Captive Portal Enhancements
Dynamic VLANs – How Does it Work?
1. A wireless client connects to a WLAN that has Captive Portal enabled and a VLAN mapped.
2. The wireless client obtains an IP address from the DHCP server on that VLAN.
3. The wireless client is captured and redirected to the Captive Portal login page for authentication.
4. After successful authentication, the wireless client is de-authenticated and moved into the authenticated VLAN:
a) A static VLAN can be defined in the Captive Portal policy
b) A dynamic VLAN can be defined based on the RADIUS tunnel-private-group-id attribute
5. The wireless client obtains a network address from the DHCP server in the authenticated VLAN
In versions before WiNG 5.5, a portal user always used the VLAN defined in the WLAN, regardless of the user's authentication state. WiNG 5.5 adds a new capability for portal authentication: before the user authenticates successfully, the user is placed in a guest VLAN; after successful authentication, the user is reassigned to a different VLAN. Different network services can then be offered depending on the VLAN.
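Added example (Python, not from the page or from WiNG) showing how the RADIUS option in step 4b is carried on the wire: the RADIUS server's Access-Accept carries the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, and the receiving side must verify the Response Authenticator against the shared secret before trusting the VLAN it names. The shared secret is the page's mysecret; the packet identifier and request authenticator are constructed.

```python
import hashlib
import struct

# RFC 2865/2868: Access-Accept code, tunnel attribute types, Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def tagged_int(attr_type, tag, value):
    # Tagged integer attribute: type, length 6, one tag byte, 3-byte big-endian value.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, tag, value):
    # Tagged string attribute: type, length, one tag byte, then the string bytes.
    return struct.pack("!BBB", attr_type, 3 + len(value), tag) + value

def build_access_accept(ident, request_auth, secret, vlan, tag=1):
    """Access-Accept that assigns `vlan` through the three RFC 2868 tunnel attributes."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(packet):
    pos = 20  # attributes start right after the 20-byte header
    while pos + 2 <= len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield packet[pos], packet[pos + 2:pos + length]
        pos += length

def vlan_from_accept(packet, request_auth, secret):
    """VLAN string from a verified Access-Accept; None on bad authenticator or no VLAN assignment."""
    if (len(packet) < 20 or packet[0] != ACCESS_ACCEPT
            or hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest() != packet[4:20]):
        return None
    by_tag = {}  # the three attributes belong together only when their tag bytes match
    for t, v in parse_attributes(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and v:
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = body
    for g in by_tag.values():
        kinds = (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big"), int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big"))
        if kinds == (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802) and TUNNEL_PRIVATE_GROUP_ID in g:
            return g[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None
```

The returned string is the value the RADIUS server put in Tunnel-Private-Group-ID (here "30"); the controller maps it to the VLAN it configures for the client.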
1. Topology:
[Topology figure: RFS4000 controller (192.168.1.1) and AP7131 (192.168.10.1) with SSID portaltest on VLAN 10; RADIUS server 192.168.1.199 using CHAP authentication; portal server; portal user in VLAN 10 before successful authentication and in VLAN 30 after.]
2. Configuration
i. AAA policy configuration
!
aaa-policy portaltest
authentication server 1 host 192.168.1.199 secret 0 mysecret
authentication server 1 proxy-mode through-controller
authentication protocol chap
!
ii. dns-whitelist configuration: put the relevant IP addresses in the whitelist.
!
dns-whitelist portaltest
permit 192.168.1.1
permit 192.168.1.199
permit 192.168.10.1
!
iii. captive-portal policy configuration.
!
captive-portal portaltest
server host 192.168.1.1
server mode centralized
webpage-location external
webpage external login
webpage external welcome
webpage external fail
post-authentication-vlan 30 -------- VLAN for the user after successful portal authentication
use aaa-policy portaltest
use dns-whitelist portaltest
!
iv. WLAN configuration.
!
wlan portaltest
ssid portaltest
vlan 10 ------- user VLAN before successful portal authentication
bridging-mode local
encryption-type none
authentication-type none
use captive-portal portaltest
captive-portal-enforcement
!
v. Configure the built-in DHCP server.
!
dhcp-server-policy dspvlan1
dhcp-pool vlan1
network 192.168.1.0/24
address range 192.168.1.10 192.168.1.60
default-router 192.168.1.1
!
dhcp-server-policy dspvlan10
dhcp-pool vlan30 --------- VLAN30 DHCP Server
network 192.168.30.0/24
address range 192.168.30.10 192.168.30.30
default-router 192.168.30.1
dhcp-pool vlan10 --------- VLAN10 DHCP Server
network 192.168.10.0/24
address range 192.168.10.10 192.168.10.60
default-router 192.168.10.1
!
vi. NAT configuration:
!
ip access-list natinside
permit ip 192.168.10.0/24 any rule-precedence 10
!
vii. Enable the captive portal and the RADIUS server policy in the device profile or in device mode.
For the controller (AC):
!
rfs4000 B4-C7-99-6F-56-62
interface vlan1
ip address 192.168.1.1/24
no ip dhcp client request options all
use dhcp-server-policy dspvlan1
use captive-portal server portaltest
!
For the AP:
!
ap71xx 00-15-70-E5-A4-F0
interface radio1
power 7
wlan portaltest bss 1 primary
interface vlan1
ip address dhcp
ip dhcp client request options all
ip nat outside
interface vlan10
ip address 192.168.10.1/24
ip nat inside
use dhcp-server-policy dspvlan10
ip nat inside source list natinside precedence 10 interface vlan1 overload
!
3. Portal authentication debugging
During testing, the portal authentication debug output can be enabled:
rfs4000-6F5662#debug captive-portal all
rfs4000-6F5662#debug wireless client
rfs4000-6F5662#logging monitor 7
Appendix: RADIUS server and portal page setup:
1. Copy the page used for portal login to the WAS server installation root directory C:\Program Files (x86)\WAS\webapps\ROOT
2. Install the portal server installation files found under Moto无线培训\testscript\中兴portalWAS\WAS:
Follow the prompts and complete the installation with the defaults.
3. Install the FreeRADIUS server, completing the installation with the defaults.
After the installation is complete, open
4. Add a test username and password on the RADIUS server:
Open Edit Users and edit the user "abc", using the "chap" protocol, with the password "12345".
5. Then run StartWas.bat under the WAS service.
6. Find the WLAN portaltest and connect to it.
i. State before user authentication:
rfs4000-6F5662#show wireless client
=================================================================================================================
MAC IP VENDOR RADIO-ID WLAN VLAN STATE
-----------------------------------------------------------------------------------------------------------------
18-3D-A2-9B-57-3C 192.168.10.60 Intel Corp 00-15-70-E5-A4-F0:R1 portaltest 10 Data-Ready
=================================================================================================================
Total number of wireless clients displayed: 1
rfs4000-6F5662#show captive-portal client
=======================================================================================================
CLIENT IP CAPTIVE-PORTAL WLAN VLAN STATE SESSION TIME
-------------------------------------------------------------------------------------------------------
18-3D-A2-9B-57-3C 192.168.10.60 portaltest portaltest 10 Pending 0:00:00
=======================================================================================================
Total number of captive portal clients displayed: 1
The output above shows that before the user authenticates successfully, the user VLAN is VLAN 10.
ii. After the user's portal authentication succeeds, the following log appears:
Mar 12 02:58:54 2014: ap7131-E5A4F0 : %CAPTIVE-PORTAL-6-AUTH_SUCCESS: Captive-portal authentication success for client 18-3D-A2-9B-57-3C(192.168.10.60) user 'abc'
Mar 12 02:58:59 2014: ap7131-E5A4F0 : %DOT11-6-CLIENT_DISASSOCIATED: Client '18-3D-A2-9B-57-3C' disassociated from wlan 'portaltest' radio 'ap7131-E5A4F0:R1': vlan changed (reason code:2)
Mar 12 02:58:59 2014: ap7131-E5A4F0 : %CAPTIVE-PORTAL-6-VLAN_SWITCH: Client 18-3D-A2-9B-57-3C(192.168.10.60) switching from vlan 10 to vlan 30
Mar 12 02:58:59 2014: ap7131-E5A4F0 : %DOT11-6-CLIENT_ASSOCIATED: Client '18-3D-A2-9B-57-3C' associated to wlan 'portaltest' ssid 'portaltest' on radio 'ap7131-E5A4F0:R1'
The log above shows:
after portal authentication succeeds, the user is first kicked off by the controller (reason code: 2);
then, once the user has re-associated, the VLAN switches from 10 to 30.
Finally, check the user's authentication state again:
#show captive-portal client
=======================================================================================================
CLIENT IP CAPTIVE-PORTAL WLAN VLAN STATE SESSION TIME
-------------------------------------------------------------------------------------------------------
18-3D-A2-9B-57-3C 192.168.30.30 portaltest portaltest 30 Success 23:51:45
=======================================================================================================
Total number of captive portal clients displayed: 1
rfs4000-6F5662#show wireless client
=================================================================================================================
MAC IP VENDOR RADIO-ID WLAN VLAN STATE
-----------------------------------------------------------------------------------------------------------------
18-3D-A2-9B-57-3C 192.168.30.30 Intel Corp 00-15-70-E5-A4-F0:R1 portaltest 30 Data-Ready
=================================================================================================================
Total number of wireless clients displayed: 1
The output above shows that after going offline and reconnecting, the user switched from VLAN 10 to VLAN 30 and the user state is Success.
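Added example (Python, not from the page): a small audit over the debug log lines above that confirms, per client, that a captive-portal AUTH_SUCCESS was followed by the expected VLAN_SWITCH from 10 to 30, and flags a client that authenticated but stayed in the pre-authentication VLAN or moved VLAN without authenticating. The sample log is the page's four lines plus one constructed line for a second client with a constructed MAC.

```python
import re

# Syslog shape of the WiNG debug output above: "<timestamp>: <host> : %<MNEMONIC>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}): (?P<host>\S+) : "
                     r"%(?P<event>[A-Z0-9_-]+): (?P<msg>.*)$")
MAC_RE = re.compile(r"\b([0-9A-F]{2}(?:-[0-9A-F]{2}){5})\b")
SWITCH_RE = re.compile(r"switching from vlan (\d+) to vlan (\d+)")
USER_RE = re.compile(r"user '([^']*)'")

# Constructed sample: the four lines from the page plus one constructed client
# (AA-BB-CC-DD-EE-01) whose authentication succeeded but never switched VLAN.
SAMPLE_LOG = """\
Mar 12 02:58:54 2014: ap7131-E5A4F0 : %CAPTIVE-PORTAL-6-AUTH_SUCCESS: Captive-portal authentication success for client 18-3D-A2-9B-57-3C(192.168.10.60) user 'abc'
Mar 12 02:58:59 2014: ap7131-E5A4F0 : %DOT11-6-CLIENT_DISASSOCIATED: Client '18-3D-A2-9B-57-3C' disassociated from wlan 'portaltest' radio 'ap7131-E5A4F0:R1': vlan changed (reason code:2)
Mar 12 02:58:59 2014: ap7131-E5A4F0 : %CAPTIVE-PORTAL-6-VLAN_SWITCH: Client 18-3D-A2-9B-57-3C(192.168.10.60) switching from vlan 10 to vlan 30
Mar 12 02:58:59 2014: ap7131-E5A4F0 : %DOT11-6-CLIENT_ASSOCIATED: Client '18-3D-A2-9B-57-3C' associated to wlan 'portaltest' ssid 'portaltest' on radio 'ap7131-E5A4F0:R1'
Mar 12 03:01:10 2014: ap7131-E5A4F0 : %CAPTIVE-PORTAL-6-AUTH_SUCCESS: Captive-portal authentication success for client AA-BB-CC-DD-EE-01(192.168.10.61) user 'guest2'
""".splitlines()

def parse_line(line):
    """Split one syslog line into event, client MAC and message; None for other shapes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mac = MAC_RE.search(m["msg"])
    return {"event": m["event"], "mac": mac.group(1) if mac else None, "msg": m["msg"]}

def audit_vlan_switch(lines, pre_auth_vlan, post_auth_vlan):
    """Per client MAC: was AUTH_SUCCESS followed by a VLAN_SWITCH pre_auth_vlan -> post_auth_vlan?"""
    clients = {}
    for ev in (e for e in map(parse_line, lines) if e and e["mac"]):
        c = clients.setdefault(ev["mac"], {"user": None, "authed": False,
                                           "vlan": pre_auth_vlan, "anomalies": []})
        if ev["event"] == "CAPTIVE-PORTAL-6-AUTH_SUCCESS":
            u = USER_RE.search(ev["msg"])
            c["authed"], c["user"] = True, (u.group(1) if u else None)
        elif ev["event"] == "CAPTIVE-PORTAL-6-VLAN_SWITCH" and SWITCH_RE.search(ev["msg"]):
            src, dst = map(int, SWITCH_RE.search(ev["msg"]).groups())
            if not c["authed"]:  # a VLAN move before login is not what the policy allows
                c["anomalies"].append("vlan switch without prior auth success")
            if (src, dst) != (pre_auth_vlan, post_auth_vlan):
                c["anomalies"].append(f"unexpected vlan move {src}->{dst}")
            c["vlan"] = dst
    for c in clients.values():
        if c["authed"] and c["vlan"] != post_auth_vlan:
            c["anomalies"].append("authenticated but still in pre-auth vlan")
        c["ok"] = not c["anomalies"]
    return clients
```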
7. Enter a URL: the portal page pops up automatically, and the username and password must be entered for verification; only after successful verification can the user access the network normally.
Verification succeeds, and a pop-up appears