Altai Certification Training Backend Network Planning


1 Altai Certification Training Backend Network Planning
Professional Services Altai Technologies Limited

2 Module Outline
Service Controller Solution
- Layer 2 Network Deployment Scenario
- Layer 3 Network Deployment Scenario
A3 ACS Solution

3 Service Controller Solution
- RADIUS or Active Directory in the existing network serves as the authentication server
- Multiple SSIDs for different groups of clients, e.g. staff and guest
- Each group of clients is only allowed to access specific network subnets
- A different authentication method can be applied to each SSID

4 Layer 2 Network Deployment Scenario
Deployment scenario: an enterprise with one or several buildings whose network is based on layer 2 connectivity. Solution 1: the SC Internet port acts as the network backhaul, and the LAN port connects to the APs. Solution 2: one of the SC ports acts as the network backhaul.

5 Layer 2 Network Design
Intranet for staff: Ingress VLAN 1; Egress VLAN 10; Client IP subnet x; AD or RADIUS authentication; allowed to access intranet and Internet.
Internet for guest: Ingress VLAN 2; Egress VLAN 10; Client IP subnet x; SC local account with HTML authentication.

6 Layer 2 Network Solution I
Diagram (recovered labels): DHCP server, Intranet, Firewall/Router, RADIUS Server and Active Directory on the network side (VLAN 10, VLAN 20). Service Controller: Internet Port carries VLAN 10 & 20; LAN Port carries VLAN 1 & 2. Management Server on VLAN 100. VLAN Switch carrying VLAN 1, 2, 100, connected by trunk ports to the Service Controller and to the Altai AP. Altai AP: VLAN 1, VLAN 2, VLAN 100; SSID_Intranet x on VLAN 1, SSID_Internet x on VLAN 2, Management SSID x on VLAN 100.

7 Layer 2 Network Solution II
Diagram (recovered labels): DHCP server, Intranet, Firewall/Router, RADIUS Server and Active Directory on VLAN 10 and VLAN 20; Management Server on VLAN 100. Service Controller: Egress VLAN 10 & 20, Ingress VLAN 1 & 2, attached to the VLAN Switch by a trunk port. VLAN Switch: Network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20, 100; AP port VLAN 1, 2, 100 (all trunk ports). Altai AP: VLAN 1, VLAN 2, VLAN 100; SSID_Intranet x on VLAN 1, SSID_Internet x on VLAN 2, Management SSID x on VLAN 100.

8 Layer 2 Active Directory Authentication Procedure
Sequence diagram (participants: User, AP, Service Controller, AD Server, DHCP server), recovered message order:
1. User associates with the wireless network; EAPOL start.
2. AP: EAP Request/Identity; User: EAP Response/Identity; the AP redirects the request to the Service Controller.
3. Service Controller: EAP Response/Identity over AD to the AD Server; AD Server: EAP request over AD.
4. EAP request relayed to the User; User: EAP response; Service Controller: EAP response over AD.
5. AD Server: EAP success over AD and user configuration; EAP success delivered to the User.
6. User: DHCP request; the AP redirects the request to the DHCP server; DHCP server responds and the IP address is sent back.

9 Layer 2 HTML Authentication Procedure
Sequence diagram (participants: User, AP, Service Controller, Local account, DHCP server), recovered message order:
1. User associates with the wireless network and sends a DHCP request; the AP redirects the request to the DHCP server, which responds, and the IP address is sent back.
2. User attempts to browse a web site; the AP redirects the request to the Service Controller, where the request is intercepted and the login page is returned.
3. User logs in; the login info is sent for authentication against the local account; login approved, and the user configuration settings are returned.
4. Transport page is sent; the transport page sends a request for the session and welcome pages; session and welcome pages are sent.

10 Layer 3 Network Deployment Scenario
Deployment scenario: university and enterprise networks spanning multiple buildings connected at layer 3. Solution 1: two buildings are connected over a layer 3 link (traffic is forwarded by IP address). Since the SC communicates with APs only over VLANs, a separate SC must be deployed in every building in this case. Solution 2: two buildings are connected by a tunnel that carries VLANs. In this case only one Service Controller is needed for the entire network.

11 Layer 3 Network Design Solution_I
Building 1: Intranet for staff: Ingress VLAN 1; Egress VLAN 10; Client IP subnet x; AD or RADIUS authentication; allowed to access intranet and Internet. Internet for guest: Ingress VLAN 2; Client IP subnet x; SC local account with HTML authentication.
Building 2: Intranet for staff: Ingress VLAN 3; Egress VLAN 10; Client IP subnet x; AD or RADIUS authentication; allowed to access intranet and Internet. Internet for guest: Ingress VLAN 4; Client IP subnet x; SC local account with HTML authentication.

12 Layer 3 Network Solution_I
Diagram (recovered labels): DHCP server, Intranet, Firewall/Router, RADIUS Server and Active Directory on VLAN 10 & 30 and VLAN 20 & 40. Building 1: Service Controller with Egress VLAN 10 & 20, Ingress VLAN 1 & 2; VLAN Switch with Network port VLAN 10, 20, SC port VLAN 1, 2, 10, 20, AP port VLAN 1, 2; Altai AP on VLAN 1 and VLAN 2 with SSID_Intranet x on VLAN 1 and SSID_Internet x on VLAN 2. Building 2: Service Controller with Egress VLAN 30 & 40, Ingress VLAN 3 & 4; VLAN Switch with Network port VLAN 30, 40, SC port VLAN 3, 4, 30, 40, AP port VLAN 3, 4; Altai AP on VLAN 3 and VLAN 4 with SSID_Intranet x on VLAN 3 and SSID_Internet x on VLAN 4. All switch-to-SC and switch-to-AP links are trunk ports.
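An added consistency check for the trunk plans on slides 7 and 12 (example code written for this page, not Altai's own): each ingress VLAN must be trunked only between AP and SC, and each egress VLAN only between SC and network, so that no client VLAN reaches the intranet without passing the SC's authentication and access lists. The switch, port and VLAN data are constructed from the slide labels; the port names are assumptions.

```python
# Constructed model of a Service Controller (SC) site: one VLAN switch with
# three trunk ports (network, sc, ap) and one SC mapping ingress (client)
# VLANs to egress (network) VLANs, as drawn on the slides. Not Altai's code.

L2_SOLUTION_II = {  # slide 7: one switch, one SC, management VLAN 100
    "site": {
        "ports": {"network": {10, 20}, "sc": {1, 2, 10, 20, 100}, "ap": {1, 2, 100}},
        "sc_map": {1: 10, 2: 20},
    },
}

L3_SOLUTION_I = {  # slide 12: one switch and one SC per building
    "building1": {
        "ports": {"network": {10, 20}, "sc": {1, 2, 10, 20}, "ap": {1, 2}},
        "sc_map": {1: 10, 2: 20},
    },
    "building2": {
        "ports": {"network": {30, 40}, "sc": {3, 4, 30, 40}, "ap": {3, 4}},
        "sc_map": {3: 30, 4: 40},
    },
}

def check_site(site):
    """Return findings for one switch/SC pair; an empty list means consistent."""
    ports, sc_map = site["ports"], site["sc_map"]
    findings = []
    for ingress, egress in sc_map.items():
        # The client VLAN must be trunked AP -> switch -> SC so clients reach the SC.
        if ingress not in ports["ap"] or ingress not in ports["sc"]:
            findings.append(f"ingress VLAN {ingress} missing on AP or SC trunk")
        # The egress VLAN must be trunked SC -> switch -> network.
        if egress not in ports["sc"] or egress not in ports["network"]:
            findings.append(f"egress VLAN {egress} missing on SC or network trunk")
        # A client VLAN on the network trunk lets unauthenticated clients
        # reach the intranet without passing the SC's authentication and ACLs.
        if ingress in ports["network"]:
            findings.append(f"ingress VLAN {ingress} leaks onto network trunk, bypassing SC")
    # An egress VLAN on the AP trunk is the same bypass from the other side.
    for egress in sc_map.values():
        if egress in ports["ap"]:
            findings.append(f"egress VLAN {egress} present on AP trunk, bypassing SC")
    return findings

def check_design(design):
    return {name: check_site(site) for name, site in design.items()}

if __name__ == "__main__":
    for design in (L2_SOLUTION_II, L3_SOLUTION_I):
        for name, findings in check_design(design).items():
            print(name, "OK" if not findings else findings)
```

Both slide designs pass; adding a client VLAN to the network port, or an egress VLAN to the AP port, is reported as an SC bypass.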

13 Layer 3 Solution I Authentication Procedure
Building 1 for example. Sequence diagram (participants: User, AP, Service Controller in Building 1, AD Server, DHCP server), recovered message order:
1. User associates with the wireless network; EAPOL start.
2. AP: EAP Request/Identity; User: EAP Response/Identity; the AP redirects the request to the Service Controller in Building 1.
3. Service Controller: EAP Response/Identity over AD to the AD Server; AD Server: EAP request over AD.
4. EAP request relayed to the User; User: EAP response; Service Controller: EAP response over AD.
5. AD Server: EAP success over AD and user configuration; EAP success delivered to the User.
6. User: DHCP request; the AP redirects the request to the DHCP server; DHCP server responds and the IP address is sent back.

14 Case study: ASTRI Deployment
Diagram (recovered labels): Intranet, Firewall/Router and Active Directory on VLAN 10 and VLAN 20. Service Controller: Egress VLAN 10 & 20, Ingress VLAN 1 & 2; DHCP server: x. VLAN Switch: Network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20; AP port VLAN 1, 2; trunk ports to the Service Controller and to the Altai AP. Altai AP: VLAN 1, VLAN 2; SSID_Intranet x on VLAN 1 with AD authentication; SSID_Internet x on VLAN 2 with HTML authentication.

15 Wireless Network
SSID      Target Clients  VLAN  Authentication    Encryption
Intranet  Staff           1     Active Directory  WPA/WPA2
Internet  Guest           2     Captive Portal    WPA-PSK

16 VLAN Network
SSID     | VLAN_Ingress | Client IP Address | VLAN_Egress | Colubris Interface IP address
Intranet | 1            | x                 | 10          |
Internet | 2            |                   | 20          |

17 Network configuration_ingress vlan

18 Network configuration_egress vlan

19 Network ports

20 DHCP server_1

21 DHCP server_2

22 DNS

23 Check IP routers

24 Join Active Directory

25 AD group configuration

26 Add RADIUS secret

27 Account Profiles_1

28 Account Profile_2

29 User account_1

30 User account_2

31 Access List

32 VSC AD Authentication_1

33 VSC AD Authentication_2

34 VSC AD Authentication_3

35 VSC HTML Authentication_1

36 VSC HTML Authentication_2

37 Layer 3 Network Design Solution_II
Intranet for staff: Ingress VLAN 1; Egress VLAN 10; Client IP subnet x; AD or RADIUS authentication; allowed to access intranet and Internet.
Internet for guest: Ingress VLAN 2; Egress VLAN 10; Client IP subnet x; SC local account with HTML authentication.

38 Layer 3 Network Solution_II
Diagram (recovered labels): DHCP server, Intranet, Firewall/Router, RADIUS Server and Active Directory on VLAN 10 & 30 and VLAN 20 & 40. One Service Controller: Egress VLAN 10 & 20, Ingress VLAN 1 & 2. VLAN Switch: Network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20; AP port VLAN 1, 2. Multiple layer 3 tunnels carry the VLANs to the APs in the other building; all links are trunk ports. Altai APs in both buildings: VLAN 1, VLAN 2; SSID_Intranet x on VLAN 1, SSID_Internet x on VLAN 2.

39 Layer 3 Solution II Authentication Procedure
Building 1 for example. Sequence diagram (participants: User, AP, multiple layer 3 tunnels, Service Controller, AD Server, DHCP server), recovered message order:
1. User associates with the wireless network; EAPOL start.
2. AP: EAP Request/Identity; User: EAP Response/Identity; the AP redirects the request through the layer 3 tunnel to the Service Controller.
3. Service Controller: EAP Response/Identity over AD to the AD Server; AD Server: EAP request over AD.
4. EAP request relayed to the User; User: EAP response; Service Controller: EAP response over AD.
5. AD Server: EAP success over AD and user configuration; EAP success delivered to the User.
6. User: DHCP request; the AP redirects the request to the DHCP server; DHCP server responds and the IP address is sent back.

40 Case Study: Operator Network Deployment Solution
Diagram (recovered labels): Tunnel between AP and Controller? IP service with PPPoE (Internet or MPLS VPN). Components: WiFi Multiple Access Point, AP (Switch Mode), Wireless Backhaul, Eth, Standard DSL Modem/Router, ADSL / xDSL lines, DSLAM, Metro Ethernet Network, BAS, IP Backbone, Internet, AAA, Tunneling Routers at both ends, Controller on GE Eth, TUNNEL across the operator network.

41 Altai A3 ACS Solution
Deployment scenario: Hotzone; the whole network solution can be in one box.
- RADIUS or MAC authentication in the existing network serves as the authentication server; no need to integrate with an Active Directory server
- 3G can be used as backhaul
- Roaming across A3s is not supported
- Local database is supported
- Multiple SSIDs for different groups of clients, such as staff and guest
- Each group of clients is only allowed to access specific network subnets
- A different authentication method can be applied to each SSID

42 ACS Network Design Solution
Intranet for staff: Intranet ACS Profile; Client IP subnet x; RADIUS authentication, HTML authentication; allowed to access intranet and Internet.
Internet for guest: Internet ACS Profile; Client IP subnet x; MAC authentication; allowed to access Internet only.

43 Altai A3 Access Control System
Diagram (recovered labels): Web Server, DHCP server, Firewall/Router, RADIUS Server and Switch on the network side; A3 in Gateway Mode with ACS Profiles: SSID_Intranet mapped to the Intranet ACS Profile, SSID_Internet mapped to the Internet ACS Profile.

44 ACS User Login Procedure

45 Case Study: Hotspot Operator ACS Profile Configuration
Diagram (recovered labels): 3G network with 3G backhaul; RADIUS Server and Web Server at the Hotspot Operator NOC; A3 in Gateway Mode with DHCP server; SSID_HTMLAuth and SSID_MACAuth.

46 Hotspot Operator Network Illustration
- 3G dongle as network backhaul
- A3 built-in DHCP server enabled
- Remote RADIUS server handles authentication and accounting for internal clients
- Remote web server is used for RADIUS server authentication
- Access control lists are established to define different network access for multiple kinds of clients
- Local account is used for MAC authentication of clients who may only access the Internet

47 ACS Profile

48 Local Account

49 RADIUS Server

50 Access Rules 1

51 Access Rules 2

52 Access Rules Profile

53 HTMLAuth Profile

54 MACAuth Profile

55 Export ACS profile

56 Thank You

