This article describes how to configure wired authentication on a WLC using web-portal fall-thru authentication, where the web-portal page is served by SmartPass and the user is authenticated against the SmartPass server over RADIUS.
Clearing the port type in preparation for wired authentication
- Select the port for wired authentication, remove it from any VLANs and make sure it is not configured as an AP port. The port can be reset to its default configuration using the following command:
WLC# clear port type <port_nr>
- Remove the port from one or more VLANs using the following command:
WLC# clear vlan <vlan_name> port <port_nr>
Configure the WLC for web-portal wired-authentication
WLC Configuration
- Configure the SmartPass server as a RADIUS server on WLC. Default port for RADIUS authentication is 1812:
WLC# set radius server <SP_name> address <SP_IP_address> auth-port <auth_port> deadtime 0 key <secret_key>
- Configure a server group and add the configured SmartPass server as a member:
WLC# set server group <server_group_name> members <SP_name>
- Configure SmartPass as a RADIUS dynamic authorization client (DAC) so it can send disconnect/change-of-authorization messages to the WLC. Use the same shared secret on both sides. Note that replay-protect disable turns off the WLC's check against replayed dynamic-authorization messages; the configuration on this page disables it for SmartPass interoperability, so bind the DAC to the SmartPass address only:
WLC# set radius dac <dac_name> address <SP_IP_address> replay-protect disable key <secret_key>
- Configure the wired dynamic authorization to the configured RADIUS dynamic authorization client:
WLC# set authorization dynamic wired <dac_name>
- Configure web wired authentication for all usernames (the ** user glob) against the SmartPass server group:
WLC# set authentication web wired ** <server_group_name>
- Configure the VLAN attribute for web-portal-wired users:
WLC# set user web-portal-wired attr vlan-name <VLAN_name>
- Name the port to a descriptive name using the following command:
WLC# set port <port_nr> name <port_name>
- Set the port type, the VLAN tag and web-portal as the fall-thru authentication (the example below uses the same web-portal keyword):
WLC# set port type wired-auth <port_nr> tag <VLAN_tag_nr> auth-fall-thru web-portal
- The default maximum number of wired clients per port is 1. You can change it using the command:
WLC# set port type wired-auth <port_nr> max-sessions <num>
- Configure the web-portal form (web-portal page from SmartPass server):
WLC# set port type wired-auth <port_nr> web-portal-form https://<SP_IP_address>:<SP_https_port>/gp2/webportal/ext/webPortalAuthLogin
- Configure the ACL that is applied to users before they authenticate. It must permit DHCP, permit IP traffic to the SmartPass IP address (or to a specific subnet containing it) and deny everything else with capture, so that the WLC redirects the client to the web-portal page. Permitting all IP addresses here would let an unauthenticated client through without ever hitting the portal. The default ACL for web-portal is named portalacl; the example below assigns it to web-portal-wired users with the filter-id attribute (portalacl.in).
WLC# set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
WLC# set security acl name portalacl permit ip 0.0.0.0 255.255.255.255 <SP_IP_address> 0.0.0.0
WLC# set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
WLC# commit security acl portalacl
Example:
WLC-TAC# set radius server 2k8-sp address 10.144.121.11 auth-port 11812 deadtime 0 encrypted-key 03175e08140a35
WLC-TAC# set server group 2k8sp members 2k8-sp
WLC-TAC# set radius dac sp-radius-dac address 10.144.121.11 replay-protect disable encrypted-key 0518030c33495a
WLC-TAC# set vlan 424 name MD424
WLC-TAC# set vlan 424 port 1 tag 424
WLC-TAC# set authentication web wired ** 2k8sp
WLC-TAC# set authorization dynamic wired sp-radius-dac
WLC-TAC# set user web-portal-wired attr filter-id portalacl.in
WLC-TAC# set user web-portal-wired attr vlan-name MD424
WLC-TAC# set port type wired-auth 2 tag 424 max-sessions 1 auth-fall-thru web-portal web-portal-form https://10.144.121.11:4443/gp2/webportal/ext/webPortalAuthLogin
WLC-TAC# set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
WLC-TAC# set security acl name portalacl permit ip 0.0.0.0 255.255.255.255 10.144.121.11 0.0.0.0
WLC-TAC# set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
WLC-TAC# commit security acl portalacl
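To make the behaviour of the portalacl rules above concrete, the following is an added example, not code from the article, the WLC or SmartPass: a simplified evaluator for the three rule forms used on this page, run against a few constructed flows from a client that has not yet authenticated, once with the ACL from the example and once with a "permit all IP addresses" variant. Assumptions not stated on the page: rules are matched first-match top-down with an implicit deny at the end, address masks are wildcard masks (a 1 bit means "don't care"), and the client and internet addresses in the flows are made up.

```python
"""Simplified evaluator for the MSS-style web-portal ACL (portalacl).

Added example, not code from the article or from the WLC/SmartPass
products. Assumptions: first-match top-down evaluation with an implicit
deny at the end; wildcard masks where a 1 bit means "don't care"; the
SmartPass address 10.144.121.11 is taken from the article, the client
and internet addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTOS = {"ip", "tcp", "udp", "icmp"}
ANY, ANY_WILD = "0.0.0.0", "255.255.255.255"


@dataclass
class Rule:
    action: str            # "permit", "deny" or "capture"
    proto: str
    src: str
    src_wild: str
    sport: Optional[int]
    dst: str
    dst_wild: str
    dport: Optional[int]


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def in_range(ip: str, addr: str, wild: str) -> bool:
    """Wildcard-mask match: bits set in `wild` are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    diff = int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(addr))
    return diff & care == 0


def parse_rule(line: str) -> Rule:
    """Parse 'set security acl name <acl> permit|deny [proto] src wild [eq p] [dst wild [eq p]] [capture]'."""
    toks = line.split()
    if toks[:4] == ["set", "security", "acl", "name"]:
        toks = toks[5:]                    # drop the prefix and the ACL name
    action = toks.pop(0)
    proto = toks.pop(0) if toks[0] in PROTOS else "ip"
    src, src_wild = toks.pop(0), toks.pop(0)
    sport = dport = None
    if toks and toks[0] == "eq":
        toks.pop(0)
        sport = int(toks.pop(0))
    dst, dst_wild = ANY, ANY_WILD          # a source-only deny means "to anywhere"
    if toks and toks[0] != "capture":
        dst, dst_wild = toks.pop(0), toks.pop(0)
        if toks and toks[0] == "eq":
            toks.pop(0)
            dport = int(toks.pop(0))
    if toks and toks[0] == "capture":
        action = "capture"                 # denied, but redirected to the web portal
    return Rule(action, proto, src, src_wild, sport, dst, dst_wild, dport)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    for r in rules:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if not in_range(flow.src, r.src, r.src_wild) or not in_range(flow.dst, r.dst, r.dst_wild):
            continue
        if r.sport is not None and r.sport != flow.sport:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"                          # implicit deny: dropped, not captured


# The ACL from the article (SmartPass at 10.144.121.11).
PORTAL_ACL = [parse_rule(line) for line in [
    "set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67",
    "set security acl name portalacl permit ip 0.0.0.0 255.255.255.255 10.144.121.11 0.0.0.0",
    "set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture",
]]

# Weak variant: "permit all IP addresses" instead of only the SmartPass host.
WEAK_ACL = [parse_rule(line) for line in [
    "set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67",
    "set security acl name portalacl permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
    "set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture",
]]

# Constructed sample flows from a not-yet-authenticated wired client.
FLOWS = {
    "dhcp-discover": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "portal-login":  Flow("tcp", "10.144.124.50", 51000, "10.144.121.11", 4443),
    "web-browse":    Flow("tcp", "10.144.124.50", 51001, "198.51.100.10", 80),
    "dns-query":     Flow("udp", "10.144.124.50", 51002, "198.51.100.53", 53),
}


def check_flows(rules: List[Rule]) -> dict:
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("portalacl (article)", PORTAL_ACL), ("permit-all variant", WEAK_ACL)):
        print(label)
        for name, action in check_flows(acl).items():
            print(f"  {name:15} -> {action}")
```

With the article's ACL, only DHCP and traffic to the SmartPass host are permitted; web browsing and DNS are captured, which is what triggers the redirect to the portal page. With the permit-all variant the same flows are simply permitted, so the client reaches the network without authenticating and the capture rule is never hit.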
SmartPass Configuration
Configure the WLC as a RADIUS Client on SmartPass.
- Go to SmartPass --> Setup --> Radius Client Settings --> Authorized Radius Clients
- Click on Add button
- Configure the IP Address, the Shared Secret key (it must be the same key as the one configured on the WLC for the SmartPass RADIUS server) and the Vendor type (which should be "Trapeze"):
