Ruijie
CONFIGURATION GUIDE
The purpose of this manual is to describe the configuration required on Ruijie equipment for integration with the Octopus Platform. The configuration covered here concerns enabling authentication on a WLAN through an external captive portal together with RADIUS; the internal configuration of the network and the network topology are outside the scope of this manual.
1- Pre-requisites
If the installation has a firewall that blocks traffic, access to the following hosts and ports must be allowed so that users can authenticate.
Radius Servers:
Primary: <IP_Radius_1> 1812 and 1813 UDP ports
Secondary: <IP_Radius_2> 1812 and 1813 UDP ports
Splash Portal server:
Domain <captive_portal_domain> 80 and 443 TCP ports
For the Guest and Enterprise module configuration to work, the Octopus platform licenses with the respective modules must have been purchased beforehand.
The configuration below can be performed either with an AC + APs (configuring the AC) or without an AC (configuring the chosen AP directly). This guide uses the AC + APs model.
Note that this manufacturer does not support authentication over HTTPS, so the portal can only be configured over HTTP and the authentication exchange between the client and the portal travels unencrypted. As a consequence, the "login via Google account" access method is not available, since Google itself requires HTTPS for these communications.
2- External Captive Portal access configuration + Mac Caching (Enterprise Module)
Most of the equipment configuration is done with CLI commands. These can be entered from the web console of the equipment's own web interface (or via SSH, if it has been previously configured):
2.1 Radius Server
The first step in configuring the Ruijie equipment is to add the RADIUS servers, both for user authentication and for sending accounting packets. From the equipment's web console (or via SSH, if previously configured), execute the following commands:
#enter configuration mode
AC# configure terminal
#add one radius-server host line per RADIUS server IP
AC(config)# radius-server host <IP_Radius_1> key <secret>
#enable the AAA model and create a RADIUS server group
AC(config)# aaa new-model
AC(config)# aaa group server radius octopus_radius
#add each RADIUS server to the group
AC(config-gs-radius)# server <IP_Radius_1>
AC(config-gs-radius)# exit
AC(config)# aaa authentication cpweb octopus group octopus_radius
AC(config)# aaa accounting network octopus start-stop group octopus_radius
AC(config)# aaa authentication dot1x octopus group octopus_radius
#save configuration
AC(config)# wr
2.2 Local HTTP server Authenticator
We bring up the local server on the AC/AP that will receive the authentication requests from the external captive portal. To do this we execute the following commands:
#enter configuration mode
AC# configure terminal
#activate the local server on the IP 1.1.1.1
AC(config)# web-auth auth-server ip 1.1.1.1
#over http (https is not supported)
AC(config)# web-auth auth-server http
#and finally indicate the url that will receive the authentication data
AC(config)# web-auth auth-server submit-url http://1.1.1.1:8082/login
#save configuration
AC(config)# wr
VERY IMPORTANT: The local server only responds on IP 1.1.1.1 on port 8082 (if a different IP is configured, the integration will not work). The configured URL must also be exactly the one indicated above, otherwise the portal will not work.
2.3 Octopus template activation
For the AC/AP to handle the redirection to the captive portal, we activate the corresponding template and assign the portal data. To do this we execute the following commands:
#enter configuration mode
AC# configure terminal
#activate the template for configuration
AC(config)# web-auth template cpweb
#specify the IP of the provided external captive portal
AC(config.tmplt.cpweb)# ip <IP_Portal>
#specify the url to redirect the request to
AC(config.tmplt.cpweb)# url http://<dominio_captive_portal>/login/hotspot/ruijie
#lastly we activate the extended sending of parameters to the captive portal
AC(config.tmplt.cpweb)# fmt custom encry none ac-name wlanacname ap-mac wlanapmac mac-format none ap-name wlanapname nas-ip wlannasip ssid ssid url url user-ip wlanuserip user-mac mac mac-format none
AC(config.tmplt.cpweb)# end
#save configuration
AC(config)# wr
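The fmt custom command above maps each AC field to a query parameter name that the external portal receives when a client is redirected (ac-name → wlanacname, ap-mac → wlanapmac, ap-name → wlanapname, nas-ip → wlannasip, ssid → ssid, url → url, user-ip → wlanuserip, user-mac → mac). The following Python is an added example of how the portal side can validate that redirect before trusting any of it; it is not Octopus or Ruijie code. The parameter mapping is an assumption taken from the fmt command, the exact MAC format the AC emits is unknown (so several formats are accepted), and the sample redirect URL and controller address are constructed.

```python
"""Portal-side validation of the Ruijie captive-portal redirect (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Submit endpoint fixed by the local authenticator configuration (section 2.2).
SUBMIT_URL = "http://1.1.1.1:8082/login"

# Query parameter -> field name, as configured by the fmt custom command (assumption).
PARAM_MAP = {
    "wlanacname": "ac_name",
    "wlanapmac": "ap_mac",
    "wlanapname": "ap_name",
    "wlannasip": "nas_ip",
    "ssid": "ssid",
    "url": "original_url",
    "wlanuserip": "user_ip",
    "mac": "user_mac",
}

BARE_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex.

    Returns 12 lowercase hex digits, or None if the value is not a MAC address.
    """
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    return digits if BARE_MAC_RE.match(digits) else None


def parse_redirect(redirect_url, known_nas_ips):
    """Parse and validate the redirect the AC sends the client to the portal with.

    known_nas_ips is the set of controller addresses registered with the portal;
    a redirect claiming any other nas-ip is rejected. Raises ValueError on bad input.
    """
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    fields = {}
    for param, name in PARAM_MAP.items():
        values = query.get(param, [])
        if len(values) != 1:
            raise ValueError(f"parameter {param!r} missing or repeated")
        fields[name] = values[0]

    # Addresses must parse; the controller must be one we know.
    for key in ("user_ip", "nas_ip"):
        try:
            fields[key] = str(ipaddress.ip_address(fields[key]))
        except ValueError:
            raise ValueError(f"{key} is not a valid IP address") from None
    if fields["nas_ip"] not in known_nas_ips:
        raise ValueError("nas_ip is not a registered controller")

    # MACs are normalised so session records use one canonical form.
    for key in ("user_mac", "ap_mac"):
        mac = normalize_mac(fields[key])
        if mac is None:
            raise ValueError(f"{key} is not a MAC address")
        fields[key] = mac

    # The original url is echoed back after login; only allow web origins.
    if urlsplit(fields["original_url"]).scheme not in ("http", "https"):
        raise ValueError("original url must be http or https")
    return fields


def is_valid_redirect(redirect_url, known_nas_ips):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_redirect(redirect_url, known_nas_ips)
        return True
    except ValueError:
        return False


# Constructed sample: what a client would arrive with after the AC redirect.
SAMPLE_REDIRECT = (
    "http://portal.example.invalid/login/hotspot/ruijie?"
    "wlanacname=AC-Main&wlanapmac=00-D0-F8-11-22-33&wlanapname=AP-Lobby"
    "&wlannasip=10.0.0.1&ssid=Guest&url=http%3A%2F%2Fwww.example.com%2F"
    "&wlanuserip=10.10.5.23&mac=a1b2c3d4e5f6"
)
KNOWN_CONTROLLERS = {"10.0.0.1"}  # constructed

if __name__ == "__main__":
    for name, value in parse_redirect(SAMPLE_REDIRECT, KNOWN_CONTROLLERS).items():
        print(f"{name:13s} {value}")
    print("submit to", SUBMIT_URL)
```

The nas-ip allowlist is the check that matters most: because the exchange is plain HTTP, the portal should never infer which controller a session belongs to from the redirect alone without cross-checking it against the controllers it was actually configured for.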
2.4 Enabling authentication on the WLAN
We enable captive portal authentication on the required WLAN by executing the following commands:
2.5 Walled Garden
Once the configuration is done, the Walled Garden domains to which the user has access before authenticating must be added. Below is an example of adding these domains to the DNS Whitelist through the web interface: go to Authentication → Web Auth → Advanced Settings, enable the "Whitelisted URL enable" check box and add all the domains required for the captive portal to operate:
If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted at the following link