
WLAN access authentication [From Beginner to Expert - WLAN Fundamentals] - Section 11 Highlighted

Latest reply: Mar 16, 2021 13:50:59

Hello there, Community!


This post describes WLAN access authentication, as part of the From Beginner to Expert - WLAN Fundamentals section on the Community. Please have a look below for more details.


1.1 Ubiquitous Portal Authentication

Scenario 1: In Beijing Capital International Airport, Jim switched on his mobile phone and searched for a Wi-Fi network. When the Wi-Fi login page was displayed, Jim entered the mobile phone number to obtain the password, and then entered the password to access the Internet and browse Twitter.

Scenario 2: In a small restaurant, Leo scanned a QR code on the table using his mobile phone. On the Internet connection page that was displayed, Leo tapped the Internet connection button to access the Internet in anonymous mode and shared food pictures with friends.

Scenario 3: In a hotel, John obtained a user name (room number) and a random password when he checked in. After entering the user name and password to connect to the Wi-Fi network using the mobile phone, John downloaded an offline map.

In all the preceding authentication modes for the Internet connection, a login page is displayed, which is the Portal authentication page.

Portal authentication has the following advantages:

  • No client needs to be installed. Authentication is performed on web pages, which simplifies authentication and reduces the client maintenance workload.

  • Business operation is convenient. Business operations such as displaying advertisements and bulletins and promoting enterprise brands can be implemented on portal pages.

  • An accounting function is provided to limit the Internet connection duration of terminals.

With so many advantages, Portal authentication is widely used.

1.2 Portal Authentication Overview

According to Internet access regulations, terminals must be successfully authenticated before accessing the Internet. Given the variety of mobile terminals, installing an authentication client on every terminal for identity authentication is impractical. However, almost all smart terminals have a web browser, so performing identity authentication on a web page is the recommended approach.

Portal authentication (also called web authentication) is performed on web pages to implement identity authentication and provide personalized information services for users.

As shown in the following figure, typical networking of the Portal authentication system consists of four basic elements: authentication client, access device, Portal server, as well as Authentication, Authorization, and Accounting (AAA) server.

[Figure 576e0004ee25c.png: typical networking of the Portal authentication system]

  • Authentication client: a web browser that uses HTTP, or a host running portal client software.

  • Access device: a broadband access device such as a switch, router, or access controller (AC). A user who wants to access the network must be authenticated by the access device. The access device provides the following functions:

    • Before authentication, it redirects all HTTP requests from users in the authentication network segment to the Portal server.

    • During authentication, it interacts with the Portal server and AAA server to implement identity authentication and authorization.

    • After authentication, it permits users to access the Internet resources authorized by administrators.

  • Portal server: a server system that receives authentication requests from the authentication client. It provides free portal services and web authentication-based interfaces, and exchanges the client's authentication information with the access device.

The Portal server can be a built-in Portal server or an external Portal server. Generally, a switch or an AC functions as a built-in Portal server, and saves authentication user names and passwords. Limited by the storage space, functions, and performance of access devices, a built-in Portal server is applicable only to scenarios with a small number of access users and those with simple functions. For example, a built-in Portal server can provide Internet access services for users in small restaurants.

If Internet connection through WeChat or SMS is required, a built-in Portal server cannot meet the requirements on authentication experience due to limited access device performance. In this case, an external Portal server is required to provide Portal authentication services.

An independent hardware server provides a sufficient storage space and high performance, enabling an external Portal server to provide extended functions. For example, the Portal server provided by Huawei's Agile Controller server can provide reliable authentication and network access services for users in high-density scenarios such as stadiums, airports, subways, and large shopping malls.

  • AAA server: interacts with the access device to implement user authentication, authorization, and accounting.

Different users may have different network access rights. For example, authenticated guests can only access the Internet, while authenticated employees can also access internal service systems. Network access rights of users after passing authentication are determined by the AAA server.

Portal authentication can be performed for both wired and wireless terminals for achieving integrated wired and wireless access. Portal authentication is performed on switches for wired terminals, and on wireless access devices for wireless terminals. Portal authentication technology is mature and is widely used on networks of carriers, fast food chains, hotels, and schools.

1.3 Common Deployment Solutions

1.3.1 Resource Allocation

Network resources are of different importance for an enterprise. To facilitate allocation of network resources of different levels, an entire network can be divided into the following domains:

  • Pre-authentication  domain

Users can access network resources in the pre-authentication domain before authentication. Network resources required for authentication, for example, the authentication server (Portal server or AAA server), DHCP server, and DNS server, must be accessible to users in the pre-authentication domain.

The pre-authentication domain is unique to the entire network and shared by all end users.

  • Post-authentication  domain

Network resources in the post-authentication domain, such as the Enterprise resource planning (ERP) system and financial system, are protected by a Portal gateway and can be accessed by end users only after they have been successfully authenticated.

Post-authentication domains differ for different end users. For example, authenticated guests can only access the Internet, while authenticated employees can also access the Internet and internal network resources.

1.3.2 Networking Mode

As shown in the following figure, authentication points for wired and wireless terminals are deployed on multiple network devices to reduce the pressure on a single device and reduce the probability of errors.

  • The aggregation switch functions as the access device for Portal authentication of wired terminals.

  • The AC is connected to the core switch in bypass mode and functions as the access device for Portal authentication of wireless terminals.

[Figure 576dffee6f3c8.png: networking mode with authentication points on the aggregation switch and the bypass AC]

In this solution, the tunnel forwarding mode is required between the AC and APs, and the aggregation switch needs to permit the passage of packets from the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel.

[Figure 576e0022972fd.png: CAPWAP tunnel forwarding between the AC and APs]

The AC is deployed in bypass mode at the core layer as opposed to the aggregation layer due to the following reasons:

  • If the AC is deployed at the aggregation layer, the AC cannot implement unified management of all APs across the whole network.

  • If the AC is deployed in inline mode, the AC may become a network performance bottleneck and a single point of failure.

Authentication points for wired terminals are deployed on aggregation switches due to the following reasons:

  • The number of access devices deployed at the aggregation layer is smaller than that at the access layer, reducing the device maintenance load for administrators.

  • Access devices deployed at the aggregation layer isolate unauthorized terminals closer to the edge, providing higher security than authentication at the core layer.

Portal authentication is generally deployed at the aggregation layer, and applicable to large-, medium-, and small-sized campus networks. On small-sized campus networks or in network reconstruction scenarios, Portal authentication points can be deployed at the core layer to reduce the maintenance load of administrators or lower enterprise investments, preventing large-scale device replacement.

user_158381
Created Jun 25, 2016 04:22:59

1.4 Authentication Principle

1.4.1 Authentication Modes

Portal authentication can be deployed at all layers of a network according to customer requirements and network conditions. For example, Portal authentication can be deployed at the core layer for authentication of wireless terminals, and at the aggregation layer for authentication of wired terminals. Devices at different network layers can obtain different terminal information; therefore, different Portal authentication modes are used.

  • When terminals are connected to an access device through a Layer 2 network, the access device can obtain MAC addresses of the terminals, and identify terminals using their IP addresses or MAC addresses. In this case, Layer 2 authentication can be configured as the Portal authentication mode.

  • When terminals are connected to an access device through a Layer 3 network, meaning that Layer 3 forwarding devices exist between the terminals and access device, the access device may be unable to obtain MAC addresses of the terminals, and is only able to identify terminals using their IP addresses. In this case, Layer 3 authentication can be configured as the Portal authentication mode.

Layer 2 authentication is simple and provides high security, because the access device can bind the user to a MAC address, but the networking is not flexible. Layer 3 authentication allows a flexible network structure and facilitates remote control, but users can be identified only by their IP addresses, which results in weaker security.

1.4.2 Authentication and Online Process

The basic Portal authentication processes for wired and wireless terminals are similar in the various networking scenarios. The following example describes how a passenger in an airport accesses the Internet through Portal authentication. In this scenario, the Agile Controller is used as both the RADIUS server and the Portal server.

  • The client exchanges packets with the Portal server using HTTP.
  • The Portal server exchanges packets with the access device using the Portal V2 protocol, which uses Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) authentication.
  • The access device exchanges packets with the RADIUS server using the RADIUS protocol.

[Figure Section 11-1873293-1: Portal authentication working process]

A passenger turns on Wi-Fi on their mobile phone and selects the free hotspot provided by the airport to obtain an IP address.

When the passenger attempts to visit a website, an HTTP packet is sent to the access device. The access device sees that the mobile phone is not yet authenticated (it is offline from the Portal system's point of view) and uses web redirection to send the Portal authentication link to the mobile phone.

[Figure Section 11-1873293-2: packet capture of the HTTP redirection]

The mobile phone uses IP address 10.20.238.199 and Transmission Control Protocol (TCP) port number 47502 (random port).

The Portal server uses IP address 10.20.5.51 and TCP port number 8080 (fixed port).

In the link http://10.20.5.51:8080/PortalServer/portal.jsp?url=http://comm.inner.bbk.com, http://10.20.5.51:8080/PortalServer/portal.jsp is the Uniform Resource Locator (URL) of the Portal authentication page, and http://comm.inner.bbk.com is the original address the user tried to visit before authentication. The Portal server records this original address, taken from the web browser's address box, so that it can push the address after authentication succeeds.

The passenger attempts to visit http://comm.inner.bbk.com, but the Portal authentication page is displayed in the web browser.
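The redirection and the url parameter described above, as an added example that is not part of the original post: a small Python model of what the access device sends (an HTTP 302 whose Location carries the original destination in the url query parameter) and of what the Portal server has to do to recover that destination before pushing it after login. The portal URL and original address are the ones from the capture above; the 302 format, the percent-encoding of the parameter, and the http/https-only check on the recovered address are this example's own choices, not details the post states.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the capture described in the post.
PORTAL_URL = "http://10.20.5.51:8080/PortalServer/portal.jsp"
ORIGINAL_URL = "http://comm.inner.bbk.com"


def build_redirect_url(original_url: str, portal_url: str = PORTAL_URL) -> str:
    """Build the Location value the access device sends to an unauthenticated
    client. The original destination rides along in the 'url' query parameter,
    percent-encoded so that its own '?' or '&' cannot be confused with the
    portal URL's query string (an assumption; the capture shows it unencoded)."""
    return f"{portal_url}?{urlencode({'url': original_url})}"


def http_302_response(original_url: str, portal_url: str = PORTAL_URL) -> bytes:
    """The raw HTTP response the access device substitutes for the page the
    client asked for (web redirection)."""
    location = build_redirect_url(original_url, portal_url)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def extract_original_url(redirect_url: str) -> Optional[str]:
    """Recover the pre-authentication destination from the portal URL, as the
    Portal server must do before pushing it back after a successful login.
    Only absolute http/https URLs are accepted: the parameter arrives from the
    network, so anything else (a javascript: URL, a bare path) is rejected
    rather than pushed to the browser. This check is the example's own."""
    query = urlsplit(redirect_url).query
    original = parse_qs(query).get("url", [""])[0]
    if not original:
        return None
    parts = urlsplit(original)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return original


if __name__ == "__main__":
    redirect = build_redirect_url(ORIGINAL_URL)
    print(redirect)
    print(http_302_response(ORIGINAL_URL).decode())
    print(extract_original_url(redirect))
```

parse_qs decodes the percent-encoding, so the Portal server gets the original address back whether the access device encoded it or, as in the capture, sent it verbatim.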

1. The passenger enters his or her mobile phone number and taps Obtain password. After receiving an SMS message containing the password, the passenger enters the mobile phone number and password, and clicks Authenticate. This step corresponds to the first step in the working process shown in the preceding figure.

[Figure Section 11-1873293-3: Portal login page]

2. The Portal server looks up the access device based on the mobile phone's IP address.

3. Before establishing a reliable connection with the access device, the Portal server sends a REQ_CHALLENGE message to the access device to verify the Portal key.

4. If the Portal keys on the Portal server and access device are the same, verification succeeds and the access device replies with an ACK_CHALLENGE message.

[Figure Section 11-1873293-4: packet capture of REQ_CHALLENGE and ACK_CHALLENGE]

The Portal server uses IP address 10.20.5.51 and User Datagram Protocol (UDP) port number 50200 (fixed port).

The AC uses IP address 10.20.5.254 and UDP port number 2000 (fixed port).

The packet analysis result shows that the Portal server exchanges packets with the access device using the CHAP protocol.

5. After successful Portal key verification, the Portal server sends a REQ_AUTH message that contains the user information to the access device.

[Figure Section 11-1873293-5: packet capture of REQ_AUTH]

6. After receiving the online request message, the access device encapsulates the user information and the encrypted password into an Access_Request message and sends the message to the RADIUS server.

The AC uses IP address 10.20.5.254 and UDP port number 1812 (fixed port).

The RADIUS server (the RADIUS server and Portal server are installed on the same PC server) uses IP address 10.20.5.51 and UDP port number 1812 (fixed port).

7. If the user name and password in the received message match the credentials stored on the RADIUS server, the RADIUS server replies with an Access_Accept message and delivers an access control list (ACL) ID.

[Figure Section 11-1873293-6: packet capture of Access_Request and Access_Accept]

Analysis of the Access_Accept message shows that the ACL ID is carried in RADIUS attribute 11, Filter-Id. When authentication succeeds, the RADIUS server delivers ACL 3001 to the access device.
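The Access_Request/Access_Accept exchange and the Filter-Id attribute above, as an added Python example that is not part of the original post or of any Huawei product: it builds an Access-Accept carrying Filter-Id = 3001 in the format RFC 2865 defines, then does what the access device should do with it before installing the ACL: check the length field, recompute the Response Authenticator (MD5 over the header, the Request Authenticator of its own Access_Request, the attributes and the shared secret) with its own copy of the secret, and only then read the ACL ID. The shared secret and Request Authenticator are constructed values, not ones from the capture.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2        # RADIUS packet code for Access-Accept (RFC 2865)
ATTR_FILTER_ID = 11      # attribute type of Filter-Id, which carries the ACL ID
HEADER_LEN = 20          # code(1) + identifier(1) + length(2) + authenticator(16)

Attr = Tuple[int, bytes]


def encode_attributes(attrs: List[Attr]) -> bytes:
    """Serialize (type, value) pairs as RADIUS TLVs: type, total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_accept(identifier: int, request_auth: bytes,
                        attrs: List[Attr], secret: bytes) -> bytes:
    """Build an Access-Accept the way the RADIUS server does. The Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    so the reply is bound both to the request it answers and to the secret."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the access device must do before honouring any attribute: check the
    length field and recompute the Response Authenticator with the Request
    Authenticator of the Access-Request it sent. A forged reply, a reply to a
    different request, or a reply built with the wrong secret all fail here."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def parse_attributes(packet: bytes) -> List[Attr]:
    """Walk the attribute TLVs after the header, refusing malformed lengths."""
    attrs = []
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def authorized_acl(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[str]:
    """Return the ACL ID carried in Filter-Id (attribute 11), or None if the
    packet does not verify or carries no Filter-Id."""
    if not verify_access_accept(packet, request_auth, secret):
        return None
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_FILTER_ID:
            return value.decode("ascii", errors="replace")
    return None


# Constructed sample: a shared secret and a Request Authenticator standing in
# for the values of the real Access_Request in the capture.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(
    identifier=7,
    request_auth=SAMPLE_REQUEST_AUTH,
    attrs=[(ATTR_FILTER_ID, b"3001")],
    secret=SAMPLE_SECRET,
)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT.hex())
    print(authorized_acl(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The verification step is the one that matters operationally: the ACL ID arrives in cleartext, and only the Response Authenticator ties it to the shared secret configured on the AC and the RADIUS server.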

8. The access device sends an Accounting_Request (start) message to the RADIUS server, and the mobile phone begins to go online on the RADIUS server.

9. When the RADIUS server replies with an Accounting_Response message, accounting for the mobile phone starts and the mobile phone is online on the RADIUS server.

[Figure Section 11-1873293-7: packet capture of Accounting_Request and Accounting_Response]

In the capture, the AC sends accounting packets from UDP port 1812 to UDP port 1813 on the RADIUS server; the server uses separate ports for authentication (1812) and accounting (1813).

[Figure Section 11-1873293-8: accounting ports in the capture]

The accounting function of the Huawei Agile Controller differs from traditional accounting: it is used only to maintain user online status by recording users' login and logout times.

The RADIUS and Portal servers can support only a limited number of online users and concurrent Internet connections. To prevent exhaustion of server resources, administrators can limit the online duration of each user. For example, a passenger may remain online for 4 hours and is automatically disconnected when that duration expires.

10. When the AC replies with an ACK_AUTH message to the Portal server, the user is authenticated successfully.

11. The Portal server informs the passenger of the authentication success and pushes http://comm.inner.bbk.com (the URL of the web page that the passenger visited before authentication) in a new web page. The passenger can then access the Internet.

1.4.3 Offline Detection

Offline detection of Portal users ensures that user online information on an access device or a server is correct and valid. Two offline detection methods are supported: Address Resolution Protocol (ARP) probing and heartbeat detection.

1.4.3.1 ARP Probing

ARP probing enables an access device to periodically send unicast ARP request packets to authenticated clients. The access device communicates with the clients over a Layer 2 network. After receiving an ARP request packet from the access device, a client replies with an ARP response packet. If the access device does not receive a specified number of consecutive ARP response packets from the client, the access device automatically disconnects the user and notifies the Portal server of the user disconnection.

[Figure Section 11-1873293-9: ARP probing]

Only Layer 2 Portal authentication supports ARP probing.

1.4.3.2 Heartbeat Detection

With heartbeat detection, after a user is successfully authenticated the Portal server pushes a page to the user that keeps the connection alive, indicating that the user is in the authenticated state. Heartbeat packets are exchanged between the user and the Portal server to implement offline detection. If the Portal server does not receive a specified number of consecutive heartbeat packets from the user, it considers the user offline and instructs the access device to disconnect the user.
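The consecutive-miss logic that both ARP probing (1.4.3.1) and heartbeat detection rely on, as an added Python example that is not part of the original post: a per-user probe counter that resets on any reply and cuts the user off only after the configured number of consecutive unanswered probes, driven by a constructed sequence of probe outcomes. The probe interval (30 s) and miss threshold (3) are assumed values; the real defaults are product-specific, and the logout notification is modelled as a plain string rather than a Portal protocol message.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass
class ArpProbeSession:
    """Per-user state an access device keeps for ARP-probe offline detection."""
    mac: str
    probe_interval_s: int = 30      # assumed value; product default may differ
    max_missed_probes: int = 3      # consecutive misses before logout (assumed)
    missed: int = 0
    online: bool = True
    offline_at_s: Optional[int] = None
    notifications: List[str] = field(default_factory=list)

    def on_probe_result(self, now_s: int, answered: bool) -> bool:
        """Record one probe result and return whether the user is still online.
        A single reply resets the counter, so only consecutive misses count;
        a client that drops one probe out of three is never cut off."""
        if not self.online:
            return False
        if answered:
            self.missed = 0
            return True
        self.missed += 1
        if self.missed >= self.max_missed_probes:
            self.online = False
            self.offline_at_s = now_s
            # The access device deletes the user entry and notifies the Portal
            # server; the notification format here is the example's own.
            self.notifications.append(f"logout {self.mac} at t={now_s}s")
        return self.online


def run_arp_probing(mac: str, replies: Sequence[bool], **kwargs) -> ArpProbeSession:
    """Drive a session through a constructed sequence of probe outcomes
    (True = ARP reply received, False = timeout), one per probe interval."""
    session = ArpProbeSession(mac=mac, **kwargs)
    for i, answered in enumerate(replies, start=1):
        if not session.on_probe_result(i * session.probe_interval_s, answered):
            break
    return session


if __name__ == "__main__":
    # Constructed sample: the client answers, misses two, answers once, then goes silent.
    s = run_arp_probing("00:11:22:33:44:55", [True, False, False, True, False, False, False])
    print(s.online, s.offline_at_s, s.notifications)
```

Because the counter resets on every reply, a user who merely loses the occasional probe stays online; the cut-off fires only when the client has been silent for max_missed_probes consecutive intervals.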

For details about how to configure Portal authentication, see related AC product documentation.

1.5 Common Configurations and Faults

1.5.1 How Can I Configure MAC Address-Prioritized Portal Authentication?

After MAC address-prioritized Portal authentication has been enabled, the RADIUS server records the MAC address of a terminal that is used by a user to access a network through Portal authentication for the first time. If the user is disconnected from the network within the validity period of the MAC address, the user can directly reconnect to the network, without the need to enter the user name and password again.

For example, assume that a user passes Portal authentication using a mobile phone and the mobile phone is then in the standby mode for a period of time. If MAC address-prioritized Portal authentication is disabled, the user needs to enter the user name and password for re-authentication. No re-authentication is required if MAC address-prioritized Portal authentication is enabled.

Perform the following configurations to enable MAC address-prioritized Portal authentication:

1.         Configurations on the AC (V200R005C10 is used as an example):

[AC] interface wlan-ess X

[AC-Wlan-EssX] web-authentication first-mac

2.         Configurations on the server (for example, on the Agile Controller server):

Choose System > Terminal Configuration > Global Parameters. Enable MAC address-prioritized Portal authentication and set the MAC address validity period.

[Figure Section 11-1873293-10: Agile Controller global parameters for MAC address-prioritized Portal authentication]

1.5.2 How Can I Configure the Active and Standby Portal Servers?

The active and standby Portal servers can be configured to improve Portal authentication reliability and prevent network access failures caused by Portal authentication server faults.

1. When performing configurations on the AC, pay attention to the following aspects:

a. Configure two Portal server templates and perform the following configurations.

  • Set server-ip and url in the Portal server templates to the IP addresses and URLs of the active and standby Portal servers, respectively.

  • Enable the Portal server detection function in the Portal server templates to detect the status of the active and standby Portal servers. When the active Portal server status changes from Up to Down, the standby Portal server takes over the services.

b. Bind the active Portal server template and then the standby Portal server template to the VLANIF interface.

The AC configuration file is as follows (V200R005C10 is used as an example):

#
web-auth-server test1
 server-ip 10.10.1.128                //Set the IP address of the active Portal server.
 port 50200
 shared-key cipher %@%@VYNv5Pr$:8l5A/9JSY@VCeNJ%@%@
 url http://192.168.1.1:8080/portal
 server-detect                        //Enable the Portal server detection function.
#
web-auth-server test2
 server-ip 10.10.1.129                //Set the IP address of the standby Portal server.
 port 50200
 shared-key cipher %@%@VYNv5Pr$:8l5A/9JSY@VCeNJ%@%@
 url http://192.168.1.2:8080/portal
 server-detect                        //Enable the Portal server detection function.
#
interface Vlanif10
 web-auth-server test1 test2 direct   //Bind the active Portal server template and then the standby Portal server template to the VLANIF interface.
#

2.         Perform configurations on the server (for example, on the Agile Controller server).

Choose Resources > Device > Device Management and click Add to add an access device. Select Enable Heartbeat between access device and Portal server and enter the IP addresses of the active and standby Portal servers in the Portal server IP list area.

[Figure Section 11-1873293-11: Agile Controller access device settings with the Portal server IP list]

1.5.3 Why Can the Portal Authentication Page Be Opened Directly but Clients Are Not Redirected to It?

Fault cause 1: Multiple network adapters are installed on the client, so the HTTP packets sent before redirection do not leave through the adapter that faces the interface on which Portal authentication is configured.
Troubleshooting procedure: Configure routes on the client so that HTTP packets are sent to the authentication interface of the access device.

Fault cause 2: The client and the DNS server cannot reach each other, so domain name resolution fails and only requests to IP addresses can be redirected.
Troubleshooting procedure: Configure an authentication-free rule on the access device that permits packets destined for the IP address of the DNS server.

Fault cause 3: Stale user online information for the client exists on the access device, so redirection is not triggered.
Troubleshooting procedure: Run the cut access-user command on the access device to force the user offline.

 

1.5.4 Why Do Authentication-Free Rules Not Take Effect?

IDs of the authentication-free rules configured on an AC range from 0 to 127, but only the authentication-free rules with IDs from 0 to 63 can be delivered to APs and take effect on the APs.

1.5.5 Why Is the Portal Authentication Page Still Pushed to a User Attempting to Re-connect to the Network After MAC Address-Prioritized Portal Authentication Is Configured?

By default, the account locking function is enabled on the AC to ensure security of user passwords. If a user fails authentication over 30 times within 30 minutes, the AC locks the user account for a specified period of time, during which this account cannot be authenticated.

Some terminals initiate MAC address authentication but do not initiate Portal authentication several times after associating with SSIDs. (For example, background applications on a mobile phone initiate multiple TCP requests instantly after the mobile phone associates with an SSID.) If the MAC address of a terminal is not recorded in the AAA server, and the terminal fails authentication over 30 times within 30 minutes, the AC locks the user account (the terminal's MAC address). Therefore, the terminal fails MAC address authentication and the Portal authentication page is displayed.

To solve this problem, run the undo remote-aaa-user authen-fail command in the AAA view to disable the account locking function.


wissal
MVE Created Apr 11, 2018 10:12:55

useful document, thanks
Renan_Brasil
Created Jul 29, 2019 11:16:39

Thanks for sharing.
VinceD
Created Jan 3, 2021 11:40:30

interesting content...
DMashlah
Created Mar 15, 2021 11:49:15

Thank you...
Unicef
MVE Created Mar 15, 2021 12:53:09

Well done
kakuye
Created Mar 15, 2021 12:59:25

Thanks for sharing
hugu
Created Mar 16, 2021 13:50:59

Thanks for sharing