H3C Access Controllers
HTTPS-Based Local Portal
Authentication Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring HTTPS-based local portal authentication· 1

Network configuration· 1

Restrictions and guidelines· 1

Procedures· 1

Verifying the configuration· 4

Configuration files· 8

Related documentation· 10

 

Introduction

The following information provides an example of configuring HTTP-based local portal authentication.

Prerequisites

This document applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of SSL, portal authentication, and PKI.

Example: Configuring HTTPS-based local portal authentication

Network configuration

As shown in Figure 1, the wireless client needs to access the network resources.

Configure HTTPS-based local portal authentication on the AC to allow the client to access network resources only after the client passes portal authentication.

Configure PKI and SSL on the AC to perform digital certificate-based authentication on the client but not to display the message of unavailable security certificate revocation information when the client performs portal authentication.

Figure 1 Network diagram

 

Restrictions and guidelines

Before configuring HTTPS-based local portal authentication, make sure the devices can reach each other.

Make sure the AC has a valid CA certificate and a valid local certificate.

Procedures

Configuring certificates

# Create a PKI domain named domain1.

<AC> system-view

[AC] pki domain domain1

# Disable CRL checking.

[AC-pki-domain-domain1] undo crl check enable

[AC-pki-domain-domain1] quit

# Import CA certificate file certnew.cer in DER format to PKI domain domain1. The certificate file contains the root certificate.

[AC] pki import domain domain1 der ca filename certnew.cer

The trusted CA's finger print is:

    MD5  fingerprint:98D8 2B98 6D35 1DE7 A13A C362 DA33 2F38

    SHA1 fingerprint:5817 1C1E D81F 1B5F 525D 5183 C196 37B8 73C7 46E5

Is the finger print correct?(Y/N):y

# Import local certificate file QQ.pfx in PKCS12 format to PKI domain domain1. The certificate file contains a key pair.

[AC] pki import domain domain1 p12 local filename QQ.pfx

Please input the password:

Configuring an SSL server policy

# Create an SSL server policy named myssl.

[AC] ssl server-policy myssl

# Specify PKI domain domain1 for SSL server policy myssl.

[AC-ssl-server-policy-myssl] pki-domain domain1

# Enable mandatory SSL client authentication.

[AC-ssl-server-policy-myssl] client-verify enable

[AC-ssl-server-policy-myssl] quit

Configuring AAA

# Add network access user named user1, and assign the portal service to the user.

[AC] local-user user1 class network

[AC-luser-network-user1] password simple user1

[AC-luser-network-user1] service-type portal

[AC-luser-network-user1] quit

# Create an ISP domain named dm1, and configure local authentication, authorization, and accounting for portal users in the domain.

[AC] domain dm1

[AC-isp-dm1] authentication portal local

[AC-isp-dm1] authorization portal local

[AC-isp-dm1] accounting portal local

[AC-isp-dm1] quit

# Specify ISP domain dm1 as the default ISP domain.

[AC] domain default enable dm1

Configuring the wireless service and HTTPS-based portal authentication

# Create a portal Web server named newpt.

[AC] portal web-server newpt

# Specify https://84.7.0.3/portal as the URL of the portal Web server.

[AC-portal-websvr-newpt] url https://84.7.0.3/portal

[AC-portal-websvr-newpt] quit

# Enable validity check on wireless portal clients.

[AC] portal host-check enable

# Configure two destination-based portal-free rules to permit the traffic destined for the DNS server.

[AC] portal free-rule 1 destination ip any udp 53

[AC] portal free-rule 2 destination ip any tcp 53

# Create a service template named service1.

[AC] wlan service-template service1

# Set the SSID of the service template.

[AC-wlan-st-service1] ssid service1

# Specify the AKM mode as PSK, and configure the preshared key as 12345678 in plain text.

[AC-wlan-st-service1] akm mode psk

[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678

# Specify the cipher suite as CCMP and the security IE as RSN.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie rsn

# Configure the AC to forward client data traffic. (Skip this step if the client data traffic forwarder is the AC by default.)

[AC-wlan-st-service1] client forwarding-location ac

# Enable direct portal authentication on the service template.

[AC-wlan-st-service1] portal enable method direct

# Specify portal Web server newpt on the service template.

[AC-wlan-st-service1] portal apply web-server newpt

# Enable the service template.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

# Set the HTTPS service port number to 8080. Make sure this port number is not used by the local portal Web service.

[AC] ip https port 8080

# Create an HTTPS-based local portal Web service and specify SSL server policy myssl for the service.

[AC] portal local-web-server https ssl-server-policy myssl

# Specify file defaultfile.zip as the default authentication page file for the local portal Web service.

[AC-portal-local-websvr-https] default-logon-page defaultfile.zip

[AC-portal-local-websvr-https] quit

Configuring the AP

 

NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice.

 

# Create VLAN 200. This VLAN will be used for wireless client access.

[AC] vlan 200

[AC-vlan200] quit

# Create an AP named ap1 with model WA6320, and specify the serial ID of the AP.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

[AC-wlan-ap-ap1] quit

# Create AP group group1 and add AP 1 to AP group group1.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap ap1

# Bind service template service1 to radio 2 in AP group group1.

[AC-wlan-ap-group-group1] ap-model WA6320

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template service1 vlan 200

# Enable radio 2.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit

[AC-wlan-ap-group-group1-ap-model-WA6320] quit

[AC-wlan-ap-group-group1] quit

Verifying the configuration

Verifying certificate import

# Display information about the CA certificate in PKI domain domain1 to verify that the CA certificate has been imported to the PKI domain.

[AC] display pki certificate domain domain1 ca

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            27:ef:22:2e:cc:63:9e:9c:4c:f7:2b:ba:81:d2:8e:a9

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=beijing, L=haidian, O=h3c, OU=wireless/emailAddress=kf2

576@h3c.com/description=kf2576, CN=wlan

        Validity

            Not Before: Jul 12 05:16:08 2017 GMT

            Not After : Jul 12 05:24:51 2517 GMT

        Subject: C=CN, ST=beijing, L=haidian, O=h3c, OU=wireless/emailAddress=kf

2576@h3c.com/description=kf2576, CN=wlan

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (512 bit)

                Modulus:

                    00:cb:7e:d0:dd:38:f7:e8:20:00:2d:ba:f0:b7:37:

                    33:f6:cb:7a:1b:6b:74:56:63:5f:34:94:e3:06:4b:

                    06:36:e5:3e:22:ab:96:c5:52:d3:57:98:b0:b4:72:

                    6e:1f:0b:ed:40:50:0c:db:7d:c6:5e:15:34:a1:89:

                    e7:de:ec:84:07

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Key Usage:

                Digital Signature, Certificate Sign, CRL Sign

            X509v3 Basic Constraints: critical

                CA:TRUE

            X509v3 Subject Key Identifier:

                96:BB:A7:8D:70:C7:E9:46:C3:B7:EE:F4:E8:1A:D8:6F:16:B8:15:73

            X509v3 CRL Distribution Points:

 

                Full Name:

                  URI:http://ca1/CertEnroll/wlan.crl

                  URI:file://\\ca1\CertEnroll\wlan.crl

 

            1.3.6.1.4.1.311.21.1:

                ...

    Signature Algorithm: sha1WithRSAEncryption

         60:76:1a:52:bf:f0:79:45:22:04:7c:91:13:8a:9c:be:d9:18:

         20:14:5d:55:5c:31:22:49:ba:40:bc:ec:c2:ba:08:ac:11:0e:

         d5:d8:23:18:f4:5c:6a:c9:10:5e:d4:92:4c:d7:b8:cf:dc:92:

         41:24:db:93:3e:7a:14:3b:ad:b0

# Display information about the local certificate in PKI domain domain1 to verify that the local certificate has been imported to the PKI domain.

[AC] display pki certificate domain domain1 local

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            3b:1a:30:5e:00:00:00:00:00:1d

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=beijing, L=haidian, O=h3c, OU=wireless/emailAddress=kf2

576@h3c.com/description=kf2576, CN=wlan

        Validity

            Not Before: Dec 27 12:01:47 2017 GMT

            Not After : Dec 27 12:11:47 2273 GMT

        Subject: C=CN, CN=QQ

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:c4:bf:a1:86:3b:ba:53:8b:aa:c7:43:1a:1a:be:

                    18:4e:fa:d1:5e:9a:49:b3:bb:b9:92:be:64:6b:97:

                    06:f6:bd:c0:d9:36:20:50:c6:eb:5c:4f:89:1c:6d:

                    c6:62:65:1f:a0:06:50:9e:ee:23:b7:ad:73:58:dc:

                    e9:62:1a:5f:87:8b:fd:da:2f:43:58:0f:45:06:b8:

                    7f:d5:43:52:e6:ed:fe:ce:7e:fa:20:6d:bc:67:c6:

                    e5:dd:06:35:bd:fb:a2:04:85:34:b9:dd:ff:3c:f8:

                    78:9e:92:ad:4c:86:7d:33:04:09:90:ce:ab:a8:30:

                    f3:87:f5:4b:c7:9c:a5:4d:8b

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Key Usage: critical

                Digital Signature, Non Repudiation, Key Encipherment, Data Encip

herment

            S/MIME Capabilities:

......0...+....0050...*.H..

..*.H..

            X509v3 Subject Key Identifier:

                73:9E:F6:85:15:4F:FE:1B:CC:C3:1C:48:99:41:E7:DA:8E:89:B8:74

            X509v3 Extended Key Usage:

                TLS Web Server Authentication

            X509v3 Authority Key Identifier:

                keyid:96:BB:A7:8D:70:C7:E9:46:C3:B7:EE:F4:E8:1A:D8:6F:16:B8:15:7

3

 

            X509v3 CRL Distribution Points:

 

                Full Name:

                  URI:ldap:///CN=wlan,CN=ca1,CN=CDP,CN=Public%20Key%20Services,C

N=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRL

DistributionPoint

                  URI:http://ca1/CertEnroll/wlan.crl

                  URI:file://\\ca1\CertEnroll\wlan.crl

 

            Authority Information Access:

                CA Issuers - URI:http://ca1/CertEnroll/ca1_wlan.crt

                CA Issuers - URI:file://\\ca1\CertEnroll\ca1_wlan.crt

 

    Signature Algorithm: sha1WithRSAEncryption

         0b:f8:f8:53:ef:b2:f9:01:07:4e:89:cf:b7:5b:e2:72:a6:38:

         fa:af:99:30:0c:57:3f:36:25:f9:ed:02:7b:df:4b:a8:bd:92:

         63:b8:d8:ae:ae:72:9a:4d:1f:ea:fa:8a:1f:dc:5a:ad:ec:31:

         2a:15:65:ea:74:bc:95:c1:21:a9

Verifying SSL server policy configuration

# Display information about SSL server policy myssl.

[AC] display ssl server-policy myssl

 SSL server policy: myssl

     Version-info:

         SSL3.0: Enabled

         TLS1.0: Enabled

         TLS1.1: Enabled

         TLS1.2: Enabled

     PKI domain: user2

     Ciphersuites:

         RSA_AES_128_CBC_SHA

         RSA_DES_CBC_SHA

         RSA_RC4_128_MD5

         RSA_RC4_128_SHA

         RSA_3DES_CBC_SHA

         RSA_AES_256_CBC_SHA

         EXP_RSA_RC4_MD5

         RSA_RC2_CBC_MD5

         EXP_RSA_DES_CBC_SHA

         DHE_RSA_AES_128_CBC_SHA

         DHE_RSA_AES_256_CBC_SHA

         RSA_AES_128_CBC_SHA256

         RSA_AES_256_CBC_SHA256

         DHE_RSA_AES_128_CBC_SHA256

         DHE_RSA_AES_256_CBC_SHA256

         ECDHE_RSA_AES_128_CBC_SHA256

         ECDHE_RSA_AES_256_CBC_SHA384

         ECDHE_RSA_AES_128_GCM_SHA256

         ECDHE_RSA_AES_256_GCM_SHA384

         ECDHE_ECDSA_AES_128_CBC_SHA256

         ECDHE_ECDSA_AES_256_CBC_SHA384

         ECDHE_ECDSA_AES_128_GCM_SHA256

         ECDHE_ECDSA_AES_256_GCM_SHA384

     Session cache size: 500

     Caching timeout: 3600 seconds

     Client-verify: Enabled

Verifying portal authentication

# Display information about portal Web server newpt.

[AC] display portal web-server newpt

Portal Web server: newpt

    Type: IMC

    URL: https://84.7.0.3/portal

    URL parameters: Not configured

    VPN instance: Not configured

    Server detection: Not configured

    IPv4 status: Up

    IPv6 status: N/A

    Captive-bypass: Disabled

    If-match: Not configured

# On a mobile phone that has connected to the wireless network, access https://84.7.0.3/portal (the URL of portal Web server newpt). The portal authentication page opens, as shown in Figure 2. Enter the username and password of user user1 on the portal authentication page.

Figure 2 Portal authentication page on a mobile phone

 

# Display information about online portal users on the AC to verify that the user has come online.

[AC] display portal user all

Total portal users: 1

Username: user1

  AP name: ap1

  Radio ID: 2

  SSID: service1

  Portal server: N/A

  State: Online

  VPN instance: N/A

  MAC               IP                   VLAN      Interface

  145f-94aa-d323  84.7.0.12           200       WLAN-BSS1/0/5

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

Outbound CAR: N/A

Configuration files

#

vlan 200

#

wlan service-template service1

 ssid service1

client forwarding-location ac

 akm mode psk

 preshared-key pass-phrase cipher $c$3$9tIUHSkAUVqCH9/EPrL26ldkcEQnngexUEFj

 cipher-suite ccmp

 security-ie rsn

 portal enable method direct

 portal apply web-server newpt

 service-template enable

#

domain dm1

 authentication portal local

 authorization portal local

 accounting portal local

#

 domain default enable dm1

#

local-user user1 class network

 password cipher $c$3$iN3qo9XCWBRXSHa5q0sq1hkblSu/MCul

 service-type portal

 authorization-attribute user-role network-operator

#

pki domain domain1

 undo crl check enable

#

ssl server-policy myssl

 pki-domain domain1

 client-verify enable

#

 portal host-check enable

 portal free-rule 1 destination ip any udp 53

 portal free-rule 2 destination ip any tcp 53

#

portal web-server newpt

 url https://84.7.0.3/portal

#

portal local-web-server https ssl-server-policy myssl

 default-logon-page defaultfile.zip

#

 ip https port 8080

 ip http enable

 ip https enable

#

wlan ap-group group1

 ap ap1

 ap-model WA6320

  radio 1

  radio 2

   radio enable

   service-template service1 vlan 200

#

 

wlan ap ap1 model WA6320

 serial-id 219801A28N819CE0002T

#

Related documentation

·     Security Command Reference in H3C Access Controllers Command Reference

·     Security Configuration Guide in H3C Access Controllers Configuration Guide

·     WLAN Access Command Reference in H3C Access Controllers Command Reference

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guide