Arista Networks
CONFIGURATION GUIDE
The purpose of the following manual is to describe the necessary configuration of Arista Networks equipment for integration with Octopus Platform
1- Pre-requisites
If there is a firewall in the network that might block the traffic, you will need to allow access to some domains to enable user's authentication:
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
For the operation of the Guest and Enterprise modules configuration, it will be necessary to previously contract the Octopus platform licenses with the respective modules.
2- Guest module configuration
2.1 WLAN Settings
The first step is to create a new WLAN network. To do this go to the Configuration tab and access the Device Configuration section.
Once this section is displayed, click on SSID Profiles to access the WLANs configuration.
Then, click on Add New WiFi Profile to add the new WLAN.
Within the configuration options that appear, you must add a name for the new profile as well as the SSID that will be radiated by the APs.
In addition, select Open as security mode in the Security section:
2.2 Captive Portal
To perform the configuration related to the external captive portal, go to the section Captive Portal inside the same configuration window. Firstly, check the option Enable Captive Portal and select the option External Splash Page with RADIUS Authentication and fill up the parameters as shown below:
Splash Page URL: https://<captive_portal_domain>/login/hotspot/mojo
Shared Secret: xieylpgxoypwzqtb
The next step is to add the parameters that the access point will send in the HTTP Redirect. Go to the option Advanced Parameters and fill up the following parameters as shown below:
Request Attributes:
Request Type: res
Challenge: challenge
Client MAC Address: client_mac
AP MAC Address: ap_id
AP IP Address: uamip
AP Port Number: uamport
Failure Count: failure_count
Requested URL: userurl
Login URL: login_url
Logoff URL: logoff_url
Remaining Blackout Time: blackout_time
Service Identifier: service_id
On the other hand, inside the same popup it is necessary to configure the parameters that the access point will accept in the reply message. Please, perform the configuration of the following parameters:
Request Attributes:
Challenge: challenge
Response Type: res
Challenge Response: digest
Redirect URL: redirect
Login Timeout: session_timeout
Username: username
Password: password
Once all these changes have been done, click Save to apply the configuration.
2.3 Radius Server
Next you need to add all the Radius server configuration by clicking on the RADIUS Profiles option in Configuration:
Later click on the Add RADIUS Profile option:
And perform the following configuration:
Profile Name: RADIUS1
IP Address: <IP_Radius_1>
Authentication Port: 1812
Accounting Port: 1813
Shared secret: <Secret>
Before click OK, configure the parameters of the Secondary Radius Server with the following data:
Profile Name: RADIUS2
IP Address: <IP_Radius_2>
Authentication Port: 1812
Accounting Port: 1813
Shared secret: <Secret>
Finally click on Radius Settings in the same page of the created SSID. Fill all teh fields with the following parameters and select Radius Authentication and Radius Accounting serveres created previously:
Authentication
Called Station ID: %m:%s
NAS ID: %m:%s
Primary Authentication Server:
RADIUS1
Secondary Authentication Server:
RADIUS2
Accounting (this option must be enabled in order to control the sessions)
Interval: 10 mins
Primary Accounting Server:
RADIUS1
Secondary Accounting Server:
RADIUS2
After having performed this configuration, click Save to apply the changes done.
2.4 Walled Garden
Finally in the WLAN configuration, it is necessary to add the domains that the users will be able to visit without being authenticated in the captive portal. To do that, click in Captive Portal and then in Add Walled Garden Sites to add the required domains.
If you wish to add extra domains (Social Networks, Paypal, etc...) they can be consulted from the following link.
After having accomplished the configuration in the Security section and in the Captive Portal section, it is necessary to click on Save to apply the changes.
2.5 Device Templates
Once the external captive portal is configured, the WLAN created must be linked to a template that will be associated to the access points. Go to Configuration > Device Configuration > Device Templates.
Once inside this tab you must create a new Device Template by clicking on Add Device Template (if there is already a template created you can edit this template to add the WLAN).
Within the configuration options configure the following parameters:
Template Name: Template Name
Operating Region: Spain
Then, it is required to add the WLAN in the section Radio Settings and click on Define settings for model.
Select your AP model from the list. If there are different models it would be necessary to repeat this process for each one.
After having added the AP model it is necessary to link the SSID Profile to this access point. Click Add SSID Profile and select the SSID profile linked to the captive portal.
Once you have added the SSID Profile in both interfaces (2.4GHz and 5GHz) click on Save to apply the configuration.
When saving the changes, if no password has been configured for access to the APs within the Template, an error will appear. Therefore, it will be necessary to add a password to save the changes made. To do this go to Device Settings > Device Password and add the password for access to the APs.
2.6 Managed devices
Finally, it is necessary to link the Device Template added before with the Access Points that will radiate the SSID. Go to Monitoring > Managed Devices:
Once the list of the access points is displayed, select all the APs that you want them to radiate the SSID with the captive portal and click on the button at the bottom of the page.
After clicking on this button, select the Template created in the drop-down menu and confirm that you want to make these changes.
Then, select the Template you have created before and confirm that you want to perform the change.
2.7 Authorized MAC Addresses
For user validation to work correctly, it is necessary to identify the NAS that will be able to make authentication requests to the Radius Server. The MAC address of all APs must be added.
These MAC addresses can be obtained in the Monitor section. Go to Monitoring > Managed Devices:
For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link Locations
3- Enterprise module configuration
In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.
3.1 Captive portal + MAC Authentication configuration
To enable MAC Authentication it is necessary to edit the SSID Profile in use. Firstly, it is necessary to add a new role that will be assigned to the users authenticated by their MAC address.
Go to Configuration > Device Configuration and click on Role Profiles.
Once this section is displayed, click on Add Role Profile and configure the following parameters:
Profile Name: MAC AUTH USER
Role: MAC AUTH USER
Inherit from SSID: disabled this option.
VLAN: check this option and configure:
VLAN ID: type the vlan configured in teh network.
Then, click on Save to create the new role.
Next, MAC Authentication must be enabled within the SSID Profile and assign the above role to users who validate themselves by their MAC address.
Go to Configuration > Device Configuration > SSID Profiles and select the SSID profile linked to the access points.
Once the configuration window of the SSID Profile is displayed, go to Security and check the option Secondary Authentication.
Then enable the option Radius MAC Authentication and click on RADIUS Settings to perform the following configuration:
Authentication
Called Station ID: %m:%s
NAS ID: %m:%s
Username and Password:
Username: MAC Address with Colon
Password: MAC Address with Colon
Primary Authentication Server:
RADIUS1
Secondary Authentication Server:
RADIUS2
Accounting (it is mandatory to enable this option)
Interval: 10 mins
Primary Accounting Server:
RADIUS1
Secondary Accounting Server:
RADIUS2
After clicking on Save, check the option Assign SSID Profile and select the role created previously in the section Select Role for Succesful Clients. This way the users authenticated with their MAC address will not have to authenticate themselves in the captive portal.
Once all these changes are performed, please click on Save to apply the new configuration.
3.2 MAC Authentication configuration
To create an SSID dedicated only to MAC Authentication validation, go to Configuration and access the Device Configuration section.
Once inside, click on the SSID Profiles tab to access the WLAN configuration.
Next, add a new WLAN. To do so, click on Add New WiFi Profile.
Within the configuration options that appear, you must add a name for the new profile as well as the SSID that will be radiated by the APs, for example Mac_Auth_Guest.
In addition, under Security select Open as the authentication method for the newly created WLAN:
Then it will be necessary to create a role that will be assigned to users who validate themselves through their MAC address to prevent the captive portal from appearing.
To do this go to Configuration > Device Configuration and click on Role Profiles.
Once inside click on Add Role Profile to create a new role and configure the following parameters:
Profile Name: MAC AUTH USER
Role: MAC AUTH USER
Inherit from SSID: disable.
VLAN: Enable this option and configure:
VLAN ID: indicate the vlan configured on the network
Finally, click on Save to save the created role.
Next, enable MAC Authentication within the SSID Profile and assign the above role to the users who validate themselves through their MAC address.
To do this, go to Configuration > Device Configuration > SSID Profiles and select the SSID profile created earlier to edit its configuration.
Once inside the SSID Profile drop down the Security section and check the Secondary Authentication option:
Next, check the RADIUS MAC Authentication option and click RADIUS Settings to configure the following parameters:
Authentication
Called Station ID: %m:%s
NAS ID: %m:%s
Username and Password:
Username: MAC Address with Colon
Password: MAC Address with Colon
Primary Authentication Server:
RADIUS1
Secondary Authentication Server:
RADIUS2
Accounting (this option must be enabled in order to control the sessions)
Interval: 10 mins
Primary Accounting Server:
RADIUS1
Secondary Accounting Server:
RADIUS2
Associate the radius servers created in point 2.3 of this guide.
After clicking on Save enable the Assign SSID Profile option and select the role created earlier under Select Role for Successful Clients. If the MAC authentication is successful, the user will have free access to the network.
Once all these changes have been made within the SSID Profile edition, click on Save to save the new configuration.