H3C Access Controllers
Portal MAC-Trigger Authentication Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring portal MAC-trigger authentication· 1

Network configuration· 1

Analysis· 2

Restrictions and guidelines· 2

Procedures· 3

Configuring IMC· 3

Editing a configuration file for the AP· 9

Configuring the AC· 9

Configuring the switch· 12

Verifying the configuration· 13

Configuration files· 14

Related documentation· 16

 

Introduction

The following information provides an example of configuring MAC-trigger authentication (MAC-based quick portal authentication).

Prerequisites

The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AAA, portal, and WLAN.

Example: Configuring portal MAC-trigger authentication

Network configuration

As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server. The IMC server acts as a portal authentication server, a portal Web server, a MAC binding server, and a RADIUS server.

Configure direct portal authentication and MAC-trigger authentication to meet the following requirements:

·     The client can access only the portal Web server before passing portal authentication and can access other network resources after passing portal authentication.

·     The client can access the network resources through any Layer 2 ports in its access VLAN without re-authentication.

·     The RADIUS server can dynamically change the user authorization information or forcibly disconnect users.

Figure 1 Network diagram

 

Analysis

For the client to access network resources through any Layer 2 ports in its access VLAN without re-authentication, enable portal roaming.

For the RADIUS server to dynamically change the user authorization information or forcibly disconnect users, enable the RADIUS session-control feature.

To use GigabitEthernet 1/0/1 on the AP to forward client traffic, edit a .txt configuration file and upload the file to the AC.

To ensure that dynamic user authorization information can be correctly assigned to users after they come online, enable the RADIUS DAS feature.

Restrictions and guidelines

Use the serial ID labeled on the AP's rear panel to specify an AP.

Make sure the types of the portal authentication server, portal Web server, and MAC binding server specified on the AC are the same as those actually used. (This example uses CMCC servers.)

By default, the URL of the portal Web server to which the AC redirects portal users does not carry any parameters. You can add parameters to be carried in the URL as needed.

If portal authentication is enabled on a VLAN interface, the AC can forward client traffic. If portal authentication is enabled on a service template, both the AC and the AP can forward client traffic. (In this example, portal authentication is enabled on a service template.)

In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries. To ensure that valid users can perform portal authentication, enable wireless client validity check on the AC.

To avoid possible authentication failure caused by frequent logins and logouts of portal clients in a short time, disable the Rule ARP entry feature.

Some types of endpoints use random MAC by default, which might cause failure of the MAC-trigger authentication. As a best practice, disable the random MAC feature on the endpoints.

Procedures

Configuring IMC

This example uses the IMC server to describe the RADIUS server and portal server configuration. The IMC server runs IMC PLAT 7.1 (E0303p13), IMC EIA 7.1 (F0302p08), and IMC EIP 7.1 (F0302p08).

Configuring the RADIUS server

Add the AC to IMC as an access device:

1.     Log in to IMC and click the User tab.

2.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

3.     Click Add to open the page as shown in Figure 2.

4.     In the Access Configuration area, configure the parameters as follows:

¡     Set the shared key to radius, which must be the same as that on the AC.

¡     Use the default values for other parameters.

5.     In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter 2.2.2.1 in the Start IP field and then click OK.

6.     Click OK.

Figure 2 Adding the AC as an access device

 

Configuring the portal server

1.     Configure the portal authentication service:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Portal Service > Server to open the portal server configuration page, as shown in Figure 3.

c.     Configure the portal server parameters as needed.

This example uses the default values.

d.     Click OK.

Figure 3 Portal authentication server configuration

 

2.     Configure an IP address group:

a.     From the navigation tree, select User Access Policy > Portal Service > IP Group.

b.     Click Add to open the page as shown in Figure 4.

c.     Enter the IP group name.

d.     Enter the start IP address and end IP address of the IP group.

Make sure the client IP address is in the IP group.

e.     Select a service group.

This example uses the default value Ungrouped.

f.     From the Action list, select Normal.

g.     Click OK.

Figure 4 Adding an IP address group

 

3.     Add a portal device:

a.     From the navigation tree, select User Access Policy > Portal Service > Device.

b.     Click Add to open the page as shown in Figure 5.

c.     Enter the device name.

d.     Select CMCC 1.0 for Version.

e.     Enter the IP address of the AC's interface connected to the client.

f.     Set whether to support the portal server heartbeat and user heartbeat functions.

In this example, select No for both Support Server Heartbeat and Support User Heartbeat.

g.     Enter the key, which must be the same as that configured on the AC.

h.     Select Directly Connected from the Access Method list.

i.     Use the default settings for other parameters.

j.     Click OK.

Figure 5 Adding a portal device

 

4.     Associate the portal device with the IP address group:

a.     As shown in Figure 6, click the Port Group icon  in the Operation field for device NAS to open the port group configuration page.

Figure 6 Device list

 

b.     Click Add to open the page as shown in Figure 7.

c.     Enter the port group name.

d.     Select the configured IP address group.

The IP address used by the user to access the network must be within this IP address group.

e.     Select Supported for Transparent Authentication.

f.     Use the default settings for other parameters.

g.     Click OK.

Figure 7 Adding a port group

 

5.     From the navigation tree, select User Access Policy > Service Parameters > Validate System Configuration to validate the configuration.

Configuring the MAC binding server

1.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     Click Add to open the page as shown in Figure 8.

c.     Enter the access policy name.

d.     Select a service group.

This example uses the default value Ungrouped.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 8 Adding an access policy

 

2.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service.

b.     Click Add to open the page as shown in Figure 9.

c.     Enter the service name.

d.     Select the Transparent Authentication on Portal Endpoints option.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 9 Adding an access service

 

3.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users.

b.     Click Add to open the page as shown in Figure 10.

c.     Select an existing access user or click Add User to add a new access user.

d.     Enter the account name.

e.     Set the password.

f.     In the Access Service area, select the access policy configured in a previous step.

g.     Use the default settings for other parameters.

h.     Click OK.

Figure 10 Adding an access user

 

4.     Configure system parameters:

a.     From the navigation tree, select User Access Policy > Service Parameters > System Settings.

b.     Click the Configure icon  for User Endpoint Settings to open the page as shown in Figure 11.

c.     Select whether to enable transparent portal authentication on non-smart devices.

In this example, select Enable for Non-Terminal Authentication.

d.     Click OK.

Figure 11 Configuring user endpoint settings

 

e.     Click the Configure icon  for Endpoint Aging Time to open the page as shown in Figure 12.

f.     Set the endpoint aging time as needed.

This example uses the default value.

g.     Click OK.

Figure 12 Setting the endpoint aging time

 

5.     From the navigation tree, select User Access Policy > Service Parameters. Then, click Validate to make the configuration take effect.

Editing a configuration file for the AP

# Create a .txt configuration file named map.txt.

# Enter the following content in the file.

System-view

vlan 200

interface gigabitethernet1/0/1

port link-type trunk

port trunk permit vlan 200

# Upload the file to the AC.

Configuring the AC

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 2.2.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. The AC will use VLAN 200 for client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 2.2.2.1 24

[AC-Vlan-interface200] quit

# Configure the interface that is connected to the switch as a trunk port, and assign the port to VLAN 100 and VLAN 200.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure a static route to the IMC server:

[AC] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100

3.     Configure a WLAN service:

# Create a service template named st1 and enter its view.

[AC] wlan service-template st1

# Set the SSID of service template st1 to service.

[AC-wlan-st-st1] ssid service

# Assign clients coming online through service template st1 to VLAN 200.

[AC-wlan-st-st1] vlan 200

# Configure the AP to forward client data traffic from all VLANs.

[AC–wlan-st-st1] client forwarding-location ap

[AC-wlan-st-st1] quit

# Specify the AKM mode as PSK, and configure the preshared key as 12345678 in plain text.

[AC-wlan-st-st1] akm mode psk

[AC-wlan-st-st1] preshared-key pass-phrase simple 12345678

# Specify the cipher suite as CCMP and the security IE as RSN.

[AC-wlan-st-st1] cipher-suite ccmp

[AC-wlan-st-st1] security-ie rsn

[AC-wlan-st-st1] quit

4.     Configure the AP:

 

NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice.

 

# Create an AP named ap1 with model WA6320 and set its serial ID to 219801A28N819CE0002T.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

# Create AP group group1 and add AP ap1 to AP group group1.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap ap1

# Enter the view of AP model WA6320 and deploy configuration file map.txt to the AP.

[AC-wlan-ap-group-group1] ap-model WA6320

[AC-wlan-ap-group-group1-ap-model-WA6320] map-configuration map.txt

# Bind service template st1 to radio 2 in AP group group1.

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1

# Enable radio 2.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] return

5.     Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

<AC> system-view

[AC] radius scheme rs1

# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

[AC-radius-rs1] primary authentication 192.168.0.111

[AC-radius-rs1] primary accounting 192.168.0.111

[AC-radius-rs1] key authentication simple radius

[AC-radius-rs1] key accounting simple radius

# Configure the AC to remove the domain name from the usernames sent to the RADIUS servers.

[AC-radius-rs1] user-name-format without-domain

[AC-radius-rs1] nas-ip 2.2.2.1

[AC-radius-rs1] quit

# Enable RADIUS session-control.

[AC] radius session-control enable

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

[AC] radius dynamic-author server

# Specify a session-control client with IP address 192.168.0.111 and shared key radius in plaintext form.

[AC-radius-da-server] client ip 192.168.0.111 key simple radius

[AC-radius-da-server] quit

6.     Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[AC] domain dm1

# Configure the authentication and authorization methods as RADIUS and the accounting method as none in the ISP domain.

[AC-isp-dm1] authentication portal radius-scheme rs1

[AC-isp-dm1] authorization portal radius-scheme rs1

[AC-isp-dm1] accounting portal radius-scheme rs1

# Set the idle timeout period to 15 minutes and the minimum traffic that must be generated in the idle timeout period to 1024 bytes.

[AC-isp-dm1] authorization-attribute idle-cut 15 1024

[AC-isp-dm1] quit

7.     Configure portal authentication:

# Create a portal authentication server named newpt, specify IP address 192.168.0.111 for the authentication server, and specify 50100 as the port number for listening portal packets.

[AC] portal server newpt

[AC-portal-server-newpt] ip 192.168.0.111 key simple 123456

[AC-portal-server-newpt] port 50100

# Specify CMCC as the type of portal authentication server newpt.

[AC-portal-server-newpt] server-type cmcc

[AC-portal-server-newpt] quit

# Specify http://192.168.0.111:8080/portal as the URL of portal Web server newpt.

[AC] portal web-server newpt

[AC-portal-websvr-newpt] url http://192.168.0.111:8080/portal

# Add parameters ssid, wlanuserip, and wlanacname to the URL of portal Web server newpt, and specify the AP SSID, user IP address, and AC name as the values of the parameters. (These parameters are required to be carried in the URL of a CMCC-type portal Web server).

[AC-portal-websvr-newpt] url-parameter ssid ssid

[AC-portal-websvr-newpt] url-parameter wlanuserip source-address

[AC-portal-websvr-newpt] url-parameter wlanacname value AC

# Specify CMCC as the type of portal Web server newpt.

[AC-portal-websvr-newpt] server-type cmcc

[AC-portal-websvr-newpt] quit

# Configure portal-free rule 0 to allow portal users to access the portal Web server (whose IP address is 192.168.0.111) without authentication. Configure port-free rule 1 to permit the traffic sourced from the aggregate interface.

[AC] portal free-rule 0 destination ip 192.168.0.111 24

[AC] portal free-rule 1 source interface Bridge-Aggregation 1

# Configure two destination-based portal-free rules to permit the traffic destined for the DNS server.

[AC] portal free-rule 2 destination ip any udp 53

[AC] portal free-rule 3 destination ip any tcp 53

# Enable portal roaming.

[AC] portal roaming enable

# Disable the Rule ARP entry feature for portal clients.

[AC] undo portal refresh arp enable

# Enable validity check on wireless portal clients.

[AC] portal host-check enable

# Enable direct portal authentication on service template st1.

[AC] wlan service-template st1

[AC-wlan-st-st1] portal enable method direct

# Specify ISP domain dm1 as the portal authentication domain.

[AC-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1 for portal authentication.

[AC-wlan-st-st1] portal apply web-server newpt

[AC-wlan-st-st1] quit

8.     Configure portal MAC-trigger authentication:

# Create a MAC binding server named mts and enter its view.

[AC] portal mac-trigger-server mts

# Specify 192.168.0.111 as the IP address of MAC binding server mts.

[AC-portal-mac-trigger-server-mts] ip 192.168.0.111

# Specify CMCC as the type of MAC binding server mts.

[AC- mac-trigger-server-mts] server-type cmcc

[AC-portal-mac-trigger-server-mts] quit

# Specify MAC binding server mts on service template st1.

[AC] wlan service-template st1

[AC-wlan-st-st1] portal apply mac-trigger-server mts

[AC-wlan-st-st1] portal bas-ip 2.2.2.1

# Enable service template st1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-st1] quit

Configuring the switch

# Create VLAN 100. The switch will use this VLAN to forward traffic on the CAPWAP tunnel between the AC and the AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward client traffic.

[Switch] vlan 200

[Switch-vlan200] quit

# Create VLAN 2. This VLAN will be used for communication with the IMC server.

[Switch] vlan 2

[Switch-vlan2] quit

# Add the port connected to the IMC server to VLAN 2. (Details not shown.)

# Configure the interface that is connected to the AC as a trunk port and assign the port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure the interface that is connected to the AP as a trunk port, and assign the port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type trunk

[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/2] port trunk pvid vlan 100

# Enable PoE.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Assign an IP address to VLAN-interface 200.

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0

[Switch-Vlan-interface200] quit

# Assign an IP address to VLAN-interface 2.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0

[Switch-Vlan-interface2] quit

Verifying the configuration

# Display information about MAC binding server mts.

[AC] display portal mac-trigger-server name mts

Portal mac trigger server name: mts

  Version                    : 1.0

  Server type                : CMCC

  IP                         : 192.168.0.111

  Port                       : 50100

  VPN instance               : Not configured

  Aging time                 : 300 seconds

  Free-traffic threshold     : 0 bytes

  NAS-Port-Type              : Not configured

  Binding retry times        : 3

  Binding retry interval     : 1 seconds

  Authentication timeout     : 3 minutes

A user can perform portal authentication through a Web browser. Before passing portal authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing portal authentication, the user can access other network resources.

For the first portal authentication, the user is required to enter the username and password. When the user goes offline and then accesses the network again, the user does not need to enter the authentication username and password.

# Display information about all portal users.

[AC] display portal user all

Total portal users: 1

Username: portal

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  0021-6330-0933  2.2.2.2               200     WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

akm mode psk

 preshared-key pass-phrase simple 12345678

 cipher-suite ccmp

 security-ie rsn

 vlan 200

client forwarding-location ap

 portal enable method direct

portal domain ldap

portal bas-ip 2.2.2.1

portal apply web-server newpt

 portal apply mac-trigger-server mts

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 1 100 200

#

 ip route-static 192.168.0.0 16 2.2.2.100

#

 radius session-control enable

#

radius scheme rs1

 primary authentication 192.168.0.111

 primary accounting 192.168.0.111

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

nas-ip 2.2.2.1

#

radius dynamic-author server

 client ip 192.168.0.111 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==

#

domain dm1

 authorization-attribute idle-cut 15 1024

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

portal host-check enable

portal free-rule 0 destination ip 192.168.0.0 255.255.255.0

portal free-rule 1 source interface Bridge-Aggregation 1

portal free-rule 2 destination ip any udp 53

portal free-rule 3 destination ip any tcp 53

#

 portal roaming enable

 undo portal refresh arp enable

#

 portal web-server newpt

 url http://192.168.0.111:8080/portal

 server-type cmcc

 url-parameter ssid ssid

 url-parameter wlanacname value AC

 url-parameter wlanuserip source-address

#

portal server newpt

 ip 192.168.0.111 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==

 server-type cmcc

#

portal mac-trigger-server mts

 ip 192.168.0.111

 server-type cmcc

#

wlan ap ap1 model WA6320

 serial-id 219801A28N819CE0002T

#

wlan ap-group group1

ap ap1

ap-model WA6320

 map-configuration flash:/map.txt

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     Switch:

#

vlan 2

#

vlan 100

#

vlan 200

#

interface Vlan-interface2

 ip address 192.168.0.100 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.100 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk vlan 100 200

port trunk pvid vlan 100

 poe enable

Related documentation

·     User Access and Authentication Command Reference in H3C Access Controllers Command References

·     User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Access Command Reference in H3C Access Controllers Command References

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides