H3C WX Series AC+Fit AP Dynamic VLAN Assignment with AC and Windows IAS Configuration Example

Keywords: 802.1X, VLAN

Abstract: This document describes the configuration required for an H3C WX series access controller to work with a Windows IAS server so that wireless clients are dynamically assigned to a specific VLAN after 802.1X authentication.

Acronyms:

|Acronym |Full spelling |
|--------|--------------|
|AC |Access Control |
|AP |Access Point |
|ESS |Extended Service Set |
|WLAN |Wireless Local Area Network |
|SSID |Service Set Identifier |
|CHAP |Challenge Handshake Authentication Protocol |
|IAS |Internet Authentication Server |
|VLAN |Virtual Local Area Network |
|AAA |Authentication, Authorization and Accounting |
|RADIUS |Remote Authentication Dial-In User Service |

Table of Contents

Feature Overview
  Benefits
  Application Scenarios
  Configuration Guidelines
Configuration Example
  Network Requirements
  Configuration Considerations
  Software Version Used
  Configuration Procedures
    Configuration Information
    Configuration Steps
  Precautions
References
  Protocols and Standards
  Related Documentation

Feature Overview

Dynamic VLAN assignment refers to the process in which access devices work with a RADIUS server to control the VLANs of user access ports, and thereby the users' access rights to the network. Before a user passes authentication, the user belongs to a designated VLAN and has no access to network resources. After the user passes authentication, the access controller moves the user to another VLAN based on the VLAN attributes carried in the RADIUS packets.

Benefits

With the dynamic VLAN assignment feature, the network administrator can control the VLANs of user access ports and thus control the users’ access rights to the network, delivering great flexibility and adaptability.

Application Scenarios

The dynamic VLAN assignment feature can be used as a complement to the EAD security solution to protect the access points of enterprise wireless networks.

Configuration Guidelines

1) Configure the Windows IAS correctly.

2) Configure 802.1X and AAA on access devices correctly.

Configuration Example

Network Requirements

This configuration example uses a WX6103 access controller and a WA2200 wireless LAN access point. The IP address of the RADIUS server is 8.1.45.67/24. The wireless client and the AP obtain IP addresses from a DHCP server.

Before the client passes the 802.1X authentication, it is in VLAN 10; after it passes the 802.1X authentication, it is assigned to VLAN 100.

Figure 1. Network diagram for dynamic VLAN assignment (image not included in this extract)

Configuration Considerations

• Configure the access devices.

• Configure the Windows IAS RADIUS server.

Software Version Used

display version
H3C Comware Platform Software
Comware Software, Version 5.20, Beta 2108
Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C WX6103 uptime is 1 week, 5 days, 2 hours, 46 minutes
H3C WX6103 with 1 BCM MIPS 1125H 600MHz Processor
1024M bytes DDR
261M bytes CFCard Memory
Config Register points to CFCARD
Hardware Version is Ver.C
CPLD Version is 007
Backboard CPLD Version is 003
Basic Bootrom Version is 1.11
Extend Bootrom Version is 1.12
[Slot 0]EWPX1G24XA0 Hardware Version is NA
[Slot 1]EWPX1WCMB0 Hardware Version is Ver.C

Configuration Procedures

Configuration Information

display current-configuration
#
 version 5.20, Beta 2108
#
 sysname AC
#
 dhcp relay server-group 1 ip 8.1.45.100
#
 domain default enable radius
#
 port-security enable
#
vlan 1
#
vlan 10
#
vlan 100
#
vlan 210
#
radius scheme radius
 primary authentication 8.1.45.67
 primary accounting 8.1.45.67
 key authentication luqiang
 key accounting luqiang
 nas-ip 8.1.61.3
 accounting-on enable
#
domain radius
 authentication lan-access radius-scheme radius
 authorization lan-access radius-scheme radius
 accounting lan-access radius-scheme radius
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
wlan service-template 10 clear
 ssid radius
 bind WLAN-ESS 10
 service-template enable
#
interface Vlan-interface1
 ip address 7.0.0.61 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1
#
interface Vlan-interface10
 ip address 10.1.1.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1
#
interface Vlan-interface100
 ip address 100.1.1.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1
#
interface Vlan-interface210
 ip address 8.1.61.3 255.255.255.0
#
interface M-GigabitEthernet1/0/0
#
interface Ten-GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 10 100 210
#
interface WLAN-ESS10
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 10 100 untagged
 port hybrid pvid vlan 10
 mac-vlan enable
 port-security port-mode userlogin-secure-ext
#
wlan ap wa2220x model WA2220X-AGP
 serial-id 210235A29E007C000009
 radio 2
  channel 3
  max-power 6
  service-template 10
  radio enable

Configuration Steps

Configure 802.1X authentication on the AC.

1) Enable port security, and set the 802.1X authentication method to CHAP.

[AC] port-security enable
[AC] dot1x authentication-method chap

2) Configure the authentication policy.

# Create a RADIUS scheme named radius and enter RADIUS scheme view.
[AC] radius scheme radius
# Assign IP address 8.1.45.67 to the primary RADIUS authentication server.
[AC-radius-radius] primary authentication 8.1.45.67
# Assign IP address 8.1.45.67 to the primary RADIUS accounting server.
[AC-radius-radius] primary accounting 8.1.45.67
# Set the shared key used when the system exchanges packets with the RADIUS authentication server to radius.
[AC-radius-radius] key authentication radius
# Set the shared key used when the system exchanges packets with the RADIUS accounting server to radius.
[AC-radius-radius] key accounting radius
# Configure the source IP address of the RADIUS packets sent by the device as 8.1.61.3.
[AC-radius-radius] nas-ip 8.1.61.3
# Enable accounting-on. With this feature enabled, when the device reboots, an accounting-on message is sent to the RADIUS server to log out the online users of the device.
[AC-radius-radius] accounting-on enable
[AC-radius-radius] quit

3) Configure an authentication domain.

# Create domain radius and enter its view.
[AC] domain radius
# Configure ISP domain radius to use RADIUS scheme radius for authentication of LAN access users.
[AC-isp-radius] authentication lan-access radius-scheme radius
# Configure ISP domain radius to use RADIUS scheme radius for authorization of LAN access users.
[AC-isp-radius] authorization lan-access radius-scheme radius
# Configure ISP domain radius to use RADIUS scheme radius for accounting of LAN access users.
[AC-isp-radius] accounting lan-access radius-scheme radius
[AC-isp-radius] quit

4) Configure authentication domain radius, created above, as the system default domain.

[AC] domain default enable radius

5) Configure a WLAN port and enable port security (802.1X authentication) on it.

# Create VLAN 10.
[AC] vlan 10
[AC-vlan10] quit
# Create interface WLAN-ESS 10 and enter its view.
[AC] interface WLAN-ESS10
# Set the link type of the interface to hybrid.
[AC-WLAN-ESS10] port link-type hybrid
# Set the default VLAN (PVID) of the hybrid interface to VLAN 10.
[AC-WLAN-ESS10] port hybrid pvid vlan 10
# Configure the hybrid interface to forward packets of VLAN 10 (the PVID) and VLAN 100 with the VLAN tags removed.
[AC-WLAN-ESS10] port hybrid vlan 10 100 untagged
# Configure the security mode on the port as userlogin-secure-ext.
[AC-WLAN-ESS10] port-security port-mode userlogin-secure-ext
# Enable MAC-based VLAN on interface WLAN-ESS 10, so that the authorized VLAN can be applied per client MAC address.
[AC-WLAN-ESS10] mac-vlan enable
[AC-WLAN-ESS10] quit

6) Configure the wireless service template.

# Create service template 10 of the clear type.
[AC] wlan service-template 10 clear
# Set the SSID of service template 10 to radius.
[AC-wlan-st-10] ssid radius
# Bind interface WLAN-ESS 10 to service template 10.
[AC-wlan-st-10] bind WLAN-ESS 10
# Enable service template 10.
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit

7) Create an AP template and bind it to the wireless service template created earlier.

# Create an AP template named wa2220x and select WA2220X-AGP as the model name.
[AC] wlan ap wa2220x model WA2220X-AGP
# Set the serial ID of the AP to 210235A29E007C000009.
[AC-wlan-ap-wa2220x] serial-id 210235A29E007C000009
# Set the radio type of radio 2 to 802.11g.
[AC-wlan-ap-wa2220x] radio 2
# Set the working channel of radio 2 to 3.
[AC-wlan-ap-wa2220x-radio-2] channel 3
# Set the maximum power of radio 2 to 6.
[AC-wlan-ap-wa2220x-radio-2] max-power 6
# Associate the clear-type service template 10 configured on the AC with radio 2.
[AC-wlan-ap-wa2220x-radio-2] service-template 10
# Enable radio 2 of the AP.
[AC-wlan-ap-wa2220x-radio-2] radio enable
[AC-wlan-ap-wa2220x-radio-2] quit
[AC-wlan-ap-wa2220x] quit

8) Configure VLAN interfaces.

# Create VLAN 210.
[AC] vlan 210
[AC-vlan210] quit
# Create VLAN interface 210 and enter its view.
[AC] interface Vlan-interface 210
# Configure the IP address of VLAN interface 210 as 8.1.61.3 and the mask as 255.255.255.0.
[AC-Vlan-interface210] ip address 8.1.61.3 24
[AC-Vlan-interface210] quit
# Enter the view of VLAN interface 1.
[AC] interface Vlan-interface 1
# Configure the IP address of VLAN interface 1 as 7.0.0.61 and the mask as 255.255.255.0.
[AC-Vlan-interface1] ip address 7.0.0.61 24
# Enable the DHCP relay agent on VLAN interface 1.
[AC-Vlan-interface1] dhcp select relay
# Correlate VLAN interface 1 to DHCP server group 1.
[AC-Vlan-interface1] dhcp relay server-select 1
[AC-Vlan-interface1] quit

Configuration on the Windows IAS

When configuring VLAN assignment on the Windows IAS, you need to add three attributes to the remote access policy applied to the users: Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Pvt-Group-ID.

Configuring the Tunnel-Type attribute

1) In the Internet Authentication Service window, open Remote Access Policies, double-click the access policy applied to users (radius), and then click Edit Profile to display the Edit Dial-in Profile page.

2) Select the Advanced tab on the Edit Dial-in Profile page and then click Add to display the Add Attribute page.

3) Double-click the Tunnel-Type option in the list on the Add Attribute page to display the Multivalued Attribute Information dialog box.

4) Click Add in the Multivalued Attribute Information dialog box to display the Enumerable Attribute Information page.

5) Set the value of the Tunnel-Type attribute on the Enumerable Attribute Information page.

• Select Virtual LANs (VLAN) from the Attribute value dropdown list and then click OK.

Configuring the Tunnel-Medium-Type attribute

6) Double-click the Tunnel-Medium-Type option in the list on the Add Attribute page to display the Multivalued Attribute Information dialog box.

7) Click Add in the Multivalued Attribute Information dialog box to display the Enumerable Attribute Information page. On the page, set the value of the Tunnel-Medium-Type attribute: select 802 from the Attribute value dropdown list and then click OK.

Configuring the Tunnel-Pvt-Group-ID attribute

8) Double-click the Tunnel-Pvt-Group-ID option in the list on the Add Attribute page to display the Multivalued Attribute Information dialog box.

9) Click Add in the Multivalued Attribute Information dialog box to display the Enumerable Attribute Information page. On the page, set the value of the Tunnel-Pvt-Group-ID attribute in string or hexadecimal format (by selecting the String or Hexadecimal option) and then click OK. The format must be one supported by the access devices to which the attribute is issued; H3C devices support both the string and hexadecimal formats.

• Here, select the String option and set the value of the Tunnel-Pvt-Group-ID attribute to 100.

Click OK to finish adding attributes.

Click Apply and then click OK to end the add attribute operation.

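The following added example (Python; not code from this document or from H3C) encodes the three tunnel attributes the IAS policy issues and decodes them the way an access device must before moving a client from VLAN 10 to VLAN 100, including the RFC 2868 tag octet and the case where one of the three attributes is missing. Attribute numbers and enumerated values come from RFC 2868 and RFC 3580; the hexadecimal Tunnel-Pvt-Group-ID format mentioned above is not modelled.

```python
import struct

# RFC 2868 tunnel attributes; IAS enum values: "Virtual LANs (VLAN)" = 13, "802" = 6
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def encode_attr(attr_type, value):
    """RADIUS TLV: type (1 octet), length (1 octet, includes header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_vlan_attrs(vlan_id, tag=0):
    """The three IAS policy attributes; Tunnel-Pvt-Group-ID in String format ("100")."""
    tag_b = bytes([tag])
    group = str(vlan_id).encode("ascii")
    return (encode_attr(TUNNEL_TYPE, tag_b + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_attr(TUNNEL_MEDIUM_TYPE, tag_b + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + encode_attr(TUNNEL_PVT_GROUP_ID, (tag_b + group) if tag else group))

def decode_attrs(blob):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(blob):
        attr_type, length = struct.unpack("!BB", blob[pos:pos + 2])
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out

def split_tag(value):
    """RFC 2868: a first octet in 0x00-0x1F is a tag, else data starts at once (tag 0)."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def authorized_vlan(blob):
    """VLAN ID to assign, or None if no complete triple with one tag; VLAN names not resolved."""
    groups = {}
    for attr_type, value in decode_attrs(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID):
            tag, data = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = data
    for attrs in groups.values():
        if len(attrs) != 3:  # e.g. Tunnel-Medium-Type was never added in IAS
            continue
        if (int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
                or int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802):
            continue
        text = attrs[TUNNEL_PVT_GROUP_ID].decode("ascii", "replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            return int(text)
    return None
```

With the page's values, authorized_vlan(build_vlan_attrs(100)) returns 100; dropping any one of the three attributes, or issuing them with mismatched tags, leaves the client in its initial VLAN.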
Verification

Use the display connection command to check for online 802.1X users and whether they belong to the issued VLANs. In the output below, Initial VLAN=10 and Authorization VLAN=100 show that the client was moved to the VLAN issued by the IAS server.

display connection ucibindex 1059
Index=1059, Username=test@radius
MAC=0810-742d-a88d
IP=N/A
Access=8021X ,AuthMethod=CHAP
Port Type=Wireless-802.11,Port Name=WLAN-DBSS10:78
Initial VLAN=10, Authorization VLAN=100
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2008-09-14 13:30:59 ,Current=2008-09-14 13:31:58 ,Online=00h00m59s
Total 1 connection matched.

Precautions

None

References

Protocols and Standards

• 802.1X

• RADIUS

Related Documentation

• 802.1X Configuration, Port Security Configuration, and AAA Configuration in the Security Volume of H3C WX Series Access Controllers User Manual.

• 802.1X Commands, Port Security Commands, and AAA Commands in the Security Volume of H3C WX Series Access Controllers User Manual.

• WLAN Security Configuration and WLAN Service Configuration in the WLAN Volume of H3C WX Series Access Controllers User Manual.

• WLAN Security Commands and WLAN Service Commands in the WLAN Volume of H3C WX Series Access Controllers User Manual.

• DHCP Configuration in the IP Services Volume of H3C WX Series Access Controllers User Manual.

• DHCP Commands in the IP Services Volume of H3C WX Series Access Controllers User Manual.

• WLAN Interface Configuration and VLAN Configuration in the Access Volume of H3C WX Series Access Controllers User Manual.

• WLAN Interface Commands and VLAN Commands in the Access Volume of H3C WX Series Access Controllers User Manual.
