WLAN Product Interoperation Configuration Guide

Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users

This example illustrates how to configure Portal authentication on a wireless network to ensure that only authenticated wireless terminals can connect to the network.

Involved Products and Versions

Product Type              Product Name              Version
------------------------  ------------------------  ------------
Agile Controller-Campus   Agile Controller-Campus   V100R003C00
WLAN AC                   AC6605                    V200R006C20
Access switch             S2750EI                   V200R008C00
Aggregation switch        S5720HI                   V200R008C00

Networking Requirements

A company has about 1000 employees and needs to deploy an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network.

The company has the following requirements:
  • The authentication operations must be simple. The authentication system only performs access authorization and does not require any client software on user terminals.
  • A unified identity authentication mechanism is used to authenticate all terminals attempting to connect to the campus network and deny access from unauthorized terminals.
  • Employees can connect only to public servers (such as the DHCP and DNS servers) of the company before authentication, and can connect to both the intranet and Internet after being authenticated.
  • If authenticated employees leave the wireless coverage area and return within a certain period (for example, 60 minutes), they can connect to the wireless network directly, without entering their user names and passwords again. This keeps the network access experience of employees smooth.
  • Guests can connect only to public servers (such as the DHCP and DNS servers) of the company before authentication, and can connect only to the Internet after being authenticated.
  • Different authentication pages are pushed to employees and guests.
Figure 1-2  Networking of Portal authentication for wireless users

Requirement Analysis

  • The company has no specific requirement on terminal security check and requires simple operations, without a need to install authentication clients on wireless terminals. Considering the networking and requirements of the company, Portal authentication can be used on the campus network.
  • Tunnel forwarding is recommended for packets exchanged between the AC and APs, because this mode ensures that all wireless user traffic passes through the AC for unified control.
  • To implement interworking on the network, configure VLANs according to the following plan:
    • Add employees to VLAN 100 and guests to VLAN 101 to isolate employees from guests.
    • Use VLAN 10 as the mVLAN of the APs.
    • Add GE0/0/1, GE0/0/2, and GE0/0/3 of the access switch S2750EI to VLAN 10 so that these interfaces can transparently transmit packets of APs' mVLAN.
    • On the aggregation switch S5720HI, add GE0/0/1 to mVLAN 10, GE0/0/3 to mVLAN 10 and service VLANs 100 and 101, and GE0/0/2 to service VLANs 100 and 101. In this way, these interfaces transparently transmit packets of the corresponding VLANs as required.
    • Add GE0/0/1 of the AC to mVLAN 10 and service VLANs 100 and 101 so that the AC can transparently transmit packets of these VLANs.
  • Employees and guests are all authenticated on the web pages pushed by the Portal server. You need to configure different ACL rules to control access rights of employees and guests.
  • Different SSIDs need to be configured for employees and guests so that different authentication pages can be pushed to them based on their SSIDs.
  • Enable MAC address-prioritized Portal authentication so that employees can reconnect to the wireless network without re-entering their user names and passwords when they leave and re-enter the wireless coverage area within a given period (60 minutes for example).

    MAC address-prioritized Portal authentication is a function provided by the AC. When a terminal needs to be authenticated, the AC first sends the terminal's MAC address to the authentication server (the Agile Controller-Campus, which is also the RADIUS server) for MAC address authentication. If that fails, the Portal server pushes the Portal authentication page to the terminal and the user enters an account and password. During the terminal's first successful Portal authentication, the RADIUS server caches the terminal's MAC address together with the SSID it associated with. If the terminal disconnects and reconnects within the MAC address validity period, the RADIUS server looks up the terminal's SSID and MAC address in the cache and authenticates the terminal without pushing the page again. Because a MAC address can be cloned by another station, this cache extends trust to an unauthenticated identifier for the whole validity period; keep the period as short as the user experience allows.
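
    The decision sequence described above, modelled in Python as an added illustration (this is not Huawei's implementation): the AC first tries MAC address authentication against a cache of (SSID, MAC) entries learned at the terminal's first successful Portal login; a hit inside the validity period admits the terminal without a Portal page, a miss falls back to Portal authentication. The 60-minute validity period is taken from the requirement; the cache layout, the function names, the constructed MAC address and timestamps, and the choice not to refresh an entry on a hit are assumptions of this model.

```python
"""Model of MAC address-prioritized Portal authentication (added illustration,
not Huawei code). Assumptions: a (SSID, MAC) cache with a fixed validity
period, entries not refreshed on a hit, constructed MAC and timestamps."""
from dataclasses import dataclass, field

VALIDITY_SECONDS = 60 * 60  # MAC address validity period: 60 minutes, as in the requirement


@dataclass
class MacCache:
    # (ssid, mac) -> absolute expiry time. Keyed on SSID as well, because the
    # server looks up SSID and MAC together when the terminal reconnects.
    entries: dict = field(default_factory=dict)

    def lookup(self, ssid: str, mac: str, now: float) -> bool:
        expiry = self.entries.get((ssid, mac))
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[(ssid, mac)]  # stale entry: the user must log in again
            return False
        return True

    def learn(self, ssid: str, mac: str, now: float) -> None:
        self.entries[(ssid, mac)] = now + VALIDITY_SECONDS


def authenticate(cache: MacCache, ssid: str, mac: str, portal_login_ok: bool, now: float) -> str:
    """Admission decision for one association attempt.

    Returns "mac" when admitted by MAC address authentication (no page pushed),
    "portal" when admitted after the user logged in on the Portal page, or
    "denied" when MAC authentication missed and no valid Portal login followed.
    `portal_login_ok` stands in for the account/password check done by the server.
    """
    mac = mac.lower()                     # normalise the identifier before caching
    if cache.lookup(ssid, mac, now):
        return "mac"
    if portal_login_ok:
        cache.learn(ssid, mac, now)       # first successful login populates the cache
        return "portal"
    return "denied"


def scenario() -> list:
    """Walk one employee terminal through the cases the requirement describes."""
    cache = MacCache()
    t0 = 1_700_000_000                    # constructed start time (epoch seconds)
    mac = "60DE-4476-E3AA"                # constructed station MAC address
    return [
        authenticate(cache, "employee", mac, True,  t0),            # first login: Portal page
        authenticate(cache, "employee", mac, False, t0 + 30 * 60),  # back within 60 min: no page
        authenticate(cache, "guest",    mac, False, t0 + 31 * 60),  # other SSID: cache is per SSID
        authenticate(cache, "employee", mac, False, t0 + 61 * 60),  # period elapsed: page again
        authenticate(cache, "employee", mac, True,  t0 + 62 * 60),  # logs in, cache re-learned
    ]


if __name__ == "__main__":
    print(scenario())  # ['portal', 'mac', 'denied', 'denied', 'portal']
```

    The second case is also exactly what any station presenting the cached MAC address would receive during the validity period, which is why the period should be kept short.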

VLAN Plan

Table 1-5  Wireless VLAN plan

VLAN ID   Function
-------   --------------------------
10        mVLAN for wireless access
100       Service VLAN for employees
101       Service VLAN for guests

Network Data Plan

Table 1-6  Wireless network data plan

Access switch S2750EI
  • GE0/0/1: VLAN 10. Connected to the AP in the guest area.
  • GE0/0/2: VLAN 10. Connected to the S5720HI.
  • GE0/0/3: VLAN 10. Connected to the AP in the employee area.

Aggregation switch S5720HI
  • GE0/0/1: VLAN 10. Connected to the access switch.
  • GE0/0/2: VLAN 100 and VLAN 101. Uplink interface connected to the core router; only packets of the service VLANs pass through.
  • GE0/0/3: VLAN 10, VLAN 100, and VLAN 101. Connected to the AC. The AC communicates with the uplink device through the service VLANs and with the downlink device through the mVLAN.

AC6605
  • GE0/0/1: VLAN 10, VLAN 100, and VLAN 101. The AC communicates with the uplink device through the service VLANs and with the downlink device through the mVLAN.
  • VLANIF 10: 10.10.10.254/24. Gateway for APs.

Core router
  • GE1/0/1: 172.16.21.254/24
  • Sub-interface GE1/0/1.1: 172.20.0.1/16. Gateway for employees.
  • Sub-interface GE1/0/1.2: 172.21.0.1/16. Gateway for guests.

Servers
  • DNS server: 192.168.11.1
  • Agile Controller-Campus: 192.168.11.10
  • AD server: 192.168.11.100
  • DHCP server: 192.168.11.2
    • Employee: IP address pool 172.20.0.0/16; DNS server 192.168.11.1
    • Guest: IP address pool 172.21.0.0/16; DNS server 192.168.11.1
  • Service system: 192.168.11.200

Service Data Plan

Table 1-7  Portal service data plan

RADIUS
  • RADIUS server: Agile Controller-Campus server
  • RADIUS client: AC
  • Authentication key: Admin@123
  • Accounting key: Admin@123
  • Real-time accounting interval: 15 minutes
  • Authentication port: 1812
  • Accounting port: 1813

  The access control device (the AC) and the Agile Controller-Campus function as the RADIUS client and server respectively. The authentication, authorization, and accounting keys and the accounting interval must be the same on the AC and the Agile Controller-Campus. The Agile Controller-Campus uses ports 1812 and 1813 for authentication and accounting respectively. Admin@123 is an example value; in production use long random keys, and do not reuse the RADIUS key as the Portal key.

Portal
  • Portal server: Agile Controller-Campus server with domain name access.example.com
  • Portal key: Admin@123
  • Portal server port: 50200
  • Port on the authentication control device for associating with the Portal server: 2000

  When Portal pages are pushed using a domain name, the Agile Controller-Campus server's domain name is required. The Agile Controller-Campus functioning as the Portal server listens on port 50200. When a Huawei switch or AC functions as the authentication control device, it uses port 2000 by default to associate with the Portal server.

Pre-authentication domain
  • DNS server, Agile Controller-Campus, AD server, and DHCP server

Post-authentication domain for employees
  • Service system and Internet

Post-authentication domain for guests
  • Internet

Configuration Roadmap

  1. Configure the access switch, aggregation switch, and AC to implement interworking on the network.
  2. On the AC, configure a RADIUS server template, configure authentication, accounting, and authorization schemes in the template, and specify the IP address of the Portal server. In this way, the AC can communicate with the RADIUS server and Portal server to perform MAC address-prioritized Portal authentication for employees.
  3. Add the AC to the Service Manager and configure parameters for the AC to ensure that the Agile Controller-Campus can manage the AC.
  4. Configure authentication and authorization rules to grant different network access rights to the authenticated employees and guests.
  5. Customize different authentication pages for employees and guests, and configure Portal page push rules to ensure that different web pages are pushed to employees and guests.

Prerequisites

You have configured a sub-interface, assigned an IP address to the sub-interface, and enabled DHCP relay on the core router to enable terminals to automatically obtain IP addresses from the DHCP server on a different network segment.

Procedure

  1. [Device] Configure the access switch to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S2700
    [S2700] vlan 10   
    [S2700-vlan10] quit   
    [S2700] interface gigabitethernet 0/0/3  
    [S2700-GigabitEthernet0/0/3] port link-type trunk
    [S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
    [S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
    [S2700-GigabitEthernet0/0/3] quit
    [S2700] interface gigabitethernet 0/0/1  
    [S2700-GigabitEthernet0/0/1] port link-type trunk
    [S2700-GigabitEthernet0/0/1] port trunk pvid vlan 10
    [S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [S2700-GigabitEthernet0/0/1] quit
    [S2700] interface gigabitethernet 0/0/2  
    [S2700-GigabitEthernet0/0/2] port link-type trunk
    [S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
    [S2700-GigabitEthernet0/0/2] quit

  2. [Device] Configure the aggregation switch to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S5700
    [S5700] vlan batch 10 100 101   
    [S5700] interface gigabitethernet 0/0/1  
    [S5700-GigabitEthernet0/0/1] port link-type trunk  
    [S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 
    [S5700-GigabitEthernet0/0/1] quit
    [S5700] interface gigabitethernet 0/0/2  
    [S5700-GigabitEthernet0/0/2] port link-type trunk
    [S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
    [S5700-GigabitEthernet0/0/2] quit
    [S5700] interface gigabitethernet 0/0/3  
    [S5700-GigabitEthernet0/0/3] port link-type trunk
    [S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100 101  
    [S5700-GigabitEthernet0/0/3] quit

  3. [Device] Configure the AC to ensure network connectivity.

    # Add GE0/0/1 connected to the aggregation switch to mVLAN 10 and service VLANs 100 and 101.

    <HUAWEI> system-view
    [HUAWEI] sysname AC
    [AC] vlan batch 10 100 101
    [AC] interface gigabitethernet 0/0/1  
    [AC-GigabitEthernet0/0/1] port link-type trunk
    [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 101
    [AC-GigabitEthernet0/0/1] quit

    # Configure the AC to assign IP addresses to APs from an interface address pool.

    [AC] dhcp enable   
    [AC] interface vlanif 10
    [AC-Vlanif10] ip address 10.10.10.254 24
    [AC-Vlanif10] dhcp select interface
    [AC-Vlanif10] quit

    # Configure a default route that the AC uses to communicate with the server. Packets are forwarded to the core router by default.

    [AC] ip route-static 0.0.0.0 0 172.16.21.254

  4. [Device] Configure the AP to go online.

    NOTE:

    If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.

    1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
    2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address for the AC.

    # Create an AP group to which APs with the same configuration can be added.

    [AC] wlan
    [AC-wlan-view] ap-group name employee  //Configure an AP group for employees.
    [AC-wlan-ap-group-employee] quit
    [AC-wlan-view] ap-group name guest  //Configure an AP group for guests.
    [AC-wlan-ap-group-guest] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulatory-domain-prof-domain1] country-code cn
    [AC-wlan-regulatory-domain-prof-domain1] quit
    [AC-wlan-view] ap-group name employee
    [AC-wlan-ap-group-employee] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-employee] quit
    [AC-wlan-view] ap-group name guest
    [AC-wlan-ap-group-guest] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-guest] quit
    [AC-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 10
    

    # Import the AP offline on the AC and add the AP to the AP group. This example assumes that the AP type is AP6010DN-AGN, the MAC address of AP_0 serving the employee area is 60de-4476-e360, and the MAC address of AP_1 serving the guest area is 60de-4476-e380.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name ap_0
    [AC-wlan-ap-0] ap-group employee
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio. Whether to continue? [Y/N]:y
    [AC-wlan-ap-0] quit
    [AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
    [AC-wlan-ap-1] ap-name ap_1
    [AC-wlan-ap-1] ap-group guest
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio. Whether to continue? [Y/N]:y
    [AC-wlan-ap-1] quit
    [AC-wlan-view] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.

    [AC] display ap all
    Total AP information:
    nor  : normal          [2]
    -------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    -------------------------------------------------------------------------------------
    0    60de-4476-e360 ap_0   employee  10.10.10.252  AP6010DN-AGN    nor   0   10S
    1    60de-4476-e380 ap_1   guest     10.10.10.253  AP6010DN-AGN    nor   0   20S
    -------------------------------------------------------------------------------------
    Total: 2

  5. [Device] Configure interconnection parameters for the AC and RADIUS server as well as the AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.

    Figure 1-3  Configuration flow for Portal authentication service

    # Configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.

    [AC] radius-server template radius_template  //The template name must match the one referenced by test-aaa and by the authentication profiles below.
    [AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254  
    [AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
    [AC-radius-radius_template] radius-server shared-key cipher Admin@123
    [AC-radius-radius_template] radius-server user-name original  //Configure the AC to send the user names entered by users to the RADIUS server.  
    [AC-radius-radius_template] quit
    [AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123  
    [AC] aaa  
    [AC-aaa] authentication-scheme auth_scheme  //Authentication scheme
    [AC-aaa-authen-auth_scheme] authentication-mode radius  //Set the authentication scheme to RADIUS.
    [AC-aaa-authen-auth_scheme] quit
    [AC-aaa] accounting-scheme acco_scheme  //Accounting scheme
    [AC-aaa-accounting-acco_scheme] accounting-mode radius  //Set the accounting scheme to RADIUS.
    [AC-aaa-accounting-acco_scheme] accounting realtime 15  
    [AC-aaa-accounting-acco_scheme] quit
    [AC-aaa] quit
    
    NOTE:

    The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set a real-time accounting interval based on the user quantity.

    Table 1-8  Accounting interval

    User Quantity    Real-Time Accounting Interval
    -------------    -----------------------------
    1 to 99          3 minutes
    100 to 499       6 minutes
    500 to 999       12 minutes
    ≥ 1000           ≥ 15 minutes

    # Check whether a user can use a RADIUS template for authentication. (User name test and password Admin_123 have been configured on the RADIUS server.)

    [AC] test-aaa test Admin_123 radius-template radius_template pap
    Info: Account test succeed.
    # Configure the Portal server.
    1. Configure the URL of the Portal authentication page. When a user attempts to access a website before authentication, the AC redirects the request to this URL on the Portal server.

      You are advised to configure the URL using a domain name to ensure secure and fast page pushing. Before configuring the URL using a domain name, you must first configure the mapping between the domain name and the IP address of the Agile Controller-Campus server on the DNS server. Note that the URL in this example uses plain HTTP: the account and password entered on the Portal page travel over that connection, so use an https:// URL (with a certificate the terminals trust) wherever the Portal server supports it.

      [AC] url-template name huawei
      [AC-url-template-huawei] url http://access.example.com:8080/portal  //access.example.com is the host name of the Portal server.
    2. Configure parameters carried in the URL, which must be the same as those on the authentication server.

      [AC-url-template-huawei] url-parameter ssid ssid redirect-url url  //Specify the names of the parameters carried in the URL. The parameter names must be the same as those on the authentication server.
      //The first ssid means the URL carries the SSID field; the second ssid is the parameter name used for it.
      //For example, with ssid ssid configured, the URL the user is redirected to contains ssid=guest, where ssid is the parameter name and guest is the SSID the user associated with.
      //The second ssid is only the parameter name and must not be replaced with an actual SSID.
      //redirect-url url carries the URL the user originally requested under the parameter name url. The same parameter name must be configured on the Portal server so that it knows where to send the user after authentication.
      [AC-url-template-huawei] quit
    3. Specify the port number used to process Portal protocol packets. The default port number is 2000. If you change the port number on the AC, set the same port number when you add this AC to the Agile Controller-Campus.

      [AC] web-auth-server listening-port 2000
    4. Configure a Portal server template, including configuring the IP address and port number of the Portal server.

      Set the destination port number in the packets sent to the Portal server to 50200. The Portal server accepts packets with destination port 50200, but the AC uses port 50100 to send packets to the Portal server by default. Therefore, you must change the port number to 50200 on the AC so that the AC can communicate with the Portal server.

      [AC] web-auth-server portal_huawei
      [AC-web-auth-server-portal_huawei] server-ip 192.168.11.10  //IP address for the Portal server.
      [AC-web-auth-server-portal_huawei] source-ip 10.10.10.254  //The IP address that the AC uses to communicate with the Portal server.
      [AC-web-auth-server-portal_huawei] port 50200  //Set the destination port number in the packets sent to the Portal server to 50200.
    5. Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server. In addition, enable the AC to transmit encrypted URL parameters to the Portal server.

      [AC-web-auth-server-portal_huawei] shared-key cipher Admin@123  //Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
      [AC-web-auth-server-portal_huawei] url-template huawei  //Bind the URL template to the Portal server profile.
      
    6. Enable the Portal server detection function.

      After the Portal server detection function is enabled in the Portal server template, the device detects all Portal servers configured in the template. If the number of consecutive failed detections of a Portal server exceeds the upper limit (max-times), the status of that Portal server changes from Up to Down. If the number of Portal servers in Up state is less than or equal to the minimum number (critical-num), the device performs the configured action so that the administrator learns the real-time Portal server status. The detection interval cannot be shorter than 15s, and the recommended value is 100s. The action configured here only logs the event; the network access granted to users while the Portal server is Down is configured separately in the Portal access profile (see the Portal survival configuration below).

      [AC-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 0 action log
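
    The redirect URL that the url-template and url-parameter steps above produce, together with the checks the Portal server should apply to it, as an added Python illustration (not Huawei or Agile Controller code). It assumes the AC appends the parameters named by `url-parameter ssid ssid redirect-url url` to the template URL as a percent-encoded query string (the exact encoding the AC uses is not shown on the page), and the post-login fallback page and the per-SSID page file names are assumed values. The point of the Portal-side function is that the `url` value is the user's own request and must be treated as untrusted input before the server redirects to it.

```python
"""Redirect URL built from url-template huawei, and Portal-side handling
(added illustration, not Huawei or Agile Controller code). Assumed: query
string encoding, the fallback page path and the per-SSID page names."""
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL_URL = "http://access.example.com:8080/portal"   # url configured in url-template huawei
SSID_PARAM = "ssid"                                     # second "ssid" in url-parameter ssid ssid
URL_PARAM = "url"                                       # "url" in url-parameter redirect-url url
FALLBACK_TARGET = PORTAL_URL + "/success"               # assumed post-login page


def build_redirect(ssid: str, requested_url: str) -> str:
    """URL the AC places in its redirect when an unauthenticated station
    requests a page that no free rule permits."""
    query = urlencode({SSID_PARAM: ssid, URL_PARAM: requested_url})
    return f"{PORTAL_URL}?{query}"


def parse_portal_request(redirect_url: str):
    """Portal-server side: recover the SSID (to pick the page to push) and
    the original URL (to return the user there after login)."""
    params = parse_qs(urlsplit(redirect_url).query)
    return params.get(SSID_PARAM, [None])[0], params.get(URL_PARAM, [None])[0]


def page_for(ssid: str) -> str:
    """Page selection from the requirement: a different page per SSID
    (file names are assumed)."""
    pages = {"employee": "employee_login.html", "guest": "guest_login.html"}
    return pages.get(ssid, "default_login.html")


def post_login_target(original_url) -> str:
    """Decide where the Portal sends the user after a successful login.

    Only absolute http(s) URLs with a host are honoured. A missing value, a
    javascript:/data: scheme or a protocol-relative //host form falls back to
    a fixed page, so a crafted link cannot make the Portal redirect the
    freshly logged-in user to a script URL.
    """
    if not original_url:
        return FALLBACK_TARGET
    parts = urlsplit(original_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return FALLBACK_TARGET
    return original_url


if __name__ == "__main__":
    # Constructed request from a guest terminal before authentication.
    redirect = build_redirect("guest", "http://www.example.org/news?id=1&x=y")
    ssid, original = parse_portal_request(redirect)
    print(redirect)
    print(page_for(ssid), "->", post_login_target(original))
```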

    # Enable the Portal authentication quiet period function. With this function enabled, the AC drops packets of an authentication user during the quiet period if the user fails Portal authentication for the specified number of times in 60 seconds. This function protects the AC from overloading caused by frequent authentication.

    [AC] portal quiet-period
    [AC] portal quiet-times 5  //Set the number of Portal authentication failures within 60 seconds after which the user is placed in quiet state.
    [AC] portal timer quiet-period 240  //Set the quiet period to 240 seconds.

    # Create a Portal access profile, and bind the Portal server template to it.

    In this example, different Portal survival solutions need to be configured for employees and guests respectively. Therefore, configure two Portal access profiles.

    [AC] portal-access-profile name acc_portal_employee  //Create a Portal access profile for employees.
    [AC-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei direct  //Configure the Portal server template used by the Portal access profile. If the network between end users and the AC is a Layer 2 network, configure the direct mode; if the network is a Layer 3 network, configure the layer3 mode.
    [AC-portal-access-profile-acc_portal_employee] quit
    [AC] portal-access-profile name acc_portal_guest  //Create a Portal access profile for guests.
    [AC-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct 
    [AC-portal-access-profile-acc_portal_guest] quit
    

    # Create a MAC access profile so that MAC address-prioritized Portal authentication is performed on employees.

    [AC] mac-access-profile name acc_mac
    [AC-mac-access-profile-acc_mac] quit

    # Configure pre-authentication and post-authentication access rules for employees and guests.

    [AC] free-rule-template name default_free_rule 
    [AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255  //Configure a Portal authentication-free rule to allow users to connect to the DNS server before authentication.
    [AC-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255  //Configure a Portal authentication-free rule to allow users to connect to the AD server before authentication.
    [AC-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255  //Configure a Portal authentication-free rule to allow users to connect to the DHCP server before authentication.
    [AC-free-rule-default_free_rule] quit
    
    [AC] acl 3001  //Configure the post-authentication domain for employees, including the intranet and Internet.
    [AC-acl-adv-3001]  rule 5 permit ip
    [AC-acl-adv-3001]  quit
    [AC] acl 3002  //Configure the post-authentication domain for guests (Internet only).
    [AC-acl-adv-3002]  rule 5 deny ip destination 192.168.11.200 0.0.0.0  //192.168.11.200 is the service system IP address and must not be accessible to guests. The second value in an ACL rule is a wildcard (0 = bit must match, 1 = bit ignored), so 0.0.0.0 selects exactly this host; a wildcard of 255.255.255.255 would match every destination and deny all guest traffic.
    [AC-acl-adv-3002]  rule 10 permit ip  //Everything else is permitted, so as written guests can still reach the other servers on 192.168.11.0/24 and the employee segment 172.20.0.0/16. Add deny rules for those ranges before this one if guests must be limited to the Internet.
    [AC-acl-adv-3002]  quit
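
    An added check of the free rules and ACLs above, written in Python (this is not Huawei code). It models the two matching conventions that appear in the configuration: a free-rule takes a subnet mask (`mask 255.255.255.255` selects one host), whereas an ACL rule takes a wildcard in which a 1 bit means "ignore this bit" (`0.0.0.0` selects one host, `255.255.255.255` matches every address). Rules are evaluated in order and the first match wins; the Internet address 198.51.100.7 is constructed from a documentation range, and the `blocked` outcome stands for the AC dropping a pre-authentication packet or, for HTTP, redirecting it to the Portal. What the device does when no ACL rule matches is not modelled, which does not matter here because both ACLs end in permit ip.

```python
"""Evaluation of the pre- and post-authentication rules (added check, not
Huawei code). Assumed: first-match evaluation, a constructed Internet host,
and no modelling of the device default when no ACL rule matches."""
import ipaddress

FREE_RULES = [  # free-rule-template default_free_rule: (destination, mask)
    ("192.168.11.1", "255.255.255.255"),    # DNS server
    ("192.168.11.100", "255.255.255.255"),  # AD server
    ("192.168.11.2", "255.255.255.255"),    # DHCP server
]

# ACL entries: (action, destination, wildcard); destination None means any.
ACL_3001_EMPLOYEE = [("permit", None, None)]
ACL_3002_GUEST = [
    ("deny", "192.168.11.200", "0.0.0.0"),   # service system, exact host
    ("permit", None, None),
]


def matches_mask(ip: str, address: str, mask: str) -> bool:
    """Free-rule semantics: address and mask describe a subnet."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{address}/{mask}", strict=False)


def matches_wildcard(ip: str, address: str, wildcard: str) -> bool:
    """ACL semantics: bits set to 1 in the wildcard are not compared."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(address)) & care)


def acl_action(acl, dst_ip: str):
    """First matching rule decides."""
    for action, address, wildcard in acl:
        if address is None or matches_wildcard(dst_ip, address, wildcard):
            return action
    return None  # no rule hit; the device default applies (not modelled)


def decide(authenticated: bool, role: str, dst_ip: str) -> str:
    """Outcome for one packet from a wireless user to dst_ip."""
    if not authenticated:
        free = any(matches_mask(dst_ip, a, m) for a, m in FREE_RULES)
        return "permit" if free else "blocked"
    acl = ACL_3001_EMPLOYEE if role == "employee" else ACL_3002_GUEST
    return acl_action(acl, dst_ip)


def review() -> dict:
    """The cases a reviewer would check against the stated requirements."""
    internet = "198.51.100.7"  # constructed Internet address (documentation range)
    return {
        "pre-auth -> DNS server": decide(False, "guest", "192.168.11.1"),
        "pre-auth -> Internet": decide(False, "guest", internet),
        "employee -> service system": decide(True, "employee", "192.168.11.200"),
        "guest -> service system": decide(True, "guest", "192.168.11.200"),
        "guest -> Internet": decide(True, "guest", internet),
        "guest -> DNS server": decide(True, "guest", "192.168.11.1"),  # permitted: not Internet-only
        "wildcard 255.255.255.255 hits Internet host": matches_wildcard(
            internet, "192.168.11.200", "255.255.255.255"),
    }


if __name__ == "__main__":
    for case, outcome in review().items():
        print(f"{case:45s} {outcome}")
```

    The "guest -> DNS server" case shows that the guest ACL as configured only removes the service system; every other intranet address remains reachable after authentication. The last case shows why a subnet mask must not be copied into an ACL rule: as a wildcard, 255.255.255.255 matches any address.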
    # Configure different authentication profiles for employees and guests respectively because MAC address-prioritized Portal authentication needs to be enabled for employees.
    [AC] authentication-profile name auth_portal_employee
    [AC-authentication-profile-auth_portal_employee] mac-access-profile acc_mac   //Enable MAC address-prioritized authentication for employees.
    [AC-authentication-profile-auth_portal_employee] portal-access-profile acc_portal_employee
    [AC-authentication-profile-auth_portal_employee] authentication-scheme auth_scheme
    [AC-authentication-profile-auth_portal_employee] accounting-scheme acco_scheme
    [AC-authentication-profile-auth_portal_employee] radius-server radius_template
    [AC-authentication-profile-auth_portal_employee] free-rule-template default_free_rule
    [AC-authentication-profile-auth_portal_employee] quit
    [AC] authentication-profile name auth_portal_guest
    [AC-authentication-profile-auth_portal_guest] portal-access-profile acc_portal_guest
    [AC-authentication-profile-auth_portal_guest] authentication-scheme auth_scheme
    [AC-authentication-profile-auth_portal_guest] accounting-scheme acco_scheme
    [AC-authentication-profile-auth_portal_guest] radius-server radius_template
    [AC-authentication-profile-auth_portal_guest] free-rule-template default_free_rule
    [AC-authentication-profile-auth_portal_guest] quit

    # Enable terminal type awareness so that the AC sends the DHCP option fields that identify the terminal type to the authentication server. The authentication server can then push the correct Portal authentication page to each user based on the terminal type.

    [AC] dhcp snooping enable
    [AC] device-sensor dhcp option 12 55 60
    # Configure Portal survival. Configure the device to grant network access rights of a user group to users when the Portal server is Down so that the users can access the post-authentication domain. In addition, configure the device to re-authenticate users when the Portal server goes Up.
    [AC] user-group group1
    [AC-user-group-group1] acl 3001  //Employees' post-authentication domain corresponding to group1.
    [AC-user-group-group1] quit
    [AC] portal-access-profile name acc_portal_employee
    [AC-portal-access-profile-acc_portal_employee] authentication event portal-server-down action authorize user-group group1  //Configure the network access permission of employees when the Portal server is Down.
    [AC-portal-access-profile-acc_portal_employee] authentication event portal-server-up action re-authen  //Enable the device to re-authenticate users when the Portal server state changes from Down to Up.
    [AC-portal-access-profile-acc_portal_employee] quit
    [AC] user-group group2
    [AC-user-group-group2] acl 3002  //Guests' post-authentication domain corresponding to group2.
    [AC-user-group-group2] quit
    [AC] portal-access-profile name acc_portal_guest
    [AC-portal-access-profile-acc_portal_guest] authentication event portal-server-down action authorize user-group group2  //Configure the network access permission of guests when the Portal server is Down.
    [AC-portal-access-profile-acc_portal_guest] authentication event portal-server-up action re-authen
    [AC-portal-access-profile-acc_portal_guest] quit

  6. [Device] Set WLAN service parameters.

    # Create the security profile security_portal. No security policy is set in it, so the default open-system policy (no link-layer authentication or encryption) applies; user authentication is performed by the Portal instead. Traffic on these SSIDs is therefore not encrypted over the air, which is another reason to push the Portal page over HTTPS.

    [AC] wlan
    [AC-wlan-view] security-profile name security_portal
    [AC-wlan-sec-prof-security_portal] quit

    # Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to employee and guest respectively.

    [AC-wlan-view] ssid-profile name wlan-ssid-employee
    [AC-wlan-ssid-prof-wlan-ssid-employee] ssid employee
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-ssid-prof-wlan-ssid-employee] quit
    [AC-wlan-view] ssid-profile name wlan-ssid-guest
    [AC-wlan-ssid-prof-wlan-ssid-guest] ssid guest
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-ssid-prof-wlan-ssid-guest] quit

    # Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data forwarding mode and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.

    [AC-wlan-view] vap-profile name wlan-vap-employee
    [AC-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
    [AC-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
    [AC-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
    [AC-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal_employee  //Bind the authentication profile of employees.
    [AC-wlan-vap-prof-wlan-vap-employee] quit
    [AC-wlan-view] vap-profile name wlan-vap-guest
    [AC-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 101
    [AC-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
    [AC-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
    [AC-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal_guest   //Bind the authentication profile of guests.
    [AC-wlan-vap-prof-wlan-vap-guest] quit

    # Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of the AP.

    [AC-wlan-view] ap-group name employee
    [AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
    [AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
    [AC-wlan-ap-group-employee] quit
    [AC-wlan-view] ap-group name guest
    [AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 0
    [AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 1
    [AC-wlan-ap-group-guest] quit

  7. [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile Controller-Campus to manage the AC.
    1. Choose Resource > Device > Device Management.
    2. Click Add.
    3. Configure parameters for the AC.

      Parameter | Value | Description
      Name | AC | -
      IP address | 10.10.10.254 | The AC1 interface with this IP address must be able to communicate with the Agile Controller-Campus.
      Authentication key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the AC.
      Accounting key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the AC.
      Real-time accounting interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the AC.
      Port | 2000 | This is the port that the AC uses to communicate with the Portal server. Retain the default value.
      Portal key | Admin@123 | It must be the same as the Portal key configured on the AC.
      Access terminal IP list | 172.20.0.0/16; 172.21.0.0/16 | You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, and the terminal login fails.
      Enable heartbeat between access device and Portal server | Select | The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device.
      Portal server IP list | 192.168.11.10

    4. Click OK.
  8. [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile Controller-Campus can authorize users through the SSIDs.
    1. Choose Policy > Permission Control > Policy Element > SSID.
    2. Click Add and add SSIDs for employees and guests.

      The SSIDs must be the same as those configured on the AC.

  9. [Agile Controller-Campus] Configure authentication and authorization.
    1. Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create an authentication rule.

      Add the AD server to Data Source. By default, an authentication rule takes effect only on the local data source. If the AD server is not added as a data source, AD accounts will fail to be authenticated.

    2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and add authorization ACLs for employees and guests.

      The ACL numbers must be the same as those configured on the authentication control device.

    3. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and bind the authorization result to specify resources accessible to employees and guests after successful authentication.

    4. Modify the default authorization rule by changing the authorization result to Deny Access.

      Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click on the right of Default Authorization Rule. Change the value of Authorization Result to Deny Access.

  10. [Agile Controller-Campus] Customize a Portal authentication page for employees.
    1. Choose Policy > Permission Control > Page Customization > Page Customization.
    2. Choose System-Membership Authentication Template and click Create Page.
    3. Configure basic information about the authentication page.

      Parameter | Value | Description
      Customize page name | Authentication page for employee | -
      Page Title | Web | This web title will be displayed on the authentication page.
      Enable Self-register | Deselected | -

    4. Click OK.

      Employees do not need to log in using mobile phones and can therefore skip this step.

    5. Click Next. Set Authentication Page, Authentication Success Page, and User Notice Page.

    6. After completing the configuration, click Release.
  11. [Agile Controller-Campus] Customize a Portal authentication page for guests.
    1. Choose Policy > Permission Control > Page Customization > Page Customization.
    2. Choose System-SMS Authentication Template and click Create Page.
    3. Configure basic information about the page.

      Parameter | Value | Description
      Customize page name | Authentication page for guest | -
      Page title | Web | This web title will be displayed on the authentication page.
      Enable Self-register | Selected | -
      Guest account policy | Self-registration_password through phones_valid for 8 hours | -

    4. Click OK. Set Authentication Page, Authentication Success Page, User Notice Page, Registration Page, and Registration Success Page.

    5. Click Next to set the PC authentication pages.

    6. After completing the configuration, click Release.
  12. [Agile Controller-Campus] Configure Portal page push rules to ensure that different authentication pages are pushed to employees and guests.
    1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.
    2. Click Add.
    3. Configure a Portal page push rule for employees and click OK.

      Parameter | Value | Description
      Name | push rule for employee | -
      User-defined parameters | ssid=employee | For details about User-defined parameters, see Defining a Redirection Rule for the Portal Page.
      Pushed page | Select the authentication page configured in step 10. | The Service Manager automatically saves each page in an independent folder.
      First page to push | Authentication | -
      URL | Retain the default value. | -
      Page displayed after successful authentication | Continue to visit the original page | The original page before authentication is automatically displayed after authentication succeeds.

    4. Configure the push rule for guests in the same way (with User-defined parameters set to the guest SSID and Pushed page set to the page configured in step 11) and click OK.

    5. Click OK.
  13. [Agile Controller-Campus] Enable MAC address-prioritized Portal authentication on the Agile Controller-Campus.
    1. Choose System > Terminal Configuration > Global Parameters > Access Management.
    2. On the MAC Address-prioritized Portal Authentication tab page, enable MAC Address-prioritized Portal Authentication and set Mac Address-Prioritized Portal Authentication to 60 minutes.

    3. Click OK.
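The Access terminal IP list in step 7 is where a Portal login silently fails if the service VLAN address pools are not covered: the Portal server has the correct credentials but cannot map the terminal's IP address to an access control device. The following is an added example, not Huawei code or any Agile Controller-Campus API, that models that lookup with Python's standard ipaddress module. The device names, the second device "AC-branch" and the service VLAN pools are constructed for the example; only the 172.20.0.0/16 and 172.21.0.0/16 ranges come from the configuration above.

```python
import ipaddress

# Constructed sample data (not from the page's controller): each access control
# device with the "Access terminal IP list" configured for it in the Service
# Manager. "AC" mirrors step 7; "AC-branch" is a hypothetical second device.
ACCESS_TERMINAL_IP_LISTS = {
    "AC": ["172.20.0.0/16", "172.21.0.0/16"],
    "AC-branch": ["172.30.0.0/16"],
}

# Constructed sample: address pools handed out on the service VLANs (VLAN 100
# for employees, VLAN 101 for guests). The pool for VLAN 102 is deliberately
# left out of every access terminal IP list to show the failure mode.
SERVICE_VLAN_POOLS = {
    100: "172.20.0.0/24",
    101: "172.21.0.0/24",
    102: "172.22.0.0/24",
}


def build_lookup_table(ip_lists):
    """Flatten the per-device lists into (network, device) pairs."""
    table = []
    for device, cidrs in ip_lists.items():
        for cidr in cidrs:
            table.append((ipaddress.ip_network(cidr, strict=True), device))
    return table


def find_access_device(table, terminal_ip):
    """Return the device whose list contains terminal_ip, or None.

    This mirrors what the Portal server does after the user submits
    credentials: it locates an access control device by the terminal's IP.
    """
    ip = ipaddress.ip_address(terminal_ip)
    for network, device in table:
        if ip in network:
            return device
    return None


def portal_login_outcome(table, terminal_ip):
    """Summarise the login result the guide describes for a terminal IP."""
    device = find_access_device(table, terminal_ip)
    if device is None:
        return "login fails: no access control device covers %s" % terminal_ip
    return "login proceeds via %s" % device


def uncovered_pools(table, pools):
    """Return service VLAN IDs whose address pool is not fully inside one
    device's access terminal IP list. Clients from these pools fail Portal
    login even with correct credentials."""
    missing = []
    for vlan_id, cidr in pools.items():
        pool = ipaddress.ip_network(cidr, strict=True)
        if not any(pool.subnet_of(network) for network, _ in table):
            missing.append(vlan_id)
    return missing


def overlapping_ranges(table):
    """Return pairs of devices whose access terminal IP ranges overlap.
    An overlap makes the device lookup ambiguous for addresses in the
    shared range."""
    clashes = []
    for i, (net_a, dev_a) in enumerate(table):
        for net_b, dev_b in table[i + 1:]:
            if dev_a != dev_b and net_a.overlaps(net_b):
                clashes.append((dev_a, dev_b, str(net_a), str(net_b)))
    return clashes


if __name__ == "__main__":
    table = build_lookup_table(ACCESS_TERMINAL_IP_LISTS)
    for ip in ("172.20.5.7", "172.30.1.1", "172.22.0.9"):
        print(ip, "->", portal_login_outcome(table, ip))
    print("VLANs with uncovered pools:", uncovered_pools(table, SERVICE_VLAN_POOLS))
    print("overlapping ranges:", overlapping_ranges(table))
```

Running the script shows 172.22.0.9 (VLAN 102 in the constructed data) failing the lookup, which is the login failure described in step 7, and uncovered_pools reports VLAN 102 before any user hits it. Feeding the same function the real service VLAN pools and the lists configured for every access control device is a quick pre-deployment check; overlapping_ranges catches the opposite mistake of two devices claiming the same range.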

Verification

If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration must be completed for the browser. Otherwise, the Portal authentication page cannot be displayed.
  1. Choose Tools > Internet Options.
  2. Select the options related to Use TLS on the Advanced tab.
  3. Click OK.

Item: Employee authentication

Expected result:
  • Before authentication, employees can access only the Agile Controller-Campus server, DNS server, AD server, and DHCP server.
  • When an employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet or the service system, the employee authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
  • After employees are successfully authenticated, they can access the Internet and the service system.
  • After the authentication succeeds, run the display access-user command on the AC. The command output shows that the employee account is online.
  • On the Service Manager, choose Resource > User > Online User Management; the employee account is displayed in the list of online users.
  • On the Service Manager, choose Resource > User > RADIUS Log; the RADIUS authentication log for the employee account is displayed.

Item: Guest authentication

Expected result:
  • Before authentication, guests can access only the Agile Controller-Campus server, DNS server, and DHCP server.
  • When a guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the Mobile Phone authentication page is pushed to the mobile phone. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
  • When a guest connects to the Wi-Fi hotspot guest using a laptop or tablet, the PC/Pad authentication page is pushed to the laptop or tablet. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
  • After guests are successfully authenticated using the accounts registered with their mobile numbers, they can access the Internet but not the service system.
  • After the authentication succeeds, run the display access-user command on the AC. The command output shows that the guest account is online.
  • On the Service Manager, choose Resource > User > Online User Management; the guest account is displayed in the list of online users.
  • On the Service Manager, choose Resource > User > RADIUS Log; the RADIUS authentication log for the guest account is displayed.

Summary and Suggestions

  • The authentication key, accounting key, and Portal key must be kept consistent on the AC and Agile Controller-Campus. The URL encryption key and accounting interval set on the Agile Controller-Campus must also be the same as those on the AC.

  • Authorization rules and Portal page push rules are matched in descending order of priority (ascending order of rule numbers). Once a user's authorization condition or Portal push condition matches a rule, the Agile Controller-Campus does not check the subsequent rules. Therefore, it is recommended that you assign higher priorities to rules with more precise conditions and lower priorities to rules with broader (fuzzy) conditions, so that a general rule cannot shadow a specific one.

  • The RADIUS accounting function is configured on the AC so that the Agile Controller-Campus can obtain online user information by exchanging accounting packets with the AC. The Agile Controller-Campus does not provide a real (billing) accounting function. If accounting is required, use a third-party accounting server.
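The first-match semantics in the second point above decide which ACL a user is authorized with and which Portal page is pushed, so a misordered catch-all rule can grant every SSID the same result. The following is an added example, not Huawei code or any Agile Controller-Campus API, that models that evaluation in Python for authorization rules; push rules such as the ssid=employee rule from step 12 are evaluated the same way and can be checked with the same functions. The Rule class, the rule names, the condition key "ssid" and the result strings are constructed for the example; only the SSIDs and the Deny Access default come from the configuration above.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One authorization rule or Portal page push rule (constructed model).

    priority: the rule number; a smaller number is matched first.
    conditions: the matching conditions, e.g. {"ssid": "employee"}.
      An empty dict is a catch-all (fuzzy) rule.
    result: the authorization result or the page to push.
    """
    name: str
    priority: int
    conditions: dict = field(default_factory=dict)
    result: str = ""


def first_match(rules, attributes):
    """Evaluate rules in ascending rule number (descending priority) and
    return the first one whose conditions all hold; later rules are never
    examined, which is the controller behaviour described above."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if all(attributes.get(k) == v for k, v in rule.conditions.items()):
            return rule
    return None


def resolve(rules, attributes):
    """Return the result string for a request, or None if nothing matches."""
    rule = first_match(rules, attributes)
    return rule.result if rule else None


def shadowed_rules(rules):
    """Return names of rules that can never match because an earlier
    (higher-priority) rule has a subset of their conditions and therefore
    matches every request they would match."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if all(later.conditions.get(k) == v
                   for k, v in earlier.conditions.items()):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample rule set in the recommended order: precise SSID rules
# first, the Deny Access default (step 9) last.
GOOD_ORDER = [
    Rule("employee rule", 1, {"ssid": "employee"}, "employee authorization ACL"),
    Rule("guest rule", 2, {"ssid": "guest"}, "guest authorization ACL"),
    Rule("default rule", 3, {}, "Deny Access"),
]

# The same rules with the catch-all mistakenly given the highest priority.
BAD_ORDER = [
    Rule("default rule", 1, {}, "Deny Access"),
    Rule("employee rule", 2, {"ssid": "employee"}, "employee authorization ACL"),
    Rule("guest rule", 3, {"ssid": "guest"}, "guest authorization ACL"),
]


if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, "employee ->", resolve(rules, {"ssid": "employee"}))
        print(label, "guest    ->", resolve(rules, {"ssid": "guest"}))
        print(label, "shadowed rules:", shadowed_rules(rules))
```

With the bad ordering every user, employees included, receives Deny Access, and shadowed_rules names both SSID rules as unreachable. Running the shadowing check against an exported rule list before changing priorities is a cheap way to catch this class of mistake; the same subset test works for push rules, where the symptom is the wrong authentication page rather than a denied session.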
Updated: 2019-03-30

Document ID: EDOC1000113779