Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)
Networking Requirements
An enterprise uses HTTPS for Portal authentication.
As shown in Figure 4-36, an AC in an enterprise directly connects to an AP. The enterprise deploys the WLAN wlan-net to provide wireless network access for employees. The AC functions as the DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.
The AC and employees' STAs communicate at Layer 2. To reduce network security risks, you can deploy Layer 2 Portal authentication on the AC. The AC works with the RADIUS server (integrated with the Portal server) to implement access control on employees who attempt to connect to the enterprise network, meeting the enterprise's security requirements.
Configuration Roadmap
- Configure basic WLAN services so that the AC can communicate with upper-layer and lower-layer devices and the AP can go online.
- Configure RADIUS authentication parameters.
- Configure a Portal server template.
- Configure a Portal access profile and configure Layer 2 Portal authentication.
- Configure an authentication-free rule profile so that the AC allows packets to the DNS server to pass through.
- Configure an authentication profile to manage NAC configuration.
- Configure WLAN service parameters, and bind a security policy profile and an authentication profile to a VAP profile to control access from STAs.
Data Plan
Item | Data
---|---
RADIUS authentication parameters | Name of the RADIUS authentication scheme: radius_huawei; name of the RADIUS accounting scheme: scheme1; name of the RADIUS server template: radius_huawei
SSL policy | Name: huawei
Portal server template | Name: abc; IP address: 10.23.200.1; URL: https://10.23.200.1:8445/portal
Portal access profile | Name: portal1
Authentication-free rule profile | Name: default_free_rule
Authentication profile | Name: p1
DHCP server | The AC functions as the DHCP server to assign IP addresses to the AP and STAs.
IP address pool for the AP | 10.23.100.2 to 10.23.100.254/24
IP address pool for the STAs | 10.23.101.2 to 10.23.101.254/24
IP address of the AC's source interface | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1
Regulatory domain profile | Name: domain1; country code: cn
SSID profile | Name: wlan-ssid; SSID name: wlan-net
Security profile | Name: wlan-security; security policy: open
VAP profile | Name: wlan-vap; forwarding mode: tunnel forwarding; service VLAN: VLAN 101
Procedure
- Configure the AC to enable exchange of CAPWAP packets between the AP and AC.
# Add AC interface GE0/0/1 to VLAN 100 (management VLAN).
In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used, configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs will be able to directly communicate at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/3
- Configure the AC to communicate with upper-layer network devices.
# Add GE0/0/2 that connects the AC to the upper-layer device to VLAN 101 (service VLAN).
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
- Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 10.23.200.2
[AC-Vlanif101] quit
- Configure a route from the AC to the server area (assuming that the IP address of the upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
- Configure the AP to go online.
# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Configure the AC's source interface.
[AC] capwap source interface vlanif 100
# Import the AP offline on the AC and add it to AP group ap-group1. Name the AP after its deployment location so that the location can be read from the name. This example assumes that the AP's MAC address is 60de-4476-e360 and that the AP is deployed in area 1, so the AP is named area_1. The default AP authentication mode is MAC address authentication; if the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1
- Configure a RADIUS server template and a RADIUS authentication scheme.
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.
# Configure a RADIUS server template.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server accounting 10.23.200.1 1813
[AC-radius-radius_huawei] radius-server shared-key cipher Example@123
[AC-radius-radius_huawei] quit
# Configure a RADIUS authentication scheme.
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] quit
# Configure a RADIUS accounting scheme.
[AC] aaa
[AC-aaa] accounting-scheme scheme1
[AC-aaa-accounting-scheme1] accounting-mode radius
[AC-aaa-accounting-scheme1] accounting realtime 15
[AC-aaa-accounting-scheme1] quit
[AC-aaa] quit
In this example, the device is connected to the Agile Controller-Campus. The accounting function is not used for billing; it is used to keep the terminal online information up to date through accounting packets.
The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the user quantity.
User Quantity | Real-Time Accounting Interval
---|---
1-99 | 3 minutes
100-499 | 6 minutes
500-999 | 12 minutes
≥ 1000 | ≥ 15 minutes
- Configure the HTTPS protocol for Portal authentication.
If the HTTPS protocol is used for Portal authentication, you need to configure an SSL policy.
[AC] ssl policy huawei type server
[AC-ssl-policy-huawei] pki-realm default
[AC-ssl-policy-huawei] quit
[AC] http secure-server ssl-policy huawei
[AC] portal web-authen-server https ssl-policy huawei
[AC] web-auth-server abc
[AC-web-auth-server-abc] protocol http
[AC-web-auth-server-abc] quit
- Configure a Portal server template.
Ensure that the Portal server IP address, URL address, and port number are configured correctly and are the same as those on the Portal server.
[AC] web-auth-server abc
// In V200R021C00 and later versions, you must use the web-auth-server server-source or server-source command to configure the local gateway address used by the device to receive and respond to the packets sent by the Portal server. Otherwise, the Portal interconnection function cannot be used.
[AC-web-auth-server-abc] server-ip 10.23.200.1 10.23.101.1
[AC-web-auth-server-abc] url https://10.23.200.1:8445/portal
[AC-web-auth-server-abc] quit
- Configure the Portal access profile portal1 and configure Layer 2 Portal authentication.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] web-auth-server abc direct
[AC-portal-access-profile-portal1] quit
- Configure an authentication-free rule profile.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
[AC-free-rule-default_free_rule] quit
- Configure the authentication profile p1.
[AC] authentication-profile name p1
[AC-authentication-profile-p1] portal-access-profile portal1
[AC-authentication-profile-p1] free-rule-template default_free_rule
[AC-authentication-profile-p1] authentication-scheme radius_huawei
[AC-authentication-profile-p1] accounting-scheme scheme1
[AC-authentication-profile-p1] radius-server radius_huawei
[AC-authentication-profile-p1] quit
- Configure WLAN service parameters.
# Create security profile wlan-security and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
- Verify the configuration.
The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.
- The STAs obtain IP addresses when they successfully associate with the WLAN.
- When a user opens the browser and attempts to access the network, the user is automatically redirected to the authentication page provided by the Portal server. After entering the correct user name and password on the page, the user can access the network.
Configuration Files
AC configuration file
#
 sysname AC
#
 http secure-server ssl-policy huawei
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
 portal web-authen-server https ssl-policy huawei
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
 radius-server accounting 10.23.200.1 1813 weight 80
#
ssl policy huawei type server
 pki-realm default
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
web-auth-server abc
 server-ip 10.23.200.1
 url https://10.23.200.1:8445/portal
 protocol http
#
portal-access-profile name portal1
 web-auth-server abc direct
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
#
return
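As an added check that is not part of the original example or of any Huawei tooling, the following Python script audits a constructed excerpt of the AC configuration file above for the settings this example depends on: distinct management and service VLANs in tunnel forwarding mode, the HTTPS Portal redirection bound to a defined server SSL policy, the RADIUS shared key stored in cipher form, the authentication-free rule actually reaching the DNS server handed out by DHCP, and an authentication profile bound to the open-security VAP. The `audit` and `_find` names are the script's own, and the cipher value is a placeholder.

```python
import ipaddress
import re

# Constructed excerpt of the AC configuration file above (cipher key replaced by a placeholder).
AC_CONFIG = """
http secure-server ssl-policy huawei
portal web-authen-server https ssl-policy huawei
radius-server template radius_huawei
 radius-server shared-key cipher %^%#PLACEHOLDER#$%^%#
ssl policy huawei type server
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
interface Vlanif101
 dhcp server dns-list 10.23.200.2
capwap source interface vlanif100
vap-profile name wlan-vap
 forward-mode tunnel
 service-vlan vlan-id 101
 authentication-profile p1
"""

def _find(pattern, cfg):
    """First capture group of pattern (line-anchored) in cfg, or None."""
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1) if m else None

def audit(cfg=AC_CONFIG):
    """Check the settings this example relies on; returns {check: result}."""
    r = {}
    # Tunnel forwarding: management VLAN (CAPWAP source) and service VLAN must not be the same.
    tunnel = _find(r"^\s*(forward-mode tunnel)", cfg) is not None
    mgmt, svc = _find(r"^capwap source interface vlanif(\d+)", cfg), _find(r"^\s*service-vlan vlan-id (\d+)", cfg)
    r["mgmt_service_vlan_differ"] = (not tunnel) or (mgmt != svc)
    # HTTPS Portal: web server and Portal authentication server must both bind a defined server SSL policy.
    ssl = _find(r"^ssl policy (\S+) type server", cfg)
    r["https_portal_ssl_bound"] = ssl is not None and all(
        _find(p, cfg) == ssl for p in (r"^http secure-server ssl-policy (\S+)",
                                       r"^portal web-authen-server https ssl-policy (\S+)"))
    # RADIUS shared key stored in cipher form, not plain text.
    r["radius_key_cipher"] = _find(r"^\s*radius-server shared-key (cipher) ", cfg) is not None
    # Authentication-free rule: must reach the DNS server handed out by DHCP; report how many hosts it opens.
    dns = ipaddress.ip_address(_find(r"^\s*dhcp server dns-list (\S+)", cfg))
    m = re.search(r"free-rule \d+ destination ip (\S+) mask (\S+)", cfg)
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    r["free_rule_reaches_dns"] = dns in net
    r["free_rule_hosts"] = net.num_addresses  # 256: the whole 10.23.200.0/24, not only the DNS host
    # An open security profile is acceptable only with an authentication profile bound to the VAP.
    r["open_vap_has_auth_profile"] = _find(r"^\s*authentication-profile (\S+)", cfg) is not None
    return r
```

The `free_rule_hosts` value makes the scope of the authentication-free rule explicit: with mask 255.255.255.0 the rule admits unauthenticated traffic to every address in 10.23.200.0/24, including the RADIUS/Portal server, so narrow the mask if only the DNS server should be reachable before authentication.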