Example for Configuring External Portal Authentication (In HACA Mode)

Wireless Access Controller (AC and Fit AP) V200R019C10 Web-based Configuration Guide

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Service Requirements

An enterprise deploys a cloud AC to manage users connected to the Internet and the iMaster NCE-Campus as a Huawei Agile Cloud Authentication (HACA) server. The HACA server is located on the cloud to implement functions of an external Portal server, authentication server, and accounting server. Access users are authenticated and charged on the HACA server through the cloud AC. This reduces routing network maintenance costs of the enterprise.

Networking Requirements

AC networking mode: Layer 2 bypass mode
DHCP deployment mode:
- The AC functions as a DHCP server to assign IP addresses to APs.
- The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
Service data forwarding mode: tunnel forwarding
AAA scheme: HACA
Authentication mode: External Portal authentication

Figure 3-32 Networking for configuring external Portal authentication (in HACA mode)

Data Planning

Item	Data
Management VLAN for APs	VLAN 100
Service VLAN for STAs	VLAN 101
DHCP server	The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs	10.23.100.2-10.23.100.254/24
IP address pool for STAs	10.23.101.3-10.23.101.254/24
AC's source interface address	VLANIF 100: 10.23.100.1/24
AP group	Name: ap-group1 Referenced profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile	Name: default Country code: China
SSID profile	Name: wlan-net SSID name: wlan-net
Security profile	Name: wlan-net Security policy: open
HACA server template	Name: wlan-net IP address: 10.23.200.1 Destination port number in the packets that the AC sends to the Portal server: 50301 PKI realm name: default
Portal access profile	Name: wlan-net Referenced profile: Portal server template wlan-net
Portal server template	Name: wlan-net IP address: 10.23.200.1
Authentication-free rule profile	Name:default_free_rule Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication profile	Name: wlan-net Referenced profiles: Portal access profile wlan-net, authentication scheme wlan-net, authentication-free rule profile default_free_rule, and HACA server template wlan-net
VAP profile	Name: wlan-net Forwarding mode: tunnel forwarding Service VLAN: VLAN 101 Referenced profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

Configuration Roadmap

Configure network interworking of the AC, APs, and other network devices.
Register the AC with the iMaster NCE-Campus and go to the web platform of the AC.
Select Config Wizard to configure system parameters for the AC.
Select Config Wizard to configure the APs to go online on the AC.
Configure WLAN services on the AC using the WLAN configuration wizard.
Configure HACA authentication in a VAP profile.
Configure authentication-free rules for an AP group.
Configure the iMaster NCE-Campus parameters.
Complete service verification.

Procedure

Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2 and GE0/0/3 to VLAN 101.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to 10.23.101.2/24.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default gateway address of STAs to 10.23.101.2.
Configure the DNS server as required. The common methods are as follows:
In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
```
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
```
Register the AC with the iMaster NCE-Campus and add APs. For the registration procedure, see Configuration - Cloud-based Management Configuration of AC. For operations of adding APs, see CloudCampus Cloud Managed Campus Solution Product Documentation.
Log in to the iMaster NCE-Campus through the Internet, go to the web platform of the AC, and remotely configure WLAN service data.
1. Select a site.
  1. Choose Deploy > Site > Site Configuration from the main menu.
  2. In the displayed window, select a site from the Site drop-down list box in the upper left corner, and set the selected site as the operation object.
2. In the navigation tree on the left, choose AC(Fit AP) > Fit AP.
3. Click the name of the desired WLAN AC in the Device Name area. The WLAN AC management page is displayed.
4. Click Open Web System in the upper right corner and the WLAN AC web NMS page is displayed.
Configure system parameters for the AC.
1. Perform basic AC configurations.
  # Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is displayed.
  
  # Set Country/Region based on actual situations. For example, set Country/Region to China. Set System time to Manual and Date and time to PC.
  
  # Click Next. The Port Configuration page is displayed.
2. Configure interfaces.
  # Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service VLAN).
  
  If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to management VLAN 100.
  
  # Click Apply. In the dialog box that is displayed, click OK.
  
  # Click Next. The Network Interconnection Configuration page is displayed.
3. Configuring network interconnections.
  # Set DHCP status to ON.
  
  # Click Create under Interface Configuration. The Create Interface Configuration page is displayed.
  
  # Set the IP address of VLANIF 100 to 10.23.100.1/24.
  
  # Click Create under DHCPv4 Address Pool List, select Interface address pool and select VLANIF 100.
  
  # Click OK. An address pool for VLANIF 100 is configured.
  
  # Under Static Route Table, click Create. The Create Static Route Table page is displayed.
  
  # Configure the default route and set its next hop address to 10.23.101.2.
  
  # Click OK.
  
  # Click Next.
  
  # Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
  # Set AC source address to VLANIF. Click the browse button and select Vlanif100.
  
  # Click Next. The Confirm Settings page is displayed.
5. Confirm the configuration.
  # Confirm the configuration and click Continue With AP Online.
Configure an AP to go online.
1. Configure an AP to go online.
  # Click Next. The Group APs page is displayed.
  
  # Click next to AP Group List. The page for adding an AP group is displayed.
  
  # Enter the AP group name ap-group1 and click OK.
  
  # Click Add. Select the AP added on the iMaster NCE-Campus, and add this AP to ap-group1.
  
  # Click OK.
  
  # Click Next.
2. Confirm the configuration.
  # Confirm the configuration and click Continue With Wireless Service Configuration.
Configure WLAN services.
# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Open (applicable to personal networks).

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.
Configure HACA authentication.
1. Create the authentication profile wlan-net.
  # Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
  
  # Click AP group ap-group1. The AP group configuration page is displayed.
  
  # Choose VAP Configuration > wlan-net > Authentication Profile. The Authentication Profile page is displayed.
  
  # Set Access mode to Portal authentication and Portal option to HACA access.
  
  # Click Apply. In the dialog box that is displayed, click OK.
2. Configure HACA access parameters.
  # Click in front of Authentication Profile. Under it, click HACA Access. The Portal Profile page is displayed.
  
  # Click next to Portal server group. The Portal Authentication Server List page is displayed.
  
  # Click Create. On the Create Portal server group page that is displayed, set Server name to wlan-net, Server IP to 10.23.200.1, and parameters in Redirection Setting as follows:
  - AC-MAC keyword: lsw-mac
  - User access URL keyword: redirect-url
  - User MAC keyword: umac
  - User IP address keyword: uaddress
  - SSID keyword: ssid
  # Click OK. In Portal Authentication Server List, select the server named wlan-net and click OK.
  
  # Click Apply. In the dialog box that is displayed, click OK.
3. Configure the HACA server.
  # Click in front of Authentication Profile. Under it, click HACA Server. The HACA Server page is displayed.
  
  # On the HACA Server Template tab, click Create. The Create HACA Server Template page is displayed. Set Profile name to wlan-net. Enable HACA function. Set IP address to 10.23.200.1, Port number to 50301, and Certificate name to default.
  
  # Click OK. In the dialog box that is displayed, click OK.
  
  # Set HACA Server Template to wlan-net, Accounting mode to HACA accounting, and Policy for accounting-start failures to Allow user login.
  
  # Click Apply. In the dialog box that is displayed, click OK.
Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile.The Profile Management page is displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile > Authentication-free Rule Profile. The Authentication-free Rule Profile page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule ID to 1 and the authentication-free resource to the IP address of the DNS server.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that is displayed, click OK.
Configure the user group and users on the iMaster NCE-Campus.
1. Choose Admission > User Management > Users from the main menu.
2. ClickBatch import uses and user groups using the Excel template. Download the template, fill users and user groups in the document, and upload the Excel document.
3. Click OK.
Configure authentication parameters on the iMaster NCE-Campus.
1. Select a site.
  1. Choose Deploy > Site > Site configuration from the main menu.
  2. Select a site from the Site drop-down list box in the upper left corner and set the site as an operation object.
2. In the navigation tree on the left, choose AC(Fit AP) > Fit AP.
3. Click Add and configure authentication parameters as follows:
  - Name: wlan-net
  - SSID: wlan-net, which must be the same as the SSID configured on the AC
  - Authentication mode: Open network
  - Push mode: Fast
  - Push page: Default customization page with user name and password authentication
  - User group: Guest
4. Click OK.
Verify the configuration.
- The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.
- The STAs obtain IP addresses when they successfully associate with the WLAN.
- When a user opens the browser and attempts to access the network, the user is automatically redirected to the authentication page provided by the Portal server. After entering the correct user name and password on the page, the user can access the network.