Copyright © 2019 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring local portal authentication· 1

Network configuration·· 1

Analysis· 2

Restrictions and guidelines· 2

Procedures· 2

Configuring the AC·· 2

Configuring the switch·· 4

Configuring the RADIUS server 5

Verifying the configuration·· 7

Configuration files· 8

Related documentation· 9

 

Introduction

This document provides examples for configuring local portal authentication on the AC.

Prerequisites

This document applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of portal authentication.

Example: Configuring local portal authentication

Network configuration

As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server.

·     Configure the access device AC to also act as the portal Web server and the portal authentication server.

·     Use the RADIUS server as both the authentication server and the authorization server.

·     Configure direct portal authentication on the AC.

Figure 1 Network diagram

 

Analysis

To allow an authenticated user to access network resources on any Layer 2 ports in its access VLAN without re-authentication, you must enable the portal roaming feature.

In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries. To ensure that valid users can perform portal authentication, you must enable wireless client validity check on the AC.

To avoid possible authentication failure caused by frequent logins and logouts of portal clients in a short time, disable the Rule ARP entry feature.

To allow the RADIUS server to modify user authorization information and log out users, enable the RADIUS session-control feature.

Restrictions and guidelines

When you configure local portal authentication, follow these restrictions and guidelines:

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     The portal authentication server type and portal Web server type configured on the AC must be the same as the types of the servers actually used. In this example, the server type is CMCC.

·     By default, the portal Web server URL redirected to users does carry parameters. You can configure the parameters to be carried in the redirection URL as needed.

·     To enable portal authentication on a VLAN interface, you must use the centralized forwarding mode. To enable portal authentication on a service template, you can use the centralized forwarding mode or the local forwarding mode. In this example, portal authentication is enabled on a service template.

·     Edit portal authentication pages, compress them to a .zip file (this example uses abc.zip), and then upload the file to the root directory of the storage medium of the AC. On the AC, you must specify this file as the default authentication page file.

·     To change the default authentication page file, you must first execute the undo default-logon-page command, and then specify a new default authentication page file.

Procedures

Configuring the AC

1.     Configuring VLANs and interfaces:

# Create VLAN 100 and VLAN-interface 100. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 192.168.0.100 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200. Assign the VLAN interface an IP address. This VLAN will be used for wireless client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 2.2.2.1 24

[AC-Vlan-interface200] quit

# Configure routing to make sure the client, servers, and AC can reach one another. (Details not shown.)

2.     Configure the wireless service:

# Create a service template named st1 and enter its view.

[AC] wlan service-template st1

# Configure the SSID of the service template as service.

[AC-wlan-st-st1] ssid service

# Assign clients coming online through the service template to VLAN 200.

[AC-wlan-st-st1] vlan 200

# Configure the authentication domain for portal users as dm1.

[AC-wlan-st-st1] portal domain dm1

# Enable the service template.

[AC-wlan-st-st1] service-template enable

[AC-wlan-st-st1] quit

# Create an AP named office. Specify the AP model and serial ID.

[AC] wlan ap office model WA560-WW

[AC-wlan-ap-office] serial-id 219801A1NM8182032235

# Enter the view of radio 2.

[AC-wlan-ap-office] radio 2

# Bind service template st1 to radio 2 and enable the radio.

[AC-wlan-ap-office-radio-2] service-template st1

[AC-wlan-ap-office-radio-2] radio enable

[AC-wlan-ap-office-radio-2] quit

[AC-wlan-ap-office] quit

# Create a RADIUS scheme named rs1 and enter its view.

[AC] radius scheme rs1

# Configure the primary authentication and accounting servers and shared keys used for secure communication with the servers.

[AC-radius-rs1] primary authentication 192.168.0.112

[AC-radius-rs1] primary accounting 192.168.0.112

[AC-radius-rs1] key authentication simple radius

[AC-radius-rs1] key accounting simple radius

# Configure the AC to remove the domain name from the usernames sent to the RADIUS servers.

[AC-radius-rs1] user-name-format without-domain

[AC-radius-rs1] quit

# Enable the RADIUS session-control feature.

[AC] radius session-control enable

3.     Configure the authentication domain:

# Create an ISP domain named dm1 and enter its view.

[AC] domain dm1

# Configure the authentication and authorization methods as RADIUS and the accounting method as none for portal users.

[AC-isp-dm1] authentication portal radius-scheme rs1

[AC-isp-dm1] authorization portal radius-scheme rs1

[AC-isp-dm1] accounting portal none

# Configure the idle cut feature for users. Log out a user if the user's traffic is less than 1024 bytes in 15 minutes.

[AC-isp-dm1] authorization-attribute idle-cut 15 1024

[AC-isp-dm1] quit

4.     Configure portal authentication:

# Create a portal Web server named newpt and specify the server's URL as http://2.2.2.1/portal.

[AC] portal web-server newpt

[AC-portal-websvr-newpt] url http://2.2.2.1/portal

# Configure the portal redirection URL to carry the wlanuserip parameter and the parameter value is the user's IP address.

[AC-portal-websvr-newpt] url-parameter wlanuserip source-address

# Configure the portal Web server type as CMCC.

[AC-portal-websvr-newpt] server-type cmcc

[AC-portal-websvr-newpt] quit

# Enable direct portal authentication on service template st1.

[AC] wlan service-template st1

[AC–wlan-st-st1] portal enable method direct

# Specify portal Web server newpt on service template st1.

[AC–wlan-st-st1] portal apply web-server newpt

[AC–wlan-st-st1] quit

# Enable the local portal service and enter HTTP-based local portal Web service view.

[AC] portal local-web-server http

# Specify the default authentication page file as abc.zip. (The file must already exist in the root directory of the storage medium of the AC.)

[AC–portal-local-websvr-http] default-logon-page abc.zip

[AC–portal-local-websvr-http] quit

# Enable the portal roaming feature.

[AC] portal roaming enable

# Disable the Rule ARP entry feature for portal clients.

[AC] undo portal refresh arp enable

# Enable the wireless client validity check feature.

[AC] portal host-check enable

Configuring the switch

# Create VLAN 100. The switch will use this VLAN to forward traffic on the CAPWAP tunnel between the AC and the AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward traffic of wireless clients.

[Switch] vlan 200

[Switch-vlan200] quit

# Configure GigabitEthernet 1/0/1 (the port connected to the AC) as a trunk port. Assign the trunk port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to the AP) as an access port. Assign the access port to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE on the access port.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

Configuring the RADIUS server

This example uses the IMC server to describe the RADIUS server configuration. The IMC server runs on IMC PLAT 7.1(E0303p13), IMC EIA 7.1(F0302p08), and IMC EIP 7.1(F0302p08).

1.     Add an access device:

a.     Log in to IMC and click the User tab.

b.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c.     Click Add.

The Add Access Device page opens.

d.     Configure the shared key as radius.

The shared key must be the same as that configured for the RADIUS server on the AC.

e.     In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter the start IP address 2.2.2.1 and click OK.

f.     Use the default settings for other parameters on the Add Access Device page.

g.     Click OK.

Figure 2 Adding an access device

 

2.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     Click Add to open the Add Access Policy page.

c.     Enter the policy name, select the service group, and use the default settings for other parameters.

d.     Click OK.

Figure 3 Adding an access policy

 

3.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service.

b.     Click Add to open the Add Access Service page.

c.     Enter the service name, select the access policy configured in the previous step as the default access policy, and use the default settings for other parameters.

d.     Click OK.

Figure 4 Adding an access service

 

4.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users.

b.     Click Add to open the Add Access User page.

c.     Select a user from the Username list. If the user does not exist, click Add User to add a user.

d.     Enter the account name.

e.     Enter and confirm the password.

f.     Use the default settings for other parameters.

g.     Click OK.

Figure 5 Adding an access user

 

Verifying the configuration

# Use the configured username and password to perform portal authentication through a Web browser on the client. Before passing authentication, all Web accesses are redirected to the portal authentication page (http://2.2.2.1/portal). After passing authentication, you can access other network resources.

# Display the online portal user information on the AC.

[AC] display portal user all

Total portal users: 1

Username: Client

  AP name: officeap

  Radio ID: 2

  SSID: service

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  0024-d705-c686     2.2.2.2            200     Vlan-interface200

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template st1

 ssid service

 vlan 200

 portal enable method direct

 portal domain dm1

 portal apply web-server newpt

 service-template enable

#

interface Vlan-interface100

 ip address 192.168.0.100 255.255.255.0

 

#

interface Vlan-interface200

 ip address 2.2.2.1 255.255.255.0

#

 radius session-control enable

#

radius scheme rs1

 primary authentication 192.168.0.112

 primary accounting 192.168.0.112

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

#

domain dm1

 authorization-attribute idle-cut 15 1024

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal none

#

portal host-check enable

#

 portal roaming enable

 undo portal refresh arp enable

#

portal web-server newpt

 url http://2.2.2.1/portal

 server-type cmcc

 url-parameter wlanuserip source-address

#

portal local-web-server http

 default-logon-page abc.zip

#

wlan ap office model WA560-WW

 serial-id 219801A1NM8182032235

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     Switch:

#

vlan 100

#

vlan 200

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type access

 port access vlan 100

 poe enable

Related documentation

·     Security Command Reference in H3C Access Controllers Command References

·     Security Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Command Reference in H3C Access Controllers Command References

·     WLAN Configuration Guide in H3C Access Controllers Configuration Guides