Key Configuration Check
VAP Profile Configuration
Find the corresponding VAP profile based on the SSID, and check the configurations of the VAP profile, including the configurations of the security profile and authentication profile.
- Run the display vap-profile all command to check all VAP profiles and find the corresponding VAP profile based on the SSID.
    [HUAWEI] display vap-profile all
    FMode   : Forward mode
    STA U/D : Rate limit client up/down
    VAP U/D : Rate limit VAP up/down
    BR2G/5G : Beacon 2.4G/5G rate
    ---------------------------------------------------------------------------------------------------------------------
    Name       FMode   Type     VLAN      AuthType     STA U/D(Kbps)  VAP U/D(Kbps)  BR2G/5G(Mbps)  Reference  SSID
    ---------------------------------------------------------------------------------------------------------------------
    default    direct  service  VLAN 1    Open         -/-            -/-            1/6            0          HUAWEI-WLAN
    vap_dot1x  tunnel  service  VLAN 200  WPA2+802.1X  -/-            -/-            1/6            3          dot1x_test
    ---------------------------------------------------------------------------------------------------------------------
    Total: 2
It is not recommended that the same SSID be bound to multiple VAP profiles because exceptions (such as access failures) will occur when multiple VAP profiles with the same SSID are bound to the same AP.
- Check the configurations of the VAP profile, and find the security profile and authentication profile bound to the VAP profile.
    [HUAWEI] wlan
    [HUAWEI-wlan-view] vap-profile name vap_dot1x
    [HUAWEI-wlan-vap-prof-vap_dot1x] display this
    #
     forward-mode tunnel
     service-vlan vlan-id 200
     ssid-profile dot1x
     security-profile security_dot1x
     authentication-profile authen_dot1x
    #
- Check the configuration of the security profile. The security policy must be set to WPA/WPA2-802.1X authentication and encryption.
    [HUAWEI] wlan
    [HUAWEI-wlan-view] security-profile name security_dot1x
    [HUAWEI-wlan-sec-prof-security_dot1x] display this
    #
     security wpa2 dot1x aes
    #
- Check the configuration of the authentication profile. It must have an 802.1X access profile bound.
    [HUAWEI] authentication-profile name authen_dot1x
    [HUAWEI-authentication-profile-authen_dot1x] display this
    #
    authentication-profile name authen_dot1x
     dot1x-access-profile access_dot1x
     access-domain domain_test
    #
- Check the configuration of the 802.1X access profile. The authentication mode must be the EAP relay mode, which is the default value.
    [HUAWEI] dot1x-access-profile name access_dot1x
    [HUAWEI-dot1x-access-profile-access_dot1x] display this
    #
    dot1x-access-profile name access_dot1x
    #
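The check chain above (VAP profile, then security profile and authentication profile, then 802.1X access profile) can be run over saved `display this` outputs. This is an added example, not Huawei code; `bound`, `audit_vap` and the `vap_guest`, `security_open` and `authen_guest` profiles are hypothetical names constructed for illustration.

```python
import re

def bound(text, keyword):
    """Name bound by '<keyword> <name>' in a 'display this' output, or None."""
    m = re.search(rf"^\s*{re.escape(keyword)}\s+(\S+)", text, re.M)
    return m.group(1) if m else None

def audit_vap(vap_name, vap, security, authen, access):
    """Follow VAP -> security/authentication -> 802.1X access profile.
    Each dict maps a profile name to its 'display this' text. Returns findings."""
    cfg = vap.get(vap_name)
    if cfg is None:
        return [f"VAP profile {vap_name} not found"]
    findings = []
    sec = bound(cfg, "security-profile")
    auth = bound(cfg, "authentication-profile")
    if sec not in security:
        findings.append(f"security profile {sec} missing")
    elif not re.search(r"^\s*security\s+wpa\S*\s+dot1x\b", security[sec], re.M):
        findings.append(f"security profile {sec} is not WPA/WPA2-802.1X")
    if auth not in authen:
        findings.append(f"authentication profile {auth} missing")
    else:
        acc = bound(authen[auth], "dot1x-access-profile")
        if acc is None:
            findings.append(f"authentication profile {auth} has no 802.1X access profile")
        elif acc not in access:
            findings.append(f"802.1X access profile {acc} missing")
    return findings

# Profiles from the page, plus constructed vap_guest/security_open/authen_guest.
VAP = {
    "vap_dot1x": "#\n security-profile security_dot1x\n authentication-profile authen_dot1x\n#",
    "vap_guest": "#\n security-profile security_open\n authentication-profile authen_guest\n#",
}
SECURITY = {"security_dot1x": "#\n security wpa2 dot1x aes\n#",
            "security_open": "#\n security open\n#"}
AUTHEN = {
    "authen_dot1x": "#\nauthentication-profile name authen_dot1x\n dot1x-access-profile access_dot1x\n#",
    "authen_guest": "#\nauthentication-profile name authen_guest\n#",
}
ACCESS = {"access_dot1x": "#\ndot1x-access-profile name access_dot1x\n#"}

if __name__ == "__main__":
    for name in VAP:
        print(name, audit_vap(name, VAP, SECURITY, AUTHEN, ACCESS) or "OK")
```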
Authentication Mode Configuration
In 802.1X authentication scenarios, the authentication mode must be set to RADIUS authentication.
802.1X authentication supports local and RADIUS authentication modes. In local authentication mode, you need to create a local user and configure the built-in EAP server. This document uses RADIUS authentication as an example.
The authentication mode is specified in an authentication scheme. An authentication scheme can be applied using either of the following two methods:
    Method 1: Apply it to an authentication profile directly.
    Method 2: Apply it to a domain, which is then bound to the authentication profile.
The first method has a higher priority (because the domain configuration does not need to be considered). The two methods cannot be used together. If both methods are configured, the first method takes effect, and the default or forcible domain configured in the authentication profile using the second method does not take effect. In actual projects, method 2 is recommended.
- Method 1: Apply an authentication scheme to an authentication profile.
When applying an authentication scheme to an authentication profile, you must also apply a RADIUS server template. If accounting is required, apply an accounting scheme.
    [HUAWEI] authentication-profile name authen_dot1x
    [HUAWEI-authentication-profile-authen_dot1x] display this
    #
    authentication-profile name authen_dot1x
     dot1x-access-profile access_dot1x
     authentication-scheme radius
     accounting-scheme radius
     radius-server radius_test
    #
- Method 2: Apply an authentication scheme to a domain.
When applying an authentication scheme to a domain, you must also apply a RADIUS server template. If accounting is required, apply an accounting scheme to the domain.
    [HUAWEI] aaa
    [HUAWEI-aaa] domain domain_test
    [HUAWEI-aaa-domain-domain_test] display this
    #
     domain domain_test
      authentication-scheme radius
      accounting-scheme radius
      radius-server radius_test
    #
Then configure the default domain or forcible domain in the authentication profile. It is recommended that you configure a default domain with no access type specified in the authentication profile.
    [HUAWEI] authentication-profile name authen_dot1x
    [HUAWEI-authentication-profile-authen_dot1x] display this
    #
    authentication-profile name authen_dot1x
     dot1x-access-profile access_dot1x
     access-domain domain_test
    #
The authentication domain for a terminal is selected in descending order of priority: forcible domain for a specified access type > forcible domain with no access type specified > valid domain carried in the user name > default domain for a specified access type > default domain with no access type specified > global default domain. The following are configuration examples of different domains:
- Forcible domain for a specified access type:
    [HUAWEI-authentication-profile-authen_dot1x] display this
    #
    authentication-profile name authen_dot1x
     dot1x-access-profile access_dot1x
     access-domain domain_test dot1x force
- Forcible domain with no access type specified:
    [HUAWEI-authentication-profile-authen_dot1x] display this
    #
    authentication-profile name authen_dot1x
     dot1x-access-profile access_dot1x
     access-domain domain_test force
- Valid domain carried in the user name: The user name used for authentication contains the domain name in @ format, and the domain has been created on the device.
- Default domain for a specified access type:
    [HUAWEI-authentication-profile-authen_dot1x] display this
    #
    authentication-profile name authen_dot1x
     dot1x-access-profile access_dot1x
     access-domain domain_test dot1x
- Default domain with no access type specified:
    [HUAWEI-authentication-profile-authen_dot1x] display this
    #
    authentication-profile name authen_dot1x
     dot1x-access-profile access_dot1x
     access-domain domain_test
- Global default domain: It is specified by the domain xxx command in the system view.
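The precedence rules above (Method 1 over Method 2, then the domain priority order) can be applied to an authentication profile's `display this` output to see which setting actually governs a given user. This is an added example, not Huawei code; `resolve`, `parse_access_domains`, the domains `domain_voice` and `corp`, and the `user@domain` user name form are assumptions made for illustration.

```python
import re

ACCESS_TYPE = "dot1x"

def parse_access_domains(profile_text):
    """Map (access_type or None, is_forcible) -> domain from 'display this' text."""
    found = {}
    for line in profile_text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0] == "access-domain":
            opts = tok[2:]
            types = [o for o in opts if o != "force"]
            found[(types[0] if types else None, "force" in opts)] = tok[1]
    return found

def resolve(profile_text, username, domains, global_default):
    """Return (source, name, warning). `domains` maps each domain created in
    the aaa view to its authentication scheme (supplied by the caller)."""
    doms = parse_access_domains(profile_text)
    m = re.search(r"^\s*authentication-scheme\s+(\S+)", profile_text, re.M)
    if m:  # Method 1 takes effect; access-domain lines in the profile do not
        warn = "access-domain configured but ignored" if doms else None
        return ("profile scheme", m.group(1), warn)
    # Assumption: the user name carries the domain as user@domain.
    user_dom = username.rsplit("@", 1)[1] if "@" in username else None
    candidates = [
        ("forcible domain for access type", doms.get((ACCESS_TYPE, True))),
        ("forcible domain", doms.get((None, True))),
        ("domain in user name", user_dom if user_dom in domains else None),
        ("default domain for access type", doms.get((ACCESS_TYPE, False))),
        ("default domain", doms.get((None, False))),
        ("global default domain", global_default),
    ]
    source, name = next(((s, d) for s, d in candidates if d), ("none", None))
    warn = None if name in domains else "domain not in supplied domain list"
    return (source, name, warn)

# Constructed sample input, modelled on the profiles shown above.
PROFILE = """#
authentication-profile name authen_dot1x
 dot1x-access-profile access_dot1x
 access-domain domain_test
 access-domain domain_voice dot1x force
#"""
DOMAINS = {"domain_test": "radius", "domain_voice": "radius", "corp": "radius"}

if __name__ == "__main__":
    print(resolve(PROFILE, "alice@corp", DOMAINS, "default"))
```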