06-Wireless authentication

HomeSupportResource CenterH3C Access Controllers Configuration Examples(V7)-6W10206-Wireless authentication
Table of Contents
Related Documents
26-Remote 802.1X Authentication (IPv6) Configuration Examples

 

H3C Access Controllers

Comware 7 Remote 802.1X Authentication (IPv6)

Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for configuring remote 802.1X authentication for wireless clients on an IPv6 network.

Prerequisites

The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of IPv6 basics, WLAN access, WLAN security, WLAN authentication, and 802.1X.

Example: Configuring remote authentication for 802.1X clients (IPv6)

Network configuration

As shown in Figure 1, the switch acts as a DHCPv6 server to assign IPv6 addresses to the AP and the client. IMC acts as the RADIUS server.

Configure the AC, the client, the switch, and the RADIUS server to meet the following requirements:

·     The AC uses the RADIUS server to perform 802.1X authentication for the wireless client.

·     The AC uses the open system authentication for the client at the data link layer. This is the default authentication method.

·     The AC uses the 802.1X AKM mode to secure data transmission between the client and the AP.

·     The cipher suite is CCMP.

Figure 1 Network diagram

 

Restrictions and guidelines

When you configure remote 802.1X authentication for wireless clients, follow these restrictions and guidelines:

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     For the IMC server to dynamically change the client authorization information or forcibly disconnect clients, enable the RADIUS session-control feature on the AC.

Procedures

Configuring the AC

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100, and assign an IPv6 address to the VLAN interface. The AC will use this IP address to establish CAPWAP tunnels with the AP.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ipv6 address 2001::1 64

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200, and assign an IPv6 address to the VLAN interface. VLAN 200 will be used for client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ipv6 address 2004::1 64

[AC-Vlan-interface200] quit

# Configure GigabitEthernet 1/0/1 (the port connected to the switch) as a trunk port, and assign the port to VLAN 1, VLAN 100, and VLAN 200.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 1 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the IPv6 addresses of the primary authentication and accounting RADIUS servers.

[AC-radius-radius1] primary authentication ipv6 2003::2

[AC-radius-radius1] primary accounting ipv6 2003::2

# Set the shared key to 12345 in plain text for secure communication with the servers.

[AC-radius-radius1] key authentication simple 12345

[AC-radius-radius1] key accounting simple 12345

# Specify IPv6 address 2001::1 as the source IPv6 address of outgoing RADIUS packets.

[AC-radius-radius1] nas-ip ipv6 2001::1

[AC-radius-radius1] quit

# Create an ISP domain named dom1 and enter its view.

[AC] domain dom1

# Apply RADIUS scheme radius1 to ISP domain dom1 for LAN user authentication, authorization, and accounting.

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

# Enable the RADIUS session-control feature.

[AC] radius session-control enable

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

[AC] radius dynamic-author server

# Specify the RADIUS server at 2003::2 as a DAC and set the shared key to 12345 in plain text for validating DAE packets from the RADIUS server.

[AC-radius-da-server] client ipv6 2003::2 key simple 12345

[AC-radius-da-server] quit

3.     Configure the AC to use EAP relay to authenticate 802.1X clients.

[AC] dot1x authentication-method eap

4.     Configure a wireless service:

# Create a service template named service and enter its view.

[AC] wlan service-template service

# Set the SSID of the service template to service.

[AC-wlan-st-service] ssid service

# Assign clients coming online through the service template to VLAN 200.

[AC-wlan-st-service] vlan 200

# Set the AKM mode to 802.1X authentication.

[AC-wlan-st-service] akm mode dot1x

# Set the cipher suite to CCMP and enable the RSN-IE in beacon and probe responses.

[AC-wlan-st-service] cipher-suite ccmp

[AC-wlan-st-service] security-ie rsn

# Set the authentication mode to 802.1X authentication.

[AC-wlan-st-service] client-security authentication-mode dot1x

# Specify ISP domain dom1 for authenticating 802.1X clients.

[AC-wlan-st-service] dot1x domain dom1

# Enable snooping DHCPv6 packets and enable snooping ND packets.

[AC-wlan-st-service] client ipv6-snooping dhcpv6-learning enable

[AC-wlan-st-service] client ipv6-snooping nd-learning enable

# Enable the service template.

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

5.     Configure a manual AP:

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model UAP300

[AC-wlan-ap-ap1] serial-id 219801A15K8171E00166

# Enter the view of radio 1.

[AC-wlan-ap-ap1] radio 1

# Bind service template service to radio 1, and enable radio 1.

[AC-wlan-ap-ap1-radio-1] service-template service

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

6.     Configure a static route destined for the RADIUS server.

[AC] ipv6 route-static 2003:: 64 2004::2

Configuring the switch

1.     Configure VLAN settings:

# Create VLAN 100. The switch will use this VLAN to forward the traffic on the CAPWAP tunnels between the AC and AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward packets for wireless clients.

[Switch] vlan 200

[Switch-vlan200] quit

# Configure GigabitEthernet 1/0/1 (the port connected to the AC) as a trunk port, and assign the port to VLAN 1, VLAN 100, and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 1 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to the AP) as an access port, and assign the port to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE on GigabitEthernet 1/0/2.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Create VLAN-interface 1 and assign an IPv6 address to the VLAN interface.

[Switch] interface vlan-interface 1

[Switch-Vlan-interface1] ipv6 address 2003::1 64

[Switch-Vlan-interface1] quit

# Create VLAN-interface 100 and assign an IPv6 address to the VLAN interface.

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] ipv6 address 2001::2 64

[Switch-Vlan-interface100] quit

# Create VLAN-interface 200 and assign an IPv6 address to the VLAN interface.

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ipv6 address 2004::2 64

[Switch-Vlan-interface200] quit

2.     Configure the DHCPv6 service:

# Create DHCPv6 address pool 1, specify the subnet 2001::/64 in the DHCPv6 address pool, and specify 2001::1 as the gateway address. The switch assigns an IPv6 address to the AP from this pool.

[Switch] ipv6 dhcp pool 1

[Switch-dhcp6-pool-1] network 2001::/64

[Switch-dhcp6-pool-1] gateway-list 2001::1

# Configure Option 52 that specifies the AC's IPv6 address 2001::1 and exclude the IPv6 address from dynamic assignment.

[Switch-dhcp6-pool-1] option 52 hex 20010000000000000000000000000001

[Switch-dhcp6-pool-1] quit

[Switch] ipv6 dhcp server forbidden-address 2001::1

# Apply address pool 1 to VLAN-interface 100 and enable the DHCPv6 server on the VLAN interface.

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] ipv6 dhcp server apply pool 1

[Switch-Vlan-interface100] ipv6 dhcp select server

# Set the managed address configuration flag (M) and the other stateful configuration flag (O) to 1 in RA advertisements to be sent, and disable RA message suppression on VLAN-interface 100.

[Switch-Vlan-interface100] ipv6 nd autoconfig managed-address-flag

[Switch-Vlan-interface100] ipv6 nd autoconfig other-flag

[Switch-Vlan-interface100] undo ipv6 nd ra halt

[Switch-Vlan-interface100] quit

# Create DHCPv6 address pool 2, specify the subnet 2004::/64 in the DHCPv6 address pool, and specify 2004::2 as the gateway address. The switch assigns an IPv6 address to the client from this pool.

[Switch] ipv6 dhcp pool 2

[Switch-dhcp6-pool-2] network 2004::/64

[Switch-dhcp6-pool-2] gateway-list 2004::2

[Switch-dhcp6-pool-2] quit

# Exclude IPv6 address 2004::1 from dynamic assignment.

[Switch] ipv6 dhcp server forbidden-address 2004::1

# Apply address pool 2 to VLAN-interface 200 and enable the DHCPv6 server on the VLAN interface.

[Switch] interface Vlan-interface 200

[Switch-Vlan-interface200] ipv6 dhcp server apply pool 2

[Switch-Vlan-interface200] ipv6 dhcp select server

# Set the managed address configuration flag (M) and the other stateful configuration flag (O) to 1 in RA advertisements to be sent, and disable RA message suppression on VLAN-interface 200.

[Switch-Vlan-interface200] ipv6 nd autoconfig managed-address-flag

[Switch-Vlan-interface200] ipv6 nd autoconfig other-flag

[Switch-Vlan-interface200] undo ipv6 nd ra halt

[Switch-Vlan-interface200] quit

Configuring the RADIUS server

This example uses IMC PLAT 7.1 and IMC UAM 7.1 to show the procedure.

Make sure the EAP-PEAP certificate has been installed on the server.

1.     Add the AC to IMC as an access device:

a.     Log in to IMC.

b.     Click the User tab.

c.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

d.     Click Add.

The Add Access Device page opens.

e.     Configure access device parameters, as shown in Figure 2:

-     In the Access Configuration area, set the authentication and accounting shared keys to 12345 and use the default settings of other parameters.

-     In the Device List area, click Select or Add IPv6 Dev to add the device at 2001::1 to IMC as an access device. If you click Add IPv6 Dev, enter 2001::1 as the start IPv6 address and click OK in the dialog box that opens.

f.     Click OK.

Figure 2 Adding an access device

 

2.     Add an access policy:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Policy.

c.     Click Add.

d.     On the Add Access Policy page, configure the following parameters, as shown in Figure 3:

-     Enter dot1x in the Access Policy Name field.

-     Select EAP for the Certificate Authentication field.

-     Select EAP-PEAP Auth from the Certificate Type list, and select MS-CHAPV2 Auth from the Certificate Sub-Type list.

The certificate sub-type on the IMC server must be the same as the identity authentication method configured on the client.

e.     Click OK.

Figure 3 Adding an access policy

 

3.     Add an access service:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Service.

c.     Click Add.

d.     On the Add Access Service page, configure the following parameters, as shown in Figure 4:

-     Enter dot1x in the Service Name field.

-     Select dot1x from the Default Access Policy list.

e.     Click OK.

Figure 4 Adding an access service

 

4.     Add an access user:

a.     Click the User tab.

b.     From the navigation tree, select Access User > Access User.

The access user list opens.

c.     Click Add.

The Add Access User page opens.

d.     In the Access Information area, configure the following parameters, as shown in Figure 5:

-     Click Select or Add User to associate the user with IMC Platform user user.

-     Enter dot1x in the Account Name field.

-     Enter dot1x123 in the Password and Confirm Password fields.

e.     In the Access Service area, select dot1x from the list.

f.     Click OK.

Figure 5 Adding an access user account

 

Configuring the client

Use a mobile phone to connect to the wireless network with SSID service:

1.     Select PEAP as the EAP authentication method.

2.     Enter dot1x as the identity and enter password dot1x123.

Use the default settings of other parameters.

3.     Connect to the wireless network.

Verifying the configuration

1.     On the client, verify that the client can pass authentication, associate with the AP, and access the wireless network. (Details not shown.)

2.     On the AC, perform the following tasks to verify that the user has passed authentication and come online:

# Display detailed WLAN client information.

[AC] display wlan client verbose

Total number of clients: 1

 

 MAC address                       : 3829-5a40-9589

 IPv4 address                      : N/A

 IPv6 address                      : 2004::4

 Username                          : dot1x

 AID                               : 1

 AP ID                             : 2

 AP name                           : ap1

 Radio ID                          : 1

 SSID                              : service

 BSSID                             : ac74-090a-6421

 VLAN ID                           : 200

 Sleep count                       : 0

 Wireless mode                     : 802.11an

 Channel bandwidth                 : 40MHz

 20/40 BSS Coexistence Management  : Supported

 SM power save                     : Enabled

 SM power save mode                : Static

 Short GI for 20MHz                : Supported

 Short GI for 40MHz                : Supported

 STBC RX capability                : Supported

 STBC TX capability                : Not supported

 LDPC RX capability                : Not supported

 Block Ack                         : N/A

 Supported HT MCS set              : 0, 1, 2, 3, 4, 5, 6, 7

 Supported rates                   : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

 QoS mode                          : WMM

 Listen interval                   : 2

 RSSI                              : 0

 Rx/Tx rate                        : 0/0 Mbps

 Authentication method             : Open system

 Security mode                     : RSN

 AKM mode                          : 802.1X

 Cipher suite                      : CCMP

 User authentication mode          : 802.1X

 Authorization ACL ID              : N/A

 Authorization user profile        : N/A

 Roam status                       : N/A

 Key derivation                    : SHA1

 PMF status                        : N/A

 Forwarding policy name            : Not configured

 Online time                       : 0days 0hours 0minutes 1seconds

 FT status                         : Inactive

# Display online 802.1X client information.

[AC] display dot1x connection

Total connections: 1

User MAC address           : 3829-5a40-9589

AP name                    : ap1

Radio ID                   : 1

SSID                       : service

BSSID                      : ac74-090a-6421

Username                   : dot1x

Authentication domain      : dom1

IPv6 address               : 2004::4

Authentication method      : EAP

Initial VLAN               : 200

Authorization VLAN         : 200

Authorization ACL number   : N/A

Authorization user profile : N/A

Termination action         : Radius-Request

Session timeout period     : 86401 s

Online from                : 2018/07/18 10:36:00

Online duration            : 0h 0m 19s

Configuration files

·     AC:

#

 dot1x authentication-method eap

#

vlan 1

#

vlan 100

#

vlan 200

#

wlan service-template service

 ssid service

 vlan 200

 akm mode dot1x

 cipher-suite ccmp

 security-ie rsn

 client-security authentication-mode dot1x

 dot1x domain dom1

 client ipv6-snooping nd-learning enable

 client ipv6-snooping dhcpv6-learning enable

 service-template enable

#

interface Vlan-interface100

 ipv6 address 2001::1/64

#

interface Vlan-interface200

 ipv6 address 2004::1/64

#

interface GigabitEthernet1/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 1 100 200

#

 ipv6 route-static 2003:: 64 2004::2

#

 radius session-control enable

#

radius scheme radius1

 primary authentication ipv6 2003::2

 primary accounting ipv6 2003::2

 key authentication cipher $c$3$Nc0p9aAdEZsigfKkc+BNOVwr1StmtFHa

 key accounting cipher $c$3$1UiOGNVopIKWmUamDZBOpK2pSJ9+C7U5

 nas-ip ipv6 2001::1

#

radius dynamic-author server

 client ipv6 2003::2 key cipher $c$3$mOGMY0tNJT94RiwVyD80JG2zYwSUfpNV

#

domain dom1

 authentication lan-access radius-scheme radius1

 authorization lan-access radius-scheme radius1

 accounting lan-access radius-scheme radius1

#

wlan ap ap1 model UAP300

 serial-id 219801A15K8171E00166

 radio 1

  radio enable

  service-template service

#

·     Switch:

#

 ipv6 dhcp server forbidden-address 2001::1

 ipv6 dhcp server forbidden-address 2004::1

#

vlan 1

#

vlan 100

#

vlan 200

#

ipv6 dhcp pool 1

 network 2001::/64

 option 52 hex 20010000000000000000000000000001

 gateway-list 2001::1

#

ipv6 dhcp pool 2

 network 2004::/64

 gateway-list 2004::2

#

interface Vlan-interface1

 ipv6 address 2003::1/64

#

interface Vlan-interface100

 ipv6 dhcp select server

 ipv6 dhcp server apply pool 1

 ipv6 address 2001::2/64

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

 undo ipv6 nd ra halt

#

interface Vlan-interface200

 ipv6 dhcp select server

 ipv6 dhcp server apply pool 2

 ipv6 address 2004::2/64

 ipv6 nd autoconfig managed-address-flag

 ipv6 nd autoconfig other-flag

 undo ipv6 nd ra halt

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port access vlan 100

 poe enable

#

Related documentation

·     AP and WT Management Configuration Guide in H3C Access Controllers Configuration Guides

·     AP and WT Management Command Reference in H3C Access Controllers Command References

·     Network Connectivity Configuration Guide in H3C Access Controllers Configuration Guides

·     Network Connectivity Command Reference in H3C Access Controllers Command References

·     User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     User Access and Authentication Command Reference in H3C Access Controllers Command References

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Access Command Reference in H3C Access Controllers Command References