28-H3C IMC EIA SSL VPN Authentication (IPv6) Configuration Examples

H3C IMC EIA SSL VPN Authentication (IPv6)

Configuration Examples
Software version: EIA 7.3 (E0623)

Document version: 5W108-20230627

 

Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example of configuring the EIA server as the SSL VPN authentication server for users who access the network from an iNode PC client. Users can access network resources after they pass SSL VPN authentication with a username and password.

Feature usage guidelines

Application scenarios

The following information applies to scenarios where users access an SSL VPN gateway through an iNode PC client by using a username and password.

Prerequisites

Make sure the iNode PC client, the SSL VPN gateway, and the EIA server can reach each other over the network.

Example: Configuring SSL VPN authentication

Network configuration

As shown in Figure 1, deploy the EIA server as the SSL VPN authentication server to authenticate users who try to access network resources through the SSL VPN gateway from the iNode PC client.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on EIA 7.3 (E0623), iNode PC 7.3 (E0577), and an SSL VPN gateway running H3C Comware software version 7.1.064, ESS 9308.

Analysis

Perform the following operations on the EIA server:

·     Enable IPv6.

·     Add an IPv4 access device.

·     Add an access policy.

·     Add an access service.

·     Add an access user.

Procedures

Configuring the EIA server

Enabling IPv6 for EIA system parameter configuration

Configuring system parameters

1.     On the top navigation bar, click User.

2.     From the left navigation pane, select User Access Policy > Service Parameters > System Settings.

3.     Click the icon in the Configure column for System Parameters.

4.     In the User Data Management Parameters area, select Yes for the Enable IPv6 field, as shown in Figure 2.

Figure 2 Enabling IPv6

 

5.     Click OK.

Configuring policy server parameters

1.     On the top navigation bar, click User.

2.     From the left navigation pane, select User Access Policy > Service Parameters > System Settings.

3.     Click the icon in the Configure column for Policy Server Parameters.

4.     Select IPv6 Enable Policy Server, as shown in Figure 3.

Figure 3 Configuring policy server parameters

 

5.     Click OK.

Adding an IPv4 access device

In this network, the user and the access device communicate over IPv6, while the access device and the EIA server communicate over IPv4. Therefore, you must add the device to EIA as an IPv4 access device.

To add an IPv4 access device:

1.     On the top navigation bar, click User.

2.     From the left navigation pane, select User Access Policy > Access Device Management > Access Device, as shown in Figure 4.

Figure 4 Access device configuration page

 

3.     Click Add.

Figure 5 Adding an access device

 

4.     Configure the following common parameters:

¡     Authentication Port: Specify the RADIUS authentication service port on the EIA server. It must be the same as that specified on the access device. Typically, use the default service port (1812).

¡     Accounting Port: Specify the RADIUS accounting service port on the EIA server. It must be the same as that specified on the access device. Typically, use the default service port (1813).

 

IMPORTANT:

You must use the EIA server to provide both authentication and accounting services. You cannot use the EIA server as the authentication server and another server as the accounting server.

 

¡     Service Type: Specify the type of service supported by the access device. Options include Unlimited and Device Management Service. The Unlimited option is used for user network access, and the Device Management Service option is used for device login and management by the administrator.

¡     Forcible Logout Type: Specify a method that forces users to log out. Options include Disconnect user and Shut down and bring up port. The Disconnect user option disconnects user connections through disconnect messages. The Shut down and bring up port option logs out users by shutting down the port connecting to them, and then brings up the port after the users are logged out.

¡     Access Device Type: Select the access device type from the list.

 

Categories of access device types and their options:

·     Standard: STANDARD (Standard). You can select this option for any access device that supports the standard RADIUS protocol.

·     Pre-defined, vendor-specific: H3C (General), 3COM (General), HUAWEI (General), CISCO (General), RG (General), HP (MSM), HP (Comware), MICROSOFT (General), JUNIPER (General), and HP (ProCurve).

·     Administrator-defined, vendor-specific: Available options depend on the configuration.

 

¡     Service Group: Select a service group for the access device for hierarchical management.

¡     Shared Key/Confirm Shared Key: Enter a shared key in the Shared Key field. If the system is configured to display keys in ciphertext, you must enter the key again in the Confirm Shared Key field for confirmation.

The shared key is used for secure communication between the server and the access device.

The shared key specified on the EIA server must be the same as that specified on the access device.

You only need to enter the shared key once if you selected Plaintext in the Displays Key in field on the User > User Access Policy > Service Parameters > System Settings > System Parameters page.

¡     Access Location Group: Select an access location group for the access device. Options include the existing groups on EIA and --. The access location group is one of the user access conditions to distinguish endpoint users.

¡     Use the default settings for other parameters.

In this example, you only need to enter shared key movie and confirm the key.

5.     Click Add Manually to add the device with address 1.2.4.199, as shown in Figure 6.

Figure 6 Configuring an access device

 

6.     Click OK.

Adding an access policy

1.     On the top navigation bar, click User.

2.     From the left navigation pane, select User Access Policy > Access Policy.

Figure 7 Access policy management page

 

3.     Click Add. On the page that opens, configure the access policy as needed. In this example, enter only the access policy name, and use the default settings for other parameters.

Figure 8 Adding an access policy

 

4.     Click OK.

Adding an access service

1.     On the top navigation bar, click User.

2.     From the left navigation pane, select User Access Policy > Access Service.

Figure 9 Access service management page

 

3.     Click Add, and configure the parameters on the page that opens as follows:

¡     Service Name: Specify the name of the access service. In this example, the service name is VPN Gateway Access Service.

¡     Default Access Policy: Specify the access policy that has been added in "Adding an access policy."

¡     Use the default settings for other parameters.

Figure 10 Adding an access service

 

4.     Click OK.

Adding an access user

1.     On the top navigation bar, click User.

2.     From the left navigation pane, select Access User > All Access Users.

Figure 11 All Access Users page

 

3.     Click Add. On the page that opens, configure the parameters as follows:

¡     User Name: Specify the username of the access user. This example specifies the existing user named wang.

¡     Account Name: Specify the account name. This example specifies the account name as wang.

¡     Password/Confirm Password: Specify and confirm a password.

¡     Access Service: Select access services. This example selects VPN Gateway Access Service that has been added in "Adding an access service."

Figure 12 Adding an access user

 

Configuring the SSL VPN device

1.     Enter system view and configure interface GigabitEthernet 1/0/11 to operate in bridge mode.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[h3c]interface GigabitEthernet1/0/11

[h3c-GigabitEthernet1/0/11]port link-mode bridge

[h3c-GigabitEthernet1/0/11]quit

2.     Configure an IP address for VLAN-interface 1 to which interface GigabitEthernet 1/0/11 belongs.

[h3c]interface Vlan-interface1

[h3c-Vlan-interface1]ipv6 address 2020:4c::10/64

[h3c-Vlan-interface1]undo ipv6 nd ra halt

[h3c-Vlan-interface1]quit

3.     Create a RADIUS scheme named market.

[h3c]radius scheme market

[h3c-radius-market]primary authentication 1.2.4.159

[h3c-radius-market]primary accounting 1.2.4.159

[h3c-radius-market]key authentication simple expert

[h3c-radius-market]key accounting simple expert

[h3c-radius-market]user-name-format without-domain

[h3c-radius-market]quit

4.     Create an ISP domain named market.

[h3c]domain market

[h3c-isp-market]authentication default radius-scheme market

[h3c-isp-market]authorization default radius-scheme market

[h3c-isp-market]accounting default radius-scheme market

[h3c-isp-market]quit

5.     Create SSL VPN AC interface AC 1 and configure an IP address for the interface. Make sure the EIA server can reach the interface.

[h3c]interface SSLVPN-AC1

[h3c-SSLVPN-AC1]ip address 192.168.2.1 255.255.255.0

6.     Create a security zone and add interfaces to the security zone.

[h3c]security-zone name Trust

[h3c-security-zone-Trust]import interface GigabitEthernet1/0/1

[h3c-security-zone-Trust]import interface GigabitEthernet1/0/11

[h3c-security-zone-Trust]import interface SSLVPN-AC1

[h3c-security-zone-Trust]import interface Vlan-interface1

[h3c-security-zone-Trust]import ipv6 2020:4C7::64

[h3c-security-zone-Trust]quit

7.     Configure security policies.

[h3c]security-policy ip

[h3c-security-policy-ip]rule 0 name 0

[h3c-security-policy-ip]action pass

[h3c-security-policy-ip]quit

[h3c]security-policy ipv6

[h3c-security-policy-ipv6]rule 0 name test

[h3c-security-policy-ipv6]action pass

8.     Configure ACLs.

[h3c]acl advanced 3000

[h3c-acl-ipv4-adv-3000]rule 0 permit ip

[h3c-acl-ipv4-adv-3000]quit

[h3c]acl ipv6 advanced 3000

[h3c-acl-ipv6-adv-3000]rule 0 permit ipv6

[h3c-acl-ipv6-adv-3000]quit

9.     Create zone pairs and apply ACLs to the zone pairs.

[h3c]zone-pair security source Any destination Any

[h3c-zone-pair-security-Any-Any]packet-filter 3000

[h3c-zone-pair-security-Any-Any]packet-filter ipv6 3000

[h3c-zone-pair-security-Any-Any]quit

[h3c]zone-pair security source Any destination Trust

[h3c-zone-pair-security-Any-Trust]packet-filter 3000

[h3c-zone-pair-security-Any-Trust]packet-filter ipv6 3000

[h3c-zone-pair-security-Any-Trust]quit

[h3c]zone-pair security source Local destination Trust

[h3c-zone-pair-security-Local-Trust]quit

[h3c]zone-pair security source Trust destination Any

[h3c-zone-pair-security-Trust-Any]packet-filter 3000

[h3c-zone-pair-security-Trust-Any]packet-filter ipv6 3000

[h3c-zone-pair-security-Trust-Any]quit

[h3c]zone-pair security source Trust destination Local

10.     Specify the default action as permit for packets exchanged between interfaces in the same security zone.

[h3c]security-zone intra-zone default permit

11.     Configure PKI domain cert.

[h3c]pki domain cert

[h3c-pki-domain-cert]public-key rsa general name cert length 2048

[h3c-pki-domain-cert]undo crl check enable

12.     Create an SSL server policy named cert and specify PKI domain cert for the policy.

[h3c]ssl server-policy cert

[h3c-ssl-server-policy-cert]pki-domain cert

[h3c-ssl-server-policy-cert]session cachesize 1000

13.     Configure an IP address for SSL VPN gateway ipv6c, apply SSL server policy cert to the gateway, and enable the gateway.

[h3c]sslvpn gateway ipv6c

[h3c-sslvpn-gateway-ipv6c]ipv6 address 2020:4C7::10

[h3c-sslvpn-gateway-ipv6c]ssl server-policy cert

[h3c-sslvpn-gateway-ipv6c]service enable

14.     Create IP access address pools.

[h3c]sslvpn ip address-pool ippool 192.168.2.100 192.168.2.200

[h3c]sslvpn ipv6 address-pool poo_v6 2020:4C7::200 2020:4C7::800

15.     Create an SSL VPN context named market, and specify ISP domain market for AAA of SSL VPN users in SSL VPN context market.

[h3c]sslvpn context market

[h3c-sslvpn-context-market]gateway ipv6c domain market

[h3c-sslvpn-context-market]aaa domain market

[h3c-sslvpn-context-market]ip-tunnel interface SSLVPN-AC1    //Configure the SSL VPN context to use SSL VPN AC interface AC 1 for user authentication.

16.     Create a route list to ensure that the EIA server is reachable.

[h3c-sslvpn-context-market]ip-route-list iplist

[h3c-sslvpn-context-market-route-list-iplist]include 1.2.4.0 255.255.255.0

[h3c-sslvpn-context-market-route-list-iplist]include 192.168.2.0 255.255.255.0

[h3c-sslvpn-context-market-route-list-iplist]quit

17.     Create an SSL VPN policy group named pg1 and specify ACL 3000 for IP access filtering, Web access filtering, and TCP access filtering.

[h3c-sslvpn-context-market]policy-group pg1

[h3c-sslvpn-context-market-policy-group-pg1]filter ip-tunnel acl 3000

[h3c-sslvpn-context-market-policy-group-pg1]filter web-access acl 3000

[h3c-sslvpn-context-market-policy-group-pg1]filter tcp-access acl 3000

[h3c-sslvpn-context-market-policy-group-pg1]ip-tunnel access-route ip-route-list iplist    //Specify a route list

[h3c-sslvpn-context-market-policy-group-pg1]quit

18.     Specify address pools and the default policy group for the SSL VPN context.

[h3c-sslvpn-context-market]ip-tunnel address-pool ippool mask 255.255.255.0     //Specify address pool ippool

[h3c-sslvpn-context-market]ip-tunnel ipv6 address-pool poo_v6  prefix 64    //Specify address pool poo_v6

[h3c-sslvpn-context-market]default-policy-group pg1
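The following Python script is an added example (not from H3C or this document) that parses the RADIUS scheme and ISP domain commands from steps 3 and 4 above and checks them against the EIA access device settings: the ISP domain must bind authentication, authorization and accounting to an existing scheme, both the authentication and accounting servers must be the EIA server, and each key must equal the shared key entered on EIA. The sample configuration and the key value expert are constructed for the example.

```python
# Constructed sample: the RADIUS scheme and ISP domain from the device-side procedure above.
SAMPLE_CONFIG = """
[h3c]radius scheme market
[h3c-radius-market]primary authentication 1.2.4.159
[h3c-radius-market]primary accounting 1.2.4.159
[h3c-radius-market]key authentication simple expert
[h3c-radius-market]key accounting simple expert
[h3c]domain market
[h3c-isp-market]authentication default radius-scheme market
[h3c-isp-market]authorization default radius-scheme market
[h3c-isp-market]accounting default radius-scheme market
"""

def parse_comware_aaa(config):
    """Collect radius schemes and ISP domains from Comware CLI text (prompts stripped)."""
    schemes, domains, ctx = {}, {}, None
    for raw in config.splitlines():
        words = raw.split("]", 1)[-1].split()      # drop the [h3c-...] prompt
        if not words:
            continue
        if words[:2] == ["radius", "scheme"]:
            ctx = schemes.setdefault(words[2], {"servers": {}, "keys": {}})
        elif words[0] == "domain":
            ctx = domains.setdefault(words[1], {})
        elif words[0] == "quit" or ctx is None:
            ctx = None
        elif words[0] == "primary" and len(words) >= 3:   # primary <svc> <ip>
            ctx["servers"][words[1]] = words[2]
        elif words[0] == "key" and len(words) >= 4:       # key <svc> simple <key>
            ctx["keys"][words[1]] = words[3]
        elif words[1:2] == ["default"] and "radius-scheme" in words:
            ctx[words[0]] = words[words.index("radius-scheme") + 1]
    return {"schemes": schemes, "domains": domains}

def check_against_eia(parsed, domain, eia_ip, eia_shared_key):
    """List mismatches with the EIA access device settings; empty means they agree."""
    dom = parsed["domains"].get(domain)
    if dom is None:
        return ["ISP domain %s not defined" % domain]
    problems = []
    for svc in ("authentication", "authorization", "accounting"):
        scheme = parsed["schemes"].get(dom.get(svc))
        if scheme is None:
            problems.append("domain %s: %s is not bound to an existing RADIUS scheme" % (domain, svc))
        elif svc != "authorization":   # only authentication and accounting have a server and key on EIA
            if scheme["servers"].get(svc) != eia_ip:
                problems.append("%s server is not the EIA server %s" % (svc, eia_ip))
            if scheme["keys"].get(svc) != eia_shared_key:
                problems.append("%s key differs from the EIA shared key" % svc)
    return problems
```

Running check_against_eia(parse_comware_aaa(SAMPLE_CONFIG), "market", "1.2.4.159", "expert") returns an empty list; passing a different key or server address reports the specific service whose setting disagrees with EIA.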

Verifying the configuration

SSL VPN authentication

1.     After the SSL VPN settings are configured, open the SSL VPN connection, as shown in Figure 13.

Figure 13 SSL VPN connection

 

2.     Enter the IPv6 gateway address and click the refresh icon. Then, enter the username and password, and select domain market, as shown in Figure 14.

Figure 14 Entering information for authentication

 

3.     Click Connect. The connection succeeds, as shown in Figure 15.

Figure 15 Connection succeeded

 

Verifying authentication information on EIA

After successful authentication, you can view the authenticated online users in the online user list on EIA.

To view online users:

1.     On the top navigation bar, click User.

2.     From the left navigation pane, select Access User > Online Users. Then, you can view information about users that have passed authentication.
