Operating algorithm
Информация |
---|
Supported from versions: Devices: WLC-15/30/3200, ESR-15/15R/30/3200 WLC firmware version: 1.26.0 Devices: WEP-1L/2L/30L/30L-Z/200L и WOP-2L/20L/30L/30LS AP firmware version: 2.5.0 |
RADIUS portal authorisation method is supported on the access point (next "AP").
The client connects to an open SSID. When the client first connects, there is no account for the client in the external system (RADIUS server) yet, therefore all client traffic is blocked except:
- DHCP;
- DNS;
- Requests to the portal address;
- URL/IP whitelist request.
After the client is connected, the AP tries to perform MAC Authentication Bypass (MAB) on the RADIUS server by substituting the client's MAC address into the User-Name and User-Password attributes in the Access-Request to the RADIUS server. Since the RADIUS server does not currently have an account with these parameters, the server sends an Access-Reject.
Next, the client accesses the HTTP resource. The AP intercepts the request and redirects the client to the guest portal that was set in the SSID (portal-profile) settings. The client goes to the portal using the received URL, which contains:
- switch_url – URL for redirecting the client after authorisation on the portal;
- ap_mac – MAC address of the AP to which the client is connected;
- client_mac – MAC address of the client;
- wlan – name of the SSID to which the client is connected;
- redirect – the URL that the client originally requested.
URL example:
Блок кода |
---|
https://eltex-co.ru/?switch_url=http://redirect.loc:10081&ap_mac=68:13:E2:35:1F:30&client_mac=38:d5:7a:e1:e0:13&wlan=Portal-SSID&redirect=http://www.msftconnecttest.com/connecttest.txt |
Next, the user self-registers on the guest portal and is returned a redirect URL to the AP via the portal form, which contains parameters:
- username – user name;
- password – user password;
- redirect_url – URL that the client originally requested as the portal may have spoofed the address. In our example, the client tried to connect to http://www.msftconnecttest.com, but was redirected to https://eltex-co.ru;
- error_url – URL for redirecting the client in case of authorisation error. This parameter is not used in our example.
Информация |
---|
Parameter names can be redefined in the ap-profile configuration. |
URL example:
Блок кода |
---|
http://redirect.loc:10081/?username=60336144&password=3hMYEPEW0tdb&buttonClicked=4&redirect_url=https://eltex-co.ru/ |
The client device opens the redirect URL received from the portal. The AP reads username and password from it, substitutes them into the User-Name and User-Password attributes in the Access-Request and sends the request to the RADIUS server. After the client is successfully authorised on the RADIUS server, the AP removes access restrictions and redirects the client to the URL specified in redirect_url. After the user is logged, his account for MAB authorisation is created in the RADIUS database.
If the client reconnects to the AP or connects to another AP (to the same SSID), authorisation will be performed by MAC address; an Access-Request MAB-authorisation request will return Access-Accept, as the RADIUS server already has the corresponding client account (MAB-authorisation is requested when the client connects to the AP, if the AP does not "remember" the client). The client will not be redirected to the portal until the client's MAC address is removed from the database.
WLC configuration
An example of the configuration will be made on the WLC configuration.
Configuration order:
- Create URL whitelist.
- Create IP address whitelist.
- Сreate portal-profile.
- Сreate radius-profile.
- Create ssid-profile.
- Add ssid-profile to ap-location.
Whitelists are designed to allow a user to access certain resources before authorisation if necessary. The list of these resources can be specified via URL, RegExp or IP subnet. Whitelists is not mandatory. The portal address is added to the whitelist automatically, so there is no need to specify it.
Create a whitelist of URLs, it can contain URLs and/or RegExp. Access to the specified addresses will be allowed before authorisation.
Блок кода |
---|
object-group url white_url
url eltex-co.ru
regexp '(.+\.)eltex-co\.com'
exit |
Create a whitelist of IP addresses, access to the specified addresses will be allowed before authorisation. You can add to the whitelist the addresses of subnets that are required for authorisation.
Блок кода |
---|
object-group network white_ip
ip prefix 192.168.0.0/24
exit |
Create portal-profile.
Parameters description:
redirect-url – portal address;
age-timeout – the time interval during which the access point "remembers" the client and does not perform MAB authorisation;
verification-mode – portal operation mode;
white-list domain – URL whitelist;
white-list address – IP addresses whitelist.
Блок кода |
---|
wlc
portal-profile portal-pr
redirect-url https://eltex-co.ru
age-timeout 10
verification-mode external-portal
white-list domain white_url
white-list address white_ip
exit
exit |
Информация |
---|
With verification-mode external-portal, parameters are automatically added to the specified URL in redirect-url so that the resulting URL has the form: Блок кода |
---|
https://eltex-co.ru/?switch_url=<SWITCH_URL>&ap_mac=<AP_MAC>&client_mac=<CLIENT_MAC>&wlan=<SSID>&redirect=<ORIGINAL_URL> |
If you need to change the names of the parameters switch_url, ap_mac, client_mac, wlan, redirect you can specify the line yourself through the parameter redirect-url-custom, for example: Блок кода |
---|
redirect-url-custom https://eltex-co.ru/?action_url=<SWITCH_URL>&ap_addr=<AP_MAC>&client_addr=<CLIENT_MAC>&ssid_name=<SSID>&red_url=<ORIGINAL_URL>&nas=<NAS_ID> |
In the example, <NAS_ID> was added to the line and the following parameter names were changed: - switch_url → action_url
- ap_mac → ap_addr
- client_mac →client_addr
- wlan →ssid_name
- redirect →red_url
The redirect line may contain placeholders:<NAS_ID> - <SWITCH_URL>
- <AP_MAC>
- <CLIENT_MAC>
- <SSID>
- <ORIGINAL_URL>
|
Create radius-profile.
Блок кода |
---|
wlc
radius-profile portal_radius
auth-address 192.168.4.5
auth-password ascii-text encrypted 92BB3C7EB50C5AFE80
auth-acct-id-send
acct-enable
acct-address 192.168.4.5
acct-password ascii-text encrypted 92BB3C7EB50C5AFE80
acct-periodic
acct-interval 300
exit
exit |
Create ssid-profile.
Блок кода |
---|
wlc
ssid-profile portal_test
ssid portal_test
radius-profile portal_radius
portal-enable
portal-profile portal-pr
vlan-id 3
band 5g
enable
exit
exit |
Add ssid-profile to ap-location.
Блок кода |
---|
wlc
ap-location default-location
description default-location
mode tunnel
ap-profile default-ap
ssid-profile portal_test
exit
exit |
Full configuration
Раскрыть |
---|
Блок кода |
---|
#!/usr/bin/clish
#260
#1.26.1
#02/07/2024
#21:56:21
object-group service airtune
port-range 8099
exit
object-group service dhcp_client
port-range 68
exit
object-group service dhcp_server
port-range 67
exit
object-group service dns
port-range 53
exit
object-group service netconf
port-range 830
exit
object-group service ntp
port-range 123
exit
object-group service radius_auth
port-range 1812
exit
object-group service sa
port-range 8043-8044
exit
object-group service ssh
port-range 22
exit
object-group service web
port-range 443
exit
object-group network white_ip
ip prefix 192.168.0.0/24
ip prefix 192.168.1.0/24
ip prefix 100.110.0.0/23
exit
object-group url white_url
url eltex-co.ru
regexp '(.+\.)eltex-co\.com'
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
severity info
exit
radius-server local
nas ap
key ascii-text encrypted 8CB5107EA7005AFF
network 192.168.1.0/24
exit
nas local
key ascii-text encrypted 8CB5107EA7005AFF
network 127.0.0.1/32
exit
domain default
exit
virtual-server default
enable
exit
enable
exit
username admin
password encrypted $6$mxcmBjMFhD3le5vZ$3qVKBN4Y6Uh126nuH/9VWOiH5m1pMWI1KvRTrrie5ZgmKaYxxZgeinS6Y210.3P2n.ZhlVHbaCcLKlfbOJzEG.
exit
radius-server host 127.0.0.1
key ascii-text encrypted 8CB5107EA7005AFF
exit
aaa radius-profile default_radius
radius-server host 127.0.0.1
exit
boot host auto-config
boot host auto-update
vlan 3
force-up
exit
vlan 2
exit
no spanning-tree
domain lookup enable
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 1
vlan 1
security-zone trusted
ip address 192.168.1.1/24
no spanning-tree
enable
exit
bridge 2
vlan 2
security-zone untrusted
ip address dhcp
no spanning-tree
enable
exit
bridge 3
vlan 3
mtu 1458
security-zone users
ip address 192.168.2.1/24
no spanning-tree
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
mode switchport
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface tengigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
mode switchport
exit
tunnel softgre 1
mode data
local address 192.168.1.1
default-profile
enable
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port object-group ssh
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group ntp
enable
exit
rule 50
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 60
action permit
match protocol udp
match destination-port object-group dns
enable
exit
rule 70
action permit
match protocol tcp
match destination-port object-group netconf
enable
exit
rule 80
action permit
match protocol tcp
match destination-port object-group sa
enable
exit
rule 90
action permit
match protocol udp
match destination-port object-group radius_auth
enable
exit
rule 100
action permit
match protocol gre
enable
exit
rule 110
action permit
match protocol tcp
match destination-port object-group airtune
enable
exit
rule 120
action permit
match protocol tcp
match destination-port object-group web
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port object-group dhcp_server
match destination-port object-group dhcp_client
enable
exit
exit
security zone-pair users self
rule 10
action permit
match protocol icmp
enable
exit
rule 20
action permit
match protocol udp
match source-port object-group dhcp_client
match destination-port object-group dhcp_server
enable
exit
rule 30
action permit
match protocol tcp
match destination-port object-group dns
enable
exit
rule 40
action permit
match protocol udp
match destination-port object-group dns
enable
exit
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security passwords default-expired
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool ap-pool
network 192.168.1.0/24
address-range 192.168.1.2-192.168.1.254
default-router 192.168.1.1
dns-server 192.168.1.1
option 42 ip-address 192.168.1.1
vendor-specific
suboption 12 ascii-text "192.168.1.1"
suboption 15 ascii-text "https://192.168.1.1:8043"
exit
exit
ip dhcp-server pool users-pool
network 192.168.2.0/24
address-range 192.168.2.2-192.168.2.254
default-router 192.168.2.1
dns-server 192.168.2.1
exit
softgre-controller
nas-ip-address 127.0.0.1
data-tunnel configuration wlc
aaa radius-profile default_radius
keepalive-disable
service-vlan add 3
enable
exit
wlc
outside-address 192.168.1.1
service-activator
aps join auto
exit
airtune
enable
exit
ap-location default-location
description default-location
mode tunnel
ap-profile default-ap
airtune-profile default_airtune
ssid-profile default-ssid
ssid-profile portal_test
exit
airtune-profile default_airtune
description default_airtune
exit
ssid-profile default-ssid
description default-ssid
ssid default-ssid
radius-profile default-radius
vlan-id 3
security-mode WPA2_1X
802.11kv
band 2g
band 5g
enable
exit
ssid-profile portal_test
ssid portal_test
radius-profile portal_radius
portal-enable
portal-profile portal-pr
vlan-id 3
band 5g
enable
exit
radio-2g-profile default_2g
description default_2g
exit
radio-5g-profile default_5g
description default_5g
exit
ap-profile default-ap
description default-ap
password ascii-text encrypted 8CB5107EA7005AFF
exit
portal-profile portal-pr
redirect-url https://eltex-co.ru
age-timeout 10
verification-mode external-portal
white-list domain white_url
white-list address white_ip
exit
radius-profile default-radius
description default-radius
auth-address 192.168.1.1
auth-password ascii-text encrypted 8CB5107EA7005AFF
domain default
exit
radius-profile portal_radius
auth-address 192.168.4.5
auth-password ascii-text encrypted 92BB3C7EB50C5AFE80
auth-acct-id-send
acct-enable
acct-address 192.168.4.5
acct-password ascii-text encrypted 92BB3C7EB50C5AFE80
acct-periodic
acct-interval 300
exit
ip-pool default-ip-pool
description default-ip-pool
ap-location default-location
exit
enable
exit
wlc-journal all
limit days 365
exit
ip ssh server
ntp enable
ntp broadcast-client enable
ip https server |
|
Connection diagram
Drawio |
---|
border | true |
---|
viewerToolbar | true |
---|
| |
---|
fitWindow | false |
---|
diagramName | wlc_ap_portal |
---|
simpleViewer | false |
---|
width | |
---|
diagramWidth | 1294 |
---|
revision | 1 |
---|
|