MAC + portal authentication for wireless user (MAC first)

Created Dec 25, 2018 20:48:45 | Latest reply Dec 29, 2018 14:06:44



1. Wireless user association, AC initiates MAC certification if authentication fails

2. The client obtains an IP address and initiates the authentication request through the HTTP protocol.

3. CHAP (Challenge Handshake Authentication Protocol) authentication interaction between the portal server and the access device.

4. The Portal server encapsulates the user name and password entered by the user into the authentication request message sent to the access device.

5. Interaction between the access device and the authentication server for authentication messages.

6. The access device sends the authentication answer message to the Portal server.

7. The Portal server sends authentication to the client through the message, informing the client that the authentication was successful.

8. The Portal server sends a certification response confirmation to the access device.

configuration example


#
radius-server template controller_12.36
 radius-server shared-key cipher %^%#}gu$V!77QTf_=E.XK49#cLg'Smo}T!v8mIBwkKz0%^%#
 radius-server authentication 12.12.12.36 1812 weight 80
#
aaa
 authentication-scheme radius
  authentication-mode radius
 domain radius
  authentication-scheme radius
  radius-server controller_12.36
#

#
web-auth-server controller_12.36
 server-ip 12.12.12.36
 port 50100
 shared-key cipher %^%#NL[;Z]3E*(wML.1b2*x'zG\t-\e)$98$R;:Qnh"V%^%#
 url http://12.12.12.36:8080/portal
#
portal-access-profile name portal_access_profile
 web-auth-server controller_12.36 direct
#
mac-access-profile name mac_access_profile
#
free-rule-template name default_free_rule
 free-rule 0 destination ip 8.8.8.8 mask 255.255.255.255
#
authentication-profile name mac_portal
 mac-access-profile mac_access_profile
 portal-access-profile portal_access_profile
 free-rule-template default_free_rule
 access-domain radius
#

#
wlan
 ssid-profile name mac_portal
  ssid mac_portal_129_33
 vap-profile name mac_portal
  forward-mode tunnel
  service-vlan vlan-id 200
  ssid-profile mac_portal
  authentication-profile mac_portal
 ap-group name default
  radio 0
   vap-profile mac_portal wlan 2
#
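
Added example (not part of the original post, and not Huawei code): a minimal model of the CHAP exchange in steps 3 to 6, using the RFC 1994 MD5 computation. The `AccessDevice` and `RadiusServer` classes, the user name and the passwords are constructed for illustration; Portal and RADIUS packet formats are not modelled.

```python
import hashlib
import hmac
import os

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

class RadiusServer:
    """Hypothetical stand-in for the authentication server (step 5)."""
    def __init__(self, users: dict):
        self.users = users  # username -> password (constructed sample data)

    def verify(self, user, chap_id, challenge, response) -> bool:
        password = self.users.get(user)
        if password is None:
            return False
        expected = chap_response(chap_id, password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

class AccessDevice:
    """Hypothetical stand-in for the AC: issues challenges, relays results."""
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.pending = {}   # chap_id -> outstanding challenge
        self.next_id = 0

    def new_challenge(self):                      # step 3
        chap_id, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[chap_id] = os.urandom(16)    # fresh, unpredictable
        return chap_id, self.pending[chap_id]

    def authenticate(self, user, chap_id, response) -> bool:   # steps 4-6
        challenge = self.pending.pop(chap_id, None)  # single use: no replay
        if challenge is None:
            return False
        return self.radius.verify(user, chap_id, challenge, response)

def demo():
    ac = AccessDevice(RadiusServer({"alice": b"constructed-password"}))
    # Portal server side: turn the typed password into a CHAP response.
    chap_id, challenge = ac.new_challenge()
    resp = chap_response(chap_id, b"constructed-password", challenge)
    accepted = ac.authenticate("alice", chap_id, resp)
    replayed = ac.authenticate("alice", chap_id, resp)   # same message again
    chap_id2, challenge2 = ac.new_challenge()
    wrong = ac.authenticate("alice", chap_id2,
                            chap_response(chap_id2, b"wrong", challenge2))
    return accepted, replayed, wrong
```

`demo()` returns the outcome of a valid login, a replay of the same response, and a wrong password, in that order.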



Mysterious.color  Novice   Created Dec 25, 2018 21:35:15

good to see call flow

find what you love and let it kill you.
yjhd     Created Dec 28, 2018 10:06:44

Portal server sends a certification response confirmation to the access device

configuration example

SupperRobin  Novice   Created Dec 29, 2018 11:06:43

Check whether the Portal server can work properly and whether the Portal service can be used properly.

If the Portal server works properly, check the network connectivity between the Portal server and device. If the network connection is disconnected, restore the network connection.
If the Portal server cannot work properly, restore the Portal server to the normal state.

Finn92  Novice   Created Dec 29, 2018 11:15:48

There are potential security risks to enterprise information if no access control is configured for the WLAN. To meet high security requirements of the enterprise, only specified STAs are allowed to access the WLAN. These STAs need to be authenticated before users of the STAs can be authenticated. MAC address + 802.1X hybrid authentication is an appropriate choice in this scenario, in which a RADIUS server is deployed to authenticate the identity of wireless users.

Torrent     Created Dec 29, 2018 14:06:44

7. Portal server sends authentication to the client through the message, informing the client that the authentication was successful.

8. Portal server sends a certification response confirmation to the access device

configuration example
Thanks for sharing, we learned a lot