- Released At: 05-07-2024
H3C IMC UAM
Prohibiting Access Users from Using IE Proxy or Proxy Server Software Configuration Examples
Software version: IMC UAM 7.2 (E0403)
Copyright © 2016 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
Contents
Example: Prohibiting access users from using IE proxy or proxy server software
Configuring the switch as an access device
Configuring an access policy for proxy control
Configuring proxy server detection settings
Introduction
With proxy control enabled in an access policy, UAM works with the iNode client to perform the following tasks:
· Reject the authentication requests from endpoints on which IE proxy is enabled or proxy services are provided.
· Log off online users when they enable IE proxy or provide proxy services on the endpoints.
The examples apply to networks that prohibit the use of IE proxy and proxy server software.
Example: Prohibiting access users from using IE proxy or proxy server software
Network configuration
As shown in Figure 1, UAM resides on a server at 192.168.40.139. A switch at 192.168.30.111 acts as the NAS.
Endpoint users access the network by using an 802.1X connection in the iNode client. They access the network by using an account named test001.
The switch manages 802.1X users in an ISP domain named 238 and includes the domain name in the user names that are sent for authentication.
Configure UAM to prohibit users from accessing the Internet when they use CCProxy.
Software versions used
This configuration example was created and verified on the following platforms:
· IMC UAM 7.2 (E0403)
· H3C S5500-28C-SI Comware Software, Version 5.20, Release 2215
· iNode PC 7.2 (E0403)
Restrictions and guidelines
When you configure an access device or an access service in UAM, follow these restrictions and guidelines:
· If you have configured the nas-ip command for the RADIUS scheme on the device, configure the NAS IP address as the access device address in UAM.
· If you do not configure the nas-ip command for the RADIUS scheme, enter the IP address of the device's interface that connects to UAM for the access device.
· When the switch is selected from the IMC resource pool, its IP address is populated automatically for the access device. If that address is not the one UAM expects (see the previous two guidelines), add the switch manually and enter the correct address.
· Use the same port and shared key settings for authentication and accounting communication as those configured on the switch.
· Configure a service suffix for the 802.1X user depending on the authentication domain and username format settings on the switch, as shown in Table 1.
Table 1 Determining the service suffix

Username in iNode | Authentication domain on the switch | Username format command on the switch | Service suffix in UAM
test001@238       | 238                                 | user-name-format with-domain          | 238
test001@238       | 238                                 | user-name-format without-domain       | No suffix
Configuring UAM
Configuring the switch as an access device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
3. On the access device list, click Add.
The Add Access Device page opens, as shown in Figure 2.
Figure 2 Adding an access device
4. On the Device List, click Select to select the switch from the IMC platform, or click Add Manually to add the switch to UAM.
This example uses the Add Manually option.
To manually add the switch to UAM:
a. Click Add Manually in the Device List area.
b. On the Add Access Device Manually page, enter 192.168.30.111 in the Device IP field, as shown in Figure 3.
Figure 3 Manually adding an access device
c. Click OK to return to the Add Access Device page.
5. Configure access information for the access device, as shown in Figure 4:
a. Enter the authentication port number in the Authentication Port field, and enter the accounting port number in the Accounting Port field. Make sure the values are the same as the port numbers configured on the access device.
This example uses the default authentication port 1812 and default accounting port 1813.
IMPORTANT: Use UAM for authentication and accounting at the same time. If you use UAM for authentication, you must use it for accounting.
b. Select LAN Access Service from the Service Type list.
c. Select HP (ProCurve) from the Access Device Type list.
d. Enter expert in the Shared Key and Confirm Shared Key fields.
Make sure the shared key is the same as the shared key configured on the access device.
If Display Access Passwords is set to Plain Text (display password) in system settings, the Confirm Shared Key field does not appear.
Figure 4 Configuring the access device
6. Click OK.
7. On the Result of Adding Access Devices page, click Back to return to the Access Device page.
The new access device is in the access device list, as shown in Figure 5.
Figure 5 Viewing the new access device
Configuring an access policy for proxy control
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Policy.
3. On the access policy list, click Add.
The Add Access Policy page opens.
4. Configure the access policy, as shown in Figure 6:
a. In the Basic Information area, enter antiAgent in the Access Policy Name field.
b. In the User Client Configuration area, select the iNode Client Only, Disable Proxy Server, and Disable Proxy Setting in IE options.
c. Use the default values for other parameters.
Figure 6 Adding an access policy
5. Click OK.
The new access policy is added to the access policy list, as shown in Figure 7.
Figure 7 Viewing the new access policy
Configuring an access service
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Service.
3. On the access service list, click Add.
The Add Access Service page opens.
4. Configure basic information for the access service, as shown in Figure 8:
a. Enter testAgent in the Service Name field.
b. Enter 238 in the Service Suffix field. For more information about determining the service suffix, see Table 1.
c. Select antiAgent from the Default Access Policy list.
d. Use the default values for other parameters.
Figure 8 Adding an access service
5. Click OK.
The new access service is added to the access service list, as shown in Figure 9.
Figure 9 Viewing the new access service
Configuring an access user
1. Click the User tab.
2. From the navigation tree, select Access User > All Access Users.
3. On the access user list, click Add.
The Add Access User page opens.
4. Configure the access user parameters, as shown in Figure 10:
a. Click Select to select an existing platform user, or click Add User to manually add a user in the User Name field. This example uses the user name test001.
b. Enter test001 in the Account Name field, which must be unique in UAM.
c. Enter the same password in the Password and Confirm Password fields. This example uses the password 1.
d. Select the service named testAgent from the Access Service list.
e. Use the default values for other parameters.
Figure 10 Adding an access user
5. Click OK.
The new access user is added to the access user list, as shown in Figure 11.
Figure 11 Viewing the new access user
Configuring proxy server detection settings
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Service Parameters > System Settings.
The System Settings page opens, as shown in Figure 12.
Figure 12 Accessing the System Settings page
3. Click the Configure icon to the right of Proxy Server Detection Settings in the System Settings list.
The Proxy Server Detection Settings page opens, as shown in Figure 13.
Figure 13 Configuring the proxy server detection settings
4. Configure the proxy server detection parameters:
a. Leave the External Network Segments Excluded From Detection area empty.
b. In the Internal Network Segments Under Detection area, click Add.
c. Enter 192.168.30.22 in the IP Address field, and select 24 from the Mask Length list, as shown in Figure 14.
d. Use the default values for other parameters.
Figure 14 Adding an internal network segment
5. Click OK.
The new internal network segment is added, as shown in Figure 15.
Figure 15 Viewing the new internal network segment
6. Click OK.
Configuring the switch
1. Configure a RADIUS scheme:
# Create a RADIUS scheme named uam.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]radius scheme uam
# Configure UAM as the primary RADIUS authentication and accounting server. Set the RADIUS authentication port and accounting port to 1812 and 1813, respectively.
[H3C-radius-uam]primary authentication 192.168.40.139 1812
[H3C-radius-uam]primary accounting 192.168.40.139 1813
# Configure the shared key to expert to secure RADIUS authentication and accounting communication.
[H3C-radius-uam]key authentication expert
[H3C-radius-uam]key accounting expert
# Specify the RADIUS server type as extended to support UAM.
[H3C-radius-uam]server-type extended
# Configure the switch to include domain information in the user names that are sent to the RADIUS server.
[H3C-radius-uam]user-name-format with-domain
[H3C-radius-uam]quit
2. Create an ISP domain:
# Create an ISP domain named 238.
[H3C]domain 238
# Configure the switch to use the RADIUS scheme uam for 802.1X users.
[H3C-isp-238]authentication lan-access radius-scheme uam
[H3C-isp-238]authorization lan-access radius-scheme uam
[H3C-isp-238]accounting lan-access radius-scheme uam
[H3C-isp-238]quit
3. Configure 802.1X authentication:
# Enable 802.1X globally and on Ethernet 1/0/1. The 802.1X function takes effect on the interface only when 802.1X is enabled globally and on the interface.
[H3C]dot1x
[H3C]dot1x interface Ethernet 1/0/1
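The restrictions and guidelines, Table 1, and the switch configuration above all describe values that must agree between the switch and UAM (server address and ports, shared key, access device IP, service suffix). The following Python is an added example, not code from the H3C document or from IMC UAM: it parses the Comware commands from this example (constructed here as they would appear in a saved configuration) and compares them with the UAM access device and access service settings, reporting any mismatch. The parser understands only the commands used on this page, and check_uam_settings() and its parameters are hypothetical names chosen for the example.

```python
"""Check that UAM access device/service settings agree with the switch config.

Added example; not code from the H3C document or from IMC UAM. The parser
handles only the Comware commands used in this example (radius scheme,
primary authentication/accounting, key authentication/accounting, nas-ip,
user-name-format, domain and its *-scheme lines).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the commands from "Configuring the switch" as they
# would appear in the saved configuration (CLI prompts and comments removed).
SWITCH_CONFIG = """\
radius scheme uam
 primary authentication 192.168.40.139 1812
 primary accounting 192.168.40.139 1813
 key authentication expert
 key accounting expert
 server-type extended
 user-name-format with-domain
domain 238
 authentication lan-access radius-scheme uam
 authorization lan-access radius-scheme uam
 accounting lan-access radius-scheme uam
"""


@dataclass
class RadiusScheme:
    name: str
    auth_server: Optional[str] = None
    auth_port: int = 1812          # Comware default when the port is omitted
    acct_server: Optional[str] = None
    acct_port: int = 1813
    auth_key: Optional[str] = None
    acct_key: Optional[str] = None
    nas_ip: Optional[str] = None   # only set when 'nas-ip' is configured
    with_domain: bool = True       # 'user-name-format with-domain' is the default


def parse_switch_config(text: str) -> Tuple[Dict[str, RadiusScheme], Dict[str, str]]:
    """Return (schemes by name, ISP domain -> name of the RADIUS scheme it uses)."""
    schemes: Dict[str, RadiusScheme] = {}
    domains: Dict[str, str] = {}
    scheme: Optional[RadiusScheme] = None
    domain: Optional[str] = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or raw.lstrip().startswith("#"):
            continue
        if parts[:2] == ["radius", "scheme"]:
            scheme, domain = schemes.setdefault(parts[2], RadiusScheme(parts[2])), None
        elif parts[0] == "domain":
            scheme, domain = None, parts[1]
        elif scheme is not None:
            if parts[:2] == ["primary", "authentication"]:
                scheme.auth_server = parts[2]
                scheme.auth_port = int(parts[3]) if len(parts) > 3 else 1812
            elif parts[:2] == ["primary", "accounting"]:
                scheme.acct_server = parts[2]
                scheme.acct_port = int(parts[3]) if len(parts) > 3 else 1813
            elif parts[:2] == ["key", "authentication"]:
                scheme.auth_key = parts[2]
            elif parts[:2] == ["key", "accounting"]:
                scheme.acct_key = parts[2]
            elif parts[0] == "nas-ip":
                scheme.nas_ip = parts[1]
            elif parts[0] == "user-name-format":
                scheme.with_domain = parts[1] == "with-domain"
        elif domain is not None and "radius-scheme" in parts:
            # authentication|authorization|accounting lan-access radius-scheme <name>
            domains[domain] = parts[parts.index("radius-scheme") + 1]
    return schemes, domains


def expected_service_suffix(scheme: RadiusScheme, isp_domain: str) -> str:
    """Table 1: the suffix is the ISP domain with 'with-domain', otherwise no suffix."""
    return isp_domain if scheme.with_domain else ""


def expected_access_device_ip(scheme: RadiusScheme, uam_facing_interface_ip: str) -> str:
    """Guideline: the nas-ip if configured, else the interface address that reaches UAM."""
    return scheme.nas_ip or uam_facing_interface_ip


def check_uam_settings(config_text: str, uam_server_ip: str, uam_facing_interface_ip: str,
                       access_device: dict, access_service: dict) -> List[str]:
    """Return a list of mismatches; an empty list means UAM and the switch agree."""
    schemes, domains = parse_switch_config(config_text)
    problems: List[str] = []
    isp_domain = access_service["domain"]
    name = domains.get(isp_domain)
    if name is None or name not in schemes:
        return [f"ISP domain {isp_domain} does not reference a known RADIUS scheme"]
    s = schemes[name]
    for role, server, port, uam_port in (
        ("authentication", s.auth_server, s.auth_port, access_device["auth_port"]),
        ("accounting", s.acct_server, s.acct_port, access_device["acct_port"]),
    ):
        if server != uam_server_ip:
            problems.append(f"{role} server is {server}, expected UAM at {uam_server_ip}")
        if port != uam_port:
            problems.append(f"{role} port is {port} on the switch but {uam_port} in UAM")
    # UAM keeps one shared key for both roles, so both switch keys must equal it.
    for role, key in (("authentication", s.auth_key), ("accounting", s.acct_key)):
        if key != access_device["shared_key"]:
            problems.append(f"{role} key on the switch does not match the UAM shared key")
    want_ip = expected_access_device_ip(s, uam_facing_interface_ip)
    if access_device["ip"] != want_ip:
        problems.append(f"access device IP is {access_device['ip']}, expected {want_ip}")
    want_suffix = expected_service_suffix(s, isp_domain)
    if access_service["suffix"] != want_suffix:
        problems.append(f"service suffix is {access_service['suffix']!r}, expected {want_suffix!r}")
    return problems


# Values entered on the UAM access device and access service pages in this example.
UAM_ACCESS_DEVICE = {"ip": "192.168.30.111", "auth_port": 1812, "acct_port": 1813, "shared_key": "expert"}
UAM_ACCESS_SERVICE = {"domain": "238", "suffix": "238"}

if __name__ == "__main__":
    issues = check_uam_settings(SWITCH_CONFIG, "192.168.40.139", "192.168.30.111",
                                UAM_ACCESS_DEVICE, UAM_ACCESS_SERVICE)
    print("consistent" if not issues else "\n".join(issues))
```

With the values on this page the check reports no mismatch; changing the switch to `user-name-format without-domain` flags the 238 suffix, and adding a `nas-ip` to the scheme flags the access device address, which are the two guideline cases most often missed.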
Verifying the configuration
1. On an endpoint, enable IE proxy. (Details not shown.)
2. In the 802.1X connection area of the iNode client, enter the username and password, and click Connect, as shown in Figure 16.
Figure 16 Triggering 802.1X authentication
3. Verify that the user has passed the 802.1X authentication, as shown in Figure 17.
Figure 17 Viewing the authentication result
The iNode client detects the IE proxy setting and logs out the user, as shown in Figure 18.
Figure 18 Checking the IE proxy setting
4. On the endpoint, disable IE proxy. (Details not shown.)
5. Run CCProxy without providing the proxy service.
6. Trigger 802.1X authentication again.
UAM allows the endpoint to connect to the network because it does not provide the proxy service.
7. Use CCProxy to provide the proxy service for other users.
UAM detects the proxy service and immediately logs out the user, as shown in Figure 19.
Figure 19 Checking the proxy server
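The verification steps above exercise three distinct outcomes: an endpoint with IE proxy enabled is not allowed to stay online, an endpoint that merely runs CCProxy is allowed, and an endpoint that actually provides proxy service is logged off. The following Python is an added example, not code from the H3C document, UAM or iNode: it models those decisions for the antiAgent policy and replays the verification steps as constructed input. The AccessPolicy, DetectionSettings and EndpointState types and the evaluate() function are hypothetical names, and the scoping rule in in_detection_scope() (only proxied clients inside an internal segment under detection and outside an excluded external segment count) is an assumption about the meaning of those two settings.

```python
"""Model of the proxy-control decisions configured in this example.

Added example; not code from the H3C document, UAM or iNode. The segment
scoping rule in in_detection_scope() is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class AccessPolicy:
    name: str
    inode_client_only: bool = False
    disable_proxy_server: bool = False
    disable_ie_proxy: bool = False


@dataclass
class DetectionSettings:
    internal_under_detection: List[str] = field(default_factory=list)  # "ip/masklen"
    external_excluded: List[str] = field(default_factory=list)


@dataclass
class EndpointState:
    client: str                 # "iNode" or another supplicant
    ie_proxy_enabled: bool
    proxy_software_running: bool
    proxied_clients: List[str]  # hosts whose traffic this endpoint is currently proxying


def _networks(cidrs: Iterable[str]):
    # strict=False accepts host addresses such as 192.168.30.22/24 as entered in UAM
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_detection_scope(ip: str, settings: DetectionSettings) -> bool:
    """Assumed rule: a proxied client counts only if it lies in an internal
    segment under detection and not in an excluded external segment."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in _networks(settings.external_excluded)):
        return False
    return any(addr in n for n in _networks(settings.internal_under_detection))


def provides_proxy_service(state: EndpointState, settings: DetectionSettings) -> bool:
    """Running CCProxy alone is not a violation; serving in-scope clients is."""
    return state.proxy_software_running and any(
        in_detection_scope(c, settings) for c in state.proxied_clients)


def evaluate(policy: AccessPolicy, settings: DetectionSettings,
             state: EndpointState, online: bool) -> Tuple[str, str]:
    """Return ('allow' | 'reject' | 'logoff', reason): 'reject' for a new
    authentication request, 'logoff' for a user who is already online."""
    reasons = []
    if policy.inode_client_only and state.client != "iNode":
        reasons.append("client is not iNode")
    if policy.disable_ie_proxy and state.ie_proxy_enabled:
        reasons.append("IE proxy enabled")
    if policy.disable_proxy_server and provides_proxy_service(state, settings):
        reasons.append("proxy service provided")
    if not reasons:
        return "allow", ""
    return ("logoff" if online else "reject"), "; ".join(reasons)


# Constructed scenario from this example: policy antiAgent, segment 192.168.30.22/24.
ANTI_AGENT = AccessPolicy("antiAgent", inode_client_only=True,
                          disable_proxy_server=True, disable_ie_proxy=True)
SETTINGS = DetectionSettings(internal_under_detection=["192.168.30.22/24"])


def run_verification_steps() -> List[Tuple[str, str]]:
    """Replay the verification steps; each entry is (decision, reason)."""
    ie_on = EndpointState("iNode", ie_proxy_enabled=True, proxy_software_running=False, proxied_clients=[])
    ccproxy_idle = EndpointState("iNode", False, True, [])
    ccproxy_serving = EndpointState("iNode", False, True, ["192.168.30.50"])  # constructed peer
    return [
        evaluate(ANTI_AGENT, SETTINGS, ie_on, online=True),           # steps 1-3: logged off
        evaluate(ANTI_AGENT, SETTINGS, ccproxy_idle, online=False),   # steps 5-6: allowed
        evaluate(ANTI_AGENT, SETTINGS, ccproxy_serving, online=True), # step 7: logged off
    ]


if __name__ == "__main__":
    for decision, reason in run_verification_steps():
        print(decision, reason or "-")
```

The model separates "proxy software running" from "proxy service provided", which is the distinction steps 5 through 7 rely on; when reviewing detection logs, a logoff with no proxied in-scope client is the case worth investigating.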
Related documentation
· User Access Manager Help
· HPE IMC User Access Manager Administrator Guide