Native AC + Free Mobility Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point

S300, S500, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides campus networks typical configuration examples and feature typical configuration examples. "Campus Networks Typical Configuration Examples" provides typical campus network networking modes and a variety of deployment examples."Feature Typical Configuration Examples" provides typical configuration examples of a single feature on a switch. You can configure required features after deploying a campus network.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Native AC + Free Mobility Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point

Networking Requirements

Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. In addition, core switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence.

Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth.

There are a large number of wired and wireless access devices that are widely distributed. To implement unified management and configuration and reduce management costs, SVF is deployed on the network. Core, aggregation, and access switches set up an SVF system. In the SVF system, the CSS of core switches functions as the parent, and aggregation and access switches function as ASs. The parent manages and configures ASs in a unified manner.

In this example, core switches set up an SVF system, which functions as the gateway and authentication point for wired and wireless users on the entire network. These users can access the network only after being authenticated. The specific requirements are as follows:

Agile Controller-Campus functions as both the access authentication server and user service data source server.
Users include employees and guests. Wired users use combined 802.1X + MAC + Portal authentication, and wireless users use 802.1X authentication and MAC address-prioritized Portal authentication.
The free mobility solution is adopted, and security groups and inter-group policies are configured on Agile Controller-Campus to control user access rights.

Figure 2-57 Parent (core switches) in an SVF system functioning as the authentication point

Device Requirements and Versions

Location	Device Requirement	Device Used in This Example	Version Used in This Example
Core layer	Modular switches configured with X series cards Layer 3 fixed switches that support the native AC function, such as S5731-H switches	S12700E	V200R019C10
Aggregation layer	-	S5731-H
Access layer	-	S5735-L
AP	-	AP6050DN	V200R019C00

Deployment Roadmap

Step	Deployment Roadmap	Devices Involved
1	Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server.	Core switches (CORE)
2	Configure a pre-authentication domain, a post-authentication domain, and the escape function, so that users have corresponding rights before and after being authenticated as well as when Agile Controller-Campus is faulty.	Core switches (CORE)
3	Configure combined 802.1X + MAC + Portal authentication for wired users.	Core switches (CORE)
4	Configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users.	Core switches (CORE)
5	Enable the free mobility function and configure XMPP parameters for interconnection with Agile Controller-Campus.	Core switches (CORE)
6	Log in to Agile Controller-Campus and perform the following operations: Configure parameters for interconnection with CORE, and configure RADIUS and Portal parameters. Configure security groups and inter-group policies.	Agile Controller-Campus

Data Plan

Table 2-80 Service data plan for core switches

Item	VLAN ID	Network Segment
Management VLAN	VLAN 20	192.168.20.0/24
Service VLANs for wireless users (AP1)	VLAN 30	172.16.30.0/24
Service VLANs for wireless users (AP1)	VLAN 40	172.16.40.0/24
Service VLAN for a wired user (PC1)	VLAN 50	172.16.50.0/24
Service VLAN for a wired user (PC2)	VLAN 60	172.16.60.0/24
Network segment for communication with servers	VLAN 1000	192.168.11.0/24

Table 2-81 Wireless service data plan for core switches

Item	Data
AP group	ap-group
Regulatory domain profile	domain
SSID profiles	ssid1, ssid2
VAP profiles	vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)

Table 2-82 Data plan for the SVF system

Item	Data
Parent	CSS of two S12700E switches
Parent's cards connected to ASs	X1E cards of the same type in slot 1 of the two CSS member switches
MAC addresses of ASs and APs	as-layer1-1: 00e0-fc01-0011 as-layer1-2: 00e0-fc01-0022 as-layer2-1: 00e0-fc01-0033 as-layer2-2: 00e0-fc01-0044
Management VLAN of the SVF system	VLAN 20
IP address of the management VLANIF interface	192.168.20.1/24
Parent's interfaces connected to as-layer1-1	GE1/1/0/1 and GE2/1/0/2 Add the interfaces to Eth-Trunk 10 and bind them to fabric port 1.
Parent's interfaces connected to as-layer1-2	GE1/1/0/2 and GE2/1/0/1 Add the interfaces to Eth-Trunk 20 and bind them to fabric port 2.
as-layer1-1's interfaces connected to as-layer2-1	GE0/0/3 and GE1/0/3 Add the interfaces to Eth-Trunk 30 and bind them to fabric port 3.
as-layer1-2's interfaces connected to as-layer2-2	GE0/0/3 and GE1/0/3 Add the interfaces to Eth-Trunk 40 and bind them to fabric port 4.
as-layer2-1's interface connected to AP1	GE0/0/4 Add the interface to an AP port group.
as-layer2-2's interface connected to AP2	GE0/0/4 Add the interface to an AP port group.
AS authentication mode	Whitelist authentication
Service configuration of an AS administrator profile	Administrator profile admin_profile, in which the administrator user name and password are configured AS group admin_group, which includes all ASs Bind the administrator profile admin_profile to the AS group admin_group.
Service configuration of AS network basic profiles	Network basic profile basic_profile_1, in which VLAN 50 is configured as the VLAN from which packets are allowed to pass through Network basic profile basic_profile_2, in which VLAN 60 is configured as the VLAN from which packets are allowed to pass through Network basic profile basic_profile_3, in which VLAN 50 is configured as the VLAN from which packets are allowed to pass through Network basic profile basic_profile_4, in which VLAN 60 is configured as the VLAN from which packets are allowed to pass through Port group port_group_1, which includes all downlink interfaces of as-layer1-1 Port group port_group_2, which includes all downlink interfaces of as-layer1-2 Port group port_group_3, which includes all downlink interfaces (except GigabitEthernet 0/0/4 connected to an AP) of as-layer2-1 Port group port_group_4, which includes all downlink interfaces (except GigabitEthernet 0/0/4 connected to an AP) of as-layer2-2 Bind network basic profile basic_profile_1 to port group port_group_1. Bind network basic profile basic_profile_2 to port group port_group_2. Bind network basic profile basic_profile_3 to port group port_group_3. Bind network basic profile basic_profile_4 to port group port_group_4.

Table 2-83 Authentication service data plan for core switches

Item	Data
AAA schemes	Authentication scheme: Name: auth Authentication mode: RADIUS Accounting scheme: Name: acco Accounting mode: RADIUS
RADIUS server	RADIUS server template name: tem_rad IP address of the authentication server: 192.168.11.1 Port number of the authentication server: 1812 IP address of the accounting server: 192.168.11.1 Port number of the accounting server: 1813 Accounting interval: 15 minutes Authentication and accounting keys: YsHsjx_202206 Authorization key: YsHsjx_202206
Portal server	Portal server template name: tem_portal IP address: 192.168.11.1 Port number: 50200 Shared key: YsHsjx_202206 Portal server detection: enabled
802.1X access profile	Name: d1 Authentication mode: EAP
Portal access profile	Name: web1
MAC access profile	Name: mac1
Pre-authentication domain	IP address of the DNS server: 192.168.11.2. Employees and guests can send domain names to the DNS server for resolution before being authenticated.

Table 2-84 Service data plan for Agile Controller-Campus

Item	Data
IP address of CORE	192.168.11.254
RADIUS parameters	Device series: Huawei S series switches Authentication and accounting keys: YsHsjx_202206 Authorization key: YsHsjx_202206 Real-time accounting interval: 15 minutes
Portal parameters	Port number: 2000 Portal key: YsHsjx_202206 IP addresses of access terminals: Wireless: 192.168.13.0/24 Wired: 192.168.14.0/24
XMPP password	YsHsjx_202206
Accounts	Employee: User name: user1 Password: YsHsjx_202206 Guest: User name: user2 Password: YsHsjx_202206
Security group	employee_group guest_group Email server: 192.168.11.100 Video server: 192.168.11.110
Post-authentication domains	Employees can access the mail and video servers after being authenticated. Guests cannot access the mail or video server even after they are authenticated. Employees and guests can communicate with each other. For service security purposes, users from unknown sources are not allowed to access any resources.

Table 2-85 Inter-group policies

Source Security Group	Destination Group email_server	Destination Group video_server	Destination Group Any	Destination Group employee_group	Destination Group guest_group
employee_group	Permit	Permit	Permit	N/A	Permit
guest_group	Deny	Permit	Permit	Permit	N/A

Procedure

Enable campus network connectivity. For details, see Native AC + SVF Solution: the Parent Containing Core Switches Functions as the Gateway for Wired and Wireless Users.

For wireless users, the security policies in security profiles vary according to access authentication modes.

User Access Authentication Mode	Security Policy
MAC address authentication or Portal authentication	Open system authentication
802.1X authentication	WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

For users who use 802.1X authentication, configure a security policy in security profile sec1 as follows:

[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes

For users who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows:

[CORE-wlan-sec-prof-sec2] security open

Configure AAA on CORE.

# Configure the RADIUS server template tem_rad and configure parameters for interconnection between CORE and the RADIUS server. The parameters include the IP addresses, port numbers, and shared keys of the RADIUS authentication and accounting servers.

<CORE> system-view
[CORE] radius-server template tem_rad 
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812 
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813 
[CORE-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206 
[CORE-radius-tem_rad] quit

# Configure a RADIUS authorization server.

[CORE] radius-server authorization 192.168.11.1 shared-key cipher YsHsjx_202206

# Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.

[CORE] aaa 
[CORE-aaa] authentication-scheme auth     
[CORE-aaa-authen-auth] authentication-mode radius   
[CORE-aaa-authen-auth] quit 
[CORE-aaa] accounting-scheme acco 
[CORE-aaa-accounting-acco] accounting-mode radius 
[CORE-aaa-accounting-acco] accounting realtime 15 
[CORE-aaa-accounting-acco] quit

# Configure the domain huawei.com and bind AAA schemes and RADIUS server template to this domain.

[CORE-aaa] domain huawei.com 
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad 
[CORE-aaa-domain-huawei.com] quit 
[CORE-aaa] quit

Configure a pre-authentication domain on CORE to allow packets destined for the DNS server to pass through.

[CORE] free-rule-template name default_free_rule 
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32 
[CORE-free-rule-default_free_rule] quit

Configure combined 802.1X + MAC + Portal authentication for wired users on CORE.

# Change the NAC mode to unified.

By default, the unified mode is used. The switch will restart automatically after the NAC mode is changed between common and unified modes.

[CORE] authentication unified-mode

# Configure an 802.1X access profile.

By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X authentication requests.

[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit

# Configure a MAC access profile.

[CORE] mac-access-profile name mac1 
[CORE-mac-access-profile-mac1] quit

# Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.

[CORE] web-auth-server tem_portal 
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1   
[CORE-web-auth-server-tem_portal] port 50200   //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] quit

# Configure a Portal access profile.

[CORE] portal-access-profile name web1 
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit

# Configure an authentication profile for wired users, and bind the 802.1X access profile, MAC access profile, and Portal access profile to the authentication profile.

[CORE] authentication-profile name p1 
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] mac-access-profile mac1  
[CORE-authen-profile-p1] portal-access-profile web1 
[CORE-authen-profile-p1] free-rule-template default_free_rule 
[CORE-authen-profile-p1] access-domain huawei.com force   //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit

# Configure combined 802.1X + MAC + Portal authentication for wired users.

[CORE] uni-mng 
[CORE-um] user-access-profile name test01       //Configure a user access profile, which needs to be bound to authentication profile p1.
[CORE-um-user-access-test01] authentication-profile p1  
[CORE-um-user-access-test01] quit 
[CORE-um] port-group name port_group_3           //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_1] user-access-profile test01 
[CORE-um-portgroup-port_group_1] as name as-layer2-1 interface gigabitEthernet 0/0/2 gigabitEthernet 0/0/4 to 0/0/24  
[CORE-um-portgroup-port_group_1] quit 
[CORE-um] port-group name port_group_4           //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_2] user-access-profile test01 
[CORE-um-portgroup-port_group_2] as name as-layer2-2 interface gigabitEthernet 0/0/2 gigabitEthernet 0/0/4 to 0/0/24  
[CORE-um-portgroup-port_group_2] quit 
[CORE-um] commit as all                           //Commit the configuration. Configurations in service profiles then are delivered to ASs.
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
[CORE-um] quit

On CORE, configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users.

# Configure an authentication profile for wireless users, and set the authentication mode to MAC address-prioritized Portal authentication.

[CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule 
[CORE-authen-profile-p2] access-domain huawei.com force  //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] quit

# Configure an authentication profile for wireless users, and set the authentication mode to 802.1X authentication.

[CORE] authentication-profile name p3 
[CORE-authen-profile-p3] dot1x-access-profile d1
[CORE-authen-profile-p3] free-rule-template default_free_rule 
[CORE-authen-profile-p3] access-domain huawei.com force  //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p3] quit

# Configure 802.1X authentication for wireless users in VAP profile vap1.

[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p3 
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit

# Configure MAC address-prioritized Portal authentication for wireless users in the VAP profile vap2.

[CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2 
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit

Enable the free mobility function and configure XMPP parameters for interconnection with Agile Controller-Campus.

[CORE] group-policy controller 192.168.11.1 password YsHsjx_202206 src-ip 192.168.11.254   //Set scr-ip to the IP address of VLANIF 1000.

Configure Agile Controller-Campus.

Add CORE.

Table 2-86 Parameter settings on Agile Controller-Campus and CORE

Parameter on Agile Controller-Campus	Configuration on Agile Controller-Campus	Configuration on CORE
Name	CORE	-
IP address	192.168.11.254	IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus
Device series	Huawei S Series	-
Authentication/Accounting key	YsHsjx_202206	radius-server shared-key cipher YsHsjx_202206
Authorization key	YsHsjx_202206	radius-server authorization 192.168.11.1 shared-key cipher YsHsjx_202206
Real-time accounting interval (minute)	15	accounting realtime 15
Port	2000	Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.
Portal key	YsHsjx_202206	shared-key cipher YsHsjx_202206
Access terminal IPv4 list	172.16.30.0/24;172.16.40.0/24;172.16.50.0/24;172.16.60.0/24	IP address lists of fixed and mobile terminals, corresponding to the interface address pools on VLANIF 30, VLANIF 40, VLANIF 50, and VLANIF 60
XMPP password	YsHsjx_202206	group-policy controller 192.168.11.1 password YsHsjx_202206 src-ip 192.168.11.254

Choose Resource > Device > Device Management, click Add, and configure device information and authentication parameters.
Figure 2-58 Adding a device
Click the XMPP tab and set XMPP parameters.

Figure 2-59 XMPP
Click OK. The communication status of the switch becomes , and the synchronization status is Success.

Check the communication status between Agile Controller-Campus and CORE.

[CORE] display group-policy status 
Controller IP address: 192.168.11.1 
Controller port: 5222 
Backup controller IP address: - 
Backup controller port: - 
Source IP address: 192.168.11.254 
State: working 
Connected controller: master 
Device protocol version: 1 
Controller protocol version: 1

Enable MAC address-prioritized Portal authentication.
1. Choose System > Terminal Configuration > Global Parameters > Access Management.
2. On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, and set Validity period of MAC address (min) to 60.
Figure 2-60 Configuring MAC address-prioritized Portal authentication
Create employee and guest accounts. The following uses the employee account user1 as an example. The procedure for creating a guest account is similar to that for creating an employee account.

Choose Resource > User > User Management. Click Add and create employee account user1.

Figure 2-61 Adding an account
Configure security groups employee_group and guest_group to represent users, as well as security groups email_server and video_server to represent resources.
1. Choose Policy > Permission Control > Security Group > Dynamic Security Group Management.
  
  Click Add and create security group employee_group.
  
  Figure 2-62 Adding dynamic security group employee_group
2. Click Add and create security group guest_group.
  Figure 2-63 Adding dynamic security group guest_group
3. Choose Static Security Group Management, click Add, and create security group email_server.
  
  Figure 2-64 Adding static security group mail_server
4. Click Add and create security group video_server.
  
  Figure 2-65 Adding static security group video_server
5. Click Global Deployment. You can view the deployment result on the deployment details page.
Bind employee_group to employees and guest_group to guests through quick authorization. After being authenticated, employees are added to employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. The following describes how to add employee user1 to employee_group. The procedure of adding guest user2 to guest_group is similar.

Figure 2-66 Add employee user1 to employee_group.

Configure access control policies and perform global deployment.

Choose System > Terminal Configuration > Global Parameters > Free Mobility, and set Free mobility configuration mode to All devices.

Choose Policy > Free Mobility > Policy Configuration > Permission Control, and add common policies. The following figure shows the configuration for allowing users in employee_group to access the email and video servers. Configure other policies in a similar way according to Table 2-87.

Table 2-87 Inter-group policies

Source Security Group	Destination Group email_server	Destination Group video_server	Destination Group Any	Destination Group employee_group	Destination Group guest_group
employee_group	Permit	Permit	Permit	N/A	Deny
guest_group	Deny	Permit	Permit	Deny	N/A

Figure 2-67 Adding network access rights

Click OK and then Global Deployment. You can view the deployment result on the deployment details page.

After successful deployment, you can run the following commands on CORE to check the deployment information.

display ucl-group all: checks security groups.

[CORE] display ucl-group all 
ID       UCL group name                                                                                                             
--------------------------------------------------------------------------------                                                    
1                                                                                                                                   
2                                                                                                                                   
--------------------------------------------------------------------------------                                                    
Total : 2

display acl all: checks access control policies.

[CORE] display acl all                                                                                                                   
 Total nonempty ACL number is 2                                                                                                     

Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule                                                                                      
Acl's step is 5                                                                                                                     

Ucl-group ACL Auto_PGM_U2 9997, 4 rules                                                                                             
Acl's step is 5                                                                                                                     
 rule 1 deny ip source ucl-group 2 destination 192.168.11.100 0                                                                     
 rule 2 permit ip source ucl-group 2 destination 192.168.11.110 0                                                                   
 rule 3 deny ip source ucl-group 2 destination ucl-group 1                                                                          
 rule 4 permit ip source ucl-group 2                                                                                                

Ucl-group ACL Auto_PGM_U1 9998, 4 rules                                                                                             
Acl's step is 5                                                                                                                     
 rule 1 permit ip source ucl-group 1 destination 192.168.11.100 0                                                                   
 rule 2 permit ip source ucl-group 1 destination 192.168.11.110 0                                                                   
 rule 3 deny ip source ucl-group 1 destination ucl-group 2                                                                          
 rule 4 permit ip source ucl-group 1                                                                                                

Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule                                                                                   
Acl's step is 5

Save the configuration of CORE.

Choose Resource > Device > Device Management and click to save the configuration.

The save operation on Agile Controller-Campus is equivalent to running the save command on the device, which saves all the device configurations (including security groups and access control policies configured on Agile Controller-Campus) to the configuration file.

When security groups and access right control policies are saved to the configuration file of a device, these configurations can be restored from the configuration file after the device is restarted, without the need to request configurations from Agile Controller-Campus. If these configurations are not saved to the configuration file, user authentication will fail because such configurations are unavailable after the device is restarted.

Configuration Files

CORE configuration file

#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
 dot1x-access-profile d1
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei.com force
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei.com force
authentication-profile name p3
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-z\z_1{_|r~%^%#
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
 server-ip 192.168.11.1
 port 50200
 shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
 url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
 dhcp snooping enable
vlan 40
 dhcp snooping enable
vlan 50
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 dhcp select interface
# 
interface Vlanif50                                                                                                                  
 ip address 172.16.50.1 255.255.255.0                                                                                              
 dhcp select interface                                                                                                              
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 dhcp select interface
#
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk10
 port link-type hybrid
 port hybrid tagged vlan 1 20 50
 stp root-protection
 stp edged-port disable  
 mode lacp
 loop-detection disable
 mad relay
# 
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
group-policy controller 192.168.11.1 password %^%#XGq,C@c*6=1\8d)="S(&r>iERYpE"@|0X!RThfz$%^%# src-ip 192.168.11.254
#
capwap source interface vlanif20
#
wlan
 traffic-profile name traff1
  user-isolate l2
 traffic-profile name default
 security-profile name sec1
  security wpa2 dot1x aes
 ssid-profile name ssid1
  ssid test01
 ssid-profile name ssid2
  ssid test02
 ssid-profile name default
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff1
  authentication-profile p3 
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff2
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name default
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name domain
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group
  regulatory-domain-profile domain
 ap-group name ap-group1
  radio 0
   vap-profile vap1 wlan 1
  radio 1
   vap-profile vap1 wlan 1
 ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group
 provision-ap
 wlan work-group default
#
as-auth
 undo auth-mode
 whitelist mac-address 00e0-fc00-0011
 whitelist mac-address 00e0-fc00-0022
 whitelist mac-address 00e0-fc00-0033
 whitelist mac-address 00e0-fc00-0044
# 
uni-mng
 as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0011
  down-direction fabric-port 1 member-group interface Eth-Trunk 30
  port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
 as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0022
  down-direction fabric-port 1 member-group interface Eth-Trunk 40
  port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
 as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0033
 as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0044
 interface fabric-port 1
  port member-group interface Eth-Trunk 10
 interface fabric-port 2
  port member-group interface Eth-Trunk 20
 interface fabric-port 3
  port member-group interface Eth-Trunk 30
 interface fabric-port 4
  port member-group interface Eth-Trunk 40
 as-admin-profile name admin_profile
  user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
 network-basic-profile name basic_profile_1
  pass-vlan 50
 network-basic-profile name basic_profile_2
  pass-vlan 60
 network-basic-profile name basic_profile_3
  pass-vlan 50
 network-basic-profile name basic_profile_4
  pass-vlan 60
 user-access-profile name test01
  authentication-profile p1
 as-group name admin_group
  as-admin-profile admin_profile
  as name as-layer1-1
  as name as-layer1-2
  as name as-layer2-1
  as name as-layer2-2
 port-group name port_group_1
  network-basic-profile basic_profile_1
  as name as-layer1-1 interface all
 port-group name port_group_2
  network-basic-profile basic_profile_2
  as name as-layer1-2 interface all
 port-group name port_group_3
  network-basic-profile basic_profile_3
  as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
  user-access-profile test01
 port-group name port_group_4
  network-basic-profile basic_profile_4
  as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
  user-access-profile test01
 port-group connect-ap name ap
  as name as-layer2-1 interface GigabitEthernet 0/0/3
  as name as-layer2-2 interface GigabitEthernet 0/0/3
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
return

Translation

Español 日本語 Русский 简体中文

Download

Updated: 2023-10-27

Document ID: EDOC1000069520

Downloads: 41872

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate