- Released At: 05-07-2024
H3C IMC EIA IPv6 Portal Authentication Configuration Examples
Software Version: EIA 7.3 (E0623)
Document version: 5W108-20230627
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Introduction
The following information provides an example of configuring generic IPv6 portal authentication, in which the EIA server authenticates user identities. The example does not include additional access control or security check settings. Users can access network resources after they pass portal authentication.
Feature usage guidelines
Application scenarios
The following information applies to enterprise networks or campus networks requiring portal authentication.
Prerequisites
The access devices support the portal protocol.
Example: Configuring IPv6 portal authentication
Network configuration
As shown in Figure 1, deploy EIA as a portal authentication server to authenticate users who try to access the network resources.
· Specify IPv4 address 172.19.202.241 and IPv6 address 2020::202:241 for the EIA server.
· The access device (Switch) uses GigabitEthernet 1/0/47 to connect to users and GigabitEthernet 1/0/1 to connect to the EIA server. Configure the IPv6 address of VLAN-interface 180 where GigabitEthernet 1/0/47 resides as 2021:180::1. Configure the IPv6 address of GigabitEthernet 1/0/1 as 2021:252::2.
· The user PC runs Windows and the iNode client, and obtains its IPv6 address through DHCP.
Software versions used
This configuration example was created and verified on the following software and hardware:
Role | Platform | Software version
Portal authentication server | EIA | EIA 7.3 (E0623)
Access device | H3C S5820V2-52Q switch | Comware software version 7.1.059, ESS 0322
Authentication client | iNode | iNode PC 7.3 (E0589)
Procedures
To configure IPv6 portal authentication, complete the following tasks:
· Enabling IPv6
· Configuring the EIA server
¡ Adding an access device
¡ Adding an access policy
¡ Adding an access service
· Adding an access user
· Configuring a portal service
¡ Configuring a portal server
¡ Configuring an IP address group
¡ Configuring a portal device
· Configuring the access device
Enabling IPv6
Configuring system settings
1. On the top navigation bar, click User.
2. From the left navigation pane, select User Access Policy > Service Parameters > System Settings.
3. Click the Configure icon for configuration item System Parameters. In the User Data Management Parameters area, select Yes in the Enable IPv6 field.
4. Click OK to save the configuration.
Configuring policy server parameter settings
1. On the top navigation bar, click User.
2. From the left navigation pane, select User Access Policy > Service Parameters > System Settings.
3. Click the Configure icon for configuration item Policy Server Parameters. Select the check box before Enable Policy Server for IPv6.
Figure 3 Policy server parameter settings
4. Click OK to save the configuration.
Configuring the EIA server
Adding an access device
You must add an access device to the EIA server before the EIA server can work with the access device for authentication.
To add an access device:
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Device Management > Access Device.
Figure 4 Access device configuration page
3. Click Add.
Figure 5 Adding an access device
4. Configure the access device:
Use one of the following methods to add the access device:
¡ In the device list, click Select and select a device from IMC.
¡ In the device list, click Add Manually and manually configure the access device.
Make sure the IPv6 address of the access device on EIA meets the following requirements:
¡ If a NAS IPv6 address is specified for the access device (by using the nas-ip ipv6 command in a RADIUS scheme), the IPv6 address of the access device on the EIA server must be the specified NAS IPv6 address.
¡ If no NAS IPv6 address is specified, the IPv6 address of the access device on the EIA server must be the IPv6 address of the Layer 3 Ethernet interface or VLAN interface that connects the access device to the EIA server.
If you select a device from IMC, you cannot change the IPv6 address of the device. If the device on IMC does not meet the above requirements, do not select it from IMC but manually add the device. In this example, the access device is manually added.
In this example, click Add Manually in the Device List area. In the dialog box that opens, enter the IPv6 address of the access device (2021:252::2 in this example, which is the address of GigabitEthernet 1/0/1 and also the NAS IPv6 address specified with nas-ip ipv6 in "Configuring the access device"), and then click OK.
Figure 6 Manually adding the access device
5. Configure the following parameters:
¡ Authentication Port: Specify a port number for EIA to listen for RADIUS authentication packets. The authentication port must be the same as that specified in the RADIUS scheme on the access device. By default, the authentication port is 1812 on the EIA server and the access device.
¡ Accounting Port: Specify a port for EIA to listen for RADIUS accounting packets. The accounting port must be the same as that specified in the RADIUS scheme on the access device. By default, the accounting port is 1813 on the EIA server and the access device.
IMPORTANT: You must use the EIA server to provide both authentication and accounting services. You cannot use the EIA server as the authentication server and another server as the accounting server.
¡ Service Type: Specifies the type of service supported by the access device.
¡ Forcible Logout Type: Specifies a method that forces users to log out. Options include Disconnect user and Shut down and bring up port. The former disconnects user connections through disconnect messages. The latter logs out users by shutting down the port connecting to them, and then brings up the port after the users are logged out.
¡ Access Device Type: Select the access device type from the list.
Categories of access device types | Options
Standard | STANDARD (standard). You can select this option for any access device that supports the standard RADIUS protocol.
Pre-defined, vendor-specific | H3C (General), 3COM (General), HUAWEI (General), CISCO (General), RG (General), HP (MSM), HP (Comware), MICROSOFT (General), JUNIPER (General), HP (ProCurve), ARUBA (General)
Administrator-defined, vendor-specific | Available options depend on the configuration.
¡ Service Group: Select a service group for the access device for hierarchical management.
¡ Shared Key/Confirm Shared Key: Specify a shared key and confirm it. The access device and the EIA server use the shared key to validate each other. The shared key must be the same as that configured in the RADIUS scheme on the access device. You only need to enter the shared key once if you selected Plaintext in the Displays Key in field on the User > User Access Policy > Service Parameters > System Settings > System Parameters page.
¡ Use the default settings for other parameters.
In this example, you only need to enter shared key movie and confirm the key, as shown in Figure 7. The shared key is the only secret that authenticates RADIUS messages between the access device and EIA, so in production use a long random key rather than a short dictionary word like movie.
Figure 7 Configuring access device parameters
6. Click OK. Click Back to Access Device List to go back to the access device configuration page. Verify that the access device has been added to the access device list.
Figure 8 Verifying that the access device has been added
Adding an access policy
This example adds an access policy that does not contain any user-defined access control settings.
To add an access policy:
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Policy.
Figure 9 Access policy management page
3. Click Add. In this example, because no access control is required, you only need to enter an access policy name and use the default settings for other parameters.
Figure 10 Adding an access policy
NOTE: To deploy an authorization attribute, you must make sure the device supports that authorization attribute. To configure authentication binding information, you must make sure the device can upload the corresponding authentication binding information to the EIA server in RADIUS attributes. In this example, you do not need to deploy authorization information. The default settings apply.
4. Click OK. Go back to the access policy management page. Verify that the access policy has been added to the access policy list.
Figure 11 Verifying that the access policy has been added
Adding an access service
An access service contains a collection of policies for user authentication and authorization. In this example, no access control is required. You only need to add a simple access service that does not contain access control settings.
To add an access service:
1. Click the User tab.
2. From the left navigation pane, select User Access Policy > Access Service.
Figure 12 Access service management page
3. Click Add.
Figure 13 Adding an access service
Access service parameters
¡ Service Name: Enter a service name. Make sure the name is unique on the EIA server.
¡ Service Suffix: Enter a service suffix, which identifies the name of the domain to be used for user authentication. The service suffix, authentication username, authentication domain, and the device's RADIUS scheme command are closely related to each other. For more information about the matrix of these elements, see Table 1.
¡ Service Group: Select a service group for permission access control. The service group contains accessible services. Only administrators and operators with permissions to access this service group can configure it and the services assigned to it.
¡ Default Access Policy: Specify an access policy as the default access policy. This example uses the added access policy.
¡ Default Security Policy: Specify the security policy applied to users in access scenarios that are not included in the service. The security policy is used to check and monitor user endpoints for security issues and to automatically defend the network. This field is displayed only when the EAD component is installed.
¡ Default Internet Access Policy: Specify the Internet access policy applied to users in access scenarios that are not included in the service.
¡ Default Max. Devices for Single Account: Maximum number of endpoints to be bound to the same user account in access scenarios that are not included in the service. This field is displayed only when the EIP component is installed.
¡ Default Max. Number of Online Endpoints: Maximum number of online endpoints using the same user account in access scenarios that are not included in the service.
¡ Daily Max. Online Duration: Total duration in a day that an account can access the network by using the service. When the limit is reached, the account is forced offline and is unable to access the network in the day. This parameter is an integer in the range of 0 to 1440 minutes. A value of 0 means not limited.
¡ Use the default settings for other parameters.
Table 1 Relationship between the authentication username, authentication domain, RADIUS scheme command, and service suffix
Authentication username | Authentication domain | Device's RADIUS scheme command | Service suffix on EIA
X@Y | Y | user-name-format with-domain | Y
X@Y | Y | user-name-format without-domain | No suffix
X | [Default Domain] Default domain on the device | user-name-format with-domain | [Default Domain]
X | [Default Domain] Default domain on the device | user-name-format without-domain | No suffix
4. Click OK. Go back to the service management page. Verify that the access service has been added to the access service list.
Figure 14 Verifying that the access service has been added
Adding an access user
1. Click the User tab.
2. From the left navigation pane, select Access User > All Access Users.
Figure 15 Access user configuration page
3. Click Add. On the page that opens, configure the access information and access service:
¡ User Name: Enter a user name for the access user.
Use either of the following methods to configure the access information for the user:
- Click the icon. On the window that opens, select a target user, and then click OK. To view all users after a query result page appears, click Query.
- Configure the user name, identity number, and other parameters. Then click OK.
¡ Account Name: Enter an account name to uniquely identify the access user.
¡ Password/Confirm Password: Enter a password and confirm it.
¡ Access Service: Select an added access service.
¡ Use the default settings for other parameters.
Figure 16 Adding an access user
4. Click OK. Verify that the access user has been added to the access user list.
Figure 17 Verifying that the access user has been added
Configuring a portal service
Configuring a portal server
1. Click the User tab. From the left navigation pane, select User Access Policy > Portal Service > Server.
Figure 18 Portal server configuration page
2. Click Add next to Service Type List. On the window that opens, enter the service type ID and service type.
Figure 19 Adding a service type
Service type parameters
¡ Service Type ID: Specify the service type ID. Make sure the service type ID is the same as the service suffix of the added access service.
¡ Service Type: Specify the service type. This parameter is a description and identification for the service type ID.
3. Click OK. Go back to the server configuration page. Verify that the service type has been added to the service type list.
Figure 20 Verifying that the service type has been added
4. Click OK.
Configuring an IP address group
1. Click the User tab.
2. From the left navigation pane, select User Access Policy > Portal Service > IP Group.
Figure 21 IP group configuration page
3. Click Add.
4. Enter the IP group name, select Yes in the IPv6 field, and configure the start IP and end IP. In this example, the IP group name is portal_jinice, the start IP is 2021:180::2, and the end IP is 2021:180:ffff::255. EIA performs portal authentication on all endpoints whose addresses fall in this IPv6 range, so the range must cover the addresses that DHCP assigns to users on VLAN 180.
5. Click OK. Go back to the IP group configuration page. Verify that the IP group has been added to the IP group list.
Figure 23 Verifying that the IP group has been added
Configuring a portal device
1. Click the User tab.
2. From the left navigation pane, select User Access Policy > Portal Service > Device.
Figure 24 Portal device configuration page
3. Click Add.
Figure 25 Adding a portal device
Portal device parameters
¡ Device Name: Name of the device. This example uses Jinice-Switch.
¡ Version: Specify the version used. In the current software version, only Portal 3.0 supports IPv6.
¡ IP Address: IP address of the device. This example uses 2021:180::1.
¡ Key/Confirm Key: Enter a key and confirm it. The key must be the same as that configured on the access device for the portal server. This example uses iMC123.
¡ Access Method: Select the authentication mode used by the device. This example uses Directly Connected.
¡ Use the default settings for other parameters.
4. Click OK. Go back to the device configuration page. Verify that the portal device has been added to the portal device list.
Figure 26 Verifying that the portal device has been added
5. Click the Port Group icon in the Operation column for the portal device.
Figure 27 Port group configuration page
6. Click Add.
Port group parameters
¡ Port Group Name: Specify the port group name. In this example, port_portal is used.
¡ IP Group: Specify the IP group. In this example, portal_jinice is used.
¡ Use the default settings for other parameters.
7. Click OK. Go back to the port group configuration page. Verify that the port group has been added to the port group list.
Figure 29 Verifying that the port group has been added
Configuring the access device
Configure the access device to perform portal authentication on users to make sure only users who have passed the authentication can access the network resources.
In this example, Telnet to the access device from the CLI of a Windows system and configure the access device. Telnet sends the login credentials and the keys entered below in cleartext; use SSH instead where the switch supports it.
1. Enter system view.
<Device>system-view
System View: return to User View with Ctrl+Z.
2. Specify the RADIUS scheme:
# Create RADIUS scheme allpermit.
[Device]radius scheme allpermit
New Radius scheme
# Specify the EIA server as both the authentication server and accounting server. Configure the authentication port, accounting port, and shared keys. Make sure the settings are the same as those configured in "Adding an access device."
[Device-radius-allpermit]primary authentication ipv6 2020::202:241 1812
[Device-radius-allpermit]primary accounting ipv6 2020::202:241 1813
[Device-radius-allpermit]key authentication simple movie
[Device-radius-allpermit]key accounting simple movie
[Device-radius-allpermit]user-name-format with-domain
[Device-radius-allpermit]nas-ip ipv6 2021:252::2
[Device-radius-allpermit]quit
3. Configure ISP domain ipv6 and apply RADIUS scheme allpermit to the ISP domain. The name of the ISP domain must be the same as the service suffix configured in "Adding an access service."
[Device]domain ipv6
New Domain added.
[Device-isp-ipv6]authentication default radius-scheme allpermit
[Device-isp-ipv6]authorization default radius-scheme allpermit
[Device-isp-ipv6]accounting default radius-scheme allpermit
[Device-isp-ipv6]quit
4. Configure the portal authentication server:
# Create portal authentication server portal.
[Device]portal server portal
New portal server added.
# Specify the IP address of the EIA server as the IP address of the portal authentication server, and set the shared key for communication with the portal authentication server. The key must be the same as that configured in "Configuring a portal device."
[Device-portal-server-portal]ipv6 2020::202:241 key simple iMC123
[Device-portal-server-portal]quit
5. Create portal Web server portal, and specify a URL for the portal Web server. The URL must be the same as the URL specified in the Portal Page field on EIA in "Configuring a portal server." You can view the portal server configuration on EIA in Figure 18.
[Device]portal web-server portal
New portal web-server added.
[Device-portal-websvr-portal]url http://[2020::202:241]:8080/portal/
[Device-portal-websvr-portal]quit
6. Create VLAN 180 and assign GigabitEthernet 1/0/47 to it as an access port.
[Device]vlan 180
[Device-vlan180]quit
[Device]interface GigabitEthernet 1/0/47
[Device-GigabitEthernet1/0/47]port link-mode bridge
[Device-GigabitEthernet1/0/47]port access vlan 180
[Device-GigabitEthernet1/0/47]quit
7. Configure portal authentication:
# Enable direct portal authentication on VLAN-interface 180.
[Device]interface Vlan-interface 180
[Device-Vlan-interface180]ipv6 dhcp select relay
[Device-Vlan-interface180]ipv6 dhcp relay server-address 2021:207::50
[Device-Vlan-interface180]ipv6 address 2021:180::1/64
[Device-Vlan-interface180]portal ipv6 enable method direct
# Specify portal Web server portal on VLAN-interface 180. Configure the BAS-IP for portal packets sent to the portal authentication server. Make sure the BAS-IP is the same as the IP address configured on EIA in "Configuring a portal device."
[Device-Vlan-interface180]portal bas-ipv6 2021:180::1
[Device-Vlan-interface180]portal ipv6 apply web-server portal
[Device-Vlan-interface180]quit
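The steps above and Table 1 in "Adding an access service" list values that must agree on the access device and on EIA: the RADIUS shared key and ports, the NAS IPv6 address and the EIA access device address, the ISP domain name and the service suffix, the portal server key and the BAS-IPv6 against the portal device settings, and the Web server URL against the Portal Page URL. The following Python script is an added example, not part of this document or of the H3C products: it parses a Comware configuration excerpt constructed from the commands in this example and reports every pair that disagrees. The portal URL, the device default domain system, the GigabitEthernet 1/0/1 address used when nas-ip is absent, and the assumption that the iNode client sends the account name as X@Y with the service type ID as Y are assumptions, not values printed in this document.

```python
import re
# Constructed excerpt of the access device configuration from this example.
DEVICE_CONFIG = """\
radius scheme allpermit
 primary authentication ipv6 2020::202:241 1812
 primary accounting ipv6 2020::202:241 1813
 key authentication simple movie
 key accounting simple movie
 user-name-format with-domain
 nas-ip ipv6 2021:252::2
domain ipv6
 authentication default radius-scheme allpermit
portal server portal
 ipv6 2020::202:241 key simple iMC123
portal web-server portal
 url http://[2020::202:241]:8080/portal/
interface Vlan-interface180
 portal ipv6 enable method direct
 portal bas-ipv6 2021:180::1
 portal ipv6 apply web-server portal
"""
# EIA-side values of this example; uplink_ipv6, device_default_domain and portal_url are assumptions.
EIA_SETTINGS = {
    "eia_server_ipv6": "2020::202:241", "access_device_ipv6": "2021:252::2",
    "auth_port": 1812, "acct_port": 1813, "radius_shared_key": "movie",
    "service_suffix": "ipv6", "portal_device_ip": "2021:180::1", "portal_key": "iMC123",
    "portal_url": "http://[2020::202:241]:8080/portal/",
    "uplink_ipv6": "2021:252::2", "device_default_domain": "system",
}

def parse_blocks(text):
    """Map each view header (unindented line) to its indented sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            blocks[current] = []
    return blocks

def view(blocks, prefix):
    """Header and sub-commands of the first view whose header starts with prefix."""
    return next(((h, b) for h, b in blocks.items() if h.startswith(prefix)), (None, []))

def grab(lines, pattern):
    """First regex match of pattern at the start of a sub-command, else None."""
    return next((m for m in map(re.compile(pattern).match, lines) if m), None)

def resolve_domain(username, default_domain, with_domain):
    """Table 1: ISP domain the device selects, the username it forwards, the suffix EIA needs."""
    base, isp = username.rsplit("@", 1) if "@" in username else (username, default_domain)
    forwarded = f"{base}@{isp}" if with_domain else base
    return isp, forwarded, (isp if with_domain else "")   # "" is "No suffix" on EIA

def check_consistency(config_text, eia, sample_user):
    """Return the switch/EIA mismatches as a list of messages; empty means they agree."""
    blocks, problems = parse_blocks(config_text), []
    def expect(ok, msg):
        if not ok:
            problems.append(msg)
    scheme, radius = view(blocks, "radius scheme ")
    auth, acct = (grab(radius, rf"primary {k} ipv6 (\S+) (\d+)") for k in ("authentication", "accounting"))
    expect(auth and acct, "RADIUS scheme lacks an IPv6 primary authentication or accounting server")
    if auth and acct:   # EIA must be both servers, and the ports must match its listeners
        expect(auth[1] == acct[1] == eia["eia_server_ipv6"], "RADIUS server address differs from EIA")
        expect((int(auth[2]), int(acct[2])) == (eia["auth_port"], eia["acct_port"]),
               "RADIUS ports differ from the EIA authentication/accounting ports")
    for kind in ("authentication", "accounting"):
        key = grab(radius, rf"key {kind} simple (\S+)")
        expect(key and key[1] == eia["radius_shared_key"], f"RADIUS {kind} key differs from the EIA shared key")
    nas = grab(radius, r"nas-ip ipv6 (\S+)")
    effective_nas = nas[1] if nas else eia["uplink_ipv6"]   # no nas-ip: address of the interface facing EIA
    expect(effective_nas == eia["access_device_ipv6"],
           f"EIA access device IPv6 {eia['access_device_ipv6']} differs from NAS address {effective_nas}")
    # Table 1: the ISP domain selected for the user must exist, use the scheme, and yield the EIA suffix.
    with_domain = grab(radius, r"user-name-format with-domain") is not None
    isp, _, suffix = resolve_domain(sample_user, eia["device_default_domain"], with_domain)
    domain, scheme_name = blocks.get(f"domain {isp}"), (scheme.split()[-1] if scheme else "")
    expect(domain is not None, f"no ISP domain '{isp}' on the device for user {sample_user}")
    expect(domain is None or grab(domain, rf"authentication default radius-scheme {re.escape(scheme_name)}$"),
           f"ISP domain '{isp}' does not authenticate with RADIUS scheme '{scheme_name}'")
    expect(suffix == eia["service_suffix"],
           f"EIA service suffix '{eia['service_suffix']}' differs from suffix '{suffix}' the device sends")
    _, portal = view(blocks, "portal server ")
    srv = grab(portal, r"ipv6 (\S+) key simple (\S+)")
    expect(srv and (srv[1], srv[2]) == (eia["eia_server_ipv6"], eia["portal_key"]),
           "portal server address or key differs from the EIA portal device settings")
    web_hdr, web = view(blocks, "portal web-server ")
    url = grab(web, r"url (\S+)")
    expect(url and url[1] == eia["portal_url"], "portal web-server URL differs from the Portal Page URL on EIA")
    for header, lines in blocks.items():
        if header.startswith("interface ") and grab(lines, r"portal ipv6 enable"):
            bas = grab(lines, r"portal bas-ipv6 (\S+)")
            expect(bas and bas[1] == eia["portal_device_ip"], f"{header}: BAS-IPv6 differs from the portal device IP")
            applied = grab(lines, r"portal ipv6 apply web-server (\S+)")
            expect(applied and web_hdr and applied[1] == web_hdr.split()[-1], f"{header}: portal web-server not applied")
    return problems
```

With the constructed excerpt, check_consistency(DEVICE_CONFIG, EIA_SETTINGS, "jiniceipv6@ipv6") returns an empty list. Change the scheme to user-name-format without-domain and it reports that the device would forward the bare account name, so EIA would need a service with no suffix, which is the mismatch Table 1 describes; remove the nas-ip line and the check falls back to the uplink address, as "Adding an access device" requires.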
Verifying the configuration
Verify that the user can pass portal authentication by entering the configured username and password on the iNode PC client.
Installing the iNode client
Install an iNode client with portal access function.
NOTE: The EIA server is compatible with all versions of iNode clients. You can install an iNode client as needed.
Configuring IPv6 portal authentication
1. Open the iNode PC client, select Portal connection, click More, and then select Properties.
Figure 30 Portal authentication settings
2. Click the Network tab. Select the IPv6 protocol version, and then click OK.
Figure 31 Network configuration window
(Optional) Customizing GUI
To view user IPv6 address information on the Online Users page, configure the Customize GUI feature on the page:
1. Click the User tab. From the left navigation pane, select Access User > Online Users.
Figure 32 Online user configuration page
2. Click Customize GUI.
Figure 33 List of displayed items
3. Select User IPv6 Address from the Option List, and then click the icon to add the item to the Output List.
4. Click OK. Verify that you can view the User IPv6 Address column in the online user list.
Figure 35 Successful customization
Performing portal authentication
1. Open the iNode PC client, and select Portal connection. Click the Refresh icon in the Server field to obtain the portal server information. The obtained portal server information is automatically populated in the Server field.
Figure 36 Obtaining portal server information
2. Enter the configured username and password, select service type office-IPv6, and then click Connect to perform portal authentication.
Figure 37 Portal authentication connection page
3. View the portal authentication result to verify that the user can pass portal authentication successfully.
Figure 38 Authentication result page
4. On EIA, click the User tab and select Access User > Online Users from the navigation pane. Verify that user jiniceipv6 has successfully come online.