Introduction

This document outlines the configuration process on both the D-Link Multi-Service Business Gateways and the amigopod appliance to create a fully integrated Visitor Management solution. The solution leverages the captive portal functionality built into the D-Link DSA-3600. D-Link uses the term User Login Pages to refer to this internal captive portal functionality, which can be defined generally as follows: a captive portal allows a wireless client to authenticate using a web-based portal, intercepting the client's first web request and redirecting it to a login page until the session has been authenticated.
Test Environment

The test environment referenced throughout this integration guide is based on a D-Link DSA-3600 Multi-Service Business Gateway. Although this low-end hardware platform was used, the testing, and therefore this procedure, is valid for all D-Link DSA hardware variants, because it is the DSA software that provides the integration points with amigopod.
The following diagram provides a high-level overview of the test lab topology:

Integration

Although the D-Link DSA-3600 supports both internal and external captive portal functionality, this integration guide focuses on the latter, as the internal HTML authentication dictates the use of the internal Login Page resident on the controller itself.
Amigopod Configuration

The following configuration procedure assumes that the amigopod software or appliance has been powered up and a basic IP configuration has been applied through the setup wizard, so that the administrator can access the web user interface. The following table again reviews the IP addressing used in the test environment; these values would be replaced with the site-specific details of each customer deployment: DSA WAN1 IP Address...
Step 1 – Create RADIUS NAS for D-Link DSA-3600 Gateway

In order for the D-Link DSA-3600 to authenticate users it needs to be able to communicate with the amigopod RADIUS instance. This step configures the amigopod NAS definition for the D-Link DSA-3600 Gateway: the NAS IP address (the DSA WAN1 address from which the RADIUS requests will originate) and the shared secret that must later be entered identically on the gateway.
Step 2 – Restart RADIUS Services

A restart of the RADIUS service is required for the new NAS configuration to take effect. Click the Restart RADIUS Server button shown below and wait a few moments for the process to complete.

CONFIDENTIAL...
Step 3 – Create a Web Login Page

From the RADIUS Services → Web Logins page, select the Create New Web Login page option at the bottom of the page. On the RADIUS Web Login page, enter a name and description for the Web Login page you are creating.
Ensure the Submit Method is set to POST, so that the credentials travel in the request body rather than in a URL query string that browsers and proxies log and cache. By default the D-Link DSA-3600 uses port 80 for unsecured HTML authentication and port 443 for secure HTML authentication. Via the System → General settings on the D-Link DSA-3600, all web login traffic can be configured to use HTTPS (port 443), which encrypts the username and password as they are sent over the wireless network.
Whether to use secure (HTTPS) or non-secure (HTTP) authentication is determined by the sort of Guest Access you intend to provide. If you are providing credit card based, billable Guest Access, the expectation would be that all transactions are secured by an HTTPS session.
Step 4 – Review the Web Login Captive Portal Page

Returning to the Web Logins page, select the D-Link Web Login entry and click the Test button; the configured captive portal page will be displayed in a new window, as shown below. Click the Back button in the web browser to return to the amigopod configuration screen.
D-Link DSA-3600 Configuration

The following configuration procedure assumes that the D-Link DSA-3600 has been powered up and a basic IP configuration has been applied through the steps detailed in the Quick Install Guide. The following table again reviews the IP addressing used in the test environment; these values would be replaced with the site-specific details of each customer deployment: DSA WAN1 IP Address 10.0.20.166...
If your design requires the use of Service Zones other than the Default Service Zone, the NAT settings for those zones will also have to be updated. If you intend to run your network in a routed environment, you will need to update the routing tables on the default gateway router that services the network the WAN1 port of the DSA is connected to, and/or add a static route to the amigopod configuration.
Click on the Routes option and add the details of the IP address range allocated to the LAN port on the DSA, as shown below:
Step 1 – Enable DHCP on LAN Port

In our lab environment DHCP needs to be enabled on the Default Service Zone to provide IP addresses to both downstream D-Link Access Points and any wired clients connected to this interface of the DSA-3600. This is configured under System → Service Zones → Default → Configure, as shown in the following screenshot:
Step 2 – Install Managed D-Link Access Points (Optional)

Although the D-Link DSA-3600 range of gateways is designed primarily for the centralised control of D-Link Access Points, the gateway can equally be used to provide access control in purely wired environments. The many different methods of configuring the D-Link Access Points are covered extensively in Chapter 4.3 of the D-Link DSA-3600 User Guide and are therefore considered outside the scope of this integration guide.
Step 3 – Create RADIUS Definition for amigopod

From the Users → Authentication screen, click the Server 3 RADIUS Auth option. In the following screen be sure to enter and confirm the following details: Enter a descriptive name for the Name •...
Note: The Secret above needs to be the same as the one defined in Step 1 of the amigopod configuration; in the test environment this is the value wireless. A short dictionary word like this is acceptable only in a lab: RADIUS derives both the User-Password hiding and the Response Authenticator from this secret, so a production deployment should use a long, randomly generated secret that is unique to each NAS. The Users → Authentication table should now look something like the following screenshot:
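To make the matching requirement concrete, the following Python script is an added example (it is not part of this guide or of either vendor's software). It implements the RFC 2865 User-Password hiding that a RADIUS NAS such as the DSA-3600 applies before sending an Access-Request, and the reversal the RADIUS server performs on receipt, then simulates the exchange with matching and mismatched secrets. The password and secret value wireless are the lab values from this guide; the function names, the fixed authenticator used in the comments and the simulated exchange are assumptions for illustration.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16  # MD5 digest length; User-Password is hidden in 16-octet blocks (RFC 2865 section 5.2)


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a cleartext password the way a NAS does before placing it in an Access-Request.

    p1..pn are the 16-octet blocks of the null-padded password; with S the shared
    secret and RA the 16-octet Request Authenticator:
        b1 = MD5(S + RA),      c1 = p1 XOR b1
        bi = MD5(S + c(i-1)),  ci = pi XOR bi
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + BLOCK], b))
        hidden += c
        prev = c  # the next key block is chained off the ciphertext, not the plaintext
    return bytes(hidden)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding, as the RADIUS server does on receipt. Trailing null padding is
    stripped, which is why a password ending in 0x00 cannot be carried this way."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    revealed = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        b = hashlib.md5(secret + prev).digest()
        revealed += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(revealed).rstrip(b"\x00")


def simulate_exchange(password: bytes, nas_secret: bytes, server_secret: bytes,
                      authenticator: Optional[bytes] = None) -> bytes:
    """Model the NAS (the DSA-3600) hiding the password with its secret and the server
    (amigopod) recovering it with its own. Returns what the server ends up treating as
    the password; it only equals the original when both secrets match."""
    if authenticator is None:
        authenticator = os.urandom(BLOCK)  # a real NAS picks a fresh random authenticator per request
    hidden = radius_hide_password(password, nas_secret, authenticator)
    return radius_reveal_password(hidden, server_secret, authenticator)


if __name__ == "__main__":
    # Matching secrets: the server recovers "wireless", which is what the debug log later prints.
    print(simulate_exchange(b"wireless", b"wireless", b"wireless"))
    # Mismatched secrets (here only the case differs): the server recovers garbage and the
    # user lookup fails, which presents as a plain Access-Reject with no hint about the secret.
    print(simulate_exchange(b"wireless", b"wireless", b"Wireless"))
```

Note that this hiding is an MD5 keystream keyed by the shared secret, not authenticated encryption: anyone who can sniff the RADIUS leg between the DSA WAN1 port and amigopod and who knows (or guesses) a weak secret recovers every guest password. That is a separate concern from the HTTPS setting discussed in the Web Login steps, which only protects the client-to-portal leg over the wireless network.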
Step 4 – Enable Authentication on Default Service Zone

In order for the DSA to intercept and redirect any new guest user to the amigopod hosted Web Login page, the gateway must have Authentication Required enabled for the Service Zone in question.
Scroll to the bottom of the page and click the Apply button to save the changes so far.
Step 5 – Define Login Page External Destination

Returning to the System → Service Zones → Default configuration section, scroll down to the Custom Pages part of the configuration page, as shown below. The options on this screen allow the pages displayed during the login and logout procedures supported by the DSA-3600 to be either customised on the gateway itself or redirected to an external host such as the amigopod.
Enter the URL of the amigopod hosted Web Login page created earlier and click the Apply button to commit the changes to the Default Service Zone.
Step 6 – Apply Access Policy to All Guest Users (Optional)

Following on directly from the Custom Pages configuration above, the administrator can choose to apply a blanket policy definition to all guest users of this Service Zone by selecting a policy in the Default Policy in this Service Zone option shown below.
Testing the Configuration

Now that the configuration of both the D-Link DSA-3600 Gateway and the amigopod solution is complete, the following steps can be followed to verify the setup.

Step 1 – Create a Test User Account

Within the amigopod RADIUS server a test user account can be created using the amigopod Guest Manager.
Step 2 – Confirm DHCP IP Address Received

Assuming our test laptop is connected to the LAN1 port on the back of the DSA-3600, it should receive an IP address via DHCP. Using the Windows Command Prompt, or the equivalent in the chosen operating system, confirm that a valid IP address has been received from the DHCP server configured on the DSA-3600 Gateway. Issue the ipconfig command from the Windows Command Prompt to display the IP information...
Step 3 – Launch Web Browser and Log In

When the web browser on the test laptop is launched, the DSA will automatically capture the session and redirect the user to the amigopod hosted login page defined in Custom Pages → Login Page, as shown below. Enter the test user details created and recorded in Step 1 above and click the Login button.
Step 4 – Confirm the Login Succeeded from the DSA-3600

From the Status → Online Users menu option you can monitor the number and details of authenticated guest access sessions at any given time. From this interface you also have the option to log a user out via the Kick Out column of the table shown below. You can also check the Status → User Logs option to display a table of successful login and logout transactions and summaries of the traffic transmitted in each session, as shown below:...
Step 6 – Confirm RADIUS Debug Messages on amigopod

Once the test laptop has successfully authenticated and is able to browse the Internet, an entry should appear in the RADIUS logs confirming the positive authentication of the test user, in this example cam. Note that the debug output below echoes the User-Password in clear text once the server has unhidden it with the shared secret, so debug-level logging should be enabled only while troubleshooting and the captured output treated as sensitive.
    User-Name = "cam"
    User-Password = "wireless"
    Called-Station-Id = "00-15-E9-DB-22-0B"
    Calling-Station-Id = "00-13-D4-09-D3-F9"
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username='cam' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'cam' AND usergroup.GroupName =...
Step 7 – Check User Experience

The following Login Success page will be displayed in the test laptop browser to confirm the successful authentication and also provide the opportunity for the user to explicitly log out: This page can be changed from the default branding either by using the internal templates configured within Custom Pages → Login Success Page or by following the advanced amigopod configuration guidelines in Appendix B.
Appendix A – Per User Policy Definition via RADIUS

As mentioned in the Service Zone configuration section of the D-Link DSA-3600 configuration, RADIUS attributes returned in the Access-Accept can be used to trigger per-user policy definitions that drive the guest access user experience. In this case we use the amigopod RADIUS technology to manage the per-user policy configuration, implemented using amigopod User Roles.
Create D-Link Specific User Role

The following screenshot from amigopod RADIUS Services → User Roles shows how several RADIUS attributes have been added to a new role called D-Link Guest. As you can see, we have added the 2 attributes that are part of the standard RADIUS dictionary, Idle-Timeout &...
Create Test D-Link User

The next step is to create a RADIUS user that returns all of the attributes defined in the User Role D-Link Guest. The following screen capture shows our RADIUS user cam with the User Role set to D-Link Guest, as discussed.
Enable Class-Policy Mapping on the DSA-3600

Returning to the DSA-3600 configuration for user authentication, navigate to the Users → Authentication → RADIUS → Configure section, where you will find the Edit Class-Policy Mapping button. Clicking this button displays the configuration page shown below. On this screen enter the same value for the RADIUS Class attribute that was configured in the new amigopod role in the previous section; the mapping only fires when the value matches exactly, so check for stray whitespace or case differences if the policy is not applied.
Moving on to the policy definition steps in this example, choose the Users → Policy menu option and the following configuration screen will be presented: The details of configuring policies are covered extensively in the D-Link DSA-3600 User Guide, so a detailed discussion of policies is not included in this document. In the interest of proving that the Class-Policy Mapping feature is working as part of the RADIUS authentication process, we have configured the following elements of Policy 12: Firewall Profile rule to block SMTP access outbound from the test client...
As can be seen from the above screenshot, a filter rule for Policy 12 has been edited to block any client traffic trying to access the SMTP service protocol (TCP port 25) on any Internet-based server. Several other options are available to build granular firewall filters to match your deployment security policy.
Moving on to the QoS Profile, the following screenshot shows sample settings of how the Policy 12 configuration has been modified to constrain the available upstream and downstream client traffic. The traffic class associated with generic Internet access is Best Effort.
Test Result

After making these changes to the DSA-3600 configuration, return to the test laptop to test that both the firewall and bandwidth management controls have been applied. For the changes to take effect you must log out and re-authenticate against the amigopod RADIUS server, since the policy is selected from the Class attribute returned at authentication time.
After Firewall Policy Applied

Now that the test user has re-authenticated and the new firewall policy has been applied, any attempt to connect on port 25 is successfully blocked.
Before QoS Policy Applied

As can be seen from the Internet speed test results below, the available downstream bandwidth in the test environment approaches 9 Mbps without any QoS Profile applied.

After QoS Policy Applied

As expected, after the configured QoS Profile is applied the Internet bandwidth is successfully constrained to 512 kbps.
Detailed RADIUS Debug

The following RADIUS debug also shows the additional Class attribute being sent back to the DSA-3600 to be applied to the policy configuration.

Ready to process requests.
rad_recv: Access-Request packet from host 10.0.20.166:1027, id=150, length=127
    Service-Type = Call-Check
    NAS-Identifier = "dsa-3600"...
rlm_sql_postgresql: affected rows = 1
rlm_sql (sql): Released sql socket id: 2
Sending Access-Accept of id 150 to 10.0.20.166 port 1027
    Class = 0x616d69676f706f64
    Idle-Timeout = 300
rad_recv: Accounting-Request packet from host 10.0.20.166:1027, id=194, length=145
    Service-Type = Call-Check
    NAS-Identifier = "dsa-3600"
    NAS-Port = 1
    NAS-Port-Id = "Controlled"...

The Class value 0x616d69676f706f64 is the ASCII string amigopod printed as hex octets, which is the value the DSA-3600 Class-Policy Mapping must be configured to match; the Idle-Timeout of 300 seconds is the other attribute added to the D-Link Guest role.
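As an added example (it is not from this guide or from either vendor), the following Python script parses FreeRADIUS-style debug output of the kind shown above, decodes the hex-encoded Class octets, checks every Access-Accept against the name configured in the DSA-3600 Class-Policy Mapping, and redacts the cleartext User-Password before the log is shared. The sample log embedded in it is constructed from the excerpts in this guide rather than being a verbatim capture; the regular expressions, function names and the expected value amigopod are assumptions for illustration.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample, assembled from the debug excerpts in this guide (not a verbatim capture).
SAMPLE_DEBUG = """\
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.20.166:1027, id=150, length=127
    Service-Type = Call-Check
    NAS-Identifier = "dsa-3600"
    User-Name = "cam"
    User-Password = "wireless"
    Calling-Station-Id = "00-13-D4-09-D3-F9"
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql (sql): Released sql socket id: 2
Sending Access-Accept of id 150 to 10.0.20.166 port 1027
    Class = 0x616d69676f706f64
    Idle-Timeout = 300
rad_recv: Accounting-Request packet from host 10.0.20.166:1027, id=194, length=145
    Service-Type = Call-Check
    NAS-Identifier = "dsa-3600"
    NAS-Port = 1
    NAS-Port-Id = "Controlled"
"""

# A received packet header ("rad_recv: ...") or a sent one ("Sending ... of id N to host port P").
PACKET_RE = re.compile(
    r"^rad_recv: (?P<rtype>[\w-]+) packet from host (?P<rhost>[\d.]+):(?P<rport>\d+), id=(?P<rid>\d+)"
    r"|^Sending (?P<stype>[\w-]+) of id (?P<sid>\d+) to (?P<shost>[\d.]+) port (?P<sport>\d+)"
)
# Attribute lines are indented under their packet header.
ATTR_RE = re.compile(r"^[ \t]+(?P<name>[\w-]+) = (?P<value>.+?)[ \t]*$")


def decode_value(raw: str) -> Any:
    """Turn the printed form of an attribute back into a string, bytes (0x...) or int."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw.startswith("0x"):
        try:
            return bytes.fromhex(raw[2:])
        except ValueError:
            return raw  # leave malformed hex alone rather than guess
    if raw.lstrip("-").isdigit():
        return int(raw)
    return raw  # enumerated values such as Call-Check stay as text


def parse_radius_debug(text: str) -> List[Dict[str, Any]]:
    """Return one dict per packet: type, direction, peer (host, port), id and attributes.
    Any unindented line (rlm_* module output, blank lines) ends the current attribute list."""
    packets: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            received = m.group("rtype") is not None
            current = {
                "type": m.group("rtype") if received else m.group("stype"),
                "direction": "received" if received else "sent",
                "peer": (m.group("rhost") if received else m.group("shost"),
                         int(m.group("rport") if received else m.group("sport"))),
                "id": int(m.group("rid") if received else m.group("sid")),
                "attrs": {},
            }
            packets.append(current)
            continue
        a = ATTR_RE.match(line)
        if a and current is not None:
            current["attrs"][a.group("name")] = decode_value(a.group("value"))
        else:
            current = None
    return packets


def check_class_policy(packets: List[Dict[str, Any]],
                       expected_class: str) -> List[Tuple[int, Optional[str], bool]]:
    """For every Access-Accept, report (request id, decoded Class, matches expected).
    The DSA-3600 Class-Policy Mapping only selects the policy when the octets equal the name."""
    results = []
    for p in packets:
        if p["type"] != "Access-Accept":
            continue
        cls = p["attrs"].get("Class")
        if isinstance(cls, bytes):
            cls = cls.decode("ascii", errors="replace")
        results.append((p["id"], cls, cls == expected_class))
    return results


def redact_passwords(text: str) -> str:
    """Debug output prints User-Password in clear once the server has unhidden it;
    scrub it before the log leaves the box."""
    return re.sub(r'^([ \t]+User-Password = )".*"$', r'\1"<redacted>"', text, flags=re.M)


if __name__ == "__main__":
    pkts = parse_radius_debug(SAMPLE_DEBUG)
    for req_id, cls, ok in check_class_policy(pkts, "amigopod"):
        print(f"Access-Accept id={req_id}: Class={cls!r} matches mapping: {ok}")
    print(redact_passwords(SAMPLE_DEBUG))
```

Run it against a real radiusd -X capture by replacing SAMPLE_DEBUG with the file contents; an Access-Accept whose Class decodes to something other than the mapped name, or that carries no Class at all, explains a policy that silently fails to apply after re-authentication.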
Appendix B – Advanced Customisation

As discussed in the DSA-3600 configuration section, many of the web pages that make up the user experience can be either customised internally or redirected to an external server. This configuration is performed under the Custom Pages section of the Service Zones configuration, as shown below. The previous configuration steps detailed the process for redirecting the Login Page option to the amigopod hosted Web Login to ensure consistent branding for the customer environment.
Amigopod has several options for creating client-facing web pages that support the use of the Skin technology for branding. The chosen platform for creating these simple landing pages is the Guest Self-Registration pages available from the Guest Manager → Customisation menu option.
Now that the Guest Registration functionality has been disabled in the previous step, clicking on the Register Page part of the flow diagram takes you to the Disable Message configuration screen. This page is only displayed while the Self-Registration page is disabled, and provides a simple method of configuring a Skin-enabled blank web page hosted on the amigopod.
The following screenshot and HTML code extract provide a sample of how these customised pages can be hosted on the amigopod.
Although the sample HTML below is not very aesthetically pleasing, it is the functionality of parsing and using the session identifier that we are trying to highlight. The session identifier is the unique value that allows the Logout button to execute the logout command on the DSA-3600 for that particular session.
Testing the Configuration

After successfully logging in, the user experience should have changed from the default Login Success page hosted on the DSA-3600 to the new branded page on the amigopod, as shown below. Verify that the Logout button works as expected by simply clicking it. The session identifier is shown only for illustrative and troubleshooting purposes.
As can be seen, the Logout button code worked as expected and the session has been redirected to the standard Logout Success web page hosted on the DSA-3600. The same process shown here can be applied to each of the Custom Pages to achieve a consistent look and feel for the customer deployment.