HP Intelligent Management Center

Transcription

1 HP Intelligent Management Center User Access Manager Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with the UAM service module. Part number: Software version: IMC UAM 5.1 (E0301) Document version: 5PW

2 Acknowledgments Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Oracle and Java are registered trademarks of Oracle and/or its affiliates i

3 Contents 1 UAM overview 1 UAM function in the EAD solution 1 EAD solution key components 3 UAM functional structure 3 UAM user types 3 UAM access control settings 4 Authorization 4 Binding 5 Access area control 5 Access methods and authentication methods X 6 Portal 7 VPN 8 MAC authentication 9 UAM local authentication 10 LDAP authentication 10 RSA authentication 11 Roaming authentication 12 UAM and access device cooperation 13 Other UAM functions 14 Monitoring and auditing 14 Trouble report management 15 Hierarchical management 15 System configuration 15 Self service 15 2 UAM authentication configuration guide X access and UAM local authentication 16 UAM configuration 16 Access device configuration 19 inode client configuration 20 Parameter correlation 20 Portal access and UAM local authentication 20 UAM configuration 21 Access device configuration 25 inode client configuration 25 Parameter correlation 25 VPN access and UAM local authentication 26 UAM configuration 27 VPN gateway configuration 29 inode client configuration 33 Parameter correlation 33 MAC authentication and UAM local authentication 33 UAM configuration 34 Access device configuration 37 Mute terminal configuration 37 LDAP authentication 37 UAM configuration 38 RSA authentication 41 ii

4 UAM configuration 41 Roaming authentication 44 UAM 1 configuration 45 UAM 2 configuration 47 Certificate authentication X access and certificate authentication 49 Portal access and certificate authentication 52 3 Service configuration 55 Service 55 Service configuration considerations 55 Viewing the service list 55 Viewing service details 56 Adding a service 60 Modifying a service 64 Deleting a service 68 Access period 69 Displaying the access period policy list 69 Viewing access period policy details 69 Adding an access period policy 70 Modifying an access period policy 71 Deleting an access period policy 72 Access area 72 Viewing the access area list 72 Querying access areas 73 Viewing the detailed access area information 73 Adding an access area 74 Modifying an access area 74 Deleting an access area 75 Access IP group 75 Displaying the access IP group list 76 Querying access IP groups 76 Adding an access IP group 77 Modifying an access IP group 77 Deleting an access IP group 77 Access ACL 78 Viewing the access ACL list 78 Viewing access ACL details 78 Adding an access ACL 79 Modifying an access ACL 80 Deleting an access ACL 81 Access MAC address 81 Setting MAC filter 81 Viewing the access MAC address list 81 Querying access MAC addresses 82 Adding an access MAC address 82 Importing access MAC addresses in batches 83 Modifying an access MAC address 84 Deleting an access MAC address 84 Hard disk serial number 84 Viewing the hard disk serial number list 84 Querying hard disk serial numbers 85 Adding a hard disk serial number 85 Importing hard disk serial numbers in batches 85 Modifying a hard disk serial number 86 iii

5 Deleting a hard disk serial number 86 4 Managing access users 88 Access users and platform users 88 Configuration guidelines 91 Managing ordinary access users 92 Viewing the access user list 92 Querying ordinary access users 93 Viewing ordinary access user details 95 Adding an ordinary access user 98 Bulk importing ordinary access users 101 Modifying an ordinary access user 101 Modifying ordinary access users in bulk 104 Deleting an ordinary access user 104 Adding an ordinary access user to the blacklist 104 Releasing ordinary access users from the blacklist 105 Applying for services for ordinary access users 105 Canceling a service for ordinary access users 105 Registering ordinary access users 106 Managing mute terminal users 113 Viewing the mute terminal user configuration profile list 114 Viewing mute terminal user configuration profile details 114 Adding a mute terminal user configuration profile 115 Modifying a mute terminal user configuration profile 116 Activating mute terminal user configuration profiles 118 Deleting mute terminal user configuration profiles 118 Managing LDAP users 118 Managing guests 118 Managing guest managers in UAM 119 Configuring guest services in UAM 122 Configuring guest service parameters 123 Pre-registering a guest on the self-service center login page (by a guest) 123 Managing pre-registered guests in the self-service center (by a guest manager) 124 Managing registered guests in the self-service center (by a guest manager) 130 Managing guests in UAM (by the IMC administrator) 138 Managing blacklisted users 143 Viewing the blacklisted user list 143 Querying blacklisted users 144 Viewing blacklist information 145 Adding users to the blacklist 145 Releasing a blacklisted user 146 Batch operations 147 Importing accounts in batches 147 Maintaining accounts in a file 151 Querying and maintaining accounts in batches 156 Exporting accounts in batches 160 Exporting access details in batches Access device configuration 164 Configuring access devices 164 Viewing the Access Device List 164 Querying access devices 165 Viewing access device details 166 Viewing the access device configuration 166 Adding access devices 167 Modifying access devices 169 iv

6 Deleting access devices 170 Configuring ARP spoofing attack protection 170 Configuring access device types 172 Viewing the Access Device Type List 172 Viewing access device type details 173 Adding an access device type 174 Modifying an access device type 174 Deleting an access device type 175 Modifying the priority of an access device type 175 Configuring the Proprietary Attribute List 175 Configuring proprietary attribute assignment policies 176 Viewing the Proprietary Attribute Assignment Policy List 176 Viewing proprietary attribute assignment policy details 177 Adding a proprietary attribute assignment policy 177 Modifying a proprietary attribute assignment policy 179 Deleting a proprietary attribute assignment policy Portal authentication 181 Configuring the portal server 181 Configuring IP address groups 182 Viewing the IP address group list 183 Querying IP address groups 183 Viewing IP address group details 184 Adding an IP address group 184 Modifying an IP address group 185 Deleting an IP address group 185 Configuring portal devices 185 Viewing portal devices 186 Querying portal devices 186 Viewing portal device details 186 Adding a portal device 187 Modifying a portal device 188 Deleting a portal device 189 Configuring port groups 190 Viewing the port group list 190 Querying port groups 190 Viewing port group details 191 Adding a port group 192 Modifying a port group 195 Deleting a port group 196 Configuring portal login pages 197 Viewing the login page list 197 Viewing login page details 197 Adding a login page 198 Modifying a login page 199 Deleting a login page 200 Configuring PDAs to support portal authentication LDAP authentication 201 Managing LDAP servers 201 Viewing LDAP servers 201 Viewing detailed information about an LDAP server 202 Adding an LDAP server 204 Testing connectivity to an LDAP server 206 Modifying LDAP server settings 206 Deleting an LDAP server 208 v

7 Importing certificates 208 Batch modifying LDAP server admin passwords 209 Managing LDAP synchronization policies 209 Viewing LDAP synchronization policies 209 Viewing LDAP synchronization policy information 210 Viewing detailed information about an LDAP synchronization policy 211 Adding an LDAP synchronization policy 214 Modifying an LDAP synchronization policy 223 Deleting an LDAP synchronization policy 232 Executing a synchronization policy 232 Managing users bound to an LDAP synchronization policy 233 Validating on-demand synchronization policies 233 Managing LDAP users 233 Viewing LDAP users 234 Querying LDAP users 235 Viewing LDAP user details 236 Binding common users with LDAP synchronization policies 238 Unbinding users with LDAP synchronization policy 239 Synchronizing an LDAP user 239 Modifying LDAP user information 239 Deleting an LDAP user 241 Adding an LDAP user to the blacklist 242 Releasing an LDAP user from the blacklist 242 Applying services for an LDAP user 242 Canceling services for LDAP users 243 Exporting LDAP users 243 Batch LDAP User Operations 244 Supplementary information for LDAP user passwords stored in UAM Certificate authentication 246 Configuring 802.1X access and UAM local authentication 246 Configuring portal access and UAM local authentication 248 Managing root certificate, server certificate, and CRL in UAM 251 Importing root certificate and server certificate into UAM 251 Viewing certification configuration 253 Configuring CRL update 253 Updating the CRL at the URL 254 Importing a CRL file 254 Deleting certificate configuration 254 Enabling certificate authentication in a service RSA authentication 256 Enabling RSA authentication in a service 257 Configuring RSA authentication 257 Adding an RSA authentication item 257 Viewing RSA authentication configuration items 257 Modifying an RSA authentication item 258 Deleting an RSA authentication item Roaming authentication 260 Configuring the source UAM as an access device (on the destination UAM) 260 Enabling and configuring the roaming function (on the source UAM) 261 Enabling roaming 261 Add roaming configuration 261 Displaying roaming configuration 262 Modifying roaming configuration 263 vi

8 Deleting roaming configuration Monitoring and auditing 265 Managing online users 265 Managing native online users 265 Managing roaming online users 273 Managing logs 278 Managing authentication failure logs 279 Managing access detail records 282 Managing roaming-access detail records 287 Managing user logs 291 Managing device management user authentication logs 294 Managing data export tasks 296 Exporting LAN access detail records 296 Exporting account information Access service topology 300 Managing access service topology views 300 Viewing access service topology views 300 Adding an access service topology view 300 Modifying an access service topology view 300 Deleting an access service topology view 301 Viewing devices 301 Adding a non-access device 301 Add an access device 303 Deleting devices 304 Managing devices 304 Unmanaging devices 304 Synchronizing a device 305 Viewing access service topology 305 Viewing device topology 305 Ping 306 TraceRoute 306 Opening web manager 306 Telnetting to the device 307 Managing access service topologies 307 Configuring a device as an access device 307 Viewing access device information 308 Configuring an access device as a non-access device 308 Displaying user terminals 308 Querying user terminals 309 Querying online users 310 Querying online user details 310 Kicking out users 311 Clearing online information 311 Sending messages 312 Adding an online user to the blacklist 312 Unblacklisting an online user 313 Locking an online user 313 Unlocking an online user Reports 315 Selecting a report type 315 Real-time reports 315 Service usage report 315 Authentication failure category statistics report 316 vii

9 Offline reason report 317 Idle account report 319 Online user report 320 Account number monthly report 323 Scheduled reports 324 Service usage report 324 Authentication failure category statistics report 326 Offline reason report 329 Idle account report 333 Online user report Device management users 341 Configuring device management users in UAM 341 Viewing device management users 341 Querying device management users 342 Viewing device management user details 342 Adding a device management user 343 Modifying a device management user 344 Deleting device management users 345 Configuring access devices in UAM 345 Configuring AAA authentication on devices 347 Viewing authentication logs of device management users in UAM Trouble report management 348 Trouble report questions management 348 Viewing trouble report questions 349 Viewing trouble report question details 349 Adding a trouble report question 351 Modifying a trouble report question 352 Adjusting the priority of a trouble report question 354 Deleting a trouble report question 354 Submitting a trouble ticket 354 Submitting a trouble ticket 355 Viewing a trouble ticket 356 Viewing trouble ticket details 356 Deleting a trouble ticket 357 Trouble ticket management 357 Viewing a trouble ticket 357 Querying trouble tickets 358 Viewing trouble ticket details 360 Handling a trouble ticket 361 Deleting a trouble ticket 362 FAQ management 363 Configuring the FAQ in UAM 363 Viewing FAQ in the Self-Service Center Managing user groups and service groups 368 Managing user groups 368 Viewing user groups 368 Viewing a subgroup 368 Viewing user group details 369 Viewing subgroup details 370 Adding a user group 370 Adding a subgroup 371 Modifying a user group 371 Modifying a subgroup 372 viii

10 Deleting a user group 372 Deleting a subgroup 373 Viewing users in a user group or subgroup 373 Querying users in a user group or subgroup 374 Moving users between user groups 374 Managing service groups 374 Viewing service groups 375 Viewing service group details 375 Adding a service group 375 Modifying a service group 376 Deleting a service group Configuring global system settings 377 Configuring system parameters 377 Configuring policy server parameters 381 Configuring UAM system operation log parameters 382 Configuring a user prompt 383 Viewing a user prompt 383 Adding a user prompt 383 Modifying a user prompt 384 Deleting a user prompt 384 Configuring autorun tasks on client 384 Configuring the password strategy 385 Configuring auto-cancel accounts settings 385 Configuring SSV logo images 386 Configuring wireless positioning parameters 387 Configuring authentication notify parameters 388 Configuring client anti-crack 389 Viewing a dictionary file 389 Querying dictionary files 389 Importing dictionary files 390 Deleting dictionary files 390 Configuring proxy server detection settings 390 Configuring client upgrade 392 Viewing a client upgrade task 392 Viewing client upgrade task details 393 Adding a client upgrade task 393 Modifying a client upgrade task 394 Deleting a client upgrade task 394 Configuring unified authentication 395 Configuring Web Application System >> Portal 395 Configuring Web Application System >> Self-Service 395 Configuring Portal >> Web Application System 396 Configuring inode client shortcuts User self-service 399 Pre-registering access users 399 Maintaining accounts by access users 400 Retrieving an access user password 400 Maintaining account information 400 Changing a password 402 Auditing account behaviors 402 Viewing the FAQ and trouble report 404 Maintaining user information by device management users 404 Checking the FAQ 405 ix

11 19 Support and other resources 406 Contacting HP 406 Subscription service 406 Related information 406 Documents 406 Websites 406 Conventions 407 About HP IMC documents 407 Index 409 x

12 1 UAM overview UAM function in the EAD solution The Endpoint Admission Defense (EAD) solution is a multi-service, secure access management solution that integrates authentication, monitoring, auditing, and service management. In the EAD solution, IMC cooperates with various access devices (such as switches, routers, VPN gateways, and firewalls) to meet the requirements of identity authentication, user privilege control, access admission, and desktop management in different network scenarios. The EAD solution has the following features: Reliable user identity authentication Simple and practical user management Strict user privilege control All-around terminal security protection Powerful desktop management function High-performance, expansible deployment solutions. Reliable user identity authentication Supports many authentication access modes, such as 802.1X, portal, VPN access, and wireless access. Supports many identity authentication modes to meet different security requirements, such as PAP, CHAP, EAP-MD5, EAP-TLS, and EAP-PEAP. Supports binding an access account with an access device IP address, access port, VLAN, and user terminal IP address/mac address. Supports binding an access account with the identity information such as computer name, domain user, and SSID, to enhance user authentication. Supports automatic learning of the binding information. Supports LDAP authentication by cooperating with the LDAP servers such as Windows AD, OpenLDAP, and third-party mail systems that support the LDAP protocol. Supports roaming authentication. Supports RSA authentication. Portal authentication supports web, dissolvable client, and inode client modes. The portal web authentication also supports providing different authentication pages according to different port groups, SSIDs, and terminal operating systems. Simple and practical user management Many types of users, including normal access users, guests, mute terminal users, and LDAP users. Abundant batch operations, such as batch open/cancel/modify accounts. Customized additional information for users, such as the department and post information. Web-based user pre-registration. A terminal user can submit user information through the web and then the administrator opens an account for the user, reducing the workload for the administrator. Blacklist function prevents malicious user attacks. Users in the blacklist cannot pass authentication. 1

13 Strict user privilege control Supports user-based privilege control allowing the administrator to customize different network access rights for different users. Controls network access bandwidth of users, limits the number of online users, prohibits users from setting and using proxy servers, and limits the idle time. Restricts user access to sensitive internal servers and illegal external websites by using device ACLs and VLANs. Restricts user access to sensitive internal servers and illegal external websites by using client ACLs. Controls user IP addresses allocation to avoid IP address embezzlement. Prohibits terminal users from using multiple network adapters and dial-up network access to avoid leakage of internal information. All-around terminal security protection Supports various security policies to ensure that all user terminals connected to the network are secure. When an access user does not comply with the security policy, the system can log off, quarantine, notify, or monitor the user. The system can use different security policies to check users connected to the network from different areas. Integrates anti-virus software, anti-phishing software, anti-spyware software, firewall software, hard disk encryption software, and patch management software to check the security status of terminals and provide repair measures for insecure terminals. Provides the operating system patch management function to improve the self-defense ability of terminals. The administrator can define the patches to be checked or let the WSUS server to detect and update the operating system patches. Checks software installation and running processes and services. Checks Windows registry entries, and monitors certain system files terminal traffic, and share directories. Detects weak operating system passwords. Assigns security and isolation ACLs to access devices to control access of users. Security ACLs allow access of secure users and isolate ACLs deny access of insecure users. Assigns security ACLs and isolation ACLs to clients. Security ACLs allow access of secure users and isolate ACLs deny access of insecure users. Supports real-time security monitoring. The system checks the security status of users during authentication. The system also performs security check for online users periodically. Once a security weakness is identified, the system immediately takes corrective action. The actions include logging off, quarantine, notification, or monitoring. Supports area-based EAD. The system uses different security policies for the same user that accesses the network from different areas or using different IP addresses. Powerful desktop management function Provides a desktop assets management solution, including flexible asset registration mechanisms, all-around asset control policies, real-time software and hardware asset collection, detailed asset changes reports, and detailed asset statistics. Supports software deployment for assets and asset groups through HTTP, FTP, and file sharing. Supports peripherals monitoring. It can disable USB port, optical disk drive, soft disk drive, PCMCIA interface, serial port, parallel port, infrared, blue tooth, 1394, and modem. If a peripheral is enabled illegally, the inode client can automatically disables the peripheral and report an alarm. Supports monitoring of files in a USB storage device or printer. It can record the names and sizes of the files written to the USB device or printed by the printer. 2

14 Supports files auditing function, helping the administrator to check whether certain files exist in the specified directory on an online asset. Supports an energy-saving function that can force terminals to shut down at a specified time. High-performance, expansible deployment solutions Provides two software and hardware platforms PC server, Windows, and SQL Server and PC server, Linux, and Oracle. Supports several reliable deployment solutions, such as stateful failover, stateless failover, and RADIUS fail-open. Supports hierarchical management. The child nodes use the EAD policies deployed from their parent node, satisfying the requirement of distributed deployment with centralized management for large enterprises. EAD solution key components The EAD solution includes these key components: User Access Manager (UAM) and Endpoint Admission Defense (EAD) components at the server side, and the inode client at the client side. The UAM component provides reliable user identity authentication, simple and practical user management, and strict user privilege control for the EAD solution. The EAD component provides strict end-point security defense and powerful desktop management for the EAD solution. The inode client cooperates with the UAM and EAD components to implement the previous functions. UAM functional structure As shown in Figure 1, UAM functions are based on the access user and service structure. An access user is the information a terminal user employs to access the network, including access account and password. A service is a set of access control policies. To access the network, a terminal user creates an access user and applies for at least one service in UAM. When accessing the network, the user is restricted by the policies defined in each service that the user employs. Figure 1 UAM functional structure UAM user types To satisfy the access requirements in different scenarios, UAM contains the following types of users: Normal access users Uses an account name-password or certificate to pass identity authentication. UAM saves and maintains user access information. Mute terminal users Refers to a network terminal without an authentication operating interface, such as an IP phone and a printer. A mute terminal uses its MAC address for identity authentication. 3

15 LDAP users UAM users who are bound with an LDAP server. When UAM receives an authentication request from such a user, it delivers the username and password to the LDAP server for identity authentication. LDAP user information is saved in both the LDAP server and the UAM server. The LDAP server maintains user information. UAM periodically synchronizes user information from the LDAP server. If a network already uses an LDAP server to manage users, HP recommends using LDAP users when you deploy the UAM system to the network. Guests Refers to a user who needs to access the network. In UAM, you can specify a normal user as a guest administrator, who can add guest users and process the pre-registration requests for guest users. Device management users Manages network devices. When a device management user logs in to a network device through Telnet or SSH, UAM authenticates the user s account and password. UAM supports only RADIUS authentication for device management users. After a device management user passes authentication, UAM assigns corresponding management rights to the user and then the user can manage and maintain the network device. UAM access control settings Access control policies are used in UAM services to control user access behaviors and avoid insecure user access. Access control policies include the following categories: authorization, binding, and access area control. Authorization Authorization for users includes the following: Control user access time UAM lets you define time ranges during which users can or cannot access the network. Specifying different access time ranges for different users to implement time-range based network access. Control user uplink and downlink bandwidth and priorities Access devices can limit the uplink and downlink speeds and priorities of access users according to the rate and priority limit policies assigned by the UAM. This function prevents users from excessively occupying network resources, which reduces network congestions. Specify user access rights to resources Access devices can dynamically grant users to access specific network resources according to the user ACLs and user VLANs assigned by the UAM. This function prevents illegal access to important network resources. Require the usage of an inode client Some UAM functions require the cooperation of an inode client. UAM lets you specify that users must use an inode client to ensure these functions. Prohibit users from using an IE proxy or proxy server software If you enable this function in UAM, users who use an IE proxy or run proxy server software cannot pass authentication, and online users who configure an IE proxy or run a proxy server are logged off. This function requires the cooperation of the inode client. Prohibit online users from changing IP addresses If you enable this function in UAM, online users who change the IP address of the authentication network adapter are logged off. This function runs with the inode client. Prohibit users from changing MAC addresses If you enable this function in UAM, users who change the MAC address of the authentication network adapter cannot pass authentication. This function runs with the inode client. 4

16 Binding Prohibit users from using multiple network adapters If you enable this function in UAM, users who have multiple network adapters (including virtual network adapters) activated in their PCs cannot pass authentication. If detecting that an online user has multiple active network adapters, UAM logs off the user. This function runs with the inode client. Prohibit users from using the inode DC in Windows, Linux, or Mac OS If you enable this function in UAM, users who use an inode DC in the corresponding operating system cannot pass authentication. Restrict external network access If you enable this function in UAM, UAM uses client ACLs to restrict the network access rights of users who uses an unauthenticated network adapter. This function runs with the inode client. Restrict the user IP getting method In UAM, you can specify the user IP getting method as DHCP, static configuration, or either DHCP or static. If a user obtains the IP address in a way different from that you specified, the user cannot pass authentication. The following types of bindings can be used with one another unless otherwise specified. Access user and access device binding Users can access the network only from the access device with a specific IP address. The IP address is specified in the UAM. Access user and access port binding Users can access the network only from a specific port on an access device. The port is specified in the UAM. Access user and access VLAN binding Users can access the network only from a specific VLAN on an access device. The VLAN is specified in the UAM. You can use VLAN binding or QinQ VLAN binding but not both. Access user and QinQ VLAN binding Users can access the network only when the user s inner and outer VLAN configuration is the same as that you configured in UAM. You can use VLAN binding or QinQ VLAN binding, but not both. Access user and PC s IP address binding Users can access the network only when the IP address of the network adapter that the user uses for authentication is the same as that you configured in UAM. Access user and PC s MAC address binding Users can access the network only when the MAC address of the network adapter that the user uses for authentication is the same as that you configured in UAM. Access user and SSID binding Wireless users can access the network only when the user uses the same SSID as that you configured in UAM. Access user and PC name binding Users can access the network only when the user s PC name is the same as that you configured in UAM. PC and domain binding Users can access the network only when the user s PC is added to the domain specified in UAM. PC and login-domain binding Users can access the network only if the user logs in to a domain when logging in to the PC operating system. Access area control Access area control provides fine-grained access control binding policies. You can configure the UAM to use or not use binding policies when users access the network from different devices and using different IP addresses. UAM provides client security to prevent users from using an inode client to bypass the access control policies. 5

17 Access methods and authentication methods 802.1X A UAM authentication system contains UAM, access devices, and clients, as shown in Figure 2. An access method refers to the exchange between a client and its access device. An authentication method refers to the exchange between an access device and the UAM. UAM supports these access methods: 802.1X Portal VPN MAC authentication UAM supports these authentication methods: UAM local authentication LDAP authentication RSA authentication Roaming authentication An access method and an authentication method work together to implement user identity authentication X access is applicable to the following scenarios: New network construction, or large-scale rebuilding of an existing network Strict access control at the network access layer 6

18 Figure 2 Network diagram of 802.1X access 802.1X access has the following features: UAM serves as the RADIUS server to authenticate user identities. Access layer switches determine whether terminal users can access the network. Access layer switches grant user access rights to resources according to the access control policies assigned by the UAM. The 802.1X access process supports these password exchange methods: PAP CHAP EAP-MD5 EAP-TLS EAP-PEAP Portal Portal access, shown in Figure 3, is applicable to the following scenarios: Small-scale rebuilding of an existing network. User access control at the network distribution layer. Control access only to the external network. Users can access the internal network, but must pass authentication to access the external network. 7

19 Figure 3 Network diagram of portal access Portal access has the following features: UAM serves as both the RADIUS server and the portal server. The network distribution layer, core layer (portal gateway attached), or egress device controls user access to the network. The portal access process supports these password exchange methods: PAP CHAP EAP-MD5 EAP-TLS EAP-PEAP NOTE: Web portal authentication does not support EAP-MD5, EAP-TLS, or EAP-PEAP. VPN UAM supports these VPN access methods: L2TP and IPsec+L2TP VPN access, shown in Figure 4, is applicable to the following scenarios: Branches need to access the internal network of the headquarters. Mobile employees need to access the internal network of the headquarters. 8

20 Partners need to access some internal network resources of the headquarters. Figure 4 Network diagram of VPN access VPN access has the following features: UAM serves as the RADIUS server to authenticate user identities. The L2TP VPN gateway controls user access to the Intranet. The L2TP VPN gateway grants user access rights to resources according to the access control policies assigned by the UAM. MAC authentication MAC authentication, shown in Figure 5, is typically used to authenticate mute terminals. A mute terminal refers to a network terminal without an authentication interface, such as an IP phone or a printer. 9

21 Figure 5 Network diagram of MAC authentication MAC authentication has the following features: UAM serves as the RADIUS server to authenticate user identities. Access layer switches determine whether mute terminals can access the network. If a PC is attached to an IP phone, you must enable both MAC authentication and 802.1X authentication on the port of the access layer switch. MAC authentication authenticates the IP phone, and 802.1X authenticates the user that uses the PC. UAM local authentication In UAM local authentication, user data is saved in UAM and UAM authenticates user identities. If a user is valid, UAM informs the access device to permit network access and assigns the access control policies to the access device. The access device then controls user access to network according to the policies. LDAP authentication LDAP authentication, shown in Figure 6, is used in a network that uses an LDAP server to manage users. You only need to periodically synchronize user information from the LDAP server to UAM. 10

22 Figure 6 Network diagram of LDAP authentication LDAP authentication has the following features: After UAM receives an authentication request from a terminal user, UAM forwards the request to the LDAP server by using the LDAP protocol. The LDAP server authenticates the user identity. After the user passes identify authentication, UAM checks the binding information. If the user passes the check, UAM informs the access device to permit network access and assigns the access control policies to the access device. The access device then controls user access to the network according to the policies. RSA authentication RSA authentication, shown in Figure 7, is used for applications (for example, bank systems) that use dynamic passwords for security. UAM does not support dynamic passwords. Because of this, a RADIUS server that supports dynamic passwords (such as an RSA server) must be deployed. 11

23 Figure 7 Network diagram of RSA authentication RSA authentication has the following features: After UAM receives an authentication request from a terminal user, UAM forwards the request to the RSA server by using the RADIUS protocol. The RSA server authenticates the user identity. After the user passes identify authentication, UAM checks the binding information. If the user passes the check, UAM informs the access device to permit network access and assigns the access control policies to the access device. The access device then controls user access to the network according to the policies. Roaming authentication Roaming authentication, as shown in Figure 8, is typically used in a large-scale network that has deployed multiple UAM servers. Each server performs access control in an area, and a user needs to access the network in different areas. 12

24 Figure 8 Network diagram of roaming authentication Roaming authentication has the following features: Each terminal user has a local UAM server, which is the server that saves the user s information. Each terminal user also has a roaming UAM server, which is the server through which the user is connected to the network. Assume UAM 2 is the local UAM server of a user, and UAM 1 is the roaming UAM server of the user. After UAM 1 receives an authentication request from the user, UAM 1 forwards the request to UAM 2 through the RADIUS protocol. UAM 2 authenticates the user identity. If the user is valid, UAM 2 returns the authentication success message and the access control policies for the user to UAM 1. UAM 1 informs the access device to permit network access and control network access according to the policies. UAM and access device cooperation An access device forwards packets between terminal users and the UAM. It will control network access of the users according to the policies assigned by UAM. UAM supports establishing an authentication network with HP, H3C, Cisco, Huawei, and Ruijie devices and other devices that support standard RADIUS. 13

25 For use with UAM, an access device must be configured with RADIUS, 802.1X, portal, VPN, MAC authentication, or certificates, as needed to meet the network requirements. For more information about configuration, see the configuration guides of the access device. Other UAM functions Other UAM functions include monitoring and auditing, trouble report management, hierarchical management, system configuration, and self-service. Each function is discussed below. Monitoring and auditing UAM provides the following functions to monitor, control, and audit access users: Online user management Access service topology display and operation Log management Data export (dump) Reports Online user management UAM displays all online users in a list. You can perform the following operations on the list: Send messages. For example, you can send a message to users, telling them to log off before system maintenance. Log off illegal online users. You can log off a user when you notice that the user is illegal. For example, you may locate illegal online users by analyzing the user behavior audit results. Log off halted users. For example, after a network device is restarted, you can log off the users connected to the network device. Access service topology display and operation Log management An access service topology integrates user management and access device management into the basic network topology. On an access service topology, you can display/hide access users, log off online users, and send messages to online users. Logs help you analyze and audit users network access behaviors, as well as analyze and locate network errors. UAM logs user authentication failures, user network access details, and user self-service operations. Data export (dump) Reports The data export function lets you export data from UAM to other storage devices. Data export implements data backup and also reduces the data that UAM saves to ensure high performance. You can export these UAM data: access user information and user network access details. Reports summarize and display data in tables and charts. You can audit history user behaviors and analyze future trends based on reports. 14

26 UAM reports include online user count, service report, idle account report, monthly account number report, authentication failure types report, offline reasons report, monthly/daily service usage report, and monthly/daily per-user service usage report. UAM works with IAR to allow for custom reports. You can create custom reports as needed. Trouble report management Access users can encounter problems during network access. The trouble report function lets access users and administrators solve problems through negotiation. 1. Access users can view the FAQ to find a solution. 2. Access users can use the trouble report system to report unsolved problems to the administrator. 3. The administrator analyzes the problem and provides a solution, and if the problem is typical, adds it to the FAQ. The trouble report system is integrated in the user self-service platform. Hierarchical management Hierarchical management helps administrators manage a large-scale access network. IMC platform supports hierarchical management of users and devices. UAM supports hierarchical management of services. Hierarchical management lightens the workload of each administrator and ensures independency and security of each service group. System configuration The system configuration is a general policy for UAM operation. The system configuration includes the following settings: Global parameter settings. For example, specify whether to open the self-service and pre-registration service, and set the log storage period. Client upgrade configuration. You can restrict the inode client version that can be used by each user group. Self service Client secure configuration. Upgrade and maintain the inode dictionary to prevent illegal clients from accessing the network. At the UAM self-service center, access users can view and modify user information, view access details, modify user passwords, and clear the online information. 15

27 2 UAM authentication configuration guide UAM supports the following access modes: 802.1X access Portal access VPN access MAC authentication access UAM supports the following authentication modes: UAM local authentication LDAP authentication RSA authentication Roaming authentication You can configure a combination of user access and authentication modes. The following information describes how to configure UAM local authentication with four access modes and other authentication access mode combinations. An access mode supports multiple password transport modes. Some password transport modes, (for example, the certificate mode) are not suitable for all authentication modes X access and UAM local authentication To implement 802.1X access and UAM local authentication, you must configure UAM, an access device, and the inode client. Figure 9 shows the configuration items and recommended configuration procedure. Figure 9 Recommended configuration procedure for 802.1X access and UAM local authentication UAM configuration To configure RADIUS authentication: 1. Configure the access device. 16

28 2. (Optional) Configure access control settings. 3. Configure a service. 4. Configure an access user. Configuring the access device The access device configuration is a prerequisite for access area control (one of the access control settings). HP recommends that you configure the access device first. During authentication, the access device exchanges RADIUS packets with UAM. For UAM to properly exchange RADIUS packets with an access device, you must add the access device s information (such as the vendor name, IP address, port number, and key) to UAM. 1. To enter the access device configuration page, select Service > User Access Manager > Access Device Management from the IMC configuration menu, as shown in Figure 10. For more configuration information, see "Access device configuration." Figure 10 Enter the access device configuration page (Optional) Configuring access control settings When you configure a service, you can select access control parameters for the service. Certain access control parameters must already be configured, such as the access period. HP recommends configuring access control parameters before configuring services. The access control configuration is optional. If you do not configure any access control parameters, a user only needs to pass identity authentication to access the network. For more information, see "Service configuration." 1. To enter the configuration page of an access control item, select Service > User Access Manager. 2. Select the access control item, as shown in Figure

29 Figure 11 Enter the configuration page of an access control item Configuring a service A service is a set of access control settings. When you add an access user, you must apply for a service for the user. You must add services before adding access users. 1. To enter the service configuration page, select Service > User Access Manager > Service Configuration from the IMC configuration menu, shown in Figure 12. For more configuration information, see "Service configuration." Figure 12 Enter the service configuration page Configuring an access user The configuration for an access user includes account, password, and service. When authenticated and online, the access user is limited by the policies in the service. 1. To enter the access user configuration page, select User > Access User View > All Access Users from the IMC configuration menu, shown in Figure 13. For more configuration information, see "Managing access users." 18

30 Figure 13 Enter the access user configuration page Access device configuration For specific commands for each configuration item, see the configuration guide or command reference manual for the access device. To configure the access device: 1. Create a RADIUS scheme. 2. Create a domain. 3. Enable 802.1X and configure the password transport mode. Creating a RADIUS scheme An access device exchanges RADIUS packets with UAM according to the configured RADIUS scheme. When you configure a RADIUS scheme, follow these guidelines: The authentication server IP and the accounting server IP that you specified in the RADIUS scheme must be the IP address of the UAM server. The share key and authentication/accounting port specified in the RADIUS scheme must be consistent with those configured for the access device on UAM. Creating a domain When you configure a domain, follow these guidelines: For 8021.X access, select LAN access as the terminal user access mode. The RADIUS scheme used by the domain must be configured as explained in the previous topic. Enabling 802.1X and the password transport mode You must enable 802.1X globally and on interfaces. 19

31 HP A series switches and H3C switches support these password transport modes: PAP, CHAP, and EAP. Cisco switches only support EAP. inode client configuration After you install the inode client, you need to create an 802.1X authentication connection. For the configuration procedure, see the inode client help. Parameter correlation For authentication to run properly, the username specified on the inode client, the domain and RADIUS scheme configuration on the access device, and the suffix of the service in UAM must comply with the correlation rules shown in Table 1. Table 1 Parameter correlation Username format on the inode client Domain on the access device Username format configured on the access device Service suffix in UAM X@Y Y user-name-format with-domain user-name-format without-domain Y No suffix X [Default Domain] The default domain specified on the access device user-name-format with-domain user-name-format without-domain Name of the default domain No suffix HP recommends using the configuration in the first line to accommodate authentication for terminal users. The commands shown in Table 1 are those on the HP A series switches. For commands on other devices, see the command reference manuals for those devices. Portal access and UAM local authentication To implement portal access and UAM local authentication, you must configure UAM, access device, and inode client (PC). Figure 14 shows the configuration items and the recommended configuration procedure. Figure 14 Recommended configuration procedure for portal access and UAM local authentication 20

32 UAM configuration UAM configuration includes RADIUS authentication and portal authentication. RADIUS authentication HP recommends that you configure the RADIUS authentication function of UAM in the following order: access device, access control policy (optional), service, and access user. 1. Configure the access device. The access device configuration is the prerequisite for access area control (one of the access control settings). HP recommends that you configure the access device first. During authentication, the access device exchanges RADIUS packets with UAM. For UAM to exchange RADIUS packets with an access device, you must add the access device s information (such as the vendor name, IP address, port number, and key) to UAM. 2. To enter the access device configuration page, select Service > User Access Manager > Access Device Management from the IMC configuration menu, shown in Figure 15. For more configuration information, see "Access device configuration." Figure 15 Enter the access device configuration page 3. (Optional) Configure access control settings. When you configure a service, you can select access control parameters for the service. Certain access control parameters must already be configured, such as the access period. HP recommends configuring such access control parameters before configuring services. The access control configuration is optional. If you do not configure any access control parameters, a user only needs to pass identity authentication to access the network. 4. To enter the configuration page of an access control item, select Service > User Access Manager, and then select the access control item, as shown in the red box in Figure 16. For more configuration information, see "Service configuration." 21