FAQ: How to configure wireless MAC local authentication on AC6605 V200R003

Published: 2014-09-12
Problem description
Q:
How do I configure wireless MAC local authentication on AC6605 V200R003?
Alarm information
Handling procedure
A:
1. First complete the basic WLAN configuration without any MAC authentication, and make sure the AP comes online and wireless clients can authenticate;
2. In the aaa view, create a domain for MAC local authentication, using the domain name huawei as an example: [AC 6605-aaa]domain huawei;
3. In the system view, enable MAC authentication and add the MAC addresses of the wireless clients that are allowed to pass authentication
      [AC 6605]mac-authen
      [AC 6605]mac-authen domain huawei mac-address f83d-ff76-83a7 mask ffff-ffff-ffff   //the domain name after "domain" must match the domain created in the aaa view;
4. Enable MAC authentication on the Wlan-ess interface
      [AC 6605-Wlan-Ess0]mac-authen
5. In the aaa view, create an authentication scheme with authentication mode none, and bind it to the huawei domain
#
aaa                                      
authentication-scheme huawei
  authentication-mode none
domain huawei 
  authentication-scheme huawei
#
6. Deliver the configuration to the AP; the MAC local authentication configuration is complete
[AC 6605-wlan-view]commit ap 0
7. Test with phones: the phone with MAC address f83d-ff76-83a7 passes authentication; the other phones cannot associate and fail authentication.

[Quidway-wlan-view]dis mac-au
  MAC address authentication is Enabled.
  Username format: use MAC address with-hyphen as username
  Quiet period is 60s
  Authentication fail times before quiet is 1
  Offline detect period is 300s
  Server response timeout value is 30s
  Reauthenticate period is 1800s
  Guest user reauthenticate period is 60s
  Maximum users: 10240
  Current users: 1
  Global domain is not configured

  MAC-authen domain config by MAC address range:
  MAC-address     MAC-mask        domain
  -----------------------------------------------------------------------------
  f83d-ff76-83a7  ffff-ffff-ffff  huawei                                      
  -----------------------------------------------------------------------------

Wlan-Ess0 state: UP.  MAC address authentication is enabled
  Reauthentication is enabled
  Reauthen Period: 1800s
  Maximum users: 2048
  Current users: 1      

  Wlan-Dbss0:0 status: UP
  Authentication Success: 2, Failure: 6
  Guest VLAN is disabled

Online user(s) info:
UserId   MAC/VLAN            AccessTime              UserName
------------------------------------------------------------------------------
206      f83d-ff76-83a7/100  2013/12/10 16:28:06     f83d-ff76-83a7          
------------------------------------------------------------------------------
Total 1,1 printed
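Added example (Python, not from the original FAQ or from Huawei): it normalises MAC addresses into the hyphenated xxxx-xxxx-xxxx form the AC uses, generates the step-3 allow-list lines, and parses "display mac-authen" output to flag online clients that no rule in the domain covers, applying the mask the way the AC does. The sample output is constructed from the FAQ's display above; the second client a1b2-c3d4-e5f6 is an assumption. Because authentication-mode none leaves the MAC address as the only credential, this is the kind of periodic consistency check the allow-list deserves.

```python
import re
# Constructed "display mac-authen" sample (two tables only); first MAC/domain mirror the FAQ.
SAMPLE_OUTPUT = """\
  MAC-authen domain config by MAC address range:
  MAC-address     MAC-mask        domain
  -----------------------------------------------------------------------------
  f83d-ff76-83a7  ffff-ffff-ffff  huawei
Online user(s) info:
UserId   MAC/VLAN            AccessTime              UserName
------------------------------------------------------------------------------
206      f83d-ff76-83a7/100  2013/12/10 16:28:06     f83d-ff76-83a7
207      a1b2-c3d4-e5f6/100  2013/12/10 16:30:12     a1b2-c3d4-e5f6
"""

def to_vrp_mac(mac):
    """Normalise any common MAC notation to the xxxx-xxxx-xxxx form VRP uses."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def allow_list_config(domain, macs):
    """Emit the per-MAC 'mac-authen domain' lines used in step 3 of the FAQ."""
    return ["mac-authen domain %s mac-address %s mask ffff-ffff-ffff"
            % (domain, to_vrp_mac(m)) for m in macs]

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
RULE_RE = re.compile(r"^\s*(%s)\s+(%s)\s+(\S+)\s*$" % (MAC, MAC))
USER_RE = re.compile(r"^\s*\d+\s+(%s)/\d+\s" % MAC)

def mac_int(vrp_mac):
    return int(vrp_mac.replace("-", ""), 16)

def parse_mac_authen(output):
    """Return ([(base, mask, domain)], [online MACs]) from 'display mac-authen'."""
    rules, online = [], []
    for line in output.splitlines():
        rule, user = RULE_RE.match(line), USER_RE.match(line)
        if rule:
            rules.append((mac_int(rule.group(1)), mac_int(rule.group(2)), rule.group(3)))
        elif user:
            online.append(user.group(1))
    return rules, online

def unexpected_online(output, domain):
    """Online MACs that no rule of the domain covers (mask applied as the AC does)."""
    rules, online = parse_mac_authen(output)
    def permitted(v):
        return any(d == domain and (v & k) == (b & k) for b, k, d in rules)
    return sorted(m for m in set(online) if not permitted(mac_int(m)))
```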

-----------------------------------------------------------------------------------
Root cause
Suggestions and summary
Starting with AC6605 V200R003, a local user created in the aaa view may no longer have an identical user name and password, so the V200R002 method of creating, in the aaa view, an account whose user name and password are both the client's MAC address cannot be used; on V200R003 follow the configuration above.
Configuration script:
#
sysname Quidway
#
snmp-agent local-engineid 800007DB03DCD2FC2039C5
undo snmp-agent community complexity-check disable
snmp-agent
#
vlan batch 100 800
#
observe-port interface GigabitEthernet0/0/19
#
mac-authen
mac-authen username macaddress format with-hyphen
mac-authen domain huawei mac-address f83d-ff76-83a7 mask ffff-ffff-ffff
#
dhcp enable
#
diffserv domain default
#
pki realm default
enrollment self-signed
#
drop-profile default
#
aaa                                      
authentication-scheme default
authentication-scheme huawei
  authentication-mode none
authorization-scheme default
authorization-scheme huawei
  authorization-mode none
accounting-scheme default
domain default 
domain default_admin 
domain huawei 
  authentication-scheme huawei
local-user admin password cipher %@%@ZvP)7s4d"Bo4|!.<d'I3Iu*h%@%@
local-user admin service-type http
local-user huawei password cipher %@%@@tMC4A,~]Cree/U9Rp8$Iu*r%@%@
local-user huawei privilege level 15
local-user huawei service-type telnet http
#
interface Vlanif1
#
interface Vlanif100
ip address 2.2.2.2 255.255.255.0
dhcp select interface
#
interface Vlanif800                      
ip address 1.1.1.1 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 800
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8           
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 2 to 4094
mirror to observe-port both
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18          
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface Wlan-Ess0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
mac-authen
#
interface NULL0
#                                        
ip route-static 192.169.111.0 255.255.255.0 192.168.108.1
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@!m~Y(gE<h,3>gI"C&={+,.Rya9u,)R[@R<!Nvg1+%s{6.R|,%@%@
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
wlan
wlan ac source interface vlanif800
ap id 0 type-id 30 mac e468-a352-1180 sn 210235555010D4000014
wmm-profile name huawei id 0
traffic-profile name HUAWEI id 0
security-profile name huawei id 0
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %@%@X&dYDba]A3WT@~LH'>8)C9AW%@%@ encryption-method ccmp
service-set name huawei id 0
  wlan-ess 0
  ssid mac
  traffic-profile id 0
  security-profile id 0
  service-vlan 100
radio-profile name huawei id 0          
  wmm-profile id 0
ap 0 radio 0
  radio-profile id 0
  service-set id 0 wlan 1
#
return
