BYOD: Part 2 – Unified WLAN Configuration

This is the second post in a series on the topic of BYOD. This time I will describe the configuration of my Unified WLAN controller, which replaced my MSM controller. I still have my MSM controller in place, but I need to get familiar with the Unified Controllers. As in the first post, I will assume that you have already configured all general settings on the controller so that it works in your network. I did all my testing with the latest firmware version, which is:

version 5.20.109, Release 2507P14 

Before we start, you should have at least one AP configured to test with. With this new firmware it is also possible to auto-deploy the AP without configuring it first. If there is a need, I can create a post on this new feature, which is very useful when deploying large numbers of APs at one time.

With the unified controller we will do the same setup as with the MSM controller, with one exception: all traffic will go through the controller. As the Unified controllers have a lot of bandwidth available, this could be one argument for choosing the unified controller instead of an MSM controller.

The steps to make the controller ready for BYOD are nearly the same as the ones we did with the MSM controller:

  1. create the necessary VLANs
  2. create the SSID
  3. set UAM as the RADIUS server

Let's start with the first point: we need to create the VLANs which are necessary to get the BYOD setup working. I use the same VLANs as with the MSM controller, so I will not explain the function of each VLAN; this can be found in the first post.

Below is the configuration of the VLANs:

vlan 50
 description BYOD_registration
 name BYOD_registration

vlan 51
 description BYOD_Guest
 name BYOD_Guest

For me it is always important to have a description, because without it I lose the information about what the VLAN is used for. This description is also used to assign the VLAN to clients, so make sure that the description is always the same. I use the IMC VLAN Manager for this task.

If you need the traffic to be routed and/or NATed on the controller, you also have to create the VLAN interfaces and the necessary NAT settings. You also have to make sure that the VLANs are permitted on the uplink to the rest of the network.

The first step was quite easy. The next step, creating the SSID, is also easy but needs more sub-steps. Before we create the SSID, we need to create a RADIUS scheme. This scheme holds all information about the RADIUS server. I use the scheme name byod, but feel free to use your own naming convention:

radius scheme byod 
 primary authentication 192.168.1.57 
 primary accounting 192.168.1.57 
 key authentication simple radius_key 
 key accounting simple radius_key 
 user-name-format without-domain 

I think the options are quite simple. 192.168.1.57 is my UAM server, and the last line makes sure that the "@byod" suffix (from the username "[email protected]") is not sent to the RADIUS server. In some scenarios this would make sense, but in this situation it is not needed. The "@byod" is added to every username because we will now create a domain which uses the byod RADIUS scheme for authentication. The configuration is below:

domain byod
 authentication lan-access radius-scheme byod
 authorization lan-access radius-scheme byod
 accounting lan-access radius-scheme byod
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable

All options except the first three are defaults. Later we will use this domain with the SSID to send all authentication requests to the UAM server.

The next step is to create the ESS interface for the SSID:

interface WLAN-ESS0
 description BYOD
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 50 to 51 untagged
 port hybrid pvid vlan 50
 mac-vlan enable
 dot1x mandatory-domain byod
 port-security port-mode mac-authentication

I always use the description to know which SSID is bound to this ESS interface. The interface needs to be a hybrid port. On Comware there are three port types:

  1. access ports – ports which allow only one untagged VLAN
  2. trunk ports – ports which allow only one untagged VLAN and many tagged VLANs
  3. hybrid ports – ports which allow many untagged and tagged VLANs

As we will have clients connected to VLAN 50 and VLAN 51 at the same time, the port needs to be a hybrid port. It always has to be a hybrid port when clients in different untagged VLANs should be supported.

The default VLAN (PVID) is VLAN 50, which is the registration VLAN; only when the user is already registered and authenticated will the user be assigned to VLAN 51.

The next option, "mac-vlan enable", is also mandatory, as the MAC address is used to separate the users from each other and to send the traffic into the correct VLAN.

With "dot1x mandatory-domain byod" we use the byod domain as the authentication domain and ignore any domain suffix that could be provided by the user.

The last line enables MAC authentication on the interface. This is the same as with the MSM controller: MAC authentication is used to authenticate the device, and the UAM portal authenticates the user of the device.

When the ESS interface is created, we can finally create the SSID itself:

wlan service-template 1 clear
 ssid BYOD 
 bind WLAN-ESS 0 
 service-template enable 

In this case the SSID is not encrypted, so it is necessary to create a clear service template. With the first option you set the name of the SSID. The second option binds the service template to the ESS interface which was created before. The last option enables the service template. If you need to change any option in the service template or on the ESS interface, you need to disable the service template first.

The last step is to bind the service template to a radio:

wlan ap msm-460 model MSM460-WW id 1 
 description LAB-AP 
 ap-name LAB-AP 
 serial-id serial_id 
 radio 1 
  service-template 1 
  radio enable 
 radio 2 
  service-template 1 
  radio enable 

On the CLI you have to go to every AP and every radio to configure the service template. On the web GUI this can be done for many APs at the same time. With the new version I am using, you can also do it at group level. I will explain this in another post.

After some seconds, you should see the SSID.

In the next post I will describe the configuration of IMC UAM to finish the setup and to get all the people on.
