Trapeze Networks Integration Guide Revision 0.9 Date 27 May 2009 Copyright © 2007 amigopod Pty Ltd amigopod Head Office amigopod Pty Ltd Suite 101 349 Pacific Hwy North Sydney, NSW 2060 Australia ABN 74 124 753 420 Web www.amigopod.
Table of Contents
Introduction
Test Environment
Integration
Amigopod Configuration ...
Introduction This document outlines the configuration process on both the Trapeze Networks Mobility Exchanges (MX) and the amigopod appliance to create a fully integrated Visitor Management solution. The solution leverages the captive portal functionality built into the Trapeze Mobility System Software (MSS).
Test Environment The test environment referenced throughout this integration guide is based on a Trapeze MXR2 Mobility Exchange. Although this low-end hardware platform has been used, the testing, and therefore this procedure, is valid for all hardware variants from Trapeze and their OEM partners, as it is the MSS software that provides the integration points with amigopod. The following table shows the software versions used during the integration testing.
Integration Although the MXR-2 MSS supports both internal and external captive portal functionality, this integration guide focuses on the latter, as the internal Web-Portal dictates the use of the internal Login Page resident on the controller itself. That login page is very basic and does not allow the significant customization that is possible with the amigopod Web Logins feature.
Amigopod Configuration The following configuration procedure assumes that the amigopod software or appliance has been powered up and a basic IP configuration has been applied through the setup wizard to allow the administrator to access the Web User Interface.
Step 1 – Create RADIUS NAS for Trapeze Controller In order for the Trapeze controller to authenticate users it needs to be able to communicate with the amigopod RADIUS instance. This step configures the amigopod NAS definition for the Trapeze Controller. The RADIUS key used here needs to be configured exactly the same as what will be configured on the MXR-2 for the RADIUS transactions to be successful. For simplicity we will use a shared secret of wireless.
Step 2 – Restart RADIUS Services A restart of the RADIUS Service is required for the new NAS configuration to take effect. Click the Restart RADIUS Server button shown below and wait a few moments for the process to complete.
Step 3 – Create a Web-Login Page From the RADIUS Services → Web Logins page, select the Trapeze Networks Login entry and click the Edit button. On the RADIUS Web Login page, enter the IP Address of the Trapeze MXR-2 and select the Skin that you would like presented as the branding for the Captive Portal page. Modify the sample HTML in the Header HTML, Footer HTML and Login Message sections to customize the page for your local environment. Click the Save Changes button to commit the changes.
Step 4 – Review the Web Login Captive Portal page Returning to the Web Logins page, select the Trapeze Networks Login entry and click the Test button; the configured captive portal page will be displayed in a new window as shown below: Click the Back button in the web browser to return to the amigopod configuration screen. Note: Make note of the URL presented in the web browser after the Test button has been clicked; it is needed when configuring the redirect on the Trapeze MXR-2.
Trapeze MSS Configuration The following configuration procedure assumes that the Trapeze Mobility Exchange has been powered up and a basic IP configuration has been applied through the Quick Start CLI to allow administrative access. The following table again reviews the IP addressing used in the test environment; this would be replaced with the site-specific details of each customer deployment: MXR-2 IP Address Internet Gateway Address amigopod IP Address amigopod RADIUS port 10.9.4.50 10.9.4.1 10.
Step 1 – Create RADIUS Definition for amigopod From the Trapeze CLI, ensure you are in enable mode by checking for the # suffix on the hostname as shown below: mxr-2# Enter the following two set commands to first create a RADIUS server definition for amigopod, including the IP address and shared secret, and then a server group (called radius in this example) with the new amigopod RADIUS definition as a member. set radius server amigopod address 10.9.4.
Step 2 – Create the Captive Portal service-profile A service profile within the context of the Trapeze configuration represents a set of options that may be configured and deployed on the wireless network. Services define networking specifics such as SSID, authentication type, local or RADIUS authentication, encryption and VLAN mappings.
Step 4 – Enable RADIUS Authentication & Accounting The next step is to enable both RADIUS Authentication and Accounting for the newly created amigopod SSID. This is done by entering the following two set commands from the enable prompt: set authentication web ssid amigopod ** radius set accounting web ssid amigopod ** start-stop radius Please note that if you are not familiar with the ** notation above, refer to the Trapeze documentation regarding User Glob definitions.
Step 6 – Configure Trapeze to redirect new users to amigopod Now that we have created the new amigopod Web-Login in the previous section, we need to configure the MXR-2 to redirect any unauthenticated users to the amigopod so that the login page is displayed. Based on the URL presented in the last section, enter the following set command to configure the redirect process: set service-profile captive-portal web-portal-form http://10.9.4.8/weblogin.
Testing the Configuration Now that the configuration of both the Trapeze Controller and the amigopod solution is complete, the following steps can be followed to verify the setup. Step 1 – Create a test user account Within the amigopod RADIUS Server a test user account can be created using the amigopod Guest Manager. From the Guest Manager menu, select the Create New Guest Account option.
Step 2 – Connect to the amigopod wireless network Using a test laptop with a compatible 802.11-based wireless card, attempt to connect to the advertised amigopod wireless network. The screen capture below shows the interface used on a Windows XP SP2 based laptop. Although the process differs from laptop to laptop depending on the wireless card drivers installed and the operating system in use, the basic premise of connecting to the unsecured Guest Wireless network should be fundamentally the same.
Step 3 – Confirm DHCP IP Address received Using the Windows Command Prompt or the equivalent in the chosen operating system, confirm that a valid IP Address has been received from the DHCP server configured on the Trapeze Controller. Issue the ipconfig command from the Windows Command Prompt to display the IP information received from the DHCP process. By checking the Wireless adaptor you should be able to confirm that an IP Address in the range 10.9.4.x has been received.
Step 4 – Launch Web Browser and login When the web browser on the test laptop is launched, the Trapeze portalacl will automatically capture the session and redirect the user to the amigopod hosted login page as shown below: Enter the test user details recorded in Step 1 above and click the Login button. At this point the test user should be successfully authenticated and allowed to pass through the controller and onto the Internet or Corporate network.
Step 5 – Confirm the login succeeded from Trapeze From the Trapeze CLI, issue the show sessions command again; you will now see the test user name with an asterisk indicating that the user has been successfully authenticated:
mxr-2# show sessions
1 session total
User Name SessID Type Address VLAN AP/Radio
--------------------- ------ ----- ----------------- --------------- ------
cam 4* web 10.9.4.
rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'cam' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.
Step 7 – Check User Experience After successful login the user web browser should be displayed with a holding page informing them that they are about to be redirected to their original requested page (in our example www.amigopod.
Appendix A – Dynamic Authorisation (RFC 3576) The Trapeze Mobility Exchanges have strong built-in support for RFC 3576, an extension of the RADIUS standard that allows RADIUS servers to participate in the dynamic disconnect or reauthorization of authenticated users.
Step 1 – Configure amigopod as a DAC entry Enter the following set command at the enable prompt of the CLI to allow the amigopod on 10.9.4.8 to send RFC 3576 messages to the Trapeze. Please note that the key is the same as the entry configured in Step 1 of the Trapeze configuration, so that it matches the NAS definition on the amigopod. set radius dac amigopod address 10.9.4.
From the Guest Manager → Active Sessions page, as shown below, we can also see the entry for the authenticated wireless user: To disconnect the wireless user, click on the top Active Session entry for your test user (depicted by the coloured wireless icon in the left-hand column) and click the Disconnect button below.
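The disconnect above is carried by an RFC 3576 Disconnect-Request from the DAC (the amigopod) to the NAS (the MXR-2). As an added example, which is not amigopod or Trapeze code, the following Python builds that packet and verifies the Disconnect-ACK or Disconnect-NAK that comes back, using the packet codes and authenticator rules from RFC 3576. The shared secret wireless, the user cam, the NAS address 10.9.4.50 and the Acct-Session-Id come from this guide; the packet identifier is an assumption.

```python
"""Build an RFC 3576 Disconnect-Request and verify the NAS reply.

Added example, not amigopod or Trapeze code. Secret, user, NAS address and
session id are the lab values shown in this guide; the identifier is assumed.
"""
import hashlib
import hmac
import struct

# RFC 3576 packet codes for Dynamic Authorization
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# RADIUS attribute types used to identify the session (RFC 2865 / RFC 2866)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_SESSION_ID = 44


def encode_attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; value must fit in 253 octets."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_disconnect_request(identifier, secret, username, nas_ip, session_id):
    """Return (packet, request_authenticator) for a Disconnect-Request.

    RFC 3576 section 2.3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    """
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + encode_attr(ATTR_ACCT_SESSION_ID, session_id))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """NAS side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(packet, request_authenticator, secret):
    """DAC side: recompute the Response Authenticator and compare in constant time.

    Returns the packet code (ACK or NAK) on success, None if the packet is
    malformed or its authenticator does not match the shared secret.
    """
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


if __name__ == "__main__":
    secret = b"wireless"  # shared secret from Step 1 of the amigopod configuration
    pkt, req_auth = build_disconnect_request(
        7, secret, "cam", "10.9.4.50", "SESS-13-6c470a-609225-67c56c")
    ack = build_response(DISCONNECT_ACK, 7, req_auth, secret)  # what the NAS would send back
    print("Disconnect-Request bytes:", len(pkt))
    print("ACK verified:", verify_response(ack, req_auth, secret) == DISCONNECT_ACK)
```

The packet would be sent over UDP to the NAS on the RFC 3576 default port 3799; a reply whose authenticator fails the check is dropped rather than acted on, so only a peer holding the shared secret can acknowledge or refuse the disconnect.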
Appendix B – Testing additional RADIUS attributes As with all amigopod deployments, User Roles can be configured to implement a wireless policy for each user once they have been authenticated. These role definitions can be made up of both standard RADIUS attributes as per RFC 2865 and Vendor Specific Attributes (VSAs) that enable vendors such as Trapeze to extend their functionality and apply policies based on their value-add features.
These included the following attributes:
• A hard-coded Session-Timeout value to ensure that account durations would be honored.
• An Acct-Interim-Interval, set so that additional accounting information can be drawn from the MX if required for accounting purposes or dynamic billing.
• A Filter-Id, which allows a locally defined ACL on the Trapeze MX to be invoked post authentication, essentially controlling where and what the wireless user can access once authenticated.
Detailed RADIUS Debug rad_recv: Access-Request packet from host 10.9.4.50:20000, id=14, length=117 User-Name = "cam" Calling-Station-Id = "00-40-96-A1-F3-99" Called-Station-Id = "00-0B-0E-90-B8-83:amigopod" NAS-Port = 13 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.9.4.
rlm_sql (sql): Released sql socket id: 1 Sending Access-Accept of id 14 to 10.9.4.50 port 20000 Reply-Message = "Guest" Trapeze-URL = "http://www.amigopod.com" Filter-Id = "post-auth.in" Acct-Interim-Interval = 60 Session-Timeout = 180 rad_recv: Accounting-Request packet from host 10.9.4.
User-Name = "cam" Event-Timestamp = "Dec 31 1999 14:09:48 EST" Trapeze-VLAN-Name = "default" Calling-Station-Id = "00-40-96-A1-F3-99" NAS-Port-Id = "AP1/2" Called-Station-Id = "00-0B-0E-90-B8-83:amigopod" NAS-Port = 13 Framed-IP-Address = 10.9.4.207 Acct-Session-Time = 60 Acct-Output-Octets = 26247 Acct-Input-Octets = 7760 Acct-Output-Packets = 127 Acct-Input-Packets = 636 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.9.4.
Acct-Output-Packets = 196 Acct-Input-Packets = 797 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.9.4.50 NAS-Identifier = "Trapeze" Acct-Delay-Time = 0 rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_postgresql: query: UPDATE radacct SET FramedIPAddress='10.9.4.
AcctTerminateCause='', AcctStopDelay='0', FramedIPAddress='10.9.4.207', ConnectInfo_stop='' WHERE AcctSessionId='SESS-13-6c470a-609225-67c56c' AND UserName='cam' AND NASIPAddress='10.9.4.50' AND AcctStopTime IS NULL rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: affected rows = 1 rlm_sql (sql): Released sql socket id: 2 Sending Accounting-Response of id 18 to 10.9.4.
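The debug trace above is the evidence that the role attributes from Appendix B actually reached the controller. As an added example, which is not amigopod code, the following Python parses FreeRADIUS-style debug output of this shape, checks that every Access-Accept carries the Session-Timeout, Acct-Interim-Interval and Filter-Id attributes the role relies on, and summarises the accounting stop record. The embedded log is constructed from values in this guide; the Acct-Status-Type line and the accounting packet length are assumptions.

```python
"""Check RADIUS debug output for the role attributes described in Appendix B.

Added example, not amigopod code. DEBUG_LOG is constructed from the values in
this guide; the Acct-Status-Type line and the accounting length are assumed.
"""
import re

# Constructed excerpt in FreeRADIUS debug style (values taken from the guide).
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 10.9.4.50:20000, id=14, length=117
        User-Name = "cam"
        Calling-Station-Id = "00-40-96-A1-F3-99"
        Called-Station-Id = "00-0B-0E-90-B8-83:amigopod"
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 10.9.4.50
Sending Access-Accept of id 14 to 10.9.4.50 port 20000
        Reply-Message = "Guest"
        Trapeze-URL = "http://www.amigopod.com"
        Filter-Id = "post-auth.in"
        Acct-Interim-Interval = 60
        Session-Timeout = 180
rad_recv: Accounting-Request packet from host 10.9.4.50:20000, id=18, length=160
        User-Name = "cam"
        Acct-Status-Type = Stop
        Acct-Session-Id = "SESS-13-6c470a-609225-67c56c"
        Framed-IP-Address = 10.9.4.207
        Acct-Session-Time = 60
        Acct-Output-Octets = 26247
        Acct-Input-Octets = 7760
        NAS-IP-Address = 10.9.4.50
"""

# Packet header lines: either a received packet or one being sent.
HEADER_RE = re.compile(
    r"^(?:rad_recv: (?P<in>[\w-]+) packet from host (?P<src>[\d.]+):\d+, id=(?P<id_in>\d+)"
    r"|Sending (?P<out>[\w-]+) of id (?P<id_out>\d+) to (?P<dst>[\d.]+) port \d+)")
# Indented attribute lines: Name = value, with optional quotes around the value.
ATTR_RE = re.compile(r'^\s+(?P<name>[\w-]+) = "?(?P<value>[^"]*)"?\s*$')

# Attributes every Access-Accept must carry for the role policy, with expected type.
REQUIRED_ACCEPT_ATTRS = {"Session-Timeout": int, "Acct-Interim-Interval": int, "Filter-Id": str}


def parse_debug(text):
    """Turn debug text into a list of {code, id, peer, attrs} packets (integers converted)."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append({"code": m.group("in") or m.group("out"),
                            "id": int(m.group("id_in") or m.group("id_out")),
                            "peer": m.group("src") or m.group("dst"),
                            "attrs": {}})
            continue
        m = ATTR_RE.match(line)
        if m and packets:
            value = m.group("value")
            packets[-1]["attrs"][m.group("name")] = int(value) if value.isdigit() else value
    return packets


def check_accept_policy(packets, max_session_timeout=86400):
    """Return findings for Access-Accepts missing a required attribute, carrying it
    with the wrong type, or granting a Session-Timeout above the allowed maximum."""
    findings = []
    for p in packets:
        if p["code"] != "Access-Accept":
            continue
        for name, expected_type in REQUIRED_ACCEPT_ATTRS.items():
            if name not in p["attrs"]:
                findings.append(f"id={p['id']}: missing {name}")
            elif not isinstance(p["attrs"][name], expected_type):
                findings.append(f"id={p['id']}: {name} has unexpected type")
        timeout = p["attrs"].get("Session-Timeout")
        if isinstance(timeout, int) and timeout > max_session_timeout:
            findings.append(f"id={p['id']}: Session-Timeout {timeout} exceeds {max_session_timeout}")
    return findings


def accounting_summary(packets):
    """Map each Accounting-Request stop record to its user, duration and total bytes."""
    summary = {}
    for p in packets:
        if p["code"] == "Accounting-Request" and p["attrs"].get("Acct-Status-Type") == "Stop":
            a = p["attrs"]
            summary[a["Acct-Session-Id"]] = {
                "user": a["User-Name"],
                "seconds": a["Acct-Session-Time"],
                "bytes": a["Acct-Input-Octets"] + a["Acct-Output-Octets"],
            }
    return summary


if __name__ == "__main__":
    parsed = parse_debug(DEBUG_LOG)
    print("policy findings:", check_accept_policy(parsed) or "none")
    print("accounting:", accounting_summary(parsed))
```

Run against a full day of debug output, a non-empty findings list points at a role that was applied without its Session-Timeout or Filter-Id, which is exactly the case where a guest would keep access past the account duration or bypass the post-auth ACL.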