HPE IMC UAM BYOD Quick Deployment on Mobile Device Configuration Examples


Part Number:
Software version: IMC UAM 7.2 (E0403)
Document version: 2

The information in this document is subject to change without notice.
Copyright 2016 Hewlett Packard Enterprise Development LP

Contents

Introduction
Prerequisites
Restrictions and guidelines
    UAM server configuration
    Service suffix configuration
    Access device configuration
    VLAN deployment configuration
Example: Configuring BYOD quick deployment with dual SSIDs
    Network configuration
    Analysis
    Software versions used
    Configuring the DHCP server
        Configuring DHCP scopes
        Configuring the DHCP Agent plugin
    Configuring UAM
        Configuring the AC as an access device
        Configuring an access policy
        Configuring an access service
        Configuring an access user account for the 802.1X user
        Configuring endpoint configuration templates
        Configuring an endpoint configuration distribution policy
        Importing server and root certificates
    Configuring WX6103
        Associating WX6103 with the AP
        Configuring authentication settings on WX6103
    Configuring MSM 760
        Configuring service WLAN settings
        Configuring public WLAN settings
        Deploying configurations from MSM 760 to the AP
        Configuring the switch that connects the AP to MSM 760
    Configuring AIR-WLC2100-K9
        Configuring authentication and accounting servers
        Configuring service WLAN settings
        Configuring public WLAN settings
        Viewing the new WLANs
        Configuring the upstream switch of AIR-WLC2100-K9
    Verifying the configuration
        Verifying the configuration on an Android device
        Verifying the configuration on an iOS device
Example: Configuring BYOD quick deployment in a single SSID
    Network configuration
    Analysis
    Software versions used
    Configuring the DHCP server
    Configuring UAM
        Configure the AC as an access device in UAM
        Configuring access policies
        Configuring access services
        Configuring the public and personal user accounts
        Configuring endpoint configuration templates
        Configuring an endpoint configuration distribution policy
        Importing server and root certificates
    Configuring WX6103
    Configuring MSM 760
    Configuring AIR-WLC2100-K9
    Verifying the configuration
        Verifying the configuration on an Android device
        Verifying the configuration on an iOS device

Introduction

This document provides examples for configuring UAM and an AC (H3C WX6103, HP MSM 760, or Cisco AIR-WLC2100-K9) to deploy device provisioning and certificate enrollment to BYOD devices for quick WLAN 802.1X access.

BYOD quick deployment can be implemented in the following ways:
• BYOD quick deployment with dual SSIDs.
• BYOD quick deployment in a single SSID.

The examples use Android and iOS devices.

Prerequisites

Before you configure BYOD quick deployment, complete the following tasks:
• Obtain a server certificate and a root certificate from a certification authority.
• Install the DHCP server, DNS server, and SCEP CA server on the network. The examples in this document use the DHCP server, DNS server, and CA server that are embedded in Windows Server.
• On the DHCP server, install the DHCP Agent plugin to identify endpoint information and to obtain endpoint IP addresses for UAM. The DHCP Agent installation file HP IMC DHCP Agent.exe is located in the /UAM directory of the IMC installation path. Copy the file to the DHCP server and double-click it to install the DHCP Agent plugin. (Details not shown.)

Restrictions and guidelines

UAM server configuration

When you configure UAM, follow these restrictions and guidelines:
• UAM must provide both authentication and accounting services. Do not use another server to provide the accounting service.
• UAM must have the same port and shared key settings for authentication and accounting communication as the configurations on the AC.

Service suffix configuration

The service suffix configuration on UAM is closely related to the ISP domain configuration on the AC and the account name used by the mobile device for authentication. Table 1, Table 2, and Table 3 show the parameter correlations when WX6103, MSM 760, or AIR-WLC2100-K9 is used.

Table 1 Parameter correlation on WX6103

| Account name | Mandatory authentication domain on the WLAN-ESS interface | Authentication domain on WX6103 | RADIUS commands configured on WX6103 | Service suffixes in UAM |
|---|---|---|---|---|
| X or X@example | Y | Y | user-name-format with-domain | Y |
| X or X@example | Y | Y | user-name-format without-domain | No suffix |
| X | Not configured | Default domain | user-name-format with-domain | Default domain |
| X | Not configured | Default domain | user-name-format without-domain | No suffix |
| X@Z | Not configured | Z | user-name-format with-domain | Z |
| X@Z | Not configured | Z | user-name-format without-domain | No suffix |

Table 2 Parameter correlation on MSM 760

| Account name | How MSM 760 handles the account name | Service suffix in UAM |
|---|---|---|
| X | MSM 760 directly forwards the account name to UAM without making any modifications. | No suffix |
| X@Z | MSM 760 directly forwards the account name to UAM without making any modifications. | Z |

Table 3 Parameter correlation on AIR-WLC2100-K9

| Account name | How AIR-WLC2100-K9 handles the account name | Service suffix in UAM |
|---|---|---|
| X | AIR-WLC2100-K9 directly forwards the account name to UAM without making any modifications. | No suffix |
| X@Z | AIR-WLC2100-K9 directly forwards the account name to UAM without making any modifications. | Z |

Access device configuration

You can add the AC to UAM manually or by selecting it from the IMC platform.

When you manually add the AC to UAM, follow these restrictions and guidelines:
• For WX6103, use the NAS IP address (configured with the nas-ip command on the AC) as the IP address of the AC on UAM. If the nas-ip command is not configured, use the IP address of the interface (including VLAN interface) that connects to UAM.
• For MSM 760 or AIR-WLC2100-K9, use the IP address of the interface that connects to UAM.

When you select the AC from the IMC platform, follow these restrictions and guidelines:
• Make sure the AC is already added to the IMC platform manually or through auto discovery and that it uses the correct IP address.
• If the AC in the resource pool does not use the correct IP address, you must manually specify the correct IP address of the access device.
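The restrictions above (same ports and shared key on both sides, UAM as both authentication and accounting server, the nas-ip rule, and the suffix correlations in Table 1 to Table 3) can be checked mechanically. The following is an added example, not part of the original HPE document or of any IMC tooling: it parses WX6103 CLI lines in the form used later in this document and compares them with the values entered in UAM. The function and field names, the 192.0.2.x addresses, and the default domain name `system` are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class UamAccessDevice:
    """Values entered in UAM. Field names are this example's own, not a UAM API."""
    device_ip: str
    auth_port: int
    acct_port: int
    shared_key: str
    service_suffix: str  # "" means the Service Suffix field is left empty

# Strips a leading CLI prompt such as "[WX6103-radius-byodjay1x]" or "<WX6103>".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

def parse_ac_settings(cli_text):
    """Collect RADIUS scheme and 802.1X settings from WX6103 CLI lines.

    Assumes the text holds a single RADIUS scheme and keys in the plain
    form shown in this document ("key authentication <key>").
    """
    s = {"auth_server": None, "acct_server": None, "auth_key": None,
         "acct_key": None, "auth_port": 1812, "acct_port": 1813,
         "nas_ip": None,
         "name_format": "with-domain",  # Comware default when not configured
         "mandatory_domain": None}
    for raw in cli_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if m := re.fullmatch(r"primary (authentication|accounting) (\S+)(?: (\d+))?", line):
            kind = "auth" if m[1] == "authentication" else "acct"
            s[kind + "_server"] = m[2]
            if m[3]:
                s[kind + "_port"] = int(m[3])
        elif m := re.fullmatch(r"key (authentication|accounting) (\S+)", line):
            s["auth_key" if m[1] == "authentication" else "acct_key"] = m[2]
        elif m := re.fullmatch(r"nas-ip (\S+)", line):
            s["nas_ip"] = m[1]
        elif m := re.fullmatch(r"user-name-format (with-domain|without-domain)", line):
            s["name_format"] = m[1]
        elif m := re.fullmatch(r"dot1x mandatory-domain (\S+)", line):
            s["mandatory_domain"] = m[1]
    return s

def required_suffix(account, mandatory_domain, default_domain, name_format):
    """Table 1: service suffix UAM needs for an account authenticating through WX6103."""
    typed_domain = account.partition("@")[2]
    # A mandatory domain overrides whatever the user typed after "@".
    auth_domain = mandatory_domain or typed_domain or default_domain
    return auth_domain if name_format == "with-domain" else ""

def forwarded_suffix(account):
    """Tables 2 and 3: MSM 760 and AIR-WLC2100-K9 forward the name unmodified."""
    return account.partition("@")[2]

def check_wx6103(cli_text, uam, uam_server_ip, account, default_domain):
    """Return a list of mismatches between the AC settings and the UAM entry."""
    s = parse_ac_settings(cli_text)
    problems = []
    for kind, label in (("auth", "authentication"), ("acct", "accounting")):
        # UAM must provide both services; no other server for accounting.
        if s[kind + "_server"] != uam_server_ip:
            problems.append(f"{label} server is not the UAM server")
        # Report key mismatches without echoing the key itself.
        if s[kind + "_key"] != uam.shared_key:
            problems.append(f"{label} shared key differs from UAM")
        if s[kind + "_port"] != getattr(uam, kind + "_port"):
            problems.append(f"{label} port differs from UAM")
    # With nas-ip configured, UAM must list the AC under that address.
    if s["nas_ip"] and s["nas_ip"] != uam.device_ip:
        problems.append("nas-ip differs from the access device IP in UAM")
    want = required_suffix(account, s["mandatory_domain"], default_domain,
                           s["name_format"])
    if want != uam.service_suffix:
        problems.append("service suffix in UAM should be " + (want or "empty"))
    return problems

# Constructed sample: command forms follow this document, addresses are placeholders.
SAMPLE_CLI = """\
[WX6103]radius scheme byodjay1x
[WX6103-radius-byodjay1x]primary authentication 192.0.2.10
[WX6103-radius-byodjay1x]primary accounting 192.0.2.10
[WX6103-radius-byodjay1x]key authentication hello
[WX6103-radius-byodjay1x]key accounting hello
[WX6103-radius-byodjay1x]nas-ip 192.0.2.20
[WX6103-radius-byodjay1x]server-type extended
[WX6103-radius-byodjay1x]user-name-format without-domain
[WX6103-WLAN-ESS33]dot1x mandatory-domain 1x
"""

if __name__ == "__main__":
    uam = UamAccessDevice("192.0.2.20", 1812, 1813, "hello", "")
    result = check_wx6103(SAMPLE_CLI, uam, "192.0.2.10", "jay", "system")
    for item in result or ["AC and UAM settings are consistent"]:
        print(item)
```

An empty result means the AC and UAM agree; a service suffix mismatch is reported separately from key and port mismatches because it depends on the user-name-format and mandatory domain settings rather than on the RADIUS scheme alone.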

VLAN deployment configuration

When you configure VLANs to be deployed for an access policy in UAM, follow these restrictions and guidelines:
• To work with WX6103, specify the VLAN by its ID.
• To work with MSM 760 or AIR-WLC2100-K9, specify the VLAN by its name. To make the VLAN take effect, bind the VLAN name on MSM 760 or AIR-WLC2100-K9 to the corresponding VLAN ID.

Example: Configuring BYOD quick deployment with dual SSIDs

Network configuration

As shown in Figure 1, Figure 2, and Figure 3, a mobile user intends to access the Internet through a wireless 802.1X connection by using an account named jay. An AC (WX6103, MSM 760, or AIR-WLC2100-K9) serves as the access device. WX6103 manages the user in a mandatory 802.1X authentication domain named 1x, and removes the domain name from the usernames to be sent to UAM for authentication.

Configure UAM and the AC to implement BYOD quick deployment with two SSIDs. One SSID provides device provisioning and certificate enrollment, and the other SSID provides secure network access.
• The mobile device is first connected to the open SSID ss_byod_jay_free. After passing PSK authentication on the AC, the device is placed in a public VLAN (VLAN 66) for portal authentication. The portal feature redirects the mobile user to download an Android profile deployment tool or to deploy an iOS profile.
• The mobile device connects to the secure SSID ss_byod_jay_1x for EAP-TLS authentication. After passing the authentication, the device is assigned to a service VLAN (VLAN 33) for secure network access, and it automatically obtains an IP address from the DHCP server.

On the AC, enable PSK authentication and set the pre-shared key to for mobile device provisioning. Set the shared key for secure RADIUS communication to hello, and set the ports for authentication and accounting to 1812 and 1813, respectively.

Figure 1 Network diagram (WX6103)

Figure 2 Network diagram (MSM 760)

Figure 3 Network diagram (AIR-WLC2100-K9)

Analysis

To perform PSK authentication for the mobile device, do the following:
• Configure PSK as the authentication mode.
• Set the correct pre-shared key on WX6103, MSM 760, or AIR-WLC2100-K9.

To redirect the mobile device user to a BYOD deployment page after it passes PSK authentication, complete the following configurations:
• In UAM, use the predefined deployment tool download page (for Android) and a deployment page (for iOS) with the same URL
• On WX6103, the switch attached to MSM 760, or the upstream switch of AIR-WLC2100-K9, do the following:
    Configure the public VLAN (VLAN 66).
    Configure portal authentication in the VLAN with the portal redirection URL set to

To implement certificate-based authentication for the provisioned mobile device and assign it to the service VLAN, complete the following configurations:
• In UAM, configure the following:
    a. Configure the AC as an access device.
    b. Configure an access policy for EAP certificate authentication. The policy must contain the VLAN name or ID to be deployed.
    c. Configure the previous access policy as the default access policy in an access service.
    d. Configure a user account for 802.1X access and assign the previous access service to it.
    e. Configure an iOS general template, a SCEP template, and a Wi-Fi template for the secure SSID ss_byod_jay_1x, and associate the templates with a distribution policy.
    f. Import root and server certificates to UAM.
• On WX6103, configure the service VLAN, RADIUS scheme, ISP domain, global security settings, and WLAN settings.
• On MSM 760, configure the service VLAN, RADIUS profile, VSC profile, and VSC binding. The service VLAN must also be configured on the switch attached to MSM 760.
• On AIR-WLC2100-K9, configure the service VLAN, authentication and accounting server, and WLAN settings. The service VLAN must also be configured on the upstream switch of AIR-WLC2100-K9.
• On the mobile device, obtain and install the user certificate and root certificate. These configurations are automatically performed during the mobile device provisioning process.

To assign an IP address to the endpoint through DHCP, configure DHCP relay on WX6103, the switch attached to MSM 760, or AIR-WLC2100-K9.

Figure 4 illustrates the steps that are followed when a mobile device connects to the wireless network:

Figure 4 BYOD quick deployment on mobile device with dual SSIDs

(1) The mobile device connects to a provisioning SSID (ss_byod_jay_free) and is placed in a portal-enabled VLAN (VLAN 66 in this example).
(2) UAM deploys to the mobile device the OS-specific configuration templates (specified in the endpoint configuration distribution policy assigned to the user account or the user group to which the user account belongs).
(3) The configuration templates contain SCEP configuration and Wi-Fi configuration with the parameters to connect to the secure SSID (ss_byod_jay_1x).
(4) The mobile device connects to the secure SSID and is granted all access rights.

Software versions used

This configuration example was created and verified on the following platforms:
• IMC UAM 7.2 (E0403)
• Certification server embedded in Windows Server 2008 R2 Datacenter
• DHCP server embedded in Windows Server 2008 R2 Datacenter
• DHCP Agent plugin: HP IMC DHCP Agent Config Tool V7.0-E0102
• H3C WX6103 Comware Software, Version 5.20, ESS2507P04
• HP MSM 760 Software Version , Hardware Version B:48
• Cisco AIR-WLC2100-K9, Software Version
• Samsung GT-I9100G, Android
• Apple iPhone 4S, iOS

Configuring the DHCP server

Configuring DHCP scopes

This example creates two scopes for 802.1X authentication. As shown in Table 4, scope 1x applies to users before fast deployment, and scope 1x-public applies to users after fast deployment.

Table 4 Scope configurations

| Scope name | IP range | Subnet mask | Default gateway | Usage |
|---|---|---|---|---|
| 1x | to | | | Used for device provisioning and certificate enrollment. |
| 1x-public | to | | | For users who have completed the provisioning and certificate enrollment process. |

The procedure for creating scopes 1x and 1x-public is the same. Scope 1x is used as an example.

To create scope 1x:
1. Start the DHCP server.
2. From the navigation tree, right-click the name of a DHCP server and select New Scope from the shortcut menu. The New Scope Wizard page opens.
3. Click Next.
4. On the Scope Name page, enter 1x in the Name field, and then click Next.
   Figure 5 Scope Name
5. On the IP Address Range page, configure the following parameters:

   a. Enter in the Start IP address field, and in the End IP address field.
   b. Specify as the subnet mask.
   Figure 6 IP Address Range
6. Click Next.
7. On the Add Exclusions and Delay page, click Next.
   Figure 7 Add Exclusions and Delay
8. On the Lease Duration page, use the default settings, and then click Next.

   Figure 8 Lease Duration
9. On the Configure DHCP Options page, select Yes, I want to configure these options now, and then click Next.
   Figure 9 Configure DHCP Options
10. On the Router (Default Gateway) page, specify as the default gateway, and then click Next.

   Figure 10 Router (Default Gateway)
11. On the Domain Name and DNS Servers page, specify the parent domain name and the DNS server IP address, and then click Next. This example uses as the DNS server IP address.
   Figure 11 Domain Name and DNS Servers
12. On the WINS Servers page, click Next.

   Figure 12 WINS Servers
13. On the Activate Scope page, select Yes, I want to activate this scope now, and then click Next.
   Figure 13 Activate Scope
14. On the Completing the New Scope Wizard page, click Finish.

The new DHCP scope is added to the DHCP page.

Configuring the DHCP Agent plugin

1. Double-click the DHCP Agent shortcut on the desktop to start the DHCP Agent.
2. Configure the following parameters:
   a. Select the Enable Agent option.
   b. Enter as the IP address of the UAM server.
   c. Use the default UAM server port (1810) and log level.
3. Click Save Settings.
4. Click Start DHCP Service.

When the DHCP Agent is operating correctly, you can see a green check mark in the Agent Status area, as shown in Figure 14.

Figure 14 DHCP Agent

Configuring UAM

Configuring the AC as an access device

1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device. The access device list page opens.
3. Click Add, as shown in Figure

   Figure 15 Accessing the access device list
   The Add Access Device page opens, as shown in Figure 16.
   Figure 16 Adding an access device
4. Add the AC to UAM as an access device. You can manually add a device or select a device from the IMC platform. This example uses the manual method. To manually add the AC to UAM:
   a. In the Device List area, click Add Manually.
   b. Configure the IP address of the AC:
      For WX6103, enter in the Start IP field, as shown in Figure 17.
      For MSM 760, enter in the Start IP field.
      For AIR-WLC2100-K9, enter in the Start IP field.

      Figure 17 Adding an access device manually
   c. Click OK.
5. Configure the access parameters for the access device, as shown in Figure 18:
   a. Enter 1812 in the Authentication Port field. The default authentication port is
   b. Enter 1813 in the Accounting Port field. The default accounting port is
   c. Select Fully Supported from the RADIUS Accounting list.
   d. Select LAN Access Service from the Service Type list.
   e. Select a device type from the Access Device Type list:
      Select H3C (General) for WX6103.
      Select HP (General) for MSM 760.
      Select CISCO (General) for AIR-WLC2100-K9.
   f. Enter hello in the Shared Key field. If the Confirm Shared Key field appears, also enter hello in that field.
   g. Use the default values for the Service Group and Access Device Group fields.

   Figure 18 Configuring the access device
6. Click OK.
7. Click Back to Access Device List. The AC is added to the access device list, as shown in Figure 19.
   Figure 19 Viewing the AC

Configuring an access policy

1. From the navigation tree, select User Access Policy > Access Policy. The access policy list page opens.
2. Click Add, as shown in Figure

   Figure 20 Accessing the access policy list
3. Configure the following parameters for the access policy, as shown in Figure 21:
   a. Enter cer in the Access Policy Name field.
   b. Select EAP-TLS from the Preferred EAP Type list.
   c. Select Disable from the EAP Auto Negotiate list.
   d. Configure the deploy VLAN.
      For WX6103, enter 33 in the Deploy VLAN field, as shown in Figure 21.
      Figure 21 Configuring an access policy (WX6103)
      For MSM 760 or AIR-WLC2100-K9, enter ssbyodjay1x in the Deploy VLAN field, as shown in Figure

      Figure 22 Deploy VLAN for MSM 760 or AIR-WLC2100-K9
   e. Use the default values for other parameters.
4. Click OK.

Configuring an access service

1. From the navigation tree, select User Access Policy > Access Service. The access service list page opens.
2. Click Add, as shown in Figure 23.
   Figure 23 Accessing the access service list
3. Configure the basic information for the access service, as shown in Figure 24:
   a. Enter cer in the Service Name field.
   b. Leave the Service Suffix field empty. For information about the service suffix configuration, see "Service suffix configuration."
   c. Select the access policy named cer from the Default Access Policy list.
   d. Use the default values for other parameters.

   Figure 24 Configuring an access service
4. Click OK.

Configuring an access user account for the 802.1X user

You can manually add the access user account or batch import user accounts to UAM from a file and assign access service cer to the account.

Adding the access user account

1. From the navigation tree, select Access User > All Access Users. The access user list page opens, as shown in Figure 25.
   Figure 25 Accessing the access user list
2. In the access user list, click Add. The Add Access User page opens, as shown in Figure

   Figure 26 Adding an access user
3. Associate a platform user with the access user:
   a. Click Select next to the User Name field.
   b. On the Select User page, select IMC platform user ftest, and click OK, as shown in Figure 27.
   Figure 27 Selecting a user from the IMC platform
4. Configure the access information and access service for the user, as shown in Figure 28:
   a. Enter jay in the Account Name field.
   b. Enter a password in the Password and Confirm Password fields. This example uses 1 as the password.
   c. Select the access service named cer from the Access Service list.
   d. Use the default values for other parameters.

   Figure 28 Adding an access user account
5. Click OK.

Importing the access user accounts

1. In the access user list, click Batch Import. The Import Accounts in Batches page opens, as shown in Figure 29.
   Figure 29 Accessing the Import Accounts in Batches page
2. Click Browse to select the text file that stores the user accounts including jay.
3. Select a column separator from the Column Separator list. This example uses Space as the column separator.

4. Click Next.
5. Configure the following parameters, as shown in Figure 30:
   a. Select the corresponding column numbers for the User Name, Identity Number, Account Name, and Password fields.
   b. Select the access service named cer from the access service list.
   c. Use the default values for other parameters.
   Figure 30 Configuring user account parameters
6. Click Preview to preview the import result, as shown in Figure 31.
   Figure 31 Previewing the import result
7. Close the Preview import Result page, and click OK to import accounts.

Configuring endpoint configuration templates

1. From the navigation tree, select User Endpoint > Endpoint Configuration Templates. The Endpoint Configuration Templates page opens, as shown in Figure 32.
   Figure 32 Accessing the Endpoint Configuration Template page
2. Add an iOS general configuration template to be deployed to iOS devices:
   a. In the endpoint configuration template list, click Add iOS General Configuration Template. The Add iOS General Configuration Template page opens.
   b. Configure the iOS general configuration template, as shown in Figure 33:
      Enter for ios gen in the Template Name field.
      Configure the Name, Organization, Description, and License Agreement fields as appropriate. The configured values will be displayed on the iOS devices to which the template is applied.
      Select Permitted for Manually Remove Description File.
      Select Never for Automatically Remove Description File.

   Figure 33 Adding an iOS general configuration template
3. Click OK.
4. Add a SCEP template to be deployed to both Android and iOS devices:
   a. Click Add SCEP Template. The Add SCEP Template page opens.
   b. Configure the SCEP template, as shown in Figure 34:
      Enter for android ios SCEP in the Template Name field.
      Enter a URL in the format This example uses
      Use the default values for other parameters.

   Figure 34 Adding a SCEP template
   c. Click OK.
5. Add a Wi-Fi template to be deployed to both iOS and Android devices:
   a. In the endpoint configuration template list, click Add Wi-Fi Template. The Add Wi-Fi Template page opens.
   b. In the Basic Information area, enter for android ios wifi in the Template Name field.
   c. Click the iOS tab.
   d. Configure the Wi-Fi parameters for iOS devices, as shown in Figure 35:
      Select Enable.
      Enter ss_byod_jay_1x in the SSID field.
      Select Auto Join.
      Leave the Hide Network field unselected.
      Select WPA/WPA2 (Enterprise) from the Security list.
      Select TLS from the Mode list. The setting must be consistent with the certificate authentication mode configured in access policy cer.
      Select None from the HTTP Proxy list.

   Figure 35 Configuring Wi-Fi parameters for iOS devices
   e. Click the Android tab.
   f. Configure the Wi-Fi parameters for Android devices, as shown in Figure 36:
      Select Enable.
      Enter ss_byod_jay_1x in the SSID field.
      Leave the Hide Network field unselected.
      Select 802.1X EAP from the Security list.
      Select TLS from the Mode list. The setting must be consistent with the certificate authentication mode configured in access policy cer.
      Select Yes from the Deploy Root Certificate list.
   Figure 36 Configuring Wi-Fi parameters for Android devices
6. Click OK. The new templates are added to the endpoint configuration template list, as shown in Figure

   Figure 37 Viewing the configuration templates

Configuring an endpoint configuration distribution policy

1. From the navigation tree, select User Endpoint > Endpoint Configuration Distribution Policy. The endpoint configuration distribution policy list page opens, as shown in Figure 38.
   Figure 38 Accessing the endpoint configuration distribution policy list
2. In the endpoint configuration distribution policy list, click Add. The Add Endpoint Configuration Distribution Policy page opens.
3. Enter for android ios in the Policy Name field and select Ungrouped in the User Group List, as shown in Figure

   Figure 39 Configuring the endpoint configuration distribution policy
4. Select endpoint configuration templates:
   a. In the Select Endpoint Configuration Template area, click Add.
   b. On the Select Configuration Template page that opens, select for android ios SCEP on the SCEP tab, for ios gen on the General Configuration Template tab, and for android ios wifi on the Wi-Fi tab, and then click OK, as shown in Figure 40.
   Figure 40 Selecting configuration templates

   The selected configuration templates are added to the template list, as shown in Figure 41.
   Figure 41 Viewing the selected configuration templates
5. Click OK.

Importing server and root certificates

1. From the navigation tree, select User Access Policy > Service Parameters > Certificate. The Certificate page opens, as shown in Figure

   Figure 42 Accessing the Certificate page
2. On the Root Certificate tab, click Import EAP Root Certificate.
3. Click Browse and select a root certificate, as shown in Figure 43.
   Figure 43 Selecting a root certificate
4. Click Next. The CRL configuration page opens, as shown in Figure 44. This example skips the CRL configuration.
   Figure 44 CRL configuration
5. Click OK. The imported root certificate is added to the Root Certificate tab, as shown in Figure

   Figure 45 Viewing the imported root certificate
6. Click the Server Certificate tab, as shown in Figure 46.
   Figure 46 Selecting a server certificate
7. Click Import EAP Server Certificate.
8. Select Private key is included in server certificate file, click Browse next to the Server Certificate File field, and select a server certificate, as shown in Figure 47.
   Figure 47 Selecting a server certificate

9. Click Next.
10. Enter the password for the private key of the server certificate, as shown in Figure 48. Use the same password specified during server certificate export.
   Figure 48 Entering the password of server private key
11. Click OK. The imported server certificate is added to the Server Certificate tab, as shown in Figure 49.
   Figure 49 Previewing the certificates

Configuring WX6103

Associating WX6103 with the AP

After you associate WX6103 with an AP, the two devices establish a tunnel to forward traffic. The WX6103 can associate with the AP automatically or through configuration. This example uses the manual method.

1. On the AP, display information about the AP and record its model number, serial ID, hardware version, and software version.

# Display AP information.
<WA2612-AGN>display wlan ap
Display AP Profile
Model Number : WA2612-AGN
Serial-ID : A0ALC
AP Address :

H/W Version : Ver.D
S/W Version : V100R001B71D024( )
Boot Version : 1.23
Mode : Split Mac Mode
Device State : Zero configuration state
Master AC:
Description : -NA-
AC Address : -NA-
State : BDisc
Transmitted control packets : 0
Received control packets : 0
Transmitted data packets : 0
Received data packets : 0
Latest AC IP address : -NA-
Tunnel Down Reason : -NA
Unicast static AC IPv4 address: Not Configured
Unicast static AC IPv6 address: Not Configured

2. Configure WX6103:

# Enable WLAN service.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]wlan enable
% Info: WLAN service enabled

# Create AP template byod and specify the AP model.
[H3C]wlan ap byod model WA2612-AGN

# Specify the AP serial ID.
[H3C-wlan-ap-byod]serial-id A0ALC
[H3C-wlan-ap-byod]quit

# Specify the software and hardware versions of the AP.
[H3C]wlan apdb WA2612-AGN Ver.D V100R001B71D

3. On the AP, specify the IP address of WX6103.

# Associate the AP with the AC.
<WA2612-AGN>system-view
System View: return to User View with Ctrl+Z.
[WA2612-AGN]wlan ac ip

4. On WX6103, display all associated APs.

[H3C]display wlan ap all
Total Number of APs configured : 1
Total Number of configured APs connected : 0
Total Number of auto APs connected : 1
AP Profiles
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, R = Run, KU = KeyUpdate, KC = KeyCfm
M = Master, B = Backup
AP Name State Model Serial-ID

Byod R/M WA2612-AGN A0ALC

The R/M state output shows that the AP has successfully associated with the active AC WX6103.

Configuring authentication settings on WX6103

1. Configure a RADIUS scheme:

# Create RADIUS scheme byodjay1x and enter its view.
<WX6103>system-view
System View: return to User View with Ctrl+Z.
[WX6103]radius scheme byodjay1x
New Radius scheme

# Specify the IP address of the authentication and accounting server (UAM) as , and set the shared key for RADIUS authentication and accounting communication to hello.
[WX6103-radius-byodjay1x]primary authentication
[WX6103-radius-byodjay1x]primary accounting
[WX6103-radius-byodjay1x]key authentication hello
[WX6103-radius-byodjay1x]key accounting hello

# Specify the source IP address of RADIUS packets sent to UAM.
[WX6103-radius-byodjay1x]nas-ip

# Set the RADIUS server type to extended to support UAM.
[WX6103-radius-byodjay1x]server-type extended

# Configure the AC to remove the ISP domain name from the usernames to be sent to the RADIUS server.
[WX6103-radius-byodjay1x]user-name-format without-domain
[WX6103-radius-byodjay1x]quit

2. Configure an ISP domain:

# Create ISP domain 1x and enter its view.
[WX6103]domain 1x

# Configure the ISP domain to use RADIUS scheme byodjay1x for authentication, authorization, and accounting.
[WX6103-isp-1x]authentication default radius-scheme byodjay1x
[WX6103-isp-1x]authorization default radius-scheme byodjay1x
[WX6103-isp-1x]accounting default radius-scheme byodjay1x
[WX6103-isp-1x]quit

3. Configure portal authentication:

# Configure a portal server named changessid. Specify the IP address of the portal server and the redirection URL.
[WX6103]portal server changessid ip url

# Configure portal-free rules for the DHCP, DNS, and SCEP servers.
[WX6103]portal free-rule 1 destination ip mask
[WX6103]portal free-rule 2 destination ip mask
[WX6103]portal free-rule 3 destination ip mask

4. Configure DHCP relay:

# Enable DHCP and configure DHCP server group 1.

[WX6103]dhcp enable
[WX6103]dhcp relay server-group 1 ip

5. Configure service VLAN 33, and enable DHCP relay on the VLAN interface:

# Create VLAN 33.
[WX6103]vlan 33
[WX6103-vlan33]quit

# Configure the gateway address of DHCP scope 1x as the IP address of VLAN-interface 33.
[WX6103]interface Vlan-interface 33
[WX6103-Vlan-interface33]ip address

# Enable DHCP relay on VLAN-interface 33, and associate DHCP server group 1 with the interface.
[WX6103-Vlan-interface33]dhcp select relay
[WX6103-Vlan-interface33]dhcp relay server-select 1
[WX6103-Vlan-interface33]quit

# Advertise the network /24. (Details not shown.)

6. Configure public VLAN 66, and enable DHCP relay and portal authentication on the VLAN interface:

# Create VLAN 66.
[WX6103]vlan 66
[WX6103-vlan66]quit

# Configure the gateway address of DHCP scope 1x-public as the IP address of VLAN-interface 66.
[WX6103]interface Vlan-interface 66
[WX6103-Vlan-interface66]ip address

# Enable portal authentication and DHCP relay on VLAN-interface 66, and associate DHCP server group 1 with the interface.
[WX6103-Vlan-interface66]dhcp select relay
[WX6103-Vlan-interface66]dhcp relay server-select 1
[WX6103-Vlan-interface66]portal server changessid method direct
[WX6103-Vlan-interface66]quit

# Advertise the network /24. (Details not shown.)

7. Configure the WLAN-ESS interface for service VLAN 33, and enable 802.1X authentication on the interface:

# Create WLAN-ESS 33, set its port link type to hybrid, and enable MAC-based VLAN on the interface.
[WX6103]interface wlan-ess 33
[WX6103-WLAN-ESS33]port link-type hybrid
[WX6103-WLAN-ESS33]mac-vlan enable

# Enable 802.1X authentication on WLAN-ESS 33.
[WX6103-WLAN-ESS33]port-security port-mode userlogin-secure-ext

# Enable key negotiation of the 11key type on WLAN-ESS 33.
[WX6103-WLAN-ESS33]port-security tx-key-type 11key

# Specify ISP domain 1x as the mandatory authentication domain on WLAN-ESS 33.
[WX6103-WLAN-ESS33]dot1x mandatory-domain 1x
[WX6103-WLAN-ESS33]quit

8. Configure port security:

# Globally enable port security.
[WX6103]port-security enable

# Set the 802.1X authentication method to EAP.
[WX6103]dot1x authentication-method eap

9. Configure a WLAN service template for service VLAN 33:

# Create crypto type WLAN service template 33 for wireless 802.1X authentication.
[WX6103]wlan service-template 33 crypto

# Configure the SSID of the service template as ss_byod_jay_1x.
[WX6103-wlan-st-33]ssid ss_byod_jay_1x

# Bind the service template to WLAN-ESS 33.
[WX6103-wlan-st-33]bind wlan-ess 33

# Configure the service template to use the open-system authentication method. This authentication method is required if WPA is used.
[WX6103-wlan-st-33]authentication-method open-system

# Configure the security IE as WPA and cipher suite as TKIP.
[WX6103-wlan-st-33]security-ie wpa
[WX6103-wlan-st-33]cipher-suite tkip

# Enable the service template.
[WX6103-wlan-st-33]service-template enable
Please wait... Done.
[WX6103-wlan-st-33]quit

10. Configure the WLAN-ESS interface for public VLAN 66:

# Create WLAN-ESS 66, set its port link type to access, and assign it to VLAN 66.
[WX6103]interface wlan-ess 66
[WX6103-WLAN-ESS66]port access vlan 66

# Enable PSK authentication on WLAN-ESS 66 and set the pre-shared key to
[WX6103-WLAN-ESS66]port-security port-mode psk
[WX6103-WLAN-ESS66]port-security tx-key-type 11key
[WX6103-WLAN-ESS66]port-security preshared-key pass-phrase simple
[WX6103-WLAN-ESS66]quit

11. Configure a WLAN service template for public VLAN 66:

# Create crypto type WLAN service template 66 for PSK authentication.
[WX6103]wlan service-template 66 crypto

# Configure the SSID of the service template as ss_byod_jay_free.
[WX6103-wlan-st-66]ssid ss_byod_jay_free

# Bind the service template to WLAN-ESS 66.
[WX6103-wlan-st-66]bind wlan-ess 66

# Configure the security IE as WPA and cipher suite as TKIP.
[WX6103-wlan-st-66]security-ie wpa
[WX6103-wlan-st-66]cipher-suite tkip

# Configure the service template to use the open-system authentication method.
[WX6103-wlan-st-66]authentication-method open-system

# Enable the service template.
[WX6103-wlan-st-66]service-template enable
Please wait... Done.
[WX6103-wlan-st-66]quit

12. Create radio policy byodjay1x. You can skip this step and use the default radio policy.

# Configure a radio policy.
[WX6103]wlan radio-policy byodjay1x

39 [WX6103-wlan-rp-byodjay1x]beacon-interval 200 [WX6103-wlan-rp-byodjay1x]dtim 4 [WX6103-wlan-rp-byodjay1x]rts-threshold 2300 [WX6103-wlan-rp-byodjay1x]fragment-threshold 2200 [WX6103-wlan-rp-byodjay1x]short-retry threshold 6 [WX6103-wlan-rp-byodjay1x]long-retry threshold 5 [WX6103-wlan-rp-byodjay1x]max-rx-duration 500 [WX6103-wlan-rp-byodjay1x]quit 13. Configure the AP template. # In AP template byod view, associate radio 1 with radio policy byodjay1x and service templates 33 and 66. [WX6103]wlan ap byod [WX6103-wlan-ap-byod]radio 1 [WX6103-wlan-ap-byod-radio-1]channel auto [WX6103-wlan-ap-byod-radio-1]radio-policy byodjay1x [WX6103-wlan-ap-byod-radio-1]service-template 33 [WX6103-wlan-ap-byod-radio-1]service-template 66 [WX6103-wlan-ap-byod-radio-1]radio enable [WX6103-wlan-ap-byod-radio-1]quit [WX6103-wlan-ap-byod]quit Configuring MSM 760 Configuring service WLAN settings The service WLAN settings apply to mobile device users who have received and installed endpoint configuration templates from UAM. Configuring a service VLAN 1. From the navigation tree, select Network Tree > Controller. 2. In the top navigation bar, select Network > Network profiles. 3. Click Add New Profile. 4. Configure the VLAN name as ssbyodjay1x and VLAN ID as 33, as shown in Figure Click Save. 36
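Added example, not part of the HPE document: a Python audit of a Comware configuration excerpt built from the WX6103 WLAN-ESS 66 and service template 33/66 steps, flagging the TKIP cipher suite, a WPA-only security IE, and a pre-shared key entered with the simple keyword. The saved-configuration layout, the placeholder key, and the hardened variant (security-ie rsn, cipher-suite ccmp, pass-phrase cipher) are assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section rule detail")

# Constructed input: the WLAN-ESS 66 and service-template commands from the
# WX6103 steps on this page, laid out as a saved configuration. The key value
# is a placeholder because the page does not show the real one.
WEAK_CONFIG = """\
interface WLAN-ESS66
 port access vlan 66
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase simple <PLACEHOLDER-KEY>
#
wlan service-template 33 crypto
 ssid ss_byod_jay_1x
 bind wlan-ess 33
 authentication-method open-system
 security-ie wpa
 cipher-suite tkip
 service-template enable
#
wlan service-template 66 crypto
 ssid ss_byod_jay_free
 bind wlan-ess 66
 security-ie wpa
 cipher-suite tkip
 authentication-method open-system
 service-template enable
#
"""

# Assumed hardened counterpart: RSN (WPA2) IE, CCMP cipher, key kept in cipher form.
HARDENED_CONFIG = (WEAK_CONFIG.replace("security-ie wpa", "security-ie rsn")
                   .replace("cipher-suite tkip", "cipher-suite ccmp")
                   .replace("pass-phrase simple", "pass-phrase cipher"))


def parse_sections(text):
    """Group the configuration into {section header: [indented sub-commands]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None                      # "#" separates sections
        elif not raw[0].isspace():
            current = raw.strip()               # unindented line opens a section
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit(text):
    """Return a list of Finding tuples for weak WLAN security settings."""
    sections, findings, psk_ess = parse_sections(text), [], set()
    # Pass 1: WLAN-ESS interfaces (PSK port mode, plaintext key storage).
    for header, cmds in sections.items():
        m = re.fullmatch(r"interface wlan-ess\s*(\d+)", header, re.I)
        if not m:
            continue
        for cmd in cmds:
            if re.fullmatch(r"port-security port-mode psk", cmd, re.I):
                psk_ess.add(m.group(1))
            if re.match(r"port-security preshared-key \S+ simple\b", cmd, re.I):
                findings.append(Finding(
                    header, "psk-plaintext",
                    "pre-shared key saved with 'simple' (readable in the configuration file)"))
    # Pass 2: service templates (security IE and cipher suite).
    for header, cmds in sections.items():
        if not re.fullmatch(r"wlan service-template \d+ crypto", header, re.I):
            continue
        opts = {}
        for cmd in cmds:
            key, _, value = cmd.partition(" ")
            opts.setdefault(key.lower(), set()).add(value.lower())
        ssid = next(iter(opts.get("ssid", {"?"})))
        bound = {v.split()[-1] for v in opts.get("bind", set())}
        # "non-PSK" only means no PSK-mode WLAN-ESS for this template was seen in the input.
        mode = "PSK" if bound & psk_ess else "non-PSK"
        if "tkip" in opts.get("cipher-suite", set()):
            findings.append(Finding(header, "tkip", f"SSID {ssid} ({mode}) permits TKIP"))
        if "rsn" not in opts.get("security-ie", set()):
            findings.append(Finding(header, "wpa-only", f"SSID {ssid} ({mode}) has no RSN (WPA2) IE"))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"{f.section}: [{f.rule}] {f.detail}")
```

The findings never include the key itself, so the report can be shared without exposing the passphrase.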

Figure 50 Configuring a service VLAN

Configuring a RADIUS profile for 802.1X authentication

1. From the navigation tree, select Network Tree > Controller.
2. In the top navigation bar, select Authentication > RADIUS profiles.
3. Click Add New Profile.
4. Configure the RADIUS profile, as shown in Figure 51:
   a. Enter ss_byod_jay_1x in the Profile name field.
   b. Enter 1812 in the Authentication port field and 1813 in the Accounting port field.
   c. Select EAP MD5 from the Authentication method list.
   d. Enter in the Server address field for the primary RADIUS server.
   e. Enter hello in the Secret and Confirm secret fields for the primary RADIUS server.
   f. Use the default values for other parameters.

Figure 51 Configuring a RADIUS profile for 802.1X authentication

5. Click Save.

Configuring a service VSC profile

1. From the navigation tree, select Network Tree > Controller > VSCs.
2. In the top navigation bar, select Overview > VSC profiles.
3. Click Add New VSC Profile.
4. Configure the VSC profile, as shown in Figure 52:
   a. Configure Global parameters:
      - Enter ss_byod_jay_1x in the Profile name field.
      - Select the Authentication option for the Use Controller for field.
   b. Configure Virtual AP parameters:
      - Select the Virtual AP option.
      - Enter the secure SSID ss_byod_jay_1x in the Name (SSID) field.
      - Select the Broadcast name (SSID) option.
   c. Configure Wireless protection parameters:
      - Select the Wireless protection option and select WPA from the list next to the option.
      - Select WPA (TKIP) from the Mode list.
      - Select Dynamic from the Key source list.
   d. Configure 802.1X authentication parameters:
      - Select the 802.1X authentication option.
      - Select the Remote option.
      - Select the RADIUS profile ss_byod_jay_1x from the RADIUS list.
      - Select the RADIUS profile ss_byod_jay_1x from the RADIUS accounting list.
   e. Clear MAC-based authentication.
   f. Use the default values for other parameters.

Figure 52 Configuring a service VSC profile

5. Click Save.

Configuring a VSC binding

1. In the Network Tree area, expand the Controlled APs node and select the AP group that the AP belongs to.
2. Click the VSC bindings tab.
3. Click Add New Binding.
4. Select ss_byod_jay_1x from the VSC Profile list, as shown in Figure 53.

Figure 53 Configuring a VSC binding

5. Click Save.

Configuring public WLAN settings

The public WLAN settings apply to a mobile device user when the user accesses the wireless network for the first time without BYOD configuration templates deployed.

Configuring a public VLAN

1. From the navigation tree, select Network Tree > Controller.
2. In the top navigation bar, select Network > Network profiles.
3. Click Add New Profile.
4. Configure the VLAN name as ssbyodjay1x3 and VLAN ID as 66, as shown in Figure 54.

Figure 54 Configuring a public VLAN

5. Click Save.

Configuring a public VSC profile

1. From the navigation tree, select Network Tree > Controller > VSCs.
2. In the top navigation bar, select Overview > VSC profiles.
3. Click Add New VSC Profile.
4. Configure the VSC profile, as shown in Figure 55:
   a. Configure Global parameters:
      - Enter ss_byod_jay_free in the Profile name field.
      - Select the Authentication option for the Use Controller for field.
   b. Configure Virtual AP parameters:
      - Select the Virtual AP option.
      - Enter the open SSID ss_byod_jay_free in the Name (SSID) field.
      - Select the Broadcast name (SSID) option.
   c. Configure Wireless protection parameters:
      - Select the Wireless protection option and select WPA from the list next to the option.
      - Select WPA (TKIP) from the Mode list.
      - Select Preshared Key from the Key source list.
      - Enter in the Key field.
   d. Clear MAC-based authentication.
   e. Use the default values for other parameters.

Figure 55 Configuring a public VSC profile

5. Click Save.

Configuring a public VSC binding

1. In the Network Tree area, expand the Controlled APs node and select the AP group that the AP belongs to.
2. Click the VSC bindings tab.
3. Click Add New Binding.
4. Configure the VSC binding parameters, as shown in Figure 56:
   a. Select the public profile ss_byod_jay_free from the VSC Profile list.
   b. Select the Egress network option.
   c. Select ssbyodjay1x3 (66) from the Network profile list.

Figure 56 Configuring the public VSC binding

5. Click Save.

Deploying configurations from MSM 760 to the AP

1. From the navigation tree, select Unsynchronized.
2. In the top navigation bar, select Overview > Discovered APs.
3. Select Synchronize Configuration from the Select the action to apply to all listed APs list and click Apply, as shown in Figure 57.

Figure 57 Deploying configurations to the AP

Configuring the switch that connects the AP to MSM 760

1. Configure the routing protocol and management VLAN on the switch. (Details not shown.)

2. Configure portal authentication:
# Configure a portal server named changessid. Specify the IP address of the portal server and the portal redirection URL.
<SW>system-view
System View: return to User View with Ctrl+Z.
[SW]portal server changessid ip url
# Configure portal-free rules for the DHCP, DNS, and SCEP servers.
[SW]portal free-rule 1 destination ip mask
[SW]portal free-rule 2 destination ip mask
[SW]portal free-rule 3 destination ip mask

3. Configure DHCP relay:
# Enable DHCP on the switch, and add DHCP server to DHCP server group 1.
[SW]dhcp enable
[SW]dhcp relay server-group 1 ip

4. Configure the service VLAN:
# Create VLAN 33.
[SW]vlan 33
[SW-vlan33]quit
# Configure the gateway address of DHCP scope 1x as the IP address of VLAN-interface 33.
[SW]interface Vlan-interface 33
[SW-Vlan-interface33]ip address
# Enable DHCP relay on VLAN-interface 33, and associate DHCP server group 1 with the interface.
[SW-Vlan-interface33]dhcp select relay
[SW-Vlan-interface33]dhcp relay server-select 1
[SW-Vlan-interface33]quit
# Advertise the network /24. (Details not shown.)

5. Configure the public VLAN:
# Create VLAN 66.
[SW]vlan 66
[SW-vlan66]quit
# Configure the gateway address of DHCP scope 1x-public as the IP address of VLAN-interface 66.
[SW]interface Vlan-interface 66
[SW-Vlan-interface66]ip address
# Enable portal authentication and DHCP relay on VLAN-interface 66, and associate DHCP server group 1 with the interface.
[SW-Vlan-interface66]dhcp select relay
[SW-Vlan-interface66]dhcp relay server-select 1
[SW-Vlan-interface66]portal server changessid method direct
[SW-Vlan-interface66]quit
# Advertise the network /24. (Details not shown.)

Configuring AIR-WLC2100-K9

Configuring authentication and accounting servers

Configuring the authentication server

1. Click the SECURITY tab.
2. From the navigation tree, select AAA > RADIUS > Authentication.
3. On the RADIUS Authentication Servers page, click New.
4. Configure the following parameters, as shown in Figure 58:
   a. Enter in the Server IP Address field.
   b. Enter hello in the Shared Secret and Confirm Shared Secret fields.
   c. Enter 1812 in the Port Number field.
   d. Use the default values for other parameters.

Figure 58 Configuring the authentication server

5. Click Apply.

Configuring the accounting server

1. From the navigation tree, select AAA > RADIUS > Accounting.
2. On the RADIUS Accounting Servers page, click New.
3. Configure the following parameters, as shown in Figure 59:
   a. Enter in the Server IP Address field.
   b. Enter hello in the Shared Secret and Confirm Shared Secret fields.
   c. Enter 1813 in the Port Number field.
   d. Use the default values for other parameters.

Figure 59 Configuring the accounting server

4. Click Apply.

Configuring service WLAN settings

The service WLAN settings apply to mobile device users who have received and installed endpoint configuration templates from UAM.

Configuring a service VLAN

1. Click the CONTROLLER tab.
2. From the navigation tree, select Interfaces.
3. On the Interfaces page, click New.
4. Configure the following parameters, as shown in Figure 60:
   a. Enter ssbyodjay1x in the Interface Name field.
   b. Enter 33 in the VLAN Id field.

Figure 60 Configuring the service VLAN

5. Click Apply. The page for editing the VLAN interface opens.
6. Configure the following parameters, as shown in Figure 61:
   a. Enter the port number of the upstream switch to which the AC connects in the Port Number field. This example uses 1.
   b. Enter 33 in the VLAN Identifier field.
   c. Enter in the IP Address field.
   d. Enter in the Netmask field.
   e. Enter in the Gateway field.
   f. Enter in the Primary DHCP Server field.
   g. Use the default values for other parameters.

Figure 61 Editing the VLAN interface

7. Click Apply.

Configuring a WLAN

1. Click the WLANs tab.
2. From the navigation tree, select WLANs > WLANs.
3. On the WLANs page, select Create New from the list in top-left corner and click Go. The page for creating a WLAN opens.
4. Configure the following parameters, as shown in Figure 62:
   a. Enter ss_byod_jay_1x in the Profile Name field.
   b. Enter ss_byod_jay_1x in the SSID field.
   c. Use the default values for other parameters.

Figure 62 Configuring a WLAN

5. Click Apply. The page for editing the WLAN opens.
6. Click the General tab and configure the following parameters, as shown in Figure 63:
   a. Select Enabled for Status.
   b. Select management from the Interface/Interface Group list.
   c. Use the default values for other parameters.

Figure 63 Configuring the General tab

7. Click the Security tab and configure the following:
   a. Click the Layer 2 tab and configure the following parameters, as shown in Figure 64:
      - Select WPA+WPA2 from the Layer 2 Security list.
      - Select WPA Policy and WPA2 Policy.
      - Select TKIP for both WPA Encryption and WPA2 Encryption.
      - Select 802.1X from the Auth Key Mgmt list.

Figure 64 Configuring the Layer 2 tab

   b. Use the default settings on the Layer 3 tab.
   c. Click the AAA Servers tab and configure the following parameters, as shown in Figure 65:
      - Select Enabled for Radius Server Overwrite interface.
      - Select Enabled for Authentication Servers and select IP: , Port:1812 from the Server 1 list.
      - Select Enabled for Accounting Servers and select IP: , Port:1813 from the Server 1 list.

Figure 65 Configuring the AAA Servers tab

8. Use the default settings on the QoS tab.
9. Click the Advanced tab and select Radius NAC from the NAC State list, as shown in Figure 66.

Figure 66 Configuring the Advanced tab

10. Click Apply.

Configuring public WLAN settings

The public WLAN settings apply to a mobile device user when the user accesses the wireless network for the first time without BYOD configuration templates deployed.

Configuring a public VLAN

1. Click the CONTROLLER tab.
2. From the navigation tree, select Interfaces.
3. On the Interfaces page, click New.
4. Configure the following parameters, as shown in Figure 67:
   a. Enter ssbyodjay1x3 in the Interface Name field.
   b. Enter 66 in the VLAN Id field.

Figure 67 Configuring the public VLAN

5. Click Apply. The page for editing the VLAN interface opens.
6. Configure the following parameters, as shown in Figure 68:
   a. Enter the port number of the upstream switch to which the AC connects in the Port Number field. This example uses 1.
   b. Enter 66 in the VLAN Identifier field.
   c. Enter in the IP Address field.
   d. Enter in the Netmask field.
   e. Enter in the Gateway field.
   f. Enter in the Primary DHCP Server field.
   g. Use the default values for other parameters.

Figure 68 Configuring the public VLAN

7. Click Apply.

Configuring a WLAN

1. Click the WLANs tab.
2. From the navigation tree, select WLANs > WLANs.
3. On the WLANs page, select Create New from the list in the top-left corner and click Go. The page for creating a WLAN opens.
4. Configure the following parameters, as shown in Figure 69:
   a. Enter ss_byod_jay_free in the Profile Name field.
   b. Enter ss_byod_jay_free in the SSID field.
   c. Use the default values for other parameters.

Figure 69 Configuring a WLAN

5. Click Apply. The page for editing the WLAN opens.
6. Click the General tab and configure the following parameters, as shown in Figure 70:
   a. Select Enabled for Status.
   b. Select ssbyodjay1x3 from the Interface/Interface Group list.
   c. Use the default values for other parameters.

Figure 70 Configuring the General tab

7. Click the Security tab and configure the following:
   a. Click the Layer 2 tab and configure the following parameters, as shown in Figure 71:
      - Select WPA+WPA2 from the Layer 2 Security list.
      - Select WPA Policy and WPA2 Policy.
      - Select TKIP for both WPA Encryption and WPA2 Encryption.
      - Select PSK from the Auth Key Mgmt list.
      - Select ASCII from the PSK Format list.
      - Enter as the pre-shared key.

Figure 71 Configuring the Layer 2 tab

   b. Use the default settings on the Layer 3 tab and AAA Servers tab.
8. Use the default settings on the QoS tab and Advanced tab.
9. Click Apply.

Viewing the new WLANs

1. Click the WLANs tab.
2. From the navigation tree, select Advanced > AP Groups.
3. In the AP groups list, click default-group. The Edit 'default-group' page opens.
4. Click the WLANs tab. The new WLANs named ss_byod_jay_1x and ss_byod_jay_free are added to the WLAN list of the default group, as shown in Figure 72.

Figure 72 Viewing the WLANs

Configuring the upstream switch of AIR-WLC2100-K9

1. Configure the routing protocol and management VLAN on the switch. (Details not shown.)

2. Configure portal authentication:
# Configure a portal server named guest. Specify the IP address of the portal server and the portal redirection URL.
<SW>system-view
System View: return to User View with Ctrl+Z.
[SW]portal server guest ip url
# Configure portal-free rules for the DHCP, DNS, and SCEP servers.
[SW]portal free-rule 1 destination ip mask
[SW]portal free-rule 2 destination ip mask
[SW]portal free-rule 3 destination ip mask

3. Configure the service VLAN:
# Create VLAN 33.
[SW]vlan 33
[SW-vlan33]quit
# Configure the gateway address of DHCP scope 1x as the IP address of VLAN-interface 33. The setting must match the gateway address of VLAN 33 on AIR-WLC2100-K9.
[SW]interface Vlan-interface 33
[SW-Vlan-interface33]ip address
[SW-Vlan-interface33]quit
# Advertise the network /24. (Details not shown.)

4. Configure the public VLAN:
# Create VLAN 66.
[SW]vlan 66
[SW-vlan66]quit
# Configure the gateway address of DHCP scope 1x-public as the IP address of VLAN-interface 66. The setting must match the gateway address of VLAN 66 on AIR-WLC2100-K9.
[SW]interface Vlan-interface 66
[SW-Vlan-interface66]ip address
# Enable portal authentication on VLAN-interface 66.
[SW-Vlan-interface66]portal server guest method direct
[SW-Vlan-interface66]quit
# Advertise the network /24. (Details not shown.)

Verifying the configuration

Verifying the configuration on an Android device

IMPORTANT: If Android 4.0 or later is used, enable the lock screen feature and set the lock screen password.

To verify the configuration:

1. On the mobile device, enable WLAN to search and connect to SSID ss_byod_jay_free, as shown in Figure 73.

Figure 73 Finding SSID ss_byod_jay_free on an Android device

2. On the page that opens, enter the pre-shared key and click Connect. The device is successfully connected to ss_byod_jay_free, as shown in Figure 74.

Figure 74 SSID ss_byod_jay_free successfully connected

3. Open any website in a browser. You are redirected to the Welcome to the BYOD solution page, as shown in Figure 75.

Figure 75 Welcome to the BYOD solution page

4. Click Configure My Android Device to download the Android deployment tool. The tool named byoddeploytool.apk is added to the Downloads page, as shown in Figure 76.

Figure 76 BYOD deployment tool downloaded

5. Click the tool and install it on the mobile device. When the installation is complete, the BYOD Automated Deployment Tool page opens, as shown in Figure 77.

Figure 77 Application installed

6. Click Open. The User Authentication page opens, as shown in Figure 78.

Figure 78 User Authentication page

7. Enter the username jay and password 1, and then click OK. The tool automatically saves the credentials for subsequent authentication. The Install Certificate page opens, as shown in Figure 79.

Figure 79 Install Certificate page

8. Click Next. The Extract from PKCS12 keystore page opens.
9. Enter password 1 again in the Enter the password to extract the certificates field, as shown in Figure 80.

Figure 80 Entering the password to extract the certificates

10. Click OK. The Certificate name page opens, and the field is automatically populated with the certificate name, as shown in Figure 81.

Figure 81 Configuring the certificate name

11. Click OK. If the mobile device is running Android of a version earlier than 4.0, the Enter password page opens, and the field is automatically populated with the password, as shown in Figure 82.

Figure 82 Configuring credential storage password

12. Click OK. The configuration result page opens, displaying the account name and the new SSID to be connected, as shown in Figure 83. If the mobile device is running Android 4.0 or later, you directly enter the configuration result page.

Figure 83 Configuration result page

13. Click Close. The mobile device automatically connects to the new SSID and passes the certificate-based authentication, as shown in Figure 84.

Figure 84 Connecting to the new SSID

14. Log in to UAM to verify that user jay is displayed in the online user list, as shown in Figure 85.

Figure 85 Viewing online users on UAM

Verifying the configuration on an iOS device

1. On the mobile device, enable WLAN to search and connect to SSID ss_byod_jay_free, as shown in Figure 86.

Figure 86 Finding SSID ss_byod_jay_free on an iOS device

2. On the page that opens, enter the pre-shared key, and then click Connect.
3. When the device is connected to ss_byod_jay_free, open any website in a browser. You are redirected to the Welcome to the BYOD solution page, as shown in Figure 87.

Figure 87 Welcome to the BYOD solution page

4. Click Configure My iOS Device. The Log In page opens.
5. Enter the account name jay and password 1, as shown in Figure 88.

Figure 88 Entering login credentials

6. Click OK. The system automatically downloads the device enrollment profile and displays the Install Profile page, as shown in Figure 89.

Figure 89 Install Profile

7. Click Install. A Warning message is displayed, as shown in Figure 90.

Figure 90 Warning

8. Click Install. The system starts to install the profile and the configuration templates configured in UAM. The Profile Installed page opens after the operation is complete, as shown in Figure 91.

Figure 91 Profile Installed

9. Click Done. The Profiles page opens, as shown in Figure 92.

Figure 92 Profiles

10. Click the profile named ios gen test. The Profile page opens, as shown in Figure 93. It displays basic information about the profile.

Figure 93 Viewing the profile information

11. Click More Details to view the root certificate, client certificate, and WLAN configuration contained in the profile.
12. Remember the SSID displayed in the Wi-Fi configuration, as shown in Figure 94.

Figure 94 Viewing the profile details

13. Open the WLAN settings page and connect to the SSID ss_byod_jay_1x. The system automatically authenticates the user with the account name and password specified on the Welcome to the BYOD Solution page, as shown in Figure 95. The authentication process is encrypted with the previously configured certificates.

Figure 95 Connecting to ss_byod_jay_1x

14. Log in to UAM to verify that user jay is displayed in the online user list, as shown in Figure 96.

Figure 96 Viewing online users on UAM

Example: Configuring BYOD quick deployment in a single SSID

Network configuration

As shown in Figure 97, Figure 98, and Figure 99, a mobile user intends to access the Internet through a wireless 802.1X connection by using an account named jay. An AC (WX6103 or MSM 760) serves as the access device.

WX6103 does the following:
- Manages the user in a mandatory 802.1X authentication domain named 1x.
- Removes the domain name from the usernames to be sent to UAM for authentication.

Configure UAM and the AC to implement BYOD quick deployment in a single SSID. The mobile user first uses a public user account named hello to connect to SSID ss_byod_jay_1x. After passing the PEAP authentication, the device is placed in a public VLAN (VLAN 66) for portal authentication. The portal feature redirects the mobile user to download an Android profile deployment tool or to deploy an iOS profile. The mobile user then uses a personal user account named jay to perform EAP-TLS authentication. After passing the authentication, the user is assigned to a service VLAN (VLAN 33) for secure network access.

On the AC, do the following:
- Set the shared key for secure RADIUS communication to hello.
- Set the ports for authentication and accounting to 1812 and 1813, respectively.

Figure 97 Network diagram (WX6103)
Figure 98 Network diagram (MSM 760)
Figure 99 Network diagram (AIR-WLC2100-K9)

Analysis

To enable the user to pass authentication by using a public account for mobile device provisioning, complete the following configurations:
- In UAM, configure the following:
   a. Configure the AC as an access device.
   b. Configure an access policy for EAP-PEAP certificate authentication.
   c. Configure the previous access policy as the default access policy in an access service.
   d. Configure a public user account for 802.1X access and assign the previous access service to it.
- On WX6103, configure the service VLAN, RADIUS scheme, ISP domain, global security settings, and WLAN settings.
- On MSM 760, configure the service VLAN, RADIUS profile, VSC profile, and VSC bindings.
- On AIR-WLC2100-K9, configure the service VLAN, authentication and accounting server and WLAN settings.

To redirect the mobile device user to a BYOD deployment page after it passes authentication by using the public account, complete the following configurations:
- In UAM, use the predefined deployment tool download page (for Android) and a deployment page (for iOS) with the same URL
- On WX6103, the switch attached to MSM 760, or the upstream switch of AIR-WLC2100-K9, do the following:
   - Configure a public VLAN (VLAN 66).
   - Configure portal authentication in the VLAN with the portal redirection URL set to

To implement EAP-TLS certificate authentication for the provisioned mobile device, complete the following configurations:
- In UAM, configure the following:
   a. Configure an access policy for EAP-TLS certificate authentication. The policy must contain the VLAN name or ID to be deployed.
   b. Configure the previous access policy as the default access policy in an access service.
   c. Configure a personal user account for 802.1X access and assign the previous access service to it.
   d. Configure an iOS general template, a SCEP template, and a Wi-Fi template for SSID ss_byod_jay_1x, and associate the templates with a distribution policy.
   e. Import root and server certificates to UAM.
- On the mobile device, obtain and install the user certificate and root certificate. These configurations are automatically performed during the mobile device provisioning process.

To assign an IP address to the endpoint through DHCP, configure DHCP agent on WX6103, the switch attached to MSM 760, or AIR-WLC2100-K9.

Figure 100 illustrates the steps that are followed when the mobile device connects to the wireless network:

Figure 100 Enrollment and provisioning on mobile device with a single SSID

(1) The mobile user uses the public user account (hello) to connect to SSID ss_byod_jay_1x and is placed in a portal-enabled VLAN after passing the authentication in UAM.
(2) UAM deploys to the mobile device the OS-specific configuration templates (specified in the endpoint configuration distribution policy assigned to the user account or the user group to which the user account belongs).
(3) The configuration templates contain SCEP configuration and Wi-Fi configuration with the parameters to connect to the secure SSID.
(4) The user connects to SSID ss_byod_jay_1x again by using a personal user account. After passing EAP-TLS authentication, the user is placed in a service VLAN for secure network access.

Software versions used

This configuration example was created and verified on the following platforms:
- IMC UAM 7.2 (E0403)
- Certification server embedded in Windows Server 2008 R2 Datacenter
- DHCP server embedded in Windows Server 2008 R2 Datacenter
- DHCP Agent plugin: HP IMC DHCP Agent Config Tool V7.0-E0102
- H3C WX6103 Comware Software, Version 5.20, ESS2507P04
- HP MSM 760 Software Version , Hardware Version B:48
- Cisco AIR-WLC2100-K9, Software Version
- Samsung GT-I9100G, Android
- Apple iPhone 4S, iOS

75 Configuring the DHCP server Configure the DHCP server and DHCP agent as described in "Configuring the DHCP server." Configuring UAM Configure the AC as an access device in UAM See "Configuring the AC as an access device." Configuring access policies Configuring an access policy for the public user account 1. Click the User tab. 2. From the navigation tree, select User Access Policy > Access Policy. 3. In the access policy list, click Add. 4. Configure the following parameters for the access policy: a. Enter initial in the Access Policy Name field. b. Select EAP-PEAP from the Preferred EAP Type list, and select EAP-MSCHAPv2 from the Subtype list. c. Select Disable from the EAP Auto Negotiate list. d. Configure the deploy VLAN. For WX6103, enter 66 in the Deploy VLAN field, as shown in Figure 101. Figure 101 Configuring an access policy for the public user account (WX6103) For MSM 760 or AIR-WLC2100-K9, enter ssbyodjay1x3 in the Deploy VLAN field, as shown in Figure

76 Figure 102 Deploy VLAN for MSM 760 or AIR-WLC2100-K9 5. Click OK. Configuring an access policy for the personal user account 1. In the access policy list, click Add. 2. Configure the following parameters for the access policy: a. Enter cer in the Access Policy Name field. b. Select EAP-TLS from the Preferred EAP Type list. c. Select Disable from the EAP Auto Negotiate list. d. Configure the deploy VLAN. For WX6103, enter 33 in the Deploy VLAN field, as shown in Figure 103. Figure 103 Configuring an access policy for the personal user account (WX6103) For MSM 760 or AIR-WLC2100-K9, enter ssbyodjay1x in the Deploy VLAN field, as shown in Figure

77 Figure 104 Deploy VLAN for MSM 760 or AIR-WLC2100-K9 e. Use the default values for other parameters. 3. Click OK. Configuring access services Configuring an access service for the public user account 1. From the navigation tree, select User Access Policy > Access Service. 2. In the access service list, click Add. 3. Configure the following parameters, as shown in Figure 105: a. Enter initial in the Service Name field. b. Leave the Service Suffix field empty. c. Select initial from the Default Access Policy list. d. Use the default values for other parameters. Figure 105 Configuring an access service for the public user account 4. Click OK. Configuring an access service for the personal user account 1. In the access service list, click Add. 2. Configure the following parameters, as shown in Figure 106: a. Enter cer in the Service Name field. b. Leave the Service Suffix field empty. c. Select cer from the Default Access Policy list. 74

78 d. Use the default values for other parameters. Figure 106 Configuring an access service for the personal user account 3. Click OK. Configuring the public and personal user accounts Configuring a public user account 1. From the navigation tree, select Access User > All Access Users. 2. In the access user list, click Add. The Add Access User page opens. 3. Configure the following parameters, as shown in Figure 107: a. Click Select next to the User Name field, select an IMC platform user, and then click OK. b. Enter hello in the Account Name field. c. Enter 1 in the Password and Confirm Password field. d. Select the service named initial from the Access Service list. 75

79 Figure 107 Adding a public user account 4. Click OK. Configuring a personal user account 1. In the access user list, click Add. The Add Access User page opens. 2. Configure the following parameters, as shown in Figure 108: a. Click Select next to the User Name field, select the IMC platform user named ftest, and then click OK. b. Enter jay in the Account Name field. c. Enter 1 in the Password and Confirm Password field. d. Select the service named cer. 76

80 Figure 108 Adding a personal user account 3. Click OK. Configuring endpoint configuration templates See "Configuring endpoint configuration templates." Configuring an endpoint configuration distribution policy See "Configuring an endpoint configuration distribution policy." Importing server and root certificates See "Importing server and root certificates." Configuring WX6103 Perform all the tasks described in "Configuring WX6103" except for the WLAN-ESS 66 configuration (step 9) and service template 66 configuration (step 10) in "Configuring authentication settings on WX6103." Configuring MSM 760 Perform all the tasks described in "Configuring MSM 760" except for tasks "Configuring a public VSC profile" and "Configuring a public VSC binding." 77

81 Configuring AIR-WLC2100-K9 Perform all the tasks as described in "Configuring AIR-WLC2100-K9" except for those in "Configuring public WLAN settings." Verifying the configuration Verifying the configuration on an Android device IMPORTANT: If Android 4.0 or later is used, enable the lock screen feature and set the lock screen password. 1. On the mobile device, enable WLAN to search and connect to SSID ss_byod_jay_1x, as shown in Figure 109. Figure 109 Finding SSID ss_byod_jay_1x on an Android device 2. On the page that opens, configure the following parameters as shown in Figure 110: a. Select PEAP from the EAP method list. b. Enter hello in the Identity field. c. Enter 1 as the password. 78

82 Figure 110 Specifying the connection parameters 3. Click Connect. The device is successfully connected to SSID ss_byod_jay_1x, as shown in Figure 111. Figure 111 SSID ss_byod_jay_1x successfully connected 4. Perform steps 4 through 15 described in "Verifying the configuration on an Android device." Verifying the configuration on an ios device 1. On the mobile device, enable WLAN to search and connect to SSID ss_byod_jay_1x, as shown in Figure

83 Figure 112 Finding SSID ss_byod_jay_1x on an ios device 2. On the Enter Password page, perform the following tasks, as shown in Figure 113: a. Enter hello in the Identity field. b. Enter 1 as the password. c. Select Automatic for Mode. Figure 113 Entering account name and password 80

3. Click Join. The user is successfully connected to SSID ss_byod_jay_1x, as shown in Figure 114.

Figure 114 SSID ss_byod_jay_1x successfully connected

4. Perform steps 4 through 15 described in "Verifying the configuration on an iOS device."


More information

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

Identity Services Engine Guest Portal Local Web Authentication Configuration Example Identity Services Engine Guest Portal Local Web Authentication Configuration Example Document ID: 116217 Contributed by Marcin Latosiewicz, Cisco TAC Engineer. Jun 21, 2013 Contents Introduction Prerequisites

More information

Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Standalone Guide

Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Standalone Guide Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Standalone Guide Table of Content INTRODUCTION... 3 USING DEFAULT SSID... 4 USING CUSTOM SSID... 5 Discover GWN76xx... 5 Method 1: Discover GWN76xx

More information