HPE IMC BYOD
WLAN 802.1X Authentication with Machine and User Certificates Configuration Examples
Part Number: 5200-1386
Software version: IMC UAM 7.2 (E0403)
Document version: 2
The information in this document is subject to change without notice.
© Copyright 2016 Hewlett Packard Enterprise Development LP
Contents
Introduction
Prerequisites
Example: Configuring WLAN 802.1X authentication with machine and user certificates
  Network configuration
  Analysis
  Software versions used
  Restrictions and guidelines
  Configuring the DHCP server
  Configuring UAM
    Configuring the AC as an access device
    Configuring an access policy
    Configuring an access service
    Adding user accounts
    Importing server and root certificates
  Configuring WX6103
    Associating WX6103 with an AP
    Configuring 802.1X authentication on WX6103
  Configuring MSM 760
    Deploying configurations from MSM 760 to the AP
    Configuring the switch that connects the AP to MSM 760
  Configuring the PC
    Disabling wireless connection management in the iNode client
    Importing certificates to the PC
    Configuring machine certificate authentication in Windows
    Configuring user certificate authentication for account client212
  Verifying the configuration
Introduction
This document provides examples for configuring UAM and an AC (H3C WX6103 or HP MSM 760)
to implement WLAN 802.1X authentication for Windows users based on machine and user
certificates.
The examples apply to scenarios that automatically do both of the following:
• Implement machine certificate authentication at Windows startup.
• Implement user certificate authentication for Windows logon users for WLAN 802.1X access.
With certificate authentication, Windows users do not need to manually provide credentials for
network access.
Prerequisites
Before you configure WLAN 802.1X authentication with machine and user certificates, obtain a root
certificate, a server certificate, a machine certificate, and a user certificate from a certification
authority. The name of the machine certificate must be the same as the full computer name of the PC.
The name of the user certificate must be the same as the account name of the access user in UAM.
Example: Configuring WLAN 802.1X authentication with machine and user certificates
Network configuration
As shown in Figure 1 and Figure 2, a Windows user intends to access the Internet through WLAN 802.1X.
An AC (WX6103 or MSM 760) serves as the access device.
• WX6103 manages the user in a mandatory 802.1X authentication domain named 1x, and removes the domain name from the usernames to be sent to UAM for authentication.
• MSM 760 directly forwards the account name to UAM without changing it.
Configure UAM and the AC to implement 802.1X EAP-TLS certificate authentication.
• When Windows starts up, it automatically connects to SSID ss_byod_jay_1x for machine certificate authentication.
• When the user logs on to Windows, the user automatically passes user certificate authentication to access the network. The account name is client212.
• After the two certificate authentication processes, the PC automatically obtains an IP address from the DHCP server and is assigned to VLAN 33.
When WX6103 is used, configure 802.1X authentication and the DHCP relay agent on it.
When MSM 760 is used, do the following:
• Configure 802.1X authentication on MSM 760.
• Configure the DHCP relay agent on the switch that connects the AP to MSM 760.
Set the shared key for secure RADIUS communication to hello, and set the ports for authentication and accounting to 1812 and 1813, respectively.
Figure 1 Network diagram (WX6103)
Figure 2 Network diagram (MSM 760)
Analysis
To implement WLAN 802.1X authentication based on machine and user certificates, complete the following configurations:
• In UAM, configure the following:
a. Configure the AC as an access device.
b. Configure an access policy for EAP-TLS certificate authentication.
c. Configure the previous access policy as the default access policy in an access service that has no suffix.
d. Configure the computer user account and an access user account for 802.1X access, and assign the previous access service to the accounts.
e. Import root and server certificates to UAM.
• On WX6103, configure the RADIUS scheme, ISP domain, VLAN, global security settings, and WLAN settings.
• On MSM 760, configure the VLAN, RADIUS profile, VSC profile, and VSC bindings.
• On the PC, obtain and install the root certificate, machine certificate, and user certificate.
To enable the PC to obtain an IP address through DHCP, configure the DHCP relay agent on WX6103 or on the switch that connects the AP to MSM 760.
Software versions used
This configuration example was created and verified on the following platforms:
• IMC UAM 7.2 (E0403)
• DHCP server embedded in Windows Server 2008 R2 Datacenter
• Certificate server embedded in Windows Server 2008 R2 Datacenter
• H3C WX6103 Comware Software, Version 5.20, ESS2507P04
• HP MSM 760 Software Version 6.0.0.69-12510, Hardware Version B:48
• Windows XP SP3
Restrictions and guidelines
When you configure WLAN 802.1X authentication with machine and user certificates, follow these restrictions and guidelines:
• UAM must provide both authentication and accounting services. Do not use a server other than the UAM server to provide accounting.
• When you add the AC to UAM as an access device, follow these restrictions and guidelines:
− For WX6103, use the NAS IP address that is configured with the nas-ip command on the AC. If the nas-ip command is not configured, use the IP address of the interface (including a VLAN interface) that connects to UAM.
− For MSM 760, use the IP address of the interface that connects to UAM.
− To select the AC from the resource pool, make sure it is already added to the IMC platform manually or through auto discovery and that it uses the correct IP address.
− If the AC in the resource pool does not use the correct IP address, you must manually specify the correct IP address of the access device.
− Use the same port and shared key settings for authentication and accounting communication as the CLI configuration on the AC.
• On WX6103, you cannot enable 802.1X authentication by executing the dot1x command in interface view. To configure 802.1X authentication, use the port security feature.
• When you configure VLAN 33 to be deployed for an access policy in UAM, follow these restrictions and guidelines:
− To work with WX6103, specify the VLAN by its ID, which is 33.
− To work with MSM 760, specify the VLAN by its name. To make the VLAN take effect on MSM 760, bind VLAN 33 on MSM 760 to a network profile with this VLAN name.
• The iNode client does not support machine authentication and is not required. However, if the iNode client is installed on the PC, disable wireless connection management in it. For more information, see "Disabling wireless connection management in the iNode client."
Configuring the DHCP server
1. Start the DHCP server.
2. From the navigation tree, right-click the name of a DHCP server, and select New Scope from the shortcut menu.
The New Scope Wizard page opens.
3. Click Next.
4. On the Scope Name page, enter 1x in the Name field, and then click Next, as shown in Figure 3.
Figure 3 Scope Name
5. On the IP Address Range page, configure IP address range parameters, as shown in Figure 4:
a. Enter 33.33.33.2 and 33.33.33.254 in the Start IP address and End IP address fields, respectively.
b. Specify 255.255.255.0 as the subnet mask.
c. Click Next.
Figure 4 IP Address Range
6. On the Add Exclusions and Delay page, click Next, as shown in Figure 5.
Figure 5 Add Exclusions and Delay
7. On the Lease Duration page, use the default settings, and then click Next, as shown in Figure 6.
Figure 6 Lease Duration
8. On the Configure DHCP Options page, select Yes, I want to configure these options now, and then click Next, as shown in Figure 7.
Figure 7 Configure DHCP Options
9. On the Router (Default Gateway) page, specify 33.33.33.1 as the default gateway, and then click Next, as shown in Figure 8.
Figure 8 Router (Default Gateway)
10. On the Domain Name and DNS Servers page, specify the parent domain name and the DNS server IP address, and then click Next, as shown in Figure 9.
This example uses uam.test.com as the parent domain name and 1.2.2.33 as the DNS server IP address.
Figure 9 Domain Name and DNS Servers
11. On the WINS Servers page, click Next, as shown in Figure 10.
Figure 10 WINS Servers
12. On the Activate Scope page, select Yes, I want to activate this scope now, and then click Next, as shown in Figure 11.
Figure 11 Activating Scope
13. On the Completing the New Scope Wizard page, click Finish.
The new DHCP scope is added to the DHCP page. The DHCP server applies this scope to wireless users who pass 802.1X authentication.
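The scope only works for wireless clients if its address plan and the relay agent agree: the pool must lie inside the subnet, the default gateway must be in that subnet but outside the pool, and the relay interface address (the giaddr the relay agent inserts) must fall inside the scope subnet, otherwise the server has no scope to answer from. The following Python script is added here as an illustration; it is not part of the HPE document or of IMC. It uses the scope values from the steps above and the relay values from the WX6103 and switch CLI sections later in this document, and models the server's scope selection for a relayed request as defined in RFC 2131.

```python
import ipaddress

# Scope "1x" as entered in the New Scope Wizard above.
SCOPE_1X = {
    "name": "1x",
    "start": "33.33.33.2",
    "end": "33.33.33.254",
    "mask": "255.255.255.0",
    "router": "33.33.33.1",
}

# Relay agent settings from the WX6103 / switch CLI in this document:
# VLAN-interface 33 carries 33.33.33.1/24 and relays to the server 1.2.2.32.
RELAY_INTERFACE_IP = "33.33.33.1"
DHCP_SERVER_IP = "1.2.2.32"


def scope_network(scope):
    """The subnet a scope serves, derived from its start address and mask."""
    return ipaddress.ip_network(f"{scope['start']}/{scope['mask']}", strict=False)


def validate_scope(scope):
    """Return a list of problems with the scope definition (empty if sound)."""
    problems = []
    net = scope_network(scope)
    start = ipaddress.ip_address(scope["start"])
    end = ipaddress.ip_address(scope["end"])
    router = ipaddress.ip_address(scope["router"])
    if start > end:
        problems.append("start address is after end address")
    if end not in net:
        problems.append("end address is outside the scope subnet")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    if router not in net:
        problems.append("default gateway is not in the scope subnet")
    elif start <= router <= end:
        problems.append("default gateway lies inside the lease pool; exclude it")
    return problems


def select_scope(scopes, giaddr):
    """Pick the scope a server would use for a relayed request.

    A relay agent writes its own interface address into giaddr, and the
    server answers from the scope whose subnet contains that address.
    Returns None when no scope matches (the request would go unanswered).
    """
    g = ipaddress.ip_address(giaddr)
    for scope in scopes:
        if g in scope_network(scope):
            return scope["name"]
    return None


def relay_required(scope, server_ip):
    """True when the server is off the client subnet, so a relay agent is needed."""
    return ipaddress.ip_address(server_ip) not in scope_network(scope)


if __name__ == "__main__":
    print("scope problems:", validate_scope(SCOPE_1X) or "none")
    print("scope selected for relayed request:", select_scope([SCOPE_1X], RELAY_INTERFACE_IP))
    print("relay agent required:", relay_required(SCOPE_1X, DHCP_SERVER_IP))
```

Running the script with the document's values reports no scope problems, selects scope 1x for a request relayed from 33.33.33.1, and confirms that the relay agent is needed because the server 1.2.2.32 is not on 33.33.33.0/24. Moving the pool start to 33.33.33.1 is flagged, because the gateway would then be handed out as a lease.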
Configuring UAM
Configuring the AC as an access device
1. Click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
The access device list opens.
3. Click Add, as shown in Figure 12.
Figure 12 Accessing the access device list
The Add Access Device page opens, as shown in Figure 13.
Figure 13 Adding an access device
4. Add the AC to UAM as an access device.
You can add the AC to UAM manually or by selecting it from the IMC platform. This example uses the Add Manually option.
To manually add the AC to UAM:
a. In the Device List area, click Add Manually.
b. Configure the IP address of the AC:
− For WX6103, enter 1.2.2.249 in the Device IP field, as shown in Figure 14.
− For MSM 760, enter 1.2.2.76 in the Device IP field.
c. Click OK.
Figure 14 Adding an access device manually
5. Configure common parameters for the access device, as shown in Figure 15:
a. Enter 1812 and 1813 in the Authentication Port and Accounting Port fields, respectively.
b. Select Fully Supported from the RADIUS Accounting list.
c. Select LAN Access Service from the Service Type list.
d. Select the access device type from the Access Device Type list:
− For WX6103, select H3C (General).
− For MSM 760, select HP (General).
e. Enter hello in the Shared Key and Confirm Shared Key fields.
f. Use the default values for other parameters.
Figure 15 Configuring the access device
6. Click OK.
7. On the result page that opens, click Back to Access Device List.
The AC is added to the access device list, as shown in Figure 16.
Figure 16 Viewing the AC
Configuring an access policy
1. From the navigation tree, select User Access Policy > Access Policy.
The Access Policy page opens, as shown in Figure 17.
Figure 17 Accessing the Access Policy page
2. Click Add.
The Add Access Policy page opens.
3. Configure access policy parameters, as shown in Figure 18:
a. Enter cer in the Access Policy Name field.
b. Select EAP-TLS from the Preferred EAP Type list.
c. Select Disable from the EAP Auto Negotiate list.
d. Configure the VLAN to be deployed:
− For WX6103, enter 33.
− For MSM 760, enter ssbyodjay1x, as shown in Figure 19.
e. Use the default values for other parameters.
Figure 18 Adding an access policy when the access device is WX6103
Figure 19 Adding an access policy when the access device is MSM 760
4. Click OK.
Configuring an access service
1. From the navigation tree, select User Access Policy > Access Service.
The Access Service page opens, as shown in Figure 20.
Figure 20 Accessing the Access Service page
2. In the access service list, click Add.
The Add Access Service page opens.
3. Configure the basic information for the access service, as shown in Figure 21:
a. Enter cer in the Service Name field.
b. Select cer from the Default Access Policy list.
c. Use the default values for other parameters.
Figure 21 Configuring an access service
4. Click OK.
Adding user accounts
Adding the computer user account
1. From the navigation tree, select Access User > All Access Users.
The All Access Users list opens.
2. In the access user list, click Add, as shown in Figure 22.
Figure 22 Accessing the access user list
The Add Access User page opens, as shown in Figure 23.
Figure 23 Adding a computer user account
3. Click Select next to the User Name field, select a user from the IMC platform, and click OK.
This example uses ftest, as shown in Figure 24.
Figure 24 Selecting a user from the IMC platform
4. Configure access user parameters, as shown in Figure 25:
a. Select Computer User. IMC automatically populates the Account Name field with computer.
b. Select cer in the access service list.
c. Use the default values for other parameters.
Figure 25 Configuring the user account
5. Click OK.
Adding an access user account named client212
1. In the access user list, click Add.
The Add Access User page opens.
2. Configure the following parameters, as shown in Figure 26:
a. Click Select next to the User Name field to associate the access user with the IMC platform user named ftest.
b. Enter client212 in the Account Name field.
c. Configure a password in the Password and Confirm Password fields.
d. Select cer in the access service list.
e. Use the default values for other parameters.
Figure 26 Adding an access user account named client212
3. Click OK.
Importing server and root certificates
1. From the navigation tree, select User Access Policy > Service Parameters > Certificate.
The Certificate page opens, as shown in Figure 27.
Figure 27 Accessing the Certificate page
2. On the Root Certificate tab, click Import EAP Root Certificate.
3. Click Browse to select a root certificate, as shown in Figure 28.
Figure 28 Selecting a root certificate
4. Click Next.
The CRL configuration page opens, as shown in Figure 29.
This example does not include the CRL configuration.
Figure 29 CRL configuration
5. Click OK.
The Root Certificate tab displays the imported root certificate, as shown in Figure 30.
Figure 30 Root certificate import result
6. Click the Server Certificate tab, and then click Import EAP Server Certificate, as shown in Figure 31.
Figure 31 Importing the server certificate
7. Select Private key is included in server certificate file, and then click Browse to select a server certificate, as shown in Figure 32.
Figure 32 Selecting a server certificate
8. Click Next.
9. Enter the password of the server private key, which was configured during the export of the server certificate, as shown in Figure 33.
Figure 33 Entering the server certificate key password
10. Click OK.
The Server Certificate tab displays the imported server certificate, as shown in Figure 34.
Figure 34 Server certificate import result
Configuring WX6103
Associating WX6103 with an AP
After you associate WX6103 with an AP, the two devices establish a tunnel to forward traffic.
You can manually or automatically associate WX6103 with the AP. This example uses the manual
method.
1. On the AP, display information about the AP and record its model number, serial ID, hardware version, and software version.
<WA2612-AGN>display wlan ap
Display AP Profile
------------------------------------------------------------------------------
Model Number               : WA2612-AGN
Serial-ID                  : 210235A0ALC116001253
AP Address                 : 1.2.1.205
H/W Version                : Ver.D
S/W Version                : V100R001B71D024(271698944)
Boot Version               : 1.23
Mode                       : Split Mac Mode
Device State               : Zero configuration state
Master AC:
Description                : -NA-
AC Address                 : -NA-
State                      : BDisc
Transmitted control packets: 0
Received control packets   : 0
Transmitted data packets   : 0
Received data packets      : 0
Latest AC IP address       : -NA-
Tunnel Down Reason         : -NA-
------------------------------------------------------------------------------
Unicast static AC IPv4 address: Not Configured
Unicast static AC IPv6 address: Not Configured
-------------------------------------------------------------------------------
2. Configure WX6103.
# Log in to WX6103 and enable WLAN on the AC.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]wlan enable
% Info: WLAN service enabled
# Create an AP template named byod. Set the AP model to be the same as the Model Number
field in the AP information.
[H3C]wlan ap byod model WA2612-AGN
# Set the serial ID of the AP to be the same as the Serial-ID field in the AP information.
[H3C-wlan-ap-byod]serial-id 210235A0ALC116001253
[H3C-wlan-ap-byod]quit
# Specify the software version for the AP model and hardware version. Make sure the AP model, hardware version, and software version are the same as those in the AP information.
[H3C]wlan apdb WA2612-AGN Ver.D V100R001B71D024
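The values recorded in step 1 must be copied into the commands in step 2 exactly; a transcription slip in the serial ID or version string leaves the AP stuck outside the Run state. The following Python script is added here as an example (it is not from the HPE document or from Comware): it parses the key/value lines of the display wlan ap output shown in step 1 and generates the matching WX6103 commands. The template name byod, and the rule that the build number in parentheses is dropped from the S/W Version, follow the commands shown above.

```python
import re

# Constructed from the "display wlan ap" output shown in step 1.
AP_DISPLAY_OUTPUT = """\
Display AP Profile
------------------------------------------------------------------------------
Model Number               : WA2612-AGN
Serial-ID                  : 210235A0ALC116001253
AP Address                 : 1.2.1.205
H/W Version                : Ver.D
S/W Version                : V100R001B71D024(271698944)
Boot Version               : 1.23
Mode                       : Split Mac Mode
Device State               : Zero configuration state
"""


def parse_ap_profile(text):
    """Parse the 'Key : Value' lines of the AP profile into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("-"):
            continue  # title, separator and blank lines carry no field
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def ac_commands(fields, template="byod"):
    """Return the WX6103 commands that register this AP under an AP template."""
    model = fields["Model Number"]
    serial = fields["Serial-ID"]
    hw = fields["H/W Version"]
    # The apdb command takes the version label without the build id in parentheses.
    sw = re.sub(r"\(.*\)$", "", fields["S/W Version"])
    return [
        f"wlan ap {template} model {model}",
        f" serial-id {serial}",
        " quit",
        f"wlan apdb {model} {hw} {sw}",
    ]


if __name__ == "__main__":
    print("\n".join(ac_commands(parse_ap_profile(AP_DISPLAY_OUTPUT))))
```

For the output above the script prints the same four commands that step 2 enters by hand, which makes it a quick way to check a configuration against what the AP actually reports.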
3. On the AP, specify the IP address of WX6103.
<WA2612-AGN>system-view
System View: return to User View with Ctrl+Z.
[WA2612-AGN]wlan ac ip 1.2.2.249
4. Verify that the AP is successfully associated with WX6103.
# Telnet to WX6103 and display all associated APs.
[H3C]display wlan ap all
Total Number of APs configured           : 1
Total Number of configured APs connected : 0
Total Number of auto APs connected       : 1
AP Profiles
State : I = Idle, J = Join, JA = JoinAck, C = Config, R = Run, IL = ImageLoad
        KU = KeyUpdate, KC = KeyCfm, M = Master, B = Backup
-------------------------------------------------------------------------------
AP Name          State    Model          Serial-ID
-------------------------------------------------------------------------------
Byod             R/M      WA2612-AGN     210235A0ALC116001253
-------------------------------------------------------------------------------
The R/M state shows that the AP named byod is successfully associated with WX6103.
Configuring 802.1X authentication on WX6103
1. Configure a RADIUS scheme and an ISP domain:
# Log in to WX6103. Create RADIUS scheme byodjay1x and enter its view.
<WX6103>system-view
System View: return to User View with Ctrl+Z.
[WX6103]radius scheme byodjay1x
New Radius scheme
# Specify the IP address of the authentication and accounting server (UAM) as 1.2.2.137, and set the shared key for RADIUS authentication and accounting communication to hello.
[WX6103-radius-byodjay1x]primary authentication 1.2.2.137
[WX6103-radius-byodjay1x]primary accounting 1.2.2.137
[WX6103-radius-byodjay1x]key authentication hello
[WX6103-radius-byodjay1x]key accounting hello
# Specify the source IP address of RADIUS packets sent to UAM.
[WX6103-radius-byodjay1x]nas-ip 1.2.2.249
# Configure the RADIUS server type as extended to support UAM.
[WX6103-radius-byodjay1x]server-type extended
# Configure the AC to remove domain information from the usernames to be sent to the
RADIUS server.
[WX6103-radius-byodjay1x]user-name-format without-domain
[WX6103-radius-byodjay1x]quit
# Create an ISP domain named 1x.
[WX6103]domain 1x
# Configure the ISP domain to use RADIUS scheme byodjay1x for authentication,
authorization, and accounting.
[WX6103-isp-1x]authentication default radius-scheme byodjay1x
[WX6103-isp-1x]authorization default radius-scheme byodjay1x
[WX6103-isp-1x]accounting default radius-scheme byodjay1x
[WX6103-isp-1x]quit
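The RADIUS scheme above has to agree with what was entered on UAM's Add Access Device page (Device IP, ports, shared key) and with the suffix-less access service, as the restrictions and guidelines earlier in this document require; a mismatch in any of them means UAM drops or rejects the AC's requests without the client ever seeing a certificate prompt. The following Python script is added here as a consistency check and is not part of the HPE document, IMC or Comware. It parses the scheme lines shown above (prompts removed; the 1812/1813 defaults for a primary server line without a port are Comware's) and compares them with the UAM settings from this document.

```python
import re

# Constructed from the WX6103 CLI lines in this section (prompts and
# comments removed); it is not output captured from a device.
WX6103_RADIUS_SCHEME = """\
radius scheme byodjay1x
 primary authentication 1.2.2.137
 primary accounting 1.2.2.137
 key authentication hello
 key accounting hello
 nas-ip 1.2.2.249
 server-type extended
 user-name-format without-domain
"""

# Ports Comware uses when the primary server line gives none.
DEFAULT_PORTS = {"authentication": 1812, "accounting": 1813}

# Values entered on UAM's Add Access Device and Add Access Service pages.
UAM_SETTINGS = {
    "uam_ip": "1.2.2.137",
    "device_ip": "1.2.2.249",
    "auth_port": 1812,
    "acct_port": 1813,
    "shared_key": "hello",
    "service_suffix": "",  # access service "cer" has no suffix
}


def parse_radius_scheme(text):
    """Parse the settings of one Comware radius scheme block into a dict."""
    scheme = {"name": None, "servers": {}, "ports": {}, "keys": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"radius scheme (\S+)", line):
            scheme["name"] = m.group(1)
        elif m := re.fullmatch(r"primary (authentication|accounting) (\S+)(?: (\d+))?", line):
            kind, ip, port = m.groups()
            scheme["servers"][kind] = ip
            scheme["ports"][kind] = int(port) if port else DEFAULT_PORTS[kind]
        elif m := re.fullmatch(r"key (authentication|accounting) (\S+)", line):
            scheme["keys"][m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"(nas-ip|server-type|user-name-format) (\S+)", line):
            scheme[m.group(1)] = m.group(2)
    return scheme


def check_against_uam(scheme, uam):
    """Return the mismatches between the AC's scheme and UAM; empty means consistent."""
    problems = []
    for kind in ("authentication", "accounting"):
        if scheme["servers"].get(kind) != uam["uam_ip"]:
            problems.append(f"{kind} server is not UAM ({uam['uam_ip']})")
        if scheme["keys"].get(kind) != uam["shared_key"]:
            problems.append(f"{kind} shared key differs from UAM")
    if scheme["ports"].get("authentication") != uam["auth_port"]:
        problems.append("authentication port differs from UAM")
    if scheme["ports"].get("accounting") != uam["acct_port"]:
        problems.append("accounting port differs from UAM")
    # UAM matches the AC by the source address of its RADIUS packets.
    if "nas-ip" not in scheme:
        problems.append("no nas-ip: register the IP of the interface facing UAM instead")
    elif scheme["nas-ip"] != uam["device_ip"]:
        problems.append("nas-ip differs from the Device IP registered in UAM")
    if scheme.get("server-type") != "extended":
        problems.append("server-type must be extended to work with UAM")
    # With a suffix-less access service, the AC must strip the domain it appends.
    if uam["service_suffix"] == "" and scheme.get("user-name-format") != "without-domain":
        problems.append("access service has no suffix but the AC keeps the domain in usernames")
    return problems


if __name__ == "__main__":
    scheme = parse_radius_scheme(WX6103_RADIUS_SCHEME)
    print(check_against_uam(scheme, UAM_SETTINGS) or "AC and UAM settings agree")
```

With the document's values the check returns no problems. Changing one shared key, or switching user-name-format to with-domain (which would make the AC send client212@1x to an account named client212), is reported before the first client attempts to authenticate.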
2. Configure DHCP relay:
# Enable DHCP and configure DHCP server group 1.
[WX6103]dhcp enable
[WX6103]dhcp relay server-group 1 ip 1.2.2.32
# Create VLAN 33.
[WX6103]vlan 33
[WX6103-vlan33]quit
# Configure the gateway address of DHCP scope 1x as the IP address of VLAN-interface 33.
[WX6103]interface Vlan-interface 33
[WX6103-Vlan-interface33]ip address 33.33.33.1 24
# Enable DHCP relay agent on VLAN-interface 33, and associate DHCP server group 1 with the
interface.
[WX6103-Vlan-interface33]dhcp select relay
[WX6103-Vlan-interface33]dhcp relay server-select 1
[WX6103-Vlan-interface33]quit
# Configure a routing protocol to advertise the network 33.33.33.0/24. (Details not shown.)
3. Configure 802.1X authentication:
# Create WLAN-ESS 33, set its port link type to hybrid, and enable MAC-based VLAN on the
interface.
[WX6103]interface wlan-ess 33
[WX6103-WLAN-ESS33]port link-type hybrid
[WX6103-WLAN-ESS33]mac-vlan enable
# Enable 802.1X authentication on WLAN-ESS 33.
[WX6103-WLAN-ESS33]port-security port-mode userlogin-secure-ext
# Enable key negotiation of the 11key type on WLAN-ESS 33.
[WX6103-WLAN-ESS33]port-security tx-key-type 11key
# Specify ISP domain 1x as the mandatory authentication domain on WLAN-ESS 33.
[WX6103-WLAN-ESS33]dot1x mandatory-domain 1x
# Disable the handshaking function, because the wireless client that is embedded in Windows
Server does not support the handshaking function.
[WX6103-WLAN-ESS33]undo dot1x handshake
[WX6103-WLAN-ESS33]quit
# Globally enable port security.
[WX6103]port-security enable
# Set the 802.1X authentication method to EAP.
[WX6103]dot1x authentication-method eap
# Create crypto type WLAN service template 33 for 802.1X authentication.
[WX6103]wlan service-template 33 crypto
# Configure the SSID of the service template as ss_byod_jay_1x.
[WX6103-wlan-st-33]ssid ss_byod_jay_1x
# Bind the service template to WLAN-ESS 33.
[WX6103-wlan-st-33]bind wlan-ess 33
# Configure the service template to use the open-system authentication method. This
authentication method is required if WPA is used.
[WX6103-wlan-st-33]authentication-method open-system
# Configure the security IE as WPA and cipher suite as TKIP.
[WX6103-wlan-st-33]security-ie wpa
[WX6103-wlan-st-33]cipher-suite tkip
# Enable the service template.
[WX6103-wlan-st-33]service-template enable
Please wait... Done.
[WX6103-wlan-st-33]quit
# Create radio policy byodjay1x. You can skip this step and use the default radio policy.
[WX6103]wlan radio-policy byodjay1x
[WX6103-wlan-rp-byodjay1x]beacon-interval 200
[WX6103-wlan-rp-byodjay1x]dtim 4
[WX6103-wlan-rp-byodjay1x]rts-threshold 2300
[WX6103-wlan-rp-byodjay1x]fragment-threshold 2200
[WX6103-wlan-rp-byodjay1x]short-retry threshold 6
[WX6103-wlan-rp-byodjay1x]long-retry threshold 5
[WX6103-wlan-rp-byodjay1x]max-rx-duration 500
[WX6103-wlan-rp-byodjay1x]quit
# In AP template byod view, associate radio 1 with radio policy byodjay1x and service
template 33.
[WX6103]wlan ap byod
[WX6103-wlan-ap-byod]radio 1
[WX6103-wlan-ap-byod-radio-1]channel auto
[WX6103-wlan-ap-byod-radio-1]radio-policy byodjay1x
[WX6103-wlan-ap-byod-radio-1]service-template 33
[WX6103-wlan-ap-byod-radio-1]radio enable
[WX6103-wlan-ap-byod-radio-1]quit
[WX6103-wlan-ap-byod]quit
Configuring MSM 760
1. Configure the VLAN to be deployed to the authenticated user:
a. From the navigation tree, select Network Tree > Controller.
b. In the top navigation bar, select Network > Network profiles.
c. Click Add New Profile.
The Add/Edit network profile page opens.
d. Configure the VLAN name as byodjay1x and the VLAN ID as 33, as shown in Figure 35.
Figure 35 Configuring VLANs
e. Click Save.
2. Configure a RADIUS profile for 802.1X authentication, as shown in Figure 36:
a. From the navigation tree, select Network Tree > Controller.
b. In the top navigation bar, select Authentication > RADIUS profiles.
c. Click Add New Profile.
The Add/Edit RADIUS profile page opens.
d. Enter ss_byod_jay_1x in the Profile name field.
e. Enter 1812 in the Authentication port field and 1813 in the Accounting port field.
f. Select EAP MD5 from the Authentication method list.
g. Enter 1.2.2.137 in the Server address field for the primary RADIUS server.
h. Enter hello in the Secret and Confirm secret fields for the primary RADIUS server.
i. Use the default values for other parameters.
Figure 36 Configuring the RADIUS profile for 802.1X authentication
j. Click Save.
3. Configure a VSC profile, as shown in Figure 37:
a. From the navigation tree, select Network Tree > Controller > VSCs.
b. In the top navigation bar, select Overview > VSC profiles.
c. Click Add New VSC Profile.
The VSC profile page opens.
d. Configure Global parameters:
− Enter ss_byod_jay_1x in the Profile name field.
− Select the Authentication option for the Use Controller for field.
e. Configure Virtual AP parameters:
− Select the Virtual AP option.
− Enter ss_byod_jay_1x in the Name (SSID) field.
− Select the Broadcast name (SSID) option.
f. Configure Wireless protection parameters:
− Select the Wireless protection option, and select WPA from the list next to the option.
− Select WPA (TKIP) from the Mode list.
− Select Dynamic from the Key source list.
g. Configure 802.1X authentication parameters:
− Select the 802.1X authentication option.
− Select the Remote option.
− Select the RADIUS profile ss_byod_jay_1x from the RADIUS list.
− Select the RADIUS profile ss_byod_jay_1x from the RADIUS accounting list.
h. Clear MAC-based authentication.
i. Use the default values for other parameters.
Figure 37 Configuring a VSC profile
j. Click Save.
4. Configure a VSC binding, as shown in Figure 38:
a. From the navigation tree, expand the Controlled APs node, and select an AP group. This example uses default_group.
b. Click the VSC bindings tab.
c. Click Add New Binding.
The page for adding a VSC binding opens.
d. Select ss_byod_jay_1x from the VSC Profile list.
Figure 38 Configuring a VSC binding
e. Click Save.
Deploying configurations from MSM 760 to the AP
1. From the navigation tree, select Unsynchronized.
2. Select Overview > Discovered APs.
3. Select Synchronize Configuration from the Select the action to apply to all listed APs list and click Apply, as shown in Figure 39.
Figure 39 Deploying configurations to the AP
Configuring the switch that connects the AP to MSM 760
# Enable DHCP and configure DHCP server group 1.
<SW>system-view
System View: return to User View with Ctrl+Z.
[SW]dhcp enable
[SW]dhcp relay server-group 1 ip 1.2.2.32
# Create the security VLAN 33.
[SW]vlan 33
[SW-vlan33]quit
# Configure the gateway address of DHCP scope 1x as the IP address of VLAN-interface 33.
[SW]interface Vlan-interface 33
[SW-Vlan-interface33]ip address 33.33.33.1 255.255.255.0
# Enable DHCP relay agent on VLAN-interface 33, and associate DHCP server group 1 with the
interface.
[SW-Vlan-interface33]dhcp select relay
[SW-Vlan-interface33]dhcp relay server-select 1
[SW-Vlan-interface33]quit
Configuring the PC
Disabling wireless connection management in the iNode client
Perform this task if the iNode client is installed on your PC and is integrated with wireless connection management. Otherwise, skip this task.
When wireless connection management is enabled in the iNode client, you cannot manage wireless connections in the Windows client or configure machine authentication.
To disable wireless connection management, click the Management icon, click Settings on the Management Plat page, and select Manage Wireless by Windows, as shown in Figure 40.
Figure 40 Disabling wireless connection management in the iNode client
Importing certificates to the PC
Import the root certificate, machine certificate, and user certificate to the PC. For more information about obtaining and importing certificates, see the related documentation about CA certificates. Figure 41 and Figure 42 show the import results.
Figure 41 Root certificate
Figure 42 Machine certificate and user certificate
Configuring machine certificate authentication in Windows
1. Right-click Wireless Network Connection and select Properties from the shortcut menu.
2. Click the Wireless Networks tab and click View Wireless Networks, as shown in Figure 43.
Figure 43 Wireless network connection properties
3. Configure parameters on the Association tab, as shown in Figure 44:
a. In the Network name field, enter ss_byod_jay_1x.
b. Select WPA from the Network Authentication list.
c. Select TKIP from the Data encryption list.
d. Use the default values for other parameters.
Figure 44 Configuring association parameters
4. Configure parameters on the Authentication tab:
a. Click the Authentication tab.
b. Select Smart Card or other Certificate from the EAP type list and click Properties, as shown in Figure 45.
Figure 45 Selecting the EAP type
c. On the page that opens, select the following options, as shown in Figure 46:
− Use a certificate on this computer.
− Use simple certificate selection (Recommended).
− Validate server certificate.
− In the Trusted Root Certification Authorities area, select the certification authority of the root certificate that you have imported to the PC. This example uses 03-CNSQL05-0222.
Figure 46 Configuring the smart card and other certificate properties
d. Click OK.
e. On the Authentication tab, select the Authenticate as computer when computer information is available option.
f. Click OK.
5. Click OK.
Configuring user certificate authentication for account client212
1. Right-click the wireless icon in the system tray and select View Available Wireless Networks from the shortcut menu.
2. On the page that opens, double-click the wireless network named ss_byod_jay_1x, as shown in Figure 47.
Figure 47 Selecting the wireless network
An authentication message is displayed in the system tray, as shown in Figure 48.
Figure 48 Authentication message
3. Click the authentication message.
4. On the page that opens, select client212 and click OK, as shown in Figure 49.
Figure 49 Selecting the user certificate
Verifying the configuration
1. Restart the PC.
Machine certificate authentication is automatically performed when the Windows operating system starts.
2. Check the online user list in UAM.
The computer user is displayed in the list, as shown in Figure 50.
Figure 50 The computer user is online
3. Log in to Windows.
The user is automatically authenticated by using the user certificate and can access the Internet.
4. Check the online user list in UAM.
The access user named client212 is displayed in the list, as shown in Figure 51.
Figure 51 The access user named client212 is online