2. Configuration Examples
2.3 Campus Deployments with Anchor Controllers
In this example the Dependent / Independent Access Points are adopted and managed by a cluster of RFS 6000 Wireless Controllers in the private network using Level 1 MINT links. The Dependent / Independent Access Points are adopted and managed over VLAN 21 and communicate with the RFS 6000 Wireless Controllers over a high-speed local area network. The guest / visitor Wireless LAN traffic (VLAN 25) is tunneled from the Dependent / Independent Access Points to the cluster of RFS 6000 Wireless Controllers managing the Access Points.
The guest / visitor traffic is then tunneled over static MINT links to a cluster of RFS 4000 Wireless Controllers in the isolated network that perform the captive portal capture redirection using a virtual hostname. User authentication is provided by the RFS 6000 Wireless Controllers managing the Dependent / Independent Access Points. This model allows the guest / visitor traffic to be completely isolated from the internal private network.
Figure 2.3 – Campus Deployment with Anchor Controllers
Note: This configuration example can also be followed for deployments using a single RFS X000 Wireless Controller in the isolated network or DMZ.
This deployment leverages Virtual Router Redundancy Protocol (VRRP) to provide redundancy for the captive portal capture and redirection on the cluster of RFS 4000 Wireless Controllers. VRRP is enabled on VLAN 25 on the RFS 4000 Wireless Controllers, which use a virtual IP address and hostname to provide the captive portal capture and redirection. Each RFS 4000 Wireless Controller has a unique SVI defined on VLAN 25 and shares a VRRP virtual IP address (one is master, one is backup). During normal operation the RFS 4000 operating as the VRRP master provides the capture and redirection services.
To forward the captive portal capture and redirection traffic to the cluster of RFS 4000 Wireless Controllers, an SVI is defined on an isolated VLAN 125 on both RFS 6000 Wireless Controllers in the private network, with its IP address set to the VRRP virtual IP address assigned to the RFS 4000 Wireless Controllers. The isolated VLAN is not extended between the RFS 6000 Wireless Controllers. These SVIs allow the RFS 6000 Wireless Controllers to redirect the captive portal traffic over MINT to the VRRP virtual IP interface in the isolated network.
2.3.1 RFS 6000 Wireless Controllers – Private Network
2.3.1.1 AAA Policy
Each guest / visitor user will be authenticated by the integrated AAA server on the cluster of RFS 6000 Wireless Controllers. An AAA policy needs to be defined to tell the WiNG 5 system where to forward the authentication requests when a guest / visitor user provides their credentials on the captive portal login page. The AAA policy will be assigned to the captive portal enabled Wireless LAN.
1 Using the Web-UI select Configuration Wireless AAA Policy Add:
2 Name the policy then click Continue:
3 Set the Server Type to onboard-self then click OK, Exit then Exit again:
4 A AAA policy has now been defined:
5 Commit and Save the changes:
Running-Configuration Changes:
!
aaa-policy INTERNAL-AAA
authentication server 1 onboard controller
!
2.3.1.2 Management Policy
To allow front desk personnel to create guest / visitor user accounts on the cluster of RFS 6000 Wireless Controllers, a special administrative user account must be defined in the Management policy assigned to the Controllers. This will allow front desk personnel to login to the web-based management interface on RFS 6000 Wireless Controllers to create guest / visitor user IDs, passwords and define time limits as guest / visitors check into the site.
Note: Front desk personnel are only provided limited access to the RFS 6000 Wireless Controllers and will not be able to view or change configuration parameters.
1 Using the Web-UI select Configuration Management <policy> Edit:
2 Click Add. Enter a User Name and Password then set the Administrator Role to Web User. Click OK then Exit:
3 A guest administrative user account has now been defined:
4 Commit and Save the changes:
Running-Configuration Changes:
!
management-policy WIRELESS-CONTROLLERS
no http server
https server
ssh
user admin password 0 motorola role superuser access all
user guestadmin password 0 hellomoto role web-user-admin
snmp-server user snmptrap v3 encrypted des auth md5 0 motorola
snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
snmp-server user snmpmanager v3 encrypted des auth md5 0 motorola
!
2.3.1.3 RADIUS Server Policy, Groups and User Pools
The cluster of RFS 6000 Wireless Controllers will authenticate the guest / visitor users internally using an integrated RADIUS server running on both RFS 6000 Wireless Controllers. Guest / visitor user accounts created by front desk personnel will be automatically assigned to an internal user pool and group which is synchronized on both Controllers. Upon expiration the guest / visitor user accounts are automatically purged from the system.
To authenticate guest / visitor users a RADIUS Server policy, Group and User Pool need to be defined.
The Group determines authorization and permissions for the guest / visitor users such as permitted Wireless LANs, time of day, day of week and bandwidth restrictions. The RADIUS Server policy is assigned to the RFS 6000 Wireless Controllers using their profile. All guest / visitor users will be created in the User Pool and will be assigned to the guest Group.
1 Using the Web-UI select Configuration Services RADIUS Groups Add:
2 Name the policy then check the option Guest User Group. In the WLAN SSID field enter the exact SSID name for the captive portal enabled Wireless LAN and add it to the list. Optionally enable Time of Day, Day of Week and Rate Limits then click OK and Exit:
3 Select User Pools then click Add:
4 Name the User Pool then click Continue and Exit:
5 Select Server Policy then click Add:
6 Name the policy then assign the User Pool name created above. Click OK then Exit:
7 Commit and Save the changes:
Running-Configuration Changes:
!
radius-group TMELABS-GUEST
guest
policy ssid TMELABS-GUEST
policy day mo
policy day tu
policy day we
policy day th
policy day fr
policy time start 08:00 end 18:00
!
radius-user-pool-policy TMELABS-GUEST
!
radius-server-policy INTERNAL-AAA
use radius-user-pool-policy TMELABS-GUEST
!
2.3.1.4 Captive Portal Policy
A captive portal policy will be defined that enables captive portal capture and redirection on the cluster of RFS 6000 Wireless Controllers and requires guest / visitor users to provide valid credentials prior to being permitted access to the Internet. The guest / visitor users will be authenticated via the Integrated AAA services running on the RFS 6000 Wireless Controllers over a secure HTTPS connection. The captive portal policy will be assigned to the Guest Wireless LAN as well as the Controller profile.
Note: For this example the authentication for the captive portal users will be controlled by the captive portal policy assigned to the RFS 6000 Wireless Controllers. The captive portal page locations and formatting will be controlled using the captive portal policy assigned to the RFS 4000 Wireless Controllers in the isolated network, which perform the actual capture and redirection.
1 Using the Web-UI select Configuration Services Captive Portals Add:
2 Name the policy then set the Captive Portal Server Mode to Centralized Controller. Set the Access Type to RADIUS Authentication and assign the AAA Policy created earlier. Set the Hosting VLAN Interface to an isolated internal VLAN ID (VLAN 125 in this example) then in the Captive Portal Server field enter a non-resolvable hostname. Finally set the Connection Mode to HTTPS then click OK and Exit:
3 The Captive Portal policy has been defined:
4 Commit and Save the changes:
Running-Configuration Changes:
!
captive-portal TMELABS-GUEST
connection-mode https
server host virtual.tmelabs.local
server mode centralized-controller
hosting-vlan-interface 125
use aaa-policy INTERNAL-AAA
!
2.3.1.5 Wireless LAN
A Wireless LAN with captive portal enforcement enabled will be defined that maps guest / visitor users to VLAN 25, which is tunneled to the cluster of RFS 6000 Wireless Controllers at the site. The captive portal enabled Wireless LAN will be mapped to the Access Points' 2.4 GHz radios using Access Point profiles.
1 Using the Web-UI select Configuration Wireless Wireless LANs Add:
2 Name the Wireless LAN and SSID then set the Bridging Mode to Tunnel. Define the VLAN ID where the captive portal user traffic is being mapped then click OK:
3 Select Security then set the Authentication to PSK/None. Check the option Captive Portal Enable then assign the Captive Portal Policy created in the previous step. Click OK then Exit:
4 The captive portal enabled Wireless LAN has now been defined:
5 Commit and Save the changes:
Running-Configuration Changes:
!
wlan TMELABS-GUEST
ssid TMELABS-GUEST
vlan 25
bridging-mode tunnel
encryption-type none
authentication-type none
use captive-portal TMELABS-GUEST
captive-portal-enforcement
!
2.3.1.6 Access Point Profile
The Access Points will tunnel the guest / visitor user traffic to the cluster of RFS 6000 Wireless Controllers, where the capture and redirection and the authentication will be performed. Using a profile, the captive portal enabled Wireless LAN will be assigned to each Access Point's 2.4 GHz radio.
1 Using the Web-UI select Configuration Profiles <ap-profile-name> Edit:
2 Select Interface Radios radio1 Edit. Select the WLAN Mapping / Mesh Mapping tab then under WLANs select the Guest / Visitor Wireless LAN created earlier and add it to the radio. Click OK then Exit:
3 Commit and Save the changes:
Running-Configuration Changes:
! Configuration removed for brevity !
interface radio1
wlan TMELABS-GUEST bss 1 primary
interface radio2
interface ge1
switchport mode trunk
switchport trunk native vlan 21
no switchport trunk native tagged
switchport trunk allowed vlan 21-22
ip dhcp trust
qos trust dscp
qos trust 802.1p
interface vlan21
ip address dhcp
ip dhcp client request options all
interface pppoe1
2.3.1.7 Wireless Controller Overrides
For captive portal capture and redirection to function on the RFS 4000 Wireless Controllers in the isolated network, each RFS 6000 Wireless Controller will have a Switched Virtual Interface (SVI) defined on an isolated VLAN 125 with their IP addresses set to the VRRP virtual IP defined on the RFS 4000 Wireless Controllers. The SVI and static IP addresses are defined on each individual RFS 6000 Wireless Controller device as an override.
1 Using the Web-UI select Configuration Devices <controller-1> Edit:
2 Select Profile Overrides Interface Virtual Interfaces Add. Define the isolated VLAN ID in the VLAN ID field then check the option None. In the Primary Address field define the VRRP virtual IP Address and Subnet Mask length used on the RFS 4000 Wireless Controllers in the DMZ. Click OK then Exit:
3 Select Configuration Devices <controller-2> Edit:
4 Select Profile Overrides Interface Virtual Interfaces Add. Define an isolated VLAN ID in the VLAN ID field then check the option None. In the Primary Address field define the VRRP virtual IP Address and Subnet Mask length used on the RFS 4000 Wireless Controllers in the DMZ. Click OK then Exit:
5 Commit and Save the changes:
! Configuration removed for brevity !
ip default-gateway 192.168.20.1
interface me1
ip address 192.168.0.1/24
interface vlan20
ip address 192.168.20.22/24
interface vlan125
description VRRP\ Helper
ip address 192.168.25.10/24
cluster name CAMPUS
cluster member ip 192.168.20.23
cluster master-priority 254
! Configuration removed for brevity !
ip default-gateway 192.168.20.1
interface me1
ip address 192.168.0.1/24
interface vlan20
ip address 192.168.20.23/24
interface vlan125
description VRRP\ Helper
ip address 192.168.25.10/24
cluster name CAMPUS
cluster member ip 192.168.20.22
cluster master-priority 128
logging on
logging console warnings
logging buffered warnings
!
2.3.1.8 Wireless Controller Profile
The cluster of RFS 6000 Wireless Controllers will forward captive portal capture and redirection traffic to a virtual hostname which resides on the RFS 4000 Wireless Controllers in the isolated network or DMZ. Using a profile, each RFS 6000 Wireless Controller will be assigned the Captive Portal and RADIUS Server policies. In addition, both RFS 6000 Wireless Controllers will be configured to tunnel the guest / visitor traffic for VLAN 25 over statically defined IP-based MINT links which terminate on the RFS 4000 Wireless Controllers' management interfaces in the isolated network.
Note: If a firewall resides between the private and isolated networks, the firewall must be configured to permit UDP port 24576 (MINT traffic).
1 Using the Web-UI select Configuration Profiles <controller-profile-name> Edit:
2 Select Network Bridge VLAN Add. Add the Guest / Visitor VLAN ID to the VLAN field then set the Bridging Mode to Tunnel. Click OK then Exit.
3 Select Advanced MINT Protocol IP Add. In the IP Address field enter the Management IP address of the Active RFS 4000 Wireless Controller in the isolated network or DMZ. In this example the Primary RFS 4000 Wireless Controller is assigned the management IP address 192.168.30.20/24. Click OK then Exit:
4 Select Add. In the IP Address field enter the Management IP address of the Standby RFS 4000 Wireless Controller in the isolated network or DMZ. In this example the Standby RFS 4000 Wireless Controller is assigned the management IP address 192.168.30.21/24. Click OK then Exit:
5 Select Services then assign the Captive Portal and RADIUS Server policies. Click OK then Exit:
6 Commit and Save the changes:
Running-Configuration Changes:
!
profile rfs6000 CAMPUS-RFS6000
mint link ip 192.168.30.20
mint link ip 192.168.30.21
bridge vlan 25
bridging-mode tunnel
ip igmp snooping
ip igmp snooping querier
!
! Configuration removed for brevity !
use radius-server-policy INTERNAL-AAA
!
! Configuration removed for brevity !
interface me1
interface up1
description UPLINK
switchport mode trunk
switchport trunk native vlan 20
switchport trunk native tagged
switchport trunk allowed vlan 20,23
ip dhcp trust
qos trust dscp
qos trust 802.1p
!
! Configuration removed for brevity !
use firewall-policy default
use auto-provisioning-policy CAMPUS
use captive-portal server TMELABS-GUEST
ntp server 192.168.10.6
no auto-learn-staging-config
service pm sys-restart
router ospf
!
2.3.2 RFS 4000 Wireless Controllers – DMZ
2.3.2.1 Captive Portal Policy
A captive portal policy will be defined on the RFS 4000 Wireless Controllers that closely mirrors the captive portal policy defined on the RFS 6000 Wireless Controllers. The Captive Portal Policy on the RFS 6000 Wireless Controllers defines the remote virtual hostname used for capture and redirection as well as how the users are authenticated. The RFS 6000 Wireless Controllers simply forward the capture and redirected traffic to the RFS 4000 Wireless Controllers.
The captive portal policy on the RFS 4000 Wireless Controllers defines the same non-resolvable virtual hostname but also the captive portal page location and customization. In this example the default internal captive portal pages will be utilized which will be hosted on the RFS 4000 Wireless Controllers. The captive portal policy will be assigned to the Controller profile.
Note: For this example the default login, welcome, failed and agreement pages hosted on the RFS 4000 Wireless Controllers in the isolated network will be displayed. The content of the default pages can be modified to suit the customer's requirements then uploaded onto both RFS 4000 Wireless Controllers.
1 Using the Web-UI select Configuration Services Captive Portals Add:
2 Name the policy then set the Captive Portal Server Mode to Centralized Controller. Set the Access Type to RADIUS Authentication but do not assign an AAA Policy. Set the Hosting VLAN Interface to the guest / visitor VLAN ID (VLAN 25 in this example) then in the Captive Portal Server field enter the non-resolvable hostname defined on the RFS 6000 Wireless Controllers. Finally set the Connection Mode to HTTPS then click OK and Exit:
3 The Captive Portal policy has been defined:
4 Commit and Save the changes:
Running-Configuration Changes:
!
captive-portal TMELABS-GUEST
connection-mode https
server host virtual.tmelabs.local
server mode centralized-controller
hosting-vlan-interface 25
!
2.3.2.2 Auto-Provisioning Policy
As the RFS 4000 Wireless Controllers in the isolated network are dedicated to providing captive portal capture and redirection, Access Points should not adopt to these devices. To disable adoption, an Auto-Provisioning policy containing no rules will be defined and assigned to the Controller profile; with no rules present, the policy denies all adoptions by default.
1 Using the Web-UI select Configuration Devices Auto-Provisioning Policy Add:
2 Name the policy DENY-ADOPTION then click Continue and Exit:
3 Commit and Save the changes:
Running-Configuration Changes:
!
auto-provisioning-policy DENY-ADOPTION
!
2.3.2.3 Wireless Controller Overrides
To provide captive portal capture and redirection each RFS 4000 Wireless Controller will have a Switched Virtual Interface (SVI) defined for VLAN 25 with a static IPv4 address assigned. Additionally VRRP will be enabled on VLAN 25 with a virtual IP assigned to provide high-availability in the event that one of the RFS 4000 Controllers fails. The SVI and static IPv4 addressing will be defined on each individual RFS 4000 Wireless Controller device as an override.
1 Using the Web-UI select Configuration Devices <controller-1> Edit:
2 Select Profile Overrides Interface Virtual Interfaces Add. Define the Guest / Visitor VLAN ID in the VLAN ID field then check the option None. In the Primary Address field enter a static Address and Subnet Mask length. In this example 192.168.25.20/24 has been defined. Click OK then Exit:
3 Select Profile Overrides VRRP Add. Define the Guest / Visitor VLAN ID in the Virtual Router ID and Interface fields then set the Priority to 200. This device will become the VRRP master and own the virtual IP during normal operation. In the Virtual IP Addresses field enter the VRRP virtual IP address shared between RFS 4000 Controllers for capture and redirection. In this example 192.168.25.10 has been defined. Set the Advertisement Interval value to 1 then click OK then Exit:
4 Select Configuration Devices <controller-2> Edit:
5 Select Profile Overrides Interface Virtual Interfaces Add. Define the Guest / Visitor VLAN ID in the VLAN ID field then check the option None. In the Primary Address field enter a static Address and Subnet Mask length. In this example 192.168.25.21/24 has been defined. Click OK then Exit:
6 Select Profile Overrides VRRP Add. Define the Guest / Visitor VLAN ID in the Virtual Router ID and Interface fields. In the Virtual IP Addresses field enter the VRRP virtual IP address shared between RFS 4000 Controllers for capture and redirection. In this example 192.168.25.10 has been defined. Set the Advertisement Interval value to 1 then click OK then Exit:
7 Commit and Save the changes:
! Configuration removed for brevity !
ip default-gateway 192.168.30.1
interface vlan25
ip address 192.168.25.20/24
interface vlan30
ip address 192.168.30.20/24
cluster name DMZ
cluster member ip 192.168.30.21
cluster master-priority 254
logging on
logging console warnings
logging buffered warnings
vrrp 25 priority 200
vrrp 25 timers advertise 1
vrrp 25 ip 192.168.25.10
vrrp 25 preempt
vrrp 25 interface vlan25
no vrrp 25 sync-group
no vrrp 25 monitor critical-resource
no vrrp 25 delta-priority
!
! Configuration removed for brevity !
ip default-gateway 192.168.30.1
interface vlan25
ip address 192.168.25.21/24
interface vlan30
ip address 192.168.30.21/24
cluster name DMZ
cluster mode standby
cluster member ip 192.168.30.20
cluster master-priority 128
logging on
logging console warnings
logging buffered warnings
vrrp 25 priority 100
vrrp 25 timers advertise 1
vrrp 25 ip 192.168.25.10
vrrp 25 preempt
vrrp 25 interface vlan25
no vrrp 25 sync-group
no vrrp 25 monitor critical-resource
no vrrp 25 delta-priority
!
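The anchor-controller design in this section only works when several values agree across the two clusters: the RFS 6000 "VRRP Helper" SVI (2.3.1.7) must carry the VRRP virtual IP configured on the RFS 4000s (2.3.2.3), both captive portal policies (2.3.1.4 and 2.3.2.1) must name the same virtual hostname, the RFS 4000 portal must be hosted on the VLAN that VRRP protects, and the static MINT links (2.3.1.8) must target the RFS 4000 management addresses. The Python below is an added consistency check, not part of the guide or of WiNG; it parses constructed excerpts of the configurations shown above (one device per cluster, using the page's addresses and names) and reports any mismatch.

```python
import re

# Constructed excerpts (one device per cluster) of the configs in 2.3.1.4,
# 2.3.1.7, 2.3.1.8, 2.3.2.1 and 2.3.2.3; addresses and names are the page's.
RFS6000_OVERRIDES = """\
interface vlan125
description VRRP\\ Helper
ip address 192.168.25.10/24
"""
RFS6000_PROFILE = """\
profile rfs6000 CAMPUS-RFS6000
mint link ip 192.168.30.20
mint link ip 192.168.30.21
bridge vlan 25
bridging-mode tunnel
"""
RFS6000_PORTAL = "server host virtual.tmelabs.local\nhosting-vlan-interface 125\n"
RFS4000_OVERRIDES = """\
interface vlan25
ip address 192.168.25.20/24
interface vlan30
ip address 192.168.30.20/24
vrrp 25 ip 192.168.25.10
vrrp 25 interface vlan25
"""
RFS4000_PORTAL = "server host virtual.tmelabs.local\nhosting-vlan-interface 25\n"


def first(pattern, config):
    """First capture group of PATTERN, matched line-wise in CONFIG, else None."""
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None


def svi_addresses(config):
    """Map 'vlanN' -> 'a.b.c.d/len' for every SVI in a config excerpt."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (vlan\d+)$", line.strip())
        if m:
            current = m.group(1)
        elif current and line.strip().startswith("ip address "):
            svis[current] = line.split()[2]
    return svis


def check_design(rfs6000_ovr, rfs6000_prof, rfs6000_cp, rfs4000_ovr, rfs4000_cp):
    """Return findings for the anchor-controller design; empty means consistent."""
    findings = []
    vip = first(r"^vrrp \d+ ip (\S+)", rfs4000_ovr)
    vrrp_if = first(r"^vrrp \d+ interface (\S+)", rfs4000_ovr)
    # The RFS 6000 helper SVI (its portal's hosting VLAN) must carry the RFS 4000 VIP.
    helper_vlan = "vlan" + (first(r"^hosting-vlan-interface (\d+)", rfs6000_cp) or "")
    helper_ip = svi_addresses(rfs6000_ovr).get(helper_vlan, "/").split("/")[0]
    if helper_ip != vip:
        findings.append(f"RFS 6000 {helper_vlan} SVI {helper_ip!r} is not the VRRP VIP {vip!r}")
    # The RFS 4000 must host its portal on the VLAN that VRRP protects.
    if "vlan" + (first(r"^hosting-vlan-interface (\d+)", rfs4000_cp) or "") != vrrp_if:
        findings.append("RFS 4000 hosting VLAN differs from the VRRP interface")
    # Both policies must redirect clients to the same virtual hostname.
    if first(r"^server host (\S+)", rfs6000_cp) != first(r"^server host (\S+)", rfs4000_cp):
        findings.append("captive-portal server host differs between the clusters")
    # A static MINT link must target this RFS 4000's management (non-guest) SVI address.
    rfs4000_svis = svi_addresses(rfs4000_ovr)
    mgmt = {a.split("/")[0] for v, a in rfs4000_svis.items() if v != vrrp_if}
    if not mgmt & set(re.findall(r"^mint link ip (\S+)", rfs6000_prof, re.M)):
        findings.append("no static MINT link targets the RFS 4000 management address")
    return findings
```

Running `check_design` against the five excerpts returns an empty list; changing the helper SVI to any address other than 192.168.25.10 produces a finding, which is the failure mode that silently breaks redirection for every guest client.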
2.3.2.4 Wireless Controller Profile
The cluster of RFS 4000 Wireless Controllers will provide the captive portal capture and redirection using a virtual hostname which resides on the RFS 4000 Wireless Controllers in the isolated network.
Using a profile each RFS 4000 Wireless Controller will be assigned the Captive Portal policy. In addition