
CLI: Example for Configuring WeChat Authentication on Internet Access Users

Networking Requirements

A shopping mall has a FW deployed as the egress gateway at the network border to connect the intranet to the Internet, as shown in Figure 1. To attract customers, the mall has Wi-Fi deployed so that the customers can enjoy free Internet access after they enable the Wi-Fi function and pass the one-click authentication.

Free Internet access through one-click authentication is implemented by combining the one-click authentication function for Wi-Fi access through WeChat provided by the Agile Controller with the user-defined portal authentication function of the FW and by integrating with the WeChat platform.

Figure 1 WeChat authentication on Internet access users

Configuration Roadmap

To implement the function of free Internet access through one-click authentication, you need to perform configurations on the WeChat platform, Agile Controller, and FW. The configuration procedure is as follows:

  1. Configure relevant services on the WeChat platform.
    1. Use the applied WeChat official account to log in to the WeChat platform and add the plug-ins for Wi-Fi access through WeChat and for shop management.

      Only an enterprise, not an individual, can apply for shop management.

    2. Add a shop and set its location and name.

      Ensure the accuracy of the shop location so that users can properly obtain Wi-Fi information.

    3. Add a device and bind a WeChat account as the administrator for the function of Wi-Fi access through WeChat in this shop.

      The device refers to the AP device corresponding to the SSID associated with this function. This step associates the shop name, Wi-Fi SSID, and Wi-Fi password. Configure the device as one authenticated through password.

    4. Activate the function of Wi-Fi access through the WeChat official account.
    5. View the AppID and AppSecret of the WeChat official account.

    The preceding descriptions cover basic steps of configurations on the WeChat platform. For operation details, contact WeChat technical support.

  2. Configure the Agile Controller.
    1. Configure a third-party application and specify the parameters for interconnecting the Agile Controller with the WeChat platform.
    2. Configure the authentication page pushed by the Agile Controller to users.
    3. Configure the policy for pushing the portal authentication page to users.
    4. Configure the portal server and RADIUS server for them to properly interwork with the FW.
  3. Configure the FW.

    1. Configure interfaces and assign them to security zones.
    2. Configure a NAT policy.
    3. Configure the DHCP function.
    4. Configure security policies.
    5. Configure the RADIUS server.
    6. Configure authentication, authorization, and accounting schemes.
    7. Configure an authentication domain and reference the RADIUS server and authentication, authorization, and accounting schemes.
    8. Configure Portal2.0 authentication.
    9. Configure the portal authentication page.
    10. Configure a domain name group.
    11. Configure authentication policies.

Data Planning

Item, data, and description

Agile Controller

  Data: Parameters for interconnecting with the WeChat platform: Token, AppID, and AppSecret.
  Description: The values must be consistent with those on the WeChat platform. When the Agile Controller communicates with the WeChat platform, the WeChat platform verifies these values.

  Data: Device IP address range of users: 10.3.0.0/24
  Description: If the device IP address of a user falls in the range 10.3.0.0/24, the Agile Controller pushes the customized portal authentication page to the user.

  Data: RADIUS parameters:
    • Authentication and accounting key: Admin@123
    • Authorization key: Admin@123
  Description: RADIUS parameters set on the Agile Controller must be consistent with those on the FW.

  Data: Portal parameters:
    • Portal key: Admin@123
    • Access device IP address list: 10.3.0.0/24
    • Portal protocol type: Huawei Portal protocol
    • Heartbeat between the access device and portal server: enabled
    • Portal server IP address: 10.2.0.50
    • Port: 2000
  Description: Portal authentication parameters set on the Agile Controller must be consistent with those on the FW.

FW

  Data: RADIUS server:
    • IP address of the authentication/accounting/authorization server: 10.2.0.50
    • Authentication port: 1812
    • Accounting port: 1813
    • Authentication and accounting key: Admin@123
    • Authorization key: Admin@123
  Description: RADIUS server parameters set on the FW must be consistent with those on the Agile Controller.

  Data: Portal server:
    • IP address: 10.2.0.50
    • Port: 50100
    • Portal key: Admin@123
    • Probe cycle: 100 seconds; probe retry count: 5 times
    • User synchronization cycle: 300 seconds; user synchronization count: 5 times
    • Portal authentication page: http://10.2.0.50:8080/portal
  Description: Portal server parameters set on the FW must be consistent with those on the Agile Controller.

  Data: FW listening port: 2000
  Description: The FW listens on this port for messages from the portal server. You also need to configure this port on the Agile Controller.

Procedure

  1. Configure relevant information on the Agile Controller.
    1. Choose System > External Authentication > Third-Party Applications, set the parameters for interconnecting the Agile Controller with the WeChat platform, and keep default values for other parameters.

      Ensure that the Agile Controller can communicate with the WeChat platform. In this step, the Agile Controller connects to the WeChat platform for verification. The configuration completes only after the verification succeeds.

    2. Choose Policy > Permission Control > Page Customization > Page Customization, select a WeChat authentication template, and click the button below to start customizing the authentication page.

    3. Set parameters of the WeChat authentication page template as follows and then click OK.

    4. Edit the authentication page as required. After that, click Release in the lower-left corner.

      As shown in the following figure, click the red box on the left for the content and style editing page to be displayed on the right. Click the button in the line of Shop Info and select the shop bound to this authentication page. Edit other information as required or keep the default configurations.

      Ensure that the Agile Controller can communicate with the WeChat platform. In this step, the Agile Controller connects to the WeChat platform and reads information about the added shop from the platform. The read shop information is shown in the following figure.

      You have now finished customizing the authentication page.

    5. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule and perform configurations as shown in the following figure. Keep default values for other information.

      If the device IP address of a user falls in the range of 10.3.0.0/24, the Agile Controller pushes the customized portal authentication page to the user.

    6. Choose Resource > Device > Device Management, add a device, and configure the portal and RADIUS servers.

      Parameters and their descriptions:

      IP address: The Agile Controller and this interface address on the FW must be reachable from each other.

      RADIUS parameters:
        Authentication and accounting key: Must be consistent with the shared key for the FW to interact with the authentication and accounting server, set on the FW in step 6.
        Authorization key: Must be consistent with the shared key for the FW to interact with the authorization server, set on the FW in step 6.
        Realtime account period: Optional.
        Device series: Keep the default value.

      Portal parameters:
        Portal key: Must be consistent with the shared key set on the FW in step 9.
        Port: Must be consistent with the listening port set on the FW in step 9.



  2. Set IP addresses for interfaces on the FW and assign them to security zones. The following example describes how to configure interface GigabitEthernet 0/0/3. You can configure other interfaces based on the networking diagram.

    After completing the preceding configurations on the Agile Controller, perform the following configurations on the FW.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet0/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    

  3. Configure a NAT policy so that the FW translates the source IP address of packets destined for the extranet into the public address of the extranet interface.

    [FW] nat-policy
    [FW-policy-nat] rule name policy_nat1
    [FW-policy-nat-rule-policy_nat1] egress-interface GigabitEthernet0/0/1
    [FW-policy-nat-rule-policy_nat1] action source-nat easy-ip
    [FW-policy-nat-rule-policy_nat1] quit
    [FW-policy-nat] quit
    

  4. Configure the DHCP function so that the FW can allocate IP addresses to users after their devices connect to the SSID.

    # Enable the DHCP function.

    [FW] dhcp enable

    # Create an interface address pool and configure the DNS server address for user devices.

    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] dhcp select interface
    [FW-GigabitEthernet0/0/3] dhcp server ip-range 10.3.0.2 10.3.0.254
    [FW-GigabitEthernet0/0/3] dhcp server dns-list 9.9.9.9
    [FW-GigabitEthernet0/0/3] quit

  5. Create security policies on the FW.
    1. Configure a security policy for the Trust (where users reside) -> DMZ (where the portal server resides) interzone for users to access the portal authentication page of the portal server.

      [FW] security-policy
      [FW-policy-security] rule name sec_policy_tsm
      [FW-policy-security-rule-sec_policy_tsm] source-zone trust
      [FW-policy-security-rule-sec_policy_tsm] source-address 10.3.0.0 24
      [FW-policy-security-rule-sec_policy_tsm] destination-zone dmz
      [FW-policy-security-rule-sec_policy_tsm] destination-address 10.2.0.0 24
      [FW-policy-security-rule-sec_policy_tsm] action permit
      [FW-policy-security-rule-sec_policy_tsm] quit
      

      If the URL of the authentication page is a domain name and the DNS server that resolves it is deployed in the DMZ, you also need to permit DNS traffic from the Trust zone to the DMZ.

    2. Configure a security policy for the DMZ (where the portal and RADIUS servers reside) -> Local interzone to allow the portal and RADIUS servers to communicate with the FW.

      [FW-policy-security] rule name local_policy_01
      [FW-policy-security-rule-local_policy_01] source-zone local
      [FW-policy-security-rule-local_policy_01] destination-zone dmz
      [FW-policy-security-rule-local_policy_01] action permit
      [FW-policy-security-rule-local_policy_01] quit
      [FW-policy-security] rule name local_policy_02
      [FW-policy-security-rule-local_policy_02] source-zone dmz
      [FW-policy-security-rule-local_policy_02] destination-zone local
      [FW-policy-security-rule-local_policy_02] action permit
      [FW-policy-security-rule-local_policy_02] quit
      

    3. Configure a security policy for the DMZ (where the Agile Controller resides) -> extranet interzone to allow the Agile Controller to access the WeChat platform.

      [FW-policy-security] rule name policy_02
      [FW-policy-security-rule-policy_02] source-zone dmz
      [FW-policy-security-rule-policy_02] source-address 10.2.0.0 24
      [FW-policy-security-rule-policy_02] destination-zone untrust
      [FW-policy-security-rule-policy_02] action permit
      [FW-policy-security-rule-policy_02] quit
      

    4. Configure a security policy for the WeChat platform -> DMZ (where the Agile Controller resides) interzone to allow the WeChat platform to access the Agile Controller.

      [FW-policy-security] rule name policy_04
      [FW-policy-security-rule-policy_04] source-zone untrust
      [FW-policy-security-rule-policy_04] destination-zone dmz
      [FW-policy-security-rule-policy_04] destination-address 10.2.0.0 24
      [FW-policy-security-rule-policy_04] action permit
      [FW-policy-security-rule-policy_04] quit
      

    5. Configure a security policy for the Trust (where users reside) -> extranet interzone to allow users to access extranet resources.

      [FW-policy-security] rule name policy_03
      [FW-policy-security-rule-policy_03] source-zone trust
      [FW-policy-security-rule-policy_03] source-address 10.3.0.0 24
      [FW-policy-security-rule-policy_03] destination-zone untrust
      [FW-policy-security-rule-policy_03] action permit
      [FW-policy-security-rule-policy_03] quit
      

  6. Configure the RADIUS server on the FW. The parameters must be consistent with those on the RADIUS server.

    # Configure the IP address and port of the RADIUS authentication and accounting server and the shared key for the FW to interact with the authentication and accounting server.

    [FW] radius-server template auth_server_radius 
    [FW-radius-auth_server_radius] radius-server authentication 10.2.0.50 1812
    [FW-radius-auth_server_radius] radius-server accounting 10.2.0.50 1813
    [FW-radius-auth_server_radius] radius-server shared-key cipher Admin@123
    [FW-radius-auth_server_radius] test-aaa testname testpassword radius-template auth_server_radius
    [FW-radius-auth_server_radius] quit
    

    # Configure the IP address of the RADIUS authorization server and the shared key for the FW to interact with the authorization server.

    [FW] radius-server authorization 10.2.0.50 shared-key cipher Admin@123

  7. Configure authentication, authorization, and accounting schemes.

    # Configure an authentication scheme and set the authentication mode to RADIUS.

    [FW] aaa
    [FW-aaa] authentication-scheme radius   //Configure authentication scheme radius.
    [FW-aaa-authen-radius] authentication-mode radius
    [FW-aaa-authen-radius] quit

    # Configure an authorization scheme and set the authorization mode to RADIUS.

    [FW] aaa
    [FW-aaa] authorization-scheme radius   //Configure authorization scheme radius.
    [FW-aaa-author-radius] authorization-mode radius
    [FW-aaa-author-radius] quit
    

    # Configure an accounting scheme and set the accounting mode to RADIUS.

    [FW] aaa
    [FW-aaa] accounting-scheme radius   //Configure accounting scheme radius.
    [FW-aaa-accounting-radius] accounting-mode radius
    [FW-aaa-accounting-radius] quit
    

  8. Configure an authentication domain and reference the RADIUS server template and authentication, authorization, and accounting schemes.

    [FW-aaa] domain default
    [FW-aaa-domain-default] authentication-scheme radius
    [FW-aaa-domain-default] authorization-scheme radius
    [FW-aaa-domain-default] accounting-scheme radius
    [FW-aaa-domain-default] radius-server auth_server_radius
    [FW-aaa-domain-default] service-type internetaccess
    [FW-aaa-domain-default] quit
    [FW-aaa] quit

  9. Configure Portal2.0 authentication.

    # Configure a portal server template and create portal server information in the portal server template.

    [FW] web-auth-server default
    [FW-web-auth-server-default] server-ip 10.2.0.50
    [FW-web-auth-server-default] port 50100
    [FW-web-auth-server-default] shared-key cipher Admin@123
    [FW-web-auth-server-default] server-detect interval 100 max-times 5 action log
    [FW-web-auth-server-default] user-sync interval 300 max-times 5
    [FW-web-auth-server-default] quit
    

    # Configure the Portal2.0 listening port and enable the FW to transparently forward the authentication reply messages returned by the RADIUS server to the portal server.

    [FW] web-auth-server listening-port 2000
    [FW] web-auth-server reply-message
    

    # Configure a portal access template and bind it with the portal server template.

    [FW] portal-access-profile name default
    [FW-portal-access-profile-default] web-auth-server default
    

    # Configure an authentication template and bind it with the portal access template. In this scheme, you can only create an authentication template named portal_authen_default.

    [FW] authentication-profile name portal_authen_default
    [FW-authen-profile-portal_authen_default] portal-access-profile default
    

    # Configure a loopback0 interface and apply the authentication template to the loopback0 interface. Currently, you can only bind the authentication template named portal_authen_default to the loopback0 interface.

    [FW] interface loopback 0
    [FW-LoopBack0] authentication-profile portal_authen_default
    

  10. Configure the portal authentication page. The portal URL must be the same as the URL of the authentication page actually served by the portal server.

    [FW] user-manage portal-template portal
    [FW-portal-template-portal] portal-url http://10.2.0.50:8080/portal
    [FW-portal-template-portal] https enable
    [FW-portal-template-portal] portal-url push information
    [FW-portal-template-portal] portal-url parameter user-ip userip user-mac usermac
    [FW-portal-template-portal] portal-url parameter mac-address format delimiter - normal
    [FW-portal-template-portal] server-detect web-auth-server default

  11. Configure a domain name group and add wifi.weixin.qq.com to this group for it to be used by the authentication policy.

    [FW] domain-set name weixin
    [FW-domain-set-weixin] add domain wifi.weixin.qq.com
    [FW-domain-set-weixin] quit
    

  12. Configure authentication policies.

    # Set the action of the authentication policy for users to access the portal server to No authentication.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_tsm
    [FW-policy-auth-rule-auth_policy_tsm] source-zone trust
    [FW-policy-auth-rule-auth_policy_tsm] destination-zone dmz 
    [FW-policy-auth-rule-auth_policy_tsm] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_tsm] destination-address 10.2.0.50 32
    [FW-policy-auth-rule-auth_policy_tsm] action none
    [FW-policy-auth-rule-auth_policy_tsm] quit
    

    # Set the action of the authentication policy for the Agile Controller to access the extranet to No authentication.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_01
    [FW-policy-auth-rule-auth_policy_01] source-zone dmz
    [FW-policy-auth-rule-auth_policy_01] destination-zone untrust
    [FW-policy-auth-rule-auth_policy_01] source-address 10.2.0.0 24
    [FW-policy-auth-rule-auth_policy_01] action none
    [FW-policy-auth-rule-auth_policy_01] quit
    

    # Set the action of the authentication policy for users to access the WeChat platform to No authentication.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_02
    [FW-policy-auth-rule-auth_policy_02] source-zone trust
    [FW-policy-auth-rule-auth_policy_02] destination-zone untrust 
    [FW-policy-auth-rule-auth_policy_02] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_02] destination-address domain-set weixin
    [FW-policy-auth-rule-auth_policy_02] action none
    [FW-policy-auth-rule-auth_policy_02] quit
    

    # Set the action of the authentication policy for the WeChat platform to access the Agile Controller to No authentication.

    [FW] auth-policy
    [FW-policy-auth] rule name auth_policy_03
    [FW-policy-auth-rule-auth_policy_03] source-zone untrust
    [FW-policy-auth-rule-auth_policy_03] destination-zone dmz
    [FW-policy-auth-rule-auth_policy_03] destination-address 10.2.0.0 24
    [FW-policy-auth-rule-auth_policy_03] action none
    [FW-policy-auth-rule-auth_policy_03] quit
    

    # Set the action of the authentication policy for users to access other extranet resources to Portal authentication.

    [FW-policy-auth] rule name auth_policy_service
    [FW-policy-auth-rule-auth_policy_service] source-zone trust
    [FW-policy-auth-rule-auth_policy_service] destination-zone untrust
    [FW-policy-auth-rule-auth_policy_service] source-address 10.3.0.0 24
    [FW-policy-auth-rule-auth_policy_service] action auth portal-template portal
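
To check which flows the authentication policies above exempt from portal authentication, the following added Python example (not Huawei's code and not part of the original page) parses the domain-set and auth-policy blocks in the configuration-script form shown at the end of this page and evaluates a flow against the rules top-down, as the FW does. The sample configuration is a constructed excerpt of this page's script, and the names parse_config, match_action and bypass_rules are the example's own.

```python
# Added example (not from the Huawei page): parse USG-style domain-set and
# auth-policy blocks and evaluate which flows bypass portal authentication.
import ipaddress

# Constructed excerpt of the page's configuration script, indentation normalised.
SAMPLE_CONFIG = """\
domain-set name weixin
 add domain wifi.weixin.qq.com
#
auth-policy
 rule name auth_policy_tsm
  source-zone trust
  destination-zone dmz
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.2.0.50 mask 255.255.255.255
  action none
 rule name auth_policy_02
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address domain-set weixin
  action none
 rule name auth_policy_service
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action auth portal-template portal
#
"""

def _network(tokens):
    # Accept the script form "10.3.0.0 mask 255.255.255.0" and the CLI form "10.3.0.0 24".
    mask = tokens[2] if tokens[1] == "mask" else tokens[1]
    return ipaddress.IPv4Network(f"{tokens[0]}/{mask}", strict=False)

def parse_config(text):
    # "#" lines separate blocks, so the parser keys on keywords, not on indentation.
    domain_sets, rules, block = {}, [], None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "#":
            block = None
        elif t[0] == "domain-set":
            block, domain_sets[t[2]] = ("domain-set", t[2]), set()
        elif t[0] == "auth-policy":
            block = ("auth-policy", None)
        elif block and block[0] == "domain-set" and t[:2] == ["add", "domain"]:
            domain_sets[block[1]].add(t[2])
        elif block and block[0] == "auth-policy":
            if t[:2] == ["rule", "name"]:
                rules.append({"name": t[2], "action": "none"})
            elif t[0] in ("source-zone", "destination-zone"):
                rules[-1][t[0]] = t[1]
            elif t[0] == "destination-address" and t[1] == "domain-set":
                rules[-1]["domain-set"] = t[2]
            elif t[0] in ("source-address", "destination-address"):
                rules[-1][t[0]] = _network(t[1:])
            elif t[0] == "action":
                rules[-1]["action"] = " ".join(t[1:])
    return domain_sets, rules

def match_action(rules, domain_sets, src_zone, dst_zone, src_ip, dst_ip, dst_domain=None):
    # Top-down evaluation like the FW: the first matching rule decides.
    # (None, None) means no rule matched and the device default applies.
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.get("source-zone", src_zone) != src_zone or r.get("destination-zone", dst_zone) != dst_zone:
            continue
        if "source-address" in r and src not in r["source-address"]:
            continue
        if "destination-address" in r and dst not in r["destination-address"]:
            continue
        if "domain-set" in r and dst_domain not in domain_sets.get(r["domain-set"], set()):
            continue
        return r["name"], r["action"]
    return None, None

def bypass_rules(rules, user_zone="trust"):
    # Rules that let the user zone reach a destination with no authentication;
    # each is a deliberate pre-authentication exception (portal server, WeChat domains).
    return [r["name"] for r in rules if r.get("source-zone") == user_zone and r["action"] == "none"]

if __name__ == "__main__":
    sets, rules = parse_config(SAMPLE_CONFIG)
    print(match_action(rules, sets, "trust", "untrust", "10.3.0.20", "203.0.113.9"))
    print("no-auth exceptions from trust:", bypass_rules(rules))
```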
    

Verification

  1. Enable Wi-Fi on a mobile phone and connect to the SSID of the shop.
  2. Use a browser to access extranet resources through HTTP.
  3. The user request is redirected to the customized authentication page.
  4. Operate as prompted on the authentication page.
  5. The mobile phone automatically opens the local WeChat App.
  6. The mobile phone displays the page for Wi-Fi access through WeChat.
  7. Operate as prompted on the page for Wi-Fi access through WeChat and click Finish. The user can access the Internet through Wi-Fi.

Configuration Scripts

sysname FW
#
authentication-profile name portal_authen_default
 portal-access-profile default               
#                                            
user-manage portal-template portal
 https enable
 portal-url push information
 portal-url parameter user-ip userip user-mac usermac
 portal-url parameter mac-address format delimiter - normal
 portal-url http://10.2.0.50:8080/portal
 server-detect web-auth-server default
#
security-policy
 rule name sec_policy_tsm  
  source-zone trust 
  destination-zone dmz
  source-address 10.3.0.0 24
  destination-address 10.2.0.0 24
  action permit
 rule name local_policy_01  
  source-zone local 
  destination-zone dmz
  action permit
 rule name local_policy_02
  source-zone dmz
  destination-zone local
  action permit
 rule name policy_02  
  source-zone dmz
  destination-zone untrust
  source-address 10.2.0.0 24
  action permit
 rule name policy_03  
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
 rule name policy_04
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.0 24
  action permit
#
nat-policy  
  rule name policy_nat1                                                              
  egress-interface GigabitEthernet0/0/1
  action source-nat easy-ip 
#                                                                               
radius-server template auth_server_radius                                       
 radius-server shared-key cipher %^%#H**3(i3_k%ugc;,fvZG!,-:|*=(A5(y4Q_2t'3P%^%
#                                                                               
 radius-server authentication 10.2.0.50 1812 weight 80                          
 radius-server accounting 10.2.0.50 1813 weight 80                              
 radius-server group-filter class                                               
radius-server authorization 10.2.0.50 shared-key cipher %^%#K}(^&0opP~Q%fMUr3k*(59%N:,+H$*!(Vs%%^%#
#                                                                               
web-auth-server default                                                         
 server-ip 10.2.0.50                                                            
 port 50100                                                                     
 shared-key cipher %^%#/.6y+B[H{Q'wPG"lpVK,bx*Yg9C*5VEC;'-K7~Z%^%#             
 server-detect interval 100 max-times 5 action log                              
 user-sync max-times 5                                                          
#                                                                               
portal-access-profile name default                                              
 web-auth-server default                                                        
#                                                                               
aaa                                                                             
 authentication-scheme radius                                                   
  authentication-mode radius                                                    
 authorization-scheme radius                                                    
  authorization-mode radius                                                     
 accounting-scheme radius                                                       
  accounting-mode radius                                                        
 domain default                                                                 
  authentication-scheme radius                                                  
  accounting-scheme radius                                                      
  authorization-scheme radius                                                   
  radius-server auth_server_radius                                              
  service-type internetaccess                                                   
  internet-access mode password                                                 
#
domain-set name weixin
add domain wifi.weixin.qq.com
#
dhcp enable
#                                                                               
interface GigabitEthernet0/0/3           
 undo shutdown                                                                  
 ip address 10.3.0.1 255.255.255.0
 dhcp select interface                                                          
 dhcp server ip-range 10.3.0.2 10.3.0.254
 dhcp server dns-list 9.9.9.9                                               
#
interface LoopBack0                                                             
 authentication-profile portal_authen_default                                   
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3      
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1      
#                                                                               
firewall zone dmz                                                               
 set priority 50 
 add interface GigabitEthernet0/0/2   
#                                                                               
auth-policy                                                                     
 rule name auth_policy_tsm                                                      
  source-zone trust                                                             
  destination-zone dmz                                                          
  source-address 10.3.0.0 mask 255.255.255.0                                    
  destination-address 10.2.0.50 mask 255.255.255.255                            
  action none
 rule name auth_policy_01
  source-zone dmz                                                             
  destination-zone untrust                                                          
  source-address 10.2.0.0 mask 255.255.255.0                                   
  action none
 rule name auth_policy_02                                                      
  source-zone trust                                                             
  destination-zone untrust                                                          
  source-address 10.3.0.0 mask 255.255.255.0                                    
  destination-address domain-set weixin                            
  action none
 rule name auth_policy_03
  source-zone untrust                                                             
  destination-zone dmz                                                          
  destination-address 10.2.0.0 mask 255.255.255.0                            
  action none                                                                   
 rule name auth_policy_service                                                  
  source-zone trust                                                             
  destination-zone untrust                                                      
  source-address 10.3.0.0 mask 255.255.255.0                                    
  action auth portal-template portal                                            
#                                                                                                                                                      
return
Copyright © Huawei Technologies Co., Ltd.