Slide 1: Altai Super WiFi. Altai Certification Training: Backend Network Planning. Professional Services, Altai Technologies Limited (www.altaitechnologies.com). Not for Distribution – Altai Confidential.

Slide 2: Module Outline
• Service Controller Solution
  – Layer 2 Network Deployment Scenario
  – Layer 3 Network Deployment Scenario
• A3 ACS Solution

Slide 3: Service Controller Solution
• A RADIUS server or Active Directory already present in the network is used as the authentication server.
• Multiple SSIDs serve different groups of clients, e.g. staff and guests.
• Each group of clients is allowed to reach only specific network subnets.
• A different authentication method can be applied to each SSID.

Slide 4: Layer 2 Network Deployment Scenario
• Deployment scenario: an enterprise with one or several buildings whose network is built on Layer 2 connectivity.
• Solution 1: the SC Internet port acts as the network backhaul and the SC LAN port connects to the APs.
• Solution 2: a single SC port acts as the network backhaul, carrying the backhaul VLANs and the AP-side VLANs as one trunk.
Slide 5: Layer 2 Network Design
• Intranet for staff: ingress VLAN 1, egress VLAN 10, client IP subnet 192.168.1.x; AD or RADIUS authentication; allowed to access the intranet and the internet.
• Internet for guests: ingress VLAN 2, egress VLAN 10, client IP subnet 192.168.2.x; SC local accounts; HTML authentication.

Slide 6: Layer 2 Network Solution I (diagram)
• Backhaul side: Intranet, Router, Firewall, Internet; DHCP server and RADIUS server on VLAN 10; Active Directory on VLAN 20.
• Service Controller: the Internet port carries VLAN 10 & 20 (backhaul); the LAN port carries VLAN 1 & 2 toward the APs.
• VLAN switch on the LAN side carries VLAN 1, 2, 100; Management Server on VLAN 100.
• Altai AP on a trunk port (VLAN 1, 2, 100): SSID_Intranet on VLAN 1 (192.168.1.x), SSID_Internet on VLAN 2 (192.168.2.x), Management SSID on VLAN 100 (192.168.100.x).

Slide 7: Layer 2 Network Solution II (diagram)
• Backhaul side: Intranet, Router, Firewall, Internet; DHCP server and RADIUS server on VLAN 10; Active Directory on VLAN 20; Management Server on VLAN 100.
• One VLAN switch carries the network VLANs 10, 20 together with the client VLANs; Service Controller egress VLAN 10 & 20, ingress VLAN 1 & 2.
• SC port on the switch (trunk): VLAN 1, 2, 10, 20, 100. AP port on the switch (trunk): VLAN 1, 2, 100.
• Altai AP on a trunk port (VLAN 1, 2, 100): SSID_Intranet on VLAN 1 (192.168.1.x), SSID_Internet on VLAN 2 (192.168.2.x), Management SSID on VLAN 100 (192.168.100.x).

Slide 8: Layer 2 Active Directory authentication procedure
Participants: User, AP, Service Controller, AD Server, DHCP server.
1. The user associates with the wireless network (AP).
2. User → AP: EAPOL-Start.
3. AP → User: EAP Request/Identity.
4. User → AP: EAP Response/Identity; the AP redirects the request to the Service Controller.
5. SC → AD Server: EAP Response/Identity over AD.
6. AD Server → SC: EAP request over AD; SC → User (via the AP): EAP request.
7. User → SC: EAP response; SC → AD Server: EAP response over AD.
8. AD Server → SC: EAP success over AD together with the user configuration; SC → User: EAP success.
9. User → DHCP server: DHCP request.
10. DHCP server → User: DHCP response; the IP address is sent back to the user.

Slide 9: Layer 2 HTML authentication procedure
Participants: User, AP, Service Controller (local accounts), DHCP server.
1. The user associates with the wireless network (AP).
2. The user sends a DHCP request; the AP redirects it to the DHCP server, which responds, and the IP address is sent back to the user.
3. The user attempts to browse a web site; the AP redirects the request to the Service Controller, the request is intercepted and the login page is returned.
4. The user logs in; the login information is sent to the SC for authentication against its local accounts.
5. Login approved; the user configuration settings are returned.
6. The transport page is sent; the transport page requests the session and welcome pages, which are sent to the user.

Slide 10: Layer 3 Network Deployment Scenario
• Deployment scenario: a university or enterprise with multiple buildings connected at Layer 3.
• Solution 1: two buildings are connected to each other at Layer 3 (traffic is forwarded by IP address). Since the SC communicates with APs only over VLANs, an SC has to be deployed in every building in this case.
• Solution 2: two buildings are connected by a tunnel that carries VLANs. In this case only one Service Controller is needed for the entire network.
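The VLAN layout of slides 5 to 7 and the Layer 3 constraint of slide 10 can be checked mechanically before a deployment. The script below is an added example, not Altai software: it encodes the rules the slides state (each SSID's ingress VLAN is trunked on the AP side of the SC and its egress VLAN on the backhaul side, the two sides are never bridged, a client SSID never rides the management VLAN, a local-account/HTML SSID is not allowed into the intranet, and an SC can only serve an AP it shares a Layer 2 VLAN with) and reports violations. The field names, the split of the SC into an `ap_port` and a `backhaul_port`, and the `l2_domain` label are this script's own assumptions.

```python
"""Consistency checker for the Service Controller VLAN design in these slides.

Added example, not Altai software.  Encodes the rules the slides state:
each SSID has an ingress VLAN on the AP side and an egress VLAN on the
backhaul side of the SC (slides 5 to 7), and an SC can only serve an AP it
shares a VLAN with, so a Layer 3 boundary needs another SC or a tunnel
(slide 10).  Field names, the ap_port/backhaul_port split and the
'l2_domain' label are this script's own assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network

MGMT_VLAN = 100  # management SSID / management server VLAN (slides 6 and 7)


@dataclass(frozen=True)
class Ssid:
    name: str
    ingress_vlan: int      # client VLAN between AP and SC (untrusted side)
    egress_vlan: int       # VLAN the SC forwards authenticated traffic onto
    subnet: str            # client IP subnet, e.g. "192.168.1.0/24"
    auth: str              # "ad", "radius" or "html" (SC local account)
    allowed: frozenset     # {"intranet", "internet"} as on the design slides


@dataclass(frozen=True)
class Controller:
    name: str
    l2_domain: str         # buildings joined only by routing are separate domains
    ap_port: frozenset     # VLANs trunked toward the APs
    backhaul_port: frozenset  # VLANs trunked toward router, AD and RADIUS


@dataclass(frozen=True)
class AccessPoint:
    name: str
    l2_domain: str
    trunk: frozenset       # VLANs on the AP's trunk port
    ssids: tuple           # Ssid objects broadcast by this AP


def check_controller(sc, ssids):
    """Return a list of findings; an empty list means the design is consistent."""
    findings = []
    for s in ssids:
        if s.ingress_vlan not in sc.ap_port:
            findings.append(f"{s.name}: ingress VLAN {s.ingress_vlan} missing from {sc.name} AP port")
        if s.ingress_vlan in sc.backhaul_port:
            findings.append(f"{s.name}: ingress VLAN {s.ingress_vlan} bridged to backhaul, clients bypass the SC")
        if s.egress_vlan not in sc.backhaul_port:
            findings.append(f"{s.name}: egress VLAN {s.egress_vlan} missing from {sc.name} backhaul port")
        if s.egress_vlan in sc.ap_port:
            findings.append(f"{s.name}: egress VLAN {s.egress_vlan} exposed toward the APs")
        if s.ingress_vlan == MGMT_VLAN:
            findings.append(f"{s.name}: client SSID placed on the management VLAN")
        if s.auth == "html" and "intranet" in s.allowed:
            findings.append(f"{s.name}: local-account/HTML SSID allowed into the intranet")
    # Two SSIDs may share an egress VLAN (slide 5: both use VLAN 10) only if
    # their client subnets do not overlap; with separate egress VLANs the
    # same subnet may be reused, as in the ASTRI case study.
    for i, a in enumerate(ssids):
        for b in ssids[i + 1:]:
            if a.egress_vlan == b.egress_vlan and ip_network(a.subnet).overlaps(ip_network(b.subnet)):
                findings.append(f"{a.name}/{b.name}: same egress VLAN with overlapping client subnets")
    return findings


def serving_controller(ap, controllers):
    """Slide 10: the SC reaches an AP only over shared VLANs, so it must be in the
    same Layer 2 domain and carry every ingress VLAN the AP's SSIDs use."""
    needed = {s.ingress_vlan for s in ap.ssids}
    if not needed <= ap.trunk:
        return None
    for sc in controllers:
        if sc.l2_domain == ap.l2_domain and needed <= sc.ap_port:
            return sc.name
    return None


# Slides 5 to 7: Layer 2 design with the Solution II port layout
STAFF = Ssid("SSID_Intranet", 1, 10, "192.168.1.0/24", "ad", frozenset({"intranet", "internet"}))
GUEST = Ssid("SSID_Internet", 2, 10, "192.168.2.0/24", "html", frozenset({"internet"}))
SC1 = Controller("SC1", "building1", frozenset({1, 2, 100}), frozenset({10, 20}))
AP1 = AccessPoint("AP1", "building1", frozenset({1, 2, 100}), (STAFF, GUEST))

# Slides 11 and 12: Building 2 behind a Layer 3 boundary, own VLANs 3, 4 (egress 30, 40 per the diagram)
STAFF2 = Ssid("SSID_Intranet", 3, 30, "192.168.3.0/24", "ad", frozenset({"intranet", "internet"}))
GUEST2 = Ssid("SSID_Internet", 4, 30, "192.168.4.0/24", "html", frozenset({"internet"}))
SC2 = Controller("SC2", "building2", frozenset({3, 4}), frozenset({30, 40}))
AP2 = AccessPoint("AP2", "building2", frozenset({3, 4}), (STAFF2, GUEST2))

if __name__ == "__main__":
    print(check_controller(SC1, (STAFF, GUEST)))   # []
    print(serving_controller(AP2, [SC1]))           # None: no shared VLAN across the Layer 3 boundary
    print(serving_controller(AP2, [SC1, SC2]))      # SC2
```

With the tunnel of Layer 3 Solution II the two buildings become one `l2_domain`, and `serving_controller` then returns the single SC for both APs; without it the Building 2 AP has no controller, which is the reason slide 10 gives for one SC per building.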
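The two login procedures of slides 8 and 9 as a runnable walk-through. This is an added example, not Altai code: the directory entries, local accounts, portal address and the user configuration handed back on success are constructed, while the message names follow the slides. What it shows beyond the sequence diagrams is the ordering difference between the two SSIDs: on the 802.1X SSID no address is issued before EAP Success, whereas on the HTML SSID the client is addressed first and is only intercepted when it tries to browse.

```python
"""Walk-through of the two Service Controller login procedures (slides 8 and 9).

Added example, not Altai code.  Directory entries, local accounts and the user
configuration handed back on success are constructed; message names follow
the slides.  It shows the ordering the sequence diagrams imply: on the 802.1X
SSID no address is issued before EAP Success, while on the HTML SSID the
client is addressed first and is only intercepted when it tries to browse.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional

AD_USERS = {"alice": ("S3cret!", "staff")}       # identity -> (password, group); constructed
LOCAL_ACCOUNTS = {"guest01": "welcome"}          # SC local accounts for the guest SSID; constructed
USER_CONFIG = {                                  # returned with EAP Success / login approval
    "staff": {"egress_vlan": 10, "allowed": frozenset({"intranet", "internet"})},
    "guest": {"egress_vlan": 10, "allowed": frozenset({"internet"})},
}
LOGIN_URL = "https://sc.example/login"           # assumed portal address


@dataclass
class Client:
    mac: str
    ssid: str                    # "SSID_Intranet" (802.1X) or "SSID_Internet" (HTML)
    state: str = "associated"    # associated -> authenticated, or rejected
    ip: Optional[str] = None
    config: Optional[dict] = None
    log: list = field(default_factory=list)


def _same(a, b):
    """Constant-time comparison so a wrong password is not timing-distinguishable."""
    return hmac.compare_digest(a.encode(), b.encode())


class ServiceController:
    def __init__(self):
        self._next_host = {"SSID_Intranet": 10, "SSID_Internet": 10}

    def dot1x(self, c, identity, password):
        """Slide 8: the AP relays EAP to the SC, the SC relays it to AD."""
        c.log += ["EAPOL start", "EAP Request/Identity", "EAP Response/Identity",
                  "EAP Response/Identity over AD", "EAP request over AD", "EAP request",
                  "EAP response", "EAP response over AD"]
        record = AD_USERS.get(identity)
        if record is None or not _same(record[0], password):
            c.log.append("EAP failure")
            c.state = "rejected"
            return False
        c.log += ["EAP success over AD and user configuration", "EAP success"]
        c.config, c.state = USER_CONFIG[record[1]], "authenticated"
        return True

    def dhcp(self, c):
        """802.1X SSID: DHCP passes only once the port is authorised.
        HTML SSID: the client gets an address before it has logged in."""
        if c.ssid == "SSID_Intranet" and c.state != "authenticated":
            c.log.append("DHCP request dropped (port unauthorised)")
            return None
        host = self._next_host[c.ssid]
        self._next_host[c.ssid] += 1
        prefix = "192.168.1." if c.ssid == "SSID_Intranet" else "192.168.2."
        c.ip = prefix + str(host)
        c.log += ["DHCP request", "Response DHCP request", "Send IP address back"]
        return c.ip

    def http(self, c, url):
        """Slide 9: an unauthenticated portal client is intercepted and sent the login page."""
        if c.ssid == "SSID_Internet" and c.state != "authenticated":
            c.log += ["Request is intercepted", "Login page is returned"]
            return 302, LOGIN_URL
        if c.state != "authenticated":
            return 403, None
        return 200, url

    def portal_login(self, c, user, password):
        """Slide 9: login info checked against the SC local accounts."""
        if user not in LOCAL_ACCOUNTS or not _same(LOCAL_ACCOUNTS[user], password):
            c.log.append("Login rejected")
            return False
        c.log += ["Login approved, user configuration returned", "Transport page is sent",
                  "Session and Welcome pages are sent"]
        c.config, c.state = USER_CONFIG["guest"], "authenticated"
        return True


def staff_session():
    sc = ServiceController()
    c = Client("aa:bb:cc:00:00:01", "SSID_Intranet")
    early = sc.dhcp(c)                    # None: no address before EAP Success
    sc.dot1x(c, "alice", "S3cret!")
    sc.dhcp(c)
    return early, c


def guest_session():
    sc = ServiceController()
    c = Client("aa:bb:cc:00:00:02", "SSID_Internet")
    sc.dhcp(c)                            # addressed first ...
    status, target = sc.http(c, "http://example.org/")   # ... but held at the portal
    sc.portal_login(c, "guest01", "welcome")
    return status, target, c
```

`staff_session()` and `guest_session()` return the client objects, whose `log` lists reproduce the message order of the two slides. The guest path is the one to watch in a design review: between the DHCP response and the login approval the client already holds an address on ingress VLAN 2, so everything it may reach in that window has to be limited to DHCP, DNS and the portal itself.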
Slide 11: Layer 3 Network Design Solution I
Building 1
• Intranet for staff: ingress VLAN 1, egress VLAN 10, client IP subnet 192.168.1.x; AD or RADIUS authentication; allowed to access the intranet and the internet.
• Internet for guests: ingress VLAN 2, egress VLAN 10, client IP subnet 192.168.2.x; SC local accounts; HTML authentication.
Building 2
• Intranet for staff: ingress VLAN 3, egress VLAN 10, client IP subnet 192.168.3.x; AD or RADIUS authentication; allowed to access the intranet and the internet.
• Internet for guests: ingress VLAN 4, egress VLAN 10, client IP subnet 192.168.4.x; SC local accounts; HTML authentication.
(The Solution I diagram on the next slide gives the Building 2 controller its own egress VLANs 30 and 40.)

Slide 12: Layer 3 Network Solution I (diagram)
• Backhaul side shared by both buildings: Intranet, Firewall, Internet, DHCP server, RADIUS server; Router on VLAN 10 & 30; Active Directory on VLAN 20 & 40.
• Building 1: Service Controller egress VLAN 10 & 20, ingress VLAN 1 & 2; VLAN switch with network VLANs 10, 20; SC port (trunk) VLAN 1, 2, 10, 20; AP port (trunk) VLAN 1, 2; Altai AP trunk VLAN 1, 2: SSID_Intranet on VLAN 1 (192.168.1.x), SSID_Internet on VLAN 2 (192.168.2.x).
• Building 2: Service Controller egress VLAN 30 & 40, ingress VLAN 3 & 4; VLAN switch with network VLANs 30, 40; SC port (trunk) VLAN 3, 4, 30, 40; AP port (trunk) VLAN 3, 4; Altai AP trunk VLAN 3, 4: SSID_Intranet on VLAN 3 (192.168.3.x), SSID_Internet on VLAN 4 (192.168.4.x).

Slide 13: Layer 3 Solution I Authentication
Participants: User, AP, Service Controller in Building 1, AD Server, DHCP server. The exchange is the same as on slide 8:
1. The user associates with the wireless network; EAPOL-Start; EAP Request/Identity; EAP Response/Identity, redirected by the AP to the Service Controller in Building 1.
2. SC → AD Server: EAP Response/Identity over AD; EAP request over AD and EAP request to the user; EAP response from the user and EAP response over AD.
3. AD Server → SC: EAP success over AD together with the user configuration; SC → User: EAP success.
4. DHCP request; DHCP response; the DHCP server sends the IP
address back to the user (Building 1 for example).

Slide 14: Case study: ASTRI Deployment (diagram)
• Backhaul side: Intranet, Firewall, Internet; Router on VLAN 10; Active Directory on VLAN 20.
• VLAN switch with network VLANs 10, 20; Service Controller egress VLAN 10 & 20, ingress VLAN 1 & 2; SC port (trunk) VLAN 1, 2, 10, 20; the SC's DHCP server hands out 192.168.0.x; AP port (trunk) VLAN 1, 2.
• Altai AP trunk VLAN 1, 2: SSID_Intranet on VLAN 1 (192.168.0.x, AD authentication), SSID_Internet on VLAN 2 (192.168.0.x, HTML authentication).

Slide 15: Wireless Network
SSID     | Target clients | VLAN | Authentication   | Encryption
Intranet | Staff          | 1    | Active Directory | WPA/WPA2
Internet | Guest          | 2    | Captive Portal   | WPA-PSK

Slide 16: VLAN Network
SSID     | VLAN_Ingress | VLAN_Egress | Client IP address | Colubris interface IP address
Intranet | 1            | 10          | 192.168.0.x       | 10.6.11.2
Internet | 2            | 20          | 192.168.0.x       | 10.6.12.2

Configuration screenshots (slides 17 to 23): Network configuration, ingress VLAN; Network configuration, egress VLAN; Network ports; DHCP server (1); DHCP server (2); DNS; Check IP routers.
Configuration screenshots (slides 24 to 36): Join Active Directory; AD group configuration; Add RADIUS secret; Account Profiles (1); Account Profile (2); User account (1); User account (2); Access List; VSC AD authentication (1); VSC AD authentication (2); VSC AD authentication (3); VSC HTML authentication (1); VSC HTML authentication (2).

Slide 37: Layer 3 Network Design Solution II
• Intranet for staff: ingress VLAN 1, egress VLAN 10, client IP subnet 192.168.1.x; AD or RADIUS authentication; allowed to access the intranet and the internet.
• Internet for guests: ingress VLAN 2, egress VLAN 10, client IP subnet 192.168.2.x; SC local accounts;
HTML authentication.

Slide 38: Layer 3 Network Solution II (diagram)
• Backhaul side: Intranet, Firewall, Internet, DHCP server, RADIUS server; Router on VLAN 10 & 30; Active Directory on VLAN 20 & 40.
• One Service Controller: egress VLAN 10 & 20, ingress VLAN 1 & 2; VLAN switch with network VLANs 10, 20; SC port (trunk) VLAN 1, 2, 10, 20; AP port (trunk) VLAN 1, 2.
• The buildings are joined by multiple Layer 3 tunnels that carry the client VLANs, so the Altai APs in both buildings use the same trunk VLANs 1, 2: SSID_Intranet on VLAN 1 (192.168.1.x), SSID_Internet on VLAN 2 (192.168.2.x).

Slide 39: Layer 3 Solution II Authentication (Building 1 for example)
Participants: User, AP, Service Controller, AD Server, DHCP server. The exchange is the same as on slide 8; the EAP frames between the AP and the Service Controller cross the Layer 3 tunnel:
1. The user associates with the wireless network; EAPOL-Start; EAP Request/Identity; EAP Response/Identity, redirected by the AP to the Service Controller through the tunnel.
2. SC → AD Server: EAP Response/Identity over AD; EAP request over AD and EAP request to the user; EAP response from the user and EAP response over AD.
3. AD Server → SC: EAP success over AD together with the user configuration; SC → User: EAP success.
4. DHCP request; DHCP response; the IP address is sent back to the user.

Slide 40: Case Study: Operator Network, Deployment Solution (diagram)
• Access side: WiFi AP (switch mode) with GE wireless backhaul to multiple access points; Ethernet to a Tunneling Router; Ethernet to a Standard DSL Modem/Router; ADSL to the DSLAM.
• Transport: DSLAM to BAS over the Metro Ethernet Network; IP service with PPPoE (Internet or MPLS VPN); a tunnel runs between the access-side Tunneling Router and a second Tunneling Router in front of the Controller.
• Core: Controller, AAA, IP backbone, Internet.
• Open question on the slide: tunnel between AP and Controller?

Slide 41: Altai A3 ACS Solution
• Deployment scenario: hotzone; the whole network solution can be in one box.
• A RADIUS server in the existing network, or MAC authentication, serves as the authentication server; no integration with an Active Directory server is needed.
• 3G can be used as backhaul.
• Roaming across A3s is not supported.
• A local database is supported.
• Multiple SSIDs serve different groups of clients, such as staff and guests.
• Each group of clients is allowed to reach only specific network subnets.
• A different authentication method can be applied to each SSID.

Slide 42: ACS Network Design Solution
• Intranet for staff: Intranet ACS Profile; client IP subnet 192.168.0.x; RADIUS authentication; HTML authentication; allowed to access the intranet and the internet.
• Internet for guests: Internet ACS Profile; client IP subnet 192.168.0.x; MAC authentication; allowed to access the internet only.

Slide 43: Altai A3 Access Control System (diagram)
• Network: Web Server, DHCP server, RADIUS server, Firewall, Router, Internet, Switch; A3 in Gateway Mode.
• ACS Profiles: SSID_Intranet uses the Intranet ACS Profile; SSID_Internet uses the Internet ACS Profile.

Slide 44: ACS User Login Procedure (screenshot)

Slide 45: Case Study: Hotspot Operator ACS Profile Configuration (diagram)
• A3 in Gateway Mode (10.6.127.200) with the built-in DHCP server 192.168.0.1; 3G backhaul to the 3G network.
• Remote RADIUS server and Web Server at the Hotspot Operator NOC.
• SSIDs: SSID_HTMLAuth and SSID_MACAuth.

Slide 46: Hotspot Operator Network Illustration
• A 3G dongle is the network backhaul.
• The A3 built-in DHCP server is enabled.
• A remote RADIUS server handles authentication and accounting for internal clients.
• A remote web server serves the login page used for RADIUS (HTML) authentication.
• Access control lists define the different network access for the different kinds of clients.
• Local accounts are used for MAC authentication of clients that may only access the internet.

Configuration screenshots (slides 47 to 55): ACS Profile; Local Account; RADIUS Server; Access Rules (1); Access Rules (2); Access Rules Profile; HTMLAuth Profile; MACAuth Profile; Export ACS profile.
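The access control the ACS slides describe (slides 42 and 46: staff reach the intranet and the internet, MAC-authenticated guests reach the internet only, and every client must reach DHCP/DNS and the login web server before it has authenticated) written out as an ordered, first-match rule set per profile. This is an added example, not the A3's own rule engine: the rule format, the before/after-login staging, the default-deny behaviour, the login web server address 203.0.113.10 and the MAC allow-list are assumptions of this script.

```python
"""Access-rule evaluation for the two A3 ACS profiles of slides 42 and 46.

Added example, not the A3's rule engine.  The rule format, the before/after
login staging, first-match with default deny, the login web server address
and the MAC allow-list are assumptions; the slides state only the outcome:
staff reach intranet and internet, MAC-authenticated guests the internet only,
and every client must reach DHCP/DNS and the login page before authenticating.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

A3_GATEWAY = "192.168.0.1"       # A3 built-in DHCP/DNS (slide 45)
LOGIN_WEB = "203.0.113.10"       # assumed address of the remote login web server
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
MAC_ALLOWLIST = {"aa:bb:cc:dd:ee:01"}   # A3 local accounts for MAC authentication; constructed


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    stage: str                   # "pre" (before login), "post" (after) or "any"
    dst: str                     # destination network in CIDR notation
    ports: frozenset = frozenset()   # empty means any destination port

    def matches(self, authenticated, dst_ip, dst_port):
        stage = "post" if authenticated else "pre"
        return (self.stage in ("any", stage)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.ports or dst_port in self.ports))


# Before login a client may reach only the gateway's DHCP/DNS and the login page.
PRE_AUTH = [
    Rule("allow", "pre", A3_GATEWAY + "/32", frozenset({53, 67})),
    Rule("allow", "pre", LOGIN_WEB + "/32", frozenset({80, 443})),
    Rule("deny", "pre", "0.0.0.0/0"),
]
# Intranet ACS Profile: RADIUS/HTML-authenticated staff, intranet and internet.
INTRANET_PROFILE = PRE_AUTH + [Rule("allow", "post", "0.0.0.0/0")]
# Internet ACS Profile: MAC-authenticated guests, internet only.  The private
# ranges are denied before the final allow so the order cannot be misread.
INTERNET_PROFILE = (PRE_AUTH
                    + [Rule("deny", "post", p) for p in PRIVATE]
                    + [Rule("allow", "post", "0.0.0.0/0")])


def authenticated(auth, mac, logged_in=False):
    """MAC-auth clients are authorised at association from the local account list;
    RADIUS/HTML clients only after a successful portal login."""
    if auth == "mac":
        return mac.lower() in MAC_ALLOWLIST
    return logged_in


def evaluate(profile, is_authenticated, dst_ip, dst_port):
    """First matching rule wins; a packet that matches nothing is dropped."""
    for rule in profile:
        if rule.matches(is_authenticated, dst_ip, dst_port):
            return rule.action == "allow"
    return False


def decide(profile, auth, mac, dst_ip, dst_port, logged_in=False):
    """Full decision for one flow: who the client is, then what the profile allows."""
    return evaluate(profile, authenticated(auth, mac, logged_in), dst_ip, dst_port)
```

MAC authentication only identifies an address the client chooses to present, which is why the design on slide 46 limits MAC-authenticated clients to the internet. Keeping the private-range denies ahead of the final allow in the Internet profile means that adding a rule at the end, the usual way a profile grows, cannot silently open the intranet to guests.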