Description:
If an access point is installed in a public space and is freely accessible, we recommend that you configure a secure network scenario that ensures that a client (e.g. a notebook PC) is unable to gain access to a company network even if it is connected by cable to the Ethernet socket that is intended for use by the access point.
This document uses an example to demonstrate how to modify the configuration of an existing scenario to prevent an unauthorized client from gaining access to the company network.

In this scenario two WLC-Tunnels are used. Regarding the use of WLC-Tunnels, please also refer to the Knowledge Base article "Possible causes and solutions with increased CPU load when using WLC-Tunnels".




Requirements:
  • LANCOM WLAN-Controller
  • LCOS-based access point
  • GS-23xx series switch
  • LCOS as of version 8.80 (download latest version)
  • LANtools as of version 8.80 (download latest version)
  • Installed and functional Wi-Fi.
  • Installed and functional Public Spot.


Scenario:
  • A hotel operates an internal management network for use by the hotel’s employees, including their Wi-Fi devices.
  • The access points are connected by Ethernet to a central switch and are managed by a LANCOM WLAN controller.
  • The access points are set up with two SSIDs, so that hotel guests can also use the hotel's Wi-Fi by means of a Public Spot.


The following adjustments to the configuration ensure that only the access point is able to access the company network when it is connected to the Ethernet socket:
  • The switch port that the access point connects to performs authentication as per IEEE 802.1X.
  • In the final configuration state only one MAC address is permitted per switch port, so one WLC tunnel per SSID is configured between the access point and WLAN controller.



Procedure:
1) Configuration steps on the LANCOM WLAN controller:
1.1) Open the configuration of the WLAN controller in LANconfig, go to the menu RADIUS → Server and enable the WLAN controller's RADIUS server by setting the checkmark for RADIUS authentication active.
1.2) Open the RADIUS services ports menu and ensure that the Authentication port is set to the value 1812.
1.3) In the User table, create an account for each access point in order for it to use 802.1X to authenticate at the RADIUS server of the WLAN controller.
1.4) In this example, both the Name/MAC address and the Password are set to ap1. In live operation, please be sure to use secure usernames and passwords.
1.5) Switch to the menu RADIUS → Server → IPv4 clients and add the LANCOM switch as an approved RADIUS communication partner.
  • In this example, the LANCOM switch has the local IP address 192.168.1.200 and the subnet mask is 255.255.255.255.
  • Set the protocols to RADIUS.
  • In order for the switch to authenticate as a permitted RADIUS client at the RADIUS server, you need to set a password (shared secret). The password set here is required for the subsequent configuration of the switch (see step 3.3).
1.6) Switch to the menu WLAN controller → Profiles → Logical WLAN networks (SSIDs) and create the necessary WLC tunnels for the SSIDs used; in this example, these are Hotel-Internal and Hotel-Guest.
1.7) The SSID Hotel-Internal is to be connected with the WLC-Tunnel-1.
The SSID Hotel-Internal is secured with WPA2 encryption and a passphrase.
1.8) The SSID Hotel-Guest is to be connected with the WLC-Tunnel-2.
The SSID Hotel-Guest is operated without encryption, as guests log in to this Wi-Fi network via the Public Spot.
1.9) Navigate to the menu Public-Spot → Server → Operational settings → Interfaces.
1.10) Enable user authentication on the Public Spot for the WLC-Tunnel-2.


2) Configuration steps on the LANCOM access point:
In order for the access point to be able to authenticate at the RADIUS server of the WLAN controller, the authentication method and the user data for logging in have to be set. This example uses the TLS-based authentication method PEAP/MSCHAPv2. The user data of the access point were configured on the WLAN controller in step 1.4.
2.1) Open a Telnet or SSH session on the access point and go to the path Supplicant-Ifc-Setup:
cd /Setup/LAN/IEEE802.1x/Supplicant-Ifc-Setup
2.2) Go to the path for the LAN interface. For this example we are using interface LAN-1.
cd LAN-1
2.3) Use the following command to set the user data for authentication at the RADIUS server:
set credentials <username>:<password>
In this example, the command is set credentials ap1:ap1
2.4) Use the following command to set the authentication method as PEAP/MSCHAPv2:
set Method PEAP/MSCHAPv2

Alternatively, you can use the following script to upload the changes to the access point with LANconfig. Please be sure to add the relevant username and password to the file first.

Skript_Credentials_Auth-Method.lcs 

In a WLAN-Controller scenario the script can also be rolled out to the access points via the WLAN-Controller.
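
The following is an added example, not part of the original article and not LANCOM's script: a Python helper that generates a distinct random password for each access point account (step 1.3) and renders the CLI commands from steps 2.1 to 2.4, rejecting the demo case where the password equals the username. The AP names, the password alphabet and the 24-character length are assumptions.

```python
import secrets
import string

SUPPLICANT_PATH = "/Setup/LAN/IEEE802.1x/Supplicant-Ifc-Setup"  # step 2.1
# Assumption: conservative alphabet. ':' is excluded because step 2.3 uses
# it as the username/password separator; no spaces or quotes either.
ALPHABET = string.ascii_letters + string.digits + "-_."


def make_password(length=24):
    """Random password from the OS CSPRNG (the length is an assumption)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_field(label, value):
    """Reject empty values and characters outside ALPHABET (e.g. ':')."""
    if not value or not set(value) <= set(ALPHABET):
        raise ValueError(f"{label} is empty or has unsupported characters")


def render_commands(username, password, interface="LAN-1"):
    """Render the CLI lines of steps 2.1-2.4 for one access point."""
    check_field("username", username)
    check_field("password", password)
    if username == password:
        raise ValueError("password must differ from the username")
    return [
        f"cd {SUPPLICANT_PATH}",
        f"cd {interface}",
        f"set credentials {username}:{password}",
        "set Method PEAP/MSCHAPv2",
    ]


def build_rollout(ap_names):
    """Return {ap_name: (password, commands)}, one account per AP (step 1.3)."""
    if len(set(ap_names)) != len(ap_names):
        raise ValueError("duplicate access point name")
    rollout = {}
    for name in ap_names:
        password = make_password()
        rollout[name] = (password, render_commands(name, password))
    return rollout


if __name__ == "__main__":
    # Constructed AP names; the same password goes in the RADIUS user table.
    for ap, (pw, cmds) in build_rollout(["ap-lobby", "ap-floor1"]).items():
        print(f"# {ap}", *cmds, sep="\n")
```

The generated password for each access point must also be entered for the matching account in the User table of the WLAN controller (step 1.3).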



3) Configuration steps on the LANCOM switch:
3.1) Open the configuration interface for the LANCOM switch and navigate to the menu item Security → NAS → Configuration.
  • Set the Mode option to Enabled.
  • Under Port configuration, set the option Single 802.1X for those ports that are to operate with authentication as per 802.1X.

The mode Single 802.1X can only be used when the access point is the only device that authenticates itself and the traffic of the end devices is transmitted via WLC-Tunnels. When using LAN at AP for an SSID, the mode Port-based 802.1X has to be used.

3.2) Scroll to the end of the configuration page and click on Apply to accept the new settings.
3.3) Switch to the menu Security → AAA → Configuration. In the section RADIUS authentication server configuration, set the option in the first line to Enabled.
  • In the section IP address/host name, enter the local IP address of the LANCOM WLAN controller.
  • The default port 1812 can be accepted as the WLAN controller also uses this as the RADIUS authentication port.
  • In the field Secret you enter the same shared secret as that entered into the configuration of LANCOM WLAN controller in step 1.5.
3.4) Scroll to the end of the configuration page and click on Apply to accept the new settings.
3.5) In order for the settings to be saved as boot persistent, go to the Maintenance → Save/restore menu and save the configuration as the start configuration.
3.6) The configuration of the switch is now complete.