HP Unified Wireless: AP Based (decentral) 802.1x authentication

This is a follow-up to the post that shows the basic (central) 802.1x authentication. Make sure to read that post first before continuing with this local authentication article:

https://abouthpnetworking.com/2014/06/03/hp-unified-wireless-central-802-1x-configuration/

The configuration in this post results in:

  • Decentral (local AP) authentication: AP forwards all 802.1x directly to the RADIUS server
  • Decentral (local AP breakout) forwarding: AP forwards all user data directly with a VLAN tag to the Switch Port connecting the AP

The post assumes you have completed the central 802.1x configuration already (see link above), so only additional changes to that configuration are listed here.

The configuration was built using an 830 with software R3507P20.

# RADIUS clients: ensure you define RADIUS clients for the APs (make it easy for yourself: give the APs their own IP subnet, then define a single RADIUS client with source IP 10.1.3.0/24)

# The next step is to enable local data forwarding and local AP authentication. This is done on the controller, in the wireless service template. The admin can choose which VLANs use local breakout and which use central forwarding. (That option will be used in the central guest portal with local AP guest traffic scenario.)

wlan service-template 15 crypto
 # These changes require the SSID to be offline
 service-template disable

 # enable forwarding-mode local (specific vlans can be added to this
 # command
 client forwarding-mode local
 
 # enable local authentication (this instructs the AP to perform the 
 # authentication). Keep in mind that this is just an instruction.
 # The actual AP configuration must still be prepared in the next steps. 
 authentication-mode local

 # enable the service template again (but it will not work yet since 
 # APs have not been configured yet)
 service-template enable

# Now prepare a MAP (managed AP?) configuration file. This file is processed by the AP when it comes online with the AC and is merged into the current (running) configuration of the AP. This allows us to configure the local RADIUS and domain objects in the AP configuration.

Contents of the map-sitea.cfg file (example for some Site A):

###################################################
# filename map-sitea.cfg # the hashed remarks may stay in this config file

# Make sure to create at least the vlan which is the PVID of the Virtual
# L2 Interface (in this case VLAN15), otherwise the 802.1x process
# fails on the AP
 vlan 12 to 19

# This is the AP uplink, which must support VLAN tagging
 interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all

# Define the RADIUS scheme. Being able to set this per AP or AP group
# allows you to configure each remote site with a different set of
# RADIUS servers.
 radius scheme nps
 primary authentication 10.0.1.111
 primary accounting 10.0.1.111
 key authentication cipher $c$3$SEAb9X0b0VultDpnstaySSxkIA88
 key accounting cipher $c$3$BQKZiyLUsWLHvItdPUE9OeCusgKk

# Ensure the same domain is created as the domain on the AC
 domain dot1x
 authentication default none
 authorization default none
 accounting default none
 authentication lan-access radius-scheme nps
 authorization lan-access radius-scheme nps
 accounting lan-access radius-scheme nps

# Configure the global EAP auth method
 dot1x authentication-method eap

# Start the port-security process (required, not default on the AP!)
 port-security enable

###################################################

Upload this file to the root of the flash on the controller (using the web interface or TFTP/FTP).
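The MAP file above has three places where a mismatch silently breaks local 802.1x: the VLAN range must contain the PVID of the service template's virtual L2 interface, the domain name must equal the domain on the AC, and every AP must fall inside the subnet you registered as a RADIUS client. The following Python script is an added example, not part of the original post or of the HP/Comware product: it renders a per-site MAP file in the layout of map-sitea.cfg and runs those three checks first. The SiteParams fields, function names, the AP addresses and the second (deliberately broken) site are assumptions constructed for illustration; the RADIUS key ciphertext is a placeholder to be copied from the AC configuration.

```python
"""Render and sanity-check a Comware MAP configuration file for a remote site.

Added example (not from the original post). Site parameters, function names,
AP addresses and the broken sample site are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class SiteParams:
    name: str                      # site label, e.g. "sitea"
    vlan_range: str                # VLANs created on the AP, e.g. "12 to 19"
    pvid_vlan: int                 # PVID of the service template's virtual L2 interface
    uplink: str                    # AP uplink interface (must carry VLAN tags)
    radius_scheme: str             # RADIUS scheme name
    radius_server: str             # RADIUS server address
    domain: str                    # ISP domain; must match the domain on the AC
    ap_subnet: str                 # subnet registered as RADIUS client
    ap_addresses: List[str] = field(default_factory=list)
    # Placeholders: copy the cipher strings from the AC configuration.
    auth_key_cipher: str = "<CIPHERTEXT-FROM-AC>"
    acct_key_cipher: str = "<CIPHERTEXT-FROM-AC>"


def parse_vlan_range(text):
    """Parse the Comware forms '15' or '12 to 19' into a set of VLAN IDs."""
    parts = text.split()
    if len(parts) == 1:
        return {int(parts[0])}
    if len(parts) == 3 and parts[1] == "to":
        lo, hi = int(parts[0]), int(parts[2])
        return set(range(lo, hi + 1))
    raise ValueError(f"unsupported vlan range: {text!r}")


def validate(site, ac_domain):
    """Return the list of problems that would make local 802.1x fail on the AP."""
    problems = []
    # 1. The PVID VLAN must exist on the AP, otherwise the 802.1x process fails.
    if site.pvid_vlan not in parse_vlan_range(site.vlan_range):
        problems.append(f"PVID VLAN {site.pvid_vlan} not created by 'vlan {site.vlan_range}'")
    # 2. The AP's domain must be the same domain as configured on the AC.
    if site.domain != ac_domain:
        problems.append(f"domain {site.domain!r} differs from AC domain {ac_domain!r}")
    # 3. Every AP must fall inside the subnet defined as RADIUS client.
    net = ipaddress.ip_network(site.ap_subnet)
    for ap in site.ap_addresses:
        if ipaddress.ip_address(ap) not in net:
            problems.append(f"AP {ap} outside RADIUS client subnet {site.ap_subnet}")
    return problems


def render_map_config(site):
    """Render the MAP file text in the same layout as map-sitea.cfg above."""
    lines = [
        f"# filename map-{site.name}.cfg",
        f" vlan {site.vlan_range}",
        f" interface {site.uplink}",
        " port link-type trunk",
        " port trunk permit vlan all",
        f" radius scheme {site.radius_scheme}",
        f" primary authentication {site.radius_server}",
        f" primary accounting {site.radius_server}",
        f" key authentication cipher {site.auth_key_cipher}",
        f" key accounting cipher {site.acct_key_cipher}",
        f" domain {site.domain}",
        " authentication default none",
        " authorization default none",
        " accounting default none",
        f" authentication lan-access radius-scheme {site.radius_scheme}",
        f" authorization lan-access radius-scheme {site.radius_scheme}",
        f" accounting lan-access radius-scheme {site.radius_scheme}",
        " dot1x authentication-method eap",
        " port-security enable",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample: Site A with the values from the post (AP addresses assumed).
SITE_A = SiteParams(name="sitea", vlan_range="12 to 19", pvid_vlan=15,
                    uplink="GigabitEthernet1/0/1", radius_scheme="nps",
                    radius_server="10.0.1.111", domain="dot1x",
                    ap_subnet="10.1.3.0/24", ap_addresses=["10.1.3.11", "10.1.3.12"])

# Constructed broken sample: PVID VLAN missing from the range, AP outside the client subnet.
SITE_BAD = SiteParams(name="siteb", vlan_range="12 to 14", pvid_vlan=15,
                      uplink="GigabitEthernet1/0/1", radius_scheme="nps",
                      radius_server="10.0.1.111", domain="dot1x",
                      ap_subnet="10.1.3.0/24", ap_addresses=["10.1.4.11"])

if __name__ == "__main__":
    for site in (SITE_A, SITE_BAD):
        issues = validate(site, ac_domain="dot1x")
        print(f"{site.name}: {'OK' if not issues else issues}")
    print(render_map_config(SITE_A))
```

Run it before uploading a new site's MAP file: a site that fails validation produces no usable config, and the messages name the exact line of the MAP file (or the RADIUS client definition on the AC) that needs correcting.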

Next you need to configure the AP template to use this file. In this example the AP-group will be used, so all member APs will get this setting.

wlan ap-group sitea
 ap be-ant-ap01
 ap be-ant-ap02
 map-configuration map-sitea.cfg

Make sure the APs are rebooted, since the MAP file is only processed during the LWAPP session setup. Any change made to the file afterwards only takes effect after an AP reboot.

This completes the local-authentication and local-breakout configuration.

However, if the WAN connection to the controller fails, the AP goes offline, since by default it must have an active LWAPP tunnel.

This can be handled with the Hybrid Remote AP feature; in this mode the AP continues providing services to WLAN clients using its last running configuration.

wlan ap-group sitea
 ap be-ant-ap01
 ap be-ant-ap02
 hybrid-remote-ap enable

The result will be:

  • Under normal conditions: WLAN users are authenticated by the AP, data is locally forwarded by AP.
  • When WAN or link to AC fails: Same as normal conditions, assuming the RADIUS server can still be reached. Existing users remain online, new users are accepted. No user impact.
  • When WAN or link to AC recovers: the LWAPP tunnel is re-established. When the config has not changed, the AP can remain online. However, all active clients will be disconnected and need to re-authenticate (even the locally authenticated 802.1x users!).

2 Responses to HP Unified Wireless: AP Based (decentral) 802.1x authentication

  1. sha says:

    Hi my friend! Help me:
    I set up a scenario with forwarding and WPA2 for a test site. When I simulate the loss of the AP's connection to the parent, all the services are stopped and only users who are already logged in keep communicating.

    Theoretically, shouldn't the AP continue propagating the SSIDs with the hybrid-remote-ap enable command?
