This guide explains how to configure and manage Guest authentication (via captive portal) and IoT authentication (via MAC-based authentication) on a single SSID, using Huawei (in Third-Party Portal Server mode) and the Cloudi-Fi platform. By following the steps outlined in this document, network administrators can ensure secure and efficient connectivity for Guest and IoT devices within their network.
Prerequisites
Before starting:
- Ensure you have deployed the Cloudi-Fi captive portal using the following documentation: How to integrate Huawei iMaster NCE-Campus in Third-Party Portal Server mode.
- Contact Cloudi-Fi Support (see How to contact your Cloudi-Fi support) to enable MAC-based authentication for your Cloudi-Fi tenant.
1. Create your IoT Security Profile
The Security Profile determines whether Cloudi-Fi returns an Access-Accept during the RADIUS authentication of the IoT device.
Go to your Cloudi-Fi Admin Console, navigate to Network > Security Profiles, select "Add profile", and fill in the following fields:
- Name (e.g. Whitelist)
- Location (e.g. All)
- Description
- Type: Whitelist
By default, for an unknown IoT device (i.e. one that has never connected to the Cloudi-Fi solution and has not been added to the Whitelist), the Cloudi-Fi RADIUS server returns an Access-Reject to Huawei.
2. Update your SSID configuration
Go to Network Configuration > Site Configuration > Site Configuration then Site > Quick configuration and edit your existing SSID (with Guest captive portal authentication).
Then, in Security Authentication, update the following parameters:
- Portal authentication exemption : Enable
- Portal authentication-free validity period : 1 Minute
Portal authentication‑free validity period in Huawei networking (Portal authentication) refers to the duration after a user successfully authenticates via the captive portal during which they can reconnect to the Wi‑Fi/network without having to authenticate again. In other words, once a user logs in through the portal (e.g., on a guest Wi‑Fi), they can leave and return to the network within this configured time without repeating the login process.
Click Next, then Ok to save the change.
3. Set your NAS_ID
The NAS_ID identifies the location from which MAC-based authentication occurs when the device connects to the SSID. It is therefore needed to determine the site from which the user is connecting. In the context of Huawei, the NAS_ID corresponds to the MAC address of the Access Point used for authentication.
This NAS_ID must be added under Cloudi-Fi > Locations, in the identifiers as a MAC address.
Example below.
4. Add and Register IoT Devices in Cloudi-Fi
Go to your Cloudi-Fi Admin Console and navigate to Network > Devices.
Then, click Add Device and enter the following:
In Network
- Device Name (e.g., SmartPrinter-001)
- MAC Address of the device
- Security Profile (e.g. Whitelist)
In Identification
- Device type
- Linked user
For an IoT device, if you assign both a Security Profile and a linked user, the profile of the linked user will be the one shared in the Access-Accept response.
For example, if you configure an IoT device with
- Security profile: "Whitelist"
- Linked user: John Doe, who has the visitor profile called "Partner"
Once added:
- The device is automatically whitelisted.
- It can connect to the SSID without a captive portal.
Additional Notes
- Any device that attempts to connect to the SSID will be available on the Cloudi-Fi platform.
- You can view unassigned devices and manually assign them to a user to apply relevant policies.
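
The decision flow described in steps 1 to 4, modelled as an added example (this is not Cloudi-Fi or Huawei code): the AP MAC sent as NAS_ID resolves the location, an unregistered device gets an Access-Reject and is recorded as unassigned, and a linked user's profile takes precedence over the Security Profile. All MAC addresses, the location name "Paris-HQ" and the device "Sensor-002" are constructed sample values; rejecting an AP MAC that matches no location is an assumption of this model, not documented platform behaviour.

```python
import re

def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to 12 lowercase hex digits, whatever the separators."""
    mac = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

# Constructed sample data standing in for the Admin Console entries.
LOCATIONS = {normalize_mac("0200-0000-00a1"): "Paris-HQ"}  # AP MAC (NAS_ID) -> location
USER_PROFILES = {"John Doe": "Partner"}                    # linked user -> visitor profile
DEVICES = {
    normalize_mac("02:00:00:AA:BB:01"): {
        "name": "SmartPrinter-001", "security_profile": "Whitelist",
        "linked_user": "John Doe"},
    normalize_mac("02-00-00-AA-BB-02"): {
        "name": "Sensor-002", "security_profile": "Whitelist",
        "linked_user": None},
}
UNASSIGNED = set()  # devices seen on the SSID but not registered

def mac_auth(device_mac: str, nas_id: str) -> dict:
    """Model the RADIUS decision for one MAC-based authentication attempt."""
    mac = normalize_mac(device_mac)
    location = LOCATIONS.get(normalize_mac(nas_id))
    device = DEVICES.get(mac)
    if device is None:
        UNASSIGNED.add(mac)  # still visible on the platform for later assignment
        return {"reply": "Access-Reject", "profile": None, "location": location}
    if location is None:
        # Assumption of this model: an AP MAC not listed under Locations is rejected.
        return {"reply": "Access-Reject", "profile": None, "location": None}
    # The linked user's profile takes precedence over the Security Profile.
    profile = USER_PROFILES.get(device["linked_user"], device["security_profile"])
    return {"reply": "Access-Accept", "profile": profile, "location": location}

if __name__ == "__main__":
    # The same addresses written in different notations must still match.
    for dev, ap in [("0200-00aa-bb01", "02:00:00:00:00:A1"),
                    ("02:00:00:aa:bb:02", "0200-0000-00a1"),
                    ("02:00:00:aa:bb:99", "0200-0000-00a1")]:
        print(dev, mac_auth(dev, ap))
```

The normalisation step matters in practice because the same address can be written with different separators in the AP inventory, the Locations identifiers and the device list; comparing raw strings would turn a registered device into an unknown one.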