H3C Access Controllers
Remote 802.1X Authentication in WPA3-Enterprise Mode
Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring remote 802.1X authentication in WPA3-Enterprise mode  1

Network configuration· 1

Restrictions and guidelines· 2

Procedures· 2

Configuring the AC· 2

Configuring the switch· 4

Configuring the RADIUS server 5

Configuring the wireless client 7

Verifying the configuration· 7

Configuration files· 9

Related documentation· 11

 

Introduction

The following information provides an example of configuring remote 802.1X authentication in WPA3-Enterprise mode.

Prerequisites

The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of WLAN access, WLAN security, WLAN access authentication, and 802.1X features.

Example: Configuring remote 802.1X authentication in WPA3-Enterprise mode

Network configuration

As shown in Figure 1, the switch acts as a DHCP server to assign IP addresses to the AP and the client. The RADIUS server is an IMC server.

Configure the AC, the client, the switch, and the RADIUS server to meet the following requirements:

·     The AC uses the RADIUS server to perform authentication, authorization, and accounting for the wireless client. The 802.1X EAP-PEAP authentication method is used.

·     The AC uses the open system authentication for the client at the data link layer. This is the default authentication method at the data link layer.

·     The AC uses the 802.1X AKM mode to secure data transmission between the client and the AP.

·     The cipher suite is GCMP and the security mode is WPA3-Enterprise.

Figure 1 Network diagram

 

Restrictions and guidelines

Use the serial ID labeled on the AP's rear panel to specify an AP.

Procedures

Configuring the AC

1.     Configure interfaces:

# Create VLAN 100, create VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish CAPWAP tunnels with the AP.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 10.1.1.46 24

[AC-Vlan-interface100] quit

# Create VLAN 200, create VLAN-interface 100, and assign an IP address to the VLAN interface. The AC assigns VLAN 200 to a client when the client comes online.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 10.1.2.1 24

[AC-Vlan-interface200] quit

# Set the link type of GigabitEthernet 1/0/1 (the interface connected to the switch) to trunk, and permit traffic from VLAN 100 and VLAN 200 to pass through the interface.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure a RADIUS scheme:

# Create RADIUS scheme radius1 and enter its view.

[AC] radius scheme radius1

# Specify the RADIUS server at 10.1.1.3 as the primary authentication and accounting servers.

[AC-radius-radius1] primary authentication 10.1.1.3

[AC-radius-radius1] primary accounting 10.1.1.3

# Set the shared key to 12345 in plaintext form for secure communication with the RADIUS authentication server.

[AC-radius-radius1] key authentication simple 12345

# Set the shared key to 12345 in plaintext form for secure communication with the RADIUS accounting server.

[AC-radius-radius1] key accounting simple 12345

# Specify IP address 10.1.2.1 as the source IP address for outgoing RADIUS packets.

[AC-radius-radius1] nas-ip 10.1.2.1

[AC-radius-radius1] quit

# Create ISP domain dom1 and enter its view.

[AC] domain dom1

# Configure the ISP domain to use RADIUS scheme radius1 for 802.1X user authentication, authorization, and accounting.

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

3.     Specify EAP relay as the method to exchange packets with the RADIUS server.

[AC] dot1x authentication-method eap

4.     Configure a service template:

# Create service template wpa3_enterprise and enter its view.

[AC] wlan service-template wpa3_enterprise

# Set the SSID to wpa3.

[AC-wlan-st-wpa3_enterprise] ssid wpa3

# Specify VLAN 200 for the service template.

[AC-wlan-st-wpa3_enterprise] vlan 200

# Set the AKM mode to 802.1X.

[AC-wlan-st-wpa3_enterprise] akm mode dot1x

# Specify the GCMP cipher suite and enable the RSN IE in beacon and probe responses. Support for the GCMP cipher suite depends on the AP model.

[AC-wlan-st-wpa3_enterprise] cipher-suite gcmp

[AC-wlan-st-wpa3_enterprise] security-ie rsn

# Set the access authentication mode to 802.1X authentication.

[AC-wlan-st-wpa3_enterprise] client-security authentication-mode dot1x

# Specify ISP domain dom1 for authenticating the 802.1X client.

[AC-wlan-st-wpa3_enterprise] dot1x domain dom1

# Set the WPA3 security mode to WPA3-Enterprise.

[AC-wlan-st-wpa3_enterprise] wpa3 enterprise

# Enable management frame protection in mandatory mode.

[AC-wlan-st-wpa3_enterprise] pmf mandatory

# Enable the AC to forward client data traffic. If the AC forwards client data traffic by default, skip this step.

[AC-wlan-st-wpa3_enterprise] client forwarding-location ac

# Enable the service template.

[AC-wlan-st-wpa3_enterprise] service-template enable

[AC-wlan-st-wpa3_enterprise] quit

5.     Configure AP settings:

 

IMPORTANT: In a large-scale network, configure AP groups as a best practice.

 

# Create manual AP office and specify the AP model and serial ID.

[AC] wlan ap office model WA6320

[AC-wlan-ap-office] serial-id 219801A28N819CE0002T

[AC-wlan-ap-office] quit

# Create AP group group1 and create an AP grouping rule by AP names to add AP office to AP group group1.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap office

# Bind service template wpa3_enterprise to radio 1 in AP group group1.

[AC-wlan-ap-group-group1] ap-model WA6320

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template wpa3_enterprise

# Enable radio 1.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit

[AC-wlan-ap-group-group1-ap-model-WA6320] quit

[AC-wlan-ap-group-group1] quit

Configuring the switch

1.     Configure interfaces:

# Create VLAN 100 and VLAN 200, create VLAN-interface 100 and VLAN-interface 200, and assign IP addresses to the VLAN interfaces. VLAN 100 is used to forward CAPWAP tunnel traffic between the AC and AP. VLAN 200 is used to forward wireless client packet.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] ip address 10.1.1.47 24

[Switch-Vlan-interface100] quit

[Switch] vlan 200

[Switch-vlan200] quit

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 10.1.2.2 24

[Switch-Vlan-interface200] quit

# Set the link type of GigabitEthernet 1/0/1 (the interface connected to the AC), and permit traffic from VLAN 100 and VLAN 200 to pass through the interface.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Set the link type of GigabitEthernet 1/0/2 (the interface connected to the AP) to access, and permit traffic from VLAN 100 to pass through the interface.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE on GigabitEthernet 1/0/2.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

2.     Configure DHCP:

# Enable DHCP.

[Switch] dhcp enable

# Create a DHCP address pool named 100, and specify subnet 10.1.1.0/24 and gateway IP address 10.1.1.47 in the DHCP address pool.

[Switch] dhcp server ip-pool 100

[Switch-dhcp-pool-100] network 10.1.1.0 mask 255.255.255.0

[Switch-dhcp-pool-100] gateway-list 10.1.1.47

[Switch-dhcp-pool-100] quit

# Create a DHCP address pool named 200, and specify subnet 10.1.2.0/24 and gateway IP address 10.1.2.2 in the DHCP address pool. In this example, the address of the DNS server is 10.1.2.2 (the gateway address). You must replace it with the actual address of the DNS server on your network.

[Switch] dhcp server ip-pool 200

[Switch-dhcp-pool-200] network 10.1.2.0 mask 255.255.255.0

[Switch-dhcp-pool-200] gateway-list 10.1.2.2

[Switch-dhcp-pool-200] dns-list 10.1.2.2

[Switch-dhcp-pool-200] quit

Configuring the RADIUS server

Prerequisites

The RADIUS server runs IMC PLAT 7.3 and IMC UAM 7.3.

Make sure the RADIUS server has been installed with the EAP-PEAP certificate.

Adding the AC as an access device to IMC

1.     Log in to IMC and click the User tab.

2.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

3.     Click Add.

The Add Access Device page opens.

4.     In the Access Configuration area, configure the following parameters, as shown in Figure 2:

¡     Enter 12345 in the Shared Key and Confirm Shared Key fields. The shared key must be the same as the authentication and accounting shared keys configured on the AC.

¡     Use the default values for other parameters.

5.     In the Device List area, click Select or Add Manually to add the AC at 10.1.2.1 as an access device.

The IP address must be the source IP address specified for outgoing RADIUS packets in the RADIUS scheme on the AC.

6.     Click OK.

Figure 2 Adding an access device

 

Adding an access policy

1.     From the navigation tree, select User Access Policy > Access Policy.

2.     Click Add.

3.     On the Add Access Policy page, configure the following parameters, as shown in Figure 3:

¡     Enter dot1x in the Access Policy Name field.

¡     Select EAP-PEAP from the Preferred EAP Type list, and select EAP-MSCHAPv2 from the Subtype list.

The certificate subtype on the IMC server must be the same as the identity authentication method configured on the client.

4.     Click OK.

Figure 3 Adding an access policy

 

Adding an access service

1.     From the navigation tree, select User Access Policy > Access Service.

2.     Click Add.

3.     On the Add Access Service page, configure the following parameters, as shown in Figure 4:

¡     Enter dot1x in the Service Name field.

¡     Select dot1x from the Default Access Policy list.

4.     Click OK.

Figure 4 Adding an access service

 

Adding an access user

1.     From the navigation tree, select Access User > Access User.

The access user list opens.

2.     Click Add.

The Add Access User page opens.

3.     In the Access Information area, configure the following parameters, as shown in Figure 5:

a.     Click Select or Add User to associate the user with IMC Platform user user.

b.     Enter dot1x in the Account Name field.

c.     Enter dot1x123 in the Password and Confirm Password fields.

4.     In the Access Service area, select dot1x from the list.

5.     Click OK.

Figure 5 Adding an access user account

 

Configuring the wireless client

Restrictions and guidelines

Support for WPA3 depends on the wireless client model.

The configuration procedure is slightly different depending on the wireless client model. The following information only briefly describes the configuration procedure on a mobile phone.

Procedure

1.     Open the WLAN list page of the mobile phone, and click the wireless network named wpa3. On the page that opens, configure the following parameters:

¡     Set the phase 2 authentication method to MSCHAPv2.

¡     Configure to not validate the CA certificate.

¡     Set the identity to dot1x.

¡     Enter password dot1x123.

2.     Click Connect.

Verifying the configuration

1.     On the client, verify that the client has passed authentication and associated with the AP, and it can access the wireless network. (Details not shown.)

2.     On the AC, perform the following tasks to verify that the user has passed authentication and come online:

# Display detailed WLAN client information.

[AC] display wlan client verbose

Total number of clients: 1

 

 MAC address                       : ccc9-5de2-512d

 IPv4 address                      : 10.1.2.3

 IPv6 address                      : N/A

 Username                          : dot1x

 AID                               : 1

 AP ID                             : 1

 AP name                           : office

 Radio ID                          : 1

 Channel                           : 52

 SSID                              : wpa3

 BSSID                             : f474-8879-ea60

 VLAN ID                           : 200

 Sleep count                       : 0

 Wireless mode                     : 802.11ax

 Channel bandwidth                 : 80MHz

 SM power save                     : Disabled

 Short GI for 20MHz                : Supported

 Short GI for 40MHz                : Supported

 Short GI for 80MHz                : Supported

 Short GI for 160/80+80MHz         : Not supported

 STBC RX capability                : Not supported

 STBC TX capability                : Not supported

 LDPC RX capability                : Supported

 Beamformee STS capability         : N/A

 Number of Sounding Dimensions     : N/A

 SU beamformee capability          : Not supported

 MU beamformee capability          : Not supported

 Block Ack                         : N/A

 Supported VHT-MCS set             : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

 Supported HT MCS set              : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15

 Supported rates                   : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

 5G 40And80MHz Channel bandwidth   : Supported

 5G 160MHz Channel bandwidth       : Not Supported

 5G 8080MHz Channel bandwidth      : Not Supported

 OFDMA random access RUs           : Not supported

 Supported HE-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

 TWT scheduled                     : no

 QoS mode                          : WMM

 Listen interval                   : 20

 RSSI                              : 0

 Rx/Tx rate                        : 0/0 Mbps

 Speed                             : N/A

 Authentication method             : Open system

 Security mode                     : RSN

 AKM mode                          : 802.1X

 Cipher suite                      : GCMP

 User authentication mode          : 802.1X

 WPA3 status                       : Enabled

 Authorization CAR                 : N/A

 Authorization ACL ID              : N/A

 Authorization user profile        : N/A

 Roam status                       : N/A

 Key derivation                    : SHA384

 PMF status                        : Enabled

 Forwarding policy name            : Not configured

 Online time                       : 0days 0hours 0minutes 8seconds

 FT status                         : Inactive

 BTM mode                          : Inactive

# Display online 802.1X client information.

[AC] display dot1x connection

Total connections: 1

User MAC address                   : ccc9-5de2-512d

AP name                            : office

Radio ID                           : 1

SSID                               : wpa3

BSSID                              : f474-8879-ea60

Username                           : dot1x

Authentication domain              : dom1

IPv4 address                       : 192.168.100.17

Authentication method              : EAP

Initial VLAN                       : 200

Authorization VLAN                 : 200

Authorization ACL number           : N/A

Authorization user profile         : N/A

Authorization CAR                  : N/A

Authorization URL                  : N/A

Authorization IPv6 URL             : N/A

Termination action                 : Default

Session timeout last from          : 2021/03/18 14:42:20

Session timeout period             : 86400 s

Online from                        : 2021/03/18 14:42:20

Online duration                    : 0h 2m 44s

Configuration files

·     AC:

#

 dot1x authentication-method eap

#

vlan 100

#

vlan 200

#

wlan service-template wpa3_enterprise

 ssid wpa3

 vlan 200

 client forwarding-location ac

 akm mode dot1x

 cipher-suite gcmp

 security-ie rsn

 wpa3 enterprise

 client-security authentication-mode dot1x

 dot1x domain dom1

 pmf mandatory

 service-template enable

#

interface Vlan-interface100

 ip address 10.1.1.46 255.255.255.0

#

interface Vlan-interface200

 ip address 10.1.2.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 100 200

#

radius scheme radius1

 primary authentication 10.1.1.3

 primary accounting 10.1.1.3

 key authentication cipher $c$3$Bb61SHV2ZsVYPJU2+RFB/8ntk0uCQkmxdA==

 key accounting cipher $c$3$w03NfxnBmfDuedv9/xo7ESnoxKjowmmX9A==

 nas-ip 10.1.2.1

#

domain dom1

 authentication lan-access radius-scheme radius1

 authorization lan-access radius-scheme radius1

 accounting lan-access radius-scheme radius1

#

wlan ap-group group1

 ap office

 ap-model WA6320

  radio 1

   radio enable

   service-template wpa3_enterprise

  radio 2

#

wlan ap office model WA6320

 serial-id 219801A28N819CE0002T

#

·     Switch:

#

 dhcp enable

#

vlan 100

#

vlan 200

#

dhcp server ip-pool 100

 gateway-list 10.1.1.47

 network 10.1.1.0 mask 255.255.255.0

#

dhcp server ip-pool 200

 gateway-list 10.1.2.2

 network 10.1.2.0 mask 255.255.255.0

 dns-list 10.1.2.2

#

interface Vlan-interface100

 ip address 10.1.1.47 255.255.255.0

#

interface Vlan-interface200

 ip address 10.1.2.2 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type access

 port access vlan 100

 poe enable

#

Related documentation

·     User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     User Access and Authentication Command Reference in H3C Access Controllers Command References

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Access Command Reference in H3C Access Controllers Command References