HPE IMC UAM LDAP Authentication Configuration Examples


HPE IMC UAM LDAP Authentication Configuration Examples
Part Number: 5200-1373
Software Version: IMC UAM 7.2 (E0402)
Document Version: 2

The information in this document is subject to change without notice.
Copyright 2016 Hewlett Packard Enterprise Development LP

Contents

Introduction
Prerequisites
Example: Using UAM for LDAP authentication
    Network configuration
    Software versions used
    Restrictions and guidelines
    Configuring UAM
        Adding the switch to UAM
        Configuring an access policy for LDAP authentication
        Associating an access service with the access policy
        Adding an LDAP server
        Configuring a synchronization policy for the LDAP server
        Synchronizing user data from the LDAP server
    Configuring the switch
    Verifying the configuration
        Triggering 802.1X authentication in the inode client
        Viewing online users in UAM

Introduction

This document provides examples for using UAM to provide LDAP authentication on a network. UAM forwards authentication requests to the LDAP server and makes access decisions according to the authentication results. LDAP user information is stored both on the LDAP server and in UAM. The examples apply to scenarios where UAM is deployed to work with an existing LDAP server for authentication.

Prerequisites

Make sure the access device supports 802.1X.

Example: Using UAM for LDAP authentication

Network configuration

As shown in Figure 1, a user accesses the network by using the account imc001, which is stored on an LDAP server. The LDAP server is a Microsoft Active Directory server that uses the default port 389. The domain name is xin.h3c. Deploy UAM to forward the user's authentication requests to the LDAP server. UAM uses authentication port 1812, accounting port 1813, and the shared key fine for RADIUS communication. The switch manages the user in an ISP domain named cert and includes the domain information in the user names it sends to UAM. The user accesses the network through the inode client on a Windows PC.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on the following platforms:

    IMC UAM 7.2 (E0402)
    H3C S5500-28C-PWR-EI, Comware Software, Version 5.20, Release 2220P02
    inode PC 7.2 (E0402)

Restrictions and guidelines

When you configure LDAP and UAM authentication, follow these restrictions and guidelines:

    Make sure the shared key you configure for the access device on UAM is the same as the one configured at the CLI on the switch.
    Make sure the authentication port number and the accounting port number you configure for the access device on UAM are the same as those configured at the CLI on the switch.
    To select or specify the device IP address, follow these restrictions and guidelines:
        If the nas ip command is configured on the switch, use the NAS IP address as the IP address of the access device.
        If the nas ip command is not configured on the switch, use the IP address of the interface (including a VLAN interface) that connects to UAM as the IP address of the access device.
        To select the switch from the resource pool, make sure it has already been added to the IMC platform, manually or through auto discovery, and uses the correct IP address. If the switch in the resource pool does not use the correct IP address, you must specify the correct IP address of the access device.
    Configure a service suffix for the 802.1X user depending on the authentication domain and username format settings on the switch, as shown in Table 1.

Table 1 Determining the service suffix

    Username in inode   Authentication domain on the switch   Username format command on the switch   Service suffix in UAM
    imc001@cert         cert                                  user-name-format with-domain            cert
    imc001@cert         cert                                  user-name-format without-domain         No suffix

Configuring UAM

Adding the switch to UAM

1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
   The access device list opens, as shown in Figure 2.

   Figure 2 Accessing the Access Device page

3. On the access device list, click Add.
   The Add Access Device page opens, as shown in Figure 3.

   Figure 3 Adding an access device

4. Configure the access device parameters, as shown in Figure 4:
   a. In the Access Configuration area, enter fine in the Shared Key field and use the default values for the other parameters. If the Displays Key in parameter is set to Ciphertext (Displays ******) in the system configuration, enter the same shared key in both the Shared Key and Confirm Shared Key fields.
   b. Use the default values for the other parameters.

   Figure 4 Configuring the access parameters

5. Add the switch to UAM as an access device.
   You can add a device to UAM either manually or by selecting the device from the IMC platform. This example uses the Add Manually option. To manually add the switch to UAM:
   a. In the Device List area, click Add Manually.
   b. On the Add Access Device Manually window, enter 192.168.30.100 in the Device IP field, as shown in Figure 5.
   c. Click OK.

   Figure 5 Adding an access device manually

6. On the Add Access Device page, click OK.
   The new access device is displayed in the access device list, as shown in Figure 6.

   Figure 6 Viewing the new access device

Configuring an access policy for LDAP authentication

1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Policy.
   The access policy list is displayed, as shown in Figure 7.

   Figure 7 Accessing the Access Policy page

3. Click Add on top of the access policy list.
4. On the Add Access Policy page, configure the following parameters, as shown in Figure 8:
   a. Enter LDAP User Access Policy in the Access Policy Name field.
   b. Use the default values for the other parameters.

   Figure 8 Adding an access policy

5. Click OK.
   The new access policy named LDAP User Access Policy is displayed in the access policy list, as shown in Figure 9.

   Figure 9 Viewing the added access policy

Associating an access service with the access policy

1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Service.
   The Access Service page opens, as shown in Figure 10.

   Figure 10 Accessing the Access Service page

3. Click Add on top of the access service list.
4. On the Add Access Service page, configure the following parameters, as shown in Figure 11:
   a. Enter LDAP User Access Service in the Service Name field.
   b. Enter cert in the Service Suffix field. For more information about determining the service suffix, see Table 1.
   c. Select LDAP User Access Policy from the Default Access Policy list.
   d. Use the default values for the other parameters.

   Figure 11 Adding an access service

5. Click OK.
   The new access service named LDAP User Access Service is displayed in the access service list, as shown in Figure 12.

   Figure 12 Viewing the new access service

Adding an LDAP server

1. Click the User tab.
2. From the navigation tree, select User Access Policy > LDAP Service > LDAP Server.

   The LDAP Server page opens, as shown in Figure 13.

   Figure 13 Accessing the LDAP Server page

3. On the LDAP server list, click Add.
4. On the Add LDAP Server page, configure the following parameters, as shown in Figure 14:
   a. Enter a name in the Service Name field to uniquely identify the LDAP server on UAM. This example uses Windows AD as the server name.
   b. Enter 192.168.40.200 in the Address field. The combination of the IP address and the base DN must be unique on UAM.
   c. Enter the listening port number in the Port field. This example uses the default value 389.
   d. Select Microsoft AD from the Server Type list.
   e. In the Base DN field, enter the absolute path under which user data is stored on the LDAP server. This example uses dc=xin,dc=h3c.
   f. In the Admin DN field, enter the absolute path of the administrator account. This example uses cn=administrator,cn=users,dc=xin,dc=h3c.
   g. Enter the administrator password of the LDAP server in the Admin Password field.
   h. Use the default values for the other parameters.

   NOTE: When Microsoft AD is selected from the Server Type list, the Real-Time AuthN field is automatically set to Yes. This value cannot be changed.

   Figure 14 Adding an LDAP server

5. Click OK.
   The new LDAP server named Windows AD is displayed in the LDAP server list, as shown in Figure 15.

   Figure 15 Viewing the added LDAP server

6. Click Test to test the connectivity between IMC and the LDAP server.
   The test result appears in the upper right of the page, as shown in Figure 16.

   Figure 16 Viewing the test result

Configuring a synchronization policy for the LDAP server

1. Click the User tab.
2. From the navigation tree, select User Access Policy > LDAP Service > Sync Policy.
   The Sync Policy page opens, as shown in Figure 17.

   Figure 17 Accessing the Sync Policy page

3. Click Add on top of the synchronization policy list.
4. On the Add Sync Policy page, configure the following parameters, as shown in Figure 18:
   a. Enter Windows AD Sync Policy in the Policy Name field.
   b. Select Windows AD from the Server Name list.
   c. In the Sub-Base DN field, enter the absolute path of the subdirectory under which user data is stored on the LDAP server. The sub-base DN must be the base DN itself or a DN beneath it. This example uses dc=xin,dc=h3c. UAM synchronizes only the user data under the specified subdirectory from the server.
   d. Use the default values for the other parameters.

   Figure 18 Adding a synchronization policy

5. Click Next.
6. On the Add Sync Policy page, configure the following parameters, as shown in Figure 19:
   a. In the Access Information area, enter imc123 in the Password field. By default, the password is not synchronized from the LDAP server.
   b. In the Access Service area, select the service named LDAP User Access Service.
   c. Use the default values for the other parameters.

   Figure 19 Configuring policy information

7. Click Finish.
   The new synchronization policy named Windows AD Sync Policy is displayed in the synchronization policy list, as shown in Figure 20.

   Figure 20 Viewing the new synchronization policy

Synchronizing user data from the LDAP server

1. Click the User tab.
2. From the navigation tree, select User Access Policy > LDAP Service > Sync Policy.
   The Sync Policy page opens, as shown in Figure 21.

   Figure 21 Accessing the Sync Policy page

3. Click Synchronize for the policy named Windows AD Sync Policy.
   UAM starts to synchronize user data from the LDAP server and displays the synchronization result, as shown in Figure 22.

   Figure 22 Viewing the LDAP user synchronization result

4. From the navigation tree, select Access User > All Access Users.
   The synchronized LDAP users appear in the access user list, as shown in Figure 23.

Figure 23 Viewing the synchronized LDAP users

Configuring the switch

1. Configure a RADIUS scheme.

   # Create a RADIUS scheme named zzpermit.
   <H3C>system-view
   System View: return to User View with Ctrl+Z.
   [H3C] radius scheme zzpermit
   New Radius scheme

   # Configure UAM as the primary RADIUS authentication and accounting server in the scheme. Set the RADIUS authentication port to 1812 and the accounting port to 1813.
   [H3C-radius-zzpermit] primary authentication 192.168.40.239 1812
   [H3C-radius-zzpermit] primary accounting 192.168.40.239 1813

   # Configure the shared key fine to secure RADIUS authentication and accounting communication.
   [H3C-radius-zzpermit] key authentication fine
   [H3C-radius-zzpermit] key accounting fine

   # Configure the switch to include domain information in the user names sent to the RADIUS server.
   [H3C-radius-zzpermit] user-name-format with-domain
   [H3C-radius-zzpermit] quit

2. Configure an ISP domain.

   # Add an ISP domain named cert.
   [H3C] domain cert
   New Domain added.

   # Configure the switch to use the RADIUS scheme zzpermit for users in ISP domain cert.
   [H3C-isp-cert] authentication lan-access radius-scheme zzpermit
   [H3C-isp-cert] authorization lan-access radius-scheme zzpermit
   [H3C-isp-cert] accounting lan-access radius-scheme zzpermit
   [H3C-isp-cert] quit

3. Configure 802.1X authentication.

   # Enable 802.1X globally and on Ethernet 1/0/1. The 802.1X function takes effect on the interface only when 802.1X is enabled both globally and on the interface.
   [H3C] dot1x
   802.1X is enabled globally.
   [H3C] dot1x interface Ethernet 1/0/1
   802.1X is enabled on port Ethernet 1/0/1.

   # Set the 802.1X authentication method. With LDAP authentication, you can set the 802.1X authentication method to EAP or PAP. In this example, it is set to PAP.
   [H3C] dot1x authentication-method pap
   PAP authentication is enabled.

Verifying the configuration

Make sure the version of the inode client installed on the PC is compatible with IMC UAM. For more information about compatibility, see the UAM readme file.

Triggering 802.1X authentication in the inode client

1. On the inode client, click 802.1X Connection.
   The 802.1X Connection window opens.
2. Enter the username and password, and click Connect, as shown in Figure 24.

   Figure 24 Viewing the 802.1X connection

   The authentication process starts. The authentication result shows that the connection has been established, as shown in Figure 25.

   Figure 25 Authentication information

Viewing online users in UAM

1. Click the User tab.
2. From the navigation tree, select Access User > Online Users.
3. Click the Local tab.
4. Verify that the user named imc001 has been added to the online user list, as shown in Figure 26.

   Figure 26 Viewing the online user
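As an added illustration (not code from the HPE document) of two points the example relies on, the requirement that the shared key fine match on the switch and on UAM, and the Table 1 rule that the service suffix follows the user-name-format setting, the following Python implements the RFC 2865 User-Password hiding that the PAP method sends over RADIUS; the password and Request Authenticator values are constructed.

```python
"""RFC 2865 (section 5.2) User-Password hiding, as used by PAP over RADIUS, plus the
Table 1 service-suffix rule. Added illustration, not code from the HPE document;
the password and Request Authenticator values used with it are constructed."""
import hashlib

SHARED_KEY = b"fine"  # shared key from the example: UAM access device and 'key authentication fine'


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password attribute: pad the password with NULs to a multiple of
    16 octets, then XOR each block with MD5(secret + previous block), where the
    'previous block' for the first block is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:  # an empty password is still sent as one all-NUL block
        padded = b"\x00" * 16
    hidden = b""
    previous = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        previous = block  # chaining: the next keystream depends on this ciphertext block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password as the RADIUS server does. With the wrong shared key the
    result is garbage rather than an error, so a key mismatch surfaces only as an
    authentication failure on UAM. Trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain = b""
    previous = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        previous = block
    return plain.rstrip(b"\x00")


def radius_username(inode_username: str, with_domain: bool) -> str:
    """User name the switch places in the RADIUS request for an ISP-domain user,
    per the user-name-format with-domain / without-domain setting."""
    return inode_username if with_domain else inode_username.partition("@")[0]


def service_suffix(username_sent: str):
    """Service suffix UAM needs to match the access service (Table 1): the part
    after '@', or None when the switch stripped the domain ('No suffix')."""
    _user, sep, domain = username_sent.partition("@")
    return domain if sep else None
```

Running unhide_password with a key other than the one used by hide_password shows why a shared-key mismatch between the switch CLI and the UAM access device entry produces authentication failures rather than a configuration error.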