HPE IMC BYOD WLAN 802.1X Authentication and Security Check Using inode Configuration Examples

Transcription

1 HPE IMC BYOD WLAN 802.1X Authentication and Security Check Using inode Configuration Examples Part Number: Software version: IMC UAM 7.2 (E0403) Document version: 2 The information in this document is subject to change without notice. Copyright 2016 Hewlett Packard Enterprise Development LP

2 Contents Introduction 1 Prerequisites 1 Example: Configuring WLAN 802.1X authentication and security check 1 Network configuration 1 Analysis 2 Software versions used 4 Restrictions and guidelines 4 Configuring the DHCP server 5 Configuring DHCP scopes 5 Configuring the DHCP Agent plugin 11 Configuring UAM 11 Configuring the AC as an access device 11 Configuring a share control policy 14 Configuring a security level 16 Configuring a security policy 17 Configuring an endpoint MAC group 18 Configuring an access policy 21 Configuring an access service 23 Adding or importing user accounts 25 Importing server and root certificates 29 Configuring WX Associating WX6103 with an AP 32 Configuring 802.1X authentication on WX Configuring MSM Configuring the security VLAN 36 Configuring a RADIUS profile 36 Configuring a VSC profile 37 Configuring a VSC binding 40 Deploying configurations from MSM 760 to the AP 40 Configuring the switch that connects the AP to MSM Configuring AIR-WLC2100-K9 41 Configuring authentication and accounting servers 41 Configuring the security VLAN 43 Configuring WLAN authentication 44 Configuring the upstream switch of AIR-WLC2100-K9 47 Verifying the configuration 48 i

3 Introduction This document provides examples for configuring UAM and an AC (H3C WX6103, HP MSM 760, or Cisco AIR-WLC2100-K9) to implement 802.1X authentication and security check for wireless users. Prerequisites Before you configure 802.1X authentication and security check, complete the following tasks: Obtain a server certificate and a root certificate from a certification authority. Deploy a DHCP server and a DNS server on the network. The example in this document uses the DHCP server and the DNS server that are embedded in Windows Server. On the DHCP server, install the DHCP Agent plugin to identify endpoint information and to obtain endpoint IP addresses for UAM. The DHCP Agent installation file HP IMC DHCP Agent.exe is located in the /UAM directory of the IMC installation path. Copy the file to the DHCP server and double-click it to install the DHCP Agent plugin. (Details not shown.) Example: Configuring WLAN 802.1X authentication and security check Network configuration As shown in Figure 1, Figure 2, and Figure 3, configure 802.1X authentication and security check for wireless users. The authentication and security check process is as follows: 1. A user uses the inode client to access the WLAN with SSID ss_byod_jay_1x. 2. UAM authenticates the user's PC based on a MAC address group: If the PC MAC address is in the group, the user passes authentication. If the PC MAC address is not in the group, the user fails authentication. 3. UAM implements security check on the authenticated PC: If the PC passes security check, UAM assigns the PC to the security VLAN 33. If the PC fails security check, UAM assigns the PC to the isolation VLAN 66 or logs off the PC: UAM isolates the PC when WX6103 is used as the access device. UAM logs off the PC when MSM 760 or AIR-WLC2100-K9 is used as the access device. 1

4 Figure 1 Network diagram (WX6103) Internet DNS server PC AP VLAN 1 SW VLAN 24 VLAN 24 DHCP server SSID: ss_byod_jay_1x Secure area: VLAN 33 Isolation area: VLAN 66 VLAN 1 VLAN 24 VLAN 24 imc UAM/EAD WX6103 VLAN-interface 1: VLAN-interface 24: VLAN-interface 33: VLAN-interface 66: Figure 2 Network diagram (MSM 760) MSM 760 VLAN-interface 1: Internet DNS server PC AP DHCP server SSID: ss_byod_jay_1x Secure area: VLAN 33 SW VLAN-interface 1: VLAN-interface 33: imc UAM/EAD Figure 3 Network diagram (AIR-WLC2100-K9) Internet DNS server PC AP AIR-WLC2100-K9 DHCP server VLAN-interface 1: SSID: ss_byod_jay_1x Secure area : VLAN 33 SW VLAN-interface 1: VLAN-interface 33: imc UAM/EAD Analysis Table 1 lists the tasks that must be performed to meet the network requirements. 2

5 Table 1 Requirements analysis Requirements Device Tasks 802.1X authentication Security check VLAN-based access control Obtaining endpoint IP addresses for UAM UAM AC UAM AC UAM AC AC Configure the AC as an access device. Configure an access policy, an access service, and user accounts: For WX6103, do not configure the deploy VLAN in the access policy. For MSM 760 or AIR-WLC2100-K9, specify the deploy VLAN in the access policy by VLAN name. On WX6103, configure VLAN, RADIUS scheme, authentication domain, port security, and WLAN settings. On MSM 760, configure VLAN, RADIUS profile, VSC profile, and VSC binding settings. On AIR-WLC2100-K9, configure authentication/accounting server, VLAN, and WLAN settings. Configure a share control policy. Configure a security level: For WX6103, select the isolation mode. For MSM 760 or AIR-WLC2100-K9, select the kick out mode. Configure a security policy: For WX6103, configure the isolation method, the security VLAN, and the isolation VLAN. MSM 760 and AIR-WLC2100-K9 require no isolation configurations. On WX6103, set the server type to extended for the RADIUS scheme. MSM 760 and AIR-WLC2100-K9 require no server type configurations. For WX6103, configure the security VLAN and the isolation VLAN in the security policy. For MSM 760 or AIR-WLC2100-K9, configure the security VLAN in the access policy. On WX6103, create the security VLAN 33 and the isolation VLAN 66. On MSM 760 and the connected switch, create the security VLAN 33. On AIR-WLC2100-K9 and the upstream switch, create the security VLAN 33. On WX6103, configure DHCP relay. On the switch connected to MSM 760, configure DHCP replay. On AIR-WLC2100-K9, configure DHCP replay. NOTE: When working with MSM 760 or AIR-WLC2100-K9, UAM does not support the isolation mode in the security policy. Therefore, UAM cannot deploy a VLAN to endpoints by implementing the security policy. It can deploy a VLAN only by implementing the access policy. The deploy VLAN in the access policy is equal to the security VLAN in the security policy. 3

6 Software versions used This configuration example was created and verified on the following platforms: IMC UAM 7.2 (E0403) EAD in IMC UAM 7.2 (E0402) DHCP server embedded in Windows Server 2008 R2 Datacenter Certificate server embedded in Windows Server 2008 R2 Datacenter HP IMC DHCP Agent Config Tool V7.0-E0102 H3C WX6103 Comware Software, Version 5.20, ESS2507P04 HP MSM 760 Software Version , Hardware Version B:48 Cisco AIR-WLC2100-K9 Software Version Windows XP SP3 inode PC 7.2 (E0403) Restrictions and guidelines When you configure 802.1X authentication and security check, follow these restrictions and guidelines: Deploy the servers (such as a Windows patch server) that PCs use in the isolation VLAN to remove unsecure conditions. UAM must provide both authentication and accounting services. Do not use another server to provide the accounting service. The service suffix configuration on UAM is closely related to the authentication domain configuration on the AC and to the username that an endpoint uses for authentication. 0, 0, and 0 show the parameter correlations for WX6103, MSM 760, and AIR-WLC2100-K9. Table 2 Parameter correlation on WX6103 Username Mandatory domain on WX6103 Authentication domain on WX6103 RADIUS command on WX6103 Service suffix on UAM X Y None Y Default domain user-name-format with-domain user-name-format without-domain user-name-format with-domain user-name-format without-domain Y No suffix Default domain No suffix X@Z Y None Y Z user-name-format with-domain user-name-format without-domain user-name-format with-domain user-name-format without-domain Y No suffix Z No suffix 4

7 Table 3 Parameter correlation on MSM 760 Username X X@Z How MSM 760 handles the account name MSM 760 sends usernames to UAM without making any modifications. Service suffix on UAM No suffix Z Table 4 Parameter correlation on AIR-WLC2100-K9 Username X X@Z How AIR-WLC2100-K9 handles the account name AIR-WLC2100-K9 sends usernames to UAM without making any modifications. Service suffix on UAM No suffix Z The examples show how to configure a service suffix. Use the following guidelines when you configure the service suffix: On UAM, configure the service suffix as Y. On a PC, use the username in X@Y format. On the AC: On WX6103, configure the dot1x mandatory-domain Y command on the WLAN-ESS interface for wireless users, and configure the user-name-format with-domain command for the RADIUS scheme for wireless users. MSM 760 and AIR-WLC2100-K9 require no configurations. When you add the AC to UAM as an access device, use the following guidelines: UAM must have the same port and shared key settings for authentication and accounting communication as the AC. Guidelines for specifying the AC IP address on UAM: For WX6103, specify the NAS IP address configured with the nas-ip command on WX6103 as the AC IP address. If the nas-ip command is not configured, specify the IP address of the physical interface or VLAN-interface that connects to UAM. For MSM 760 or AIR-WLC2100-K9, specify the IP address of the interface that connects to UAM as the AC IP address. If you select the AC from the platform, make sure the AC has been added to the IMC platform. If the AC in the IMC platform has an incorrect IP address, you must manually specify the IP address of the AC on UAM. Guidelines for specifying the deploy VLAN for an access policy on UAM: If WX6103 is used as the access device, specify the deploy VLAN by VLAN ID. If MSM 760 or AIR-WLC2100-K9 is used as the access device, specify the deploy VLAN by VLAN name. When configuring WX6103, you must execute the mac-vlan enable command on the WLAN-ESS interface for wireless users. Configuring the DHCP server Configuring DHCP scopes This example creates two scopes for 802.1X authentication. As shown in Table 5, scope 1x applies to the isolation VLAN, and scope 1x-isolate applies to the security VLAN. 5

8 Table 5 Scope configurations Scope name IP range Subnet mask Default gateway VLAN 1x to Security VLAN 33 1x-isolate to Isolation VLAN 66 The procedure for creating scopes 1x and 1x-isolate is the same. This example uses the 1x scope. To create scope 1x: 1. Start the DHCP server. 2. From the navigation tree, right-click IPv4 and select New Scope from the shortcut menu. The New Scope Wizard opens. 3. Click Next. The Scope Name page opens. 4. Enter 1x in the Name field, and then click Next, as shown in Figure 4. Figure 4 Scope Name 5. On the IP Address Range page, configure the following parameters, as shown in Figure 5: a. Enter in the Start IP address field, and in the End IP address field. b. Specify as the subnet mask. 6

9 Figure 5 IP Address Range 6. Click Next. 7. On the Add Exclusions and Delay page, click Next, as shown in Figure 6. Figure 6 Add Exclusions and Delay 8. On the Lease Duration page, use the default settings, and then click Next, as shown in Figure 7. 7

10 Figure 7 Lease Duration 9. On the Configure DHCP Options page, select Yes, I want to configure these options now, and then click Next, as shown in Figure 8. Figure 8 Configure DHCP Options 10. On the Router (Default Gateway) page, specify as the default gateway, and then click Next, as shown in Figure 9. 8

11 Figure 9 Router (Default Gateway) 11. On the Domain Name and DNS Servers page, specify the parent domain name and the DNS server IP address, and then click Next, as shown in Figure 10. This example uses uam.test.com as the parent domain name and as the DNS server IP address. Figure 10 Domain Name and DNS Servers 12. On the WINS Servers page, click Next, as shown in Figure 11. 9

12 Figure 11 WINS Servers 13. On the Activate Scope page, select Yes, I want to activate this scope now, and then click Next, as shown in Figure 12. Figure 12 Activate Scope 14. On the Completing the New Scope Wizard page, click Finish. The new DHCP scope is added to the DHCP page. The DHCP server applies this scope to wireless users who pass 802.1X authentication. 10

13 Configuring the DHCP Agent plugin 1. Double-click the DHCP Agent shortcut on the desktop to start the DHCP Agent. 2. Configure the following parameters, as shown in Figure 13: a. Select the Enable Agent option. b. Enter the IP address of the UAM server. This example uses c. Use the default UAM server port (1810) and log level. Figure 13 Configuring the DHCP Agent 3. Click Save Configuration. 4. Click Enable DHCP Server. When the DHCP Agent is operating correctly, you can see a green check mark Status area. Configuring UAM Configuring the AC as an access device in the Agent 1. Click the User tab. 2. From the navigation tree, select User Access Policy > Access Device Management > Access Device. 3. Click Add, as shown in Figure

14 Figure 14 Accessing the access device list The Add Access Device page opens, as shown in Figure 15. Figure 15 Adding an access device 4. Add the AC to UAM as an access device. You can manually add a device or select a device from the IMC platform. You cannot modify the IP address of the device that is selected from the IMC platform. This example uses the manual method. For more information about adding an access device to UAM, see "Configuring the AC as an access device." To manually add the AC to UAM: a. In the Device List area, click Add Manually. b. Configure the AC IP address: For WX6103, enter in the Start IP field, as shown in Figure 16. For MSM 760, enter in the Start IP field. 12

15 For AIR-WLC2100-K9, enter in the Start IP field. Figure 16 Adding an access device manually c. Click OK. 5. Configure the access device, as shown in Figure 17: a. Enter 1812 in the Authentication Port field. The default authentication port is b. Enter 1813 in the Accounting Port field. The default accounting port is c. Select Fully Supported from the RADIUS Accounting list. d. Select LAN Access Service from the Service Type list. e. Select a device type from the Access Device Type list: Select H3C (General) for WX6103. Select HP (General) for MSM 760. Select CISCO (General) for AIR-WLC2100-K9. f. Enter hello in the Shared Key field. If the Confirm Shared Key field appears, also enter hello in that field. g. Use the default values for the Service Group and Access Device Group fields. 13

16 Figure 17 Configuring the access device 6. Click OK. 7. Click Back to Access Device List. The AC is added to the access device list, as shown in Figure 18. Figure 18 Viewing the AC Configuring a share control policy 1. From the navigation tree, select User Security Policy > Share Control. The share control list opens. 2. Click Add, as shown in Figure

17 Figure 19 Accessing the share control list 3. Configure the share control policy, as shown in Figure 20: a. Enter share for 1x in the Share Control Name field. b. Select the Forbid Default Share and Forbid Windows XP Simple Share options. c. Use the default values for other parameters. Figure 20 Configuring the share control policy 4. Click OK. The share control policy is added to the share control list, as shown in Figure 21. Figure 21 Viewing the share control policy 15

18 Configuring a security level 1. From the navigation tree, select User Security Policy > Security Level. The security level list opens. 2. Click Add, as shown in Figure 22. Figure 22 Accessing the security level list 3. Configure the security level, as shown in Figure 23: a. Enter level1x in the Security Level Name field. b. Enter 5 in the Action After field. c. In the Check Share Control area, select an action: For WX6103, select Isolate from the share for 1x list. For MSM 760 or AIR-WLC2100-K9, select Kick Out from the share for 1x list. d. Use the default values for other parameters. Figure 23 Configuring the security level 4. Click OK. The security level is added to the security level list, as shown in Figure

19 Figure 24 Viewing the security level Configuring a security policy 1. From the navigation tree, select User Security Policy > Security Policy. The security policy list opens. 2. Click Add, as shown in Figure 25. Figure 25 Accessing the security policy list 3. Configure the security policy, as shown in Figure 26: a. Enter policy1x in the Policy Name field. b. Select level1x from the Security Level list. c. Select the Monitor in Real Time option. d. Enter 5 in the Process After field. e. Configure the isolation mode: For WX6103, select the Configure Isolation Mode option, and specify VLAN 33 as the security VLAN and VLAN 66 as the isolation VLAN. For MSM 760 or AIR-WLC2100-K9, uncheck the Configure Isolation Mode option. f. Configure the share control parameters: Select the Check Share option. Select share for 1x from the Share Control list. g. Use the default values for other parameters. 17

20 Figure 26 Configuring the security policy 4. Click OK. The security policy is added to the security policy list, as shown in Figure 27. Figure 27 Viewing the security policy Configuring an endpoint MAC group This example uses an endpoint MAC group to implement access control on PCs. 18

21 When creating the endpoint MAC group, you can add MAC addresses one by one or import MAC addresses in batches to the group. Adding an endpoint MAC address 1. From the navigation tree, select User Access Policy > Access Condition > Endpoint MAC Group. The endpoint MAC group list opens. 2. Click Add, as shown in Figure 28. Figure 28 Accessing the endpoint MAC group list 3. Configure the endpoint MAC group: a. Enter for1x in the Endpoint MAC Group Name field, as shown in Figure 29. Figure 29 Configuring the group name b. In the Endpoint MAC List, click Add. c. Enter a MAC address in the Endpoint MAC field, and then click OK, as shown in Figure 30. The MAC address must be in the XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX, or XXXX-XXXX-XXXX format. This example uses 00-B0-8C-D1-D3-D2. 19

22 Figure 30 Adding a MAC address Repeat steps b and c to add more MAC addresses. 4. On the Add Endpoint MAC Group page, click OK. Importing MAC addresses in batches 1. In the endpoint MAC group list, click Batch Import. 2. Configure the endpoint MAC group, as shown in Figure 31: a. Enter for1x in the Endpoint MAC Group Name field. b. Click Browse for the Import File field. c. Select the text file containing PC MAC addresses. The file must be in ANSI format. d. Select Space from the Column Separator list as the column separator used in the file. Figure 31 Configuring the group name 3. Click Next. 4. Select the file columns for the Access MAC Address and Description fields, as shown in Figure

23 Figure 32 Selecting file columns 5. Click Preview. The Preview Import Result page opens, as shown in Figure 33. Figure 33 Previewing the import result 6. Close the Preview Import Result page. 7. On the Batch Import Endpoint MACs page, click OK. Configuring an access policy 1. From the navigation tree, select User Access Policy > Access Policy. The access policy list opens. 2. Click Add, as shown in Figure 34. Figure 34 Accessing the access policy list 3. Configure the access policy, as shown in Figure 35: a. Enter byodjay1x in the Access Policy Name field. b. Select EAP-PEAP from the Preferred EAP Type list. 21

24 c. Select EAP-MSCHAPv2 from the Subtype list. d. Configure the deploy VLAN. For WX6103, do not configure the deploy VLAN, as shown in Figure 36. There is no need to configure the deploy VLAN for the access policy because the security and isolation VLANs of the security policy have a higher priority. Figure 35 Configuring the access policy (WX6103) For MSM 760 or AIR-WLC2100-K9, specify VLAN ssbyodjay1x as the deploy VLAN, as shown in Figure 36. Because no VLAN is configured in the security policy, you need to configure the deploy VLAN for users who pass the security check. The deploy VLAN name on UAM and the AC must be the same. Figure 36 Deploy VLAN for MSM 760 or AIR-WLC2100-K9 e. Use the default values for other parameters. 4. Click OK. The access policy is added to the access policy list, as shown in Figure

25 Figure 37 Viewing the access policy Configuring an access service This example uses the endpoint MAC group, the access policy, and the security policy to provide the authorization service for users. To configure an access service: 1. From the navigation tree, select User Access Policy > Access Service. The access service list opens. 2. Click Add, as shown in Figure 38. Figure 38 Accessing the access service list 3. Configure the basic information for the access service, as shown in Figure 39: a. Enter 1x-service in the Service Name field. b. Enter 1x in the Service Suffix field. c. Select Access Forbidden from the Default Access Policy list. d. Use the default values for other parameters. 23

26 Figure 39 Configuring access service basic information 4. In the Access Scenario List area, click Add. 5. Configure the access scenario, as shown in Figure 40: a. Enter 1x in the Access Scenario Name field. b. Select for1x from the Endpoint MAC Group list. c. Select byodjay1x from the Access Policy list. d. Select policy1x from the Security Policy list. e. Use the default values for other parameters. Figure 40 Configuring the access scenario 24

27 6. On the Add Access Scenario page, click OK. 7. On the Add Access Service page, click OK. The access service is added to the access service list, as shown in Figure 41. Figure 41 Viewing the access service Adding or importing user accounts Adding a user account 1. From the navigation tree, select Access User > All Access Users. The access user list opens. 2. Click Add, as shown in Figure 42. Figure 42 Accessing the access user list The Add Access User page opens, as shown in Figure

28 Figure 43 Adding a user account 3. Click Select next to the User Name field, select a user from the IMC platform, and then click OK, as shown in Figure 44. This example uses ftest. Figure 44 Selecting a user from the IMC platform 4. Configure the user account, as shown in Figure 45: a. Enter jay in the Account Name field. b. Enter a password in the Password and Confirm Password fields. c. Select 1x-service from the Access Service list. d. Use the default values for other parameters. 26

29 Figure 45 Configuring the user account 5. Click OK. Importing user accounts in batches 1. In the access user list, click Batch Import. The Import Accounts in Batches page opens, as shown in Figure 46. Figure 46 Importing user accounts in batches 2. Click Browser next to the Import File field. 3. Select the text file containing user accounts. The file must be in ANSI format. 27

30 4. Select the column separator used in the file from the Column Separator list. 5. Select the Import Platform Users option. 6. Click Next. 7. Configure the user account parameters, as shown in Figure 47: a. Select the file columns for the User Name, Identity Number, Account Name, and Password fields. b. Select 1x-service from the Access Service list. c. Use the default values for other parameters. Figure 47 Configuring user account parameters 8. Click Preview. The Preview Import Result page opens, as shown in.figure 48 Figure 48 Previewing the import result 28

31 9. Close the Preview Import Result page. 10. Click OK. Importing server and root certificates 1. From the navigation tree, select User Access Policy > Service Parameters > Certificate. The Certificate page opens, as shown in Figure 49. Figure 49 Accessing the Certificate page 2. On the Root Certificate tab, click Import EAP Root Certificate. 3. Click Browse and select a root certificate, as shown in Figure 50. Figure 50 Selecting the root certificate 4. Click Next. The CRL configuration page opens, as shown in Figure 51. In this example, the CRL configuration is skipped. 29

32 Figure 51 CRL configuration 5. Click OK. The imported root certificate is added to the Root Certificate tab, as shown in Figure 52. Figure 52 Viewing the imported root certificate 6. Click the Server Certificate tab, as shown in Figure 53. Figure 53 Selecting a server certificate 7. Click Import EAP Server Certificate. 30

33 8. Select Private key is included in server certificate file, click Browse next to the Server Certificate File field, and select a server certificate, as shown in Figure 54. Figure 54 Selecting the server certificate 9. Click Next. 10. Enter the password for the server private key, as shown in Figure 55. Use the same password specified during server certificate export. Figure 55 Entering the server certificate key password 11. Click OK. The imported server certificate is added to the Server Certificate tab, as shown in Figure 56. Figure 56 Viewing the imported server certificate 31

34 Configuring WX6103 Associating WX6103 with an AP After you associate WX6103 with an AP, the two devices establish a tunnel to forward traffic. You can manually or automatically associate WX6103 with an AP. This example uses the manual method. 1. On the AP, display information about the AP and record its model number, serial ID, hardware version, and software version. <WA2612-AGN>display wlan ap Display AP Profile Model Number Serial-ID : WA2612-AGN AP Address : H/W Version S/W Version : A0ALC : Ver.D Boot Version : 1.23 Mode Device State Master AC: Description AC Address State : V100R001B71D024( ) : Split Mac Mode : Zero configuration state : -NA- Transmitted control packets : 0 : -NA- Received control packets : 0 Transmitted data packets : 0 Received data packets : 0 Latest AC IP address Tunnel Down Reason : BDisc : -NA- : -NA Unicast static AC IPv4 address: Not Configured Unicast static AC IPv6 address: Not Configured Configure WX6103: # Enable WLAN service. <H3C>system-view System View: return to User View with Ctrl+Z. [H3C]wlan enable % Info: WLAN service enabled # Create AP template byod and specify the AP model number. [H3C]wlan ap byod model WA2612-AGN # Specify the AP serial ID. [H3C-wlan-ap-byod]serial-id A0ALC [H3C-wlan-ap-byod]quit # Specify the software and hardware versions of the AP. [H3C]wlan apdb WA2612-AGN Ver.D V100R001B71D024 32

35 3. On the AP, specify the IP address of WX6103. <WA2612-AGN>system-view System View: return to User View with Ctrl+Z. [WA2612-AGN]wlan ac ip Verify that WX6103 is associated with the AP. # On WX6103, display all associated APs. [H3C]display wlan ap all Total Number of APs configured : 1 Total Number of configured APs connected : 0 Total Number of auto APs connected : 1 AP Profiles State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad C = Config, R = Run, KU = KeyUpdate, KC = KeyCfm AP Name State Model Serial-ID Byod R/M WA2612-AGN A0ALC The R/M state of the AP indicates that WX6103 and the AP have been associated. Configuring 802.1X authentication on WX Configure a RADIUS scheme: # On WX6103, create RADIUS scheme byodjay1x and enter its view. <WX6103>system-view System View: return to User View with Ctrl+Z. [WX6103]radius scheme byodjay1x New Radius scheme # Specify the IP address of the authentication and accounting servers (UAM) as , and set the shared key for authentication and accounting communications to hello. [WX6103-radius-byodjay1x]primary authentication [WX6103-radius-byodjay1x]primary accounting [WX6103-radius-byodjay1x]key authentication hello [WX6103-radius-byodjay1x]key accounting hello NOTE: UAM supports only one shared key. You must configure the same key for both authentication and accounting communications. # Specify the source IP address of RADIUS packets sent to UAM. [WX6103-radius-byodjay1x]nas-ip # Set the RADIUS server type to extended. [WX6103-radius-byodjay1x]server-type extended # Configure the usernames sent to the RADIUS server to include the ISP domain name. [WX6103-radius-byodjay1x]user-name-format with-domain [WX6103-radius-byodjay1x]quit 2. Configure an ISP domain: # Create ISP domain 1x and enter its view. 33

36 [WX6103]domain 1x # Configure the ISP domain to use RADIUS scheme byodjay1x for authentication, authorization, and accounting. [WX6103-isp-1x]authentication default radius-scheme byodjay1x [WX6103-isp-1x]authorization default radius-scheme byodjay1x [WX6103-isp-1x]accounting default radius-scheme byodjay1x [WX6103-isp-1x]quit # Configure ISP domain 1x as the default ISP domain. [WX6103]domain default enable 1x 3. Configure the DHCP relay agent and VLANs: # Enable DHCP and specify DHCP server for DHCP server group 1. [WX6103]dhcp enable [WX6103]dhcp relay server-group 1 ip # Create the security VLAN 33. [WX6103]vlan 33 [WX6103-vlan33]quit # Assign IP address to VLAN-interface 33. The IP address is the gateway address for DHCP scope 1x. [WX6103]interface Vlan-interface 33 [WX6103-Vlan-interface33]ip address # Enable DHCP relay agent on VLAN-interface 33, and associate DHCP server group 1 with the interface. [WX6103-Vlan-interface33]dhcp select relay [WX6103-Vlan-interface33]dhcp relay server-select 1 [WX6103-Vlan-interface33]quit # Advertise the network /24. (Details not shown.) # Create the isolation VLAN 66. [WX6103]vlan 66 [WX6103-vlan66]quit # Assign IP address to VLAN-interface 66. The IP address is the gateway address for DHCP scope 1x-isolate. [WX6103]interface Vlan-interface 66 [WX6103-Vlan-interface66]ip address # Enable DHCP relay agent on VLAN-interface 66, and associate DHCP server group 1 with the interface. [WX6103-Vlan-interface66]dhcp select relay [WX6103-Vlan-interface66]dhcp relay server-select 1 [WX6103-Vlan-interface66]quit # Advertise the network /24, and configure ACLs to control user access in VLAN 66. (Details not shown.) 4. Configure 802.1X authentication: # Create WLAN-ESS interface 33, set its port link type to hybrid, and enable MAC-based VLAN on the interface. [WX6103]interface wlan-ess 33 [WX6103-WLAN-ESS33]port link-type hybrid [WX6103-WLAN-ESS33]mac-vlan enable # Enable 802.1X authentication on WLAN-ESS interface 33. [WX6103-WLAN-ESS33]port-security port-mode userlogin-secure-ext 34

37 # Enable key negotiation of the 11key type on WLAN-ESS interface 33. [WX6103-WLAN-ESS33]port-security tx-key-type 11key # Specify ISP domain 1x as the mandatory authentication domain on WLAN-ESS interface 33. [WX6103-WLAN-ESS33]dot1x mandatory-domain 1x [WX6103-WLAN-ESS33]quit # Globally enable port security. For 802.1X authentication to take effect on a port, you must enable port security globally and on the port. [WX6103]port-security enable # Set the 802.1X authentication method to EAP. [WX6103]dot1x authentication-method eap 5. Configure a service template: # Create crypto type WLAN service template 33 for 802.1X authentication. [WX6103]wlan service-template 33 crypto # Configure the SSID of the service template as ss_byod_jay_1x. [WX6103-wlan-st-33]ssid ss_byod_jay_1x # Associate the service template with WLAN-ESS interface 33. [WX6103-wlan-st-33]bind wlan-ess 33 # Configure the service template to use the open-system authentication method. This authentication method is required if WPA is used. [WX6103-wlan-st-33]authentication-method open-system # Configure the security IE as WPA and cipher suite as TKIP. [WX6103-wlan-st-33]security-ie wpa [WX6103-wlan-st-33]cipher-suite tkip # Enable the service template. [WX6103-wlan-st-33]service-template enable Please wait... Done. [WX6103-wlan-st-33]quit 6. Create radio policy byodjay1x. You can skip this step to use the default radio policy. [WX6103]wlan radio-policy byodjay1x [WX6103-wlan-rp-byodjay1x]beacon-interval 200 [WX6103-wlan-rp-byodjay1x]dtim 4 [WX6103-wlan-rp-byodjay1x]rts-threshold 2300 [WX6103-wlan-rp-byodjay1x]fragment-threshold 2200 [WX6103-wlan-rp-byodjay1x]short-retry threshold 6 [WX6103-wlan-rp-byodjay1x]long-retry threshold 5 [WX6103-wlan-rp-byodjay1x]max-rx-duration 500 [WX6103-wlan-rp-byodjay1x]quit 7. Enter AP template byod and associate radio 1 with radio policy byodjay1x and service template 33. [WX6103]wlan ap byod [WX6103-wlan-ap-byod]radio 1 [WX6103-wlan-ap-byod-radio-1]channel auto [WX6103-wlan-ap-byod-radio-1]radio-policy byodjay1x [WX6103-wlan-ap-byod-radio-1]service-template 33 [WX6103-wlan-ap-byod-radio-1]radio enable [WX6103-wlan-ap-byod-radio-1]quit [WX6103-wlan-ap-byod]quit 35

38 Configuring MSM 760 Configuring the security VLAN 1. Log in to the Web interface of MSM From the navigation tree, select Network Tree > Controller. 3. Select Network > Network profiles. 4. Click Add New Profile. 5. Configure the VLAN name as ssbyodjay1x and VLAN ID as 33, as shown in Figure 57. Figure 57 Configuring the security VLAN 6. Click Save. Configuring a RADIUS profile 1. From the navigation tree, select Network Tree > Controller. 2. Select Authentication > RADIUS profiles. 3. Click Add New Profile. 4. Configure the RADIUS profile, as shown in Figure 58: a. Enter ss_byod_jay_1x in the Profile name field. b. Enter 1812 in the Authentication port field and 1813 in the Accounting port field. c. Select EAP MD5 from the Authentication method list. d. Enter in the Server address field for the primary RADIUS server. e. Enter hello in the Secret and Confirm secret fields for the primary RADIUS server. f. Use the default values for other parameters. 36

39 Figure 58 Configuring a RADIUS profile 5. Click Save. Configuring a VSC profile 1. From the navigation tree, select Network Tree > Controller > VSCs. 2. Select Overview > VSC profiles. 3. Click Add New VSC Profile. 4. Configure the VSC profile, as shown in Figure 59: a. Configure Global parameters: Enter ss_byod_jay_1x in the Profile name field. Select Authentication and uncheck Access control for the Use Controller for field. b. Configure Virtual AP parameters: Select the Virtual AP option. Enter ss_byod_jay_1x in the Name (SSID) field. Select the Broadcast name (SSID) option. c. Configure Wireless protection parameters: Select the Wireless protection option, and select WPA from the list next to the option. 37

40 Select WPA (TKIP) from the Mode list. Select Dynamic from the Key source list. d. Configure 802.1X authentication parameters: Select the 802.1X authentication option. Select the Remote option. Select ss_byod_jay_1x from the RADIUS list. Select ss_byod_jay_1x from the RADIUS accounting list. e. Uncheck the MAC-based authentication option. f. Use the default values for other parameters. 38

41 Figure 59 Configuring a VSC profile 39

42 5. Click Save. Configuring a VSC binding 1. From the navigation tree, select Network Tree > Controller. 2. Expand the Controlled APs node, and select the AP group to which the AP belongs. 3. Click the VSC bindings tab. 4. Click Add New Binding. 5. Select ss_byod_jay_1x from the VSC Profile list, as shown in Figure 60. Figure 60 Configuring a VSC binding 6. Click Save. Deploying configurations from MSM 760 to the AP 1. From the navigation tree, select Unsynchronized. 2. Select Overview > Discovered APs. 3. Select Synchronize Configuration from the Select the action to apply to all listed APs list, and then click Apply, as shown in Figure 61. Figure 61 Deploying configurations to the AP 40

43 Configuring the switch that connects the AP to MSM On the switch, enable DHCP, and specify DHCP server for DHCP server group 1. <SW>system-view System View: return to User View with Ctrl+Z. [SW]dhcp enable [SW]dhcp relay server-group 1 ip Create the security VLAN 33. [SW]vlan 33 [SW-vlan33]quit 3. Assign IP address to VLAN-interface 33. The IP address is the gateway address for DHCP scope 1x. [SW]interface Vlan-interface 33 [SW-Vlan-interface33]ip address Enable DHCP relay agent on VLAN-interface 33 and associate DHCP server group 1 with the interface. [SW-Vlan-interface33]dhcp select relay [SW-Vlan-interface33]dhcp relay server-select 1 [SW-Vlan-interface33]quit 5. Advertise the network /24. (Details not shown.) Configuring AIR-WLC2100-K9 Configuring authentication and accounting servers Configuring the authentication server 1. Click the SECURITY tab. 2. From the navigation tree, select AAA > RADIUS > Authentication. 3. On the RADIUS Authentication Servers page, click New. 4. Configure the following parameters, as shown in Figure 62: a. Enter in the Server IP Address field. b. Enter hello in the Shared Secret and Confirm Shared Secret fields. c. Enter 1812 in the Port Number field. d. Use the default values for other parameters. 41

44 Figure 62 Configuring the authentication server 5. Click Apply. Configuring the accounting server 1. From the navigation tree, select AAA > RADIUS > Accounting. 2. On the RADIUS Accounting Servers page, click New. 3. Configure the following parameters, as shown in Figure 63: a. Enter in the Server IP Address field. b. Enter hello in the Shared Secret and Confirm Shared Secret fields. c. Enter 1813 in the Port Number field. d. Use the default values for other parameters. Figure 63 Configuring the accounting server 4. Click Apply. 42

45 Configuring the security VLAN 1. Click the CONTROLLER tab. 2. From the navigation tree, click Interfaces. 3. On the Interfaces page, click New. 4. Configure the following parameters, as shown in Figure 64: a. Enter ssbyodjay1x in the Interface Name field. b. Enter 33 in the VLAN ID field. Figure 64 Adding the security VLAN 5. Click Apply. 6. On the Edit page, configure the following parameters, as shown in Figure 65: a. Enter the number of the port that connects to the upstream switch in the Port Number field. This example uses 1. b. Enter 33 in the VLAN Identifier field. c. Enter in the IP Address field. d. Enter in the Netmask field. e. Enter in the Gateway field. f. Enter in the Primary DHCP Server field. g. Use the default values for other parameters. 43

46 Figure 65 Configuring the security VLAN 7. Click Apply. Configuring WLAN authentication 1. Click the WLANs tab. 2. From the navigation tree, select WLANs > WLANs. 3. On the WLANs page, select Create New from the list in top-left corner, and then click Go. 4. Configure the following parameters, as shown in Figure 66: a. Enter ss_byod_jay_1x in the Profile Name field. b. Enter ss_byod_jay_1x in the SSID field. c. Use the default values for other parameters. 44

47 Figure 66 Adding a WLAN 5. Click Apply. The page for editing the WLAN opens. 6. Click the General tab and configure the following parameters, as shown in Figure 67: a. Select the Enabled option for Status. b. Use the default values for other parameters. Figure 67 General settings 7. Click the Security tab and do the following: a. Click the Layer 2 tab and configure the following parameters, as shown in Figure 68: Select WPA+WPA2 from the Layer 2 Security list. Select WPA Policy and WPA2 Policy. Select TKIP for both WPA Encryption and WPA2 Encryption. Select 802.1X from the Auth Key Mgmt list. 45

48 Figure 68 Layer 2 settings b. Use the default settings on the Layer 3 tab. c. Click the AAA Servers tab and configure the following parameters, as shown in Figure 69: Select the Enabled option for Radius Server Overwrite interface. Select the Enabled option for Authentication Servers, and select IP: , Port:1812 from the Server 1 list. Select the Enabled option for Accounting Servers, and select IP: , Port:1813 from the Server 1 list. Figure 69 AAA Servers settings 8. Use the default settings on the QoS tab. 9. Click the Advanced tab and configure the following parameters, as shown in Figure 70: a. Select Radius NAC from the NAC State list. b. Use the default values for other parameters. 46

49 Figure 70 Advanced settings 10. Click Apply. 11. From the navigation tree, select Advanced > AP Groups. 12. In the AP groups list, click default-group. The Edit 'default-group' page opens. 13. Click the WLANs tab. The ss_byod_jay_1x WLAN is added to the WLAN list of the default group, as shown in Figure 71. Figure 71 WLAN ss_byod_jay_1x in the default group Configuring the upstream switch of AIR-WLC2100-K9 1. Create the security VLAN 33. [SW]vlan 33 [SW-vlan33]quit 2. Assign IP address /24 to VLAN-interface 33. The IP address is the gateway address for DHCP scope 1x. [SW]interface Vlan-interface 33 47

50 [SW-Vlan-interface33]ip address [SW-Vlan-interface33]quit 3. Advertise the network /24. (Details not shown.) Verifying the configuration If a PC's MAC address is not in the endpoint MAC group, the PC cannot pass 802.1X authentication. (Authentication details not shown.) To verify the configuration: 1. On the PC with MAC address 00-B0-8C-D1-D3-D2, install the inode client that supports WLAN access. 2. Start the inode client. 3. Click the Refresh icon to obtain all available SSIDs, as shown in Figure 72. Figure 72 Displaying all SSIDs 4. Double-click SSID ss_byod_jay_1x in the list. 5. Enter the username and password, as shown in Figure

51 Figure 73 Providing the user credentials 6. Click Connect. The authentication and security check process starts. After the process is completed, the client displays the security check result. In this example, the user fails security check. UAM allows the user to access the security VLAN within 300 seconds. When the threshold is reached, UAM does the following: If the unsecure condition is removed, UAM allows the user to continue accessing the security VLAN 33. If the unsecure condition is not removed, UAM assigns the user to the isolation VLAN 66 (for WX6103) or logs off the user (for MSM 760 and AIR-WLC2100-K9). In this example, the unsecure condition is not removed, and UAM isolates the user, as shown in Figure 74. Figure 74 Security check result 7. Remove the unsecure condition from the PC. (Details not shown.) 49

52 8. On the inode client, click the Refresh icon and initiate 802.1X authentication again. The user passes the security check and is assigned an IP address of the security VLAN 33, as shown in Figure 75. You can view the user IP address on the NICs tab of the Management Plat page. Figure 75 Viewing the user IP address 50