13-Basic network configuration


H3C Access Controllers

Comware 7 IPv6 URL Redirection

Configuration Examples


Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for configuring IPv6 URL redirection.

Prerequisites

The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of AAA, MAC authentication, WLAN access, WLAN user authentication, and WLAN security.

Example: Configuring IPv6 URL redirection

Network configuration

As shown in Figure 1, the AP obtains an IP address from the DHCP server, and the client obtains an IPv4 address from the DHCP server and an IPv6 address from the DHCPv6 server. To control the client's access to network resources, complete the following tasks:

·     Configure VLAN 100 as the access VLAN for the AP.

·     Configure VLAN 200 as the access VLAN for the client, and configure the client to be MAC authenticated on the AD Campus server.

·     Configure IPv6 URL redirection so that a client whose MAC authentication fails because the server has neither its credential information nor its MAC address is redirected to authenticate to the RADIUS server.

Figure 1 Network diagram

Analysis

·     For the client to complete MAC authentication through URL redirection and IPv6 URL redirection, configure both an IPv4 and an IPv6 address on the AC, the client, and the AD Campus server, and make sure they can reach one another.

·     To display client IPv6 addresses on the AC, enable snooping of DHCPv6 packets and ND packets.

Software version used

This example is configured and verified on B064D029SP41.

Restrictions and guidelines

·     Use MAC-based user accounts for MAC authentication users. Make sure the username and password added on the RADIUS server are in the same format as the MAC authentication username configured on the AC.

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

Procedures

Configuring the AD Campus server

On the AD Campus server, add an AC, access policy, access service, and access user.

Editing the AP’s configuration file

# Edit the AP’s configuration file, name it map.txt and upload the configuration file to the storage media on the AC.

system-view

acl advanced 3000

rule 1 permit ip destination 10.18.1.88 0

rule 2 permit ip source 10.18.1.88 0

acl ipv6 advanced 3000

rule 0 permit ipv6 source 123:1::C/128

rule 1 permit ipv6 destination 123:1::C/128

Configuring the AC

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish a CAPWAP tunnel with the AP.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 10.18.2.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. VLAN 200 will be used for client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 10.18.3.1 24

[AC-Vlan-interface200] ipv6 address 123:1::2 64

[AC-Vlan-interface200] quit

2.     Configure a RADIUS scheme:

# Create a RADIUS scheme named adcampus and enter its view.

[AC] radius scheme adcampus

# Configure the primary authentication server, the primary accounting server, and the keys for the servers to communicate.

[AC-radius-adcampus] primary authentication 10.18.1.88 (or, for an IPv6 server address, [AC-radius-adcampus] primary authentication ipv6 123:1::C)

[AC-radius-adcampus] primary accounting 10.18.1.88 (or, for an IPv6 server address, [AC-radius-adcampus] primary accounting ipv6 123:1::C)

[AC-radius-adcampus] key authentication simple 12345678

[AC-radius-adcampus] key accounting simple 12345678

# Configure the AC to remove the domain name from the usernames sent to the RADIUS servers.

[AC-radius-adcampus] user-name-format without-domain

[AC-radius-adcampus] quit

# Enable RADIUS session-control.

[AC] radius session-control enable

3.     Configure an authentication domain:

# Create an ISP domain named ds and enter its view.

[AC] domain ds

# Perform RADIUS authentication for LAN users based on scheme adcampus.

[AC-isp-ds] authentication lan-access radius-scheme adcampus

# Perform RADIUS authorization for LAN users based on scheme adcampus.

[AC-isp-ds] authorization lan-access radius-scheme adcampus

# Perform RADIUS accounting for LAN users based on scheme adcampus.

[AC-isp-ds] accounting lan-access radius-scheme adcampus

[AC-isp-ds] quit

# Use MAC-based user accounts for MAC authentication users. The MAC addresses must be in hexadecimal notation without hyphens, and letters are in lower case.

[AC] mac-authentication user-name-format mac-address without-hyphen lowercase

4.     Configure a wireless service:

# Create a service template named redirect and enter its view.

[AC] wlan service-template redirect

# Configure the SSID as url-redirect.

[AC-wlan-st-redirect] ssid url-redirect

# Assign clients that come online from the service template to VLAN 200.

[AC-wlan-st-redirect] vlan 200

# Enable snooping DHCPv6 packets and ND packets.

[AC-wlan-st-redirect] client ipv6-snooping dhcpv6-learning enable

[AC-wlan-st-redirect] client ipv6-snooping nd-learning enable

# Specify the AP as the client data frame forwarder.

[AC-wlan-st-redirect] client forwarding-location ap

# Set the authentication mode to MAC authentication.

[AC-wlan-st-redirect] client-security authentication-mode mac

# Specify ISP domain ds for MAC authentication clients on the service template.

[AC-wlan-st-redirect] mac-authentication domain ds

# Enable URL redirection.

[AC-wlan-st-redirect] client url-redirect enable

# Enable the service template.

[AC-wlan-st-redirect] service-template enable

[AC-wlan-st-redirect] quit

5.     Configure URL redirection policies:

# Create IPv4 advanced ACL 3000 with the following rules: permit traffic to and from the RADIUS server, permit DHCP and DNS packets in both directions, and deny all other IP packets.

[AC] acl advanced 3000

[AC-acl-ipv4-adv-3000] rule 1 permit ip destination 10.18.1.88 0

[AC-acl-ipv4-adv-3000] rule 2 permit ip source 10.18.1.88 0

[AC-acl-ipv4-adv-3000] rule 3 permit udp destination-port eq bootps

[AC-acl-ipv4-adv-3000] rule 4 permit udp destination-port eq bootpc

[AC-acl-ipv4-adv-3000] rule 5 permit udp destination-port eq dns

[AC-acl-ipv4-adv-3000] rule 6 permit udp source-port eq dns

[AC-acl-ipv4-adv-3000] rule 9 deny ip

# Create IPv6 advanced ACL 3000 with the following rules: permit traffic to and from the RADIUS server, permit DNS, DHCPv6, RS, RA, NS, and NA packets in both directions, and deny all other IPv6 packets.

[AC] acl ipv6 advanced 3000

[AC-acl-ipv6-adv-3000] rule 0 permit ipv6 source 123:1::C/128

[AC-acl-ipv6-adv-3000] rule 1 permit ipv6 destination 123:1::C/128

[AC-acl-ipv6-adv-3000] rule 2 permit udp destination-port eq dns

[AC-acl-ipv6-adv-3000] rule 3 permit udp source-port eq dns

[AC-acl-ipv6-adv-3000] rule 4 permit udp destination-port eq 546

[AC-acl-ipv6-adv-3000] rule 5 permit udp destination-port eq 547

[AC-acl-ipv6-adv-3000] rule 6 permit icmpv6 icmp6-type router-advertisement

[AC-acl-ipv6-adv-3000] rule 7 permit icmpv6 icmp6-type router-solicitation

[AC-acl-ipv6-adv-3000] rule 8 permit icmpv6 icmp6-type neighbor-solicitation

[AC-acl-ipv6-adv-3000] rule 9 permit icmpv6 icmp6-type neighbor-advertisement

[AC-acl-ipv6-adv-3000] rule 10 deny ipv6

[AC-acl-ipv6-adv-3000] quit
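The two ACLs above implement the pre-authentication walled garden: until the client authenticates, only RADIUS, DHCP/DHCPv6, DNS and, for IPv6, the router-discovery and neighbor-discovery messages pass, and everything else hits the final deny rule, which is what triggers the redirect. The following Python model is an added illustration, not H3C code or device output: it encodes the page's rules, evaluates constructed sample packets first-match in rule-number order, and shows the failure mode in which the NS/NA rules are left out of the IPv6 ACL. The `Packet`/`Rule`/`evaluate` names and the sample addresses 10.18.3.10, 123:1::10, 203.0.113.10 and 2001:db8::1 are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Well-known UDP port names used in the ACL rules on the page.
PORT = {"bootps": 67, "bootpc": 68, "dns": 53}


@dataclass
class Packet:
    """A constructed sample packet as the AC would see it from or to a client."""
    src: str
    dst: str
    proto: str                     # "udp", "tcp" or "icmpv6"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp6_type: Optional[str] = None


@dataclass
class Rule:
    """One 'rule <n> permit|deny ...' line of an H3C advanced ACL."""
    number: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip"/"ipv6" match any packet of that family
    src: Optional[str] = None      # CIDR; the page's '10.18.1.88 0' wildcard is a /32
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp6_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", "ipv6") and self.proto != p.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp6_type is not None and p.icmp6_type != self.icmp6_type:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation in rule-number order. Returns (action, rule number);
    ("no-match", None) only if the ACL lacks the final catch-all deny that the
    page's ACLs carry (rule 9 / rule 10)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action, r.number
    return "no-match", None


# IPv4 advanced ACL 3000 as configured on the AC in step 5.
IPV4_ACL_3000 = [
    Rule(1, "permit", "ip", dst="10.18.1.88/32"),
    Rule(2, "permit", "ip", src="10.18.1.88/32"),
    Rule(3, "permit", "udp", dport=PORT["bootps"]),
    Rule(4, "permit", "udp", dport=PORT["bootpc"]),
    Rule(5, "permit", "udp", dport=PORT["dns"]),
    Rule(6, "permit", "udp", sport=PORT["dns"]),
    Rule(9, "deny", "ip"),
]

# IPv6 advanced ACL 3000 as configured in step 5 (RADIUS, DNS, DHCPv6, RS/RA, NS/NA).
IPV6_ACL_3000 = [
    Rule(0, "permit", "ipv6", src="123:1::c/128"),
    Rule(1, "permit", "ipv6", dst="123:1::c/128"),
    Rule(2, "permit", "udp", dport=PORT["dns"]),
    Rule(3, "permit", "udp", sport=PORT["dns"]),
    Rule(4, "permit", "udp", dport=546),
    Rule(5, "permit", "udp", dport=547),
    Rule(6, "permit", "icmpv6", icmp6_type="router-advertisement"),
    Rule(7, "permit", "icmpv6", icmp6_type="router-solicitation"),
    Rule(8, "permit", "icmpv6", icmp6_type="neighbor-solicitation"),
    Rule(9, "permit", "icmpv6", icmp6_type="neighbor-advertisement"),
    Rule(10, "deny", "ipv6"),
]

# Failure-mode variant: the same ACL with the NS/NA rules left out. A neighbor
# solicitation then falls through to the final deny, so address resolution on
# the link fails even though the RADIUS server itself is permitted.
IPV6_ACL_WITHOUT_ND = [r for r in IPV6_ACL_3000 if r.number not in (8, 9)]

# Constructed sample traffic (client 10.18.3.10 / 123:1::10; 203.0.113.10 and
# 2001:db8::1 are documentation addresses standing in for an arbitrary website).
NS = Packet("fe80::1", "ff02::1:ff00:2", "icmpv6", icmp6_type="neighbor-solicitation")
SAMPLES = {
    "v4 radius": (IPV4_ACL_3000, Packet("10.18.3.10", "10.18.1.88", "udp", 50000, 1812)),
    "v4 dhcp": (IPV4_ACL_3000, Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)),
    "v4 http": (IPV4_ACL_3000, Packet("10.18.3.10", "203.0.113.10", "tcp", 50001, 80)),
    "v6 radius": (IPV6_ACL_3000, Packet("123:1::10", "123:1::c", "udp", 50002, 1812)),
    "v6 ns": (IPV6_ACL_3000, NS),
    "v6 http": (IPV6_ACL_3000, Packet("123:1::10", "2001:db8::1", "tcp", 50003, 80)),
    "v6 ns, no ND rules": (IPV6_ACL_WITHOUT_ND, NS),
}


def walled_garden_report() -> dict:
    """Evaluate every sample and return {label: (action, rule number)}."""
    return {label: evaluate(acl, pkt) for label, (acl, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for label, (action, number) in walled_garden_report().items():
        print(f"{label:20s} -> {action} (rule {number})")
```

The web requests in the report end at rule 9 and rule 10 respectively; those are the packets the AC intercepts and answers with the redirect. The last sample shows why the procedure keeps rules 8 and 9 in the IPv6 ACL: without them the final deny swallows neighbor discovery.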

6.     Configure a manual AP, and bind service template redirect to a radio on the AP:

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N8182032235

# Deploy configuration file map.txt to the AP.

[AC-wlan-ap-ap1] map-configuration map.txt

# Enter the view of radio 1, and bind service template redirect to radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template redirect

# Enable radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Configuring the switch

# Create VLAN 100. The switch will use this VLAN to forward the traffic on the CAPWAP tunnels between the AC and AP.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

# Create VLAN 200. The switch will use this VLAN to forward packets for wireless clients.

[Switch] vlan 200

[Switch-vlan200] quit

# Configure GigabitEthernet 1/0/1 that connects the switch to the AC as a trunk port, and assign the trunk port to VLAN 100 and VLAN 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 that connects the switch to the AP as an access port, and assign the access port to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable the PoE feature.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

Verifying the configuration

1.     Verify that the wireless client associates with the AP after MAC authentication and is redirected to the authentication page when it accesses a webpage. Display MAC authentication connection information to verify that the server has deployed the ACL and the redirect URLs.

[AC] dis mac-authentication connection

Total connections: 1

 

User MAC address                  : ecd0-9f92-2787

AP name                           : ap1

Radio ID                          : 1

SSID                              : url-redirect

BSSID                             : 3891-d5ba-fa60

Username                          : ecd09f922787

Authentication domain             : ds

Initial VLAN                      : 200

Authorization VLAN                : 200

Authorization ACL number          : 3000

Authorization user profile        : N/A

Authorization CAR                 : N/A

Authorization URL                 : http://10.18.1.88:8080/byod?usermac=%m&userip=%c&userurl=%o

Authorization IPv6 URL            : http://123:1::C:8080/portal

Termination action                : N/A

Session timeout last from         : N/A

Session timeout period            : N/A

Online from                       : 2020/04/01 13:46:29

Online duration                   : 0h 0m 7s

2.     Verify that the client can access the WLAN after it authenticates on the redirected page. Display MAC authentication connection information to verify that the server no longer deploys an ACL or a URL.

Total connections: 1

 

User MAC address                  : ecd0-9f92-2787

AP name                           : ap1

Radio ID                          : 1

SSID                              : url-redirect

BSSID                             : 3891-d5ba-fa60

Username                          : ecd09f922787

Authentication domain             : ds

Initial VLAN                      : 200

Authorization VLAN                : 200

Authorization ACL number          : N/A

Authorization user profile        : N/A

Authorization CAR                 : N/A

Authorization URL                 : N/A

Authorization IPv6 URL            : N/A

Termination action                : N/A

Session timeout last from         : N/A

Session timeout period            : N/A

Online from                       : 2020/04/01 13:46:40

Online duration                   : 0h 0m 18s
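The two displays above differ in exactly the fields the server controls: in the redirect state the AC shows the pushed ACL number and the IPv4 and IPv6 redirect URLs, and after authentication all of them read N/A. The following Python script is an added example, not H3C code or output; it parses constructed copies of that display, classifies the session state, checks that the Username field matches the user-name-format configured in step 3 (the AC-side half of the first restriction above), and fills in the %m/%c/%o placeholders of the redirect URL. The meaning of the placeholders (MAC, client IP, original URL) is inferred from the parameter names usermac, userip and userurl in the page's URL, and the exact substitution format and the hyphenated MAC form xx-xx-xx-xx-xx-xx are assumptions.

```python
import re
from typing import Dict
from urllib.parse import quote

# Constructed copies of the 'display mac-authentication connection' output from
# the verification steps, shortened to the fields these checks use.
REDIRECT_STATE = """\
Total connections: 1

User MAC address                  : ecd0-9f92-2787
AP name                           : ap1
SSID                              : url-redirect
Username                          : ecd09f922787
Authentication domain             : ds
Authorization VLAN                : 200
Authorization ACL number          : 3000
Authorization URL                 : http://10.18.1.88:8080/byod?usermac=%m&userip=%c&userurl=%o
Authorization IPv6 URL            : http://123:1::C:8080/portal
"""

AUTHENTICATED_STATE = """\
Total connections: 1

User MAC address                  : ecd0-9f92-2787
Username                          : ecd09f922787
Authentication domain             : ds
Authorization VLAN                : 200
Authorization ACL number          : N/A
Authorization URL                 : N/A
Authorization IPv6 URL            : N/A
"""

# Split at the first colon so values containing colons (URLs, IPv6, times) survive.
_LINE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_connection(text: str) -> Dict[str, str]:
    """Turn the 'Field : value' lines of the display into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def mac_username(mac: str, with_hyphen: bool = False, lowercase: bool = True) -> str:
    """Build the username the AC sends for a client under
    'mac-authentication user-name-format mac-address ...'. Accepts any common
    MAC notation; the hyphenated form xx-xx-xx-xx-xx-xx is an assumption."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower() if lowercase else digits.upper()
    if with_hyphen:
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def username_matches_format(conn: Dict[str, str], with_hyphen: bool = False,
                            lowercase: bool = True) -> bool:
    """True when the displayed Username is what the configured format produces
    from the client MAC; the RADIUS account must use the same format."""
    return conn["Username"] == mac_username(conn["User MAC address"], with_hyphen, lowercase)


def session_state(conn: Dict[str, str]) -> str:
    """'redirect' when the server pushed the pre-authentication ACL and a URL,
    'authenticated' when it pushed neither, 'inconsistent' otherwise."""
    acl = conn.get("Authorization ACL number", "N/A")
    urls = (conn.get("Authorization URL", "N/A"), conn.get("Authorization IPv6 URL", "N/A"))
    if acl != "N/A" and any(u != "N/A" for u in urls):
        return "redirect"
    if acl == "N/A" and all(u == "N/A" for u in urls):
        return "authenticated"
    return "inconsistent"


def expand_redirect_url(template: str, mac: str, client_ip: str, original_url: str) -> str:
    """Fill in %m / %c / %o. The MAC is inserted as displayed and the original
    URL is percent-encoded so it travels as a single query parameter (assumed
    substitution format; the page does not state the AC's own)."""
    return (template.replace("%m", mac)
                    .replace("%c", client_ip)
                    .replace("%o", quote(original_url, safe="")))


if __name__ == "__main__":
    for name, text in (("step 1", REDIRECT_STATE), ("step 2", AUTHENTICATED_STATE)):
        conn = parse_connection(text)
        print(name, session_state(conn), "username format ok:", username_matches_format(conn))
```

Running the checks with `with_hyphen=True` against the same display returns False, which is the mismatch the first restriction warns about: an account created on the RADIUS server in the hyphenated format will never match the username this AC sends.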

Configuration files

·     AC:

#

 mac-authentication user-name-format mac-address without-hyphen lowercase

#

vlan 100

#

vlan 200

#

wlan service-template redirect

 ssid url-redirect

 vlan 200

 client forwarding-location ap

 client url-redirect enable

 client-security authentication-mode mac

 client ipv6-snooping nd-learning enable

 client ipv6-snooping dhcpv6-learning enable

 mac-authentication domain ds

 service-template enable

#

interface Vlan-interface100

 ip address 10.18.2.1 255.255.255.0

#

interface Vlan-interface200

 ip address 10.18.3.1 255.255.255.0

 ipv6 address 123:1::2/64

#

 radius session-control enable

#

radius scheme adcampus

 primary authentication 10.18.1.88

 primary accounting 10.18.1.88

 key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==

 key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==

 user-name-format without-domain

#

domain ds

 authentication lan-access radius-scheme adcampus

 authorization lan-access radius-scheme adcampus

 accounting lan-access radius-scheme adcampus

#

acl advanced 3000

 rule 1 permit ip destination 10.18.1.88 0

 rule 2 permit ip source 10.18.1.88 0

 rule 3 permit udp destination-port eq bootps

 rule 4 permit udp destination-port eq bootpc

 rule 5 permit udp destination-port eq dns

 rule 6 permit udp source-port eq dns

 rule 9 deny ip

#

acl ipv6 advanced 3000

 rule 0 permit ipv6 source 123:1::C/128

 rule 1 permit ipv6 destination 123:1::C/128

 rule 2 permit udp destination-port eq dns

 rule 3 permit udp source-port eq dns

 rule 4 permit udp destination-port eq 546

 rule 5 permit udp destination-port eq 547

 rule 6 permit icmpv6 icmp6-type router-advertisement

 rule 7 permit icmpv6 icmp6-type router-solicitation

 rule 8 permit icmpv6 icmp6-type neighbor-solicitation

 rule 9 permit icmpv6 icmp6-type neighbor-advertisement

 rule 10 deny ipv6

#

wlan ap ap1 model WA6320

 serial-id 219801A28N8182032235

 map-configuration map.txt

 radio 1

  radio enable

  service-template redirect

 radio 2

#

·     Switch:

#

vlan 100

#

vlan 200

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 1 100 200

#

interface GigabitEthernet1/0/2

 port link-type access

 port access vlan 100

 poe enable

#

Related documentation

·     User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides

·     User Access and Authentication Command Reference in H3C Access Controllers Command References

·     WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides

·     WLAN Access Command Reference in H3C Access Controllers Command References