Configuring

Creating a BYOD server

Configure a portal redirect web-server.

Syntax

[no] portal web-server [web-server-name] url [url-string]

Term Meaning
portal Configure the BYOD-redirect feature.
web-server Configure portal redirect web-server.
url Configure the URL of the BYOD server.
url-string A URL redirecting the client to the BYOD server must be in ASCII.

Associating a BYOD server

Associate a BYOD server with a specific VLAN to redirect clients to the assigned URL page.

Syntax

[no] vlan [vlan-id] <portal web-server [web-server-name]>

VLAN

Add, delete, edit VLAN configuration or enter a VLAN context

portal

Configure the BYOD-redirect feature on a VLAN.

web-server

Specify the BYOD web-server.

Creating a BYOD ACL rule

Configure a BYOD-free rule.

Syntax

[no] portal free-rule [rule-number] vlan [VLAN-ID] destination <<ip-address> | mask <mask-length> | any tcp <des-tcp-port> | udp <des-udp-port> | source <ip-address> | mask <mask-length> | any tcp <src-tcp-port> |udp <src-udp-port>>

Term Meaning
portal Configure the BYOD-redirect feature.
free-rule Configure a BYOD-free rule.
rule-number Free rule number as an INTEGER<1-6>.
vlan Free rule source VLAN ID.
VLAN-ID VLAN identifier or VLAN name.
destination Free rule destination.
ip-address IP address
mask Mask
mask-length Mask length.
tcp TCP protocol
udp UDP Protocol
des-udp-port tcp port destination
source Free rule source.
<src/des-tcp/udp-port> TCP or UDP port number, as an integer<1-65534>.
any Free rule source any.
ip Free rule source IP.
IP Free rule destination IP.
any Free rule source or destination any.

Implementing BYOD-redirect configuration

BYOD enables employees to register and access corporate resources with personally-owned devices. Though BYOD provides flexibility to employees, it can bring challenges to IT departments. BYOD-redirect is designed to help manage and control personal devices and policies at the enterprise network level.

Before implementing BYOD-redirect ensure that:

  • BYOD-redirect is configured on a VLAN.

  • BYOD-redirect is supported on up to three VLANs.

  • BYOD-redirect is supported with Mac and 802.1X authentications.

  • BYOD-redirect works with IMC 7.0 UAM module.

  • The switch supports Radius CoA Access-Accept (RFC 3576/5176).

  • The client URL and DHCP IP are included in the Re-direct URL to the IMC.


[NOTE: ]

NOTE: Until the registration process has been completed, a client device cannot access the internet or the enterprise network. Any traffic from this unauthorized device is redirected to the BYOD server.


Implementing BYOD-redirect configuration examples

The following examples show how to implement BYOD-redirect for both wired and wireless solutions.

BYOD configuration on a distribution switch

To facilitate the BYOD-redirect function, complete the following tasks on the distribution switch:

  1. Configure DNS and make FQDN solution successful: ip dns server-address priority 1 <DNS-server-IP>.


    [NOTE: ]

    NOTE: The argument to the URL can be an FQDN or IP address. If you use the IP address as an argument, this step is not necessary.


  2. Configure BYOD web-server URL: portal web-server "byod" url http://imc.com:8080/byod.

  3. Enable BYOD-redirect on a VLAN: vlan 101 portal web-server "byod."

  4. Configure BYOD-redirect free-rules on the on-boarding VLAN 101 to permit client traffic transit through DNS and DHCP servers using the following commands.

    To permit DNS traffic to/from a DNS server to a client through on-boarding VLAN:

    1. portal free-rule 1 vlan 101 source any udp 0 destination any udp 53

    2. portal free-rule 2 vlan 101 source any udp 53 destination any udp 0

    To permit DHCP traffic to/from DHCP server to client through on-boarding VLAN:

    1. portal free-rule 3 vlan 101 source any udp 68 destination any udp 67

    2. portal free-rule 4 vlan 101 source any udp 67 destination any udp 68

  5. Register device in IMC on the on-boarding VLAN. When registration is successful, client traffic is placed into different VLAN (guest/corporate) configurations.

Client authentication configuration on edge switch

Enable MAC authentication on edge switch port 1-2 using the following commands:

  • # enable mac authentication on ports 1-2

  • aaa port-access mac-based 1-2

  • # configure number of client limits on port 1 and port2

  • aaa port-access mac-based 1 addr-limit 32

  • aaa port-access mac-based 2 addr-limit 32

  • radius-server host <radius ip> dyn-authorization

  • radius-server host <radius ip> time-window 0

Wired and wireless components configured in a network topology

Access Type Edge Switch Distribution Switch Configuration ProcedureNote
Wired Access HP 2530 switch HP 5400 switch
  1. Register the HP 2530 switch in HP IMC.

  2. Create the configuration on HP 2530 switch.

  3. Create the configuration on HP 5400 switch.

Wireless Access    
  1. Make the HP MSM controller reachable by HP IMC.

  2. Ensure that access points (HP 422) are managed by the MSM controller.

  3. Configure MAC or 802.1X authentication on the MSM controller.

  4. Create the configuration on the HP 5400 switch.

Wired clients solution

Access Type Edge Switch Distribution Switch Configuration Procedure

Wired Access

HP 2530 switch

HP 3800 switch

  1. Register the HP 2530 switch and HP 3800 switch in IMC.

  2. Ensure that both HP 2530 switch and HP 3800 switch can reach the DHCP and DNS server.

  3. Create the configuration on HP 2530 switch.

  4. Create the configuration on HP 3800 switch.

Configuration and access for wired clients on an edge switch

Access Type

Edge Switch

Distribution Switch

Configuration Procedure

Wired Access HP 3500 switch N/A
  1. Register the HP 3500 switch in HP IMC.

  2. Ensure that the HP 3500 switch is reachable by the DHCP and DNS server.

  3. Create the configuration on the HP 3500 switch.

  4. Create the following configuration on the HP 3500 switch.

Show commands

Show portal server

Display all BYOD servers and their attributes or specify a BYOD web-server-name to display its details.

Syntax

show portal web-server [web-server-name]

Term Meaning
portal Display BYOD server details..
web-server Specify the BYOD web-server.
web-server name Enter BYOD web-server name in ASCII.
Sample output
Portal Server:
1)imc:
Resolved IP      : 15.146.197.224
VPN Instance     : n/a
URL              : http://15.146.197.224:80/byod
VLAN             : 101
DNS Cache Status : 20 seconds

Show portal redirect statistics

Show redirect statistics of a BYOD.

Syntax

show portal redirect statistics

Term Meaning
portal Display BYOD server details.
redirect Display redirect statistics
statistics Display the statistics.

Sample output

show portal redirect statistics
Status and Counters - Portal Redirect Information
Total Opens           : 0
Resets Connections    : 0
Current Opens         : 0
Packets Received      : 14997
Packets Sent          : 12013
 HTTP Packets Sent     : 3002
Current Connection States :
SYN_RECVD     : 0
ESTABLISHED   : 0

Show portal free rule

Display all BYOD free rules and their attributes; the user can specify a BYOD rule to display its free rule.

Syntax

show portal free-rule [free-rule-number]

Term Meaning
portal Display BYOD server details.
free-rule Display BYOD-free rule.
free-rule-number Free rule number as an integer <0-50>.

Sample output

Rule-Number  : 2
Vlan         : 0
Source:
Protocol  : UDP
Port      : 12345
IP        : 0.0.0.0
Mask      : 0.0.0.0
MAC       : n/a
Interface : n/a
Destination:
Protocol  : UDP
Port      : 123
IP        : 0.0.0.0
Mask      : 0.0.0.0

Associating with the BYOD server on a specified VLAN

Associate a BYOD server with a specific VLAN to redirect clients to the assigned URL page.

Syntax

[no] vlan <VLAN-ID > [portal web-server < web-server-name>]

Term Meaning
portal Configure the BYOD-redirect feature on the VLAN.
web-server Specify the BYOD web-server.
ASCII-STR BYOD web server name.
vlan Add, delete, edit VLAN configuration or enter a VLAN context.
VLAN-ID Enter a VLAN identifier or a VLAN name.