Standalone AC + NAC Solution: Aggregation Switches and ACs Function as the Authentication Points for Wired and Wireless Users Respectively
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data.
Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth. A standalone AC is deployed in off-path mode. It centrally manages APs on the entire network.
In this example, aggregation switches function as the gateways for wired and wireless users and also function as the authentication points for wired users. Standalone ACs function as the authentication points for wireless users. The wired and wireless users can access the network only after being authenticated. The specific requirements are as follows:
- Users include employees (wired and wireless) who use 802.1X authentication and guests (wireless only) who use MAC address-prioritized Portal authentication.
- Agile Controller-Campus functions as both the authentication server and user service data source server.
- Agile Controller-Campus delivers ACLs for authorization of successfully authenticated users to control network access rights of these users of different roles.
- Port isolation needs to be configured on access switches to control Layer 2 traffic of users.
Device Requirements and Versions
Location | Device Requirement | Device Used in This Example | Version Used in This Example
---|---|---|---
Authentication server | Agile Controller-Campus running V100R001, V100R002, or V100R003 | Agile Controller-Campus | V100R003C60SPC206
Core layer | - | S12700E | V200R019C10
Aggregation layer | - | S5731-H |
Access layer | - | S5735-L |
AC | - | AC6605 |
AP | - | AP6050DN | V200R019C00
Deployment Roadmap
Step | Deployment Roadmap
---|---
Enable campus network connectivity. | 1. For details, see Standalone AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users.
Configure aggregation switches and ACs. | 2. Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains, as well as configuring parameters for interconnection between switches and the RADIUS server.
 | 3. Configure resources accessible to users before they are authenticated (referred to as authentication-free resources), and network access rights to be granted to successfully authenticated employees and guests.
 | 4. Configure 802.1X authentication for employees.
 | 5. Configure MAC address-prioritized Portal authentication for guests only on ACs.
Configure access switches. | 6. Configure Layer 2 transparent transmission for 802.1X authentication packets.
Configure Agile Controller-Campus. | 7. Add devices that need to communicate with Agile Controller-Campus, and configure RADIUS and Portal authentication parameters.
 | 8. Add user groups and user accounts.
 | 9. Enable MAC address-prioritized Portal authentication.
 | 10. Configure network access rights for successfully authenticated employees and guests.
Data Plan
Item | VLAN ID | Network Segment
---|---|---
Network segment for connecting to the Internet | - | 172.16.3.0/24
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.0/24
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.100.0/24
Device | Item | VLAN ID | Network Segment
---|---|---|---
AGG1 | Management VLAN for APs | VLAN 20 | 192.168.20.0/24
 | Service VLANs for wireless users | VLAN 30 (employee) | 172.16.30.0/24
 | | VLAN 31 (guest) | 172.16.31.0/24
 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24
AGG2 | Management VLAN for APs | VLAN 21 | 192.168.21.0/24
 | Service VLANs for wireless users | VLAN 40 (employee) | 172.16.40.0/24
 | | VLAN 41 (guest) | 172.16.41.0/24
 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24
Item | Employee | Guest
---|---|---
Traffic profile | traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. | traff (shared with employees)
Security profiles | sec1: WPA/WPA2-802.1X authentication | sec2: open system authentication (default security policy)
SSID profiles | ssid1 | ssid2
AP groups | ap-group1, ap-group2 | ap-group1, ap-group2
Regulatory domain profile | domain1 | domain1
Service data forwarding mode | Tunnel forwarding | Tunnel forwarding
VAP profiles | vap1 | vap2
Item | Data
---|---
AAA schemes | Authentication scheme: auth (authentication mode RADIUS); accounting scheme: acco (accounting mode RADIUS, real-time accounting interval 15 minutes); authentication domain on the aggregation switches: huawei.com
RADIUS server | Template name: tem_rad; IP address: 192.168.100.10; authentication port: 1812; accounting port: 1813; shared key: YsHsjx_202206
Portal server | Template name: tem_portal; IP address: 192.168.100.10; port: 50200; shared key: YsHsjx_202206; URL: http://192.168.100.10:8080/portal
802.1X access profile | Name: d1
Portal access profile | Name: web1
MAC access profile | Name: mac1
Authentication-free resources | DNS server: 192.168.100.2
Network access rights for successfully authenticated users | The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.
Item | Data
---|---
User accounts (user name/password) | Employees: user1 (wired) and user2 (wireless); guest: guest4
Device IP addresses | AGG1: 172.16.70.2; AGG2: 172.16.80.2; AGG-AC1: 192.168.20.1 (backup AC: 192.168.20.2); AGG-AC3: 192.168.21.1 (backup AC: 192.168.21.2)
RADIUS authentication parameters | Authentication/accounting key: YsHsjx_202206; authorization key: YsHsjx_202206; real-time accounting interval: 15 minutes
Portal authentication parameters | Portal protocol type: HUAWEI portal protocol; Portal key: YsHsjx_202206; Portal server IP address: 192.168.100.10; Portal server port: 50200; validity period of MAC address for MAC address-prioritized Portal authentication: 60 minutes
Configuration Precautions
- It is not recommended that VLAN 1 be used as the management VLAN or a service VLAN. Remove all interfaces from VLAN 1. Allow an interface to transparently transmit packets from a VLAN based on actual service requirements. Do not allow an interface to transparently transmit packets from all VLANs.
- In direct forwarding mode, it is recommended that different VLANs be used as the management VLAN and service VLAN. Otherwise, service interruptions may occur. If a VLAN is configured as both the management VLAN and service VLAN, and the interface connecting a switch to an AP has the management VLAN ID as the PVID, downstream packets in the service VLAN are terminated when going out from the switch. In this case, services are interrupted.
- In direct forwarding mode, service packets from APs are not encapsulated in CAPWAP tunnels, but are directly forwarded to the upper-layer network. Service packets and management packets can be transmitted properly only if the network between APs and the upper-layer network is added to the service VLAN and the network between ACs and APs is added to the management VLAN.
- WLAN service configurations (for example, WMM profile, radio profile, radio, traffic profile, security profile, security policy, and WLAN ID) of the AP associated with the master and backup ACs must be consistent on the two ACs; otherwise, user services may be affected after a master/backup switchover between the ACs. The models and software versions of the master and backup ACs must be the same.
- When deploying the DHCP server in the scenario where VRRP and HSB are configured, note the following:
- In versions earlier than V200R019C00, the DHCP server-enabled interface must be the interface on which a VRRP group is created. Otherwise, the master and backup ACs will allocate IP addresses at the same time. In V200R019C00 and later versions, there is no restriction on the DHCP server-enabled interface. Only the master AC allocates IP addresses. IP address allocation information on the master AC will be synchronized to the backup AC.
- The IP address pools configured on the master and backup ACs must be the same. If they are different, data backup between the master and backup ACs will fail.
- You need to run the hsb-service-type dhcp hsb-group group-index command to bind the DHCP service to the HSB group. Otherwise, IP address allocation information on the master and backup ACs cannot be backed up.
Procedure
- Enable campus network connectivity. For details, see Standalone AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] description con to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/5
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/5
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
- Configure the authentication service on aggregation switches. The following uses AGG1 as an example. The configuration of AGG2 is similar to that of AGG1.
- Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the parameters for interconnection between CORE and the RADIUS server, including the IP addresses, port numbers, authentication key, and accounting key of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[AGG1-radius-tem_rad] quit
# Configure a RADIUS authorization server and an authorization key.
[AGG1] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206
# Configure an AAA authentication scheme and an AAA accounting scheme, set the authentication and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[AGG1] aaa
[AGG1-aaa] authentication-scheme auth
[AGG1-aaa-authen-auth] authentication-mode radius
[AGG1-aaa-authen-auth] quit
[AGG1-aaa] accounting-scheme acco
[AGG1-aaa-accounting-acco] accounting-mode radius
[AGG1-aaa-accounting-acco] accounting realtime 15
[AGG1-aaa-accounting-acco] quit
# Configure the authentication domain huawei.com and bind the AAA schemes and RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit
- Configure authentication-free resources and network access rights for successfully authenticated employees.
# Configure authentication-free resources to allow packets destined for the DNS server and packets from the AP management VLAN to pass through.
[AGG1] free-rule-template name default_free_rule
[AGG1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG1-free-rule-default_free_rule] free-rule 2 source vlan 20
[AGG1-free-rule-default_free_rule] quit
# Configure network access rights for successfully authenticated employees to allow them to access the Internet, DNS server, and service server and to communicate with each other.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 8 deny ip destination any
[AGG1-acl-adv-3001] quit
- Configure 802.1X authentication for employees.
# Configure an 802.1X access profile. By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X authentication requests.
[AGG1] dot1x-access-profile name d1
[AGG1-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees.
[AGG1] authentication-profile name p1
[AGG1-authen-profile-p1] dot1x-access-profile d1
[AGG1-authen-profile-p1] free-rule-template default_free_rule
[AGG1-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[AGG1-authen-profile-p1] quit
# Configure 802.1X authentication for wired access of employees on downlink interfaces.
[AGG1] interface Eth-Trunk 30
[AGG1-Eth-Trunk30] authentication-profile p1
[AGG1-Eth-Trunk30] quit
- Configure the authentication service on ACs. The following uses AGG-AC1 as an example. The configurations of other ACs are similar to that of AGG-AC1.
- Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the parameters for interconnection between ACs and the RADIUS server, including the IP addresses, port numbers, authentication key, and accounting key of the RADIUS authentication and accounting servers.
<AGG-AC1> system-view
[AGG-AC1] radius-server template tem_rad
[AGG-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG-AC1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[AGG-AC1-radius-tem_rad] quit
# Configure a RADIUS authorization server and an authorization key.
[AGG-AC1] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206
# Configure an AAA authentication scheme and an AAA accounting scheme, set the authentication and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[AGG-AC1] aaa
[AGG-AC1-aaa] authentication-scheme auth
[AGG-AC1-aaa-authen-auth] authentication-mode radius
[AGG-AC1-aaa-authen-auth] quit
[AGG-AC1-aaa] accounting-scheme acco
[AGG-AC1-aaa-accounting-acco] accounting-mode radius
[AGG-AC1-aaa-accounting-acco] accounting realtime 15
[AGG-AC1-aaa-accounting-acco] quit
- Configure authentication-free resources and network access rights for successfully authenticated users.
# Configure authentication-free resources to allow packets destined for the DNS server to pass through.
[AGG-AC1] free-rule-template name default_free_rule
[AGG-AC1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG-AC1-free-rule-default_free_rule] quit
# Configure network access rights for successfully authenticated employees to allow them to access the Internet, DNS server, and service server and to communicate with each other. ACL rules for wireless users are delivered to APs. Therefore, the APs must permit the network segments of wireless users and all the network segments that wireless users can access. Otherwise, all packets of wireless users are discarded on the APs even if the users are successfully authenticated.
[AGG-AC1] acl 3001
[AGG-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 8 deny ip destination any
[AGG-AC1-acl-adv-3001] quit
# Configure network access rights for successfully authenticated guests to allow them to access the Internet and DNS server and to communicate with each other.
[AGG-AC1] acl 3002
[AGG-AC1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated.
[AGG-AC1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated.
[AGG-AC1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG-AC1-acl-adv-3002] rule 4 permit ip destination 172.16.41.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG-AC1-acl-adv-3002] rule 5 deny ip destination any
[AGG-AC1-acl-adv-3002] quit
- Configure 802.1X authentication for employees.
# Configure an 802.1X access profile. By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X authentication requests.
[AGG-AC1] dot1x-access-profile name d1
[AGG-AC1-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees.
[AGG-AC1] authentication-profile name p1
[AGG-AC1-authen-profile-p1] dot1x-access-profile d1
[AGG-AC1-authen-profile-p1] free-rule-template default_free_rule
[AGG-AC1-authen-profile-p1] authentication-scheme auth
[AGG-AC1-authen-profile-p1] accounting-scheme acco
[AGG-AC1-authen-profile-p1] radius-server tem_rad
[AGG-AC1-authen-profile-p1] quit
# Configure a security policy for wireless access of employees.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-sec-prof-sec1] quit
# Configure 802.1X authentication for wireless access of employees.
[AGG-AC1-wlan-view] vap-profile name vap1
[AGG-AC1-wlan-vap-prof-vap1] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-vap-prof-vap1] quit
[AGG-AC1-wlan-view] quit
- Configure MAC address-prioritized Portal authentication for guests.
# Configure a Portal server template. Configure parameters for interconnection between the AC and Portal server, including the IP address and port number of the Portal server, Portal key, and URL of the Portal page.
[AGG-AC1] web-auth-server tem_portal
[AGG-AC1-web-auth-server-tem_portal] server-ip 192.168.100.10
[AGG-AC1-web-auth-server-tem_portal] port 50200
[AGG-AC1-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206
[AGG-AC1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[AGG-AC1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[AGG-AC1-web-auth-server-tem_portal] quit
# Configure a Portal access profile.
[AGG-AC1] portal-access-profile name web1
[AGG-AC1-portal-acces-profile-web1] web-auth-server tem_portal direct
[AGG-AC1-portal-acces-profile-web1] quit
# Configure a MAC access profile.
[AGG-AC1] mac-access-profile name mac1
[AGG-AC1-mac-access-profile-mac1] quit
# Configure an authentication profile for guests.
[AGG-AC1] authentication-profile name p2
[AGG-AC1-authen-profile-p2] portal-access-profile web1
[AGG-AC1-authen-profile-p2] mac-access-profile mac1
[AGG-AC1-authen-profile-p2] free-rule-template default_free_rule
[AGG-AC1-authen-profile-p2] authentication-scheme auth
[AGG-AC1-authen-profile-p2] accounting-scheme acco
[AGG-AC1-authen-profile-p2] radius-server tem_rad
[AGG-AC1-authen-profile-p2] quit
# Configure MAC address-prioritized Portal authentication for guests.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] vap-profile name vap2
[AGG-AC1-wlan-vap-prof-vap2] authentication-profile p2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-vap-prof-vap2] quit
[AGG-AC1-wlan-view] quit
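The two post-authentication ACLs above (acl 3001 for employees on AGG1 and AGG-AC1, acl 3002 for guests on the AC) are small enough to model offline. The following is an added example, not code from the Huawei page or its products: it transcribes the rule tables, applies VRP-style wildcard-mask matching in first-match order, and checks every destination that the verification section later pings. The Rule class and the evaluate(), access_matrix() and pre_auth_allowed() helpers are names assumed for this example.

```python
"""Offline model of this page's authorization ACLs (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    dest: str                   # network or host address, or "any"
    wildcard: str = "0.0.0.0"   # VRP wildcard mask: set bits are "don't care"


def rule_matches(rule: Rule, dst_ip: str) -> bool:
    """True if dst_ip falls inside rule.dest under the wildcard mask."""
    if rule.dest == "any":
        return True
    care_bits = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(rule.dest)) & care_bits
    return (int(ipaddress.IPv4Address(dst_ip)) & care_bits) == base


def evaluate(acl: list, dst_ip: str) -> str:
    """Action of the first rule matching dst_ip (first-match semantics).

    Both ACLs on the page end with an explicit "deny ip destination any",
    so the fallback is never reached for them; this model assumes deny so a
    truncated rule set cannot silently pass traffic.
    """
    for rule in acl:
        if rule_matches(rule, dst_ip):
            return rule.action
    return "deny"


# acl 3001 (employees), rules in the order the page configures them.
ACL_3001 = [
    Rule("permit", "172.16.3.0", "0.0.0.255"),    # Internet via egress segment
    Rule("permit", "192.168.100.2"),              # DNS server
    Rule("permit", "192.168.100.3"),              # service server
    Rule("permit", "172.16.30.0", "0.0.0.255"),   # employee VLANs 30/40/50/60
    Rule("permit", "172.16.40.0", "0.0.0.255"),
    Rule("permit", "172.16.50.0", "0.0.0.255"),
    Rule("permit", "172.16.60.0", "0.0.0.255"),
    Rule("deny", "any"),
]

# acl 3002 (guests).
ACL_3002 = [
    Rule("permit", "172.16.3.0", "0.0.0.255"),    # Internet
    Rule("permit", "192.168.100.2"),              # DNS server
    Rule("permit", "172.16.31.0", "0.0.0.255"),   # guest VLANs 31/41
    Rule("permit", "172.16.41.0", "0.0.0.255"),
    Rule("deny", "any"),
]

ROLE_ACL = {"employee": ACL_3001, "guest": ACL_3002}

# Destinations taken from the page: egress device, DNS, service server,
# special server, the wireless employee user2 and the guest guest4.
TARGETS = {
    "egress 172.16.3.1": "172.16.3.1",
    "dns 192.168.100.2": "192.168.100.2",
    "service 192.168.100.3": "192.168.100.3",
    "special 192.168.100.100": "192.168.100.100",
    "employee user2": "172.16.30.97",
    "guest guest4": "172.16.31.165",
}


def access_matrix() -> dict:
    """{role: {target label: 'permit' | 'deny'}} for every role/target pair."""
    return {role: {label: evaluate(acl, ip) for label, ip in TARGETS.items()}
            for role, acl in ROLE_ACL.items()}


def pre_auth_allowed(dst_ip: str, src_vlan: int) -> bool:
    """Mirror of free-rule-template default_free_rule on AGG1: traffic to the
    DNS host 192.168.100.2/32 and anything sourced from AP management VLAN 20
    pass before authentication; everything else waits for 802.1X."""
    return dst_ip == "192.168.100.2" or src_vlan == 20


if __name__ == "__main__":
    for role, results in access_matrix().items():
        for label, action in results.items():
            print(f"{role:9s} -> {label:26s} {action}")
```

Running it reproduces the Expected Results section: employees reach the egress, DNS and service servers and each other but not the special server or the guest; guests reach only the egress, DNS and other guests.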
- Configure Layer 2 transparent transmission for 802.1X authentication packets on the access switch. The following uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.
# Enable this function on all interfaces through which 802.1X authentication packets pass. If a switch does not support the bpdu enable command, you only need to run the l2protocol-tunnel user-defined-protocol 802.1x enable command on its interface.
<ACC1> system-view
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface Eth-Trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
- Log in to Agile Controller-Campus, add devices that need to communicate with Agile Controller-Campus, and configure RADIUS and Portal authentication parameters.
# Choose Resource > Device > Device Management, click Add, set parameters according to Table 2-105, and click OK.
Table 2-107 Parameter settings for adding aggregation switches and ACs on Agile Controller-Campus
Parameter on Agile Controller-Campus | Setting
---|---
Names and IP addresses | Aggregation switches: AGG1: 172.16.70.2; AGG2: 172.16.80.2. ACs: AGG-AC1: 192.168.20.1 (IP address of the backup AC: 192.168.20.2); AGG-AC3: 192.168.21.1 (IP address of the backup AC: 192.168.21.2)
Enable RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain) | Selected
Device series | Huawei S Series
Authentication/Accounting key | YsHsjx_202206
Authorization key | YsHsjx_202206
Real-time accounting interval (minute) | 15
Enable Portal (mandatory for Portal authentication) | Aggregation switches: -. ACs: Selected
Portal protocol type | HUAWEI portal protocol
Portal key | YsHsjx_202206
Access terminal IPv4 list | AGG-AC1: 172.16.30.0/24;172.16.31.0/24. AGG-AC3: 172.16.40.0/24;172.16.41.0/24
Enable heartbeat between access device and Portal server | Selected
Portal server IP address list | 192.168.100.10
- Add user groups and user accounts. The following describes how to create an employee group and an employee account. The procedure for creating a guest group and a guest account is similar.
# Choose Resource > User > User Management. Click the icon in the operation area on the left, add a user group named Employee, and click OK. Click Add in the operation area on the right, and add an employee account.
- Enable MAC address-prioritized Portal authentication.
# Choose System > Terminal Configuration > Global Parameters > Access Management. On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, set Validity period of MAC address (min) to 60, and click OK.
- Configure network access rights for successfully authenticated employees and guests.
# Configure authorization results. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, click Add, set parameters according to Table 2-108, and click OK. Here, the employee authorization result is used as an example.
Table 2-108 Authorization results for employees and guests
Name | Authorization Parameter: ACL Number/AAA User Group
---|---
Employee authorization result | 3001
Guest authorization result | 3002
# Configure authorization rules. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, click Add, set parameters according to Table 2-109, and click OK. Here, the employee authorization rule is used as an example.
Table 2-109 Authorization rules for employees and guests
Name | Authorization Condition: User Group | Authorization Result
---|---|---
Employee authorization rule | Employee | Employee authorization result
Guest authorization rule | Guest | Guest authorization result
Expected Results
- The employees and guest can be successfully authenticated and access the network after selecting the correct access mode and entering the correct user names and passwords.
- After being authenticated, the employees and guest can access authentication-free resources and resources in post-authentication domains, but cannot access resources that are denied in the post-authentication domains.
- Employees can communicate with each other, but cannot communicate with the guest.
When a guest accesses the network for the first time, the guest can associate with the WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in the address box of a browser for Portal authentication. On the redirection page that is displayed, the guest can enter the user name and password, and then is successfully authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can directly connect to the WLAN without entering the user name and password again.
Verifying the Deployment
- Verify that the employees and guest can be successfully authenticated and access the network after selecting the correct access mode and entering the correct user names and passwords.
# Enter the correct user name and password on PC1, connect to the WLANs Employee and Guest in wireless mode, and then run the display access-user command on AGG1 and AGG-AC1 to check information about online users. The command output shows that user1, user2, and guest4 are all in Success state.
[AGG1] display access-user
 ------------------------------------------------------------------------------------------------------
  UserID   Username   IP address      MAC             Status
 ------------------------------------------------------------------------------------------------------
  32792    user1      172.16.50.216   00e0-fc12-3344  Success
 ------------------------------------------------------------------------------------------------------
  Total: 1, printed: 1
[AGG-AC1] display access-user
 ------------------------------------------------------------------------------------------------------
  UserID   Username   IP address      MAC             Status
 ------------------------------------------------------------------------------------------------------
  16434    user2      172.16.30.97    00e0-fc12-3366  Success
  32809    guest4     172.16.31.165   00e0-fc12-3355  Success
 ------------------------------------------------------------------------------------------------------
  Total: 2, printed: 2
# Run the display access-user username user1 detail command on AGG1 to view detailed authentication and authorization information of user1.
[AGG1] display access-user username user1 detail
Basic:
  User ID                         : 32792
  User name                       : user1
  Domain-name                     : huawei.com
  User MAC                        : 00e0-fc12-3344
  User IP address                 : 172.16.50.216
  User vpn-instance               : -
  User IPv6 address               : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address    : FE80::E9AA:9FE9:95F9:C499
  User access Interface           : Eth-Trunk10
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/50
  User vlan source                : user request
  User access time                : 2019/12/30 10:01:33
  User accounting session ID      : AGG00018000000050ef****0200018
  User access type                : 802.1x
  Terminal Device Type            : Data Terminal
  Dynamic ACL ID(Effective)       : 3001
AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
 ------------------------------------------------------------------------------
  Total: 1, printed: 1
# Run the display access-user username user2 detail and display access-user username guest4 detail commands on AGG-AC1 to view detailed authentication and authorization information of user2 and guest4.
[AGG-AC1] display access-user username user2 detail
Basic:
  User ID                         : 16434
  User name                       : user2
  User MAC                        : 00e0-fc12-3366
  User IP address                 : 172.16.30.97
  User vpn-instance               : -
  User IPv6 address               : -
  User access Interface           : Wlan-Dbss17498
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/30
  User vlan source                : user request
  User access time                : 2019/12/30 10:02:55
  User accounting session ID      : AC2000000000000308d****0100032
  User accounting mult session ID : AC853DA6A42038CADA5E441A5E09C****B2526E4
  User access type                : 802.1x
  AP name                         : area_1
  Radio ID                        : 1
  AP MAC                          : 00e0-fc12-4400
  SSID                            : Employee
  Online time                     : 115(s)
  Dynamic ACL ID(Effective)       : 3001
  User Group Priority             : 0
AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
 ------------------------------------------------------------------------------
  Total: 1, printed: 1
[AGG-AC1] display access-user username guest4 detail
Basic:
  User ID                         : 32809
  User name                       : guest4
  User MAC                        : 00e0-fc12-3355
  User IP address                 : 172.16.31.165
  User vpn-instance               : -
  User IPv6 address               : -
  User access Interface           : Wlan-Dbss17497
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/31
  User vlan source                : user request
  User access time                : 2019/12/30 09:52:57
  User accounting session ID      : AC200000000000031dd****0200029
  User accounting mult session ID : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
  User access type                : WEB
  AP name                         : area_1
  Radio ID                        : 0
  AP MAC                          : 00e0-fc12-4400
  SSID                            : Guest
  Online time                     : 764(s)
  Web-server IP address           : 192.168.100.10
  Dynamic ACL ID(Effective)       : 3002
  User Group Priority             : 0
AAA:
  User authentication type        : WEB authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS
 ------------------------------------------------------------------------------
  Total: 1, printed: 1
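Checking these outputs by eye does not scale once more than a handful of users are online, and the property that matters is not just Status = Success but that each session carries the ACL its access type should have (802.1X users 3001, Portal users 3002). The script below is an added example, not part of the Huawei page: it parses the brief and detail forms of display access-user and flags a session whose Dynamic ACL ID disagrees with its access type or SSID. The sample outputs are constructed and abridged from the AGG-AC1 output above; the "bad" sample is a constructed case where a guest received the employee ACL. parse_brief(), parse_detail(), check_session() and all_online() are names assumed for this example.

```python
"""Validate display access-user output against the expected authorization (added example)."""

# From the authorization results on Agile Controller-Campus:
# 802.1X (employee) sessions get acl 3001, Portal/WEB (guest) sessions get acl 3002.
EXPECTED_ACL = {"802.1x": "3001", "WEB": "3002"}
GUEST_SSID = "Guest"

# Constructed sample, abridged from the page's AGG-AC1 brief output.
BRIEF_AGG_AC1 = """\
[AGG-AC1] display access-user
 ------------------------------------------------------------------------------------------------------
  UserID   Username   IP address      MAC             Status
 ------------------------------------------------------------------------------------------------------
  16434    user2      172.16.30.97    00e0-fc12-3366  Success
  32809    guest4     172.16.31.165   00e0-fc12-3355  Success
 ------------------------------------------------------------------------------------------------------
  Total: 2, printed: 2
"""

# Constructed sample, abridged from the page's guest4 detail output.
DETAIL_GUEST4 = """\
Basic:
  User ID                    : 32809
  User name                  : guest4
  User MAC                   : 00e0-fc12-3355
  User IP address            : 172.16.31.165
  User IPv6 address          : -
  User access Interface      : Wlan-Dbss17497
  QinQVlan/UserVlan          : 0/31
  User access time           : 2019/12/30 09:52:57
  User access type           : WEB
  SSID                       : Guest
  Dynamic ACL ID(Effective)  : 3002
AAA:
  User authentication type   : WEB authentication
  Current authentication method : RADIUS
"""

# Constructed failure case: the same guest session, but carrying the employee ACL.
DETAIL_BAD_GUEST = DETAIL_GUEST4.replace(": 3002", ": 3001")


def parse_brief(text: str) -> list:
    """Rows of the brief table as dicts; prompt, separators, header and Total are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit():
            rows.append(dict(zip(("user_id", "username", "ip", "mac", "status"), parts)))
    return rows


def parse_detail(text: str) -> dict:
    """'key : value' lines as a dict. Only the first ':' splits, so IPv6
    addresses and timestamps inside the value survive intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():           # drops "Basic:" / "AAA:" section headers
            fields[key.strip()] = value.strip()
    return fields


def check_session(detail: dict) -> list:
    """Findings for one user's detail output; an empty list means the session is as expected."""
    findings = []
    name = detail.get("User name", "?")
    access_type = detail.get("User access type")
    acl = detail.get("Dynamic ACL ID(Effective)")
    if access_type not in EXPECTED_ACL:
        findings.append(f"{name}: unexpected access type {access_type!r}")
        return findings
    if acl != EXPECTED_ACL[access_type]:
        findings.append(f"{name}: {access_type} session holds ACL {acl}, "
                        f"expected {EXPECTED_ACL[access_type]}")
    # A WEB session on the employee SSID (or 802.1x on Guest) points at a VAP/profile mix-up.
    ssid = detail.get("SSID")
    if ssid and (ssid == GUEST_SSID) != (access_type == "WEB"):
        findings.append(f"{name}: access type {access_type} on SSID {ssid}")
    return findings


def all_online(brief: str) -> bool:
    """True when the brief output lists at least one user and all are in Success state."""
    rows = parse_brief(brief)
    return bool(rows) and all(r["status"] == "Success" for r in rows)


if __name__ == "__main__":
    print("all Success:", all_online(BRIEF_AGG_AC1))
    print("guest4 findings:", check_session(parse_detail(DETAIL_GUEST4)))
    print("bad guest findings:", check_session(parse_detail(DETAIL_BAD_GUEST)))
```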
- Verify that the successfully authenticated employees and guest can access authentication-free resources and resources in post-authentication domains, but cannot access resources that are denied in the post-authentication domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Ping statistics for 192.168.100.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.3
Pinging 192.168.100.3 with 32 bytes of data:
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Ping statistics for 192.168.100.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\Users\*******>
# On PC1, ping a resource in the post-authentication domain, for example, the campus egress device with IP address 172.16.3.1. The ping operation succeeds.
C:\Users\*******>ping 172.16.3.1
Pinging 172.16.3.1 with 32 bytes of data:
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Ping statistics for 172.16.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\*******>
# On PC1, ping a resource denied in the post-authentication domain, for example, the special server with IP address 192.168.100.100. The ping operation fails.
C:\Users\*******>ping 192.168.100.100
Pinging 192.168.100.100 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.
Ping statistics for 192.168.100.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\*******>
- Verify that employees can communicate with each other, but cannot communicate with the guest.

# On PC1, ping the IP address of the terminal used by the wireless employee account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.97

Pinging 172.16.30.97 with 32 bytes of data:
Reply from 172.16.30.97: bytes=32 time=131ms TTL=62
Reply from 172.16.30.97: bytes=32 time=39ms TTL=62
Reply from 172.16.30.97: bytes=32 time=169ms TTL=62
Reply from 172.16.30.97: bytes=32 time=93ms TTL=62

Ping statistics for 172.16.30.97:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 39ms, Maximum = 169ms, Average = 108ms

C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The ping operation fails.
C:\Users\*******>ping 172.16.31.165

Pinging 172.16.31.165 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 172.16.31.165:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>
Configuration Files
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
 ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
 ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
 ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
 description connect to AGG1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk20
 description connect to AGG2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 80
 mode lacp
#
interface Eth-Trunk30
 undo portswitch
 description connect to Internet
 ip address 172.16.3.1 255.255.255.0
 mode lacp
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/5
 eth-trunk 30
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/5
 eth-trunk 30
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 172.16.3.0 0.0.0.255
  network 172.16.70.0 0.0.0.255
  network 172.16.80.0 0.0.0.255
  network 192.168.100.0 0.0.0.255
#
return
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#~jZ}F$6t6/!K%~9Ow$"Vb,+LFnrEl>q<\'1!^JD7%^%#
 radius-server authentication 192.168.100.10 1812 weight 80
 radius-server accounting 192.168.100.10 1813 weight 80
 radius-server authorization 192.168.100.10 shared-key cipher %^%#GH(%~#au`G.f/lA~"P%I]^Z4L*yVj"[/w"2uWP\'%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
 free-rule 2 source vlan 20
#
vlan 50
 dhcp snooping enable
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server tem_rad
#
interface Vlanif20
 ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
 ip address 172.16.30.3 255.255.255.0
#
interface Vlanif31
 ip address 172.16.31.3 255.255.255.0
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
interface Vlanif70
 ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
 description con to AC
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 to 31
 mode lacp
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
 authentication-profile p1
 mode lacp
#
interface GigabitEthernet0/0/3
 eth-trunk 30
#
interface GigabitEthernet0/0/4
 eth-trunk 1
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet0/0/5
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 eth-trunk 30
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 172.16.30.0 0.0.0.255
  network 172.16.31.0 0.0.0.255
  network 172.16.50.0 0.0.0.255
  network 172.16.70.0 0.0.0.255
#
dot1x-access-profile name d1
#
return
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#~jZ}F$6t6/!K%~9Ow$"Vb,+LFnrEl>q<\'1!^JD7%^%#
 radius-server authentication 192.168.100.10 1812 weight 80
 radius-server accounting 192.168.100.10 1813 weight 80
 radius-server authorization 192.168.100.10 shared-key cipher %^%#GH(%~#au`G.f/lA~"P%I]^Z4L*yVj"[/w"2uWP\'%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
 free-rule 2 source vlan 21
#
vlan 60
 dhcp snooping enable
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server tem_rad
#
interface Vlanif21
 ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
 ip address 172.16.40.3 255.255.255.0
#
interface Vlanif41
 ip address 172.16.41.3 255.255.255.0
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.100.2
#
interface Vlanif80
 ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk2
 description con to AC
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 40 to 41
 mode lacp
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 80
 mode lacp
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 60
 authentication-profile p1
 mode lacp
#
interface GigabitEthernet0/0/3
 eth-trunk 40
#
interface GigabitEthernet0/0/4
 eth-trunk 2
#
interface GigabitEthernet0/0/5
 eth-trunk 2
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 40
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/0/1
 eth-trunk 20
#
ospf 1 router-id 7.7.7.7
 area 0.0.0.0
  network 172.16.40.0 0.0.0.255
  network 172.16.41.0 0.0.0.255
  network 172.16.60.0 0.0.0.255
  network 172.16.80.0 0.0.0.255
#
dot1x-access-profile name d1
#
return
#
sysname AGG-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 to 31 200
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 authentication-scheme auth
 accounting-scheme acco
 radius-server tem_rad
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 authentication-scheme auth
 accounting-scheme acco
 radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 31
 dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
 radius-server authentication 192.168.100.10 1812 weight 80
 radius-server accounting 192.168.100.10 1813 weight 80
 radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 172.16.31.0 0.0.0.255
 rule 4 permit ip destination 172.16.41.0 0.0.0.255
 rule 5 deny ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
 server-ip 192.168.100.10
 port 50200
 shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
 url http://192.168.100.10:8080/portal
 server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.3
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
 dhcp select interface
 dhcp server excluded-ip-address 192.168.20.2
 dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
 dhcp server dns-list 192.168.100.2
#
interface Vlanif31
 ip address 172.16.31.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server excluded-ip-address 172.16.31.2 172.16.31.3
 dhcp server dns-list 192.168.100.2
#
interface Vlanif200
 ip address 172.16.200.1 255.255.255.0
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 to 31
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 172.16.30.0 0.0.0.255
  network 172.16.31.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
 service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif20
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  authentication-profile p1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 31
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group1
 provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
sysname AGG-AC2
#
vrrp recover-delay 60
#
vlan batch 20 30 to 31 200
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 authentication-scheme auth
 accounting-scheme acco
 radius-server tem_rad
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 authentication-scheme auth
 accounting-scheme acco
 radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 31
 dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
 radius-server authentication 192.168.100.10 1812 weight 80
 radius-server accounting 192.168.100.10 1813 weight 80
 radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 172.16.31.0 0.0.0.255
 rule 4 permit ip destination 172.16.41.0 0.0.0.255
 rule 5 deny ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
 server-ip 192.168.100.10
 port 50200
 shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
 url http://192.168.100.10:8080/portal
 server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif20
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.3
 admin-vrrp vrid 1
 dhcp select interface
 dhcp server excluded-ip-address 192.168.20.1
 dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
 ip address 172.16.30.2 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server excluded-ip-address 172.16.30.1
 dhcp server excluded-ip-address 172.16.30.3
 dhcp server dns-list 192.168.100.2
#
interface Vlanif31
 ip address 172.16.31.2 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server excluded-ip-address 172.16.31.1
 dhcp server excluded-ip-address 172.16.31.3
 dhcp server dns-list 192.168.100.2
#
interface Vlanif200
 ip address 172.16.200.2 255.255.255.0
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 to 31
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 172.16.30.0 0.0.0.255
  network 172.16.31.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
 service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif20
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  authentication-profile p1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 31
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group1
 provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
sysname AGG-AC3
#
vrrp recover-delay 60
#
vlan batch 21 40 to 41 201
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 authentication-scheme auth
 accounting-scheme acco
 radius-server tem_rad
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 authentication-scheme auth
 accounting-scheme acco
 radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
 dhcp snooping enable
vlan 41
 dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
 radius-server authentication 192.168.100.10 1812 weight 80
 radius-server accounting 192.168.100.10 1813 weight 80
 radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 172.16.31.0 0.0.0.255
 rule 4 permit ip destination 172.16.41.0 0.0.0.255
 rule 5 deny ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
 server-ip 192.168.100.10
 port 50200
 shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
 url http://192.168.100.10:8080/portal
 server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif21
 ip address 192.168.21.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.21.3
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
 dhcp select interface
 dhcp server excluded-ip-address 192.168.21.2
 dhcp server excluded-ip-address 192.168.21.20
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
 dhcp server dns-list 192.168.100.2
#
interface Vlanif41
 ip address 172.16.41.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server excluded-ip-address 172.16.41.2 172.16.41.3
 dhcp server dns-list 192.168.100.2
#
interface Vlanif201
 ip address 172.16.201.1 255.255.255.0
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 40 to 41
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 172.16.40.0 0.0.0.255
  network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
 service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif21
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  authentication-profile p1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 41
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain1
 ap-group name ap-group2
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
  ap-name area_2
  ap-group ap-group2
 provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
sysname AGG-AC4
#
vrrp recover-delay 60
#
vlan batch 21 40 to 41 201
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 authentication-scheme auth
 accounting-scheme acco
 radius-server tem_rad
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 authentication-scheme auth
 accounting-scheme acco
 radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
 dhcp snooping enable
vlan 41
 dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
 radius-server authentication 192.168.100.10 1812 weight 80
 radius-server accounting 192.168.100.10 1813 weight 80
 radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 172.16.31.0 0.0.0.255
 rule 4 permit ip destination 172.16.41.0 0.0.0.255
 rule 5 deny ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
 server-ip 192.168.100.10
 port 50200
 shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
 url http://192.168.100.10:8080/portal
 server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif21
 ip address 192.168.21.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.21.3
 admin-vrrp vrid 1
 dhcp select interface
 dhcp server excluded-ip-address 192.168.21.1
 dhcp server excluded-ip-address 192.168.21.20
#
interface Vlanif40
 ip address 172.16.40.2 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server excluded-ip-address 172.16.40.1
 dhcp server excluded-ip-address 172.16.40.3
 dhcp server dns-list 192.168.100.2
#
interface Vlanif41
 ip address 172.16.41.2 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server excluded-ip-address 172.16.41.1
 dhcp server excluded-ip-address 172.16.41.3
 dhcp server dns-list 192.168.100.2
#
interface Vlanif201
 ip address 172.16.201.2 255.255.255.0
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 40 to 41
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 172.16.40.0 0.0.0.255
  network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
 service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif21
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  authentication-profile p1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 41
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain1
 ap-group name ap-group2
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
  ap-name area_2
  ap-group ap-group2
 provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
 l2protocol-tunnel user-defined-protocol 802.1x enable
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 30
#
interface GigabitEthernet0/0/2
 eth-trunk 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 50
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
return
#
sysname ACC2
#
vlan batch 21 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 60
 l2protocol-tunnel user-defined-protocol 802.1x enable
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 40
#
interface GigabitEthernet0/0/2
 eth-trunk 40
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 60
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 21
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
return