Network Policy Controller UAM/RADIUS Guide

Contents

1. Introduction
   1.1. Terminology
2. Web Authentication
   2.1. Redirect URL Parameters
   2.2. UAM Login URL
   2.3. UAM Logout URL
3. UAM/RADIUS Call Flow
4. RADIUS
   4.1. Authentication Request Attributes
   4.2. Authentication Response Attributes
   4.3. Accounting Attributes
   4.4. VSA Dictionary

Global Reach Technology Limited @GlobalReachLtd globalreachtech.com

1. Introduction

This document describes the UAM and RADIUS functionality supported by the Global Reach Network Policy Controller.

1.1. Terminology

Network Policy Controller
The Network Policy Controller (NPC) provides the services required by wireless Internet service providers (WISPs), such as AAA/RADIUS, captive portal redirect, ACLs and bandwidth shaping.

Universal Access Method
The universal access method (UAM) is frequently used by WISPs to grant access to a wireless network, or to another network while roaming. The roaming customer uses a regular web browser to open a login page on the captive portal and enters credentials (typically a username and password) to gain access to the network.

MAC Address
A media access control address (MAC address) is a unique identifier assigned to a network interface for communication on the physical network segment. MAC addresses are used as network addresses for most IEEE 802 technologies, including Ethernet and Wi-Fi.

User Equipment (UE)
A device used directly by an end user to communicate and interact with the Wi-Fi service.

Walled Garden
The walled garden restricts the services reachable by unauthorized users to the external captive portal and the other services the UE needs in order to authorize with the Wi-Fi service.

Captive Portal
A captive portal is a web page that the user of a public-access network is obliged to view and interact with before access is granted. Captive portals are typically used by business centres, airports, hotel lobbies, coffee shops and other venues that offer free Wi-Fi hot spots to Internet users.

AAA Server
A RADIUS server that manages network access in a two-step process, authentication and authorization followed by accounting, also known as an AAA transaction. AAA stands for authentication, authorization and accounting.

RADIUS
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization and accounting (AAA) management for users who connect to and use a network service.

Access Point
A wireless access point (AP) is a device that allows wireless devices to connect to a wired network using Wi-Fi or related standards. The AP usually connects to a router over a wired network as a standalone device, but it can also be an integral component of the router itself.

2. Web Authentication

Before a user can be authorized for access through the NPC, the UE must first authenticate via the UAM provided by the Web Authentication service. After redirection to the captive portal, the UE authenticates with the NPC using the Web Authentication service described in this section.

2.1. Redirect URL Parameters

The initial redirect URL to the captive portal (Figure 1) carries query string parameters that identify the UE and the session; they are described in Figure 2.

Figure 1.

https://www.mycaptiveportal.com/?mac=00:11:22:33:44:55&state=3&sid=00112233-4455-6677-8899-aabbfdf5f0af&vlan=1&bssid=cc:dd:ee:ff:00:11&orig_url=http%3a%2f%2fwww.google.com%2f

Figure 2.

mac       The MAC address of the UE, formatted as a UTF-8 string of colon-delimited hex octets.
state     The authorization state of the UE. State 3 indicates unauthorized (the UE has been redirected and has not yet logged in, as in Figure 1), state 2 indicates authorized with HTTP/HTTPS redirect and state 1 indicates fully authorized.
sid       Uniquely identifies the session for accounting purposes.
vlan      The 802.1Q VLAN on which the UE was discovered.
bssid     The MAC address of the AP the user is associated with at the time of redirection.
orig_url  The URL the UE requested prior to redirection to the captive portal.

2.2. UAM Login URL

The host name for the UAM Login URL is configurable, but the NPC provides a default of gateway.wifi-portals.com together with an SSL certificate issued by a trusted root CA for secure authentication. When using a custom host name with SSL enabled, an appropriate SSL certificate from a trusted root CA is required. A certificate from a self-signed CA is also supported, but results in a security warning to the user during authentication.

The UAM Login URL accepts the parameters described in Figure 3, either in the query string of an HTTP GET request or in the body of an HTTP POST with a Content-Type of application/x-www-form-urlencoded. Credentials placed in a query string are retained in browser history and in web server access logs, so the POST form is preferable. An example UAM Login URL is shown in Figure 4.

Figure 3.

username  Username to be sent in the Access-Request to the AAA.
password  Password to be sent in the Access-Request to the AAA.

Figure 4.

https://gateway.wifi-portals.com/login?username=joe&password=secret

Following an unsuccessful authentication attempt, the UE is redirected to the captive portal redirect URL. Among the query parameters, the NPC includes the Reply-Message contained in the Access-Reject, if one was specified, or otherwise an internal error code indicating the reason for the failure. Following a successful authentication, the UE is redirected to the success URL configured on the NPC.

2.3. UAM Logout URL

The UE can terminate its session by calling the UAM Logout URL (Figure 5). The session is terminated, an Accounting-Stop is transmitted to the AAA and the UE is redirected back to the portal.

Figure 5.

https://gateway.wifi-portals.com/logout
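The portal side of sections 2.1 and 2.2, as an added example rather than code from Global Reach or the NPC: it validates the redirect query string of Figure 1 (MAC format, known state code, 802.1Q VLAN range, an absolute http(s) orig_url so the browser is never sent to a javascript: or data: URL) and builds both forms of the login call of Figure 4. The parameter names, state codes and the default host name come from the guide; the function names, the checks and the BadRedirect exception are this example's own.

```python
"""Portal-side handling of the NPC redirect URL (section 2.1) and the UAM login
call (section 2.2).  Parameter names, state codes and the default login host come
from the guide; the function names and the checks are this example's own choices,
not NPC or portal code from Global Reach."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
UAM_LOGIN_URL = "https://gateway.wifi-portals.com/login"   # NPC default host name

# Meaning of the "state" query parameter (section 2.1).
STATES = {3: "unauthorized", 2: "authorized with HTTP/HTTPS redirect", 1: "fully authorized"}


class BadRedirect(ValueError):
    """The redirect query string is incomplete, malformed or has been tampered with."""


def parse_redirect(url):
    """Validate the query parameters the NPC appends when it redirects the UE to the portal."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    missing = {"mac", "state", "sid", "vlan", "bssid", "orig_url"} - set(q)
    if missing:
        raise BadRedirect("missing parameters: " + ", ".join(sorted(missing)))
    mac, bssid = q["mac"].lower(), q["bssid"].lower()
    if not (MAC_RE.match(mac) and MAC_RE.match(bssid)):
        raise BadRedirect("mac/bssid are not colon-delimited hex octets")
    try:
        state, vlan = int(q["state"]), int(q["vlan"])
    except ValueError:
        raise BadRedirect("state/vlan are not integers")
    if state not in STATES:
        raise BadRedirect("unknown state %d" % state)
    if not 1 <= vlan <= 4094:
        raise BadRedirect("vlan %d outside the 802.1Q range" % vlan)
    if not q["sid"]:
        raise BadRedirect("empty session id")
    # orig_url is whatever the user typed before being redirected: only ever send
    # the browser back to an absolute http(s) URL, never a javascript: or data: one.
    orig = urlsplit(q["orig_url"])
    if orig.scheme not in ("http", "https") or not orig.netloc:
        raise BadRedirect("orig_url is not an absolute http(s) URL")
    return {"mac": mac, "state": state, "state_name": STATES[state], "sid": q["sid"],
            "vlan": vlan, "bssid": bssid, "orig_url": q["orig_url"]}


def login_get_url(username, password, login_url=UAM_LOGIN_URL):
    """The GET form of Figure 4: credentials in the query string."""
    return login_url + "?" + urlencode({"username": username, "password": password})


def login_post(username, password, login_url=UAM_LOGIN_URL):
    """The POST form: (url, application/x-www-form-urlencoded body).  Preferred, because a
    query string ends up in browser history, proxy logs and the NPC's access logs."""
    return login_url, urlencode({"username": username, "password": password})
```

parse_redirect rejects rather than repairs: a redirect whose parameters do not parse is either a bug in the NPC configuration or a client playing with the URL, and in both cases the portal should not proceed to a login on its behalf.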

3. UAM/RADIUS Call Flow

Participants: UE, NPC, AAA/RADIUS and Portal.

 1. UE -> NPC: DHCP Discover
 2. NPC -> UE: DHCP Offer
 3. UE -> NPC: DHCP Request
 4. NPC -> AAA/RADIUS: Access-Request (MAC authentication)
 5. AAA/RADIUS -> NPC: Access-Reject. With MAC authentication, the AAA/RADIUS can instead return Access-Accept, and the NPC then updates the UE as authorized straight away.
 6. NPC -> UE: DHCP ACK
 7. UE -> NPC: HTTP GET http://www.google.com
 8. NPC -> UE: HTTP 302 redirect to https://www.mycaptiveportal.com/?mac=00:11:22:33:44:55&state=3
 9. UE -> Portal: HTTP GET https://www.mycaptiveportal.com/?mac=00:11:22:33:44:55&state=3
10. The user registers or pays for Wi-Fi access on the portal.
11. Portal -> UE: HTTP 302 redirect to https://gateway.wifi-portals.com/login?username=joe&password=secret
12. UE -> NPC: HTTP GET https://gateway.wifi-portals.com/login?username=joe&password=secret
13. NPC -> AAA/RADIUS: Access-Request
14. AAA/RADIUS -> NPC: Access-Accept (the NPC updates the UE as authorized)
15. NPC -> AAA/RADIUS: Accounting-Start
16. NPC -> UE: HTTP 302 redirect to https://www.mycaptiveportal.com/success
17. AAA/RADIUS -> NPC: Accounting-Response
18. UE -> Portal: HTTP GET https://www.mycaptiveportal.com/success
19. Portal -> UE: HTTP 302 redirect to http://www.google.com
20. UE -> NPC: HTTP GET http://www.google.com
21. NPC -> AAA/RADIUS: Accounting-Interim, transmitted periodically for the life of the session
22. AAA/RADIUS -> NPC: Accounting-Response

4. RADIUS

4.1. Authentication Request Attributes

User-Name
The name of the user to be authenticated. It is present in every Access-Request sent to the remote AAA. For MAC authentication, the username is the MAC address of the UE.

Service-Type
Indicates the method of authentication requested. For MAC authentication this is set to Framed. A value of Login indicates that the UE supplied a username and password to authenticate itself.

Calling-Station-Id
The MAC address of the UE, formatted as a UTF-8 string of colon-delimited hex octets. For example: 00:11:22:33:44:55.

Called-Station-Id
The MAC address of the NPC interface on which the UE was discovered, formatted as a UTF-8 string of colon-delimited hex octets. For example: 66:77:88:99:AA:BB.

Acct-Session-Id
A UTF-8 encoded string that uniquely identifies the session for accounting purposes.

NAS-Identifier
The identity of the NPC, consisting of the NPC's hostname and the captive portal interface. For example: npc-01:eth1.829.

Odyssys-VLAN-ID
The VLAN on which the UE was discovered.

Odyssys-Called-Station-BSSID
The NPC supports discovery of sessions via RADIUS Access-Requests that originate from an AP or WLAN controller. When configured, this attribute contains the MAC address of the AP the user is connected to at the time the authentication request was transmitted.

Chargeable-User-Identity
The RADIUS server (a RADIUS proxy or home RADIUS server) may include the CUI attribute in the Access-Accept packet destined for a roaming partner.
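The Access-Request the NPC sends for a UAM login, assembled on the wire with the attributes listed above and signed with the Message-Authenticator that the next entry describes (an HMAC-MD5 keyed with the shared secret, computed over the whole packet with the attribute's own value zeroed, as RFC 3579 specifies). This is an added example, not Global Reach or Odyssys code: the IETF attribute numbers are those of RFC 2865, 3579 and 4372, the Odyssys vendor id and sub-attribute numbers are the ones in the VSA dictionary of section 4.4, and the shared secret, NAS name and session values are made up for the demonstration. It also shows the MAC-authentication variant (Service-Type Framed, User-Name set to the MAC) and the server-side check that must reject a request whose digest does not verify.

```python
"""Build and verify a UAM Access-Request carrying the section 4.1 attributes.
Added example (not Global Reach or Odyssys code): IETF attribute numbers per
RFC 2865/3579/4372, Odyssys vendor id and sub-attributes per the section 4.4
dictionary; secret, NAS name and session values are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6               # RFC 2865
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR, CUI = 44, 80, 89       # 80: RFC 3579, 89: RFC 4372
SERVICE_TYPE_LOGIN, SERVICE_TYPE_FRAMED = 1, 2                 # Login-User / Framed-User
VSA, ODYSSYS_VENDOR = 26, 39393
ODYSSYS_VLAN_ID, ODYSSYS_CALLED_STATION_BSSID = 1, 9


def avp(attr_type, value):
    """One attribute TLV: type, total length, value (1..253 octets)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute %d value length %d out of range" % (attr_type, len(value)))
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (type 26) attribute wrapping a single vendor sub-attribute."""
    return avp(VSA, struct.pack("!I", vendor_id) + struct.pack("!BB", vendor_type, len(value) + 2) + value)


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    plain = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        block = bytes(a ^ b for a, b in zip(plain[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def build_access_request(secret, identifier, session, authenticator=None):
    """Assemble the Access-Request for a UAM login, or for MAC authentication if no password."""
    authenticator = authenticator or os.urandom(16)      # Request Authenticator: 16 random octets
    if session.get("password") is None:                   # MAC authentication: User-Name is the MAC
        service, user = SERVICE_TYPE_FRAMED, session["mac"]
    else:
        service, user = SERVICE_TYPE_LOGIN, session["username"]
    attrs = avp(USER_NAME, user.encode())
    if service == SERVICE_TYPE_LOGIN:
        attrs += avp(USER_PASSWORD, encode_user_password(session["password"].encode(), secret, authenticator))
    attrs += avp(SERVICE_TYPE, struct.pack("!I", service))
    attrs += avp(CALLING_STATION_ID, session["mac"].encode())
    attrs += avp(CALLED_STATION_ID, session["npc_if_mac"].encode())
    attrs += avp(ACCT_SESSION_ID, session["sid"].encode())
    attrs += avp(NAS_IDENTIFIER, session["nas_id"].encode())
    attrs += vsa(ODYSSYS_VENDOR, ODYSSYS_VLAN_ID, struct.pack("!I", session["vlan"]))
    attrs += vsa(ODYSSYS_VENDOR, ODYSSYS_CALLED_STATION_BSSID, session["bssid"].encode())
    # Message-Authenticator: HMAC-MD5(secret) over the packet with this value zeroed (RFC 3579 3.2).
    attrs += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the attribute zeroed; False if missing or wrong."""
    pos, found = 20, None
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False                                  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            found = pos
        pos += length
    if found is None:
        return False
    zeroed = packet[:found + 2] + b"\x00" * 16 + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])
```

verify_message_authenticator treats a missing attribute the same as a wrong one; a server that only checks the digest when it happens to be present lets an attacker strip it, which is why the guide says the AAA must calculate and compare it.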

Message-Authenticator
Signs the authentication request with a digest: an HMAC-MD5 keyed with the RADIUS shared secret and computed over the whole packet with this attribute's own value set to zeros. The AAA server must calculate the correct value for the Message-Authenticator and discard the request if the values do not match. For more information about the Message-Authenticator attribute and the digest algorithm, refer to RFC 3579.

4.2. Authentication Response Attributes

Class
Octets of arbitrary length to be sent in all accounting records corresponding to the session.

WISPr-Bandwidth-Min-Up
Minimum guaranteed transmit rate (bps).

WISPr-Bandwidth-Min-Down
Minimum guaranteed receive rate (bps).

WISPr-Bandwidth-Max-Up
Limits the maximum transmit rate (bps) for the UE.

WISPr-Bandwidth-Max-Down
Limits the maximum receive rate (bps) for the UE.

WISPr-Session-Terminate-Time
The time at which the user should be disconnected, in ISO 8601 format (YYYY-MM-DDThh:mm:ssTZD). If TZD is not specified, the local time of the NPC is assumed. For example, a session to terminate on 18 December 2001 at 7:00 PM UTC would be specified as 2001-12-18T19:00:00+00:00.

Odyssys-Portal-Redirect
The number of seconds after the session has started before the UE is redirected to the captive portal. After this period has elapsed, the UE's HTTP/HTTPS requests are redirected to the portal until instructed otherwise; other traffic traverses the NPC as usual. A value of 0 redirects the UE on its first and subsequent HTTP/HTTPS requests immediately, until instructed otherwise.

Odyssys-Portal-Redirect-Interval
The interval in seconds at which the UE is redirected to the captive portal. Each time this period elapses, the UE's HTTP/HTTPS requests are redirected to the portal until instructed otherwise; other traffic traverses the NPC as usual.

Framed-Pool
When present in an Access-Accept and NAT pooling is enabled on the NPC, specifies the NAT pool from which to allocate a NAT address and ports.
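Applying the session-policy attributes above (Class, the WISPr bandwidth and terminate-time attributes, Odyssys-Portal-Redirect and Framed-Pool) to a newly authorized UE, as an added example rather than NPC code. The decoded Access-Accept is passed in as a dict keyed by attribute name, which is what a RADIUS library hands back; NPC_TZ stands in for the NPC's configured local zone, since the guide says a WISPr-Session-Terminate-Time without a TZD is NPC local time; the layout of the returned policy dict and the sanity checks (minimum rate above maximum, terminate time already in the past) are this example's own.

```python
"""Turn the Access-Accept attributes of section 4.2 into a per-session policy.
Added example, not NPC code: attributes arrive as a dict keyed by name, NPC_TZ is an
assumed NPC local zone, and the policy dict layout is this example's own."""
from datetime import datetime, timedelta, timezone

NPC_TZ = timezone(timedelta(hours=1))   # assumption: the NPC is configured for UTC+1


def parse_terminate_time(value, npc_tz=NPC_TZ):
    """WISPr-Session-Terminate-Time, YYYY-MM-DDThh:mm:ssTZD, as an aware datetime.
    Without a TZD the guide says NPC local time applies, so attach npc_tz."""
    text = value.strip()
    if text.endswith("Z"):                   # ISO 8601 allows Z for UTC; normalise it
        text = text[:-1] + "+00:00"
    when = datetime.fromisoformat(text)
    if when.tzinfo is None:
        when = when.replace(tzinfo=npc_tz)
    return when


def session_policy(accept, now, npc_tz=NPC_TZ):
    """Shaping, redirect, lifetime and NAT settings for a UE that just received Access-Accept."""
    policy = {"class": accept.get("Class")}  # echoed unchanged in every accounting record
    for direction in ("Up", "Down"):
        lo = accept.get("WISPr-Bandwidth-Min-" + direction)
        hi = accept.get("WISPr-Bandwidth-Max-" + direction)
        if lo is not None and hi is not None and lo > hi:
            raise ValueError("%s: minimum rate %d exceeds maximum %d" % (direction, lo, hi))
        policy["min_%s_bps" % direction.lower()] = lo
        policy["max_%s_bps" % direction.lower()] = hi
    term = accept.get("WISPr-Session-Terminate-Time")
    if term is not None:
        remaining = int((parse_terminate_time(term, npc_tz) - now).total_seconds())
        if remaining <= 0:
            raise ValueError("WISPr-Session-Terminate-Time %s is already in the past" % term)
        policy["terminate_in_s"] = remaining
    first = accept.get("Odyssys-Portal-Redirect")
    if first is not None:
        # 0: redirect HTTP/HTTPS from the first request; N: start redirecting N seconds
        # into the session.  Only HTTP/HTTPS is redirected; other traffic keeps flowing.
        policy["redirect_after_s"] = first
        policy["redirect_every_s"] = accept.get("Odyssys-Portal-Redirect-Interval")
    policy["nat_pool"] = accept.get("Framed-Pool")   # only meaningful when NAT pooling is enabled
    return policy
```

A terminate time in the past is refused rather than silently treated as "disconnect now": an AAA that produces one is usually misconfigured on time zones, which is exactly the case the missing-TZD rule exists for.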

Odyssys-Authentication-Error
A numerical error code, translated before being displayed to the user after an unsuccessful login attempt.

Reply-Message
A UTF-8 string to display to the user following an unsuccessful login attempt.

4.3. Accounting Attributes

Framed-IP-Address
The IP address assigned to the UE during DHCP.

Class
The value of the Class attribute received in the Access-Accept.

Calling-Station-Id
The MAC address of the UE, formatted as a UTF-8 string of colon-delimited hex octets. For example: 00:11:22:33:44:55.

Called-Station-Id
The MAC address of the NPC interface on which the UE was discovered, formatted as a UTF-8 string of colon-delimited hex octets. For example: 66:77:88:99:AA:BB.

NAS-Identifier
The identity of the NPC, consisting of the NPC's hostname and the captive portal interface. For example: npc-01:eth1.829.

Acct-Status-Type
The type of accounting record. The NPC supports the Start, Stop and Interim accounting types.

Acct-Delay-Time
How many seconds the NPC has been trying to send this accounting record; it can be subtracted from the time of arrival at the server to find the approximate time of the event that generated this Accounting-Request. This attribute is provided for backwards compatibility with old AAA servers; Event-Timestamp should be used instead.

Acct-Input-Octets
How many octets have been received by the UE over the course of this service being provided.

Acct-Input-Gigawords
How many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided.

Acct-Output-Octets
How many octets have been transmitted by the UE over the course of this service being provided.

Acct-Output-Gigawords
How many times the Acct-Output-Octets counter has wrapped around 2^32 over the course of this service being provided.

Acct-Session-Id
A UTF-8 encoded string that uniquely identifies the session for accounting purposes.

Acct-Session-Time
How many seconds the UE has received service for. Present in records where Acct-Status-Type is Interim or Stop.

Acct-Input-Packets
How many packets have been received by the UE over the course of this service being provided.

Acct-Output-Packets
How many packets have been transmitted by the UE over the course of this service being provided.

Acct-Terminate-Cause
How the session was terminated. Present only in Accounting-Request records where Acct-Status-Type is Stop. The values transmitted by the NPC are Session-Timeout, Idle-Timeout and Admin-Reset.

Event-Timestamp
The time at which the Accounting-Request was first generated, as Epoch time: seconds since 1 January 1970 00:00 UTC.

Framed-Pool
If NAT pooling is enabled on the NPC, the name of the NAT pool the UE was assigned to.

Chargeable-User-Identity
The RADIUS server (a RADIUS proxy or home RADIUS server) may include the CUI attribute in the Access-Accept packet destined for a roaming partner.

Odyssys-VLAN-ID
The VLAN on which the UE was discovered.

Odyssys-NAT-Address
When NAT pooling is enabled on the NPC, the NAT IP address allocated to the UE.

Odyssys-NAT-Port-Start
When NAT pooling is enabled on the NPC, the first NAT port allocated to the UE.

Odyssys-NAT-Port-End
When NAT pooling is enabled on the NPC, the last NAT port allocated to the UE.

Odyssys-Session-State
The current state of the UE session: Unauthenticated, Authenticated or Authenticated-MAC (authenticated with redirect).
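Reconciling the Start, Interim and Stop records of one session on the AAA side, as an added example rather than Global Reach code. It folds the Gigawords wrap count into the 32-bit octet counters, dates a record by Event-Timestamp or, for the legacy case the guide describes, by arrival time minus Acct-Delay-Time, and flags the inconsistencies a billing or fraud check cares about: counters or session time going backwards, a Class that is not echoed identically, Acct-Terminate-Cause outside a Stop, a cause the NPC does not document, or a session with no Stop at all. Records are dicts keyed by attribute name, the "_received_at" key is this example's stand-in for the server's arrival clock, and SAMPLE_SESSION is constructed for the demonstration.

```python
"""Reconcile the Start / Interim / Stop records of one session (section 4.3).
Added example, not Global Reach code.  Records are dicts keyed by attribute name;
"_received_at" is this example's stand-in for the server's arrival time and
SAMPLE_SESSION is constructed for the demonstration."""

NPC_TERMINATE_CAUSES = ("Session-Timeout", "Idle-Timeout", "Admin-Reset")   # the values the guide lists


def total_octets(record, direction):
    """Gigawords counts 2^32 wraps of the 32-bit octet counter; combine them into one number."""
    return (record.get("Acct-%s-Gigawords" % direction, 0) << 32) + record.get("Acct-%s-Octets" % direction, 0)


def event_time(record):
    """Event-Timestamp when present; otherwise arrival time minus Acct-Delay-Time (legacy servers)."""
    if "Event-Timestamp" in record:
        return record["Event-Timestamp"]
    return record["_received_at"] - record.get("Acct-Delay-Time", 0)


def reconcile(records):
    """Return the final counters for the session and the list of anomalies found."""
    problems = []
    if not records or records[0]["Acct-Status-Type"] != "Start":
        problems.append("session does not begin with a Start record")
    if len({r.get("Acct-Session-Id") for r in records}) != 1:
        problems.append("Acct-Session-Id differs between records")
    if len({r.get("Class") for r in records}) != 1:
        problems.append("Class is not echoed identically in every record")
    last_in = last_out = last_time = 0
    last_event, stop = None, None
    for r in records:
        kind = r["Acct-Status-Type"]
        if kind not in ("Start", "Interim", "Stop"):
            problems.append("unexpected Acct-Status-Type %r" % kind)
        if "Acct-Terminate-Cause" in r and kind != "Stop":
            problems.append("Acct-Terminate-Cause present in a %s record" % kind)
        when = event_time(r)
        if last_event is not None and when < last_event:
            problems.append("%s record is dated before the record preceding it" % kind)
        last_event = when
        if kind == "Start":
            continue
        if "Acct-Session-Time" not in r:
            problems.append("%s record without Acct-Session-Time" % kind)
        cur_in, cur_out = total_octets(r, "Input"), total_octets(r, "Output")
        cur_time = r.get("Acct-Session-Time", 0)
        if cur_in < last_in or cur_out < last_out or cur_time < last_time:
            problems.append("counters went backwards in a %s record" % kind)
        last_in, last_out, last_time = cur_in, cur_out, cur_time
        if kind == "Stop":
            stop = r
    if stop is None:
        problems.append("no Stop record: session still open or the Stop was lost")
    elif stop.get("Acct-Terminate-Cause") not in NPC_TERMINATE_CAUSES:
        problems.append("Acct-Terminate-Cause %r is not one the NPC documents" % stop.get("Acct-Terminate-Cause"))
    return {"input_octets": last_in, "output_octets": last_out,
            "session_time": last_time, "problems": problems}


# Constructed sample: one session whose input counter wrapped once between the Interim and the Stop.
SAMPLE_SESSION = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "sid-1", "Class": b"c1", "Event-Timestamp": 1000},
    {"Acct-Status-Type": "Interim", "Acct-Session-Id": "sid-1", "Class": b"c1", "Event-Timestamp": 1600,
     "Acct-Session-Time": 600, "Acct-Input-Octets": 4000000000, "Acct-Output-Octets": 100},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "sid-1", "Class": b"c1",
     "_received_at": 2230, "Acct-Delay-Time": 30,          # no Event-Timestamp: use the delay arithmetic
     "Acct-Session-Time": 1200, "Acct-Input-Octets": 500000000, "Acct-Input-Gigawords": 1,
     "Acct-Output-Octets": 200, "Acct-Terminate-Cause": "Idle-Timeout"},
]
```

The Gigawords case is the one most often got wrong: without it the Stop in SAMPLE_SESSION reports fewer input octets than the Interim before it, and a collector that ignores the wrap count would either under-bill the session or raise a false "counter went backwards" alarm.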

4.4. VSA Dictionary

To enable an AAA/RADIUS server to interpret Odyssys VSAs, the dictionary must be installed. Figure 6 shows the dictionary formatted for most open source RADIUS servers.

Figure 6.

#
# Odyssys Radius Attributes
# Copyright (C) 2011-2015 Global Reach Technology Limited
#
VENDOR          Odyssys                         39393

BEGIN-VENDOR    Odyssys

ATTRIBUTE       Odyssys-VLAN-ID                 1       integer
ATTRIBUTE       Odyssys-NAT-Address             2       ipaddr
ATTRIBUTE       Odyssys-NAT-Port-Start          3       integer
ATTRIBUTE       Odyssys-NAT-Port-End            4       integer
ATTRIBUTE       Odyssys-Portal-Redirect         5       integer
ATTRIBUTE       Odyssys-Portal-Redirect-Interval 6      integer
ATTRIBUTE       Odyssys-Interim-Update-Type     7       integer
ATTRIBUTE       Odyssys-Session-State           8       integer
ATTRIBUTE       Odyssys-Called-Station-BSSID    9       string

VALUE   Odyssys-Session-State           Unauthenticated         0
VALUE   Odyssys-Session-State           Authenticated           1
VALUE   Odyssys-Session-State           Authenticated-MAC       2

VALUE   Odyssys-Interim-Update-Type     VLAN                    1
VALUE   Odyssys-Interim-Update-Type     State                   2
VALUE   Odyssys-Interim-Update-Type     BSSID                   3

END-VENDOR      Odyssys

Global Reach Technology Ltd Craven House, 121 Kingsway London WC2B 6PA T +44 (0) 207 831 5630 info@globalreachtech.com Copyright Global Reach Technology Limited All rights reserved. Global Reach and the Global Reach logo are registered trademarks.