Backend network planning

1. Altai Super WiFi
1
Not for Distribution – Altai ConfidentialNot for Distribution – Altai Confidential
Altai Super WiFi
Altai Certification Training
Backend Network Planning
Professional Services
Altai Technologies Limited

2. Altai Super WiFi
2
Not for Distribution – Altai ConfidentialNot for Distribution – Altai Confidential
Altai Super WiFiModule Outline
• Service Controller Solution
– Layer 2 Network Deployment Scenario
– Layer 3 Network Deployment Scenario
• A3 ACS Solution

3. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
3
Service Controller Solution
• RADIUS or Active Directory in the existing network
as authentication server
• Multiple SSID for different groups of client to
access; e.g. staff and guest
• Each group of client is only allowed to access
specific network subnets
• Different authentication method can be applied
to different SSID

4. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
4
Layer 2 Network Deployment Scenario
• Deployment scenario: Enterprise only one or
several buildings network based on layer 2
connection.
• Solution 1: SC internet port behavior as network
backhaul, and LAN port connect to AP.
• Solution 2: one of SC ports behavior as network
backhaul.

5. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
5
Layer 2 Network Design
• Intranet for staff
• Ingress VLAN 1
• Egress VLAN 10
• Client IP subnet
192.168.1.x
• AD or RADIUS
Authentication
• Allowed access
intranet and internet
• Internet for guest
• Ingress VLAN 2
• Egress VLAN 10
• Client IP subnet
192.168.2.x
• SC Local account
• HTML-Authentication

6. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
6
Layer 2 Network Solution I
Radius Server
Active Directory
Service Controller
Internet Port: VLAN 10 & 20
LAN Port: VLAN 1 & 2
Router
SSID_Intranet
192.168.1.x
VLAN 1
VLAN Switch
VLAN 1, 2, 100
SSID_Internet
192.168.2.x
VLAN 2
Management SSID
192.168.100.x
VLAN 100
Trunk Port
Altai AP
VLAN 1
VLAN 2
VLAN 100
Trunk Port Trunk Port
Firewall
DHCP
server
Intranet
VLAN 20
VLAN 10
Management Server
VLAN 100

7. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
7
Layer 2 Network Solution II
Radius Server
Active Directory
Router
SSID_Intranet
192.168.1.x
VLAN 1
VLAN Switch
Network: VLAN 10,20
SC Port: VLAN 1, 2, 10, 20, 100
AP Port: VLAN 1,2, 100
SSID_Internet
192.168.2.x
VLAN 2
Management SSID
192.168.100.x
VLAN 100
Trunk Port
Altai AP
VLAN 1
VLAN 2
VLAN 100
Trunk Port Trunk Port
Firewall
DHCP
server
Intranet
VLAN 20
VLAN 10
Egress: VLAN 10 & 20
Ingress: VLAN 1 & 2
Service Controller
Management Server
VLAN 100

8. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
8
Layer 2 Active Directory authentication
Procedure
User
User associate with
wireless network
EAPOL start
EAP Response/identity
EAP response
DHCP request
AP
EAP Request/identity
Redirect the request to
Service Controller
EAP request
EAP success
Service Controller
EAP Response/Identity
Over AD
EAP Response over AD
AD Server
EAP request over AD
EAP success over AD
and user configuration
DHCP server
Response DHCP request
Send IP address back

9. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
9
Layer 2 HTML authentication Procedure
User
User associate with
wireless network
Send DHCP request
User attempts to
browse an Web site
User Login
Transport page sends
request for session
and welcome page
AP
Redirect the request
to DHCP server
Redirect the request to
Service Controller
Service Controller
Request is intercepted
Login page is returned
User login info is
sent for authentication
Transport page is sent
Session and Welcome
pages are sent
Local account
Login approved.
User configuration
setting are returned
DHCP server
Response DHCP request
Send IP address back

10. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
10
Layer 3 Network Deployment Scenario
• Deployment scenario: University & enterprise
multiple buildings network based on layer 3
connection.
• Solution 1: Two buildings connect to each other
based on layer 3 connection (Traffic forwarding
based on IP address). Since SC establish
communication with AP only by VLAN, each SC
should be deployment for every building in such
case.
• Solution 2: Two building connect to each other
based on tunnel which support VLAN function. In
this case, only one Service Controller is needed
for the entire network.

11. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
11
Layer 3 Network Design Solution_I
Building 1
• Intranet for staff
• Ingress VLAN 1
• Egress VLAN 10
• Client IP subnet 192.168.1.x
• AD or RADIUS
Authentication
• Allowed access intranet
and internet
• Internet for guest
• Ingress VLAN 2
• Egress VLAN 10
• Client IP subnet 192.168.2.x
• SC Local account
• HTML-Authentication
Building 2
• Intranet for staff
• Ingress VLAN 3
• Egress VLAN 10
• Client IP subnet 192.168.3.x
• AD or RADIUS
Authentication
• Allowed access intranet
and internet
• Internet for guest
• Ingress VLAN 4
• Egress VLAN 10
• Client IP subnet 192.168.4.x
• SC Local account
• HTML-Authentication

12. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
12
Layer 3 Network Solution_I
Radius Server
Active Directory
Router
SSID_Intranet
192.168.1.x
VLAN 1
VLAN Switch
Network: VLAN 10,20
SC Port: VLAN 1, 2, 10, 20
AP Port: VLAN 1,2
SSID_Internet
192.168.2.x
VLAN 2
Trunk PortTrunk Port
Firewall
DHCP
server
Intranet
VLAN 20 & 40
VLAN 10 & 30
Service Controller
Egress: VLAN 10 & 20
Ingress: VLAN 1 & 2
SSID_Intranet
192.168.3.x
VLAN 3
VLAN Switch
Network: VLAN 30,40
SC Port: VLAN 3, 4, 30, 40
AP Port: VLAN 3,4
SSID_Internet
192.168.4.x
VLAN 4
Trunk PortTrunk Port
Service Controller
Egress: VLAN 30 & 40
Ingress: VLAN 3 & 4
Altai AP
VLAN 1
VLAN 2
Altai AP
VLAN 3
VLAN 4

13. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
13
Layer 3 Solution I Authentication
Procedure
User
User associate with
wireless network
EAPOL start
EAP Response/identity
EAP response
DHCP request
AP
EAP Request/identity
Redirect the request to
Service Controller
EAP request
EAP success
Service Controller
In Builing 1
EAP Response/Identity
Over AD
EAP Response over AD
AD Server
EAP request over AD
EAP success over AD
and user configuration
DHCP server
Response DHCP request
Send IP address back
Building 1 for example

14. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
14
Case study: ASTRI Deployment
Active Directory
Router
SSID_Intranet
192.168.0.x
VLAN 1
AD authentication
VLAN Switch
Network: VLAN 10,20
SC Port: VLAN 1, 2, 10, 20
AP Port: VLAN 1,2
SSID_Internet
192.168.0.x
VLAN 2
HTML authentication
Trunk Port
Altai AP
VLAN 1
VLAN 2
Trunk Port Trunk Port
Firewall
Intranet
VLAN 20
VLAN 10
Egress: VLAN 10 & 20
Ingress: VLAN 1 & 2
Service Controller
DHCP server:192.168.0.x

15. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
15
Wireless Network
SSID
Target Clients
VLAN Authentication Encryption
Intranet Staff 1 Active Directory WPA/WPA2
Internet Guest 2 Captive Portal WPA-PSK

16. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
16
VLAN Network
SSID VLAN_Ingress
Client IP Address
VLAN_Egress
Colubris
Interface IP address
Intranet 1 192.168.0.x 10 10.6.11.2
Internet 2 192.168.0.x 20 10.6.12.2

17. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
17
Network configuration_ingress vlan

18. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
18
Network configuration_egress vlan

19. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
19
Network ports

20. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
20
DHCP server_1

21. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
21
DHCP server _2

22. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
22
DNS

23. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
23
Check IP routers

24. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
24
Join Active Directory

25. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
25
AD group configuration

26. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
26
Add RADIUS secret

27. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
27
Account Profiles_1

28. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
28
Account Profile_2

29. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
29
User account_1

30. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
30
User account _2

31. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
31
Access List

32. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
32
VSC AD authenticaton_1

33. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
33
VSC AD Authentication_2

34. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
34
VSC AD Authentication_3

35. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
35
VSC HTML Authentication_1

36. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
36
VSC HTML Authentication_2

37. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
37
Layer 3 Network Design Solution_II
• Intranet for staff
• Ingress VLAN 1
• Egress VLAN 10
• Client IP subnet 192.168.1.x
• AD or RADIUS
Authentication
• Allowed access intranet
and internet
• Internet for guest
• Ingress VLAN 2
• Egress VLAN 10
• Client IP subnet 192.168.2.x
• SC Local account
• HTML-Authentication

38. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
38
Layer 3 Network Solution_II
Radius Server
Active Directory
Router
SSID_Intranet
192.168.1.x
VLAN 1
VLAN Switch
Network: VLAN 10,20
SC Port: VLAN 1, 2, 10, 20
AP Port: VLAN 1,2,
SSID_Internet
192.168.2.x
VLAN 2
Trunk PortTrunk Port
Firewall
DHCP
server
Intranet
VLAN 20 & 40
VLAN 10 & 30
Service Controller
Egress: VLAN 10 & 20
Ingress: VLAN 1 & 2
SSID_Intranet
192.168.1.x
VLAN 1
SSID_Internet
192.168.2.x
VLAN 2
Trunk PortTrunk Port
Altai AP
VLAN 1
VLAN 2
Multiple Layer3 tunnel
Altai AP
VLAN 1
VLAN 2

39. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
39
MultipleLayer3Tunnel
Layer 3 Solution II Authentication
Procedure
User
User associate with
wireless network
EAPOL start
EAP Response/identity
EAP response
DHCP request
AP
EAP Request/identity
Redirect the request to
Service Controller
EAP request
EAP success
Service Controller
EAP Response/Identity
Over AD
EAP Response over AD
AD Server
EAP request over AD
EAP success over AD
and user configuration
DHCP server
Response DHCP request
Send IP address back
Building 1 for example

40. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
40
Case Study: Operator Network
Deployment Solution
IP
Backbone
Metro
Ethernet
Network
BAS
DSLAM
ADSL
AAAStandard DSL
Modem/Router Internet
AP (Switch Mode)
Controller
¿Tunnel between AP and Controller?
IP Service with PPPoE (Internet or MPLS VPN)
WiFi
Eth
GE
Wireless
Backhaul
Eth
Tunneling Router
Tunneling Router
Múltiple Access Point
TUNNEL

41. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
41
Altai A3 ACS Solution
• Deployment scenario: Hotzone whole network solution could be in one
box.
• RADIUS or MAC in the existing network is authentication server, do not
need to integrate with Active Director server
• Can use 3G as backhaul
• Roaming across A3s is not supported
• Local database is supported
• Multiple SSID for different groups of client to access, like staff and guest
• Each group of client is only allowed to access specific network subnets
• Different authentication method can be applied to different SSID

42. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
42
ACS Network Design Solution
• Intranet for staff
• Intranet ACS Profile
• Client IP subnet 192.168.0.x
• RADIUS authentication
• HTML-authentication
• Allowed access intranet
and internet
• Internet for guest
• Internet ACS Profile
• Client IP subnet 192.168.0.x
• MAC authentication
• Allowed access internet
only

43. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
43
Altai A3 Access Control System
Radius Server
A3_Gateway Mode
ACS Profile
Router
SSID_Intranet
Intranet ACS Profile SSID_Internet
Internet ACS Profile
Firewall
DHCP
server
Web Server
Switch

44. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
44
ACS User Login Procedure

45. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
45
Case Study: Hotspot Operator ACS
Profile Configuration
Radius Server
A3_Gateway Mode
10.6.127.200
DHCP server:192.168.0.1
SSID_HTMLAuth SSID_MACAuthrnet
3G network
Web Server
Hotspot Operator Noc
3G backhaul

46. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
46
Hotspot Operator Network Illustration
• 3G dongle as network backhaul
• A3 build-in DHCP server enabled
• Remote RADIUS server is for internal clients authentication
and accounting
• Remote Web server is for RADIUS server authentication.
• Access controlled list establish to define network access
difference for multiple kinds of clients
• Local account is for MAC authentication to clients who
could only access internet

47. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
47
ACS Profile

48. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
48
Local Account

49. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
49
RADIUS Server

50. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
50
Access Rules 1

51. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
51
Access Rules 2

52. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
52
Access Rules Profile

53. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
53
HTMLAuth Profile

54. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
54
MACAuth Profile

55. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
55
Export ACS profile

56. Altai Super WiFi
Not for Distribution – Altai Confidential
Altai Super WiFi
www.altaitechnologies.com
56
Thank You