HP ProCurve Networking

ProCurve Networking by HP - Application notes



Contents

» 1. Introduction
» 2. Prerequisites
» 3. Network diagram
» 4. Configuring the internal RADIUS server
» 4.1 Supported EAP authentication methods
» 4.2 Guidelines for configuring the internal RADIUS server
» 4.3 Main configuration steps for the RADIUS server
» 4.4 Configure the internal RADIUS server
» 4.5 Configure the local database
» 4.6 Configure LDAP settings
» 4.7 Configure the WLAN for RADIUS authentication
» 5. Configuring the built-in firewall
» 5.1 Screen traffic between the wireless and wired network
» 5.2 Details of ACLs
» 5.3 Guidelines for configuring ACLs
» 5.4 Create an ACL
» 6. Configuring DHCP services
» 6.1 Details of DHCP services
» 6.2 Create a network pool
» 6.3 Exclude IP addresses from the network pool
» 6.4 Create a host pool
» 6.5 View DHCP leases
» 6.6 Configure DHCP relay
» 7. Reference documents
» 8. Notes

Downloads

» How to configure built-in ProCurve WESM capabilities: RADIUS, ACLs, DHCP (PDF)

1. Introduction

This document describes how to configure the embedded services that are available with the Wireless Edge Services Module (WESM).

Scenario: You want to extend your network from wired to wireless, without deploying new servers to support the needed services for authentication, security or scalability. Instead, you will use the embedded services that come with the ProCurve WESM.


2. Prerequisites

You already have a wireless network and a ProCurve switch equipped with a Wireless Edge Services Module. The switch and WESM are managed with PCM+.


3. Network diagram

Figure 1 shows the system configuration referenced in this application note.

Figure 1. System configuration

Using this topology, you will configure the following WESM services:

  • Internal RADIUS Server
  • Access lists
  • Internal DHCP server


4. Configuring the internal RADIUS server

The internal RADIUS server has the following capabilities:

  • Supports user-based authentication (for wireless or wired users) in a network without a RADIUS server
  • Authenticates wireless users in a WLAN that enforces:
    • 802.1X authentication
    • Web authentication (Web-Auth)
    • MAC authentication
  • Uses its own local database or an LDAP-compliant server to verify login credentials
  • Specifies group policies for authenticated users
  • Creates accounting logs of user activity on a WLAN

Figure 2. Internal RADIUS server authentication


4.1 Supported EAP authentication methods


4.2 Guidelines for configuring the internal RADIUS server

  • Each user should be a member of only one group.
    Exception: You can assign the user to two groups that do not have overlapping access times.
  • To configure dynamic VLANs:
    • Set the override VLAN ID in the group policy.
    • Ensure that the Dynamic Assignment option is selected on the Network Setup > WLAN Setup > Edit screen.
    • To use dynamic VLANs with Web-Auth, set the DHCP lease for the static VLAN very low, so that a station does not keep its pre-login address from the static VLAN for long after it is moved to its dynamic VLAN.
    • Do not use dynamic VLANs with WLANs that require Layer 3 mobility.

4.3 Main configuration steps for the RADIUS server

  1. Select the EAP method for 802.1X authentication.
  2. Specify the internal RADIUS server’s digital certificate.
  3. Select and configure the source for policies and credentials:
    • Local database of groups and user accounts
    • LDAP-compliant server
  4. Specify the internal RADIUS server as the RADIUS server for one or more WLANs.
    • To allow the server to authenticate wired stations, add their switch as a RADIUS client.
  5. Restart the RADIUS server (if you have not done so while configuring it).


4.4 Configure the internal RADIUS server

Select the authentication type, specify the server’s certificate, and select the database source.


4.5 Configure the local database

  1. Create a group:
    • Normal group—for normal users (who have permanent accounts)
    • Guest group—for guest users (who have temporary accounts)
  2. Create a user:
    • Normal user—no specific expiration date and time
    • Guest user—required expiration date and time


4.6 Configure LDAP settings

  1. Enable the Wireless Edge Services Module to bind to and query the LDAP server.
  2. Configure one group in the RADIUS server’s local database. Match this group name to a group on the LDAP server.


4.7 Configure the WLAN for RADIUS authentication

Remember to select the Dynamic Assignment option if you want to use dynamic VLANs.

  1. Configure the WLAN’s RADIUS Server settings.
  2. Enter the loopback address as the RADIUS server’s address.

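The exchange that the WLAN (or a wired switch added as a RADIUS client) has with the internal RADIUS server, written out as an added example in Python; this is not code from the Wireless Edge Services Module. It builds a PAP-style Access-Request with the RFC 2865 password hiding and the RFC 2869 Message-Authenticator, verifies both on the server side, and answers with an Access-Accept that carries the group policy's override VLAN (section 4.2) as the RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple, which the client checks against the Response Authenticator. The shared secret, user name, password and NAS address are constructed.

```python
"""RADIUS Access-Request/Access-Accept encoding and verification (RFC 2865, 2869, 3580).
Added example, not WESM code; secret, names and addresses below are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type, Length (covers the two header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, refusing any length that would run past the buffer."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: each 16-octet block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: str, nas_ip: str, secret: bytes,
                         ident: int, req_auth: Optional[bytes] = None) -> bytes:
    """What a RADIUS client sends for a password login (e.g. Web-Auth)."""
    req_auth = req_auth or os.urandom(16)      # must be fresh and unpredictable per request
    attrs = encode_attr(USER_NAME, user.encode())
    attrs += encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    attrs += encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed (RFC 2869 s5.14)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side proof that the sender holds the shared secret configured for this client."""
    off = 20
    while off + 2 <= len(pkt) and pkt[off] != MESSAGE_AUTHENTICATOR:
        if pkt[off + 1] < 2:
            return False
        off += pkt[off + 1]
    if off + 18 > len(pkt) or pkt[off + 1] != 18:
        return False
    zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(pkt[off + 2:off + 18], expected)


def build_access_accept(request: bytes, secret: bytes, vlan_id: int) -> bytes:
    """Accept carrying the group policy's override VLAN as the RFC 3580 tunnel triple."""
    ident, req_auth = request[1], request[4:20]
    attrs = encode_attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    attrs += encode_attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    attrs += encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client-side check that binds the reply to this request and to the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def assigned_vlan(response: bytes) -> Optional[int]:
    """Return the VLAN only when the full, consistent RFC 3580 triple is present."""
    attrs: Dict[int, bytes] = dict(parse_attrs(response[20:]))
    if attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"):
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    digits = group[1:] if group and group[0] <= 0x1F else group   # leading tag octet is optional
    return int(digits) if digits.isdigit() else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request("alice", "correct horse", "10.10.1.2", secret, ident=7)
    acc = build_access_accept(req, secret, vlan_id=20)
    print(verify_message_authenticator(req, secret), verify_response(req, acc, secret), assigned_vlan(acc))
```

Two points follow from the code: the User-Password hiding is only as strong as the shared secret and the randomness of the Request Authenticator, which is why the secret entered for a RADIUS client should be long and unique per client; and a station is moved to the override VLAN only when all three tunnel attributes are present and agree, so a group policy that sets a VLAN but a WLAN without Dynamic Assignment selected leaves the station on the WLAN's static VLAN.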

5. Configuring the built-in firewall

The embedded firewall has the following capabilities:
  • Examines packets routed from one VLAN to another
  • Checks for and drops:
    • Packets with invalid TCP flags
    • Corrupted packets
    • Packets associated with common DoS attacks
  • Creates a log with the date and time of attack
  • Enables stateful ACLs

Figure 3. Operation of the WESM internal firewall

5.1 Screen traffic between the wireless and wired network

You need to do a few tasks before using ACLs. Make sure all these steps are complete before continuing:

  1. Map the WLAN to a VLAN that exists only on the Wireless Edge Services Module.
  2. Ensure that IP routing is enabled.
  3. Assign the Wireless Edge Services Module an IP address on the WLAN’s VLAN, and configure other necessary services.
Figure 4. How the WESM firewall filters packets


5.2 Details of ACLs

Access control lists (ACLs) on the Wireless Edge Services Module have these characteristics:

  • Contain an ordered list of rules (or access control entries, ACEs) that control traffic to and from stations
  • Select 802.11 frames, Ethernet frames, or IP packets based on information in the header
  • Permit or deny selected traffic or mark it for special handling
  • Must be applied to an interface
  • Filter traffic that is inbound on an interface
Figure 5. ACL operation


5.3 Guidelines for configuring ACLs

Use these guidelines to help configure ACLs:

  • There are four types of ACLs:
    • MAC standard
    • MAC extended
    • Standard IP
    • Extended IP
  • Any traffic not explicitly permitted by an ACL’s rules is denied (except with standard MAC ACLs).
  • You can create up to 500 rules per ACL.
  • For each ACL, the Wireless Edge Services Module applies the rules in order of precedence.
  • You can apply:
    • One IP ACL to each VLAN or tunnel interface
    • One MAC extended ACL and one IP ACL to the uplink port
    • One MAC extended ACL and one IP ACL to the downlink port
  • Traffic marking only takes effect on physical ports.
  • Only use the WLAN index filter for ACLs applied to the downlink port.
  • IP ACLs that are associated with VLAN or tunnel interfaces are applied only to routed traffic.
Figure 6. How ACLs can be applied


5.4 Create an ACL

  1. Specify the ACL type and ACL ID.
  2. Add rules for the ACL. Use the precedence number to determine the order in which the rules are processed.
  3. Add rules for standard and extended IP ACLs.
  4. Add rules for MAC extended ACLs.
  5. Attach ACLs to interfaces.
  6. View ACL statistics.

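The ACL semantics described in sections 5.3 and 5.4 (rules processed in precedence order, first match wins, anything not explicitly permitted denied, at most 500 rules) as an added Python model, not code from the module. It evaluates an extended IP ACL for a guest WLAN VLAN that may only reach DNS and an intranet web server on the wired LAN, and it includes the check a practitioner wants before attaching the ACL: a rule is "shadowed" when an earlier rule already covers every packet it could match, so the deny never fires. The subnets, server addresses and rules are constructed; the WESM GUI does not expose such a check, this is what you would run on an exported rule set.

```python
"""Extended IP ACL evaluator: precedence order, first match, implicit deny, shadowed-rule check.
Added example; the addresses and rules are constructed, not taken from a real deployment."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(s: str) -> ipaddress.IPv4Network:
    return ANY if s == "any" else ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Rule:
    precedence: int               # lower number is evaluated first
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str                      # CIDR or "any"
    dst: str
    dport: Optional[int] = None   # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src) in _net(self.src)
                and ipaddress.ip_address(dst) in _net(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that could match `other` already matches self."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and _net(other.src).subnet_of(_net(self.src))
                and _net(other.dst).subnet_of(_net(self.dst))
                and (self.dport is None or self.dport == other.dport))


class ExtendedIpAcl:
    def __init__(self, acl_id: int, rules: List[Rule]):
        if len(rules) > 500:
            raise ValueError("the module allows up to 500 rules per ACL")
        if len({r.precedence for r in rules}) != len(rules):
            raise ValueError("precedence numbers must be unique")
        self.acl_id = acl_id
        self.rules = sorted(rules, key=lambda r: r.precedence)

    def evaluate(self, proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """First matching rule wins; a packet no rule permits is denied (implicit deny)."""
        for r in self.rules:
            if r.matches(proto, src, dst, dport):
                return r.action, r.precedence
        return "deny", None

    def shadowed(self) -> List[Tuple[int, int]]:
        """(shadowed precedence, shadowing precedence) pairs for rules that can never fire."""
        out = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if earlier.covers(later):
                    out.append((later.precedence, earlier.precedence))
                    break
        return out


def guest_wlan_acl() -> ExtendedIpAcl:
    """Constructed policy: guest WLAN VLAN 10.10.20.0/24 facing the wired LAN 10.10.1.0/24."""
    return ExtendedIpAcl(100, [
        Rule(10, "permit", "udp", "10.10.20.0/24", "10.10.1.10/32", 53),   # DNS on the wired server
        Rule(20, "permit", "tcp", "10.10.20.0/24", "10.10.1.20/32", 80),   # intranet web server
        Rule(30, "deny", "ip", "10.10.20.0/24", "10.10.1.0/24"),           # nothing else on the wired LAN
        Rule(40, "permit", "ip", "10.10.20.0/24", "any"),                  # everything else (Internet)
    ])


def misordered_acl() -> ExtendedIpAcl:
    """Same rules, but the catch-all permit was entered with precedence 5 and now hides the deny."""
    rules = [r if r.precedence != 40 else Rule(5, "permit", "ip", "10.10.20.0/24", "any")
             for r in guest_wlan_acl().rules]
    return ExtendedIpAcl(101, rules)


if __name__ == "__main__":
    acl = guest_wlan_acl()
    print(acl.evaluate("tcp", "10.10.20.7", "10.10.1.20", 22), acl.shadowed())
    print(misordered_acl().evaluate("tcp", "10.10.20.7", "10.10.1.20", 22), misordered_acl().shadowed())
```

Remember from section 5.3 that an IP ACL on a VLAN interface filters only inbound, routed traffic, so this list belongs on the guest WLAN's VLAN interface, where the station's packets enter the module; applied on the wired side it would see the return traffic instead and the source/destination columns would be reversed.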

6. Configuring DHCP services

6.1 Details of DHCP services

  • DHCP server:
    • Stores client configurations in pools associated with VLAN or tunnel interfaces.
    • Receives a DHCP request from a station in a VLAN and issues the configuration stored in the corresponding pool.
  • DHCP relay services:
    • Forwards DHCP requests from clients on one VLAN (subnet) to a DHCP server on a different subnet.
  • DHCP interfaces:
    • You can configure only one DHCP service (either a DHCP server or DHCP relay services) on each interface.
    • A VLAN interface requires a static IP address to provide either DHCP service.
Figure 7. Details of DHCP configuration


6.2 Create a network pool

A network pool contains a range of IP addresses and other configuration settings for multiple DHCP clients.


6.3 Exclude IP addresses from the network pool

Eliminate IP address conflicts by excluding IP addresses already assigned to devices on your network.


6.4 Create a host pool

A host pool contains an IP address and related configuration for a particular DHCP client or host.


6.5 View DHCP leases

The Wireless Edge Services Module tracks each DHCP client that receives an IP address.

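The four pieces of sections 6.2 to 6.5 (network pool, excluded addresses, host pool, lease table) as one added Python model of the allocation logic; this is not the module's code. It shows why the exclusions matter: without them the gateway, the module's own VLAN interface address and any statically addressed servers would be handed out to stations, and it shows a reservation being honoured ahead of the dynamic range and an expired lease returning to the pool. The subnet, gateway, MAC addresses and times are constructed.

```python
"""Toy DHCP allocator: network pool, excluded addresses, host pool (per-MAC reservations)
and a lease table. Added example, not WESM code; subnet, MACs and times are constructed."""
import ipaddress
from typing import Dict, Optional, Set, Tuple

Addr = ipaddress.IPv4Address


class DhcpPool:
    def __init__(self, network: str, router: str, lease_seconds: int):
        self.network = ipaddress.ip_network(network)
        self.router = ipaddress.ip_address(router)
        if self.router not in self.network:
            raise ValueError("router must be inside the pool's network")
        self.lease_seconds = lease_seconds
        self.excluded: Set[Addr] = {self.router}      # the gateway is never handed out
        self.hosts: Dict[str, Addr] = {}               # host pool: MAC -> fixed address
        self.leases: Dict[str, Tuple[Addr, int]] = {}  # MAC -> (address, expiry time)

    def exclude(self, first: str, last: Optional[str] = None) -> None:
        """Remove one address or an inclusive range from dynamic assignment (section 6.3)."""
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
        if lo not in self.network or hi not in self.network or lo > hi:
            raise ValueError("exclusion must lie inside the network")
        self.excluded.update(lo + i for i in range(int(hi) - int(lo) + 1))

    def reserve(self, mac: str, ip: str) -> None:
        """Host pool entry (section 6.4): this MAC always receives this address."""
        addr = ipaddress.ip_address(ip)
        if addr not in self.network or addr in self.excluded:
            raise ValueError("reservation must be a usable address in the network")
        self.hosts[mac.lower()] = addr

    def _expire(self, now: int) -> None:
        self.leases = {m: l for m, l in self.leases.items() if l[1] > now}

    def offer(self, mac: str, now: int) -> Optional[Addr]:
        """Address for a request arriving at time `now`; None when the pool is exhausted."""
        mac = mac.lower()
        self._expire(now)
        if mac in self.hosts:
            addr = self.hosts[mac]
        elif mac in self.leases:
            addr = self.leases[mac][0]                  # renewal keeps the same address
        else:
            taken = {a for a, _ in self.leases.values()} | set(self.hosts.values()) | self.excluded
            addr = next((h for h in self.network.hosts() if h not in taken), None)
            if addr is None:
                return None
        self.leases[mac] = (addr, now + self.lease_seconds)
        return addr

    def active_leases(self, now: int) -> Dict[str, Tuple[str, int]]:
        """What 'View DHCP leases' (section 6.5) shows: MAC -> (address, seconds remaining)."""
        self._expire(now)
        return {m: (str(a), exp - now) for m, (a, exp) in self.leases.items()}


if __name__ == "__main__":
    pool = DhcpPool("10.10.20.0/24", "10.10.20.1", lease_seconds=600)
    pool.exclude("10.10.20.2", "10.10.20.9")          # module interface and static servers
    pool.reserve("00:11:22:33:44:55", "10.10.20.50")   # a printer with a fixed address
    print(pool.offer("aa:bb:cc:00:00:01", now=0), pool.offer("00:11:22:33:44:55", now=0))
    print(pool.active_leases(now=100))
```

Note that a real server also keeps a lease across a client's reboot by matching on the client identifier or MAC, which the renewal branch above models; the short-lease advice for Web-Auth in section 4.2 is the same `lease_seconds` knob, set low so the station comes back for a new address quickly once it has been moved to another VLAN.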

6.6 Configure DHCP relay

Make sure that IP routing is enabled (Network Setup > Internet Protocol > IP Forwarding). Then specify the DHCP servers on your network and the gateway through which they can be reached.


7. Reference documents

This concludes the procedures for configuring built-in Wireless Edge Services Module capabilities. If you have questions, additional information can be found in these sources:


8. Notes

Note that the software version used in this document is 1.03 for the Wireless Edge Services Module.
