Example for Configuring MAC Address Authentication to Control Access of Wireless Office Devices (V200R008C00 and earlier versions)

Latest reply: Mar 23, 2017 15:56:53

 

MAC Address Authentication on the Wireless Side Overview

Portal authentication is also called web authentication. Generally, Portal authentication websites are also called Portal websites. When users go online, they must be authenticated on Portal websites. The users can use network resources only after they pass the authentication. A user can access a known Portal authentication website and enter a user name and password for authentication. This mode is called active authentication. If a user attempts to access other external networks through HTTP, the device forcibly redirects the user to the Portal authentication website for Portal authentication. This mode is called forcible authentication.

Configuration Notes

- The Cisco Identity Services Engine (ISE) 2.0.0.306 functions as the RADIUS server in this example.

- In the service data forwarding mode, the management VLAN and service VLAN cannot be the same. If you use direct forwarding, you are advised not to use the same VLAN as both the management VLAN and the service VLAN.

- If direct forwarding is used, configure port isolation on the interfaces that directly connect to APs. If port isolation is not configured, large numbers of broadcast packets will be transmitted in the VLANs, or WLAN users on different APs will be able to communicate directly at Layer 2.

- Configure the management VLAN and service VLAN:

  In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel and then forwarded to the AC. The AC then forwards the packets to the upper-layer network or APs. Therefore, service packets and management packets can be forwarded normally only when the network between the AC and APs is added to the management VLAN and the network between the AC and the upper-layer network is added to the service VLAN.

  In direct forwarding mode, service packets are not encapsulated in a CAPWAP tunnel but are forwarded directly to the upper-layer network or APs. Therefore, service packets and management packets can be forwarded normally only when the network between the AC and APs is added to the management VLAN and the network between the APs and the upper-layer network is added to the service VLAN.

- How to configure the source interface:

  In V200R005 and V200R006, run the wlan ac source interface { loopback loopback-number | vlanif vlan-id } command in the WLAN view.

  In V200R007 and V200R008, run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view.

- No ACK mechanism is provided for multicast packet transmission on air interfaces, and wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, multicast services may be affected.

  In direct forwarding mode, you are advised to configure multicast packet suppression on the switch interfaces connected to APs.

  In tunnel forwarding mode, you are advised to configure multicast packet suppression in the traffic profiles of the AC.

For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the corresponding product version.

- The following table lists applicable products and versions.

Table 1-1 Applicable products and versions

NOTE (applies to every row of the table): For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services; S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services; S9703 switches are not recommended.

Software Version: V200R005C00
  Product Model: S7700, S9700
  AP Model and Version:
    V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN

Software Version: V200R006C00
  Product Model: S5720HI, S7700, S9700
  AP Model and Version:
    V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN

Software Version: V200R007C00
  Product Model: S5720HI, S7700, S9700
  AP Model and Version:
    V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
    V200R005C20: AP7030DE, AP9330DN

Software Version: V200R008C00
  Product Model: S5720HI, S7700, S9700
  AP Model and Version:
    V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
    V200R005C20: AP7030DE, AP9330DN
    V200R005C30: AP2030DN, AP4030DN, AP4130DN

 

Networking Requirements

As shown in Figure 1-1, an enterprise's AC connects to the egress gateway (Router) and RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID of test is available for wireless users and terminals to access network resources. The gateway also functions as a DHCP server to provide IP addresses on the 10.10.10.0/24 network segment for STAs. The AC controls and manages STAs.

The WLAN authentication client cannot be installed on wireless devices that provide public services, such as wireless printers and phones, so MAC address authentication is used instead. The RADIUS server authenticates these wireless devices by their MAC addresses. Users do not need to enter any credentials when the STAs access the WLAN, which makes the WLAN services easy to use.

Figure 1-1 Networking diagram for configuring MAC address authentication on the wireless side


 

Data Planning

Table 1-2 Data planning

Configuration Item: Data

- WLAN service: open system authentication + no encryption
- Management VLAN: VLAN 100
- Service VLAN: VLAN 101
- Source interface on the AC: VLANIF 100: 192.168.10.1/24
- AC carrier ID/AC ID: Other/1
- AP region ID: 10
- Service set: SSID test; data forwarding mode: tunnel forwarding
- SwitchA VLAN: VLAN 100
- DHCP server: the AC assigns IP addresses 192.168.10.2 to 192.168.10.254/24 to APs; the Router assigns IP addresses 10.10.10.2 to 10.10.10.254/24 to STAs
- Gateway for the AP: VLANIF 100: 192.168.10.1/24
- Gateway for STAs: VLANIF 101: 10.10.10.1/24
- RADIUS authentication parameters: IP address 10.12.10.1; port number 1812; shared key 123456; AAA domain huawei.com
- MAC address of a STA: 0011-2233-4455

 

Configuration Roadmap

1. Configure basic WLAN services on the AC so that STAs can connect to the WLAN. This example uses the default configuration parameters.

2. Configure RADIUS authentication on the AC and set the parameters that allow the AC to communicate with the RADIUS server.

3. On the AC, configure MAC address authentication on the WLAN-ESS interface for STA identity authentication.

4. On the ISE server, configure the authentication device information, user information, and the MAC address authentication function to implement device access, user access, and MAC address authentication.

Procedure

Step 1: Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the AC so that the AP and AC can exchange CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2 that connects SwitchA to the AC to the same VLAN.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2: Configure the AC to communicate with the upstream device.

# Configure VLANIF 101 (service VLAN), VLANIF 102, and VLANIF 103.

[AC] vlan batch 101 102 103
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.11.10.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.12.10.2 24
[AC-Vlanif103] quit

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.

[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.

[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit

# On the AC, configure a static route.

[AC] ip route-static 0.0.0.0 0.0.0.0 10.11.10.1

Step 3: Configure the AC to assign an IP address to the AP, and the Router to assign IP addresses to STAs.

# Configure the AC to assign an IP address to the AP from an interface IP address pool.

[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface 
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.

[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay 
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.

<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta 
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.11.10.1 24
[Router-Vlanif102] dhcp select global 
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 10.11.10.2 

Step 4: Configure RADIUS authentication.

1. Configure a RADIUS server template, an AAA authentication scheme, and domain information.


The STA sends its MAC address as the user name to the RADIUS server for authentication, so the AC must not append a domain name to the user name (this is the default setting).

[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.12.10.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher 123456   
[AC-radius-radius_huawei] calling-station-id mac-format hyphen-split mode2  
[AC-radius-radius_huawei] radius-attribute set service-type 10  
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius   
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

2. Globally configure MAC address authentication to use user names without the delimiter "-" (default setting).

3. Test whether a STA can be authenticated through RADIUS. In MAC address authentication, the STA's MAC address is used as both the user name and the password.

[AC] test-aaa 001122334455 001122334455 radius-template radius_huawei
Info: Account test succeed.
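The exchange that the test-aaa check above exercises, and that the ISE endpoint check in Step 10 answers, as an added Python model that is not part of the original post or of any Huawei or Cisco code: it builds the Access-Request the AC sends (MAC as user name and PAP-hidden password, Calling-Station-Id in hyphen-split mode2, Service-Type 10) and decides it against a registered-endpoint list with the page's shared key 123456. Reading "hyphen-split mode2" as XX-XX-XX-XX-XX-XX and the server-side decision rule are my assumptions; the password hiding follows RFC 2865.

```python
import hashlib
import os
import struct

SHARED_SECRET = b"123456"      # shared key from Table 1-2
STA_MAC = "0011-2233-4455"     # STA MAC address from Table 1-2
SERVICE_TYPE_CALL_CHECK = 10   # value set by "radius-attribute set service-type 10"
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31  # RFC 2865


def mac_formats(mac):
    """Return the MAC in the formats the page uses. Reading "hyphen-split mode2"
    as XX-XX-XX-XX-XX-XX is my assumption about the Huawei option."""
    h = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(h) != 12 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a MAC address: %r" % mac)
    return {
        "unformatted": h,  # user name and password without the "-" delimiter
        "hyphen-split mode2": "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    }


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; the previous *hidden* block feeds the next key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(mac, secret, ident=1, authenticator=None):
    """Access-Request as the AC sends it in Step 4: MAC as user name and
    password (PAP), Calling-Station-Id in mode2, Service-Type Call-Check."""
    authenticator = authenticator or os.urandom(16)
    user = mac_formats(mac)["unformatted"].encode()
    attrs = [
        (USER_NAME, user),
        (USER_PASSWORD, pap_hide(user, secret, authenticator)),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        (CALLING_STATION_ID, mac_formats(mac)["hyphen-split mode2"].encode()),
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Split a RADIUS packet into (code, authenticator, {attribute type: value})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length and packet[pos + 1] >= 2:  # stop on a malformed TLV
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, packet[4:20], attrs


def server_decide(packet, secret, endpoints):
    """Model of the Step 10 ISE check (my simplification, not ISE's own logic):
    user name must be a registered endpoint MAC and the PAP password must match it."""
    code, authenticator, attrs = parse_packet(packet)
    user = attrs.get(USER_NAME, b"")
    password = pap_reveal(attrs.get(USER_PASSWORD, b""), secret, authenticator)
    known = {mac_formats(m)["unformatted"].encode() for m in endpoints}
    ok = (code == 1 and user in known and password == user
          and attrs.get(SERVICE_TYPE) == struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
    return "Access-Accept" if ok else "Access-Reject"
```

A mismatched shared key on either side turns the revealed password into garbage, so the decision flips to Access-Reject exactly as a wrong key does in the page's test-aaa check.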

Step 5: Configure AC system parameters.

# Configure the country code.

[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use 
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.

[AC] wlan ac-global ac id 1 carrier id other

# Configure the source interface.

[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6: Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.

[AC-wlan-view] display ap-type all
  All AP types information:     
  ------------------------------------------------------------------------------
  ID     Type                   
  ------------------------------------------------------------------------------
  17     AP6010SN-GN            
                  
  21     AP6310SN-GN             
  23     AP6510DN-AGN           
  25     AP6610DN-AGN           
  27     AP7110SN-GN            
  28     AP7110DN-AGN           
  29     AP5010SN-GN            
  30     AP5010DN-AGN           
  31     AP3010DN-AGN           
  33     AP6510DN-AGN-US        
  34     AP6610DN-AGN-US        
  35     AP5030DN               
  36     AP5130DN               
  37     AP7030DE                                                               
  38     AP2010DN                                                                
  39     AP8130DN                                                               
  40     AP8030DN                                                               
  42     AP9330DN                                                                
  43     AP4030DN                                                               
  44     AP4130DN                                                               
  45     AP3030DN                                                                
  46     AP2030DN                                                               
  ------------------------------------------------------------------------------
  Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the AP offline based on the AP type ID. Assume that the AP type is AP6010DN-AGN, and the MAC address of the AP is 60de-4476-e360.

[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.

[AC-wlan-view] ap-region id 10 
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 
[AC-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP running status. The command output shows that the AP status is normal.

[AC-wlan-view] display ap all
  All AP information:           
  Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]       
  Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]            
  ------------------------------------------------------------------------------
  AP    AP               AP              Profile   AP              AP           
                                         /Region                                
  ID    Type             MAC             ID        State           Sysname      
  ------------------------------------------------------------------------------
  0     AP6010DN-AGN     60de-4476-e360  0/10                ap-0         
  ------------------------------------------------------------------------------
  Total number: 1,printed: 1   

Step 7: Configure WLAN service parameters.

# Create a WMM profile named wmm.

[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the radio profile.

[AC-wlan-view] radio-profile name radio id 1 
[AC-wlan-radio-prof-radio] wmm-profile name wmm 
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.

[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.

[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.

[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security profile, and traffic profile to the service set.

[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test   
[AC-wlan-service-set-test] wlan-ess 1 
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101   
[AC-wlan-service-set-test] forward-mode tunnel   
[AC-wlan-service-set-test] quit

Step 8: Configure MAC address authentication on the WLAN-ESS interface.

[AC-wlan-view] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] authentication mac-authen
[AC-Wlan-Ess1] domain name huawei.com force
[AC-Wlan-Ess1] permit-domain name huawei.com
[AC-Wlan-Ess1] quit
[AC] wlan

Step 9: Configure a VAP and deliver the VAP parameters to the AP.

# Configure a VAP.

[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio 
[AC-wlan-radio-0/0] service-set name test 
[AC-wlan-radio-0/0] quit

# Commit the configuration.

[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y

Step 10: Configure the ISE server.

# Log in to the ISE server.

1. Enter the access address of the ISE server in the address bar, in the format https://ISE-IP, where ISE-IP is the IP address of the ISE server.

2. On the displayed page, enter the user name and password to log in to the ISE server.

# Create user account information. Choose Administration > Identity Management > Identities, and click Endpoints. In the pane on the right side, click Add to add MAC addresses.


 

# Add AC information so that the ISE can interwork with the AC. Choose Administration > Network Resources > Network Devices. In the pane on the right side, click Add to add AC information.

Parameter: Value (Remarks)

- Name: AC
- IP Address: 10.12.10.2/32 (the IP address of the AC must be reachable from the ISE server)
- Shared Secret: 123456 (must be the same as the RADIUS shared key configured on the AC)

 


 

# Configure allowed authentication and encryption protocols. Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols, and click Add to configure allowed authentication and encryption protocols. MAC address authentication uses the PAP authentication protocol.


 

# Configure authentication and authorization policies. Choose Policy > Authentication. Policy Type can be set to Simple or Rule-based. In this example, set it to Simple. Then, bind the user information and allowed authentication protocols configured in previous steps to the authentication policy.


 

Step 11: Verify the configuration.

- The WLAN with SSID test is available to STAs connected to the AP.

- After the WLAN function is enabled on the wireless devices, they can access the WLAN and provide public services.

- After a STA connects to the WLAN, authentication is performed automatically and the STA can use the WLAN directly.

----End

Configuration Files

- Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

- Configuration file of the Router

#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
 gateway-list 10.10.10.1
 network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
 ip address 10.11.10.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return

- Configuration file of the AC

#
sysname AC
#
 vlan batch 100 to 103
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
 radius-server authentication 10.12.10.1 1812 weight 80
 radius-server shared-key cipher %@%@hH67%f}f8X"AE&Pw`wS~{:;0%@%@
 calling-station-id mac-format hyphen-split mode2 
 radius-attribute set Service-Type 10
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.10.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
 ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
 ip address 10.12.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface Wlan-Ess1
 port trunk allow-pass vlan 101 
 authentication mac-authen
 permit-domain name huawei.com
 domain name huawei.com force
#
wlan
 wlan ac source interface vlanif100
 ap-region id 10
 ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287
  region-id 10
 wmm-profile name wmm id 1
 traffic-profile name traffic id 1
 security-profile name security id 1
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 101
 radio-profile name radio id 1
  wmm-profile id 1
 ap 0 radio 0
  radio-profile id 1
  service-set id 1 wlan 1
#
return

Created Mar 23, 2017 15:56:53