Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 02-User isolation configuration | 625.54 KB |
Contents
User group-based user isolation
Enabling SSID-based user isolation
Configuring VLAN-based user isolation
Configuring user group-based user isolation
Verifying and maintaining user isolation
Displaying user isolation statistics
Clearing user isolation statistics
User isolation configuration examples
Example: Configuring SSID-based user isolation in centralized forwarding mode
Example: Configuring SSID-based user isolation in local forwarding mode
Example: Configuring VLAN-based user isolation in centralized forwarding mode
Example: Configuring VLAN-based user isolation in local forwarding mode (via AP group configuration)
Example: Configuring user group-based user isolation
Configuring user isolation
About user isolation
The user isolation feature isolates packets for users that use the same SSID in the same VLAN or for users that are in the same VLAN. This feature improves user security, relieves the forwarding stress of the device, and reduces consumption of radio resources.
User isolation types
User isolation includes the following types:
· SSID-based user isolation—Isolates wireless users that use the same SSID in the same VLAN.
· VLAN-based user isolation—Isolates wired or wireless users in the same VLAN.
· User group-based user isolation—Isolates wireless users in the same user group or in different user groups.
SSID-based user isolation
SSID-based user isolation is applicable to both the local forwarding mode and the centralized forwarding mode.
When SSID-based user isolation is enabled for a service, the device isolates all wireless users that access the network through the service in the same VLAN.
User isolation mechanism in centralized forwarding mode
As shown in Figure 1, the AC centrally forwards the client traffic. Client 1 to Client 3 access the WLAN through AP 1 to AP 3 by using the service named service. Client 1 and Client 2 are in VLAN 100, and Client 3 is in VLAN 200. Enable user isolation on the AC for the service.
· Client 1 sends broadcast or multicast packets in VLAN 100. When the AC receives the packets, it does not forward them to any APs in the WLAN. The AC forwards the packets only through the wired port to the switch.
· Client 1 sends unicast packets to Client 2 in VLAN 100. When the AC receives the packets, it discards them instead of forwarding them to AP 2.
Figure 1 Packet forwarding path
User isolation mechanism in local forwarding mode
This mechanism isolates wireless clients on the same AP.
As shown in Figure 2, the APs perform local traffic forwarding for clients. Client 1 to Client 4 access the WLAN through AP 1 to AP 3 by using the service named service. Client 1 to Client 3 are in VLAN 100, and Client 4 is in VLAN 200. Enable SSID-based user isolation on the service for AP 1.
· Client 1 sends broadcast or multicast packets in VLAN 100.
¡ When AP 1 receives the packets, it does not forward them to Client 2 because user isolation is enabled. The AP forwards the packets only through the wired port to the wired devices in the same VLAN, including AP 2, AP 3, and the host.
¡ When AP 2 receives the packets, it forwards them to Client 3 because user isolation is disabled on AP 2.
¡ When AP 3 receives the packets, it does not forward them to Client 4 because Client 1 and Client 4 are in different VLANs.
· Client 1 sends unicast packets to Client 2 in VLAN 100. When AP 1 receives the packets, it discards them instead of forwarding them to Client 2.
Figure 2 Packet forwarding path
VLAN-based user isolation
VLAN-based user isolation is applicable to both local and centralized forwarding modes. Table 1 shows the mechanism to isolate traffic of wired users and wireless users.
Table 1 VLAN-based user isolation mechanism
|
Forwarding mode |
Received unicast packets |
Received broadcast or multicast packets |
|
Centralized forwarding |
The AC discards the packets. |
The AC forwards the packets only through wired ports to the wired users in the VLAN, and it does not forward the packets to wireless users in the VLAN. |
|
Local forwarding |
The fit AP discards the packets. |
The fit AP forwards the packets to wired and wireless users in the VLAN through wired ports. However, the AP does not forward the packets to the local wireless users in the VLAN. |
User isolation mechanism in centralized forwarding mode (packets received from wireless users)
As shown in Figure 3, the AC centrally forwards the client traffic. Enable user isolation on the AC for VLAN 100.
· Client 1 sends broadcast or multicast packets in VLAN 100. When the AC receives the packets, it does not forward them to any APs in the WLAN. The AC forwards the packets only through the wired port to the switch. The switch then forwards the packets to the wired host and server.
· Client 1 sends unicast packets to Client 3 in VLAN 100. When the AC receives the packets, it discards them instead of forwarding them to AP 2.
Figure 3 Packet forwarding path
User isolation mechanism in centralized forwarding mode (packets received from wired users)
As shown in Figure 4, the AC centrally forwards the client traffic. Enable user isolation on the AC for VLAN 100.
· The host sends broadcast or multicast packets in VLAN 100. The server and AC can receive the packets. When the AC receives the packets, it discards them instead of forwarding them to any APs in the WLAN.
· The host sends unicast packets to Client 3 in VLAN 100. When the AC receives the packets, it discards them instead of forwarding them to AP 2.
Figure 4 Packet forwarding path
User isolation mechanism in local forwarding mode (packets received from wireless users)
As shown in Figure 5, AP 1 performs local forwarding for clients. Enable user isolation on AP 1 for VLAN 100.
· Client 1 sends broadcast or multicast packets in VLAN 100.
¡ When AP 1 receives the packets, it forwards them to the server, AP 2, and the host in VLAN 100 through the wired port. However, AP 1 does not forward the packets to Client 2 because user isolation is enabled.
¡ When AP 2 receives the packets, it forwards them to Client 3 since user isolation is not enabled on AP 2.
· Client 1 sends unicast packets to Client 3 in VLAN 100. When AP 1 receives the packets, it discards them instead of forwarding them to AP 2.
Figure 5 Packet forwarding path
User isolation mechanism in local forwarding mode (packets received from wired users)
As shown in Figure 6, AP 1 performs local forwarding for clients. Enable user isolation on AP 1 for VLAN 100.
· The host sends broadcast or multicast packets in VLAN 100. The server, AC, AP 1, and AP 2 can receive the packets.
¡ When AP 1 receives the packets, it discards them instead of forwarding them to Client 1 and Client 2.
¡ When AP 2 receives the packets, it forwards them to Client 3 since user isolation is not enabled on AP 2.
· The host sends unicast packets to Client 1 in VLAN 100. When AP 1 receives the packets, it discards them instead of forwarding them to Client 1.
Figure 6 Packet forwarding path
User group-based user isolation
User group-based user isolation is applicable only to the centralized forwarding mode. You can use intra-group user isolation and inter-group user isolation.
Table 2 User group-based user isolation mechanism
|
Isolation policy |
User access restrictions |
|
Intra-group user isolation |
· A wireless user cannot send unicast packets to other wireless users in the same user group. · A wireless user in one user group can send unicast packets to wireless users in another user group. |
|
Inter-group user isolation |
· A wireless user can send unicast packets to other wireless users in the same user group. · A wireless user in one user group cannot send unicast packets to wireless users in another user group. |
|
|
IMPORTANT: User group-based user isolation can take effect on wireless users that access different APs and VLANs. If wireless users belong to different service VLANs, you must deploy the gateway on the AC for user group-based user isolation to take effect on the wireless users. |
User isolation mechanism in centralized forwarding mode
As shown in Figure 7 the AC centrally forwards the client traffic. Client 1 to Client 3 access the WLAN through AP 1 to AP 3. Client 1 and Client 2 are in VLAN 100, and the authorization user group for them is GROUP_100. Client 3 is in VLAN 200, and the authorization user group is also GROUP_100. Configure user isolation in user group GROUP_100 to isolate wireless users in that user group.
· Client 1 sends unicast packets to Client 2 in VLAN 100. When the AC receives the unicast packets, it discards them instead of forwarding them to AP 2.
· Client 1 sends unicast packets to Client 3 in VLAN 200. When the AC receives the unicast packets, it discards them instead of forwarding them to AP 3.
Figure 7 Packet forwarding path
Enabling SSID-based user isolation
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable SSID-based user isolation.
user-isolation enable
By default, SSID-based user isolation is disabled.
Configuring VLAN-based user isolation
Restrictions and guidelines
VLAN-based user isolation applies to both the centralized forwarding mode and the local forwarding mode.
· In centralized forwarding mode, configure this feature directly on the AC.
· In local forwarding mode, you can configure an AP group on the AC or deploy a configuration file from the AC to an AP. If you deploy a configuration file from the AC to an AP, you must add the user isolation command lines in the order as shown in the "Procedure (in centralized forwarding mode or deploying a configuration file to an AP in local forwarding mode)" section to the configuration file. Then, use the map-configuration command on the AC to deploy the configuration file to the AP to enable VLAN-based user isolation for the AP. For more information about configuration file deployment, see WLAN access in WLAN Access Configuration Guide.
To enable users in a VLAN to access the external network, assign the VLAN gateway MAC address to the permitted MAC address list before you enable VLAN-based user isolation.
Procedure (in centralized forwarding mode or deploying a configuration file to an AP in local forwarding mode)
1. Enter system view.
system-view
2. Configure permitted MAC address list for a list of VLANs.
user-isolation vlan vlan-list permit-mac mac-list
By default, no permitted MAC addresses are configured for a VLAN.
3. Enable user isolation for a list of VLANs.
user-isolation vlan vlan-list enable [ permit-unicast ]
By default, user isolation is disabled for a VLAN.
4. (Optional.) Permit broadcast and multicast traffic sent from wired users to wireless users.
user-isolation permit-broadcast
By default, the device does not forward broadcast or multicast traffic sent from wired users to wireless users in the VLANs where user isolation is enabled.
5. (Optional.) Permit wireless users in the specified VLANs to receive broadcast and multicast traffic that matches an ACL.
user-isolation vlan vlan-list permit-bmc acl [ ipv6 ] acl-number
By default, wireless users in a VLAN cannot receive broadcast or multicast traffic.
Procedure (configuring an AP group on the AC in local forwarding mode)
1. Enter system view.
system-view
2. Enter AP group view.
wlan ap-group group-name
3. Configure permitted MAC address list for a list of VLANs.
wlan user-isolation vlan vlan-list permit-mac mac-list
By default, no permitted MAC addresses are configured for a VLAN.
4. Enable user isolation for a list of VLANs.
wlan user-isolation vlan vlan-list enable [ permit-unicast ]
By default, user isolation is disabled for a VLAN.
5. (Optional.) Permit broadcast and multicast traffic sent from wired users to wireless users.
wlan user-isolation permit-broadcast
By default, the device does not forward broadcast or multicast traffic sent from wired users to wireless users in the VLANs where user isolation is enabled.
Configuring user group-based user isolation
About this task
To isolate wireless users based on user groups, you must assign user groups to the wireless users and configure user group-based user isolation in user group view. The device supports the following user group-based user isolation policies:
· Intra-group user isolation—Users in a user group cannot access one another at Layer 2 or Layer 3.
· Inter-group user isolation—Users in a user group cannot access users in other user groups.
Restrictions and guidelines
· User group-based user isolation takes effect only on unicast packets of wireless users in centralized forwarding mode.
· If wireless users belong to different service VLANs, you must deploy the gateway on the AC for user group-based user isolation to take effect on the wireless users.
· As a best practice to avoid isolation policy confusion, do not delete or modify a user group if that user group has users that have been restricted by the existing user group-based user isolation policy.
Procedure
1. Enter system view.
system-view
2. Create a user group and enter user group view.
user-group group-name
By default, only user group system exists.
3. Configure user group-based user isolation.
user-isolation { intra-group | inter-group } *
By default, user group-based user isolation is not configured.
This command takes effect only on unicast packets of wireless users in centralized forwarding mode.
For more information about user groups and user group-based user isolation, see AAA configuration in User Access and Authentication Configuration Guide.
Verifying and maintaining user isolation
Displaying user isolation statistics
To display VLAN-based user isolation statistics, execute the following command in any view:
display user-isolation statistics [ vlan vlan-id ]
Clearing user isolation statistics
To clear VLAN-based user isolation statistics, execute the following command in user view:
reset user-isolation statistics [ vlan vlan-id ]
User isolation configuration examples
Example: Configuring SSID-based user isolation in centralized forwarding mode
Network configuration
As shown in Figure 8, Client 1 and Client 2 use the same SSID to access the Internet. The AC centrally forwards the client traffic.
Configure user isolation on the AC to isolate the clients from each other while providing Internet access for the clients.
Procedure
# Configure Client 1 and Client 2 to access the Internet through service template service. For more information, see WLAN access in WLAN Access Configuration Guide and AP management in AP and WT Management Configuration Guide. (Details not shown.)
# Enable SSID-based user isolation for service template service.
<AC> system-view
[AC] wlan service-template service
[AC-wlan-st-service] user-isolation enable
[AC-wlan-st-service] quit
Verifying the configuration
# Verify that Client 1 and Client 2 can use service service to access the Internet but cannot access each other. (Details not shown.)
Example: Configuring SSID-based user isolation in local forwarding mode
Network configuration
As shown in Figure 9, Client 1 and Client 2 use the same SSID to access the Internet. The APs perform local traffic forwarding.
Configure user isolation for AP 1 to isolate the clients from each other while providing Internet access for the clients.
Procedure
# Configure Client 1 and Client 2 to access the Internet through service template service1. Configure the APs to perform local traffic forwarding for the clients. For more information, see WLAN access in WLAN Access Configuration Guide and AP management in AP and WT Management Configuration Guide. (Details not shown.)
# Enable SSID-based user isolation for service template service1.
<AC> system-view
[AC] wlan service-template service1
[AC-wlan-st-service1] user-isolation enable
[AC-wlan-st-service1] quit
Verifying the configuration
# Verify that Client 1 and Client 2 can use service service1 to access the Internet but cannot access each other. (Details not shown.)
Example: Configuring VLAN-based user isolation in centralized forwarding mode
Network configuration
As shown in Figure 10, the AC centrally forwards the client traffic and the router acts as the gateway of the devices in VLAN 100. The MAC address of the gateway is 000f-e212-7788.
Configure user isolation for VLAN 100 on the AC to meet the following requirements:
· Client 1, Client 2, Client 3, the host, and the server can access the Internet. For this purpose, add the MAC address of the gateway to the permitted MAC address list.
· When Client 1 forwards broadcast packets, only the host and the server can receive the packets.
· Client 1, Client 2, and Client 3 cannot reach one another.
Procedure
# Configure Client 1, Client 2, and Client 3 to access the Internet through WLAN. For more information, see WLAN access in WLAN Access Configuration Guide and AP management in AP and WT Management Configuration Guide. (Details not shown.)
# Assign the MAC address of the gateway to the permitted MAC address list.
<AC> system-view
[AC] user-isolation vlan 100 permit-mac 000f-e212-7788
# Enable VLAN-based user isolation for VLAN 100.
[AC] user-isolation vlan 100 enable
Verifying the configuration
# Verify that Client 1, Client 2, Client 3, the host, and the server in VLAN 100 can access the Internet. (Details not shown.)
# Verify that only the host and the server can receive broadcast packets from Client 1. (Details not shown.)
# Verify that Client 1, Client 2, and Client 3 cannot reach one another. (Details not shown.)
Example: Configuring VLAN-based user isolation in local forwarding mode (via AP group configuration)
Network configuration
As shown in Figure 11, AP 1 belongs to AP group group1 and AP 2 belongs to AP group group2. The APs perform local traffic forwarding for the clients and the router acts as the gateway of the devices in VLAN 100. The MAC address of the gateway is 000f-e212-7788.
Configure VLAN-based user isolation on the AC for AP group group1 to meet the following requirements:
· Client 1, Client 2, Client 3, the host, and the server can access the Internet. For this purpose, add the MAC address of the gateway to the permitted MAC address list.
· When Client 1 forwards broadcast packets, only the host, the server, and Client 3 can receive the packets.
· Client 1 and Client 2 cannot reach each other.
Procedure
# Configure Client 1, Client 2, and Client 3 to access the Internet through WLAN. For more information, see AP management in AP and WT Management Configuration Guide and WLAN access in WLAN Access Configuration Guide. (Details not shown.)
# Add the gateway MAC address to the permitted MAC address list in VLAN 100 and enable user isolation for VLAN 100.
<AC> system-view
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] user-isolation vlan 100 permit-mac 000f-e212-7788
[AC-wlan-ap-group-group1] user-isolation vlan 100 enable
Verifying the configuration
# Verify that Client 1, Client 2, Client 3, the host, and the server in VLAN 100 can access the Internet. (Details not shown.)
# Verify that only the host, the server, and Client 3 can receive broadcast packets from Client 1. (Details not shown.)
# Verify that Client 1 and Client 2 cannot reach each other. (Details not shown.)
Example: Configuring VLAN-based user isolation in local forwarding mode (via configuration file deployment)
Network configuration
As shown in Figure 12, AP 1 performs local traffic forwarding for the clients and the router acts as the gateway of the devices in VLAN 100. The MAC address of the gateway is 000f-e212-7788.
Configure user isolation for VLAN 100 on AP 1 to meet the following requirements:
· Client 1, Client 2, Client 3, the host, and the server can access the Internet. For this purpose, add the MAC address of the gateway to the permitted MAC address list.
· When Client 1 forwards broadcast packets, only the host, the server, and Client 3 can receive the packets.
· Client 1 and Client 2 cannot reach each other.
Procedure
# Configure Client 1, Client 2, and Client 3 to access the Internet through WLAN. For more information, see WLAN access in WLAN Access Configuration Guide and AP management in AP and WT Management Configuration Guide. (Details not shown.)
# Create configuration file apcfg.txt and add user isolation command lines in the following order into the configuration file. You must place the command for adding the gateway MAC address to the permitted MAC address list before the command for enabling user isolation.
system-view
user-isolation vlan 100 permit-mac 000f-e212-7788
user-isolation vlan 100 enable
# Upload configuration file apcfg.txt to the AC. (Details not shown.)
# Issue configuration file apcfg.txt to AP 1.
<AC> system-view
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] map-configuration apcfg.txt
Verifying the configuration
# Verify that Client 1, Client 2, Client 3, the host, and the server in VLAN 100 can access the Internet. (Details not shown.)
# Verify that only the host, the server, and Client 3 can receive broadcast packets from Client 1. (Details not shown.)
# Verify that Client 1 and Client 2 cannot reach each other. (Details not shown.)
Example: Configuring user group-based user isolation
Network configuration
As shown in Figure 13, the AC centrally forwards the client traffic. Configure user isolation on the AC for clients in a user group so that wireless users in that user group are isolated at Layer 2 and Layer 3.
Configuring the AC
This example provides only basic AAA settings, including RADIUS. For more information about AAA commands, see User Access and Authentication Configuration Guide.
1. Configure 802.1X authentication and a RADIUS scheme:
# Configure the AC to use EAP relay to authenticate 802.1X clients.
<AC> system-view
[AC] dot1x authentication-method eap
# Create a RADIUS scheme named imcc.
[AC] radius scheme imcc
# Specify the primary authentication server, the primary accounting server, and the authentication and accounting port numbers.
[AC-radius-imcc] primary authentication 192.168.66.141 1812
[AC-radius-imcc] primary accounting 192.168.66.141 1813
# Set the authentication and accounting shared keys to 12345678 in plaintext form.
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
# Exclude the domain name from the usernames sent to the servers.
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
2. Configure AAA methods for the ISP domain:
# Create an ISP domain named imc.
[AC] domain imc
# Configure the ISP domain to use RADIUS scheme imcc for LAN client authentication, authorization, and accounting.
[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
3. Configure a service template:
# Create a service template named wlas_imc_peap.
[AC] wlan service-template wlas_imc_peap
# Set the authentication mode to 802.1X.
[AC-wlan-st-wlas_imc_peap] client-security authentication-mode dot1x
# Specify ISP domain imc for the service template.
[AC-wlan-st-wlas_imc_peap] dot1x domain imc
# Set the SSID to wlas_imc_peap.
[AC-wlan-st-wlas_imc_peap] ssid wlas_imc_peap
# Set the AKM mode to 802.1X.
[AC-wlan-st-wlas_imc_peap] akm mode dot1x
# Set the CCMP cipher suite.
[AC-wlan-st-wlas_imc_peap] cipher-suite ccmp
# Enable the RSN-IE in the beacon and probe responses.
[AC-wlan-st-wlas_imc_peap] security-ie rsn
# Enable the service template.
[AC-wlan-st-wlas_imc_peap] service-template enable
[AC-wlan-st-wlas_imc_peap] quit
4. Configure manual AP ap1, and bind the service template to an AP radio:
# Create AP ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio enable
# Bind service template wlas_imc_peap to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template wlas_imc_peap
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
5. Configure a user group to isolate wireless users in that user group.
<AC> system
[AC] user-group intraGroup
[AC-ugroup-intragroup] user-isolated intra-group
[AC-ugroup-intragroup] quit
Configuring the RADIUS server
This example uses IMC as the RADIUS server, which runs IMC PLAT 7.3 and IMC UAM 7.3.
1. Install the EAP-PEAP certificate in IMC. (Details not shown.)
2. Add the AC to IMC as an access device:
a. Log in to IMC and click the User tab.
b. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
c. Click Add.
d. On the page that opens, configure the following parameters:
- Configure 12345678 as the authentication and accounting shared keys, and use the default values for other parameters.
- Click Select or Add Manually to add the device at 192.168.66.103 as an access device.
e. Click OK.
3. Add an access policy:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Access Policy.
c. Click Add.
d. On the page that opens, configure the following parameters:
- Enter intra in the Access Policy Name field.
- Select EAP for the Certificate Authentication field.
- Select EAP-PEAP Auth from the Certificate Type list, and select MS-CHAPV2 Auth from the Certificate Sub-Type list.
The certificate sub-type on the IMC server must be the same as the identity authentication method configured on the client.
- Deploy user group intraGroup to a user after the user passes authentication.
e. Click OK.
4. Add an access service:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Access Service.
c. Click Add.
d. On the page that opens, configure the following parameters:
- Enter aaa_intra in the Service Name field.
- Select intra from the Default Access Policy list.
e. Click OK.
5. Add an access user:
a. Click the User tab.
b. From the navigation tree, select Access User > All Access Users.
The access user list opens.
c. Click Add.
d. In the Access Information area, configure the following parameters:
- Click Select to select a user that has been added to the IMC platform or click Add User to add a new user to the IMC platform. In this example, click Add User to add user user.
- Enter intra in the Account Name field.
- Enter 12345678 in the Password and Confirm Password fields.
e. In the Access Service area, select aaa_intra from the list.
f. Click OK.
Verifying the configuration
# Verify that the clients can pass 802.1X authentication and associate with the APs. (Details not shown.)
# On the AC, display detailed WLAN client information to verify that the clients have passed authentication and come online and they have been assigned to user group intra.
[AC] display wlan client verbose
Total number of clients: 3
MAC address : 5213-5677-11a7
IPv4 address : 192.168.125.100
...
Authorization user group name : intra
MAC address : 72c8-a028-8aab
IPv4 address : 192.168.125.101
...
Authorization user group name : intra
MAC address : 04b1-6704-7847
IPv4 address : 192.168.126.100
...
Authorization user group name : intra
# Verify that Client 1 to Client 3 can access the Internet, but they cannot access one another. (Details not shown.)
