10-High availability

HomeSupportResource CenterConfigure & DeployConfiguration ExamplesH3C Access Controllers Configuration Examples(V7)-6W10210-High availability
Table of Contents
Related Documents
10-Dual-Link Backup Remote Portal MAC-Trigger Authentication in Local Forwarding Configuration Examples

 

H3C Access Controllers

Comware 7 Dual-Link Backup Remote Portal MAC-Trigger Authentication in Local Forwarding

Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for configuring remote portal MAC-trigger authentication with local forwarding.

Prerequisites

The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AAA, portal, WLAN access, and WLAN high availability.

Example: Configuring remote portal MAC-trigger authentication for dual-link AC backup and local forwarding

Network configuration

As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server. The IMC server acts as the portal authentication server, portal Web server, and RADIUS server.

Configure the devices to meet the following requirements:

·     The AP associates with both ACs and the two ACs to back up each other. When the master AC (AC 1) fails, the backup AC (AC 2) takes over, and the AP can provide services correctly through the backup AC.

·     Before passing portal authentication, the client can access only the portal Web server. After passing the authentication, the client can access other network resources.

·     The AP forwards all the client traffic.

·     The client can access network resources through any Layer 2 ports in its access VLAN without re-authentication.

Figure 1 Network diagram

 

Analysis

·     To allow an authenticated user to access network resources on any Layer 2 ports in its access VLAN without re-authentication, you must enable the portal roaming feature.

·     To assign interface GigabitEthernet 1/0/1 on the AP to VLAN 600 for local forwarding, you must edit the configuration file of the AP and then upload the file to the storage medium of the AC.

·     For dual-link backup to operate correctly, you must configure manual AP or auto AP settings on both ACs. This ensures that the AP can establish CAPWAP tunnels with both ACs.

Restrictions and guidelines

When you configure remote portal MAC-trigger authentication for dual-link AC backup and local forwarding, follow these restrictions and guidelines:

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     If you configure manual APs, make sure the manual APs configured on the two ACs have the same AP name and identifier (serial ID or MAC address).

·     Portal authentication might fail if portal clients come online and go offline frequently during a short period. To resolve the issue, disable Rule ARP entry feature for portal clients.

·     Make sure the two ACs have the same portal authentication settings, except for the portal Web server setting.

·     Some clients are enabled with MAC randomization by default, which might cause seamless roaming failures. As a best practice, disable MAC randomization.

·     You must upload the AP configuration file to both the master and backup ACs.

Procedures

Editing the AP configuration file

# Use a text editor to edit the AP configuration file, name the file map.txt, and then upload the file to the storage medium of the ACs. The file content and format are as follows:

system-view

vlan 600

interface gigabitethernet1/0/1

port link-type trunk

port trunk permit vlan 600

Configuring AC 1

1.     Configure dual-link backup:

# Create VLAN 501 and VLAN-interface 501. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC1> system-view

[AC1] vlan 501

[AC1-vlan501] quit

[AC1] interface vlan-interface 501

[AC1-Vlan-interface501] ip address 99.1.0.5 16

[AC1-Vlan-interface501] quit

# Create VLAN 600. This VLAN will be used for wireless client access.

[AC1] vlan 600

[AC1-vlan600] quit

# Create AP ap1, and specify the AP name and serial ID.

[AC1] wlan ap ap1 model WA5620

[AC1-wlan-ap-ap1] serial-id 219801A0YH8166E00027

# Set the AP connection priority to 7.

[AC1-wlan-ap-ap1] priority 7

# Specify AC 2 as the backup AC for AC 1.

[AC1-wlan-ap-ap1] backup-ac ip 99.1.0.9

# Enable master CAPWAP tunnel preemption.

[AC1-wlan-ap-ap1] wlan tunnel-preempt enable

[AC1-wlan-ap-ap1] quit

2.     Configure wireless services:

# Create service template st1 and enter its view.

[AC1] wlan service-template st1

# Specify the SSID as service.

[AC1-wlan-st-st1] ssid service

# Assign clients coming online through the service template to VLAN 600.

[AC1-wlan-st-st1] vlan 600

# Configure the AP to forward client traffic.

[AC1–wlan-st-st1] client forwarding-location ap

[AC1-wlan-st-st1] quit

# Enter AP view of AP ap1, and deploy configuration file map.txt to the AP.

[AC1] wlan ap ap1

[AC1-wlan-ap-ap1] map-configuration map.txt

# Enter radio view of radio 2.

[AC1-wlan-ap-ap1] radio 2

# Bind service template st1 to radio 2 and enable the radio.

[AC1-wlan-ap-ap1-radio-2] service-template st1

[AC1-wlan-ap-ap1-radio-2] radio enable

[AC1-wlan-ap-ap1-radio-2] quit

[AC1-wlan-ap-ap1] quit

3.     Configure a RADIUS scheme:

# Create RADIUS scheme rs1.

[AC1] radius scheme rs1

# Specify the IP addresses of the primary authentication and accounting RADIUS servers.

[AC1-radius-rs1] primary authentication 8.1.1.195

[AC1-radius-rs1] primary accounting 8.1.1.195

# Specify shared keys for RADIUS authentication and accounting.

[AC1-radius-rs1] key authentication simple radius

[AC1-radius-rs1] key accounting simple radius

# Configure AC 1 to remove the ISP domain name from the usernames sent to the RADIUS servers.

[AC1-radius-rs1] user-name-format without-domain

[AC1-radius-rs1] nas-ip 99.1.0.5

[AC1-radius-rs1] quit

# Enable RADIUS session-control.

[AC1] radius session-control enable

4.     Configure the authentication domain:

# Create domain dm1 and enter its view.

[AC1] domain dm1

# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting.

[AC1-isp-dm1] authentication portal radius-scheme rs1

[AC1-isp-dm1] authorization portal radius-scheme rs1

[AC1-isp-dm1] accounting portal radius-scheme rs1

# Set the client idle timeout to 15 minutes and set the minimum threshold to 1024 bytes for clients in ISP domain dm1.

[AC1-isp-dm1] authorization-attribute idle-cut 15 1024

[AC1-isp-dm1] quit

5.     Configure portal authentication:

# Create the portal authentication server newpt, specify the server IP address as 8.1.1.195, and set the destination UDP port number to 50100 for the AC to send unsolicited portal packets to the portal authentication server.

[AC1] portal server newpt

[AC1-portal-server-newpt] ip 8.1.1.195 key simple portal

[AC1-portal-server-newpt] port 50100

[AC1-portal-server-newpt] quit

# Configure the URL for the portal Web server newpt as http://8.1.1.195:8080/portal.

[AC1] portal web-server newpt

[AC1-portal-websvr-newpt] url http://8.1.1.195:8080/portal

[AC1-portal-websvr-newpt] quit

# Enable intra-VLAN roaming for portal users.

[AC1] portal roaming enable

# Disable the Rule ARP entry feature for portal clients.

[AC1] undo portal refresh arp enable

# Enable validity check on wireless portal clients.

[AC1] portal host-check enable

# Enable direct IPv4 portal authentication for service template st1.

[AC1] wlan service-template st1

[AC1-wlan-st-st1] portal enable method direct

# Configure the authentication domain for IPv4 portal users as dm1 on service template st1.

[AC1-wlan-st-st1] portal domain dm1

# Specify portal Web server newpt as the backup portal Web server on service template st1 for portal authentication.

[AC1-wlan-st-st1] portal apply web-server newpt

[AC1-wlan-st-st1] quit

# Configure IPv4-based portal-free rules to permit DNS server traffic.

[AC1] portal free-rule 1 destination ip any udp 53

[AC1] portal free-rule 2 destination ip any tcp 53

6.     Configure MAC-trigger authentication:

# Create the MAC binding server mts and enter its view.

[AC1] portal mac-trigger-server mts

# Specify the IP address of the MAC binding server as 8.1.1.195.

[AC1-portal-mac-trigger-server-mts] ip 8.1.1.195

[AC1-portal-mac-trigger-server-mts] quit

# Specify the MAC binding server mts on service template st1.

[AC1] wlan service-template st1

[AC1-wlan-st-st1] portal apply mac-trigger-server mts

# Enable the service template.

[AC1-wlan-st-st1] service-template enable

[AC1-wlan-st-st1] quit

Configuring AC 2

1.     Configure dual-link backup:

# Create VLAN-interface 501. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC2> system-view

[AC2] interface Vlan-interface 501

[AC2-Vlan-interface501] ip address 99.1.0.9 16

[AC2-Vlan-interface501] quit

# Create AP ap1, and specify the AP model and serial ID.

[AC2] wlan ap ap1 model WA5620

[AC2-wlan-ap-ap1] serial-id 219801A0YH8166E00027

# Set the AP connection priority to 5.

[AC2-wlan-ap-ap1] priority 5

# Specify AC 1 as the backup AC for AC 2.

[AC2-wlan-ap-ap1] backup-ac ip 99.1.0.5

# Enable master CAPWAP tunnel preemption.

[AC2-wlan-ap-ap1] wlan tunnel-preempt enable

[AC2-wlan-ap-ap1] quit

2.     Configure AC 2 in the same way AC 1 was configured.

Configuring the IMC server

In this example, the IMC server runs IMC PLAT 7.3 (E0504), IMC EIA 7.3 (E0503), and IMC EIP 7.3 (E0503).

The IMC server configuration is the same for AC 1 and AC 2, except for the AC IP address. This section configures AC 1 as an example. Refer to AC 1 configuration when you configure AC 2 and remember to change the IP address setting for AC 2.

Configure the RADIUS server to add access devices

1.     Log in to IMC and click the User tab.

2.     From the navigation pane, select User Access Policy > Access Device Management > Access Device.

3.     Click Add.

The Add Access Device page opens.

4.     In the Access Configuration area, configure the following parameters:

¡     Enter radius in the Shared Key and Confirm Shared Key fields.

¡     Use the default values for other parameters.

5.     In the Device List area, click Select or Add Manually to add the AC 1 at 99.1.0.5 as an access device.

6.     Click OK.

Figure 2 Adding an access device

 

Configure the portal server:

1.     Configure portal authentication:

a.     Click the User tab.

b.     Select User Access Policy > Portal Service > Server from the navigation tree to open the portal server configuration page.

c.     Configure the portal server parameters as needed.

This example uses the default settings.

d.     Click OK.

Figure 3 Portal authentication server configuration

 

2.     Configure the IP address group:

a.     Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.

b.     Click Add to open the page as shown in Figure 4.

c.     Enter the IP group name. In this example, the name is w05995-wx5540h-irf-ipaddgroup.

d.     Enter the start IP address and end IP address of the IP group.

Make sure the client IP address is in the IP group.

e.     Select a service group.

This example uses the default group Ungrouped.

f.     Select Normal from the Action list.

g.     Click OK.

Figure 4 Adding an IP address group

 

3.     Add a portal device:

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click Add to open the page as shown in Figure 5.

c.     Enter the device name. In this example, the name is WX5540H-IRF.

d.     Specify the version as Portal 2.0.

e.     Enter the IP address (99.1.0.5) of the AC's interface connected to the client.

f.     Set whether to support the portal server heartbeat and user heartbeat functions.

In this example, select No for both Support Server Heartbeat and Support User Heartbeat.

g.     Enter the key, which must be the same as that configured on the AC.

h.     Select Directly Connected from the Access Method list.

i.     Use the default settings for other parameters.

j.     Click OK.

Figure 5 Adding a portal device

 

4.     Associate the portal device with the IP address group:

a.     As shown in Figure 6, click the Port Group Information Management icon  for the device to open the port group configuration page.

b.     Click Add to open the page as shown in Figure 7.

c.     Enter the port group name. In this example, the name is w05995-wx5540h-irf-portgroup.

d.     Select the configured IP address group.

The IP address used by the user to access the network must be within this IP address group.

e.     Select Supported for Transparent Authentication.

f.     Use the default settings for other parameters.

g.     Click OK.

h.     From the navigation tree, select Intelligent Portal Management > User Management > Users.

Figure 6 Device list

 

Figure 7 Adding a port group

 

5.     Select User Access Policy > Service Parameters > Validate System Configuration from the navigation tree to make the configurations take effect.

Configuring the MAC binding server

1.     Add an access policy:

a.     Select User Access Policy > Access Policy from the navigation tree to open the access policy page.

b.     Click Add to open the page as shown in Figure 8.

c.     Enter the access policy name. In this example, the name is w05995_portal.

d.     Select a service group.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 8 Adding an access policy

 

2.     Add an access service:

a.     Select User Access Policy > Access Service from the navigation tree to open the access service page.

b.     Click Add to open the page as shown in Figure 9.

c.     Enter the service name. In this example, the service name is w05995_portal.

d.     Select the Transparent Authentication on Portal Endpoints option.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 9 Adding an access service

 

3.     Add an access user:

a.     Select Access User > All Access Users from the navigation tree to open the access user page.

b.     Click Add to open the page as shown in Figure 10.

c.     Select or add an access user. In this example, the account name is w05995.

d.     Set the password. In this example, the password is w05995_portal.

e.     Select Enable Password Strategy.

f.     Retain the default settings for other parameters.

g.     Select the configured service.

h.     Click OK.

Figure 10 Adding an access user

 

4.     Configure system parameters:

a.     Select User Access Policy > Service Parameters > System Settings from the navigation tree to open the system settings page.

b.     Click the Configure icon 2013-07-29_144255.png for User Endpoint Settings to open the page as shown in Figure 11.

c.     Enable Transparent MAC Authentication.

d.     Select whether to enable transparent portal authentication on non-smart devices.

In this example, select Enable for Non-Terminal Authentication.

e.     Click OK.

f.     Click the Configure icon 2013-07-29_144255.png for Endpoint Aging Time to open the page as shown in Figure 12.

g.     Set the endpoint aging time as needed.

This example uses the default value.

Figure 11 Configuring user endpoint settings

 

Figure 12 Setting the endpoint aging time

 

5.     Select User Access Policy > Service Parameters > Validate System Configuration from the navigation tree to make the configurations take effect.

Verifying the configuration

Verifying dual-link backup configuration

# Make the AP come online.

# Verify that the AP first associates with AC 1. Shut down VLAN-interface 1 on AC 1, wait 3 minutes, and verify that the AP associates with AC 2 and the AP state on AC 2 is R/M.

[AC2] display wlan ap all

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 10

Remaining APs: 9

Total AP licenses: 10

Remaining AP licenses: 9.50

                                 AP information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run,   M = Master,  B = Backup

AP name                        APID  State Model           Serial ID

ap1                            1     R/M   WA5620          219801A0YH8166E00027

# Bring up VLAN-interface 1 on AC 1. Verify that the AP state becomes R/M on AC 1 and R/B on AC 2.

[AC1] display wlan ap all

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 10

Remaining APs: 9

Total AP licenses: 10

Remaining AP licenses: 9.50

                                 AP information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run,   M = Master,  B = Backup

AP name                        APID  State Model           Serial ID

ap1                            1     R/M   WA5620          219801A0YH8166E00027

[AC2] display wlan ap all

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 10

Remaining APs: 9

Total AP licenses: 10

Remaining AP licenses: 9.50

                                 AP information

 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad

         C = Config,    DC = DataCheck,  R  = Run,   M = Master,  B = Backup

AP name                        APID  State Model           Serial ID

ap1                            1     R/B   WA5620          219801A0YH8166E00027

Verifying portal MAC-trigger authentication configuration

# Display MAC binding server configuration.

[AC1] display portal mac-trigger-server name mts

Portal mac trigger server name: mts

  Version                    : 1.0

  Server type                : IMC

  IP                         : 8.1.1.195

  Port                       : 50100

  VPN instance               : Not configured

  Aging time                 : 300 seconds

  Free-traffic threshold     : 0 bytes

  NAS-Port-Type              : Not configured

  Binding retry times        : 3

  Binding retry interval     : 1 seconds

  Authentication timeout     : 3 minutes

A user can perform portal authentication through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.

For the first portal authentication, the user is required to enter the username and password.

# Display portal user information.

[AC1] display portal user all

Total portal users: 1

Username: w05995_portal

  AP name: ap1

  Radio ID: 2

  SSID: service

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  a89c-ed90-7730  99.100.0.12           600     WLAN-BSS2/0/2121

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

When the user goes offline and then accesses the network again, the user does not need to enter the authentication username and password.

# Display portal user information.

[AC1] display portal user all

Total portal users: 1

Username: A8:9C:ED:90:77:30

  AP name: ap1

  Radio ID: 2

  SSID: service

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  a89c-ed90-7730  99.100.0.12           600     WLAN-BSS2/0/2121

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Configuration files

·     AC 1:

#

vlan 501

#

vlan 600

#

wlan service-template st1

 ssid service

 vlan 600

 client forwarding-location ap

 portal enable method direct

 portal domain dm1

 portal apply web-server newpt

 portal apply mac-trigger-server mts

 service-template enable

#

interface Vlan-interface501

 ip address 99.1.0.5 255.255.0.0

#

radius scheme rs1

 primary authentication 8.1.1.195

 primary accounting 8.1.1.195

 key authentication cipher $c$3$/Mc+yQtK3k6E3L0TtJth+7Pel1EBrSZAmg==

 key accounting cipher $c$3$WoQkH/FblsUGadr043yY0MGAPHWTIQvUdA==

 user-name-format without-domain

 nas-ip 99.1.0.5

#

domain dm1

 authorization-attribute idle-cut 15 1024

 authentication portal radius-scheme rs1

 authorization portal radius-scheme rs1

 accounting portal radius-scheme rs1

#

portal host-check enable

portal free-rule 1 destination ip any udp 53

portal free-rule 2 destination ip any tcp 53

#

 portal web-server newpt

 url http://8.1.1.195:8080/portal

#

portal server newpt

 ip 8.1.1.195 key cipher $c$3$GZf8+GypB2tLYA25pKOLrJu3quh+vnFElQ==

#

portal mac-trigger-server mts

 ip 8.1.1.195

#

wlan ap ap1 model WA5620

 serial-id 219801A0YH8166E00027

 wlan tunnel-preempt enable

 priority 7

 backup-ac ip 99.1.0.9 

 map-configuration flash:/map.txt

 radio 1

 radio 2

  radio enable

  service-template st1

#

·     AC 2:

Similar as that on AC 1. (Details not shown.)

Related documentation

·     AP Management Command Reference in H3C Access Controllers Command References

·     AP Management Configuration Guide in H3C Access Controllers Configuration Guides

·     Portal Authentication Command Reference in H3C Access Controllers Command References

·     Portal Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Access Command Reference in H3C Access Controllers Command References

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN High Availability Command Reference in H3C Access Controllers Command References

·     WLAN High Availability Configuration Guide in H3C Access Controllers Configuration Guides