ZoneDirector WISPr/Guest/Web Auth

ZoneDirector WISPr/Guest/Web Auth By Vincent Wang

Agenda
- WISPr Introduction
- WISPr ZD Setting
- WISPr Work Flow
- Guest Access Setting
- Guest Access Work Flow
- Web Authentication Setting
- Web Authentication Work Flow
- Q & A

WISPr Introduction
WISPr (Wireless Internet Service Provider roaming, pronounced "whisper") is a draft protocol submitted to the Wi-Fi Alliance that allows users to roam between wireless Internet service providers, in a fashion similar to the way cellphone users roam between carriers.

WISPr Introduction

WISPr ZD Setting

WISPr ZD Setting
- Login Page: unauthenticated users shall be redirected to the login page.
- Start Page: after the user is authenticated, the user shall be redirected to the start page.
- Location information: describes the hotspot service location.
- Walled Garden: effective for unauthenticated users only. It shall hold at most 16 IP addresses or subnets; these destinations may be accessed by unauthenticated users.
- Restricted Subnet Access: users can define L3/L4 IP address access control rules for each hotspot service to allow or deny wireless devices based on their IP addresses.

WISPr ZD Setting

WISPr Authentication Process
Participants: Station, AP, ZD, Web Server, RADIUS Server. Login process:
- Station -> ZD: HTTP request (GET), visit www.google.com (Restrict Mode; traffic tunneled to ZD)
- ZD -> Station: response HTTP redirect (ZD IP, URL request)
- Station -> ZD: GET (ZD IP, URL request)
- ZD -> Station: response HTTP redirect (ZD IP, URL request, login page)
- Station -> Web Server: GET login page
- Web Server -> Station: response login page
- Station -> ZD: post user ID and password from the login page
- ZD -> RADIUS Server: RADIUS Access-Request (user ID/password)
- RADIUS Server -> ZD: RADIUS Access-Accept / Reject
- ZD -> Station: response result page (ZD IP, URL request); station enters Un-Restrict Mode

WISPr Authentication Process, AP side
When a WLAN is created with hotspot service, ZD puts every station into RESTRICT mode by default, on both ZD and AP, until stamgr tells apmgr to "UN-RESTRICT" the station. Once a station has associated with the AP successfully, its traffic is forwarded to ZD in RESTRICT mode: all traffic from the station is tunneled into ZD, except
- ARP
- DNS
- DHCP

WISPr Authentication Process, AP side
When a WLAN is created with hotspot service, ZD dispatches an LWAPP message to notify the AP of the policy, which is similar to an ACL for the station. You can check the policy under "/proc/afmod/policy/xx-xx".
Lab addresses used in the traces that follow: ZD 172.18.110.231, AP 172.18.110.234, web server 172.18.110.20

WISPr Authentication Process, ZD side
- UAM Server (Universal Access Method): listens on ports 9997 (HTTP) and 9998 (HTTPS) on ZD. When the user submits user ID/password, the login page posts the data to the UAM server, which verifies it.
- Rhttpd Server: listens on port 9999 on ZD; this is the front gate of the redirect.
- Emfd + webs: provide the correct URL for the user to log in and perform user authentication.
- Afmod + NAT: while a station is un-authorized, all traffic from the station is tunneled into ZD and the packets are DNATed to the rhttpd server. If the station's IP address is in a different subnet from the ZD IP address, ZD adds a HOST route for the station.

WISPr Authentication Process, ZD side: Afmod + NAT
When a WLAN with hotspot service is created on ZD, ZD also creates a policy list under "/proc/afmod/policy/xx-xx".
ZD: 172.18.110.231, AP: 172.18.110.234, web server: 172.18.110.20
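The restrict-mode decision described in the Walled Garden setting and the AP/ZD-side slides above, as an added Python model written for this page (it is not ZoneDirector code): ARP, DNS and DHCP bypass the tunnel, walled-garden destinations (at most 16 IPs or subnets) are reachable, and HTTP is DNATed to rhttpd on port 9999. Dropping everything else from a restricted station is an assumption the slides do not state.

```python
import ipaddress
from dataclasses import dataclass

ZD_IP = "172.18.110.231"        # ZD address from the lab setup on the slides
RHTTPD_PORT = 9999              # rhttpd, the "front gate" of the redirect
WALLED_GARDEN_MAX = 16          # limit stated in the WISPr ZD Setting slide


@dataclass
class Packet:
    """Minimal view of a station packet: L4 protocol, destination IP and port."""
    proto: str                  # "arp", "udp" or "tcp"
    dst_ip: str
    dport: int = 0


def parse_walled_garden(entries):
    """Accept single IPs or subnets; refuse lists longer than the ZD limit."""
    if len(entries) > WALLED_GARDEN_MAX:
        raise ValueError(f"walled garden holds at most {WALLED_GARDEN_MAX} entries")
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def restrict_mode_action(pkt, garden):
    """Decide what afmod does with a packet from an UN-authenticated station.

    Returns ("allow", None), ("dnat", (ip, port)) or ("drop", None).
    """
    # Exceptions the AP does not tunnel into ZD (AP SIDE slide): ARP, DNS, DHCP
    if pkt.proto == "arp":
        return ("allow", None)
    if pkt.proto == "udp" and pkt.dport in (53, 67, 68):
        return ("allow", None)
    # Walled-garden destinations are reachable before login
    dst = ipaddress.ip_address(pkt.dst_ip)
    if any(dst in net for net in garden):
        return ("allow", None)
    # HTTP is DNATed to rhttpd so the station gets a 302 to the login page
    if pkt.proto == "tcp" and pkt.dport == 80:
        return ("dnat", (ZD_IP, RHTTPD_PORT))
    # Assumption (not on the slides): anything else from a restricted station is dropped
    return ("drop", None)
```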

WISPr Authentication Process, ZD side: Afmod + NAT + Rhttpd (TCP three-way handshake)
Participants: Station, AP, Afmod + NAT, Rhttpd. The station is in Restrict Mode and visits www.google.com:
- Station -> AP -> Afmod: SYN (www.google.com:80)
- Afmod, DNAT -> Rhttpd: SYN (ZDIP:9999)
- Rhttpd -> Afmod: SYN ACK (ZDIP:9999)
- Afmod, SNAT -> Station: SYN ACK (www.google.com:80)
- Station -> Afmod: ACK (www.google.com:80)
- Afmod, DNAT -> Rhttpd: ACK (ZDIP:9999)

WISPr Authentication Process, ZD side: Afmod + NAT + Rhttpd (implementation trace)
AP: 00:24:82:0b:74:c0, STA: 00:26:5e:44:4c:fb, STA IP: 172.18.110.198, ZD MAC: 00:25:C4:09:B4:10, ZD IP: 172.18.110.231

lwapp_process_input 80211 data from 00:24:82:0b:74:c0
net80211_forward packet from 00:26:5e:44:4c:fb hdrlen = 28
tac_check_layer3_policy packet: ip->protocol 6 l4_hdr->sport = 4750 l4_hdr->dport = 80
performs redirect s_ip = 172.18.110.198 d_ip = 61.135.169.105 proto = 6 s_port = 4750 d_port = 80 to host s_ip = 172.18.110.198 tacip = 172.18.110.231
match rule 10, action 3(NAT)
tac_policy_apply_nat nat dst, src_port=4750
vif_xmit packet from 00:25:c4:09:b4:10 to 00:26:5e:44:4c:fb
lwapp_send_net80211_packet change dev into br0
tac_policy_apply_nat nat src, dst_port=4750
lwapp_process_input 80211 data from 00:24:82:0b:74:c0
net80211_forward packet from 00:26:5e:44:4c:fb hdrlen = 28
tac_check_layer3_policy packet: ip->protocol 6 l4_hdr->sport = 4750 l4_hdr->dport = 80
performs redirect s_ip = 172.18.110.198 d_ip = 61.135.169.105 proto = 6 s_port = 4750 d_port = 80 to host s_ip = 172.18.110.198 tacip = 172.18.110.231
match rule 10, action 3(NAT)
tac_policy_apply_nat nat dst, src_port=4750

WISPr Authentication Process, ZD side: Rhttpd + emfd
Participants: Station, AP, Rhttpd, Emfd, Web Server. The station is in Restrict Mode and visits www.google.com:
- Station -> Rhttpd: GET (www.google.com)
- Rhttpd -> Station: HTTP 302 Redirect, Location: http://172.18.110.231/user/index.jsp?url=www.google.com
- Station -> Emfd: GET (http://172.18.110.231/user/index.jsp?url=www.google.com)
- Emfd: Function SessionCheck(); sends HTTP 302 Redirect, Location: http://172.18.110.20/hotspot.html?sip=172.18.110.231&mac=0024820b74c0&client_mac=00265e444cfb&uip=172.18.110.198&lid=&dn=&url=http%3a%2f%2fwww%2ebaidu%2ecom%2f&ssid=hotspot%5fdemo&loc=
- Station -> Web Server: GET (http://172.18.110.20/hotspot.html?sip=172.18.110.231...................)
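The two redirect hops above (rhttpd's 302 to index.jsp, then emfd's SessionCheck() 302 to the external login page), as an added Python model written for this page rather than ZoneDirector's own code. It reproduces the parameter set and the percent-encoding style visible in the slide's Location header; the function names and the rule that only url and ssid are encoded are assumptions drawn from that one example.

```python
from urllib.parse import urlsplit, parse_qs

ZD_IP = "172.18.110.231"                             # ZD address from the slides
LOGIN_PAGE = "http://172.18.110.20/hotspot.html"     # external web server from the slides


def zd_quote(value):
    """Percent-encode the way the slide's Location header shows it: every
    non-alphanumeric byte becomes lowercase hex ('.' -> %2e, '_' -> %5f)."""
    out = []
    for b in value.encode("utf-8"):
        ch = chr(b)
        out.append(ch if b < 128 and ch.isalnum() else "%%%02x" % b)
    return "".join(out)


def rhttpd_redirect(request_line, host):
    """First hop (rhttpd on :9999): the DNATed GET for any site becomes a 302
    to ZD's index.jsp, carrying the originally requested host as ?url=."""
    method, _path, _version = request_line.split()
    if method != "GET":
        raise ValueError("rhttpd redirect modelled for GET only")
    return f"http://{ZD_IP}/user/index.jsp?url={host}"


def session_check_redirect(index_url, ap_mac, client_mac, client_ip, ssid):
    """Second hop (emfd SessionCheck() with no session for this client): 302 to
    the external login page with the identifiers the portal later posts to the UAM."""
    requested = parse_qs(urlsplit(index_url).query)["url"][0]
    params = [
        ("sip", ZD_IP),                                   # ZD address, not encoded
        ("mac", ap_mac.replace(":", "").lower()),         # AP MAC, colons stripped
        ("client_mac", client_mac.replace(":", "").lower()),
        ("uip", client_ip),                               # station IP, not encoded
        ("lid", ""),
        ("dn", ""),
        ("url", zd_quote("http://" + requested + "/")),   # original destination
        ("ssid", zd_quote(ssid)),
        ("loc", ""),
    ]
    return LOGIN_PAGE + "?" + "&".join(f"{k}={v}" for k, v in params)
```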

WISPr Authentication Process, ZD side: External Web Server Login Page
Hotspot users shall be able to log in to the hotspot service via the login page. The login page is provided by the hotspot service provider and is hosted on an external HTTP server. A typical login page contains a form for username and password; the user submits the form data to the UAM login URL for authentication. Below is an example login page:

<html>
<head><title>Wireless Internet Service</title></head>
<body>
<br/><center><h2>Wireless Internet Service</h2>
<form action="http://172.18.110.231:9997/login">
<table border="0" cellpadding="5" cellspacing="0" style="width: 200px;">
<tr><th>Username:</th><td><input type="text" name="username" size="20"></td></tr>
<tr><th>Password:</th><td><input type="password" name="password" size="20"></td></tr>
<tr><td align="center" colspan="2" height="23"><input type="submit" value="Login"></td></tr>
</table></form>
</center>
</body>
</html>

Note that this form has no method attribute, so a browser submits it with GET and the username and password appear in the request URL (and therefore in HTTP server logs); method="post" keeps them in the request body.

WISPr Authentication Process, ZD side: User Authentication
Participants: Station, AP, Emfd, UAM Server, Authd, RADIUS Server. Login process:
- Station -> UAM Server: submit user ID/password
- Emfd: AuthHotspotUser -> authUserEx -> authUserImpl("authd", credential)
- Authd -> RADIUS Server: Access-Request
- RADIUS Server -> Authd: Access-Accept / Reject
- Authd tells stamgr that this client has authenticated (success/failure)
- Stamgr notifies apmgr to update this station so that it becomes "un-restricted" (Un-Restrict Mode)

Guest Access Setting

Guest Access Setting
You need to visit https://[zdip]/guestpass to create the guest role.

Guest Access Authentication Process
Participants: Station, AP, Rhttpd, Emfd. The station is in Restrict Mode and visits www.google.com:
- Station -> Rhttpd: GET (www.google.com)
- Rhttpd -> Station: HTTP 302 Redirect, Location: http://172.18.110.231/user/index.jsp?url=www.google.com
- Station -> Emfd: GET redirect URL
- Emfd: Function SessionCheck(); sends HTTP 302 Redirect, Location: http://172.18.110.231/user/guest_proxy.jsp
- Station -> Emfd: GET redirect URL
- Emfd: Function SessionCheck(); sends HTTP 302 Redirect, Location: http://172.18.110.231/user/guest_login.jsp?cookie=?
- Station -> Emfd: GET redirect URL, then submits the guest key: http://172.18.110.231/user/guest_login.jsp?cookie=&ok=ok&key=JXDWH-WZUDK
- Emfd: Function SessionCheck(); sends HTTP 302 Redirect, Location: http://172.18.110.231//user/guest_proxy.jsp?cookie=2b9d78f88e5aa91e9c91f621a3ab3886aa0e88d427f6929d1b0b1f11141a1f1977cc3cb2cd1af324
- Station -> Emfd: GET redirect URL

Guest Access Authentication Process (continued)
- Emfd: Function SessionCheck(); sends HTTP 302 Redirect, Location: http://172.18.110.231/user/guest_authed.jsp?cookie=2b9d78f88e5aa91e9c91f621a3ab3886aa0e88d427f6929d1b0b1f11141a1f1977cc3cb2cd1af324&guestname=vincent&expiretime=1358327385&guestpassid=2&reauthtime=0&redirecturl=http://www.google.com/b1f11141a1f1977cc3cb2cd1af324
- Station -> Emfd: GET redirect URL
- Emfd: Function SessionCheck(); sends HTTP 302 Redirect, Location: http://172.18.110.231/user/_allowguest.jsp?cookie=2b9d78f88e5aa91e9c91f621a3ab3886aa0e88d427f6929d1b0b1f11141a1f1977cc3cb2cd1af324&guestname=vincent&expiretime=1358327385&guestpassid=2&reauthtime=0
- Station -> Emfd: GET redirect URL

Guest Access Authentication Process: policy list on the AP side
Guest users are automatically blocked from the subnets to which ZoneDirector and its managed APs are connected.

Web authentication Setting

Web Authentication Process
Participants: Station, AP, Rhttpd, Emfd. The station is in Restrict Mode and visits www.google.com:
- Station -> Rhttpd: GET (www.google.com)
- Rhttpd -> Station: HTTP 302 Redirect, Location: http://172.18.110.231/user/index.jsp?url=www.google.com
- Station -> Emfd: GET redirect URL
- Emfd: Function SessionCheck(); sends HTTP 302 Redirect, Location: http://172.18.110.231/user/user_login_auth.jsp
- Station -> Emfd: GET redirect URL, then submits username and password

This is the tricky part! Everything is in the tunnel while the STA has not yet passed authentication. After authentication:
- For a local-bridge WLAN, the STA is removed from afmod on ZD (the tunnel is torn down at this point), and then the updated flag is sent to update the remote STA.
- For a tunnel WLAN, only the STA's flag in afmod on ZD needs to be updated, and the updated flag is sent to update the remote STA.
If you see that web redirect works in tunnel mode but not in local-bridge mode, it usually means there is a problem with tunnel teardown timing: when the user submits username and password, emfd sends the "auth" command to stamgr, and then the tunnel is torn down.