Deployment Model: Centralized Captive Portal Server with Internal Pages
This model is typically deployed by small and medium business offices that want a quick way to set up hotspot access for visitors. This solution does not require any external devices to set up the hotspot for guest access. A guest user admin account can log into the system and create user accounts for visitors as and when required.
Captive Portal Server
The Controller acts as the Captive Portal Server.
Captive Portal Pages
The redirection web pages are stored in the controller.
RADIUS Server
The controller acts as the AAA server.
User Database
The user database is also stored in the controller.
The figure below depicts the message flow of this deployment model.
Message Flow
Configuration Steps
1) Create AAA Policy
a. Under the context: Configuration->Wireless->AAA Policy, click ‘Add’
Enter the AAA Policy Name and click ‘Continue’
b. Add RADIUS server by clicking ‘Add’
Enter the ‘Server Id’
Select ‘Server Type’ as ‘onboard-controller’
Click ‘OK’
2) Create DNS Whitelist
a. Under the context: Configuration->Services->Captive Portals->DNS Whitelist, click ‘Add’
Enter a name for the DNS Whitelist
b. Click ‘Add Row’
Enter the list of IP addresses that you want to grant access to even if the client is not authenticated.
Click ‘OK’
Note: Since we are using the controller to host the pages, we should allow the client to access the controller’s IP Address used to host the pages. In this example we are using the controller’s VLAN 20 interface to host the captive portal pages, so we are allowing access to 172.16.10.2.
3) Create Captive Portal Policy
a. Under the context: Configuration->Services->Captive Portals->Captive Portals, click ‘Add’
Enter the Captive Portal Policy Name
Set ‘Captive Portal Server Mode’ to ‘Centralized’
Set ‘Simultaneous Users’ to 100
Set AAA Policy to ‘Mot-Hotspot’ (created in Step 1)
Set Access Type to ‘Radius Authentication’
Set DNS Whitelist to ‘Mot-Hotspot’ (created in Step 2)
Click ‘OK’
b. On the ‘Web Page’ tab ensure the ‘Web Page Source’ is set to ‘Internal’
4) Create RADIUS Group Policy
a. Under the context: Configuration->Services->RADIUS, click ‘Add’
Enter the ‘Radius Group Policy’ Name
Enable ‘Guest User Group’
Set VLAN to ‘20’ – this will override any settings on the WLAN
Set WLAN SSID to ‘Mot-Hotspot’
Click ‘OK’
5) Create RADIUS User Pools
a. Under the context: Configuration->Services->RADIUS->User Pools, Click ‘Add’
Enter ‘User Pool’ name
Click ‘Continue’
b. In the newly created Radius User Pool, Click ‘Add’ to add Users
Enter the ‘User Id’
Enter ‘Password’
Select ‘Guest User’
Set Group to ‘Mot-Hotspot’ (created in Step 4)
Set Start Date, Start Time, Expiry Date and Expiry Time accordingly
Click ‘OK’
6) Create RADIUS Server Policy
a. Under the context: Configuration->Services->RADIUS->Server Policy, Click ‘Add’
Set ‘RADIUS Server Policy’ name
Set ‘RADIUS User Pools’ to ‘Mot-Hotspot’ (created in Step 5)
Set ‘LDAP Groups’ to ‘Mot-Hotspot’ (created in Step 4)
Set ‘Authentication Data Source’ to ‘Local’
Click ‘OK’
7) Create VLAN 20 for Wireless Hotspot Users and set the IP Address of the VLAN 20 interface as 172.16.20.1
8) Create DHCP Server Policy to give IP address on VLAN20 for Wireless Hotspot Users
a. Under the context: Configuration->Services->DHCP Server Policy, Click ‘Add’
Set ‘DHCP Server Policy Name’
Click ‘Continue’
b. Under the context of the newly created DHCP Server Policy, Click ‘Add’ to create a DHCP pool
Set ‘DHCP Pool’ name
Set ‘Subnet’ to VLAN 20 subnet – 172.16.20.0/24
Set ‘Default Routers’ to VLAN 20 interface IP address – 172.16.20.1
Under ‘IP Address Range’ Click ‘Add Row’
Enter the range of IP Addresses – 172.16.20.100 to 172.16.20.150
Click ‘OK’
9) Map RADIUS Server, DHCP Server and Captive Portal policy in rfs4000 profile
a. Under the context: Configuration->Profiles->Profile->default-rfs4000->services
Set ‘Captive Portal Policies’ to ‘Mot-Hotspot’ (created in Step 3)
Set ‘DHCP Server Policy’ to ‘Motorola Lab DHCP Server’ (created in Step 8)
Set ‘RADIUS Server Policy’ to ‘Mot-Hotspot’ (created in Step 6)
Click ‘OK’
10) Create WLAN for Hotspot
a. Under the context: Configuration->Wireless->Wireless LANs, click ‘Add’
Set ‘WLAN’ name
Set ‘SSID’ – this should match the one you entered in Step 4b
Set ‘Bridging Mode’ to ‘Tunnel’
Set ‘VLAN’ to ‘20’
Click ‘OK’
b. Under the Security Menu of the newly created WLAN
Set ‘Enforcement’ to ‘Captive Portal Enable’
Set ‘Captive Portal Policy’ to ‘Mot-Hotspot’ (created in Step 3)
Click ‘OK’
11) Map WLAN to radios of the AP650 profile
a. Under the context: Configuration->Profiles->Profile->default-ap650->Interface->Radios
Select ‘Radio 1’ and Click ‘Edit’
Under ‘WLAN Mapping’ tab, add ‘Mot-Hotspot’ WLAN (created in Step 10)
Click ‘OK’
Repeat the above 3 steps for Radio 2
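An added example (not part of the original guide or of WiNG itself): a Python check of the addressing values from Steps 2, 7 and 8, confirming that the DHCP pool, default router and pre-authentication whitelist agree with the VLAN 20 interface that hosts the portal pages. The PLAN layout and the check_plan function are this example's own names; with the values exactly as written above it reports that the whitelisted 172.16.10.2 is not the VLAN 20 interface address 172.16.20.1.

```python
import ipaddress

# Values taken from the steps above; the dictionary layout is this example's own.
PLAN = {
    "guest_subnet": "172.16.20.0/24",                   # Step 8b
    "vlan20_interface": "172.16.20.1",                  # Step 7
    "default_router": "172.16.20.1",                    # Step 8b
    "dhcp_range": ("172.16.20.100", "172.16.20.150"),   # Step 8b
    "dns_whitelist": ["172.16.10.2"],                   # Step 2 note
}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    net = ipaddress.ip_network(plan["guest_subnet"])
    iface = ipaddress.ip_address(plan["vlan20_interface"])
    router = ipaddress.ip_address(plan["default_router"])
    lo, hi = (ipaddress.ip_address(a) for a in plan["dhcp_range"])
    whitelist = [ipaddress.ip_address(a) for a in plan["dns_whitelist"]]

    if iface not in net:
        findings.append(f"portal interface {iface} is outside {net}")
    if router != iface:
        findings.append(f"default router {router} is not the VLAN interface {iface}")
    if lo > hi or lo not in net or hi not in net:
        findings.append(f"DHCP range {lo}-{hi} does not fit inside {net}")
    elif lo <= iface <= hi:
        findings.append(f"DHCP range {lo}-{hi} would lease the interface address {iface}")
    for reserved in (net.network_address, net.broadcast_address):
        if lo <= reserved <= hi:
            findings.append(f"DHCP range includes reserved address {reserved}")
    # Unauthenticated clients must reach the address that serves the login page.
    if iface not in whitelist:
        findings.append(f"whitelist {[str(a) for a in whitelist]} lacks portal interface {iface}")
    # Every other whitelist entry is reachable before login, so report it for review.
    for addr in whitelist:
        if addr != iface:
            findings.append(f"whitelist entry {addr} is reachable pre-authentication")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print("FINDING:", finding)
```

An empty result means the pool, router and whitelist all line up with the portal interface; each whitelist entry that is reported should be one you intend guests to reach before they log in.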
To test the setup
1) Connect the Wireless Client to ‘Mot-Hotspot’ SSID
Observe that the Wireless client is assigned IP address in the VLAN 20 range.
2) Open the browser, type www.google.com
Note: Ensure that DNS resolution happens for the website – the Controller should be connected to the internet so that the entry can be resolved. Otherwise, type any IP address in the browser.
3) The web page should be redirected to the internal login.html page
4) Enter the user credentials (created in Step 5b)
Source: Best Practices WING Deployments by Extreme Networks