- Released At: 05-07-2024
H3C IMC UAM
802.1X Authentication Configuration Examples

Software version: IMC UAM 7.2 (E0403)
Copyright © 2016 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
Contents
Example: Configuring common 802.1X authentication
Configuring the switch as an access device
Triggering 802.1X authentication
Introduction
This document provides examples for configuring common 802.1X authentication.
Common 802.1X authentication only identifies users. It is applicable to enterprise or campus networks that do not have special requirements for access control or security checking.
Prerequisites
The access device must support 802.1X.
Example: Configuring common 802.1X authentication
Network configuration
As shown in Figure 1, internal users must pass 802.1X authentication to access the Internet. The user PC runs the Windows 7 operating system. Both the built-in 802.1X client of Windows 7 and the iNode client are available.
The switch uses the IMC UAM server to provide authentication services for internal users. The internal network does not have special requirements for user access control or security checking.
Software versions used
This configuration example was created and verified on the following platforms:
· IMC UAM 7.2 (E0403)
· H3C S3600V2-28TP-EI Comware Software, Version 5.20, Release 2103
· iNode PC 7.2 (E0403)
Configuring UAM
Configuring the switch as an access device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
The Access Device page opens, as shown in Figure 2.
Figure 2 Accessing the access device list
3. Click Add on top of the access device list.
The Add Access Device page opens, as shown in Figure 3.
Figure 3 Adding an access device
4. Add the switch to UAM as an access device.
You can add a device to UAM either manually or by selecting the device from the IMC platform. This example uses the Add Manually option.
To add an access device manually:
a. Click Add Manually.
The Add Access Device Manually page opens.
b. Enter 192.168.30.100 in the Device IP field, as shown in Figure 4.
If the nas ip command is configured on the device, enter that NAS IP address in the Device IP field. If the command is not configured, enter the IP address of the interface (or VLAN interface) from which the device sends RADIUS packets to UAM. This address must match the source IP address of the RADIUS packets, because UAM identifies the access device, and therefore the shared key to use, by the source address of each request; a request from an address that is not configured as an access device has no shared key and is silently discarded, as RFC 2865 requires, rather than answered.
Figure 4 Specifying the IP address of the access device
c. Click OK to return to the Add Access Device page.
5. Configure access information for the access device, as shown in Figure 5:
a. Enter the authentication port number in the Authentication Port field, and enter the accounting port number in the Accounting Port field. Make sure the values are the same as the port numbers configured on the access device.
This example uses the default authentication and accounting port numbers 1812 and 1813, respectively.
IMPORTANT: Use UAM for authentication and accounting at the same time. If you use UAM for authentication, you must use it for accounting.
b. Select LAN Access Service from the Service Type list.
c. Select H3C (General) from the Access Device Type list.
d. Enter movie in the Shared Key and Confirm Shared Key fields.
Make sure the shared key is the same as the shared key configured on the access device. The value movie is for this example only. In production, use a long random key: the shared key is what the switch uses to verify that replies really come from UAM, and (in PAP mode) what hides user passwords on the wire, so a short guessable key weakens both.
If a plaintext shared key is configured on the access device, the Confirm Shared Key field is not available.
e. Use the default values for other parameters.
Figure 5 Configuring the access device
6. Click OK.
7. On the Result of Adding Access Devices page, click Back to Access Device List.
The new access device is displayed in the access device list, as shown in Figure 6.
Figure 6 Viewing the new access device
Configuring an access policy
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Policy.
The Access Policy page opens, as shown in Figure 7.
Figure 7 Accessing the access policy list
3. Click Add on top of the access policy list.
The Add Access Policy page opens.
4. Configure access policy parameters, as shown in Figure 8:
a. Enter Access Permit in the Access Policy Name field.
b. Use the default values for other parameters.
Figure 8 Adding an access policy
5. Click OK.
The new access policy is displayed in the access policy list, as shown in Figure 9.
Figure 9 Viewing the new access policy
Configuring an access service
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Service.
3. Click Add on top of the access service list, as shown in Figure 10.
The Add Access Service page opens.
Figure 10 Accessing the access service list
4. Configure basic information for the access service, as shown in Figure 11:
a. Enter 802.1X Service in the Service Name field.
The name must be unique in UAM.
b. Enter 391 in the Service Suffix field.
In this example, the user-name-format with-domain command is configured on the access device to include domain information in usernames. Therefore, you must configure the service suffix.
For authentication to be performed correctly, the username specified on the client, the domain and RADIUS scheme configuration on the access device, and the service suffix on the UAM server must comply with the correlation rules shown in Table 1.
Table 1 Correlation between the client username format, the access device configuration, and the UAM service suffix

Username format on the client | Domain on the access device | Username format configured on the access device | Service suffix on UAM
X@Y | Y | with-domain | Y
X@Y | Y | without-domain | No suffix
X | Default domain (the default domain specified on the access device) | with-domain | Name of the default domain
X | Default domain (the default domain specified on the access device) | without-domain | No suffix
c. Select Access Permit from the Default Access Policy list.
d. Use the default values for other parameters.
Figure 11 Configuring the access service
5. Click OK.
The new access service is displayed in the access service list, as shown in Figure 12.
Figure 12 Viewing the new access service
Configuring an access user
1. Click the User tab.
2. From the navigation tree, select Access User > All Access Users.
The All Access Users page opens, as shown in Figure 13.
Figure 13 Accessing the access user list
3. On the access user list, click Add.
The Add Access User page opens.
4. Configure the basic parameters for the access user, as shown in Figure 14:
a. In the User Name field, configure an IMC platform user to be associated with the access user.
You can either select an existing user account from the IMC platform or add a new IMC platform user.
This example uses the Add User option. On the Add User page, enter wbing in the User Name field, enter 0128 in the Identity Number field, and click OK.
b. Enter ice in the Account Name field.
c. Enter imc123 in the Password and Confirm Password fields.
d. Select 802.1X Service in the Access Service list.
e. Use the default values for other parameters.
Figure 14 Configuring an access user
5. Click OK.
The new access user is displayed in the access user list, as shown in Figure 15.
Figure 15 Viewing the new access user
Configuring the access device
The access device controls user access to the network. Only users who pass 802.1X authentication can access the network.
To configure the access device at the CLI, perform the following tasks:
1. Configure a RADIUS scheme:
# Create the RADIUS scheme named 1xallpermit.
<AccDevice> system-view
System View: return to User View with Ctrl+Z.
[AccDevice] radius scheme 1xallpermit
New Radius scheme
# Configure UAM as the primary RADIUS authentication and accounting server. Set the authentication port to 1812, and set the accounting port to 1813. Make sure the ports are the same as those configured on UAM.
[AccDevice-radius-1xallpermit] primary authentication 192.168.40.237 1812
[AccDevice-radius-1xallpermit] primary accounting 192.168.40.237 1813
# Configure the shared key to movie to secure RADIUS authentication and accounting communication. Make sure the shared key is the same as that configured on UAM.
[AccDevice-radius-1xallpermit] key authentication movie
[AccDevice-radius-1xallpermit] key accounting movie
# Configure the device to include domain information in the user names that are sent to the RADIUS server. The username format must be the same as the format configured on UAM.
[AccDevice-radius-1xallpermit] user-name-format with-domain
[AccDevice-radius-1xallpermit] quit
2. Configure the authentication domain:
# Create the ISP domain named 391. Make sure the domain name is the same as the service suffix configured on UAM.
[AccDevice] domain 391
New Domain added.
# Configure the ISP domain to use RADIUS scheme 1xallpermit for authentication, authorization, and accounting of all LAN users.
[AccDevice-isp-391] authentication lan-access radius-scheme 1xallpermit
[AccDevice-isp-391] authorization lan-access radius-scheme 1xallpermit
[AccDevice-isp-391] accounting lan-access radius-scheme 1xallpermit
[AccDevice-isp-391] quit
3. Configure 802.1X:
# Enable 802.1X globally and on port Ethernet 1/0/1. 802.1X takes effect on a port only after you enable it globally and on the port.
[AccDevice] dot1x
802.1X is enabled globally.
[AccDevice] dot1x interface Ethernet 1/0/1
802.1X is enabled on port Ethernet1/0/1.
# Specify the authentication method as CHAP. In this mode the switch terminates the EAP exchange with the client and forwards the credential to UAM as CHAP (CHAP-Password and CHAP-Challenge RADIUS attributes), so UAM verifies the CHAP response against the account password it stores.
[AccDevice] dot1x authentication-method chap

NOTE: 802.1X authentication methods include PAP, CHAP, and EAP.
· If a certificate is imported for authentication, you must set the authentication method to EAP.
· If the built-in 802.1X client of the Windows operating system is used, do not set the authentication method to PAP.
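The following is an added example, not code from the H3C documentation or from IMC UAM. It models, with the Python standard library only, the RADIUS exchange that the configuration above produces between the switch (the NAS) and UAM once the switch has terminated the client's EAP exchange and relays it as CHAP: the Access-Request with User-Name ice@391, CHAP-Password and CHAP-Challenge, and the Access-Accept or Access-Reject whose Response Authenticator is keyed with the shared key movie. It also shows how the username correlation rules of Table 1 play out on the server side (the suffix after @ selects the service) and why the Device IP in UAM must match the packet source address. The NAS_TABLE, SERVICES and ACCOUNTS dictionaries, the source_ip parameter standing in for the UDP source address, and all packet contents are constructed for this illustration; UAM's internal data model is not shown here.

```python
"""Stdlib-only model of the NAS <-> RADIUS server exchange in CHAP mode
(RFC 2865 sections 3, 5.1, 5.3 and 5.40; CHAP per RFC 1994 section 4.1).
Tables and packets are constructed for illustration, not taken from UAM."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 3, 4, 60

# Constructed tables mirroring the example: Device IP -> shared key,
# service suffix -> access policy, account name -> password.
NAS_TABLE = {"192.168.30.100": b"movie"}
SERVICES = {"391": "Access Permit"}
ACCOUNTS = {"ice": b"imc123"}


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    body = b"".join(_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(packet):
    """Return (code, ident, authenticator, attrs, body); reject bad length fields."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("bad attribute")
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return code, ident, packet[4:20], attrs, packet[20:length]


def chap_response(chap_id, password, challenge):
    """CHAP response value: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def nas_build_request(username, password, chap_id, ident, challenge, req_auth, nas_ip):
    """Access-Request as the switch sends it; with user-name-format with-domain
    the User-Name carries the domain, e.g. ice@391."""
    attrs = [
        (USER_NAME, username.encode()),
        (CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
        (CHAP_CHALLENGE, challenge),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ]
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def uam_handle(packet, source_ip):
    """Server side: select the shared key by source IP, split User-Name into account
    and service suffix, verify CHAP, and sign the reply. None means 'silently drop'."""
    secret = NAS_TABLE.get(source_ip)
    if secret is None:                        # not a configured access device
        return None
    code, ident, req_auth, attrs, _ = parse(packet)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or CHAP_PASSWORD not in a:
        return None
    account, at, suffix = a[USER_NAME].decode("utf-8", "replace").rpartition("@")
    if not at:                                # no '@': username sent without-domain
        account, suffix = suffix, ""
    password = ACCOUNTS.get(account)
    chap_id, given = a[CHAP_PASSWORD][0], a[CHAP_PASSWORD][1:]
    challenge = a.get(CHAP_CHALLENGE, req_auth)   # RFC 2865 5.3 fallback
    ok = (suffix in SERVICES and password is not None
          and hmac.compare_digest(chap_response(chap_id, password, challenge), given))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret);
    # this example sends no reply attributes, so the attribute part is empty.
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify_reply(reply, ident, req_auth, secret):
    """Switch side: trust the reply only if the ID matches the request and the
    Response Authenticator verifies under the shared key. Returns code or None."""
    code, reply_ident, resp_auth, _, body = parse(reply)
    expected = hashlib.md5(reply[:4] + req_auth + body + secret).digest()
    if reply_ident != ident or not hmac.compare_digest(expected, resp_auth):
        return None
    return code


def run_exchange(username, password, source_ip="192.168.30.100", nas_secret=b"movie"):
    """One round trip; returns the reply code the switch accepts, or None."""
    challenge, req_auth, ident = os.urandom(16), os.urandom(16), os.urandom(1)[0]
    request = nas_build_request(username, password, 1, ident, challenge, req_auth, source_ip)
    reply = uam_handle(request, source_ip)
    return None if reply is None else nas_verify_reply(reply, ident, req_auth, nas_secret)


if __name__ == "__main__":
    print(run_exchange("ice@391", b"imc123"))   # 2 = Access-Accept
    print(run_exchange("ice@391", b"wrong"))    # 3 = Access-Reject
```

Two properties of this exchange are worth keeping in mind when you deploy the configuration above. First, the CHAP Access-Request contains nothing derived from the shared key, so a switch configured with the wrong key is not rejected by the server; its requests are answered, and it simply discards the replies it cannot verify (the `nas_secret=b"other"` case below), which shows up on the switch as a server timeout rather than a key error. Second, CHAP-Challenge and CHAP-Password travel in the clear between the switch and UAM, so anyone who can capture that segment can run an offline dictionary attack against the user password; keep the switch-to-UAM path on a protected management network.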
Configuring the iNode client
The iNode client must be compatible with IMC UAM. For more information, see the release notes for the UAM version.
Verifying the configuration
Triggering 802.1X authentication
1. On the iNode client, click 802.1X Connection.
The 802.1X Connection window opens.
2. Enter the user name and password, and click Connect, as shown in Figure 16.
Figure 16 Entering the user name in the 802.1X connection area
The 802.1X authentication process starts. The authentication result shows that the connection has been established, as shown in Figure 17.
Figure 17 Authentication information
Viewing online users in UAM
1. Click the User tab.
2. From the navigation tree, select User > Online Users.
The access user named ice@391 is in the online user list, as shown in Figure 18.
Figure 18 Viewing online users