In this post a quick configuration overview of a new feature of the Unified controllers:

Central (guest) portal authentication with local (AP) data breakout after passing authentication.

This is very convenient for customers with remote sites, where the remote site has a local internet connection but no wireless controller available. So they want to have a Guest SSID with a portal authentication (which will be centrally provided by the AC), and after a guest passes authentication, it will be assigned to a local-breakout VLAN. This means the (remote site) AP will directly put the guest into the local guest internet VLAN (after passing authentication).

The configuration was build using an 830 with software R3507P20

Base principles

• A combination of MAC-authentication and portal authentication will be used
• An initial connection of a guest will fail the mac-authentication and the user will be put into the mac-authentication guest vlan (failed mac auth vlan)
• This VLAN should be delivered centrally at the Access Controller
• Client will get an IP Address from the central DHCP server (AC or other DHCP)
• On this VLAN, the AC will provide portal authentication services
• Client will open browser, see the portal and enter credentials.
• For an authenticated portal user, a dynamic MAC user will be defined
• The AC will automatically trigger mac-auth after a success Portal login
• This time, the dynamic MAC user will pass the mac-authentication and the device is granted access to the authorized mac-auth vlan (the PVID)
• The PVID of the wlan service template should be configured as a client local forward VLAN
• The user is now assigned to the PVID and locally processed by the AP in the remote site
• The AP will trigger a reconnect of the client, which will understand it needs to renew the IP address, the client will get a new IP after a few seconds from the remote site local DHCP server.

Configuration steps

# on the AC, define the Virtual L2 interface and wlan service template

This configuration assumes:

• VLAN 21 is used for the central portal authentication
• VLAN 13 is the local breakout VLAN after a guest passes authentication

On the AC prepare the authentication domain for guests:

domain guests
  # lan-access is used to configure mac and dot1x authentication
  # in this configuration, internal dynamic mac users are used
  # so no external mac-auth authentication servers should be configured. 
 authentication lan-access none
 authorization lan-access none
 accounting lan-access none
  # Portal users are local AC users in this example
  # RADIUS server can be used as well
 authentication portal local
 authorization portal none
 accounting portal none
  # idle-cut controls the online time of the guest users
  # after passing portal authentication, the guest will be re-authenticated
  # with mac-auth. This means the AC portal will *not* be able to
  # detect that the user is still online. After the idle-cut time 
  # passes, the user will be disconnected (online or not !) and 
  # will need to login to the portal again 
  # Sample is 480 minutes (60min x 8 hours)
 idle-cut enable 480

Prepare the central VLANs

vlan 13
vlan 21

Prepare the AP local VLANs. Prepare a map-sitea.cfg text file:

###################################################
# filename map-sitea.cfg # the hashed remarks may stay in this config file

 vlan 13

# This the AP uplink, which must support VLAN tagging
 interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all

Upload this file to the root of the flash on the AC.

Configure the APs to use this file, example assumes APs have been placed into an ap-group sitea:

wlan ap-group sitea
 map-configuration map-sitea.cfg

Ensure the APs are rebooted to activate the map-configuration file.

 # reset command is available in user-view
return
 # reset the LWAPP tunnels
reset wlan ap all

Prepare the Portal L3 Interface and a local DHCP scope for the guests. This is used for the central portal authentication phase. The example assumes the local-breakout DHCP services will be provided by some local Internet router/firewall in the remote site (Local internet router connected  in remote site on VLAN13)

Enable local DNS proxy function (some remote DNS can be used as well, but then portal-free rules need to permit access to the remote DNS)

interface Vlan-interface21
 ip address 10.1.21.1 255.255.255.0

dhcp enable
dhcp server ip-pool v21-guests
 network 10.1.21.0 mask 255.255.255.0
 gateway-list 10.1.21.1
 dns-list 10.1.21.1
 domain-name guests.hpnet.local
  # Set short lease time in case client device does not perform
  # or understand the dhcp renewal after a disassociate
 expired day 0 hour 0 minute 0 second 30


  # Enable DNS client
 dns resolve

  # Enable DNS proxy (AC will act as DNS server and forward DNS) 
 dns proxy enable

  # Configure a DNS server which can be used by the AC to perform
  # DNS lookup
 dns server 10.0.0.1

Enable the portal authentication with a local portal server

 # define the local portal server
portal server local ip 10.1.21.1
portal local-server http

 # enable portal authentication on the central L3 Interface 
interface Vlan-interface21
  # method direct will ensure the client IP and MAC address are 
  # learned by the Portal server
 portal server local method direct
  # link the portal auth to use the authentication domain guests
 portal domain guests

Next prepare the Virtual L2 Interface for the WLAN Service template

interface WLAN-ESS21
  # multiple VLANs are used on this L2 interface, so hybrid
 port link-type hybrid
 undo port hybrid vlan 1
  # enable the central and local vlans
 port hybrid vlan 13 21 untagged
  # PVID is critical configuration step. This will be the VLAN 
  # in which authorized mac-authenticated users will be assigned
  # This will be the local breakout VLAN.
  # The wireless service template will be configured to perform
  # AP client local forwarding for this VLAN (see next step)
 port hybrid pvid vlan 13

 mac-vlan enable

  # enable mac-authentication   
 port-security port-mode mac-authentication

  # enable mac re-auth after success portal authentication
 mac-authentication trigger after-portal

  # enable the mac guest VLAN. Any new guest will fail the initial
  # mac-auth (new unknown user) and will be assigned to the guest
  # vlan. This VLAN will be a centrally forwarded VLAN.
  # The AC has a portal server configured on VLAN 21, so this is 
  # how guests will initially arrive on the VLAN21 portal network.
 mac-authentication guest-vlan 21
  # configure the portal authentication domain
 mac-authentication domain guests
#

Configure the wlan service tempate for the guests

wlan service-template 21 clear
 ssid Guests
 bind WLAN-ESS 21
  # All VLANs are central by default. This command will instruct
  # the AP to perform local forwarding if a user is assigned to VLAN13.
  # This would happen AFTER a user passes the central portal authentication
  # which will create a dynamic local mac-user for the guest.
  # Since the guest will then "PASS" the mac-authentication, the 
  # guest device is assigned to the PVID (in this example VLAN13).
  # Since the wlan service template is configured with local
  # forwarding for this VLAN, the AP will forward the authenticated
  # guest traffic locally into VLAN13 
 client forwarding-mode local vlan 13
 service-template enable
#

Enable the template on the AP-Group

wlan ap-group sitea
 dot11a service-template 21
 dot11bg service-template 21

Finally, create a sample guest user in the AC configuration:

local-user guest
 password simple hp
 authorization-attribute user-role guest
 service-type portal

Ensure that the remote site AP switch port supports tagged VLAN13 and that the remote site internet router(with dhcp) is connected to this VLAN.

This completes the configuration of the central portal authentication with local breakout.

Note: at this moment, only 1 local breakout VLAN can be defined. So you need to ensure that the VLAN13 in this example is the local internet VLAN in each remote site. (It is controlled by the PVID on the WLAN-ESS interface)