In this post a quick configuration overview of a new feature of the Unified controllers:
Central (guest) portal authentication with local (AP) data breakout after passing authentication.
This is very convenient for customers with remote sites, where the remote site has a local internet connection but no wireless controller available. They want a Guest SSID with portal authentication (provided centrally by the AC), and after a guest passes authentication it is assigned to a local-breakout VLAN. This means the (remote site) AP will put the guest directly into the local guest internet VLAN (after passing authentication).
The configuration was built using an 830 with software R3507P20.
- A combination of MAC-authentication and portal authentication will be used
- An initial connection of a guest will fail the mac-authentication and the user will be put into the mac-authentication guest vlan (failed mac auth vlan)
- This VLAN should be delivered centrally at the Access Controller
- Client will get an IP Address from the central DHCP server (AC or other DHCP)
- On this VLAN, the AC will provide portal authentication services
- Client will open browser, see the portal and enter credentials.
- For an authenticated portal user, a dynamic MAC user will be defined
- The AC will automatically trigger mac-auth after a successful portal login
- This time, the dynamic MAC user will pass the mac-authentication and the device is granted access to the authorized mac-auth VLAN (the PVID)
- The PVID of the wlan service template should be configured as a client local forward VLAN
- The user is now assigned to the PVID and locally processed by the AP in the remote site
- The AP will trigger a reconnect of the client, which will understand it needs to renew its IP address; after a few seconds the client will get a new IP from the remote site's local DHCP server.
# on the AC, define the Virtual L2 interface and wlan service template
This configuration assumes:
- VLAN 21 is used for the central portal authentication
- VLAN 13 is the local breakout VLAN after a guest passes authentication
On the AC prepare the authentication domain for guests:
```
domain guests
 # lan-access is used to configure mac and dot1x authentication
 # in this configuration, internal dynamic mac users are used
 # so no external mac-auth authentication servers should be configured.
 authentication lan-access none
 authorization lan-access none
 accounting lan-access none
 # Portal users are local AC users in this example
 # RADIUS server can be used as well
 authentication portal local
 authorization portal none
 accounting portal none
 # idle-cut controls the online time of the guest users
 # after passing portal authentication, the guest will be re-authenticated
 # with mac-auth. This means the AC portal will *not* be able to
 # detect that the user is still online. After the idle-cut time
 # passes, the user will be disconnected (online or not !) and
 # will need to login to the portal again
 # Sample is 480 minutes (60min x 8 hours)
 idle-cut enable 480
```
Prepare the central VLANs:
```
vlan 13
vlan 21
```
Prepare the AP local VLANs. Prepare a map-sitea.cfg text file:
```
###################################################
# filename map-sitea.cfg
# the hashed remarks may stay in this config file
vlan 13
# This is the AP uplink, which must support VLAN tagging
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
```
Upload this file to the root of the flash on the AC.
Configure the APs to use this file, example assumes APs have been placed into an ap-group sitea:
```
wlan ap-group sitea
 map-configuration map-sitea.cfg
```
Ensure the APs are rebooted to activate the map-configuration file.
```
# reset command is available in user-view
return
# reset the LWAPP tunnels
reset wlan ap all
```
Prepare the portal L3 interface and a local DHCP scope for the guests. This is used for the central portal authentication phase. The example assumes the local-breakout DHCP service is provided by a local internet router/firewall in the remote site (connected to VLAN 13 in the remote site).
Enable the local DNS proxy function (a remote DNS server can be used as well, but then portal-free rules need to permit access to that remote DNS server):
```
interface Vlan-interface21
 ip address 10.1.21.1 255.255.255.0
dhcp enable
dhcp server ip-pool v21-guests
 network 10.1.21.0 mask 255.255.255.0
 gateway-list 10.1.21.1
 dns-list 10.1.21.1
 domain-name guests.hpnet.local
 # Set short lease time in case client device does not perform
 # or understand the dhcp renewal after a disassociate
 expired day 0 hour 0 minute 0 second 30
# Enable DNS client
dns resolve
# Enable DNS proxy (AC will act as DNS server and forward DNS)
dns proxy enable
# Configure a DNS server which can be used by the AC to perform
# DNS lookup
dns server 10.0.0.1
```
Enable portal authentication with a local portal server:
```
# define the local portal server
portal server local ip 10.1.21.1
portal local-server http
# enable portal authentication on the central L3 Interface
interface Vlan-interface21
 # method direct will ensure the client IP and MAC address are
 # learned by the Portal server
 portal server local method direct
 # link the portal auth to use the authentication domain guests
 portal domain guests
```
Next, prepare the Virtual L2 interface for the WLAN service template:
```
interface WLAN-ESS21
 # multiple VLANs are used on this L2 interface, so hybrid
 port link-type hybrid
 undo port hybrid vlan 1
 # enable the central and local vlans
 port hybrid vlan 13 21 untagged
 # PVID is a critical configuration step. This will be the VLAN
 # in which authorized mac-authenticated users will be assigned.
 # This will be the local breakout VLAN.
 # The wireless service template will be configured to perform
 # AP client local forwarding for this VLAN (see next step)
 port hybrid pvid vlan 13
 mac-vlan enable
 # enable mac-authentication
 port-security port-mode mac-authentication
 # enable mac re-auth after successful portal authentication
 mac-authentication trigger after-portal
 # enable the mac guest VLAN. Any new guest will fail the initial
 # mac-auth (new unknown user) and will be assigned to the guest
 # vlan. This VLAN will be a centrally forwarded VLAN.
 # The AC has a portal server configured on VLAN 21, so this is
 # how guests will initially arrive on the VLAN21 portal network.
 mac-authentication guest-vlan 21
 # configure the authentication domain used for mac-authentication
 mac-authentication domain guests
#
```
Configure the wlan service template for the guests:
```
wlan service-template 21 clear
 ssid Guests
 bind WLAN-ESS 21
 # All VLANs are central by default. This command will instruct
 # the AP to perform local forwarding if a user is assigned to VLAN13.
 # This would happen AFTER a user passes the central portal authentication
 # which will create a dynamic local mac-user for the guest.
 # Since the guest will then "PASS" the mac-authentication, the
 # guest device is assigned to the PVID (in this example VLAN13).
 # Since the wlan service template is configured with local
 # forwarding for this VLAN, the AP will forward the authenticated
 # guest traffic locally into VLAN13
 client forwarding-mode local vlan 13
 service-template enable
#
```
Enable the template on the AP group:
```
wlan ap-group sitea
 dot11a service-template 21
 dot11bg service-template 21
```
Finally, create a sample guest user in the AC configuration:
```
local-user guest
 password simple hp
 authorization-attribute user-role guest
 service-type portal
```
Ensure that the remote site AP switch port carries tagged VLAN 13 and that the remote site internet router (with DHCP) is connected to this VLAN.
This completes the configuration of the central portal authentication with local breakout.
Note: at this moment, only 1 local breakout VLAN can be defined. So you need to ensure that the VLAN13 in this example is the local internet VLAN in each remote site. (It is controlled by the PVID on the WLAN-ESS interface)
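Because the PVID, the service template's local-forward VLAN and the mac-auth guest VLAN have to agree for this design to work, the following Python script (an added example, not part of this post or of the controller software) parses an AC configuration excerpt and reports any mismatch. The config excerpt is constructed here with the post's VLAN numbers, and the function names are assumptions.

```python
import re
# Constructed config excerpt using the VLAN numbers from this post; the checker
# below is an added example, not part of the post or of the controller software.
SAMPLE_CONFIG = """\
interface Vlan-interface21
 portal server local method direct
interface WLAN-ESS21
 port hybrid vlan 13 21 untagged
 port hybrid pvid vlan 13
 mac-authentication trigger after-portal
 mac-authentication guest-vlan 21
wlan service-template 21 clear
 bind WLAN-ESS 21
 client forwarding-mode local vlan 13
"""

def parse_blocks(cfg):
    """Map each top-level context line to its indented sub-lines; # remarks are dropped."""
    blocks, ctx = {}, None
    for line in (l for l in cfg.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if not line.startswith(" "):
            ctx = line.strip()
            blocks.setdefault(ctx, [])
        elif ctx is not None:
            blocks[ctx].append(line.strip())
    return blocks
def first_match(lines, pattern):
    return next((m.group(1) for m in map(re.compile(pattern).match, lines) if m), None)
def check_breakout(cfg):
    """Findings per WLAN-ESS interface; [] means guest VLAN, PVID and local-forward VLAN agree."""
    blocks, findings = parse_blocks(cfg), []
    for ctx, lines in ((c, l) for c, l in blocks.items() if c.startswith("interface WLAN-ESS")):
        pvid = first_match(lines, r"port hybrid pvid vlan (\d+)")
        guest = first_match(lines, r"mac-authentication guest-vlan (\d+)")
        untagged = set((first_match(lines, r"port hybrid vlan (.+) untagged") or "").split())
        if "mac-authentication trigger after-portal" not in lines:
            findings.append(f"{ctx}: mac re-auth after portal login is not enabled")
        for vlan, role in ((pvid, "PVID"), (guest, "guest VLAN")):
            if vlan not in untagged:
                findings.append(f"{ctx}: {role} {vlan} is not an untagged VLAN on the hybrid port")
        # guests land on the guest VLAN first, so its L3 interface must host the portal server
        if not any(l.startswith("portal server") for l in blocks.get(f"interface Vlan-interface{guest}", [])):
            findings.append(f"{ctx}: no portal server on Vlan-interface{guest}")
        # the service template bound to this WLAN-ESS must forward the PVID locally on the AP
        for tctx, tlines in blocks.items():
            if tctx.startswith("wlan service-template") and f"bind WLAN-ESS {ctx.removeprefix('interface WLAN-ESS')}" in tlines:
                local = first_match(tlines, r"client forwarding-mode local vlan (\d+)")
                if local != pvid:
                    findings.append(f"{tctx}: local forward VLAN {local} != PVID {pvid}")
    return findings
```

Run `check_breakout()` over the text of `display current-configuration` saved from the AC; an empty list means the PVID, local-forward VLAN and guest VLAN match the design above.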
What about employee authentication in branch offices with a BYOD device profiling requirement?
- Windows and Mac users can access the corp network
- Mobile devices should be locally switched to the branch ADSL
For this we create 3 VLANs.
The problem is moving users between two different VLANs which reside in the branch over MPLS-VRF.