H3C Access Controllers
Local Forwarding Mode Direct Portal Authentication Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring local forwarding mode direct portal authentication· 1

Network configuration· 1

Analysis· 2

Restrictions and guidelines· 2

Procedures· 2

Configuring IMC· 2

Editing the AP configuration file· 8

Configuring the AC· 8

Configuring the switch· 11

Configuring the DHCP server 12

Verifying the configuration· 12

Configuration files· 14

Related documentation· 16

 

Introduction

The following information provides an example of configuring direct portal authentication in a wireless network where APs directly forward client traffic.

Prerequisites

The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AAA, portal, and WLAN.

Example: Configuring local forwarding mode direct portal authentication

Network configuration

As shown in Figure 1:

·     The AP and the client obtain IP addresses from the DHCP server.

·     The AP and the AC use VLAN 100 to establish CAPWAP tunnels, and the client uses VLAN 200 to access the wireless network.

·     The AP directly forwards traffic of the client.

·     The IMC server acts as the portal authentication server, portal Web server, and RADIUS server.

·     The AC performs direct portal authentication on clients. Before passing portal authentication, the client can access only the portal Web server. After passing portal authentication, the client can access other network resources.

·     The client user can access network resources on any Layer 2 ports in its access VLAN without re-authentication.

·     The IMC server can dynamically change authorization information for the user and can log out the user.

Figure 1 Network diagram

 

Analysis

To allow an authenticated user to access network resources on any Layer 2 ports in its access VLAN without re-authentication, enable the portal roaming feature.

In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries. To ensure that valid users can perform portal authentication, you must enable wireless client validity check on the AC.

To avoid possible authentication failure caused by frequent logins and logouts of portal clients in a short time, disable the Rule ARP entry feature.

To allow the RADIUS server to modify user authorization information and log out users, enable the RADIUS session-control feature.

To add GigabitEthernet 1/0/1 of the AP to the local forwarding VLAN (VLAN 200), edit the AP's configuration file and upload it to the AC's storage medium.

Restrictions and guidelines

Use the serial ID labeled on the AP's rear panel to specify an AP.

The portal authentication server type and portal Web server type configured on the AC must be the same as the types of the servers actually used. In this example, the server type is CMCC.

By default, the portal Web server URL redirected to users does not carry parameters. You can configure the parameters to be carried in the redirection URL as needed.

Procedures

Configuring IMC

In this example, the IMC server runs IMC PLAT 7.1 (E0303p13), IMC EIA 7.1 (F0302p08), and IMC EIP 7.1 (F0302p08).

Configuring the RADIUS server

1.     Add an access device:

a.     Log in to IMC and click the User tab.

b.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c.     Click Add to open the Add Access Device page.

d.     Configure the shared key as radius.

The shared key must be the same as that configured for the RADIUS server on the AC.

e.     In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter the start IP address 2.2.2.1 and click OK.

f.     Use the default settings for other parameters.

g.     Click OK.

Figure 2 Adding an access device

 

2.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     Click Add to open the Add Access Policy page.

c.     Enter the policy name.

d.     Select the service group.

This example uses the default service group (Ungrouped).

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 3 Adding an access policy

 

3.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service.

b.     Click Add to open the Add Access Service page.

c.     Enter the service name.

d.     Select the access policy configured in the previous step as the default access policy.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 4 Adding an access service

 

4.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users.

b.     Click Add to open the Add Access User page.

c.     Set the user. If the user exists, click Select to select the existing user. If the user does not exist, click Add User to add a new user.

d.     Enter the account name.

e.     Enter and confirm the password.

f.     In the Access Service area, select the access service configured in the previous step.

g.     Use the default settings for other parameters.

h.     Click OK.

Figure 5 Adding an access user

 

Configuring the portal server

1.     Configure the portal authentication service:

a.     Log in to IMC and click the User tab.

b.     From the navigation tree, select User Access Policy > Portal Service > Server.

c.     Configure the portal server parameters.

This example uses the default settings.

d.     Click OK.

Figure 6 Configuring the portal server

 

2.     Configure an IP address group:

a.     From the navigation tree, select User Access Policy > Portal Service > IP Group to open the portal IP address group configuration page.

b.     Click Add to open the Add IP Group page.

c.     Enter the IP group name.

d.     Enter the start IP address and end IP address of the IP group.

Make sure the client IP address is in the IP group.

e.     Select a service group.

This example uses the default group Ungrouped.

f.     Select Normal from the Action list.

g.     Click OK.

Figure 7 Adding an IP group

 

3.     Add a portal device:

a.     From the navigation tree, select User Access Policy > Portal Service > Device.

b.     Click Add to open the Add Device page.

c.     Enter the device name NAS.

d.     Select CMCC 1.0 from the Version list.

e.     Enter the IP address of the AC's interface connected to the client.

f.     Select whether to support server heartbeat and user heartbeat functions.

In this example, select No for both Support Server Heartbeat and Support User Heartbeat.

g.     Enter the key, which must be the same as that configured on the AC.

h.     Select Directly Connected from the Access Method list.

i.     Use the default settings for other parameters.

j.     Click OK.

Figure 8 Adding a portal device

 

4.     Associate the portal device with the IP address group:

a.     In the device list on the portal device configuration page, click the Port Group Information Management icon in the Operation row of device NAS, as shown in Figure 9.

Figure 9 Device list

 

The port group configuration page opens, as shown in Figure 10.

Figure 10 Adding a port group

 

b.     Click Add to open the Add Port Group page.

c.     Enter the port group name.

d.     Select the configured IP address group.

The IP address used by the user to access the network must be within this IP address group.

e.     Use the default settings for other parameters.

f.     Click OK.

5.     From the navigation tree, select User Access Policy > Service Parameters > Validate to make the configurations take effect.

Editing the AP configuration file

# Use a text editor to edit the AP's configuration file. Name the configuration file map.txt, and then upload the file to the storage medium of the AC.

The content of the configuration file is as follows:

System-view

vlan 200

interface gigabitethernet1/0/1

port link-type trunk

port trunk permit vlan 200

Configuring the AC

1.     Configuring VLANs and interfaces:

# Create VLAN 100 and VLAN-interface 100. Assign the VLAN interface an IP address. The AC will use this IP address to establish CAPWAP tunnels with APs.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 2.2.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200. Assign the VLAN interface an IP address. This VLAN will be used for wireless client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 2.2.2.1 24

[AC-Vlan-interface200] quit

# Configure GigabitEthernet 1/0/1 (the port connected to the switch) as a trunk port, and assign the port to VLAN 100 and VLAN 200.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure a static route to reach the IMC:

[AC] ip route-static 192.168.0.0 255.255.255.0 2.2.2.100

3.     Configure the wireless service:

# Create a service template named st1 and enter its view.

[AC] wlan service-template st1

# Configure the SSID of the service template as service.

[AC-wlan-st-st1] ssid service

# Assign clients coming online through the service template to VLAN 200.

[AC-wlan-st-st1] vlan 200

# Configure APs to forward client data traffic from all VLANs. (Skip this step if the client data forwarder is APs by default.)

[AC–wlan-st-st1] client forwarding-location ap

# Configure the AKM mode as PSK, and set the preshared key to 12345678 in plain text.

[AC-wlan-st-st1] akm mode psk

[AC-wlan-st-st1] preshared-key pass-phrase simple 12345678

# Configure the cipher suite as CCMP and security IE as RSN.

[AC-wlan-st-st1] cipher-suite ccmp

[AC-wlan-st-st1] security-ie rsn

[AC-wlan-st-st1] quit

4.     Configure the AP:

 

NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice.

 

# Create an AP named ap1 with model WA6320 and set its serial ID to 219801A28N819CE0002T.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

# Create an AP group named group1 and add AP ap1 to the AP group.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap ap1

# Create an AP model named WA6320 in AP group group1 and then deploy configuration file map.txt to the AP.

[AC-wlan-ap-group-group1] ap-model WA6320

[AC-wlan-ap-group-group1-ap-model-WA6320] map-configuration map.txt

# Enter the AP group's radio 2 view, and bind service template st1 to radio 2.

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1

# Enable radio 2.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] return

5.     Configure the RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

<AC> system-view

[AC] radius scheme rs1

# Configure the primary authentication and accounting servers and shared keys used for secure communication with the servers.

[AC-radius-rs1] primary authentication 192.168.0.111

[AC-radius-rs1] primary accounting 192.168.0.111

[AC-radius-rs1] key authentication simple radius

[AC-radius-rs1] key accounting simple radius

# Configure the AC to remove the domain name from the usernames sent to the RADIUS servers.

[AC-radius-rs1] user-name-format without-domain

# Specify 2.2.2.1 as the source IP address of outgoing RADIUS packets sent to the RADIUS servers.

[AC-radius-rs1] nas-ip 2.2.2.1

[AC-radius-rs1] quit

# Enable the RADIUS session-control feature.

[AC] radius session-control enable

# Enable the RADIUS DAE server feature and enter RADIUS DAE server view.

[AC] radius dynamic-author server

# Configure the IP address of the RADIUS DAE client as 192.168.0.111, and the shared key for secure communication with the client as radius.

[AC-radius-da-server] client ip 192.168.0.111 key simple radius

6.     Configure the authentication domain:

# Create an ISP domain named dm1 and enter its view.

[AC] domain dm1

# Configure the authentication, authorization, and accounting methods as RADIUS for portal users in the ISP domain.

[AC-isp-dm1] authentication portal radius-scheme rs1

[AC-isp-dm1] authorization portal radius-scheme rs1

[AC-isp-dm1] accounting portal radius-scheme rs1

# Configure the idle cut feature for users. Log out a user if the user's traffic is less than 1024 bytes in 15 minutes.

[AC-isp-dm1] authorization-attribute idle-cut 15 1024

[AC-isp-dm1] quit

7.     Configure portal authentication:

# Create a portal authentication server named newpt and specify the server's IP address as 192.168.0.111, and the portal listening port number as 50100.

[AC] portal server newpt

[AC-portal-server-newpt] ip 192.168.0.111 key simple radius

[AC-portal-server-newpt] port 50100

# Configure the portal authentication server type as CMCC.

[AC-portal-server-newpt] server-type cmcc

[AC-portal-server-newpt] quit

# Create a portal Web server named newpt and specify the server's URL as http://192.168.0.111:8080/portal.

[AC] portal web-server newpt

[AC-portal-websvr-newpt] url http://192.168.0.111:8080/portal

# Add parameters ssid, wlanuserip, and wlanacname to the URL of the portal Web server, and specify the AP SSID, user IP address, and AC name as the values of the parameters, respectively. (These parameters are required to be carried in the URL of a portal Web server of the CMCC type).

[AC-portal-websvr-newpt] url-parameter ssid ssid

[AC-portal-websvr-newpt] url-parameter wlanuserip source-address

[AC-portal-websvr-newpt] url-parameter wlanacname value AC

# Configure the portal Web server type as CMCC.

[AC-portal-websvr-newpt] server-type cmcc

[AC-portal-websvr-newpt] quit

# Configure a portal-free rule to allow users to access the portal Web server without authentication: set the rule number to 0 and the destination address to 192.168.0.111.

[AC] portal free-rule 0 destination ip 192.168.0.111 24

# Configure two portal-free rules to allow users to access the DNS server without authentication.

[AC] portal free-rule 1 destination ip any udp 53

[AC] portal free-rule 2 destination ip any tcp 53

# Enable the portal roaming feature.

[AC] portal roaming enable

# Disable the Rule ARP entry feature for portal clients.

[AC] undo portal refresh arp enable

# Enable the wireless client validity check feature.

[AC] portal host-check enable

# Enable direct portal authentication on service template st1.

[AC] wlan service-template st1

[AC-wlan-st-st1] portal enable method direct

# Configure the authentication domain for portal users as dm1.

[AC-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1.

[AC-wlan-st-st1] portal apply web-server newpt

# Configure the BAS-IP as 2.2.2.1 for portal packets sent from service template st1 to the portal authentication server.

[AC-wlan-st-st1] portal bas-ip 2.2.2.1

# Enable service template st1.

[AC–wlan-st-st1] service-template enable

[AC-wlan-st-st1] quit

Configuring the switch

# Create VLAN 100. The switch will use this VLAN to forward traffic on the CAPWAP tunnel between the AC and AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward traffic of wireless clients.

[Switch] vlan 200

[Switch-vlan200] quit

# Create VLAN 2. This VLAN is used for communication with the IMC server.

[Switch] vlan 2

[Switch-vlan2] quit

# Add the port connected to the IMC server to VLAN 2. (Details not shown.)

# Configure GigabitEthernet 1/0/1 (the port connected to the AC) as a trunk port. Assign the trunk port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to the AP) as a trunk port. Assign the trunk port to VLAN 100 and VLAN 200. Set the PVID of the trunk port to 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type trunk

[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/2] port trunk pvid vlan 100

# Enable PoE on the port.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Create VLAN-interface 200 and assign it an IP address.

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0

[Switch-Vlan-interface200] quit

# Create VLAN-interface 2 and assign it an IP address.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0

[Switch-Vlan-interface2] quit

Configuring the DHCP server

Configure required settings on the DHCP server. (Details not shown.)

Verifying the configuration

# Use the configured username and password to perform portal authentication through a Web browser on the client. Before passing authentication, all Web accesses are redirected to the portal authentication page (http://192.168.0.111:8080/portal). After passing authentication, you can access other network resources.

# Display the online portal user information on the AC.

[AC] display portal user all

Total portal users: 1

Username: Client

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  0021-6330-0933  2.2.2.2               200     WLAN-BSS1/0/16

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

The output shows that the client successfully passes portal authentication and comes online.

# Display portal filtering rules on the AC and the AP.

[AC] display portal rule all ap ap1

Slot 1:

[AP] display portal rule all

 

IPv4 portal rules on WLAN-BSS1/0/16:

Rule 1:

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

    MAC            : 0000-0000-0000

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

 Destination:

    IP             : 192.168.0.111

    Mask           : 255.255.255.255

    Port           : Any

 

Rule 2:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 2.2.2.2

    MAC            : 0021-6330-0933

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

 

Rule 3:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

    Protocol       : TCP

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : 443

 

Rule 4:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

    Protocol       : TCP

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : 80

 

Rule 5:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : WLAN-BSS1/0/16

    VLAN           : Any

 Destination:

    IP             : 0.0.0.0

Mask           : 0.0.0.0

The output shows that the AC does not have portal filtering rules for the AP and the AP has the portal filtering rules. This is because the local forwarding mode is used.

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

 client forwarding-location ap

akm mode psk

 preshared-key pass-phrase simple 12345678

 cipher-suite ccmp

 security-ie rsn

 portal enable method direct

 portal domain dm1

 portal bas-ip 2.2.2.1

 portal apply web-server newpt

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

 ip route-static 192.168.0.0 16 2.2.2.100

#

 radius session-control enable

#

radius scheme rs1

 primary authentication 192.168.0.111

 primary accounting 192.168.0.111

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

 nas-ip 2.2.2.1

#

radius dynamic-author server

 client ip 192.168.0.111 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==

#

domain dm1

authorization-attribute idle-cut 15 1024

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

portal host-check enable

portal free-rule 0 destination ip 192.168.0.0 255.255.255.0

portal free-rule 1 destination ip any udp 53

portal free-rule 2 destination ip any tcp 53

#

portal roaming enable

 undo portal refresh arp enable

#

 portal web-server newpt

 url http://192.168.0.111:8080/portal

 server-type cmcc

 url-parameter ssid ssid

 url-parameter wlanacname value AC

 url-parameter wlanuserip source-address

#

portal server newpt

 ip 192.168.0.111 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==

 server-type cmcc

#

wlan ap ap1 model WA6320

 serial-id 219801A28N819CE0002T

#

wlan ap-group group1

ap ap1

ap-model WA6320

 map-configuration flash:/map.txt

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     Switch:

#

vlan 2

#

vlan 100

#

vlan 200

#

interface Vlan-interface2

 ip address 192.168.0.100 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.100 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type trunk

 port trunk permit vlan 1 100 200

 port trunk pvid vlan 100

 poe enable

#

Related documentation

·     User Access and Authentication Command Reference in H3C Access Controllers Command References

·     User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Access Command Reference in H3C Access Controllers Command References

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides