Configuring Authentication Profiles Through the WAC's Web System
Context
In the centralized gateway solution, you can log in to the web system of the WAC to configure the authentication profiles required for wireless user access. When a standalone WAC is used, wireless authentication profiles cannot be configured or delivered through iMaster NCE-Campus. In this case, you need to log in to the web system of the WAC to configure the required wireless authentication profiles.
In the centralized gateway solution, when the built-in authentication server of iMaster NCE-Campus is used for wireless access authentication, you need to configure the mapping between authentication control points, SSIDs, and authentication profiles on the Site Configuration tab page of iMaster NCE-Campus. The configuration process is the same as that in Configuring Authentication Profiles on iMaster NCE-Campus.
Plan Example
Authentication/Authorization Scheme | Portal Server Setting | RADIUS Setting | Authentication Profile |
---|---|---|---|
RADIUS authentication is used. Only the authentication scheme needs to be configured on the device, and the authorization scheme is not required. | An external Portal server is used, that is, iMaster NCE-Campus. | The RADIUS server is iMaster NCE-Campus. | |
Procedure
- Set the authentication/authorization scheme to RADIUS authentication/authorization.
Choose Configuration > Security Services > AAA, and click the Authentication/Authorization/Accounting Scheme tab. In the Authentication Scheme List area, click Create. Set Authentication scheme name to wlan-radius-authen and First authentication to RADIUS authentication. After the configuration is complete, click OK.
Because RADIUS combines authentication and authorization, no authorization scheme needs to be configured.
- Configure Portal server parameters.
Choose Configuration > Security Services > AAA, and then choose Portal Server Global Configuration > External Portal. In the Portal Authentication Server List area, click Create. Set parameters as follows and then click OK:
  - Set the server name to wlan-portal.
  - Set the server IP address to 172.16.2.5. (After entering the IP address, click the add icon to add it to the server IP address list.)
  - Set the shared key to Admin@1234.
  - Set the URL to https://172.16.2.5:19008/portal.
  - Configure URL options:
    - Switch-MAC keyword: lsw-mac
    - User MAC address keyword: umac
    - User IP address keyword: uaddress
    - User access URL keyword: redirect-url
    - SSID keyword: ssid
- Configure RADIUS server parameters.
Choose Configuration > Security Services > AAA, and click the RADIUS tab. In the RADIUS Server Profile area, click Create. Set parameters as follows and then click OK:
  - Set Profile name to wlan-radius.
  - Set Profile default shared key to Admin@1234.
  - Click Create Server.
    - Set the IP address to 172.16.2.5.
    - Set the shared key to Admin@1234.
    - Select Authentication and set Source address of outgoing packets to Loopback.
  - Click Advanced. Set Called-Station-ID format to AC MAC, and select Containing the SSID.
- Set parameters for the 802.1X profile, Portal profile, and MAC authentication profile.
  - Choose Configuration > Security Services > AAA Profile Mgmt, and click the 802.1X Profile tab. Click Create. Then, set the profile name to employee and click OK.
  - Choose Configuration > Security Services > AAA Profile Mgmt, and click the Portal Profile tab. Click Create. Then, set the profile name to guest and click OK. Select guest from the Portal profile list, set Portal authentication to External Portal server and Primary Portal server group to wlan-portal.
  - Choose Configuration > Security Services > AAA Profile Mgmt, and click the MAC Authentication Profile tab. Click Create. Then, set the profile name to dumb and click OK. Create the MAC authentication profile guest in the same way.
- Configure authentication profile parameters. The following uses the authentication profile employee as an example.
  - Choose Configuration > Security Services > AAA, and click the Authentication Profile tab. Click Create. Then, set the profile name to employee and click OK.
  - Click the expand icon next to employee to expand the list of referenced profiles.
  - Click 802.1X Profile in the list, and set the 802.1X profile to employee. Then click Apply.
  - In the list of referenced profiles, click Force Domain Profile and set the domain profile to default. Bind the authentication scheme profile wlan-radius-authen and RADIUS server profile wlan-radius to the domain profile default. Then click Apply.
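
The keywords set under URL options in the Portal server step are the query parameter names the WAC uses when it redirects a user to the Portal URL. As an added example (not part of the original procedure or vendor code), the following Python check validates a redirect URL against those settings; the sample URLs, the accepted MAC formats and the check_redirect helper are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Portal server address, port and path as configured on this page.
PORTAL = ("172.16.2.5", 19008, "/portal")
# Query keywords from the URL options configured on this page.
KEYWORDS = ("lsw-mac", "umac", "uaddress", "redirect-url", "ssid")
# Assumption: MACs are 12 hex digits with optional ':', '-' or '.' separators.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:.-]?[0-9A-Fa-f]{2}){5}$")

# Constructed sample redirect URLs (not captured from a real device).
GOOD = ("https://172.16.2.5:19008/portal?lsw-mac=00e0-fc12-3456"
        "&umac=a4-5e-60-c1-22-33&uaddress=10.10.20.15"
        "&redirect-url=http%3A%2F%2Fexample.com%2F&ssid=guest")
BAD = ("http://172.16.2.5:19008/portal?lsw-mac=00e0-fc12-3456"
       "&uaddress=10.10.20.300&redirect-url=example.com&ssid=guest")


def check_redirect(url):
    """Return a list of problems found in a Portal redirect URL."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if (parts.hostname, parts.port, parts.path) != PORTAL:
        problems.append("URL does not point at the configured Portal server")
    query = parse_qs(parts.query, keep_blank_values=True)
    vals = {}
    for key in KEYWORDS:
        found = query.get(key, [])
        if len(found) == 1 and found[0]:
            vals[key] = found[0]
        else:
            problems.append(f"{key}: expected exactly one non-empty value")
    for key in ("lsw-mac", "umac"):
        if key in vals and not MAC_RE.match(vals[key]):
            problems.append(f"{key}: not a MAC address")
    if "uaddress" in vals:
        try:
            ipaddress.ip_address(vals["uaddress"])
        except ValueError:
            problems.append("uaddress: not an IP address")
    if "redirect-url" in vals:
        target = urlsplit(vals["redirect-url"])
        if target.scheme not in ("http", "https") or not target.hostname:
            problems.append("redirect-url: not an absolute http(s) URL")
    return problems
```

An empty list for a URL taken from a test client's browser indicates that the URL and keyword settings on the WAC match what the Portal server expects.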