D-Link DWS-3160 Configuration Manual

Configuration Guide

How to Configure a BYOD Environment with the DWS-3160

(RADIUS Server)

Overview

This guide describes how to configure and implement BYOD environment with the D-Link
DWS-3160 Unified Switch for user and device authentication.

How to Configure a BYOD Environment with the DWS-3160

NOTE: The screenshots in this guide are from the DWS-3160’s firmware version 4.3.0.5. If you are using an earlier

version of the firmware, the screenshots may not be identical to what you see on your browser.

Situation Note

The trend of Bring Your Own Device (BYOD) in working place is a new challenge on network security and
management. Many corporations that allow employees to use their own device at work expecting have
better performance and productivity; however, on the downside, corporations also concern the network
security and information leakage by using private device. How to distinguish corporate-provided device
and private device (BYOD device), and give different authorities is the major task for IT teams.

The scenario in this guide shows you how to implement a BYOD environment with single SSID on DWS­3160 and external RADIU (FreeRADIUS) server. Use username, password, and device MAC info to assign
particular VLAN. All connection from the SSID required performing authentication before granted
authority.

The security protocol on SSID dlink_employee is WPA2 Enterprise. The authentication database is
external RADIUS server. In the RADIUS database, one user account includes username, password, and
device MAC address which is the corporate-provided. The authorized network is assigned based on
authentication information:

 If authentication info matches username, password, and device MAC address of the user

account, the user is authorized in VLAN2 network.

 If authentication info matches username and password, but it doesn’t match the device MAC

address (for example, use the Private NB to log on), the user is authorized in VLAN3 network.

 If authentication info doesn’t match either username or password, the user doesn’t get any

access.

How to Configure a BYOD Environment with the DWS-3160

Software Type

Software Name

Version

Operation System

Fedora

3.9.5-301.fc19.x86_64

FreeRadius

freeradius

2.2.0-6.fc19.x86_64

FreeRadius

freeradius-utils

2.2.0-6.fc19.x86_64

FreeRadius

freeradius-postgresql

2.2.0-6.fc19.x86_64

Postgresql

postgresql-server

9.2.6-1.fc19.x86_64

Postgresql

postgresql-libs

9.2.6-1.fc19.x86_64

Configuration Steps (FreeRADIUS)

1. Basic Requirement

In order to setup the RADIUS server, the following is the minimum requirement.

 A standard x86/x86-64 PC
 Installed Fedora Linux distribution ( Fedora 18+ is preferred)
 10GB HDD storage at least
 1GB ram at least
 Internet connection

2. Recommend Software Package list

All configuration steps are verification base on software version below:

3. Configure IP address on Fedora via GUI.

3-1. Log in as root in GUI.

3-2. Select Network Settings.

3-3. Click the gear. Manually set the IP address, Netmask and Gateway. In this case, set the
FreeRADIUS IP address as 192.168.10.15. The Netmask is 255.255.255.0. The Gateway IP address
is 192.168.10.1.

Note: Make sure the RADIUS server connect to internet before process following procedures.

How to Configure a BYOD Environment with the DWS-3160

4. Manual-Installation Procedure

Install FreeRADIUS steps-by-steps through the following description.

4-1. Open a terminal console and switch to root account

Use the su command and enter root’s password to get the root privilege as the following steps are
all needed root privilege.

How to Configure a BYOD Environment with the DWS-3160

4-2. Install the required package (the table listed in above)

Use the following command to install freeradius, postgresql, and the libraries. In default, the
installation path for FreeRADIUS is /etc/raddb.

-----------------------

yum install postgresql-server postgresql-libs freeradius freeradius-postgresql freeradius-utils

-----------------------

4-3. Configure FreeRADIUS. All configuration files for FreeRADIUS will be stored under
/etc/raddb.

Add the management VLAN in the FreeRADIUS. Edit /etc/raddb/client.conf. Add shared secret
for each client or each subnet. And save.

The fill in information is as below:

 short_name : the name of this entry
 secret : the secret for to this entry
 ipaddr and netmask : the ip address for this entry, you can specify an address or a subnet

The red items are the options you can edit

--------------------------------------­client short_name{

secret = shared_secret
ipaddr = 192.168.0.0
netmask = 24

How to Configure a BYOD Environment with the DWS-3160

}

---------------------------------------

In this case, add VLAN1 IP subnet. For example, add a new entry named test1, secret is

testing123, and the subnet is 192.168.10.0/24

--------------------------------------­client test1{

secret=testing123
ipaddr=192.168.10.0
netmask=24

}

---------------------------------------

4-4. Setup SQL server is as source database. Uncomment sql.conf in /etc/raddb/radiusd.conf.

Remove “#” in the beginning of “$INCLUDE sql.conf” to enable SQL as the data source of
FreeRADIUS. And save.

4-5. Setup database type, host name and server username/ password.

How to Configure a BYOD Environment with the DWS-3160

Edit below info under /etc/raddb/sql.conf. And save.

4-5-1. Set “database” = “postgresql”
4-5-2. Set “server” = the database server ip. Leave it as “localhost” if you don’t have separate
database.
4-5-3. Change “password” as desired. Suggest keep it as “radpass”

4-6. Edit log in format.

Edit below info under /etc/raddb/sql/postgresql/dialup.conf. And save.

4-6-1. Remove “#” in the beginning of “sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-
Name}:-none}}" ”
4-6-2. Add “#” in the beginning of “sql_user_name = "%{User-Name}"”

4-7. Enable Authorize and Accounting function on the SQL.

Edit below info under /etc/raddb/sites-enabled/default. And save.

4-7-1. Remove “#” in the beginning of “sql” in the sections of “authorize”, “accounting”

How to Configure a BYOD Environment with the DWS-3160

4-7-2. Please insert text below to the /etc/raddb/sites-enabled/default after line 511 and save
change.

-----------------------------------------------------------------------------

if ( "%{request:Calling-Station-Id}" != "" && "%{request:Calling-Station-Id}" == "%{sql: SELECT
callingstationid FROM radmacvlan WHERE username='%{User-Name}' and
callingstationid=upper('%{request:Calling-Station-Id}')}" ) {
update reply {
Tunnel-Private-Group-ID := "%{sql: SELECT tunnelprivategroupid FROM
radmacvlan WHERE username='%{User-Name}' and callingstationid=upper('%{request:Calling­Station-Id}')}"
Tunnel-Type := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Type' }"
Tunnel-Medium-Type := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Medium­Type' }"
}
}
else {
update reply {
Tunnel-Private-Group-Id := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Private-Group­Id' }"
Tunnel-Type := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Type' }"

Tunnel-Medium-Type := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Medium­Type' }"

}
}

-----------------------------------------------------------------------------

3-8. Edit /etc/raddb/sites-enabled/ inner-tunnel

How to Configure a BYOD Environment with the DWS-3160

Remove “#” in the beginning of “sql” in the sections of “authorize”

5. Setup PostgreSQL server

5-1. Start Postgresql service

Execute the following commands to init and start postgresql. And save.

---------------------------

service postgresql initdb
service postgresql enable
service postgresql start

---------------------------

5-2. Create a database user for FreeRADIUS.

5-2-1. Create a database user for FreeRADIUS. Please note that the username and password must
be matched with username/password which set in /etc/raddb/sql.conf. In the settings of previous
steps, the username/ password are radius/ radpass.

----------------------------

sudo -u postgres createuser radius --no-superuser --no-createdb --no-createrole –P

----------------------------

5-2-2. Create a database for FreeRadius
Create a database for FreeRADIUS. The owner of this database should be the one we defined in
/etc/raddb/sql.conf.