H3C Access Controllers
Remote Portal Authentication with User Profile Authorization Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring remote portal authentication and user profile authorization  1

Network configuration· 1

Analysis· 2

Restrictions and guidelines· 2

Procedures· 2

Editing the AP configuration file· 2

Configuring the AC· 3

Configuring the switch· 6

Configuring the IMC server 7

Verifying the configuration· 13

Configuration files· 14

Related documentation· 16

 

Introduction

The following information provides an example of configuring remote portal authentication with user profile authorization.

Prerequisites

The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AAA, portal authentication, WLAN access, and WLAN high availability.

Example: Configuring remote portal authentication and user profile authorization

Network configuration

As shown in Figure 1:

·     The AP and the client obtain IP addresses from the DHCP server.

·     The network deploys an IMC server as the portal authentication server, portal Web server, and RADIUS server for portal authentication.

Configure the devices to meet the following requirements:

·     The AC uses a service template to provide direct portal authentication for the client. Before passing the authentication, the client can access only the portal Web server. After passing the authentication, the client can access other network resources.

·     The AP forwards the client traffic locally.

·     The client can access network resources through any Layer 2 ports in its access VLAN without re-authentication.

·     The RADIUS server can dynamically change user authorization information or forcibly disconnect users.

Figure 1 Network diagram

 

Analysis

To allow a client to access network resources through any Layer 2 ports in its access VLAN without re-authentication, enable portal roaming.

In local forwarding mode, to ensure that valid clients can perform portal authentication, enable validity check on wireless clients.

To avoid portal authentication failure caused by frequent logins and logouts in a short time, disable the Rule ARP entry feature.

For the RADIUS server to dynamically change user authorization information or forcibly disconnect users, enable the RADIUS session-control feature.

To use GigabitEthernet 1/0/1 on the AP to forward client traffic, edit a .txt configuration file and upload the file to the AC.

Restrictions and guidelines

Use the serial ID labeled on the AP's rear panel to specify an AP.

Make sure the type of the portal authentication server and portal Web server is the same as the type of the portal authentication server and portal Web server actually used.

By default, the portal Web server URL redirected to users does carry parameters. You can configure the parameters to be carried in the redirection URL as needed.

Procedures

Editing the AP configuration file

# Use a text editor to edit the AP's configuration file. Name the configuration file map.txt, and then upload the file to the storage medium of the AC.

The content of the configuration file is as follows:

system-view

vlan 200

interface gigabitethernet1/0/1

port link-type trunk

port trunk permit vlan 200

Configuring the AC

1.     Configure interfaces:

# Create VLAN 100, create VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish CAPWAP control and data tunnels with the AP.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 2.2.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200, create VLAN-interface 200, and assign an IP address to the VLAN interface. The AC will use VLAN for wireless client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 2.2.2.1 24

[AC-Vlan-interface200] quit

# Configure GigabitEthernet 1/0/1 (the interface connected to the switch) as a trunk port and assign it to VLAN 100 and VLAN 200.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure a static route:

# Configure a static route to the IMC server.

[AC] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100

3.     Configure the wireless service:

# Create a service template named st1.

[AC] wlan service-template st1

# Set the SSID of the service template.

[AC-wlan-st-st1] ssid service

# Specify VLAN 200 for the service template.

[AC-wlan-st-st1] vlan 200

# Configure the AKM mode as PSK, and set the preshared key to 12345678 in plain text.

[AC-wlan-st-st1] akm mode psk

[AC-wlan-st-st1] preshared-key pass-phrase simple 12345678

# Configure the cipher suite as CCMP and security IE as RSN.

[AC-wlan-st-st1] cipher-suite ccmp

[AC-wlan-st-st1] security-ie rsn

# Configure APs to forward client data traffic from all VLANs. (Skip this step if the client data forwarder is APs by default.)

[AC–wlan-st-st1] client forwarding-location ap

[AC-wlan-st-st1] quit

4.     Configure the AP:

 

NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice.

 

# Create an AP named office with model WA6320 and set its serial ID to 219801A28N819CE0002T.

[AC] wlan ap office model WA6320

[AC-wlan-ap-office] serial-id 219801A28N819CE0002T

[AC-wlan-ap-office] quit

# Create an AP group named group1 and add AP office to AP group group1.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap office

# Create an AP model named WA6320 in AP group group1 and then deploy configuration file map.txt to the AP.

[AC-wlan-ap-group-group1] ap-model WA6320

[AC-wlan-ap-group-group1-ap-model-WA6320] map-configuration map.txt

# Enter the AP group's radio 2 view, and bind service template st1 to radio 2.

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1

# Enable radio 2.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit

[AC-wlan-ap-group-group1-ap-model-WA6320] quit

[AC-wlan-ap-group-group1] quit

5.     Configure a RADIUS scheme:

# Create RADIUS scheme rs1.

[AC] radius scheme rs1

# Configure the primary authentication and accounting servers and shared keys used for secure communication with the servers.

[AC-radius-rs1] primary authentication 192.168.0.111

[AC-radius-rs1] primary accounting 192.168.0.111

[AC-radius-rs1] key authentication simple radius

[AC-radius-rs1] key accounting simple radius

# Configure the AC to remove the ISP domain name from the usernames sent to the RADIUS servers.

[AC-radius-rs1] user-name-format without-domain

# Specify 2.2.2.1 as the source IP address for outgoing RADIUS packets.

[AC-radius-rs1] nas-ip 2.2.2.1

[AC-radius-rs1] quit

# Enable the RADIUS session-control feature.

[AC] radius session-control enable

# Enable the RADIUS DAS feature.

[AC] radius dynamic-author server

# Specify the server at 173.18.4.100 as a DAC and set the shared key to radius in plaintext form for secure communication between the DAS and DAC.

[AC-radius-da-server] client ip 192.168.0.111 key simple radius

6.     Configure a user profile:

# Create a user profile named h3c.

[AC] user-profile h3c

# Configure CAR actions in the user profile: set the CIR to 2 Mbps for incoming and outgoing packets.

[AC-user-profile-h3c] qos car inbound any cir 2048

[AC-user-profile-h3c] qos car outbound any cir 2048

[AC-user-profile-h3c] quit

7.     Configure an ISP domain:

# Create an ISP domain named dm1.

[AC] domain dm1

# Configure AAA methods for portal users in the ISP domain.

[AC-isp-dm1] authentication portal radius-scheme rs1

[AC-isp-dm1] authorization portal radius-scheme rs1

[AC-isp-dm1] accounting portal none

# Configure the idle cut feature so that the AC will log out a user if the user's total traffic in the idle timeout period is less than 1024 bytes.

[AC-isp-dm1] authorization-attribute idle-cut 15 1024

# Assign authorization user profile h3c to users in the ISP domain.

[AC-isp-dm1] authorization-attribute user-profile h3c

[AC-isp-dm1] quit

8.     Configure portal authentication:

# Create portal authentication server newpt, specify 192.168.0.111 as the server's IP address, and specify 50100 as the portal listening port number.

[AC] portal server newpt

[AC-portal-server-newpt] ip 192.168.0.111

[AC-portal-server-newpt] port 50100

# Configure the portal authentication server type as CMCC.

[AC-portal-server-newpt] server-type cmcc

[AC-portal-server-newpt] quit

# Create a portal Web server named newpt, and specify http://192.168.0.111:8080/portal as the server's URL

[AC] portal web-server newpt

[AC-portal-websvr-newpt] url http://192.168.0.111:8080/portal

# Add parameters ssid, wlanuserip, and wlanacname to the URL of the portal Web server and specify the AP SSID, user IP address, and AC name as the values of the parameters, respectively. (You must add the parameters to the URL of a CMCC-type portal Web server.)

[AC-portal-websvr-newpt] url-parameter ssid ssid

[AC-portal-websvr-newpt] url-parameter wlanuserip source-address

[AC-portal-websvr-newpt] url-parameter wlanacname value AC

# Configure the portal Web server type as CMCC.

[AC-portal-websvr-newpt] server-type cmcc

[AC-portal-websvr-newpt] quit

# Configure a portal-free rule to allow users to access the portal Web server without authentication: set the rule number to 0 and the destination address to 192.168.0.111.

[AC] portal free-rule 0 destination ip 192.168.0.111 24

# Configure two destination-based portal-free rules to permit the traffic destined for the DNS server.

[AC] portal free-rule 1 destination ip any udp 53

[AC] portal free-rule 2 destination ip any tcp 53

# Enable roaming for portal users.

[AC] portal roaming enable

# Disable the Rule ARP entry feature.

[AC] undo portal refresh arp enable

# Enable validity check on wireless portal clients.

[AC] portal host-check enable

# Enable direct portal authentication on service template st1.

[AC] wlan service-template st1

[AC-wlan-st-st1] portal enable method direct

# Specify ISP domain dm1 as the portal authentication domain on service template st1.

[AC-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1.

[AC-wlan-st-st1] portal apply web-server newpt

# Configure the BAS-IP as 2.2.2.1 for portal packets sent from service template st1 to the portal authentication server.

[AC-wlan-st-st1] portal bas-ip 2.2.2.1

# Enable service template st1.

[AC–wlan-st-st1] service-template enable

[AC-wlan-st-st1] quit

Configuring the switch

# Create VLAN 100. The switch will use this VLAN to forward traffic on CAPWAP control and data tunnels between the ACs and the AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward packets for wireless clients.

[Switch] vlan 200

[Switch-vlan200] quit

# Create VLAN 2. The switch will use this VLAN to communicate with the IMC server.

[Switch] vlan 2

[Switch-vlan2] quit

# Assign the port that connects the switch to the IMC server to VLAN 2. (Details not shown.)

# Configure GigabitEthernet 1/0/1 (the port connected to the AC) as a trunk port, and assign the port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to the AP) as a trunk port, assign the port to VLAN 100 and VLAN 200, and set the PVID to 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type trunk

[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/2] port trunk pvid vlan 100

# Enable PoE on GigabitEthernet 1/0/2.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 (the port connected to the IMC server) as an access port, and assign the port to VLAN 2.

[Switch] interface gigabitethernet 1/0/3

[Switch-GigabitEthernet1/0/3] port link-type access

[Switch-GigabitEthernet1/0/3] port access vlan 2

[Switch-GigabitEthernet1/0/3] quit

# Assign an IP address to VLAN-interface 200.

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0

[Switch-Vlan-interface200] quit

# Assign an IP address to the VLAN-interface 2.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0

[Switch-Vlan-interface2] quit

Configuring the IMC server

In this example, the IMC server runs IMC PLAT 7.1 (E0303p13), IMC EIA 7.1 (F0302p08), and IMC EIP 7.1 (F0302p08).

Configuring the RADIUS server

1.     Add an access device:

a.     Log in to IMC and click the User tab.

b.     From the navigation tree, select User Access Policy > Access Device Management > Access Device to open the access device page.

c.     Click Add to open the Add Access Device page as shown in Figure 2.

d.     Configure the shared key as radius.

The shared key must be the same as that configured for the RADIUS server on the AC.

e.     In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter the start IP address 2.2.2.1 and click OK.

f.     Use the default settings for other parameters on the Add Access Device page.

g.     Click OK.

Figure 2 Adding an access device

2.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy to open the access policy page.

b.     Click Add to open the page as shown in Figure 3.

c.     Enter the access policy name.

d.     Select a service group. This example uses the default setting (ungrouped).

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 3 Adding an access policy

 

3.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service to open the access service page.

b.     Click Add to open the page as shown in Figure 4.

c.     Enter service name RadiusServer.

d.     Select the access policy configured in the previous step from the Default Access Policy list.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 4 Adding an access service

 

4.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users to open the access user page.

b.     Click Add to open the page as shown in Figure 5.

c.     Set the user: If the user already exists, click Select to select the user. If the user does not exist, click Add User to add the user.

d.     Set the password.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 5 Adding an access user

 

Configuring the portal server

1.     Configure the portal service:

a.     Log in to IMC and click the User tab.

b.     From the navigation tree, select User Access Policy > Portal Service > Server to open the portal server configuration page as shown in Figure 6.

c.     Configure the portal server parameters as needed.

This example uses the default settings.

d.     Click OK.

Figure 6 Configuring the portal server

 

2.     Configure an IP address group:

a.     From the navigation tree, select User Access Policy > Portal Service > IP Group to open the portal IP address group configuration page.

b.     Click Add to open the Add IP Group page as shown in Figure 7.

c.     Enter the IP group name.

d.     Enter the start IP address and end IP address of the IP group.

Make sure the client IP address is in the IP group.

e.     Select a service group.

This example uses the default group Ungrouped.

f.     Select Normal from the Action list.

g.     Click OK.

Figure 7 Adding an IP group

 

3.     Add a portal device:

a.     From the navigation tree, select User Access Policy > Portal Service > Device to open the portal device configuration page.

b.     Click Add to open the page as shown in Figure 8.

c.     Enter the device name.

d.     Select CMCC 1.0 from the Version list.

e.     Enter the IP address of the port through which the AC connects to the client in the IP Address field.

f.     Set whether to support the portal server heartbeat and user heartbeat functions.

In this example, select No for both Support Server Heartbeat and Support User Heartbeat.

g.     Enter the key, which must be the same as that configured on the AC.

h.     Select Directly Connected from the Access Method list.

i.     Use the default settings for other parameters.

j.     Click OK.

Figure 89 Adding a portal device

 

4.     Associate the portal device with the IP address group:

a.     As shown in Figure 8, click the Port Group Information Management icon  for the AC to open the port group configuration page.

b.     Click Add to open the page as shown in Figure 9.

c.     Enter the port group name.

d.     Select the configured IP address group.

The IP address used by the user to access the network must be within this IP address group.

e.     Use the default settings for other parameters.

f.      Click OK.

Figure 8 Device list

 

Figure 9 Adding a port group

 

5.     From the navigation tree, select User Access Policy > Service Parameters. Then, click Validate to make the configuration take effect.

Verifying the configuration

# Use the configured username and password to perform portal authentication through a Web browser on the client. Before passing authentication, all Web accesses are redirected to the portal authentication page (http://192.168.0.111:8080/portal). After passing authentication, you can access other network resources.

# Display online portal user information on the AC.

[AC] display portal user all

Total portal users: 1

Username: Client

  AP name: office

  Radio ID: 2

  SSID: service

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  bce2-659a-3232  2.2.2.2               200     WLAN-BSS1/0/4

  Authorization information:

    DHCP IP pool: N/A

    User profile: h3c (active, AAA)

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

The output shows that the user has passed portal authentication.

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

 client forwarding-location ap

akm mode psk                                                                  

 preshared-key pass-phrase cipher $c$3$oLf6pOZ6bxrf25nodjOJKYEfnZ6g6ErccHyQ    

 cipher-suite ccmp                                                             

 security-ie rsn

 portal enable method direct

portal domain dm1

portal bas-ip 2.2.2.1

 portal apply web-server newpt

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

 ip route-static 192.168.0.0 16 2.2.2.100

#

user-profile h3c

 qos car inbound any cir 2048 cbs 128000

 qos car outbound any cir 2048 cbs 128000

#

 radius session-control enable

#

radius scheme rs1

 primary authentication 192.168.0.111

 primary accounting 192.168.0.111

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

nas-ip 2.2.2.1

#

radius dynamic-author server

 client ip 192.168.0.111 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==

#

domain dm1

authorization-attribute idle-cut 15 1024

authorization-attribute user-profile h3c

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal none

#

portal host-check enable

portal free-rule 0 destination ip 192.168.0.0 255.255.255.0

portal free-rule 1 destination ip any udp 53

portal free-rule 2 destination ip any tcp 53

#

portal roaming enable

 undo portal refresh arp enable

#

 portal web-server newpt

 url http://192.168.0.111:8080/portal

 server-type cmcc

 url-parameter ssid ssid

 url-parameter wlanacname value AC

 url-parameter wlanuserip source-address

#

portal server newpt

 ip 192.168.0.111

 server-type cmcc

#                                                                              

wlan ap-group group1                                                            

 ap office                                                                        

 ap-model WA6320                                                               

map-configuration flash:/map.txt

radio 1

  radio 2

   radio enable

   service-template st1

#

wlan ap office model WA6320

 serial-id 219801A28N819CE0002T

#

·     Switch:

#

vlan 2

#

vlan 100

#

vlan 200

#

interface Vlan-interface2

 ip address 192.168.0.100 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.100 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

port link-type trunk

 port trunk permit vlan 1 100 200

port trunk pvid vlan 100

poe enable

#

interface GigabitEthernet1/0/3

 port link-type access

 port access vlan 2

#

Related documentation

·     User Access and Authentication Command Reference in H3C Access Controllers Command Reference

·     User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guide

·     WLAN Access Command Reference in H3C Access Controllers Command Reference

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guide

·     AP Management Command Reference in H3C Access Controllers Command Reference

·     AP Management Configuration Guide in H3C Access Controllers Configuration Guide