Arista / WatchGuard
CONFIGURATION GUIDE
The purpose of the following manual is to describe the configuration required on Arista Networks or WatchGuard equipment for integration with Octopus Platform.
1- Pre-requisites
If there is a firewall in the network that might block the traffic, the following destinations must be reachable so that user authentication works:
Radius Servers:
Primary: <IP_Radius_1>, UDP ports 1812 and 1813
Secondary: <IP_Radius_2>, UDP ports 1812 and 1813
Splash Portal server:
Domain <captive_portal_domain>, TCP ports 80 and 443
For the operation of the Guest and Enterprise modules configuration, it will be necessary to previously contract the Octopus platform licenses with the respective modules.
2- Guest module configuration
2.1 Radius Server
The first step is to configure the Radius servers. To do this go to Configuration > RADIUS Profiles > Add RADIUS Profile and create a profile with the following parameters:
Profile Name: RADIUS1
IP Address: <IP_Radius_1>
Authentication Port: 1812
Accounting Port: 1813
Shared secret: <Secret>
After clicking OK, configure the parameters of the second Radius server with the following data:
Profile Name: RADIUS2
IP Address: <IP_Radius_2>
Authentication Port: 1812
Accounting Port: 1813
Shared secret: <Secret>
Click on Save to save the changes
2.2 WLAN Settings
The first step is to create a new WLAN network. To do this go to the Configuration > Device Configuration > SSID Profiles tab; to add a new WLAN, click on Add New WiFi Profile.
Add a name for the new profile as well as the SSID to be radiated by the APs.
In the Security tab select Open as the authentication method for the newly created WLAN.
2.3 Captive Portal
The configuration required to enable an external captive portal is done under Captive Portal on the configuration page of the created SSID. First, check the Enable Captive Portal option, select External Splash Page with RADIUS Authentication from the options that appear, and fill in the fields with the following information:
Splash Page URL: https://<captive_portal_domain>/login/hotspot/mojo
Shared Secret: xieylpgxoypwzqtb
In the next step we will select the Radius servers for the SSID: click on Radius Settings on the configuration page. In the section that opens, fill in all the fields with the following parameters and select the Authentication and Accounting Radius profiles created previously:
Authentication
Called Station ID: %m:%s
NAS ID: %m:%s
Primary Authentication Server:
RADIUS1
Secondary Authentication Server:
RADIUS2
Accounting (this option must be enabled to perform session control)
Interval: 10 mins
Primary Accounting Server:
RADIUS1
Secondary Accounting Server:
RADIUS2
Once all the parameters have been filled in, click on the Save button to save the changes made.
The next step is to enter the parameters that the AP will send in the HTTP redirect. To do this, access the Advanced Parameters option and fill in all the fields with the following configuration:
Request Attributes:
Request Type: res
Challenge: challenge
Client MAC Address: client_mac
AP MAC Address: ap_id
AP IP Address: uamip
AP Port Number: uamport
Failure Count: failure_count
Requested URL: userurl
Login URL: login_url
Logoff URL: logoff_url
Remaining Blackout Time: blackout_time
Service Identifier: service_id
In the same drop-down list it is also necessary to fill in the fields that the AP will accept as an answer. These fields include the username and password and the URL to which the user will be redirected after validation. The parameters to be included are detailed below:
Request Attributes:
Challenge: challenge
Response Type: res
Challenge Response: digest
Redirect URL: redirect
Login Timeout: session_timeout
Username: username
Password: password
Once the fields have been filled in, click on Save to save the changes made.
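The splash portal must parse the redirect the AP sends (the Request Attributes listed above) before it can answer. The following is an added example, not code from this guide or from the Octopus platform: it extracts those attributes, rejects requests whose ap_id is not in the list of authorized APs (the NAS list from the Authorized MAC Addresses section), honours a non-zero blackout_time, and only follows http(s) values of userurl. The portal hostname, AP addresses and MACs in SAMPLE_REDIRECT are constructed values.

```python
from urllib.parse import urlparse, parse_qs

# Query-string names the AP sends in its HTTP redirect (the Request Attributes
# configured under Advanced Parameters above); REQUIRED are the ones the portal
# cannot answer without.
REQUEST_ATTRS = ("res", "challenge", "client_mac", "ap_id", "uamip", "uamport",
                 "failure_count", "userurl", "login_url", "logoff_url",
                 "blackout_time", "service_id")
REQUIRED = ("challenge", "client_mac", "ap_id", "login_url")

# Constructed sample redirect with hypothetical addresses, not captured traffic.
SAMPLE_REDIRECT = (
    "https://portal.example.com/login/hotspot/mojo?res=notyet&challenge=abc123"
    "&client_mac=AA-BB-CC-DD-EE-01&ap_id=00:11:22:33:44:55&uamip=10.0.0.1"
    "&uamport=8080&failure_count=0&userurl=http://news.example.org/"
    "&login_url=http://10.0.0.1:8080/login&logoff_url=http://10.0.0.1:8080/logoff"
    "&blackout_time=0&service_id=guest")

def normalize_mac(mac):
    """Return MAC as lower-case colon-separated hex, or None if malformed."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else None

def safe_userurl(userurl, default="https://example.com/welcome"):
    """Only send the client back to an http(s) target; otherwise use a fixed page."""
    p = urlparse(userurl)
    return userurl if p.scheme in ("http", "https") and p.netloc else default

def parse_redirect(url, authorized_aps):
    """Parse the AP redirect and validate it against the authorized NAS list.

    authorized_aps: set of AP MACs registered as authorized NAS (section 2.6).
    Returns (attrs, errors); a non-empty errors list means do not offer login.
    """
    qs = parse_qs(urlparse(url).query)
    attrs = {k: qs[k][0] for k in REQUEST_ATTRS if k in qs}
    errors = ["missing " + k for k in REQUIRED if k not in attrs]
    for key in ("client_mac", "ap_id"):
        mac = normalize_mac(attrs.get(key, ""))
        if mac is None and key in attrs:
            errors.append(key + " is not a MAC address")
        attrs[key] = mac
    if attrs["ap_id"] is not None and attrs["ap_id"] not in authorized_aps:
        errors.append("ap_id is not an authorized AP")
    for key in ("failure_count", "blackout_time"):  # counters; unparsable -> 0
        attrs[key] = int(attrs[key]) if attrs.get(key, "").isdigit() else 0
    if attrs["blackout_time"] > 0:
        errors.append("client is blacked out for %d s" % attrs["blackout_time"])
    attrs["userurl"] = safe_userurl(attrs.get("userurl", ""))
    return attrs, errors
```

The challenge/digest computation the AP expects in the Response Attributes is not described on this page, so the example stops at validating the request; the returned attrs carry the challenge and login_url the portal needs for that next step.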
2.4 Walled Garden
Finally, within the WLAN configuration it is necessary to include the domains to which free access should be allowed within the walled garden. To do this, click on Captive Portal and then Add on Walled Garden Sites and add all the necessary domains within the drop-down menu that appears.
If you wish to add extra domains (social networks, PayPal, etc.), they can be consulted from the following link.
Once all the changes have been made in both Security and Captive Portal, the configuration must be saved by clicking on Save.
2.5 Device Templates
Once the external captive portal has been configured, the WLAN created must be associated with a template. To do this go to Configuration > Device Configuration > Device Template and click on Add Device Template to create a new one, or modify an existing one. In the configuration options set the following parameters.
Template Name: Template Name
Next, you need to add the WLAN created earlier. To do this, go to Radio Settings and click on Universal Configuration, select Add SSID Profile from the drop-down menu and select the SSID profile that contains the captive portal:
Once you have added the SSID Profile in both the 2.4GHz and 5GHz bands, click Save to save all changes.
When saving the changes, if no password has been configured for access to the APs within the Template, an error will appear. Therefore, it will be necessary to add a password to save the changes made. To do this go to Device Settings > Device Password and add the password for access to the APs.
2.5 Managed devices
To finish the configuration of the APs of the installation, the Device Template created previously must be associated with the APs that should radiate the new SSID. To do this, go to Monitoring > Managed Devices, select all the APs of the installation that should radiate the SSID created previously, and click on the button at the bottom of the page to change the Template associated with the APs.
After clicking on this button, select the Template created in the drop-down menu and confirm that you want to make these changes.
Finally, check that once these changes have been made, the template has been associated with the APs.
2.6 Authorized MAC Addresses
For user validation to work properly, it is necessary to identify the NAS that will be able to make authentication requests to the Radius Server. The MAC address of all APs must be added.
These MAC addresses are easily accessible within Monitoring > Managed Devices:
For information on how to add the MAC address of each AP as an authorized NAS on the platform, please refer to the following link: Locations
3- Enterprise module configuration
In order to integrate the configurations of this module with the platform, it is necessary to contract the Octopus Wifi Enterprise Module.
3.1 Captive portal + MAC Authentication configuration
To enable MAC authentication it is necessary to edit the WLAN in use.
To do so, go to Configuration > Device Configuration > SSID Profiles and select the SSID profile created earlier to edit its configuration. Once inside the SSID Profile, go to the Security section and check the Secondary Authentication option.
Next, check the RADIUS MAC Authentication option and click RADIUS Settings to configure the following parameters:
Associate the radius servers created in point 2.3 (Radius section) of this guide.
Authentication
Called Station ID: %m:%s
NAS ID: %m:%s
Username and Password:
Username: MAC Address with Colon
Password: MAC Address with Colon
Primary Authentication Server: RADIUS1
Secondary Authentication Server: RADIUS2
Accounting (this option must be enabled in order to control the sessions)
Interval: 10 mins
Primary Accounting Server: RADIUS1
Secondary Accounting Server: RADIUS2
Once all the changes have been made within the SSID Profile edition, click on Save to save the new configuration.
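On the RADIUS side, the Called Station ID and NAS ID are both built from the %m:%s macro, and MAC authentication sends the client MAC with colons as both username and password. The following is an added example, not code from this guide or from the Octopus platform, of the checks a RADIUS back end can apply to an Access-Request before processing it: it splits the Called Station ID into AP MAC and SSID, verifies the AP against the authorized NAS list from the Authorized MAC Addresses section, and recognises a MAC-authentication request by the username/password format configured above. It assumes %m renders as a colon-separated MAC; the MACs and SSID in SAMPLE_REQUEST are constructed values.

```python
import re

# "MAC Address with Colon", the username/password format configured above.
COLON_MAC = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample Access-Request fields (hypothetical MACs and SSID).
SAMPLE_REQUEST = {
    "called_station_id": "00:11:22:33:44:55:Guest_WiFi",   # %m:%s
    "nas_id": "00:11:22:33:44:55:Guest_WiFi",              # %m:%s
    "username": "AA:BB:CC:DD:EE:01",
    "password": "AA:BB:CC:DD:EE:01",
}

def split_called_station_id(value):
    """Split a Called-Station-Id built from %m:%s into (ap_mac, ssid).

    Assumes %m renders as a 17-character colon-separated MAC; the SSID may
    itself contain colons, so only the first separator after the MAC counts.
    Returns None when the value is not in that form.
    """
    if len(value) < 19 or value[17] != ":" or not COLON_MAC.match(value[:17]):
        return None
    return value[:17].lower(), value[18:]

def check_access_request(req, authorized_aps, expected_ssid):
    """Validate the NAS identity and MAC-auth credentials of an Access-Request.

    authorized_aps: AP MACs registered as authorized NAS (section 2.6).
    Returns (client_mac, errors): client_mac is the lower-case MAC when the
    request is a MAC-authentication request (username == password == MAC),
    otherwise None; any error means the request must be rejected.
    """
    errors = []
    parts = split_called_station_id(req["called_station_id"])
    if parts is None:
        return None, ["Called-Station-Id is not in %m:%s form"]
    ap_mac, ssid = parts
    if ap_mac not in authorized_aps:
        errors.append("AP %s is not an authorized NAS" % ap_mac)
    if ssid != expected_ssid:
        errors.append("unexpected SSID %r" % ssid)
    # NAS ID is built from the same macro, so the two attributes must agree.
    if req["nas_id"].lower() != req["called_station_id"].lower():
        errors.append("NAS ID does not match Called-Station-Id")
    client_mac = None
    user, pw = req["username"], req["password"]
    if COLON_MAC.match(user) and user.lower() == pw.lower():
        client_mac = user.lower()
    return client_mac, errors
```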
3.2 MAC Authentication configuration
To create an SSID dedicated only to MAC Authentication go to Configuration > Device Configuration and click on Role Profiles and once inside click on Add Role Profile to create a new role and configure the following parameters:
Profile Name: MAC AUTH USER
Role: MAC AUTH USER
Inherit from SSID: disable.
VLAN: enable this option and configure:
VLAN ID: indicate the vlan configured on the network
Once you have done this, you have to create the SSID. To do this go to Configuration > Device Configuration > SSID Profiles; to add a new WLAN, click on Add New WiFi Profile.
Add a name for the new profile as well as the SSID to be radiated by the APs, e.g. Mac_Auth_Guest
In the Security tab, select Open as the authentication method for the newly created WLAN.
Next, enable MAC Authentication within the SSID Profile and assign the above role to users who validate themselves by their MAC address.
To do this go to Configuration > Device Configuration > SSID Profiles and select the SSID profile created earlier to edit its configuration. Once inside the SSID Profile, drop down the Security section and check the Secondary Authentication option.
Next, check the RADIUS MAC Authentication option and click RADIUS Settings to configure the following parameters:
Associate the radius servers created in point 2.3 (Radius section) of this guide.
After clicking on Save, enable the Assign SSID Profile option and select the role created earlier under Select Role for Successful Clients.
In this way, if the MAC authentication is correct, the user will have free access without the need to validate through the captive portal.
Once all the changes have been made within the SSID Profile edition, click on Save to save the new configuration.