HPE IMC UAM Binding Access Users with PCs Configuration Examples

Transcription

1 HPE IMC UAM Binding Access Users with PCs Configuration Examples Part Number: Software version: IMC UAM 7.2 (E0403) Document version: 2 The information in this document is subject to change without notice. Copyright 2016 Hewlett Packard Enterprise Development LP

2 Contents Introduction 1 Prerequisites 1 Example: Binding access users with PCs 1 Network configuration 1 Software versions used 1 Restrictions and guidelines 1 Configuring UAM 2 Configuring the switch as an access device 2 Configuring an access policy 4 Configuring an access service 5 Configuring an access user 6 Configuring the switch 8 Configuring the inode client 9 Verifying the configuration 9 Triggering 802.1X authentication 9 Viewing online users 11 Viewing the PC binding information 12 Reauthenticating the user with another IP address 13 i

3 Introduction This document provides an example for binding an access user account with a PC. With PC binding, you can bind access user accounts with computer names, IP addresses, or domain names to enhance authentication security and prevent account spoofing and unauthorized access. PC binding is also used in enterprise and campus networks that require access user accounts to be bound with PCs. Prerequisites Make sure the access device supports 802.1X. Example: Binding access users with PCs Network configuration As shown in Figure 1, a user accesses the network through the inode client on a Windows PC. The switch performs 802.1X authentication of the user. Figure 1 Network diagram Software versions used This configuration example was created and verified on the following platforms: IMC UAM 7.2 (E0403) H3C S3600V2-28TP-EI Comware Software, Version 5.20, Release 2103 inode PC 7.2 (E0403) Restrictions and guidelines When you configure the PC binding, follow these restrictions and guidelines: Make sure the shared key you configure for the access device in UAM is the same as the shared key in the CLI configuration on the switch. If you want to select a switch from the resource pool as an access device, make sure it has already been added to the IMC platform, either manually or through auto discovery. Configure a service suffix for the 802.1X user depending on the authentication domain and username format settings on the switch, as shown in Table 1. 1

4 Table 1 Determining the service suffix Username in inode Authentication domain on the switch Username format command on the switch Service suffix in UAM ice@ user-name-format with-domain user-name-format without-domain No suffix 5315 Configuring UAM Configuring the switch as an access device 1. Click the User tab. 2. From the navigation tree, select User Access Policy > Access Device Management > Access Device. 3. On the Access Device List, click Add. The Add Access Device page opens, as shown in Figure 2. Figure 2 Adding an access device 4. Add the switch to UAM as an access device. You can add a device to UAM either manually or by selecting the device from the IMC platform. This example uses the Add Manually option. To add an access device manually: a. Click Add Manually. The Add Access Device Manually page opens. b. Enter in the Device IP field, as shown in Figure 3. If the nas-ip command is configured on the device, enter the NAS IP address in the Device IP field. If the command is not configured, enter the IP address or VLAN interface address for the interface connected to UAM in the Device IP field. 2

5 Figure 3 Specifying the IP address of the access device c. Click OK to return to the Add Access Device page. 5. Configure access information for the access device, as shown in Figure 4: a. Enter the authentication port number in the Authentication Port field, and enter the accounting port number in the Accounting Port field. Make sure the values are the same as the port numbers configured on the access device. This example uses the default authentication and accounting port numbers 1812 and 1813, respectively. IMPORTANT: Use UAM for authentication and accounting at the same time. If you use UAM for authentication, you must use it for accounting. b. Select LAN Access Service from the Service Type list. c. Select H3C (General) from the Access Device Type list. d. Enter movie in the Shared Key and Confirm Shared Key fields. Make sure the shared key is the same as the shared key configured on the access device. If Display Access Passwords is set to Plain Text (display password) in system settings, the Confirm Shared Key field does not appear. e. Use the default values for other parameters. 3

6 Figure 4 Configuring the access device 6. Click OK. 7. On the Result of Adding Access Devices page, click Back to Access Device List. The new access device is displayed in the access device list, as shown in Figure 5. Figure 5 Viewing the new access device Configuring an access policy 1. Click the User tab. 2. From the navigation tree, select User Access Policy > Access Policy. 3. On the Access Policy list, click Add. The Add Access Policy page opens, as shown in Figure In the Basic Information area, enter access bind-pc in the Access Policy Name field and select Ungrouped from the Service Group list. 5. In the Authentication Binding Information area, select the Bind User IP and Bind User MAC options. 6. Leave other parameters with the default values. 4

7 Figure 6 Adding an access policy 7. Click OK. The new access policy is displayed in the access policy list, as shown in Figure 7. Figure 7 Viewing the new access policy Configuring an access service 1. Click the User tab. 2. From the navigation tree, select User Access Policy > Access Service. 3. On the Access Service list, click Add. 4. On the Add Access Service page, configure basic information for the access service, as shown in Figure 8: a. Enter pc bind in the Service Name field. The service name must be unique. b. Enter the service suffix in the Service Suffix field. In this example, leave the field blank. For information about determining the service suffix, see Table 1. c. Select access bind-pc from the Default Access Policy list. d. Use the default values for other parameters. 5

8 Figure 8 Adding an access service 5. Click OK. The new access service is displayed in the access service list, as shown in Figure 9. Figure 9 Viewing the access service Configuring an access user 1. Click the User tab. 2. From the navigation tree, select Access User > All Access Users. 3. On the Access User list, click Add. The Add Access User page opens, as shown in Figure 10. 6

9 Figure 10 Adding an access user 4. On the Add Access User page, configure the basic parameters for the access user: a. In the User Name field, configure an IMC platform user to be associated with the access user. You can either select an existing user account from the IMC platform or add a new IMC platform user. This example uses the Add User option. On the Add User page, enter wbing in the User Name field, enter 0128 in the Identity Number field, and click OK, as shown in Figure 11. b. Enter ice in the Account Name field. c. Enter in the Password and Confirm Password fields. d. Select the service named pc bind in the Access Service area. e. Use the default values for other parameters. Figure 11 Adding a new IMC platform user 5. Click OK. The new access user is displayed in the access user list, as shown in Figure 12. 7

10 Figure 12 Viewing the new access user 6. Click the account name to view its details. The binding information for the access device is empty, as shown in Figure 13. Figure 13 Viewing access user details Configuring the switch 1. Configure a RADIUS scheme. # Create a RADIUS scheme named pcbind. <Device> system-view [Device] radius scheme pcbind 8

11 # Configure UAM as the primary RADIUS authentication and accounting server. Set the RADIUS authentication port to 1812 and set the accounting port to [Device-radius-pcbind] primary authentication [Device-radius-pcbind] primary accounting # Configure the shared key to expert to secure RADIUS authentication and accounting communication. [Device-radius-pcbind] key authentication expert [Device-radius-pcbind] key accounting expert # Configure the switch to remove domain information from the usernames to be sent to the RADIUS server. [Device-radius-pcbind] user-name-format without-domain [Device-radius-pcbind] quit 2. Create an ISP domain. # Create an ISP domain named [Device] domain 5315 # Configure the switch to use the RADIUS scheme pcbind for 802.1X users. [Device-isp-5315] authentication lan-access radius-scheme pcbind [Device-isp-5315] authorization lan-access radius-scheme pcbind [Device-isp-5315] accounting lan-access radius-scheme pcbind [Device-isp-5315] quit 3. Configure 802.1X authentication. # Enable 802.1X globally and on Ethernet 1/0/4. The 802.1X function takes effect on the interface only when 802.1X is enabled globally and on the interface. [Device] dot1x 802.1X is enabled globally. [Device] dot1x interface Ethernet 1/0/ X is enabled on port Ethernet 1/0/4. # Configure the switch to perform EAP termination and to support all CHAP authentication methods for RADIUS communication. [Device] dot1x authentication-method chap Configuring the inode client Create an 802.1X authentication connection in the inode client. Make sure the username is ice and the password is (Details not shown.) Verifying the configuration Use the inode client to trigger 802.1X authentication for network access. Triggering 802.1X authentication IMPORTANT: To obtain the IP address on the PC, select the Upload IPv4/IPv6 address option in the 802.1X connection property dialog box. 1. On the inode client, click 802.1X Connection. The 802.1X Connection window opens. 9

12 2. Enter the user name and password, and click Connect, as shown in Figure 14. Figure 14 Triggering 802.1X authentication The 802.1X authentication process starts. The authentication result shows that the connection has been established, as shown in Figure

13 Figure 15 Authentication information Viewing online users After the user passes authentication, you can view that user as an online user in UAM by performing the following steps: 1. Click the User tab. 2. From the navigation tree, select Access User > Online Users. 3. Click the Local tab. 4. Verify that the user named ice has been added to the online user list, as shown in Figure

14 Figure 16 Viewing the online user list Viewing the PC binding information When the user passes authentication, IP address and MAC address on the PC are automatically bound to the user. In the online user list, click the account name ice to display detailed information about the user, as shown in Figure 17. You can view the IP address and MAC address in the Terminal Binding Information area. Figure 17 Viewing the access account information 12

15 Reauthenticating the user with another IP address Modify the IP address of the inode client, and perform 802.1X authentication for the user with username ice and password The authentication starts, as shown in Figure 18. The user cannot pass authentication and an error message is displayed. The user cannot pass the static IP address binding check because the IP address is different from the terminal binding information in UAM. Figure X authentication failure 13