
Author Topic: Wired-Authentication 2380 for Guest VLAN  (Read 518 times)


Offline trentsteenholdt

  • Rookie
  • **
  • Posts: 2
Wired-Authentication 2380 for Guest VLAN
« on: January 12, 2012, 03:02:38 AM »
Hi All,

This is my first post on Michael's forums, so please bear with me if I fail to follow some of the basic processes.  :)

Essentially my question is very brief, though I suspect the answer will be a long one. I want to set up a Guest VLAN (whether or not this uses the ERS5500 series Guest VLAN technology is up to what people suggest) that diverts HTTP request traffic to web-auth on a WSS 2380.

Almost identical to how Wireless web-portal authentication works. Except users plug a network cable into their NIC, not connect via Wireless to a SSID.

In all, I'm not looking for the complex solutions of 802.1x and profiling... I just want Guest VLAN users to have to authenticate using web-auth (with Active Directory as the back end) when they plug a network cable into the network.

I have configured one of the ports on the 2380 to be wired-auth and have got this connected to a brand new VLAN (FREGUEST145)

VLAN FREGUEST145
10.251.144.0
255.255.254.0
10.251.144.1


WSS Config.
frwss2380# show config
# Configuration nvgen'd at 2012-1-12 15:16:32
# Image 7.1.6.3.0
# Model 2380
# Last change occurred at 2012-1-12 14:19:33
set ip dns server 10.9.30.30/21 PRIMARY
set ip dns server 10.9.30.31/21 SECONDARY
set ip dns domain nd.edu.au
set ip dns enable
set ip route default 10.9.2.1 1
set log trace enable severity info
set system name frwss2380
set system ip-address 10.9.2.254
set system contact Trent Steenholdt
set system location Fremantle
set system countrycode AU
set timezone WST 8 0
set service-profile freClear ssid-name FremantleND
set service-profile freClear ssid-type clear
set service-profile freClear auth-fallthru web-portal
set service-profile freClear web-portal-form ndu-webaaa/ndu-login.html
set service-profile freClear web-portal-acl portalacl
set service-profile freClear attr vlan-name FREWIR160
set service-profile freClearOld ssid-name NDU_WLAN
set service-profile freClearOld ssid-type clear
set service-profile freClearOld beacon disable
set service-profile freClearOld auth-fallthru web-portal
set service-profile freClearOld web-portal-form ndu-webaaa/ndu-login.html
set service-profile freClearOld web-portal-acl portalacl
set service-profile freClearOld attr vlan-name FREWIR160
set radius timeout 10
set radius server frmvradius01 address 10.9.30.19 auth-port 1645 acct-port 1645 encrypted-key 135d16003e390723020a3d157325
set server group RadGroup members frmvradius01
set enablepass password 152a9a229c48ab7e183fbb4d6b7b5dc36257
set authentication console * local
set authentication web ssid NDU_WLAN ** RadGroup
set authentication web ssid FremantleND ** RadGroup
set user admin password encrypted 123a0a1a1f182d0027222a617b7f
set user web-portal-wired attr filter-id portalacl.in
set user web-portal-wired attr vlan-name FREGUEST145
set radio-profile default auto-tune power-config enable
set radio-profile default countermeasures rogue
set radio-profile default service-profile freClear
set radio-profile default service-profile freClearOld
set ap security none
set ap auto mode enable
set ap auto force-image-download enable
set ap auto time-out 3000
set port 1 name Management
set port media-type 1 rj45
set port negotiation 1 disable
set port 2 name Wireless-Access
set port media-type 2 rj45
set port negotiation 2 disable
set port 3 name Wired-Auth
set port media-type 3 rj45
set port type wired-auth 3 max-sessions 10 auth-fall-thru web-portal
set port negotiation 3 disable
set port 4 name Wired-Access
set port media-type 4 rj45
set port negotiation 4 disable
set vlan 2 name FREMGT002
set vlan 2 port 1 tag 2
set vlan 160 name FREWIR160
set vlan 160 port 2 tag 160
set vlan 145 name FREGUEST145
set interface 2 ip 10.9.2.254 255.255.255.0
set interface 160 ip 10.251.192.2 255.255.240.0
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl

Avaya Engineer Comments (he mentions GUEST VLAN on ERS 5500, but I've never set this up before. I can see the eapol commands, but don't understand their function!)

-----
There are several aspects to the web portal solution
1)   The ERS5500 switches support a guest VLAN feature as part of the 802.1x authentication such that if the client does not have an 802.1x supplicant they can be placed automatically and dynamically into a guest VLAN. This is how guest users would be captured, as they generally do not have an 802.1x configuration or account on the NDU system. Note there is no web portal on the ERS5500 switch; this would sit somewhere on the guest VLAN, i.e. the user is constrained to be in the guest VLAN and then authenticates against any web portal sitting behind that. So…..
2)   The web portal can also be hosted from the existing WLAN 2380, it supports a wired authentication option so that you can provide web portal for both wireless and wired users from the one WLAN 2380
3)   Identity Engines is our User Authentication Server, so all user authentication requests (802.1x, MAC, web portal, management access) from all devices (WLAN, Wired, VPN, etc.) are centrally managed, linking into backend LDAP directories. This solution today has a web based guest management tool to allow non-IT people to manage the creation of temporary user accounts for guest users. We are about to release 8.0 of this solution that will add an embedded web portal and self registration capabilities – in fact we are looking for Beta customers now for 8.0.
-----

What do I need to do to get this happening?

Thanks guys!


Trent
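As an added example (not part of the post, and not Avaya's tooling), the script below parses the `set ...` lines of the `show config` dump above and flags what looks missing for the wired web-portal path. The checks encode three assumptions about MSS that should be verified against the command reference for the 7.1 release before acting on a finding: a VLAN that the fall-through user is placed in needs port membership and an IP interface on the WSS so the portal page can be served and DHCP relayed; wired-auth ports need a `set authentication web wired <user-glob> <server-group>` rule (the posted config only has `ssid` rules); and the ACL named in `filter-id` must exist and be committed. The sample config is a constructed copy of the posted one, trimmed to the relevant lines with the RADIUS key replaced.

```python
"""Sanity-check a WSS 2380 (MSS) 'show config' dump for a wired web-portal setup.
Added example: not Avaya's code, not from the original post. The checks encode
assumptions about MSS behaviour (see comments); verify against your release."""
import re
from collections import defaultdict

# Constructed sample: the posted config trimmed to the relevant lines.
SAMPLE_CONFIG = """\
set authentication web ssid NDU_WLAN ** RadGroup
set authentication web ssid FremantleND ** RadGroup
set user web-portal-wired attr filter-id portalacl.in
set user web-portal-wired attr vlan-name FREGUEST145
set port type wired-auth 3 max-sessions 10 auth-fall-thru web-portal
set vlan 2 name FREMGT002
set vlan 2 port 1 tag 2
set vlan 160 name FREWIR160
set vlan 160 port 2 tag 160
set vlan 145 name FREGUEST145
set interface 2 ip 10.9.2.254 255.255.255.0
set interface 160 ip 10.251.192.2 255.255.240.0
set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
commit security acl portalacl
"""

VLAN_NAME = re.compile(r"^set vlan (\d+) name (\S+)")
VLAN_PORT = re.compile(r"^set vlan (\d+) port (\S+)")
INTERFACE = re.compile(r"^set interface (\d+) ip (\S+) (\S+)")
WIRED_AUTH = re.compile(r"^set port type wired-auth (\S+)")
WEB_WIRED = re.compile(r"^set authentication web wired ")
USER_ATTR = re.compile(r"^set user (\S+) attr (\S+) (\S+)")
ACL_DEF = re.compile(r"^set security acl name (\S+) ")
ACL_COMMIT = re.compile(r"^commit security acl (\S+)")


def parse_config(text):
    """Pull out the VLAN, interface, port, user-attribute and ACL facts the checks need."""
    cfg = {
        "vlan_name": {},                  # vlan id -> name
        "vlan_ports": defaultdict(set),   # vlan id -> ports that carry it
        "interfaces": {},                 # vlan id -> (ip, mask)
        "wired_auth_ports": set(),
        "web_auth_wired": False,
        "user_attrs": defaultdict(dict),  # user -> {attr: value}
        "acls": set(),
        "committed_acls": set(),
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := VLAN_NAME.match(line):
            cfg["vlan_name"][m[1]] = m[2]
        elif m := VLAN_PORT.match(line):
            cfg["vlan_ports"][m[1]].add(m[2])
        elif m := INTERFACE.match(line):
            cfg["interfaces"][m[1]] = (m[2], m[3])
        elif m := WIRED_AUTH.match(line):
            cfg["wired_auth_ports"].add(m[1])
        elif WEB_WIRED.match(line):
            cfg["web_auth_wired"] = True
        elif m := USER_ATTR.match(line):
            cfg["user_attrs"][m[1]][m[2]] = m[3]
        elif m := ACL_DEF.match(line):
            cfg["acls"].add(m[1])
        elif m := ACL_COMMIT.match(line):
            cfg["committed_acls"].add(m[1])
    return cfg


def check_wired_portal(cfg, user="web-portal-wired"):
    """Return a list of findings; an empty list means the wired-portal path looks complete."""
    findings = []
    # Assumption: logins from wired-auth ports are matched by a 'wired' authentication
    # rule, not by the per-SSID rules, so without one there is no server group for them.
    if cfg["wired_auth_ports"] and not cfg["web_auth_wired"]:
        ports = ", ".join(sorted(cfg["wired_auth_ports"]))
        findings.append("no 'set authentication web wired <user-glob> <server-group>' "
                        f"rule for wired-auth port(s) {ports}")
    attrs = cfg["user_attrs"].get(user, {})
    vlan_name = attrs.get("vlan-name")
    if vlan_name is None:
        findings.append(f"user {user} has no vlan-name attribute; fall-through clients get no VLAN")
    else:
        vid = next((v for v, n in cfg["vlan_name"].items() if n == vlan_name), None)
        if vid is None:
            findings.append(f"vlan-name {vlan_name} for {user} is not a configured VLAN")
        else:
            # Assumption: the WSS can only place clients in a VLAN it carries on some port,
            # and can only serve the portal page (and relay DHCP) from an IP in that VLAN.
            if not cfg["vlan_ports"].get(vid):
                findings.append(f"VLAN {vid} ({vlan_name}) has no port membership on the WSS")
            if vid not in cfg["interfaces"]:
                findings.append(f"VLAN {vid} ({vlan_name}) has no IP interface on the WSS")
    filter_id = attrs.get("filter-id")
    if filter_id:
        acl = re.sub(r"\.(in|out)$", "", filter_id)
        if acl not in cfg["acls"]:
            findings.append(f"filter-id {filter_id} references undefined ACL {acl}")
        elif acl not in cfg["committed_acls"]:
            findings.append(f"ACL {acl} is defined but never committed")
    return findings


if __name__ == "__main__":
    for finding in check_wired_portal(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print("-", finding)
```

Run against the posted config it reports three gaps: no `wired` web-authentication rule, and VLAN 145 with neither a port nor an IP interface on the WSS. The `portalacl` check passes, since the ACL is both defined and committed; note that the ACL as written only lets DHCP through before login, which is the intended walled-garden behaviour for a portal ACL.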


Online Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 582
Re: Wired-Authentication 2380 for Guest VLAN
« Reply #1 on: January 12, 2012, 04:43:47 AM »
Hi trentsteenholdt and welcome to the forum,

I use Nortel's/Avaya's Ignition product with the ERS 45xx switches.  This is basically a Radius server where the users can authenticate using 802.1x supplicant (Using EAPOL) and MAC address only authentication.  Depending on the Ignition configuration you can block an unauthorised user (Which is what we do) or put them into the Guest Vlan.

It sounds like you also have the Ignition product with the Guest management add-on.  I will see if I can find any information on how you set up the Guest Vlan with Ignition.

CheerZ

Offline trentsteenholdt

  • Rookie
  • **
  • Posts: 2
Re: Wired-Authentication 2380 for Guest VLAN
« Reply #2 on: January 12, 2012, 06:15:16 AM »
Hi Flintstone,

Thanks for the reply. We actually use Windows NPA (Windows Server 2008 R2 RADIUS) for our web-auth backend on the WSS2380. We found it very simple to set up, as we do not do any 802.1x inspection or even any encryption (we have server-level encryption for our critical data, and these are just student accounts we're talking about, so we ain't fussed).

As for our ERS5500 series switches, we have no RADIUS configured, not even for mgmt auth.

Maybe if you can post the details up here, I might be able to translate them for someone else as well as get it to work for me. I'm actually a certified MCTS on Windows Server 2008 R2 (it's actually the primary function of my job).

To just clarify, all I'm looking for is a simple VLAN network where authentication must be made via a web browser before being able to access everything (it doesn't need to be just the internet).

Cheers,

Trent.

The University of Notre Dame Australia

Online Flintstone

Re: Wired-Authentication 2380 for Guest VLAN
« Reply #3 on: January 12, 2012, 12:38:19 PM »
Hi trentsteenholdt,

I checked our configuration, and within Ignition you can configure the Guest Vlan as an option, which would be dynamically allocated to the unauthenticated user port.

I have found some user guides you might be able to use:

http://support.avaya.com/css/P8/documents/100125543
http://support.avaya.com/css/P8/documents/100141496
http://support.avaya.com/css/Products/P0846/All_Documents

CheerZ

Offline Michael McNamara

Re: Wired-Authentication 2380 for Guest VLAN
« Reply #4 on: January 12, 2012, 10:47:08 PM »
Hi trentsteenholdt and welcome to the forums!

If you have the Ignition product by all means review the links that @Flintstone has provided.

However, I'll give you another way to skin the cat along with a little story/history.

We built our own WiFi HotSpot Captive Portal years back on CentOS Linux. This is essentially a server with 2 NICs and is setup to perform routing, act as a DHCP and DNS server and also provide a firewall between the public network and the internal corporate network. We also setup rate-limiting to keep our guests from consuming too much of our Internet link.

We use the single server for both wired and wireless guest access. The server doesn't care how the client is connected, so long as it's in VLAN 45 (that's our guest VLAN).  Our own solution is not set up to provide authentication; instead we just require the guest to click the I AGREE button on the AUP. It wouldn't be hard to throw some Perl or PHP together to make some LDAP queries to perform authentication.

Now, with that said, there are probably captive portal solutions out today that have caught up. In 2005 there was nothing that fit our requirements, so I sat down and built the thing myself. You might find a freeware or even commercial solution today that does everything you want it to do.

Just an option... good luck!
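The two-NIC Linux gateway Michael describes, as an added example modelled on his description (this is not his code; the interface names, the 10.251.144.0/23 guest subnet, the portal port and the idle timeout are assumptions). It shows the two parts of a home-grown captive portal that carry the security weight: a walled garden that only lets DHCP, DNS to the gateway and the portal itself through before login, and a session table keyed on both IP and MAC with an idle timeout, together with the iptables commands that would install one client's bypass. The authentication step itself (the AUP click, or an LDAP bind against AD) is left as the `login()` call.

```python
"""Captive-portal policy for a guest VLAN behind a two-NIC Linux gateway.
Added example, not the forum poster's code. Topology and values are assumptions:
eth0 faces the corporate/Internet side, eth1 sits in the guest VLAN."""
from dataclasses import dataclass
import ipaddress
import time

GUEST_IF = "eth1"
GUEST_NET = ipaddress.ip_network("10.251.144.0/23")    # guest subnet (assumed)
GATEWAY_IP = ipaddress.ip_address("10.251.144.1")      # this box's address in the guest VLAN (assumed)
PORTAL_PORT = 8080          # local port the portal web app listens on (assumed)
IDLE_TIMEOUT = 30 * 60      # seconds of silence before a client must log in again (assumed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


def base_rules():
    """One-time ruleset: redirect unauthenticated HTTP to the portal, permit DHCP/DNS, block the rest."""
    return [
        f"iptables -t nat -A PREROUTING -i {GUEST_IF} -p tcp --dport 80 -j REDIRECT --to-ports {PORTAL_PORT}",
        f"iptables -A INPUT -i {GUEST_IF} -p udp --dport 67 -j ACCEPT",
        f"iptables -A INPUT -i {GUEST_IF} -p udp --dport 53 -j ACCEPT",
        f"iptables -A INPUT -i {GUEST_IF} -p tcp --dport {PORTAL_PORT} -j ACCEPT",
        f"iptables -A INPUT -i {GUEST_IF} -j DROP",
        f"iptables -A FORWARD -i {GUEST_IF} -j DROP",
    ]


def client_rules(src_ip, src_mac):
    """Per-client bypass, inserted (-I) above the final DROPs once the client has logged in.
    Matching on IP *and* source MAC means another host that grabs the same IP is still redirected."""
    match = f"-i {GUEST_IF} -s {src_ip} -m mac --mac-source {src_mac}"
    return [
        f"iptables -t nat -I PREROUTING {match} -j ACCEPT",   # skip the HTTP REDIRECT
        f"iptables -I FORWARD {match} -j ACCEPT",             # allow routing out via eth0
    ]


class CaptivePortal:
    """Decides accept / redirect / drop for guest-side packets and tracks sessions."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the timeout can be tested
        self._sessions = {}      # (src_ip, src_mac) -> last activity timestamp

    def login(self, src_ip, src_mac, username):
        """Called by the portal after the AUP click or a successful directory bind."""
        if ipaddress.ip_address(src_ip) not in GUEST_NET:
            raise ValueError(f"{src_ip} is not a guest address")
        self._sessions[(src_ip, src_mac.lower())] = self._now()
        return client_rules(src_ip, src_mac)

    def logout(self, src_ip, src_mac):
        self._sessions.pop((src_ip, src_mac.lower()), None)

    def _authenticated(self, src_ip, src_mac):
        key = (src_ip, src_mac.lower())
        seen = self._sessions.get(key)
        if seen is None:
            return False
        if self._now() - seen > IDLE_TIMEOUT:
            del self._sessions[key]        # expired: next HTTP request is redirected again
            return False
        self._sessions[key] = self._now()  # any traffic refreshes the idle timer
        return True

    def decide(self, pkt):
        # Walled garden: what every guest needs before authentication.
        if pkt.proto == "udp" and pkt.dst_port == 67:          # DHCP to the gateway
            return "accept"
        if pkt.dst_ip == str(GATEWAY_IP):
            if pkt.dst_port in (53, PORTAL_PORT):             # DNS and the portal itself
                return "accept"
            return "drop"                                     # nothing else on the box from guests
        if self._authenticated(pkt.src_ip, pkt.src_mac):
            return "accept"
        if pkt.proto == "tcp" and pkt.dst_port == 80:         # catch the browser
            return "redirect"
        return "drop"   # HTTPS, mail, etc. are silently blocked until login
```

Keying the session on both IP and MAC means a second host that takes over a logged-in guest's IP is still redirected, although a host that clones both is not caught; the idle timeout bounds how long such a takeover, or an abandoned laptop, keeps access. Because `client_rules()` uses `-I`, the per-client entries land above the chain's final DROP, so `base_rules()` has to be installed first and in that order.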