H3C SSL VPN RADIUS Authentication Configuration Example

Copyright 2012 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
Contents

Feature overview
Application scenarios
Configuration restrictions and guidelines
Prerequisites
Network requirements
Configuration considerations
Software version used
Configuration procedures
  Configuring the SSL VPN card
  Configuring IMC
Verifying the configuration
Related documentation
Feature overview

SSL VPN is an SSL-based virtual private network technology. It works between the transport layer and the application layer. Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms provided by SSL, SSL VPN provides secure connections for application-layer communications. SSL VPN supports local, RADIUS, LDAP, and AD authentication.

RADIUS is a distributed information interaction protocol that uses a client/server model. It provides remote user access while protecting the network against unauthorized access. H3C Intelligent Management Center (IMC) provides enhanced user authentication, accounting, and management functions. This configuration example uses IMC as the RADIUS server.

Application scenarios

This configuration example applies to networks that perform RADIUS authentication for SSL VPN users.

Configuration restrictions and guidelines

Make sure IMC contains a user group whose name is the same as the one configured on the SSL VPN card.

The accounting configuration is optional. If accounting is disabled, IMC does not provide billing statistics for online users.

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all the devices started with the factory default configuration. If you are working in a live network, make sure you understand the potential impact of every command on your network.

Network requirements

The interface GigabitEthernet 0/0/1 on the SSL VPN card is connected to the RADIUS servers and the internal network. The interface GigabitEthernet 0/0/0 on the SSL VPN card is connected to the Internet.
SSL VPN users use public network addresses to access the SSL VPN card, and must pass RADIUS authentication to access the internal network servers.

Figure 1 Network diagram (SSL VPN card: GE0/0/0 200.0.0.21/24 to the Internet, GE0/0/1 192.168.252.21/24 to the internal network through a switch or router; RADIUS servers 192.168.100.51 and 192.168.100.199; FTP server 192.168.100.10; web server 10.153.1.223; other servers in 10.0.0.0/8; SSL VPN users reach the gateway across the IP network)

Configuration considerations

Configure IP addresses for the interfaces on the SSL VPN card.
Configure a domain in the SSL VPN root domain.
Configure RADIUS authentication in the configured domain.
Configure IMC.

Software version used

This document uses an H3C SecBlade SSL VPN card for S7500E switches to describe the SSL VPN RADIUS authentication configuration. The configuration on the SSL VPN cards for SR6600 and SR8800 routers is similar. An SSL VPN card for an S7500E switch uses the internal high-speed GE interface to connect to the switch. An SSL VPN card for an SR6600 or SR8800 router uses the internal high-speed 10GE interface to connect to the router.

This configuration example was created and verified on E7115 and applies to version E7110 and higher versions of the SSL VPN card.
Configuration procedures

Configuring the SSL VPN card

Configuring interface addresses and static routes

1. Configure GigabitEthernet 0/0/0, the interface connected to the Internet.

<Sysname> system-view
[Sysname] interface GigabitEthernet0/0/0
[Sysname-GigabitEthernet0/0/0] ip address 200.0.0.21 255.255.255.0
[Sysname-GigabitEthernet0/0/0] quit

2. Configure GigabitEthernet 0/0/1, the interface connected to the internal network.

[Sysname] interface GigabitEthernet0/0/1
[Sysname-GigabitEthernet0/0/1] ip address 192.168.252.21 255.255.255.0
[Sysname-GigabitEthernet0/0/1] quit

3. Add static routes: a default route toward the Internet next hop, and routes to the internal server networks through the internal gateway.

[Sysname] ip route-static 0.0.0.0 0.0.0.0 200.0.0.30 preference 60
[Sysname] ip route-static 10.0.0.0 255.0.0.0 192.168.252.254 preference 60
[Sysname] ip route-static 192.168.100.0 255.255.252.0 192.168.252.254 preference 60

Configuring a domain in the SSL VPN root domain

1. Enter https://192.168.252.21/admin in the address bar of your browser to open the SSL VPN login page.
2. Select root from the Login to list to log in to the SSL VPN root domain as a super administrator.

Figure 2 SSL VPN login page
3. Select Domain > Domain Policy from the navigation tree.
4. Click Add to create a domain and click Apply.

Figure 3 Adding a domain

5. Select Domain > Configuration Management from the navigation tree.
6. Click Save.

Figure 4 Saving the configuration

7. Click Exit on the upper right.

Configuring RADIUS authentication and accounting

1. On the SSL VPN login page, select zone from the Login to list to log in to the SSL VPN domain zone as a common administrator.
Figure 5 SSL VPN login page

2. Select Domain > Authentication from the navigation tree.
3. Click the RADIUS Authentication tab.
4. Enter the primary and secondary server addresses and the shared key, and select Enable Authentication and Enable Accounting.

Figure 6 Configuring RADIUS authentication and accounting
5. Select With domain name from the Username Format list if the RADIUS server requires a domain name for authentication. The domain name automatically appears next to the Username Format field, as shown in Figure 7. This domain name will be used for service configuration. (See "Adding a service.")
6. Click Apply.

Figure 7 Username format with domain name

Configuring resources

1. Add a web proxy resource:
   a. Select Resource > Web Site from the navigation tree.
   b. Click Add.
   c. Configure the web proxy resource, as shown in Figure 8.
   d. Click Apply.
Figure 8 Configuring a Web proxy resource

2. Add a remote access service resource:
   a. Select Resource > TCP Application from the navigation tree.
   b. Click the Telnet tab.
   c. Click Add.
   d. Configure the remote access service resource, as shown in Figure 9.
   e. Click Apply.

Figure 9 Configuring a remote access service resource
3. Configure global parameters for IP network resources:
   a. Select Resource > IP Network from the navigation tree.
   b. Click the Global Configuration tab.
   c. Configure an IP address pool and basic parameters, as shown in Figure 10.
   d. Click Apply.

Figure 10 Global configuration

4. Configure a host resource:
   a. Select Resource > IP Network from the navigation tree.
   b. Click the Host Configuration tab.
   c. Enter the resource name ftp.
   d. Click the Accessible Network Service tab, and then click Add to configure an accessible network service, as shown in Figure 11.
   e. Click the Shortcut tab, and then click Add to configure a shortcut to the network service, as shown in Figure 12.
   f. Click Apply.
Figure 11 Configuring an accessible network service

Figure 12 Configuring a network service shortcut

5. Configure a resource group:
   a. Select Resource > Resource Group from the navigation tree.
   b. Click Add.
   c. Specify the group name, and then assign resources tech, telnet, and ftp to the group.
   d. Click Apply.
Figure 13 Configuring a resource group

Configuring a user group

1. Select User > User Group from the navigation tree.
2. Click Add.
3. Enter sslvpn_group as the group name, and then associate the resource group test with the user group.
4. Click Apply.
Figure 14 Configuring a user group

Saving the configuration

1. Select Domain > Configuration Management from the navigation tree.
2. Click Save.

Figure 15 Saving the configuration
Configuring IMC

Adding an access device

1. Log in to IMC.
2. On the top navigation bar, click Service and then select User Access Manager > Access Device Management from the menu.
3. Click Add.

Figure 16 Adding an access device

4. Configure the access information, including the shared key, authentication port, accounting port, and access device type, as shown in Figure 17.

Figure 17 Configuring the access information

5. Click Add Manually in the Device List area.
6. Specify the start IP address and click OK.

Figure 18 Adding an access device manually

7. Click OK at the bottom of the page. The page displays a success message, as shown in Figure 20.

Figure 19 Completing access device configuration
Figure 20 Access device successfully added

Adding a service

1. Select User Access Manager > Service Configuration from the navigation tree.
2. Click Add.

Figure 21 Service list

3. Configure the service parameters as follows:
   Enter 8042_ssl as the service name.
   Enter svpnaaa11 as the service suffix.
   Make sure the value is the same as the domain name to be used for RADIUS authentication. If the RADIUS server does not require any domain name for authentication, do not configure this parameter.
   Select Free from the Charging Plan list.
   Select the Deploy User Group box and specify the user group sslvpn_group.
4. Click OK. The page displays a success message, as shown in Figure 23.

Figure 22 Adding a service
Figure 23 Service successfully added

Adding an access user account

1. Select User > All Access Users on the top navigation bar.
2. Click Add.

Figure 24 Access user list

3. Click Add User.
4. Specify the user name and identity number, select the user group, and click OK.
Figure 25 Adding an IMC Platform user account

5. Configure the access information and select the service 8042_ssl in the access service list for the access user account, as shown in Figure 26.
6. Click OK. The page displays a success message, as shown in Figure 27.
Figure 26 Adding an access user account

Figure 27 Access user account successfully added
Verifying the configuration

Log in to SSL VPN that uses RADIUS authentication:

1. Open the SSL VPN user login page at https://200.0.0.21/.
2. Enter the SSL VPN username and password.
3. Select RADIUS from the Auth Mode list.
4. Click Login.

Figure 28 Logging in to SSL VPN

The SSL VPN user can successfully log in to the SSL VPN gateway and access websites, TCP applications, and IP access resources configured for the user.

Figure 29 Accessing internal network resources
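The RADIUS exchange that the login above triggers, as an added example that is not part of this H3C document and is not H3C or IMC code: a Python model of the Access-Request the SSL VPN card sends to the RADIUS server and the Access-Accept or Access-Reject it gets back, following RFC 2865 (PAP User-Password obfuscation with the shared key and Request Authenticator, and the Response Authenticator the card checks on the reply). It assumes the "With domain name" username format yields user@domain, so the server sees alice@svpnaaa11, matching the service suffix from "Adding a service"; the user table, the shared key and the NAS address 192.168.252.21 are constructed sample values. The third run_exchange call shows what a shared-key mismatch between the card and IMC looks like: the server recovers garbage for the password and rejects, and the card cannot validate the Response Authenticator, which is the symptom to look for when the card's shared key and the access device's key in IMC differ.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def recover_password(encoded, secret, authenticator):
    """Inverse of obfuscate_password: what the RADIUS server does before checking the credential."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """What the SSL VPN card (the NAS) sends; the Request Authenticator is 16 random bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def response_is_authentic(response, request, secret):
    """NAS-side check: only honour replies produced with the expected shared key and ID."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radius_server(request, secret, users):
    """Minimal server: look up the full user name (with the service suffix) and compare the PAP password."""
    attrs = parse_attrs(request)
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    return build_response(code, request, secret)


def run_exchange(username, password, gateway_secret, server_secret):
    """One Access-Request round trip; returns the reply code and whether the card could verify it."""
    users = {"alice@svpnaaa11": b"correct-horse"}  # constructed IMC user table (name includes the suffix)
    request = build_access_request(7, username, password, "192.168.252.21", gateway_secret)
    response = radius_server(request, server_secret, users)
    return {"code": response[0],
            "authentic": response_is_authentic(response, request, gateway_secret)}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    print(run_exchange("alice@svpnaaa11", "correct-horse", key, key))   # accept, authentic
    print(run_exchange("alice@svpnaaa11", "wrong", key, key))           # reject, authentic
    print(run_exchange("alice", "correct-horse", key, key))             # reject: no service suffix
    print(run_exchange("alice@svpnaaa11", "correct-horse", key, b"x"))  # reject, not authentic
```

The two failure runs correspond to the two guidelines on this page: the user name must carry the suffix the IMC service expects, and the shared key entered on the card's RADIUS Authentication tab must equal the key configured for the access device in IMC. Note that plain RFC 2865 gives the server no way to tell a wrong key from a wrong password; both simply reject, so the card-side Response Authenticator failure is the better diagnostic.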
Related documentation

H3C SecBlade SSL VPN Card Web Configuration Guide
H3C Intelligent Management Center Getting Started Guide