H3C Access Controllers

Comware 7 Remote Portal Authentication

Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring remote portal authentication· 1

Network configuration·· 1

Analysis· 2

Restrictions and guidelines· 2

Procedures· 2

Configuring IMC·· 2

Configuring the AC·· 7

Configuring the switch·· 9

Verifying the configuration·· 10

Configuration files· 11

Related documentation· 12

 

Introduction

This document provides examples for configuring remote portal authentication.

Prerequisites

This document applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of AAA, portal, and WLAN.

Example: Configuring remote portal authentication

Network configuration

As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server.

To implement remote portal authentication, perform the following tasks:

·     Configure direct portal authentication.

·     Configure a portal authentication server and a portal Web server on IMC.

·     Configure a RADIUS server as the authentication server and accounting server.

Figure 1 Network diagram

 

Analysis

For the client to access the portal Web server, configure a portal-free rule to permit traffic destined for the portal Web server.

To allow an authenticated user to access network resources on any Layer 2 ports in its access VLAN without re-authentication, enable portal roaming.

To avoid possible authentication failure caused by frequent logins and logouts of portal clients in a short time, disable the Rule ARP entry feature for portal clients.

For the RADIUS server to dynamically change user authorization information or forcibly disconnect users, enable the RADIUS session-control feature.

Restrictions and guidelines

When you configure remote portal authentication, follow these restrictions and guidelines:

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     Make sure the types of the portal authentication server and portal Web server specified on the AC are the same as those actually used. (This example uses CMCC servers.)

·     By default, the portal Web server URL redirected to users does not carry parameters. You can configure the parameters to be carried in the redirection URL as needed.

Procedures

Configuring IMC

This example uses the IMC server to describe the RADIUS server and portal server configuration. The IMC server runs on IMC PLAT 7.1 (E0303p13), IMC EIA 7.1 (F0302p08), and IMC EIP 7.1 (F0302p08).

Configuring the RADIUS server

1.     Add an access device.

a.     Log in to IMC and click the User tab.

b.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c.     Click Add to open the page as shown in Figure 2.

d.     In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter 2.2.2.1 in the Start IP field and then click OK.

e.     In the Access Configuration area, set the shared key to radius, which must be the same as that configured on the AC.

f.     Use the default settings for other parameters.

g.     Click OK.

Figure 2 Adding an access device

 

2.     Add an access policy.

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     Click Add to open the page as shown in Figure 3.

c.     Enter the access policy name.

d.     Select a service group.

e.     Use the default settings for other parameters.

Figure 3 Adding an access policy

 

3.     Add an access service.

a.     From the navigation tree, select User Access Policy > Access Service.

b.     Click Add to open the page as shown in Figure 4.

c.     Enter the service name.

d.     Use the default settings for other parameters.

e.     Click OK.

Figure 4 Adding an access service

 

4.     Add an access user.

a.     From the navigation tree, select Access User > All Access Users.

b.     Click Add to open the page as shown in Figure 5.

c.     Select an existing access user or click Add User to add a new access user.

d.     Set the password.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 5 Adding an access user

 

Configuring the portal server

1.     Configure the portal authentication service:

a.     From the navigation tree, select User Access Policy > Portal Service > Server to open the portal server configuration page, as shown in Figure 6.

b.     Configure the portal server parameters as needed.

This example uses the default settings.

c.     Click OK.

Figure 6 Configuring the portal server

 

2.     Configure the IP address group:

a.     From the navigation tree, select User Access Policy > Portal Service > IP Group.

b.     Click Add to open the page as shown in Figure 7.

c.     Enter the IP group name.

d.     Enter the start IP address and end IP address of the IP group.

Make sure the client IP address is in the IP group.

e.     Select a service group.

This example uses the default group Ungrouped.

f.     Select Normal from the Action list.

g.     Click OK.

Figure 7 Adding an IP address group

 

3.     Add a portal device:

a.     From the navigation tree, select User Access Policy > Portal Service > Device.

b.     Click Add to open the page as shown in Figure 8.

c.     Enter the device name.

d.     Select CMCC 1.0 for Version.

e.     Enter the IP address of the AC's interface connected to the client.

f.     Set whether to support the portal server heartbeat and user heartbeat functions.

In this example, select No for both Support Server Heartbeat and Support User Heartbeat.

g.     Enter the key, which must be the same as that configured on the AC.

h.     Select Directly Connected for Access Method.

i.     Use the default settings for other parameters.

j.     Click OK.

Figure 8 Adding a portal device

 

4.     Associate the portal device with the IP address group:

a.     Click the Port Group icon in the Operation field of device NAS, as shown in Figure 9.

Figure 9 Device list

 

b.     Click Add to open the page as shown in Figure 10.

c.     Enter the port group name.

d.     Select the configured IP address group.

The IP address used by the user to access the network must be within this IP address group.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 10 Adding a port group

 

Configuring the AC

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100. Assign an IP address to the VLAN interface. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 2.2.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200. Assign an IP address to the VLAN interface. The AC will use VLAN 200 for client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 2.2.2.1 24

[AC-Vlan-interface200] quit

2.     Configure a static route to reach the IMC server:

[AC] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100

3.     Configure a wireless service:

# Create a service template named st1 and enter its view.

[AC] wlan service-template st1

# Set the SSID of service template st1 to service.

[AC-wlan-st-st1] ssid service

# Assign clients coming online through service template st1 to VLAN 200.

[AC-wlan-st-service] vlan 200

# Specify ISP domain dm1 as the authentication domain for portal users on service template st1.

[AC-wlan-st-st1] portal domain dm1

# Enable service template st1.

[AC–wlan-st-st1] service-template enable

[AC-wlan-st-st1] quit

# Create an AP named office with model WA560-WW and set its serial ID to 219801A1NM8182032235.

[AC] wlan ap office model WA560-WW

[AC-wlan-ap-office] serial-id 219801A1NM8182032235

# Deploy configuration file map.txt to the AP.

[AC-wlan-ap-office] map-configuration map.txt

# Enter the view of radio 2.

[AC-wlan-ap-office] radio 2

# Bind service template st1 to radio 2 in AP office.

[AC-wlan-ap-office-radio-2] service-template st1

# Enable radio 2.

[AC-wlan-ap-office-radio-2] radio enable

[AC-wlan-ap-office-radio-2] quit

[AC-wlan-ap-office] quit

4.     Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1 and enter its view.

[AC] radius scheme rs1

# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

[AC-radius-rs1] primary authentication 192.168.0.111

[AC-radius-rs1] primary accounting 192.168.0.111

[AC-radius-rs1] key authentication simple radius

[AC-radius-rs1] key accounting simple radius

# Configure the AC to remove the domain name from the usernames sent to the RADIUS servers.

[AC-radius-rs1] user-name-format without-domain

[AC-radius-rs1] quit

# Enable the RADIUS session-control feature.

[Router] radius session-control enable

5.     Configure an authentication domain:

# Create an ISP domain named dm1 and enter its view.

[AC] domain dm1

# Configure the authentication and authorization methods as RADIUS and the accounting method as none for the ISP domain.

[AC-isp-dm1] authentication portal radius-scheme rs1

[AC-isp-dm1] authorization portal radius-scheme rs1

[AC-isp-dm1] accounting portal none

# Configure the idle cut feature for users in the ISP domain. Log out a user if the user's traffic is less than 1024 bytes in 15 minutes.

[AC-isp-dm1] authorization-attribute idle-cut 15 1024

[AC-isp-dm1] quit

6.     Configure portal authentication:

# Create a portal authentication server named newpt, specify IP address 192.168.0.111 for the authentication server, and specify 50100 as the port number for listening portal packets.

[AC] portal server newpt

[AC-portal-server-newpt] ip 192.168.0.111 key simple radius

[AC-portal-server-newpt] port 50100

# Specify CMCC as the type of portal authentication server newpt.

[AC-portal-server-newpt] server-type cmcc

[AC-portal-server-newpt] quit

# Create a portal Web server named newpt and specify http://192.168.0.111:8080/portal as the URL of the server.

[AC] portal web-server newpt

[AC-portal-websvr-newpt] url http://192.168.0.111:8080/portal

# Configure the URL parameters ssid, wlanuserip, and wlanacname for portal Web server newpt. Specify the AP's SSID, the IP address of the client, and the AC's name as the value for the ssid, wlanuserip, and wlanacname parameters, respectively. (The parameters are required to be carried in the URL of a CMCC portal Web server.)

[AC-portal-websvr-newpt] url-parameter ssid ssid

[AC-portal-websvr-newpt] url-parameter wlanuserip source-address

[AC-portal-websvr-newpt] url-parameter wlanacname value AC

# Specify CMCC as the type of portal Web server newpt.

[AC-portal-websvr-newpt] server-type cmcc

[AC-portal-websvr-newpt] quit

# Configure a destination-based portal-free rule numbered 0 to permit traffic destined for IP address 192.168.0.111 (the portal Web server).

[AC] portal free-rule 0 destination ip 192.168.0.111 24

# Enable portal roaming.

[AC] portal roaming enable

# Disable the Rule ARP entry feature for portal clients.

[AC] undo portal refresh arp enable

# Enable direct portal authentication on service template st1.

[AC] wlan service-template st1

[AC-wlan-st-st1] portal enable method direct

# Specify ISP domain dm1 as the portal authentication domain.

[AC-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt on service template st1 for portal authentication.

[AC-wlan-st-st1] portal apply web-server newpt

# Configure the BAS-IP attribute as 2.2.2.2 for portal packets sent to portal authentication server newpt.

[AC-wlan-st-st1] portal bas-ip 2.2.2.1

[AC-wlan-st-st1] quit

Configuring the switch

# Create VLAN 100. The switch will use this VLAN to forward traffic on the CAPWAP tunnel between the AC and the AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward client traffic.

[Switch] vlan 200

[Switch-vlan200] quit

# Create VLAN 2.

[Switch] vlan 2

[Switch-vlan2] quit

# Configure GigabitEthernet 1/0/1 (the port connected to the AC) as a trunk port and assign the trunk port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to the AP) as an access port and assign the access port to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE on the access port.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Create VLAN-interface 200 and assign an IP address to the VLAN interface.

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0

[Switch-Vlan-interface200] quit

# Create VLAN-interface 2 and assign an IP address to the VLAN interface.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0

[Switch-Vlan-interface2] quit

Verifying the configuration

# Use the configured username and password to perform portal authentication through a Web browser on the client. Before passing portal authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing portal authentication, the user can access other network resources.

# Display information about all portal users.

[AC] display portal user all

Total portal users: 1

Username: Client

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  0021-6330-0933  2.2.2.2               200     Vlan-interface200

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

Outbound CAR: N/A

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

 portal enable method direct

 portal domain dm1

 portal bas-ip 2.2.2.1

 portal apply web-server newpt

 service-template enable

#

interface Vlan-interface100

 ip address 2.2.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 2.2.2.1 255.255.255.0

#

 ip route-static 192.168.0.0 16 2.2.2.100

#

 radius session-control enable

#

radius scheme rs1

 primary authentication 192.168.0.111

 primary accounting 192.168.0.111

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

#

domain dm1

authorization-attribute idle-cut 15 1024

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal none

#

portal host-check enable

 portal free-rule 0 destination ip 192.168.0.0 255.255.255.0

#

 portal roaming enable

 undo portal refresh arp enable

#

portal web-server newpt

 url http://192.168.0.111:8080/portal

 server-type cmcc

 url-parameter ssid ssid

 url-parameter wlanacname value AC

 url-parameter wlanuserip source-address

#

portal server newpt

 ip 192.168.0.111 key cipher $c$3$Q82T/9AHq5HT7uFX7nho8K0Y6jziycoJTw==

 server-type cmcc

#

wlan ap office model WA560-WW

 serial-id 219801A1NM8182032235

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     Switch:

#

vlan 100

#

vlan 200

#

interface Vlan-interface200

 ip address 2.2.2.100 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type access

 port access vlan 100

 poe enable

Related documentation

·     Security Command Reference in H3C Access Controllers Command References

·     Security Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Command Reference in H3C Access Controllers Command References

·     WLAN Configuration Guide in H3C Access Controllers Configuration Guides