Cisco Wireless Proxy Mobile IPv6 Configuration Guide, Release 8.0

Use Case Configuration Examples

The following is a collection of common use cases with sample configurations that meet their requirements. The intention is to highlight the configuration differences across the use case scenarios, so the common mandatory tasks of configuring a PMIPv6 Domain and defining LMA names and IP addresses are taken as already completed. Furthermore, for each use case, the configuration steps are the same regardless of the tunneling source (tunneling from the WLC vs. the AP). The one difference is the extra step required to enable "FlexConnect Local Switching, Central Association and Central Authentication" on the WLANs that will perform direct tunneling from the APs configured in FlexConnect mode. This step is not reiterated in each use case.

The following topics are covered under this chapter:

• Use Case 1: Open-Auth WLAN
• Use Case 2: 802.1x WLAN, and Need to PMIPv6 Tunnel All Clients
• Use Case 3: 802.1x WLAN, Per-Client Dynamic Service Selection
• Use Case 4: Central Web Authentication using ISE or QPS
• Use Case 5: Central Web Authentication Using ISE or QPS + Dynamic PMIP Parameters

Use Case 1: Open-Auth WLAN

Since no authentication is performed, all clients naturally fall into one service category. An Open-Auth WLAN simply serves either all clients as Simple-IP or all clients as PMIPv6 tunneled.

Perform the following configuration steps:

Step 1  Configure a PMIPv6 profile with a single * entry pointing to the LMA destination to which all the wireless clients on this WLAN will be tunneled. That same * entry also defines the APN value to be sent in the PBU to that LMA.

Step 2  In the WLAN advanced tab:
  1. Enable PMIPv6.
  2. Select the PMIPv6 Profile created in step 1.
  3. Define the PMIP Realm value to be used in the PBU.
With Open-Auth, the NAI value used in the PBU will be in the format client_mac_Realm (for example, if the Realm value was set to @openauth.ba-sp.com, the NAI sent in the PBU will be something like: [email protected]).

Note: Unless the operator is expecting to receive a particular Realm value at the LMA, setting a default Realm value on the WLAN is not mandatory (for example, if a default MN profile is configured on the LMA).

Note: If different Open-Auth WLANs need to point to different LMA/APN combinations, the operator should create different profiles, one profile per WLAN, each with a unique "LMA/APN" definition as needed.

Use Case 2: 802.1x WLAN, and Need to PMIPv6 Tunnel All Clients

This is the case of a service provider using 802.1x authentication on a WLAN (for example, if HotSpot2.0 is enabled on the WLAN). Additionally, there is no need for differential service type treatment per user. That is, all wireless clients must be PMIPv6 tunneled to the same LMA/APN.

Perform the following configuration steps:

Step 1  Configure a PMIPv6 profile with a single * entry pointing to the LMA destination to which all wireless clients on this WLAN will be tunneled. That same * entry also defines the APN value to be sent in the PBU to that LMA.

Step 2  In the WLAN advanced tab:
  1. Enable PMIPv6.
  2. Select the PMIPv6 Profile created in step 1.

This profile ensures that all users are tunneled to the LMA. The NAI value sent to the LMA in the PBU will be the RADIUS user-name. If different WLANs need to point to different LMA/APN configurations, the operator should create different profiles, one profile per WLAN, each with a unique (LMA, APN).

Note: This configuration does not support multiple LMAs per WLAN based on different realms, or multiple APNs per WLAN. Configuring a PMIP Realm value in the case of 802.1x WLANs has no effect.
Use Case 3: 802.1x WLAN, Per-Client Dynamic Service Selection

In this scenario, a dynamic decision is made on whether a client should be Simple-IP or PMIPv6 tunneled. Furthermore, it is possible to choose a particular LMA and/or provide a different APN value per client (for example, in a wholesale Wi-Fi scenario, the venue owner can direct the client tunneling to the corresponding service provider based on the returned RADIUS attributes). This configuration requires the use of the AAA Override feature to dynamically assign the PMIPv6 parameters to be used for each client.

Perform the following configuration steps:

Step 1  On the RADIUS, define the attributes to be assigned to each group of users.

Sample attributes for PMIPv6 users:

  home-lma-ipv4-address=172.20.227.199
  [email protected]
  mn-network=malls_wifi
  cisco-mpc-protocol-interface=pmipv6
  mn-service=ipv4

In the case of a Simple-IP user, the following attribute is mandatory:

  cisco-mpc-protocol-interface=none

Note: Even if other RADIUS attributes are defined (for example, LMA, APN, NAI), if the attribute cisco-mpc-protocol-interface is set to none, the client will be treated as Simple-IP, and all other PMIPv6 attributes will be ignored. In this case, the client will obtain its IP address from the WLAN's configured Dynamic Interface (or the IP address of the VLAN defined at the AP group as applicable).

Step 2  To define the RADIUS information on the WLC, go to Security > RADIUS > Authentication.

Step 3  From the WLAN's Security menu, on the AAA Servers tab, choose the desired RADIUS.

Step 4  In the WLAN advanced tab:
  1. Enable PMIPv6.
  2. Enable the AAA Override option.
Note: In release 8.0, if the "PMIP Mobility Type" is not checked, the PMIPv6-related AAA override values sent in the Access-Accept will be ignored. This is a change of behavior compared to 7.5 and 7.6, where the AAA override PMIPv6 attributes were applied even if PMIP Mobility Type was set to None.

Use Case 4: Central Web Authentication using ISE or QPS

This use case employs the RADIUS NAC feature on the WLC, with the ISE or QPS acting as the Centralized Web Authentication server. In this scenario, all users on the WLAN are PMIPv6. The PMIPv6 configuration in this case is similar to that of an Open-Auth WLAN.

Perform the following configuration steps:

Step 1  Configure a PMIPv6 profile with a single * entry pointing to the LMA destination to which all wireless clients on this WLAN will be tunneled. The same * entry also defines the APN value to be sent in the PBU to that LMA.

Step 2  To define the ISE or QPS RADIUS parameters on the WLC, go to Security > RADIUS > Authentication.

Step 3  Configure the WLAN's L2 Security as None and enable MAC Filtering.

Step 4  On the WLAN Advanced tab:
  1. Enable RADIUS NAC.
  2. Enable PMIPv6.
  3. Choose the PMIP Profile configured in Step 1.

Note: Refer to the Central Web Authentication on the WLC and ISE Configuration Example document for more details on configuring the ISE for CWA.

Use Case 5: Central Web Authentication Using ISE or QPS + Dynamic PMIP Parameters

This use case is very similar to that of "Central Web Authentication using ISE or QPS".
The main difference is that the RADIUS Access-Accept for the MAC authentication can be used to communicate the PMIPv6 parameters for a given client back to the WLC. In this scenario, the same WLAN can serve a mix of Simple-IP clients and PMIPv6 clients terminating at different LMAs.

Note: For the WLC to make use of the PMIPv6 parameters sent from the RADIUS, all five required AVPs must be included in the Access-Accept message (that is, home-lma-ipv4-address, mn-nai, mn-service, mn-network, and cisco-mpc-protocol-interface).
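The per-client rules stated in Use Case 3 and Use Case 5, as an added example (not from the Cisco guide and not WLC code): a Python audit helper that classifies the AVPs of one Access-Accept before a RADIUS policy is deployed. The dict representation, the verdict names, the mn-nai sample value and the value sanity checks are assumptions; the guide does not state what the WLC does with an incomplete AVP set, so that case is only reported.

```python
import ipaddress

# The five AVPs the guide lists as required for per-client PMIPv6 parameters.
REQUIRED_AVPS = ("home-lma-ipv4-address", "mn-nai", "mn-service",
                 "mn-network", "cisco-mpc-protocol-interface")
PROTO = "cisco-mpc-protocol-interface"

def classify_access_accept(avps, pmip_mobility_type_enabled=True):
    """Return (verdict, reasons) for one Access-Accept.

    avps: dict of AVP name -> value (hypothetical representation of the reply).
    pmip_mobility_type_enabled: WLAN setting; per the guide, release 8.0
    ignores the PMIPv6 override AVPs when it is not checked.
    """
    avps = {k.strip().lower(): str(v).strip() for k, v in avps.items()}
    if not pmip_mobility_type_enabled:
        return "pmipv6-avps-ignored", ["PMIP Mobility Type not enabled on the WLAN"]
    proto = avps.get(PROTO, "").lower()
    if proto == "none":
        # Simple-IP: every other PMIPv6 attribute is ignored.
        return "simple-ip", ["ignored: " + k for k in REQUIRED_AVPS
                             if k != PROTO and k in avps]
    missing = ["missing: " + k for k in REQUIRED_AVPS if not avps.get(k)]
    if missing:
        # The guide only says the WLC needs all five; the fallback is not stated.
        return "incomplete", missing
    problems = []
    try:  # assumption: sanity checks on values, not rules from the guide
        ipaddress.IPv4Address(avps["home-lma-ipv4-address"])
    except ValueError:
        problems.append("home-lma-ipv4-address is not an IPv4 address")
    if proto != "pmipv6":
        problems.append("unexpected " + PROTO + " value: " + proto)
    return ("invalid" if problems else "pmipv6"), problems

# Constructed sample replies (the mn-nai value is a placeholder).
PMIP_USER = {"home-lma-ipv4-address": "172.20.227.199",
             "mn-nai": "user@example.com", "mn-network": "malls_wifi",
             "cisco-mpc-protocol-interface": "pmipv6", "mn-service": "ipv4"}
SIMPLE_IP_USER = dict(PMIP_USER, **{"cisco-mpc-protocol-interface": "none"})
NO_NETWORK_USER = {k: v for k, v in PMIP_USER.items() if k != "mn-network"}

if __name__ == "__main__":
    for name, reply in [("pmip", PMIP_USER), ("simple", SIMPLE_IP_USER),
                        ("no-network", NO_NETWORK_USER)]:
        print(name, classify_access_accept(reply))
```

Running it over every authorization profile that can be returned on the WLAN shows which groups would end up as Simple-IP or with unused PMIPv6 parameters, which matters when tunneling to a specific LMA is the intended traffic separation.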