Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Archive] [WLC] Configuring wired-authentication with fall-thru authentication of web-portal (web-portal page from SmartPass) and authentication on SmartPass server

0

0
Article ID: KB28254 KB Last Updated: 15 Jun 2020Version: 3.0 Summary:

This article discusses the configuration for wired-authentication using fall-thru authentication of web-portal (web-portal page from SmartPass) and authentication on SmartPass server.

Solution:

Clearing the port type in preparation for wired authentication

  1. Select the port for wired authentication, remove it from any VLANs and make sure it is not configured as an AP port. The port can be reset to its default configuration using the following command:
    WLC# clear port type <port_nr>

  2. Remove the port from one or more VLANs using the following command:
    WLC# clear vlan <vlan_name> port <port_nr>

Configure the WLC for web-portal wired-authentication

WLC Configuration

  1. Configure the SmartPass server as a RADIUS server on WLC. Default port for RADIUS authentication is 1812:
    WLC# set radius server <SP_name> address <SP_IP_address> auth-port <auth_port> deadtime 0 key <secret_key>

  2. Configure a server group and add the configured SmartPass server as a member:
    WLC# set server group <server_group_name> members <SP_name>

  3. Configure the SmartPass as a RADIUS dynamic authorization client (DAC):
    WCL# set radius dac <dac_name> address <SP_IP_address> replay-protect disable

  4. Configure the wired dynamic authorization to the configured RADIUS dynamic authorization client:
    WLC# set authorization dynamic wired <dac_name>

  5. Configure the web wired authentication to the SmartPass server group:
    WLC# set authentication web wired ** <server_group_name>

  6. Configure the VLAN attribute for web-portal-wired users:
    WLC# set user web-portal-wired attr vlan-name <VLAN_name>

  7. Name the port to a descriptive name using the following command:
    WLC# set port <port_nr> name <port_name>

  8. Set the port type, VLAN tag and the fall-thru authentication for web-portal:
    WLC# set port type wired-auth <port_nr> tag <VLAN_tag_nr> auth-fall-thru webportal

  9. The default maximum number of wired clients per port is 1. You can change that using the command:
    WLC# set port type wired-auth <port_nr> max-sessions

  10. Configure the web-portal form (web-portal page from SmartPass server):
    WLC# set port type wired-auth <port_nr> web-portal-form https://<SP_IP_address>:<SP_https_port>/gp2/webportal/ext/webPortalAuthLogin

  11. Configure the ACL and permit all IP addresses or a specific subnet --> SmartPass IP address. Default ACL for web-portal is named portalacl.
    WLC# set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
    WLC# set security acl name portalacl permit ip 0.0.0.0 255.255.255.255 <SP_IP_address> 0.0.0.0
    WLC# set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
    WLC# commit security acl portalacl

    12.  

Example:

WLC-TAC# set radius server 2k8-sp address 10.144.121.11 auth-port 11812 deadtime 0 encrypted-key 03175e08140a35
WLC-TAC# set server group 2k8sp members 2k8-sp
WLC-TAC# set radius dac sp-radius-dac address 10.144.121.11 replay-protect disable encrypted-key 0518030c33495a
WLC-TAC# set vlan 424 name MD424
WLC-TAC# set vlan 424 port 1 tag 424
WLC-TAC# set authentication web wired ** 2k8sp
WLC-TAC# set authorization dynamic wired sp-radius-dac
WLC-TAC# set user web-portal-wired attr filter-id portalacl.in
WLC-TAC# set user web-portal-wired attr vlan-name MD424
WLC-TAC# set port type wired-auth 2 tag 424 max-sessions 1 auth-fall-thru web-portal web-portal-form https://10.144.121.11:4443/gp2/webportal/ext/webPortalAuthLogin
WLC-TAC# set security acl name portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
WLC-TAC# set security acl name portalacl permit ip 0.0.0.0 255.255.255.255 10.144.121.11 0.0.0.0
WLC-TAC# set security acl name portalacl deny 0.0.0.0 255.255.255.255 capture
WLC-TAC# commit security acl portalacl

SmartPass Configuration

Configure the WLC as a RADIUS Client on SmartPass.

  1. Go to SmartPass --> Setup --> Radius Client Settings --> Authorized Radius Clients
  2. Click on Add button
  3. Configure the IP Address, Shared Secret key (must be the same key as the one configured on WLC for the SmartPass server) and the Vendor type (which should be “Trapeze” ):


 
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search