Title: Altai Certification Training Backend Network Planning
Altai Certification Training: Backend Network Planning
- Professional Services
- Altai Technologies Limited
Module Outline
- Service Controller Solution
- Layer 2 Network Deployment Scenario
- Layer 3 Network Deployment Scenario
- A3 ACS Solution
Service Controller Solution
- RADIUS or Active Directory in the existing network acts as the authentication server
- Multiple SSIDs for different groups of clients, e.g. staff and guest
- Each group of clients is only allowed to access specific network subnets
- A different authentication method can be applied to each SSID
Layer 2 Network Deployment Scenario
- Deployment scenario: an enterprise with one or several buildings whose network is based on layer 2 connections.
- Solution 1: the SC Internet port acts as the network backhaul, and the LAN port connects to the AP.
- Solution 2: one of the SC ports acts as the network backhaul.
Layer 2 Network Design
- Intranet for staff
  - Ingress VLAN 1
  - Egress VLAN 10
  - Client IP subnet 192.168.1.x
  - AD or RADIUS authentication
  - Allowed to access intranet and internet
- Internet for guest
  - Ingress VLAN 2
  - Egress VLAN 10
  - Client IP subnet 192.168.2.x
  - SC local account
  - HTML authentication
Layer 2 Network Solution I
[Diagram: Layer 2 Network Solution I. Backend side: DHCP server, Intranet, Router, Firewall and RADIUS server / Active Directory on VLAN 10 and VLAN 20; Management Server on VLAN 100. Service Controller: Internet port carries VLAN 10 and 20, LAN port carries VLAN 1 and 2. A VLAN switch carrying VLAN 1, 2 and 100 connects over trunk ports to the Altai AP (VLAN 1, VLAN 2, VLAN 100). SSIDs: SSID_Intranet 192.168.1.x on VLAN 1; SSID_Internet 192.168.2.x on VLAN 2; Management SSID 192.168.100.x on VLAN 100.]
Layer 2 Network Solution II
[Diagram: Layer 2 Network Solution II. Backend side: DHCP server, Intranet, Router, Firewall and RADIUS server / Active Directory on VLAN 10 and VLAN 20; Management Server on VLAN 100. Service Controller on a single switch port: egress VLAN 10 and 20, ingress VLAN 1 and 2. VLAN switch: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20, 100; AP port VLAN 1, 2, 100; trunk ports throughout. Altai AP on VLAN 1, VLAN 2 and VLAN 100. SSIDs: SSID_Intranet 192.168.1.x on VLAN 1; SSID_Internet 192.168.2.x on VLAN 2; Management SSID 192.168.100.x on VLAN 100.]
Layer 2 Active Directory Authentication Procedure
Participants: User, AP, Service Controller, AD server, DHCP server.
- User associates with the wireless network and sends EAPOL-Start.
- AP sends EAP Request/Identity to the user.
- User sends EAP Response/Identity; the AP redirects the request to the Service Controller.
- Service Controller forwards the EAP Response/Identity over AD to the AD server.
- AD server returns an EAP request over AD; the Service Controller and AP pass the EAP request to the user.
- User sends the EAP response; the Service Controller forwards it as EAP Response over AD.
- AD server returns EAP success over AD together with the user configuration.
- AP sends EAP success to the user.
- User sends a DHCP request; the AP redirects it to the DHCP server.
- DHCP server responds to the DHCP request and sends the IP address back.
Layer 2 HTML Authentication Procedure
Participants: User, AP, Service Controller, local account, DHCP server.
- User associates with the wireless network and sends a DHCP request; the AP redirects it to the DHCP server, which responds and sends the IP address back.
- User attempts to browse a Web site; the AP redirects the request to the Service Controller, where the request is intercepted and the login page is returned.
- User logs in; the login information is sent to the local account for authentication.
- Local account: login approved, and the user configuration settings are returned.
- Service Controller sends the transport page; the transport page sends a request for the session and welcome pages, which the Service Controller then sends.
Layer 3 Network Deployment Scenario
- Deployment scenario: a university or enterprise with multiple buildings whose network is based on layer 3 connections.
- Solution 1: the two buildings connect to each other over a layer 3 connection (traffic is forwarded based on IP address). Since the SC communicates with APs only by VLAN, an SC has to be deployed in every building in this case.
- Solution 2: the two buildings connect to each other through a tunnel that supports VLANs. In this case only one Service Controller is needed for the entire network.
Layer 3 Network Design Solution I
- Building 1
  - Intranet for staff
    - Ingress VLAN 1
    - Egress VLAN 10
    - Client IP subnet 192.168.1.x
    - AD or RADIUS authentication
    - Allowed to access intranet and internet
  - Internet for guest
    - Ingress VLAN 2
    - Egress VLAN 10
    - Client IP subnet 192.168.2.x
    - SC local account
    - HTML authentication
- Building 2
  - Intranet for staff
    - Ingress VLAN 3
    - Egress VLAN 10
    - Client IP subnet 192.168.3.x
    - AD or RADIUS authentication
    - Allowed to access intranet and internet
  - Internet for guest
    - Ingress VLAN 4
    - Egress VLAN 10
    - Client IP subnet 192.168.4.x
    - SC local account
    - HTML authentication
Layer 3 Network Solution I
[Diagram: Layer 3 Network Solution I. Backend side: DHCP server, Intranet, Router, Firewall and RADIUS server / Active Directory on VLAN 10, 30 and VLAN 20, 40. Building 1: Service Controller with egress VLAN 10, 20 and ingress VLAN 1, 2; VLAN switch with network port VLAN 10, 20, SC port VLAN 1, 2, 10, 20 and AP port VLAN 1, 2; Altai AP on VLAN 1 and VLAN 2. Building 2: Service Controller with egress VLAN 30, 40 and ingress VLAN 3, 4; VLAN switch with network port VLAN 30, 40, SC port VLAN 3, 4, 30, 40 and AP port VLAN 3, 4; Altai AP on VLAN 3 and VLAN 4. All links are trunk ports. SSIDs: SSID_Intranet 192.168.1.x VLAN 1 and SSID_Internet 192.168.2.x VLAN 2 in building 1; SSID_Intranet 192.168.3.x VLAN 3 and SSID_Internet 192.168.4.x VLAN 4 in building 2.]
Layer 3 Solution I Authentication Procedure
Building 1 is shown as the example. Participants: User, AP, Service Controller in Building 1, AD server, DHCP server.
- User associates with the wireless network and sends EAPOL-Start.
- AP sends EAP Request/Identity to the user.
- User sends EAP Response/Identity; the AP redirects the request to the Service Controller in Building 1.
- Service Controller forwards the EAP Response/Identity over AD to the AD server.
- AD server returns an EAP request over AD; the Service Controller and AP pass the EAP request to the user.
- User sends the EAP response; the Service Controller forwards it as EAP Response over AD.
- AD server returns EAP success over AD together with the user configuration.
- AP sends EAP success to the user.
- User sends a DHCP request; the AP redirects it to the DHCP server.
- DHCP server responds to the DHCP request and sends the IP address back.
Case Study: ASTRI Deployment
[Diagram: ASTRI deployment. Backend side: Intranet, Router, Firewall and Active Directory on VLAN 10 and VLAN 20. Service Controller with built-in DHCP server (192.168.0.x), egress VLAN 10, 20 and ingress VLAN 1, 2. VLAN switch: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20; AP port VLAN 1, 2; trunk ports throughout. Altai AP on VLAN 1 and VLAN 2. SSIDs: SSID_Internet 192.168.0.x on VLAN 2 with HTML authentication; SSID_Intranet 192.168.0.x on VLAN 1 with AD authentication.]
Wireless Network
| SSID | Target Clients | VLAN | Authentication | Encryption |
|---|---|---|---|---|
| Intranet | Staff | 1 | Active Directory | WPA/WPA2 |
| Internet | Guest | 2 | Captive Portal | WPA-PSK |
VLAN Network
| SSID | VLAN_Ingress | Client IP Address | VLAN_Egress | Colubris Interface IP address |
|---|---|---|---|---|
| Intranet | 1 | 192.168.0.x | 10 | 10.6.11.2 |
| Internet | 2 | 192.168.0.x | 20 | 10.6.12.2 |
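The VSC tables above (the Layer 2 design and the ASTRI case, where both SSIDs hand out 192.168.0.x) as an added example, not Altai's code: a small design check plus the access-list decision, showing why a client has to be classified by its ingress VLAN rather than its source address. The intranet address range is an assumption for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Vsc:
    """One SSID as the Service Controller sees it (values taken from the slides)."""
    ssid: str
    ingress_vlan: int
    egress_vlan: int
    client_subnet: str
    auth: str
    intranet_allowed: bool


# ASTRI case: both SSIDs hand out 192.168.0.x, so the ingress VLAN is the only
# thing that separates a staff client from a guest client.
ASTRI = [
    Vsc("Intranet", 1, 10, "192.168.0.0/24", "Active Directory", True),
    Vsc("Internet", 2, 20, "192.168.0.0/24", "Captive Portal", False),
]

# Assumed intranet address space for the policy decision (not stated on the slides).
INTRANET = ip_network("10.6.0.0/16")


def check_design(vscs):
    """Return a list of design problems; an empty list means the table is consistent."""
    problems, by_ingress = [], {}
    for v in vscs:
        if v.ingress_vlan in by_ingress:           # SC classifies clients by ingress VLAN only
            problems.append(f"ingress VLAN {v.ingress_vlan} used by both "
                            f"{by_ingress[v.ingress_vlan].ssid} and {v.ssid}")
        by_ingress[v.ingress_vlan] = v
        if v.ingress_vlan == v.egress_vlan:         # client VLAN would leak onto the backend
            problems.append(f"{v.ssid}: ingress and egress VLAN are both {v.ingress_vlan}")
    return problems


def vsc_for(vscs, ingress_vlan):
    """Classify a client by the VLAN its frame arrived on, never by its source IP."""
    return next((v for v in vscs if v.ingress_vlan == ingress_vlan), None)


def may_reach(vscs, ingress_vlan, dst_ip):
    """Access-list decision: guests reach only the internet, staff also reach the intranet."""
    v = vsc_for(vscs, ingress_vlan)
    if v is None:
        return False                                # frame from an unknown VLAN: drop
    dst = ip_address(dst_ip)
    if dst in INTRANET:
        return v.intranet_allowed
    return dst.is_global                            # public destinations count as the internet
```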
Service Controller Configuration Walkthrough (screenshot slides)
- Network configuration: ingress VLAN
- Network configuration: egress VLAN
- Network ports
- DHCP server (1)
- DHCP server (2)
- DNS
- Check IP routers
- Join Active Directory
- AD group configuration
- Add RADIUS secret
- Account Profiles (1)
- Account Profile (2)
- User account (1)
- User account (2)
- Access List
- VSC AD Authentication (1)
- VSC AD Authentication (2)
- VSC AD Authentication (3)
- VSC HTML Authentication (1)
- VSC HTML Authentication (2)
Layer 3 Network Design Solution II
- Intranet for staff
  - Ingress VLAN 1
  - Egress VLAN 10
  - Client IP subnet 192.168.1.x
  - AD or RADIUS authentication
  - Allowed to access intranet and internet
- Internet for guest
  - Ingress VLAN 2
  - Egress VLAN 10
  - Client IP subnet 192.168.2.x
  - SC local account
  - HTML authentication
Layer 3 Network Solution II
[Diagram: Layer 3 Network Solution II. Backend side: DHCP server, Intranet, Router, Firewall and RADIUS server / Active Directory on VLAN 10, 30 and VLAN 20, 40. A single Service Controller with egress VLAN 10, 20 and ingress VLAN 1, 2; VLAN switch with network port VLAN 10, 20, SC port VLAN 1, 2, 10, 20 and AP port VLAN 1, 2. Multiple layer 3 tunnels carry VLAN 1 and VLAN 2 to the Altai APs in both buildings, with trunk ports throughout. SSIDs in both buildings: SSID_Intranet 192.168.1.x on VLAN 1; SSID_Internet 192.168.2.x on VLAN 2.]
Layer 3 Solution II Authentication Procedure
Building 1 is shown as the example; the AP reaches the Service Controller through the layer 3 tunnel. Participants: User, AP, Service Controller, AD server, DHCP server.
- User associates with the wireless network and sends EAPOL-Start.
- AP sends EAP Request/Identity to the user.
- User sends EAP Response/Identity; the AP redirects the request to the Service Controller.
- Service Controller forwards the EAP Response/Identity over AD to the AD server.
- AD server returns an EAP request over AD; the Service Controller and AP pass the EAP request to the user.
- User sends the EAP response; the Service Controller forwards it as EAP Response over AD.
- AD server returns EAP success over AD together with the user configuration.
- AP sends EAP success to the user.
- User sends a DHCP request; the AP redirects it to the DHCP server.
- DHCP server responds to the DHCP request and sends the IP address back.
Case Study: Operator Network Deployment Solution
[Diagram: operator network, with the question "Tunnel between AP and Controller?" posed on the slide. Elements: IP service with PPPoE (Internet or MPLS VPN); tunneling routers; standard DSL modem/router; AAA; BAS; DSLAM; Metro Ethernet network; IP backbone; ADSL; Ethernet; Controller; TUNNEL; GE; wireless backhaul; WiFi; multiple access points; AP (switch mode).]
Altai A3 ACS Solution
- Deployment scenario: a hotzone, where the whole network solution can be in one box.
- A RADIUS server or MAC authentication in the existing network acts as the authentication server; there is no need to integrate with an Active Directory server.
- 3G can be used as the backhaul.
- Roaming across A3s is not supported.
- A local database is supported.
- Multiple SSIDs for different groups of clients, such as staff and guest.
- Each group of clients is only allowed to access specific network subnets.
- A different authentication method can be applied to each SSID.
ACS Network Design Solution
- Intranet for staff
  - Intranet ACS Profile
  - Client IP subnet 192.168.0.x
  - RADIUS authentication
  - HTML authentication
  - Allowed to access intranet and internet
- Internet for guest
  - Internet ACS Profile
  - Client IP subnet 192.168.0.x
  - MAC authentication
  - Allowed to access internet only
Altai A3 Access Control System
[Diagram: Web server, DHCP server, Router, Firewall, RADIUS server and Switch behind the A3 in Gateway Mode with an ACS Profile. SSID_Intranet maps to the Intranet ACS Profile; SSID_Internet maps to the Internet ACS Profile.]
ACS User Login Procedure
Case Study: Hotspot Operator ACS Profile Configuration
[Diagram: RADIUS server and Web server at the Hotspot Operator NOC, reached over 3G backhaul from the A3 in Gateway Mode (10.6.127.200) with built-in DHCP server 192.168.0.1. SSIDs: SSID_HTMLAuth and SSID_MACAuthrnet.]
Hotspot Operator Network Illustration
- 3G dongle as the network backhaul
- A3 built-in DHCP server enabled
- Remote RADIUS server handles authentication and accounting for internal clients
- Remote Web server is used for RADIUS server authentication
- Access control lists are established to define the different network access for multiple kinds of clients
- Local account is used for MAC authentication of clients that may only access the internet
ACS Configuration Walkthrough (screenshot slides)
- ACS Profile
- Local Account
- RADIUS Server
- Access Rules (1)
- Access Rules (2)
- Access Rules Profile
- HTMLAuth Profile
- MACAuth Profile
- Export ACS profile
Thank You