Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-Windows LDAP Server Configuration Examples | 1.96 MB |
|
|
|
H3C Access Controllers |
|
Access Authentication by Windows LDAP Server |
|
Configuration Examples |
|
|
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring LDAP-based local EAP-GTC authentication
Example: Configuring LDAP-based remote 802.1X authentication
Example: Configuring LDAP-based local portal authentication
Example: Configuring LDAP-based remote portal authentication
Introduction
The following information provides examples for configuring H3C access controllers to use a Windows LDAP server to authenticate wireless clients. The supported features include EAP-GTC authentication, portal authentication, and 802.1X authentication.
Prerequisites
The following information applies to H3C access controllers, H3C IMC servers, and Windows LDAP servers running the specified version. Procedures and information in the examples might be slightly different depending on the software or hardware conditions of the H3C access controllers, H3C IMC servers, and Windows LDAP servers. For more information, see the manuals for the access controllers and servers.
The configuration examples were created and verified in a lab environment, and all the devices and servers were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every operation on your network.
The following information is provided based on the assumption that you have basic knowledge of H3C AAA, 802.1X, portal, WLAN access authentication, and WLAN access features as well as H3C IMC servers and Windows LDAP servers.
Example: Configuring LDAP-based local EAP-GTC authentication
Network configuration
As shown in Figure 1, the AC can reach the LDAP server over the switch. The AC uses the LDAP server to perform local EAP-GTC authentication for the client to control the client's access to network resources.
Software versions used
This configuration example was created and verified on the following hardware and software versions:
|
Hardware |
Software version |
|
vAC |
R5435P03 |
|
Microsoft Windows Server 2012 |
Active Directory |
Restrictions and guidelines
Use the serial ID labeled on the AP's rear panel to specify an AP.
Procedures
Configuring the AC
1. Configure a PKI domain and import the required certificates to the PKI domain:
You can use a certificate server to generate certificates.
# Create PKI domain eap-gtc.
<AC> system-view
[AC] pki domain eap-gtc
# Specify the general purpose RSA key pair named eap-gtc for certificate request.
[AC-pki-domain-eap-gtc] public-key rsa general name eap-gtc
# Disable CRL checking.
[AC-pki-domain-eap-gtc] undo crl check enable
[AC-pki-domain-eap-gtc] quit
# Import certificates to PKI domain eap-gtc.
[AC] pki import domain eap-gtc pem ca filename cacert.crt
The trusted CA's finger print is:
MD5 fingerprint:CEA3 E3EF C7B6 6BFD 8D9E 8174 606C 8D8E
SHA1 fingerprint:4D25 EA37 4885 5E94 3B0E 1B83 7AA7 290D 23A6 4EC3
Is the finger print correct?(Y/N):y
[AC] pki import domain eap-gtc p12 local filename local.pfx
Please input the password:123456
2. Create an SSL server policy and specify a PKI domain for the SSL server policy:
# Create SSL server policy ssl-eap.
[AC] ssl server-policy ssl-eap
# Specify PKI domain eap-gtc for SSL server policy ssl-eap.
[AC-ssl-server-policy-ssl-eap] pki-domain eap-gtc
[AC-ssl-server-policy-ssl-eap] quit
3. Configure an EAP profile, specify the default EAP authentication method, and specify an SSL server policy for EAP authentication:
# Create EAP profile eap-ldap.
[AC] eap-profile eap-ldap
# In the EAP profile, specify PEAP-GTC as the default EAP authentication method.
[AC-eap-profile-eap-ldap] method peap-gtc
# In the EAP profile, specify SSL server policy ssl-eap for EAP authentication.
[AC-eap-profile-eap-ldap] ssl-server-policy ssl-eap
[AC-eap-profile-eap-ldap] quit
4. Configure the AC to use EAP relay to authenticate the 802.1X client.
[AC] dot1x authentication-method eap
5. Configure an ISP domain:
# Create ISP domain eap-gtc.
[AC] domain eap-gtc
# Configure the ISP domain to use LDAP scheme ldap for LAN user authentication and not perform authorization and accounting for LAN users.
[AC-isp-eap-gtc] authentication lan-access ldap-scheme ldap
[AC-isp-eap-gtc] authorization lan-access none
[AC-isp-eap-gtc] accounting lan-access none
[AC-isp-eap-gtc] quit
6. Configure an LDAP scheme:
# Create LDAP scheme ldap and specify an LDAP authentication server in the LDAP scheme.
[AC] ldap scheme ldap
[AC-ldap-ldap] authentication-server ldap
[AC-ldap-ldap] quit
# Configure the LDAP authentication server. The IP address of the server is 192.168.106.40. Configure the administrator password for binding with the LDAP server during LDAP authentication, specify the administrator DN, and specify the base DN for user search.
[AC]ldap server ldap
[AC-ldap-server-ldap] login-dn cn=administrator,cn=users,dc=test,dc=com
[AC-ldap-server-ldap] search-base-dn dc=test,dc=com
[AC-ldap-server-ldap] ip 192.168.106.40
[AC-ldap-server-ldap] login-password simple 123456
[AC-ldap-server-ldap] quit
7. Configure a service template.
[AC] wlan service-template h3c-ldap
[AC-wlan-st-h3c-ldap] ssid h3c-ldap
[AC-wlan-st-h3c-ldap] akm mode dot1x
[AC-wlan-st-h3c-ldap] cipher-suite ccmp
[AC-wlan-st-h3c-ldap] security-ie rsn
[AC-wlan-st-h3c-ldap] client-security authentication-mode dot1x
[AC-wlan-st-h3c-ldap] dot1x domain eap-gtc
[AC-wlan-st-h3c-ldap] dot1x eap-termination eap-profile eap-ldap
[AC-wlan-st-h3c-ldap] dot1x eap-termination authentication-method pap
[AC-wlan-st-h3c-ldap] service-template enable
[AC-wlan-st-h3c-ldap ]quit
8. Bind the service template to a radio.
[AC] wlan ap ap1 model WA6330
[AC-wlan-ap-ap1] serial-id 219801A23V8209E0043Y
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1] radio enable
[AC-wlan-ap-ap1] service-template h3c-ldap
Configuring the LDAP server (adding a user account)
1. On the LDAP server, select Start > Control Panel > Administrative Tools.
2. Double-click Active Directory Users and Computers.
The Active Directory Users and Computers window is displayed.
Figure 2 Active Directory Users and Computers window
3. From the navigation pane, click Users under the test.com node.
Figure 3 Users window
4. Right-click Users, and select New > User from the shortcut menu to display the dialog box for adding a user.
Figure 4 Users options
5. In the dialog box, set the first name, full name, and user logon name to h3c, and then click Next.
Figure 5 Entering the first name, full name, and user logon name
6. In the dialog box that opens, configure and confirm the password of the user, select options as needed, and click Next.
Figure 6 Setting the user's password
Figure 7 Finishing creating the user
7. From the navigation pane, click Users under the test.com node. In the right pane, right-click user h3c and select Properties.
Figure 8 Selecting the Properties option for the user
8. In the dialog box that opens, click the Member Of tab, select the Domain Users primary group, and then click Add.
Figure 9 Adding a primary group
9. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.
User h3c is added to group Users.
Figure 10 Adding user h3c to group Users
Verifying the configuration
# Use a wireless endpoint to connect to the WLAN. Use the user with username h3c to initiate 802.1X authentication. Select GTC for phase 2 authentication. Verify that the user can pass 802.1X authentication and come online.
# On the AC, display online WLAN client information to verify that user h3c has come online.
[AC] display wlan client
Total number of clients: 1
MAC address User name AP name R IP address VLAN
e0cc-f858-4d50 h3c ap1 1 192.168.105.191 1
# On the AC, display online 802.1X user information.
[AC] display dot1x connection
User MAC address : e0cc-f858-4d50
AP name : ap1
Radio ID : 1
SSID : h3c-ldap
BSSID : f010-9059-42e3
Username : h3c
Anonymous username : N/A
Authentication domain : eap-gtc
IPv4 address : 192.168.105.191
Authentication method : EAP
Initial VLAN : 1
Authorization VLAN : 1
Authorization ACL number : N/A
Authorization user profile : N/A
Authorization CAR : N/A
Authorization URL : N/A
Authorization IPv6 URL : N/A
Termination action : N/A
Session timeout last from : N/A
Session timeout period : N/A
Online from : 2022/05/10 15:15:59
Online duration : 0h 3m 11s
Configuration files
· AC:
#
pki domain eap-gtc
public-key rsa general name eap-gtc
undo crl check enable
#
pki import domain eap-gtc pem ca filename cacert.crt
#
pki import domain eap-gtc p12 local filename local.pfx
#
ssl server-policy ssl-eap
pki-domain eap-gtc
#
eap-profile eap-ldap
method peap-gtc
ssl-server-policy ssl-eap
#
dot1x authentication-method eap
#
domain eap-gtc
authentication lan-access ldap-scheme ldap
authorization lan-access none
accounting lan-access none
#
ldap scheme ldap
authentication-server ldap
#
ldap server ldap
login-dn cn=administrator,cn=users,dc=test,dc=com
search-base-dn dc=test,dc=com
ip 192.168.106.40
login-password simple 123456
#
wlan service-template h3c-ldap
ssid h3c-ldap
akm mode dot1x
cipher-suite ccmp
security-ie rsn
client-security authentication-mode dot1x
dot1x domain eap-gtc
dot1x eap-termination eap-profile eap-ldap
dot1x eap-termination authentication-method pap
service-template enable
#
wlan ap ap1 model WA6330
serial-id 219801A23V8209E0043Y
radio 1
radio enable
service-template h3c-ldap
#
Example: Configuring LDAP-based remote 802.1X authentication
Network configuration
As shown in Figure 11, the AC can reach the LDAP server and IMC server over the switch. The LDAP server stores usernames and passwords. The AC uses the IMC server as the RADIUS server to perform remote 802.1X authentication for the client to control the client's access to network resources. When the IMC server performs remote 802.1X authentication for the client, it requests the LDAP server to validate the password of the user on the client.
Software versions used
This configuration example was created and verified on the following hardware and software versions:
|
Hardware |
Software version |
|
vAC |
R5435P03 |
|
IMC server |
iMC PLAT 7.3 (E0706P03) and iMC 7.3 (E0620) |
|
Microsoft Windows Server 2012 |
Active Directory |
Procedures
Configuring the AC
1. Configure an ISP domain:
# Create ISP domain imc.
[H3C] domain imc
# Configure the ISP domain to use RADIUS scheme imc for LAN user authentication, authorization, and accounting.
[H3C-isp-imc] authentication lan-access radius-scheme imc
[H3C-isp-imc] authorization lan-access radius-scheme imc
[H3C-isp-imc] accounting lan-access radius-scheme imc
[H3C-isp-imc] quit
2. Configure a RADIUS scheme:
# Create RADIUS scheme imc.
[H3C] radius scheme imc
# Specify the IMC server at 192.168.106.88 as the server for user authentication and accounting, and set the shared keys for authentication and accounting to a plaintext string of 12345678.
[H3C-radius-imc] primary authentication 192.168.106.88 key simple 12345678
[H3C-radius-imc] primary accounting 192.168.106.88 key simple 12345678
# Specify NAS-IP 192.168.105.190 for outgoing RADIUS packets.
[H3C-radius-imc] nas-ip 192.168.105.190
[H3C-radius-nps] quit
3. Configure the AC to use EAP relay to authenticate the 802.1X client.
[H3C] dot1x authentication-method eap
4. Configure a service template.
[H3C] wlan service-template h3c-imc-ldap
[H3C-wlan-st-h3c-imc-ldap] ssid h3c-imc-ldap
[H3C-wlan-st-h3c-imc-ldap] akm mode dot1x
[H3C-wlan-st-h3c-imc-ldap] cipher-suite ccmp
[H3C-wlan-st-h3c-imc-ldap] security-ie rsn
[H3C-wlan-st-h3c-imc-ldap] client-security authentication-mode dot1x
[H3C-wlan-st-h3c-imc-ldap] dot1x domain imc
[H3C-wlan-st-h3c-imc-ldap] service-template enable
[H3C-wlan-st-h3c-imc-ldap] quit
5. Bind the service template to a radio.
[H3C] wlan ap ap1 model WA6330
[H3C-wlan-ap-ap1] serial-id 219801A23V8209E0043Y
[H3C-wlan-ap-ap1] radio 1
[H3C-wlan-ap-ap1] radio enable
[H3C-wlan-ap-ap1] service-template h3c-imc-ldap
Configuring the LDAP server (adding a user account)
1. On the LDAP server, select Start > Control Panel > Administrative Tools.
2. Double-click Active Directory Users and Computers.
The Active Directory Users and Computers window is displayed.
Figure 12 Active Directory Users and Computers window
3. From the navigation pane, click Users under the test.com node.
Figure 13 Users window
4. Right-click Users, and select New > User from the shortcut menu to display the dialog box for adding a user.
Figure 14 Users options
5. In the dialog box, set the first name, full name, and user logon name to h3c, and then click Next.
Figure 15 Entering the first name, full name, and user logon name
6. In the dialog box that opens, configure and confirm the password of the user, select options as needed, and click Next.
Figure 16 Setting the user's password
Figure 17 Finishing creating the user
7. From the navigation pane, click Users under the test.com node. In the right pane, right-click user h3c and select Properties.
Figure 18 Selecting the Properties option for the user
8. In the dialog box that opens, click the Member Of tab, select the Domain Users primary group, and then click Add.
Figure 19 Adding a primary group
9. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.
User h3c is added to group Users.
Figure 20 Adding user h3c to group Users
Configuring the IMC server
1. Add the AC to the IMC Platform as an access device:
a. Log in to IMC, click the User tab, and select User Access Policy > Access Device Management > Access Device from the navigation pane.
b. Click Add.
c. In the Access Configuration area, set the shared key to 12345678 for secure RADIUS communication, and use the default values for other parameters.
Make sure the shared key is the same as the shared keys for authentication and accounting in the RADIUS scheme on the AC.
Figure 21 Configuring the shared key
d. In the Device List area, click Add Manually. In the dialog box that opens, add the AC at 192.168.105.190 as an access device to the IMC Platform, and then click OK.
e. Click OK.
Figure 22 Specifying the IP address of the AC
2. Add an access policy:
a. From the navigation pane, select User Access Policy > Access Policy.
b. Click Add.
c. On the page that opens, configure the following parameters:
- Enter an access policy name, for example, h3c.
- Select EAP for the Certificate Authentication field.
- Select EAP-PEAP Auth from the Certificate Type list, and select EAP-GTC Auth from the Certificate Sub-Type list.
- Use the default values for other parameters.
d. Click OK.
Figure 23 Adding an access policy
3. Add an access service:
a. From the navigation pane, select User Access Policy > Access Service.
b. Click Add.
c. On the page that opens, configure the following parameters:
- Enter a service name, for example, h3c.
- Select h3c from the Default Access Policy list.
- Use the default values for other parameters.
d. Click OK.
Figure 24 Adding an access service
4. Add an LDAP server:
a. From the navigation pane, select User Access Policy > LDAP Service > LDAP Server.
b. Click Add.
c. On the page that opens, configure the following parameters:
- Specify the LDAP server name.
- Configure the IP address of the LDAP server.
- Select Microsoft AD as the server type.
- Set the administrator DN to cn=administrator,cn=users,dc=test,dc=com,
- Enter the administrator password of the LDAP server.
- Set the base DN to dc=test,dc=com.
- Use the default values for other parameters.
d. Click OK.
Figure 25 Adding an LDAP server
5. Add an LDAP synchronization policy:
a. From the navigation pane, select User Access Policy > LDAP Service > Sync Policy.
b. Click Add.
c. On the page that opens, configure the following parameters:
- Set the policy name to h3c.
- Set the sub-base DN to dc=test,dc=com.
- Use the default values for other parameters.
d. Click Next.
Figure 26 Adding an LDAP synchronization policy
e. In the Access Information area, configure a password used for user authentication after the user is unbound from the LDAP server. This password does not take effect when the user is bound to the LDAP server. In the Access Device Binding Information area, select access service h3c, and then click Finish.
Figure 27 Configuring a password for the access information and selecting access service h3c
f. On the User Access Policy > LDAP Service > Sync Policy page, click the Synchronize link for the policy to start synchronization.
Figure 28 Synchronizing LDAP user information
Verifying the configuration
# Use a wireless endpoint to connect to the WLAN. Use the user with username h3c to initiate 802.1X authentication. Select GTC for phase 2 authentication. Verify that the user can pass 802.1X authentication and come online.
# On the AC, display online WLAN client information to verify that user h3c has come online.
[H3C] display wlan client
Total number of clients: 1
MAC address User name AP name R IP address VLAN
e0cc-f858-4d50 h3c ap1 1 192.168.105.191 1
# On the AC, display online 802.1X user information.
[H3C] display dot1x connection
Total connections: 1
User MAC address : e0cc-f858-4d50
AP name : ap1
Radio ID : 1
SSID : h3c-imc-ldap
BSSID : f010-9059-42e7
Username : h3c
Anonymous username : N/A
Authentication domain : imc
IPv4 address : 192.168.105.191
Authentication method : EAP
Initial VLAN : 1
Authorization VLAN : 1
Authorization ACL number : N/A
Authorization user profile : N/A
Authorization CAR : N/A
Authorization URL : N/A
Authorization IPv6 URL : N/A
Termination action : N/A
Session timeout last from : N/A
Session timeout period : N/A
Online from : 2022/05/11 11:07:00
Online duration : 0h 1m 8s
Configuration files
· AC:
#
domain imc
authentication lan-access radius-scheme imc
authorization lan-access radius-scheme imc
accounting lan-access radius-scheme imc
#
radius scheme imc
primary authentication 192.168.106.88 key simple 12345678
primary accounting 192.168.106.88 key simple 12345678
nas-ip 192.168.105.190
#
dot1x authentication-method eap
#
wlan service-template h3c-imc-ldap
ssid h3c-imc-ldap
akm mode dot1x
cipher-suite ccmp
security-ie rsn
client-security authentication-mode dot1x
dot1x domain imc
service-template enable
#
wlan ap ap1 model WA6330
serial-id 219801A23V8209E0043Y
radio 1
radio enable
service-template h3c-imc-ldap
#
Example: Configuring LDAP-based local portal authentication
Network configuration
As shown in Figure 29, the AC can reach the LDAP server over the switch. The AC uses the LDAP server to perform local portal authentication for the client to control the client's access to network resources.
Software versions used
This configuration example was created and verified on the following hardware and software versions:
|
Hardware |
Software version |
|
vAC |
R5435P03 |
|
Microsoft Windows Server 2012 |
Active Directory |
Procedures
Configuring the AC
1. Configure an ISP domain:
# Create ISP domain portal.
[H3C] domain portal
# Configure the ISP domain to use LDAP scheme ldap for LAN user authentication and not perform authorization and accounting for LAN users.
[H3C-isp-portal] authentication lan-access ldap-scheme ldap
[H3C-isp-portal] authorization lan-access none
[H3C-isp-portal] accounting lan-access none
[H3C-isp-portal] quit
2. Configure an LDAP scheme:
# Create LDAP scheme ldap and specify an LDAP authentication server in the LDAP scheme.
[H3C] ldap scheme ldap
[H3C-ldap-ldap] authentication-server ldap
[H3C-ldap-ldap] quit
# Configure the LDAP authentication server. The IP address of the server is 192.168.106.40. Configure the administrator password for binding with the LDAP server during LDAP authentication, specify the administrator DN, and specify the base DN for user search.
[H3C] ldap server ldap
[H3C-ldap-server-ldap] login-dn cn=administrator,cn=users,dc=test,dc=com
[H3C-ldap-server-ldap] search-base-dn dc=test,dc=com
[H3C-ldap-server-ldap] ip 192.168.106.40
[H3C-ldap-server-ldap] login-password simple 123456
[H3C-ldap-server-ldap] quit
3. Configure portal authentication:
# Specify the URL of the portal Web server.
[H3C] portal web-server portal
[H3C-portal-websvr-portal] url http://192.168.105.190/portal
[H3C-portal-websvr-portal] quit
# Create an HTTP-based local portal Web service and enter its view. The service uses HTTP to exchange authentication information with clients.
[H3C] portal local-web-server http
# Specify file defaultfile.zip as the default authentication page file for local portal authentication. For the configuration to take effect, make sure the file is already stored in the root directory of the storage medium on the device.
[H3C–portal-local-websvr-http] default-logon-page defaultfile.zip
[H3C–portal-local-websvr-http] quit
# Configure destination-based portal-free rules to permit traffic destined for the DNS server.
[H3C] portal free-rule 1 destination ip any udp 53
[H3C] portal free-rule 2 destination ip any tcp 53
4. Configure a service template.
[H3C] wlan service-template h3c-ldap
[H3C-wlan-st-h3c-ldap] ssid h3c-ldap-portal
[H3C-wlan-st-h3c-ldap] portal enable method direct
[H3C-wlan-st-h3c-ldap] portal domain portal
[H3C-wlan-st-h3c-ldap] portal apply web-server portal
[H3C-wlan-st-h3c-ldap] service-template enable
[H3C-wlan-st-h3c-ldap] quit
5. Bind the service template to a radio.
[H3C] wlan ap ap1 model WA6330
[H3C-wlan-ap-ap1] serial-id 219801A23V8209E0043Y
[H3C-wlan-ap-ap1] radio 1
[H3C-wlan-ap-ap1] radio enable
[H3C-wlan-ap-ap1] service-template h3c-ldap
Configuring the LDAP server (adding a user account)
1. On the LDAP server, select Start > Control Panel > Administrative Tools.
2. Double-click Active Directory Users and Computers.
The Active Directory Users and Computers window is displayed.
Figure 30 Active Directory Users and Computers window
3. From the navigation pane, click Users under the test.com node.
Figure 31 Users window
4. Right-click Users, and select New > User from the shortcut menu to display the dialog box for adding a user.
Figure 32 Users options
5. In the dialog box, set the first name, full name, and user logon name to h3c, and then click Next.
Figure 33 Entering the first name, full name, and user logon name
6. In the dialog box that opens, configure and confirm the password of the user, select options as needed, and click Next.
Figure 34 Setting the user's password
Figure 35 Finishing creating the user
7. From the navigation pane, click Users under the test.com node. In the right pane, right-click user h3c and select Properties.
Figure 36 Selecting the Properties option for the user
8. In the dialog box that opens, click the Member Of tab, select the Domain Users primary group, and then click Add.
Figure 37 Adding a primary group
9. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.
User h3c is added to group Users.
Figure 38 Adding user h3c to group Users
Verifying the configuration
# Use a wireless endpoint to connect to the WLAN. When the portal authentication page opens, enter the correct username and password. Verify that the user can pass authentication and come online.
# On the AC, display online portal user information to verify that user h3c has come online.
[H3C] display portal user all
Total portal users: 1
Username: h3c
AP name: ap1
Radio ID: 1
SSID: h3c-ldap-portal
Portal server: N/A
State: Online
VPN instance: N/A
MAC IP VLAN Interface
def4-dffd-50c9 192.168.105.156 1 WLAN-BSS1/0/5
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Web URL: N/A
Configuration files
· AC:
#
domain portal
authentication lan-access ldap-scheme ldap
authorization lan-access none
accounting lan-access none
#
ldap scheme ldap
authentication-server ldap
#
ldap server ldap
login-dn cn=administrator,cn=users,dc=test,dc=com
search-base-dn dc=test,dc=com
ip 192.168.106.40
login-password simple 123456
#
portal web-server portal
url http://192.168.105.190/portal
#
portal local-web-server http
default-logon-page defaultfile.zip
#
portal free-rule 1 destination ip any udp 53
#
portal free-rule 2 destination ip any tcp 53
#
wlan service-template h3c-ldap
ssid h3c-ldap-portal
portal enable method direct
portal domain portal
portal apply web-server portal
service-template enable
#
wlan ap ap1 model WA6330
serial-id 219801A23V8209E0043Y
radio 1
radio enable
service-template h3c-ldap
#
Example: Configuring LDAP-based remote portal authentication
Network configuration
As shown in Figure 39, the AC can reach the LDAP server and IMC server over the switch. The LDAP server stores usernames and passwords. The AC uses the IMC server as the RADIUS server to perform remote portal authentication for the client to control the client's access to network resources. When the IMC server performs remote portal authentication for the client, it requests the LDAP server to validate the password of the user on the client.
Software versions used
This configuration example was created and verified on the following hardware and software versions:
|
Hardware |
Software version |
|
vAC |
R5435P03 |
|
IMC server |
iMC PLAT 7.3 (E0706P03) and iMC 7.3 (E0620) |
|
Microsoft Windows Server 2012 |
Active Directory |
Procedures
Configuring the AC
1. Configure an ISP domain:
# Create ISP domain imc.
[H3C] domain imc
# Configure the ISP domain to use RADIUS scheme imc for portal user authentication, authorization, and accounting.
[H3C-isp-imc] authentication portal radius-scheme imc
[H3C-isp-imc] authorization portal radius-scheme imc
[H3C-isp-imc] accounting portal radius-scheme imc
[H3C-isp-imc] quit
2. Configure a RADIUS scheme:
# Create RADIUS scheme imc.
[H3C] radius scheme imc
# Specify the IMC server at 192.168.106.88 as the server for user authentication and accounting, and set the shared keys for authentication and accounting to a plaintext string of 12345678.
[H3C-radius-imc] primary authentication 192.168.106.88 key simple 12345678
[H3C-radius-imc] primary accounting 192.168.106.88 key simple 12345678
# Exclude the domain name from the usernames sent to the server.
[H3C-radius-imc] user-name-format without-domain
# Specify NAS-IP 192.168.105.190 for outgoing RADIUS packets.
[H3C-radius-imc] nas-ip 192.168.105.190
[H3C-radius-imc] quit
3. Configure portal authentication:
# Configure the portal authentication server.
[H3C] portal server imc
[H3C-portal-server-imc] ip 192.168.106.88 key simple 12345678
[H3C-portal-server-imc] quit
# Configure the portal Web server.
[H3C]portal web-server imc
[H3C-portal-websvr-imc] url http://192.168.106.88:8080/portal
[H3C-portal-websvr-imc] quit
4. Configure a service template:
# Create service template h3c-imc-ldap and specify an SSID for the service template.
[H3C] wlan service-template h3c-imc-ldap
[H3C-wlan-st-h3c-imc-ldap] ssid h3c-imc-ldap
# Enable direct portal authentication.
[H3C-wlan-st-h3c-imc-ldap] portal enable method direct
# Specify ISP domain imc as the authentication domain for portal users.
[H3C-wlan-st-h3c-imc-ldap] portal domain imc
# Configure the BAS-IP attribute as 192.168.105.190 for portal packets sent to the portal authentication server.
[H3C-wlan-st-h3c-imc-ldap] portal bas-ip 192.168.105.190
# Specify portal Web server imc for portal authentication.
[H3C-wlan-st-h3c-imc-ldap] portal apply web-server imc
# Enable the service template.
[H3C-wlan-st-h3c-imc-ldap] service-template enable
[H3C-wlan-st-h3c-imc-ldap] quit
5. Bind the service template to a radio.
[H3C] wlan ap ap1 model WA6330
[H3C-wlan-ap-ap1] serial-id 219801A23V8209E0043Y
[H3C-wlan-ap-ap1] radio 1
[H3C-wlan-ap-ap1] radio enable
[H3C-wlan-ap-ap1] service-template h3c-imc-ldap
Configuring the LDAP server (adding a user account)
1. On the LDAP server, select Start > Control Panel > Administrative Tools.
2. Double-click Active Directory Users and Computers.
The Active Directory Users and Computers window is displayed.
Figure 40 Active Directory Users and Computers window
3. From the navigation pane, click Users under the test.com node.
Figure 41 Users window
4. Right-click Users, and select New > User from the shortcut menu to display the dialog box for adding a user.
Figure 42 Users options
5. In the dialog box, set the first name, full name, and user logon name to h3c, and then click Next.
Figure 43 Entering the first name, full name, and user logon name
6. In the dialog box that opens, configure and confirm the password of the user, select options as needed, and click Next.
Figure 44 Setting the user's password
Figure 45 Finishing creating the user
7. From the navigation pane, click Users under the test.com node. In the right pane, right-click user h3c and select Properties.
Figure 46 Selecting the Properties option for the user
8. In the dialog box that opens, click the Member Of tab, select the Domain Users primary group, and then click Add.
Figure 47 Adding a primary group
9. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK.
User h3c is added to group Users.
Figure 48 Adding user h3c to group Users
Configuring the IMC server
1. Add the AC to the IMC Platform as an access device:
a. Log in to IMC, click the User tab, and select User Access Policy > Access Device Management > Access Device from the navigation pane.
b. Click Add.
c. In the Access Configuration area, set the shared key to 12345678 for secure RADIUS communication, and use the default values for other parameters.
Make sure the shared key is the same as the shared keys for authentication and accounting in the RADIUS scheme on the AC.
Figure 49 Configuring the shared key
d. In the Device List area, click Add Manually. In the dialog box that opens, add the AC at 192.168.105.190 as an access device to the IMC Platform, and then click OK.
e. Click OK.
Figure 50 Specifying the IP address of the AC
2. Add an IP address group:
a. From the navigation pane, select User Access Policy > Portal Service > IP Group.
b. Click Add.
c. Specify an IP group name, and enter the start IP address and end IP address of the IP group.
d. Click OK.
Figure 51 Adding an IP address group
3. Add a portal device:
a. From the navigation pane, select User Access Policy > Portal Service > Device.
b. Click Add.
c. Specify a device name, and enter the IP address of the AC's interface that exchanges information with the portal server.
d. Enter the key, which must be the same as that configured on the AC.
e. Click OK.
Figure 52 Adding a portal device
4. Associate the portal device with the IP address group:
a. On the User Access Policy > Portal Service > Device page, click the Port
Group Information Management icon 
for device h3c-ldap to open the port
group configuration page.
b. Click Add.
c. Enter the port group name, select PAP from the Authentication Type list, select h3c from the IP Group list, and use the default values for other parameters.
d. Click OK.
Figure 53 Device list
Figure 54 Port group information management page
5. Add an access policy:
a. From the navigation pane, select User Access Policy > Access Policy.
b. Click Add.
c. On the page that opens, enter an access policy name, for example, h3c, and use the default values for other parameters.
d. Click OK.
Figure 56 Adding an access policy
6. Add an access service:
a. From the navigation pane, select User Access Policy > Access Service.
b. Click Add.
c. On the page that opens, configure the following parameters:
- Enter a service name, for example, h3c.
- Select h3c from the Default Access Policy list.
- Use the default values for other parameters.
d. Click OK.
Figure 57 Adding an access service
7. Add an LDAP server:
a. From the navigation pane, select User Access Policy > LDAP Service > LDAP Server.
b. Click Add.
c. On the page that opens, configure the following parameters:
- Specify the LDAP server name.
- Configure the IP address of the LDAP server.
- Select Microsoft AD as the server type.
- Set the administrator DN to cn=administrator,cn=users,dc=test,dc=com,
- Enter the administrator password of the LDAP server.
- Set the base DN to dc=test,dc=com.
- Use the default values for other parameters.
d. Click OK.
Figure 58 Adding an LDAP server
8. Add an LDAP synchronization policy:
a. From the navigation pane, select User Access Policy > LDAP Service > Sync Policy.
b. Click Add.
c. On the page that opens, configure the following parameters:
- Set the policy name to h3c.
- Set the sub-base DN to dc=test,dc=com.
- Use the default values for other parameters.
d. Click Next.
Figure 59 Adding an LDAP synchronization policy
e. In the Access Information area, configure a password used for user authentication after the user is unbound from the LDAP server. This password does not take effect when the user is bound to the LDAP server. In the Access Device Binding Information area, select access service h3c, and then click Finish.
Figure 60 Configuring a password for the access information
Figure 61 Selecting access service h3c
f. On the User Access Policy > LDAP Service > Sync Policy page, click the Synchronize link for the policy to start synchronization.
Figure 62 Synchronizing LDAP user information
Verifying the configuration
# Use a wireless endpoint to connect to the WLAN. When the portal authentication page opens, enter the correct username and password. Verify that the user can pass authentication and come online.
# On the AC, display online portal user information to verify that user h3c has come online.
[H3C] display portal user all
Total portal users: 1
Username: h3c
AP name: ap1
Radio ID: 1
SSID: h3c-imc-ldap
Portal server: imc
State: Online
VPN instance: N/A
MAC IP VLAN Interface
e0cc-f858-4d50 192.168.105.191 1 WLAN-BSS1/0/7
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Web URL: N/A
Configuration files
· AC:
#
domain imc
authentication portal radius-scheme imc
authorization portal radius-scheme imc
accounting portal radius-scheme imc
#
radius scheme imc
primary authentication 192.168.106.88 key simple 12345678
primary accounting 192.168.106.88 key simple 12345678
user-name-format without-domain
nas-ip 192.168.105.190
#
portal server imc
ip 192.168.106.88 key simple 12345678
#
portal web-server imc
url http://192.168.106.88:8080/portal
#
wlan service-template h3c-imc-ldap
ssid h3c-imc-ldap
portal enable method direct
portal domain imc
portal bas-ip 192.168.105.190
portal apply web-server imc
service-template enable
#
wlan ap ap1 model WA6330
serial-id 219801A23V8209E0043Y
radio 1
radio enable
service-template h3c-imc-ldap
#
