Effective personalized access control for network infrastructure. An example implementation with HP equipment

Personalized (per-user) control over access to the network is a troublesome task both for the administrator and for the user. Many system administrators shy away from it and fall back on “simpler” ways of controlling access on user ports, such as MAC authentication, portal authentication or port-security, or apply no control on the port at all.

But what if you still need personalized control over access to the network? And what if that access control has to cover both wired and wireless subscribers?

In this article I will explain how this problem can be solved with a combination of a wireless access point controller such as the HP MSM (the exact model is not important) and the HP IMC management system with the User Access Management (UAM) module installed. The other infrastructure elements, the wireless access point and the wired access switch, are only a transport path for the traffic, and I will mention them only in passing.
Using screenshots and CLI configuration elements, I will show how the equipment is configured for this task.
I'll start with the HP MSM wireless access point controller. It will act as the “authenticator”, or NAS: the device that receives the users' authentication requests and talks to the RADIUS server. The RADIUS server will be the IMC system with the UAM module installed. Incidentally, the controller also has a local RADIUS server, but in our example we will use an external one.
The controller must first be given basic “connectivity”, preferably via the Internet port, and the wireless access points must be connected to it in a separate VLAN, for example VLAN 10. The controller can discover access points at both L2 and L3.

1.1. On the controller, create an external RADIUS server profile. The settings are fairly standard and are shown in Fig. 1; the authentication method is MSCHAPv2.



Fig. 1

1.2. Next, create a Virtual Service Community (VSC), which will provide our users with the wireless access service. A VSC can be created manually or with the help of the automated workflows that HP MSM controllers also provide.
The main parameters when configuring the VSC are as follows and are shown in Fig. 2 and Fig. 3.

1.2.1. HP MSM wireless controllers support a distributed forwarding model in which user data traffic is delivered directly to the wired network switch, bypassing the controller. Since we use this model, uncheck the “Use controller for Access Control” checkbox.

1.2.2. Choose the wireless security protocol: WPA with dynamic key generation using 802.1X (the “802.1x authentication” checkbox is selected automatically).

1.2.3. In the 802.1X field, select the use of an external server for 802.1X authentication and choose the IMC RADIUS profile we created.

1.2.4. Set the SSID name field, for example, X_marketing.

1.2.5. In the “RADIUS accounting” field, also select our IMC RADIUS profile, and set the “called station id” content field to macaddress:ssid.

1.2.6. Leave the remaining fields unchanged.



Fig. 2



Fig. 3

1.3. Since we use the distributed model for delivering data traffic to the network, we must tell the group of access points which VLAN they should forward the data traffic of our VSC into (Fig. 4). In other words, we associate the VSC we created with an egress network profile. In our case the VLAN name is marketing and its ID is 20. Remember the VLAN name; we will need it later when configuring IMC UAM to authorize our subscribers. And, of course, the switch port to which the access point is connected must be configured to carry VLAN 20 tagged.



Fig. 4

1.4. Also on the HP MSM controller, you must specify the IP address of the Mobility Manager, which is given access to the controller's management functionality. In our case the Mobility Manager address is that of the IMC (Fig. 5).



Fig. 5

2. This completes the configuration of the controller. Now we move on to configuring IMC.

2.1. Using PEAP as the EAP authentication method means that no client certificate is required, which significantly reduces overhead. However, the root and server certificates must still be imported into IMC UAM. This is done under User > User Access Policy > Service Parameters > Certificate.



Fig. 6

2.2. Next, we need to create an Access Policy that will authorize our wireless subscriber. This is done under User > User Access Policy > Access Policy > Add Access Policy. The Access Policy I created, msm_svc, is shown in Fig. 7.



Fig. 7

“Certificate authentication” is selected. The “certificate type” field contains the value EAP-PEAP authN, and the “certificate sub-type” value is MS-CHAPv2 authN. The “deploy VLAN” field holds the VLAN assigned to the user, in our case marketing. The Access Policy also lets you bind the user to other parameters, for example Access Device IP, User IP or User MAC, which allows a more precise selection of the wireless subscriber during authentication.

2.3. The third step in configuring IMC UAM is the creation of a so-called access scenario, the Access Service, in which the Access Policy we created is combined with other access conditions, such as the access time interval, the access security policy, the type of operating system, the end-user equipment manufacturer and other parameters (see Fig. 8).



Fig. 8

The Access Service created as a result of these steps is then associated with our user, the Access User.

2.4. Create an access user in the IMC system under User > All Access Users > Add Access User (Fig. 9). At the same time, tick the Access Service we created, msm_as.



Fig. 9

2.5. The final step in configuring IMC is to add our NAS, the HP MSM wireless access point controller acting as authenticator, to the list of “official” access devices. This is done under User > User Access Policy > Access Device Management > Access Device > Add Access Device (Fig. 10).



Fig. 10
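The authorization decision that sections 1.2.5, 2.2 and 2.5 configure, as an added example in Python (not HP's code and not part of the original article): it checks the NAS against the registered access devices, parses the macaddress:ssid Called-Station-Id, selects the deploy VLAN for the SSID and returns it in the standard RADIUS tunnel attributes, signing the reply with the Response Authenticator so the controller can verify it came from the holder of the shared secret. The tables, NAS IP address and secret are constructed; the inner PEAP/MS-CHAPv2 exchange is not modelled, and returning the VLAN by name in Tunnel-Private-Group-ID is an assumption about how the controller maps it to the egress network profile.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2868).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed tables standing in for the IMC UAM configuration in the article:
# registered access devices (2.5) and the SSID -> deploy VLAN name mapping (1.2.5, 2.2).
ACCESS_DEVICES = {"10.0.0.5": b"msm-shared-secret"}   # NAS IP -> shared secret (constructed)
ACCESS_POLICIES = {"X_marketing": "marketing"}        # SSID -> deploy VLAN name

def parse_called_station_id(value):
    """Split the 'macaddress:ssid' Called-Station-Id set in 1.2.5 into (AP MAC, SSID)."""
    mac, sep, ssid = value.partition(":")   # MAC is assumed dash-separated, as the controller sends it
    if not sep or len(mac.replace("-", "")) != 12:
        raise ValueError("unexpected Called-Station-Id format: %r" % value)
    return mac.upper(), ssid

def _attr(attr_type, payload):
    """Encode one RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload

def tunnel_attrs(vlan_name, tag=1):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<VLAN name>."""
    return (_attr(TUNNEL_TYPE, struct.pack("!BBH", tag, 0, TUNNEL_TYPE_VLAN)) +
            _attr(TUNNEL_MEDIUM_TYPE, struct.pack("!BBH", tag, 0, TUNNEL_MEDIUM_IEEE_802)) +
            _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode()))

def authorize(nas_ip, ident, request_auth, called_station_id):
    """Decide on one Access-Request; returns (code, reply bytes), or None for an unknown NAS."""
    secret = ACCESS_DEVICES.get(nas_ip)
    if secret is None:   # NAS not in Access Device Management: silently discard (RFC 2865 s.3)
        return None
    _, ssid = parse_called_station_id(called_station_id)
    vlan_name = ACCESS_POLICIES.get(ssid)
    if vlan_name is None:
        code, attrs = ACCESS_REJECT, b""
    else:
        code, attrs = ACCESS_ACCEPT, tunnel_attrs(vlan_name)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return code, header + resp_auth + attrs

def verify_response(secret, request_auth, reply):
    """NAS-side check that the reply was produced by the holder of the shared secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```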

2.6. Afterwards, all failed and successful authentication attempts of our user can be viewed in the logs under User > User Access Log > Authentication Failure Log (Fig. 11).



Fig. 11

Detailed information about the user and his access time is available under User > Access Log > Access Details (Fig. 12).



Fig. 12

3. And finally, how should the wireless subscriber's computer be configured to access the network? I will give an example for MS Windows 7.
Create a wireless network profile manually. The network name is X_marketing, the “security type” is WPA2-Enterprise, the “Encryption type” is AES; clear the “start this connection automatically” checkbox (Fig. 13).



Fig. 13

Click Next -> Change connection settings -> Security. For “choose a network authentication method” choose Microsoft: Protected EAP (PEAP) (Fig. 14).



Fig. 14

Click the “Settings” button, then click the “Configure” button next to the “Select Authentication Method” field (Fig. 15).



Fig. 15

Clear the “Automatically use my Windows logon name and password” checkbox and click “OK” twice.
In the “X_Marketing Wireless Network Properties” window, select the “Security” tab, click “Advanced settings” and make sure that the “Specify authentication mode” box is checked (Fig. 16).



Fig. 16

Click “OK”, then “OK” again. Now we try to connect to our wireless network. When prompted for the user name and password, enter the credentials of the user we created. The connection should succeed, and the user should obtain an IP address in VLAN 20.

P.S.

As for the price of controlled user access: for example, for 100 UAM users, at list prices, it is comparable to the price of a wired gigabit access port, and it decreases as the number of user licenses grows.

Source: https://habr.com/ru/post/230023/