- Released At: 15-05-2026
H3C EIA Self-Developed Token
Configuration Examples
Document version: 5W105-20251014
Product Version: EIA (E6605)
Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring the self-developed token
Procedures for a RADIUS device management user
Procedures for a TACACS device management user
Using the iNode client on the PC for 802.1X authentication
Using the RADIUS or TACACS device management user to verify the configuration
Introduction
The self-developed token feature is a two-factor authentication solution implemented through the cooperation of the dynamic token app developed by H3C (H3C e-shield) and EIA.
H3C e-shield randomly generates a dynamic password for each bound access account. The password changes every 30 seconds and is valid for one-time use only, which provides strong authentication security.
Compared with traditional mobile dynamic password authentication, dynamic token authentication is more secure: it avoids several easily exploited weaknesses of that approach, requires no phone number (which protects user privacy), and incurs no usage fees payable to third parties.
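The 30-second, one-time behaviour described above, together with the two validation modes that the access policy later selects (Dynamic Password, and Account Password + Dynamic Password), as an added example that is not EIA or e-shield code. It assumes RFC 6238 TOTP (HMAC-SHA1, 6 digits); the document does not state which algorithm H3C e-shield uses, and the assumption that the combined mode is the account password typed immediately followed by the dynamic password is also mine. The key and timestamps are constructed (the key is the RFC 6238 test secret).

```python
"""Illustration of a 30-second one-time dynamic password and of the two
Authentication Password modes. Added example; assumes RFC 6238 TOTP and is
not EIA or H3C e-shield code."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the document states the password changes every 30 seconds
DIGITS = 6          # assumption: 6-digit codes


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, int(unix_time) // step, digits)


class TokenVerifier:
    """Server-side check: accept a code from the current step or its neighbours
    (clock skew), but never accept a time step twice, so each code is one-time."""

    def __init__(self, key, skew_steps=1):
        self.key = key
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code, unix_time):
        current = int(unix_time) // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # replayed or stale step: already consumed
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_accepted_step = step
                return True
        return False


def verify_login(mode, entered, static_password, verifier, unix_time):
    """Apply the policy's Authentication Password setting to what the user typed.
    Assumption: in the combined mode the account password is followed directly
    by the 6-digit dynamic password."""
    if mode == "Dynamic Password":
        return verifier.verify(entered, unix_time)
    if mode == "Account Password + Dynamic Password":
        if len(entered) <= DIGITS:
            return False
        static, dynamic = entered[:-DIGITS], entered[-DIGITS:]
        static_ok = hmac.compare_digest(static.encode(), static_password.encode())
        # the dynamic code is consumed only after the static password matched,
        # so a typo in the account password does not burn the current code
        return static_ok and verifier.verify(dynamic, unix_time)
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 6238 test secret (constructed)
    verifier = TokenVerifier(key)
    code = totp(key, 1000)
    print(verify_login("Account Password + Dynamic Password",
                       "Secret123" + code, "Secret123", verifier, 1000))  # True
    print(verifier.verify(code, 1005))                                     # False: replay
```

The verifier keeps only the last accepted time step per account; a real server would persist that counter per user and keep the skew window small, since every extra step widens the guessing window of a 6-digit code.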
Usage guidelines
Application scenarios
This feature is applicable to scenarios such as Wi-Fi access authentication for banks, access authentication for carrier stores, and admission authentication for enterprises. It effectively ensures transaction and login authentication security.
Example: Configuring the self-developed token
Network configuration
· The PC is an endpoint used in a company.
· The IP address of the EIA/TAM server is 10.114.117.66. To view the IP address of the EIA server:
NOTE:
· In a cluster deployment, specify the northbound service VIP as the IP address of the EIA server. Do not specify the node IP address of the EIA server.
· The northbound service VIP in the screenshot is for illustration only. It differs from the one used in this example.
1. Enter https://ip_address:8443/matrix/ui in the address bar of the browser to open the Matrix page. The ip_address argument represents the northbound service VIP or node IP address.
2. On the top navigation bar, click DEPLOY. From the navigation pane, select Clusters. Click the Cluster Parameters tab.
3. The northbound service VIP on this page is the IP address of the EIA server, as shown in Figure 1.
Figure 1 Viewing the IP address of the EIA server
· The management IP address of the access device is 192.168.30.100. The PC connects to GE1/0/5 on the access switch.
Software versions used
This configuration example was created and verified on the following software:
· EIA (E6605).
· The access device is an H3C S5560X-34C-HI switch running Comware Software, Version 7.1.070, ESS 6515P06.
Procedures for a common user
Configuring the EIA server
Adding an access device
Add an access device to establish an interaction between the EIA server and the device. To add an access device:
1. On the top navigation bar, click the Automation tab.
2. From the navigation pane, select User > Access Service. Click the Access Device Management > Access Device tab.
Figure 3 Access Device tab
3. Click Add. Configure the parameters as shown in Table 1. Use the default settings for other parameters. The configuration result is as shown in Figure 4.
Table 1 Access device parameters
Parameter | Description
Authentication Port | Specify a port number for EIA to listen for RADIUS authentication packets. Make sure the setting is consistent with the authentication port configured on the access device through the CLI. EIA and access devices typically use the default port 1812.
Accounting Port | Specify a port for EIA to listen for RADIUS accounting packets. Make sure the setting is consistent with the accounting port configured on the access device through the CLI. EIA and access devices typically use the default port 1813.
Service Type | Select a service type for the access device from the drop-down list. Options include Unlimited and Device Management Service. In this example, select Unlimited.
Access Device Type | Select the vendor and type of the access device from the drop-down list. Options include the standard, EIA predefined, and user-defined vendors and types. In this example, select H3C (General).
Service Group | Select the service group to which the access device belongs. Add different access devices to different service groups for hierarchical management. In this example, select Ungrouped.
Shared Key/Confirm Shared Key | Specify a shared key and confirm it. When the access device works with EIA for authentication, they use this key to verify each other's legitimacy. Make sure the setting is consistent with the shared key configured on the access device through the CLI. In this example, set the shared key to fine.
Access Location Group | Select an access location group for the access device. You can select an existing access location group or None. The access location group is one of the user access conditions. In this example, select None.
Figure 4 Completing adding an access device
4. Configure the access device. Click Add IPv4 Device in the Device List area. In the window that opens, enter the IP address of the access device in the Device IP field, leave the other parameters unchanged, and then click Confirm.
Figure 5 Adding an access device
Figure 6 Configuration completed
5. Click Confirm. You can view the newly added access device in the access device list.
Figure 7 Viewing the newly added access device
Adding an access policy
Access policies are referenced by services and constrain how users request services and connect to the network. Configured access policies can be referenced by services. To add an access policy:
1. On the top navigation bar, click Automation. From the navigation pane, select User > Access Service > Access Policy > Access Policy.
2. Click Add. On the page that opens, configure the parameters as follows:
¡ Access Policy Name: Enter the access policy name. In this example, enter 802.1X-Policy.
¡ Authentication Password: Select Dynamic Password or Account Password + Dynamic Password. In this example, select Account Password + Dynamic Password.
- Dynamic Password: The server validates only the dynamic password.
- Account Password + Dynamic Password: The server validates both the static user password and the dynamic password.
¡ Use the default settings for other parameters.
The configuration result is as shown in Figure 9.
Figure 9 Configuring an access policy
3. Click Confirm to return to the Access Policy page. You can view the newly added access policy in the access policy list.
Figure 10 Viewing the newly added access policy
Adding an access service
An access service is a collection of policies for user authentication and authorization. This example does not apply any access control to users. Therefore, it only adds a simple access service. To add an access service:
1. On the top navigation bar, click Automation. From the navigation pane, select User > Access Service.
2. Click Add. On the page that opens, configure the access service parameters as follows:
¡ Service Name: Enter a service name. Make sure the name is unique on the EIA server.
¡ Service Suffix: Enter a service suffix, which is closely related to the configuration of the access device. For more information, see Table 2. In this example, you do not need to enter a service suffix because domain names are configured to be excluded in a RADIUS-related command.
¡ Default Access Policy: Select 802.1X-Policy.
¡ Use the default settings for other parameters.
Table 2 Matrix of service suffix and access device configuration
Authentication username | Authentication domain | Device's RADIUS scheme command | Service suffix on EIA
X@Y | Y | user-name-format with-domain | Y
X@Y | Y | user-name-format without-domain | No suffix
X | [Default Domain] Default domain specified on the device | user-name-format with-domain | [Default Domain]
X | [Default Domain] Default domain specified on the device | user-name-format without-domain | No suffix
NOTE: The commands in Table 2 are applicable to H3C (General) devices. For information about commands applicable to other devices, see the command references for the device.
The configuration result is as shown in Figure 12.
Figure 12 Adding an access service
3. Click Confirm to return to the Access Service page. You can view the newly added access service in the access service list.
Figure 13 Viewing the newly added access service
Adding an access user
You must configure the identification information for an access user on EIA, including the username, password, access service, and other information.
To add an access user:
1. On the top navigation bar, click Automation. From the navigation pane, select User > Access User.
Figure 14 All Access Users page
2. Click Add.
Figure 15 Adding an access user
Parameters
¡ User Name: Enter the username.
¡ Identity Number: Enter the user ID.
¡ Account Name: A unique name that identifies a user, which can be used to apply for and access services. Make sure the name differs from existing ones and avoids special characters #+/?%&=*'@\"[]()<>` and the Tab key. Keep the name within 200 characters.
¡ Password/Password Confirm: Enter the same password twice.
¡ Use the default settings for other parameters.
3. Specify the access service. This example uses the previously added access service.
Figure 16 Specifying the access service
4. Click Confirm to return to the All Access Users page. You can view the newly added access user in the access user list.
Figure 17 Viewing the newly added access user
Enabling dynamic token authentication
1. Click Automation. From the navigation pane, select User > Service Parameters > Access Parameters.
Figure 18 Access Parameters page
2. Click the configure icon in the Configure column for System Parameters. On the page that opens, enable the Dynamic Token Auth feature.
Figure 19 Enabling dynamic token authentication
Configuring the access device
1. Configure a RADIUS scheme:
# Configure a RADIUS scheme named 1xallpermit.
[sw]radius scheme 1xallpermit
New RADIUS scheme.
# Specify the EIA server as the authentication server. Configure the authentication port as that configured on EIA.
[sw-radius-1xallpermit]primary authentication 10.114.117.66 1812
# Specify the EIA server as the accounting server. Configure the accounting port as that configured on EIA.
[sw-radius-1xallpermit]primary accounting 10.114.117.66 1813
# Configure the shared keys for authentication and accounting as those configured on EIA.
[sw-radius-1xallpermit]key authentication simple fine
[sw-radius-1xallpermit]key accounting simple fine
# Exclude domain names from the usernames sent to the RADIUS server.
[sw-radius-1xallpermit]user-name-format without-domain
[sw-radius-1xallpermit]quit
2. Configure a domain:
# Configure a domain named 1xallpermit.
[sw]domain 1xallpermit
# Configure the domain to use RADIUS scheme 1xallpermit for authentication, authorization, and accounting.
[sw-isp-1xallpermit]authentication default radius-scheme 1xallpermit
[sw-isp-1xallpermit]authorization default radius-scheme 1xallpermit
[sw-isp-1xallpermit]accounting default radius-scheme 1xallpermit
[sw-isp-1xallpermit]quit
# Specify the domain as the default ISP domain.
[sw]domain default enable 1xallpermit
3. Configure 802.1X authentication:
# Enable 802.1X both globally and on GigabitEthernet 1/0/5. For the 802.1X feature to take effect on an interface, you must enable the feature both globally and on that interface.
[sw]dot1x
[sw]interface GigabitEthernet1/0/5
[sw-GigabitEthernet1/0/5]dot1x
[sw-GigabitEthernet1/0/5]quit
# Set an 802.1X authentication method. This example uses CHAP. To perform certificate-based authentication, you must set the authentication method to EAP.
[sw]dot1x authentication-method chap
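The RADIUS exchange that the scheme above sets up, as an added example (not H3C or EIA code) showing why the shared key and the user-name-format must agree with the EIA configuration: it builds an Access-Request with the password hidden under the shared key "fine" from a NAS at 192.168.30.100, derives the User-Name the device sends according to Table 2 (default domain 1xallpermit, user-name-format without-domain), and verifies the Response Authenticator on the reply. The user name, password and user store are constructed. It hides the password PAP-style (User-Password, RFC 2865); with dot1x authentication-method chap the device would carry CHAP-Password and CHAP-Challenge instead, but the shared-key checks on the reply are the same.

```python
"""RADIUS Access-Request / Access-Accept round trip (RFC 2865) between an
802.1X switch and an authentication server. Added example, not H3C or EIA
code; user store and credentials are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows
AUTH_LEN = 16


def nas_user_name(login, default_domain, with_domain):
    """Table 2 rule: the domain is Y in X@Y, otherwise the device default domain;
    user-name-format decides whether the domain is sent to the server at all."""
    user, _, domain = login.partition("@")
    domain = domain or default_domain
    return f"{user}@{domain}" if with_domain else user


def attribute(kind, value):
    return struct.pack("BB", kind, len(value) + 2) + value


def parse_attributes(packet):
    attrs, pos = {}, HEADER.size + AUTH_LEN
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def xor_password(secret, request_auth, data, hide):
    """RFC 2865 s5.2: block i is XORed with MD5(secret + previous ciphertext
    block); block 1 uses MD5(secret + Request Authenticator)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = result if hide else block   # chain on the ciphertext block either way
    return out


def hide_password(secret, request_auth, password):
    padded = password + b"\x00" * (-len(password) % 16)
    return xor_password(secret, request_auth, padded, hide=True)


def reveal_password(secret, request_auth, hidden):
    return xor_password(secret, request_auth, hidden, hide=False).rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, ident, HEADER.size + AUTH_LEN + len(body)) + authenticator + body


def access_request(secret, ident, user_name, password, nas_ip):
    request_auth = os.urandom(AUTH_LEN)   # fresh random Request Authenticator per request
    attrs = [attribute(USER_NAME, user_name.encode()),
             attribute(USER_PASSWORD, hide_password(secret, request_auth, password.encode())),
             attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(secret, code, ident, request_auth, body):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + AUTH_LEN + len(body)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + body + secret).digest()


def server_handle(secret, users, request):
    """Server side: recover the password with the shared key, check the user
    store, and answer Accept or Reject with a Response Authenticator."""
    _, ident, _ = HEADER.unpack_from(request)
    request_auth = request[HEADER.size:HEADER.size + AUTH_LEN]
    attrs = parse_attributes(request)
    name = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(secret, request_auth, attrs[USER_PASSWORD])
    ok = name in users and hmac.compare_digest(password, users[name])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(secret, code, ident, request_auth, b""), [])


def nas_verify(secret, request, response):
    """NAS side: trust the reply only if it answers this request and its
    authenticator proves the server holds the same shared key."""
    code, ident, _ = HEADER.unpack_from(response)
    if ident != request[1]:
        return False
    request_auth = request[HEADER.size:HEADER.size + AUTH_LEN]
    expected = response_authenticator(secret, code, ident, request_auth,
                                      response[HEADER.size + AUTH_LEN:])
    return hmac.compare_digest(expected, response[HEADER.size:HEADER.size + AUTH_LEN])


def exchange(nas_secret, server_secret, login, password, users):
    """One round trip; True only if the server accepted and the switch could
    verify the reply. With mismatched keys both checks fail."""
    user_name = nas_user_name(login, "1xallpermit", with_domain=False)
    request = access_request(nas_secret, 7, user_name, password, "192.168.30.100")
    response = server_handle(server_secret, users, request)
    return response[0] == ACCESS_ACCEPT and nas_verify(nas_secret, request, response)


USERS = {"user1": b"P@ssw0rd"}   # constructed user store: EIA account name -> password

if __name__ == "__main__":
    print(exchange(b"fine", b"fine", "user1@1xallpermit", "P@ssw0rd", USERS))   # True
    print(exchange(b"fine", b"wrong", "user1@1xallpermit", "P@ssw0rd", USERS))  # False
```

Because the user name is sent without its domain, the EIA account is matched as user1 with no service suffix, which is the Table 2 row this example relies on; had the scheme used user-name-format with-domain, the server would have to know the suffix 1xallpermit.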
Binding the user to the token
Binding the user to the token through registration
IMPORTANT: To bind the user to the dynamic token through registration, ensure network connectivity between the user endpoint and the EIA server.
1. Install the H3C e-shield on the phone and open it.
2. Click the icon in the upper left corner. Enter the EIA server address in the Server Address field.
3. Return to the home page.
4. Click Register. On the page that opens, select Access User.
5. Enter the username and password, and then click Generate Password.
6. The user has been bound to the token.
Binding the user to the token by scanning a QR code
1. On the top navigation bar, click Automation. From the navigation pane, select User > Access User.
2. Select the access user, click More, and then select Batch Register Dynamic Tokens.
Figure 20 Batch registering dynamic tokens
3. In the window that opens, click OK. The QR code page opens.
4. On the home page of the H3C e-shield, click Scan to scan the QR code.
5. The user is bound to the token after a successful scan.
Obtaining a dynamic password
To obtain a dynamic password, click the token for the access user.
Procedures for a RADIUS device management user
Configuring the EIA server
Adding an access device
See "Adding an access device."
NOTE: The service type for the access device must be Unlimited or Device Management Service.
Enabling dynamic token authentication
See "Enabling dynamic token authentication."
Adding a RADIUS device management user
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Device User(RADIUS) > Device Users.
2. Click Add. On the page that opens, perform the following tasks:
¡ Configure the user name and user password.
¡ Select Dynamic Password or Account Password + Dynamic Password from the Authentication Password list. In this example, select Account Password + Dynamic Password.
- Dynamic Password: The server validates only the dynamic password.
- Account Password + Dynamic Password: The server validates both the static user password and the dynamic password.
¡ Select Telnet from the Login Type list.
¡ Use the default settings for other parameters.
Figure 23 Adding a device management user
3. Click Confirm.
Figure 24 Viewing the newly added device management user
Configuring the access device
Specify the EIA server as the AAA server to authenticate login users.
Telnet to the access device from the Windows CLI window as follows:
1. Telnet to the access device and enter system view.
2. Enable scheme authentication for user lines VTY 0 through VTY 4.
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]authentication-mode scheme
[H3C-ui-vty0-4]quit
3. Configure a RADIUS scheme. Specify the EIA server as the primary authentication server and primary accounting server. Make sure the authentication port, accounting port, and shared key are the same as those configured on the EIA server.
[H3C]radius scheme 391
New RADIUS scheme
[H3C-radius-391]primary authentication 10.114.117.66 1812
[H3C-radius-391]primary accounting 10.114.117.66 1813
[H3C-radius-391]key authentication simple fine
[H3C-radius-391]key accounting simple fine
[H3C-radius-391]nas-ip 192.168.30.100
[H3C-radius-391]user-name-format with-domain
[H3C-radius-391]quit
4. Create a domain and configure users to use RADIUS scheme 391 for authentication, authorization, and accounting when accessing the device.
[H3C]domain 391
New Domain added
[H3C-isp-391]authentication login radius-scheme 391
[H3C-isp-391]authorization login radius-scheme 391
[H3C-isp-391]accounting login radius-scheme 391
[H3C-isp-391]quit
5. Specify the domain as the default ISP domain.
[H3C]domain default enable 391
Binding the user to the token
Binding the user to the token through registration
IMPORTANT: To bind the user to the dynamic token through registration, ensure network connectivity between the user endpoint and the EIA server.
1. Install the H3C e-shield on the phone and open it.
2. Click the icon in the upper left corner. Enter the EIA server address in the Server Address field.
3. Return to the home page.
4. Click Register. On the page that opens, select Device Management User (RADIUS).
5. Enter the username and password, and then click Generate Password.
6. The user has been bound to the token.
Binding the user to the token by scanning a QR code
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Device User(RADIUS) > Device Users.
2. Select the device management user, click More, and then select Batch Register Dynamic Tokens.
Figure 25 Batch registering dynamic tokens
3. In the window that opens, click OK. The QR code page opens.
4. On the home page of the H3C e-shield, click Scan to scan the QR code.
5. The user is bound to the token after a successful scan.
Obtaining a dynamic password
To obtain a dynamic password, click the token for the device management user.
Procedures for a TACACS device management user
Configuring the TAM server
This example only requires authentication-related settings. This document does not cover authorization commands. Configure authorization as needed.
Adding a device area
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Authorization Conditions > Device Areas.
2. Click Add. On the page that opens, enter the area name.
Figure 28 Adding a device area
3. After the configuration is completed, click OK.
Adding a device type
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Authorization Conditions > Device Types.
Figure 29 Device Types page
2. Click Add. On the page that opens, enter the type name.
Figure 30 Adding a device type
3. After the configuration is completed, click OK.
Adding an authorized time range policy
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Authorization Conditions > Time Ranges.
2. Click Add. On the page that opens, enter the policy name in the Basic Information area, and use the default settings for other parameters. In the Authorized Time Range Information area, click Add. On the page that opens, select Weekly from the Type list and specify the start time and the end time.
Figure 32 Adding an authorized time range information entry
3. After the configuration is completed, click OK.
Figure 33 Adding an authorized time range policy
4. Click OK.
Figure 34 Configuration completed
Adding a device
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Device Management(TACACS).
Figure 35 Device Management(TACACS) page
2. Click Add.
3. On the page that opens, enter a shared key, confirm it, and use the default settings for other parameters. Click Add IPv4, and select Add. On the page that opens, enter the device IP address.
Parameters
¡ Shared Key/Confirm Shared Key: Specify a shared key and confirm it. The shared key is used for the device and TAM to authenticate each other. The value must be the same as that configured on the device.
¡ Authentication Port: Enter the port for TAM to listen for authentication packets. The port must be the same as that configured on the device.
¡ Device Area: Select areas to which the device belongs. A device can belong to multiple areas.
¡ Device Type: Select a type for the device. A device can have only one type.
¡ Single Connection: The following options are available:
- Supported: TAM supports establishing multiple sessions in one TCP connection when communicating with the device.
- Not Supported: TAM supports establishing only one session in one TCP connection when communicating with the device.
This example uses the default setting.
¡ Watchdog: The following options are available:
- Supported: TAM keeps the online status and duration of an online device user by receiving watchdog packets sent by the device.
- Not Supported: TAM does not keep the online status and duration of an online device user because it does not receive watchdog packets sent by the device.
The configuration must be the same as that on the device. This example uses the default setting.
Figure 36 Adding a single device
4. Click OK.
Figure 37 Completing adding a device
5. Click OK. You can view the newly added device in the device list.
Figure 38 Viewing the newly added device
Enabling dynamic token authentication
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > System Configuration > RSA Authentication Parameters.
2. Select Enable RSA.
Adding a TAM device user authorization policy
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Authorization Policies.
Figure 40 Authorization Policies page
2. Click Add. On the page that opens, enter the policy name, select Enable RSA, and select TAM + RSA Passwords from the Password Type list.
Figure 41 Adding an authorization policy
3. In the Access Authorization Info area, click Add. On the page that opens, configure the parameters as follows:
¡ Device Area: Select the device area added in "Adding a device area."
¡ Device Type: Select the device type added in "Adding a device type."
¡ Authorized Time Range: Select the authorized time range added in "Adding an authorized time range policy."
¡ Use the default settings for other parameters.
Figure 42 Adding an access authorization information entry
Adding a TACACS device management user
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Device User(TACACS) > All Devices Users.
Figure 43 All Device Users page
2. Click Add. On the page that opens, enter the account name and login password, select the policy added in "Adding a TAM device user authorization policy" from the User Authorization Policy list, and use the default settings for other parameters.
Figure 44 Adding a device management user
3. After the configuration is completed, click OK.
Configuring device management
Specify the EIA server as the AAA server to authenticate login users.
Telnet to the access device from the Windows CLI window as follows:
1. Telnet to the access device and enter system view.
2. Enable scheme authentication for user lines VTY 0 through VTY 4.
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]authentication-mode scheme
[H3C-ui-vty0-4]command authorization
[H3C-ui-vty0-4]quit
3. Configure an HWTACACS scheme. Specify the TAM server as the primary authentication server and primary accounting server. Make sure the authentication port, accounting port, and shared key are the same as those configured on the TAM server.
[H3C]hwtacacs scheme 391
New HWTACACS scheme
[H3C-hwtacacs-391]primary authentication 10.114.117.66
[H3C-hwtacacs-391]primary authorization 10.114.117.66
[H3C-hwtacacs-391]primary accounting 10.114.117.66
[H3C-hwtacacs-391]key authorization simple 123
[H3C-hwtacacs-391]key authentication simple 123
[H3C-hwtacacs-391]key accounting simple 123
[H3C-hwtacacs-391]user-name-format without-domain
[H3C-hwtacacs-391]quit
4. Create a domain and configure users to use HWTACACS scheme 391 for authentication, authorization, and accounting when accessing the device.
[H3C]domain 391
New Domain added
[H3C-isp-391]authentication login hwtacacs-scheme 391
[H3C-isp-391]authorization login hwtacacs-scheme 391
[H3C-isp-391]accounting login hwtacacs-scheme 391
[H3C-isp-391]quit
Binding the user to the token
Binding the user to the token through registration
IMPORTANT: To bind the user to the dynamic token through registration, ensure network connectivity between the user endpoint and the EIA/TAM server.
1. Install the H3C e-shield on the phone and open it.
2. Click the icon in the upper left corner. Enter the EIA/TAM server address in the Server Address (TACACS) field.
3. Return to the home page.
4. Click Register. On the page that opens, select Device Management User(TACACS).
5. Enter the username and password, and then click Generate Password.
6. The user has been bound to the token.
Binding the user to the token by scanning a QR code
1. On the top navigation bar, click Automation. From the navigation pane, select User > Device User > Device User(TACACS) > All Devices Users.
2. Select the device management user, click More, and then select Batch Register Dynamic Tokens.
Figure 45 Batch registering dynamic tokens
3. In the window that opens, click OK. The QR code page opens.
4. On the home page of the H3C e-shield, click Scan to scan the QR code.
5. The access user is bound to the token after a successful scan.
Obtaining a dynamic password
To obtain a dynamic password, click the token for the user.
Verifying the configuration
Using the iNode client on the PC for 802.1X authentication
Verify that the user can pass 802.1X authentication by entering the configured username and password on the iNode PC client. This example uses a common user.
Installing the iNode client
Install the iNode client.
NOTE: The current EIA is compatible with all versions of iNode, and you can select the version of iNode as needed.
Performing 802.1X authentication
1. Open the iNode PC client, and select 802.1X connection.
2. Enter the username and password, and then click Connect. The password type is account password + dynamic password.
Figure 47 iNode client homepage
3. If the connection status is connected, the configuration is correct.
Viewing the online user on EIA
1. Log in to EIA.
2. On the top navigation bar, click Monitor. From the navigation pane, select Monitor List > Online User. On the Local Online Users tab, verify that the user is online.
Using the RADIUS or TACACS device management user to verify the configuration
Use the device management user account configured on the server to log in to the device. The following uses the TACACS device management user as an example.
1. Log in to the device through Telnet.
Figure 48 Telneting to the device
2. Enter the username and password. The password type is account password + dynamic password, and the username is the same as the account name configured on the TAM server.
Figure 49 Entering the username and password
3. A successful login indicates that the configuration is correct.