D-Link DWS-3160 Configuration Manual

Configuration Guide

How to Configure a BYOD Environment with the DWS-3160

(RADIUS Server)

Overview

This guide describes how to configure and implement BYOD environment with the D-Link
DWS-3160 Unified Switch for user and device authentication.

How to Configure a BYOD Environment with the DWS-3160

NOTE: The screenshots in this guide are from the DWS-3160’s firmware version 4.3.0.5. If you are using an earlier

version of the firmware, the screenshots may not be identical to what you see on your browser.

Situation Note

The trend of Bring Your Own Device (BYOD) in working place is a new challenge on network security and
management. Many corporations that allow employees to use their own device at work expecting have
better performance and productivity; however, on the downside, corporations also concern the network
security and information leakage by using private device. How to distinguish corporate-provided device
and private device (BYOD device), and give different authorities is the major task for IT teams.

The scenario in this guide shows you how to implement a BYOD environment with single SSID on DWS­3160 and external RADIU (FreeRADIUS) server. Use username, password, and device MAC info to assign
particular VLAN. All connection from the SSID required performing authentication before granted
authority.

The security protocol on SSID dlink_employee is WPA2 Enterprise. The authentication database is
external RADIUS server. In the RADIUS database, one user account includes username, password, and
device MAC address which is the corporate-provided. The authorized network is assigned based on
authentication information:

 If authentication info matches username, password, and device MAC address of the user

account, the user is authorized in VLAN2 network.

 If authentication info matches username and password, but it doesn’t match the device MAC

address (for example, use the Private NB to log on), the user is authorized in VLAN3 network.

 If authentication info doesn’t match either username or password, the user doesn’t get any

access.

How to Configure a BYOD Environment with the DWS-3160

Software Type

Software Name

Version

Operation System

Fedora

3.9.5-301.fc19.x86_64

FreeRadius

freeradius

2.2.0-6.fc19.x86_64

FreeRadius

freeradius-utils

2.2.0-6.fc19.x86_64

FreeRadius

freeradius-postgresql

2.2.0-6.fc19.x86_64

Postgresql

postgresql-server

9.2.6-1.fc19.x86_64

Postgresql

postgresql-libs

9.2.6-1.fc19.x86_64

Configuration Steps (FreeRADIUS)

1. Basic Requirement

In order to setup the RADIUS server, the following is the minimum requirement.

 A standard x86/x86-64 PC
 Installed Fedora Linux distribution ( Fedora 18+ is preferred)
 10GB HDD storage at least
 1GB ram at least
 Internet connection

2. Recommend Software Package list

All configuration steps are verification base on software version below:

3. Configure IP address on Fedora via GUI.

3-1. Log in as root in GUI.

3-2. Select Network Settings.

3-3. Click the gear. Manually set the IP address, Netmask and Gateway. In this case, set the
FreeRADIUS IP address as 192.168.10.15. The Netmask is 255.255.255.0. The Gateway IP address
is 192.168.10.1.

Note: Make sure the RADIUS server connect to internet before process following procedures.

How to Configure a BYOD Environment with the DWS-3160

4. Manual-Installation Procedure

Install FreeRADIUS steps-by-steps through the following description.

4-1. Open a terminal console and switch to root account

Use the su command and enter root’s password to get the root privilege as the following steps are
all needed root privilege.

How to Configure a BYOD Environment with the DWS-3160

4-2. Install the required package (the table listed in above)

Use the following command to install freeradius, postgresql, and the libraries. In default, the
installation path for FreeRADIUS is /etc/raddb.

-----------------------

yum install postgresql-server postgresql-libs freeradius freeradius-postgresql freeradius-utils

-----------------------

4-3. Configure FreeRADIUS. All configuration files for FreeRADIUS will be stored under
/etc/raddb.

Add the management VLAN in the FreeRADIUS. Edit /etc/raddb/client.conf. Add shared secret
for each client or each subnet. And save.

The fill in information is as below:

 short_name : the name of this entry
 secret : the secret for to this entry
 ipaddr and netmask : the ip address for this entry, you can specify an address or a subnet

The red items are the options you can edit

--------------------------------------­client short_name{

secret = shared_secret
ipaddr = 192.168.0.0
netmask = 24

How to Configure a BYOD Environment with the DWS-3160

}

---------------------------------------

In this case, add VLAN1 IP subnet. For example, add a new entry named test1, secret is

testing123, and the subnet is 192.168.10.0/24

--------------------------------------­client test1{

secret=testing123
ipaddr=192.168.10.0
netmask=24

}

---------------------------------------

4-4. Setup SQL server is as source database. Uncomment sql.conf in /etc/raddb/radiusd.conf.

Remove “#” in the beginning of “$INCLUDE sql.conf” to enable SQL as the data source of
FreeRADIUS. And save.

4-5. Setup database type, host name and server username/ password.

How to Configure a BYOD Environment with the DWS-3160

Edit below info under /etc/raddb/sql.conf. And save.

4-5-1. Set “database” = “postgresql”
4-5-2. Set “server” = the database server ip. Leave it as “localhost” if you don’t have separate
database.
4-5-3. Change “password” as desired. Suggest keep it as “radpass”

4-6. Edit log in format.

Edit below info under /etc/raddb/sql/postgresql/dialup.conf. And save.

4-6-1. Remove “#” in the beginning of “sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-
Name}:-none}}" ”
4-6-2. Add “#” in the beginning of “sql_user_name = "%{User-Name}"”

4-7. Enable Authorize and Accounting function on the SQL.

Edit below info under /etc/raddb/sites-enabled/default. And save.

4-7-1. Remove “#” in the beginning of “sql” in the sections of “authorize”, “accounting”

How to Configure a BYOD Environment with the DWS-3160

4-7-2. Please insert text below to the /etc/raddb/sites-enabled/default after line 511 and save
change.

-----------------------------------------------------------------------------

if ( "%{request:Calling-Station-Id}" != "" && "%{request:Calling-Station-Id}" == "%{sql: SELECT
callingstationid FROM radmacvlan WHERE username='%{User-Name}' and
callingstationid=upper('%{request:Calling-Station-Id}')}" ) {
update reply {
Tunnel-Private-Group-ID := "%{sql: SELECT tunnelprivategroupid FROM
radmacvlan WHERE username='%{User-Name}' and callingstationid=upper('%{request:Calling­Station-Id}')}"
Tunnel-Type := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Type' }"
Tunnel-Medium-Type := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Medium­Type' }"
}
}
else {
update reply {
Tunnel-Private-Group-Id := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Private-Group­Id' }"
Tunnel-Type := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Type' }"

Tunnel-Medium-Type := "%{sql: select value from radgroupreply right outer join
radusergroup on radgroupreply.groupname=radusergroup.groupname where
radusergroup.username='%{User-Name}' and radgroupreply.attribute='Tunnel-Medium­Type' }"

}
}

-----------------------------------------------------------------------------

3-8. Edit /etc/raddb/sites-enabled/ inner-tunnel

How to Configure a BYOD Environment with the DWS-3160

Remove “#” in the beginning of “sql” in the sections of “authorize”

5. Setup PostgreSQL server

5-1. Start Postgresql service

Execute the following commands to init and start postgresql. And save.

---------------------------

service postgresql initdb
service postgresql enable
service postgresql start

---------------------------

5-2. Create a database user for FreeRADIUS.

5-2-1. Create a database user for FreeRADIUS. Please note that the username and password must
be matched with username/password which set in /etc/raddb/sql.conf. In the settings of previous
steps, the username/ password are radius/ radpass.

----------------------------

sudo -u postgres createuser radius --no-superuser --no-createdb --no-createrole –P

----------------------------

5-2-2. Create a database for FreeRadius
Create a database for FreeRADIUS. The owner of this database should be the one we defined in
/etc/raddb/sql.conf.

How to Configure a BYOD Environment with the DWS-3160

----------------------------

sudo -u postgres createdb radius --owner=radius

----------------------------

5-2-2-1. Modify PostgreSQL listen address
Set IP address that PostgreSQL are listened on. Edit /var/lib/pgsql/data/postgresql.conf. Remove
“#” in the beginning listen_addresses. And save.

5-2-2-2. Edit /var/lib/pgsql/data/pg_hba.conf.
Remove “#” in the beginning of “local all all peer”.
Add two pieces info in the next line.

---------------------------------

local all all md5
host all all 0.0.0.0/0 md5

---------------------------------

5-2-2-3. Run the following command to re-start PostgreSQL

How to Configure a BYOD Environment with the DWS-3160

---------------------------------

service postgresql restart

---------------------------------

5-2-3. Import FreeRADIUS schemas.

Create a default group and insert a test user into the database. Please copy the schema.sql file
which provide by D-Link to replace the existence one under /etc/raddb/sql/postgresql/.

---------------------------------

cd /etc/raddb/sql/postgresql/
chown root:radius schema.sql

---------------------------------

Use the command below to create the table schema for database.

----------------------------

sudo cat /etc/raddb/sql/postgresql/schema.sql | psql -U radius radius

----------------------------

5-2-4. Set the default attribute to the default group.

How to Configure a BYOD Environment with the DWS-3160

Please use commands below to add the 3 default attributes to default group.

The values need to change:

 groupname: Define by user. We can only define one default vlan in the demo scenario.
 default_vlan_id: Define by user. We can only define one default vlan in the demo scenario.

----------------------------

echo “insert into radgroupreply (groupname,attribute,op,value) values('groupname','Tunnel­Private-Group-Id',':=','default_vlan_id');” | psql -U radius radius

----------------------------

----------------------------

echo “insert into radgroupreply (groupname,attribute,op,value) values('groupname',' Tunnel-
Type',':=','13');” | psql -U radius radius

----------------------------

----------------------------

echo “insert into radgroupreply (groupname,attribute,op,value) values('groupname',' Tunnel­Medium-Type',':=','6');” | psql -U radius radius

----------------------------

In this case, set the default VLAN as VLAN3. While the authentication information matches
username/ password but doesn’t match MAC address, the RADIUS accepts the authentication but
assign attribute default VLAN, VLAN3, to this client. The setting information is as below.

How to Configure a BYOD Environment with the DWS-3160

5-2-5. Create accounts in the database.

Please use command below to create accounts (username/ password/ MAC address) in database
for testing users.

The values need to change:

 Username: Define by user.
 Groupname: Define by user. We can only define one default vlan in the demo scenario.

----------------------------

echo “insert into radusergroup (username,groupname,priority)
values('username','groupname','1');” | psql -U radius radius

---------------------------

The values need to change:

 Username: Define by user.
 Value: Password for user

---------------------------

echo "insert into radcheck (username,attribute,op,value) values ('test','Cleartext­Password',':=','test');" |psql -U radius radius

---------------------------

How to Configure a BYOD Environment with the DWS-3160

The values need to change:

 Username: Define by user.
 Macaddr: MAC address of device
 Vlanid: Define by user

---------------------------

echo “insert into radmacvlan (username,callingstationid,tunnelprivategroupid)
values('username','macaddr','vlanid');” |psql -U radius radius

---------------------------

In this case, set the username/ password are as test/ test. The MAC address is the one of the
corporate-provided NB (08:11:96:71:00:00). While three factors are matched, the RADIUS assign
attribute VLAN2 to this client. The setting information is as below.

6. Stop the firewall process on FreeRadius server

---------------------------

service firewalld disable

How to Configure a BYOD Environment with the DWS-3160

service firewalld stop

---------------------------

7. Start FreeRADIUS service

7-1. Enable and start FreeRADIUS sevice

Use the following commands to enable and start FreeRADIUS service

---------------------------

service radiusd enable
service radiusd start

---------------------------

7-2. Test FreeRADIUS

Use the tool radtest of FreeRADIUS to check if FreeRADIUS run well. The example command is
as below.

---------------------------

radtest username password radius_ip 0 shared_secret

---------------------------

If the test is passed, it will show Access-Accept as below:

How to Configure a BYOD Environment with the DWS-3160

8. Post check after installation with RADIUS client

8-1. Download the FreeRadius client

There are many FreeRadius clients can be used for testing. The example in below is using

NTRadPing which is downloaded from internet.

7-2. Install the RADIUS client in your laptop which running with Win7.After installed, you can
configure RADIUS client through GUI.

Set few parameters when before start testing.

RADIUS Server/port: 192.168.10.15
Port: No need to change, default is 1812.
RADIUS Secret Key: Define by user.
User Name/Password: Define by user.
Additional RADIUS Attributes: Please select Calling-Station-Id in the left and input the MAC
Address of your device in the right.

Click Send to send the Authentication Request to the RADIUS server, you can find the reply from
RADIUS server in RADIUS Server reply window.

How to Configure a BYOD Environment with the DWS-3160

Configuration Steps (DWS-3160)

9. Set up VLAN based on the network architecture. VLAN1 is the default VLAN for AP

management. Associate VLAN1 on Port1.

Navigate to LAN> DWS-3160-24PC> L2 Feature> VLAN> 802.1Q VLAN Settings.

10. Create SSID. Enable security mode WPA2 Enterprise.

Navigate to WLAN> DWS-3160-24PC> Administration> Advanced Configuration> Networks.
Create a SSID. Assign VLAN1 on this SSID. Enable Security WAP/ WAP2. The security detail
setting is as below:
Security: WPA/ WPA2, WPA Enterprise
WPA Version: WPA2
WPA Ciphers: TKIP, CCMP (AES)

How to Configure a BYOD Environment with the DWS-3160

11. Create an AP Profile and associate the SSID on it.

3-1. Create an AP Profile “BYOD”. Navigate to WLAN> DWS-3160-24PC> Administration>
Advanced Configuration> AP Profiles> BYOD> Global.

How to Configure a BYOD Environment with the DWS-3160

3-2. Associate SSID dlink_employee on this AP Profile. Navigate to WLAN> DWS-3160-24PC>
Administration> Advanced Configuration> AP Profiles> BYOD> VAP.

12. Set RADIUS server.

Fill in RADIUS server IP address, and Key. Navigate to LAN> DWS-3160-24PC> Security>
RADIUS> Authentication RADIUS Server Settings.

13. Discover and manage an AP from the network.

How to Configure a BYOD Environment with the DWS-3160

Port1

Port2

Port3

Port4

Port5

VLAN1

Un-tag

Un-tag

Un-tag

-

Un-tag

VLAN2

Tag - -

Un-tag

Tag

VLAN3

Tag - - - Tag

Manage AP. Navigate to WLAN> DWS-4026> Monitoring> Access Point> All AP Status.

Configuration Steps (DGS-1210)

1. Set up VLANs based on the network architecture. Create three VLANs. VLAN1 is the default

VLAN for AP management and external RADIUS server, VLAN2 is for the user using corporate­provided NB with full access on internal resources (for example, internet and printer), and
VLAN3 is for the user using private NB with limited access (for example, internet). As DWS-3160
VLAN1 is un-tag VLAN, set VLAN1 as un-tag VLAN on switch. The VLAN table is as below.

How to Configure a BYOD Environment with the DWS-3160

2. (Option) Enable PoE on the ports which connect with APs if needed. In default, all ports are

enabled auto PoE detection.

Configuration Steps (DSR-500N)

1. Set up VLANs based on the network architecture. Create three VLANs. VLAN1 is the default

VLAN for AP management and external RADIUS server, VLAN2 is for the user using corporate­provided NB with full access on internal resources (for example, internet and printer), and
VLAN3 is for the user using private NB with limited access (for example, internet).

1-1. Set up VLAN2 and VLAN3. Navigate to SETUP> VLAN Settings> Available VLANs.

How to Configure a BYOD Environment with the DWS-3160

1-2. Enable DHCP server on default VLAN, VLAN2 and VLAN3. Navigate to SETUP> VLAN
Settings> Multiple VLAN Subnets.

How to Configure a BYOD Environment with the DWS-3160

1-3. Associate VLAN1 to 3 in Trunk mode on Port1.

How to Configure a BYOD Environment with the DWS-3160

Configuration Steps (Notebook, Microsoft/ Win7)

1. Set up wireless security.

1-1. Navigate to START> Control Panel> Network and Sharing Center. Click “Manage wireless
network”. Click “Add” to add a new wireless network. Select “Manually create a network
profile”.

How to Configure a BYOD Environment with the DWS-3160

1-2. Fill in the network name. Select security type as WPA2-Enterprise. Select the Encryption is
AES. Click “Next”.

1-3. Click “Change connection settings”.

1-3-1. Click tab “Security”. (Option) Tick “Remember my credentials for the connection each
time I’m logged on” to keep the username/ password information in the computer.

1-3-2. Click “Settings” of “Choose a network authentication method”. Un-check “Validate
server certification”.

How to Configure a BYOD Environment with the DWS-3160

1-3-3. Click “Configure..” of Select Authentication Method”. (Option) Un-check “Automatically
use my Windows logon name and password (and domain if any)” if the username/ password is
not the same as Windows logon information.

2. Connect the wireless. Insert the username and password.

Configuration Steps (Notebook, Apple/ iOS10)

1. Set up wireless security. Click WiFi and select “Join Other Network…”.

How to Configure a BYOD Environment with the DWS-3160

2. Fill in the network name. Select security type as WPA2-Enterprise. Click “Join”.

3. Click “Cancel” on Verify Certificate.

Proof of Concept

The NB with MAC 08:11:96:71, which is the corporate-provided device, is assigned VLAN2 after
pass the authentication. The NB would get IP address of VLAN2 subnet (for example,

192.168.0.x). It can access resources on VLAN2, for example, printer and internet.

The NB with MAC 00:13:02:69:7F:E9, which is the private device, even use the same username/
password, as the MAC address doesn’t match with the database, it is assigned VLAN3 after pass
authentication and get IP address of VLAN3 subnet (for example, 192.168.1.x). It can access
resources on VLAN3, for example, internet.

How to Configure a BYOD Environment with the DWS-3160

D-Link, D-Link logo, D-Link sub brand logos and D-Link product trademarks are trademarks or registered trademarks of D-Link Corporation and its subsidiaries.

All other third party marks mentioned herein are trademarks of the respective owners.

Copyright © 2014 D-Link Corporation. All Rights Reserved.

www.dlink.com