15-H3C IMC EIA PEAP-MSCHAPv2 Authentication with LDAP Configuration Examples


 

H3C IMC EIA

PEAP-MSCHAPv2 Authentication with LDAP  

Configuration Examples


Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

This document provides examples for using EIA together with an LDAP server to provide PEAP-MSCHAPv2 authentication.

PEAP-MSCHAPv2 is an EAP method with two stages. First, the EAP server (EIA) presents a server certificate and the client builds a TLS tunnel to it (PEAP). Second, the user's username and password are verified inside that tunnel with MS-CHAPv2. Only the server needs a certificate; the user authenticates with a password. MS-CHAPv2 cannot be verified with a plain LDAP bind, which is why the configuration below registers a computer account (the virtual computer) in the domain and lets the domain controller verify the password.

When the LDAP server is Windows AD, EIA supports EAP-PEAP-MSCHAPv2 authentication for LDAP users.

Prerequisites

Before you configure EIA PEAP-MSCHAPv2 authentication with LDAP, complete the following tasks:

·     Verify that the access device supports 802.1X, and make sure the access device and the IMC server can reach each other.

·     Verify that the LDAP server is Windows AD, and make sure the LDAP server and the IMC server can reach each other. For more information about installing Windows AD, see the "Appendix."

·     Obtain the server certificate, including its private key, that EIA will present to clients in the PEAP TLS handshake.

Example: Configuring EIA PEAP-MSCHAPv2 authentication with LDAP

Network configuration

As shown in Figure 1, a company uses an LDAP server (Windows AD) and IMC EIA for user authentication.

The iNode client is installed on the user's PC and initiates 802.1X authentication with PEAP-MSCHAPv2.

EIA terminates the PEAP tunnel and runs the MS-CHAPv2 exchange with the client, then has the LDAP server (the Windows AD domain controller) verify the user's credentials. The LDAP server returns the result to EIA, which accepts or rejects the access request accordingly.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on the following platforms:

·     EIA: IMC EIA 7.3 (E0630).

·     LDAP server: Windows AD, which runs on Windows Server 2016.

·     Switch (the access device): H3C Comware Software, Version 7.1.045, Release 2432P06 2212P02.

·     iNode client: iNode PC 7.3 (E0585).

Restrictions and guidelines

Access device configuration

When you add the switch to EIA as an access device, use the following guidelines:

·     Use the NAS IP address (configured by using the nas-ip command on the switch) as the IP address of the access device on EIA.

·     If the nas-ip command is not configured, use the IP address of the interface (including a VLAN interface) from which the switch sends RADIUS packets to EIA.

In this example, nas-ip 192.168.30.100 is configured in the RADIUS scheme, and the access device is added to EIA with that IP address. EIA discards RADIUS packets whose source address does not belong to a configured access device, so a mismatch here shows up as authentication failures that have no user-level cause.

Certificate configuration

The server certificate imported to EIA must be the one the client expects: either the same certificate installed on the client, or a certificate issued by a CA that the client trusts. If the client validates the server certificate and does not trust it, the PEAP TLS handshake fails before the username and password are ever sent.

Shared key configuration

The authentication and accounting shared keys configured on EIA must be the same as the authentication and accounting shared keys configured on the access device. This example uses the short key expert for readability. In production, use a long random shared key per access device: the shared key is the only thing that authenticates the switch to EIA and protects the keying material (MS-MPPE keys) that EIA returns in Access-Accept packets.

Service port configuration

The authentication port and accounting port configured on EIA must be the same as the authentication port and accounting port configured on the access device.

Service suffix configuration

The service suffix configuration on EIA depends on the ISP domain configuration on the access device and the account name used by the client for authentication.

Table 1 shows the parameter mapping.

Table 1 Parameter mapping

Account name | Authentication domain on the access device | Username format command on the access device | Service suffix in EIA
-------------|--------------------------------------------|----------------------------------------------|----------------------
X@Y          | Y                                          | user-name-format with-domain                 | Y
X@Y          | Y                                          | user-name-format without-domain              | No suffix
X            | Default domain                             | user-name-format with-domain                 | Default domain
X            | Default domain                             | user-name-format without-domain              | No suffix

In this example, the user enters the username with the domain name (test01@cert), and the switch uses user-name-format with-domain, so the access service in EIA must be configured with the service suffix cert.

Configuring the LDAP server

1.     Create an organizational unit (OU) named test in the h3c.com domain, and then create user test01 in that OU. The Base DN that EIA will use for this user is ou=test,dc=h3c,dc=com.

Figure 2 User data directory

 

2.     Create a computer account named eiaserver (the virtual computer that EIA authenticates with). Then execute the ModifyComputerAccountPass.vbs script on the domain controller to reset the computer account's password to the value you will enter in EIA. For more information, see "Resetting the virtual computer password."

Figure 3 Creating a virtual computer

 

3.     The administrator account is in the Users container, so the administrator DN is cn=administrator,cn=users,dc=h3c,dc=com. The administrator's password in this example is iMC123.

Figure 4 Administrator

 

4.     Identify the authentication listening port on the LDAP server. The default value is 389.
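The four steps above are performed in the Active Directory Users and Computers GUI. The following PowerShell script is an added example, not part of the H3C document, that creates the same objects on the domain controller and, instead of binding EIA as cn=administrator, adds a dedicated read-only bind account. It assumes the forest root h3c.com and the object names from this example (ou=test, test01, eiaserver); the bind account name eia-bind is an assumption introduced here, and it is assumed that ModifyComputerAccountPass.vbs does nothing beyond resetting the computer account's password. Run it in an elevated PowerShell on the domain controller as a domain administrator; the ActiveDirectory module is installed with the AD DS role.

```powershell
# Added example (not from the H3C document): prepare the AD objects that
# "Configuring the LDAP server" creates by hand, plus a least-privilege bind
# account for EIA. Assumptions: forest root h3c.com; names ou=test, test01,
# eiaserver as in the example; the account name "eia-bind" is invented here.
Import-Module ActiveDirectory

$domainDN = 'DC=h3c,DC=com'
$baseDN   = "OU=test,$domainDN"          # Base DN entered in EIA

# 1. OU that EIA will use as its Base DN (create only if it does not exist).
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'test'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name 'test' -Path $domainDN
}

# 2. Test user in that OU. MS-CHAPv2 is verified by the domain controller from
#    the NT hash it stores for every enabled account, so nothing special is
#    needed on the user object.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'test01'")) {
    New-ADUser -Name 'test01' -SamAccountName 'test01' `
        -UserPrincipalName 'test01@h3c.com' -Path $baseDN `
        -AccountPassword (Read-Host -Prompt 'Password for test01' -AsSecureString) `
        -Enabled $true
}

# 3. Computer account that EIA uses as its "virtual computer". Its password is
#    what you enter as Virtual Computer Password in EIA. Set-ADAccountPassword
#    -Reset does what ModifyComputerAccountPass.vbs does (assumption: the script
#    only resets this password).
if (-not (Get-ADComputer -Filter "Name -eq 'eiaserver'")) {
    New-ADComputer -Name 'eiaserver' -Path "CN=Computers,$domainDN" -Enabled $true
}
$vcPassword = Read-Host -Prompt 'Virtual computer password (enter the same value in EIA)' -AsSecureString
Set-ADAccountPassword -Identity 'eiaserver$' -Reset -NewPassword $vcPassword

# 4. Dedicated bind account instead of cn=administrator. An ordinary domain user
#    can read the Base DN, which is what the LDAP synchronization needs
#    (assumption: EIA is not configured to write back to AD).
#    Admin DN to enter in EIA: cn=eia-bind,cn=users,dc=h3c,dc=com
if (-not (Get-ADUser -Filter "SamAccountName -eq 'eia-bind'")) {
    New-ADUser -Name 'eia-bind' -SamAccountName 'eia-bind' -Path "CN=Users,$domainDN" `
        -AccountPassword (Read-Host -Prompt 'Password for eia-bind' -AsSecureString) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
}

# 5. Show what EIA will see: users under the Base DN (Get-ADUser does not
#    return computer objects) and the virtual computer's DN and SAM name.
Get-ADUser -Filter * -SearchBase $baseDN | Select-Object Name, DistinguishedName, Enabled
Get-ADComputer -Identity 'eiaserver' | Select-Object Name, DistinguishedName, SamAccountName
```

If you use the eia-bind account, enter its DN as Admin DN in "Associating EIA with the LDAP server" instead of the administrator DN; the rest of the EIA configuration is unchanged.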

Configuring EIA

Configuring an access policy

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Access Policy.

The access policy list is displayed, as shown in Figure 5.

Figure 5 Access policy list

 

3.     Click Add.

4.     On the Add Access Policy page, configure the following parameters, as shown in Figure 6:

¡     Enter CA Policy in the Access Policy Name field.

¡     Select EAP-PEAP from the Preferred EAP Type list.

¡     Select EAP-MSCHAPv2 from the Subtype list.

¡     Use the default values for other parameters.

Figure 6 Configuring the access policy

 

5.     Click OK.

The access policy named CA Policy is added to the access policy list, as shown in Figure 7.

Figure 7 Viewing the new access policy on the list

 

Configuring an access service

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Access Service.

The access service list is displayed, as shown in Figure 8.

Figure 8 Access service list

 

3.     Click Add.

4.     On the Add Access Service page, configure the basic information for the access service, as shown in Figure 9:

a.     Enter CA Service in the Service Name field.

b.     Enter cert in the Service Suffix field. For more information about service suffix, see "Service suffix configuration."

c.     Select CA Policy from the Default Access Policy list.

d.     Use the default values for other parameters.

Figure 9 Configuring the access service

 

5.     Click OK.

The access service named CA Service is added to the access service list, as shown in Figure 10.

Figure 10 Viewing the new access service on the list

 

Associating EIA with the LDAP server

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > LDAP Service > LDAP Server.

The LDAP server list is displayed, as shown in Figure 11.

Figure 11 LDAP server list

 

3.     Click Add.

4.     On the Add LDAP Server page, configure the following parameters, as shown in Figure 12:

¡     Server Name: Enter an LDAP server name. Make sure the name is unique on the EIA server. This example uses Windows AD.

¡     Address: Enter the IP address of the LDAP server. The combination of this parameter and Base DN must be unique. The example uses 10.114.119.41.

¡     Server Type: Select Microsoft Active Directory, because the LDAP server is Windows AD.

¡     Admin DN: Enter the distinguished name of the account EIA binds with (you can create a dedicated account for this instead of using the domain administrator; for synchronization it needs read access to the Base DN). In this example, the administrator DN is cn=administrator,cn=users,dc=h3c,dc=com, from step 3 of "Configuring the LDAP server."

¡     Admin Password: Enter the password of that account, iMC123 in this example (step 3 of "Configuring the LDAP server"). EIA establishes the connection to the LDAP server by binding with the admin DN and password.

¡     Base DN: Enter the distinguished name of the container under which user data is stored on the LDAP server. This example uses ou=test,dc=h3c,dc=com, from step 1 of "Configuring the LDAP server."

¡     Select MS-CHAPv2 Authentication to enable MSCHAPv2 authentication for the Windows AD server.

¡     Select Authentication by Virtual Computer.

¡     Use IP addresses of LDAP Servers: In this example, the domain controller and the LDAP server are the same server, and their addresses are identical, so select Use IP addresses of LDAP Servers.

¡     Domain Controller Full Name: Enter the full name of the domain controller server WIN-QV3FGRSHLRD.h3c.com.

¡     Virtual Computer Name: Enter the name of the virtual computer as eiaserver.

¡     Virtual Computer Password: Enter the password for the virtual computer and re-enter it to ensure consistency.

¡     Use the default values for other parameters.

Figure 12 Adding an LDAP server

 

5.     Click Test to test the LDAP server's connectivity.

The connectivity test result is displayed, as shown in Figure 13.

Figure 13 Test result

 

6.     Click OK.

The LDAP server named Windows AD is added to the LDAP server list, as shown in Figure 14.

Figure 14 Viewing the new LDAP server on the list

 
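The Test button in step 5 performs an LDAP simple bind with the Admin DN and password and then reads the Base DN. The following script is an added example, not part of the H3C document, that does the same from the IMC server (or any Windows host that can reach the domain controller) so that a wrong Admin DN, Base DN or password can be diagnosed outside the EIA GUI. It uses the values from this section (10.114.119.41, port 389, the administrator DN and ou=test,dc=h3c,dc=com); the LDAP filter used to exclude computer objects is this example's own choice.

```powershell
# Added example (not from the H3C document): reproduce EIA's LDAP server test
# from a Windows host with the same Admin DN, password, address and Base DN.
# Windows PowerShell 5.1; no extra modules required.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost = '10.114.119.41'
$ldapPort = 389
$adminDN  = 'cn=administrator,cn=users,dc=h3c,dc=com'
$baseDN   = 'ou=test,dc=h3c,dc=com'

$password = Read-Host -Prompt "Password for $adminDN" -AsSecureString
$cred     = New-Object System.Net.NetworkCredential($adminDN, $password)
$server   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldapHost, $ldapPort)

# EIA binds with a DN and password, i.e. an LDAP simple bind. On port 389 that
# password crosses the network in cleartext; use port 636 and set
# $conn.SessionOptions.SecureSocketLayer = $true if the DC offers LDAPS and EIA
# is configured for it.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $server, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.ProtocolVersion = 3
try {
    $conn.Bind()
    "Bind OK as $adminDN"
}
catch {
    "Bind FAILED as ${adminDN}: $($_.Exception.Message)"
    return
}

# Search the Base DN the way the sync policy does: whole subtree, user objects
# only. objectCategory=person leaves out computer objects, which is the effect
# of "Filter out Computer Accounts" in the sync policy.
$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
               $baseDN,
               '(&(objectCategory=person)(objectClass=user))',
               [System.DirectoryServices.Protocols.SearchScope]::Subtree,
               @('sAMAccountName', 'userPrincipalName', 'userAccountControl'))
$response = $conn.SendRequest($request)

"Users under ${baseDN}: $($response.Entries.Count)"
foreach ($entry in $response.Entries) {
    $sam = [string]$entry.Attributes['sAMAccountName'][0]
    $upn = [string]$entry.Attributes['userPrincipalName'][0]
    $uac = [int]$entry.Attributes['userAccountControl'][0]
    # ACCOUNTDISABLE (0x2): a disabled user is synchronized but fails MS-CHAPv2.
    $state = if ($uac -band 0x2) { 'DISABLED' } else { 'enabled' }
    '{0,-12} {1,-30} {2}' -f $sam, $upn, $state
}
$conn.Dispose()
```

A bind that fails here with LDAP result code 49 (invalid credentials) means the Admin DN or password is wrong; a bind that succeeds but returns zero entries means the Base DN does not contain the users, and the synchronization policy in the next section would also sync nothing.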

Resetting the virtual computer password

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > LDAP Service > LDAP Parameters.

The LDAP Parameters page opens, as shown in Figure 15.

Figure 15 LDAP Parameters page

 

3.     Click the link at the bottom of the page to download the script and save it locally, as shown in Figure 16.

Figure 16 Downloading the script

 

4.     Use a text editor to set the object value that identifies the virtual computer (eiaserver) and its password in the script file, as shown in Figure 17. The password must be identical to the Virtual Computer Password entered in EIA.

Figure 17 Modifying the object value and password of the virtual computer

 

5.     Execute the script on the domain controller.

Configuring an LDAP synchronization policy

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > LDAP Service > Sync Policy.

The synchronization policy list is displayed, as shown in Figure 18.

Figure 18 Synchronization policy list

 

3.     Click Add.

4.     On the Add Sync Policy page, configure the following parameters, as shown in Figure 19:

¡     Policy Name: Enter a unique name for the LDAP synchronization policy in EIA. This example uses LDAP Sync Policy.

¡     Server Name: Select Windows AD from the drop-down list.

¡     Sub-Base DN: Enter the path to the subdirectory where the LDAP server stores user data. The synchronization policy syncs user data in this directory. The sub-base DN must be an absolute path on the LDAP server, and it must be the base DN or its subset. This example uses ou=test,dc=h3c,dc=com.

¡     Sync Object: Select the type of users to be synchronized. This example selects Access Users.

-     Access Users: Synchronize LDAP users as access users.

-     Device Users: Synchronize LDAP users as device management users.

¡     Sync Options: Select synchronization options. In this example, select Auto Synchronization, Synchronize New Users and Accounts, Synchronize New Accounts for Existing Users, and Filter out Computer Accounts.

-     Auto Synchronization: Sync daily at the time set for LDAP Sync/Backup Task in the system parameters.

-     Synchronize Users as Needed: Performs on-demand synchronization. When a user that exists on the LDAP server but not in IMC EIA attempts access authentication, EIA forwards the access request to the LDAP server for authentication. If the user passes, EIA synchronizes the user from the LDAP server into IMC. If the number of user-related licenses in IMC has reached its limit, the user cannot be synchronized and is forced offline. On-demand synchronization works only for users authenticated with PAP or EAP-MD5; it cannot synchronize users authenticated with CHAP or any certificate-based method. PEAP/MS-CHAPv2 users can be synchronized on demand only if the default access policy of the user's access service is not Deny access and uses PEAP/MS-CHAPv2 authentication. When such a user initiates EAP authentication for the first time (at which point EIA does not have the user's password), EIA checks whether this LDAP temporary user meets the on-demand sync criteria and, if so, creates the user as an official user regardless of whether the subsequent authentication succeeds.

-     Enable Third-Party Authentication: When you select this option, the system performs third-party authentication for the LDAP users synchronized by this policy. When you do not select it, the system performs LDAP authentication for these users.

-     Synchronize New Users and Accounts: If a user exists on the LDAP server but not on the IMC platform, the synchronization adds the user to the IMC platform and creates a corresponding access user in the EIA component.

-     Synchronize New Accounts for Existing Users: If a user exists both on the LDAP server and on the IMC platform but has no corresponding access user in the EIA component, the synchronization creates the access user in the EIA component.

-     Synchronize Users in Current Node Only: If this option is selected, the policy synchronizes only the users directly in the sub-base DN, not those in its subordinate OUs. If it is not selected, the policy synchronizes all users in the sub-base DN and its subordinate OUs.

-     Filter out Computer Accounts: If you clear this option, computer accounts are synchronized as access users, so keep it selected.

-     SMS Message: Sends password notifications through text messages.

-     Email: Sends password notifications through email.

-     SMS Message: Sends password notifications through text messages.

-     Email: Sends password notifications through email.

¡     Use the default values for other parameters.

Figure 19 Adding a synchronization policy

 

5.     Click Next.

6.     On the page shown in Figure 20, configure the following parameters:

¡     Configure access information:

-     Password: In this example, enter password iMC123456. You can customize it.

-     Use the default settings for other parameters.

¡     Configure the access service. How the access service is determined depends on the service sync mode of the LDAP server that the policy uses:

-     AD group-based: The access service of each synchronized user is determined by the user's LDAP groups, the LDAP group-to-service mapping in the synchronization policy, and the group structure on the LDAP server. From the tree formed by the user's direct and indirect groups, the service closest to the user and with the highest priority is selected.

-     Manual: You specify the access service for the bound users. This example uses CA Service as the access service.

¡     Access Device Binding Information and Terminal Binding Information: Use the default settings.

Figure 20 Configuring the synchronization policy

 

7.     Click Finish.

The synchronization policy named LDAP Sync Policy is added to the synchronization policy list, as shown in Figure 21.

Figure 21 Viewing the new policy on the synchronization policy list

 

Synchronizing LDAP users

1.     On the synchronization policy list, click Synchronize for the LDAP synchronization policy LDAP Sync Policy.

The page displays the synchronization result, as shown in Figure 22.

Figure 22 Synchronizing LDAP users

 

2.     Click Back.

3.     From the navigation tree, select Access User > All Access Users.

The access user list includes users synchronized from the LDAP server, as shown in Figure 23.

Figure 23 Viewing the LDAP users on the access user list

 

Importing the server certificate

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Service Parameters > Certificate.

The certificate configuration page opens, as shown in Figure 24.

Figure 24 Configuring certificates

 

3.     Click the Server Certificate tab.

The server certificate list is displayed, as shown in Figure 25.

Figure 25 Server certificate list

 

4.     Click Import EAP Server Certificate.

The Server Certificate page opens.

5.     Select the Private key is included in server certificate file option and select a server certificate file.

6.     On the Choose File to Upload window that opens, select the certificate file named server.p12, as shown in Figure 26.

Figure 26 Uploading the server certificate file

 

7.     Click Open.

The Server Certificate page displays the name of the server certificate file.

8.     Click Next.

9.     On the Certificate Private Key Protection page, enter the password that protects the private key in server.p12, and then click OK.
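Before importing, it is worth checking that server.p12 is actually usable as a PEAP server certificate: that it carries the private key, that it is not signed with SHA-1 (a CA set up with SHA1 as in "Configuring certificate services" issues such certificates, and current supplicants reject them), that it has the Server Authentication EKU, and that its issuing CA is trusted, since the client PCs must trust the same issuer. The following script is an added example, not part of the H3C document; it assumes the file and password from this section and runs in Windows PowerShell 5.1 on any Windows host.

```powershell
# Added example (not from the H3C document): sanity-check server.p12 before
# importing it on the Certificate page. Assumptions: the file and the private
# key password are the ones used in "Importing the server certificate".
param([string]$PfxPath = '.\server.p12')

$pfxPassword = Read-Host -Prompt 'Password protecting the private key in server.p12' -AsSecureString
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            (Resolve-Path $PfxPath).Path, $pfxPassword,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

$problems = @()

# EIA terminates the PEAP TLS tunnel, so the file must carry the private key
# ("Private key is included in server certificate file").
if (-not $cert.HasPrivateKey) { $problems += 'no private key in the file' }

# A CA set up with SHA1 issues sha1RSA certificates; current operating systems
# and supplicants reject those, so the tunnel never comes up.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match '^(sha1|md5)') { $problems += "signature algorithm $sigAlg is deprecated; reissue from a SHA-256 CA" }

# Supplicants that validate the server certificate expect the Server
# Authentication EKU (1.3.6.1.5.5.7.3.1) when an EKU extension is present.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    $problems += 'EKU does not include Server Authentication'
}

# RSA key size and remaining validity.
if ($cert.PublicKey.Oid.FriendlyName -eq 'RSA' -and $cert.PublicKey.Key.KeySize -lt 2048) {
    $problems += "RSA public key is only $($cert.PublicKey.Key.KeySize) bits"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires on $($cert.NotAfter)" }

# The issuing CA must be trusted on the client PCs for the supplicant to accept
# the tunnel. This builds the chain on the local host only; repeat on a client
# or install the CA certificate there.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "chain does not build on this host ($status); install the issuing CA certificate on the clients"
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"SigAlg  : $sigAlg"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
if ($problems) {
    'NOT OK:'
    $problems | ForEach-Object { " - $_" }
    exit 1
}
'OK to import'
exit 0
```

Run it as .\Check-EapServerCert.ps1 -PfxPath C:\certs\server.p12 (the script name is an assumption). A non-zero exit code means the certificate would be imported but PEAP authentication would fail on the client side, which is a far harder failure to diagnose than a rejected import.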

Configuring system parameters

PEAP-MSCHAPv2 users authenticate with a password inside the TLS tunnel and do not present a client certificate, so the system must not check certificate attributes against the user account. Disable that check as follows.

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Service Parameters > System Settings.

The system settings list is displayed, as shown in Figure 27.

Figure 27 System settings list

 

3.     Click the Configure icon for System Parameters.

4.     On the System Parameters page, clear the Check Cert Attributes for Account option, and then click OK, as shown in Figure 28.

Figure 28 Configuring the system parameters

 

Adding an access device

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

The access device list is displayed, as shown in Figure 29.

Figure 29 Access device list

 

3.     Click Add.

The Add Access Device page opens.

4.     Configure the following parameters, as shown in Figure 30:

a.     In the Access Configuration area, enter expert in the Shared Key field and Confirm Shared Key field, and use the default values for other parameters.

b.     In the Device List area, click Select.

c.     On the Select Devices window, select the access device with an IP address of 192.168.30.100, and then click OK.

d.     Click OK.

Figure 30 Configuring the access device

 

5.     On the operation result page, click Back to Access Device List.

The new access device is added to the access device list.

Configuring the switch

1.     Configure a RADIUS scheme:

# Create RADIUS scheme test and enter RADIUS scheme view.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C]radius scheme test

New Radius scheme

# Specify EIA at 192.168.1.230 as the primary authentication and accounting server, and set the authentication and accounting port numbers, which must be the same as those set in "Adding an access device."

[H3C-radius-test]primary authentication 192.168.1.230 1812

[H3C-radius-test]primary accounting 192.168.1.230 1813

# Set both the authentication and accounting shared keys to expert for secure RADIUS communication. The share keys must be the same as those set in "Adding an access device."

[H3C-radius-test]key authentication expert

[H3C-radius-test]key accounting expert

# Configure the access device to send usernames with domain names to EIA. See Table 1 for configuration mappings.

[H3C-radius-test]user-name-format with-domain

# Specify 192.168.30.100 as the source IP address of the RADIUS packets sent to EIA. This must be the IP address with which the access device is added in "Adding an access device."

[H3C-radius-test]nas-ip 192.168.30.100

[H3C-radius-test]quit

2.     Configure an ISP domain:

# Create domain cert and enter ISP domain view.

[H3C]domain cert

New Domain added.

# Configure ISP domain cert to use RADIUS scheme test for authentication, authorization, and accounting of users.

[H3C-isp-cert]authentication default radius-scheme test

[H3C-isp-cert]authorization default radius-scheme test

[H3C-isp-cert]accounting default radius-scheme test

[H3C-isp-cert]quit

3.     Configure 802.1X:

# Set the authentication method to EAP relay. The switch then forwards EAP packets between the client and EIA unchanged, which is required for EAP-PEAP/EAP-MSCHAPv2 because the TLS tunnel is terminated on EIA, not on the switch.

[H3C]dot1x authentication-method eap

# Enable 802.1X globally and on the interface. Specify a mandatory authentication domain for 802.1X users on the interface so that they are always authenticated in ISP domain cert.

[H3C]dot1x

[H3C]interface GigabitEthernet 1/0/9

[H3C-GigabitEthernet1/0/9]dot1x

[H3C-GigabitEthernet1/0/9]dot1x mandatory-domain cert

Configuring the user's PC

Creating an 802.1X connection in the iNode client

1.     Launch the iNode client.

The iNode client window opens, as shown in Figure 31.

Figure 31 iNode client window

 

2.     Click the More icon next to Connect, and then select Properties.

The Properties dialog box opens, as shown in Figure 32.

Figure 32 Properties dialog box

 

3.     Click the Advanced tab.

The advanced authentication configuration page opens, as shown in Figure 33.

Figure 33 Advanced authentication configuration

 

4.     Configure the following parameters, as shown in Figure 34:

a.     Select the Enable advanced authentication option.

b.     Select Certificate Authentication from the list.

c.     Select PEAP for Authentication Type.

d.     Select MS-CHAP-V2 for Sub-Type.

e.     Use the default values for other parameters.

Figure 34 Configuring 802.1X properties

 

5.     Click OK.

Verifying the configuration

Triggering 802.1X authentication from the user's PC

1.     Launch the iNode client, enter the username and password for 802.1X access, and then click Connect, as shown in Figure 35.

Figure 35 iNode client window

 

2.     In the 802.1X Connection area, view the messages to verify that the user passed authentication, as shown in Figure 36.

Figure 36 Viewing the authentication result

 

Viewing online users in EIA

1.     Click the User tab.

2.     From the navigation tree, select All Access Users > Online Users.

The online user list displays online users.

Verify that the user test01 is in the online user list.


Appendix

Installing the primary domain controller

1.     Click the Server Manager.

Figure 37 Server Manager

 

2.     Access the dashboard page.

Figure 38 Dashboard

 

3.     Click Add roles and features. In the wizard window that opens, click Next.

Figure 39 Add Roles and Features Wizard

 

4.     On the Installation Type tab, select the Role-based or feature-based installation option, and then click Next.

Figure 40 Installation type

 

5.     On the Server Selection tab, select the Select a server from the server pool option, and then click Next.

Figure 41 Server selection

 

6.     On the Server Roles tab, select Active Directory Domain Services.

Figure 42 Server roles

 

7.     In the window that opens, click Add Features, and then click Next.

8.     On the Features tab, click Next.

Figure 43 Features

 

9.     On the AD DS tab, click Next.

Figure 44 AD DS

 

10.     On the Confirmation tab, select the Restart the destination server automatically if required option.

Figure 45 Confirmation

 

11.     Click Install. On the Results tab, view the installation progress.

Figure 46 Feature installation

 

12.     The computer restarts automatically after the installation is complete. After the restart, reopen the Server Manager, select Add roles and features, go back to the Results tab, and then click Promote this server to a domain controller.

Figure 47 Installation completed

 

13.     On the Deployment Configuration tab, select Add a new forest and enter a root domain name. In this example, enter h3c.com as the root domain name.

Figure 48 Deployment configuration

 

14.     Click Next. On the Domain Controller Options tab, select the functional levels of the new forest and root domain, and enter the Directory Services Restore Mode (DSRM) password.

Figure 49 Domain controller options

 

15.     Click Next.

Figure 50 Additional options

 

16.     Click Next.

Figure 51 Paths

 

17.     Click Next.

Figure 52 Previewing options

 

18.     Click Next.

Figure 53 Prerequisites check

 

19.     After all prerequisites pass the check, click Install. After the installation is complete, you will be prompted to restart the computer.

20.     After the restart is complete, log in to the domain server.

21.     Open the Server Manager, and then select Tools > Active Directory Users and Computers.

Figure 54 Opening the Active Directory Users and Computers window

 

22.     In the Active Directory Users and Computers window, view managed users and groups.

Figure 55 Viewing directories

 

23.     Navigate to the Control Panel > System and Security > System window, and verify that the domain controller has been installed successfully.

Figure 56 Viewing domain settings

 

Configuring certificate services

1.     Open the Server Manager, and enter the dashboard page.

Figure 57 Dashboard

 

2.     Select Add roles and features, access the Server Roles tab, select Active Directory Certificate Services, and then click Next.

Figure 58 Server roles

 

3.     In the Add Roles and Features Wizard window, click Add Features.

4.     On the Role Services tab, select Certification Authority, and then click Next.

Figure 59 Role services

 

5.     On the Confirmation tab, select the Restart the destination server automatically if required option, and then click Install.

Figure 60 Confirmation

 

6.     On the Results tab, view the installation progress.

Figure 61 Installation completed

 

7.     The computer restarts automatically after the installation is complete. After the restart, reopen the Server Manager, go to the Credentials page, and then click Next.

Figure 62 Credentials

 

8.     On the Role Services tab, click Next.

Figure 63 Role services

 

9.     On the Setup Type tab, click Next.

Figure 64 Setup type

 

10.     On the CA Type tab, click Next.

Figure 65 CA type

 

11.     On the Private Key tab, select to create a new private key, and then click Next.

Figure 66 Private key

 

12.     On the Cryptography tab, select the cryptographic provider, key length, and hash algorithm, and then click Next. The original example selects SHA1. SHA-1 certificate signatures are deprecated, and most current operating systems and supplicants reject SHA-1-signed server certificates, so for any CA you set up now select SHA256 and a key length of at least 2048 bits; otherwise the server certificate issued to EIA will be rejected by clients during the PEAP handshake.

Figure 67 Cryptography

 

13.     On the CA Name tab, use the default value, and then click Next.

Figure 68 CA name

 

14.     On the Validity Period tab, specify a validity period, and then click Next.

Figure 69 Validity period

 

15.     On the Certificate Database tab, click Next.

Figure 70 Certificate database

 

16.     On the Confirmation tab, click Configure.

Figure 71 Confirmation

 

17.     View the configuration progress.

Figure 72 Progress

 

18.     After the installation is complete, a prompt will appear to indicate successful configuration.

Figure 73 Successful configuration

 

19.     After the installation, you can navigate to the Server Manager > Tools > Certification Authority > Issued Certificates window to view certificates.

Figure 74 Viewing certificates

 

 
