenticator 1
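The "Restrictions and guidelines" section requires the same ports and shared key on the switch and in UAM, and the accounting mode above makes the switch send Accounting-Start and Accounting-Stop packets. The following added example (not part of this H3C document and not UAM or switch code) shows why the shared key must match: it parses the radius-server host line from the switch configuration above, builds an Accounting-Request the way RFC 2866 specifies it, and verifies the Request Authenticator and the Response Authenticator with the server's copy of the key. The username test and the NAS address 90.16.0.55 are taken from this example; the packet identifier and the first-match helper names are assumptions.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed sample: the radius-server host command from the switch configuration above.
SWITCH_RADIUS_LINE = (
    "radius-server host 192.168.40.239 auth-port 1812 acct-port 1813 key imc123"
)

ACCOUNTING_REQUEST = 4   # RADIUS code (RFC 2866)
ACCOUNTING_RESPONSE = 5
ACCT_STATUS_START = 1    # Acct-Status-Type values: 1=Start, 2=Stop, 3=Interim-Update
ACCT_STATUS_STOP = 2


def parse_radius_server_line(line):
    """Extract server address, ports and shared key from an HP 'radius-server host' line."""
    tokens = line.split()
    if tokens[:2] != ["radius-server", "host"]:
        raise ValueError("not a radius-server host command")
    cfg = {"server": tokens[2], "auth_port": 1812, "acct_port": 1813, "key": None}
    i = 3
    while i + 1 < len(tokens):
        keyword, value = tokens[i], tokens[i + 1]
        if keyword == "auth-port":
            cfg["auth_port"] = int(value)
        elif keyword == "acct-port":
            cfg["acct_port"] = int(value)
        elif keyword == "key":
            cfg["key"] = value
        i += 2
    return cfg


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accounting_request(identifier, secret, username, nas_ip, status_type):
    """Build an Accounting-Request. Its Request Authenticator is MD5 over the packet
    with 16 zero octets in the authenticator field, followed by the shared secret."""
    attrs = (
        _attr(1, username.encode())                 # User-Name
        + _attr(4, IPv4Address(nas_ip).packed)      # NAS-IP-Address
        + _attr(40, struct.pack("!I", status_type)) # Acct-Status-Type
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Server side: recompute the Request Authenticator with the server's key.
    A key mismatch between switch and UAM makes this check fail."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return hmac.compare_digest(expected, authenticator)


def build_response(request, secret, code=ACCOUNTING_RESPONSE, attrs=b""):
    """Server side: the Response Authenticator is MD5 over the response header,
    the request's authenticator, the response attributes and the shared secret."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret.encode()).digest()
    return header + authenticator + attrs


def verify_response(request, response, secret):
    """NAS side: check identifier and Response Authenticator with the NAS's key."""
    if response[1] != request[1]:
        return False
    header, authenticator, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret.encode()).digest()
    return hmac.compare_digest(expected, authenticator)


def exchange_verifies(switch_line, uam_key, identifier=7):
    """Simulate the switch sending Accounting-Start and UAM answering, and report
    whether both authenticators verify when UAM is configured with uam_key."""
    cfg = parse_radius_server_line(switch_line)
    request = build_accounting_request(identifier, cfg["key"], "test", "90.16.0.55", ACCT_STATUS_START)
    request_ok = verify_accounting_request(request, uam_key)
    response = build_response(request, uam_key)
    response_ok = verify_response(request, response, cfg["key"])
    return request_ok and response_ok


if __name__ == "__main__":
    print("matching key:", exchange_verifies(SWITCH_RADIUS_LINE, "imc123"))   # True
    print("mismatched key:", exchange_verifies(SWITCH_RADIUS_LINE, "imc124")) # False
```

When the key in UAM differs from the key in the radius-server host command, the Accounting-Request fails verification on the server and the switch cannot validate the response, which is the failure you see as users stuck in authentication or missing from the online user list.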

Configuring IMC UAM

Configuring the switch as an access device

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

The Access Device page opens.

3.     Click Add on top of the access device list.

The Add Access Device page opens, as shown in Figure 2.

Figure 2 Adding an access device

 

4.     On the Device List, click Select to select the switch from the IMC platform, or click Add Manually to add the switch to UAM.

This example uses the Add Manually option.

To manually add the switch to UAM:

a.     Click Add Manually in the Device List area.

b.     On the Add Access Device Manually page, enter 90.16.0.55 in the Device IP field, as shown in Figure 3.

Figure 3 Manually adding an access device

 

c.     Click OK to return to the Add Access Device page.

5.     Configure access information for the access device, as shown in Figure 4:

a.     Enter 1812 in the Authentication Port field, and enter 1813 in the Accounting Port field.

b.     Select HP (ProCurve) from the Access Device Type list.

c.     Enter imc123 in the Shared Key and Confirm Shared Key fields.

d.     Use the default values for other parameters.

Figure 4 Adding an access device

 

6.     Click OK.

7.     On the results page, click Back to Access Device List to view the added access device in the access device list, as shown in Figure 5.

Figure 5 Viewing the added access device

 

Configuring an access ACL

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Access Policy.

3.     On the Access Policy page, click Access ACL on the upper right of the access policy list, as shown in Figure 6.

Figure 6 Accessing the Access Policy page

 

4.     On the access ACL list, click Add.

The Add Access ACL page opens.

5.     Configure basic information for the ACL, as shown in Figure 7:

a.     Enter ACL-802.1X in the Access Name field.

b.     Select Permit as the Default Action.

c.     Use the default values for other parameters.

Figure 7 Configuring an access ACL

 

6.     In the ACL Rule List area, click Add.

The Add ACL Rule page opens.

7.     Configure the ACL rule parameters, as shown in Figure 8:

a.     Select Deny from the Action list.

b.     Select IP from the Protocol list.

c.     Enter 192.168.30.25 in the Dest IP field.

d.     Select 32 in the Mask Length field.

e.     Use the default values for other parameters.

Figure 8 Adding an ACL rule

 

8.     Click OK to return to the Add Access ACL page.

The new ACL rule is displayed in the ACL Rule List, as shown in Figure 9.

Figure 9 Viewing the new ACL rule

 

9.     Click OK.

Configuring an access policy

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Access Policy.

3.     In the access policy list area, click Add.

The Add Access Policy page opens.

4.     Configure the access policy, as shown in Figure 10:

a.     In the Basic Information area, enter Access Policy-802.1X in the Access Policy Name field.

b.     In the Authorization Information area, select Deploy ACL, the Access ACL List option, and ACL-802.1X from the list.

c.     Use the default values for other parameters.

Figure 10 Adding an access policy

 

5.     Click OK to return to the Access Policy page.

The new access policy is displayed in the access policy list, as shown in Figure 11.

Figure 11 Viewing the new access policy

 

Configuring an access service

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Access Service.

3.     On the access service list, click Add.

The Add Access Service page opens.

4.     Configure basic information for the access service, as shown in Figure 12:

a.     Enter Access Service-802.1X in the Service Name field.

b.     Select Access Policy-802.1X from the Default Access Policy list.

c.     Use the default values for other parameters.

Figure 12 Configuring an access service

 

5.     Click OK to return to the Access Service page.

The new access service is displayed in the access service list, as shown in Figure 13.

Figure 13 Viewing the new access service

 

Configuring an access user

1.     Click the User tab.

2.     From the navigation tree, select Access User > All Access Users.

3.     On the access user list, click Add.

The Add Access User page opens.

4.     Configure the access user parameters, as shown in Figure 15:

a.     Click Select next to the User Name field to associate an IMC platform user with the access user, or click Add User to manually add an IMC platform user.

This example uses the Add User option.

On the Add User page, enter test in the User Name field, enter 1497 in the Identity Number field, and click OK to return to the Add Access User page, as shown in Figure 14.

Figure 14 Adding a new IMC platform user

 

b.     Enter test in the Account Name field.

c.     Enter test in the Password and Confirm Password fields.

d.     Select the access service named Access Service-802.1X in the access service list.

e.     Use the default values for other parameters.

Figure 15 Adding an access user

 

5.     Click OK.

The new access user is displayed in the access user list, as shown in Figure 16.

Figure 16 Viewing the new access user

 

Verifying the configuration

Triggering 802.1X authentication

1.     On the iNode client, double-click 802.1X Connection.

The 802.1X Connection window opens.

2.     Enter the username and password, select Save username and password, and click Connect, as shown in Figure 17.

The authentication process starts.

Figure 17 Triggering 802.1X authentication

 

3.     Verify that the user has passed the 802.1X authentication, as shown in Figure 18.

Figure 18 Viewing the authentication result

 

Viewing online users on UAM

1.     Click the User tab.

2.     From the navigation tree, select Access User > Online Users.

3.     Click the Local tab.

4.     Verify that user test has been added to the online user list, as shown in Figure 19.

Figure 19 Viewing the online user

 

Verifying ACL-based access control

# Ping IP addresses 192.168.30.37 and 192.168.30.25 from the PC.

ping 192.168.30.37

ping 192.168.30.25

# Verify that 192.168.30.37 can be pinged, whereas 192.168.30.25 cannot be pinged, as shown in Figure 20. This is because packets destined for 192.168.30.25 are denied by the ACL that is deployed to the switch.

Figure 20 Viewing the ping result
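The access ACL configured earlier (default action Permit, one Deny rule for destination 192.168.30.25 with mask length 32) explains the ping result above. The following added example, which is not part of this H3C document and not UAM code, models that ACL with the same parameters the Add ACL Rule page uses (action, protocol, destination, mask length) and evaluates the two ping targets against it. It assumes rules are checked in list order with the first match winning and the default action applying otherwise; the client address 192.168.30.100 is a constructed value. It also goes beyond the page by accepting several rules and per-protocol rules, so other ACLs can be checked the same way.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")


@dataclass
class AclRule:
    """One entry of a UAM access ACL: Action, Protocol, source and destination prefix."""
    action: str                 # "permit" or "deny"
    protocol: str = "ip"        # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY

    def matches(self, src_ip, dst_ip, protocol):
        proto_ok = self.protocol == "ip" or self.protocol == protocol
        return proto_ok and IPv4Address(src_ip) in self.src and IPv4Address(dst_ip) in self.dst


@dataclass
class AccessAcl:
    name: str
    default_action: str         # the "Default Action" field on the Add Access ACL page
    rules: list = field(default_factory=list)

    def add_rule(self, action, protocol="ip", dest_ip="0.0.0.0", mask_length=0, src_ip="0.0.0.0", src_mask=0):
        """Mirror the Add ACL Rule page: a destination IP plus a mask length."""
        self.rules.append(AclRule(
            action=action,
            protocol=protocol,
            src=IPv4Network(f"{src_ip}/{src_mask}", strict=False),
            dst=IPv4Network(f"{dest_ip}/{mask_length}", strict=False),
        ))

    def evaluate(self, src_ip, dst_ip, protocol="ip"):
        # Assumption: first matching rule wins; no match falls through to the default action.
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, protocol):
                return rule.action
        return self.default_action


def build_example_acl():
    """ACL-802.1X as configured in this example: permit by default, deny host 192.168.30.25."""
    acl = AccessAcl(name="ACL-802.1X", default_action="permit")
    acl.add_rule(action="deny", protocol="ip", dest_ip="192.168.30.25", mask_length=32)
    return acl


def simulate_ping_test(acl, client_ip, targets):
    """Return the ACL verdict for ICMP traffic from the client to each target."""
    return {target: acl.evaluate(client_ip, target, "icmp") for target in targets}


if __name__ == "__main__":
    acl = build_example_acl()
    # Constructed client address; the ping targets are the ones used in the verification step.
    for target, verdict in simulate_ping_test(acl, "192.168.30.100", ["192.168.30.37", "192.168.30.25"]).items():
        print(f"ping {target}: {verdict}")
```

A mask length of 32 limits the deny rule to the single host, so every other destination, including 192.168.30.37, falls through to the Permit default. Because the rule's protocol is IP rather than ICMP, the same host is unreachable over TCP and UDP as well, which the evaluator shows when called with those protocols.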

 
