11-WLAN Traffic Optimization Configuration Guide

02-User isolation configuration

Configuring user isolation

About user isolation

The user isolation feature isolates packets for users that use the same SSID in the same VLAN or for users that are in the same VLAN. This feature improves user security, relieves the forwarding stress of the device, and reduces consumption of radio resources.

User isolation types

User isolation includes the following types:

·     SSID-based user isolation—Isolates wireless users that use the same SSID in the same VLAN.

·     VLAN-based user isolation—Isolates wired or wireless users in the same VLAN.

·     User group-based user isolation—Isolates wireless users in the same user group or different user groups.

SSID-based user isolation

SSID-based user isolation is applicable to both the local forwarding mode and the centralized forwarding mode.

When SSID-based user isolation is enabled for a service, the device isolates all wireless users that access the network through the service in the same VLAN.

User isolation mechanism in centralized forwarding mode

As shown in Figure 1, the AC centrally forwards the client traffic. Client 1 to Client 3 access the WLAN through AP 1 to AP 3 by using the service named service. Client 1 and Client 2 are in VLAN 100, and Client 3 is in VLAN 200. Enable user isolation on the AC for the service.

·     Client 1 sends broadcast or multicast packets in VLAN 100. When the AC receives the packets, it does not forward them to any APs in the WLAN. The AC forwards the packets only through the wired port to the switch.

·     Client 1 sends unicast packets to Client 2 in VLAN 100. When the AC receives the packets, it discards them instead of forwarding them to AP 2.

Figure 1 Packet forwarding path

User isolation mechanism in local forwarding mode

This mechanism isolates wireless clients on the same AP.

As shown in Figure 2, the APs perform local traffic forwarding for clients. Client 1 to Client 4 access the WLAN through AP 1 to AP 3 by using the service named service. Client 1 to Client 3 are in VLAN 100, and Client 4 is in VLAN 200. Enable SSID-based user isolation on the service for AP 1.

·     Client 1 sends broadcast or multicast packets in VLAN 100.

¡     When AP 1 receives the packets, it does not forward them to Client 2 because user isolation is enabled. The AP forwards the packets only through the wired port to the wired devices in the same VLAN, including AP 2, AP 3, and the host.

¡     When AP 2 receives the packets, it forwards them to Client 3 because user isolation is disabled on AP 2.

¡     When AP 3 receives the packets, it does not forward them to Client 4 because Client 1 and Client 4 are in different VLANs.

·     Client 1 sends unicast packets to Client 2 in VLAN 100. When AP 1 receives the packets, it discards them instead of forwarding them to Client 2.

Figure 2 Packet forwarding path

VLAN-based user isolation

VLAN-based user isolation is applicable to both local and centralized forwarding modes. Table 1 shows the mechanism to isolate traffic of wired users and wireless users.

Table 1 VLAN-based user isolation mechanism

Centralized forwarding:

·     Received unicast packets: The AC discards the packets.

·     Received broadcast or multicast packets: The AC forwards the packets only through wired ports to the wired users in the VLAN. It does not forward the packets to wireless users in the VLAN.

Local forwarding:

·     Received unicast packets: The fit AP discards the packets.

·     Received broadcast or multicast packets: The fit AP forwards the packets through its wired ports to the wired and wireless users in the VLAN. However, the AP does not forward the packets to its own local wireless users in the VLAN.

User isolation mechanism in centralized forwarding mode (packets received from wireless users)

As shown in Figure 3, the AC centrally forwards the client traffic. Enable user isolation on the AC for VLAN 100.

·     Client 1 sends broadcast or multicast packets in VLAN 100. When the AC receives the packets, it does not forward them to any APs in the WLAN. The AC forwards the packets only through the wired port to the switch. The switch then forwards the packets to the wired host and server.

·     Client 1 sends unicast packets to Client 3 in VLAN 100. When the AC receives the packets, it discards them instead of forwarding them to AP 2.

Figure 3 Packet forwarding path

User isolation mechanism in centralized forwarding mode (packets received from wired users)

As shown in Figure 4, the AC centrally forwards the client traffic. Enable user isolation on the AC for VLAN 100.

·     The host sends broadcast or multicast packets in VLAN 100. The server and AC can receive the packets. When the AC receives the packets, it discards them instead of forwarding them to any APs in the WLAN.

·     The host sends unicast packets to Client 3 in VLAN 100. When the AC receives the packets, it discards them instead of forwarding them to AP 2.

Figure 4 Packet forwarding path

User isolation mechanism in local forwarding mode (packets received from wireless users)

As shown in Figure 5, AP 1 performs local forwarding for clients. Enable user isolation on AP 1 for VLAN 100.

·     Client 1 sends broadcast or multicast packets in VLAN 100.

¡     When AP 1 receives the packets, it forwards them to the server, AP 2, and the host in VLAN 100 through the wired port. However, AP 1 does not forward the packets to Client 2 because user isolation is enabled.

¡     When AP 2 receives the packets, it forwards them to Client 3 since user isolation is not enabled on AP 2.

·     Client 1 sends unicast packets to Client 3 in VLAN 100. When AP 1 receives the packets, it discards them instead of forwarding them to AP 2.

Figure 5 Packet forwarding path

User isolation mechanism in local forwarding mode (packets received from wired users)

As shown in Figure 6, AP 1 performs local forwarding for clients. Enable user isolation on AP 1 for VLAN 100.

·     The host sends broadcast or multicast packets in VLAN 100. The server, AC, AP 1, and AP 2 can receive the packets.

¡     When AP 1 receives the packets, it discards them instead of forwarding them to Client 1 and Client 2.

¡     When AP 2 receives the packets, it forwards them to Client 3 since user isolation is not enabled on AP 2.

·     The host sends unicast packets to Client 1 in VLAN 100. When AP 1 receives the packets, it discards them instead of forwarding them to Client 1.

Figure 6 Packet forwarding path

User group-based user isolation

User group-based user isolation is applicable to the centralized forwarding mode. Table 2 shows the mechanism to isolate traffic of wireless users in the same user group or different user groups.

Table 2 User group-based user isolation mechanism

Forwarding mode: Centralized forwarding. The users can be on the same or different APs and in the same or different service VLANs.

Intra-group isolation:

·     Users in the same user group cannot forward unicast packets to each other.

·     Users in a user group can forward unicast packets to users in other user groups.

Inter-group isolation:

·     Users in the same user group can forward unicast packets to each other.

·     Users in a user group cannot forward unicast packets to users in other user groups.

If wireless users are in different service VLANs, you must deploy the gateway on the AC to use the user group-based isolation feature.

User isolation mechanism in centralized forwarding mode

As shown in Figure 7, the AC centrally forwards the client traffic. Client 1 to Client 3 access the WLAN through AP 1 to AP 3. Client 1 and Client 2 are in VLAN 100, and Client 3 is in VLAN 200. The three clients are all authorized with user group Group_100. Configure intra-group isolation for the user group:

·     Client 1 sends unicast packets to Client 2 in VLAN 100. When the AC receives the packets, it discards them instead of forwarding them to AP 2.

·     Client 1 sends unicast packets to Client 3 in VLAN 200. When the AC receives the packets, it discards them instead of forwarding them to AP 3.

Figure 7 Packet forwarding path
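The forwarding decisions described for Figures 1 to 7 and in Tables 1 and 2 can be checked against a small model. The following Python script is an added example, not H3C code: it transcribes the SSID-based, VLAN-based and user group-based rules above into two functions, unicast_allowed and broadcast_receivers, and every class, function and station name in it is this example's own. The permit-unicast keyword, permit-bmc ACLs and any routing other than the "gateway on the AC" case that user group-based isolation needs are not modeled.

```python
"""Toy forwarding model of the three user isolation types in this guide.
Added example, not H3C code: the rules are transcribed from the mechanism
text (Figures 1 to 7) and Tables 1 and 2; all names here are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Station:
    name: str
    vlan: int
    ap: str = ""        # AP a wireless client associates with; "" means a wired user
    service: str = ""   # service template (SSID) used by a wireless client
    group: str = ""     # authorization user group, if any
    mac: str = ""       # constructed sample MAC, only needed for permit-mac checks

    @property
    def wireless(self) -> bool:
        return self.ap != ""


@dataclass
class Policy:
    local_forwarding: bool = False
    gateway_on_ac: bool = False
    # (device, service): "user-isolation enable" in that service template, applied
    # by "AC" in centralized mode or by the named AP in local forwarding mode.
    ssid_isolation: set = field(default_factory=set)
    # (device, vlan): "user-isolation vlan <vlan> enable" on that device.
    vlan_isolation: set = field(default_factory=set)
    permit_mac: set = field(default_factory=set)        # user-isolation vlan ... permit-mac
    permit_broadcast: bool = False                      # user-isolation permit-broadcast
    group_isolation: dict = field(default_factory=dict)  # group -> {"intra-group", ...}


def _group_allows(src: Station, dst: Station, p: Policy) -> bool:
    """User group-based isolation: centralized forwarding, unicast only (Table 2)."""
    if p.local_forwarding or not (src.wireless and dst.wireless and src.group and dst.group):
        return True
    rules = p.group_isolation.get(src.group, set())
    if src.group == dst.group:
        return "intra-group" not in rules
    return "inter-group" not in rules


def unicast_allowed(src: Station, dst: Station, p: Policy) -> bool:
    """True if a unicast frame from src reaches dst under policy p."""
    if src.vlan != dst.vlan:
        # Different VLANs are reachable only when the AC routes between them, and
        # then only the user group-based policy is consulted (Figure 7).
        return p.gateway_on_ac and _group_allows(src, dst, p)
    if not (src.wireless or dst.wireless):
        return True  # wired-to-wired traffic never passes through the AC or an AP
    devices = {s.ap for s in (src, dst) if s.wireless} if p.local_forwarding else {"AC"}
    # VLAN-based: the isolating device discards unicast in an isolated VLAN unless
    # a permitted MAC address (normally the gateway) is source or destination.
    if not ({src.mac, dst.mac} & p.permit_mac):
        if any((d, src.vlan) in p.vlan_isolation for d in devices):
            return False
    # SSID-based: wireless users of the same service template in the same VLAN;
    # in local forwarding mode only clients on the same isolating AP (Figure 2).
    if src.wireless and dst.wireless and src.service == dst.service:
        if p.local_forwarding:
            if src.ap == dst.ap and (src.ap, src.service) in p.ssid_isolation:
                return False
        elif ("AC", src.service) in p.ssid_isolation:
            return False
    return _group_allows(src, dst, p)


def broadcast_receivers(src: Station, stations, p: Policy) -> set:
    """Names of stations that receive a broadcast or multicast frame from src."""
    out = set()
    for dst in stations:
        if dst is src or dst.vlan != src.vlan:
            continue
        if not dst.wireless:
            out.add(dst.name)  # wired users in the VLAN always receive the frame
            continue
        if not p.local_forwarding:
            if src.wireless:
                # Figures 1 and 3: the AC sends the frame to its wired ports only.
                same_ssid = src.service == dst.service and ("AC", src.service) in p.ssid_isolation
                if same_ssid or ("AC", src.vlan) in p.vlan_isolation:
                    continue
            elif ("AC", src.vlan) in p.vlan_isolation and not p.permit_broadcast:
                continue  # Figure 4: the AC drops wired-originated frames
        else:
            # Figures 2, 5 and 6: the AP that serves dst decides for its own clients.
            same_ap = src.wireless and src.ap == dst.ap
            if same_ap and src.service == dst.service and (dst.ap, src.service) in p.ssid_isolation:
                continue
            if (dst.ap, src.vlan) in p.vlan_isolation and (src.wireless or not p.permit_broadcast):
                continue
        out.add(dst.name)
    return out


if __name__ == "__main__":
    # Constructed topology of Figure 2: SSID-based isolation deployed on AP 1 only.
    c1, c2 = Station("Client 1", 100, "AP 1", "service"), Station("Client 2", 100, "AP 1", "service")
    c3, host = Station("Client 3", 100, "AP 2", "service"), Station("Host", 100)
    pol = Policy(local_forwarding=True, ssid_isolation={("AP 1", "service")})
    print(broadcast_receivers(c1, [c1, c2, c3, host], pol), unicast_allowed(c1, c2, pol))
```

Running the script prints the Figure 2 result: the broadcast from Client 1 reaches Client 3 and the host but not Client 2, and the unicast from Client 1 to Client 2 is discarded. The same two functions reproduce the VLAN-based cases of Figures 3 to 6 (including the permit-mac exemption for the gateway and the permit-broadcast option) and the intra-group and inter-group cases of Figure 7.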

Configuration profile support for commands

You can execute some commands of this feature in configuration profile view. For more information, see the command reference for this feature. For more information about configuration profiles, see configuration file management in Fundamentals Configuration Guide.

Enabling SSID-based user isolation

1.     Enter system view.

system-view

2.     Enter service template view.

wlan service-template service-template-name

3.     Enable SSID-based user isolation.

user-isolation enable

By default, SSID-based user isolation is disabled.

Configuring VLAN-based user isolation

Restrictions and guidelines

VLAN-based user isolation applies to both the centralized forwarding mode and the local forwarding mode.

·     In centralized forwarding mode, configure this feature directly on the AC.

·     In local forwarding mode, deploy the feature to the AP through a configuration file. Add the user isolation command lines to the configuration file in the order shown in "Procedure (in centralized forwarding mode or deploying a configuration file to an AP in local forwarding mode)," and then use the map-configuration command on the AC to deploy the configuration file to the AP. For more information about configuration file deployment, see WLAN access in WLAN Access Configuration Guide.

To enable users in a VLAN to access the external network, assign the VLAN gateway MAC address to the permitted MAC address list before you enable VLAN-based user isolation.

Procedure (in centralized forwarding mode or deploying a configuration file to an AP in local forwarding mode)

1.     Enter system view.

system-view

2.     Configure the permitted MAC address list for a list of VLANs.

user-isolation vlan vlan-list permit-mac mac-list

By default, no permitted MAC addresses are configured for a VLAN.

3.     Enable user isolation for a list of VLANs.

user-isolation vlan vlan-list enable [ permit-unicast ]

By default, user isolation is disabled for a VLAN.

4.     (Optional.) Permit broadcast and multicast traffic sent from wired users to wireless users.

user-isolation permit-broadcast

By default, the device does not forward broadcast or multicast traffic sent from wired users to wireless users in the VLANs where user isolation is enabled.

5.     (Optional.) Permit wireless users in the specified VLANs to receive broadcast and multicast traffic that matches an ACL.

user-isolation vlan vlan-list permit-bmc acl [ ipv6 ] acl-number

By default, wireless users in a VLAN cannot receive broadcast or multicast traffic.
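The restriction above (the gateway MAC address must be in the permitted MAC address list before user isolation is enabled for the VLAN) is easy to violate when the command lines are written into a configuration file for map-configuration. The following Python checker is an added example, not an H3C tool: it re-checks that one ordering rule and the MAC address format used in this guide over the command lines of such a file, which the local forwarding example later in this document writes as system-view followed by the user-isolation commands. The "a to b" range form of vlan-list and the function names are this example's assumptions.

```python
"""Pre-deployment check of the VLAN-based user isolation lines in an AP
configuration file. Added example, not H3C code; only the two commands shown
in the procedure above are parsed."""
import re

# MAC address notation used in this guide, e.g. 000f-e212-7788
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
PERMIT_RE = re.compile(r"^user-isolation vlan (.+?) permit-mac (.+)$")
ENABLE_RE = re.compile(r"^user-isolation vlan (.+?) enable( permit-unicast)?$")


def parse_vlan_list(text):
    """Expand "100", "100 200" or "100 to 102" (range form assumed) into VLAN IDs."""
    ids, tokens, i = [], text.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.append(int(tokens[i]))
            i += 1
    return ids


def check_isolation_config(lines, gateway_mac):
    """Return a list of findings; an empty list means the file follows the guide."""
    if isinstance(lines, str):
        lines = lines.splitlines()
    findings = []
    permitted = {}   # VLAN ID -> MAC addresses permitted so far (in file order)
    enabled = set()  # VLAN IDs for which isolation has already been enabled
    first = next((ln.strip() for ln in lines if ln.strip()), "")
    if first != "system-view":
        findings.append("line 1: file should start with system-view, as in the guide's example")
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = PERMIT_RE.match(line)
        if m:
            macs = m.group(2).split()
            for mac in macs:
                if not MAC_RE.match(mac):
                    findings.append(f"line {n}: malformed MAC address {mac}")
            for v in parse_vlan_list(m.group(1)):
                if v in enabled:
                    # The guideline requires permit-mac before enable for the VLAN.
                    findings.append(f"line {n}: permit-mac for VLAN {v} comes after enable")
                permitted.setdefault(v, set()).update(macs)
            continue
        m = ENABLE_RE.match(line)
        if m:
            for v in parse_vlan_list(m.group(1)):
                enabled.add(v)
                if gateway_mac not in permitted.get(v, set()):
                    findings.append(f"line {n}: VLAN {v} enabled without gateway MAC "
                                    f"{gateway_mac} in its permitted MAC address list")
    return findings


if __name__ == "__main__":
    # Constructed file in the order the guide requires
    good = ["system-view",
            "user-isolation vlan 100 permit-mac 000f-e212-7788",
            "user-isolation vlan 100 enable"]
    print(check_isolation_config(good, "000f-e212-7788"))   # []
```

A file that enables isolation for VLAN 100 before permitting the gateway MAC produces two findings, one at the enable line (gateway not yet permitted) and one at the later permit-mac line (wrong order); the users in that VLAN would lose external access until the order is corrected.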

Configuring user group-based user isolation

About this task

To isolate wireless services by user group, you can authorize user groups to wireless users and configure user group-based isolation in user group view. User group-based isolation policies include the following types:

·     Intra-group isolation—Prevents users in the same group from reaching each other at Layer 2 or Layer 3.

·     Inter-group isolation—Prevents users in a group from communicating with users in other groups.

Restrictions and guidelines

User group-based user isolation takes effect only on unicast packets in a WLAN enabled with centralized forwarding.

If wireless users are in different service VLANs, you must deploy the gateway on the AC to use the user group-based isolation feature.

If a user in a user group has already been assigned the user group-based isolation policy, do not delete or edit the group. Deleting or editing such a user group might leave the isolation policy in an inconsistent state.

Procedure

1.     Enter system view.

system-view

2.     Create a user group and enter user group view.

user-group group-name

By default, a user group named system exists on the device.

3.     Configure a user group-based user isolation policy.

user-isolation { intra-group | inter-group } *

By default, no user group-based user isolation policy is configured.

User group-based user isolation takes effect only on unicast packets in a WLAN enabled with centralized forwarding.

For more information about the configurations of user groups and user group-based user isolation policies, see AAA configuration in User Access and Authentication Configuration Guide.

Verifying and maintaining user isolation

Displaying user isolation statistics

To display VLAN-based user isolation statistics, execute the following command in any view:

display user-isolation statistics [ vlan vlan-id ]

Clearing user isolation statistics

To clear VLAN-based user isolation statistics, execute the following command in user view:

reset user-isolation statistics [ vlan vlan-id ]

User isolation configuration examples

Example: Configuring SSID-based user isolation in centralized forwarding mode

Network configuration

As shown in Figure 8, Client 1 and Client 2 use the same SSID to access the Internet. The AC centrally forwards the client traffic.

Configure user isolation on the AC to isolate the clients from each other while providing Internet access for the clients.

Figure 8 Network diagram

Procedure

# Configure Client 1 and Client 2 to access the Internet through service template service. For more information, see WLAN access in WLAN Access Configuration Guide and AP management in AP and WT Management Configuration Guide. (Details not shown.)

# Enable SSID-based user isolation for service template service.

<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] user-isolation enable

[AC-wlan-st-service] quit

Verifying the configuration

# Verify that Client 1 and Client 2 can use service service to access the Internet but cannot access each other. (Details not shown.)

Example: Configuring SSID-based user isolation in local forwarding mode

Network configuration

As shown in Figure 9, Client 1 and Client 2 use the same SSID to access the Internet. The APs perform local traffic forwarding.

Configure user isolation for AP 1 to isolate the clients from each other while providing Internet access for the clients.

Figure 9 Network diagram

Procedure

# Configure Client 1 and Client 2 to access the Internet through service template service1. Configure the APs to perform local traffic forwarding for the clients. For more information, see WLAN access in WLAN Access Configuration Guide and AP management in AP and WT Management Configuration Guide. (Details not shown.)

# Enable SSID-based user isolation for service template service1.

<AC> system-view

[AC] wlan service-template service1

[AC-wlan-st-service1] user-isolation enable

[AC-wlan-st-service1] quit

Verifying the configuration

# Verify that Client 1 and Client 2 can use service service1 to access the Internet but cannot access each other. (Details not shown.)

Example: Configuring VLAN-based user isolation in centralized forwarding mode

Network configuration

As shown in Figure 10, the AC centrally forwards the client traffic and the router acts as the gateway of the devices in VLAN 100. The MAC address of the gateway is 000f-e212-7788.

Configure user isolation for VLAN 100 on the AC to meet the following requirements:

·     Client 1, Client 2, Client 3, the host, and the server can access the Internet. For this purpose, add the MAC address of the gateway to the permitted MAC address list.

·     When Client 1 forwards broadcast packets, only the host and the server can receive the packets.

·     Client 1, Client 2, and Client 3 cannot reach one another.

Figure 10 Network diagram

Procedure

# Configure Client 1, Client 2, and Client 3 to access the Internet through WLAN. For more information, see WLAN access in WLAN Access Configuration Guide and AP management in AP and WT Management Configuration Guide. (Details not shown.)

# Assign the MAC address of the gateway to the permitted MAC address list.

<AC> system-view

[AC] user-isolation vlan 100 permit-mac 000f-e212-7788

# Enable VLAN-based user isolation for VLAN 100.

[AC] user-isolation vlan 100 enable

Verifying the configuration

# Verify that Client 1, Client 2, Client 3, the host, and the server in VLAN 100 can access the Internet. (Details not shown.)

# Verify that only the host and the server can receive broadcast packets from Client 1. (Details not shown.)

# Verify that Client 1, Client 2, and Client 3 cannot reach one another. (Details not shown.)

Example: Configuring VLAN-based user isolation in local forwarding mode (via configuration file deployment)

Network configuration

As shown in Figure 11, AP 1 performs local traffic forwarding for the clients and the router acts as the gateway of the devices in VLAN 100. The MAC address of the gateway is 000f-e212-7788.

Configure user isolation for VLAN 100 on AP 1 to meet the following requirements:

·     Client 1, Client 2, Client 3, the host, and the server can access the Internet. For this purpose, add the MAC address of the gateway to the permitted MAC address list.

·     When Client 1 forwards broadcast packets, only the host, the server, and Client 3 can receive the packets.

·     Client 1 and Client 2 cannot reach each other.

Figure 11 Network diagram

Procedure

# Configure Client 1, Client 2, and Client 3 to access the Internet through WLAN. For more information, see WLAN access in WLAN Access Configuration Guide and AP management in AP and WT Management Configuration Guide. (Details not shown.)

# Create configuration file apcfg.txt and add user isolation command lines in the following order into the configuration file. You must place the command for adding the gateway MAC address to the permitted MAC address list before the command for enabling user isolation.

system-view

user-isolation vlan 100 permit-mac 000f-e212-7788

user-isolation vlan 100 enable

# Upload configuration file apcfg.txt to the AC. (Details not shown.)

# Issue configuration file apcfg.txt to AP 1.

<AC> system-view

[AC] wlan ap ap1 model WA6520

[AC-wlan-ap-ap1] map-configuration apcfg.txt

Verifying the configuration

# Verify that Client 1, Client 2, Client 3, the host, and the server in VLAN 100 can access the Internet. (Details not shown.)

# Verify that only the host, the server, and Client 3 can receive broadcast packets from Client 1. (Details not shown.)

# Verify that Client 1 and Client 2 cannot reach each other. (Details not shown.)

Example: Configuring user group-based user isolation in centralized forwarding mode

Network configuration

As shown in Figure 12, the AC centrally forwards the client traffic. Configure user group-based user isolation on the AC, based on the authorization user group, to prevent Client 1, Client 2, and Client 3 from reaching one another while allowing the clients to access the Internet.

Figure 12 Network diagram

Procedure

This example provides only basic AAA settings, including RADIUS. For more information about AAA configuration, see User Access and Authentication Configuration Guide.

1.     Configure the AC:

a.     Configure 802.1X and the RADIUS scheme:

# Configure the AC to use EAP relay to authenticate 802.1X clients.

<AC> system-view

[AC] dot1x authentication-method eap

# Create a RADIUS scheme.

[AC] radius scheme imcc

# Specify the primary authentication server and the primary accounting server.

[AC-radius-imcc] primary authentication 192.168.66.141 1812

[AC-radius-imcc] primary accounting 192.168.66.141 1813

# Set the shared key for secure communication with the server to 12345678 in plain text.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Exclude domain names in the usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

b.     Configure AAA methods for the ISP domain:

# Create an ISP domain named imc.

[AC] domain imc

# Configure the ISP domain to use RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

c.     Configure a service template:

# Create a service template named wlas_imc_peap.

[AC] wlan service-template wlas_imc_peap

# Set the authentication mode to 802.1X.

[AC-wlan-st-wlas_imc_peap] client-security authentication-mode dot1x

# Specify ISP domain imc for the service template.

[AC-wlan-st-wlas_imc_peap] dot1x domain imc

# Set the SSID to wlas_imc_peap.

[AC-wlan-st-wlas_imc_peap] ssid wlas_imc_peap

# Set the AKM mode to 802.1X.

[AC-wlan-st-wlas_imc_peap] akm mode dot1x

# Set the CCMP cipher suite.

[AC-wlan-st-wlas_imc_peap] cipher-suite ccmp

# Enable the RSN-IE in the beacon and probe responses.

[AC-wlan-st-wlas_imc_peap] security-ie rsn

# Enable the service template.

[AC-wlan-st-wlas_imc_peap] service-template enable

[AC-wlan-st-wlas_imc_peap] quit

d.     Configure manual AP ap1, and bind the service template to an AP radio:

# Create ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind service template wlas_imc_peap to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template wlas_imc_peap

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

e.     Create user group intraGroup, and configure intra-group user isolation for the user group.

[AC] user-group intraGroup

[AC-ugroup-intragroup] user-isolation intra-group

[AC-ugroup-intragroup] quit

2.     Configure the RADIUS server:

In this example, the RADIUS server runs IMC PLAT 7.3 and IMC UAM 7.3, and the EAP-PEAP certificate has been installed.

# Add an access device:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c.     Click Add.

The Add Access Device page appears.

d.     In the Access Configuration area, configure the following parameters, as shown in Figure 13:

-     Enter 12345678 in the Shared Key and Confirm Shared Key fields.

-     Use the default values for other parameters.

e.     In the Device List area, click Select or Add Manually to add the device at 192.168.66.103 as an access device.

f.     Click OK.

Figure 13 Adding an access device

# Add an access policy:

g.     Click the User tab.

h.     From the navigation tree, select User Access Policy > Access Policy.

i.     Click Add.

j.     On the Add Access Policy page, configure the following parameters, as shown in Figure 14:

-     Enter intra in the Access Policy Name field.

-     Select EAP-PEAP from the Preferred EAP Type list, and select EAP-MSCHAPv2 from the Subtype list.

The certificate subtype on the IMC server must be the same as the identity authentication method configured on the client.

-     Enter intraGroup in the Deploy User Group field.

k.     Click OK.

Figure 14 Adding an access policy

# Add an access service:

l.     Click the User tab.

m.     From the navigation tree, select User Access Policy > Access Service.

n.     Click Add.

o.     On the Add Access Service page, configure the following parameters, as shown in Figure 15:

-     Enter aaa_intra in the Service Name field.

-     Select intra from the Default Access Policy list.

p.     Click OK.

Figure 15 Adding an access service

# Add an access user:

q.     Click the User tab.

r.     From the navigation tree, select Access User > All Access Users.

The access user list appears.

s.     Click Add.

The Add Access User page appears.

t.     In the Access Information area, configure the following parameters, as shown in Figure 16:

-     Click Select or Add User to associate the user with IMC Platform user user.

-     Enter intra in the Account Name field.

-     Enter 12345678 in the Password and Confirm Password fields.

u.     In the Access Service area, select aaa_intra from the list.

v.     Click OK.

Figure 16 Adding an access user account

Verifying the configuration

# Verify that each client can pass 802.1X authentication and associate with the corresponding AP. (Details not shown.)

# Use the display wlan client verbose command to view the online status and authorization user group information of each client.

[AC] display wlan client verbose

Total number of clients: 3

MAC address                       : 5213-5677-11a7

IPv4 address                      : 192.168.125.100

...

Authorization user group name  : intraGroup

MAC address                       : 72c8-a028-8aab

IPv4 address                      : 192.168.125.101

...

Authorization user group name : intraGroup

MAC address                       : 04b1-6704-7847

IPv4 address                      : 192.168.126.100

...

Authorization user group name  : intraGroup

# Verify that Client 1, Client 2, and Client 3 can access the Internet but cannot reach one another. (Details not shown.)

 
