HPE IMC BYOD WLAN MAC Authentication Configuration Examples

Transcription

1 HPE IMC BYOD WLAN MAC Authentication Configuration Examples Part Number: Software version: IMC UAM 7.2 (E0403) Document version: 2 The information in this document is subject to change without notice. Copyright 2016 Hewlett Packard Enterprise Development LP

2 Contents Introduction 1 Prerequisites 1 Restrictions and guidelines 1 UAM server configuration 1 Service suffix configuration 1 Access device configuration 2 VLAN deployment configuration 3 MAC authentication configuration 3 Example: Configuring MAC authentication with MAC-bound accounts 3 Network configurationrequirements 3 Analysis 5 Software versions used 5 Configuring the DHCP server 6 Creating DHCP scopes 6 Configuring the DHCP Agent 10 Configuring UAM 11 Configuring a BYOD page 11 Configuring a page push policy 12 Configuring the AC as an access device 13 Configuring access policies 16 Configuring access services 18 Configuring access accounts ftest and byodanonymous 20 Enabling transparent MAC authentication 22 Configuring WX Associating WX6103 with the AP 23 Configuring authentication settings on WX Configuring MSM Configuring a RADIUS profile 27 Configuring a VSC profile 28 Configuring a VSC binding 29 Configuring VLAN deployment for the byodanonymous account 30 Configuring VLAN deployment for the access account 31 Deploying configurations from MSM 760 to the AP 32 Configuring the switch that connects the AP to MSM Configuring AIR-WLC2100-K9 34 Configuring the authentication and accounting server 34 Configuring VLAN deployment 36 Configuring the WLAN 38 Configuring the upstream switch of AIR-WLC2100-K9 41 Verifying the configuration 42 Triggering MAC authentication for the first time 42 Binding the device MAC address with the access account 45 Performing a second MAC authentication process 46 Example: Configuring WLAN MAC authentication with MAC-based accounts 47 Network configuration 47 Analysis 48 Software versions used 49 Configuring the DHCP server 49 Configuring UAM 49 Configure the AC as an access device in UAM 49 Configuring an access policy 50 i

3 Configuring an access service 50 Adding the MAC-based access account 51 Configuring WX Configuring MSM Configuring AIR-WLC2100-K9 53 Verifying the configuration 53 ii

4 Introduction This document provides examples for configuring UAM and an AC (H3C WX6103, HP MSM 760, or Cisco AIR-WLC2100-K9) to implement WLAN MAC authentication on mobile devices. The AC relays the mobile device's MAC address to a remote RADIUS server (UAM). UAM checks the address against the access user database. If a user account is bound with the MAC address, or uses the MAC address as both the username and password, the mobile device is permitted network access and assigned to a specific VLAN for permission control. The VLAN assignment is configured for the user account in UAM. For a mobile device to pass MAC authentication, you must create an access user account bound to or based on the MAC address of the device in UAM. A MAC-bound account is an access account that is bound with the MAC address of a mobile device. The account-to-mac address binding is created by the mobile device user through the BYOD page or the Self-Service Center. Use MAC-bound accounts when the mobile devices on the network are frequently changed. A MAC-based account uses the MAC address of the mobile device as the account name and password. This type of account is created by an operator in UAM. Use MAC-based accounts when the mobile devices on the network are seldom changed. Prerequisites Before you configure WLAN MAC authentication, complete the following tasks: Deploy a DHCP server and a DNS server on the network. The examples in this document use the DHCP server and DNS server that are embedded in Windows Server. On the DHCP server, install the DHCP Agent plugin to identify endpoint information and to obtain endpoint IP addresses for UAM. The DHCP Agent installation file HP IMC DHCP Agent.exe is located in the /UAM directory of the IMC installation path. Copy the file to the DHCP server and double-click it to install the DHCP Agent plugin. (Details not shown.) Restrictions and guidelines UAM server configuration When you configure UAM, follow these restrictions and guidelines: UAM must provide both authentication and accounting services. Do not use another server to provide the accounting service. UAM must have the same port and shared key settings for authentication and accounting communication as the configurations on the AC. Service suffix configuration When you configure a service suffix for an access service in UAM, follow these restrictions and guidelines: 1

5 The service suffix configuration on UAM is closely related to the ISP domain configuration on the AC and the account name used by the mobile device for authentication. The account name used by a mobile device for MAC authentication is always the device's MAC address with no domain information. Table 1, Table 2, and Table 3 list the parameter correlations when WX6103, MSM 760, or AIR-WLC2100-K9 is used. Table 1 Parameter correlation on WX6103 Account name Authentication domain on WX6103 RADIUS commands configured on WX6103 Service suffixes in UAM MAC address Y user-name-format with-domain user-name-format without-domain Y No suffix NOTE: You can configure the MAC authentication domain on WX6103 in both interface view and system view. WX6103 selects the MAC authentication domain for a mobile device in the following order: MAC authentication domain specified in interface view. MAC authentication domain specified in system view. Default authentication domain. Table 2 Parameter correlation on MSM 760 Account name MAC address How MSM 760 handles the account name MSM 760 directly forwards the account name to UAM without making any modifications. Service suffix in UAM No suffix Table 3 Parameter correlation on AIR-WLC2100-K9 Account name MAC address How AIR-WLC2100-K9 handles the account name AIR-WLC2100-K9 directly forwards the account name to UAM without making any modifications. Service suffix in UAM No suffix Access device configuration You can add the AC to UAM manually or by selecting it from the IMC platform. When you manually add the AC to UAM, follow these restrictions and guidelines: For WX6103, use the NAS IP address (configured with the nas-ip command on the AC) as the IP address of the AC on UAM. If the nas-ip command is not configured, use the IP address of the interface (including VLAN interface) that connects to UAM. For MSM 760 or AIR-WLC2100-K9, use the IP address of the interface that connects to the UAM. When you select the AC from the IMC platform, follow these restrictions and guidelines: Make sure the AC is already added to the IMC platform manually or through auto discovery and uses the correct IP address. 2

6 If the AC in the resource pool does not use the correct IP address, you must manually specify the correct IP address of the access device. VLAN deployment configuration When you configure VLANs to be deployed for an access policy in UAM, follow these restrictions and guidelines: To work with WX6103, specify the VLAN by its ID. To work with MSM 760 or AIR-WLC2100-K9, specify the VLAN by its name. To make the VLAN take effect, bind the VLAN name on MSM 760 or AIR-WLC2100-K9 to the corresponding VLAN ID. MAC authentication configuration On WX6103, you cannot enable MAC authentication on by executing the mac-authentication command in interface view. To configure MAC authentication, use the port security feature. This document uses the WPA-PSK-TKIP security scheme. In this scheme, the wireless client must pass pre-shared key verification before it can be associated with the AP. When the client is associated with the AP, data exchanged between them must be encrypted. For more information about security schemes, see the wireless device configuration guide. Example: Configuring MAC authentication with MAC-bound accounts Network configuration As shown in Figure 1, Figure 2, and Figure 3, a mobile device user intends to access the Internet through MAC authentication with an access account named ftest. The authentication process is as follows: 1. The mobile device connects to SSID ss_byod_jay_mac for transparent MAC authentication. After authentication, UAM automatically binds the MAC address of the mobile device with the byodanonymous account and assigns the device to a public VLAN (VLAN 66). 2. The mobile device user binds the access account ftest with the device's MAC address by using either of the following methods: Access the BYOD page and enter the account name ftest and the password to bind it with the device MAC address. Log in to the Self-Service Center with account ftest, and then bind the account with the MAC address of the mobile device. 3. Perform MAC authentication again. If the access account is bound on the BYOD page, UAM automatically initiates the second MAC authentication process without user intervention. If the access account is bound in the Self-Service Center, the user must manually initiate a second MAC authentication process. After passing the authentication, the mobile device is assigned to a user VLAN (VLAN 33). An AC (WX6103, MSM 760, or AIR-WLC2100-K9) serves as the access device. WX6103 manages the user in a mandatory MAC authentication domain named mac1 and removes the domain name from the usernames to be sent to UAM for authentication. 3

7 On the AC, enable PSK authentication and set the pre-shared key to Set the shared key for secure RADIUS communication to hello, and set the ports for authentication and accounting to 1812 and 1813, respectively. Figure 1 Network diagram (WX6103) Figure 2 Network diagram (MSM 760) Figure 3 Network diagram (AIR-WLC2100-K9) 4

8 Analysis To redirect the mobile device to a BYOD page after it passes transparent MAC authentication, complete the following configurations: In UAM, configure a BYOD page and set the page as the Default BYOD Page in the service to be assigned to the byodanonymous account. On WX6103, the switch attached to MSM 760, or the upstream switch of AIR-WLC2100-K9, configure VLAN 66, and then configure portal authentication in the VLAN to redirect Web access requests to the BYOD page. To implement MAC authentication on the mobile device and assign it to the correct VLAN, complete the following configurations: In UAM, configure the following: a. Configure the AC as an access device. b. Configure two access policies. One policy deploys VLAN 33 and the other policy deploys VLAN 66. c. Configure the previous policies as the default access policies of two access services. d. Configure the byodanonymous account and a regular access account ftest. e. Assign services to byodanonymous and ftest account. f. Enable transparent MAC authentication on UAM. On WX6103, configure the VLAN, RADIUS scheme, ISP domain, global security settings, and WLAN settings. On MSM 760, configure the VLAN, RADIUS profile, VSC profile, and VSC bindings. The VLAN settings must also be configured on the switch attached to MSM 760. On AIR-WLC2100-K9, configure the VLAN, authentication and accounting server, and WLAN settings. The VLAN settings must also be configured on the upstream switch of AIR-WLC2100-K9. On the mobile device, bind the device's MAC address with access account ftest through the BYOD page or the Self-Service Center. To assign an IP address to the endpoint through DHCP, configure DHCP relay on WX6103, the switch attached to MSM 760, or AIR-WLC2100-K9. Software versions used This configuration example was created and verified on the following platforms: IMC UAM 7.2 (E0403) DHCP server embedded in Windows Server 2008 R2 Datacenter DHCP Agent plugin: HP IMC DHCP Agent Config Tool V7.0-E0102 H3C WX6103, Comware Software, Version 5.20, ESS2507P04 HP MSM 760, Software Version , Hardware Version B:48 Cisco AIR-WLC2100-K9, Software Version HUAWEI P6, Android

9 Configuring the DHCP server Creating DHCP scopes Create two scopes for MAC authentication. As listed in Table 4, scope guest_mac applies to access account ftest, and scope BYOD_mac applies to the byodanonymous account. Table 4 Scope configurations Scope name IP range Subnet mask Default gateway Usage guest_mac to Access accounts including ftest BYOD_mac to byodanonymous The procedure for creating scopes guest_mac and BYOD_mac is the same. Scope guest_mac is used as an example. To create scope guest_mac: 1. Start the DHCP server. 2. From the navigation tree, right-click a DHCP server and select New Scope from the shortcut menu. The New Scope Wizard opens. 3. Click Next. 4. On the Scope Name page, enter guest_mac in the Name field and click Next. Figure 4 Scope Name 5. On the IP Address Range page, enter as the start IP address, as the end IP addresses, and as the subnet mask, and click Next. 6

10 Figure 5 IP Address Range 6. On the Add Exclusions and Delay page, use the default settings and click Next. Figure 6 Add Exclusions and Delay 7. On the Lease Duration page, use the default settings and click Next. 7

11 Figure 7 Lease Duration 8. On the Configure DHCP Options page, select Yes, I want to configure these options now and click Next. Figure 8 Configure DHCP Options 9. On the Router (Default Gateway) page, specify the default gateway as and click Next. 8

12 Figure 9 Router (Default Gateway) 10. On the Domain Name and DNS Servers page, configure the name of the parent domain and IP address of the DNS server, and then click Next. This example uses uam.test.com as the parent domain name, and as the DNS server address. Figure 10 Domain Name and DNS Servers 11. On the WINS Servers page, specify the name and IP address of the WINS server and click Next. Alternatively, you can directly click Next without configuring a WINS Server. 9

13 Figure 11 WINS Servers 12. On the Activate Scope page, select Yes, I want to activate the scope now and click Next. Figure 12 Activate Scope 13. On the Completing the New Scope Wizard page, click Finish. Configuring the DHCP Agent 1. Double-click the DHCP Agent shortcut on the desktop to start the DHCP Agent. 10

14 2. Configure the DHCP agent parameters, as shown in Figure 13: a. Select the Enable Agent option. b. Enter the IP address of the UAM server. This example uses c. Use the default UAM server port and log level. d. Click Save Settings. e. Click Start DHCP Service. When the DHCP Agent is operating correctly, you can see a green check mark Status area. Figure 13 DHCP Agent in the Agent Configuring UAM Configuring a BYOD page Skip this configuration if you want the mobile device user to bind the device MAC address with an account in the Self-Service Center instead of through the BYOD page. To configure a BYOD page: 1. Click the User tab. 2. From the navigation tree, select User Access Policy > Customize Terminal Pages > BYOD Page. The BYOD Page opens, as shown in Figure

15 Figure 14 Accessing the BYOD Page 3. Click the Phone tab. 4. Click Add next to Template1 or Template2. The Add BYOD Page opens. 5. Enter BYOD for mobile phone in the Custom Name field, select By Account Name from the Registration and Authentication list, and use the default value for other parameters, as shown in Figure 15. Figure 15 Adding a BYOD page 6. Click OK. The new BYOD page is added to the BYOD page list, as shown in Figure 16. Figure 16 Viewing the new BYOD page Configuring a page push policy 1. Click the User tab. 2. From the navigation tree, select User Access Policy > Page Push Policy. 12

16 The page push policy list page opens. 3. Click Add. 4. On the Add Page Push Policy page, configure the following parameters, as shown in Figure 17: a. Enter BYOD for mobile phone in the Policy Name field. b. Select MAC from the Authentication Method list. c. Select PHONE-BYOD for mobile phone from the Default Authentication Page list. d. Click OK. Figure 17 Add Page Push Policy Configuring the AC as an access device 1. Click the User tab. 2. From the navigation tree, select User Access Policy > Access Device Management > Access Device. The Access Device page opens, as shown in Figure 18. Figure 18 Accessing the Access Device page 3. In the access device list, click Add. The Add Access Device page opens, as shown in Figure

17 Figure 19 Add Access Device 4. Add the AC to UAM as an access device. You can manually add a device or select the device from the IMC platform. This example uses the manual method. To manually add the AC to UAM: a. In the Device List area, click Add Manually. b. Configure the IP address of the AC: For WX6103, enter in the Start IP field. For MSM 760, enter in the Start IP field. For AIR-WLC2100-K9, enter in the Start IP field. This example uses , as shown in Figure 20. c. Click OK. Figure 20 Adding a device manually 5. Configure access information for the access device, as shown in Figure 21: a. Enter 1812 and 1813 in the Authentication Port and Accounting Port fields, respectively. b. Select Fully Supported from the RADIUS Accounting list. c. Select LAN Access Service from the Service Type list. 14

18 d. Select the access device type from the Access Device Type list. For WX6103, select H3C(General). For MSM 760, select HP(General). For AIR-WLC2100-K9, select CISCO(General). e. Enter hello in the Shared Key field. Make sure the shared key you configure for the access device in UAM is the same as the shared key in the CLI configuration on the access device. If Displays Key in is set to Cipertext (Displays ******) in system settings, the Confirm Shared Key field appears. f. Use the default values for the Service Group and Access Device Group fields. 6. Click OK. Figure 21 Adding an access device 7. On the result page that opens, click Back to Access Device List. The AC is added to the access device list, as shown in Figure 22. Figure 22 Viewing the AC 15

19 Configuring access policies Configuring an access policy to deploy VLAN From the navigation tree, select User Access Policy > Access Policy. The Access Policy page opens, as shown in Figure 23. Figure 23 Accessing the Access Policy page 2. In the access policy list area, click Add. The Add Access Policy page opens. 3. Enter mac-access-policy1 in the Access Policy Name field. 4. Configure the deploy VLAN: For WX6103, enter 33 in the Deploy VLAN field, as shown in Figure 24. For MSM 760 or AIR-WLC2100-K9, enter byodjaymac in the Deploy VLAN field, as shown in Figure 25. Figure 24 Configuring the access policy for WX

20 Figure 25 Deploy VLAN for MSM 760 or AIR-WLC2100-K9 5. Click OK. The new access policy is added to the access policy list, as shown in Figure 26. Figure 26 Viewing the access policy Configuring an access policy to deploy VLAN On the Access Policy page, click Add. The Add Access Policy page opens. 2. Enter mac-policy2 in the Access Policy Name field. 3. Configure the deploy VLAN: For WX6103, enter 66 in the Deploy Field, as shown in Figure 27. For MSM 760, enter byodjaymac2 in the Deploy Field, as shown in Figure Click OK. 17

21 Figure 27 Configuring the access policy for WX6103 Figure 28 Deploy VLAN for MSM 760 or AIR-WLC2100-K9 Configuring access services Configuring an access service for the access account ftest 1. From the navigation tree, select User Access Policy > Access Service. The Access Service page opens. 2. Click Add, as shown in Figure 29. Figure 29 Accessing the Access Service page The Add Access Service page opens. 18

22 3. Configure the basic information for the access service, as shown in Figure 30: a. Enter mac-service in the Service Name field. b. Leave the Service Suffix field empty. For more information about the service suffix configuration, see "Service suffix configuration." c. Select the access policy named mac-access-policy1 from the Default Access Policy list. d. Use the default values for other parameters. Figure 30 Configuring an access service for the access user 4. Click OK. The new access service is added to the access service list, as shown in Figure 31. Figure 31 Viewing the access service Configuring an access service for the byodanonymous account 1. On the Access Service page, click Add. The Add Access Service page opens. 2. Configure the basic information for the access service, as shown in Figure 32: a. Enter mac-service2 in the Service Name field. b. Select the access policy named mac-policy2 from the Default Access Policy list. c. Select the BYOD page named PHONE - BYOD for mobile phone from the Default BYOD Page list. 3. Click OK. 19

23 Figure 32 Configuring an access service for the byodanonymous user Configuring access accounts ftest and byodanonymous Configuring the access account ftest 1. From the navigation tree, select Access User > All Access Users. The All Access Users page opens. 2. Click Add, as shown in Figure 33. The Add Access User page opens. Figure 33 Accessing the All Access Users page 3. Click Select next to the User Name field to select an IMC platform user to be associated with the access user. This example uses ftest, as shown in Figure

24 Figure 34 Selecting a platform user 4. Configure the following information for the access user, as shown in Figure 35: b. Enter ftest in the Account Name field. c. Enter a password in the Password and Confirm Password fields. This example uses 1 as the password. d. Select the access service named mac-service from the access service list. e. Use the default values for other parameters. Figure 35 Adding an access user 5. Click OK. 21

25 Configuring the byodanonymous account 1. On the All Access Users page, click Add. The Add Access User page opens. 2. Configure the following information for the byodanonymous account, as shown in Figure 36: a. Select Default BYOD User. b. Select the service named mac-service2 from the access service list. c. Use the default values for other parameters. 3. Click OK. Figure 36 Configuring the byodanonymous account Enabling transparent MAC authentication 1. From the navigation tree, select User Access Policy > Service Parameters > System Settings. 2. Click the Configure icon for User Endpoint Settings. The User Endpoint Settings page opens. 3. Select Yes for Enable MAC Transparent Authentication, as shown in Figure Click OK. Figure 37 Enabling transparent MAC authentication 22

26 Configuring WX6103 Associating WX6103 with the AP After you associate WX6103 with an AP, the two devices establish a tunnel to forward traffic. WX6103 can associate with the AP automatically or through configuration. This example uses the manual method. 1. On the AP, display information about the AP and record its model number, serial ID, hardware version, and software version. # Display AP information. <WA2612-AGN>display wlan ap Display AP Profile Model Number Serial-ID : WA2612-AGN AP Address : H/W Version S/W Version : A0ALC : Ver.D Boot Version : 1.23 Mode Device State Master AC: Description AC Address State : V100R001B71D024( ) : Split Mac Mode : Zero configuration state : -NA- : -NA- Transmitted control packets : 0 Received control packets : 0 Transmitted data packets : 0 Received data packets : 0 Latest AC IP address Tunnel Down Reason : BDisc : -NA- : -NA Unicast static AC IPv4 address: Not Configured Unicast static AC IPv6 address: Not Configured Configure WX6103. # Enable WLAN service. <H3C>system-view System View: return to User View with Ctrl+Z. [H3C]wlan enable % Info: WLAN service enabled # Create an AP template named byod and specify the AP model. [H3C]wlan ap byod model WA2612-AGN # Specify the AP serial ID. [H3C-wlan-ap-byod]serial-id A0ALC [H3C-wlan-ap-byod]quit # Specify the software and hardware version of the AP. 23

27 [H3C]wlan apdb WA2612-AGN Ver.D V100R001B71D On the AP, specify the IP address of WX6103 to associate the AP with WX6103. <WA2612-AGN>system-view System View: return to User View with Ctrl+Z. [WA2612-AGN]wlan ac ip On WX6103, display all associated APs. [H3C]display wlan ap all Total Number of APs configured : 1 Total Number of configured APs connected : 0 Total Number of auto APs connected : 1 AP Profiles State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad C = Config, R = Run, KU = KeyUpdate, KC = KeyCfm AP Name State Model Serial-ID Byod R/M WA2612-AGN A0ALC T The R/M state output shows that the AP has successfully associated with the active AC WX6103. Configuring authentication settings on WX Configure a RADIUS scheme: # Create a RADIUS scheme named byodjaymac and enter its view. <WX6103>system-view System View: return to User View with Ctrl+Z. [WX6103]radius scheme byodjaymac New Radius scheme # Specify the IP address of the authentication and accounting server (UAM) as , and set the shared key for RADIUS authentication and accounting communication to hello. [WX6103-radius-byodjaymac]primary authentication [WX6103-radius-byodjaymac]primary accounting [H3C-radius-test1]key authentication hello [H3C-radius-test1]key accounting hello # Specify the source IP address of RADIUS packets sent to UAM. [WX6103-radius-byodjaymac]nas-ip # Set the RADIUS server type as extended to support UAM. [WX6103-radius-byodjaymac]server-type extended # Configure the AC to remove domain information from the usernames to be sent to the RADIUS server. [WX6103-radius-byodjaymac]user-name-format without-domain [WX6103-radius-byodjaymac]quit 2. Configure an ISP domain: # Create an ISP domain to use RADIUS scheme byodjaymac for authentication, authorization, and accounting. [WX6103]domain mac1 [WX6103-isp-mac1]authentication default radius-scheme byodjaymac 24

28 [WX6103-isp-mac1]authorization default radius-scheme byodjaymac [WX6103-isp-mac1]accounting default radius-scheme byodjaymac [WX6103-isp-mac1]quit 3. Configure portal authentication: # Configure a portal server named formac. Specify the IP address of the portal server and the redirection URL. [WX6103]portal server formac ip key expert server-type imc url # Configure portal-free rules for the DHCP and DNS server. [WX6103]portal free-rule 1 destination ip mask [WX6103]portal free-rule 2 destination ip mask Configure DHCP relay: # Enable DHCP and configure DHCP server group 1. [WX6103]dhcp enable [WX6103]dhcp relay server-group 1 ip Configure the VLAN to be applied to the access user: # Create VLAN 33. [WX6103]vlan 33 [WX6103-vlan33]quit # Configure the gateway address of the DHCP scope guest_mac for VLAN-interface 33. [WX6103]interface Vlan-interface 33 [WX6103-Vlan-interface33]ip address # Enable DHCP relay on VLAN-interface 33, and correlate DHCP server group 1 with the interface. [WX6103-Vlan-interface33]dhcp select relay [WX6103-Vlan-interface33]dhcp relay server-select 1 [WX6103-Vlan-interface33]quit # Advertise the network /24. (Details not shown.) 6. Configure a VLAN to be applied to the byodanonymous user: # Create VLAN 66. [WX6103]vlan 66 [WX6103-vlan66]quit # Create the VLAN interface for VLAN 66, and configure the gateway address of the DHCP scope BYOD_mac for VLAN-interface 66. [WX6103]interface Vlan-interface 66 [WX6103-Vlan-interface66]ip address # Enable DHCP relay on the VLAN interface and correlate DHCP server group 1 with the interface. [WX6103-Vlan-interface66]dhcp select relay [WX6103-Vlan-interface66]dhcp relay server-select 1 # Enable portal authentication on the VLAN interface. [WX6103-Vlan-interface66]portal server formac method direct [WX6103-Vlan-interface66]quit # Advertise the network /24. (Details not shown.) 7. Configure the WLAN-ESS interface for VLAN 33: # Create WLAN-ESS 33, set its link type to hybrid, and enable the MAC-based VLAN on the interface. [WX6103]interface wlan-ess 33 25

29 [WX6103-WLAN-ESS33]port link-type hybrid [WX6103-WLAN-ESS33]mac-vlan enable # Enable MAC authentication and PSK authentication on WLAN-ESS 33. [WX6103-WLAN-ESS33]port-security port-mode mac-and-psk # Enable key negotiation of the 11key type and set the pre-shared key to [WX6103-WLAN-ESS33]port-security tx-key-type 11key [WX6103-WLAN-ESS33]port-security preshared-key pass-phrase simple # Specify domain mac1 as the MAC authentication domain on WLAN-ESS 33. [WX6103-WLAN-ESS33]mac-authentication domain mac1 [WX6103-WLAN-ESS33]quit 8. Configure port security. For MAC authentication to takes effect on a port, you must enable port security globally and on the port. #Globally enable port security. [WX6103]port-security enable # Configure WX6103 to remove hyphens in the MAC addresses to be forwarded to UAM for authentication. [WX6103]mac-authentication user-name-format mac-address without-hyphen 9. Configure a WLAN service template for WLAN MAC authentication: # Create a crypto-type WLAN service template. [WX6103]wlan service-template 33 crypto # Configure the SSID of the service template as ss_byod_jay_mac. [WX6103-wlan-st-33]ssid ss_byod_jay_mac # Bind the service template to WLAN-ESS 33. [WX6103-wlan-st-33]bind wlan-ess 33 # Configure the service template to use open-system authentication method. This authentication method is required if WPA is used. [WX6103-wlan-st-33]authentication-method open-system # Configure the security IE as WPA and the cipher suite as TKIP. [WX6103-wlan-st-33]security-ie wpa [WX6103-wlan-st-33]cipher-suite tkip # Enable the service template. [WX6103-wlan-st-33]service-template enable Please wait... Done. [WX6103-wlan-st-33]quit 10. Create a radio policy. You can skip this step if you want to use the default radio policy. # Configure a radio policy named byodjaymac. [WX6103]wlan radio-policy byodjaymac [WX6103-wlan-rp-byodjaymac]beacon-interval 200 [WX6103-wlan-rp-byodjaymac]dtim 4 [WX6103-wlan-rp-byodjaymac]rts-threshold 2300 [WX6103-wlan-rp-byodjaymac]fragment-threshold 2200 [WX6103-wlan-rp-byodjaymac]short-retry threshold 6 [WX6103-wlan-rp-byodjaymac]long-retry threshold 5 [WX6103-wlan-rp-byodjaymac]max-rx-duration 500 [WX6103-wlan-rp-byodjaymac]quit 11. Configure the AP template. 26

30 # In AP template byod view, associate radio 1 with radio policy byodjaymac and service template 33. [WX6103]wlan ap byod [WX6103-wlan-ap-byod]radio 1 [WX6103-wlan-ap-byod-radio-1]channel auto [WX6103-wlan-ap-byod-radio-1]radio-policy byodjaymac [WX6103-wlan-ap-byod-radio-1]service-template 33 [WX6103-wlan-ap-byod-radio-1]radio enable [WX6103-wlan-ap-byod-radio-1]quit [WX6103-wlan-ap-byod]quit Configuring MSM 760 Configuring a RADIUS profile 1. From the navigation tree, select Network Tree > Controller. 2. In the top navigation bar, select Authentication > RADIUS profiles. 3. Click Add New Profile. The Add/Edit RADIUS profile page opens. 4. Configure the RADIUS profile, as shown in Figure 38: a. Enter byodjaymac in the Profile name field. b. Enter 1812 and 1813 in the Authentication port and Accounting port fields, respectively. c. Select PAP from the Authentication method list. d. Enter the IP address of the UAM server in the Server address field. e. Enter hello in the Secret and Confirm secret fields. f. Use the default values for other parameters. 5. Click Save. 27

31 Figure 38 Configuring a RADIUS profile Configuring a VSC profile 1. From the navigation tree, select Network Tree > Controller > VSCs. 2. In the top navigation bar, select Overview > VSC profiles. 3. Click Add New VSC Profile. 4. Configure the VSC profile, as shown in Figure 39: a. Configure Global parameters: Enter ss_byod_jay_mac in the Profile name field. Select the Authentication option for the Use Controller for field. b. Configure Virtual AP parameters: Select the Virtual AP option. Enter the secure SSID ss_byod_jay_mac in the Name (SSID) field. Select the Broadcast name (SSID) option. c. Configure Wireless protection parameters: Select the Wireless protection option and select WPA from the list next to the option. Select WPA (TKIP) from the Mode list. Select Preshared Key from the Key source list. Enter in the Key and Confirm key fields. d. Configure MAC-based authentication parameters: Select the MAC-based authentication option. Select the Remote option. Select the RADIUS profile byodjaymac from the RADIUS list. Select the RADIUS profile byodjaymac from the RADIUS accounting list. Clear the HTML-based user logins and VPN-based authentication options. 28

32 Use the default values for other parameters. 5. Click Save. Figure 39 Configuring a VSC profile Configuring a VSC binding 1. In the Network Tree area, expand the Controlled APs node and select an AP group. This example uses lixin_group. 2. In the top navigation bar, click the VSC bindings tab. 29

33 3. Click Add New Binding. The page for adding a VSC binding opens. 4. Select ss_byod_jay_mac from the VSC Profile list, as shown in Figure Click Save. Figure 40 Configuring a VSC binding Configuring VLAN deployment for the byodanonymous account 1. From the navigation tree, select Network Tree > Controller. 2. In the top navigation bar, select Network > Network profiles. 3. Click Add New Profile. 4. Configure the VLAN name as byodjaymac2 and VLAN ID as 66, as shown in Figure Click Save. 30

34 Figure 41 Configuring the VLAN for the access user Configuring VLAN deployment for the access account 1. Log in to the Web interface of MSM From the navigation tree, select Network Tree > Controller. 3. In the top navigation bar, select Network > Network profiles. 4. Click Add New Profile. 5. Configure the VLAN name as byodjaymac and VLAN ID as 33, as shown in Figure Click Save. 31

35 Figure 42 Configuring VLAN deployment for the access user Deploying configurations from MSM 760 to the AP 1. From the navigation tree, select Summary > Unsynchronized. 2. In the top navigation bar, select Overview > Discovered APs. 3. Select Synchronize Configuration from the Select the action to apply to all listed APs list, as shown in Figure Click Apply. 32

36 Figure 43 Deploying configurations to the AP Configuring the switch that connects the AP to MSM Configure the routing protocol and management VLAN on the switch. (Details not shown.) 2. Configure portal authentication: # Configure a portal server named formac. Specify the IP address of the portal server and the redirection URL. <SW>system-view System View: return to User View with Ctrl+Z. [WX6103]portal server formac ip key expert server-type imc url # Configure portal-free rules for the DHCP and DNS server. [WX6103]portal free-rule 1 destination ip mask [WX6103]portal free-rule 2 destination ip mask Configure DHCP relay: # Enable DHCP on the switch, and add DHCP server to DHCP server group 1. [SW]dhcp enable [SW]dhcp relay server-group 1 ip Configure the VLAN for the access user: # Create VLAN 33. [SW]vlan 33 [SW-vlan33]quit # Configure the gateway IP address of the DHCP scope guest_mac for VLAN-interface 33. [SW]interface Vlan-interface 33 [SW-Vlan-interface33]ip address # Enable DHCP relay on VLAN-interface 33 and associate DHCP server group 1 with the interface. 33

37 [SW-Vlan-interface33]dhcp select relay [SW-Vlan-interface33]dhcp relay server-select 1 [SW-Vlan-interface33]quit # Advertise the network /24. (Details not shown.) 5. Configure the VLAN for the byodanonymous user: # Create VLAN 66. [SW]vlan 66 [SW-vlan33]quit # Configure the gateway IP address of the DHCP scope BYOD_mac for VLAN-interface 66. [SW]interface Vlan-interface 66 [SW-Vlan-interface33]ip address # Enable DHCP relay on VLAN-interface 66 and associate DHCP server group 1 with the interface. [SW-Vlan-interface66]dhcp select relay [SW-Vlan-interface66]dhcp relay server-select 1 # Enable portal authentication on the VLAN interface 66. [SW-Vlan-interface66]portal server formac method direct [SW-Vlan-interface66]quit # Advertise the network /24. (Details not shown.) Configuring AIR-WLC2100-K9 Configuring the authentication and accounting server Configuring the authentication server 1. Click the SECURITY tab. 2. From the navigation tree, select AAA > RADIUS > Authentication. 3. On the RADIUS Authentication Servers page, click New. 4. Configure the following parameters, as shown in Figure 44: a. Enter in the Server IP Address field. b. Enter hello in the Shared Secret and Confirm Shared Secret fields. c. Enter 1812 in the Port Number field. d. Use the default values for other parameters. 5. Click Apply. 34

38 Figure 44 Configuring the authentication server Configuring the accounting server 1. From the navigation tree, select AAA > RADIUS > Accounting. 2. On the RADIUS Accounting Servers page, click New. 3. Configure the following parameters, as shown in Figure 45: a. Enter in the Server IP Address field. b. Enter hello in the Shared Secret and Confirm Shared Secret fields. c. Enter 1813 in the Port Number field. d. Use the default values for other parameters. 4. Click Apply. Figure 45 Configuring the accounting server 35

39 Configuring VLAN deployment Configuring the public VLAN 1. Click the CONTROLLER tab. 2. From the navigation tree, select Interfaces. 3. On the Interfaces page, click New. 4. Configure the following parameters, as shown in Figure 46: a. Enter byodjaymac2 in the Interface Name field. b. Enter 66 in the VLAN Id field. Figure 46 Configuring a public VLAN 5. Click Apply. The page for editing the VLAN interface opens. 6. Configure the following parameters, as shown in Figure 47: a. Enter the port number of the upstream switch to which the AC connects in the Port Number field. This example uses 1. b. Enter 66 in the VLAN Identifier field. c. Enter in the IP Address field. d. Enter in the Netmask field. e. Enter in the Gateway field. f. Enter in the Primary DHCP Server field. g. Use the default values for other parameters. 7. Click Apply. 36

40 Figure 47 Configuring the public VLAN Configuring the user VLAN 1. Click the CONTROLLER tab. 2. From the navigation tree, select Interfaces. 3. On the Interfaces page, click New. 4. Configure the following parameters, as shown in Figure 48: a. Enter byodjaymac in the Interface Name field. b. Enter 33 in the VLAN Id field. Figure 48 Configuring the user VLAN 5. Click Apply. The page for editing the VLAN interface opens. 37

41 6. Configure the following parameters, as shown in Figure 49: a. Enter the port number of the upstream switch to which the AC connects in the Port Number field. This example uses 1. b. Enter 33 in the VLAN Identifier field. c. Enter in the IP Address field. d. Enter in the Netmask field. e. Enter in the Gateway field. f. Enter in the Primary DHCP Server field. g. Use the default values for other parameters. 7. Click Apply. Figure 49 Editing the VLAN interface Configuring the WLAN Creating a WLAN 1. Click the WLANs tab. 2. From the navigation tree, select WLANs > WLANs. 3. On the WLANs page, select Create New from the list in top-left corner and click Go. The page for creating a WLAN opens. 4. Configure the following parameters, as shown in Figure 50: a. Enter ss_byod_jay_mac in the Profile Name field. 38

42 b. Enter ss_byod_jay_mac in the SSID field. c. Use the default values for other parameters. Figure 50 Configuring a WLAN 5. Click Apply. The page for editing the WLAN opens. 6. Click the General tab and configure the following parameters, as shown in Figure 51: a. Select Enabled for Status. b. Use the default values for other parameters. Figure 51 Configuring the General tab 7. Click the Security tab and configure the following: a. Click the Layer 2 tab and configure the following parameters, as shown in Figure 52: Select WPA+WPA2 from the Layer 2 Security list. Select MAC Filtering. Select WPA Policy and WPA2 Policy. Select AES and TKIP for both WPA Encryption and WPA2 Encryption. 39

43 Select PSK from the Auth Key Mgmt list. Select ASCII from the PSK Format list Enter as the pre-shared key. b. Use the default settings on the Layer 3 tab. c. Click the AAA Servers tab and configure the following parameters, as shown in Figure 53: Select Enabled for Radius Server Overwrite interface. Select Enabled for Authentication Servers and select IP: , Port:1812 from the Server 1 list. Select Enabled for Accounting Servers and select IP: , Port:1813 from the Server 1 list. Figure 52 Configuring the Layer 2 tab Figure 53 Configuring the AAA Servers tab 8. Use the default settings on the QoS tab. 40

44 9. Click the Advanced tab and select None from the NAC State list, as shown in Figure Click Apply. Figure 54 Configuring the Advanced tab Viewing the new WLAN 1. Click the WLANs tab. 2. From the navigation tree, select Advanced > AP Groups. 3. In the AP groups list, click default-group. The Edit 'default-group' page opens. 4. Click the WLANs tab. The new WLAN named ss_byod_jay_mac is added to the WLAN list of the default group, as shown in Figure 55. Figure 55 Viewing the WLANs Configuring the upstream switch of AIR-WLC2100-K9 1. Configure the routing protocol and management VLAN on the switch. (Details not shown.) 41

45 2. Configure portal authentication: # Configure a portal server named formac. Specify the IP address of the portal server and the portal redirection URL. <SW>system-view System View: return to User View with Ctrl+Z. [SW]portal server formac ip key expert server-type imc url # Configure portal-free rules for the DHCP and DNS servers. [SW]portal free-rule 1 destination ip mask [SW]portal free-rule 2 destination ip mask Configure the VLAN for the access user: # Create VLAN 33. [SW]vlan 33 [SW-vlan33]quit # Configure the gateway address of DHCP scope guest_mac as the IP address of VLAN-interface 33. The setting must match the gateway address of VLAN 33 on AIR-WLC2100-K9. [SW]interface Vlan-interface 33 [SW-Vlan-interface33]ip address [SW-Vlan-interface33]quit # Advertise the network /24. (Details not shown.) 4. Configure the VLAN for the byodanonymous user: # Create VLAN 66. [SW]vlan 66 [SW-vlan66]quit # Configure the gateway address of DHCP scope BYOD_mac as the IP address of VLAN-interface 66. The setting must match the gateway address of VLAN 66 on AIR-WLC2100-K9. [SW]interface Vlan-interface 66 [SW-Vlan-interface66]ip address # Enable portal authentication on VLAN-interface 66. [SW-Vlan-interface66]portal server formac method direct [SW-Vlan-interface66]quit # Advertise the network /24. (Details not shown.) Verifying the configuration Triggering MAC authentication for the first time 1. On the mobile device, enable WLAN to search and connect to SSID ss_byod_jay_mac. 42

46 Figure 56 Locating SSID ss_byod_jay_mac 2. On the page that opens, enter pre-shared key as the password, as shown in Figure 57. Figure 57 Entering the pre-shared key 3. Click Connect. 4. Click SSID ss_byod_jay_mac to view connection details. As shown in Figure 58, the mobile device is assigned the IP address The mobile device user logs in as the byodanonymous account and is assigned to VLAN

47 Figure 58 Connection details 5. View the MAC-to-account bindings on UAM: Select Access Users > Online Users from the navigation tree. As shown in Figure 59, the online user list displays a user with byodanonymous as the account name and the MAC address of the mobile device as the login name. Figure 59 Viewing the MAC-to-account bindings in the online user list Select User Endpoint > Endpoint Management from the navigation tree. In the endpoint list, the MAC address of the mobile device is bound with the account byodanonymous, as shown in Figure 60. Figure 60 Viewing the MAC-to-account bindings in the endpoint list 44

48 Binding the device MAC address with the access account You can bind the MAC address of a mobile device with an access account on the BYOD page or through the Self-Service Center. Binding the device MAC address with the access account on the BYOD page 1. On the mobile device, enter a website URL in the Web browser. The BYOD page opens. 2. Configure the following parameters, as shown in Figure 61: Select Use an Existing Account from the Access Method list. Enter the account name ftest and the password. 3. Click OK. Figure 61 BYOD page UAM automatically binds the MAC address of the mobile device with the account the user provides on the BYOD page. Binding the device MAC address with the access account on the Self-Service Center 1. On the mobile device, enter in the address bar of the Web browser. The Self-Service Center login page opens. 2. Enter the account name ftest and the password. 3. Enter the verify code. 4. Click Login. The Self-Service Center homepage opens. 5. From the navigation tree, select Endpoint Management > Endpoint List. 6. In the MAC address list area, click Bind Online Endpoint. Viewing the MAC-to-account bindings on UAM In IMC, click the User tab and select User Endpoint > Endpoint Management from the navigation tree. In the endpoint list, you can see that the MAC address of the mobile device is bound with the account ftest, as shown in Figure

49 Figure 62 Viewing the MAC-to-account bindings Performing a second MAC authentication process When the device MAC address is bound to a regular account on the BYOD page, UAM immediately logs out the byodanonymous user and automatically performs a second MAC authentication process for the mobile device. If the binding is created on the Self-Service Center, the mobile device user must manually log out and re-login to trigger another MAC authentication process. After the user passes authentication, view the connection details. As shown in Figure 63, the mobile device is assigned IP address The mobile device logs in as the ftest account and is assigned to VLAN 33. Figure 63 Association details for second login In IMC, the online user list displays that user ftest is bound with the MAC address of the mobile device, as shown in Figure

50 Figure 64 Viewing the MAC-to-account bindings in the online user list Example: Configuring WLAN MAC authentication with MAC-based accounts Network configuration As shown in Figure 65, Figure 66, and Figure 67, a mobile device user intends to access the Internet through MAC authentication with a MAC-based account. The authentication process is as follows: 1. On UAM, an access user account is added and uses the MAC address of the mobile device (087A-4C11-A17F) as both the account name and password. 2. The mobile device connects to SSID ss_byod_jay_mac for MAC authentication. 3. The mobile device matches the access user account in UAM. It passes MAC authentication and is placed in VLAN 33 for permission control. An AC (WX6103, MSM 760, or AIR-WLC2100-K9) serves as the access device. WX6103 manages the user in a mandatory MAC authentication domain named mac1, and removes the domain name from the usernames to be sent to UAM for authentication. On the AC, enable PSK authentication and set the pre-shared key to Set the shared key for secure RADIUS communication to hello. Set the ports for authentication and accounting to 1812 and 1813, respectively. 47

51 Figure 65 Network diagram (WX6103) Figure 66 Network diagram (MSM 760) Figure 67 Network diagram (AIR-WLC2100-K9) Analysis To implement MAC authentication on mobile device, complete the following configurations: 48

52 In UAM, configure the following: a. Configure the AC as an access device. b. Configure VLAN deployment in an access policy. c. Use the previous access policy as the default access policy in an access service. d. Configure a MAC-based user account for the mobile device and assign the previous access service to the account. On WX6103, configure the deploy VLAN, RADIUS scheme, ISP domain, global security settings, and WLAN settings. On MSM 760, configure the deploy VLAN, RADIUS profile, VSC profile, and VSC bindings. On AIR-WLC2100-K9, configure the authentication and accounting server, the access user VLAN, and WLAN settings. To assign an IP address to the endpoint through DHCP, configure DHCP relay on WX6103, the switch attached to MSM 760, or AIR-WLC2100-K9. Software versions used This configuration example was created and verified on the following platforms: IMC UAM 7.0 (E0103P01) DHCP server embedded in Windows Server 2008 R2 Datacenter DHCP Agent plugin: HP IMC DHCP Agent Config Tool V7.0-E0102 H3C WX6103, Comware Software, Version 5.20, ESS2507P04 HP MSM 760, Software Version , Hardware Version B:48 Cisco AIR-WLC2100-K9, Software Version HUAWEI P6, Android Configuring the DHCP server 1. Configure a DHCP scope, as listed in Table 5. Table 5 DHCP scope Scope name IP address range Mask Default gateway guest_mac to Configure the DHCP Agent. This configuration is optional. The DHCP Agent does not participate in MAC authentication, but it can be leveraged to obtain and display endpoint information such as the IP address, type, vendor, and OS in UAM. For information about configuring the DHCP scope and the DHCP Agent, see "Configuring the DHCP server." Configuring UAM Configure the AC as an access device in UAM See "Configuring the AC as an access device." 49

53 Configuring an access policy 1. From the navigation tree, select User Access Policy > Access Policy. 2. In the access policy list area, click Add. The Add Access Policy page opens. 3. Enter mac-access-policy1 in the Access Policy Name field. 4. Configure the deploy VLAN: For WX6103, enter 33 in the Deploy VLAN field, as shown in Figure 68. For MSM 760 or AIR-WLC2100-K9, enter byodjaymac in the Deploy VLAN field, as shown in Figure 69. Figure 68 Configuring an access policy for WX6103 Figure 69 Deploy VLAN for MSM 760 or AIR-WLC2100-K9 5. Click OK. Configuring an access service 1. From the navigation tree, select User Access Policy > Access Service. 50

54 2. On the Access Service page, click Add. The Add Access Service page opens. 3. Configure the basic information for the access service, as shown in Figure 70: a. Enter mac-service in the Service Name field. b. Select the access policy named mac-access-policy1 from the Default Access Policy list. c. Leave the Service Suffix field empty. For more information about the service suffix configuration, see "Service suffix configuration." d. Use the default values for other parameters. 4. Click OK. Figure 70 Configuring an access service Adding the MAC-based access account Adding a MAC-based account 1. From the navigation tree, select Access User > All Access Users. The All Access Users page opens, as shown in Figure 71. Figure 71 Accessing the All Access Users page 2. In the access user list area, click Add. The Add Access User page opens. 51

55 3. Configure the following information for the access user, as shown in Figure 73: a. Click Select next to the User Name field to select an IMC platform user to be associated with the access user. This example uses ftest, as shown in Figure 72. Figure 72 Selecting a platform user b. Enter the MAC address of the mobile device in the Account Name field. The MAC address can take the format of XXXXXXXXXXXX, XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX, or XXXX-XXXX-XXXX. This example uses 087a4c11a17f. c. Enter 087a4c11a17f as the password in the Password and Confirm Password fields. d. Select the access service named mac-service from the access service list. e. Use the default values for other parameters. 4. Click OK. 52

56 Figure 73 Adding a MAC-based user account Configuring WX6103 Perform all the tasks described in "Configuring WX6103" except for the portal authentication (step 3) and VLAN 66 configuration (step 6) in "Configuring authentication settings on WX6103." Configuring MSM 760 Perform all the tasks described in "Configuring MSM 760" except for the following: Task "Configuring VLAN deployment for the byodanonymous account." Portal configuration (step 1) and VLAN 66 configuration (step 4) in "Configuring the switch that connects the AP to MSM 760." Configuring AIR-WLC2100-K9 Perform all the tasks as described in "Configuring AIR-WLC2100-K9" except for the following: Task "Configuring the public VLAN." Portal authentication (step 2) and VLAN deployment for the byodanonymous user (step 4)" in "Configuring the upstream switch of AIR-WLC2100-K9." Verifying the configuration 1. On the mobile device, enable WLAN to search and connect to SSID ss_byod_jay_mac. 53

57 Figure 74 Locating SSID ss_byod_jay_mac 2. On the page that opens, enter the pre-shared key as the password, as shown in Figure 75. Figure 75 Entering the pre-shared key 3. Click Connect. The mobile device passes authentication and is connected to the network, as shown in Figure

58 Figure 76 Passing the authentication 4. Click SSID ss_byod_jay_mac to view the connection details. As shown in Figure 77, the mobile device is assigned an IP address and connected to the network. Figure 77 Connection details 5. On UAM, verify that the mobile device user 087a4c11a17f is displayed in the online user list, as shown in Figure

59 Figure 78 Viewing online users on UAM 6. If the access device is WX6103, execute the display connection command at the CLI to view the online users, as shown in Figure 79. Figure 79 Viewing online users on WX If the access device is MSM 760, view the online users through the Web interface, as shown in Figure

60 Figure 80 Viewing online users on MSM If the access device is AIR-WLC2100-K9, view the online users through the Web interface, as shown in Figure 81. Figure 81 Viewing online users on AIR-WLC2100-K9 57