04-H3C IMC UAM 802.1X Authentication with the User Certificate Configuration Examples-book.pdf(724.74 KB)
- Released At: 05-07-2024
H3C IMC UAM
802.1X Authentication with the User Certificate Configuration Examples
Software version: IMC UAM 7.2 (E0402)
Copyright © 2016 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
Contents
Example: Configuring 802.1X authentication with the user certificate
Configuring the switch as an access device
Configuring an access policy for certificate authentication
Installing root and user certificates for the PC
Configuring the iNode client on the PC
Triggering 802.1X authentication
Introduction
This document provides examples for configuring 802.1X authentication with the user certificate.
The examples apply to enterprise and campus networks that require 802.1X authentication with the user certificate.
Prerequisites
Before you configure 802.1X authentication with the user certificate, make sure the following requirements are met:
· Obtain a root certificate, a server certificate, and a user certificate from a certification authority. The name of the user certificate must be the same as the account name of the access user in UAM. For more information about requesting and installing certificates for UAM and the client, see UAM Authentication Certificates Usage Guide.
· The switch supports the 802.1X protocol.
Example: Configuring 802.1X authentication with the user certificate
Network configuration
As shown in Figure 1, UAM is deployed on the server at 192.168.4.239. A Windows PC user attempts to access the network by using an 802.1X connection in the iNode client. The PC connects to port Ethernet 1/0/9 on the switch. The user accesses the network by using an account named sam.
The switch manages 802.1X users in the default ISP domain named cert and includes the domain name in the user names that are sent for authentication.
Set the shared keys for secure RADIUS communication to hello, set the authentication port to 1812, and set the accounting port to 1813.
Configure UAM and the iNode client to perform 802.1X authentication with the user certificate.
Software versions used
This configuration example was created and verified on the following platforms:
· IMC UAM 7.2 (E0402)
· H3C S3600V2-28TP-EI Comware Software, Version 5.20, Release 2103
· iNode PC 7.2 (E0402)
Restrictions and guidelines
When you configure UAM to perform 802.1X authentication with the user certificate, follow these restrictions and guidelines:
· UAM must provide both authentication and accounting services. Do not use a second server (other than the UAM server) to provide accounting.
· Make sure the port and shared key settings you configure for the access device in UAM are the same as those in the CLI configuration on the switch.
· To select the switch from the resource pool, make sure it is already added to the IMC platform, either manually or through auto discovery.
· The procedure for importing certificates to UAM varies by UAM version. For more information, see UAM Authentication Certificates Usage Guide.
· Configure a service suffix for the 802.1X user depending on the authentication domain and username format settings on the switch, as shown in Table 1.
Table 1 Determining the service suffix
Username in iNode | Authentication domain on the switch | Username format command on the switch | Service suffix in UAM
sam@cert | cert | user-name-format with-domain | cert
sam@cert | cert | user-name-format without-domain | No suffix
Configuring UAM
Configuring the switch as an access device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
The Access Device page opens, as shown in Figure 2.
Figure 2 Accessing the Access Device page
3. Click Add on top of the access device list.
The Add Access Device page opens, as shown in Figure 3.
Figure 3 Accessing the Add Access Device page
4. Add the switch to UAM as an access device.
You can add a device to UAM either manually or by selecting the device from the IMC platform. This example uses the Add Manually option.
To manually add the switch to UAM:
a. In the Device List area, click Add Manually.
b. On the Add Access Device Manually window, enter 192.168.30.100 in the Device IP field, as shown in Figure 4.
c. Click OK.
Figure 4 Adding an access device manually
5. Configure the access parameters for the access device, as shown in Figure 5:
a. In the Access Configuration area, enter hello in the Shared Key and Confirm Shared Key fields.
b. Use the default values for other parameters.
Figure 5 Adding an access device
6. Click OK.
7. On the results page, click Back to Access Device List.
The new access device is added to the access device list, as shown in Figure 6.
Figure 6 Viewing the switch in the access device list
Configuring an access policy for certificate authentication
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Policy.
The Access Policy page opens.
3. In the access policy list, click Add.
The Add Access Policy page opens.
4. Configure access policy parameters, as shown in Figure 7:
a. Enter CA Policy in the Access Policy Name field.
b. Select EAP-TLS from the Preferred EAP Type list.
c. Select Disable from the EAP Auto Negotiate list.
d. Use the default values for other parameters.
Figure 7 Adding an access policy
5. Click OK.
Configuring an access service
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Service.
3. On the Access Service list, click Add.
The Add Access Service page opens.
4. Configure basic information for the access service, as shown in Figure 8:
a. Enter CA Service in the Service Name field.
b. Enter cert in the Service Suffix field. For more information about determining the service suffix, see Table 1.
c. Select CA Policy from the Default Access Policy list.
d. Use the default values for other parameters.
Figure 8 Adding an access service
5. Click OK.
Configuring the access user
1. Click the User tab.
2. From the navigation tree, select Access User > All Access Users.
3. Click Add on top of the access user list.
The Add Access User page opens.
4. Configure the basic parameters for the access user, as shown in Figure 9:
a. In the User Name field, configure an IMC platform user to be associated with the access user.
You can either select an existing user account from the IMC platform or add a new IMC platform user.
This example uses the Add User option. On the Add User window, enter sam in the User Name field, enter 1497 in the Identity Number field, and click OK.
b. Enter sam in the Account Name field.
c. Enter sam in the Password and Confirm Password fields.
d. Select the service named CA Service in the Access Service area.
e. Use the default values for other parameters.
Figure 9 Adding an access user
5. Click OK.
NOTE: To check the account name against certificate attributes for certificate authentication, enable the Check Cert Attributes for Account option in system parameters and specify the certificate attributes to check. The certificate attributes include Subject-CN, Subject-Email, Subject Alternative Name-DNS, and Subject Alternative Name-UPN. The account name must match a certificate attribute to pass the authentication. If the account name does not match any attribute, the user cannot pass the authentication. In this example, the Check Cert Attributes for Account option is disabled.
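The following Python model, added here and not part of the H3C document, walks through the two UAM-side naming decisions described in Table 1 and in the note above: how the switch's user-name-format setting changes the User-Name that reaches UAM, how that name is split into account name and service suffix to pick an access service, and how the optional Check Cert Attributes for Account test compares the account name with the listed certificate fields. The service table, the certificate attribute values, and the exact-match rule for the attribute check are constructed assumptions.

```python
# Added example, not H3C code. Models the naming decisions this document
# describes: Table 1 (username format -> service suffix) and the note on
# "Check Cert Attributes for Account". All data below is constructed.

# Service suffix -> access service name, as configured in UAM. Only the
# suffixed service "CA Service" exists in this example (suffix "cert").
SERVICES = {"cert": "CA Service"}

# Attributes the note lists as checkable; values are constructed, and
# represent a user certificate issued to the account "sam".
SAM_CERT = {"Subject-CN": "sam", "Subject-Email": "sam@example.test",
            "SAN-DNS": "", "SAN-UPN": "sam@example.test"}

CHECKED_ATTRIBUTES = ("Subject-CN", "Subject-Email", "SAN-DNS", "SAN-UPN")


def switch_user_name(inode_username, with_domain):
    """User-Name the switch sends to RADIUS: unchanged under
    'user-name-format with-domain', '@domain' stripped under 'without-domain'."""
    if with_domain or "@" not in inode_username:
        return inode_username
    return inode_username.rsplit("@", 1)[0]


def split_account(user_name, services):
    """Split a received User-Name into (account name, service suffix).
    The text after the last '@' counts as a suffix only if a service uses it;
    a name with no usable suffix maps to the 'No suffix' service (None)."""
    if "@" in user_name:
        account, suffix = user_name.rsplit("@", 1)
        if suffix in services:
            return account, suffix
    return user_name, None


def account_matches_cert(account, cert_attrs, check_enabled):
    """Check Cert Attributes for Account: disabled (this document's setting)
    always passes; enabled requires the account name to equal one of the
    checked attributes (exact, case-sensitive match is an assumption)."""
    if not check_enabled:
        return True
    return any(cert_attrs.get(k) == account for k in CHECKED_ATTRIBUTES)


def uam_decision(inode_username, with_domain, services, cert_attrs, check_enabled):
    """Return (matched service or None, account name, certificate check result)."""
    sent = switch_user_name(inode_username, with_domain)
    account, suffix = split_account(sent, services)
    return services.get(suffix), account, account_matches_cert(account, cert_attrs, check_enabled)


if __name__ == "__main__":
    print(uam_decision("sam@cert", True, SERVICES, SAM_CERT, False))   # matches CA Service
    print(uam_decision("sam@cert", False, SERVICES, SAM_CERT, False))  # no service: needs "No suffix"
```

The second call shows the Table 1 point: with user-name-format without-domain the switch sends only sam, so a service with no suffix would be needed; with the option enabled, an account name that appears in none of the four certificate fields (for example bob presenting sam's certificate) fails the check.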
Configuring certificates
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Service Parameters > Certificate.
The Certificate page opens.
3. On the Root Certificate tab, click Import EAP Root Certificate, as shown in Figure 10.
Figure 10 Configuring the root certificate
4. Click Browse and select the local root certificate.
This example uses a root certificate named root.der, as shown in Figure 11.
Figure 11 Browsing to the root certificate
5. Click Next.
The CRL configuration page opens. This example skips the CRL configuration, as shown in Figure 12.
6. Click OK to finish the root certificate configuration.
7. Click the Server Certificate tab, and click Import EAP Server Certificate, as shown in Figure 13.
Figure 13 Configuring the server certificate
8. Configure the server certificate parameters, as shown in Figure 14:
a. Select the Private key is included in server certificate file option.
b. Click Browse and select the local server certificate.
This example uses a server certificate named server.p12.
Figure 14 Browsing to the server certificate
9. Click Next.
10. Enter the password in the Password of Server Private Key field, as shown in Figure 15.
Figure 15 Entering the server certificate key password
11. Click OK to finish the server certificate configuration.
Figure 16 Previewing the certificates
12. Click Verify Imported Certificate.
The verification result page opens, as shown in Figure 17.
Figure 17 Verifying imported certificates
Configuring the switch
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named capolicy.
<SWITCH> system-view
[SWITCH] radius scheme capolicy
# Configure UAM as the primary RADIUS authentication and accounting server. Set the RADIUS authentication port to 1812, and set the accounting port to 1813.
[SWITCH-radius-capolicy] primary authentication 192.168.4.239 1812
[SWITCH-radius-capolicy] primary accounting 192.168.4.239 1813
# Configure the shared key to hello to secure RADIUS authentication and accounting communication.
[SWITCH-radius-capolicy] key authentication hello
[SWITCH-radius-capolicy] key accounting hello
# Specify the source IP address for outgoing RADIUS packets.
[SWITCH-radius-capolicy] nas-ip 192.168.30.100
# Specify the RADIUS server type as extended to support UAM.
[SWITCH-radius-capolicy] server-type extended
# Configure the switch to include domain information in the user names to be sent to the RADIUS server.
[SWITCH-radius-capolicy] user-name-format with-domain
[SWITCH-radius-capolicy] quit
2. Configure an ISP domain:
# Create an ISP domain named cert.
[SWITCH] domain cert
# Configure the switch to use the RADIUS scheme capolicy for LAN users.
[SWITCH-isp-cert] authentication lan-access radius-scheme capolicy
[SWITCH-isp-cert] authorization lan-access radius-scheme capolicy
[SWITCH-isp-cert] accounting lan-access radius-scheme capolicy
[SWITCH-isp-cert] quit
3. Configure 802.1X authentication:
# Enable 802.1X globally and on Ethernet 1/0/9. The 802.1X function takes effect only when 802.1X is enabled globally and on the interface.
[SWITCH] dot1x
[SWITCH] dot1x interface ethernet 1/0/9
# Configure the switch to support EAP authentication methods for RADIUS communication. To support certificate authentication, you must specify the eap keyword.
[SWITCH] dot1x authentication-method eap
Configuring the PC
Installing root and user certificates for the PC
To enable the user's PC to pass certificate-based authentication on UAM, you must download and install a root CA certificate on the PC.
This example uses the EAP-TLS authentication method, which also requires you to obtain and install a user certificate for the PC.
For more information about installing certificates on the PC, see UAM Authentication Certificates Usage Guide.
Configuring the iNode client on the PC
1. Launch the iNode client.
2. Click 802.1X Connection, as shown in Figure 18.
Figure 18 Viewing the 802.1X connection
3. Click the More icon and select Properties from the menu.
The Properties window for the 802.1X connection opens, as shown in Figure 19.
Figure 19 Accessing the Properties window
4. Click the Advanced tab, as shown in Figure 20.
Figure 20 Accessing the Advanced tab
5. Select the Enable advanced authentication option, and configure the following parameters, as shown in Figure 21:
a. Select Certificate authentication from the advanced authentication list.
b. Select EAP-TLS as the authentication type.
c. Click Client Certificate, select the client certificate issued by the root certificate to the client, and click OK, as shown in Figure 22.
d. Select the Validate server certificate chain option.
e. Click OK.
Figure 21 Configuring advanced authentication
Figure 22 Selecting a client certificate
6. Click OK.
Verifying the configuration
Triggering 802.1X authentication
1. On the iNode client, click 802.1X Connection.
The 802.1X Connection window opens.
2. Enter sam@cert in the Username field, and click Connect, as shown in Figure 23.
Figure 23 Entering the user name in the 802.1X connection area
The certificate authentication process starts. The authentication result shows that the connection has been established, as shown in Figure 24.
Figure 24 Authentication information
Viewing online users in UAM
1. Click the User tab.
2. From the navigation tree, select User > Online Users.
The access user named sam@cert is in the online user list, as shown in Figure 25.
Figure 25 Viewing online users