
Backend network-planning

Altai Super WiFi

Altai Certification Training

Backend Network Planning

Professional Services, Altai Technologies Limited

Not for Distribution – Altai Confidential

Module Outline

• Service Controller Solution
  – Layer 2 Network Deployment Scenario
  – Layer 3 Network Deployment Scenario

• A3 ACS Solution

www.altaitechnologies.com

Service Controller Solution

• RADIUS or Active Directory in the existing network serves as the authentication server

• Multiple SSIDs for different client groups, e.g. staff and guest

• Each client group is allowed to access only specific network subnets

• A different authentication method can be applied to each SSID

Layer 2 Network Deployment Scenario

• Deployment scenario: an enterprise network spanning one or several buildings, connected at layer 2.

• Solution 1: the SC (Service Controller) Internet port acts as the network backhaul, and the LAN port connects to the AP.

• Solution 2: one of the SC ports acts as the network backhaul.

Layer 2 Network Design

• Intranet for staff
  – Ingress VLAN 1
  – Egress VLAN 10
  – Client IP subnet 192.168.1.x
  – AD or RADIUS authentication
  – Allowed access: intranet and internet

• Internet for guest
  – Ingress VLAN 2
  – Egress VLAN 10
  – Client IP subnet 192.168.2.x
  – SC local account
  – HTML authentication

Layer 2 Network Solution I

[Network diagram; labels recovered from the slide:]

• Internet, Router, Firewall, RADIUS Server, Active Directory, DHCP server, Intranet
• Link labels: VLAN 10, VLAN 20
• Service Controller: Internet Port: VLAN 10 & 20; LAN Port: VLAN 1 & 2
• VLAN Switch: VLAN 1, 2, 100
• Trunk ports
• Altai AP: VLAN 1, VLAN 2, VLAN 100
• SSID_Intranet: 192.168.1.x, VLAN 1
• SSID_Internet: 192.168.2.x, VLAN 2
• Management SSID: 192.168.100.x, VLAN 100
• Management Server: VLAN 100

Layer 2 Network Solution II

[Network diagram; labels recovered from the slide:]

• Internet, Router, Firewall, RADIUS Server, Active Directory, DHCP server, Intranet
• Link labels: VLAN 10, VLAN 20
• VLAN Switch: Network: VLAN 10, 20; SC Port: VLAN 1, 2, 10, 20, 100; AP Port: VLAN 1, 2, 100
• Service Controller: Egress: VLAN 10 & 20; Ingress: VLAN 1 & 2
• Trunk ports
• Altai AP: VLAN 1, VLAN 2, VLAN 100
• SSID_Intranet: 192.168.1.x, VLAN 1
• SSID_Internet: 192.168.2.x, VLAN 2
• Management SSID: 192.168.100.x, VLAN 100
• Management Server: VLAN 100
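An added example, not part of the Altai training material: a small Python audit of the trunk plan labelled on the Layer 2 Solution II diagram. It checks that each client ingress VLAN reaches the AP and SC ports but is not carried on the network-side port, so client traffic has to pass through the Service Controller; the data layout, the `audit()` function, the checks chosen and the `BAD_PORTS` sample are assumptions made for illustration.

```python
# Added example: VLAN values transcribed from the Layer 2 Solution II slide.
# The data layout, audit() and BAD_PORTS are assumptions made for illustration.
SSIDS = {"SSID_Intranet": 1, "SSID_Internet": 2}   # SSID -> ingress VLAN
EGRESS_VLANS = {10, 20}                            # SC egress VLANs
PORTS = {                                          # switch port -> VLANs carried
    "ap": {1, 2, 100},
    "sc": {1, 2, 10, 20, 100},
    "network": {10, 20},
}
# Constructed misconfiguration: VLAN 2 dropped from the AP trunk and
# leaked onto the network-side port.
BAD_PORTS = {"ap": {1, 100}, "sc": {1, 2, 10, 20, 100}, "network": {2, 10, 20}}


def audit(ssids, egress, ports):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for name, vlan in ssids.items():
        # Client traffic must be able to travel AP -> switch -> SC.
        for port in ("ap", "sc"):
            if vlan not in ports[port]:
                findings.append(f"{name}: ingress VLAN {vlan} missing on {port} port")
        # An ingress VLAN on the network side gives clients a layer 2 path
        # that does not traverse the Service Controller.
        if vlan in ports["network"]:
            findings.append(f"{name}: ingress VLAN {vlan} carried on network port")
        if vlan in egress:
            findings.append(f"{name}: VLAN {vlan} is both ingress and egress")
    for vlan in sorted(egress):
        # Authenticated traffic leaves the SC on its egress VLANs.
        for port in ("sc", "network"):
            if vlan not in ports[port]:
                findings.append(f"egress VLAN {vlan} missing on {port} port")
    # AP-facing trunks should never carry egress VLANs.
    for vlan in sorted(egress & ports["ap"]):
        findings.append(f"egress VLAN {vlan} carried on ap port")
    return findings


if __name__ == "__main__":
    for label, ports in (("slide plan", PORTS), ("constructed bad plan", BAD_PORTS)):
        result = audit(SSIDS, EGRESS_VLANS, ports)
        print(label, "->", result or "consistent")
```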

Layer 2 Active Directory authentication Procedure

[Sequence diagram; labels grouped by participant column:]

• User: associates with the wireless network; EAPOL start; EAP Response/Identity; EAP response; DHCP request
• AP: EAP Request/Identity; redirects the request to the Service Controller; EAP request; EAP success
• Service Controller: EAP Response/Identity over AD; EAP Response over AD
• AD Server: EAP request over AD; EAP success over AD and user configuration
• DHCP server: responds to the DHCP request and sends the IP address back

Layer 2 HTML authentication Procedure

[Sequence diagram; labels grouped by participant column:]

• User: associates with the wireless network; sends DHCP request; attempts to browse a Web site; user login; transport page sends request for session and welcome page
• AP: redirects the request to the DHCP server; redirects the request to the Service Controller
• Service Controller: request is intercepted; login page is returned; user login info is sent for authentication; transport page is sent; session and welcome pages are sent
• Local account: login approved; user configuration settings are returned
• DHCP server: responds to the DHCP request and sends the IP address back

Layer 3 Network Deployment Scenario

• Deployment scenario: a university or enterprise network spanning multiple buildings, connected at layer 3.

• Solution 1: the two buildings are connected at layer 3 (traffic is forwarded based on IP address). Because the SC communicates with the AP only over VLANs, an SC should be deployed in every building in this case.

• Solution 2: the two buildings are connected through a tunnel that supports VLANs. In this case, only one Service Controller is needed for the entire network.

Layer 3 Network Design Solution_I

Building 1

• Intranet for staff
  – Ingress VLAN 1
  – Egress VLAN 10
  – Client IP subnet 192.168.1.x
  – AD or RADIUS authentication
  – Allowed access: intranet and internet

• Internet for guest
  – Ingress VLAN 2
  – Egress VLAN 10
  – Client IP subnet 192.168.2.x
  – SC local account
  – HTML authentication

Building 2

• Intranet for staff
  – Ingress VLAN 3
  – Egress VLAN 10
  – Client IP subnet 192.168.3.x
  – AD or RADIUS authentication
  – Allowed access: intranet and internet

• Internet for guest
  – Ingress VLAN 4
  – Egress VLAN 10
  – Client IP subnet 192.168.4.x
  – SC local account
  – HTML authentication

Layer 3 Network Solution_I

[Network diagram; labels recovered from the slide:]

• Internet, Router, Firewall, RADIUS Server, Active Directory, DHCP server, Intranet
• Link labels: VLAN 20 & 40, VLAN 10 & 30
• Trunk ports
• Side with VLAN 1 and 2:
  – VLAN Switch: Network: VLAN 10, 20; SC Port: VLAN 1, 2, 10, 20; AP Port: VLAN 1, 2
  – Service Controller: Egress: VLAN 10 & 20; Ingress: VLAN 1 & 2
  – Altai AP: VLAN 1, VLAN 2
  – SSID_Intranet: 192.168.1.x, VLAN 1
  – SSID_Internet: 192.168.2.x, VLAN 2
• Side with VLAN 3 and 4:
  – VLAN Switch: Network: VLAN 30, 40; SC Port: VLAN 3, 4, 30, 40; AP Port: VLAN 3, 4
  – Service Controller: Egress: VLAN 30 & 40; Ingress: VLAN 3 & 4
  – Altai AP: VLAN 3, VLAN 4
  – SSID_Intranet: 192.168.3.x, VLAN 3
  – SSID_Internet: 192.168.4.x, VLAN 4

Layer 3 Solution I Authentication Procedure

[Sequence diagram, Building 1 for example; labels grouped by participant column:]

• User: associates with the wireless network; EAPOL start; EAP Response/Identity; EAP response; DHCP request
• AP: EAP Request/Identity; redirects the request to the Service Controller; EAP request; EAP success
• Service Controller in Building 1: EAP Response/Identity over AD; EAP Response over AD
• AD Server: EAP request over AD; EAP success over AD and user configuration
• DHCP server: responds to the DHCP request and sends the IP address back

Case study: ASTRI Deployment

[Network diagram; labels recovered from the slide:]

• Internet, Router, Firewall, Active Directory, Intranet
• Link labels: VLAN 20, VLAN 10
• DHCP server: 192.168.0.x
• VLAN Switch: Network: VLAN 10, 20; SC Port: VLAN 1, 2, 10, 20; AP Port: VLAN 1, 2
• Service Controller: Egress: VLAN 10 & 20; Ingress: VLAN 1 & 2
• Trunk ports
• Altai AP: VLAN 1, VLAN 2
• SSID_Intranet: 192.168.0.x, VLAN 1, AD authentication
• SSID_Internet: 192.168.0.x, VLAN 2, HTML authentication

Wireless Network

SSID      Target Clients  VLAN  Authentication    Encryption
Intranet  Staff           1     Active Directory  WPA/WPA2
Internet  Guest           2     Captive Portal    WPA-PSK

VLAN Network

SSID      VLAN_Ingress  Client IP Address  VLAN_Egress  Colubris Interface IP address
Intranet  1             192.168.0.x        10           10.6.11.2
Internet  2             192.168.0.x        20           10.6.12.2

[Configuration screens, slides 17 to 36; only the slide titles survive, the screenshots are not preserved:]

• Network configuration: ingress VLAN
• Network configuration: egress VLAN
• Network ports
• DHCP server (1)
• DHCP server (2)
• DNS
• Check IP routers
• Join Active Directory
• AD group configuration
• Add RADIUS secret
• Account Profiles (1)
• Account Profile (2)
• User account (1)
• User account (2)
• Access List
• VSC AD Authentication (1)
• VSC AD Authentication (2)
• VSC AD Authentication (3)
• VSC HTML Authentication (1)
• VSC HTML Authentication (2)

Layer 3 Network Design Solution_II

• Intranet for staff
  – Ingress VLAN 1
  – Egress VLAN 10
  – Client IP subnet 192.168.1.x
  – AD or RADIUS authentication
  – Allowed access: intranet and internet

• Internet for guest
  – Ingress VLAN 2
  – Egress VLAN 10
  – Client IP subnet 192.168.2.x
  – SC local account
  – HTML authentication

Layer 3 Network Solution_II

[Network diagram; labels recovered from the slide:]

• Internet, Router, Firewall, RADIUS Server, Active Directory, DHCP server, Intranet
• Link labels: VLAN 20 & 40, VLAN 10 & 30
• VLAN Switch: Network: VLAN 10, 20; SC Port: VLAN 1, 2, 10, 20; AP Port: VLAN 1, 2
• Service Controller: Egress: VLAN 10 & 20; Ingress: VLAN 1 & 2
• Multiple Layer3 tunnel
• Trunk ports
• Two Altai APs, each labelled VLAN 1, VLAN 2
• SSID_Intranet: 192.168.1.x, VLAN 1 (shown at both APs)
• SSID_Internet: 192.168.2.x, VLAN 2 (shown at both APs)

Layer 3 Solution II Authentication Procedure

[Sequence diagram, Building 1 for example, with a "Multiple Layer3 Tunnel" label; labels grouped by participant column:]

• User: associates with the wireless network; EAPOL start; EAP Response/Identity; EAP response; DHCP request
• AP: EAP Request/Identity; redirects the request to the Service Controller; EAP request; EAP success
• Service Controller: EAP Response/Identity over AD; EAP Response over AD
• AD Server: EAP request over AD; EAP success over AD and user configuration
• DHCP server: responds to the DHCP request and sends the IP address back

Case Study: Operator Network Deployment Solution

[Network diagram; labels recovered from the slide:]

• IP Backbone, Metro Ethernet Network, BAS, DSLAM, ADSL, AAA, Internet
• Standard DSL Modem/Router
• AP (Switch Mode), Multiple Access Points, Controller
• Tunneling Router (two), TUNNEL
• Tunnel between AP and Controller? IP Service with PPPoE (Internet or MPLS VPN)
• Interface labels: WiFi, Eth, GE, Wireless Backhaul

Altai A3 ACS Solution

• Deployment scenario: a hotzone whose whole network solution can fit in one box.

• RADIUS or MAC authentication in the existing network serves as the authentication server; there is no need to integrate with an Active Directory server

• Can use 3G as backhaul

• Roaming across A3s is not supported

• Local database is supported

• Multiple SSIDs for different client groups, such as staff and guest

• Each client group is allowed to access only specific network subnets

• A different authentication method can be applied to each SSID

ACS Network Design Solution

• Intranet for staff
  – Intranet ACS Profile
  – Client IP subnet 192.168.0.x
  – RADIUS authentication
  – HTML-authentication
  – Allowed access: intranet and internet

• Internet for guest
  – Internet ACS Profile
  – Client IP subnet 192.168.0.x
  – MAC authentication
  – Allowed access: internet only

Altai A3 Access Control System

[Network diagram; labels recovered from the slide:]

• Internet, Router, Firewall, RADIUS Server, DHCP server, Web Server, Switch
• A3_Gateway Mode: ACS Profile
• SSID_Intranet: Intranet ACS Profile
• SSID_Internet: Internet ACS Profile

ACS User Login Procedure

Case Study: Hotspot Operator ACS Profile Configuration

[Network diagram; labels recovered from the slide:]

• RADIUS Server, Web Server, Hotspot Operator NOC
• A3_Gateway Mode; 10.6.127.200; DHCP server: 192.168.0.1
• SSID_HTMLAuth, SSID_MACAuth
• 3G network, 3G backhaul

Hotspot Operator Network Illustration

• 3G dongle as network backhaul

• A3 built-in DHCP server enabled

• Remote RADIUS server is for internal clients' authentication and accounting

• Remote Web server is for RADIUS server authentication.

• Access control lists are established to define the differences in network access for multiple kinds of clients

• Local account is for MAC authentication of clients who can only access the internet

[Configuration screens, slides 47 to 55; only the slide titles survive, the screenshots are not preserved:]

• ACS Profile
• Local Account
• RADIUS Server
• Access Rules 1
• Access Rules 2
• Access Rules Profile
• HTMLAuth Profile
• MACAuth Profile
• Export ACS profile

Thank You