Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[WLC] Configuring wired-authentication with fall-thru authentication of web-portal and local authentication

0

0
Article ID: KB28253 KB Last Updated: 21 Feb 2020Version: 3.0 Summary:

This document discusses the configuration for wired-authentication using fall-thru authentication of the web-portal (web-portal page from SmartPass) and local authentication on the WLC.

Solution:

Clearing the port type in preparation for wired authentication

  1. Select the port for wired authentication, remove it from any VLANs and make sure it’s not configured as an AP port. You can reset the port to the port’s default configuration using the following command:

  2. WLC# clear port type <port_nr>



    3.  
  3. Remove the port from one or more VLANs using the following command:

  4. WLC# clear vlan <vlan_name> port <port_nr>



    5.  

Configure the WLC for web-portal wired-authentication

 

WLC Configuration

  1. Configure the SmartPass server as a radius server on WLC. Default port for radius authentication is 1812:

  2. WLC# set radius server <SP_name> address <SP_IP_address> auth-port <auth_port> deadtime 0 key <secret_key>



    3.  
  3. Configure a server group and add the configured SmartPass server as a member:

  4. WLC# set server group <server_group_name> members <SP_name>



    5.  
  5. Configure the SmartPass as a RADIUS dynamic authorization client (DAC):

  6. WCL# set radius dac <dac_name> address <SP_IP_address> replay-protect disable



    7.  
  7. Configure the wired dynamic authorization to the configured RADIUS dynamic authorization client:

  8. WLC# set authorization dynamic wired <dac_name>



    9.  
  9. Configure the web wired authentication local on the WLC:

  10. WLC# set authentication web wired ** local



    11.  
  11. Configure the VLAN attribute for web-portal-wired users

  12. WLC# set user web-portal-wired attr vlan-name <VLAN_name>



    13.  
  13. Name the port with a descriptive name using the following command:

  14. WLC# set port <port_nr> name <port_name>



    15.  
  15. Set the port type, VLAN tag and the fall-thru authentication for web-portal:

  16. WLC# set port type wired-auth <port_nr> tag <VLAN_tag_nr> auth-fall-thru webportal



    17.  
  17. The default maximum number of wired clients per port is 1. This can be changed using the command:

  18. WLC# set port type wired-auth <port_nr> max-sessions



    19.  
  19. Configure the web-portal form(web-portal page from SmartPass server):

  20. WLC# set port type wired-auth <port_nr> web-portal-form https://<SP_IP_address>:<SP_https_port>/gp2/webportal/ext/webPortalAuthLogin



    21.  
  21. Configure the ACL and permit all IP addresses or a specific subnet --> SmartPass IP address. The default ACL for web-portal is named portalacl.

  22. WLC# set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
    WLC# set security acl name portalacl permit ip 0.0.0.0 255.255.255.255 <SP_IP_address> 0.0.0.0
    WLC# set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
    WLC# commit security acl portalacl


    23.  

Example:

WLC-TAC# set radius server 2k8-sp address 10.144.121.11 auth-port 11812 deadtime 0 encrypted-key ABC123
WLC-TAC# set server group 2k8sp members 2k8-sp
WLC-TAC# set radius dac sp-radius-dac address 10.144.121.11 replay-protect disable encrypted-key ABC123
WLC-TAC# set vlan 424 name MD424
WLC-TAC# set vlan 424 port 1 tag 424
WLC-TAC# set authentication web wired ** local
WLC-TAC# set authorization dynamic wired sp-radius-dac
WLC-TAC# set user web-portal-wired attr filter-id portalacl.in
WLC-TAC# set user web-portal-wired attr vlan-name MD424
WLC-TAC# set port type wired-auth 2 tag 424 max-sessions 1 auth-fall-thru web-portal web-portal-form https://10.144.121.11:4443/gp2/webportal/ext/webPortalAuthLogin
WLC-TAC# set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
WLC-TAC# set security acl name portalacl permit ip 0.0.0.0 255.255.255.255 10.144.121.11 0.0.0.0
WLC-TAC# set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
WLC-TAC# commit security acl portalacl

SmartPass configuration

Configure the WLC as a RADIUS client on SmartPass.

  1. Go to SmartPass --> Setup --> RADIUS Client Settings --> Authorized Radius Clients -->

  2. Click Add button --> configure the IP Address, Shared Secret key (must be the same key as the one configured on WLC for the SmartPass server) and the Vendor type (which should be “Trapeze” ).
Modification History:

2020-02-21: Changed password to “ABC123".

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search