Huawei Access Controller (AC)

CONFIGURATION GUIDE

The purpose of this manual is to describe the configuration required on Huawei Access Controller equipment to integrate it with the Octopus Platform.

1- Pre-requisites

  • If a firewall in the network might block the traffic, the following servers and domains must be reachable so that users can authenticate:

    • Radius Servers:

      • Primary: <IP_Radius_1>, UDP ports 1812 and 1813

      • Secondary: <IP_Radius_2>, UDP ports 1812 and 1813

    • Splash Portal server:

      • Domain <captive_portal_domain>, TCP ports 80 and 443

  • The Guest and Enterprise module configurations require the Octopus platform licenses for the respective modules to have been contracted beforehand.

  • In the network configuration of the guest Wi-Fi into which the captive portal will be integrated, a VLAN with a DHCP server is created whose gateway is the controller. For any other type of topology, contact the support team before making changes.

2- Guest module configuration

2.1 RADIUS Server

In the web interface of the controller, go to Configuration > Security > AAA; in the RADIUS tab go to RADIUS Server Profile and click Create to add a new profile.

Once created, open the configuration of the RADIUS Server Profile and set the following parameters:

  • Profile name: identifying name of the RADIUS profile, for example OctopusRadiusProfile

  • Mode: Active/Standby mode

  • Profile default shared key: <secret>

  • Click the Create Server button:

    • IP Address <IP_Radius_1>

    • Shared secret: <secret>

    • Server Settings:

      • Authentication: Enabled

        • Port number: 1812

        • Weight: 1

      • Accounting: Enabled

        • Port number: 1813

        • Weight: 2

  • Create the second server by clicking Create Server again:

    • IP Address <IP_Radius_2>

    • Shared secret: <secret>

    • Server Settings:

      • Authentication: Enabled

        • Port number: 1812

        • Weight: 1

      • Accounting: Enabled

        • Port number: 1813

        • Weight: 2


2.2 ACL

Go to Configuration > Security > ACL > Domain Name Configuration and add the service domains that must be reachable without the user being authenticated.

To add a new one, click Create:

  • Domain name ID: Unique identifier.

  • Domain name: Domain or subdomain to be included.

Add all the basic domains required, plus those needed by the access methods in use.

If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted at the following link.


Once the domains have been added, an ACL must be created containing one rule per domain. To do so, go to ACL and open the User ACL Settings tab.


Click on Create to add a new ACL:

  • ACL name: Identifying name, for example ACL_Octopus

  • ACL number: 6000

Once the ACL is created and appears in the list, click the "Add Rule" link and create one rule for each of the domains previously added in Domain Name Configuration:

  • Rule ID: numeric identifier, which must be different for each rule

  • Action: Permit

  • Protocol type: IP

  • Dest domain: the domain the rule permits

After adding each rule, click on OK to add the rule to the ACL.

2.3 Captive Portal

In the web interface, go to Configuration > Security > AAA > Portal Server Global Configuration > External Portal and set:

  • HTTP Protocol : Enabled

  • HTTP interoperation mode: HTTP-based

  • Port number for listening to HTTP packets: 2000

In Portal Authentication Server List, click Create:

  • Server name: identifying name, for example cp_Octopus

  • Server IP: gateway of the guest interface, for example 10.10.0.1

  • Protocol type: portal

  • URL: http://<domain-name>/login/hotspot/huawei

  • URL Option Settings:

    • AC-MAC keyword: acmac

    • User access URL keyword: RedirectUrl

    • User IP address keyword: userip

    • Login URL keyword / Login URL: abc / http://<gateway>:2000/login.html

    • AP-MAC keyword: apmac

    • User-MAC keyword: usermac

    • SSID keyword: ssid

  • Parameter Parting Configuration

    • Password encryption mode: Non-encryption

    • User name keyword: username (default)

    • Password keyword: password (default)

    • Original URL keyword: RedirectUrl

    • Login success response: Redirect to the original URL

    • Login failure response: Redirect to the specified URL

      • http://<domain-name>/login/hotspot/error/huawei


2.4 Portal Profile

To create a Portal Profile, go to Configuration > AP Config > Profile > AAA and select Portal Profile.

Click on Create to add a new profile.

  • Profile name: identifying name, for example portalAccessProfile_Octopus

Open the created profile in the drop-down menu and configure:

  • Portal Authentication: External portal server

  • Interoperation protocol: Portal

  • Primary Portal server group: the one created previously, in the example cp_Octopus


2.5 Authentication-free Rule Profile

To create an Authentication-free Rule Profile, go to Configuration > AP Config > Profile > AAA and select Authentication-free Rule Profile.

Click on Create to add the new profile.

  • Profile name: Identifying name, for example freeRuleProfile_Octopus

Open the created profile in the drop-down menu and select:

  • Control mode: ACL

  • ACL number: 6000

2.6 Authentication Scheme

To create an Authentication Scheme, go to Configuration > AP Config > Profile > AAA and select Authentication Scheme.

Click on Create to add a new profile.

  • Profile name: Identifying name, for example AuthScheme_Octopus

Open the created profile in the drop-down menu and configure:

  • First Authentication: RADIUS authentication

2.7 Accounting Scheme

To create an Accounting Scheme, go to Configuration > AP Config > Profile > AAA and select Accounting Scheme.

Click on Create to add a new profile.

  • Profile name: Identifying name, for example AcctScheme_Octopus

Open the created profile in the drop-down menu and select:

  • Accounting Mode: RADIUS accounting

  • Real-time accounting: Enabled

  • Real-time accounting interval (min): 10


2.8 Authentication Profile

To create an Authentication Profile, go to Configuration > AP Config > Profile > AAA and select Authentication Profile.

Click on Create to add a new profile.

  • Profile name: Identifying name, for example authProfile_Octopus

Open the created profile in the drop-down menu and configure:

  • Portal Profile: click on the three dots and select the one created previously, in the example portalAccessProfile_Octopus

  • Authentication-free Rule Profile: click on the three dots and select the one created previously, in the example freeRuleProfile_Octopus

  • Radius Server Profile: select the one created previously, in the example OctopusRadiusProfile

  • Authentication Scheme: select the one created previously, in the example AuthScheme_Octopus

  • Accounting Scheme: select the one created previously, in the example AcctScheme_Octopus


2.9 VAP Profile

Finally, create a VAP Profile associated with the AP Group that will broadcast the new SSID with the captive portal (if the AP Group does not exist, it must be created first). To create the new VAP profile, go to AP Config > AP Group and open the AP Group the APs belong to.

Within the AP Group click on VAP Configuration and then on Create to add a new one:

  • VAP profile name: vapProfile-Octopus

  • WLAN ID: a WLAN identifier not already in use

Once created, set the remaining parameters according to your network topology: forwarding mode, VLAN ID, etc.

Within the dropdown of the profile configure:

  • SSID Profile: create a new one with an identifying name, for example ssid_Guest

    • SSID: the network name that will be visible to users.

  • Security Profile: create a new one with an identifying name, for example securityprofile_Octopus

    • Security Policy: Open

  • Authentication Profile: Select the one created previously, in the example authProfile_Octopus


Don't forget to press the Save button in the header to save all the settings.


2.10 Validation in secure mode

If you want the whole login process to run over HTTPS so that the data is encrypted, follow these steps.

First, generate a certificate in PEM or P12 format for a subdomain whose DNS record resolves to the IP of the controller interface where the login is performed (10.10.0.1 in the example).

To import the certificate into the controller configuration, go to Configuration > Security > Certificate Management.

Click on Upload Certificate:

  • Certificate name: identifying name of the certificate, for example portal_securelogin

  • Certificate type: if imported, choose Local+CA+Private key

  • Certificate format: select according to the format you generated.

  • Certificate file: select the certificate file on your PC.

  • Certificate password: password protecting the file containing the certificates.

Click "OK"; if everything is correct the certificate will appear in the list.

Then within the interface go to Configuration > Security > SSL

Click on Create:

  • SSL policy name: Identifying name, for example ssl-Securelogin.

  • SSL policy type: Server

  • Certificate Name: select the certificate uploaded previously, in the example portal_securelogin

  • SSL protocol: only TLS 1.2 is recommended

  • Support cipher suite: both options.

Then within the interface go to Configuration > Security > AAA > Portal Server Global Configuration > External Portal

  • HTTP Protocol: HTTPS-based

  • SSL Policy: Select SSL policy name previously created, in the example ssl-Securelogin

  • Port number for listening to HTTP packets: 8443

  • In Portal Authentication Server List, edit the server created for the integration, in the example cp_Octopus:

    • URL: change it to https: https://<domain-name>/login/hotspot/huawei

    • URL Option Settings > Login URL keyword / Login URL: use https here as well, with the subdomain the certificate was issued for and whose DNS record resolves to the IP of the controller interface: abc / https://<certificate-domainname>:8443/login.html
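
The following is an added example, not Octopus or Huawei code, of what the portal side of sections 2.3 and 2.10 has to handle: it validates the parameters the AC appends when it redirects a client (the keywords from URL Option Settings), checks that the Login URL matches the mode in use (http on 2000, or https on 8443 in secure mode), refuses non-web RedirectUrl values, and builds the fields posted back to login.html per the Parameter Parting Configuration. It assumes the AC sends the keywords as query parameters, with the login URL keyword "abc" carrying the Login URL itself; the redirect below is constructed, not captured.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Query keywords from URL Option Settings (section 2.3). Assumption: the AC appends them
# as query parameters, with the login URL keyword "abc" carrying the Login URL itself.
REQUIRED = ("acmac", "RedirectUrl", "userip", "abc", "apmac", "usermac", "ssid")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}$")
# Constructed sample redirect (not a capture from a real controller).
SAMPLE_REDIRECT = ("http://portal.example.org/login/hotspot/huawei?acmac=00:11:22:33:44:55"
                   "&RedirectUrl=http://www.example.com/&userip=10.10.0.23"
                   "&abc=http://10.10.0.1:2000/login.html&apmac=66-77-88-99-aa-bb"
                   "&usermac=ccddeeff0011&ssid=GuestWifi")

def normalise_mac(mac):
    """Return the MAC as AA-BB-CC-DD-EE-FF (the uppercase dash form of section 3.1)."""
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)
    digits = re.sub(r"[-:]", "", mac).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_redirect(url, secure=False):
    """Validate the parameters the AC appended when redirecting a client to the portal."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [k for k in REQUIRED if k not in q]
    if missing:
        raise ValueError("missing keywords: " + ", ".join(missing))
    session = {
        "ac_mac": normalise_mac(q["acmac"]),
        "ap_mac": normalise_mac(q["apmac"]),
        "user_mac": normalise_mac(q["usermac"]),
        "user_ip": str(ip_address(q["userip"])),  # raises on anything that is not an IP
        "ssid": q["ssid"],
    }
    login = urlsplit(q["abc"])
    # Section 2.10: the Login URL is https on 8443 in secure mode, otherwise http on 2000.
    expected = ("https", 8443) if secure else ("http", 2000)
    if (login.scheme, login.port) != expected:
        raise ValueError("login URL %s is not %s on port %d" % (q["abc"], *expected))
    original = urlsplit(q["RedirectUrl"])
    # Only forward web URLs as the post-login destination (no javascript:/data: targets).
    if original.scheme not in ("http", "https") or not original.netloc:
        raise ValueError("refusing RedirectUrl %r" % q["RedirectUrl"])
    session["login_url"], session["redirect_url"] = urlunsplit(login), urlunsplit(original)
    return session

def login_form(session, username, password):
    """Fields the portal posts to the Login URL (Parameter Parting Configuration, Non-encryption)."""
    return session["login_url"], urlencode(
        {"username": username, "password": password, "RedirectUrl": session["redirect_url"]})
```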

2.11 Authorized MAC Addresses

For user validation to work, the NAS devices allowed to send authentication requests to the RADIUS server must be identified. In this case, add the MAC addresses of all the Access Points that will broadcast the configured SSID. To view the AP MAC addresses go to Configuration > AP Config > AP Config; in the AP list, the AP MAC column shows the required addresses.

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link: Locations

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1 Captive portal + MAC Authentication configuration

Create a MAC Authentication Profile. To do so, go to Configuration > AP Config > Profile > AAA and select MAC Authentication Profile.

Click on Create to add a new profile.

  • Profile name: Identifying name, for example macAuth_Octopus

Open the created profile in the drop-down menu and configure:

  • User name mode: MAC address

  • MAC address: xx-xx-xx-xx-xx-xx

  • MAC address case: Uppercase

Under Profile > Authentication Profile, expand the profile to which the MAC Authentication Profile will be assigned, in the example authProfile_Octopus:

  • MAC Authentication Profile: click on the three dots and select the one created previously, in the example macAuth_Octopus

Finally, in the same Authentication Profile, set:

  • Portal option: Portal server-based MAC authentication: Enabled

After making these changes, click Apply to apply them. Finally, click the Save button to save the new settings.

3.2 MAC Authentication configuration

To create an SSID dedicated only to MAC Authentication validation, you must first create a new WLAN with the following configuration:

  • SSID Name: Name to be radiated by the AP

  • Forwarding mode: Tunnel

Click on Next and in the Security Authentication section make the following settings:

  • Security settings: Open (applicable to personal networks)

Click on Next and in the Access control section configure:

  • Bind the AP group: ap-group1

  • Click Finish

Next, go to Configuration > AP Config > AP Group and open the AP group in which MAC authentication is to be configured. Go to VAP Configuration > wlan-net > Authentication Profile, click Create to create a new MAC Authentication profile, and click Apply.

3.3 Configuration of the "Access Profiles" functionality in the Octopus Platform

Through the Octopus platform it is possible to configure a set of reply attributes for Access-Accept packets, grouped into a so-called Access Profile. These Access Profiles activate a series of functionalities in the Huawei access controller. Both the common RADIUS attributes and the proprietary Huawei access controller dictionary are available; the following lists some of the most useful ones:

Attributes (Attribute / Description / Format):

  • Acct-Interim-Interval

    • Description: Defines the time interval at which the NAS sends the interim accounting update with all of the user's session information.

    • Format: Seconds

  • HW-Input-Peak-Burst-Size

    • Description: Defines downstream speed limits for a given session.

    • Format: Bytes

  • HW-Output-Peak-Burst-Size

    • Description: Defines upload speed limits for a given session.

    • Format: Bytes

  • Reply-Message

    • Description: Useful for troubleshooting, since it identifies associated elements of the Octopus platform, such as an access profile, access method, location, ...


Example of an Access Profile configuration with the attributes explained above:
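
As an added illustration, not Octopus or Huawei code, the following shows what the RADIUS side of sections 2.11 and 3.3 amounts to: a server that rejects Access-Requests from APs whose MAC is not in the authorized NAS list, and otherwise returns an Access-Accept carrying the Acct-Interim-Interval and Reply-Message attributes from the table, with the Response Authenticator computed from the shared secret of section 2.1. It assumes Called-Station-Id carries the AP MAC as "MAC:SSID" (RFC 3580); the HW-* attributes are Huawei vendor-specific (attribute 26, vendor id 2011) and their vendor type numbers are not given here, so they are left out. The Access-Request is constructed, not captured.

```python
import hashlib
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, REPLY_MESSAGE, CALLED_STATION_ID, ACCT_INTERIM_INTERVAL = 1, 18, 30, 85

def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value  # RFC 2865 type, length, value

def parse_attrs(payload):
    attrs, i = {}, 0  # {type: [value, ...]}; stop on any inconsistent length
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.setdefault(payload[i], []).append(payload[i + 2:i + payload[i + 1]])
        i += payload[i + 1]
    return attrs

def response_authenticator(header, request_auth, attrs_bytes, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_reply(code, ident, request_auth, attrs_bytes, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return header + response_authenticator(header, request_auth, attrs_bytes, secret) + attrs_bytes

def handle_access_request(packet, secret, authorized_ap_macs, profile):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    # Assumption: Called-Station-Id carries "AP-MAC:SSID" as described in RFC 3580.
    called = attrs.get(CALLED_STATION_ID, [b""])[0].decode("ascii", "replace")
    if called.split(":")[0].upper() not in authorized_ap_macs:  # unknown NAS (section 2.11)
        return build_reply(ACCESS_REJECT, ident, request_auth, b"", secret)
    reply_attrs = (attr(ACCT_INTERIM_INTERVAL, struct.pack("!I", profile["interim_seconds"]))
                   + attr(REPLY_MESSAGE, profile["reply_message"].encode()))
    return build_reply(ACCESS_ACCEPT, ident, request_auth, reply_attrs, secret)

def check_reply(reply, request_auth, secret):  # what the NAS does before trusting a reply
    header, attrs_bytes = reply[:4], reply[20:]
    if reply[4:20] != response_authenticator(header, request_auth, attrs_bytes, secret):
        raise ValueError("response authenticator mismatch: wrong shared secret or forged reply")
    return reply[0], parse_attrs(attrs_bytes)

def sample_access_request(ap_mac=b"00-11-22-33-44-55"):
    """Constructed packet (not a capture): ident 7, fixed authenticator, User-Password omitted."""
    request_auth = bytes(range(16))
    body = attr(USER_NAME, b"guest@example.org") + attr(CALLED_STATION_ID, ap_mac + b":GuestSSID")
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + request_auth + body
```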


For more information on how to create an Access Profile in the Octopus Platform, go to Access profiles.