06-Third-Party Server Configuration Examples

03-Microsoft NPS Server Configuration Examples


Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

This document provides examples for configuring H3C access controllers to use the Microsoft Network Policy Server (NPS) authentication server software to authenticate wireless clients. The examples cover NPS-based portal authentication and authorization ACL assignment.

Software versions used

This configuration example was created and verified on the following hardware and software versions:

·     AC: vAC running R5435P03.

·     NPS authentication server: Windows Server 2016 NPS component.

·     IMC server: Server running iMC PLAT 7.3 (E0706P03) and iMC 7.3 (E0620).

Example: Configuring portal authentication using the NPS authentication server

Network configuration

As shown in Figure 1, the AP is connected to the AC over the switch and the client accesses the wireless network through the AP.

Configure direct portal authentication to control the client's access to the network resources. Use the NPS server as the RADIUS server and the IMC server as the portal server.

Figure 1 Network diagram


Restrictions and guidelines

Use the serial ID labeled on the AP's rear panel to specify an AP.

Procedures

Configuring the AC

1.     Configure a RADIUS scheme:

# Create RADIUS scheme nps.

<AC> system-view

[AC] radius scheme nps

# Specify the NPS server as the primary authentication and accounting server and specify a shared key for secure communication with the server. Make sure the shared key is the same as the shared secret configured on the NPS server.

[AC-radius-nps] primary authentication 8.72.1.7 key simple 12345678

[AC-radius-nps] primary accounting 8.72.1.7 key simple 12345678

# Exclude the domain name from usernames sent to the NPS server.

[AC-radius-nps] user-name-format without-domain

[AC-radius-nps] quit

2.     Configure an ISP domain:

# Create ISP domain portal.

[AC] domain portal

# Configure the ISP domain to use RADIUS scheme nps as the default methods for user authentication, authorization, and accounting.

[AC-isp-portal] authentication portal radius-scheme nps

[AC-isp-portal] authorization portal radius-scheme nps

[AC-isp-portal] accounting portal radius-scheme nps

[AC-isp-portal] quit

3.     Configure portal authentication:

# Configure a portal authentication server named imc, using the IP address of the IMC server and the plaintext key portal.

[AC] portal server imc

[AC-portal-server-imc] ip 8.1.1.231 key simple portal

[AC-portal-server-imc] quit

# Configure the portal Web server URL as http://8.1.1.231:8080/portal/. (Replace this with the URL of your actual portal Web server.)

[AC] portal web-server imc

[AC-portal-websvr-imc] url http://8.1.1.231:8080/portal/

[AC-portal-websvr-imc] quit

# Create service template portal.

[AC] wlan service-template portal

# Specify an SSID for the service template.

[AC-wlan-st-portal] ssid portal_nps

# Enable direct portal authentication on the service template.

[AC-wlan-st-portal] portal enable method direct

# Specify portal Web server imc on the service template.

[AC-wlan-st-portal] portal apply web-server imc

# Specify authentication domain portal on the service template.

[AC-wlan-st-portal] portal domain portal

# Enable the service template.

[AC-wlan-st-portal] service-template enable

[AC-wlan-st-portal] quit

# Configure a manual AP named ap1 and specify its model and serial ID.

[AC] wlan ap ap1 model WA6638-JP

[AC-wlan-ap-ap1] serial-id 219801A24F8198E0001G

[AC-wlan-ap-ap1] quit

# Enable radio 1 and bind service template portal and VLAN 80 to the radio.

[AC] wlan ap ap1

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template portal vlan 80

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

4.     Configure ACL 3999. (Configure the ACL as needed.)

[AC] acl advanced 3999

[AC-acl-ipv4-adv-3999] rule 0 permit ip

[AC-acl-ipv4-adv-3999] quit

5.     Enable the DHCP service on the AC and create a DHCP address pool to assign IP addresses to clients:

# Create VLAN 80 and VLAN-interface 80. Assign IP address 72.205.1.1 and subnet mask 255.255.0.0 to the VLAN interface.

[AC] vlan 80

[AC-vlan80] quit

[AC] interface Vlan-interface 80

[AC-Vlan-interface80] ip address 72.205.1.1 255.255.0.0

[AC-Vlan-interface80] quit

# Enable the DHCP service.

[AC] dhcp enable

# Create a DHCP address pool named 80 and enter its view.

[AC] dhcp server ip-pool 80

# In the DHCP address pool, specify the subnet for dynamic allocation as 72.205.0.0/16.

[AC-dhcp-pool-80] network 72.205.0.0 mask 255.255.0.0

# Specify the gateway address as 72.205.1.1 in the DHCP address pool.

[AC-dhcp-pool-80] gateway-list 72.205.1.1

# Specify the DNS server address as 72.205.1.1 in the DHCP address pool.

[AC-dhcp-pool-80] dns-list 72.205.1.1

[AC-dhcp-pool-80] quit

Configuring the IMC server (portal server)

1.     Configure the portal server:

a.     Log in to IMC and click the User tab.

b.     Select User Access Policy > Portal Service > Server from the navigation tree to open the portal server configuration page, as shown in Figure 2.

c.     Configure the portal server parameters as needed.

d.     Click OK.

Figure 2 Portal server configuration

2.     Configure the IP address group:

a.     Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.

b.     Click Add to open the page as shown in Figure 3.

c.     Enter the start IP address and end IP address of the IP group.

Make sure the client IP address is in the IP group.

d.     Select a service group.

This example uses the default group Ungrouped.

e.     Select Normal from the Action list.

f.     Click OK.

Figure 3 Adding an IP address group

3.     Add a portal device:

a.     Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.

b.     Click Add to open the page as shown in Figure 4.

c.     Enter the device name (name of the AC).

d.     Enter the IP address of the AC's interface that exchanges information with the portal server.

e.     Enter the key, which must be the same as that configured on the AC. In this example, it is portal.

f.     Select Directly Connected from the Access Method list.

g.     Use the default settings for other parameters.

h.     Click OK.

Figure 4 Adding a portal device

4.     Associate the portal device with the IP address group:

a.     As shown in Figure 5, click the Port Group Information Management icon for the device to open the port group configuration page.

b.     Click Add to open the page as shown in Figure 6.

c.     Enter the port group name.

d.     Select the configured IP address group.

The IP address used by the user to access the network must be within this IP address group.

e.     Use the default settings for other parameters.

f.     Click OK.

Figure 5 Device list

Figure 6 Adding a port group


Configuring the NPS server (RADIUS server)

1.     Configure the RADIUS client:

a.     Open the Network Policy Server (NPS) component. In the left navigation pane, select RADIUS Clients and Servers > RADIUS Clients.

b.     Add a new RADIUS client: Enter the IP address of the AC in the Address (IP or DNS) field. Enter the shared secret, which must be the same as the shared key configured for the primary authentication and accounting server on the AC. In this example, the shared secret is 12345678.

Figure 7 Creating a RADIUS client


2.     Create a user:

a.     Open the Active Directory Users and Computers component. Select the Users directory and then right-click it to add a new user.

b.     Configure the username as my, and then click Next.

Figure 8 Creating a user


c.     Configure the user password and select Password never expires. Click Next.

Figure 9 Configuring the user password


3.     Configure a connection request policy:

a.     Add a new connection request policy:

# Open the NPS component. Select Policies > Connection Request Policies from the navigation pane.

# Add a connection request policy: configure the policy name, use the default settings for the other options, and then click Next.

Figure 10 Creating a connection request policy


b.     Add a user name: On the Specify Conditions page, select User Name, and then click Add to add the RADIUS user added in the previous step to the connection request policy. Click OK.

Figure 11 Adding a user name


c.     Configure the NAS port type:

# In the bottom part of the Specify Conditions page, select NAS Port Type, and then click Add to add the selected types to the connection request policy.

# In the Common 802.1X connection tunnel types area, select Wireless - IEEE 802.11. In the Others area, select Wireless - Other.

# Click OK.

Figure 12 Configuring NAS Port Type


# Click Next to open the Specify Connection Request Forwarding page.

d.     Configure the identity authentication location:

# On the Specify Connection Request Forwarding page, select Authentication, and then select Authenticate requests on this server.

Figure 13 Configuring identity authentication location


# Click Next to open the Specify Authentication Methods page.

e.     Specify authentication methods:

# In the EAP Types box, add Protected EAP (PEAP) and Secured password (EAP-MSCHAP v2).

# In the Less secure authentication methods area, select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), Microsoft Encrypted Authentication (MS-CHAP), Encrypted authentication (CHAP), Unencrypted authentication (PAP, SPAP), and Allow clients to connect without negotiating an authentication method.

Figure 14 Specifying authentication methods


# Click Next.

# In the window that opens, click No to open the Configure Settings page.

f.     Configure the policy attribute: Select Called-Station-Id from the Attribute list.

Figure 15 Configuring the policy attribute


g.     Add standard RADIUS attributes:

# Select Standard for RADIUS Attributes.

# In the Attributes column, select an attribute name, and then click Add. The Attribute Information dialog box opens.

Figure 16 Adding a standard RADIUS attribute


# In the Attribute Information dialog box that opens, configure the attribute value.

# Keep the default selection for the attribute, select the attribute value from the drop-down list, and then click OK.

For example, for the Framed-Protocol attribute, the Commonly used for Dial-Up or VPN option is selected by default. Keep this default selection, select PPP from the drop-down list, and then click OK. The attribute value PPP is now configured for the Framed-Protocol attribute.

Figure 17 Configuring the attribute value


# Repeat the previous steps to add the Service-Type attribute with value Framed, the Tunnel-Medium-Type attribute with value 802 (includes all 802 media plus Ethernet), and the Filter-Id attribute with value 3999 (the number of the authorization ACL configured on the AC). The configured attributes are listed as follows:

Figure 18 Standard RADIUS attributes


h.     View or edit the connection request policy:

# Select Policies > Connection Request Policies from the left navigation pane of NPS.

# In the Policy Name column, you can view the connection request policies.

# To edit the configuration for a policy, right-click the policy name and select Properties.

Figure 19 Connection request policies
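The RADIUS exchange that the steps above configure, as an added example (Python, not code from this H3C document): the AC sends an Access-Request with the PAP-hidden password, NPS answers with an Access-Accept carrying Service-Type, Framed-Protocol and Filter-Id 3999, and the AC applies the ACL only after verifying the Response Authenticator with the shared key. The key 12345678, user my and ACL 3999 come from this example; the packet layout follows RFC 2865.

```python
import hashlib, os, struct
# Constructed values for this added example: AC and NPS share key 12345678 (as configured
# above) and the portal user is "my". Attribute types and packet layout follow RFC 2865.
SECRET = b"12345678"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL, FILTER_ID = 1, 2, 6, 7, 11
SERVICE_FRAMED, PROTOCOL_PPP = 2, 1  # the Service-Type/Framed-Protocol values selected in NPS

def encode_avps(avps):
    """Serialize [(type, value_bytes)] as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def parse_avps(data):
    """Decode a packet's attribute area into {type: [value_bytes, ...]}."""
    out, i = {}, 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        out.setdefault(t, []).append(data[i + 2:i + ln])
        i += ln
    return out

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding (PAP): XOR 16-byte chunks with an MD5 keystream."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def access_request(username, password, secret, ident=1, req_auth=None):
    """Access-Request the AC sends NPS for a portal login; returns (packet, request authenticator)."""
    req_auth = req_auth or os.urandom(16)
    body = encode_avps([(USER_NAME, username),
                        (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def access_accept(req_auth, secret, ident=1, acl=b"3999"):
    """NPS reply carrying the Figure 18 attributes; Response Authenticator = MD5(header|req auth|attrs|secret)."""
    body = encode_avps([(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED)),
                        (FRAMED_PROTOCOL, struct.pack("!I", PROTOCOL_PPP)), (FILTER_ID, acl)])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def authorized_acl(reply, req_auth, secret):
    """AC-side check: apply Filter-Id only if the Response Authenticator proves the sender knows the key."""
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    if hashlib.md5(header + req_auth + body + secret).digest() != resp_auth:
        return None  # mismatched keys or a tampered reply: no ACL is applied
    return parse_avps(body).get(FILTER_ID, [None])[0]
```

A reply built with a different secret, or one whose Filter-Id was altered in transit, fails the authenticator check and yields no ACL, which is why the key on the AC and the shared secret on the NPS client entry must match.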


Verifying the configuration

1.     On the client, connect to the wireless network and use a browser to access a website. The portal authentication page opens. Enter the configured username my and the password. The user passes authentication.

2.     On the AC, verify that the user has come online and the server has assigned the authorization ACL to the user by using the following command:

[AC] display portal user all verbose

Total portal users: 1

Basic:

  AP name: ap1

  Radio ID: 1

  SSID: portal_nps

  Current IP address: 72.205.0.1

  Original IP address: 72.205.0.1

  Username: my

  User ID: 0x1000002b

  Access interface: WLAN-BSS0/4

  Service-VLAN/Customer-VLAN: 80/-

  MAC address: d4bb-c8a1-8a55

  Authentication type: Normal

  Domain name: portal

  VPN instance: N/A

  Status: Online

  Portal server: imc

  Vendor: VIVO

  Portal authentication method: Direct

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Login time: 2021-12-3 18:57:44 UTC

  Online time(hh:mm:ss): 00:00:05

  DHCP IP pool: N/A

  Web URL: N/A

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  ACL number: 3999 (active, AAA)

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

Flow statistic:

  Uplink   packets/bytes: 7/540

  Downlink packets/bytes: 0/0
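As an added example (Python, not part of this H3C document), the following parses the display portal user all verbose listing above and checks, for every user, what the verification step looks for: status Online, domain portal, service VLAN 80, and ACL 3999 applied as active from AAA. The sample output is an abridged, constructed copy of the listing above; the expected values are this example's.

```python
import re

# Constructed input for this added example: an abridged copy of the
# "display portal user all verbose" output shown above.
SAMPLE_OUTPUT = """\
Total portal users: 1
Basic:
  AP name: ap1
  SSID: portal_nps
  Current IP address: 72.205.0.1
  Username: my
  Service-VLAN/Customer-VLAN: 80/-
  Domain name: portal
  Status: Online
AAA:
  Login time: 2021-12-3 18:57:44 UTC
ACL&QoS&Multicast:
  ACL number: 3999 (active, AAA)
"""

def parse_users(output):
    """Split the verbose listing into one {field: value} dict per user; 'Basic:' starts a user."""
    users = []
    for line in output.splitlines():
        if line.strip() == "Basic:":
            users.append({})
        elif users and line.startswith("  ") and ": " in line:
            key, value = line.strip().split(": ", 1)
            users[-1][key] = value
    return users

def check_user(user, expected_acl, expected_domain, expected_vlan):
    """Return the mismatches against what the AC and NPS should have produced (empty list = pass)."""
    findings = []
    if user.get("Status") != "Online":
        findings.append(f"status is {user.get('Status')!r}, not Online")
    if user.get("Domain name") != expected_domain:
        findings.append(f"domain {user.get('Domain name')!r} != {expected_domain!r}")
    if user.get("Service-VLAN/Customer-VLAN", "").split("/")[0] != str(expected_vlan):
        findings.append(f"user is not in service VLAN {expected_vlan}")
    m = re.match(r"(\d+) \((\w+), (\w+)\)", user.get("ACL number", ""))
    if not m:
        findings.append("no authorization ACL assigned (Filter-Id missing or rejected)")
    elif m.group(1) != str(expected_acl) or m.group(2) != "active" or m.group(3) != "AAA":
        findings.append(f"ACL {m.group(1)} {m.group(2)} from {m.group(3)}, expected {expected_acl} active from AAA")
    return findings

def verify(output, expected_acl=3999, expected_domain="portal", expected_vlan=80):
    """Check every user in the listing; returns {username: [findings]}."""
    return {u.get("Username", "?"): check_user(u, expected_acl, expected_domain, expected_vlan)
            for u in parse_users(output)}
```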

Configuration files

#

radius scheme nps

 primary authentication 8.72.1.7 key simple 12345678

 primary accounting 8.72.1.7 key simple 12345678

 user-name-format without-domain

#

domain portal

 authentication portal radius-scheme nps

 authorization portal radius-scheme nps

 accounting portal radius-scheme nps

#

portal server imc

 ip 8.1.1.231 key simple portal

#

portal web-server imc

 url http://8.1.1.231:8080/portal/

#

wlan service-template portal

 ssid portal_nps

 portal enable method direct

 portal domain portal

 portal apply web-server imc

 service-template enable

#

wlan ap ap1 model WA6638-JP

 serial-id 219801A24F8198E0001G

 radio 1

  radio enable

  service-template portal vlan 80

#

acl advanced 3999

 rule 0 permit ip

#

vlan 80

#

interface Vlan-interface 80

 ip address 72.205.1.1 255.255.0.0

#

dhcp server ip-pool 80

 gateway-list 72.205.1.1

 network 72.205.0.0 mask 255.255.0.0

 dns-list 72.205.1.1

#
