This is the second post in a series of posts to the topic of BYOD. This time I will describe the configuration of my Unified WLAN controller, which replaced my MSM controller. I still have my MSM controller in place, but I need to get familiar with the Unified Controllers. As in the first posts, I will assume that you already configured all general settings on the controller to let him work in your network Currently, I did all my testing with the latest firmware version, which is:
version 5.20.109, Release 2507P14
Before we start, you should have configured at least on AP to test with. With this new firmware, it is also possible to auto deploy the AP, without configure it first. If there is the need, I can create a post on this new feature, which is very great when deploying large amounts of AP at one time.
With the unified controller, we will do the same setup as with the MSM controller, with one exception, all traffic will go through the controller. As the Unified controllers have a lot of bandwidth available, this could be one argument, choosing the unified controller, instead of a MSM controller.
The steps, to make the controller ready for BYOD are nearly the same as the ones we did with the MSM controller.
- we will create the necessary VLAN’s
- create the SSID
- set UAM as the radius server
Let’s start with the first point, we need to create the VLAN’s which are necessary to get the BYOD stuff working. I use the same VLAN’s as with the MSM controller, so I will not explain the function of each VLAN, but this can be found in the first post here.
Below is the configuration of the VLAN’s:
vlan 50 description BYOD_registration name BYOD_registration vlan 51 description BYOD_Guest name BYOD_Guest
For me, it is always important to have a description, because without I will lose the information, what the VLAN is used for. This description is also used to assign this VLAN to clients, so make sure, that the description is always the same. I use the IMC VLAN Manager for this task.
If you need the traffic to be routed and/or NATed on the controller, you also have to create the VLAN interfaces and create the necessary NAT settings. Also, you have to make sure, that the VLAN’s are permitted at the uplink to the rest of the network.
The first step was quite easy. The next step, create the SSID, is also easy, but needs more steps. Before we start, creating the SSID, we need to create a radius scheme. This scheme has all information
radius scheme byod primary authentication 192.168.1.57 primary accounting 192.168.1.57 key authentication simple radius_key key accounting simple radius_key user-name-format without-domain
domain byod authentication lan-access radius-scheme byod authorization lan-access radius-scheme byod accounting lan-access radius-scheme byod access-limit disable state active idle-cut disable self-service-url disable domain system access-limit disable state active idle-cut disable self-service-url disable
All options, except the first three, are default. Later, we will use this domain with the SSID to send all authentication requests to the UAM server.
Next step, is to create the ESS interface for the SSID:
interface WLAN-ESS0 description BYOD port link-type hybrid undo port hybrid vlan 1 port hybrid vlan 50 to 51 untagged port hybrid pvid vlan 50 mac-vlan enable dot1x mandatory-domain byod port-security port-mode mac-authentication
I always use the description, to know, which SSID is bind to this ESS interface. The interface needs to be a hybrid port. On Comware, there are 3 ports types:
- access ports – ports, which allow only one untagged VLAN
- trunk ports – ports, which allow only one untagged VLAN and many tagged VLAN’s
- hybrid ports – ports which allow many untagged and tagged VLAN’s
As we will have clients, connected to VLAN 50 and 51 at the same time, the port needs to be a hybrid port. It will be always a hybrid port when clients in different untagged VLAN’s should be supported.
The default VLAN is VLAN 50, which is the registration VLAN and only if the user is already registered and authenticated, the user will be assigned to VLAN 51.
The next option is also mandatory, “mac-vlan”, as the MAC address is used to separate the user from each other and send the traffic in the correct VLAN.
With “dot1x mandatory-domain byod” we use the BYOD domain as the authentication domain and will not use the suffix, which could be provided by the user.
The last point will enable mac authentication on the interface. This is the same as with the MSM controller, mac authentication is used to authenticate the device, and the UAM portal will authenticate the user of the device.
When the ESS interface is created, we can finally create the SSID itself:
wlan service-template 1 clear ssid BYOD bind WLAN-ESS 0 service-template enable
In this case, the SSID is not encrypted, so it is necessary, to create a clear service template. With the first option, you set the name of the SSID. The second option binds the service template to the ESS interface, which was created before. The last option will enable the service template. If you need to change any option in the service template or on the ESS interface, you need to disable the service template first.
The last step would be to bind the service template on a radio:
wlan ap msm-460 model MSM460-WW id 1 description LAB-AP ap-name LAB-AP serial-id serial_id radio 1 service-template 1 radio enable radio 2 service-template 1 radio enable
On the CLI, you have to go to every AP and every radio to configure the service template. On the web GUI, this could be done for many AP’s at the same time. With the new version, which I am using, you can also do it on a group level. I will explain this, in another post.
After some seconds, you should see the SSID.
In the next post, I will describe the configuration of IMC UAM to finish the setup and to get all the people one.