This post is a sample configuration of an 802.1x WPA2/AES WLAN service on the HP Unified Wireless platform.
This configuration assumes:
- Central authentication: AP forwards all 802.1x over the LWAPP tunnel to the Access Controller (AC). The AC is the radius client
- Central forwarding: AP forwards all user data over the LWAPP tunnel to the AC. the wired network will see the wireless mac address coming in from the AC switch port.
The configuration was build using an 830 with software R3507P20
# ensure the L2 VLANS you want to use have prepared on the AC, the internal SWITCH and any upstream Core switches.
# Configuration for AC vlan 15 # enable vlan tagging and VLAN15 on the AC to internal SWITCH BAGG int bagg 1 port link-type trunk port trunk permit vlan 15 quit # Configuration for the Internal SWITCH vlan 15 # enable vlan tagging and VLAN15 on the internal SWITCH BAGG to AC int bagg 1 port link-type trunk port trunk permit vlan 15 quit # Configure the physical uplink ports or BAGG (on the SWITCH) to external # switch as TRUNK and permit the VLAN. Step not shown.
# enable port-security (default) and configure 802.1x auth method:
port-security enable dot1x authentication-method eap
# Define a RADIUS scheme (add secondary for redundant RADIUS)
The authentication and accounting keys will be saved in ciphered format
Comware uses the concept of authentication domains in the configuration. We do not want to forward the internal name of this domain to the RADIUS server in this case. The domain is defined in the next step (name dot1x), by default the device would send username “john@dot1x” to the RADIUS server. After you configure “user-name-format without-domain”, the device will simply send “john”
radius scheme nps primary authentication 10.0.1.111 primary accounting 10.0.1.111 key authentication simple hp key accounting simple hp user-name-format without-domain nas-ip 10.1.2.11
# Define the authentication domain
This binds an authentication context to the back-end authentication methods (like local users, RADIUS, LDAP, TACACS etc). I configure all the defaults to none, to ensure this domain cannot be used for e.g. switch login authentication.
domain dot1x authentication default none authorization default none accounting default none authentication lan-access radius-scheme nps authorization lan-access radius-scheme nps accounting lan-access radius-scheme nps
# Configure the Virtual Layer2 Interface for the WLAN service. All traffic from wireless users will first land on this Virtual Layer2 interface. This is the interface which will be performing the 802.1x authentication.
interface WLAN-ESS15 description WLAN-Corporate-L2-Interface # If you want to use dynamic RADIUS assigned VLANs, you will need # a hybrid port, since multiple "untagged" wireless users will be # online on the same Virtual L2 port port link-type hybrid # configure VLAN15 as the base VLAN. When the RADIUS server # does not assign a VLAN, the user will be put into the PVID undo port hybrid vlan 1 untagged port hybrid vlan 15 untagged port hybrid pvid vlan 15 # When multiple users come online in multiple VLANs, the system # needs to program each authorized (authenticated 802.1x) MAC into # a specific (the RADIUS assigned) VLAN. This requires the mac-vlan # to be enabled. mac-vlan enable # Enable port-security with 802.1x for multiple users: port-security port-mode userlogin-secure-ext # The 802.1x process must provide the wireless (11) encryption key port-security tx-key-type 11key # I do not need the iNode supplicant handshake (would disconnect # e.g. online Windows supplicants after a few seconds, causing # continuous re-auth undo dot1x handshake # Configure the authentication domain (defined earlier) dot1x mandatory-domain dot1x # Disable the mcast EAP request ID. This would send an mcast EAP # request ID every 30 seconds, causing online users to re-auth. undo dot1x multicast-trigger #
# Next define the wireless service template, bind it to the Virtual L2 interface and enable WPA2 and AES/CCMP
wlan service-template 15 crypto # configure the SSID ssid Corp # Bind to the Virtual L2 Interface (which controls the auth and # VLAN assignment bind WLAN-ESS 15 # Configure AES/CCMP encryption cipher-suite ccmp # Enable WPA2 security-ie rsn # activate the template service-template enable
# Now activate the service template on the AP radio’s. In the current releases, this can be done through an AP-group, which will be inherited by the APs. This example assumes APs have been assigned to an AP-group SiteA
wlan ap-group sitea # Members of the group ap be-ant-ap01 ap be-ant-ap02 # Activate the service template on both radios dot11a service-template 15 dot11bg service-template 15 # Enable the radio's dot11a radio enable dot11bg radio enable
# this concludes the 802.1x configuration.
To ensure you can see the WLAN client IP Address information, enable the ARP/DHCP IP detection feature:
wlan client learn-ipaddr enable
To prevent rogue DHCP server on the wireless network, enable DHCP snooping
# enable global snooping dhcp-snooping # enable the uplink port to the Wired network as trusted # all the Virtual L2 ports facing the wireless clients will be # untrusted by default interface Bridge-Aggregation1 dhcp-snooping trust
Pingback: HP Unified Wireless: AP Based (decentral) 802.1x authentication | About HP Networking
Works for user authentication very well, Does anyone know of an article to setup machine (certificate) authentication?
Hi William, on the controller side, there is no difference in the setup when using computer auth and/or certificate based auth. These setting only change on the radius server host.
Hi Peter, these AP names look familiar 😉
We are trying to accomplish the following. Wifi client machine needs to be authenticated to AD before user logs on to AD.
So that users who are connected over Wifi are able to see their mapped network drives and such.
Is there a way to get this working using the HP 870 controllers?
We now have this on our controllers for users who authenticate through radius;
interface WLAN-ESS1
port link-type hybrid
port hybrid vlan 1 untagged
mac-vlan enable
port-security port-mode userlogin-secure-ext
port-security tx-key-type 11key
undo dot1x handshake
dot1x mandatory-domain nps
undo dot1x multicast-trigger
We know there’s a way to do it but that will need a CA certificate and we don’t want to you use that option.
Thanks, Raymond
Hi Raymond,
That is a feature that would normally be handled by the RADIUS server, such as ClearPass. The controller is just passing the auth info from the client to the RADIUS, but it has no view in user/machine auth.
I am assuming that you want to use EAP-PEAP for the computer accounts, since you mentioned that you did not want a CA setup.
With ClearPass the logic would be something like:
* When a domain computer authenticates (can be checked since the account is member of the ‘domain computers’ group), mark the Endpoint (MAC) with a value such as ‘domain-pc’ set to ‘true’.
* When a user authenticates, the ClearPass service can check the connecting MAC (PC) in the Endpoint database, and you would only allow access if it has the value ‘domain-pc’ set to ‘true’.
* OPTIONAL: When not ‘true’, the user may be assigned to an internet-only access, so that would allow users to connect personal devices with PEAP on the corp SSID, but they would still be placed into an isolated VLAN/role.
best regards,Peter.
*
Hi Peter, thanks for the fast follow up.
I’ve read about the Clearpass option but we’re running a Microsoft NPS for RADIUS.
Implementing Clearpass will not be an option I’m afraid.
So there’s no way in achieving this when using NPS but no CA?
Cheers, Ray
Hi Ray,
With NPS only, you could just move to machine auth only, so only the domain computers would be allowed access to the wireless network.
But when you want to combine conditions and machine state etc. you need a more advanced RADIUS server I am afraid..
best regards,Peter.
Hi Peter,
Ok, thanks all clear.
Cheers, Ray
Got a U830 8P for myself at home and I am struggling with 802.1x authenticating against AAA on the AC itself. EAP using MD5, domain wlan with authentication and authorization for lan-access against local. User created and set for lan-access. port-security enabled, 802.1x enabled. Syslog always states: Rejected for inner authentication error. I need to get fast roaming inside my house because there is no mobile phone access inside. Any ideas or hints?
Dear Peter Debruyne,
I want to implement authentication for Active Directory users in employee network and for guests portal authentication…
Here NPS act as radius server
Could you please give me step by step(a-z) configuration
Thanks and Regards
John Napthali