H3C Access Controllers
IPv6 URL Redirection Configuration Examples
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring IPv6 URL redirection
Configuring the AD Campus server
Editing the AP’s configuration file
Introduction
The following information provides an example for configuring IPv6 URL redirection.
Prerequisites
The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of AAA, MAC authentication, WLAN access, WLAN user authentication, and WLAN security.
Example: Configuring IPv6 URL redirection
Network configuration
As shown in Figure 1, the AP obtains an IP address from the DHCP server, and the client obtains an IPv4 address from the DHCP server and an IPv6 address from the DHCPv6 server. To control the client's access to network resources, complete the following tasks:
· Configure VLAN 100 as the access VLAN for the AP.
· Configure VLAN 200 as the access VLAN for the client, and configure the client to be MAC authenticated on the AD Campus server.
· Configure IPv6 URL redirection so that a client that fails MAC authentication (because the server has neither its MAC address nor its credentials) is redirected to authenticate to the RADIUS server.
Analysis
· For the client to complete MAC authentication through URL redirection and IPv6 URL redirection, configure both an IPv4 and an IPv6 address for the AC, the client, and the AD Campus server, and make sure they can reach each other over both address families.
· To display client IPv6 addresses on the AC, enable snooping of DHCPv6 packets and ND packets.
Restrictions and guidelines
· Use MAC-based user accounts for MAC authentication users. Make sure the username and password added on the RADIUS server are in the same format as the MAC authentication username configured on the AC.
· Use the actual serial ID of an AP to uniquely identify that AP.
Procedures
Configuring the AD Campus server
On the AD Campus server, add an AC, access policy, access service, and access user.
Editing the AP’s configuration file
# Edit the AP’s configuration file, name it map.txt and upload the configuration file to the storage media on the AC.
system-view
vlan 200
interface gigabitethernet1/0/1
port link-type trunk
port trunk permit vlan 200
acl advanced 3000
rule 1 permit ip destination 10.18.1.88 0
rule 2 permit ip source 10.18.1.88 0
acl ipv6 advanced 3000
rule 0 permit ipv6 source 123:1::C/128
rule 1 permit ipv6 destination 123:1::C/128
Configuring the AC
1. Configure interfaces on the AC:
# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish a CAPWAP tunnel with the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 10.18.2.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. VLAN 200 will be used for client access.
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 10.18.3.1 24
[AC-Vlan-interface200] ipv6 address 123:1::2 64
[AC-Vlan-interface200] quit
# Configure GigabitEthernet 1/0/1 (the port connected to the switch) as a trunk port. Assign the port to VLAN 100 and VLAN 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
2. Configure a RADIUS scheme:
# Create a RADIUS scheme named adcampus and enter its view.
[AC] radius scheme adcampus
# Configure the primary authentication server, the primary accounting server, and the keys for the servers to communicate.
[AC-radius-adcampus] primary authentication 10.18.1.88 (or, for a server reached over IPv6: [AC-radius-adcampus] primary authentication ipv6 123:1::C)
[AC-radius-adcampus] primary accounting 10.18.1.88 (or, for a server reached over IPv6: [AC-radius-adcampus] primary accounting ipv6 123:1::C)
[AC-radius-adcampus] key authentication simple 12345678
[AC-radius-adcampus] key accounting simple 12345678
# Configure the AC to remove the domain name from the usernames sent to the RADIUS servers.
[AC-radius-adcampus] user-name-format without-domain
[AC-radius-adcampus] quit
# Enable RADIUS session-control.
[AC] radius session-control enable
3. Configure an authentication domain:
# Create an ISP domain named ds and enter its view.
[AC] domain ds
# Perform RADIUS authentication for LAN users based on scheme adcampus.
[AC-isp-ds] authentication lan-access radius-scheme adcampus
# Perform RADIUS authorization for LAN users based on scheme adcampus.
[AC-isp-ds] authorization lan-access radius-scheme adcampus
# Perform RADIUS accounting for LAN users based on scheme adcampus.
[AC-isp-ds] accounting lan-access radius-scheme adcampus
[AC-isp-ds] quit
# Use MAC-based user accounts for MAC authentication users. The username is the MAC address in hexadecimal notation, without hyphens and with lowercase letters.
[AC] mac-authentication user-name-format mac-address without-hyphen lowercase
4. Configure a wireless service:
# Create a service template named redirect and enter its view.
[AC] wlan service-template redirect
# Configure the SSID as url-redirect.
[AC-wlan-st-redirect] ssid url-redirect
# Assign clients that come online from the service template to VLAN 200.
[AC-wlan-st-redirect] vlan 200
# Enable snooping DHCPv6 packets and ND packets.
[AC-wlan-st-redirect] client ipv6-snooping dhcpv6-learning enable
[AC-wlan-st-redirect] client ipv6-snooping nd-learning enable
# Specify the AP as the client data frame forwarder.
[AC-wlan-st-redirect] client forwarding-location ap
# Set the authentication mode to MAC authentication.
[AC-wlan-st-redirect] client-security authentication-mode mac
# Specify ISP domain ds for MAC authentication clients on the service template.
[AC-wlan-st-redirect] mac-authentication domain ds
# Enable URL redirection.
[AC-wlan-st-redirect] client url-redirect enable
# Enable the service template.
[AC-wlan-st-redirect] service-template enable
[AC-wlan-st-redirect] quit
5. Configure URL redirection policies:
# Create IPv4 advanced ACL 3000 with rules that permit traffic to and from the RADIUS server, permit DHCP and DNS packets in both directions, and deny all other IP packets.
[AC] acl advanced 3000
[AC-acl-ipv4-adv-3000] rule 1 permit ip destination 10.18.1.88 0
[AC-acl-ipv4-adv-3000] rule 2 permit ip source 10.18.1.88 0
[AC-acl-ipv4-adv-3000] rule 3 permit udp destination-port eq bootps
[AC-acl-ipv4-adv-3000] rule 4 permit udp destination-port eq bootpc
[AC-acl-ipv4-adv-3000] rule 5 permit udp destination-port eq dns
[AC-acl-ipv4-adv-3000] rule 6 permit udp source-port eq dns
[AC-acl-ipv4-adv-3000] rule 9 deny ip
# Create IPv6 advanced ACL 3000 with rules that permit traffic to and from the RADIUS server, permit DNS, DHCPv6, RS, RA, NS, and NA packets, and deny all other IPv6 packets.
[AC] acl ipv6 advanced 3000
[AC-acl-ipv6-adv-3000] rule 0 permit ipv6 source 123:1::C/128
[AC-acl-ipv6-adv-3000] rule 1 permit ipv6 destination 123:1::C/128
[AC-acl-ipv6-adv-3000] rule 2 permit udp destination-port eq dns
[AC-acl-ipv6-adv-3000] rule 3 permit udp source-port eq dns
[AC-acl-ipv6-adv-3000] rule 4 permit udp destination-port eq 546
[AC-acl-ipv6-adv-3000] rule 5 permit udp destination-port eq 547
[AC-acl-ipv6-adv-3000] rule 6 permit icmpv6 icmp6-type router-advertisement
[AC-acl-ipv6-adv-3000] rule 7 permit icmpv6 icmp6-type router-solicitation
[AC-acl-ipv6-adv-3000] rule 8 permit icmpv6 icmp6-type neighbor-solicitation
[AC-acl-ipv6-adv-3000] rule 9 permit icmpv6 icmp6-type neighbor-advertisement
[AC-acl-ipv6-adv-3000] rule 10 deny ipv6
[AC-acl-ipv6-adv-3000] quit
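The two ACLs in step 5 are what stand between an unauthenticated client and the network, so it is worth checking what they actually permit before relying on the redirect. The following Python script is an added example, not H3C code: it parses the rule lines above into a small first-match evaluator and classifies constructed sample packets (DHCP, DNS, DHCPv6, router and neighbor discovery, traffic to the portal, and ordinary web traffic). The Packet and Rule types, the client addresses and the 198.51.100.10 and 2001:db8::1 destinations are assumptions made for the example, and it models only the rule keywords that appear on this page.

```python
# Added example (not H3C code): first-match evaluator for the pre-authentication
# URL-redirect ACLs of step 5, run over constructed sample packets.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "dns": 53}   # port keywords used in the rules
IPV4_ACL_3000 = """\
rule 1 permit ip destination 10.18.1.88 0
rule 2 permit ip source 10.18.1.88 0
rule 3 permit udp destination-port eq bootps
rule 4 permit udp destination-port eq bootpc
rule 5 permit udp destination-port eq dns
rule 6 permit udp source-port eq dns
rule 9 deny ip"""
IPV6_ACL_3000 = """\
rule 0 permit ipv6 source 123:1::C/128
rule 1 permit ipv6 destination 123:1::C/128
rule 2 permit udp destination-port eq dns
rule 3 permit udp source-port eq dns
rule 4 permit udp destination-port eq 546
rule 5 permit udp destination-port eq 547
rule 6 permit icmpv6 icmp6-type router-advertisement
rule 7 permit icmpv6 icmp6-type router-solicitation
rule 8 permit icmpv6 icmp6-type neighbor-solicitation
rule 9 permit icmpv6 icmp6-type neighbor-advertisement
rule 10 deny ipv6"""

# proto is "tcp", "udp" or "icmpv6"; ports default to 0, icmp6_type to "".
Packet = namedtuple("Packet", "proto src dst sport dport icmp6_type", defaults=(0, 0, ""))

@dataclass
class Rule:
    rid: int
    action: str         # "permit" or "deny"
    proto: str          # "ip" / "ipv6" match every packet of that family
    src: object = None  # ip_network, or None for any address
    dst: object = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp6_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", "ipv6") and self.proto != pkt.proto:
            return False
        for net, addr in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if net is not None and ipaddress.ip_address(addr) not in net:
                return False
        if self.sport not in (None, pkt.sport) or self.dport not in (None, pkt.dport):
            return False
        return self.icmp6_type in (None, pkt.icmp6_type)

def _v4_network(addr: str, wildcard: str):
    """Comware wildcard mask: set bits are "don't care", 0 means a single host."""
    w = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    assert (w + 1) & w == 0, "non-contiguous wildcard masks are not modelled"
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_rule(line: str) -> Rule:
    tok = line.split()
    rule, i = Rule(rid=int(tok[1]), action=tok[2], proto=tok[3]), 4
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            if "/" in tok[i + 1]:                    # IPv6 prefix form
                net, i = ipaddress.ip_network(tok[i + 1], strict=False), i + 2
            else:                                    # IPv4 address plus wildcard
                net, i = _v4_network(tok[i + 1], tok[i + 2]), i + 3
            setattr(rule, "src" if key == "source" else "dst", net)
        elif key in ("source-port", "destination-port"):   # only "eq <port>" appears here
            port = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
            setattr(rule, "sport" if key == "source-port" else "dport", port)
            i += 3
        elif key == "icmp6-type":
            rule.icmp6_type, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported keyword {key!r} in rule: {line}")
    return rule

def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]

def classify(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match in config order wins; both ACLs end in an explicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.rid
    return "no-match", None

# Constructed sample traffic from an unauthenticated client (client addresses are
# made up; 198.51.100.10 and 2001:db8::1 are documentation ranges).
SAMPLES = {
    "v4 portal": Packet("tcp", "10.18.3.10", "10.18.1.88", 51000, 8080),
    "v4 dhcp":   Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "v4 dns":    Packet("udp", "10.18.3.10", "10.18.3.1", 51001, 53),
    "v4 web":    Packet("tcp", "10.18.3.10", "198.51.100.10", 51002, 80),
    "v6 rs":     Packet("icmpv6", "fe80::1", "ff02::2", icmp6_type="router-solicitation"),
    "v6 ns":     Packet("icmpv6", "fe80::1", "ff02::1:ff00:2", icmp6_type="neighbor-solicitation"),
    "v6 dhcpv6": Packet("udp", "fe80::1", "ff02::1:2", 546, 547),
    "v6 portal": Packet("tcp", "123:1::10", "123:1::C", 51003, 8080),
    "v6 web":    Packet("tcp", "123:1::10", "2001:db8::1", 51004, 80),
}

def classify_samples(v4_text: str = IPV4_ACL_3000, v6_text: str = IPV6_ACL_3000) -> dict:
    v4, v6 = parse_acl(v4_text), parse_acl(v6_text)
    return {name: classify(v6 if name.startswith("v6") else v4, pkt)[0]
            for name, pkt in SAMPLES.items()}

def without_nd_rules() -> str:
    """Failure mode: without the neighbor-discovery rules, the client's own NS hits the final deny."""
    trimmed = "\n".join(l for l in IPV6_ACL_3000.splitlines() if "neighbor" not in l)
    return classify_samples(v6_text=trimmed)["v6 ns"]
```

classify_samples() returns permit for every sample except the two web requests, which fall through to the final deny; that denied traffic is exactly what the AC redirects to the portal. without_nd_rules() shows why the IPv6 ACL carries rules 8 and 9: if a client's neighbor solicitations are dropped it never resolves its gateway, so IPv6 traffic never leaves the link and the IPv6 redirect never triggers, even though the portal address itself is permitted.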
6. Configure a manual AP, and bind service template redirect to a radio on the AP:
NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice.
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# Add AP ap1 to AP group group1.
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] ap ap1
# Bind service template redirect to radio 1 in AP group group1.
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template redirect
# Enable radio 1.
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit
# Deploy configuration file map.txt to the AP.
[AC-wlan-ap-group-group1-ap-model-WA6320] map-configuration map.txt
[AC-wlan-ap-group-group1-ap-model-WA6320] quit
[AC-wlan-ap-group-group1] quit
Configuring the switch
# Create VLAN 100. The switch will use this VLAN to forward the traffic on the CAPWAP tunnels between the AC and AP.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
# Create VLAN 200. The switch will use this VLAN to forward packets for wireless clients.
[Switch] vlan 200
[Switch-vlan200] quit
# Configure GigabitEthernet 1/0/1 that connects the switch to the AC as a trunk port, and assign the trunk port to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 that connects the switch to the AP as a trunk port, and assign the trunk port to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Enable the PoE feature.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
Verifying the configuration
1. Verify that the wireless client can associate with the AP after MAC authentication and is redirected to the authentication page when it accesses any webpage. Display MAC authentication connection information to verify that the server has deployed the ACL and the redirect URLs.
[AC] dis mac-authentication connection
Total connections: 1
User MAC address : ecd0-9f92-2787
AP name : ap1
Radio ID : 1
SSID : url-redirect
BSSID : 3891-d5ba-fa60
Username : ecd09f922787
Authentication domain : ds
Initial VLAN : 200
Authorization VLAN : 200
Authorization ACL number : 3000
Authorization user profile : N/A
Authorization CAR : N/A
Authorization URL : http://10.18.1.88:8080/byod?usermac=%m&userip=%c&userurl=%o
Authorization IPv6 URL : http://123:1::C:8080/portal
Termination action : N/A
Session timeout last from : N/A
Session timeout period : N/A
Online from : 2020/04/01 13:46:29
Online duration : 0h 0m 7s
2. Verify that the client can access the WLAN after authentication. Display MAC authentication connection information to verify that no URL is deployed by the server.
Total connections: 1
User MAC address : ecd0-9f92-2787
AP name : ap1
Radio ID : 1
SSID : url-redirect
BSSID : 3891-d5ba-fa60
Username : ecd09f922787
Authentication domain : ds
Initial VLAN : 200
Authorization VLAN : 200
Authorization ACL number : N/A
Authorization user profile : N/A
Authorization CAR : N/A
Authorization URL : N/A
Authorization IPv6 URL : N/A
Termination action : N/A
Session timeout last from : N/A
Session timeout period : N/A
Online from : 2020/04/01 13:46:40
Online duration : 0h 0m 18s
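The two outputs above differ only in the authorization fields, and that difference is the whole redirect flow: a restrictive ACL plus portal URLs while the client is unauthenticated, nothing pushed once it has authenticated. The following Python script is an added example, not H3C code: it parses display mac-authentication connection output, classifies each connection as redirect-pending, authenticated or inconsistent, and checks that the Username field is the client MAC in the format step 3 configures (no hyphens, lowercase). The state names, the audit function and the inconsistent case are my own; the first sample is a constructed copy of the first output above, and the second is derived from it by blanking the three authorization fields, matching the second output.

```python
# Added example (not H3C code): audit "display mac-authentication connection" output
# for the two states of the URL-redirect flow and for the MAC username format.
import re
from typing import Dict, List

# Constructed copy of the first verification output above (redirect pending).
OUTPUT_BEFORE_AUTH = """\
Total connections: 1
User MAC address : ecd0-9f92-2787
AP name : ap1
Radio ID : 1
SSID : url-redirect
BSSID : 3891-d5ba-fa60
Username : ecd09f922787
Authentication domain : ds
Initial VLAN : 200
Authorization VLAN : 200
Authorization ACL number : 3000
Authorization user profile : N/A
Authorization CAR : N/A
Authorization URL : http://10.18.1.88:8080/byod?usermac=%m&userip=%c&userurl=%o
Authorization IPv6 URL : http://123:1::C:8080/portal
Termination action : N/A
Session timeout last from : N/A
Session timeout period : N/A
Online from : 2020/04/01 13:46:29
Online duration : 0h 0m 7s
"""
# The second output above differs only in the three authorization fields, which the
# server no longer pushes once the client has authenticated.
OUTPUT_AFTER_AUTH = re.sub(r"^(Authorization (?:ACL number|URL|IPv6 URL)) : .*$",
                           r"\1 : N/A", OUTPUT_BEFORE_AUTH, flags=re.M)

def total_connections(text: str) -> int:
    m = re.search(r"^Total connections:\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else 0

def parse_connections(text: str) -> List[Dict[str, str]]:
    """One dict per connection; a record starts at each 'User MAC address' line."""
    conns, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:                       # "Total connections: 1" and blank lines
            continue
        key, value = key.strip(), value.strip()
        if key == "User MAC address":
            current = {}
            conns.append(current)
        if current is not None:
            current[key] = value
    return conns

def mac_username(mac: str, lowercase: bool = True) -> str:
    """Username the AC sends under 'mac-authentication user-name-format mac-address
    without-hyphen {lowercase|uppercase}': the 12 hex digits with separators removed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower() if lowercase else digits.upper()

def redirect_state(conn: Dict[str, str]) -> str:
    """Classify what the server pushed. 'inconsistent' (a URL without an ACL, or the
    reverse) is the case to investigate: the redirect is only as strong as the ACL."""
    acl = conn.get("Authorization ACL number", "N/A") != "N/A"
    url = any(conn.get(k, "N/A") != "N/A"
              for k in ("Authorization URL", "Authorization IPv6 URL"))
    if acl and url:
        return "redirect-pending"
    if not acl and not url:
        return "authenticated"
    return "inconsistent"

def audit(text: str) -> List[dict]:
    """Per-connection verdict: redirect state, username check, and the URLs in force."""
    result = []
    for c in parse_connections(text):
        result.append({
            "mac": c["User MAC address"],
            "state": redirect_state(c),
            "username_ok": c.get("Username") == mac_username(c["User MAC address"]),
            "urls": [c[k] for k in ("Authorization URL", "Authorization IPv6 URL")
                     if c.get(k, "N/A") != "N/A"],
        })
    if len(result) != total_connections(text):
        raise ValueError("connection count does not match the parsed records")
    return result
```

audit(OUTPUT_BEFORE_AUTH) reports the client as redirect-pending with both URLs in force and a username that matches the configured format; audit(OUTPUT_AFTER_AUTH) reports it as authenticated with no URLs. A username mismatch is the first thing to check when MAC authentication keeps failing for an account that does exist on the server, since the restriction in "Restrictions and guidelines" is exactly that the account name and the AC's username format agree.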
Configuration files
· AC:
#
mac-authentication user-name-format mac-address without-hyphen lowercase
#
vlan 100
#
vlan 200
#
wlan service-template redirect
ssid url-redirect
vlan 200
client forwarding-location ap
client url-redirect enable
client-security authentication-mode mac
client ipv6-snooping nd-learning enable
client ipv6-snooping dhcpv6-learning enable
mac-authentication domain ds
service-template enable
#
interface Vlan-interface100
ip address 10.18.2.1 255.255.255.0
#
interface Vlan-interface200
ip address 10.18.3.1 255.255.255.0
ipv6 address 123:1::2/64
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
radius session-control enable
#
radius scheme adcampus
primary authentication 10.18.1.88
primary accounting 10.18.1.88
key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==
key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==
user-name-format without-domain
#
domain ds
authentication lan-access radius-scheme adcampus
authorization lan-access radius-scheme adcampus
accounting lan-access radius-scheme adcampus
#
acl advanced 3000
rule 1 permit ip destination 10.18.1.88 0
rule 2 permit ip source 10.18.1.88 0
rule 3 permit udp destination-port eq bootps
rule 4 permit udp destination-port eq bootpc
rule 5 permit udp destination-port eq dns
rule 6 permit udp source-port eq dns
rule 9 deny ip
#
acl ipv6 advanced 3000
rule 0 permit ipv6 source 123:1::C/128
rule 1 permit ipv6 destination 123:1::C/128
rule 2 permit udp destination-port eq dns
rule 3 permit udp source-port eq dns
rule 4 permit udp destination-port eq 546
rule 5 permit udp destination-port eq 547
rule 6 permit icmpv6 icmp6-type router-advertisement
rule 7 permit icmpv6 icmp6-type router-solicitation
rule 8 permit icmpv6 icmp6-type neighbor-solicitation
rule 9 permit icmpv6 icmp6-type neighbor-advertisement
rule 10 deny ipv6
#
wlan ap-group group1
ap ap1
ap-model WA6320
radio 1
map-configuration map.txt
service-template redirect
radio enable
#
wlan ap ap1 model WA6320
serial-id 219801A28N819CE0002T
#
· Switch:
#
vlan 100
#
vlan 200
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 100 200
poe enable
#
Related documentation
· User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides
· User Access and Authentication Command Reference in H3C Access Controllers Command References
· WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN Access Command Reference in H3C Access Controllers Command References