
ZoneDirector WISPr/Guest/Web Auth


1 ZoneDirector WISPr/Guest/Web Auth
By Vincent Wang

2 Agenda WISPr Introduction WISPr ZD Setting WISPr Work Flow
Guest Access Setting Guest Access Work Flow Web Authentication Setting Web Authentication Work Flow Q & A

3 WISPr Introduction
WISPr (Wireless Internet Service Provider roaming, pronounced "whisper") is a draft protocol submitted to the Wi-Fi Alliance that allows users to roam between wireless internet service providers, in a fashion similar to the way cellphone users roam between carriers.

4 WISPr Introduction

5 WISPr ZD Setting

6 WISPr ZD Setting
Login Page: unauthenticated users shall be redirected to the login page.
Start Page: after the user is authenticated, the user shall be redirected to the start page.
Location information: describes the hotspot service location.
Walled Garden: effective for unauthenticated users only. It can hold at most 16 IP addresses or subnets; these destinations may be accessed by unauthenticated users.
Restricted Subnet Access: users can define L3/4 IP address access control rules for each hotspot service to allow or deny wireless devices based on their IP addresses.
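The walled garden and the restricted-subnet rules on this slide are both per-packet policy decisions, so here is a small evaluator that applies them together. This is an added example, not ZoneDirector code: the rule format, the three outcomes (forward / redirect / drop), the sample addresses and the handling of non-web traffic from unauthenticated stations are constructed for the example; the DNS/DHCP pass-through mirrors the exceptions the AP-side slide lists.

```python
"""Hotspot policy evaluation: walled garden plus L3/L4 restricted-subnet rules.

Added example (not Ruckus ZoneDirector code). Rule format, outcome names and
sample addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_WALLED_GARDEN_ENTRIES = 16   # limit stated on the slide


@dataclass(frozen=True)
class L34Rule:
    """One restricted-subnet rule (constructed format); first match wins."""
    action: str                       # "allow" or "deny"
    dst: ipaddress.IPv4Network        # destination network the rule covers
    proto: Optional[str] = None       # "tcp", "udp", or None for any protocol
    dport: Optional[int] = None       # destination port, or None for any port


class HotspotPolicy:
    def __init__(self, walled_garden: List[str], rules: List[L34Rule]):
        if len(walled_garden) > MAX_WALLED_GARDEN_ENTRIES:
            raise ValueError(f"walled garden supports at most {MAX_WALLED_GARDEN_ENTRIES} entries")
        # Single addresses become /32 networks so every entry is matched the same way.
        self.walled_garden = [ipaddress.ip_network(e, strict=False) for e in walled_garden]
        self.rules = rules

    def in_walled_garden(self, dst_ip: str) -> bool:
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in self.walled_garden)

    def rule_action(self, dst_ip: str, proto: str, dport: int) -> str:
        """Ordered ACL lookup; with no matching rule the traffic is allowed (assumption)."""
        addr = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if addr not in rule.dst:
                continue
            if rule.proto is not None and rule.proto != proto:
                continue
            if rule.dport is not None and rule.dport != dport:
                continue
            return rule.action
        return "allow"

    def decide(self, authenticated: bool, dst_ip: str, proto: str, dport: int) -> str:
        """Return 'forward', 'redirect' or 'drop' for one packet from a hotspot station."""
        # Restricted-subnet rules apply regardless of authentication state.
        if self.rule_action(dst_ip, proto, dport) == "deny":
            return "drop"
        if authenticated or self.in_walled_garden(dst_ip):
            return "forward"
        # Unauthenticated and outside the walled garden: DNS and DHCP pass (the AP-side
        # slide lists ARP/DNS/DHCP as exceptions), HTTP is diverted to the login
        # gateway, anything else is dropped (the drop is an assumption of this example).
        if proto == "udp" and dport in (53, 67):
            return "forward"
        if proto == "tcp" and dport == 80:
            return "redirect"
        return "drop"


def sample_policy() -> HotspotPolicy:
    """Constructed sample: two walled-garden entries and one deny rule."""
    return HotspotPolicy(
        walled_garden=["198.51.100.10", "203.0.113.0/24"],
        rules=[L34Rule("deny", ipaddress.ip_network("10.0.0.0/8"))],
    )


if __name__ == "__main__":
    p = sample_policy()
    for auth, dst, proto, port in [(False, "203.0.113.7", "tcp", 80),
                                   (False, "192.0.2.50", "tcp", 80),
                                   (True, "10.1.1.1", "tcp", 22)]:
        print(auth, dst, proto, port, "->", p.decide(auth, dst, proto, port))
```

The deny rule is checked before the walled garden on purpose: a destination that is both listed in the walled garden and covered by a deny rule stays unreachable, which is the safer ordering when the two settings are maintained by different people.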

7 WISPr ZD Setting

8 WISPr Authentication Process
Participants: Station, AP, ZD, Web Server, Radius Server.
Login process (station in Restrict Mode):
1. Station sends an HTTP request (GET) to visit its destination; the AP tunnels it to the ZD.
2. ZD responds with an HTTP redirect (ZD IP, URL request).
3. Station follows the redirect (GET to ZD IP with the URL request); ZD responds with an HTTP redirect to the login page (ZD IP, URL request, login page).
4. Station requests the login page (GET); the Web Server responds with the login page.
5. Station posts user ID and password on the login page.
6. ZD sends a RADIUS Access Request (user ID/password); the Radius Server replies with Access Accept / Reject.
7. ZD responds with the result page (ZD IP, URL request); the station is now in Un-Restrict Mode.

9 WISPr Authentication Process
AP SIDE. When a WLAN is created with hotspot services, ZD puts all stations in RESTRICT mode by default on both ZD and AP, until stamgr tells apmgr to "UN-RESTRICT" the station. When a station associates with the AP successfully, the station's traffic is forwarded to ZD in RESTRICT mode. Except for ARP, DNS and DHCP, all traffic from the station is tunneled into ZD.

10 WISPr Authentication Process
AP SIDE. When a WLAN with hotspot services is created, ZD dispatches an LWAPP message to notify the AP of the policy (similar to an ACL for stations). You can check the policy under "/proc/afmod/policy/xx-xx". ZD: AP: WEB SERVER:

11 WISPr Authentication Process
ZD SIDE
UAM Server (Universal Access Method): listens on ports 9997 (http) / 9998 (https) on ZD. When the user submits user ID/password, the login page posts the data to the UAM Server, which verifies it.
Rhttpd Server: listens on port 9999 on ZD; this is the front gate of the redirect.
Emfd + webs: provide the correct URL for the user to log in and perform user authentication.
Afmod + NAT: when a station is unauthorized, all traffic from the station is tunneled into ZD and the packets are DNATed to the Rhttpd Server. If the station's IP address is in a different subnet from the ZD IP address, ZD adds a HOST route for the station.

12 WISPr Authentication Process
ZD SIDE. Afmod + NAT: when a WLAN with hotspot services is created on ZD, a policy list is also created under "/proc/afmod/policy/xx-xx". ZD: AP: WEB SERVER:

13 WISPr Authentication Process
ZD SIDE: Afmod + NAT + Rhttpd (TCP three-way handshake)
Participants: Station, AP, Afmod + NAT, Rhttpd. Station in Restrict Mode visits its destination:
1. Station sends SYN (to the destination); Afmod DNATs it to SYN (ZDIP:9999).
2. Rhttpd replies SYN ACK (ZDIP:9999); Afmod SNATs it to SYN ACK (from the destination).
3. Station sends ACK (to the destination); Afmod DNATs it to ACK (ZDIP:9999).

14 WISPr Authentication Process
ZD SIDE: Afmod + NAT + Rhttpd (implementation)
AP: 00:24:82:0b:74:c0  STA: 00:26:5e:44:4c:fb  STA IP:  ZD MAC: 00:25:C4:09:B4:10  ZD IP:
lwapp_process_input 80211 data from 00:24:82:0b:74:c0
net80211_forward packet from 00:26:5e:44:4c:fb hdrlen = 28
tac_check_layer3_policy packet: ip->protocol 6 l4_hdr->sport = 4750 l4_hdr->dport = 80
performs redirect s_ip = d_ip = proto = 6 s_port = 4750 d_port = 80 to host s_ip = tacip =
match rule 10, action 3(NAT)
tac_policy_apply_nat nat dst, src_port=4750
vif_xmit packet from 00:25:c4:09:b4:10 to 00:26:5e:44:4c:fb
lwapp_send_net80211_packet change dev into br0
tac_policy_apply_nat nat src, dst_port=4750
lwapp_process_input 80211 data from 00:24:82:0b:74:c0
net80211_forward packet from 00:26:5e:44:4c:fb hdrlen = 28
tac_check_layer3_policy packet: ip->protocol 6 l4_hdr->sport = 4750 l4_hdr->dport = 80
performs redirect s_ip = d_ip = proto = 6 s_port = 4750 d_port = 80 to host s_ip = tacip =
match rule 10, action 3(NAT)
tac_policy_apply_nat nat dst, src_port=4750
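When a redirect fails, the afmod trace above is what you compare against a working one, so here is a parser that pulls the per-packet facts (station MAC, L4 ports, matched rule, NAT direction) out of it. This is an added example, not Ruckus code. SAMPLE_LOG is the trace from this slide re-typed as a string; the IP addresses were not captured in the transcript, so those fields are empty here just as they are on the slide.

```python
"""Parser for the afmod debug trace shown on the slide.

Added example (not Ruckus code). The regular expressions are written against the
exact line shapes in the trace; the record layout is constructed for the example.
"""
import re
from typing import Dict, List

# Trace lines from the slide; IP fields are empty because the transcript lost them.
SAMPLE_LOG = """\
lwapp_process_input 80211 data from 00:24:82:0b:74:c0
net80211_forward packet from 00:26:5e:44:4c:fb hdrlen = 28
tac_check_layer3_policy packet: ip->protocol 6 l4_hdr->sport = 4750 l4_hdr->dport = 80
performs redirect s_ip = d_ip = proto = 6 s_port = 4750 d_port = 80 to host s_ip = tacip =
match rule 10, action 3(NAT)
tac_policy_apply_nat nat dst, src_port=4750
vif_xmit packet from 00:25:c4:09:b4:10 to 00:26:5e:44:4c:fb
lwapp_send_net80211_packet change dev into br0
tac_policy_apply_nat nat src, dst_port=4750
lwapp_process_input 80211 data from 00:24:82:0b:74:c0
net80211_forward packet from 00:26:5e:44:4c:fb hdrlen = 28
tac_check_layer3_policy packet: ip->protocol 6 l4_hdr->sport = 4750 l4_hdr->dport = 80
performs redirect s_ip = d_ip = proto = 6 s_port = 4750 d_port = 80 to host s_ip = tacip =
match rule 10, action 3(NAT)
tac_policy_apply_nat nat dst, src_port=4750
"""

RE_FORWARD = re.compile(r"net80211_forward packet from ([0-9a-f:]{17})")
RE_L4 = re.compile(r"ip->protocol (\d+) l4_hdr->sport = (\d+) l4_hdr->dport = (\d+)")
RE_RULE = re.compile(r"match rule (\d+), action (\d+)\((\w+)\)")
RE_NAT = re.compile(r"tac_policy_apply_nat nat (dst|src), (?:src|dst)_port=(\d+)")


def parse_afmod_log(text: str) -> List[Dict]:
    """One record per forwarded station packet, in trace order."""
    records: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = RE_FORWARD.search(line)
        if m:
            cur = {"sta_mac": m.group(1), "nat": []}
            records.append(cur)
            continue
        if cur is None:
            continue   # lines before the first forwarded packet carry nothing we need
        m = RE_L4.search(line)
        if m:
            cur.update(proto=int(m.group(1)), sport=int(m.group(2)), dport=int(m.group(3)))
            continue
        m = RE_RULE.search(line)
        if m:
            cur.update(rule=int(m.group(1)), action=int(m.group(2)), action_name=m.group(3))
            continue
        m = RE_NAT.search(line)
        if m:
            # "nat dst" is the request being diverted to rhttpd; "nat src" is the reply
            # having its source rewritten back on the way to the station.
            cur["nat"].append((m.group(1), int(m.group(2))))
    return records


def redirected_web_flows(records: List[Dict]) -> List[Dict]:
    """Packets that hit a NAT rule on TCP/80, i.e. were sent to the login gateway."""
    return [r for r in records
            if r.get("proto") == 6 and r.get("dport") == 80 and r.get("action_name") == "NAT"]


def summarize(record: Dict) -> str:
    return (f"sta {record['sta_mac']} proto {record.get('proto')} "
            f"{record.get('sport')}->{record.get('dport')} rule {record.get('rule')} "
            f"{record.get('action_name')} nat={record['nat']}")


if __name__ == "__main__":
    for rec in parse_afmod_log(SAMPLE_LOG):
        print(summarize(rec))
```

On the slide's trace the first packet shows both NAT directions (request DNATed to rhttpd, reply SNATed back), while the second shows only the request side; a trace where `nat src` never appears for a flow is the pattern to look for when the station never receives the 302.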

15 WISPr Authentication Process
ZD SIDE: Rhttpd + emfd
Participants: Station, AP, Rhttpd, Emfd, WEB Server. Station in Restrict Mode visits its destination:
1. Station: GET (requested URL); Rhttpd sends HTTP 302 Redirect, Location: (emfd URL on ZD).
2. Station: GET (that location); Emfd runs SessionCheck() and sends HTTP 302 Redirect, Location: (login page on the WEB Server).
3. Station: GET (login page) from the WEB Server.

16 WISPr Authentication Process
ZD SIDE: External WEB Server Login Page. A hotspot user shall be able to log in to the hotspot service via the login page. The login page is provided by the hotspot service provider and is hosted on an external HTTP server. A typical login page contains a form for username and password; the user submits the form data to the UAM Login URL for authentication. Below is an example login page (the UAM Login URL in the form action was not captured in this transcript):
<html>
<head><title>Wireless Internet Service</title></head>
<body>
<br/><center><h2>Wireless Internet Service</h2>
<!-- action: the UAM Login URL (not captured in this transcript) -->
<form action="UAM_LOGIN_URL" method="post">
<table border="0" cellpadding="5" cellspacing="0" style="width: 200px;">
<tr><th>Username:</th><td><input type="text" name="username" size="20"></td></tr>
<tr><th>Password:</th><td><input type="password" name="password" size="20"></td></tr>
<tr><td align="center" colspan="2" height="23"><input type="submit" value="Login"></td></tr>
</table></form>
</center>
</body>
</html>

17 WISPr Authentication Process
ZD SIDE: User Authentication
Participants: Station, AP, Emfd, UAM Server, Authd, Radius Server.
1. Station submits user ID/password to the UAM Server.
2. UAM Server calls AuthHotspotUser, which calls authUserEx and then authUserImpl("authd", credential).
3. Authd sends a RADIUS Access Request; the Radius Server answers Access Accept / Reject.
4. Authd tells stamgr that this client has been authenticated (success/failure).
5. Stamgr notifies Apmgr to update this station so that it becomes "un-restricted" (Un-Restrict Mode).
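The exchange on slides 8, 13, 15 and 17 is easiest to reason about as one state machine: the station starts RESTRICTed, rhttpd and emfd answer its requests with 302s that carry the originally requested URL along, the UAM server verifies the credential, and only a successful verdict flips the station to UN-RESTRICT. The simulation below is an added example and not ZoneDirector code: the station table, the credential store that stands in for the RADIUS server, the query-parameter names and all URLs are constructed; the 9997 UAM port and 9999 rhttpd port are the ones stated on the ZD-side slide.

```python
"""Simulation of the WISPr login flow: rhttpd 302, emfd SessionCheck(), UAM login,
authd verdict, stamgr un-restrict.

Added example, not ZoneDirector code. Station table, credential store, parameter
names and URLs are constructed for the example.
"""
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_PAGE = "http://portal.example.test/login.html"   # constructed external login page
UAM_HTTP_PORT = 9997                                     # UAM http port from the slide
RHTTPD_PORT = 9999                                       # rhttpd port from the slide


class ZoneDirectorSim:
    def __init__(self, zd_ip: str, credentials: dict):
        self.zd_ip = zd_ip
        self.credentials = credentials   # username -> password; stand-in for RADIUS
        self.restricted = {}             # sta_mac -> True (RESTRICT) / False (UN-RESTRICT)

    def associate(self, sta_mac: str) -> None:
        """stamgr/apmgr: every station starts in RESTRICT mode on both ZD and AP."""
        self.restricted[sta_mac] = True

    def is_restricted(self, sta_mac: str) -> bool:
        return self.restricted.get(sta_mac, True)   # unknown stations are treated as restricted

    def rhttpd_get(self, sta_mac: str, requested_url: str):
        """The DNAT'd GET lands on rhttpd: restricted users get a 302 towards emfd."""
        if not self.is_restricted(sta_mac):
            return 200, None             # un-restricted: request is served normally
        location = f"http://{self.zd_ip}/user/?{urlencode({'url': requested_url})}"
        return 302, location

    def emfd_session_check(self, sta_mac: str, location: str):
        """SessionCheck(): no session -> 302 to the external login page, keeping the original URL."""
        if not self.is_restricted(sta_mac):
            return 200, None
        original = parse_qs(urlparse(location).query).get("url", [""])[0]
        params = {"url": original, "client_mac": sta_mac}   # parameter names are constructed
        return 302, f"{LOGIN_PAGE}?{urlencode(params)}"

    def uam_login(self, sta_mac: str, username: str, password: str, start_url: str):
        """UAM server: authUserImpl('authd', credential) simulated against the credential store."""
        expected = self.credentials.get(username, "")
        if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
            return "Access-Reject", None            # station stays in RESTRICT mode
        self.restricted[sta_mac] = False            # authd -> stamgr -> apmgr: UN-RESTRICT
        return "Access-Accept", start_url


def login_flow(zd: ZoneDirectorSim, sta_mac: str, url: str, username: str, password: str) -> dict:
    """Drive one station through the whole exchange and report what happened at each hop."""
    zd.associate(sta_mac)
    code1, loc1 = zd.rhttpd_get(sta_mac, url)
    code2, loc2 = zd.emfd_session_check(sta_mac, loc1)
    login_params = parse_qs(urlparse(loc2).query)
    verdict, start = zd.uam_login(sta_mac, username, password, login_params["url"][0])
    code3, _ = zd.rhttpd_get(sta_mac, url)   # the station retries its original request
    return {"first_redirect": code1, "login_redirect": code2, "login_page": loc2.split("?")[0],
            "verdict": verdict, "start_url": start, "after_login": code3,
            "restricted": zd.is_restricted(sta_mac)}


if __name__ == "__main__":
    zd = ZoneDirectorSim("192.0.2.1", {"alice": "correct-horse"})   # constructed values
    print(login_flow(zd, "00:26:5e:44:4c:fb", "http://example.test/", "alice", "correct-horse"))
```

Two details carry over to the real system: the station's un-restrict bit is only ever cleared on an Access-Accept, never on merely reaching the login page, and the original URL rides through every redirect so the start page can send the user back to it.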

18 Guest Access Setting

19 Guest Access Setting
You need to visit the Guest Access settings page to create a guest role.

20 Guest Access Authentication Process
Participants: Station, AP, Rhttpd, Emfd. Station in Restrict Mode visits its destination:
1. Station: GET (requested URL); Rhttpd sends HTTP 302 Redirect, Location: (redirect URL).
2. Station: GET redirect URL; Emfd runs SessionCheck() and sends HTTP 302 Redirect, Location: (next redirect URL).
3. Station: GET redirect URL; Emfd runs SessionCheck() and sends HTTP 302 Redirect, Location: (next redirect URL).
4. Station: GET redirect URL and submits the guest key; Emfd runs SessionCheck() (twice) and sends HTTP 302 Redirect, Location: (next redirect URL).
5. Station: GET redirect URL.

21 Guest Access Authentication Process
Participants: Station, AP, Rhttpd, Emfd. Login process continued:
6. Emfd runs SessionCheck() and sends HTTP 302 Redirect, Location: (redirect URL); Station: GET redirect URL.
7. Emfd runs SessionCheck() and sends HTTP 302 Redirect, Location: (redirect URL); Station: GET redirect URL.

22 Guest Access Authentication Process
Policy list on AP side: guest users are automatically blocked from the subnets to which ZoneDirector and its managed APs are connected.

23 Web authentication Setting

24 Web Authentication Process
Participants: Station, AP, Rhttpd, Emfd. Station in Restrict Mode visits its destination:
1. Station: GET (requested URL); Rhttpd sends HTTP 302 Redirect, Location: (redirect URL).
2. Station: GET redirect URL; Emfd runs SessionCheck() and sends HTTP 302 Redirect, Location: (redirect URL).
3. Station: GET redirect URL and submits username and password.

25 This is the tricky part!!
Everything is in the tunnel while the STA hasn't passed authentication. After authentication:
For a local bridge WLAN, the STA is removed from afmod on ZD (the tunnel is torn down at this point), and an updated flag is sent to update the remote STA.
For a tunnel WLAN, only the STA's flag in afmod on ZD needs to be updated, and the updated flag is sent to update the remote STA.
If a web redirect works in tunnel mode but not in local bridge mode, it usually means there is a problem with the tunnel teardown timing: when the user submits username and password, emfd sends the "auth" command to stamgr, and then the tunnel is torn down.

