User manual ALCATEL-LUCENT OMNISWITCH 9000

[. . . ] from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of Cisco Systems or Nortel Networks. ii Part 031650-00 May 2005 Contents Preface Document Organization Related Documents . . . . . . 11 12 12 14 22 Managing Software Feature Licenses Alcatel Software Licenses . . . . Contents iii OmniAccess RN: User Guide Additional Software License Information Permanent Licenses . . . 9 . 9 . 9 . 9 11 12 14 14 Configuring a Port to Be an Access Port . [. . . ] Captive Portal customization will talk about customizing the captive portal page. Configuring Captive Portals for Guest Logon Configuring captive portal for guest logon does not require an authentication server. The user will be re-directed to a logon page, where the user will need to enter the credentials (an email ID in this case). The user is then granted a default role with limited access to browse the internet. Navigate to the Configuration > Security > Authentication Methods > Captive Portal Authentication page. Configuring the Captive Portal 99 OmniAccess RN: User Guide 2 3 Configure the role that the guest logon users will take. (See "Configuring Firewall Roles and Policies" for information on configuring a role). HTTP: If the protocol selected is http, ensure that the following rules are included in the captiveportal policy: 100 Part 031650-00 May 2005 Chapter 10 user alias mswitch svc-http permit user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 HTTPs: If the protocol is https, ensure that the captiveportal policy has the following rules: user alias mswitch svc-https permit user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 4 In the default user role of un-authenticated users (logon role by default), ensure that the captiveportal policy has been added. The user traffic needs to hit the rules in this policy for captive portal to work. Configuring the Captive Portal 101 OmniAccess RN: User Guide 5 Configure the captive portal parameters. Parameter Default role Description The role assigned to the guest user on logon. Default: guest Enable Guest Logon This field need to be checked to enable guest logon as explained above. Default: Unchecked Enable User Logon This field needs to be checked to enable user logon authentication using an authentication server. In case of guest logon this field needs to be unchecked if captive portal is used for guest logon only. Default: Checked Enable Logout Popup Window When this is enabled, a pop up window will appear with the Logout link for the user to logout after the user logs in. http / https ­ If http is selected, the captive portal policy will have to be modified to allow http traffic. Default: https Redirect Pause Timeout This is the time (in seconds) that the system remains in the initial welcome page before re-directing the user to the final web URL. Default: 10s Configuring the Captive Portal 107 OmniAccess RN: User Guide Welcome Page Location The welcome page is the page that appears soon after logon and before re-direction to the web URL. Default: /auth/welcome. html Logon wait Interval Time range in seconds, the user will have to wait for the logon page to pop up in case the CPU load is high. Default: 5 ­ 10s CPU Utilization Threshold The CPU utilization percentage above which the Logon wait interval gets applied while presenting the user with the logon page. Default value: 60 % 6 From the pull-down menu select the desired role the user will be placed in after logon. Note that this role would be applied only if there are no other derivation rules that supersede it. Ensure that the Enable User Logon checkbox is selected Set the protocol type http or https as per the requirement. Set the welcome page location to the required URL. 7 8 9 Configuring the AAA Server for Captive Portal To configure the AAA server that captive portal will use for authentication: 1. Click Add under the Authentication Servers heading. 108 Part 031650-00 May 2005 Chapter 10 2 3 4 5 Under Choose an Authentication Server is a pull down menu. From this menu select the authentication server that will be the primary server. [. . . ] In this case however it is used during the transitional phase before converting all system to WPA-TKIP with PEAP authentication. 254 Part 031650-00 May 2005 Chapter 19 Topology Diagram Local 1 Local 2 Local 3 Topology Description Redundancy This topology uses the N+1 redundancy. The master is not redundant which means that if the master goes down, the network will be affected as there is no redundant master to take its place. However if a local switch goes down, the master will take over the operations of the local switch till the local switch recovers. Topology Example Four 255 OmniAccess RN: User Guide During failover, the operation state of the client is not maintained and the client will have to re-authenticate to gain access. VRRP instance VLAN 101 Switches involved VRRP address VRRP instance on local_101 VRRP instance on master VRRP instance VLAN 102 Switches involved VRRP address VRRP instance on local_102 VRRP instance on master VRRP instance VLAN 103 Switches involved VRRP address VRRP instance on local_103 VRRP instance on master Master and Local_101 10. 1. 101. 12 Priority = 150 Pre-empt = enable Priority = 100 Pre-empt = disable Master and Local_102 10. 1. 102. 12 Priority = 150 Pre-empt = enable Priority = 100 Pre-empt = disable Master and Local_101 10. 1. 103. 2 Priority = 150 Pre-empt = enable Priority = 100 Pre-empt = disable Requirements on the Master Switch The master switch should have an interface on each of the vlans the local switches belong to. The master switch also has a separate VRRP instance for each of the local switches corresponding to the local switch's VLAN and subnet. [. . . ]