Native AC + Free Mobility Solution: Core Switches Function as the Authentication Point for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. In addition, core switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence. Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and authentication point for wired and wireless users on the entire network. These users can access the network only after being authenticated. The specific requirements are as follows:
- Agile Controller-Campus functions as both the access authentication server and user service data source server.
- Users include employees (wired and wireless) who use 802.1X authentication and guests (wireless only) who use MAC address-prioritized Portal authentication.
- The free mobility solution is adopted, and security groups and inter-group policies are configured on Agile Controller-Campus to control user access rights.
Device Requirements and Versions
Location | Device Requirement | Device Used in This Example | Version Used in This Example
---|---|---|---
Core layer | | S12700E | V200R019C10
Aggregation layer | - | S5731-H | 
Access layer | - | S5735-L | 
AP | - | AP6050DN | V200R019C00
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved
---|---|---
1 | Configure authentication, authorization, and accounting (AAA), including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server. | Core switches (CORE)
2 | Configure a pre-authentication domain and a post-authentication domain, so that users have corresponding rights before and after being authenticated as well as when Agile Controller-Campus is faulty. | Core switches (CORE)
3 | Configure 802.1X authentication for employees. | Core switches (CORE)
4 | Configure MAC address-prioritized Portal authentication for guests. | Core switches (CORE)
5 | Enable the free mobility function and configure XMPP parameters for interconnection with Agile Controller-Campus. | Core switches (CORE)
6 | Configure transparent transmission for 802.1X packets. | Aggregation switches (AGG1 and AGG2) and access switches (ACC1 and ACC2)
7 | Log in to Agile Controller-Campus and perform the following operations: | Agile Controller-Campus
Data Plan
Item | VLAN ID | Network Segment
---|---|---
Management VLAN for APs | VLAN 20 | 192.168.20.0/24
Service VLANs for wireless users | VLAN 30 | 172.16.30.0/24
Service VLANs for wireless users | VLAN 40 | 172.16.40.0/24
Service VLAN for a wired user (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for a wired user (PC2) | VLAN 60 | 172.16.60.0/24
VLAN for communication with servers | VLAN 1000 | 192.168.11.254/24
Item | Data
---|---
AP group | ap-group1
Regulatory domain profile | domain1
SSID profiles | test01, test02
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)
Item | Data
---|---
AAA schemes | Authentication scheme: auth; Accounting scheme: acco
RADIUS server | Template tem_rad: authentication server 192.168.11.1 (port 1812), accounting server 192.168.11.1 (port 1813), authorization server 192.168.11.1, shared key YsHsjx_202206
Portal server | Template tem_portal: IP address 192.168.11.1, port 50200, shared key YsHsjx_202206, URL http://192.168.11.1:8080/portal
802.1X access profile | Name: d1
Portal access profile | Name: web1
MAC access profile | Name: mac1
Pre-authentication domain | IP address of the DNS server: 192.168.11.2. Employees and guests can send domain names to the DNS server for resolution before being authenticated.
Item | Data
---|---
IP address of CORE | 192.168.11.254
RADIUS parameters | Authentication/accounting key YsHsjx_202206; authorization key YsHsjx_202206; real-time accounting interval 15 minutes
Portal parameters | Port 2000; Portal key YsHsjx_202206; access terminal IPv4 list 172.16.30.0/24 and 172.16.40.0/24
XMPP password | YsHsjx_202206
Accounts | Employee: user1; Guest: user2
Security groups | employee_group and guest_group (dynamic groups representing users); email_server and video_server (static groups representing resources)
Post-authentication domains | 
Deployment Precautions
Free mobility is supported only in NAC unified mode.
In this example, Agile Controller-Campus runs V100R003C50.
For details about other precautions, see "Licensing Requirements and Limitations for Free Mobility" in the Product Use Precautions.
Procedure
- Enable campus network connectivity. For details, see Native AC Solution: Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access authentication modes.
User Access Authentication Mode | Security Policy
---|---
MAC address authentication or Portal authentication | Open system authentication
802.1X authentication | WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.
For employees who use 802.1X authentication, configure a security policy in security profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
For guests who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows:
[CORE-wlan-sec-prof-sec2] security open
- Configure AAA on CORE.
# Configure the RADIUS server template tem_rad and configure parameters for interconnection between CORE and the RADIUS server. The parameters include the IP addresses, port numbers, and shared keys of the RADIUS authentication and accounting servers.
<CORE> system-view
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[CORE-radius-tem_rad] quit
# Configure a RADIUS authorization server.
[CORE] radius-server authorization 192.168.11.1 shared-key cipher YsHsjx_202206
# Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit
# Configure the domain huawei.com and bind the AAA schemes and the RADIUS server template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
- Configure a pre-authentication domain on CORE to allow packets destined for the DNS server to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit
- Configure 802.1X authentication for employees on CORE.
# Change the NAC mode to unified.
By default, the unified mode is used. You can run the display authentication mode command to check the current NAC mode on a switch. The switch will restart automatically after the NAC mode is changed between common and unified modes.
[CORE] authentication unified-mode
# Configure an 802.1X access profile.
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit
# Configure 802.1X authentication for wired access of employees on downlink interfaces Eth-Trunk 10 and Eth-Trunk 20.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication-profile p1
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication-profile p1
[CORE-Eth-Trunk20] quit
# Configure 802.1X authentication for wireless access of employees in VAP profile vap1.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p1
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit
- Configure MAC address-prioritized Portal authentication for guests on CORE.
# Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.
[CORE] web-auth-server tem_portal
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] quit
# Configure a Portal access profile.
[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit
# Configure a MAC access profile.
[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit
# Configure an authentication profile for guests.
[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule
[CORE-authen-profile-p2] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] quit
# Configure MAC address-prioritized Portal authentication for guests in the VAP profile vap2.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit
- Enable the free mobility function and configure XMPP parameters for interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password YsHsjx_202206 src-ip 192.168.11.254 //Set src-ip to the IP address of VLANIF 1000.
- Configure transparent transmission of 802.1X packets on both aggregation and access switches. The following uses access switch ACC1 (S5735-L) as an example. The configuration of other switches is similar to that of ACC1.
If a switch supports the bpdu enable command, run both the bpdu enable and l2protocol-tunnel user-defined-protocol 802.1x enable commands on an interface of the switch.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
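The switch-side steps above leave several values that must agree with each other and with the data plan (the accounting interval, the Portal port, the XMPP source IP versus the VLANIF 1000 address, the free rule versus the DNS server handed out by DHCP, and the pairing of WPA2-802.1X or open security policies with the matching access profile). The following audit is an added example, not Huawei's code; it parses a constructed excerpt modelled on the CORE configuration file in this document (WLAN profiles written as top-level sections, encrypted keys replaced by a placeholder) and reports any mismatch.

```python
# Added example, not Huawei's code: audit the switch-side NAC configuration
# from steps 1 to 6 against the data plan. CONFIG is a constructed excerpt of
# the CORE configuration file (WLAN profiles flattened, keys replaced).
CONFIG = """\
radius-server template tem_rad
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
web-auth-server tem_portal
 server-ip 192.168.11.1
 port 50200
aaa
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 dhcp server dns-list 192.168.11.2
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
group-policy controller 192.168.11.1 password PLACEHOLDER src-ip 192.168.11.254
security-profile name sec1
 security wpa2 dot1x aes
security-profile name sec2
 security open
vap-profile name vap1
 security-profile sec1
 authentication-profile p1
vap-profile name vap2
 security-profile sec2
 authentication-profile p2
authentication-profile name p1
 dot1x-access-profile d1
authentication-profile name p2
 portal-access-profile web1
 mac-access-profile mac1
"""

def parse_sections(text):
    """(header, [body lines]) pairs: an unindented line opens a section."""
    sections = []
    for raw in (r for r in text.splitlines() if r.strip() not in ("", "#")):
        if raw[0] != " ":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections

def body(sections, prefix):
    """Body lines of the first section whose header starts with prefix."""
    return next((b for h, b in sections if h.startswith(prefix)), [])

def audit(text):
    """Return findings; an empty list means the config matches the plan."""
    sec = parse_sections(text)
    findings = []
    # Real-time accounting interval must equal the 15 minutes set on the controller.
    if [l.split()[-1] for l in body(sec, "aaa") if l.startswith("accounting realtime")] != ["15"]:
        findings.append("accounting realtime is not 15")
    # Agile Controller-Campus as Portal server listens on the fixed port 50200.
    if [l.split()[1] for l in body(sec, "web-auth-server") if l.startswith("port ")] != ["50200"]:
        findings.append("Portal server port is not 50200")
    # The XMPP source IP must be the VLANIF 1000 address registered on the controller.
    gw = [l.split()[2] for l in body(sec, "interface Vlanif1000") if l.startswith("ip address")]
    gp = next((h for h, _ in sec if h.startswith("group-policy controller")), "")
    src = gp.split("src-ip ")[-1].split()[:1] if "src-ip " in gp else []
    if src != gw:
        findings.append("group-policy src-ip does not match the VLANIF 1000 address")
    # Each DNS server handed out by DHCP needs a free rule (pre-authentication domain).
    free_ips = {l.split()[4] for l in body(sec, "free-rule-template") if "destination ip" in l}
    for h, b in sec:
        for dns in (l.split()[3] for l in b if l.startswith("dhcp server dns-list")):
            if dns not in free_ips:
                findings.append(f"{h}: DNS server {dns} has no free rule")
    # A WPA2-802.1X VAP needs an 802.1X access profile; an open VAP needs a Portal one.
    secprof = {h.split()[-1]: " ".join(b) for h, b in sec if h.startswith("security-profile name")}
    authprof = {h.split()[-1]: " ".join(b) for h, b in sec if h.startswith("authentication-profile name")}
    for h, b in sec:
        if not h.startswith("vap-profile name"):
            continue
        kv = dict(l.rsplit(" ", 1) for l in b if " " in l)
        policy = secprof.get(kv.get("security-profile"), "")
        ap = authprof.get(kv.get("authentication-profile"), "")
        if "dot1x" in policy and "dot1x-access-profile" not in ap:
            findings.append(f"{h}: WPA2-802.1X policy without an 802.1X access profile")
        if "security open" in policy and "portal-access-profile" not in ap:
            findings.append(f"{h}: open policy without a Portal access profile")
    return findings
```

Run `audit(CONFIG)` on the excerpt to get an empty list; feed it a saved `display current-configuration` dump instead to check a real CORE.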
- Configure Agile Controller-Campus.
Add a switch.
Table 2-46 Parameter settings on Agile Controller-Campus and CORE

Parameter on Agile Controller-Campus | Configuration on Agile Controller-Campus | Configuration on CORE
---|---|---
Name | CORE | -
IP address | 192.168.11.254 | IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus
Device series | Huawei S Series | -
Authentication/Accounting key | YsHsjx_202206 | radius-server shared-key cipher YsHsjx_202206
Authorization key | YsHsjx_202206 | radius-server authorization 192.168.11.1 shared-key cipher YsHsjx_202206
Real-time accounting interval (minute) | 15 | accounting realtime 15
Port | 2000 | Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.
Portal key | YsHsjx_202206 | shared-key cipher YsHsjx_202206
Access terminal IPv4 list | 172.16.30.0/24;172.16.40.0/24 | IP addresses of guests, corresponding to IP address pools on VLANIF 30 and VLANIF 40
XMPP password | YsHsjx_202206 | group-policy controller 192.168.11.1 password YsHsjx_202206 src-ip 192.168.11.254
- Choose Resource > Device > Device Management, click Add, and configure device information and authentication parameters.
Figure 2-25 Adding a device
- Click the XMPP tab and set XMPP parameters.
Figure 2-26 XMPP
- Click OK, select CORE, and click Synchronize. The communication status of the switch becomes [status icon], and the synchronization status is Success.
- Check the communication status between Agile Controller-Campus and CORE.
[CORE] display group-policy status
  Controller IP address: 192.168.11.1
  Controller port: 5222
  Backup controller IP address: -
  Backup controller port: -
  Source IP address: 192.168.11.254
  State: working
  Connected controller: master
  Device protocol version: 2
  Controller protocol version: 2
- Enable MAC address-prioritized Portal authentication.
Choose System > Terminal Configuration > Global Parameters > Access Management.
On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, and set Validity period of MAC address (min) to 60.
Figure 2-27 Configuring MAC address-prioritized Portal authentication
- Create employee and guest accounts. The following uses the employee account user1 as an example. The procedure for creating a guest account is similar to that for creating an employee account.
Choose Resource > User > User Management. Click Add and create employee account user1.
Figure 2-28 Adding an account
- Configure security groups employee_group and guest_group to represent users, as well as security groups email_server and video_server to represent resources.
Choose Policy > Permission Control > Security Group > Dynamic Security Group Management.
Click Add and create security group employee_group.
Figure 2-29 Adding dynamic security group employee_group
Click Add and create security group guest_group.
Figure 2-30 Adding dynamic security group guest_group
Choose Static Security Group Management, click Add, and create security group email_server.
Figure 2-31 Adding static security group email_server
Click Add and create security group video_server.
Figure 2-32 Adding static security group video_server
Click Global Deployment. You can view the deployment result on the deployment details page.
- Bind employee_group to employees and guest_group to guests through quick authorization. After being authenticated, employees are added to employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. According to the following table, bind employees to employee_group and click OK. Then bind guests to guest_group and click OK.
Table 2-47 Quick authorization
User Category | User Information > User > Account | User Information > Location > SSID | Access Mode | User Permission > Security group
---|---|---|---|---
Wired employee user | user1 | - | Wired Access | employee_group
Wireless employee user | user1 | test01 | Wireless Access | employee_group
Guest | user2 | test02 | - | guest_group
Figure 2-33 Quick authorization
- Configure access control policies and perform global deployment.
Choose System > Terminal Configuration > Global Parameters > Free Mobility, and set Free mobility configuration mode to All devices.
- Choose Policy > Free Mobility > Policy Configuration > Permission Control, and add common policies. The following figure shows the configuration for allowing users in employee_group to access the email and video servers. Configure other policies in a similar way according to Table 2-48.
Table 2-48 Inter-group policies

Source Security Group | Destination Group email_server | Destination Group video_server | Destination Group Any | Destination Group employee_group | Destination Group guest_group
---|---|---|---|---|---
employee_group | Permit | Permit | Permit | N/A | Deny
guest_group | Deny | Permit | Permit | Deny | N/A
Figure 2-34 Adding network access rights
Click OK and then Global Deployment. You can view the deployment result on the deployment details page.
After successful deployment, you can run the following commands on CORE to check the deployment information.
display ucl-group all: checks security groups.
[CORE] display ucl-group all
 ID   UCL group name
--------------------------------------------------------------------------------
 1
 2
--------------------------------------------------------------------------------
Total : 2
display acl all: checks access control policies.
[CORE] display acl all
 Total nonempty ACL number is 2

Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule
Acl's step is 5

Ucl-group ACL Auto_PGM_U2 9997, 4 rules
Acl's step is 5
 rule 1 deny ip source ucl-group 2 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 2 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 2 destination ucl-group 1
 rule 4 permit ip source ucl-group 2

Ucl-group ACL Auto_PGM_U1 9998, 4 rules
Acl's step is 5
 rule 1 permit ip source ucl-group 1 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 1 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 1 destination ucl-group 2
 rule 4 permit ip source ucl-group 1

Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule
Acl's step is 5
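The ucl-group ACLs that Agile Controller-Campus pushes to CORE are Table 2-48 rewritten as ordered, first-match rules. The following added example (not Huawei's or the controller's code) derives those rules from the table, compares them with the display acl all output above, and evaluates them the way the switch does, including the employee-to-guest direction that Table 2-48 sets to Deny. It assumes, from that output rather than from an explicit statement on the page, that email_server is host 192.168.11.100, video_server is host 192.168.11.110, and the dynamic group IDs are 1 for employee_group and 2 for guest_group.

```python
# Added example, not Huawei's or Agile Controller-Campus code: derive the ordered
# ucl-group ACL rules implied by Table 2-48 and evaluate them first-match.
# Assumptions (read from the display acl all output, not stated on the page):
# email_server = 192.168.11.100, video_server = 192.168.11.110,
# ucl-group 1 = employee_group, ucl-group 2 = guest_group.
import re

# Table 2-48, row by row; "Any" is the catch-all and is emitted last.
POLICY = {
    "employee_group": {"email_server": "permit", "video_server": "permit",
                       "guest_group": "deny", "Any": "permit"},
    "guest_group": {"email_server": "deny", "video_server": "permit",
                    "employee_group": "deny", "Any": "permit"},
}
STATIC_HOSTS = {"email_server": "192.168.11.100", "video_server": "192.168.11.110"}
UCL_ID = {"employee_group": 1, "guest_group": 2}

def build_rules(src_group):
    """Rules in deployment order: static hosts, then the other dynamic group,
    then the catch-all for the source group."""
    sid = UCL_ID[src_group]
    rules = []
    for dst, action in POLICY[src_group].items():
        if dst == "Any":
            continue
        if dst in STATIC_HOSTS:
            target = f"destination {STATIC_HOSTS[dst]} 0"   # wildcard 0 = single host
        else:
            target = f"destination ucl-group {UCL_ID[dst]}"
        rules.append(f"rule {len(rules) + 1} {action} ip source ucl-group {sid} {target}")
    rules.append(f"rule {len(rules) + 1} {POLICY[src_group]['Any']} ip source ucl-group {sid}")
    return rules

RULE_RE = re.compile(
    r"rule \d+ (permit|deny) ip source ucl-group \d+"
    r"(?: destination (?:ucl-group (\d+)|(\S+) 0))?$")

def evaluate(rules, dst_ip, dst_group_id=None):
    """Walk the ACL top-down and return the action of the first matching rule.
    A destination user matches by its IP or by the ucl-group it was placed in."""
    for rule in rules:
        action, dst_grp, dst_host = RULE_RE.match(rule).groups()
        if dst_grp is None and dst_host is None:          # catch-all rule
            return action
        if dst_host is not None and dst_host == dst_ip:
            return action
        if dst_grp is not None and dst_group_id == int(dst_grp):
            return action
    return None  # unreachable here: every group's ACL ends in a catch-all

# Rules of Auto_PGM_U2 (ucl-group 2, guest_group) as shown by display acl all on CORE.
DISPLAYED_U2 = [
    "rule 1 deny ip source ucl-group 2 destination 192.168.11.100 0",
    "rule 2 permit ip source ucl-group 2 destination 192.168.11.110 0",
    "rule 3 deny ip source ucl-group 2 destination ucl-group 1",
    "rule 4 permit ip source ucl-group 2",
]

def expected_access():
    """The checks under Verifying the Deployment, expressed as rule lookups."""
    emp, guest = build_rules("employee_group"), build_rules("guest_group")
    return {
        "employee_to_email": evaluate(emp, "192.168.11.100"),
        "employee_to_video": evaluate(emp, "192.168.11.110"),
        "guest_to_email": evaluate(guest, "192.168.11.100"),
        "guest_to_video": evaluate(guest, "192.168.11.110"),
        # a guest reaching a wired employee (constructed IP in VLAN 50, ucl-group 1)
        "guest_to_employee": evaluate(guest, "172.16.50.10", dst_group_id=1),
        # an employee reaching a guest (constructed IP in VLAN 40, ucl-group 2)
        "employee_to_guest": evaluate(emp, "172.16.40.9", dst_group_id=2),
    }

if __name__ == "__main__":
    print("guest rules match display acl all:", build_rules("guest_group") == DISPLAYED_U2)
    for direction, action in expected_access().items():
        print(f"{direction}: {action}")
```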
Save the configuration of CORE.
Choose Resource > Device > Device Management and click [save icon] to save the configuration.
The save operation on Agile Controller-Campus is equivalent to running the save command on the device, which saves all the device configurations (including security groups and access control policies configured on Agile Controller-Campus) to the configuration file.
When security groups and access right control policies are saved to the configuration file of a device, these configurations can be restored from the configuration file after the device is restarted, without the need to request configurations from Agile Controller-Campus. If these configurations are not saved to the configuration file, user authentication will fail because such configurations are unavailable after the device is restarted.
Verifying the Deployment
- Run the display access-user username user-name detail command on CORE to check detailed user login information, such as the authentication mode (802.1X or Portal), terminal IP address, and security group.
[CORE] display access-user username user1 detail
  Basic:
    User ID                         : 49523
    User name                       : user1
    Domain-name                     : huawei.com
    User MAC                        : 00e0-fc12-4466
    User IP address                 : 172.16.30.133
    User vpn-instance               : -
    User IPv6 address               : -
    User access Interface           : Wlan-Dbss5111
    User vlan event                 : Success
    QinQVlan/UserVlan               : 0/30
    User vlan source                : user request
    User access time                : 2019/08/08 08:45:00
    User accounting session ID      : CORE00220000000030aa****0104173
    User access type                : 802.1x
    AP name                         : area_2
    Radio ID                        : 1
    AP MAC                          : 00e0-fc12-3390
    SSID                            : test01
    Online time                     : 43(s)
    Dynamic group index(Effective)  : 1
    Service Scheme Priority         : 0
  AAA:
    User authentication type        : 802.1x authentication
    Current authentication method   : RADIUS
    Current authorization method    : -
    Current accounting method       : RADIUS
  ------------------------------------------------------------------------------
  Basic:
    User ID                         : 115814
    User name                       : user1
    Domain-name                     : huawei.com
    User MAC                        : 00e0-fc12-3344
    User IP address                 : 172.16.60.133
    User vpn-instance               : -
    User IPv6 address               : FE80::E9AA:9FE9:95F9:C499
    User IPv6 link local address    : FE80::E9AA:9FE9:95F9:C499
    User access Interface           : Eth-Trunk20
    User vlan event                 : Success
    QinQVlan/UserVlan               : 0/60
    User vlan source                : user request
    User access time                : 2019/08/08 08:12:29
    User accounting session ID      : CORE002200000000604e****0304466
    User access type                : 802.1x
    Terminal Device Type            : Data Terminal
    Dynamic group index(Effective)  : 1
  AAA:
    User authentication type        : 802.1x authentication
    Current authentication method   : RADIUS
    Current authorization method    : -
    Current accounting method       : RADIUS
  ------------------------------------------------------------------------------
  Total: 2, printed: 2
[CORE] display access-user username user2 detail
  Basic:
    User ID                         : 52993
    User name                       : user2
    Domain-name                     : huawei.com
    User MAC                        : 00e0-fc12-4466
    User IP address                 : 172.16.40.9
    User vpn-instance               : -
    User IPv6 address               : -
    User access Interface           : Wlan-Dbss5112
    User vlan event                 : Success
    QinQVlan/UserVlan               : 0/40
    User vlan source                : user request
    User access time                : 2019/08/08 08:57:47
    User accounting session ID      : CORE0022000000004005****0104f01
    User access type                : WEB
    AP name                         : area_2
    Radio ID                        : 1
    AP MAC                          : 00e0-fc12-3390
    SSID                            : test02
    Online time                     : 23(s)
    Web-server IP address           : 192.168.100.10
    Dynamic group index(Effective)  : 2
    Service Scheme Priority         : 0
  AAA:
    User authentication type        : WEB authentication
    Current authentication method   : RADIUS
    Current authorization method    : -
    Current accounting method       : RADIUS
  ------------------------------------------------------------------------------
  Total: 1, printed: 1
- Choose Resource > User > Online User Management on Agile Controller-Campus to check the user login information and the security groups to which users belong.
- Verify that you can access the mail and video servers using the employee account after passing 802.1X authentication, no matter where the terminals are located.
- Verify that you can access only the video server using the guest account after passing MAC address-prioritized Portal authentication, no matter where the terminal is located.
- Verify that the employee and guest can communicate with each other.
Configuration Files
- CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei.com force
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei.com force
ucl-group 1
ucl-group 2
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
#
acl name Auto_PGM_OPEN_POLICY 3999
#
acl name Auto_PGM_U9 9997
 rule 1 deny ip source ucl-group 9 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 9 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 9 destination ucl-group 8
 rule 4 permit ip source ucl-group 9
acl name Auto_PGM_U8 9998
 rule 1 permit ip source ucl-group 8 destination 192.168.11.100 0
 rule 2 permit ip source ucl-group 8 destination 192.168.11.110 0
 rule 3 deny ip source ucl-group 8 destination ucl-group 9
 rule 4 permit ip source ucl-group 8
acl name Auto_PGM_PREFER_POLICY 9999
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
 server-ip 192.168.11.1
 port 50200
 shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
 url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
vlan 30
 dhcp snooping enable
vlan 40
 dhcp snooping enable
vlan 50
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain huawei.com
  authentication-scheme auth
  accounting-scheme acco
  radius-server tem_rad
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
 description con to AGG1
 port link-type trunk
 port trunk allow-pass vlan 20 50
 authentication-profile p1
#
interface Eth-Trunk20
 description con to AGG2
 port link-type trunk
 port trunk allow-pass vlan 20 60
 authentication-profile p1
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
traffic-secure inbound acl name Auto_PGM_OPEN_POLICY
traffic-filter inbound acl name Auto_PGM_PREFER_POLICY
traffic-filter inbound acl name Auto_PGM_U8
traffic-filter inbound acl name Auto_PGM_U9
traffic-filter inbound acl 9996
#
group-policy controller 192.168.11.1 password %^%#XGq,C@c*6=1\8d)="S(&r>iERYpE"@|0X!RThfz$%^%# src-ip 192.168.11.254
#
capwap source interface vlanif20
#
wlan
 traffic-profile name traff1
  user-isolate l2
 traffic-profile name traff2
  user-isolate l2
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid test01
 ssid-profile name ssid2
  ssid test02
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff1
  authentication-profile p1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff2
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group1
 ap-id 2 type-id 56 ap-mac 00e0-fc12-3390 ap-sn 21500829352SGA900583
  ap-name area_2
  ap-group ap-group1
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
- AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 eth-trunk 30
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 30
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
return
- AGG2 configuration file
#
sysname AGG2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk20
 description connect to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 60
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 60
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 eth-trunk 40
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 40
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/0/1
 eth-trunk 20
#
return
- ACC1 configuration file
#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
 eth-trunk 30
#
interface GigabitEthernet0/0/2
 eth-trunk 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 50
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
return
- ACC2 configuration file
#
sysname ACC2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 60
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
 eth-trunk 40
#
interface GigabitEthernet0/0/2
 eth-trunk 40
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 60
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
 l2protocol-tunnel user-defined-protocol 802.1x enable
 port-isolate enable group 1
#
return