Altai Certification Training: Backend Network Planning
Professional Services, Altai Technologies Limited
Module Outline
• Service Controller Solution
• Layer 2 Network Deployment Scenario
• Layer 3 Network Deployment Scenario
• A3 ACS Solution
Service Controller Solution
• RADIUS or Active Directory in the existing network serves as the authentication server
• Multiple SSIDs for different groups of clients, e.g. staff and guest
• Each group of clients is allowed to access only specific network subnets
• A different authentication method can be applied to each SSID
Layer 2 Network Deployment Scenario
• Deployment scenario: an enterprise with one or several buildings whose network is based on Layer 2 connectivity.
• Solution 1: the SC Internet port acts as the network backhaul, and the LAN port connects to the APs.
• Solution 2: one of the SC ports acts as the network backhaul.
Layer 2 Network Design
Intranet for staff
• Ingress VLAN 1, egress VLAN 10
• Client IP subnet 192.168.1.x
• AD or RADIUS authentication
• Allowed to access intranet and Internet
Internet for guest
• Ingress VLAN 2, egress VLAN 10
• Client IP subnet 192.168.2.x
• SC local account, HTML authentication
Layer 2 Network Solution I (network diagram)
• Backend: DHCP server, intranet router, firewall, RADIUS server and Active Directory on VLAN 10 and VLAN 20
• Service Controller: Internet port carries VLAN 10 & 20; LAN port carries VLAN 1 & 2
• Management server on VLAN 100
• VLAN switch carrying VLAN 1, 2, 100; trunk ports between the SC, the switch and the APs
• Altai AP: VLAN 1, VLAN 2, VLAN 100 over a trunk port
• SSIDs: SSID_Intranet (192.168.1.x, VLAN 1); SSID_Internet (192.168.2.x, VLAN 2); Management SSID (192.168.100.x, VLAN 100)
Layer 2 Network Solution II (network diagram)
• Backend: DHCP server, intranet router, firewall, RADIUS server and Active Directory on VLAN 10 and VLAN 20; management server on VLAN 100
• Service Controller: egress VLAN 10 & 20, ingress VLAN 1 & 2
• VLAN switch: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20, 100; AP port VLAN 1, 2, 100 (trunk ports)
• Altai AP: VLAN 1, VLAN 2, VLAN 100 over a trunk port
• SSIDs: SSID_Intranet (192.168.1.x, VLAN 1); SSID_Internet (192.168.2.x, VLAN 2); Management SSID (192.168.100.x, VLAN 100)
Layer 2 Active Directory Authentication Procedure (sequence diagram; participants: user, AP, Service Controller, AD server, DHCP server)
1. User associates with the wireless network and sends EAPOL start.
2. AP sends EAP Request/Identity to the user.
3. User sends EAP Response/Identity; the AP redirects the request to the Service Controller.
4. Service Controller sends the EAP Response/Identity over AD to the AD server.
5. AD server returns an EAP request over AD; the Service Controller passes the EAP request to the AP, which forwards it to the user.
6. User sends the EAP response; the AP redirects it to the Service Controller, which sends the EAP response over AD to the AD server.
7. AD server returns EAP success over AD together with the user configuration; the Service Controller sends EAP success to the user via the AP.
8. User sends a DHCP request; the AP redirects it to the DHCP server, which responds to the DHCP request and sends the IP address back.
Layer 2 HTML Authentication Procedure (sequence diagram; participants: user, AP, Service Controller, local account, DHCP server)
1. User associates with the wireless network and sends a DHCP request; the AP redirects it to the DHCP server, which responds to the DHCP request and sends the IP address back.
2. User attempts to browse a web site; the AP redirects the request to the Service Controller.
3. The request is intercepted and the login page is returned.
4. User logs in; the user login info is sent to the local account for authentication.
5. Login approved; the user configuration settings are returned.
6. The transport page is sent; the transport page sends a request for the session and welcome pages.
7. Session and welcome pages are sent.
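The two procedures above differ in when the client gets an IP address: with Active Directory (EAP) authentication the client port is closed to everything except EAP until EAP success, whereas with HTML authentication the client is addressed first and only its web request is intercepted until the login is approved. The following Python model is an added example, not Altai code: it replays both exchanges through a toy Service Controller and reports which client frames are dropped, redirected or forwarded at each stage. The SSID names, VLANs and subnets are the slide values; the credential stores AD_USERS and LOCAL_ACCOUNTS, the frame dictionaries and the DHCP pool are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Per-SSID policy from the Layer 2 design: the staff SSID authenticates with EAP
# against AD/RADIUS; the guest SSID uses HTML (captive portal) login against the
# Service Controller's local accounts. VLANs and subnets are the slide values.
SSID_POLICY = {
    "SSID_Intranet": {"auth": "eap", "ingress_vlan": 1, "subnet": "192.168.1", "egress_vlan": 10},
    "SSID_Internet": {"auth": "html", "ingress_vlan": 2, "subnet": "192.168.2", "egress_vlan": 10},
}

# Constructed credential stores: stand-ins for the AD/RADIUS server and the SC
# local account database. Names and secrets are illustrative only.
AD_USERS = {"alice": "staff-pass"}
LOCAL_ACCOUNTS = {"guest1": "guest-pass"}


@dataclass
class Client:
    mac: str
    ssid: str
    state: str = "unauth"          # unauth -> identity -> authenticated
    identity: Optional[str] = None
    ip: Optional[str] = None


class ServiceController:
    """Gate between a client's ingress VLAN and the shared egress VLAN."""

    def __init__(self):
        self.clients = {}
        self.next_host = {}        # per-subnet DHCP counter (constructed pool, .10 upward)

    def associate(self, mac, ssid):
        if ssid not in SSID_POLICY:
            raise ValueError(f"unknown SSID {ssid}")
        self.clients[mac] = Client(mac, ssid)
        return self.clients[mac]

    def handle(self, mac, frame):
        """Return the SC's action for one frame received from a client."""
        c = self.clients[mac]
        if c.state == "authenticated":
            return self._dhcp(c) if frame["type"] == "dhcp" else "forward"
        if SSID_POLICY[c.ssid]["auth"] == "eap":
            return self._eap(c, frame)
        return self._html(c, frame)

    def _eap(self, c, frame):
        kind = frame["type"]
        if kind == "eapol-start":
            return "eap-request-identity"
        if kind == "eap-response-identity":
            c.identity, c.state = frame["user"], "identity"
            return "eap-request"              # challenge relayed back from AD
        if kind == "eap-response" and c.state == "identity":
            if AD_USERS.get(c.identity) == frame["secret"]:
                c.state = "authenticated"
                return "eap-success"          # user configuration comes back with it
            c.state = "unauth"
            return "eap-failure"
        return "drop"      # controlled port: no DHCP or data before EAP success

    def _html(self, c, frame):
        kind = frame["type"]
        if kind == "dhcp":
            return self._dhcp(c)              # guest is addressed before login
        if kind == "http":
            return "redirect-login"           # request intercepted, login page returned
        if kind == "login":
            if LOCAL_ACCOUNTS.get(frame["user"]) == frame["secret"]:
                c.state = "authenticated"
                return "login-approved"
            return "login-rejected"
        return "drop"      # everything except DHCP and HTTP is blocked before login

    def _dhcp(self, c):
        if c.ip is None:
            subnet = SSID_POLICY[c.ssid]["subnet"]
            host = self.next_host.get(subnet, 10)
            self.next_host[subnet] = host + 1
            c.ip = f"{subnet}.{host}"
        return "dhcp-offer"


if __name__ == "__main__":
    sc = ServiceController()
    sc.associate("aa:bb:cc:00:00:02", "SSID_Internet")
    for f in ({"type": "dhcp"}, {"type": "http"}, {"type": "data"},
              {"type": "login", "user": "guest1", "secret": "guest-pass"}, {"type": "http"}):
        print(f["type"], "->", sc.handle("aa:bb:cc:00:00:02", f))
```

The model makes the review point explicit: on the guest SSID the pre-login allowlist is only DHCP and the intercepted HTTP request, and any other frame from an unauthenticated client returns drop; on the staff SSID even DHCP is dropped until the AD exchange ends in EAP success.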
Layer 3 Network Deployment Scenario
• Deployment scenario: a university or enterprise with multiple buildings whose network is based on Layer 3 connectivity.
• Solution 1: two buildings connect to each other over a Layer 3 connection (traffic forwarded based on IP address). Since the SC communicates with the APs only by VLAN, an SC must be deployed in every building in this case.
• Solution 2: two buildings connect to each other over a tunnel that supports VLANs. In this case only one Service Controller is needed for the entire network.
Layer 3 Network Design, Solution I
Building 1
• Intranet for staff: ingress VLAN 1, egress VLAN 10; client IP subnet 192.168.1.x; AD or RADIUS authentication; allowed to access intranet and Internet
• Internet for guest: ingress VLAN 2, egress VLAN 10; client IP subnet 192.168.2.x; SC local account, HTML authentication
Building 2
• Intranet for staff: ingress VLAN 3, egress VLAN 10; client IP subnet 192.168.3.x; AD or RADIUS authentication; allowed to access intranet and Internet
• Internet for guest: ingress VLAN 4, egress VLAN 10; client IP subnet 192.168.4.x; SC local account, HTML authentication
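The profile tables of the Layer 2 design and of Layer 3 Solution I above can be checked mechanically before any VLAN is configured. The following Python script is an added example, not Altai code: it encodes the four profiles with the slide values, lints the table for a reused ingress VLAN, overlapping client subnets and intranet access granted to a group that does not authenticate against AD/RADIUS, and then evaluates sample flows against each group's allowed destinations. The guest groups are given Internet-only access because the slides label them "Internet for guest"; the backend intranet ranges in INTRANET_NETS, the "allowed" vocabulary and the sample addresses are constructed assumptions.

```python
import ipaddress

# Access profiles as laid out in the Layer 2 and Layer 3 Solution I designs.
# "allowed" lists what the group may reach: "intranet" and/or "internet".
PROFILES = [
    {"name": "staff-b1", "ingress_vlan": 1, "egress_vlan": 10, "subnet": "192.168.1.0/24",
     "auth": "ad-or-radius", "allowed": {"intranet", "internet"}},
    {"name": "guest-b1", "ingress_vlan": 2, "egress_vlan": 10, "subnet": "192.168.2.0/24",
     "auth": "html-local", "allowed": {"internet"}},
    {"name": "staff-b2", "ingress_vlan": 3, "egress_vlan": 10, "subnet": "192.168.3.0/24",
     "auth": "ad-or-radius", "allowed": {"intranet", "internet"}},
    {"name": "guest-b2", "ingress_vlan": 4, "egress_vlan": 10, "subnet": "192.168.4.0/24",
     "auth": "html-local", "allowed": {"internet"}},
]

# Constructed assumption: backend intranet ranges (AD, RADIUS, DHCP, servers).
# The slides do not state these; replace with the real server networks.
INTRANET_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24")]


def _net(profile):
    return ipaddress.ip_network(profile["subnet"])


def lint_profiles(profiles):
    """Static checks a reviewer would run over the SSID/VLAN table."""
    issues = []
    seen_vlan = {}
    for p in profiles:
        vlan = p["ingress_vlan"]
        if vlan in seen_vlan:
            issues.append(f"ingress VLAN {vlan} used by both {seen_vlan[vlan]} and {p['name']}")
        seen_vlan[vlan] = p["name"]
        # Example policy: intranet reach requires the directory-backed method.
        if "intranet" in p["allowed"] and p["auth"] != "ad-or-radius":
            issues.append(f"{p['name']} reaches the intranet without AD/RADIUS authentication")
    for i, a in enumerate(profiles):
        for b in profiles[i + 1:]:
            if _net(a).overlaps(_net(b)):
                issues.append(f"client subnets of {a['name']} and {b['name']} overlap")
    return issues


def classify_destination(profiles, dst):
    """Backend ranges and every client subnet count as intranet side."""
    addr = ipaddress.ip_address(dst)
    if any(addr in n for n in INTRANET_NETS) or any(addr in _net(p) for p in profiles):
        return "intranet"
    return "internet"


def check_flow(profiles, src, dst):
    """Return (verdict, reason) for a flow from client src to destination dst."""
    addr = ipaddress.ip_address(src)
    src_profile = next((p for p in profiles if addr in _net(p)), None)
    if src_profile is None:
        return "deny", f"{src} is not in any client subnet"
    target = classify_destination(profiles, dst)
    if target in src_profile["allowed"]:
        return "allow", f"{src_profile['name']} may reach {target}"
    return "deny", f"{src_profile['name']} is not allowed to reach {target} ({dst})"


if __name__ == "__main__":
    print("lint:", lint_profiles(PROFILES) or "no issues")
    for src, dst in (("192.168.2.50", "192.168.1.10"),   # guest -> staff client
                     ("192.168.2.50", "203.0.113.10"),   # guest -> Internet (doc range)
                     ("192.168.1.10", "10.1.2.3")):      # staff -> backend server
        print(src, "->", dst, check_flow(PROFILES, src, dst))
```

Because every client subnet is classified as intranet side, isolation between groups (guest to staff clients, guest to guest in the other building) falls out of the same rule as isolation from the servers. The same check does not carry over to the ACS design later in the deck, where both groups share 192.168.0.x: there the policy has to key on the authenticated session rather than on the source subnet.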
Layer 3 Network Solution I (network diagram)
• Backend: DHCP server, intranet router, firewall, RADIUS server and Active Directory on VLAN 10 & 30 and VLAN 20 & 40
• Service Controller, Building 1: egress VLAN 10 & 20, ingress VLAN 1 & 2
• Service Controller, Building 2: egress VLAN 30 & 40, ingress VLAN 3 & 4
• VLAN switch, Building 1: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20; AP port VLAN 1, 2 (trunk ports)
• VLAN switch, Building 2: network port VLAN 30, 40; SC port VLAN 3, 4, 30, 40; AP port VLAN 3, 4 (trunk ports)
• Altai AP, Building 1: VLAN 1, VLAN 2; SSID_Intranet (192.168.1.x, VLAN 1), SSID_Internet (192.168.2.x, VLAN 2)
• Altai AP, Building 2: VLAN 3, VLAN 4; SSID_Intranet (192.168.3.x, VLAN 3), SSID_Internet (192.168.4.x, VLAN 4)
Layer 3 Solution I Authentication Procedure (sequence diagram, Building 1 as example; participants: user, AP, Service Controller in Building 1, AD server, DHCP server)
Same sequence as the Layer 2 Active Directory authentication procedure, handled by the Service Controller in Building 1: EAPOL start; EAP Request/Identity and EAP Response/Identity via the AP, redirected to the Service Controller; EAP Response/Identity and EAP response sent over AD; EAP request and EAP success (with user configuration) returned over AD; EAP success delivered to the user; DHCP request redirected to the DHCP server, which responds and sends the IP address back.
Case study: ASTRI Deployment (network diagram)
• Backend: intranet router, firewall and Active Directory on VLAN 10 and VLAN 20; DHCP server 192.168.0.x
• Service Controller: egress VLAN 10 & 20, ingress VLAN 1 & 2
• VLAN switch: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20; AP port VLAN 1, 2 (trunk ports)
• Altai AP: VLAN 1, VLAN 2
• SSID_Intranet: 192.168.0.x, VLAN 1, AD authentication; SSID_Internet: 192.168.0.x, VLAN 2, HTML authentication
Layer 3 Network Design, Solution II
Intranet for staff
• Ingress VLAN 1, egress VLAN 10
• Client IP subnet 192.168.1.x
• AD or RADIUS authentication
• Allowed to access intranet and Internet
Internet for guest
• Ingress VLAN 2, egress VLAN 10
• Client IP subnet 192.168.2.x
• SC local account, HTML authentication
Layer 3 Network Solution II (network diagram)
• Backend: DHCP server, intranet router, firewall, RADIUS server and Active Directory on VLAN 10 & 30 and VLAN 20 & 40
• Single Service Controller: egress VLAN 10 & 20, ingress VLAN 1 & 2
• VLAN switch: network port VLAN 10, 20; SC port VLAN 1, 2, 10, 20; AP port VLAN 1, 2; multiple Layer 3 tunnels to the remote building (trunk ports)
• Altai APs in both buildings: VLAN 1, VLAN 2; SSID_Intranet (192.168.1.x, VLAN 1), SSID_Internet (192.168.2.x, VLAN 2)
Layer 3 Solution II Authentication Procedure (sequence diagram, Building 1 as example; participants: user, AP, Service Controller reached over multiple Layer 3 tunnels, AD server, DHCP server)
Same sequence as the Layer 2 Active Directory authentication procedure, with the AP's redirected requests crossing the Layer 3 tunnels to the single Service Controller: EAPOL start; EAP Request/Identity and EAP Response/Identity via the AP; EAP Response/Identity and EAP response sent over AD; EAP request and EAP success (with user configuration) returned over AD; EAP success delivered to the user; DHCP request redirected to the DHCP server, which responds and sends the IP address back.
Case Study: Operator Network Deployment Solution (network diagram)
• Access side: Wi-Fi clients, multiple access points (AP in switch mode), wireless backhaul, Ethernet
• Subscriber side: standard DSL modem/router, xDSL, IP service with PPPoE (Internet or MPLS VPN)
• Operator side: DSLAM, BAS, AAA, tunneling routers, Metro Ethernet network, IP backbone, Internet
• Controller attached over GE Ethernet at the tunnel end; open question on the slide: "Tunnel between AP and Controller?"
Altai A3 ACS Solution
• Deployment scenario: hotzone; the whole network solution can be in one box.
• RADIUS or MAC in the existing network is the authentication server; there is no need to integrate with an Active Directory server.
• 3G can be used as backhaul.
• Roaming across A3s is not supported.
• Local database is supported.
• Multiple SSIDs for different groups of clients, e.g. staff and guest.
• Each group of clients is allowed to access only specific network subnets.
• A different authentication method can be applied to each SSID.
ACS Network Design Solution
Intranet for staff (Intranet ACS profile)
• Client IP subnet 192.168.0.x
• RADIUS authentication, HTML authentication
• Allowed to access intranet and Internet
Internet for guest (Internet ACS profile)
• Client IP subnet 192.168.0.x
• MAC authentication
• Allowed to access Internet only
Altai A3 Access Control System (network diagram)
• Backend: web server, DHCP server, router, firewall, RADIUS server, switch
• A3 in gateway mode with ACS profiles: SSID_Intranet mapped to the Intranet ACS profile; SSID_Internet mapped to the Internet ACS profile
Case Study: Hotspot Operator ACS Profile Configuration (network diagram)
• 3G network used as 3G backhaul
• Hotspot operator NOC: RADIUS server, web server
• A3 in gateway mode, 10.6.127.200; DHCP server 192.168.0.1
• SSIDs: SSID_HTMLAuth, SSID_MACAuthrnet
Hotspot Operator Network Illustration
• 3G dongle as network backhaul
• A3 built-in DHCP server enabled
• Remote RADIUS server handles authentication and accounting for internal clients
• Remote web server is for RADIUS server authentication
• Access control lists are established to define different network access for multiple kinds of clients
• Local accounts provide MAC authentication for clients who may only access the Internet