Дерево страниц
Перейти к концу метаданных
Переход к началу метаданных

Operating algorithm

Supported from versions:

Devices: WLC-15/30/3200, ESR-15/15R/30/3200

WLC firmware version: 1.26.0

Devices: WEP-1L/2L/30L/30L-Z/200L и WOP-2L/20L/30L/30LS

AP firmware version: 2.5.0

RADIUS portal authorisation is supported on the access point (thereafter "AP").

The client connects to an open SSID. When the client first connects, there is no account for the client in the external system (RADIUS server) yet, therefore all client traffic is blocked except:

  • DHCP;
  • DNS;
  • Requests to the portal address;
  • URL/IP whitelist request.

After the client is connected, the AP tries to perform MAC Authentication Bypass (MAB) on the RADIUS server by substituting the client's MAC address into the User-Name and User-Password attributes in the Access-Request to the RADIUS server. Since the RADIUS server does not currently have an account with these parameters, the server sends an Access-Reject.

Next, the client accesses the HTTP resource. The AP intercepts the request and redirects the client to the guest portal that was set in the SSID (portal-profile) settings. The client goes to the portal using the received URL, which contains:

  • switch_url – URL for redirecting the client after authorisation on the portal;
  • ap_mac – MAC address of the AP to which the client is connected;
  • client_mac – MAC address of the client;
  • wlan – name of the SSID to which the client is connected;
  • redirect – the URL that the client originally requested.

URL example:

https://eltex-co.ru/?switch_url=http://redirect.loc:10081&ap_mac=68:13:E2:35:1F:30&client_mac=38:d5:7a:e1:e0:13&wlan=Portal-SSID&redirect=http://www.msftconnecttest.com/connecttest.txt

Next, the user self-registers on the guest portal and is returned a redirect URL to the AP via the portal form, which contains parameters:

  • username – user name;
  • password – user password;
  • redirect_url – URL that the client originally requested as the portal may have spoofed the address. In our example, the client tried to connect to http://www.msftconnecttest.com, but was redirected to https://eltex-co.ru;
  • error_url – URL for redirecting the client in case of authorisation error. This parameter is not used in our example.

Parameter names can be redefined in the ap-profile configuration.

URL example:

http://redirect.loc:10081/?username=60336144&password=3hMYEPEW0tdb&buttonClicked=4&redirect_url=https://eltex-co.ru/

The client device opens the redirect URL received from the portal. The AP reads username and password from it, substitutes them into the User-Name and User-Password attributes in the Access-Request and sends the request to the RADIUS server. After the client is successfully authorised on the RADIUS server, the AP removes access restrictions and redirects the client to the URL specified in redirect_url. After the user is logged, his account for MAB authorisation is created in the RADIUS database.

If the client reconnects to the AP or connects to another AP (to the same SSID), authorisation will be performed by MAC address; an Access-Request MAB-authorisation request will return Access-Accept, as the RADIUS server already has the corresponding client account (MAB-authorisation is requested when the client connects to the AP, if the AP does not "remember" the client). The client will not be redirected to the portal until the client's MAC address is removed from the database.

WLC configuration

An example of the configuration will be made on the WLC configuration.

Configuration order:

  1. Create URL whitelist.
  2. Create IP address whitelist.
  3. Сreate portal-profile.
  4. Сreate radius-profile.
  5. Create ssid-profile.
  6. Add ssid-profile to ap-location. 

Whitelists are designed to allow a user to access certain resources before authorisation if necessary. The list of these resources can be specified via URL, RegExp or IP subnet. Whitelists are not mandatory. The portal address is added to the whitelist automatically, so there is no need to specify it.

  1. Create a whitelist of URLs, it can contain URLs and/or RegExp. Access to the specified addresses will be allowed before authorisation.

    object-group url white_url
      url eltex-co.ru
      regexp '(.+\.)eltex-co\.com'
    exit
  2. Create a whitelist of IP addresses, access to the specified addresses will be allowed before authorisation. It is possible to add to the whitelist the addresses of subnets that are required for authorisation.

    object-group network white_ip
      ip prefix 192.168.0.0/24
    exit
  3. Create portal-profile.

    Parameters description:
    redirect-url – portal address;
    age-timeout – the time interval during which the access point "remembers" the client and does not perform MAB authorisation;
    verification-mode – portal operation mode;
    white-list domain  – URL whitelist;
    white-list address – IP addresses whitelist.

    wlc
      portal-profile portal-pr
        redirect-url https://eltex-co.ru
        age-timeout 10
        verification-mode external-portal
        white-list domain white_url
        white-list address white_ip 
      exit
    exit

    With verification-mode external-portal, parameters are automatically added to the specified URL in redirect-url so that the resulting URL has the form:

    https://eltex-co.ru/?switch_url=<SWITCH_URL>&ap_mac=<AP_MAC>&client_mac=<CLIENT_MAC>&wlan=<SSID>&redirect=<ORIGINAL_URL>

    If the names of the parameters switch_url, ap_mac, client_mac, wlan, redirect need to be changed, it is possible to specify the line yourself through the parameter redirect-url-custom, for example:

    redirect-url-custom https://eltex-co.ru/?action_url=<SWITCH_URL>&ap_addr=<AP_MAC>&client_addr=<CLIENT_MAC>&ssid_name=<SSID>&red_url=<ORIGINAL_URL>&nas=<NAS_ID>

    In the example <NAS_ID> was added to the line and the following parameter names were changed:

    • switch_url → action_url
    • ap_mac → ap_addr
    • client_mac → client_addr
    • wlan → ssid_name
    • redirect → red_url

    The redirect line may contain placeholders: 

    • <NAS_ID>
    • <SWITCH_URL>
    • <AP_MAC>
    • <CLIENT_MAC>
    • <SSID>
    • <ORIGINAL_URL>
  4. Create radius-profile.

    wlc
      radius-profile portal_radius
        auth-address 192.168.4.5
        auth-password ascii-text encrypted 92BB3C7EB50C5AFE80
        auth-acct-id-send
        acct-enable
        acct-address 192.168.4.5
        acct-password ascii-text encrypted 92BB3C7EB50C5AFE80
        acct-periodic
        acct-interval 300
      exit
    exit

  5. Create ssid-profile.

    wlc
      ssid-profile portal_test
        ssid portal_test
        radius-profile portal_radius
        portal-enable
        portal-profile portal-pr
        vlan-id 3
        band 5g
        enable
      exit
    exit


  6. Add ssid-profile to ap-location. 

    wlc
      ap-location default-location
        description default-location
        mode tunnel
        ap-profile default-ap
        ssid-profile portal_test
      exit
    exit

Full configuration

 Нажмите здесь для раскрытия...
#!/usr/bin/clish
#260
#1.26.1
#02/07/2024
#21:56:21
object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service web
  port-range 443
exit

object-group network white_ip
  ip prefix 192.168.0.0/24
  ip prefix 192.168.1.0/24
  ip prefix 100.110.0.0/23
exit

object-group url white_url
  url eltex-co.ru
  regexp '(.+\.)eltex-co\.com'
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text encrypted 8CB5107EA7005AFF
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text encrypted 8CB5107EA7005AFF
    network 127.0.0.1/32
  exit
  domain default
  exit
  virtual-server default
    enable
  exit
  enable
exit
username admin
  password encrypted $6$mxcmBjMFhD3le5vZ$3qVKBN4Y6Uh126nuH/9VWOiH5m1pMWI1KvRTrrie5ZgmKaYxxZgeinS6Y210.3P2n.ZhlVHbaCcLKlfbOJzEG.
exit

radius-server host 127.0.0.1
  key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit

bridge 1
  vlan 1
  security-zone trusted
  ip address 192.168.1.1/24
  no spanning-tree
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.1/24
  no spanning-tree
  enable
exit

interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 1/0/3
  mode switchport
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
  rule 120
    action permit
    match protocol tcp
    match destination-port object-group web
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.2-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.2-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit

softgre-controller
  nas-ip-address 127.0.0.1
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  ap-location default-location
    description default-location
    mode tunnel
    ap-profile default-ap
    airtune-profile default_airtune
    ssid-profile default-ssid
    ssid-profile portal_test
  exit
  airtune-profile default_airtune
    description default_airtune
  exit
  ssid-profile default-ssid
    description default-ssid
    ssid default-ssid
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ssid-profile portal_test
    ssid portal_test
    radius-profile portal_radius
    portal-enable
    portal-profile portal-pr
    vlan-id 3
    band 5g
    enable
  exit
  radio-2g-profile default_2g
    description default_2g
  exit
  radio-5g-profile default_5g
    description default_5g
  exit
  ap-profile default-ap
    description default-ap
    password ascii-text encrypted 8CB5107EA7005AFF
  exit
  portal-profile portal-pr
    redirect-url https://eltex-co.ru
    age-timeout 10
    verification-mode external-portal
    white-list domain white_url
    white-list address white_ip 
  exit
  radius-profile default-radius
    description default-radius
    auth-address 192.168.1.1
    auth-password ascii-text encrypted 8CB5107EA7005AFF
    domain default
  exit
  radius-profile portal_radius
    auth-address 192.168.4.5
    auth-password ascii-text encrypted 92BB3C7EB50C5AFE80
    auth-acct-id-send
    acct-enable
    acct-address 192.168.4.5
    acct-password ascii-text encrypted 92BB3C7EB50C5AFE80
    acct-periodic
    acct-interval 300
  exit
  ip-pool default-ip-pool
    description default-ip-pool
    ap-location default-location
  exit
  enable
exit

wlc-journal all
  limit days 365
exit

ip ssh server

ntp enable
ntp broadcast-client enable

ip https server

Connection diagram

  • Нет меток