HP Procurve WiFi VLAN configuration using Microsoft IAS

Index
Preface (page 2)
Configuring the Access Point (page 4)
Configuring the switch (page 7)
Configuring Microsoft IAS and some AD groups (page 10)
Quick look at the DHCP setup (page 17)
The wireless client (page 18)
Some Windows XP security and registry hacks (page 21)
Conclusion (page 21)
Johan Engdahl 2007
page 1
Preface
Since this guide covers neither Windows 2003 server nor Radius installation, this
document assumes that you have knowledge in the following areas of expertise:
• Networking security and planning
• Radius setup and configuration
• VLAN techniques and .1q knowledge
This is what we'll be using in this guide:
• HP Procurve 530 ww VLAN aware Access Point
• HP Procurve 2510-24 switch
• Radius server
• Active Directory server
• DHCP server
• Laptop with WiFi capabilities
• Units to act as resources
The purpose of this setup is to tighten and strengthen former wireless network zones
and to deliver the opportunity for our customers to have employees, as well as
visitors, on a mobile basis and still be able to control what resources each user is
entitled to use.
The different steps taking place in the above structure when a mobile unit requests
access to the corporate resources are shown below in a very basic manner.
Configuring the Access Point
The Access Point of choice here is HP Procurve 530 ww. It's easy to configure and
it's VLAN aware, as well as capable of QoS among other things.
VLAN support is always enabled on the access point and cannot be disabled. Traffic
passed to the wired network is tagged with the appropriate VLAN ID, either an
assigned client VLAN ID or the default VLAN ID.
By default the 530 ww is always VLAN aware and supporting .1q tagging directly out
of the box.
The AP is configured to belong to VLAN 1 (Default VLAN) to be able to talk to the
Radius server (mentioned further down).
As you can see there's an entry for Untagged VLAN set to number 2. This entry is
not needed and can be set to any number except one of your VLANs, since our setup
only works with .1q tagged VLANs for security reasons.
The screenshot above shows the SSID which is shown to the mobile units, and this is
also where they connect before they are redirected to the correct VLAN depending on
their permissions. It's worth mentioning that the mobile clients cannot reach any
resources on VLAN 1 unless they are entitled to by their permissions.
The above screenshot simply shows the configuration towards the radius server.
Using standard preferences this is no rocket science, just a matter of entering the
same pre-shared key on both sides.
Configuring the switch
The switch of choice here is HP Procurve 2510-24. It's nice and affordable, with a
reasonable price tag. The switch must of course be configured to match the VLANs of
the rest of the network infrastructure supporting the business-critical resources.
In this guide we will work mainly with four VLANs (the screenshots may show
additional VLANs, but the procedure is the same regardless of the number of VLANs
you decide to configure):
• VLAN 1 (Default VLAN)
• VLAN 1000
• VLAN 1001
• VLAN 1002
Here you can see the three newly created VLANs, 1000 through 1002. By the way,
the menu in HP Procurve is very sweet to work with.
Setting the IP addresses for each VLAN. Not necessary, but I chose to do so to
ease any troubleshooting if needed. You should have an IP address on VLAN 1
though, unless you configure your switches through console cable only.
Now it's time to configure the switch ports. Depending on your network infrastructure
this might look different from my setup.
As you can see from the above screenshot I use port 1 as the uplink towards the AP,
.1q tagging all the VLANs, including the default VLAN (this is why I didn't care about
the untagged setting in the AP configuration earlier on).
In my lab environment I chose to grab the untagged VLANs from this switch on
ports 2 = VLAN 1000, 4 = VLAN 1001 and finally 6 = VLAN 1002, to be delivered
further into the network infrastructure.
Also, my Radius server, the Microsoft IAS, resides on the untagged VLAN 1 grabbed
from port 24 on the switch, together with my Active Directory server. The DHCP server
resides on port 23, .1q tagged for VLANs 1000 through 1002, since my DHCP server
assigns IP addresses according to which NIC the request came from.
Configuring Microsoft IAS and some AD groups
First we need to create one Security Group for each VLAN we intend to have different
permissions for. Easily enough I call them vlan_access_1 & vlan_access_2, as
shown below.
User johan belongs to vlan_access_1 and the user administrator belongs to
vlan_access_2.
Now it's time to configure Microsoft IAS, our Radius server, according to these steps:
1. Define the AP and use the same pre-shared key as the other side
2. Define Access Policies
3. Configure logging and auditing if applicable to your organization
Create a policy as usual, but be aware of the little details mentioned herein.
Be sure to ONLY let Wireless – IEEE 802.11 be the port type, and not in conjunction
with Wireless – OTHER.
This has no effect on the function, but is merely seen as a security measure to
remove everything not wanted or not used.
Also add the policy condition to be met:
Windows-Groups matches “SERVER\Security_Group”
This is in order to be able to filter which users should be directed to which VLANs.
Set IP assignment according to your environment. You might use DHCP from a .1q
tagged server, different IP pools or simply static IPs. I leave this completely in your
hands to decide and manage.
Continue with the EAP configuration. In this guide I chose to work with PEAP, but
you can use smartcards or whatever is your choice.
Don't forget the server certificate or this whole idea will fail. In my case this is a 7 day
certificate issued by SelfSSL, found in the IIS 6 Resource Kit. Very nice to use
in-house or in lab environments.
The server certificate is used by the server to identify itself to the mobile units
before the rest of the authentication process takes place.
This is really the key part making all this work: the Radius server returns VLAN
information to the AP, based on the credentials given at logon and the matching
Security Group in Active Directory containing our users.
For VLAN assignment, the following tunnel attributes are used:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
This results in the AP passing the mobile unit's session on to the VLAN
provided by the information from the Radius server.
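The following Python script is an added example, not part of this guide or of Microsoft IAS. It encodes the three tunnel attributes listed above the way a RADIUS server places them in an Access-Accept (RFC 2868 tag byte plus value), then parses them back the way the AP does, checking Tunnel-Type and Tunnel-Medium-Type before trusting the VLAN ID, and falling back to the default VLAN (None) otherwise. The group-to-VLAN mapping in GROUP_VLAN is an assumption: the guide names vlan_access_1 and vlan_access_2 but does not say which VLAN each group receives.

```python
import struct
# RADIUS tunnel attribute numbers and values from RFC 2868
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type=VLAN (13), as listed in the guide
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type=802 is carried as the integer 6

# Assumed group-to-VLAN mapping; the guide names the groups but not each group's VLAN
GROUP_VLAN = {"SERVER\\vlan_access_1": 1000, "SERVER\\vlan_access_2": 1001}

def vlan_for_groups(groups):
    """Mimic the 'Windows-Groups matches' condition: the first policy that matches
    wins; no match means no VLAN (the request is rejected)."""
    for group, vlan in GROUP_VLAN.items():
        if group in groups:
            return vlan
    return None

def encode_tunnel_attrs(vlan_id, tag=0):
    """Build the three tunnel AVPs (type, length, tag, value) as they appear in an
    Access-Accept: integer attributes carry a 1-byte tag and a 3-byte value."""
    tt = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    tm = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_802.to_bytes(3, "big")
    gid = str(vlan_id).encode()
    tp = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), tag) + gid
    return tt + tm + tp

def parse_attrs(data):
    """Split an attribute blob into {type: value}, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def _untag(value):
    # RFC 2868: a leading byte in 0x00..0x1F is a tag; anything higher is data
    return value[1:] if value and value[0] <= 0x1F else value

def vlan_from_access_accept(data):
    """What the AP does: trust Tunnel-Private-Group-ID only when Tunnel-Type is
    VLAN and Tunnel-Medium-Type is 802; otherwise return None (default VLAN)."""
    attrs = parse_attrs(data)
    if int.from_bytes(_untag(attrs.get(TUNNEL_TYPE, b"")), "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(_untag(attrs.get(TUNNEL_MEDIUM_TYPE, b"")), "big") != TUNNEL_MEDIUM_802:
        return None
    gid = _untag(attrs.get(TUNNEL_PRIVATE_GROUP_ID, b""))
    return int(gid) if gid.isdigit() else None
```

A user in vlan_access_1 therefore yields an Access-Accept that the AP maps to VLAN 1000, while a reply with a wrong medium type or a missing Tunnel-Type leaves the client on the default VLAN.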
Quick look at the DHCP setup
In my case the DHCP server is connected to the network infrastructure by .1q tagged
switch port 23, allowing VLANs 1000 through 1002 to request IP information. For this
purpose there are multiple DHCP scopes defined on the server, and by default the
DHCP server responds (ack) through the same NIC the request came from.
In my scenario, where I use tagged VLANs, every single VLAN has its own unique IP
in the switch configuration. In addition to this I also use IP Helper-Address to point
out my DHCP server from each VLAN.
Layer 3 switches can handle routing to some extent, but if you lack that option you'll
simply have to provide suitable routing one way or another.
The wireless client
Now you have to excuse me for using screenshots from a Swedish Windows XP
client, but that was the only one I could get my hands on.
I'll translate for you and besides, the dialogue windows are all the same anyway.
Yet again I want to state that the information below is completely dependent on which
kind of authentication method you choose: Smartcards, Certificates or PEAP.
The information below reflects my environment, for which this infrastructure was
created.
This is the SSID we want to establish a session with in order to reach our resources
on the corporate network. This screenshot shows the status Connected for the time
being, but should of course be in Connect to state.
Click Properties just beneath the window showing the SSID.
Have a look at the Authentication tab of that properties window. Choose EAP-type:
Secure EAP (PEAP). Be sure to deselect the boxes below.
Click Properties just below the EAP-type box.
Be sure to deselect Confirm server certificate since this is our own homebrewed
certificate.
Make sure the authentication method is Secure password (EAP-MSCHAP v2).
Click Configure to the right of the authentication method box.
Deselect the checkbox Use the same username, password and Windows domain
text.
Some Windows XP security and registry hacks
Now we are set up for connection and it should work flawlessly. However, there is
one troublesome issue with Windows XP, namely that the operating system saves
the PEAP credentials, making the unit reconnect to the wireless network next time
without asking for the credentials.
In my opinion this is a major security issue and must be resolved. Luckily we can
solve this issue rather smoothly by removing the registry key containing our
credentials. One idea might be doing this by a GPO after successful login; another
idea is to have a script locally on the unit that triggers when the session is terminated.
Or you can simply have the user remove the key themselves.
Open Regedit and remove this key:
HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo
To delete a registry key with a .reg file, put a hyphen (-) in front of the RegistryPath in
the .reg file. For example, to remove our registry key make a .reg file containing:
[-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]
This will have immediate impact and won't require a system reboot.
Conclusion
This solution is one of many on the market, but I was given the assignment to come
up with a solution for nomad users using only HP equipment with moderate price tags
and Active Directory.
This solution is absolutely adequate for both smaller companies as well as larger
enterprises, but bear in mind that the equipment must be capable of handling the
amount of traffic it's supposed to handle, meaning you shouldn't always let your wallet
speak.
To summarize and wrap up: this works nicely, and with tight security as well.