WLAN Product Interoperation Configuration Guide

Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts)


The Service Manager can interconnect with the GooglePlus, Facebook, and Twitter authentication servers so that end users can use their social media accounts and passwords to complete authentication on the Service Manager. Authenticated users can then connect to the network.

Involved Products and Versions

| Product Type | Product Name | Version |
| --- | --- | --- |
| RADIUS Server, Portal Server | Agile Controller-Campus | V100R003C00 |

Networking Requirements

An enterprise has deployed an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network. Enterprise employees connect to the network through PCs and guests connect to the network through mobile phones. The administrator has created local accounts for the employees so that they can use the local accounts to pass authentication. For guest accounts, the administrator needs to configure the Service Manager to enable guests to complete authentication using GooglePlus, Facebook or Twitter accounts.

Data Plan

Table 1-16  Data Plan

| Item | Data | Description |
| --- | --- | --- |
| SM + SC (RADIUS server + Portal server) | Domain name: controller.sz | - |
| Number of the ACL for guests' post-authentication domain | 3002 | - |
| SSID of the network that guests associate with | guest | Configure this parameter on the AC. For details, see step 4 in Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users. |

Configuration Roadmap

  1. Configure the Agile Controller-Campus to interconnect with the Google, Facebook, and Twitter authentication servers.
  2. Customize authentication pages. The authentication page is automatically displayed if an unauthenticated guest attempts to connect to the network.
  3. Customize the portal page push rule to push the customized authentication page to guests.
  4. Configure social media as external authentication sources and add authorization results and authorization rules to grant different access rights to guests after they are successfully authenticated.

Prerequisites

  1. Portal authentication configurations have been completed on the AC/switch and the Agile Controller-Campus. For details, see configuration examples about Portal. Pay attention to the following points during the configuration:
    1. When configuring the Portal server's URL in the URL template, set a URL in the domain name format.
      [AC] url-template name huawei
      [AC-url-template-huawei] url http://Portal server's domain name:8080/portal
      [AC-url-template-huawei] quit
    2. A free rule has been configured on the AC/switch to permit social media website addresses. This ensures that guests' terminals can access the social media authentication page before passing authentication.
      • Access to authentication-free resources is permitted by the domain name on the AC/switch. You need to permit guests to access the following domain names before passing authentication.
        • Google server: www.googleapis.com, apis.google.com, accounts.google.com
        • Facebook server: connect.facebook.net, www.facebook.com
        • Twitter server: api.twitter.com, abs.twimg.com, mobile.twitter.com and twitter.com
      • If the AC/switch cannot permit access to authentication-free resources by the domain name, run the nslookup command with the complete host name in the CLI to view the IP address matching the host name, and then permit the destination server by the IP address.
    3. If the enterprise uses its own DNS server and an access control device is used as the DHCP server, you must configure the DNS server address on the VLANIF interface of the access control device that communicates with terminals.
      [AC] interface vlanif 101
      [AC-Vlanif101] ip address 192.168.0.1 255.255.255.0
      [AC-Vlanif101] dhcp select interface
      [AC-Vlanif101] dhcp server dns-list 172.18.1.2 8.8.8.8  //Configure the DNS server address.
      [AC-Vlanif101] quit
  2. The social media server and the Agile Controller-Campus server can reach each other.
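When the free rule has to be built from IP addresses (the nslookup fallback above), the permitted addresses need rechecking whenever the providers' DNS answers change. The following is an added example, not Huawei's code: it compares the addresses already permitted with current DNS answers for the host names listed above. The function names are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import socket

# Host names the guide says guests must reach before authentication.
FREE_RULE_HOSTS = [
    "www.googleapis.com", "apis.google.com", "accounts.google.com",
    "connect.facebook.net", "www.facebook.com",
    "api.twitter.com", "abs.twimg.com", "mobile.twitter.com", "twitter.com",
]

def resolve_ipv4(host):
    """Current IPv4 addresses for host, the same answer nslookup would show."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def free_rule_drift(permitted_ips, resolver=resolve_ipv4, hosts=FREE_RULE_HOSTS):
    """Compare the IPs permitted in the free rule with current DNS answers.

    missing:    addresses a listed host now uses that the rule does not permit
                (the social media login page fails to load before authentication).
    stale:      permitted addresses that no listed host resolves to any more
                (still reachable by unauthenticated guests).
    unresolved: host names that returned no address.
    """
    permitted = set(permitted_ips)
    missing, unresolved, live = {}, [], set()
    for name in hosts:
        ips = resolver(name)
        if not ips:
            unresolved.append(name)
            continue
        live |= ips
        if ips - permitted:
            missing[name] = sorted(ips - permitted)
    return missing, sorted(permitted - live), unresolved

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, not real provider IPs.
    sample_dns = {name: {"192.0.2.10"} for name in FREE_RULE_HOSTS}
    sample_dns["twitter.com"] = {"192.0.2.20", "192.0.2.21"}
    sample_dns["abs.twimg.com"] = set()
    configured = {"192.0.2.10", "192.0.2.20", "203.0.113.5"}
    missing, stale, unresolved = free_rule_drift(configured, sample_dns.get)
    print("missing:", missing)
    print("stale:", stale)
    print("unresolved:", unresolved)
```

Calling free_rule_drift with only the set of permitted addresses uses live DNS; run it from a host that uses the same DNS servers as the guest VLAN so the answers match what guest terminals see.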

Procedure

  1. Configure the interconnection with the Google authentication server.
    1. Apply for a GooglePlus account.

      To enable end users to use GooglePlus accounts for guest identity authentication, enterprises must request their own GooglePlus accounts from Google to obtain the authorization information from Google.
      1. Open the Web browser.
      2. Enter https://accounts.google.com/SignUp?service=oz&continue=https://plus.google.com/?hl=en-us&gpsrc=gplp0&hl=en-us in the address box.
      3. Register an account.

    2. Create the GooglePlus application.

      1. Enter https://console.developers.google.com/project in the address box. On the page that is displayed, log in using a Google account, and click Create Project.



      2. Enter a project name and click Create.



      3. Click Use Google APIs.

      4. In the Social APIs area, click Google+ API.



      5. Click Enable API.

      6. Click Go to Credentials.

      7. Set the Credentials type and click What credentials do I need?.

      8. Fill in required information, and click Create client ID.



        | Parameter | Value |
        | --- | --- |
        | Name | Web client 1 |
        | Authorized JavaScript origins | https://Service Controller-Domain Name:8445. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. NOTE: In Google authentication, the protocol must be HTTPS and the domain name must be configured. |
        | Authorized redirect URIs | https://Service Controller-Domain Name:8445/portal. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. NOTE: In Google authentication, the protocol must be HTTPS and the domain name must be configured. If multiple Portal servers are deployed, press Enter to separate their URIs. |

      9. Set Email address and Product name shown to users, and click Continue.

      10. Click Done.

      11. On the Credentials page, click New credentials, and select API key.

      12. Select Browser key.

      13. Set the API key name, and click Create. The created API key is displayed.



      14. Write down the client ID and API key.



  2. Configure the interconnection with the Facebook authentication server.
    1. Apply for a Facebook account.

      To enable end users to use Facebook accounts for guest identity authentication, enterprises must request their own Facebook accounts from Facebook to obtain the authorization information from Facebook.

      1. Open the Web browser.
      2. Enter https://en-us.facebook.com/ in the address box.
      3. Register an account.

    2. Create a Facebook application.

      1. Enter https://developers.facebook.com/ in the address box. On the page that is displayed, log in using a Facebook account, and click Get Started.

        Click Register in the upper right corner of the page upon initial login to register as a developer. After that, you can create apps.



      2. Create a new app ID.

      3. Click Set Up under Facebook Login.



      4. Set Valid OAuth Redirect URIs on the Settings page. This URI must be the same as the URL in the pushing policy for a customized portal page.





        In this URL, the protocol must be HTTPS.

      5. Select a web platform.



      6. Set Site URL in the https://SC-IP:8445 format. Click Save and then Continue.



      7. Set up the Facebook SDK for Javascript and click Next.



      8. Check Login Status and click Next.



      9. Add the Facebook Login button and click Next.



      10. Perform next steps.



      11. Choose Settings > Basic, find the matching App ID and App Secret and record the two values. You need to use the two values when setting parameters on the Agile Controller-Campus.

        The Privacy Policy URL field is mandatory. Otherwise, applications cannot be released.



      12. Choose a category.



      13. Click App Review and set Make Agile Controller public? to Yes.



  3. Configure the interconnection with the Twitter authentication server.
    1. Apply for a Twitter account.

      To enable end users to use Twitter accounts for guest identity authentication, enterprises must request their own Twitter accounts from Twitter to obtain the authorization information from Twitter.

      1. Open the Web browser.
      2. Enter https://twitter.com/ in the address box.
      3. Register an account.

    2. Create a Twitter application.

      1. Enter https://apps.twitter.com/ in the address box. On the page that is displayed, log in using a Twitter account, and click Create New App.



      2. Enter application information.


        | Parameter | Value |
        | --- | --- |
        | Name | authtest10001 |
        | Description | authtest10001 |
        | Website | https://Service Controller-IP or Domain Name:8445 or http://Service Controller-IP or Domain Name:8080. If a Google account is used for authentication, configure this parameter in the domain name format. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. NOTE: In Google authentication, the protocol must be HTTPS and the domain name must be configured. |
        | Callback URL | https://Service Controller-IP or Domain Name:8445 or http://Service Controller-IP or Domain Name:8080. If a Google account is used for authentication, configure this parameter in the domain name format. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. NOTE: In Google authentication, the protocol must be HTTPS and the domain name must be configured. |

      3. Click Create your Twitter application.



      4. Click Settings, select Allow this application to be used to Sign in with Twitter, and click Update Settings.



      5. Click Keys and Access Tokens.



      6. Save the API Key and API Secret.

  4. On the Service Manager, configure the association parameters on Google, Facebook, and Twitter authentication servers.
    1. Choose System > External Authentication > Third-Party Applications.

      Select Facebook, Google, and Twitter.

      | Parameter | Value |
      | --- | --- |
      | Facebook: App ID | ***************** |
      | Facebook: App secret | ***************** |
      | Google: Client ID | ***************** |
      | Google: API key | ***************** |
      | Twitter: API key | ***************** |
      | Twitter: API secret | ***************** |
      | User group | ROOT\Guest |
      | Role | guest |

  5. Customize the authentication page.
    1. Choose Policy > Permission Control > Page Customization > Page Customization.
    2. Choose System-SMS + Social Media Account Template and click Create Page.
    3. Set parameters on the page.

      If guests are allowed to complete authentication through both their social media accounts and self-registration, select Self Register. For details about how to configure guests to connect to networks through self-registration, see Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly.

      Click Advanced setting and select or deselect Push pages using HTTPS based on the configuration on the social media server.
      • If the configuration on the social media server is https://Service Controller-IP or Domain Name:8445, select Push pages using HTTPS.
      • If the configuration on the social media server is http://Service Controller-IP or Domain Name:8080, deselect Push pages using HTTPS.

    4. Click OK and customize Authentication Page, Authentication Success Page, and User Notice Page.

    5. Click Release.
  6. Configure portal page push rules.
    1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule and click Add.



      | Parameter | Value | Description |
      | --- | --- | --- |
      | Name | Guest page pushing policy | - |
      | User-defined parameters | ssid=guest | ssid=guest indicates that the AC pushes the specified page so long as unauthorized guests select the SSID guest. For details about User-defined parameters, see Defining a Redirection Rule for the Portal Page. The AC needs to send the user-defined URL parameter to the Portal server through the URL parameter template, so that the Portal server can correctly match the pushed condition. In this example, the AC sends the user-defined URL parameter ssid to the Portal server, so that it can correctly match the pushed condition. |
      | Pushed page | Select a page customized in step 5. | - |
      | Page displayed after successful authentication | Continue to access the original page. | Configure URL parameters on the AC. For details, see How Do I Continue to Access the Original Page After Successful Portal Authentication?. |

    2. Click OK.
  7. Add SSIDs to the Agile Controller-Campus for SSID-based user authorization.
    1. Choose Policy > Permission Control > Policy Element > SSID.
    2. Click Add, and add a guest SSID.

      The SSID name is case-sensitive and must be the same as the one configured on the AC.

  8. Configure social media as external authentication sources.
    1. Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule and click Add.



      | Parameter | Value |
      | --- | --- |
      | Name | Social Media |
      | Customize Condition | Social Media Account |
      | Data Source | Third-Party Applications Data Source |
      | Please select the allowed authentication protocol | Select all protocols. |

    2. Click OK.
  9. Configure authorization results and rules.
    1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result. Click Add.



      | Parameter | Value |
      | --- | --- |
      | Name | Social Media |
      | ACL Number/AAA User Group | 3002 (It has been configured on the switch. The ACL determines the network resources that the user can access after successful authentication.) |

    2. Click OK.
    3. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule. Click Add.



      | Parameter | Value |
      | --- | --- |
      | Name | Authorization rules of social media |
      | Customize Condition | Social Media Account |
      | Authorization Result | Social Media |

    4. Click OK.
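The procedure states several rules that tie the URLs registered with each provider to the Push pages using HTTPS setting: port 8445 goes with HTTPS and port 8080 with HTTP, Google and Facebook require HTTPS, and Google requires a domain name. The following pre-deployment check collects those rules; it is an added example, not Huawei's code, and the function names and the sample IP address are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Scheme/port pairs the guide uses for the Service Controller portal.
PORTAL_PORTS = {"https": 8445, "http": 8080}
HTTPS_ONLY = {"google", "facebook"}   # the guide requires HTTPS for both
DOMAIN_ONLY = {"google"}              # the guide requires a domain name, not an IP

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def check_registration(provider, url, push_https):
    """Return findings for one URL registered with a social media provider."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname or ""
    if scheme not in PORTAL_PORTS or not host:
        return [f"{provider}: {url!r} is not an http(s) URL with a host"]
    try:
        port = parts.port
    except ValueError:
        return [f"{provider}: {url!r} has an invalid port"]
    findings = []
    if port != PORTAL_PORTS[scheme]:
        findings.append(f"{provider}: {scheme} expects port {PORTAL_PORTS[scheme]}, got {port}")
    if provider in HTTPS_ONLY and scheme != "https":
        findings.append(f"{provider}: HTTPS is required")
    if provider in DOMAIN_ONLY and is_ip_literal(host):
        findings.append(f"{provider}: a domain name is required, got IP {host}")
    if (scheme == "https") != push_https:
        state = "selected" if push_https else "deselected"
        findings.append(f"{provider}: {scheme} URL but 'Push pages using HTTPS' is {state}")
    return findings

def audit(registrations, push_https):
    """Check every (provider, url) pair; an empty list means consistent."""
    return [f for provider, url in registrations
            for f in check_registration(provider, url, push_https)]

if __name__ == "__main__":
    # Constructed sample; controller.sz is the data-plan domain, the IP is invented.
    sample = [("google", "https://controller.sz:8445/portal"),
              ("google", "https://192.0.2.15:8445/portal"),
              ("facebook", "http://controller.sz:8080")]
    print("\n".join(audit(sample, push_https=True)))
```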

Verification

  1. A guest connects to the Wi-Fi hotspot guest using a mobile phone. The guest authentication page is pushed to the mobile phone.
  2. On the authentication page, the guest presses the icon matching the guest's account type and the web browser opens the corresponding website.
  3. The guest enters the user name and password and presses Authentication. After successful authentication, the user can visit the Internet.
  4. On the Service Manager, choose Resource > User > Online User Management. The online information about the account is displayed.
  5. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS authentication logs of the account are displayed.
Updated: 2019-03-30

Document ID: EDOC1000113779
