HP Unified Wireless controller : Basic local guest management

Next to the MSM wireless controllers, HP has the Comware based wireless controllers, which are branded “Unified Controllers” in the portfolio.

There can be wireless deployments of all sizes, but any deployment will probably require some kind of Guest SSID.

Managing access to the Guest SSID depends on the business requirement:

  • Anyone can just access the internet through an open SSID
  • Guests are required to log in with a pre-shared key or a predefined user account
  • Each Guest must connect with a personal guest account

Guest account management

If an account is required for each guest, the Unified Controllers offer several deployment options, depending on the size of the business and/or the existence of an IMC UAM server.

In either case, the guest account will exist in some user database, which can be:

  • Local Comware user database : local users are defined in the configuration of the Unified Controller.
  • RADIUS server : linked to an external user database. This can be either a standard RADIUS server to authenticate the guests, or IMC UAM (the RADIUS server module of IMC).

In this article, we review the local Comware user database. Although Comware is typically configured through the CLI, the local guest users can be managed in various ways:

  • Local CLI : not preferred (unless a single common guest account would be required), since reception desk users will not have access to the CLI
  • Local Web Interface : a limited Comware admin account can be defined with the guest-manager role. Using the Unified Controller web interface, guests (and only guests) can be created and managed
  • IMC GAM : The basic IMC Platform (not UAM!) has a module Guest Access Manager (GAM). This module will use SNMP read/write to interact with a Comware device and will be able to define the local guest accounts. IMC GAM provides a Web Interface, so it is fairly easy to use for reception desk users.

So next, we will look at the Unified Controller Local Web Interface.

The article assumes that the controller is already configured for wireless access / portal setup, so only the guest management is covered.

Step 1 – Define the guest manager

Here we define an account for the reception user.

  • The password simple entry will be replaced by its ciphered version
  • level 2 : maintainer, so the user can actually modify / save the config (required, otherwise no users could be created)
  • user-role guest-manager : this restricts the level 2 modify permissions again to guest management only
  • service-type web : no service-type ssh/telnet, so only the web interface can be used.

local-user reception
password simple hp
authorization-attribute level 2
authorization-attribute user-role guest-manager
service-type web

Step 2.1 – Define guest access settings : ACL

The guest users can be controlled by pushing user attributes to them (like VLAN, QoS and ACL settings). This can be organized through a user-group.

In this example, a simple ACL is defined, which will be applied for the guest users.

# Test ACL, use for demo only

acl number 3001 name Guest-In
rule 0 deny ip destination 10.0.2.11 0
rule 5 permit ip
#

When the guests access the internet through the internal network, a very simple ACL which blocks the private ranges can be used. Do not forget to add a permit rule at the beginning for any internal DNS you may be using.

acl number 3002 name Guest-No-Private-Net
rule 10 deny ip destination 10.0.0.0 0.255.255.255
rule 15 deny ip destination 172.16.0.0 0.15.255.255
rule 20 deny ip destination 192.168.0.0 0.0.255.255
rule 25 permit ip

Multiple guest profiles may be required. Suppose you have a requirement to allow Contractors access to the internal network, using RDP or some other protocol. This can be done by creating a Contractors ACL.

First RDP (TCP 3389) is permitted (to any destination, since the rule has no destination clause), then all other traffic to the internal networks is blocked, and finally access to the internet is allowed:

acl number 3003 name Contractors-Limited
rule 5 permit tcp destination-port eq 3389
rule 10 deny ip destination 10.0.0.0 0.255.255.255
rule 15 deny ip destination 172.16.0.0 0.15.255.255
rule 20 deny ip destination 192.168.0.0 0.0.255.255
rule 25 permit ip
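
The rule order in ACLs 3002 and 3003 can be checked offline before the ACLs are bound to a user-group. The following Python sketch is an added example, not code from the article or from HP: it parses only the rule subset used above, assumes rules are evaluated in ascending rule ID order, and the DNS server 10.0.2.53 is a hypothetical address.

```python
import ipaddress
import re

PRIVATE = """\
rule 10 deny ip destination 10.0.0.0 0.255.255.255
rule 15 deny ip destination 172.16.0.0 0.15.255.255
rule 20 deny ip destination 192.168.0.0 0.0.255.255
rule 25 permit ip
"""
# ACL 3003 exactly as shown in the article.
ACL_3003 = "rule 5 permit tcp destination-port eq 3389\n" + PRIVATE
# ACL 3002 with a constructed DNS permit in front; 10.0.2.53 is hypothetical.
ACL_3002_DNS = "rule 5 permit udp destination 10.0.2.53 0 destination-port eq 53\n" + PRIVATE

RULE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>ip|tcp|udp)"
    r"(?: destination (?P<net>\S+) (?P<wild>\S+))?"
    r"(?: destination-port eq (?P<port>\d+))?")

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        m = RULE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(m.groupdict())
    return sorted(rules, key=lambda r: int(r["id"]))  # ascending rule ID (assumed order)

def _u32(text):
    # "0" is shorthand for wildcard 0.0.0.0 (exact host match)
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def dest_matches(rule, dst):
    if rule["net"] is None:
        return True  # no destination clause: any destination matches
    care = ~_u32(rule["wild"]) & 0xFFFFFFFF  # wildcard 1-bits are ignored
    return (_u32(dst) & care) == (_u32(rule["net"]) & care)

def evaluate(rules, proto, dst, port=None):
    """Return (action, rule_id) of the first rule that matches the packet."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if r["port"] is not None and int(r["port"]) != port:
            continue
        if dest_matches(r, dst):
            return r["action"], int(r["id"])
    return "no-match", None  # not reached here: both ACLs end in "permit ip"
```

Because rule 5 of ACL 3003 has no destination clause, `evaluate` reports TCP 3389 as permitted to every internal host, while any other port to the same host falls through to the deny rules.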

Step 2.2 – Define guest access settings : User-group

There is a default group “system”, which can be used for the guests. In case multiple guest types would be required, multiple groups (and multiple ACLs) can be defined.

In this example, the default system group will be bound to the ACL 3001 (internet only guests).

user-group system
authorization-attribute acl 3001

When reviewing the user group configuration in the current configuration, you can see that the “allow-guest” option is by default enabled for this default guest group:

display current configuration ugroup
user-group system
authorization-attribute acl 3001
group-attribute allow-guest

Another group will be defined for the Contractors, which will be bound to the Contractors ACL:

user-group Contractors
authorization-attribute acl 3003
group-attribute allow-guest

Step 3 : As guest manager, access the web interface to define guests

The reception user can now open an HTTP session to the Unified Controller (http://ip-of-controller) and log in with the reception guest manager account.

[Image: unified-ac-guest-local-1]

Since this is a restricted maintainer, only the guest user management will be available.

[Image: unified-ac-guest-local-2]

So now the reception user can create for instance a guest user:

[Image: unified-ac-guest-local-3-guest1]

And an account for a contractor user, which will be assigned to the Contractors user-group (with the different ACL):

[Image: unified-ac-guest-local-3-contractor1]

At this point, both guest accounts should be visible:

[Image: unified-ac-guest-local-4]

This has been done in the current (running) configuration, so make sure reception users use the “save” option to save the guest accounts in the startup config.

[Image: unified-ac-guest-local-5]

On the Unified Controller side, the admin can verify the new users are available in the configuration:

[wifi-uni-ac]dis cur conf luser
#
local-user admin
password cipher $c$3$D5VZaaDlcQuA2MLemXHklqIby6WQ
authorization-attribute level 3
service-type ssh telnet terminal
service-type portal
service-type web
local-user contractor1
password cipher $c$3$dwXUyFxCKQu7vCoDeXrESJmn7Wu4
authorization-attribute user-role guest
group Contractors
service-type lan-access
service-type portal
local-user guest1
password cipher $c$3$4ij6S7iyXYnbKMPVqi41U694B8GF
authorization-attribute user-role guest
service-type lan-access
service-type portal
local-user reception
password cipher $c$3$tEFffVWX7A94/6Voi6zmLi4uZzV5
authorization-attribute level 2
authorization-attribute user-role guest-manager
service-type web
#
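
The restrictions from Step 1 (guest-manager accounts limited to service-type web, guest accounts without management access) can be verified against this output. The Python check below is an added example, not part of the original article; the sample configuration is constructed and modelled on the output above, and the `helpdesk` account is hypothetical.

```python
# Constructed sample modelled on the "dis cur conf luser" output above (password
# lines omitted); "helpdesk" is a hypothetical, deliberately over-exposed account.
CONFIG = """\
local-user guest1
 authorization-attribute user-role guest
 service-type lan-access
 service-type portal
local-user reception
 authorization-attribute level 2
 authorization-attribute user-role guest-manager
 service-type web
local-user helpdesk
 authorization-attribute level 2
 authorization-attribute user-role guest-manager
 service-type ssh telnet
 service-type web
"""
MGMT = {"web", "ssh", "telnet", "terminal"}  # management service types seen above

def parse_local_users(text):
    """Collect level, user-role and service types per local-user stanza."""
    users, cur = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "local-user":
            cur = users.setdefault(words[1], {"level": None, "role": None, "services": set()})
        elif cur is None or len(words) < 2:
            continue  # prompt lines, "#" separators, text before the first stanza
        elif words[0] == "service-type":
            cur["services"].update(words[1:])
        elif len(words) >= 3 and words[:2] == ["authorization-attribute", "level"]:
            cur["level"] = int(words[2])
        elif len(words) >= 3 and words[:2] == ["authorization-attribute", "user-role"]:
            cur["role"] = words[2]
    return users

def audit(users):
    """Flag accounts whose service types exceed what their role needs."""
    findings = []
    for name, u in sorted(users.items()):
        svc = ",".join(sorted(u["services"]))
        if u["role"] == "guest-manager" and u["services"] != {"web"}:
            findings.append((name, f"guest-manager allows {svc}; expected web only"))
        if u["role"] == "guest" and u["services"] & MGMT:
            findings.append((name, f"guest account has management service types: {svc}"))
    return findings
```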

Step 4 : Test the Guest access

When the guest user accesses the portal, they can enter their credentials and will then be online.

Test for guest1 account

[Image: unified-ac-guest-local-test-guest-1]

After entering the credentials, the guest user will get a confirmation:

[Image: unified-ac-guest-local-test-guest-2]

On the Unified Controller, a log message will be shown:

%Feb 10 16:50:21:084 2014 wifi-uni-ac PORTAL/5/PORTAL_USER_LOGON_SUCCESS: -UserName=guest1-IPAddr=10.0.3.100-IfName=Vlan-interface3-VlanID=3-MACAddr=0021-5c96-dd37-APMAC=F062-841B-20EA-SSID=guest-NasId=-NasPortId=; User got online successfully.

The online connections can be listed:

[wifi-uni-ac]dis connection

Index=31  ,Username=guest1@portal
MAC=00-21-5C-96-DD-37
IP=10.0.3.100
IPv6=N/A
Online=00h00m03s
Total 1 connection(s) matched.

And the connection settings, including the ACL, can be reviewed:

[wifi-uni-ac] dis portal user all
Index:31
State:ONLINE
SubState:NONE
ACL:3001
Work-mode:stand-alone
MAC              IP                Vlan   Interface
----------------------------------------------------------------------------
0021-5c96-dd37   10.0.3.100        3      Vlan-interface3
Total 1 user(s) matched, 1 listed.

On the controller, the admin can disconnect the user:

[wifi-uni-ac]portal delete-user all

%Feb 10 17:03:25:872 2014 wifi-uni-ac PORTAL/5/PORTAL_USER_LOGOFF: -UserName=guest1-IPAddr=10.0.3.100-IfName=Vlan-interface3-VlanID=3-MACAddr=0021-5c96-dd37-APMAC=F062-841B-20EA-SSID=guest-NasId=-NasPortId=-Reason=Admin Reset-InputOctets=63794-OutputOctets=71155-InputGigawords=0-OutputGigawords=0-SessionTime=784; User logged off.
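
The two PORTAL log lines above can be turned into session records for auditing guest activity. This Python parser is an added example, not part of the original article; it copes with hyphens inside values such as MAC addresses, and the `sessions` helper and its output field names are this example's own.

```python
import re
from datetime import datetime

# The logon and logoff lines shown in the article.
LOGS = [
    "%Feb 10 16:50:21:084 2014 wifi-uni-ac PORTAL/5/PORTAL_USER_LOGON_SUCCESS: -UserName=guest1-IPAddr=10.0.3.100-IfName=Vlan-interface3-VlanID=3-MACAddr=0021-5c96-dd37-APMAC=F062-841B-20EA-SSID=guest-NasId=-NasPortId=; User got online successfully.",
    "%Feb 10 17:03:25:872 2014 wifi-uni-ac PORTAL/5/PORTAL_USER_LOGOFF: -UserName=guest1-IPAddr=10.0.3.100-IfName=Vlan-interface3-VlanID=3-MACAddr=0021-5c96-dd37-APMAC=F062-841B-20EA-SSID=guest-NasId=-NasPortId=-Reason=Admin Reset-InputOctets=63794-OutputOctets=71155-InputGigawords=0-OutputGigawords=0-SessionTime=784; User logged off.",
]

HEADER = re.compile(r"%(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) (?P<host>\S+) "
                    r"(?P<module>\w+)/(?P<sev>\d)/(?P<event>\w+): (?P<body>.*); (?P<text>.*)")
# Values may contain hyphens (MAC addresses, "Vlan-interface3"), so a field only
# ends where the next "-Key=" begins, not at every hyphen.
FIELD = re.compile(r"-([A-Za-z]+)=(.*?)(?=-[A-Za-z]+=|$)")

def parse_line(line):
    """Return the key/value fields of one PORTAL log line, or None if it does not parse."""
    m = HEADER.fullmatch(line.strip())
    if m is None:
        return None
    rec = dict(FIELD.findall(m["body"]))
    rec["event"] = m["event"]
    rec["time"] = datetime.strptime(m["ts"], "%b %d %H:%M:%S:%f %Y")
    return rec

def sessions(lines):
    """Pair logon and logoff events per (user, MAC) into session records."""
    pending, done = {}, []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec.get("UserName"), rec.get("MACAddr"))
        if rec["event"] == "PORTAL_USER_LOGON_SUCCESS":
            pending[key] = rec
        elif rec["event"] == "PORTAL_USER_LOGOFF" and key in pending:
            start = pending.pop(key)
            done.append({
                "user": key[0], "mac": key[1], "ip": rec.get("IPAddr"),
                "ssid": rec.get("SSID"), "reason": rec.get("Reason"),
                # Cross-check the controller's SessionTime against the timestamps.
                "measured_s": int((rec["time"] - start["time"]).total_seconds()),
                "reported_s": int(rec.get("SessionTime", 0)),
            })
    return done
```

For the two lines above, the interval between the timestamps and the reported SessionTime agree at 784 seconds; a large gap between the two values in other logs would indicate missing log lines.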

Test for contractor1 account

So now the contractor user can log in:

[Image: unified-ac-guest-local-test-conttractor-1]

And the controller will apply the ACL based on the Contractor user-group:

[wifi-uni-ac]dis portal user all
Index:32
State:ONLINE
SubState:NONE
ACL:3003
Work-mode:stand-alone
MAC              IP                Vlan   Interface
----------------------------------------------------------------------------
0021-5c96-dd37   10.0.3.100        3      Vlan-interface3
Total 1 user(s) matched, 1 listed.

The administrator can also review the online “connections” :

[wifi-uni-ac]dis connection

Index=32  ,Username=contractor1@portal
MAC=00-21-5C-96-DD-37
IP=10.0.3.100
IPv6=N/A
Online=00h02m08s
Total 1 connection(s) matched.

Summary

In this article, we reviewed the basic guest management solution for small business environments, which does not require any external tools or IMC.
