Altai Certification Training Backend Network Planning - PowerPoint PPT Presentation

Provided by: AltaiTech

1
Altai Certification Training Backend Network Planning
  • Professional Services
  • Altai Technologies Limited

2
Module Outline
  • Service Controller Solution
  • Layer 2 Network Deployment Scenario
  • Layer 3 Network Deployment Scenario
  • A3 ACS Solution

3
Service Controller Solution
  • RADIUS or Active Directory in the existing network
    serves as the authentication server
  • Multiple SSIDs for different groups of clients,
    e.g. staff and guest
  • Each group of clients is only allowed to access
    specific network subnets
  • A different authentication method can be applied
    to each SSID

4
Layer 2 Network Deployment Scenario
  • Deployment scenario: an enterprise with one or
    several buildings whose network is based on layer 2
    connections.
  • Solution 1: the SC Internet port acts as the network
    backhaul and the LAN port connects to the AP.
  • Solution 2: one of the SC ports acts as the network
    backhaul.

5
Layer 2 Network Design
  • Intranet for staff
      • Ingress VLAN 1
      • Egress VLAN 10
      • Client IP subnet 192.168.1.x
      • AD or RADIUS Authentication
      • Allowed access intranet and internet
  • Internet for guest
      • Ingress VLAN 2
      • Egress VLAN 10
      • Client IP subnet 192.168.2.x
      • SC Local account
      • HTML-Authentication

6
Layer 2 Network Solution I
Diagram: Service Controller with Internet port on VLAN 10/20 (egress) and LAN port on VLAN 1/2 (ingress); VLAN switch carrying VLAN 1, 2, 100; Altai AP on VLAN 1, 2, 100; links are trunk ports.
  • Backend: DHCP server, intranet, router, firewall, RADIUS server / Active Directory on VLAN 10 and 20; management server on VLAN 100
  • SSID_Intranet: 192.168.1.x, VLAN 1
  • SSID_Internet: 192.168.2.x, VLAN 2
  • Management SSID: 192.168.100.x, VLAN 100

7
Layer 2 Network Solution II
Diagram: Service Controller with egress VLAN 10/20 and ingress VLAN 1/2, attached to a VLAN switch; Altai AP on VLAN 1, 2, 100; links are trunk ports.
  • Backend: DHCP server, intranet, router, firewall, RADIUS server / Active Directory on VLAN 10 and 20; management server on VLAN 100
  • VLAN switch: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20, 100; AP port VLAN 1, 2, 100
  • SSID_Intranet: 192.168.1.x, VLAN 1
  • SSID_Internet: 192.168.2.x, VLAN 2
  • Management SSID: 192.168.100.x, VLAN 100

8
Layer 2 Active Directory authentication Procedure
  • User: associates with the wireless network; sends EAPOL-Start; sends EAP Response/Identity; sends EAP Response; sends DHCP request
  • AP: sends EAP Request/Identity; redirects the request to the Service Controller; sends EAP Request; sends EAP Success
  • Service Controller: forwards EAP Response/Identity over AD; forwards EAP Response over AD
  • AD Server: sends EAP Request over AD; sends EAP Success over AD together with the user configuration
  • DHCP server: responds to the DHCP request; sends the IP address back

9
Layer 2 HTML authentication Procedure
  • User: associates with the wireless network; sends DHCP request; attempts to browse a Web site; logs in; the transport page sends a request for the session and welcome pages
  • AP: redirects the request to the DHCP server; redirects the request to the Service Controller
  • Service Controller: request is intercepted; login page is returned; user login info is sent for authentication; transport page is sent; session and welcome pages are sent
  • Local account: login approved; user configuration settings are returned
  • DHCP server: responds to the DHCP request; sends the IP address back

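The two procedures on slides 8 and 9 differ in when the client is let through: on the AD-authenticated SSID nothing but EAPOL passes until the AD server returns EAP Success, while on the HTML-authenticated SSID the client gets an address first and only its web traffic is held at the login page. The following model of that gate is an added example, not Altai or Colubris code; the AD user list, the SC local accounts, the offered addresses and the frame names are constructed for the example.

```python
"""Client admission gate for the two authentication flows on slides 8 and 9.

Added example, not Altai/Colubris code. It models the AP / Service Controller
as a gate that releases client traffic only once the SSID's authentication has
completed:
  - Intranet SSID (slide 8, EAP over AD): only EAPOL frames pass until the
    AD server answers EAP Success; a DHCP request sent earlier is dropped.
  - Internet SSID (slide 9, HTML authentication): DHCP is answered at once,
    and HTTP is intercepted with the login page until the local account
    approves the login.
The AD user list, local accounts and offered addresses are constructed
placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional

AD_USERS = {"alice": "staff-pass"}          # constructed: identities known to AD
LOCAL_ACCOUNTS = {"guest01": "guest-pass"}  # constructed: SC local accounts


@dataclass
class Session:
    ssid: str                  # "Intranet" (EAP over AD) or "Internet" (HTML)
    authenticated: bool = False
    ip: Optional[str] = None
    log: List[str] = field(default_factory=list)


def sc_eap_over_ad(identity, secret):
    """SC relays EAP Response/Identity to AD; AD returns success or failure."""
    return AD_USERS.get(identity) == secret


def sc_portal_login(user, password):
    """SC checks the HTML login form against its local account database."""
    return LOCAL_ACCOUNTS.get(user) == password


def dhcp_offer(ssid):
    # Constructed sample address from each SSID's subnet on the slides.
    return {"Intranet": "192.168.1.50", "Internet": "192.168.2.50"}[ssid]


def handle(session, frame):
    """Gate one client frame; returns the action so callers can assert on it."""
    kind = frame["type"]
    if session.ssid == "Intranet":
        # 802.1X-style gate: only EAPOL is processed until EAP Success.
        if kind == "eapol_start":
            session.log.append("AP: EAP Request/Identity")
            return "eap_request_identity"
        if kind == "eap_response_identity":
            ok = sc_eap_over_ad(frame["identity"], frame["secret"])
            session.authenticated = ok
            session.log.append("AD: EAP Success" if ok else "AD: EAP Failure")
            return "eap_success" if ok else "eap_failure"
        if not session.authenticated:
            session.log.append(f"AP: dropped {kind} before EAP Success")
            return "dropped"
    else:
        # Captive portal: DHCP first; HTTP is intercepted until login succeeds.
        if kind == "http_get" and not session.authenticated:
            session.log.append("SC: request intercepted, login page returned")
            return "login_page"
        if kind == "portal_login":
            ok = sc_portal_login(frame["user"], frame["password"])
            session.authenticated = ok
            session.log.append("SC: welcome page" if ok else "SC: login rejected")
            return "welcome_page" if ok else "login_page"
    if kind == "dhcp_request":
        session.ip = dhcp_offer(session.ssid)
        session.log.append(f"DHCP: {session.ip}")
        return "dhcp_ack"
    if kind == "http_get":
        return "forwarded"
    return "dropped"


def run_dot1x_flow(identity="alice", secret="staff-pass"):
    """Slide 8 sequence, with one DHCP request sent too early."""
    s = Session("Intranet")
    actions = [handle(s, {"type": "dhcp_request"}),
               handle(s, {"type": "eapol_start"}),
               handle(s, {"type": "eap_response_identity",
                          "identity": identity, "secret": secret}),
               handle(s, {"type": "dhcp_request"})]
    return actions, s


def run_portal_flow(user="guest01", password="guest-pass"):
    """Slide 9 sequence: DHCP, intercepted browse, login, browse again."""
    s = Session("Internet")
    actions = [handle(s, {"type": "dhcp_request"}),
               handle(s, {"type": "http_get"}),
               handle(s, {"type": "portal_login", "user": user, "password": password}),
               handle(s, {"type": "http_get"})]
    return actions, s


if __name__ == "__main__":
    for actions, sess in (run_dot1x_flow(), run_portal_flow()):
        print(sess.ssid, actions, sess.ip)
```

The point the model makes explicit is that the two SSIDs expose different surfaces before authentication: the AD-authenticated client has no IP address at all until EAP Success, whereas the portal client already holds an address on the guest subnet, which is why the guest VLAN's egress and access list matter more than the staff VLAN's.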
10
Layer 3 Network Deployment Scenario
  • Deployment scenario: a university or enterprise with
    multiple buildings whose network is based on layer 3
    connections.
  • Solution 1: two buildings connect to each other over
    a layer 3 connection (traffic forwarding based on IP
    address). Since the SC communicates with APs only by
    VLAN, an SC must be deployed in every building in
    this case.
  • Solution 2: two buildings connect to each other over
    a tunnel that supports VLANs. In this case only one
    Service Controller is needed for the entire network.
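The reason Solution 1 needs a controller per building is that the SC and the AP must share a layer 2 path on each ingress VLAN, and a routed hop carries no VLAN across. The script below is an added example (not Altai or Colubris code) that checks a plan for exactly that: it computes VLAN-scoped layer 2 reachability over a small topology and reports which controller, if any, can serve each AP. Device names (SC1, SW1, AP1 and so on) and the link list are constructed; the VLAN numbers are those on the slides. It also checks that the egress VLANs do not extend to the AP port, which is a planning check the slides imply rather than state.

```python
"""VLAN-scoped layer-2 reachability check for the two layer-3 scenarios.

Added example, not Altai/Colubris code. A service controller (SC) reaches an
AP only over the AP's ingress VLANs, so an AP is served only if a layer-2 path
carrying each of those VLANs exists between them. A routed link carries no
VLAN; a VLAN-capable tunnel is modelled as a link that carries the listed
VLANs. Device names (SC1, SW1, AP1, ...) are constructed for the example.
"""
from collections import deque


def reachable(links, start, vlan):
    """Set of nodes reachable from `start` over links carrying `vlan` (BFS)."""
    adj = {}
    for a, b, vlans in links:
        if vlan in vlans:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def serving_controllers(links, ap, ingress_vlans, controllers):
    """Controllers that reach `ap` on every one of its ingress VLANs."""
    return sorted(sc for sc in controllers
                  if all(ap in reachable(links, sc, v) for v in ingress_vlans))


def egress_exposed(links, ap, sc, egress_vlans):
    """Egress VLANs on which the AP port is reachable from the SC; a correct
    plan has none, because the AP port carries ingress VLANs only."""
    return [v for v in sorted(egress_vlans) if ap in reachable(links, sc, v)]


def solution_i(second_controller=True):
    """Slide 10, Solution 1: buildings joined by a routed link (no VLAN
    carried); building 2 uses VLAN 3/4 and gets its own SC2."""
    links = [
        ("SC1", "SW1", {1, 2, 10, 20}),  # SC port: ingress 1,2 + egress 10,20
        ("AP1", "SW1", {1, 2}),          # AP port: ingress VLANs only
        ("AP2", "SW2", {3, 4}),
        ("SW1", "SW2", set()),           # layer-3 hop: no VLAN crosses it
    ]
    if second_controller:
        links.append(("SC2", "SW2", {3, 4, 30, 40}))
    controllers = ["SC1", "SC2"] if second_controller else ["SC1"]
    return {"AP1": serving_controllers(links, "AP1", {1, 2}, controllers),
            "AP2": serving_controllers(links, "AP2", {3, 4}, controllers)}


def solution_ii():
    """Slide 10, Solution 2: VLAN-capable tunnel between the buildings, both
    APs on VLAN 1/2, one SC for the whole network."""
    links = [
        ("SC1", "SW1", {1, 2, 10, 20}),
        ("AP1", "SW1", {1, 2}),
        ("AP2", "SW2", {1, 2}),
        ("SW1", "SW2", {1, 2}),          # tunnel carries the ingress VLANs
    ]
    return {"AP1": serving_controllers(links, "AP1", {1, 2}, ["SC1"]),
            "AP2": serving_controllers(links, "AP2", {1, 2}, ["SC1"]),
            "egress_leak": egress_exposed(links, "AP2", "SC1", {10, 20})}


if __name__ == "__main__":
    print(solution_i())                          # AP1 -> SC1, AP2 -> SC2
    print(solution_i(second_controller=False))   # AP2 has no controller
    print(solution_ii())                         # one SC serves both, no leak
```

Running it with the second controller removed from Solution 1 leaves AP2 with an empty controller list, which is the failure the slide warns about; in Solution 2 the tunnel link carries VLAN 1 and 2 but not 10 and 20, so the egress side stays behind the controller.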

11
Layer 3 Network Design Solution_I
  • Building 1
      • Intranet for staff
          • Ingress VLAN 1
          • Egress VLAN 10
          • Client IP subnet 192.168.1.x
          • AD or RADIUS Authentication
          • Allowed access intranet and internet
      • Internet for guest
          • Ingress VLAN 2
          • Egress VLAN 10
          • Client IP subnet 192.168.2.x
          • SC Local account
          • HTML-Authentication
  • Building 2
      • Intranet for staff
          • Ingress VLAN 3
          • Egress VLAN 10
          • Client IP subnet 192.168.3.x
          • AD or RADIUS Authentication
          • Allowed access intranet and internet
      • Internet for guest
          • Ingress VLAN 4
          • Egress VLAN 10
          • Client IP subnet 192.168.4.x
          • SC Local account
          • HTML-Authentication

12
Layer 3 Network Solution_I
Diagram: two buildings, each with its own Service Controller, VLAN switch and Altai AP; links are trunk ports.
  • Backend: DHCP server, intranet, router, firewall, RADIUS server / Active Directory on VLAN 10, 20, 30 and 40
  • Building 1: Service Controller egress VLAN 10/20, ingress VLAN 1/2; VLAN switch network port VLAN 10, 20, SC port VLAN 1, 2, 10, 20, AP port VLAN 1, 2; Altai AP on VLAN 1 and 2
  • Building 2: Service Controller egress VLAN 30/40, ingress VLAN 3/4; VLAN switch network port VLAN 30, 40, SC port VLAN 3, 4, 30, 40, AP port VLAN 3, 4; Altai AP on VLAN 3 and 4
  • SSID_Intranet: 192.168.1.x VLAN 1 (building 1), 192.168.3.x VLAN 3 (building 2)
  • SSID_Internet: 192.168.2.x VLAN 2 (building 1), 192.168.4.x VLAN 4 (building 2)

13
Layer 3 Solution I Authentication Procedure
Building 1 as an example:
  • User: associates with the wireless network; sends EAPOL-Start; sends EAP Response/Identity; sends EAP Response; sends DHCP request
  • AP: sends EAP Request/Identity; redirects the request to the Service Controller; sends EAP Request; sends EAP Success
  • Service Controller in Building 1: forwards EAP Response/Identity over AD; forwards EAP Response over AD
  • AD Server: sends EAP Request over AD; sends EAP Success over AD together with the user configuration
  • DHCP server: responds to the DHCP request; sends the IP address back

14
Case study ASTRI Deployment
Diagram: Service Controller with built-in DHCP server (192.168.0.x), egress VLAN 10/20 and ingress VLAN 1/2; links are trunk ports.
  • Backend: intranet, router, firewall, Active Directory on VLAN 10 and 20
  • VLAN switch: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20; AP port VLAN 1, 2
  • Altai AP on VLAN 1 and 2
  • SSID_Intranet: 192.168.0.x, VLAN 1, AD authentication
  • SSID_Internet: 192.168.0.x, VLAN 2, HTML authentication

15
Wireless Network
SSID      Target clients  VLAN  Authentication    Encryption
Intranet  Staff           1     Active Directory  WPA/WPA2
Internet  Guest           2     Captive Portal    WPA-PSK

16
VLAN Network
SSID      VLAN_Ingress  Client IP address  VLAN_Egress  Colubris interface IP address
Intranet  1             192.168.0.x        10           10.6.11.2
Internet  2             192.168.0.x        20           10.6.12.2

17
Network configuration_ingress vlan
18
Network configuration_egress vlan
19
Network ports
20
DHCP server_1
21
DHCP server_2
22
DNS
23
Check IP routers
24
Join Active Directory
25
AD group configuration
26
Add RADIUS secret
27
Account Profiles_1
28
Account Profile_2
29
User account_1
30
User account_2
31
Access List
32
VSC AD Authentication_1
33
VSC AD Authentication_2
34
VSC AD Authentication_3
35
VSC HTML Authentication_1
36
VSC HTML Authentication_2
37
Layer 3 Network Design Solution_II
  • Intranet for staff
      • Ingress VLAN 1
      • Egress VLAN 10
      • Client IP subnet 192.168.1.x
      • AD or RADIUS Authentication
      • Allowed access intranet and internet
  • Internet for guest
      • Ingress VLAN 2
      • Egress VLAN 10
      • Client IP subnet 192.168.2.x
      • SC Local account
      • HTML-Authentication

38
Layer 3 Network Solution_II
Diagram: one Service Controller (egress VLAN 10/20, ingress VLAN 1/2) serving two buildings over multiple layer 3 tunnels; links are trunk ports.
  • Backend: DHCP server, intranet, router, firewall, RADIUS server / Active Directory on VLAN 10, 20, 30 and 40
  • VLAN switch: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20; AP port VLAN 1, 2
  • Altai APs in both buildings on VLAN 1 and 2
  • SSID_Intranet: 192.168.1.x, VLAN 1 (both buildings)
  • SSID_Internet: 192.168.2.x, VLAN 2 (both buildings)

39
Layer 3 Solution II Authentication Procedure
Multiple layer 3 tunnels; Building 1 as an example:
  • User: associates with the wireless network; sends EAPOL-Start; sends EAP Response/Identity; sends EAP Response; sends DHCP request
  • AP: sends EAP Request/Identity; redirects the request to the Service Controller; sends EAP Request; sends EAP Success
  • Service Controller: forwards EAP Response/Identity over AD; forwards EAP Response over AD
  • AD Server: sends EAP Request over AD; sends EAP Success over AD together with the user configuration
  • DHCP server: responds to the DHCP request; sends the IP address back

40
Case Study Operator Network Deployment Solution
Diagram: tunnel between AP and Controller? IP service with PPPoE (Internet or MPLS VPN).
  • Access side: WiFi clients; multiple access points; AP (switch mode); wireless backhaul; Ethernet to a standard DSL modem/router; ADSL to the DSLAM
  • Operator side: DSLAM, BAS, AAA, tunneling routers, metro Ethernet network, IP backbone
  • Controller attached by GE and Ethernet; TUNNEL across the operator network

41
Altai A3 ACS Solution
  • Deployment scenario: hotzone; the whole network
    solution can be in one box.
  • A RADIUS server or MAC authentication in the existing
    network serves as the authentication server; there is
    no need to integrate with an Active Directory server
  • Can use 3G as backhaul
  • Roaming across A3s is not supported
  • Local database is supported
  • Multiple SSIDs for different groups of clients, such
    as staff and guest
  • Each group of clients is only allowed to access
    specific network subnets
  • A different authentication method can be applied
    to each SSID

42
ACS Network Design Solution
  • Intranet for staff
      • Intranet ACS Profile
      • Client IP subnet 192.168.0.x
      • RADIUS authentication
      • HTML-authentication
      • Allowed access intranet and internet
  • Internet for guest
      • Internet ACS Profile
      • Client IP subnet 192.168.0.x
      • MAC authentication
      • Allowed access internet only
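Both the Service Controller designs (slides 3 and 5) and the ACS design above express the same access policy: each client group is confined to specific subnets, with staff allowed intranet and internet and guests allowed internet only. The script below is an added example, not Altai or Colubris code, of how such an access list is evaluated as an ordered, first-match, default-deny rule table, together with an audit that checks the table against the intended policy. Client subnets (192.168.1.x, 192.168.2.x) and the management subnet (192.168.100.x) are taken from the slides; the intranet prefix 10.0.0.0/8, the rule that clients never reach the management subnet, and the internet host address are assumptions constructed for the example.

```python
"""First-match access list for the per-group network access on the slides.

Added example, not Altai/Colubris code. Staff (192.168.1.x) may reach the
intranet and the internet; guests (192.168.2.x) may reach the internet only;
anything unmatched is denied. Client subnets and the management subnet
(192.168.100.x) are taken from the slides; the intranet prefix 10.0.0.0/8 and
the rule that clients never reach the management subnet are assumptions made
for the example.
"""
import ipaddress as ip


def nets(*cidrs):
    return [ip.ip_network(c) for c in cidrs]


GROUPS = {  # client subnet -> client group (ingress VLAN 1 / VLAN 2 subnets)
    ip.ip_network("192.168.1.0/24"): "staff",
    ip.ip_network("192.168.2.0/24"): "guest",
}
MANAGEMENT = nets("192.168.100.0/24")                            # management VLAN 100
PRIVATE = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC 1918 space
ANY = nets("0.0.0.0/0")

# Ordered rules (group, destination networks, action); the first match wins.
RULES = [
    ("staff", MANAGEMENT, "deny"),   # assumed hardening: no client reaches mgmt
    ("staff", ANY, "allow"),         # intranet and internet
    ("guest", PRIVATE, "deny"),      # no intranet, no other clients, no mgmt
    ("guest", ANY, "allow"),         # internet only
]


def group_of(src):
    """Client group derived from the source address's subnet, or None."""
    addr = ip.ip_address(src)
    for net, group in GROUPS.items():
        if addr in net:
            return group
    return None


def decide(src, dst):
    """'allow' or 'deny' for a packet src -> dst; the default is deny, which
    also covers sources outside any known client subnet."""
    group = group_of(src)
    if group is None:
        return "deny"
    addr = ip.ip_address(dst)
    for rule_group, dests, action in RULES:
        if rule_group == group and any(addr in n for n in dests):
            return action
    return "deny"


def audit(cases):
    """Evaluate (src, dst, expected) triples; returns the mismatches, so an
    empty list means the rule table implements the intended policy."""
    return [(s, d, decide(s, d)) for s, d, want in cases if decide(s, d) != want]


# Constructed policy checks: 10.6.11.2 is the intranet-side interface address
# on the slides; 203.0.113.10 stands in for an internet host (TEST-NET-3).
POLICY_CASES = [
    ("192.168.1.20", "10.6.11.2", "allow"),       # staff -> intranet
    ("192.168.1.20", "203.0.113.10", "allow"),    # staff -> internet
    ("192.168.1.20", "192.168.100.5", "deny"),    # staff -> management
    ("192.168.2.20", "10.6.11.2", "deny"),        # guest -> intranet
    ("192.168.2.20", "192.168.1.20", "deny"),     # guest -> staff client
    ("192.168.2.20", "203.0.113.10", "allow"),    # guest -> internet
    ("192.168.100.5", "203.0.113.10", "deny"),    # unknown source
]

if __name__ == "__main__":
    print("violations:", audit(POLICY_CASES))   # an empty list is the goal
```

The order of the guest rules is what enforces "internet only": the RFC 1918 deny has to come before the catch-all allow, and the audit is what catches a rule table where somebody swapped them.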

43
Altai A3 Access Control System
Diagram: A3 in gateway mode applying ACS profiles, behind a switch; backend: Web server, DHCP server, router, firewall, RADIUS server.
  • SSID_Intranet: Intranet ACS Profile
  • SSID_Internet: Internet ACS Profile

44
ACS User Login Procedure
45
Case Study Hotspot Operator ACS Profile
Configuration
Diagram: A3 in gateway mode (10.6.127.200) with built-in DHCP server (192.168.0.1) on a 3G backhaul; RADIUS server and Web server at the hotspot operator NOC.
  • SSID_HTMLAuth
  • SSID_MACAuthrnet

46
Hotspot Operator Network Illustration
  • 3G dongle as network backhaul
  • A3 built-in DHCP server enabled
  • Remote RADIUS server is used for internal clients'
    authentication and accounting
  • Remote Web server is used for RADIUS server
    authentication.
  • An access control list is established to define
    the different network access for multiple kinds of
    clients
  • Local account is used for MAC authentication of
    clients who may only access the internet

47
ACS Profile
48
Local Account
49
RADIUS Server
50
Access Rules 1
51
Access Rules 2
52
Access Rules Profile
53
HTMLAuth Profile
54
MACAuth Profile
55
Export ACS profile
56
Thank You