Huawei Wireless CWA With Identity Services Engine


Huawei Wireless CWA with Identity Services

EngineBoarding&Internal CA Configuration Guide 4 Verification

1 Networking Requirements

Figure 1-1 Networking diagram

Issue 01 (2018-09-265) Copyright © Huawei Technologies Co., Ltd. 1



2 Configuration Roadmap

1. Configure network interworking and enable APs to go online on the AC.
2. Configure AAA and MAC authentication on the AC.
3. Configure the CWA on the ISE.


3 Procedure

3.1 [Device] Network Configuration


3.1.1 Configuration on Access Controller (AC)
Configure AP to go online

capwap source interface Vlanif4094
ap auth-mode no-auth

AAA configuration

radius-server template ise-78
 radius-server shared-key cipher %^%#T#2]/M2wg7-[FSEW.h>Gj+z<6z\c]~eR_M;M>)s4%^%#
 radius-server authentication 189.180.13.78 1812 source ip-address 189.180.11.162 weight 80
 radius-server accounting 189.180.13.78 1813 source ip-address 189.180.11.162 weight 80
 undo radius-server user-name domain-included
 calling-station-id mac-format hyphen-split mode2
 radius-attribute set Service-Type 10 auth-type mac
#
radius-server authorization 189.180.13.78 shared-key cipher %^%#p_<,*s5j`J58|gHg7g*6TxrWTA#Ub!h9xs/RSW%5%^%#
#
radius-server authorization calling-station-id decode-mac-format ascii hyphen-split common


aaa
 authentication-scheme radius
  authentication-mode radius
 accounting-scheme radius
  accounting-mode radius
  accounting realtime 15
 domain ise-78
  authentication-scheme radius
  accounting-scheme radius
  radius-server ise-78

# Authentication profile configuration

mac-access-profile name ise
 mac-authen username macaddress format with-hyphen normal uppercase
authentication-profile name ise-123-mac
 mac-access-profile ise
 access-domain ise-78
acl number 3001 //redirect URL
 rule 1 deny udp destination-port eq dns
 rule 2 deny udp source-port eq dns
 rule 3 deny udp destination-port eq bootps
 rule 4 deny udp destination-port eq bootpc
 rule 5 deny udp source-port eq bootpc
 rule 6 deny udp source-port eq bootps
 rule 7 deny ip destination 189.180.13.78 0
 rule 9 permit ip
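How ACL 3001 sorts a guest's pre-authentication traffic, as an added example that is not part of the original guide: a small evaluator that parses the eight rules above and reports which rule decides a packet. It assumes first-match evaluation in rule-ID order and that, for a redirect ACL, permit means "redirect to the portal" and deny means "not redirected"; the packets used with it are constructed samples.

```python
import ipaddress

# ACL 3001 as listed in the AC configuration on this page.
ACL_3001 = """\
rule 1 deny udp destination-port eq dns
rule 2 deny udp source-port eq dns
rule 3 deny udp destination-port eq bootps
rule 4 deny udp destination-port eq bootpc
rule 5 deny udp source-port eq bootpc
rule 6 deny udp source-port eq bootps
rule 7 deny ip destination 189.180.13.78 0
rule 9 permit ip
"""
PORTS = {"dns": 53, "bootps": 67, "bootpc": 68}

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(line):
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3]}
    if "eq" in tok:                       # "<source|destination>-port eq <name>"
        rule[tok[4]] = PORTS[tok[6]]
    if "destination" in tok:              # "destination <address> <wildcard>"
        at = tok.index("destination")
        wild = tok[at + 2]
        rule["dst"] = (ip_int(tok[at + 1]), ip_int(wild) if "." in wild else int(wild))
    return rule

RULES = sorted(map(parse_rule, ACL_3001.splitlines()), key=lambda r: r["id"])

def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    for key in ("source-port", "destination-port"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "dst" in rule:                     # wildcard bits set to 1 are "don't care"
        addr, wild = rule["dst"]
        return ((ip_int(pkt["dst"]) ^ addr) & ~wild & 0xFFFFFFFF) == 0
    return True

def verdict(pkt):
    """Return (rule id, outcome) for the first rule that matches pkt."""
    for rule in RULES:
        if matches(rule, pkt):
            # Assumption: permit = redirect to the portal, deny = not redirected.
            outcome = "redirect" if rule["action"] == "permit" else "bypass"
            return rule["id"], outcome
    return None, "no-match"
```

Rules 1 to 6 match on protocol and port only, so the bypass they grant is not limited to the site's own DNS and DHCP servers; rule 7 is the only one scoped to an address (the ISE).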

WLAN service configuration

ssid-profile name lyy-mac
 ssid ise-cwa-137


#
vap-profile name ise-cwa
 forward-mode tunnel
 service-vlan vlan-id 2247
 ssid-profile lyy-mac
 authentication-profile ise-123-mac
#

3.2 [Cisco ISE] Configuration on ISE


3.2.1.1 Adding Huawei Private Attributes
Navigation path: Policy > Policy Elements > Dictionaries > Radius
Pay attention to the data type and description of each attribute. Add the attributes strictly according to the following figures.
Use the following Huawei private attributes as examples:
(1) 26-155 HW-Portal-URL
(2) 26-173 HW-Redirect-ACL
(3) 26-238 HW-Ext-Specific
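What the notation "26-155" means on the wire, as an added example that is not part of the original guide: a decoder that pulls Huawei vendor-specific attributes out of a RADIUS attribute buffer, for checking a captured Access-Accept from the ISE. The string data type, the sample URL, the use of the ACL number as the HW-Redirect-ACL value and the sample attribute bytes are assumptions constructed for illustration.

```python
import struct

HUAWEI_VENDOR_ID = 2011  # Huawei's IANA enterprise number
# Vendor types named on this page ("26-155" = attribute 26, vendor type 155).
HUAWEI_VSA = {155: "HW-Portal-URL", 173: "HW-Redirect-ACL", 238: "HW-Ext-Specific"}

def encode_vsa(vendor_type, text):
    """Build one Vendor-Specific (26) attribute holding a single Huawei sub-attribute."""
    value = text.encode()
    sub = bytes([vendor_type, len(value) + 2]) + value
    return bytes([26, len(sub) + 6]) + struct.pack("!I", HUAWEI_VENDOR_ID) + sub

def decode_huawei_vsas(attrs):
    """Walk the attribute TLVs of a RADIUS packet body; return [(name, value)]."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, body = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if a_type != 26 or len(body) < 4:
            continue  # not a Vendor-Specific attribute
        if struct.unpack("!I", body[:4])[0] != HUAWEI_VENDOR_ID:
            continue  # another vendor's VSA
        sub, off = body[4:], 0
        while off < len(sub):
            if off + 2 > len(sub) or sub[off + 1] < 2 or off + sub[off + 1] > len(sub):
                raise ValueError("malformed Huawei sub-attribute")
            name = HUAWEI_VSA.get(sub[off], "Huawei-%d" % sub[off])
            # Assumption: these attributes are defined as strings in the dictionary.
            found.append((name, sub[off + 2:off + sub[off + 1]].decode("utf-8", "replace")))
            off += sub[off + 1]
    return found

# Constructed sample: attributes of an Access-Accept for an unauthenticated guest.
SAMPLE_URL = "https://ise.example.test:8443/portal/gateway"  # placeholder URL
SAMPLE_ATTRS = (
    bytes([27, 6]) + struct.pack("!I", 1800)       # Session-Timeout, not a VSA
    + encode_vsa(155, SAMPLE_URL)
    + encode_vsa(173, "3001")                      # ACL number configured on the AC
)

if __name__ == "__main__":
    for name, value in decode_huawei_vsas(SAMPLE_ATTRS):
        print(name, "=", value)
```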


3.2.1.2 Create a new device profile for Huawei devices


Navigation path: Administration > Network Resources > Network Device Profiles
Add a new device profile.


3.2.1.3 Configure Huawei Devices as Network Access Devices (NADs)


Navigation path: Administration > Network Resources > Network Devices


3.2.1.4 Configure authorization policies.


• Configure an authorization result: Choose Policy > Policy Elements > Results, and select Authorization > Authorization Profiles from the navigation tree. Click Add in the right pane to create the authorization profile cwa-redirect, which assigns the redirect ACL and URL to guests. Then click Submit.


Another authorization profile for permitting all

3.2.1.5 Add user and group for authentication.


• Add user and group set: Choose Administration > Identity Management > Groups.


3.2.1.6 Configure authentication policies.


• Configure a new policy set: Choose Policy > Policy Sets.


4 Verification

1. Connect to the CWA signal


2. Guest Portal and Self-Registration Portal


3. Logs on ISE:
