H3C Access Controllers

Comware 7 MAC-based Portal Quick

Authentication

Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring MAC-based portal quick authentication· 1

Network configuration·· 1

Analysis· 2

Restrictions and guidelines· 2

Procedures· 3

Configuring IMC·· 3

Editing a configuration file for the AP·· 9

Configuring the AC·· 9

Configuring the switch·· 12

Verifying the configuration·· 12

Configuration files· 13

Related documentation· 15

 

Introduction

This document provides examples for configuring MAC-based quick portal authentication.

Prerequisites

This document applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of AAA, portal, and WLAN.

Example: Configuring MAC-based portal quick authentication

Network configuration

As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server. The IMC server acts as a portal authentication server, a portal Web server, a MAC binding server, and a RADIUS server.

Configure direct portal authentication and MAC-based quick portal authentication to meet the following requirements:

·     The client can access only the portal Web server before passing portal authentication and can access other network resources after passing portal authentication.

·     The client can access the network without portal authentication before the network traffic reaches 1024000 bytes. Once the threshold is reached, MAC-based quick portal authentication is performed.

·     The client can access the network resources through any Layer 2 ports in its access VLAN without re-authentication.

·     The RADIUS server can dynamically change the user authorization information or forcibly disconnect users.

Figure 1 Network diagram

 

Analysis

For the client to access the portal Web server, configure a portal-free rule to permit user traffic destined for the portal Web server.

For the client to access network resources through any Layer 2 ports in its access VLAN without re-authentication, enable portal roaming.

For the RADIUS server to dynamically change the user authorization information or forcibly disconnect users, enable the RADIUS session-control feature.

To use GigabitEthernet 1/0/1 on the AP to forward client traffic, edit a .txt configuration file and upload the file to the AC.

To ensure that dynamic user authorization information can be correctly assigned to users after they come online, enable the RADIUS DAS feature.

Restrictions and guidelines

When you configure MAC-based portal quick authentication, follow these restrictions and guidelines:

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     Make sure the types of the portal authentication server, portal Web server, and MAC binding server specified on the AC are the same as those actually used. (This example uses CMCC servers.)

·     By default, the URL of the portal Web server to which the AC redirects portal users does not carry any parameters. You can add parameters to be carried in the URL as needed.

·     If portal authentication is enabled on a VLAN interface, the AC can forward client traffic. If portal authentication is enabled on a service template, both the AC and the AP can forward client traffic. (In this example, portal authentication is enabled on a service template.)

In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries. To ensure that valid users can perform portal authentication, enable wireless client validity check on the AC.

·     If a portal client logs out and then tries to come online frequently in a short time, the client will fail portal authentication. To avoid this problem, disable the Rule ARP entry feature for portal clients.

Procedures

Configuring IMC

This example uses the IMC server to describe the RADIUS server and portal server configuration. The IMC server runs on IMC PLAT 7.1 (E0303p13), IMC EIA 7.1 (F0302p08), and IMC EIP 7.1 (F0302p08).

Configuring the RADIUS server

Add the AC to IMC as an access device:

1.     Log in to IMC and click the User tab.

2.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

3.     Click Add to open the page as shown in Figure 2.

4.     In the Access Configuration area, configure the parameters as follows:

¡     Set the shared key to radius, which must be the same as that on the AC.

¡     Use the default values for other parameters.

5.     In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter 2.2.2.1 in the Start IP field and then click OK.

6.     Click OK.

Figure 2 Adding the AC as an access device

 

Configuring the portal server

1.     Configure the portal authentication service:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Portal Service > Server to open the portal server configuration page, as shown in Figure 3.

c.     Configure the portal server parameters as needed.

This example uses the default values.

d.     Click OK.

Figure 3 Portal authentication server configuration

 

2.     Configure an IP address group:

a.     From the navigation tree, select User Access Policy > Portal Service > IP Group.

b.     Click Add to open the page as shown in Figure 4.

c.     Enter the IP group name.

d.     Enter the start IP address and end IP address of the IP group.

Make sure the client IP address is in the IP group.

e.     Select a service group.

This example uses the default value Ungrouped.

f.     From the Action list, select Normal.

g.     Click OK.

Figure 4 Adding an IP address group

 

3.     Add a portal device:

a.     From the navigation tree, select User Access Policy > Portal Service > Device.

b.     Click Add to open the page as shown in Figure 5.

c.     Enter the device name.

d.     Select CMCC 1.0 for Version.

e.     Enter the IP address of the AC's interface connected to the client.

f.     Set whether to support the portal server heartbeat and user heartbeat functions.

In this example, select No for both Support Server Heartbeat and Support User Heartbeat.

g.     Enter the key, which must be the same as that configured on the AC.

h.     Select Directly Connected for Access Method.

i.     Use the default settings for other parameters.

j.     Click OK.

Figure 5 Adding a portal device

 

4.     Associate the portal device with the IP address group:

a.     As shown in Figure 6, click the Port Group icon  in the Operation field for device NAS to open the port group configuration page.

Figure 6 Device list

 

b.     Click Add to open the page as shown in Figure 7.

c.     Enter the port group name.

d.     Select the configured IP address group.

The IP address used by the user to access the network must be within this IP address group.

e.     Select Supported for Transparent Authentication.

f.     Use the default settings for other parameters.

g.     Click OK.

Figure 7 Adding a port group

 

5.     From the navigation tree, select User Access Policy > Service Parameters > Validate System Configuration to validate the configuration.

Configuring the MAC binding server

1.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     Click Add to open the page as shown in Figure 8.

c.     Enter the access policy name.

d.     Select a service group.

This example uses the default value Ungrouped.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 8 Adding an access policy

 

2.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service.

b.     Click Add to open the page as shown in Figure 9.

c.     Enter the service name.

d.     Select the Transparent Authentication on Portal Endpoints option.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 9 Adding an access service

 

3.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users.

b.     Click Add to open the page as shown in Figure 10.

c.     Select an existing access user or click Add User to add a new access user.

d.     Enter the account name.

e.     Set the password.

f.     Select a value from the Max. Transparent Portal Bindings list.

g.     Use the default settings for other parameters.

h.     Click OK.

Figure 10 Adding an access user

 

4.     Configure system parameters:

a.     From the navigation tree, select User Access Policy > Service Parameters > System Settings.

b.     Click the Configure icon  for User Endpoint Settings to open the page as shown in Figure 11.

c.     Select whether to enable transparent portal authentication on non-smart devices.

In this example, select Enable for Non-Terminal Authentication.

d.     Click OK.

Figure 11 Configuring user endpoint settings

 

e.     Click the Configure icon  for Endpoint Aging Time to open the page as shown in Figure 12.

f.     Set the endpoint aging time as needed.

This example uses the default value.

g.     Click OK.

Figure 12 Setting the endpoint aging time

 

5.     From the navigation tree, select User Access Policy > Service Parameters > Validate System Configuration to validate the configuration.

Editing a configuration file for the AP

# Create a .txt configuration file named map.txt.

# Enter the following content in the file.

System-view

vlan 200

interface gigabitethernet1/0/1

port link-type trunk

port trunk permit vlan 200

# Upload the file to the AC.

Configuring the AC

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 2.2.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. The AC will use VLAN 200 for client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 2.2.2.1 24

[AC-Vlan-interface200] quit

2.     Configure a static route to the IMC server:

[AC] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100

3.     Configure a WLAN service:

# Create a service template named st1 and enter its view.

[AC] wlan service-template st1

# Set the SSID of service template st1 to service.

[AC-wlan-st-st1] ssid service

# Assign clients coming online through service template st1 to VLAN 200.

[AC-wlan-st-st1] vlan 200

# Configure APs to forward client data traffic from all VLANs.

[AC–wlan-st-st1] client forwarding-location ap

[AC-wlan-st-st1] quit

# Create an AP named office with model WA560-WW and set its serial ID to 219801A1NM8182032235.

[AC] wlan ap office model WA560-WW

[AC-wlan-ap-office] serial-id 219801A1NM8182032235

# Deploy configuration file map.txt to the AP.

[AC-wlan-ap-office] map-configuration map.txt

# Enter the view of radio 2.

[AC-wlan-ap-office] radio 2

# Bind service template st1 to radio 2 in AP office.

[AC-wlan-ap-office-radio-2] service-template st1

# Enable radio 2.

[AC-wlan-ap-office-radio-2] radio enable

[AC-wlan-ap-office-radio-2] quit

[AC-wlan-ap-office] quit

4.     Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

[AC] radius scheme rs1

# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

[AC-radius-rs1] primary authentication 192.168.0.111

[AC-radius-rs1] primary accounting 192.168.0.111

[AC-radius-rs1] key authentication simple radius

[AC-radius-rs1] key accounting simple radius

# Configure the AC to remove the domain name from the usernames sent to the RADIUS servers.

[AC-radius-rs1] user-name-format without-domain

[AC-radius-rs1] quit

# Enable RADIUS session-control.

[AC] radius session-control enable

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

[AC] radius dynamic-author server

# Specify a session-control client with IP address 192.168.0.111 and shared key radius in plaintext form.

[AC-radius-da-server] client ip 192.168.0.111 key simple radius

[AC-radius-da-server] quit

5.     Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[AC] domain dm1

# Configure the authentication and authorization methods as RADIUS and the accounting method as none in the ISP domain.

[AC-isp-dm1] authentication portal radius-scheme rs1

[AC-isp-dm1] authorization portal radius-scheme rs1

[AC-isp-dm1] accounting portal none

# Set the idle timeout period to 15 minutes and the minimum traffic that must be generated in the idle timeout period to 1024 bytes.

[AC-isp-dm1] authorization-attribute idle-cut 15 1024

[AC-isp-dm1] quit

6.     Configure portal authentication:

# Create a portal authentication server named newpt, specify IP address 192.168.0.111 for the authentication server, and specify 50100 as the port number for listening portal packets.

[AC] portal server newpt

[AC-portal-server-newpt] ip 192.168.0.111

[AC-portal-server-newpt] port 50100

# Specify CMCC as the type of portal authentication server newpt.

[AC-portal-server-newpt] server-type cmcc

[AC-portal-server-newpt] quit

# Specify http://192.168.0.111:8080/portal as the URL of portal Web server newpt.

[AC] portal web-server newpt

[AC-portal-websvr-newpt] url http://192.168.0.111:8080/portal

# Configure the portal redirection URL to carry the ssid, wlanuserip, and wlanacname parameters, and their values are the AP's SSID, the user's IP address, and the AC's name (required by a CMCC portal Web server).

[AC-portal-websvr-newpt] url-parameter ssid ssid

[AC-portal-websvr-newpt] url-parameter wlanuserip source-address

[AC-portal-websvr-newpt] url-parameter wlanacname value AC

# Specify CMCC as the type of portal Web server newpt.

[AC-portal-websvr-newpt] server-type cmcc

[AC-portal-websvr-newpt] quit

# Configure a portal-free rule numbered 0 to allow portal users to access the portal Web server (whose IP address is 192.168.0.111) without authentication.

[AC] portal free-rule 0 destination ip 192.168.0.111 24

# Enable portal roaming.

[AC] portal roaming enable

# Disable the Rule ARP entry feature for portal clients.

[AC] undo portal refresh arp enable

# Enable validity check on wireless portal clients.

[AC] portal host-check enable

# Enable direct portal authentication on service template st1.

[AC] wlan service-template st1

[AC-wlan-st-st1] portal enable method direct

# Specify ISP domain dm1 as the portal authentication domain.

[AC-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1 for portal authentication.

[AC-wlan-st-st1] portal apply web-server newpt

[AC-wlan-st-st1] quit

7.     Configure portal MAC-based quick authentication:

# Create a MAC binding server named mts and enter its view.

[AC] portal mac-trigger-server mts

# Set the free-traffic threshold for portal users to 1024000 bytes.

[AC-portal-mac-trigger-server-mts] free-traffic threshold 1024000

# Specify 192.168.0.111 as the IP address of MAC binding server mts.

[AC-portal-mac-trigger-server-mts] ip 192.168.0.111

# Specify CMCC as the type of MAC binding server mts.

[AC- mac-trigger-server-mts] server-type cmcc

[AC-portal-mac-trigger-server-mts] quit

# Specify MAC binding server mts on service template st1.

[AC] wlan service-template st1

[AC-wlan-st-st1] portal apply mac-trigger-server mts

# Enable service template st1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-st1] quit

Configuring the switch

# Create VLAN 100. The switch will use this VLAN to forward traffic on the CAPWAP tunnel between the AC and the AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward client traffic.

[Switch] vlan 200

[Switch-vlan200] quit

# Create VLAN 2.

[Switch] vlan 2

[Switch-vlan2] quit

# Configure GigabitEthernet 1/0/1 as a trunk port and assign the port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 as an access port and assign it to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Assign an IP address to VLAN-interface 200.

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0

[Switch-Vlan-interface200] quit

# Assign an IP address to VLAN-interface 2.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0

[Switch-Vlan-interface2] quit

Verifying the configuration

# Display information about MAC binding server mts.

[AC] display portal mac-trigger-server name mts

Portal mac trigger server name: mts

  Version                    : 1.0

  Server type                : CMCC

  IP                         : 192.168.0.111

  Port                       : 50100

  VPN instance               : Not configured

  Aging time                 : 300 seconds

  Free-traffic threshold     : 1024000 bytes

  NAS-Port-Type              : Not configured

  Binding retry times        : 3

  Binding retry interval     : 1 seconds

  Authentication timeout     : 3 minutes

  Excluded attribute list    : 1

  Local-binding              : Disabled

  Local-binding aging-time   : 12 hours

  AAA-fail nobinding         : Disabled

A user can perform portal authentication through a Web browser. Before passing portal authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing portal authentication, the user can access other network resources.

For the first portal authentication, the user is required to enter the username and password. When the user goes offline and then accesses the network again, the user does not need to enter the authentication username and password.

# Display information about all portal users.

[AC] display portal user all

Total portal users: 1

Username: portal

  AP name: office

  Radio ID: 2

  SSID: service

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  0021-6330-0933  2.2.2.2               200     Vlan-interface200

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

client forwarding-location ap

 portal enable method direct

portal domain ldap

portal apply web-server newpt

 portal apply mac-trigger-server mts

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.1 255.255.255.0

#

 ip route-static 192.168.0.0 16 2.2.2.100

#

 radius session-control enable

#

radius scheme rs1

 primary authentication 192.168.0.111

 primary accounting 192.168.0.111

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

#

radius dynamic-author server

 client ip 192.168.0.111 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==

#

domain dm1

 authorization-attribute idle-cut 15 1024

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal none

#

portal host-check enable

 portal free-rule 0 destination ip 192.168.0.0 255.255.255.0

#

 portal roaming enable

 undo portal refresh arp enable

#

 portal web-server newpt

 url http://192.168.0.111:8080/portal

 server-type cmcc

 url-parameter ssid ssid

 url-parameter wlanacname value AC

 url-parameter wlanuserip source-address

#

portal server newpt

 ip 192.168.0.111

 server-type cmcc

#

portal mac-trigger-server mts

 ip 192.168.0.111

 server-type cmcc

 free-traffic threshold 1024000

#

wlan ap office model WA560-WW

 serial-id 219801A1NM8182032235

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     Switch:

#

vlan 2

#

vlan 100

#

vlan 200

#

interface Vlan-interface2

 ip address 192.168.0.100 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.100 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type access

 port access vlan 100

poe enable

Related documentation

·     Security Command Reference in H3C Access Controllers Command References

·     Security Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Command Reference in H3C Access Controllers Command References

·     WLAN Configuration Guide in H3C Access Controllers Configuration Guides