HP Unified Wireless: Central 802.1x configuration

This post is a sample configuration of an 802.1x WPA2/AES WLAN service on the HP Unified Wireless platform.

This configuration assumes:

  • Central authentication: the AP forwards all 802.1x traffic over the LWAPP tunnel to the Access Controller (AC). The AC is the RADIUS client.
  • Central forwarding: the AP forwards all user data over the LWAPP tunnel to the AC. The wired network will see the wireless MAC addresses coming in from the AC switch port.

The configuration was built using an 830 with software R3507P20.

# Ensure the L2 VLANs you want to use have been prepared on the AC, the internal SWITCH and any upstream core switches.

# Configuration for AC
vlan 15
 # enable vlan tagging and VLAN15 on the AC to internal SWITCH BAGG
int bagg 1
 port link-type trunk
 port trunk permit vlan 15
 quit

# Configuration for the Internal SWITCH
vlan 15
 # enable vlan tagging and VLAN15 on the internal SWITCH BAGG to AC
int bagg 1
 port link-type trunk
 port trunk permit vlan 15
 quit

# Configure the physical uplink ports or BAGG (on the SWITCH) to external 
# switch as TRUNK and permit the VLAN. Step not shown.

# Enable port-security (the default) and configure the 802.1x authentication method:

port-security enable
dot1x authentication-method eap

# Define a RADIUS scheme (add a secondary server for RADIUS redundancy)

The authentication and accounting keys will be saved in ciphered format.

Comware uses the concept of authentication domains in the configuration. In this case we do not want to forward the internal name of this domain to the RADIUS server. The domain is defined in the next step (name dot1x); by default the device would send the username “john@dot1x” to the RADIUS server. After you configure “user-name-format without-domain”, the device will simply send “john”.

radius scheme nps
 primary authentication 10.0.1.111
 primary accounting 10.0.1.111
 key authentication simple hp
 key accounting simple hp
 user-name-format without-domain
 nas-ip 10.1.2.11

# Define the authentication domain

This binds an authentication context to the back-end authentication methods (such as local users, RADIUS, LDAP, TACACS, etc.). I configure all the defaults to none, to ensure this domain cannot be used for, e.g., switch login authentication.

domain dot1x
 authentication default none
 authorization default none
 accounting default none
 authentication lan-access radius-scheme nps
 authorization lan-access radius-scheme nps
 accounting lan-access radius-scheme nps

# Configure the virtual Layer 2 interface for the WLAN service. All traffic from wireless users will first land on this virtual Layer 2 interface, which is the interface that performs the 802.1x authentication.

interface WLAN-ESS15
 description WLAN-Corporate-L2-Interface 
  # If you want to use dynamic RADIUS assigned VLANs, you will need 
  # a hybrid port, since multiple "untagged" wireless users will be 
  # online on the same Virtual L2 port
 port link-type hybrid

  # configure VLAN15 as the base VLAN. When the RADIUS server 
  # does not assign a VLAN, the user will be put into the PVID
 undo port hybrid vlan 1 untagged
 port hybrid vlan 15 untagged
 port hybrid pvid vlan 15

  # When multiple users come online in multiple VLANs, the system 
  # needs to program each authorized (authenticated 802.1x) MAC into
  # a specific (the RADIUS assigned) VLAN. This requires the mac-vlan
  # to be enabled.
 mac-vlan enable

  # Enable port-security with 802.1x for multiple users: 
 port-security port-mode userlogin-secure-ext

  # The 802.1x process must provide the wireless (11) encryption key 
 port-security tx-key-type 11key

  # I do not need the iNode supplicant handshake (would disconnect 
  # e.g. online Windows supplicants after a few seconds, causing
  # continuous re-auth  
 undo dot1x handshake

  # Configure the authentication domain (defined earlier) 
 dot1x mandatory-domain dot1x

  # Disable the mcast EAP request ID. This would send an mcast EAP
  # request ID every 30 seconds, causing online users to re-auth.
 undo dot1x multicast-trigger
#

# Next, define the wireless service template, bind it to the virtual L2 interface and enable WPA2 and AES/CCMP

wlan service-template 15 crypto
  # configure the SSID
 ssid Corp

  # Bind to the Virtual L2 Interface (which controls the auth and 
  # VLAN assignment)
 bind WLAN-ESS 15

  # Configure AES/CCMP encryption 
 cipher-suite ccmp
  # Enable WPA2 
 security-ie rsn
  
  # activate the template
 service-template enable

# Now activate the service template on the AP radios. In the current releases, this can be done through an AP group, which is inherited by the member APs. This example assumes the APs have been assigned to an AP group SiteA

wlan ap-group sitea
  # Members of the group
 ap be-ant-ap01
 ap be-ant-ap02
  # Activate the service template on both radios
 dot11a service-template 15
 dot11bg service-template 15
  # Enable the radios
 dot11a radio enable
 dot11bg radio enable

# This concludes the 802.1x configuration.

To ensure you can see the WLAN client IP Address information, enable the ARP/DHCP IP detection feature:

wlan client learn-ipaddr enable

To prevent rogue DHCP servers on the wireless network, enable DHCP snooping:

 # enable global snooping
dhcp-snooping
 # mark the uplink port to the wired network as trusted;
 # all the Virtual L2 ports facing the wireless clients will be 
 # untrusted by default
interface Bridge-Aggregation1
 dhcp-snooping trust


This entry was posted in Unified Wireless.

8 Responses to HP Unified Wireless: Central 802.1x configuration

  1. Pingback: HP Unified Wireless: AP Based (decentral) 802.1x authentication | About HP Networking

  2. Works for user authentication very well, Does anyone know of an article to setup machine (certificate) authentication?

    • Hi William, on the controller side, there is no difference in the setup when using computer auth and/or certificate based auth. These settings only change on the radius server host.

  3. Raymond Sauer says:

    Hi Peter, these AP names look familiar 😉

    We are trying to accomplish the following. Wifi client machine needs to be authenticated to AD before user logs on to AD.
    So that users who are connected over Wifi are able to see their mapped network drives and such.
    Is there a way to get this working using the HP 870 controllers?
    We now have this on our controllers for users who authenticate through radius;

    interface WLAN-ESS1
    port link-type hybrid
    port hybrid vlan 1 untagged
    mac-vlan enable
    port-security port-mode userlogin-secure-ext
    port-security tx-key-type 11key
    undo dot1x handshake
    dot1x mandatory-domain nps
    undo dot1x multicast-trigger

    We know there’s a way to do it but that will need a CA certificate and we don’t want to use that option.

    Thanks, Raymond

    • Hi Raymond,

      That is a feature that would normally be handled by the RADIUS server, such as ClearPass. The controller is just passing the auth info from the client to the RADIUS, but it has no view in user/machine auth.
      I am assuming that you want to use EAP-PEAP for the computer accounts, since you mentioned that you did not want a CA setup.

      With ClearPass the logic would be something like:
      * When a domain computer authenticates (can be checked since the account is member of the ‘domain computers’ group), mark the Endpoint (MAC) with a value such as ‘domain-pc’ set to ‘true’.
      * When a user authenticates, the ClearPass service can check the connecting MAC (PC) in the Endpoint database, and you would only allow access if it has the value ‘domain-pc’ set to ‘true’.
      * OPTIONAL: When not ‘true’, the user may be assigned to an internet-only access, so that would allow users to connect personal devices with PEAP on the corp SSID, but they would still be placed into an isolated VLAN/role.

      best regards, Peter.

      • Raymond Sauer says:

        Hi Peter, thanks for the fast follow up.
        I’ve read about the Clearpass option but we’re running a Microsoft NPS for RADIUS.
        Implementing Clearpass will not be an option I’m afraid.
        So there’s no way in achieving this when using NPS but no CA?

        Cheers, Ray

      • Hi Ray,

        With NPS only, you could just move to machine auth only, so only the domain computers would be allowed access to the wireless network.
        But when you want to combine conditions and machine state etc. you need a more advanced RADIUS server I am afraid.

        best regards, Peter.

  4. Raymond Sauer says:

    Hi Peter,

    Ok, thanks all clear.

    Cheers, Ray
