VLAN Steering/NAC

VLAN Steering

In this scenario we show how the captive portal can be used to dynamically steer users into their respective VLAN based on the user profile. Traditionally, assigning authorized users to different networks means running multiple SSIDs, each mapped to its own VLAN, and multiple portals for the different user profiles. Users then have to pick the right SSID and sign in to the right network. This confuses users and makes the Wi-Fi configuration hard to maintain.

Image 1 :

RansNet dynamic VLAN assignment (VLAN steering) over captive portal authentication simplifies the wireless configuration and improves network security: every new client first lands in a quarantine VLAN where only the portal is reachable, so segmentation no longer depends on users choosing the right SSID. You only need to provision a single SSID on the wireless side and manage all users, VLANs and captive portal settings on the HSG. The HSG works with the AP, acting as its RADIUS server, to steer each user into the matching VLAN upon successful authentication.

Common Sectors

Hotels | Enterprises | Institutions | Airports | Stadium | Dormitories.

VLAN Steering Scenario Workflow

Image 2 : Workflow of VLAN Steering

  1. Any new device that associates with the SSID is placed in the quarantine/default VLAN (vlan100).
  2. The HSG hands out an IP address on vlan100 and prompts the client with the captive portal login page.
  3. Staff log in with their staff accounts and are moved to the Staff VLAN (vlan102).
  4. Guests register with an SMS OTP and are automatically moved to the Guest VLAN (vlan103).
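On the wire, the workflow above comes down to the AP/WLC asking the HSG over RADIUS which VLAN a client MAC belongs in, and the HSG answering with the VLAN attributes defined in RFC 2868/RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The Python script below is an added example written for this page, not RansNet code: it builds the MAC-based authentication Access-Request an AP/WLC would send (the MAC as User-Name and as PAP User-Password, using the shared secret from the Prerequisites), lets a toy gateway answer with an Access-Accept carrying the VLAN attributes, and has the NAS verify the Response Authenticator before trusting the VLAN. The session store (`sessions`), the MAC addresses, the NAS IP and the idea that the portal login updates the store are assumptions; how the HSG internally triggers the re-steer after a portal login is not described on this page.

```python
"""RADIUS MAC auth with dynamic VLAN assignment (RFC 2865/2868/3580). Added example, not RansNet code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
QUARANTINE_VLAN, STAFF_VLAN, GUEST_VLAN = 100, 102, 103   # VLAN IDs used in this scenario's tables


def _pap_hide(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    password = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        prev = bytes(p ^ b for p, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def _pap_reveal(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of _pap_hide; with the wrong shared secret this yields garbage, not the MAC."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, 2 + len(value)) + value


def _tagged_int(kind: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return _attr(kind, bytes([tag]) + value.to_bytes(3, "big"))


def build_mac_auth_request(secret: bytes, mac: str, nas_ip: str, ident: int = 1) -> bytes:
    """What the AP/WLC sends for MAC-based auth: the client MAC as User-Name and as PAP password."""
    request_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, mac.encode())
             + _attr(USER_PASSWORD, _pap_hide(secret, request_auth, mac.encode()))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(CALLING_STATION_ID, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: raw value}; refuse malformed lengths instead of over-reading the buffer."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def vlan_for(mac: str, sessions: dict) -> int:
    """Steering policy: a MAC not (yet) authenticated on the portal goes to the quarantine VLAN."""
    return {"staff": STAFF_VLAN, "guest": GUEST_VLAN}.get(sessions.get(mac.lower()), QUARANTINE_VLAN)


def build_response(secret: bytes, request: bytes, sessions: dict) -> bytes:
    """Gateway side: Access-Accept carrying the RFC 3580 VLAN attributes, or an Access-Reject."""
    req_attrs = parse_attributes(request)
    ident, request_auth = request[1], request[4:20]
    if _pap_reveal(secret, request_auth, req_attrs[USER_PASSWORD]) != req_attrs[USER_NAME]:
        code, attrs = ACCESS_REJECT, b""          # wrong shared secret or wrong credential
    else:
        vlan = vlan_for(req_attrs[USER_NAME].decode(), sessions)
        code = ACCESS_ACCEPT
        attrs = (_tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
                 + _tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802)
                 + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan).encode()))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS side: only trust a reply whose authenticator binds it to our request and our secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response: bytes) -> int:
    """VLAN the NAS must move the client to (first byte of the group ID is the RFC 2868 tag)."""
    return int(parse_attributes(response)[TUNNEL_PRIVATE_GROUP_ID][1:])


if __name__ == "__main__":
    secret = b"testing123"   # shared secret from the Prerequisites; change it in production
    # Constructed session store: what the portal login would have recorded per client MAC.
    sessions = {"aa-bb-cc-dd-ee-01": "staff", "aa-bb-cc-dd-ee-02": "guest"}
    for mac in ("aa-bb-cc-dd-ee-01", "aa-bb-cc-dd-ee-02", "aa-bb-cc-dd-ee-03"):
        req = build_mac_auth_request(secret, mac, "192.168.8.50")
        resp = build_response(secret, req, sessions)
        print(mac, "-> VLAN", assigned_vlan(resp), "| authenticator ok:", verify_response(secret, req, resp))
```

Running it places the first MAC in VLAN 102, the second in 103 and the unknown third in the quarantine VLAN 100. Two behaviours are worth keeping in mind when troubleshooting a real deployment: an AP configured with a different shared secret than the HSG produces a PAP password that decrypts to garbage, so the gateway answers Access-Reject rather than steering the client anywhere; and any change to the reply in transit (for example a different VLAN ID) invalidates the Response Authenticator, which is the only integrity protection plain RADIUS offers, so the HSG and the APs should sit on a management VLAN that clients cannot reach.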

Deployment of VLAN Steering Using UI

Prerequisites
  1. Upgrade the Hotspot Gateway firmware to version 20210213-2300. See link Upgrade Firmware
  2. Connect the WAN interface of the HSG to the ISP device (ONT or modem)
    • Info – The WAN port (eth0) of the HSG is pre-configured to obtain a DHCP address from the ISP ONT/modem (or upstream router).
  3. Connect the ETH1 port of the HSG to the LAN switch.
    • Info – The ETH1 port (eth1) of the HSG is pre-configured to hand out DHCP addresses to the LAN.
  4. Connect the AP to the LAN switch
    • Use the default VLAN1 as the management VLAN for the AP/WLC
      • The Access Point receives a DHCP address from the HSG in the 192.168.8.0/22 network
      • Info – Reserved IPs for the WLC or other devices range from 192.168.8.2 to 192.168.8.99 (the default DHCP pool starts at 192.168.8.100).
    • Create all VLANs on the switch (VLAN100, 102 and 103), configure the switch ports as trunks and permit all VLANs on each port (the default). On a production switch, prune the trunks to just these VLANs instead of permitting all.
    • Configure the APs to broadcast a single SSID mapped to VLAN100 (the quarantine VLAN) and enable MAC-based authentication.
    • Configure the AP/WLC to use the HSG as its RADIUS server for MAC-based authentication with the settings below.
      • NAME – RansNet-HSG-AUTH
      • AUTH TYPE – RADIUS
      • IP ADDRESS – 192.168.8.1
      • PORT – 1812
      • SHARED SECRET – testing123
    • Note – testing123 is the shared secret in the default configuration (security radius-server ... key testing123); replace it with a long random secret before go-live. Also check that the HSG accepts RADIUS requests from the AP/WLC address: the default configuration only lists the loopback 2.1.2.1 as a RADIUS client.
  5. Connect the ETH2 port to a PC for management
    • Info – The ETH2 port (eth2) of the HSG is pre-configured to hand out DHCP addresses (10.10.10.10 to 10.10.10.20).

Procedure

Step 1 – Access to Hotspot Management UI

  1. Log in to the Hotspot Gateway UI
    • on-premises Hotspot Gateway – From the management PC, browse to http://10.10.10.1 and log in with the credentials. The default firewall-input rules only permit web (TCP 80) and SSH (TCP 22) management from 10.0.0.0/8, i.e. from the ETH2 OOB network.

Image 3 : Hotspot Gateway login screen

Step 2 – Create Entity, User Account, and Permission for the User Account

  1. Create Entity – See link Create Customer Entity
    • The company name can be used as the entity name
  2. Create and configure a Permission for the User Account
    • Navigate to ‘ADMIN > Permissions‘, click the add button and configure the required permission.
    • Recommendation – For this scenario, create the new User Account with ‘Super admin’ selected in the Profile field. For a production deployment, give the account only the permissions it needs rather than Super admin.
  3. Create User Account – See link Create User Account

Step 3 – Create VLANs (100, 102 & 103) on the eth1 interface

  1. Navigate to the ‘NETWORK SETTINGS > Interfaces > VLAN‘ tab and click the add button. See link New VLAN interface
    • Configure three new VLANs as per the tables below. Only the quarantine VLAN (vlan100) gets the hotspot service; its DHCP settings belong to the hotspot instance configured in Step 5. The staff and guest VLANs are plain DHCP networks.

  New Interface VLAN (Quarantine VLAN)
    VLAN Name                        vlan100
    Admin Status                     Enabled
    Physical Interface               eth1
    IP/Netmask (IP Address/Mask)     172.16.100.1/24
  Hotspot Service                    Enable
Table 1 : New VLAN settings for VLAN Steering Scenario – vlan100

  New Interface VLAN (Staff VLAN)
    VLAN Name                        vlan102
    Admin Status                     Enabled
    Physical Interface               eth1
    IP/Netmask (IP Address/Mask)     172.16.102.1/24
  DHCP Server                        Enable
    DNS Servers                      8.8.8.8 | 8.8.4.4
    Client Default Gateway           172.16.102.1
    Lease Time (Seconds)             86400
    Client DHCP Pool Range           172.16.102.2 – 172.16.102.254
Table 2 : New VLAN settings for VLAN Steering Scenario – vlan102

  New Interface VLAN (Guest VLAN)
    VLAN Name                        vlan103
    Admin Status                     Enabled
    Physical Interface               eth1
    IP/Netmask (IP Address/Mask)     172.16.103.1/24
  DHCP Server                        Enable
    DNS Servers                      8.8.8.8 | 8.8.4.4
    Client Default Gateway           172.16.103.1
    Lease Time (Seconds)             86400
    Client DHCP Pool Range           172.16.103.2 – 172.16.103.254
Table 3 : New VLAN settings for VLAN Steering Scenario – vlan103

Step 4 – Create and Configure the Captive Portal and Login Methods

  1. Create a Captive Portal. See link Create/Edit Captive portal.
    • Portal name – ‘Dy_Vlan100’ | portal template – ‘Central’
  2. Configure the Login Methods (SMS OTP and Username+Password). Enable the login methods listed below. See link Login Method Types.
Portal Name: Dy_Vlan100
Portal Template: Central
Entity: [Customer’s Entity name]
Login Method: SMS OTP (Guest Login) and Username & Password (Staff Login)

Step 5 – Configure the Hotspot Instance on the vlan100 Interface

  1. Navigate to ‘Hotspot Settings > Hotspot Instances‘. Click on ‘vlan100’ under the Interface column and configure all three sections of the instance as per Table 4 below.
    • The whitelisted address 2.1.2.1 is the HSG loopback that macc.ransnet.com and splash.ransnet.com are rewritten to in the default configuration; it must stay reachable from the quarantine VLAN so that unauthenticated clients can load the portal.

  Hotspot Instance Base Config
    Hotspot Enable                   enable by ticking the option
    Hotspot Portal                   select the portal created for this VLAN interface,
                                     e.g. http://captive.ransnet.com/pid/Dy_Vlan100/login.php
  Hotspot Instance Optional Config
    Client Parameters                Permit External Client Network – 172.16.100.0
                                     Permit External Client Netmask – 255.255.255.0
    Redirect/Success URL             http://www.ransnet.com
    Bypass/Whitelist By              Destination Domain – .ransnet.com
                                     Destination IP/URL – 2.1.2.1
    Enable/Disable Parameters        Intercept DNS Requests – enable by ticking the option
  DHCP Optional Config
    DHCP Description                 vlan100 Hotspot DHCP
Table 4 : vlan100 Hotspot Instance settings

Step 6 – Configure Access Control

Create two Access Profiles manually, one for the default quarantine VLAN (vlan100) and one for the Staff VLAN (vlan102), with the Profile Access Info given in the table below. The Guest (vlan103) profile is auto-generated by the system.
Info – The ‘Access Profile‘ name and ‘Access info‘ settings for the quarantine and staff VLANs are configured manually; for the guest VLAN the profile is created automatically and only its Access Info settings should be edited.
See Link Manual Profile
See Link Auto Profile

  1. Configure the Access Profiles for the default quarantine VLAN and the staff VLAN by navigating to ‘HOTSPOT USERS > Access Profile‘ and locating the profiles named in the table below.
    • Note – An auto profile only appears after the corresponding portal login method has been tested once successfully. The auto-created profile name has the format RansNet_[Device Name]_[Interface Name]_[MAC Address, last 4 digits]_[login method], where the login method suffix is emailonepageotp for Email OTP registration and smsonepageotp for SMS OTP registration (e.g. RansNet_mbox_br-vlan10_96-19_emailonepageotp). Click on the profile name and configure the Access Info settings as required.
    • Check – The Dynamic VLAN Assignment value of each profile must match a VLAN created in Step 3 and carried on the switch trunks; a client steered into a VLAN that does not exist on the path to the HSG is left without an IP address.

  01 Default Quarantine VLAN (manual profile) – Access Profile Name: Default_Vlan100
       Access Time        Session Timeout – 60
                          Idle Timeout – 100
       Access Device      Dynamic VLAN Assignment – 100
  02 Staff VLAN (manual profile) – Access Profile Name: Staff_Vlan102
       Access Speed       Maximum Upload – 1700
                          Maximum Download – 2000
       Access Device      Dynamic VLAN Assignment – 102
  03 Guest VLAN (auto profile) – Access Profile Name: RansNet_Test04_br-vlan10_9a-b1_smsonepageotp
       Info – This profile name is auto-created and must not be edited.
       Access Speed       Maximum Upload – 2000
                          Maximum Download – 2000
       Access Device      Dynamic VLAN Assignment – 103
                          Dynamic VLAN Assignment (Timeout) – 30
       Access Data (MB)   Total data quota – 100

NOTE

Use the UI to configure the captive portal, login methods and access profiles. The CLI configuration shown below covers only the default interfaces and the hotspot instances.

-----------------------------------Default Configuration--------------------------
hostname HSG800-WT
!
interface eth0
 description "Default connection to WAN"
 enable
 ip address dhcp
!
interface eth1
 description "Default connection to LAN"
 enable
 ip address 192.168.8.1/22
 dhcp-server
  description "DHCP-ETH1 DHCP"
  lease-time 86400
  router 192.168.8.1
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.100 192.168.11.254
!
interface eth2
 description "Default OOB-Mgmt"
 enable
 ip address 10.10.10.1/24
 dhcp-server
  lease-time 86400 86400
  router 10.10.10.1
  dns 8.8.8.8 8.8.4.4
  range 10.10.10.10 10.10.10.20
  enable
!
interface eth3
 description "Reserved network"
!
interface vlan 1 10
 description "Staff VLAN"
 enable
 ip address 172.16.10.1/24
!
interface vlan 1 20
 description "Guest VLAN"
 enable
 ip address 172.16.20.1/24
!
interface vlan 1 30
 description "Cafeteria VLAN"
 enable
 ip address 172.16.30.1/24
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip name-server 8.8.8.8 8.8.4.4
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host splash.ransnet.com 2.1.2.1 rewrite
!
firewall-input 10 permit all tcp dport 80 src 10.0.0.0/8 admin remark "WEB mgmt from OOB"
firewall-input 11 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH mgmt from OOB"
!
firewall-access 10 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!
security radius-server
 client 2.1.2.1 key testing123 name HSG800WT
 start
-----------------------------------Default Configuration--------------------------
!
security hotspot vlan10
 hotspot-server 172.16.10.1 ports 5205 4029
 client-network 172.16.10.0 255.255.255.0
 client-dhcp-server
  description "Staff VLAN10 DHCP"
  lease-time 86400
  router 172.16.10.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.10.2 172.16.10.254
  enable
 client-static 172.16.10.0 255.255.255.0
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portal_Roam1/login.php
 start
!
security hotspot vlan20
 hotspot-server 172.16.20.1 ports 5549 4985
 client-network 172.16.20.0 255.255.255.0
 client-dhcp-server
  description "Guest VLAN20 DHCP"
  lease-time 86400
  router 172.16.20.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.20.2 172.16.20.254
  enable
 client-static 172.16.20.0 255.255.255.0
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portal_Roam1/login.php
 start
!
security hotspot vlan30
 hotspot-server 172.16.30.1 ports 5780 5408
 client-network 172.16.30.0 255.255.255.0
 client-dhcp-server
  description "Cafeteria VLAN30 DHCP"
  lease-time 86400
  router 172.16.30.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.30.2 172.16.30.254
  enable
 client-static 172.16.30.0 255.255.255.0
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portal_Roam1/login.php
 start

NOTE

The following two commands must be configured in the Hotspot Instances to activate Seamless Roaming on the Hotspot Gateway.

client-sticky start <no of days> : keeps the user session for <no of days>, counted from the first login.
client-sticky-vlanlist <VLANs x interfaces> : allows clients to roam across the listed VLAN interfaces without having to log in again.

Because a sticky session is recognised by the client's MAC address, a longer <no of days> also lengthens the window in which a device spoofing that MAC inherits the authenticated session and its VLAN; keep the value as short as the user experience allows.

Deployment References Links (Videos/Demos)

NOTE

The syslog server (user access logging) is enabled to collect DNS access logs and keeps that data for the last 5 days.

User access records are kept for the last 90 days.

User info (username and profile data) is kept indefinitely.