Configuration

The goal is to provide secure and role-based access control for Guest Access using ACLs on Huawei WLC/Switch through Ivanti Policy Secure.

Using Guest Authentication Server

Use the Default Guest Authentication Server under Authentication > Auth.Servers.

The Guest configuration page is shown below.

Using Default Realm

Select User Realms > User Authentication Realms.

Using Default Sign-in Policy

Select Authentication > Signing In > Sign-in Policies.

Creating a Host Checker Policy

  1. Select Authentication > Endpoint Security > Host Checker.

  2. Under Policies, Click New and enter a policy name and click Continue.

  3. Under Rule Settings, select the rule type as Predefined Firewall and click Add.

  4. Enter the rule name and specify the criteria for compliance and click Save Changes.

Creating User Roles

  1. Select Users > User Roles > Guest Role (Default).

    User defined roles can also be created. For example, Remediation Role.

  2. Click Save Changes.

  3. Select User Roles > <Full Access Role> > General > Restrictions > Host Checker. Add the Firewall Policy restriction created earlier inCreating a Host Checker Policy for Full Access Role. Click Save Changes.

For Remediation Role, ensure that the Host Checker not required option is not selected.

  1. Set Role Mapping rules. Select User Realms > Guest > Role Mapping > New Rule

    Once the role mapping roles are configured the following screen is displayed.

Creating a new RADIUS Client

Add the Switch as RADIUS client

  1. Select Endpoint Policy > Network Access > RADIUS Client.

  2. Enter the name.

  3. Enter the IP address of the Switch.

  4. Select the make/model as Huawei.

  5. Select the default location group as Guest.

  6. Click Save Changes .

    Shared Secret will be used in the Huawei/RADIUS configuration.

Configuring RADIUS Return Attribute Policies

Define Radius Return Attribute policy based on ACL for different roles.

  1. Set RADIUS return attributes. Select Endpoint Policy > Network Access > RADIUS Return Attribute Policies. Click New Policy.

  2. Under RADIUS Attributes tab, select the check box for Return Attribute. Select appropriate Vendor Specific Attribute as Return Attribute. In the Value filed, define the ACL/Firewall Filter. For example, Return Attribute is Filter-Id and Value as full_access.in.

Similarly define a remediation policy with Return Attribute as Filter-Id and Value as limited_access.in.

The following example shows the Filter-Id radius attribute policy for Huawei Switches.

The following example shows RADIUS return attribute used to send the VLAN ID. In the below example, VLAN 101 is sent for Guest Access Role and VLAN 201 for Limited Access Role.

The following example shows the Filter-Id radius attribute policy for Huawei Switches.

  • When using VSAs there is no need to configure ACL/Firewall filters in the switches. These are managed by Ivanti Policy Secure and access control entries (ACEs) will be applied on the switches after User Authentication.
  • VLAN change using CoA is supported with Huawei Switches.

Configuring Huawei WLC/Switch

Administrator must configure hw_redirect_url as redirect url parameter key and hw_login_url as key for the login url parameter on Huawei switch.

Configure external Port Authentication on Access Controller

# Configure RADIUS authentication parameters.

# Configure a RADIUS server template.

[Huawei]radius-server template radius_wlc_pps

[Huawei-radius-radius_wlc_pps]display this

radius-server template radius_wlc_pps

radius-server shared-key cipher %^%#XX!84-3lJ~dR8X#p:-{0(TF+'=IOe<MG'BR2QrL&%^%#

radius-server authentication 192.168.10.11 1812 weight 80

radius-server accounting 192.168.10.11 1813 weight 80

calling-station-id mac-format hyphen-split mode2 uppercase

# Create an AAA scheme and set the authentication method to RADIUS.

[Huawei]aaa

[Huawei-aaa]authentication-scheme radius_wlc_pps

[Huawei-aaa-authen-radius_wlc_pps]display this

authentication-scheme radius_wlc_pps

authentication-mode radius

# Configure a Portal server profile

[Huawei]portal https-redirect enable

[Huawei] portal web-authen-server https ssl-policy ssl_policy port 8443

[Huawei]interface LoopBack 0

[Huawei-LoopBack0]display this

interface LoopBack0

ip address 10.0.0.1 255.255.255.255

[Huawei]free-rule-template name default_free_rule

[Huawei-free-rule-default_free_rule]display this

free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255

[Huawei]url-template name test

[Huawei-url-template-test]display this

url-template name test

#URL of the guest login page

url https://<IPS-IP>/guest

# Configure hw_redirect_url as redirect url parameter key and hw_login_url as key for the login url parameter on Huawei.

# hw_redirect_url: URL that the user is redirected to after successful authentication.

# hw_login_url: Switch URL needed to post parameters. Admin must configure login url value.

url-parameter redirect-url hw_redirect_url login-url hw_login_url https://10.0.0.1:8443/login

# https://10.0.0.1:8443/login is the login page of the Huawei

[Huawei]web-auth-server wlan-net

[Huawei-web-auth-server-wlan-net] display this

web-auth-server wlan-net

server-ip 192.168.10.11

port 50100

url-template test

server-detect action log

protocol http

http get-method enable

http-method post login-fail response err-msg authenserve-reply-message (or) http-method post login-fail response err-msg msg AuthenticationFailed (Recommended to configure one of this)

#Configure the Portal access profile portal_access_profile

[Huawei-portal-acces-profile-portal_access_profile]display this

portal-access-profile name portal_access_profile

web-auth-server wlan-net direct

#Create the authentication profile wlan-authentication

[Huawei-authen-profile-wlan-authentication]display this

authentication-profile name wlan-authentication

portal-access-profile portal_access_profile

free-rule-template default_free_rule

access-domain wlc_pps dot1x

access-domain wlc_pps dot1x force

access-domain wlc_pps portal

Configure WLAN service parameters.

# Create the security profile wlan-net and retain the default security policy (open system authentication).

[Huawei]wlan

[Huawei-wlan-view]security-profile name wlan-security

# Create the SSID profile.

[Huawei-wlan-view]ssid-profile name wlan-ssid

[Huawei-wlan-ssid-prof-wlan-ssid]display this

ssid wlan-pps

# Create the VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and bind the security profile, authentication profile, and SSID profile to the VAP profile.

[Huawei-wlan-view]vap-profile name wlan-vap

[Huawei-wlan-vap-prof-wlan-vap]display this

forward-mode tunnel

service-vlan vlan-pool vlan_pool_101_201

ssid-profile wlan-ssid

security-profile wlan-security

authentication-profile wlan-authentication

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

[Huawei-wlan-view]ap-group name ap-group1

[Huawei-wlan-ap-group-ap-group1]display this

regulatory-domain-profile domain1

radio 0

vap-profile wlan-vap wlan 1

radio 1

vap-profile wlan-vap wlan 1

#Create the ACL for full access and limited access. Admin must use the same ACL names in IPS.

acl name full_access 3998

description full_access.in

rule 1 permit ip

acl name limited_access 3999

description limited_access.in

rule 1 deny ip destination <Resource-IP>