Wireless Fail-Permit Technology White Paper-6W100

  • Released At: 04-01-2023
Wireless Fail-Permit Technology White Paper
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

This document provides generic technical information, some of which might not be applicable to your products.

The information in this document is subject to change without notice.



Overview

Technical background

In wireless networks, users perform remote 802.1X, MAC, portal, or Cloudnet PPSK authentication through the remote authentication server to access network resources. Authentication and network access might fail when the access device cannot connect to the remote authentication server in the following situations:

·     Poor network quality—In local forwarding mode, APs and the AC might be connected across multiple devices or even an external network. Poor network quality on that path can cause network access failures.

·     Authentication server failure—The remote authentication server becomes unreachable.

·     Radar avoidance—When a 5G radio detects radar signals in a network, it stops services on the radio and users cannot use the radio to access network resources.

To keep existing users online and allow new users to have network access, you can configure the wireless fail-permit feature.

Benefits

The wireless fail-permit feature allows users to have network access in the following cases:

·     In 802.1X or MAC authentication, the AC disconnects from the AP in local forwarding mode or the AC disconnects from the remote authentication server.

·     In portal authentication, the portal Web server or H3C Cloudnet platform becomes unreachable or cannot work correctly.

·     In PPSK authentication, the AC disconnects from the H3C Cloudnet platform.

·     A 5G radio stops providing services upon detecting radar signals.

Implementation

Fail-permit implementation for AC-authentication server disconnection

Mechanism

The AC uses RADIUS server detection to detect the reachability of the server. With fail-permit enabled, the AC enters the fail-permit state when the authentication server becomes unreachable and exits the fail-permit state when the authentication server becomes reachable.

For 802.1X authentication, you must configure a fail-permit service template. When the AC enters the fail-permit state, APs hide all the access services and use the fail-permit service template to provide services. This ensures that new users can come online without authentication and existing users can continue to access network resources.

For MAC authentication, no fail-permit service template is required. When the AC enters the fail-permit state, existing users can stay online and new users can access network resources without authentication.

When the AC exits the fail-permit state, unauthenticated users who have come online during the fail-permit period will be logged off and must perform authentication to access network resources.

Figure 1 Fail-permit implementation mechanism for AC-authentication server disconnection

 

Restrictions

Fail-permit for AC-authentication server disconnection is supported only in 802.1X and MAC authentication.

Fail-permit implementation for AC-AP disconnection

Mechanism

The AP sends echo requests to the AC at the specified echo interval to identify whether the CAPWAP control tunnel is operating correctly. With fail-permit enabled, if no response is received within a specific period, the AP terminates the tunnel and starts a 5-minute timer. When the timer expires, if the AC is still unreachable, the AP enters the fail-permit state. The timer prevents the AP from entering and exiting the fail-permit state frequently because of network flapping.

For 802.1X authentication, you must configure a fail-permit service template. When the AP enters the fail-permit state, the AP hides existing access services and uses the fail-permit service template to provide services. This ensures that new users can come online without authentication and existing users can continue to access network resources.

For MAC or portal authentication, no fail-permit service template is required. When the AP enters the fail-permit state, existing users can stay online and new users can access network resources without authentication.

When the AP connection to the AC recovers, the AP exits the fail-permit state. Unauthenticated users who have come online during the fail-permit period will be logged off and must perform authentication to access network resources.
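The AP-side sequence described above (echo timeout, 5-minute hold-down timer, switch to the fail-permit service template, and logoff of unauthenticated clients on recovery), written as an added Python model. This is not H3C code and does not claim to reflect the product's implementation; the 30-second echo timeout, the template names and the MAC addresses are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOLD_DOWN = 300  # the 5-minute timer the white paper describes (seconds)

@dataclass
class FitAP:  # assumed model of an AP in local forwarding mode with 802.1X fail-permit enabled
    echo_timeout: int           # seconds without an echo reply before the tunnel is torn down
    normal_template: str        # regular 802.1X service template
    failpermit_template: str    # fail-permit service template
    last_echo_reply: int = 0
    tunnel_down_at: Optional[int] = None
    fail_permit: bool = False
    clients: Dict[str, bool] = field(default_factory=dict)  # MAC -> passed 802.1X?

    def on_echo_reply(self, now: int) -> List[str]:
        """Echo reply from the AC: tunnel is up. Leaving fail-permit logs off unauthenticated clients."""
        self.last_echo_reply, self.tunnel_down_at = now, None
        if not self.fail_permit:
            return []
        self.fail_permit = False
        kicked = [mac for mac, authed in self.clients.items() if not authed]
        self.clients = {mac: True for mac in self.clients if mac not in kicked}
        return kicked
    def tick(self, now: int) -> None:
        """Run once per echo interval: tear the tunnel down after echo_timeout, then wait HOLD_DOWN."""
        if self.tunnel_down_at is None and now - self.last_echo_reply > self.echo_timeout:
            self.tunnel_down_at = now
        if self.tunnel_down_at is not None and now - self.tunnel_down_at >= HOLD_DOWN:
            self.fail_permit = True
    def associate(self, mac: str, passed_8021x: bool) -> bool:  # only authenticated clients outside fail-permit
        if not (passed_8021x or self.fail_permit):
            return False
        self.clients[mac] = passed_8021x
        return True

def run_scenario() -> dict:  # constructed timeline in seconds: brief flap, then a real outage and recovery
    ap = FitAP(echo_timeout=30, normal_template="corp-dot1x", failpermit_template="corp-failpermit")
    ap.on_echo_reply(0)
    ap.associate("02:00:00:00:00:01", passed_8021x=True)   # authenticated before the outage
    ap.tick(40)                # 40 s of silence: tunnel torn down, hold-down starts at t=40
    ap.on_echo_reply(200)      # flap: the AC answers before 5 minutes elapse, no fail-permit
    ap.tick(240)               # silence again: hold-down restarts at t=240
    in_hold_down = ap.associate("02:00:00:00:00:02", passed_8021x=False)    # t=500: still refused
    ap.tick(540)               # 300 s after t=240: the AP enters fail-permit
    in_fail_permit = ap.associate("02:00:00:00:00:02", passed_8021x=False)  # admitted without auth
    template = ap.failpermit_template if ap.fail_permit else ap.normal_template  # SSID the AP now serves
    kicked = ap.on_echo_reply(600)   # recovery: unauthenticated client logged off, must authenticate
    return {"hold_down": in_hold_down, "fail_permit": in_fail_permit, "template": template,
            "kicked": kicked, "remaining": sorted(ap.clients)}
```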

Figure 2 Fail-permit implementation mechanism for AC-AP disconnection

 

Restrictions

Fail-permit for AC-AP disconnection is applicable only in local forwarding mode.

Fail-permit for AC-AP disconnection is supported only in 802.1X, MAC, and portal authentication.

Fail-permit implementation for portal Web server failure

Mechanism

The AC uses portal Web server detection to periodically detect the reachability of the server. The AC simulates a Web access process to initiate a TCP connection to the portal Web server. If the TCP connection can be established successfully, the AC considers the detection successful, and the portal Web server is reachable. Otherwise, it considers the detection failed.

With fail-permit enabled, when the AC detects that the Web server becomes unreachable, it removes the network access restrictions on the interface or service template and allows users to access network resources without authentication.

When the portal Web server becomes reachable, the AC resumes portal authentication on the interface or service template. After portal authentication resumes, unauthenticated users must pass portal authentication to access network resources. Users who have passed portal authentication before the fail-permit period can continue accessing network resources.

Figure 3 Fail-permit implementation mechanism for portal Web server failure

 

Restrictions

Fail-permit for a portal Web server is supported on all devices that support portal authentication.

Portal fail-permit implementation for H3C Cloudnet platform unreachability

The AC periodically detects the portal packets sent by H3C Cloudnet platform to determine the reachability of the platform.

With fail-permit enabled, when the AC detects that H3C Cloudnet platform becomes unreachable, it removes the network access restrictions on the interface or service template and allows users to access network resources without authentication.

When H3C Cloudnet platform becomes reachable, the AC resumes portal authentication on the interface or service template. After portal authentication resumes, unauthenticated users must pass portal authentication to access network resources. Users who have passed portal authentication before the fail-permit period can continue accessing network resources.

Figure 4 Fail-permit implementation mechanism for H3C Cloudnet platform unreachability

 

PPSK fail-permit implementation for H3C Cloudnet platform unreachability

The AC periodically sends keepalive packets to H3C Cloudnet platform to check the connection state.

With PPSK fail-permit enabled, if no response is received within the detection timeout, the AC terminates the connection, enters the fail-permit state, and sends a registration request to the platform to re-establish the connection. New users can access network resources after a successful four-way handshake, but the password-client binding entries are not reported to H3C Cloudnet platform. Existing users are not affected and can continue to access network resources.

When the AC successfully establishes a connection to H3C Cloudnet platform, the AC exits the fail-permit state and synchronizes PPSK authentication user information with H3C Cloudnet platform.

Figure 5 Fail-permit implementation mechanism for H3C Cloudnet platform unreachability

 

Fail-permit implementation for radar avoidance

Mechanism

To implement fail-permit for radar avoidance, you must bind a service template for user access to a 5G radio and bind the fail-permit service template to the other radios on the AP. When the 5G radio detects radar signals and stops providing services, the radios bound with the fail-permit template provide fail-permit services for users to access network resources.

Figure 6 Fail-permit implementation mechanism for radar avoidance

 

Restrictions

Fail-permit for radar avoidance is supported only on 5 GHz frequency bands.

Application scenarios

Fail-permit network for AC-authentication server disconnection

As shown in Figure 7, the AC is connected to the RADIUS server authenticating users through the external network.

With fail-permit enabled on the AC, when the RADIUS server becomes unreachable, existing users can continue to access network resources and new users can have network access without authentication.

This fail-permit feature is supported only in 802.1X and MAC authentication.

Figure 7 Network diagram

 

Fail-permit network for AC-AP disconnection

As shown in Figure 8, in local forwarding mode, the AP directly forwards data from the client and the AC is connected to the AP through the external network.

With fail-permit enabled on the AP, when the AC becomes unreachable, existing users can stay online and new users can access network resources without authentication. You do not need to restart the AP.

This fail-permit feature is supported only in 802.1X, MAC, and portal authentication.

Figure 8 Network diagram

 

Fail-permit network for portal Web server failure

As shown in Figure 9, the AC is connected to the portal Web server authenticating users through the switch.

With fail-permit enabled on the AC, when the portal Web server becomes unreachable, existing users can continue to access network resources and new users can have network access without authentication.

Figure 9 Network diagram

 

Portal fail-permit network for H3C Cloudnet platform unreachability

As shown in Figure 10, with fail-permit enabled on the AC, when H3C Cloudnet platform becomes unreachable, existing users can continue to access network resources and new users can have network access without authentication.

Figure 10 Network diagram

 

PPSK fail-permit network for H3C Cloudnet platform unreachability

As shown in Figure 11, the AC + fit AP network establishes a connection and interacts with H3C Cloudnet platform through an encrypted tunnel. H3C Cloudnet platform deploys, deletes, and synchronizes passwords of clients. The AC reports the password-client bindings to H3C Cloudnet platform.

When H3C Cloudnet platform becomes reachable, the PPSK authentication process is as follows:

1.     The client is connected to a 4G/5G service provider network and requests a password for wireless access through the WeChat mini-program.

2.     H3C Cloudnet platform deploys a password to the AC through the encrypted tunnel and the related key is automatically installed on the AC.

3.     The client uses the obtained password to perform four-way handshake key negotiation to obtain network access.

In this case, new users can obtain network access as long as the four-way handshake succeeds. The password-client bindings will not be reported to H3C Cloudnet platform. Existing users are not affected and can continue to access network resources.

Figure 11 Network diagram

 

Fail-permit network for radar avoidance

As shown in Figure 12, in the dual 5G radio network, bind a service template for user access to a 5G radio and bind the fail-permit service template to the other 5G radio on the AP.

When Radio 1 detects radar signals and stops providing wireless services, Radio 2 provides fail-permit services for users to access network resources.

Figure 12 Network diagram

 
