Arista Networks

Owned by Adrián Macarro (Unlicensed)
Last updated: Oct 18, 2021 by Pedro Doroshenko
9 min read

CONFIGURATION GUIDE

The purpose of the following manual is to describe the necessary configuration of Arista Networks equipment for integration with Octopus Platform

1- Pre-requisites

  • If there is a firewall in the network that might block the traffic, you will need to allow access to some domains to enable user's authentication:

    • Radius Servers:

      • Primary: <IP_Radius_1> 1812 and 1813 UDP ports

      • Secondary: <IP_Radius_2> 1812 and 1813 UDP ports

    • Splash Portal server: 

      • Domain <captive_portal_domain> 80 and 443 TCP ports

  • For the operation of the Guest and Enterprise modules configuration, it will be necessary to previously contract the Octopus platform licenses with the respective modules.

2- Guest module configuration

2.1 WLAN Settings

The first step is to create a new WLAN network. To do this go to the Configuration tab and access the Device Configuration section.

Once this section is displayed, click on SSID Profiles to access the WLANs configuration.

Then, click on Add New WiFi Profile to add the new WLAN. 

Within the configuration options that appear, you must add a name for the new profile as well as the SSID that will be radiated by the APs.

In addition, select Open as security mode in the Security section:

2.2 Captive Portal

To perform the configuration related to the external captive portal, go to the section Captive Portal inside the same configuration window. Firstly, check the option Enable Captive Portal and select the option External Splash Page with RADIUS Authentication and fill up the parameters as shown below:

  • Splash Page URL: https://<captive_portal_domain>/login/hotspot/mojo

  • Shared Secret: xieylpgxoypwzqtb

The next step is to add the parameters that the access point will send in the HTTP Redirect. Go to the option Advanced Parameters and fill up the following parameters as shown below:

  • Request Attributes:

    • Request Type: res

    • Challenge: challenge

    • Client MAC Address: client_mac

    • AP MAC Address: ap_id

    • AP IP Address: uamip

    • AP Port Number: uamport

    • Failure Count: failure_count

    • Requested URL: userurl

    • Login URL: login_url

    • Logoff URL: logoff_url

    • Remaining Blackout Time: blackout_time

    • Service Identifier: service_id

On the other hand, inside the same popup it is necessary to configure the parameters that the access point will accept in the reply message. Please, perform the configuration of the following parameters:

  • Request Attributes:

    • Challenge: challenge

    • Response Type: res

    • Challenge Response: digest

    • Redirect URL: redirect

    • Login Timeout: session_timeout

    • Username: username

    • Password: password

Once all these changes have been done, click Save to apply the configuration. 

2.3 Radius Server

Next you need to add all the Radius server configuration by clicking on the RADIUS Profiles option in Configuration:

 

Later click on the Add RADIUS Profile option:

And perform the following configuration:

  • Profile Name: RADIUS1

  • IP Address: <IP_Radius_1>

  • Authentication Port: 1812

  • Accounting Port: 1813

  • Shared secret: <Secret>

Before click OK, configure the parameters of the Secondary Radius Server with the following data:

  • Profile Name: RADIUS2

  • IP Address: <IP_Radius_2>

  • Authentication Port: 1812

  • Accounting Port: 1813

  • Shared secret: <Secret>

Finally click on Radius Settings in the same page of the created SSID. Fill all teh fields with the following parameters and select Radius Authentication and Radius Accounting serveres created previously:

  • Authentication

    • Called Station ID: %m:%s

    • NAS ID: %m:%s

  • Primary Authentication Server:

    • RADIUS1

  • Secondary Authentication Server:

    • RADIUS2

  • Accounting (this option must be enabled in order to control the sessions)

  • Interval: 10 mins

  • Primary Accounting Server:

    • RADIUS1

  • Secondary Accounting Server:

    • RADIUS2

 

 

After having performed this configuration, click Save to apply the changes done. 

2.4 Walled Garden

Finally in the WLAN configuration, it is necessary to add the domains that the users will be able to visit without being authenticated in the captive portal. To do that, click in Captive Portal and then in Add Walled Garden Sites to add the required domains. 

If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.

After having accomplished the configuration in the Security section and in the Captive Portal section, it is necessary to click on Save to apply the changes. 

2.5 Device Templates

Once the external captive portal is configured, the WLAN created must be linked to a template that will be associated to the access points. Go to Configuration > Device Configuration > Device Templates. 

Once inside this tab you must create a new Device Template by clicking on Add Device Template (if there is already a template created you can edit this template to add the WLAN).

Within the configuration options configure the following parameters:

  • Template Name: Template Name

  • Operating Region: Spain

 

Then, it is required to add the WLAN in the section Radio Settings and click on Define settings for model.

Select your AP model from the list. If there are different models it would be necessary to repeat this process for each one. 

After having added the AP model it is necessary to link the SSID Profile to this access point. Click Add SSID Profile and select the SSID profile linked to the captive portal.

 

 

Once you have added the SSID Profile in both interfaces (2.4GHz and 5GHz) click on Save to apply the configuration. 

When saving the changes, if no password has been configured for access to the APs within the Template, an error will appear. Therefore, it will be necessary to add a password to save the changes made. To do this go to Device Settings > Device Password and add the password for access to the APs.

 

2.6 Managed devices

Finally, it is necessary to link the Device Template added before with the Access Points that will radiate the SSID. Go to Monitoring > Managed Devices:

Once the list of the access points is displayed, select all the APs that you want them to radiate the SSID with the captive portal and click on the button at the bottom of the page.

After clicking on this button, select the Template created in the drop-down menu and confirm that you want to make these changes.

Then, select the Template you have created before and confirm that you want to perform the change.

2.7 Authorized MAC Addresses

For user validation to work correctly, it is necessary to identify the NAS that will be able to make authentication requests to the Radius Server. The MAC address of all APs must be added.

These MAC addresses can be obtained in the Monitor section. Go to Monitoring > Managed Devices:

For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link Locations

3- Enterprise module configuration

In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.

3.1  Captive portal + MAC Authentication configuration

To enable MAC Authentication it is necessary to edit the SSID Profile in use. Firstly, it is necessary to add a new role that will be assigned to the users authenticated by their MAC address.

Go to Configuration > Device Configuration and click on Role Profiles.

Once this section is displayed, click on Add Role Profile and configure the following parameters:

  • Profile Name: MAC AUTH USER

  • Role: MAC AUTH USER

  • Inherit from SSID: disabled this option.

  • VLAN: check this option and configure:

    • VLAN ID: type the vlan configured in teh network.

Then, click on Save to create the new role.

Next, MAC Authentication must be enabled within the SSID Profile and assign the above role to users who validate themselves by their MAC address.

Go to Configuration > Device Configuration > SSID Profiles and select the SSID profile linked to the access points.

Once the configuration window of the SSID Profile is displayed, go to Security and check the option Secondary Authentication.

Then enable the option Radius MAC Authentication and click on RADIUS Settings to perform the following configuration:

  • Authentication

    • Called Station ID: %m:%s

    • NAS ID: %m:%s

  • Username and Password:

    • Username: MAC Address with Colon

    • Password: MAC Address with Colon

  • Primary Authentication Server:

    • RADIUS1

  • Secondary Authentication Server:

    • RADIUS2

  • Accounting (it is mandatory to enable this option)

    • Interval: 10 mins

  • Primary Accounting Server:

    • RADIUS1

  • Secondary Accounting Server:

    • RADIUS2

 

After clicking on Save, check the option Assign SSID Profile and select the role created previously in the section Select Role for Succesful Clients. This way the users authenticated with their MAC address will not have to authenticate themselves in the captive portal.

Once all these changes are performed, please click on Save to apply the new configuration.

3.2 MAC Authentication configuration

To create an SSID dedicated only to MAC Authentication validation, go to Configuration and access the Device Configuration section.

Once inside, click on the SSID Profiles tab to access the WLAN configuration.

Next, add a new WLAN. To do so, click on Add New WiFi Profile.

Within the configuration options that appear, you must add a name for the new profile as well as the SSID that will be radiated by the APs, for example Mac_Auth_Guest.

In addition, under Security select Open as the authentication method for the newly created WLAN:

Then it will be necessary to create a role that will be assigned to users who validate themselves through their MAC address to prevent the captive portal from appearing.

To do this go to Configuration > Device Configuration and click on Role Profiles.

Once inside click on Add Role Profile to create a new role and configure the following parameters:

  • Profile Name: MAC AUTH USER

  • Role: MAC AUTH USER

  • Inherit from SSID: disable.

  • VLAN: Enable this option and configure:

    • VLAN ID: indicate the vlan configured on the network

 

Finally, click on Save to save the created role.

Next, enable MAC Authentication within the SSID Profile and assign the above role to the users who validate themselves through their MAC address.

To do this, go to Configuration > Device Configuration > SSID Profiles and select the SSID profile created earlier to edit its configuration.

Once inside the SSID Profile drop down the Security section and check the Secondary Authentication option:

Next, check the RADIUS MAC Authentication option and click RADIUS Settings to configure the following parameters:

  • Authentication

    • Called Station ID: %m:%s

    • NAS ID: %m:%s

  • Username and Password:

    • Username: MAC Address with Colon

    • Password: MAC Address with Colon

  • Primary Authentication Server:

    • RADIUS1

  • Secondary Authentication Server:

    • RADIUS2

  • Accounting (this option must be enabled in order to control the sessions)

    • Interval: 10 mins

  • Primary Accounting Server:

    • RADIUS1

  • Secondary Accounting Server:

    • RADIUS2

Associate the radius servers created in point 2.3 of this guide.

 

 

 

After clicking on Save enable the Assign SSID Profile option and select the role created earlier under Select Role for Successful Clients. If the MAC authentication is successful, the user will have free access to the network.

Once all these changes have been made within the SSID Profile edition, click on Save to save the new configuration.