This post is a sample configuration of an 802.1x WPA2/AES WLAN service on the HP Unified Wireless platform.
This configuration assumes:
- Central authentication: the AP forwards all 802.1x traffic over the LWAPP tunnel to the Access Controller (AC). The AC is the RADIUS client.
- Central forwarding: the AP forwards all user data over the LWAPP tunnel to the AC. The wired network will see the wireless MAC addresses coming in from the AC switch port.
The configuration was built using an 830 with software R3507P20.
# Ensure the L2 VLANs you want to use have been prepared on the AC, the internal SWITCH and any upstream core switches.
# Configuration for the AC
vlan 15
# enable VLAN tagging and VLAN 15 on the AC to internal SWITCH BAGG
int bagg 1
 port link-type trunk
 port trunk permit vlan 15
quit
# Configuration for the internal SWITCH
vlan 15
# enable VLAN tagging and VLAN 15 on the internal SWITCH BAGG to AC
int bagg 1
 port link-type trunk
 port trunk permit vlan 15
quit
# Configure the physical uplink ports or BAGG (on the SWITCH) to the external
# switch as TRUNK and permit the VLAN. Step not shown.
# enable port-security (default) and configure 802.1x auth method:
port-security enable
dot1x authentication-method eap
# Define a RADIUS scheme (add secondary for redundant RADIUS)
The authentication and accounting keys will be saved in ciphered format
Comware uses the concept of authentication domains in the configuration. We do not want to forward the internal name of this domain to the RADIUS server in this case. The domain is defined in the next step (name dot1x), by default the device would send username “john@dot1x” to the RADIUS server. After you configure “user-name-format without-domain”, the device will simply send “john”
radius scheme nps
 primary authentication 10.0.1.111
 primary accounting 10.0.1.111
 key authentication simple hp
 key accounting simple hp
 user-name-format without-domain
 nas-ip 10.1.2.11
# Define the authentication domain
This binds an authentication context to the back-end authentication methods (like local users, RADIUS, LDAP, TACACS etc). I configure all the defaults to none, to ensure this domain cannot be used for e.g. switch login authentication.
domain dot1x
 authentication default none
 authorization default none
 accounting default none
 authentication lan-access radius-scheme nps
 authorization lan-access radius-scheme nps
 accounting lan-access radius-scheme nps
# Configure the Virtual Layer2 Interface for the WLAN service. All traffic from wireless users will first land on this Virtual Layer2 interface. This is the interface which will be performing the 802.1x authentication.
interface WLAN-ESS15
 description WLAN-Corporate-L2-Interface
 # If you want to use dynamic RADIUS-assigned VLANs, you will need
 # a hybrid port, since multiple "untagged" wireless users will be
 # online on the same Virtual L2 port
 port link-type hybrid
 # Configure VLAN 15 as the base VLAN. When the RADIUS server
 # does not assign a VLAN, the user will be put into the PVID
 undo port hybrid vlan 1 untagged
 port hybrid vlan 15 untagged
 port hybrid pvid vlan 15
 # When multiple users come online in multiple VLANs, the system
 # needs to program each authorized (authenticated 802.1x) MAC into
 # a specific (the RADIUS-assigned) VLAN. This requires mac-vlan
 # to be enabled.
 mac-vlan enable
 # Enable port-security with 802.1x for multiple users:
 port-security port-mode userlogin-secure-ext
 # The 802.1x process must provide the wireless (11) encryption key
 port-security tx-key-type 11key
 # I do not need the iNode supplicant handshake (it would disconnect
 # e.g. online Windows supplicants after a few seconds, causing
 # continuous re-authentication)
 undo dot1x handshake
 # Configure the authentication domain (defined earlier)
 dot1x mandatory-domain dot1x
 # Disable the multicast EAP Request-Identity. This would send a multicast EAP
 # Request-Identity every 30 seconds, causing online users to re-authenticate.
 undo dot1x multicast-trigger
# Next define the wireless service template, bind it to the Virtual L2 interface and enable WPA2 and AES/CCMP
wlan service-template 15 crypto
 # configure the SSID
 ssid Corp
 # Bind to the Virtual L2 interface (which controls the authentication and
 # VLAN assignment)
 bind WLAN-ESS 15
 # Configure AES/CCMP encryption
 cipher-suite ccmp
 # Enable WPA2
 security-ie rsn
 # activate the template
 service-template enable
# Now activate the service template on the AP radios. In the current releases, this can be done through an AP group, which is inherited by the APs. This example assumes APs have been assigned to an AP group SiteA.
wlan ap-group sitea
 # Members of the group
 ap be-ant-ap01
 ap be-ant-ap02
 # Activate the service template on both radios
 dot11a service-template 15
 dot11bg service-template 15
 # Enable the radios
 dot11a radio enable
 dot11bg radio enable
# This concludes the 802.1x configuration.
To ensure you can see the WLAN client IP Address information, enable the ARP/DHCP IP detection feature:
wlan client learn-ipaddr enable
To prevent rogue DHCP servers on the wireless network, enable DHCP snooping:
# enable global snooping
dhcp-snooping
# configure the uplink port to the wired network as trusted;
# all the Virtual L2 ports facing the wireless clients will be
# untrusted by default
interface Bridge-Aggregation1
 dhcp-snooping trust