
HP MSM Series Setup Guide

Page 2 of 22

Global Reach Technology Ltd Commercial in Confidence

Disclaimer

THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. GLOBAL REACH AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. GLOBAL REACH RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME.

Limitation of Liability

IN NO EVENT SHALL GLOBAL REACH BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL.

VERSION 1.1 PUBLISHED APRIL 2015


IMPORTANT - BEFORE YOU START

The following document applies to HP MSM Series controllers (e.g. 720, 760). Before attempting to configure your MSM controller to use Odyssys, please ensure that ALL of the following requirements are met:

Your MSM is installed in an environment where compatible Access Points are configured to work with the controller, i.e. DNS and DHCP options are configured correctly.

The following components are required to be configured and working in your environment before attempting integration with Odyssys:

DHCP Server
DNS Server
Firewall NAT

In addition, to protect the privacy of your Wi-Fi users, it is highly recommended that you obtain an SSL certificate signed by a trusted 3rd-party certificate authority. This will ensure the secure submission of usernames and passwords and prevent warning messages from being displayed on client devices. Details of how to upload and apply a custom SSL certificate are given later in this guide.

PLEASE NOTE - This is a technical document and as such, integration of your hardware with Odyssys should only be handled by trained individuals.

TECH NOTE Odyssys does not use the standard RADIUS ports, so please make sure your firewall allows the ports defined in your Captive Portal settings at manager.odyssys.net.

TECH NOTE Due to a limitation of the MSM firmware, the use of wildcard SSL certificates may cause your Wi-Fi users to experience connectivity issues. You should therefore check that your certificate's common name (CN) attribute does not contain the wildcard character '*'. For help viewing your certificate's common name, please refer to step 1 of the "Preparing Your Certificate Chain" section.

GETTING STARTED WITH ODYSSYS

Before you attempt to configure your HP controller for use with Odyssys, you will first need to create your own captive portal.

1. First, navigate to https://manager.odyssys.net and log in using your assigned Customer ID, username and password.

2. Select Captive Portals > Captive Portals from the left-hand navigation menu and click Create Captive Portal. The following dialog should appear:

You should complete the form as follows:

Name: An arbitrary name for your captive portal.
Hardware Vendor: Set this to HP MSM.

Click Create to confirm.

CONFIGURING ODYSSYS WITHIN THE MSM

1. Navigate to your HP controller's web UI and log in using an account with sufficient privileges to make configuration changes.

2. Next, you should configure your MSM controller to authenticate your Wi-Fi users using your captive portal's RADIUS authentication and accounting servers. To do this, select Authentication > RADIUS profiles from the main navigation menu and click Add New Profile.... The following form should be displayed:

You should complete the form as follows, referring to the information provided in step 4 of "Getting Started with Odyssys".

Profile name: An arbitrary name identifying this RADIUS profile, e.g. your portal's unique identifier.
Server Address: Your captive portal's RADIUS Primary Server IP.
Secret/Confirm Secret: Your captive portal's RADIUS Shared Secret.
Authentication Port: Your captive portal's RADIUS Authentication Port.
Accounting Port: Your captive portal's RADIUS Accounting Port.

You may also optionally fill in the fields under Secondary RADIUS server. You should use the same shared secret as for the primary server but set the Server address to your captive portal's RADIUS Secondary Server IP.

Click Save to confirm.

3. Now select Public access > Web content and the following form should be displayed:

You should complete the form as follows:

Support a local Welcome page: This should be unchecked.
Redirect users to the Login page via: This should be set to HTTPS (see note 1 below).
HMAC tag required: This should be unchecked.

Click Save to confirm.

Note 1: To avoid warnings about invalid certificates on client devices and to protect the privacy of your Wi-Fi users, you should upload a custom SSL certificate signed by a trusted 3rd-party certificate authority. Details of how to do this are given later in this guide.


4. Next, select the Attributes tab and click Add New Attribute....

The following form should be displayed:

To complete this step you will need to add several attributes, configuring each as specified below. You will also need to refer to the information provided in step 4 of "Getting Started with Odyssys".

a) First, allow HTTP access to Odyssys by adding the following attribute:
Name: Set this to ACCESS-LIST.
Value: Set this to unauth,ACCEPT,tcp,manager.odyssys.net,80

b) Add another attribute to allow HTTPS access:
Name: Set this to ACCESS-LIST.
Value: Set this to unauth,ACCEPT,tcp,manager.odyssys.net,443

c) Apply the ACL to unauthenticated users:
Name: Set this to USE-ACCESS-LIST-UNAUTH.
Value: Set this to unauth

d) Now set the redirect URL to your captive portal's splash page:
Name: Set this to LOGIN-URL.
Value: Set this to your captive portal's Splash Page URL followed by ?client_mac=%m&login_url=%l&original_url=%o
e.g. https://manager.odyssys.net/account/captivePortal/44354925?client_mac=%m&login_url=%l&original_url=%o

e) Finally, set the authentication error URL to your captive portal's splash page:
Name: Set this to LOGIN-ERR-URL.
Value: Set this to your captive portal's Splash Page URL followed by ?error=true&error_msg=User+authentication+failed.
e.g. https://manager.odyssys.net/account/captivePortal/44354925?error=true&error_msg=User+authentication+failed.

TECH NOTE If your organization uses a custom domain to access Odyssys (e.g. wifi.examplenetworks.com), you should replace manager.odyssys.net in the attributes above with your custom domain. For example, the first attribute would become unauth,ACCEPT,tcp,wifi.examplenetworks.com,80
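The attributes in step 4 only work together: the LOGIN-URL and LOGIN-ERR-URL hosts must be reachable through the ACCESS-LIST entries that the unauthenticated ACL applies, otherwise clients are redirected to a login page they are then blocked from loading. This is the mistake the tech note above invites when only some of the attributes are changed to a custom domain. The following Python is an added example, not code from the guide or from Odyssys: it assembles the five attributes for a given splash page URL and portal host and then checks that every login URL is covered by an applied unauth rule. The ACCESS-LIST field layout (list,action,protocol,host,port) is taken from the values shown on the page; treating a "*.domain" host entry as a suffix match is an assumption about MSM semantics, and the splash URLs in the usage are the page's own examples.

```python
"""Assemble the HP MSM attributes from step 4 and check that the login URLs are
reachable through the unauthenticated ACL.  Added example; not the guide's code.
ACCESS-LIST layout (list,action,protocol,host,port) follows the page's values;
'*.domain' suffix matching is an assumption about how the MSM treats such hosts."""
from urllib.parse import urlsplit

LOGIN_QUERY = "client_mac=%m&login_url=%l&original_url=%o"
ERROR_QUERY = "error=true&error_msg=User+authentication+failed."


def build_attributes(splash_url, portal_host="manager.odyssys.net"):
    """Return the (name, value) pairs of step 4 for one splash page URL.

    portal_host is the host the unauth ACL must allow; change it together with
    splash_url when a custom domain (e.g. wifi.examplenetworks.com) is used.
    """
    return [
        ("ACCESS-LIST", f"unauth,ACCEPT,tcp,{portal_host},80"),
        ("ACCESS-LIST", f"unauth,ACCEPT,tcp,{portal_host},443"),
        ("USE-ACCESS-LIST-UNAUTH", "unauth"),
        ("LOGIN-URL", f"{splash_url}?{LOGIN_QUERY}"),
        ("LOGIN-ERR-URL", f"{splash_url}?{ERROR_QUERY}"),
    ]


def parse_access_list(value):
    """Split an ACCESS-LIST value into its five fields; reject anything malformed,
    e.g. an entry with the action field dropped."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 5:
        raise ValueError(f"ACCESS-LIST needs 5 comma-separated fields, got {value!r}")
    acl, action, proto, host, port = parts
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in ACCESS-LIST value {value!r}")
    return {"acl": acl, "action": action.upper(), "proto": proto.lower(),
            "host": host.lower(), "port": int(port)}


def host_matches(rule_host, host):
    """Exact match, or suffix match for a '*.domain' entry (assumed MSM semantics)."""
    if rule_host.startswith("*."):
        return host.endswith(rule_host[1:])   # '*.twimg.com' -> ends with '.twimg.com'
    return rule_host == host


def check_login_urls(attributes):
    """Return a list of problems (empty = consistent).

    Every LOGIN-URL / LOGIN-ERR-URL host and port must be ACCEPTed over tcp by an
    ACCESS-LIST rule whose list is named in USE-ACCESS-LIST-UNAUTH; otherwise the
    pre-login redirect points at a host the client cannot reach.
    """
    problems = []
    rules = [parse_access_list(v) for n, v in attributes if n == "ACCESS-LIST"]
    applied = {v for n, v in attributes if n == "USE-ACCESS-LIST-UNAUTH"}
    if not applied:
        problems.append("USE-ACCESS-LIST-UNAUTH is missing: no ACL applies before login")
    for name, value in attributes:
        if name not in ("LOGIN-URL", "LOGIN-ERR-URL"):
            continue
        url = urlsplit(value)
        host = (url.hostname or "").lower()
        port = url.port or (443 if url.scheme == "https" else 80)
        allowed = any(
            r["acl"] in applied and r["action"] == "ACCEPT" and r["proto"] == "tcp"
            and r["port"] == port and host_matches(r["host"], host)
            for r in rules
        )
        if not allowed:
            problems.append(f"{name}: {host}:{port} is not allowed by an applied "
                            "unauth ACCESS-LIST rule")
    return problems


if __name__ == "__main__":
    # Splash page URL taken from the guide's own example.
    attrs = build_attributes("https://manager.odyssys.net/account/captivePortal/44354925")
    for name, value in attrs:
        print(f"{name} = {value}")
    print(check_login_urls(attrs) or "login URLs are reachable through the unauth ACL")
```

Running `check_login_urls` on attributes built for a custom-domain splash URL while `portal_host` is left at manager.odyssys.net reports both login URLs as unreachable, which is exactly the half-migrated state the tech note warns against.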


5. Next, select Controller > VSCs from the left-hand navigation menu and click Add New VSC Profile....

The following should be displayed:

The form should be completed as follows:

Global:
Profile Name: An arbitrary name for this VSC profile.

Virtual AP:
Name: The SSID you want your APs to broadcast.


HTML-based user logins:

Local: Should be unchecked.

Remote: Should be checked. Select RADIUS and choose the RADIUS profile you created in step 2.

RADIUS accounting: Should be checked. Select the RADIUS profile you created in step 2.


6. In this step, you will assign your newly created VSC to an AP group, which this guide assumes to be the default group. If you would prefer to use a different AP group, then please take this opportunity to create and assign APs to it as necessary. For a more detailed explanation of this process, please refer to the supporting documentation provided with your MSM controller. Once you have chosen an appropriate group, select it under Controlled APs from the left-hand navigation menu. Then select the VSC bindings tab and click Add New Binding....

The following should be displayed:

You should use the following settings:

VSC Profile: Set this to the Profile name you chose in step 5.

Click Save to confirm.


7. You now need to push your configuration changes to your APs. To do so, select Overview > Discovered APs from the main navigation menu.

Then select Synchronize Configuration from the drop-down menu and click Apply. Your MSM controller is now configured and ready to use Odyssys. Please take this opportunity to make a backup of your configuration. If you have opted to upload a custom SSL certificate, then you will also need to complete the next step.

8. (Optional) To complete this step you will first need to create a PKCS#12 file containing your custom SSL certificate, private key and accompanying certificate chain. For more information on creating a PKCS#12 file, please refer to the section of this guide entitled "Preparing Your Certificate Chain".

a) To upload your PKCS#12 file, select Controller from the left-hand navigation menu and then Security > Certificate stores from the main navigation menu. Click Choose File and select your PKCS#12 file. Enter your PKCS#12 file's password, if any, in the PKCS#12 password field. Click Install to confirm.

b) Now select the Certificate usage tab and click HTML authentication. Choose the certificate you just uploaded from the Local certificate drop-down list. The entry that corresponds to your certificate will match the common name attribute of your certificate's Subject field.


Click Save to confirm.


PREPARING YOUR CERTIFICATE CHAIN

This section demonstrates how to bundle your custom certificate/private key pair and certificate chain into a PKCS#12 file using OpenSSL. To check that OpenSSL is installed, enter the following at the terminal (Mac OS X/Linux) or Command Prompt (Windows):

$ openssl

You should see the following OpenSSL command prompt. Type quit to exit.

OpenSSL>

This section assumes the following certificates: a self-signed root CA certificate (globalsign.pem), an intermediate CA certificate (alphassl.pem), a custom certificate (login.odyssys.net.pem) and its private key (login.odyssys.net.key). Accordingly, substitute the filenames of your own certificates and keys for those given in the following examples.

1. First, you should print and note the value of the Common Name (CN) attribute of your SSL certificate's Subject field, e.g.:

$ openssl x509 -subject -noout -in login.odyssys.net.pem

This should produce:

subject= /OU=Domain Control Validated/CN=login.odyssys.net

Please ensure that your certificate's common name (CN) does not contain the wildcard character '*', as this is likely to cause problems for your Wi-Fi users.

2. To create the PKCS#12 file containing your certificates and private key, issue the following commands. Remember, your PKCS#12 file should not contain the self-signed root CA certificate (globalsign.pem in this example).

$ cat alphassl.pem login.odyssys.net.pem > all.pem
$ cat login.odyssys.net.key >> all.pem
$ openssl pkcs12 -export -in all.pem -out login.odyssys.net.pfx

You should make a note of the password, if any, you chose to encrypt the file with, as this will be required during the configuration. Your PKCS#12 file is now ready to be uploaded to your MSM controller.
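The two checks this section asks for by hand (no '*' in the CN, and the root left out of the bundle) are easy to get wrong once the filenames change, and a wrong or missing intermediate only shows up later as certificate warnings on client devices. The following Python is an added example, not code from the guide or from Global Reach: it wraps the same openssl command line used above to read the CN, verify that the leaf chains to the root through the intermediate, build the PKCS#12 file and count the certificates inside it. It passes the key and intermediate with -inkey and -certfile instead of concatenating all.pem; the resulting bundle is the same. The root/intermediate/leaf chain it generates for the demonstration is constructed on the fly and is not a real certificate, and the filenames, the demo password and `demo()` are the example's own.

```python
"""Check a certificate before bundling it for the MSM, then build and inspect the
PKCS#12 file.  Added example wrapping the openssl CLI; not the guide's own code.
make_test_chain() produces a constructed root -> intermediate -> leaf chain so the
whole flow runs offline; on real input pass your own .pem/.key paths instead."""
import os
import subprocess
import tempfile


def openssl(*args):
    """Run one openssl subcommand, return its stdout, raise on non-zero exit."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def subject_cn(cert_pem):
    """Common Name of the Subject.  RFC 2253 formatting gives 'subject=CN=...,OU=...'
    on every OpenSSL version, unlike the '/OU=.../CN=...' form shown in the guide."""
    out = openssl("x509", "-subject", "-noout", "-nameopt", "RFC2253", "-in", cert_pem)
    subject = out.split("=", 1)[1].strip()
    for rdn in subject.split(","):
        if rdn.startswith("CN="):
            return rdn[3:]
    return None


def has_wildcard_cn(cert_pem):
    """The MSM tech note: a '*' in the CN is likely to break users' connectivity."""
    cn = subject_cn(cert_pem)
    return cn is not None and "*" in cn


def chain_verifies(leaf_pem, intermediate_pem, root_pem):
    """True if leaf -> intermediate -> root validates; catches a wrong intermediate."""
    result = subprocess.run(
        ["openssl", "verify", "-CAfile", root_pem, "-untrusted", intermediate_pem, leaf_pem],
        capture_output=True, text=True)
    return result.returncode == 0


def build_pkcs12(leaf_pem, key_pem, intermediate_pem, out_pfx, password):
    """Same bundle as 'openssl pkcs12 -export -in all.pem': leaf, key and intermediate,
    with the self-signed root deliberately left out."""
    openssl("pkcs12", "-export", "-in", leaf_pem, "-inkey", key_pem,
            "-certfile", intermediate_pem, "-out", out_pfx, "-passout", f"pass:{password}")
    return out_pfx


def certs_in_pkcs12(pfx, password):
    """Number of certificates in the bundle: expect 2 (leaf + intermediate), not 3."""
    out = openssl("pkcs12", "-in", pfx, "-nokeys", "-passin", f"pass:{password}")
    return out.count("-----BEGIN CERTIFICATE-----")


def make_test_chain(workdir, leaf_cn):
    """Constructed root -> intermediate -> leaf chain for the demo; not real certs."""
    def p(name):
        return os.path.join(workdir, name)

    ca_ext = p("ca.ext")   # CA extensions, needed or 'openssl verify' rejects the issuers
    with open(ca_ext, "w") as f:
        f.write("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")

    def csr(name, cn):
        openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                "-keyout", p(f"{name}.key"), "-out", p(f"{name}.csr"))

    csr("root", "Constructed Root CA")
    openssl("x509", "-req", "-days", "2", "-in", p("root.csr"), "-signkey", p("root.key"),
            "-extfile", ca_ext, "-out", p("root.pem"))
    csr("inter", "Constructed Intermediate CA")
    openssl("x509", "-req", "-days", "2", "-in", p("inter.csr"), "-CA", p("root.pem"),
            "-CAkey", p("root.key"), "-CAcreateserial", "-extfile", ca_ext, "-out", p("inter.pem"))
    csr("leaf", leaf_cn)
    openssl("x509", "-req", "-days", "2", "-in", p("leaf.csr"), "-CA", p("inter.pem"),
            "-CAkey", p("inter.key"), "-CAcreateserial", "-out", p("leaf.pem"))
    return {"root": p("root.pem"), "inter": p("inter.pem"),
            "leaf": p("leaf.pem"), "key": p("leaf.key")}


def demo(leaf_cn="login.example.test", password="changeit"):
    """Run every check on a constructed chain and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        c = make_test_chain(d, leaf_cn)
        findings = {
            "cn": subject_cn(c["leaf"]),
            "wildcard_cn": has_wildcard_cn(c["leaf"]),
            "chain_ok": chain_verifies(c["leaf"], c["inter"], c["root"]),
        }
        pfx = build_pkcs12(c["leaf"], c["key"], c["inter"], os.path.join(d, "login.pfx"), password)
        findings["certs_in_pfx"] = certs_in_pkcs12(pfx, password)
        return findings


if __name__ == "__main__":
    print(demo())                    # clean leaf: no wildcard, chain verifies, 2 certs
    print(demo("*.example.test"))    # wildcard CN, the case the tech note warns about
```

Each `demo()` call generates three fresh RSA keys, so it takes a second or two; on a real certificate you would call `subject_cn`, `chain_verifies` and `build_pkcs12` directly with the .pem and .key files from the section above.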

ACCESS CONTROL LIST ADDRESSES

Odyssys
54.246.95.205
54.243.42.241

Twitter
api.twitter.com
*.twimg.com

Google
74.125.29.84
74.125.226.243
74.125.228.10
74.125.228.74
74.125.228.111
130.111.19.240
173.194.74.95

Facebook
*.facebook.com
*.akamaihd.net
*.fbcdn.net
connect.facebook.com

LinkedIn
8.247.88.225
23.202.203.120
64.94.107.57
138.108.7.20
216.52.242.80
216.52.242.86

PayPal Express Checkout
173.0.82.77/32
92.122.246.85/32
66.117.29.34/32
216.113.188.89/32
66.235.147.113/32

If you wish to disable Apple's Captive Assistant, please add the following to your walled garden:
www.apple.com
www.airport.us
www.ibook.info
www.thinkdifferent.us
www.itools.info
www.appleiphonecell.com
captive.apple.com


FREQUENTLY ASKED QUESTIONS

Q. I want to add different authentication provider types; how do I do this?
A. Please see our Odyssys Authentication guide for further information.

Q. I need more information on how to set up Odyssys.
A. Please see our Odyssys setup guide.


GLOSSARY

ACL - Access Control List
AAA - Authentication, Authorization, and Accounting
CA - Certificate Authority
DHCP - Dynamic Host Configuration Protocol
DNS - Domain Name Service
NAT - Network Address Translation
PORT - A process-specific or application-specific software construct serving as a communication endpoint, used by the Transport Layer protocols of the Internet Protocol suite, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP)
RADIUS - Remote Authentication Dial In User Service
SHARED SECRET - A single password shared between two devices
SSID - Service Set Identifier - A unique identifier for your Wi-Fi service
WLAN - Wireless Local Area Network
WLC - Wireless Local Area Network Controller

Global Reach Technology Ltd Craven House, 121 Kingsway London WC2B 6PA T +44 (0) 20 7831 5630 [email protected] Copyright © Global Reach Technology Limited All rights reserved. Global Reach and the Global Reach logo are registered trademarks.