Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document.
Note: Even the most advanced machine translation cannot match the quality of professional translators.
Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Standalone AC + NAC Solution: Core Switches and ACs Function as the Authentication Points for Wired and Wireless Users Respectively
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. A standalone AC is deployed in off-path mode. It functions as a gateway to assign IP addresses to APs and wireless users, and centrally manages APs and wireless users on the entire network.
Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and authentication point for wired users, and standalone ACs in a hot standby (HSB) group functions as the gateway and authentication point for wireless users. The wired and wireless users can access the network only after being authenticated. The specific requirements are as follows:
Users include employees (wired and wireless) who use 802.1X authentication and guests (wireless only) who use MAC address-prioritized Portal authentication.
- Agile Controller-Campus functions as both the authentication server and user service data source server.
- Agile Controller-Campus delivers ACLs for authorization of successfully authenticated users to control network access rights of these users of different roles.
- Port isolation needs to be configured on access and aggregation switches to control Layer 2 traffic of users.
Figure 2-77 Core switches and standalone ACs functioning as the authentication points for wired and wireless users respectively
![]()
Device Requirements and Versions
Location |
Device Requirement |
Device Used in This Example |
Version Used in This Example |
|---|---|---|---|
Authentication server |
Agile Controller-Campus running V100R001, V100R002, or V100R003 |
Agile Controller-Campus |
V100R003C60SPC206 |
Core layer |
- |
S12700E |
V200R019C10 |
Aggregation layer |
- |
S5731-H |
|
Access layer |
- |
S5735-L |
|
AC |
- |
AC6605 |
|
AP |
- |
AP6050DN |
V200R019C00 |
Deployment Roadmap
Step |
Deployment Roadmap |
|---|---|
Enable campus network connectivity. |
1. For details, see Standalone AC Solution: Core Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively. |
Configure core switches and ACs. |
2. Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains, as well as configuring parameters for interconnection between switches and the RADIUS server and between ACs and the RADIUS server. |
3. Configure resources accessible to users before they are authenticated (referred to as authentication-free resources), and network access rights to be granted to successfully authenticated employees and guests. |
|
4. Configure 802.1X authentication for employees. |
|
5. Configure MAC address-prioritized Portal authentication for guests only on ACs. |
|
Configure aggregation and access switches. |
6. Configure Layer 2 transparent transmission for 802.1X authentication packets. |
Configure Agile Controller-Campus. |
7. Add devices that need to communicate with Agile Controller-Campus, and configure RADIUS and Portal authentication parameters. |
8. Add user groups and user accounts. |
|
9. Enable MAC address-prioritized Portal authentication. |
|
10. Configure network access rights for successfully authenticated employees and guests. |
Data Plan
Table 2-95 Data plan for campus network connectivity
Item |
VLAN ID |
Network Segment |
|---|---|---|
VLANs for communication between core switches and ACs |
VLAN 20 (management VLAN for APs) |
192.168.20.0/24 |
VLAN 30 (service VLAN for wireless access of employees) |
172.16.30.0/24 |
|
VLAN 40 (service VLAN for guests) |
172.16.40.0/24 |
|
Service VLAN for wired users (on AGG1) |
VLAN 50 |
172.16.50.0/24 |
Service VLAN for wired users (on AGG2) |
VLAN 60 |
172.16.60.0/24 |
VLAN for communication between CORE-AC1 and CORE-AC2 |
VLAN 100 |
172.16.100.0/24 |
VLAN for communication between core switches and servers |
VLAN 1000 |
192.168.100.0/24 |
Table 2-96 Wireless service data plan for ACs
Item |
Employee |
Guest |
|---|---|---|
Traffic profile |
traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. |
|
Security profiles |
sec1: WPA/WPA2-802.1X authentication |
sec2: open system authentication (default security policy) |
SSID profiles |
ssid1 (SSID: Employee) |
ssid2 (SSID: Guest) |
AP group |
ap-group1 |
|
Regulatory domain profile |
domain1 |
|
Service data forwarding mode |
Tunnel forwarding |
|
Service VLANs |
VLAN 30 |
VLAN 40 |
VAP profiles |
vap1 |
vap2 |
Table 2-97 Authentication service data plan for core switches and ACs
Item |
Data |
|---|---|
AAA schemes |
|
RADIUS server |
|
Portal server |
|
802.1X access profile |
|
Portal access profile |
Name: web1 |
MAC access profile |
Name: mac1 |
Authentication-free resources |
DNS server: 192.168.100.2 |
Network access rights for successfully authenticated users |
The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively. |
Table 2-98 Service data plan for Agile Controller-Campus
Item |
Data |
|---|---|
User accounts (user name/password) |
|
Device IP addresses |
|
RADIUS authentication parameters |
|
Portal authentication parameters |
|
Deployment Precautions
- It is not recommended that VLAN 1 be used as a service VLAN. Remove all interfaces from VLAN 1. Allow an interface to transparently transmit packets from a VLAN based on actual service requirements. Do not allow an interface to transparently transmit packets from all VLANs.
In tunnel forwarding mode, the management VLAN and service VLAN must be different. Otherwise, MAC address flapping will occur, leading to a packet forwarding error. The network between the AC and APs needs to permit only packets tagged with the management VLAN ID and deny packets tagged with the service VLAN ID.
In tunnel forwarding mode, service packets from APs are encapsulated in CAPWAP data tunnels and transmitted to the AC. The AC then forwards the packets to the upper-layer network. Therefore, service packets and management packets can be transmitted properly when the interfaces that connect the AC to APs are added to the management VLAN and the interface that connects the AC to the upper-layer network is added to a service VLAN.
- WLAN service configurations (for example, WMM profile, radio profile, radio, traffic profile, security profile, security policy, and WLAN ID) of the AP associated with the master and backup ACs must be consistent on the two ACs; otherwise, user services may be affected after a master/backup switchover between the ACs.
The models and software versions of the master and backup ACs must be the same.
- When deploying the DHCP server in the scenario where VRRP and HSB are configured, note the following:
- In versions earlier than V200R019C00, the DHCP server-enabled interface must be the interface on which a VRRP group is created. Otherwise, the master and backup ACs will allocate IP addresses at the same time. In V200R019C00 and later versions, there is no restriction on the DHCP server-enabled interface. Only the master AC allocates IP addresses. IP address allocation information on the master AC will be synchronized to the backup AC.
- The IP address pools configured on the master and backup ACs must be the same. If they are different, data backup between the master and backup ACs will fail.
- You need to run the hsb-service-type dhcp hsb-group group-index command to bind the DHCP service to the HSB group. Otherwise, IP address allocation information on the master and backup ACs cannot be backed up.
- The RADIUS authentication, accounting, and authorization keys, as well as the Portal key configured on Agile Controller-Campus must be the same as those configured on switches.
- By default, the switch allows the packets sent to RADIUS and Portal servers to pass through. You do not need to configure any authentication-free rule for these packets on switches.
- In the 802.1X authentication scenario, if there is a Layer 2 switch between the 802.1X-enabled switch and users, Layer 2 transparent transmission must be enabled for 802.1X authentication packets on the Layer 2 switch; otherwise, users cannot be successfully authenticated.
Procedure
- Enable campus network connectivity. For details, see Standalone AC Solution: Core Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively.# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view [CORE] interface Eth-Trunk 30 [CORE-Eth-Trunk30] mode lacp [CORE-Eth-Trunk30] description con to Internet [CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/5 [CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/5 [CORE-Eth-Trunk30] undo portswitch [CORE-Eth-Trunk30] ip address 172.16.3.1 24 [CORE-Eth-Trunk30] quit
- Configure the authentication service on CORE.
- Configure AAA parameters.# Configure the RADIUS server template tem_rad, and configure the parameters for interconnection between CORE and the RADIUS server, including the IP addresses, port numbers, authentication key, and accounting key of the RADIUS authentication and accounting servers.
[CORE] radius-server template tem_rad [CORE-radius-tem_rad] radius-server authentication 192.168.100.10 1812 [CORE-radius-tem_rad] radius-server accounting 192.168.100.10 1813 [CORE-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206 [CORE-radius-tem_rad] quit# Configure a RADIUS authorization server and an authorization key.[CORE] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206# Configure an AAA authentication scheme and an AAA accounting scheme, set the authentication and accounting modes to RADIUS, and set the accounting interval to 15 minutes.[CORE] aaa [CORE-aaa] authentication-scheme auth [CORE-aaa-authen-auth] authentication-mode radius [CORE-aaa-authen-auth] quit [CORE-aaa] accounting-scheme acco [CORE-aaa-accounting-acco] accounting-mode radius [CORE-aaa-accounting-acco] accounting realtime 15 [CORE-aaa-accounting-acco] quit
# Configure the authentication domain huawei.com and bind AAA schemes and RADIUS server template to this domain.[CORE-aaa] domain huawei.com [CORE-aaa-domain-huawei.com] authentication-scheme auth [CORE-aaa-domain-huawei.com] accounting-scheme acco [CORE-aaa-domain-huawei.com] radius-server tem_rad [CORE-aaa-domain-huawei.com] quit [CORE-aaa] quit
- Configure authentication-free resources and network access rights for successfully authenticated employees.# Configure authentication-free resources to allow packets destined for the DNS server and packets from the AP management VLAN to pass through.
[CORE] free-rule-template name default_free_rule [CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32 [CORE-free-rule-default_free_rule] free-rule 2 source vlan 20 [CORE-free-rule-default_free_rule] quit
# Configure network access rights for successfully authenticated employees to allow them to access the Internet, DNS server, and service server and to communicate with each other.[CORE] acl 3001 [CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated. [CORE-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated. [CORE-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated. [CORE-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other. [CORE-acl-adv-3001] rule 5 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other. [CORE-acl-adv-3001] rule 6 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other. [CORE-acl-adv-3001] rule 7 deny ip destination any [CORE-acl-adv-3001] quit
- Configure 802.1X authentication for employees.# Configure an 802.1X access profile. By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X authentication requests.
[CORE] dot1x-access-profile name d1 [CORE-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees.[CORE] authentication-profile name p1 [CORE-authen-profile-p1] dot1x-access-profile d1 [CORE-authen-profile-p1] free-rule-template default_free_rule [CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain. [CORE-authen-profile-p1] quit
# Configure 802.1X authentication for wired access of employees on downlink interfaces.[CORE] interface eth-trunk 10 [CORE-Eth-Trunk10] authentication-profile p1 [CORE-Eth-Trunk10] quit [CORE] interface eth-trunk 20 [CORE-Eth-Trunk20] authentication-profile p1 [CORE-Eth-Trunk20] quit
- Configure AAA parameters.
- Configure the authentication service on ACs. The following uses CORE-AC1 as an example. The configuration of CORE-AC2 is similar to that of CORE-AC1.
- Configure AAA parameters.# Configure the RADIUS server template tem_rad, and configure the parameters for interconnection between ACs and the RADIUS server, including the IP addresses, port numbers, authentication key, and accounting key of the RADIUS authentication and accounting servers.
<CORE-AC1> system-view [CORE-AC1] radius-server template tem_rad [CORE-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812 [CORE-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813 [CORE-AC1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206 [CORE-AC1-radius-tem_rad] quit# Configure a RADIUS authorization server and an authorization key.[CORE-AC1] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206# Configure an AAA authentication scheme and an AAA accounting scheme, set the authentication and accounting modes to RADIUS, and set the accounting interval to 15 minutes.[CORE-AC1] aaa [CORE-AC1-aaa] authentication-scheme auth [CORE-AC1-aaa-authen-auth] authentication-mode radius [CORE-AC1-aaa-authen-auth] quit [CORE-aaa] accounting-scheme acco [CORE-AC1-aaa-accounting-acco] accounting-mode radius [CORE-AC1-aaa-accounting-acco] accounting realtime 15 [CORE-AC1-aaa-accounting-acco] quit
- Configure authentication-free resources and network access rights for successfully authenticated users.# Configure authentication-free resources to allow packets destined for the DNS server to pass through.
[CORE-AC1] free-rule-template name default_free_rule [CORE-AC1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32 [CORE-AC1-free-rule-default_free_rule] quit
# Configure network access rights for successfully authenticated employees to allow them to access the Internet, DNS server, and service server and to communicate with each other.ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network segments of wireless users and all the network segments that wireless users can access. Otherwise, all packets of wireless users are discarded on APs even if the users are successfully authenticated.
[CORE-AC1] acl 3001 [CORE-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 [CORE-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 [CORE-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 [CORE-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 [CORE-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.50.0 0.0.0.255 [CORE-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.60.0 0.0.0.255 [CORE-AC1-acl-adv-3001] rule 7 deny ip destination any [CORE-AC1-acl-adv-3001] quit
# Configure network access rights for successfully authenticated guests to allow them to access the Internet and DNS server and to communicate with each other.[CORE-AC1] acl 3002 [CORE-AC1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated. [CORE-AC1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated. [CORE-AC1-acl-adv-3002] rule 3 permit ip destination 172.16.40.0 0.0.0.255 //Allow guests to communicate with each other. [CORE-AC1-acl-adv-3002] rule 4 deny ip destination any [CORE-AC1-acl-adv-3002] quit
- Configure 802.1X authentication for employees.# Configure an 802.1X access profile. By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports EAP; otherwise, the RADIUS server cannot process 802.1X authentication requests.
[CORE-AC1] dot1x-access-profile name d1 [CORE-AC1-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees.[CORE-AC1] authentication-profile name p1 [CORE-AC1-authen-profile-p1] dot1x-access-profile d1 [CORE-AC1-authen-profile-p1] free-rule-template default_free_rule [CORE-AC1-authen-profile-p1] authentication-scheme auth [CORE-AC1-authen-profile-p1] accounting-scheme acco [CORE-AC1-authen-profile-p1] radius-server tem_rad [CORE-AC1-authen-profile-p1] quit
# Configure a security policy for wireless access of employees.[CORE-AC1] wlan [CORE-AC1-wlan] security-profile name sec1 [CORE-AC1-wlan-sec-prof-sec1] security wpa2 dot1x aes Warning: This action may cause service interruption. Continue?[Y/N]y [CORE-AC1-wlan-sec-prof-sec1] quit
#Configure 802.1X authentication for wireless access of employees.[CORE-AC1-wlan-view] vap-profile name vap1 [CORE-AC1-wlan-vap-prof-vap1] authentication-profile p1 Warning: This action may cause service interruption. Continue?[Y/N]y [CORE-AC1-wlan-vap-prof-vap1] quit [CORE-AC1-wlan-view] quit
- Configure MAC address-prioritized Portal authentication for guests.# Configure a Portal server template. Configure parameters for interconnection between the AC and Portal server, including the IP address and port number of the Portal server, Portal key, and URL of the Portal page.
[CORE-AC1] web-auth-server tem_portal [CORE-AC1-web-auth-server-tem_portal] server-ip 192.168.100.10 [CORE-AC1-web-auth-server-tem_portal] port 50200 [CORE-AC1-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206 [CORE-AC1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal [CORE-AC1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100. [CORE-AC1-web-auth-server-tem_portal] quit# Configure a Portal access profile.[CORE-AC1] portal-access-profile name web1 [CORE-AC1-portal-acces-profile-web1] web-auth-server tem_portal direct [CORE-AC1-portal-acces-profile-web1] quit
# Configure a MAC access profile.[CORE-AC1] mac-access-profile name mac1 [CORE-AC1-mac-access-profile-mac1] quit
# Configure an authentication profile for guests.[CORE-AC1] authentication-profile name p2 [CORE-AC1-authen-profile-p2] portal-access-profile web1 [CORE-AC1-authen-profile-p2] mac-access-profile mac1 [CORE-AC1-authen-profile-p2] free-rule-template default_free_rule [CORE-AC1-authen-profile-p2] authentication-scheme auth [CORE-AC1-authen-profile-p2] accounting-scheme acco [CORE-AC1-authen-profile-p2] radius-server tem_rad [CORE-AC1-authen-profile-p2] quit
# Configure MAC address-prioritized Portal authentication for guests.[CORE-AC1] wlan [CORE-AC1-wlan-view] vap-profile name vap2 [CORE-AC1-wlan-vap-prof-vap2] authentication-profile p2 Warning: This action may cause service interruption. Continue?[Y/N]y [CORE-AC1-wlan-vap-prof-vap2] quit [CORE-AC1-wlan-view] quit
- Configure AAA parameters.
- Configure Layer 2 transparent transmission for 802.1X authentication packets on access and aggregation switches. The following uses ACC1 as an example. The configurations of other switches are similar to that of ACC1.# Enable this function on all interfaces through which 802.1X authentication packets pass. If a switch does not support the bpdu enable command, you only need to run the l2protocol-tunnel user-defined-protocol 802.1x enable command on its interface.
<ACC1> system-view [ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 [ACC1] interface Eth-Trunk 30 [ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable [ACC1-Eth-Trunk30] quit [ACC1] interface gigabitethernet 0/0/3 [ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable [ACC1-GigabitEthernet0/0/3] quit [ACC1] interface gigabitethernet 0/0/4 [ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable [ACC1-GigabitEthernet0/0/4] quit
- Log in to Agile Controller-Campus, add devices that need to communicate with Agile Controller-Campus, and configure RADIUS and Portal authentication parameters.
# Choose Resource > Device > Device Management, click Add, set parameters according to Table 2-99, and click OK.
Table 2-99 Parameter settings for adding core switches and ACs on Agile Controller-CampusParameter on Agile Controller-Campus
Setting for Core Switches
Setting for ACs
Name
CORE
AC
IP address
192.168.100.1
192.168.20.1
Enable RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain)
Selected
Standby device IP address
-
192.168.20.2
Device series
Huawei S Series
Authentication/Accounting key
YsHsjx_202206
Authorization key
YsHsjx_202206
Real-time accounting interval (minute)
15
Enable Portal (mandatory for Portal authentication)
-
Selected
Portal protocol type
HUAWEI portal protocol
Portal key
YsHsjx_202206
Access terminal IPv4 list
172.16.30.0/24;172.16.40.0/24
Enable heartbeat between access device and Portal server
Selected
Portal server IP address list
192.168.100.10
- Add user groups and user accounts. The following describes how to create an employee group and an employee account. The procedure for creating a guest group and a guest account is similar.
# Choose Resource > User > User Management. Click
in the operation area on the left, add a user group named Employee, and click OK. Click Add in the operation area on the right, and add an employee account.
- Enable MAC address-prioritized Portal authentication.
# Choose System > Terminal Configuration > Global Parameters > Access Management. On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, set Validity period of MAC address (min) to 60, and click OK.
- Configure network access rights for successfully authenticated employees and guests.
# Configure authorization results. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, click Add, set parameters according to Table 2-100, and click OK. Here, the employee authorization result is used as an example.
Table 2-100 Authorization results for employees and guestsName
Authorization Parameter: ACL Number/AAA User Group
Employee authorization result
3001
Guest authorization result
3002
# Configure authorization rules. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, click Add, set parameters according to Table 2-101, and click OK. Here, the employee authorization rule is used as an example.
Table 2-101 Authorization rules for employees and guestsName
Authorization Condition: User Group
Authorization Result
Employee authorization rule
Employee
Employee authorization result
Guest authorization rule
Guest
Guest authorization result
in the operation area on the left, add a user group named Employee, and click OK. Click Add in the operation area on the right, and add an employee account.
Expected Results
- The employees and guest can access only the authentication-free resources, but not resources in post-authentication domains, before they are authenticated or when they fail the authentication.
- The employees and guest can be successfully authenticated and access the network after selecting the correct access mode and entering the correct user names and passwords.
- After being authenticated, the employees and guest can access authentication-free resources and resources in post-authentication domains, but cannot access resources that are denied in the post-authentication domains.
- Employees can communicate with each other, but cannot communicate with the guest.
When a guest accesses the network for the first time, the guest can associate with the WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in the address box of a browser for Portal authentication. On the redirection page that is displayed, the guest can enter the user name and password, and then is successfully authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can directly connect to the WLAN without entering the user name and password again.
Verifying the Deployment
- Verify that the employees and guest can access only the authentication-free resources, but not resources in post-authentication domains, before they are authenticated or when they fail the authentication. The following uses wired access of an employee as an example.# Enter an incorrect user name or password on PC1, and then run the display access-user command on CORE to view information about online users. The command output shows that user1 is online but is in Pre-authen state; that is, authentication has not been performed or user authentication fails.
[CORE] display access-user ------------------------------------------------------------------------------------------------------ UserID Username IP address MAC Status ------------------------------------------------------------------------------------------------------ 114337 user1 172.16.50.110 00e0-fc12-3344 Pre-authen ------------------------------------------------------------------------------------------------------ Total: 1, printed: 1
# On PC1, ping an authentication-free resource, for example, the DNS server with IP address 192.168.100.2. The ping operation succeeds.C:\Users\*******>ping 192.168.100.2 Pinging 192.168.100.2 with 32 bytes of data: Reply from 192.168.100.2: bytes=32 time<1ms TTL=253 Reply from 192.168.100.2: bytes=32 time<1ms TTL=253 Reply from 192.168.100.2: bytes=32 time<1ms TTL=253 Reply from 192.168.100.2: bytes=32 time<1ms TTL=253 Ping statistics for 192.168.100.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\Users\*******># On PC1, ping a resource in the post-authentication domain, for example, the campus egress device with IP address 172.16.3.1. The ping operation fails.C:\Users\*******>ping 172.16.3.1 Pinging 172.16.3.1 with 32 bytes of data: Request time out. Request time out. Request time out. Request time out. Ping statistics for 172.16.3.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\Users\*******> - Verify that the employees and guest can be successfully authenticated and access the network after selecting the correct access mode and entering the correct user names and passwords.# Enter the correct user name and password on PC1, connect to the WLANs Employee and Guest in wireless mode, and then run the display access-user command on CORE and CORE-AC1 to check information about online users. The command output shows that user1, user2, and guest4 are all in Success state.
[CORE] display access-user ------------------------------------------------------------------------------------------------------ UserID Username IP address MAC Status ------------------------------------------------------------------------------------------------------ 115318 user1 172.16.50.110 00e0-fc12-3344 Success ------------------------------------------------------------------------------------------------------ Total: 1, printed: 1
[CORE-AC1] display access-user ------------------------------------------------------------------------------------------------------ UserID Username IP address MAC Status ------------------------------------------------------------------------------------------------------ 16401 guest4 172.16.40.210 00e0-fc12-3355 Success 32788 user2 172.16.30.165 00e0-fc12-3366 Success ------------------------------------------------------------------------------------------------------ Total: 2, printed: 2
# Run the display access-user username user1 detail command on CORE to view detailed authentication and authorization information of user1.[CORE] display access-user username user1 detail Basic: User ID : 115318 User name : user1 Domain-name : huawei.com User MAC : 00e0-fc12-3344 User IP address : 172.16.50.110 User vpn-instance : - User IPv6 address : FE80::E9AA:9FE9:95F9:C499 User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499 User access Interface : Eth-Trunk10 User vlan event : Success QinQVlan/UserVlan : 0/50 User vlan source : user request User access time : 2019/11/26 11:08:16 User accounting session ID : CORE002100000000506e****0304276 User access type : 802.1x Terminal Device Type : Data Terminal Dynamic ACL ID(Effective) : 3001 AAA: User authentication type : 802.1x authentication Current authentication method : RADIUS Current authorization method : - Current accounting method : RADIUS ------------------------------------------------------------------------------ Total: 1, printed: 1# Run the display access-user username user2 detail and display access-user username guest4 detail commands on CORE-AC1 to view detailed authentication and authorization information of user2 and guest4.[CORE-AC1] display access-user username user2 detail Basic: User ID : 32788 User name : user2 User MAC : 00e0-fc12-3366 User IP address : 172.16.30.165 User vpn-instance : - User IPv6 address : - User access Interface : Wlan-Dbss17496 User vlan event : Success QinQVlan/UserVlan : 0/30 User vlan source : user request User access time : 2019/11/26 21:22:53 User accounting session ID : CORE-AC00000000000030f0****0200014 User accounting mult session ID : AC853DA6A42038CADA5E441A5DDD9****690329A User access type : 802.1x AP name : area_1 Radio ID : 0 AP MAC : 00e0-fc12-6660 SSID : Employee Online time : 494(s) Dynamic ACL ID(Effective) : 3001 User Group Priority : 0 AAA: User authentication type : 802.1x authentication Current authentication method : RADIUS Current authorization method : - Current accounting method : RADIUS ------------------------------------------------------------------------------ Total: 1, printed: 1[CORE-AC1] display access-user username guest4 detail Basic: User ID : 16401 User name : guest4 User MAC : 00e0-fc12-3355 User IP address : 172.16.40.210 User vpn-instance : - User IPv6 address : - User access Interface : Wlan-Dbss17497 User vlan event : Success QinQVlan/UserVlan : 0/40 User vlan source : user request User access time : 2019/11/26 21:25:05 User accounting session ID : CORE-AC000000000000401c****0100011 User accounting mult session ID : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF User access type : WEB AP name : area_1 Radio ID : 0 AP MAC : 00e0-fc12-6660 SSID : Guest Online time : 421(s) Web-server IP address : 192.168.100.10 Dynamic ACL ID(Effective) : 3002 User Group Priority : 0 AAA: User authentication type : WEB authentication Current authentication method : RADIUS Current authorization method : - Current accounting method : RADIUS ------------------------------------------------------------------------------ Total: 1, printed: 1 - Verify that the successfully authenticated employees and guest can access authentication-free resources and resources in post-authentication domains, but cannot access resources that are denied in the post-authentication domains. The following uses wired access of an employee as an example.# On PC1, ping an authentication-free resource, for example, the DNS server with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2 Pinging 192.168.100.2 with 32 bytes of data: Reply from 192.168.100.2: bytes=32 time=1ms TTL=253 Reply from 192.168.100.2: bytes=32 time=1ms TTL=253 Reply from 192.168.100.2: bytes=32 time=1ms TTL=253 Reply from 192.168.100.2: bytes=32 time=1ms TTL=253 Ping statistics for 192.168.100.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms C:\Users\*******># On PC1, ping the service server with IP address 192.168.100.3. The ping operation succeeds.C:\Users\*******>ping 192.168.100.3 Pinging 192.168.100.3 with 32 bytes of data: Reply from 192.168.100.3: bytes=32 time=1ms TTL=253 Reply from 192.168.100.3: bytes=32 time=1ms TTL=253 Reply from 192.168.100.3: bytes=32 time=1ms TTL=253 Reply from 192.168.100.3: bytes=32 time=1ms TTL=253 Ping statistics for 192.168.100.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms C:\Users\*******># On PC1, ping a resource in the post-authentication domain, for example, the campus egress device with IP address 172.16.3.1. The ping operation succeeds.C:\Users\*******>ping 172.16.3.1 Pinging 172.16.3.1 with 32 bytes of data: Reply from 172.16.3.1: bytes=32 time<1ms TTL=254 Reply from 172.16.3.1: bytes=32 time<1ms TTL=254 Reply from 172.16.3.1: bytes=32 time<1ms TTL=254 Reply from 172.16.3.1: bytes=32 time<1ms TTL=254 Ping statistics for 172.16.3.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\Users\*******># On PC1, ping a resource denied in the post-authentication domain, for example, the special server with IP address 192.168.100.100. The ping operation fails.C:\Users\*******>ping 192.168.100.100 Pinging 192.168.100.100 with 32 bytes of data: Request time out. Request time out. Request time out. Request time out. Ping statistics for 192.168.100.100: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\Users\*******> - Verify that employees can communicate with each other, but cannot communicate with the guest.# On PC1, ping the IP address of the terminal used by the wireless employee account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.165 Pinging 172.16.30.165 with 32 bytes of data: Reply from 172.16.30.165: bytes=32 time=175ms TTL=62 Reply from 172.16.30.165: bytes=32 time=60ms TTL=62 Reply from 172.16.30.165: bytes=32 time=81ms TTL=62 Reply from 172.16.30.165: bytes=32 time=102ms TTL=62 Ping statistics for 172.16.30.165: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 60ms, Maximum = 175ms, Average = 104ms C:\Users\*******># On PC1, ping the IP address of the wireless terminal used by guest4. The ping operation fails.C:\Users\*******>ping 172.16.40.210 Pinging 172.16.40.210 with 32 bytes of data: Request time out. Request time out. Request time out. Request time out. Ping statistics for 172.16.40.210: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), C:\Users\*******>
Configuration Files
- CORE configuration file
# sysname CORE # vlan batch 20 30 40 50 60 1000 # authentication-profile name p1 dot1x-access-profile d1 free-rule-template default_free_rule access-domain huawei.com force # dhcp enable # dhcp snooping enable # radius-server template tem_rad radius-server shared-key cipher %^%#P&%q-,!CC~Ng<^1w;LT:NQj&B.*@a~V.Zi+<pA0H%^%# radius-server authentication 192.168.100.10 1812 weight 80 radius-server accounting 192.168.100.10 1813 weight 80 radius-server authorization 192.168.100.10 shared-key cipher %^%#x`c[=x{ot~7c@T@8fMb'+lGz74$gT6:Kc/DZ1K5Z%^%# # acl number 3001 rule 1 permit ip destination 172.16.3.0 0.0.0.255 rule 2 permit ip destination 192.168.100.2 0 rule 3 permit ip destination 192.168.100.3 0 rule 4 permit ip destination 172.16.30.0 0.0.0.255 rule 5 permit ip destination 172.16.50.0 0.0.0.255 rule 6 permit ip destination 172.16.60.0 0.0.0.255 rule 7 deny ip # free-rule-template name default_free_rule free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255 free-rule 2 source vlan 20 # vlan 50 dhcp snooping enable vlan 60 dhcp snooping enable # aaa authentication-scheme auth authentication-mode radius accounting-scheme acco accounting-mode radius accounting realtime 15 domain huawei.com authentication-scheme auth accounting-scheme acco radius-server tem_rad # interface Vlanif20 ip address 192.168.20.20 255.255.255.0 # interface Vlanif30 ip address 172.16.30.3 255.255.255.0 # interface Vlanif40 ip address 172.16.40.3 255.255.255.0 # interface Vlanif50 ip address 172.16.50.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server dns-list 192.168.100.2 # interface Vlanif60 ip address 172.16.60.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server dns-list 192.168.100.2 # interface Vlanif1000 ip address 192.168.100.1 255.255.255.0 # interface Eth-Trunk1 description con to CORE-AC1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 30 40 mode lacp # interface Eth-Trunk2 description con to CORE-AC2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 30 40 mode lacp # interface Eth-Trunk10 description con to AGG1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 50 authentication-profile p1 mode lacp # interface Eth-Trunk20 description con to AGG2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 60 authentication-profile p1 mode lacp # interface Eth-Trunk30 description con to Internet undo portswitch ip address 172.16.3.1 255.255.255.0 mode lacp # interface XGigabitEthernet1/1/0/1 eth-trunk 10 # interface XGigabitEthernet1/1/0/2 eth-trunk 20 # interface XGigabitEthernet1/1/0/3 eth-trunk 1 # interface XGigabitEthernet1/1/0/4 eth-trunk 2 # interface XGigabitEthernet1/1/0/5 eth-trunk 30 # interface XGigabitEthernet1/2/0/1 port link-type access port default vlan 1000 # interface XGigabitEthernet2/1/0/1 eth-trunk 20 # interface XGigabitEthernet2/1/0/2 eth-trunk 10 # interface XGigabitEthernet2/1/0/3 eth-trunk 1 # interface XGigabitEthernet2/1/0/4 eth-trunk 2 # interface XGigabitEthernet2/1/0/5 eth-trunk 30 # dot1x-access-profile name d1 # return - CORE-AC1 configuration file
# sysname CORE-AC1 # vrrp recover-delay 60 # vlan batch 20 30 40 100 # authentication-profile name p1 dot1x-access-profile d1 free-rule-template default_free_rule authentication-scheme auth accounting-scheme acco radius-server tem_rad authentication-profile name p2 mac-access-profile mac1 portal-access-profile web1 free-rule-template default_free_rule authentication-scheme auth accounting-scheme acco radius-server tem_rad # dhcp enable # dhcp snooping enable # vlan 30 dhcp snooping enable vlan 40 dhcp snooping enable # radius-server template tem_rad radius-server shared-key cipher %^%#!XJ(Vgk2'$xrU{5H..g"f)`<ELF*e${j(A>B~f<%%^%# radius-server authentication 192.168.100.10 1812 weight 80 radius-server accounting 192.168.100.10 1813 weight 80 radius-server authorization 192.168.100.10 shared-key cipher %^%#Kc8XWx+M%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%# # acl number 3001 rule 1 permit ip destination 172.16.3.0 0.0.0.255 rule 2 permit ip destination 192.168.100.2 0 rule 3 permit ip destination 192.168.100.3 0 rule 4 permit ip destination 172.16.30.0 0.0.0.255 rule 5 permit ip destination 172.16.50.0 0.0.0.255 rule 6 permit ip destination 172.16.60.0 0.0.0.255 rule 7 deny ip acl number 3002 rule 1 permit ip destination 172.16.3.0 0.0.0.255 rule 2 permit ip destination 192.168.100.2 0 rule 3 permit ip destination 172.16.40.0 0.0.0.255 rule 4 deny ip # free-rule-template name default_free_rule free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255 # web-auth-server tem_portal server-ip 192.168.100.10 port 50200 shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%# url http://192.168.100.10:8080/portal server-detect interval 100 max-times 5 action log # portal-access-profile name web1 web-auth-server tem_portal direct # aaa authentication-scheme auth authentication-mode radius accounting-scheme acco accounting-mode radius accounting realtime 15 # interface Vlanif20 ip address 192.168.20.1 255.255.255.0 vrrp vrid 1 virtual-ip 192.168.20.3 admin-vrrp vrid 1 vrrp vrid 1 priority 120 vrrp vrid 1 preempt-mode timer delay 1200 dhcp select interface dhcp server excluded-ip-address 192.168.20.2 dhcp server excluded-ip-address 192.168.20.20 # interface Vlanif30 ip address 172.16.30.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server excluded-ip-address 172.16.30.2 172.16.30.3 dhcp server dns-list 192.168.100.2 # interface Vlanif40 ip address 172.16.40.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server excluded-ip-address 172.16.40.2 172.16.40.3 dhcp server dns-list 192.168.100.2 # interface Vlanif100 ip address 172.16.100.1 255.255.255.0 # interface Eth-Trunk1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 30 40 mode lacp # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface XGigabitEthernet0/0/21 eth-trunk 1 # interface XGigabitEthernet0/0/22 eth-trunk 1 # ip route-static 0.0.0.0 0.0.0.0 192.168.20.20 # capwap source interface vlanif20 # hsb-service 0 service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241 # hsb-group 0 track vrrp vrid 1 interface Vlanif20 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan traffic-profile name traff user-isolate l2 security-profile name sec1 security wpa2 dot1x aes security-profile name sec2 security open ssid-profile name ssid1 ssid Employee ssid-profile name ssid2 ssid Guest vap-profile name vap1 forward-mode tunnel service-vlan vlan-id 30 ssid-profile ssid1 security-profile sec1 traffic-profile traff authentication-profile p1 ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict vap-profile name vap2 forward-mode tunnel service-vlan vlan-id 40 ssid-profile ssid2 security-profile sec2 traffic-profile traff authentication-profile p2 ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict regulatory-domain-profile name domain1 ap-group name ap-group1 regulatory-domain-profile domain1 radio 0 vap-profile vap1 wlan 1 vap-profile vap2 wlan 2 radio 1 vap-profile vap1 wlan 1 vap-profile vap2 wlan 2 ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316 ap-name area_1 ap-group ap-group1 ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583 ap-name area_2 ap-group ap-group1 master controller master-redundancy track-vrrp vrid 1 interface Vlanif20 master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%# # dot1x-access-profile name d1 # mac-access-profile name mac1 # return - CORE-AC2 configuration file
# sysname CORE-AC2 # vrrp recover-delay 60 # vlan batch 20 30 40 100 # authentication-profile name p1 dot1x-access-profile d1 free-rule-template default_free_rule authentication-scheme auth accounting-scheme acco radius-server tem_rad authentication-profile name p2 mac-access-profile mac1 portal-access-profile web1 free-rule-template default_free_rule authentication-scheme auth accounting-scheme acco radius-server tem_rad # dhcp enable # dhcp snooping enable # vlan 30 dhcp snooping enable vlan 40 dhcp snooping enable # radius-server template tem_rad radius-server shared-key cipher %^%#!XJ(Vgk2'$xrU{5H..g"f)`<ELF*e${j(A>B~f<%%^%# radius-server authentication 192.168.100.10 1812 weight 80 radius-server accounting 192.168.100.10 1813 weight 80 radius-server authorization 192.168.100.10 shared-key cipher %^%#Kc8XWx+M%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%# # acl number 3001 rule 1 permit ip destination 172.16.3.0 0.0.0.255 rule 2 permit ip destination 192.168.100.2 0 rule 3 permit ip destination 192.168.100.3 0 rule 4 permit ip destination 172.16.30.0 0.0.0.255 rule 5 permit ip destination 172.16.50.0 0.0.0.255 rule 6 permit ip destination 172.16.60.0 0.0.0.255 rule 7 deny ip acl number 3002 rule 1 permit ip destination 172.16.3.0 0.0.0.255 rule 2 permit ip destination 192.168.100.2 0 rule 3 permit ip destination 172.16.40.0 0.0.0.255 rule 4 deny ip # free-rule-template name default_free_rule free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255 # web-auth-server tem_portal server-ip 192.168.100.10 port 50200 shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%# url http://192.168.100.10:8080/portal server-detect interval 100 max-times 5 action log # portal-access-profile name web1 web-auth-server tem_portal direct # aaa authentication-scheme auth authentication-mode radius accounting-scheme acco accounting-mode radius accounting realtime 15 # interface Vlanif20 ip address 192.168.20.2 255.255.255.0 vrrp vrid 1 virtual-ip 192.168.20.3 admin-vrrp vrid 1 dhcp select interface dhcp server excluded-ip-address 192.168.20.1 dhcp server excluded-ip-address 192.168.20.20 # interface Vlanif30 ip address 172.16.30.2 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server excluded-ip-address 172.16.30.1 dhcp server excluded-ip-address 172.16.30.3 dhcp server dns-list 192.168.100.2 # interface Vlanif40 ip address 172.16.40.2 255.255.255.0 arp-proxy inner-sub-vlan-proxy enable dhcp select interface dhcp server excluded-ip-address 172.16.40.1 dhcp server excluded-ip-address 172.16.40.3 dhcp server dns-list 192.168.100.2 # interface Vlanif100 ip address 172.16.100.2 255.255.255.0 # interface Eth-Trunk2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 30 40 mode lacp # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface XGigabitEthernet0/0/21 eth-trunk 2 # interface XGigabitEthernet0/0/22 eth-trunk 2 # ip route-static 0.0.0.0 0.0.0.0 192.168.20.20 # capwap source interface vlanif20 # hsb-service 0 service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241 # hsb-group 0 track vrrp vrid 1 interface Vlanif20 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan traffic-profile name traff user-isolate l2 security-profile name sec1 security wpa2 dot1x aes security-profile name sec2 security open ssid-profile name ssid1 ssid Employee ssid-profile name ssid2 ssid Guest vap-profile name vap1 forward-mode tunnel service-vlan vlan-id 30 ssid-profile ssid1 security-profile sec1 traffic-profile traff authentication-profile p1 ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict vap-profile name vap2 forward-mode tunnel service-vlan vlan-id 40 ssid-profile ssid2 security-profile sec2 traffic-profile traff authentication-profile p2 ip source check user-bind enable arp anti-attack check user-bind enable learn-client-address dhcp-strict regulatory-domain-profile name domain1 ap-group name ap-group1 regulatory-domain-profile domain1 radio 0 vap-profile vap1 wlan 1 vap-profile vap2 wlan 2 radio 1 vap-profile vap1 wlan 1 vap-profile vap2 wlan 2 ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316 ap-name area_1 ap-group ap-group1 ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583 ap-name area_2 ap-group ap-group1 master controller master-redundancy track-vrrp vrid 1 interface Vlanif20 master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk%^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%# # dot1x-access-profile name d1 # mac-access-profile name mac1 # return - AGG1 configuration file
# sysname AGG1 # vlan batch 20 50 # l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 # interface Eth-Trunk10 description connect to CORE port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 50 l2protocol-tunnel user-defined-protocol 802.1x enable mode lacp # interface Eth-Trunk30 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 50 l2protocol-tunnel user-defined-protocol 802.1x enable mode lacp port-isolate enable group 1 # interface GigabitEthernet0/0/3 eth-trunk 30 # interface GigabitEthernet1/0/3 eth-trunk 30 # interface XGigabitEthernet0/0/1 eth-trunk 10 # interface XGigabitEthernet1/0/1 eth-trunk 10 # return
- AGG2 configuration file
# sysname AGG2 # vlan batch 20 60 # l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 # interface Eth-Trunk20 description connect to CORE port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 60 l2protocol-tunnel user-defined-protocol 802.1x enable mode lacp # interface Eth-Trunk40 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 60 l2protocol-tunnel user-defined-protocol 802.1x enable mode lacp port-isolate enable group 1 # interface GigabitEthernet0/0/3 eth-trunk 40 # interface GigabitEthernet1/0/3 eth-trunk 40 # interface XGigabitEthernet0/0/1 eth-trunk 20 # interface XGigabitEthernet1/0/1 eth-trunk 20 # return
- ACC1 configuration file
# sysname ACC1 # vlan batch 20 50 # l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 # interface Eth-Trunk30 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 50 l2protocol-tunnel user-defined-protocol 802.1x enable mode lacp # interface GigabitEthernet0/0/1 eth-trunk 30 # interface GigabitEthernet0/0/2 eth-trunk 30 # interface GigabitEthernet0/0/3 port link-type access port default vlan 50 stp edged-port enable l2protocol-tunnel user-defined-protocol 802.1x enable port-isolate enable group 1 # interface GigabitEthernet0/0/4 port link-type access port default vlan 20 stp edged-port enable l2protocol-tunnel user-defined-protocol 802.1x enable port-isolate enable group 1 # return
- ACC2 configuration file
# sysname ACC2 # vlan batch 20 60 # l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 # interface Eth-Trunk40 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 60 l2protocol-tunnel user-defined-protocol 802.1x enable mode lacp # interface GigabitEthernet0/0/1 eth-trunk 40 # interface GigabitEthernet0/0/2 eth-trunk 40 # interface GigabitEthernet0/0/3 port link-type access port default vlan 60 stp edged-port enable l2protocol-tunnel user-defined-protocol 802.1x enable port-isolate enable group 1 # interface GigabitEthernet0/0/4 port link-type access port default vlan 20 stp edged-port enable l2protocol-tunnel user-defined-protocol 802.1x enable port-isolate enable group 1 # return