Contents

VLAN Steering

In this scenario, we showcase how we can use captive portal features to dynamically steer users to their respective VLAN based on the user profile. Traditionally, if we want to assign authorized users to different networks, we need to run multiple SSID to map to multiple VLANs and multiple portals for a different profile of users. Then users need to choose their respective SSID to connect and sign-in to their respective network. This can confuse users and also hard to maintain Wi-Fi configurations.

RansNet Dynamic VLAN assignment (VLAN steering) over captive portal authentication significantly simplifies wireless configuration and improves network security. You just need to provision a single SSID on wireless setting, and manage all users/VLAN/captive portal settings on HSG. HSG will work with AP to dynamically steer users to their respective VLAN upon successful authentication.

Common Sectors

VLAN Steering Scenario Workflow

For any new device associated with SSID, they will be assigned to a quarantine/default VLAN (VLAN10)
The Vlan10 assigns an IP and prompts with a captive portal login page.
For Staff, after login with Staff accounts, they will be assigned to VLAN20-Staff VLAN
For Guest, they will register with SMS OTP and auto-assigned to VLAN30-Guest VLAN

Deployment of VLAN Steering Using UI

Prerequisites

Upgrade the Hotspot Gateway box firmware version 20210213-2300. See link Upgrade Firmware
Connect the WAN Interface of HSG to ISP device (ONT or Modem)
- Info– The WAN port (eth0) of HSG is pre-configured to get dhcp IP from ISP ONT/modem (or upstream router).
Connect ETH1 port of HSG to the LAN Switch.
- Info– The ETH1 port (eth1) of HSG is pre-configured to release IP to LAN.
Connect the AP to the LAN Switch
- Use default VLAN1 as management VLAN for AP/WLC
  - Access Point will be receiving DHCP IP from HSG from network 192.168.8.0/22
  - Info– Reserved IP for WLC or other devices, range from 192.168.8.2 to 192.168.8.99.
- Add all VLANs on the switch (VLAN100, 102, 103), configure all switch-ports to be in trunk mode, and permit all VLANs for each port (default)
- Configure APs to broadcast the VLAN100’s SSID and enable MAC-based Authentication.
- Configure AP/WLC to point the HSG as a RADIUS server with the below settings (Radius) for MAC-based authentication.
  - NAME – RansNet-HSG-AUTH
  - AUTH TYPE – RADIUS
  - IP ADDRESS – 192.168.8.1
  - PORT – 1812
  - SHARED SECRET – testing123
Connect ETH2 port to a PC for Management
- Info– The ETH2 port (eth2) of HSG is pre-configured to release IP.

Procedure

Step 1 – Access to Hotspot Management UI

Login to Hotspot Gateway UI
- on-premises Hotspot Gateway – Use the Management PC and browse to http://10.10.10.1 and login with the Credentials.

**Image 2** : Hotspot Gateway login screen

Step 2 – Create Entity, User Account, and Permission for the User Account

Create Entity – See link Create Customer Entity
- User can use the Company name as entity name

Create and Configure Permission for the User Account
- Navigate to ‘ADMIN > Permissions‘. Click on the button and configure the required permission.
- Recommendation – Create the new User Account and in the Profile field select ‘Super admin’ for this Scenario.

Create User Account – See link Create User Account

Step 3 – Create VLANs (100, 102 & 103) on eth1 interface

Navigate to the ‘NETWORK SETTINGS > Interfaces > VLAN‘ tab and click on the button, See link New VLAN interface
- Configure three new VLANs as per the below Tables,

S/N	Section	Field	Value
01	New Interface VLAN (Quarantine VLAN)
		VLAN Name	vlan100
		Admin Status	Enabled
		Physical Interface	eth1
		IP/Netmask (IP Address/Mask)	172.16.100.1/24
02	Hotspot Service		Enable

Table 1 : New VLANs settings for VLAN Steering Scenario – VLAN100

S/N	Section	Field	Value
01	New Interface VLAN (Staff VLAN)
		VLAN Name	vlan102
		Admin Status	Enabled
		Physical Interface	eth1
		IP/Netmask (IP Address/Mask)	172.16.102.1/24
02	DHCP Server		Enable
		DNS Servers	8.8.8.8 \| 8.8.4.4
		Client Default Gateway	172.16.102.1
		Lease Time (Seconds)	86400
		Client DHCP Pool Range	172.16.102.2 – 172.16.102.254

Table 2 : New VLANs settings for VLAN Steering Scenario – VLAN102

S/N	Section	Field	Value
01	New Interface VLAN (Guest VLAN)
		VLAN Name	vlan103
		Admin Status	Enabled
		Physical Interface	eth1
		IP/Netmask (IP Address/Mask)	172.16.103.1/24
02	DHCP Server		Enable
		DNS Servers	8.8.8.8 \| 8.8.4.4
		Client Default Gateway	172.16.103.1
		Lease Time (Seconds)	86400
		Client DHCP Pool Range	172.16.103.2 – 172.16.103.254

Table 3 : New VLANs settings for VLAN Steering Scenario – VLAN103

Step 4 – Create, Configure Captive Portal and Login Method

User can create a Captive Portal. See link Create/Edit Captive portal.
- Portal name – ‘Dy_Vlan100’ | portal template – ‘Central’

Configure Login Method (SMS OTP and Username+Password methods). Enable Login Methods as mentioned below. See link Login Method Types.

Step 5 – Configure Hotspot Instance (VLAN100) Interface.

Navigate to ‘Hotspot Settings > Hotspot Instances‘. Click on ‘vlan100′ below the interface column heading and configure the vlan100 and all three sections of instance, as per the Table 2 settings below.
- Configure the VLAN interfaces as per below
  - vlan100 – http://captive.ransnet.com/pid/Dy_Vlan100/login.php
- In the ‘Hotspot Instance Option Config Section‘, Refer to Table 2 below for configuration.

S/N	Section	Field	Value
01	Hotspot Instance Base Config
		Hotspot Enable	enable by ticking the option
		Hotspot Portal	Select the Portal according to the VLAN interface. Eg: http://captive.ransnet.com/pid/Dy_Vlan100/login.php
02	Hotspot Instance Optional Config
		Client Parameters	Permit External Client Network – 172.16.100.0 Permit External Client Netmask – 255.255.255.0
		Redirect/Success URL	http://www.ransnet.com
		Bypass/Whitelist By	Destination Domain – .ransnet.com Destination IP/URL – 2.1.2.1
		Enable/Disable Parameters	Intercept DNS Requests – enable by ticking the option
03	DHCP Optional Config
		DHCP Description	vlan100 Hotspot DHCP

Table 2 : VLAN 10 Hotspot Instance settings

Step 6 – Configure Access Control

User can create two different Access Profile for Default Quarantine (Vlan100), Staff (Vlan102) VLANs with different Profile Access Info as per the below table, and Guest (Vlan103) profile will be Auto-generated by the system.
Info – User can configure ‘Access Profile‘ name and the ‘Access info‘ setting for Quarantine Vlan, Staff Vlan manually and for the Guest Vlan the profile is created automatically and the Access Info setting can be manually edited.
See Link Manual Profile
See Link Auto Profile

Configure Access Profile for Default Quarantine VLan and Staff VLan by navigating to ‘HOTSPOT USERS > Access Profile‘
- Navigate to ‘HOTSPOT USERS > Access Profile‘ and locate for
- Note – To configure the Email Registration profile, the user has to first test the Captive portal Email Registration Authentication. After the first test is successful, the Email OTP auto-creates the profile in ‘Access Profile’ in the format of (RansNet_[Device Name]_[Interface Name]_[MAC Address, last 4 digits]_<<emailonepageotp??>>. Eg : RansNet_mbox_br-vlan10_96-19_emailonepageotp). User can click on the Profile name and configure the account info settings as per the user requirement.

S/N	VLAN Reference	Access Profile Name	Access Info	Value
01	Default Quarantine VLan (Manual Profile)	Default_Vlan100	Access Time	Session Timeout – 60 Idle Timeout – 100
			Access Device	Dynamic VLAN Assignment – 100
02	Staff VLAN (Manual Profile)	Staff_Vlan102	Access Speed	Maximum Upload – 1700 Maximum Downloads – 2000
			Access Device	Dynamic VLAN Assignment – 102
03	Guest VLAN (Auto Profile)	RansNet_Test04_br-vlan10_9a-b1_smsonepageotp Info – This Profile name is Auto-created, and should not be edited.	Access Speed	Maximum Upload – 2000 Maximum Downloads – 2000
			Access Device	Dynamic VLAN Assignment – 102 Dynamic VLAN Assignment (Timeout) – 30
			Access Data (MB)	Total data quota – 100

NOTE

User should use UI to configure the Captive portal. Login Method and Access Profile.

-----------------------------------Default Configuration--------------------------
hostname HSG800-WT
!
interface eth0
 description "Default connection to WAN"
 enable
 ip address dhcp
!
interface eth1
 description "Default connection to LAN"
 enable
 ip address 192.168.8.1/22
 dhcp-server
  description "DHCP-ETH1 DHCP"
  lease-time 86400
  router 192.168.8.1
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.100 192.168.11.254
!
interface eth2
 description "Default OOB-Mgmt"
 enable
 ip address 10.10.10.1/24
 dhcp-server
  lease-time 86400 86400
  router 10.10.10.1
  dns 8.8.8.8 8.8.4.4
  range 10.10.10.10 10.10.10.20
  enable
!
interface eth3
 description "Reserved network"
!
interface vlan 1 100
 description "Quarantine VLAN"
 enable
 ip address 172.16.10.1/24
 dhcp-server
 dns 8.8.8.8 8.8.4.4
 router 172.16.10.1
 leasetime 86400 86400
 range 172.16.10.20 172.16.10.254
 enable
!
interface vlan 1 102
 description "Staff VLAN"
 enable
 ip address 172.16.20.1/24
dhcp-server
 dns 8.8.8.8 8.8.4.4
 router 172.16.20.1
 leasetime 86400 86400
 range 172.16.20.20 172.16.20.254
 enable
!
interface vlan 1 103
 description "Guest VLAN"
 enable
 ip address 172.16.30.1/24
dhcp-server
 dns 8.8.8.8 8.8.4.4
 router 172.16.30.1
 leasetime 86400 86400
 range 172.16.30.20 172.16.30.254
 enable
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip name-server 8.8.8.8 8.8.4.4
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host splash.ransnet.com 2.1.2.1 rewrite
!
firewall-input 10 permit all tcp dport 80 src 10.0.0.0/8 admin remark "WEB mgmt
from OOB"
firewall-input 11 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH mgmt from O
OB"
firewall-input 12 permit all tcp dport 443 src 10.0.0.0/8 remark "Web (Https) mgmt from O
OB"
firewall-input 13 permit all udp dport 1812
firewall-input 14 permit all upd dport 1813
!
firewall-access 10 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!
security radius-server
 client 2.1.2.1 key testing123 name HSG800WT
 client 0.0.0.0/0 key testing123 name RansNet_AAA
 start
-----------------------------------Default Configuration--------------------------
!
security hotspot vlan10
 hotspot-server 172.16.10.1 ports 5205 4029
 client-network 172.16.10.0 255.255.255.0
 client-static 172.16.10.0 255.255.255.0
 client-local-dns on
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-access-udp 1812, 1813
 hotspot-portal https://captive.ransnet.com/RNSrilanka/Portal_Roam1/login.php
 hotspot-nac NACDEFAULT
 start

NOTE

The below 2 commands need to be configured in the Hotspot Instances to active Seamless Roaming in the Hotspot gateway.

client-sticky start <no of days>: This command setting keeps the user session for <x days> by counting from upon first-time login.

client-sticky-vlanlist <VLANs x interfaces>: This command allows clients to roam across different VLANs without having to re-login again.

Deployment References Links (Videos/Demos)

Create Captive portal and Configure Login Methods – https://youtu.be/yrjAkt8XkT8
Configure Seamless User Relogin – https://www.youtube.com/watch?v=CABBfKHO4gY

NOTE

syslog server (user access logging) is enabled to collect DNS access logs and storing data up to last 5 days.

User access records are stored up to last 90 days

User info (username and profile data) is kept unlimited