Dell PowerConnect W Clearpass 100 Software D-Link DSA-3600 Integration Guide
Dell PowerConnect W Clearpass 100 Software manual content summary:
- Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 1
D-Link DSA-3600 Integration Guide Revision 0.9 Date 15th December 2009 Copyright © 2007 amigopod Pty Ltd amigopod Head Office amigopod Pty Ltd Suite 101 349 Pacific Hwy North Sydney, NSW 2060 Australia ABN 74 124 753 420 Web www.amigopod.com Phone +61 2 8669 1140 Fax +61 7 3009 0329 - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 2
18! Step 4 - Enable Authentication on Default Service Zone 20! Step 5 - Define Login Page External Destination 22! Step 6 - Apply Access Policy to all Guest Users (Optional 24! Testing the Configuration...25! Step 1 - Create a test user account 25! Step 2 - Confirm DHCP IP Address received - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 3
on both the D-Link Multi-Service Business Gateways and the amigopod appliance of authentication to use and requires no software installation or configuration on the client. The The following table outlines the D-Link Gateways that have been tested with the amigopod solution by either a partner or the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 4
referenced throughout this integration guide is based on a D-Link DSA3600 Multi-Service Business Gateway. Although this low end hardware platform has been used, the testing and therefore this procedure is valid for all DSA hardware variants from D-Link as it is the DSA software that is providing the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 5
test lab topology: Integration Although the D-Link DSA-3600 supports both internal and external Captive portal functionality, this integration guide reference external RADIUS servers for the authentication and accounting of visitor accounts. In the standalone DLink ONDEMAND Guest provisioning - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 6
Service Zone IP Address Internet Gateway Address amigopod IP Address amigopod RADIUS port 10.0.20.166 192.168.1.1 10.0.20.1 10.0.20.54 Auth 1812 Acc 1813 (default settings) Please refer to the amigopod Quick Start Guide for more information on the basic configuration of the amigopod software - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 7
a shared secret of wireless. Please note this as it will be required in the first step of the D-Link DSA-3600 configuration. From the RADIUS Services > Network Access Servers screen click on the Create button to add a new NAS device. Enter the IP Address of the D-Link DSA-3600 Gateway, set - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 8
Step 2 - Restart RADIUS Services A restart of the RADIUS Service is required for the new NAS configuration to take effect. Click the Restart RADIUS Server button shown below and wait a few moments for the process to complete. CONFIDENTIAL 8 - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 9
IP Address of the D-Link DSA-3600 and a URL suffix defined by D-Link to be: /loginpages/userlogin.shtml In the Lab network design, the Default Service Zone is being used for the basis of all subsequent configurations and therefore the default IP address used by D-Link on this interface is 192 - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 10
Ensure the Submit Method is set to POST. By default the D-Link DSA-3600 uses port 80 for unsecured HTML authentication and 443 for secure HTML authentication. Via the System > General settings on the D-Link DSA-3600 all web login traffic can be configured to use HTTPS (port 443) and therefore provide - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 11
Access then the expectation would be that all transactions would be secure and protected by a https session. On the other hand if you are running a Free Hotspot this may not be as much of a concern. Make sure you select the Skin that you would like presented as the branding for the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 12
the Web Logins page, select the D-Link Web Login entry and Click the Test button and in a new window the configured captive portal page will be displayed Note: Make note of the URL presented in the web browser after the Test button has been clicked. This URL will be required in the configuration of - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 13
steps detailed in the Quick Install Guide. The following table again reviews the IP Addressing used in the test environment but this would be replaced with the site specific details of each customer deployment: DSA WAN1 IP Address DSA Default Service - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 14
you intend to run your network in a routed environment you will either need to update your routing tables on the default gateway router that is servicing the network the WAN1 port of the DSA is connected to and / or add a static route to the amigopod configuration. To add a static route to - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 15
Click on the Routes option and add in the details for your IP address range allocated to the LAN port on the DSA as shown below: - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 16
environment DHCP needs to be enabled on the Default Service Zone to provide IP addresses to both downstream D-Link Access Points and any wired clients connected to this interface of the DSA-3600. This is configured again under System > Service Zones > Default > Configure as shown in the following screen - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 17
to the D-Link User Guide for further information on these topics and the best method for configuring your wireless environment. For the lab environment used through the rest of this document, the DSA-3600 will be used and configured as a wired Access Controller and the test client will be attached - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 18
for the Authentication Protocol • Enter the Shared Secret recorded in Step 1 of the amigopod config as the Secret Key, i.e. wireless • Enable the Accounting Service if you wish to receive session statistics and be able to leverage the amigopod Guest Manager > Active Sessions display. Be sure to save the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 19
Note: The Secret above needs to be the same as the one defined in Step 1 of the amigopod configuration. For example, wireless. The User > Authentication table should now look something like the following screenshot: - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 20
Step 4 - Enable Authentication on Default Service Zone In order for the DSA to be able to intercept and redirect any new Guest users to the amigopod hosted Web Login page, the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 21
Scroll to the bottom of the page and click the Apply button to save the changes so far. - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 22
Service Zones > Default configuration section, scroll down to the Custom Pages part of the configuration page as shown below: There are various configuration options on this screen allow the Pages displayed during the Login and Logout procedures support of this integration guide was: http://10 - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 23
Enter the URL from the previous step and click the Apply button to commit the changes to the Default Security Zone. - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 24
chose to apply a blanket policy definition to all Guest Users of this Service Zone by selecting a Policy in the Default Policy in this Service Zone option shown below. Policies are covered extensively in the D-Link User Guide for the DSA-3600 in Chapter 4.2.3 and are therefore considered outside - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 25
Gateway and the amigopod solution is complete, the following steps can be followed to verify the setup. Step 1 - Create a test user account Within the amigopod RADIUS Server a test user account can be created using the amigopod Guest Manager. From the Guest Manager menu, select the Create New Guest - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 26
Step 2 - Confirm DHCP IP Address received Assuming our test laptop is connected to the LAN1 port on the back of the DSA-3600 we should successfully receive an IP address via DHCP. Using the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 27
page as shown below (which was defined in the Custom Pages > Login Page) Enter the test user details entered and recorded in Step 1 above and click the Login button. At this point the test user should be successfully authenticated and allowed to transit through the controller and onto the Internet - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 28
Step 4 - Confirm the login successful from DSA-3600 From the Status > Online Users menu option you will be able to monitor the number and details of authenticated Guest access sessions at any given time. From this interface you also have the option to Logout a user from the Kick Out column of the table - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 29
and now able to browse the Internet, an entry should appear in the RADIUS logs confirming the positive authentication of the test user - in this example, cam. Select the RADIUS Services > Server Control menu option and the screen displayed will show the status of the RADIUS server and a tail of the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 30
socket id: 2 Sending Access-Accept of id 80 to 10.0.20.166 port 1027 Reply-Message = "Employee" rad_recv: Accounting-Request packet from host 10.0.20.166:1027, id=124, length=145 Service-Type = Call-Check NAS-Identifier = "dsa-3600" NAS-Port = 1 NAS-Port-Id = "Controlled" NAS-Port-Type = Wireless - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 31
LEFT JOIN roledef ON useraccount.role_id=roledef.id WHERE useraccount.username='cam')) rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: affected rows = 1 rlm_sql (sql): Released sql socket id: 1 Sending Accounting-Response of id 124 to 10.0.20.166 port 1027 - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 32
Step 7 - Check User Experience The following Login Success page will be displayed within the test laptop browser to confirm the successful authentication and also provide the opportunity for the user to explicitly logout: This page can be changed from the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 33
RADIUS As mentioned in the Service Zone configuration section of the RADIUS dictionary of vendors and includes the full list of supported VSAs from D-Link. For more details on the definition Attributes • Define a test user that is part of this role to test out any Policy elements that have - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 34
Create D-Link Specific User Role The following screenshot from the amigopod RADIUS Services > Users Roles shows how several RADIUS attributes have been added to a new role called D-Link Guest. As you can see we have added the 2 attributes - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 35
Create Test D-Link user The next step is to create a RADIUS user that can be configured to return all of the above attributes defined in the User - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 36
Enable Class-Mapping on the DSA-3600 Returning to the DSA-3600 configuration for User Authentication, navigate to the Users > Authentication > RADIUS > Configure section and you will find the Edit Class-Policy Mapping button. Clicking on this button will display the configuration page shown below: From - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 37
details of configuring Policies is covered extensively in the D-Link DSA-3600 Users Guide so any detailed discussion of Policies will not be covered in this document. In to block SMTP access outbound from the test client • QoS Profile to rate-limit the upstream and downstream bandwidth available to - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 38
seen from the above screenshot, a Filter Rule for Policy 12 has been edited to Block any client traffic trying to access the SMTP Service Protocol on any Internet based server. Several other options are available to build granular firewall filters to match your deployment security policy. Once all - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 39
Moving onto the QoS Profile, the following screenshot details some sample settings of how the Policy 12 configuration has been modified to constrain the available upstream and downstream client traffic. The Traffic Class that is associated with generic Internet access is Best Effort. - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 40
changes to the DSA-3600 configuration, returning to the test laptop you can now test that both the firewalling and bandwidth management controls have been prior to the new Firewall policy being applied the test laptop can successfully connect to an Internet based mail server on port 25 (SMTP - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 41
After Firewall Policy Applied Now that the test user has re-authenticated and the new Firewall policy applied, any attempt to connect on port 25 is successfully blocked. - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 42
Before QoS Policy Applied As can be seen from the Internet Speed Test results below, the available downstream bandwidth in the test environment is approaching 9 Mbps without any QoS Profile applied. After QoS Policy Applied As expected after the configured QoS Profile is applied the Internet - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 43
to be applied to the policy configuration. Ready to process requests. rad_recv: Access-Request packet from host 10.0.20.166:1027, id=150, length=127 Service-Type = Call-Check NAS-Identifier = "dsa-3600" NAS-Port = 1 NAS-Port-Id = "Controlled" NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 10.0.20 - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 44
Access-Accept of id 150 to 10.0.20.166 port 1027 Class = 0x616d69676f706f64 Idle-Timeout = 300 rad_recv: Accounting-Request packet from host 10.0.20.166:1027, id=194, length=145 Service-Type = Call-Check NAS-Identifier = "dsa-3600" NAS-Port = 1 NAS-Port-Id = "Controlled" NAS-Port-Type = Wireless - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 45
DSA-3600 configuration section, there is support for either customizing internally or redirecting to an external server many of the web pages that make up the user experience. This configuration is performed under the Custom Pages section the Service Zones configuration as shown below: The previous - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 46
Amigopod has several options for creating client facing web pages that support the use of the Skin technology for branding. The chosen platform for creating these simple landing pages is the Guest Self Registration pages that are - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 47
Now that the Guest Registration functionality has been disabled in the previous step, clicking on the Register Page part of the flow diagram will take you to the Disable Message configuration screen. The page will only be displayed whilst the Self Registration page is disabled and provides us with a - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 48
The following screenshot and HTML code extract provide a sample of how these customized pages can be hosted on the amigopod. - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 49
Although the sample HTML below is not very aesthetically pleasing, it is the functionality of parsing and using the Session identifier that we are trying to highlight. The Session identifier provides the appropriate unique identifier to allow the Logout button to execute the logout command on the - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 50
Testing the configuration After successfully logging in the user experience should by simply clicking on the Logout button. The Session Identifier is just shown for illustrative and troubleshooting purposes. Before issuing the Logout command you can verify the active session on the DSA-3600 by - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 51
Garden configuration option shown below several websites can be defined that will be served without requiring any user authentication. These sites may include sponsors or support web pages of the Hotspot in question. - Dell PowerConnect W Clearpass 100 Software | D-Link DSA-3600 Integration Guide - Page 52
Appendix C - Advanced RADIUS VSA Configuration To be tested in new 3.60.00 firmware update from D-Link