Typical NAC Configuration (Unified Mode) (iMaster NCE-Campus Functioning as the Authentication Server)
The configuration examples in this chapter assume that iMaster NCE-Campus V300R020C10 only provides authentication functions but does not manage devices, and switches run V200R020C00 or later versions. The GUIs and operation procedures may vary according to the version of iMaster NCE-Campus. Perform operations based on the actual version used on the live network. For details about how iMaster NCE-Campus manages devices, see CloudCampus Solution.
Configuring Wired 802.1X Authentication
Networking Requirements
The user accounts and organization structure of an enterprise are maintained on the AD server. A wired network access solution is required on the campus network to meet the non-mobile office requirements. For security purposes, users access the network using wired 802.1X authentication.
Users can access the Internet only after they are authenticated.
Data Plan
| VLAN ID | Function |
|---|---|
| 101 | Service VLAN for wired access |
| 102 | VLAN for communication between the aggregation and core layers |
| 200 | VLAN for communication between the core layer and server zone |
| Item | Data | Description |
|---|---|---|
| Access switch | GE 0/0/2, VLAN 101 | Uplink interface, which connects to the aggregation switch |
| | GE 0/0/1, VLAN 101 | Downlink interface, which connects to terminal users |
| Aggregation switch | GE 0/0/2, VLAN 102; VLANIF 102: 192.168.100.100/24 | Uplink interface, which connects to the core switch |
| | GE 0/0/1, VLAN 101; VLANIF 101: 172.16.11.254/24 | Downlink interface, which connects to the access switch; gateway for terminal users |
| Core switch | GE 1/0/2, VLAN 200; VLANIF 200: 192.168.11.254/24 | Uplink interface, which connects to the server zone; gateway for servers |
| | GE 1/0/1, VLAN 102; VLANIF 102: 192.168.100.200/24 | Downlink interface, which connects to the aggregation switch |
| Server | | - |

| Item | Data | Description |
|---|---|---|
| RADIUS | | The authentication control device functions as a RADIUS client and iMaster NCE-Campus as a RADIUS server. The authentication and accounting key, authorization key, and accounting interval must be the same on both. iMaster NCE-Campus functioning as the RADIUS server uses port 1812 for authentication and port 1813 for accounting. |
| Pre-authentication domain | DNS server, iMaster NCE-Campus, and AD server | - |
| Post-authentication domain | Internet | - |
Configuration Roadmap
- Configure VLANs, IP addresses, and routes on the access switch, aggregation switch, and core switch to ensure network connectivity.
- Set RADIUS interconnection parameters and wired access service parameters on the aggregation switch to implement wired 802.1X access.
- Add an authentication device on iMaster NCE-Campus, and configure authentication and authorization to assign specified rights to authenticated users.
Procedure
- [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
- Configure the access switch.
```
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 101
[ACC-vlan101] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 101
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[ACC-GigabitEthernet0/0/2] quit
```
- Configure the aggregation switch.
```
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] dhcp enable
[AGG] vlan batch 101 to 102
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface vlanif 101
[AGG-Vlanif101] ip address 172.16.11.254 255.255.255.0
[AGG-Vlanif101] dhcp select interface //Configure the device as a gateway to assign IP addresses to users.
[AGG-Vlanif101] dhcp server dns-list 192.168.11.1 //Configure a DNS server to resolve Internet domain names for Internet access.
[AGG-Vlanif101] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface vlanif 102
[AGG-Vlanif102] ip address 192.168.100.100 255.255.255.0
[AGG-Vlanif102] quit
[AGG] ip route-static 192.168.11.0 255.255.255.0 192.168.100.200 //Configure a route to the network segment of the authentication server.
```
- Configure the core switch.
```
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 102 200
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] port link-type trunk
[Core-GigabitEthernet1/0/1] port trunk allow-pass vlan 102
[Core-GigabitEthernet1/0/1] quit
[Core] interface vlanif 102
[Core-Vlanif102] ip address 192.168.100.200 255.255.255.0
[Core-Vlanif102] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] port link-type trunk
[Core-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Core-GigabitEthernet1/0/2] quit
[Core] interface vlanif 200
[Core-Vlanif200] ip address 192.168.11.254 255.255.255.0
[Core-Vlanif200] quit
[Core] ip route-static 172.16.11.0 255.255.255.0 192.168.100.100 //Configure a route to the network segment where terminals reside.
```
- [Device] Configure EAP packet transparent transmission to transparently transmit EAP packets from terminal users to the authentication control device. (Aggregation-layer authentication)
The values of protocol-mac and group-mac cannot be any of the following:
- Reserved multicast MAC addresses: 0180-C200-0000 to 0180-C200-002F
- Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
- Destination MAC address of Smart Link packets: 010F-E200-0004
- Common multicast MAC addresses that have been used on the device
- Define Layer 2 transparent transmission of EAP packets.
```
[ACC] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
```
- Enable transparent transmission of Layer 2 protocol packets on the uplink and downlink interfaces of the access switch.
```
[ACC] interface GigabitEthernet 0/0/1
[ACC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[ACC-GigabitEthernet0/0/1] bpdu enable
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface GigabitEthernet 0/0/2
[ACC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[ACC-GigabitEthernet0/0/2] bpdu enable
[ACC-GigabitEthernet0/0/2] quit
```
- [Device] Set 802.1X authentication parameters to implement 802.1X authentication for terminal users.
- Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
```
[AGG] authentication unified-mode //The default value is unified-mode. You can skip this command if the default mode is currently used.
[AGG] radius-server template radius_huawei
[AGG-radius-radius_huawei] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[AGG-radius-radius_huawei] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[AGG-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206
[AGG-radius-radius_huawei] radius-attribute nas-ip 192.168.100.100
[AGG-radius-radius_huawei] quit
[AGG] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
[AGG] aaa
[AGG-aaa] authentication-scheme auth_scheme //Configure an authentication scheme.
[AGG-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AGG-aaa-authen-auth_scheme] quit
[AGG-aaa] accounting-scheme acco_scheme //Configure an accounting scheme.
[AGG-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS.
[AGG-aaa-accounting-acco_scheme] accounting realtime 15
[AGG-aaa-accounting-acco_scheme] quit
```
Real-time accounting is configured between the authentication control device and iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent online status information. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the number of users.
Table 3-128 Accounting interval

| Number of Users | Real-Time Accounting Interval |
|---|---|
| 1 to 99 | 3 minutes |
| 100 to 499 | 6 minutes |
| 500 to 999 | 12 minutes |
| ≥ 1000 | ≥ 15 minutes |
- Apply the RADIUS server template, authentication scheme, and accounting scheme to the global default domain.
```
[AGG-aaa] domain default
[AGG-aaa-domain-default] authentication-scheme auth_scheme
[AGG-aaa-domain-default] accounting-scheme acco_scheme
[AGG-aaa-domain-default] radius-server radius_huawei
[AGG-aaa-domain-default] quit
[AGG-aaa] quit
```
- Configure a global default domain.
```
[AGG] domain default //Configure a global default domain.
```
The global default domain is default. If the domain needs to be changed, create the required domain in the AAA view and set it as the global default domain.
- [Device] Configure the bypass function so that services are not affected when iMaster NCE-Campus is faulty.
- Configure a service scheme and define resources that users can access when the bypass path is enabled.
# Run the ucl-group { group-index | name group-name } command to create a UCL group, and bind the UCL group to a service scheme.
```
[AGG] ucl-group 10 name ucl_server_down
[AGG] aaa
[AGG-aaa] service-scheme server_down
[AGG-aaa-service-server_down] ucl-group name ucl_server_down
[AGG-aaa-service-server_down] quit
[AGG-aaa] quit
```
# Create a user ACL (with a number from 6000 to 9999) in the system view and specify the service resources that users in the UCL group can access in the ACL view. When the authentication server is down, users belong to the UCL group that is bound to the service scheme.
```
[AGG] acl 6001
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.1 0
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.10 0
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.100 0
[AGG-acl-ucl-6001] quit
```
# Run the traffic-filter inbound acl acl-number command in the system view to configure ACL-based packet filtering. The UCL group-based rules take effect only after this command is executed.
```
[AGG] traffic-filter inbound acl 6001
```
- [Device] Configure the pre-authentication and post-authentication access resources for terminal users.
- Configure pre-authentication domains, which specify resources that users can access in the server zone without authentication.
```
[AGG] free-rule-template name default_free_rule
[AGG-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
[AGG-free-rule-default_free_rule] quit
```
- Configure an authentication profile, bind it to an 802.1X access profile and the free rule template, and specify the service scheme to authorize when the authentication server is unreachable.
```
[AGG] dot1x-access-profile name dot1x_access_profile1
[AGG-dot1x-access-profile-dot1x_access_profile1] quit
[AGG] authentication-profile name dot1x_authen_profile1
[AGG-authen-profile-dot1x_authen_profile1] dot1x-access-profile dot1x_access_profile1
[AGG-authen-profile-dot1x_authen_profile1] free-rule-template default_free_rule //Apply the pre-authentication free rules to this profile (as in the AGG configuration file).
[AGG-authen-profile-dot1x_authen_profile1] authentication event pre-authen action authorize service-scheme server_down
[AGG-authen-profile-dot1x_authen_profile1] quit
```
- Enable 802.1X authentication.
```
[AGG] interface GigabitEthernet 0/0/1
[AGG-GigabitEthernet0/0/1] authentication-profile dot1x_authen_profile1
[AGG-GigabitEthernet0/0/1] quit
```
- Configure post-authentication domains, which use an ACL to specify the resources that users can access after passing authentication. The ACL is referenced by the authorization result on iMaster NCE-Campus.
```
[AGG] acl 3001
[AGG-acl-adv-3001] rule 1 permit ip
[AGG-acl-adv-3001] quit
```
- [iMaster NCE-Campus] Configure interconnection with an AD server (AD domain account authentication scenario) by referring to Configuring Interconnection with an AD/LDAP Server, and synchronize data by referring to Configuring Synchronization from an AD/LDAP Server.
- [iMaster NCE-Campus] Add an authentication control device to implement RADIUS interconnection with the authentication control device.
Choose Admission > Admission Resources > Admission Device, click Create, and add a switch.
| iMaster NCE-Campus Parameter | Device Command |
|---|---|
| IP address | radius-attribute nas-ip 192.168.100.100 |
| Device Series | Huawei Engine |
| Authentication/Accounting key | radius-server shared-key cipher YsHsjx_202206 |
| Authorization key | radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206 |
| Accounting interval (min) | accounting realtime 15 |
- [iMaster NCE-Campus] Configure authentication and authorization. Terminal users match the rules based on specified conditions.
- Choose Admission > Admission Policy > Authentication and Authorization. Click the Authentication Rule tab and modify the default authentication rule or create an authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only on the local data source. If the AD server is not added as a data source, AD accounts will fail to be authenticated.
- Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Result tab, and add an ACL for authorization.
The ACL numbers must be the same as those configured on the authentication control device.
- Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Rules tab, and create an authorization rule. Associate the authorization result created in the previous step with the authorization rule to specify the resources that users can access after being authenticated.
Verification
Users use the built-in 802.1X client of the OS for authentication.
- Fixed terminal users can ping resources in the server zone before successful authentication.
- Fixed terminal users can automatically obtain IP addresses on network segment 172.16.11.0/24 and ping Internet resources after successful authentication.
- An administrator can view detailed online user information by running the display access-user and display access-user user-id user-id commands on the aggregation switch.
- The RADIUS Login and Logout logs under Monitoring > Event Logs > Terminal Authentication Logs on iMaster NCE-Campus contain detailed information about the fixed terminal users.
Configuration Files
ACC configuration file
```
#
sysname ACC
#
vlan 101
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 101
 l2protocol-tunnel user-defined-protocol dot1x enable
 bpdu enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
 l2protocol-tunnel user-defined-protocol dot1x enable
 bpdu enable
#
return
```
AGG configuration file
```
#
sysname AGG
#
vlan batch 101 to 102
#
dhcp enable
#
authentication-profile name dot1x_authen_profile1
 dot1x-access-profile dot1x_access_profile1
 free-rule-template default_free_rule
 authentication event pre-authen action authorize service-scheme server_down
#
dot1x-access-profile name dot1x_access_profile1
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#ANM|Cb!>GNo=U@V~_{E1fQ>;I2#2l(3Q%1~Z.u|R%^%#
 radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100 weight 80
 radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100 weight 80
 radius-attribute nas-ip 192.168.100.100
#
radius-server authorization 192.168.11.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
aaa
 authentication-scheme auth_scheme
  authentication-mode radius
 accounting-scheme acco_scheme
  accounting-mode radius
  accounting realtime 15
 service-scheme server_down
  ucl-group name ucl_server_down
 domain default
  authentication-scheme auth_scheme
  accounting-scheme acco_scheme
  radius-server radius_huawei
#
domain default
#
acl 3001
 rule 1 permit ip
#
acl 6001
 rule permit ip source ucl-group name ucl_server_down destination 192.168.11.1 0
 rule permit ip source ucl-group name ucl_server_down destination 192.168.11.10 0
 rule permit ip source ucl-group name ucl_server_down destination 192.168.11.100 0
#
traffic-filter inbound acl 6001
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
 free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
 free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
#
ucl-group 10 name ucl_server_down
#
interface vlanif 101
 ip address 172.16.11.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.11.1
#
interface vlanif 102
 ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
 authentication-profile dot1x_authen_profile1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
ip route-static 192.168.11.0 255.255.255.0 192.168.100.200
#
return
```
Core configuration file
```
#
sysname Core
#
vlan batch 102 200
#
interface vlanif 102
 ip address 192.168.100.200 255.255.255.0
#
interface vlanif 200
 ip address 192.168.11.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 172.16.11.0 255.255.255.0 192.168.100.100
#
return
```
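The following script is an added example, not code from Huawei or iMaster NCE-Campus: it parses a condensed, constructed copy of the AGG and ACC configuration files above and checks the points this section says must agree, namely the RADIUS client parameters against the Admission Device entry on iMaster NCE-Campus, the pre-authentication free rules against the server-down bypass ACL, and the EAP tunnel group-mac against the reserved multicast ranges. The NCE-side values come from the parameter mapping table, and CIPHERTEXT_ELIDED stands in for the encrypted shared key, which cannot be compared from the configuration file.

```python
"""Consistency checks for the wired 802.1X example above (added example, not Huawei's or iMaster
NCE-Campus's code). Parses a VRP-style configuration (one unindented command plus indented
sub-commands per stanza) and checks what the chapter says must agree: RADIUS parameters vs. the
NCE Admission Device entry, pre-auth free rules vs. the server-down bypass ACL, group-mac vs. reserved ranges."""
import re

NCE_DEVICE = {"ip_address": "192.168.100.100", "accounting_interval_min": 15}  # from the mapping table
NCE_SERVER_IP = "192.168.11.10"  # iMaster NCE-Campus RADIUS address used on the page

# Condensed, constructed copy of the AGG configuration file shown above (cipher text elided).
AGG_CONFIG = """\
radius-server template radius_huawei
 radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100 weight 80
 radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100 weight 80
 radius-attribute nas-ip 192.168.100.100
#
radius-server authorization 192.168.11.10 shared-key cipher CIPHERTEXT_ELIDED
#
aaa
 accounting-scheme acco_scheme
  accounting realtime 15
#
acl 6001
 rule permit ip source ucl-group name ucl_server_down destination 192.168.11.1 0
 rule permit ip source ucl-group name ucl_server_down destination 192.168.11.10 0
 rule permit ip source ucl-group name ucl_server_down destination 192.168.11.100 0
#
traffic-filter inbound acl 6001
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
 free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
 free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
"""
ACC_CONFIG = "l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002\n"

def parse_vrp(text):
    """Map each stanza header (unindented line) to its indented sub-commands."""
    stanzas, header = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            header = None  # a '#' line closes the current stanza
        elif raw.startswith(" ") and header is not None:
            stanzas[header].append(raw.strip())
        else:
            header = raw.strip()
            stanzas.setdefault(header, [])
    return stanzas

def _stanza(cfg, prefix):
    return next((v for k, v in cfg.items() if k.startswith(prefix)), [])

def check_radius_client(cfg):
    """Switch-side RADIUS settings that must match the NCE Admission Device entry."""
    problems, tmpl = [], _stanza(cfg, "radius-server template")
    nas_ip = next((l.split()[-1] for l in tmpl if l.startswith("radius-attribute nas-ip")), None)
    if nas_ip != NCE_DEVICE["ip_address"]:
        problems.append(f"nas-ip {nas_ip} differs from the device IP registered on NCE")
    for kind, port in (("authentication", 1812), ("accounting", 1813)):
        m = next((re.match(rf"radius-server {kind} (\S+) (\d+) source ip-address (\S+)", l)
                  for l in tmpl if l.startswith(f"radius-server {kind} ")), None)
        if m is None or m.group(1) != NCE_SERVER_IP or int(m.group(2)) != port:
            problems.append(f"{kind} server must be {NCE_SERVER_IP} on port {port}")
        elif m.group(3) != nas_ip:
            problems.append(f"{kind} source address {m.group(3)} differs from nas-ip")
    if not any(k.startswith(f"radius-server authorization {NCE_SERVER_IP} ") for k in cfg):
        problems.append("no authorization key for the NCE server: authorization/CoA requests fail")
    interval = next((int(l.split()[-1]) for l in _stanza(cfg, "aaa")
                     if l.startswith("accounting realtime ")), None)
    if interval != NCE_DEVICE["accounting_interval_min"]:
        problems.append(f"accounting realtime {interval} differs from the interval entered on NCE")
    return problems

def check_bypass_matches_preauth(cfg):
    """Hosts reachable when NCE is down (UCL ACL) should be exactly the pre-authentication domain."""
    pre = {m.group(1) for l in _stanza(cfg, "free-rule-template")
           if (m := re.search(r"destination ip (\S+)", l))}
    acl = next((k for k in cfg if re.fullmatch(r"acl [6-9]\d{3}", k)), None)  # user ACL 6000-9999
    if acl is None:
        return ["no user ACL (6000-9999) defines what the server-down UCL group may reach"]
    bypass = {m.group(1) for l in cfg[acl]
              if (m := re.search(r"source ucl-group name \S+ destination (\S+) 0$", l))}
    problems = [] if bypass == pre else [f"bypass hosts {sorted(bypass)} != pre-auth hosts {sorted(pre)}"]
    if f"traffic-filter inbound {acl}" not in cfg:
        problems.append(f"'traffic-filter inbound {acl}' missing: the UCL group rules never take effect")
    return problems

# Reserved multicast addresses listed for l2protocol-tunnel on this page. The page's own protocol-mac
# (0180-c200-0003, the standard EAPOL address) lies in the first range, so only group-mac is checked.
RESERVED_MACS = [(0x0180C2000000, 0x0180C200002F), (0x01000CCCCCCC, 0x01000CCCCCCD), (0x010FE2000004, 0x010FE2000004)]

def check_tunnel_group_mac(cfg):
    problems = []
    for hdr in cfg:
        m = re.match(r"l2protocol-tunnel user-defined-protocol (\S+) protocol-mac \S+ group-mac (\S+)", hdr)
        if m and any(lo <= int(m.group(2).replace("-", ""), 16) <= hi for lo, hi in RESERVED_MACS):
            problems.append(f"{m.group(1)}: group-mac {m.group(2)} is a reserved multicast address")
    return problems

def run_all():
    agg, acc = parse_vrp(AGG_CONFIG), parse_vrp(ACC_CONFIG)
    return check_radius_client(agg) + check_bypass_matches_preauth(agg) + check_tunnel_group_mac(acc)
```

Running run_all() on the page's own configuration returns an empty list; each function also takes the output of parse_vrp() on any other exported configuration file.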
Configuring Wireless 802.1X Authentication
Configuration Process Overview
Wireless 802.1X access process
Networking Requirements
The user accounts and organization structure of an enterprise are maintained on the AD server. A wireless network access solution is required on the campus network to meet the mobile office requirements. For security purposes, users access the network using wireless 802.1X authentication.
Users can access the Internet only after they are authenticated.
Data Plan
| VLAN ID | Function |
|---|---|
| 10 | Management VLAN for wireless access |
| 100 | Service VLAN for wireless access |
| Item | Data | Description |
|---|---|---|
| Access switch | GE0/0/2, VLAN 10 | The uplink and downlink interfaces allow only traffic from the management VLAN, and the service VLAN is encapsulated in the management VLAN. |
| | GE0/0/3, VLAN 10 | |
| Aggregation switch | GE0/0/1, VLAN 10 | The downlink interface allows only traffic from the management VLAN, and the service VLAN is encapsulated in the management VLAN. |
| | GE0/0/2, VLAN 100 | The uplink interface allows only traffic from the service VLAN. |
| | GE0/0/3, VLAN 10 and VLAN 100 | Interface of the aggregation switch for interworking with the AC6605 and permitted VLANs |
| AC6605 | GE0/0/1, VLAN 10 and VLAN 100; VLANIF 10: 10.10.10.254/24 | The AC6605 communicates with upstream devices through a service VLAN and with downstream devices through a management VLAN. Gateway for APs. |
| Core router | GE1/0/1: 172.16.21.254/24 | Terminal user gateway. |
| Server | | - |

| Item | Data | Description |
|---|---|---|
| RADIUS | | The authentication control device functions as a RADIUS client and iMaster NCE-Campus as a RADIUS server. The authentication and accounting key, authorization key, and accounting interval must be the same on both. iMaster NCE-Campus functioning as the RADIUS server uses port 1812 for authentication and port 1813 for accounting. |
| Post-authentication domain | Internet | - |
Configuration Roadmap
To ensure unified user traffic control on the WAC, it is recommended that the tunnel forwarding mode be used to forward packets between the WAC and APs.
- Configure VLANs, IP addresses, and routes on the access switch, aggregation switch, and WAC to ensure network connectivity.
- Configure RADIUS interconnection parameters and wireless access service parameters on the WAC to implement wireless 802.1X access.
- Add the WAC on iMaster NCE-Campus and configure the authentication and authorization rules to assign specified rights to authenticated users.
In this example, the core router functions as the user gateway. If the AC6605 needs to function as the user gateway, you only need to configure dhcp select interface in the service VLAN on the AC6605.
This example describes only the configurations of the WAC, aggregation switch, and access switch.
Procedure
- [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
- Configure the access switch.
```
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 10
[ACC-vlan10] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type trunk
[ACC-GigabitEthernet0/0/3] port trunk pvid vlan 10
[ACC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/2] quit
```
- Configure the aggregation switch.
```
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] vlan batch 10 100
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface gigabitethernet 0/0/3
[AGG-GigabitEthernet0/0/3] port link-type trunk
[AGG-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100
[AGG-GigabitEthernet0/0/3] quit
```
- Configure the AC6605.
# Configure the interface to allow traffic from the management VLAN and service VLAN to pass through.
```
<HUAWEI> system-view
[HUAWEI] sysname AC6605
[AC6605] vlan batch 10 100
[AC6605] interface gigabitethernet 0/0/1
[AC6605-GigabitEthernet0/0/1] port link-type trunk
[AC6605-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
[AC6605-GigabitEthernet0/0/1] quit
```
# Configure VLANIF 10 as the gateway for APs to dynamically assign IP addresses to the APs. If the AC6605 functions as the user gateway, configure the gateway IP address on the interface of the service VLAN and enable DHCP.
```
[AC6605] dhcp enable
[AC6605] interface vlanif 10
[AC6605-Vlanif10] ip address 10.10.10.254 24
[AC6605-Vlanif10] dhcp select interface
[AC6605-Vlanif10] quit
```
# Configure a default route with the next hop pointing to the core router.
```
[AC6605] ip route-static 0.0.0.0 0 172.16.21.254
```
- [Device] Set related parameters to enable the AP to go online automatically after the AP connects to the network.
If a Layer 3 network is deployed between the AP and WAC, you need to configure the DHCP Option 43 field on the DHCP server to carry the WAC's IP address in advertisement packets, allowing the AP to discover the WAC.
- Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
- Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address for the WAC.
- Run the following command to enable VLANIF 10 to use the global address pool.
```
[AC6605] dhcp enable
[AC6605] interface vlanif 10
[AC6605-Vlanif10] ip address 10.10.10.254 24
[AC6605-Vlanif10] dhcp select global
[AC6605-Vlanif10] quit
```
# Create an AP group, to which APs with the same configuration are added.
```
[AC6605] wlan
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] quit
```
# Create a regulatory domain profile, configure the WAC country code in the profile, and apply the profile to the corresponding AP group.
```
[AC6605-wlan-view] regulatory-domain-profile name domain1
[AC6605-wlan-regulatory-domain-prof-domain1] country-code cn
[AC6605-wlan-regulatory-domain-prof-domain1] quit
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-group-ap-group1] quit
[AC6605-wlan-view] quit
```
# Configure the WAC's source interface.
```
[AC6605] capwap source interface vlanif 10 //Management VLAN interface
```
# Import an AP to the WAC in offline mode and add the AP to the AP group ap-group1. Assume that the AP's MAC address is 00e0-fc76-a320. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in area 1.
```
[AC6605] wlan
[AC6605-wlan-view] ap auth-mode mac-auth
[AC6605-wlan-view] ap-id 0 ap-mac 00e0-fc76-a320
[AC6605-wlan-ap-0] ap-name area_1
[AC6605-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-0] quit
[AC6605-wlan-view] quit
```
# After the AP is powered on, run the display ap all command to check the AP status. If the State field is displayed as nor, the AP goes online normally.
```
[AC6605] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type          State STA Uptime
-------------------------------------------------------------------------------------
0    00e0-fc76-a320 area_1  ap-group1  10.10.10.122   AP6010DN-AGN  nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
```
- [Device] Set 802.1X authentication parameters to implement 802.1X authentication for terminal users.
- Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
```
[AC6605] radius-server template radius_template
[AC6605-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC6605-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC6605-radius-radius_template] radius-server shared-key cipher YsHsjx_202206
[AC6605-radius-radius_template] called-station-id wlan-user-format ac-mac include-ssid
[AC6605-radius-radius_template] radius-attribute nas-ip 10.10.10.254
[AC6605-radius-radius_template] radius-server user-name original //Configure the device to send the original user name entered by a user to the RADIUS server.
[AC6605-radius-radius_template] quit
[AC6605] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
[AC6605] aaa
[AC6605-aaa] authentication-scheme auth_scheme //Configure an authentication scheme.
[AC6605-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AC6605-aaa-authen-auth_scheme] quit
[AC6605-aaa] accounting-scheme acco_scheme //Configure an accounting scheme.
[AC6605-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS.
[AC6605-aaa-accounting-acco_scheme] accounting realtime 15
[AC6605-aaa-accounting-acco_scheme] quit
[AC6605-aaa] quit
```
Real-time accounting is configured between the authentication control device and iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent online status information. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the number of users.
Table 3-132 Accounting interval

| Number of Users | Real-Time Accounting Interval |
|---|---|
| 1 to 99 | 3 minutes |
| 100 to 499 | 6 minutes |
| 500 to 999 | 12 minutes |
| ≥ 1000 | ≥ 15 minutes |
- Configure an access profile.
The access profile defines the 802.1X authentication protocol and packet processing parameters. By default, the 802.1X access profile uses EAP authentication.
```
[AC6605] dot1x-access-profile name acc_dot1x
[AC6605-dot1x-access-profile-acc_dot1x] quit
```
- Configure an authentication profile. The authentication profile specifies the user access mode through the access profile. Specify RADIUS authentication by binding the RADIUS authentication scheme, accounting scheme, and RADIUS server template.
```
[AC6605] authentication-profile name auth_dot1x
[AC6605-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC6605-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC6605-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC6605-authentication-profile-auth_dot1x] radius-server radius_template
[AC6605-authentication-profile-auth_dot1x] quit
```
- Configure 802.1X service parameters for wireless users.
# Create a security profile security_dot1x and configure a security policy in the profile.
```
[AC6605] wlan
[AC6605-wlan-view] security-profile name security_dot1x
[AC6605-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
[AC6605-wlan-sec-prof-security_dot1x] quit
```
# Create an SSID profile wlan-ssid and set the SSID name to dot1x_access.
```
[AC6605-wlan-view] ssid-profile name wlan-ssid
[AC6605-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-ssid-prof-wlan-ssid] quit
```
# Create a VAP profile wlan-vap, configure the data forwarding mode and service VLAN, and apply the security profile, SSID profile, and authentication profile to the VAP profile.
```
[AC6605-wlan-view] vap-profile name wlan-vap
[AC6605-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC6605-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC6605-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC6605-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC6605-wlan-vap-prof-wlan-vap] quit
```
# Bind a VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.
```
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC6605-wlan-ap-group-ap-group1] quit
[AC6605-wlan-view] quit
```
- [Device] Configure resources that terminal users can access after passing authentication.
iMaster NCE-Campus can authorize authenticated terminal users based on static ACLs, dynamic ACLs, or VLANs. This example uses a static ACL.
For other modes, see Example for Configuring Authorization by VLAN and Example for Configuring Authorization by Dynamic ACL.
```
[AC6605] acl 3001
[AC6605-acl-adv-3001] rule 1 permit ip
[AC6605-acl-adv-3001] quit
```
- [iMaster NCE-Campus] Configure interconnection with an AD server (AD domain account authentication scenario) by referring to Configuring Interconnection with an AD/LDAP Server, and synchronize data by referring to Configuring Synchronization from an AD/LDAP Server.
- [iMaster NCE-Campus] Add an authentication control device to implement RADIUS interconnection with the authentication control device.
Choose Admission > Admission Resources > Admission Device, click Create, and add the AC6605.
| iMaster NCE-Campus Parameter | Device Command |
|---|---|
| IP address | radius-attribute nas-ip 10.10.10.254 |
| Device Series | Huawei Engine |
| CoA Type | Default CoA |
| Authentication/Accounting key | radius-server shared-key cipher YsHsjx_202206 |
| Authorization key | radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206 |
| Accounting interval (min) | accounting realtime 15 |

CoA allows administrators to change the permissions of online users or re-authenticate them through RADIUS. The CoA Type options are:
- Default CoA: CoA packets are sent periodically to update user authorization information.
- No CoA: User authorization information cannot be updated.
- Port Bounce: User authorization information can be updated when the interface to which an online user's terminal connects alternates between Up and Down.
- Reauth: User authorization information can be updated by triggering re-authentication for an online user.
- [iMaster NCE-Campus] Configure authentication and authorization. Terminal users match the rules based on specified conditions.
- Choose Admission > Admission Policy > Authentication and Authorization. Click the Authentication Rule tab and modify the default authentication rule or create an authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only on the local data source. If the AD server is not added as a data source, AD accounts will fail to be authenticated.
- Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Result tab, and add an ACL for authorization.
The ACL numbers must be the same as those configured on the authentication control device.
- Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Rules tab, and create an authorization rule. Associate the authorization result created in the previous step with the authorization rule. Specify resources that users can access after being authenticated.
Verification
- Use a mobile phone to associate with the dot1x_access SSID and enter an AD domain account and password.
- After successful authentication, the phone automatically obtains an IP address in the 172.16.21.0/24 network segment and can access Internet resources.
- An administrator can view detailed information about online users by running the display access-user and display access-user user-id user-id commands on the AC6605.
- The RADIUS authentication logs of the user can be viewed on iMaster NCE-Campus under Monitoring > Event Logs > Terminal Authentication Logs > RADIUS Login and Logout logs.
Configuration Files
ACC configuration file
#
 sysname ACC
#
vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
#
return
AGG configuration file
#
 sysname AGG
#
vlan batch 10 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 100
#
return
AC6605 configuration file
#
 sysname AC6605
#
vlan batch 10 100
#
dhcp enable
#
dot1x-access-profile name acc_dot1x
#
authentication-profile name auth_dot1x
 dot1x-access-profile acc_dot1x
 authentication-scheme auth_scheme
 accounting-scheme acco_scheme
 radius-server radius_template
#
radius-server template radius_template
 radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
 radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
 radius-server shared-key cipher %^%#{0`>1>"`jKr#a-'_0u/$C2M5$3Oc.-giL;Srow9W%^%#
 called-station-id wlan-user-format ac-mac include-ssid
 radius-attribute nas-ip 10.10.10.254
 radius-server user-name original
#
radius-server authorization 192.168.11.10 shared-key cipher %^%#x$`LC*6I3H&~})~8O[$F,,o6FN!+35|H-E3Wi}Z:%^%#
#
aaa
 authentication-scheme auth_scheme
  authentication-mode radius
 accounting-scheme acco_scheme
  accounting-mode radius
  accounting realtime 15
#
interface vlanif 10
 ip address 10.10.10.254 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 100
#
acl 3001
 rule 1 permit ip
#
ip route-static 172.16.11.0 255.255.255.0 192.168.100.100
#
wlan
 security-profile name security_dot1x
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid dot1x_access
 regulatory-domain-profile name domain1
  country-code cn
 ap auth-mode mac-auth
 ap-id 0 ap-mac 00e0-fc76-a320
  ap-name area_1
  ap-group ap-group1
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile security_dot1x
  ssid-profile wlan-ssid
  authentication-profile auth_dot1x
 ap-group name ap-group1
  regulatory-domain-profile domain1
  vap-profile wlan-vap wlan 1 radio all
#
capwap source interface vlanif 10
#
ip route-static 0.0.0.0 0 172.16.21.254
#
return
Configuring Wired Portal Authentication (Aggregation Layer)
Networking Requirements
An enterprise needs to deploy an authentication system to implement access control for employees who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network. All employees' accounts are maintained on the AD server.
The enterprise has the following requirements:
- The authentication operations should be simple. The authentication system only performs access authorization. Minimum client software is installed on user terminals.
- Moderate security control is required. To facilitate maintenance, a moderate number of authentication points need to be deployed on the aggregation switch.
- The authentication system performs unified identity authentication on all terminals attempting to access the campus network and denies the access from unauthorized terminals.
- Terminals can access only public servers (such as the AD and DNS servers) of the enterprise before authentication, and can access all network resources after they are successfully authenticated.
- A bypass path needs to be configured so that terminals can access the service system even when the Portal server is unavailable.
Requirement Analysis
- The enterprise does not want to install extra software on terminals. For this networking, the Portal access control solution is recommended, so that terminals authenticate through web pages.
- Different ACL rules need to be configured on the aggregation switch to control access rights of employees.
VLAN Plan
| VLAN ID | Function |
|---|---|
| 101 | Service VLAN for wired access |
| 102 | VLAN for communication between the aggregation and core layers |
| 200 | VLAN for communication between the core layer and server zone |
Network Data Plan
| Item | Data | Description |
|---|---|---|
| Access switch | GE 0/0/2, VLAN 101 | Uplink interface, which connects to the aggregation switch |
| | GE 0/0/1, VLAN 101 | Downlink interface, which connects to terminal users |
| Aggregation switch | GE 0/0/2, VLAN 102, VLANIF 102: 192.168.100.100/24 | Uplink interface, which connects to the core switch |
| | GE 0/0/1, VLAN 101, VLANIF 101: 172.16.11.254/24 | Downlink interface, which connects to the access switch; gateway for terminal users |
| Core switch | GE 1/0/2, VLAN 200, VLANIF 200: 192.168.11.254/24 | Uplink interface, which connects to the server zone; gateway for servers |
| | GE 1/0/1, VLAN 102, VLANIF 102: 192.168.100.200/24 | Downlink interface, which connects to the aggregation switch |
| Server | | - |
Service Data Plan
| Item | Data | Description |
|---|---|---|
| RADIUS | | The authentication control device functions as a RADIUS client and iMaster NCE-Campus as a RADIUS server. The authentication and accounting key, authorization key, and accounting interval must be the same on them. iMaster NCE-Campus functioning as the RADIUS server uses port 1812 for authentication and port 1813 for accounting. |
| Portal | | When Portal pages are pushed using a domain name, the iMaster NCE-Campus server's domain name is required. iMaster NCE-Campus functioning as the Portal server uses port 50100 as the Portal server port. When a Huawei switch or WAC functions as the authentication control device to provide Portal authentication, the switch or WAC uses port 2000 by default to associate with the Portal server. |
| Pre-authentication domain | DNS server, iMaster NCE-Campus, and AD server | - |
| Post-authentication domain | Internet | - |
Configuration Roadmap
- Configure the access, aggregation, and core switches to ensure network connectivity.
- On the aggregation switch, configure a RADIUS server template, configure authentication, accounting, and authorization schemes in the template, and specify the IP address of the Portal server. In this way, the aggregation switch can communicate with iMaster NCE-Campus.
- Add the switch to iMaster NCE-Campus and configure parameters for the switch to ensure proper association between iMaster NCE-Campus and the switch.
- Add authorization results and rules to grant different access rights to employees after they are successfully authenticated.
Prerequisites
All employees' accounts are maintained on the AD server. Therefore, AD/LDAP synchronization must have been configured so that users can use their AD accounts to complete authentication on iMaster NCE-Campus. For details about the configuration, see AD/LDAP Synchronization.
Procedure
- [Device] Configure the access switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 101
[ACC-vlan101] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 101
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[ACC-GigabitEthernet0/0/2] quit
- [Device] Configure the aggregation switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] dhcp enable
[AGG] vlan batch 101 to 102
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface vlanif 101
[AGG-Vlanif101] ip address 172.16.11.254 255.255.255.0
[AGG-Vlanif101] dhcp select interface //Configure the device as a gateway to assign IP addresses to users.
[AGG-Vlanif101] dhcp server dns-list 192.168.11.1 //Configure a DNS server to resolve Internet domain names for Internet access.
[AGG-Vlanif101] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface vlanif 102
[AGG-Vlanif102] ip address 192.168.100.100 255.255.255.0
[AGG-Vlanif102] quit
[AGG] ip route-static 192.168.11.0 255.255.255.0 192.168.100.200 //Configure a route to the network segment of the authentication server.
- [Device] Configure the core switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 102 200
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] port link-type trunk
[Core-GigabitEthernet1/0/1] port trunk allow-pass vlan 102
[Core-GigabitEthernet1/0/1] quit
[Core] interface vlanif 102
[Core-Vlanif102] ip address 192.168.100.200 255.255.255.0
[Core-Vlanif102] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] port link-type trunk
[Core-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Core-GigabitEthernet1/0/2] quit
[Core] interface vlanif 200
[Core-Vlanif200] ip address 192.168.11.254 255.255.255.0
[Core-Vlanif200] quit
[Core] ip route-static 172.16.11.0 255.255.255.0 192.168.100.100 //Configure a route to the network segment where terminals reside.
- [Device] On the aggregation switch, configure parameters for connecting to the RADIUS server and Portal server to ensure association between iMaster NCE-Campus and the aggregation switch.
- Configure parameters for connecting to the RADIUS server.
[AGG] authentication unified-mode //The default value is unified-mode. You can skip this command if the default mode is used.
[AGG] radius-server template radius_huawei
[AGG-radius-radius_huawei] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[AGG-radius-radius_huawei] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[AGG-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206
[AGG-radius-radius_huawei] radius-attribute nas-ip 192.168.100.100
[AGG-radius-radius_huawei] quit
[AGG] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
[AGG] aaa
[AGG-aaa] authentication-scheme auth_scheme //Configure an authentication scheme.
[AGG-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AGG-aaa-authen-auth_scheme] quit
[AGG-aaa] accounting-scheme acco_scheme //Configure an accounting scheme.
[AGG-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS.
[AGG-aaa-accounting-acco_scheme] accounting realtime 15
[AGG-aaa-accounting-acco_scheme] quit
NAC supports the common configuration mode and unified configuration mode. Compared with the common configuration mode, the unified configuration mode has the following advantages:
- The command lines are easy to understand and the format design meets user requirements.
- Similar concepts are deleted from the function design, and the configuration logic is simpler.
Considering advantages of the unified configuration mode, you are advised to deploy NAC in unified configuration mode.
Real-time accounting is configured between the authentication control device and iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent online status information. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the number of users.
Table 3-136 Accounting interval

| Number of Users | Real-Time Accounting Interval |
|---|---|
| 1 to 99 | 3 minutes |
| 100 to 499 | 6 minutes |
| 500 to 999 | 12 minutes |
| ≥ 1000 | ≥ 15 minutes |
- Apply the RADIUS server template, authentication scheme, and accounting scheme to the global default domain.
[AGG-aaa] domain default
[AGG-aaa-domain-default] authentication-scheme auth_scheme
[AGG-aaa-domain-default] accounting-scheme acco_scheme
[AGG-aaa-domain-default] radius-server radius_huawei
[AGG-aaa-domain-default] quit
[AGG-aaa] quit
- Configure a global default domain.
[AGG] domain default //Configure a global default domain.
The global default domain is default. If the domain needs to be changed, create the required domain in the AAA view and set it as the global default domain.
- Configure parameters for connecting to the Portal server.
[AGG] web-auth-server portal_huawei
[AGG-web-auth-server-portal_huawei] server-source ip-address 192.168.100.100 //Configure the local gateway address for receiving and responding to the packets sent by the Portal server.
[AGG-web-auth-server-portal_huawei] protocol portal //Set the protocol used in Portal authentication to Portal.
[AGG-web-auth-server-portal_huawei] server-ip 192.168.11.10 //Configure the IP address of the Portal server.
[AGG-web-auth-server-portal_huawei] source-ip 192.168.100.100 //Configure the IP address used by the device to communicate with the Portal server.
[AGG-web-auth-server-portal_huawei] port 50100 //The port number is fixed at 50100 when iMaster NCE-Campus functions as the Portal server.
[AGG-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function. After it is enabled in the Portal server template, the device detects all Portal servers configured in the template.
//If the number of consecutive failed detections of a Portal server exceeds max-times, the status of that Portal server changes from Up to Down. If the number of Portal servers in Up state is less than or equal to critical-num, the device performs the configured action so that the administrator learns the real-time Portal server status or users retain certain network access rights.
//The recommended detection interval is 100s.
[AGG-web-auth-server-portal_huawei] quit
[AGG] url-template name url_huawei //Configure a URL template.
[AGG-url-template-url_huawei] url https://access.example.com:19008/portal //access.example.com is the host name of the Portal server. You are advised to push Portal pages by domain name. In this case, configure the mapping between the domain name and the iMaster NCE-Campus IP address on the DNS server.
[AGG-url-template-url_huawei] url-parameter device-ip ac-ip device-mac lsw-mac redirect-url redirect-url user-ipaddress uaddress user-mac umac
//In each pair, the first keyword selects the field carried in the redirect URL and the second sets the parameter name shown in the URL: device-mac lsw-mac carries the MAC address of the device; redirect-url redirect-url carries the URL that the user originally requested.
//The same applies to ssid for wireless users: after ssid ssid is configured, the URL redirected to the user contains ssid=guest, where ssid is the parameter name and guest is the SSID with which the user associates. The second ssid is the transmitted parameter name and cannot be replaced with the actual user SSID.
[AGG-url-template-url_huawei] url-parameter set device-ip 192.168.100.100 //Bind the device IP address.
[AGG-url-template-url_huawei] quit
[AGG] web-auth-server portal_huawei
[AGG-web-auth-server-portal_huawei] url-template url_huawei //Bind the URL template.
[AGG-web-auth-server-portal_huawei] quit
[AGG] portal quiet-period //Enable the quiet function for Portal authentication. With this function enabled, the device discards packets from a user during the quiet period if the user fails Portal authentication more than the specified number of times within 60 seconds. This protects the device from being overloaded by frequent authentication attempts.
[AGG] portal quiet-times 5 //Set the number of authentication failures within 60 seconds which, when exceeded, causes a Portal authentication user to enter the quiet state.
[AGG] portal timer quiet-period 240 //Set the quiet period for Portal authentication users to 240 seconds.
[AGG] web-auth-server listening-port 2000 //The default port number is 2000. If you run this command to change the port number, set the same port number when adding the Portal device to iMaster NCE-Campus.
[AGG] portal-access-profile name portal_access_profile1
[AGG-portal-acces-profile-portal_access_profile1] web-auth-server portal_huawei direct //Configure the Portal server template used by the Portal access profile. If the network between end users and the switch is a Layer 2 network, configure the direct mode. If it is a Layer 3 network, configure the layer3 mode.
[AGG-portal-acces-profile-portal_access_profile1] quit
[AGG] free-rule-template name default_free_rule //These three rules form the pre-authentication domain: the DNS server, iMaster NCE-Campus, and the AD server are reachable before authentication.
[AGG-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
[AGG-free-rule-default_free_rule] quit
[AGG] authentication-profile name portal_authen_profile1
[AGG-authen-profile-portal_authen_profile1] portal-access-profile portal_access_profile1
[AGG-authen-profile-portal_authen_profile1] free-rule-template default_free_rule
[AGG-authen-profile-portal_authen_profile1] quit
[AGG] interface vlanif 101
[AGG-Vlanif101] authentication-profile portal_authen_profile1 //Apply the Portal authentication profile to the interface.
[AGG-Vlanif101] quit
[AGG] acl 3001
[AGG-acl-adv-3001] rule 1 permit ip
[AGG-acl-adv-3001] quit
- By default, iMaster NCE-Campus supports only HTTPS, because HTTP may pose security risks. If HTTP must be used to push Portal pages, enable the HTTP port on the iMaster NCE-Campus management plane. For details, see (Optional) Enabling the HTTP Port. Then, run the following command:
[AGG-url-template-url_huawei] url http://access.example.com:8445/portal //access.example.com is the host name of the Portal server.
- By default, the switch permits resources of the Portal server. Therefore, you do not need to configure an authentication-free rule for the Portal server.
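The quiet function configured above (portal quiet-period, portal quiet-times 5, portal timer quiet-period 240) is easiest to judge by replaying a failure log. The following Python model is an added example, not Huawei code: it tracks failed Portal logins per user MAC inside the 60-second window from the page and reports when the device starts discarding that user's packets. Reading "exceeded" as strictly more than quiet-times failures, and the sample MAC addresses, are this example's assumptions.

```python
from collections import deque
from typing import Deque, Dict, Iterable, Optional, Tuple

# Values from the commands above: portal quiet-times 5 and
# portal timer quiet-period 240. The 60-second window in which failures
# are counted is fixed by the switch.
QUIET_TIMES = 5
QUIET_PERIOD_S = 240
FAILURE_WINDOW_S = 60


class PortalQuietTracker:
    """Model of the Portal quiet function: once a user exceeds quiet-times
    failed logins within the 60 s window, the device discards that user's
    packets for quiet-period seconds. Times are seconds on one clock."""

    def __init__(self, quiet_times: int = QUIET_TIMES,
                 quiet_period: int = QUIET_PERIOD_S,
                 window: int = FAILURE_WINDOW_S) -> None:
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.window = window
        self._failures: Dict[str, Deque[float]] = {}  # user MAC -> failure times
        self._quiet_until: Dict[str, float] = {}      # user MAC -> end of quiet period

    def is_quiet(self, mac: str, now: float) -> bool:
        """True while the device is still discarding this user's packets."""
        return now < self._quiet_until.get(mac, 0.0)

    def record_failure(self, mac: str, now: float) -> str:
        """Register one failed Portal login at time `now` and return what the
        device does with it: "discarded" (user already quiet), "counted", or
        "quiet-entered". "Exceeded" is read literally (assumption): the
        (quiet_times + 1)-th failure inside the window triggers the quiet state."""
        if self.is_quiet(mac, now):
            return "discarded"
        failures = self._failures.setdefault(mac, deque())
        failures.append(now)
        while failures and now - failures[0] > self.window:
            failures.popleft()                 # forget failures older than the window
        if len(failures) > self.quiet_times:
            self._quiet_until[mac] = now + self.quiet_period
            failures.clear()                   # counting restarts after the quiet period
            return "quiet-entered"
        return "counted"

    def record_success(self, mac: str) -> None:
        """A successful login clears the user's failure history."""
        self._failures.pop(mac, None)


def replay(attempts: Iterable[Tuple[float, str, bool]],
           tracker: Optional[PortalQuietTracker] = None) -> Dict[str, float]:
    """Feed (time, user MAC, success) events in time order and return, per
    user, the time at which the user first entered the quiet state."""
    tracker = tracker or PortalQuietTracker()
    entered: Dict[str, float] = {}
    for t, mac, ok in attempts:
        if ok:
            tracker.record_success(mac)
        elif tracker.record_failure(mac, t) == "quiet-entered":
            entered.setdefault(mac, t)
    return entered


# Constructed sample log: one user hammering the login page every 3 s,
# one user with failures spread 20 s apart (never six inside 60 s).
SAMPLE_ATTEMPTS = sorted(
    [(t, "00e0-fc11-aaaa", False) for t in (0, 3, 6, 9, 12, 15)]
    + [(t, "00e0-fc11-bbbb", False) for t in (0, 20, 40, 60, 80, 100)],
    key=lambda event: event[0])
```

The first user enters the quiet state at t=15 s and is ignored until t=255 s; the second user is never quieted because at most four of its failures fall inside any 60-second window.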
- [Device] On the aggregation switch, configure the bypass path. This ensures that services are not affected when iMaster NCE-Campus becomes faulty.
The bypass path is configured to allow users to access specified resources when they fail to be authenticated, ensuring service continuity.
In this example, the bypass path is configured on a switch working in unified mode. The bypass path configuration on a switch working in common mode is different from that in unified mode. To configure a bypass path on a switch working in common mode, configure a critical VLAN using the authentication critical-vlan command or a VLAN using the authentication event command.
- Configure a service scheme and define resources that users can access when the bypass path is enabled.
- Run the service-scheme service-scheme-name command in the AAA view to create the bypass scheme.
- In the bypass scheme, define service resources that users can access when the bypass path is enabled based on ACLs or VLANs.
Table 3-137 Service scheme definition modes

- Definition mode ACL (usage scenario: ACL-based authorization is deployed). Run the acl-id acl-number command to bind an ACL to the service scheme. The ACL specifies resources that users can access after the bypass path is enabled. To retain service access permission after the bypass path is enabled, use the same ACL specified in an authorization result. The bypass path can only be configured globally. It cannot be enabled for employees and disabled for guests, or disabled for employees and enabled for guests.
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme server_down
[HUAWEI-aaa-service-server_down] acl-id 3001
[HUAWEI-aaa-service-server_down] quit
[HUAWEI-aaa] quit
- Definition mode VLAN (usage scenario: VLAN-based authorization is deployed). Run the user-vlan vlan-id command to bind a VLAN to the service scheme. The VLAN specifies resources that users can access after the bypass path is enabled. To retain service access permission after the bypass path is enabled, use the same VLAN specified in an authorization result.
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme server_down
[HUAWEI-aaa-service-server_down] user-vlan 101
[HUAWEI-aaa-service-server_down] quit
[HUAWEI-aaa] quit
- Configure the bypass path used when the authentication server or the Portal server is Down.
Table 3-138 Bypass scenario

| Bypass Scenario | Procedure |
|---|---|
| Users fail to be authenticated because the authentication server (RADIUS server) is Down. | Run the authentication event authen-server-down action authorize service-scheme service-scheme command to assign network access policies to users through the service scheme when users fail to be authenticated because the authentication server is Down. |
| Users fail to be authenticated because the Portal server is Down. | Run the authentication event portal-server-down action authorize service-scheme service-scheme command to assign network access policies to users through the service scheme when users fail to be authenticated because the Portal server is Down. |

[HUAWEI] authentication-profile name portal_authen_profile1
[HUAWEI-authen-profile-portal_authen_profile1] authentication event authen-server-down action authorize service-scheme server_down
[HUAWEI-authen-profile-portal_authen_profile1] quit
[HUAWEI] portal-access-profile name portal_access_profile1
[HUAWEI-portal-acces-profile-portal_access_profile1] authentication event portal-server-down action authorize service-scheme server_down
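How quickly the bypass path takes over depends on the Portal server detection configured earlier (server-detect interval 100 max-times 5 critical-num 0 action log) and on the portal-server-down event bound in the Portal access profile. The following Python model is an added example, not Huawei code: it runs detection rounds against the page's single Portal server, marks it Down after the failure limit is exceeded, and returns the service scheme (ACL 3001) that an unauthenticated user receives while no Portal server is Up. Reading "exceeds the upper limit" as strictly more than max-times consecutive failures, and the dataclass names, are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServerDetectConfig:
    """server-detect interval 100 max-times 5 critical-num 0 action log"""
    interval: int = 100     # seconds between detection rounds
    max_times: int = 5      # consecutive failures a server may accumulate before it is marked Down
    critical_num: int = 0   # the action fires when the number of Up servers is <= this value
    action: str = "log"


@dataclass
class PortalServer:
    name: str
    ip: str
    up: bool = True
    consecutive_failures: int = 0


@dataclass
class ServiceScheme:
    """service-scheme server_down bound to acl-id 3001 (or user-vlan 101)"""
    name: str
    acl_id: Optional[int] = None
    user_vlan: Optional[int] = None


class PortalServerDetector:
    """Tracks Portal server state across detection rounds as configured by
    server-detect. 'Exceeds' is read as strictly more than max-times
    consecutive failures (assumption of this model)."""

    def __init__(self, cfg: ServerDetectConfig, servers: List[PortalServer]) -> None:
        self.cfg = cfg
        self.servers = servers
        self.elapsed = 0                 # seconds since detection started
        self.events: List[str] = []

    def up_count(self) -> int:
        return sum(1 for s in self.servers if s.up)

    def run_round(self, answered: Dict[str, bool]) -> List[str]:
        """One detection round. `answered` maps a server name to whether its
        detection packet was answered. Returns the events raised this round."""
        self.elapsed += self.cfg.interval
        events: List[str] = []
        for s in self.servers:
            if answered.get(s.name, False):
                s.consecutive_failures = 0
                if not s.up:
                    s.up = True
                    events.append(f"{s.name} Down->Up at {self.elapsed}s")
            else:
                s.consecutive_failures += 1
                if s.up and s.consecutive_failures > self.cfg.max_times:
                    s.up = False
                    events.append(f"{s.name} Up->Down at {self.elapsed}s")
        # With critical-num 0 the action is taken once every Portal server is Down.
        if events and self.up_count() <= self.cfg.critical_num:
            events.append(f"action {self.cfg.action}: {self.up_count()} Portal server(s) Up")
        self.events.extend(events)
        return events


# Bypass bindings from the page: both events authorize service scheme server_down.
BYPASS_EVENTS: Dict[str, ServiceScheme] = {
    "authen-server-down": ServiceScheme("server_down", acl_id=3001),  # authentication-profile view
    "portal-server-down": ServiceScheme("server_down", acl_id=3001),  # portal-access-profile view
}


def authorize_on_portal_failure(detector: PortalServerDetector,
                                bypass: Dict[str, ServiceScheme]) -> Optional[ServiceScheme]:
    """Authorization given to a user whose Portal authentication fails.
    Only when no Portal server is Up does the portal-server-down event apply;
    otherwise the failure is the user's own and None (no access) is returned."""
    if detector.up_count() == 0:
        return bypass.get("portal-server-down")
    return None
```

Under these settings an outage of the only Portal server is recognised on the sixth unanswered round, 600 s after the failures begin; until then users are neither authenticated nor bypassed.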
- [iMaster NCE-Campus] Add the switch to ensure proper association between iMaster NCE-Campus and the switch.
Choose Admission > Admission Resources > Admission Device, click Create, and add a switch.
| Parameter | Value | Description |
|---|---|---|
| Device name | SW | - |
| IP address | 192.168.100.100 | The switch interface with this IP address must be able to communicate with the service controller. It corresponds to radius-attribute nas-ip 192.168.100.100 on the switch. |
| Device Series | Huawei Engine | - |
| CoA Type | Default CoA | CoA allows administrators to change the permissions of online users or re-authenticate them through RADIUS. The CoA types are described below this table. |
| Authentication/Accounting key | YsHsjx_202206 | It must be the same as the RADIUS authentication and accounting shared key configured on the switch (radius-server shared-key). |
| Authorization key | YsHsjx_202206 | It must be the same as the RADIUS authorization key configured on the switch (radius-server authorization ... shared-key). |
| Accounting interval (min) | 15 | It must be the same as the real-time accounting interval configured on the switch. |
| Portal heartbeat verification | Enabled | The Portal server can send heartbeat packets to the access device and synchronize user information to the access device only when Portal heartbeat verification is enabled. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. This configuration corresponds to the server-detect and user-sync commands configured in the Portal server view on the access device. |
| Portal key | YsHsjx_202206 | It must be the same as the Portal shared key configured on the switch. |
| Terminal IP address list | 172.16.11.254/24 | - |
| Portal authentication port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value. |

CoA types:
- Default CoA: CoA packets are sent periodically to update user authorization information.
- No CoA: User authorization information cannot be updated.
- Port Bounce: User authorization information can be updated when the interface to which an online user's terminal connects alternates between Up and Down.
- Reauth: User authorization information can be updated by triggering re-authentication for an online user.
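The "must be the same" rows in this table are where most interconnection failures originate. The following Python audit is an added example, not Huawei or iMaster NCE-Campus code: it parses a constructed excerpt of the AGG configuration file from this example and compares the RADIUS, accounting and Portal settings with the admission device entry. The shared keys are stored ciphered in the configuration file, so they are replaced by a placeholder and are not compared here; the key names in the dictionary are this example's own.

```python
import re
from typing import Dict, List

# Constructed excerpt of the AGG configuration file shown on this page.
# Ciphered keys are replaced by a placeholder: they cannot be compared with
# the plaintext entered on iMaster NCE-Campus.
SAMPLE_AGG_CONFIG = """\
#
 sysname AGG
#
radius-server template radius_huawei
 radius-server shared-key cipher <CIPHER-PLACEHOLDER>
 radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100 weight 80
 radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100 weight 80
 radius-attribute nas-ip 192.168.100.100
#
radius-server authorization 192.168.11.10 shared-key cipher <CIPHER-PLACEHOLDER>
#
aaa
 accounting-scheme acco_scheme
  accounting-mode radius
  accounting realtime 15
#
web-auth-server portal_huawei
 server-source ip-address 192.168.100.100
 protocol portal
 server-ip 192.168.11.10
 source-ip 192.168.100.100
 port 50100
 server-detect interval 100 max-times 5 critical-num 0 action log
#
portal quiet-period
portal quiet-times 5
portal timer quiet-period 240
web-auth-server listening-port 2000
#
return
"""

# The admission device entry from the table above (iMaster NCE-Campus side).
NCE_DEVICE_ENTRY = {
    "ip_address": "192.168.100.100",
    "accounting_interval_min": 15,
    "portal_authentication_port": 2000,
    "nce_address": "192.168.11.10",   # iMaster NCE-Campus as RADIUS and Portal server
}
NCE_RADIUS_AUTH_PORT = 1812   # fixed ports of iMaster NCE-Campus (from the page)
NCE_RADIUS_ACCT_PORT = 1813
NCE_PORTAL_PORT = 50100

# (setting name, pattern matched against the stripped config line, converter)
# A converter of None means the match is an (ip, port) pair.
_PATTERNS = [
    ("nas_ip", re.compile(r"^radius-attribute nas-ip (\S+)$"), str),
    ("radius_auth", re.compile(r"^radius-server authentication (\S+) (\d+)"), None),
    ("radius_acct", re.compile(r"^radius-server accounting (\S+) (\d+)"), None),
    ("radius_authz_ip", re.compile(r"^radius-server authorization (\S+) "), str),
    ("accounting_realtime", re.compile(r"^accounting realtime (\d+)$"), int),
    ("portal_server_ip", re.compile(r"^server-ip (\S+)$"), str),
    ("portal_server_port", re.compile(r"^port (\d+)$"), int),
    ("portal_listening_port", re.compile(r"^web-auth-server listening-port (\d+)$"), int),
]


def extract_nac_settings(config_text: str) -> Dict[str, object]:
    """Pull the interconnection-relevant values out of a VRP configuration file."""
    settings: Dict[str, object] = {"portal_listening_port": 2000}   # switch default
    for raw in config_text.splitlines():
        line = raw.strip()
        for name, pattern, conv in _PATTERNS:
            match = pattern.match(line)
            if not match:
                continue
            if conv is None:
                settings[name] = (match.group(1), int(match.group(2)))
            else:
                settings[name] = conv(match.group(1))
    return settings


def audit_against_nce(settings: Dict[str, object], nce: Dict[str, object]) -> List[str]:
    """Return one message per value that differs between switch and NCE entry."""
    nce_ip = nce["nce_address"]
    expected = [
        ("nas_ip", nce["ip_address"], "NCE device IP address vs radius-attribute nas-ip"),
        ("radius_auth", (nce_ip, NCE_RADIUS_AUTH_PORT), "RADIUS authentication server/port"),
        ("radius_acct", (nce_ip, NCE_RADIUS_ACCT_PORT), "RADIUS accounting server/port"),
        ("radius_authz_ip", nce_ip, "RADIUS authorization (CoA) server"),
        ("accounting_realtime", nce["accounting_interval_min"], "real-time accounting interval"),
        ("portal_server_ip", nce_ip, "Portal server IP"),
        ("portal_server_port", NCE_PORTAL_PORT, "Portal server port"),
        ("portal_listening_port", nce["portal_authentication_port"], "Portal authentication port"),
    ]
    mismatches: List[str] = []
    for key, want, what in expected:
        got = settings.get(key)
        if got != want:
            mismatches.append(f"{what}: switch has {got!r}, iMaster NCE-Campus expects {want!r}")
    return mismatches
```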
- [iMaster NCE-Campus] Configure authentication and authorization. Terminal users match the rules based on specified conditions.
- Choose Admission > Admission Policy > Authentication and Authorization. Click the Authentication Rule tab and modify the default authentication rule or create an authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only on the local data source. If the AD server is not added as a data source, AD accounts will fail to be authenticated.
- Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Result tab, and add an ACL for authorization.
The ACL numbers must be the same as those configured on the authentication control device.
- Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Rules tab, and create an authorization rule. Associate the authorization result created in the previous step with the authorization rule. Specify resources that users can access after being authenticated.
Verification
- Verify that the terminal user can access only the iMaster NCE-Campus, DNS, and AD servers before authentication.
- Verify that the Portal authentication page is pushed to the terminal user when the terminal user attempts to access the Internet. After the terminal user enters the correct user name and password, the requested web page is displayed.
- Verify that the terminal user can access the Internet only after the authentication succeeds.
- After the terminal user is successfully authenticated, run the display access-user command on the switch. The command output shows information about the online user.
- Choose Admission > Admission Policy > Online User Control from the main menu and click Online User. Information about terminal users is displayed.
- Choose Monitoring > Event Logs > Terminal Authentication Logs from the main menu and click Portal Login and Logout logs. The Portal authentication logs of the terminal user can be viewed.
- Choose Monitoring > Event Logs > Terminal Authentication Logs from the main menu and click RADIUS Login and Logout logs. The RADIUS authentication logs of the terminal user can be viewed.
Summary and Suggestions
- The RADIUS authentication and accounting key, RADIUS authorization key, and Portal key must be the same on the device and iMaster NCE-Campus.
- Authorization rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition of a user matches a rule, iMaster NCE-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and set lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the switch so that iMaster NCE-Campus can obtain online user information by exchanging accounting packets. iMaster NCE-Campus does not provide actual (billing) accounting. If accounting is required, use a third-party accounting server.
Configuration Files
ACC configuration file
#
 sysname ACC
#
vlan 101
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
AGG configuration file
#
 sysname AGG
#
vlan batch 101 to 102
#
dhcp enable
#
authentication-profile name portal_authen_profile1
 portal-access-profile portal_access_profile1
 free-rule-template default_free_rule
 authentication event authen-server-down action authorize service-scheme server_down
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#ANM|Cb!>GNo=U@V~_{E1fQ>;I2#2l(3Q%1~Z.u|R%^%#
 radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100 weight 80
 radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100 weight 80
 radius-attribute nas-ip 192.168.100.100
#
radius-server authorization 192.168.11.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
aaa
 authentication-scheme auth_scheme
  authentication-mode radius
 accounting-scheme acco_scheme
  accounting-mode radius
  accounting realtime 15
 service-scheme server_down
  acl-id 3001
 domain default
  authentication-scheme auth_scheme
  accounting-scheme acco_scheme
  radius-server radius_huawei
#
domain default
#
acl 3001
 rule 1 permit ip
#
web-auth-server portal_huawei
 server-source ip-address 192.168.100.100
 protocol portal
 server-ip 192.168.11.10
 source-ip 192.168.100.100
 port 50100
 server-detect interval 100 max-times 5 critical-num 0 action log
#
url-template name url_huawei
 url https://access.example.com:19008/portal
 url-parameter device-ip ac-ip device-mac lsw-mac redirect-url redirect-url user-ipaddress uaddress user-mac umac
 url-parameter set device-ip 192.168.100.100
#
web-auth-server portal_huawei
 url-template url_huawei
#
portal-access-profile name portal_access_profile1
 web-auth-server portal_huawei direct
 authentication event portal-server-down action authorize service-scheme server_down
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
 free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
 free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
#
portal quiet-period
portal quiet-times 5
portal timer quiet-period 240
web-auth-server listening-port 2000
#
interface vlanif 101
 ip address 172.16.11.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.11.1
 authentication-profile portal_authen_profile1
#
interface vlanif 102
 ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
ip route-static 192.168.11.0 255.255.255.0 192.168.100.200
#
return
Core configuration file
```
#
sysname Core
#
vlan batch 102 200
#
interface vlanif 102
 ip address 192.168.100.200 255.255.255.0
#
interface vlanif 200
 ip address 192.168.11.254 255.255.255.0
#
interface gigabitethernet 1/0/1
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface gigabitethernet 1/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 172.16.11.0 255.255.255.0 192.168.100.100
#
return
```
Configuring Wireless MAC Address-Prioritized Portal Authentication
Networking Requirements
An enterprise has about 1000 employees and needs to deploy an identity authentication system to implement access control for all the wireless users who attempt to access the enterprise network. Only authorized users can access the enterprise network.
The enterprise has the following requirements:
- The authentication operations should be simple. The authentication system only performs access authorization and does not require any client software on user terminals.
- The authentication system performs unified identity authentication on all terminals attempting to access the campus network and denies the access from unauthorized terminals.
- Employees can only access public servers (such as the DHCP and DNS servers) of the enterprise before authentication, and can access both the enterprise's service systems and Internet after being authenticated.
- If authenticated employees move out of the wireless signal coverage area and move in again within a certain period (60 minutes for example), they can connect to the wireless network directly without entering their user names and passwords again. This ensures a good network access experience of employees.
- Guests can only access public servers (such as the DHCP and DNS servers) of the enterprise before authentication, and can only access the Internet after being authenticated.
- Different authentication pages are pushed to employees and guests.
Requirement Analysis
- The enterprise has no specific requirement on terminal security check and requires simple operations, without a need for authentication client on wireless terminals. Considering the networking and requirements of the enterprise, Portal authentication can be used on the campus network.
- To ensure unified user traffic control on the WAC, it is recommended that the tunnel forwarding mode be used to forward packets between the WAC and APs.
- To ensure network connectivity, plan VLANs as follows:
- Add employees to VLAN 100 and guests to VLAN 101 to isolate employees from guests.
- Use VLAN 10 as the management VLAN of the APs.
- Add GE0/0/1, GE0/0/2, and GE0/0/3 of the access switch to VLAN 10 so that these interfaces can transparently transmit packets from management VLAN 10 of the APs.
- On the aggregation switch, add GE0/0/1 to management VLAN 10, GE0/0/3 to management VLAN 10 and service VLANs 100 and 101, and GE0/0/2 to service VLANs 100 and 101. In this way, these interfaces can transparently transmit data of the corresponding VLANs.
- Add GE0/0/1 of the WAC to management VLAN 10 and service VLANs 100 and 101 so that the WAC can transparently transmit packets of these VLANs.
- Employees and guests are all authenticated on the web pages pushed by the Portal server. You need to configure different ACL rules on the WAC to control access rights of employees and guests.
- Different SSIDs need to be configured for employees and guests so that different authentication pages can be pushed to them based on their SSIDs.
- Enable MAC address-prioritized Portal authentication to allow employees to connect to the wireless network without entering user names and passwords when they move in and out of the wireless coverage area repeatedly within a period (60 minutes for example).
MAC address-prioritized Portal authentication is a function provided by a WAC. When the Portal server needs to authenticate a user, the WAC first sends the user terminal's MAC address to the Portal server for identity authentication. If the authentication fails, the Portal server pushes the Portal authentication page to the terminal. The user then enters the account and password for authentication. The RADIUS server caches a terminal's MAC address and associated SSID during the first authentication for the terminal. If the terminal is disconnected and then connected to the network within the MAC address validity period, the RADIUS server searches for the SSID and MAC address of the terminal in the cache to authenticate the terminal.
VLAN Plan
VLAN ID | Function
---|---
10 | Management VLAN for wireless access
100 | Service VLAN for employees
101 | Service VLAN for guests
Network Data Plan
Item | Data | Description
---|---|---
Access switch | GE0/0/1 VLAN 10 | Connected to the AP in the guest area.
Access switch | GE0/0/2 VLAN 10 | Connected to the aggregation switch.
Access switch | GE0/0/3 VLAN 10 | Connected to the AP in the employee area.
Aggregation switch | GE0/0/1 VLAN 10 | Connected to the access switch.
Aggregation switch | GE0/0/2 VLAN 100 and VLAN 101 | Uplink interface that is connected to the core router and allows packets only from the service VLANs to pass through.
Aggregation switch | GE0/0/3 VLAN 10, VLAN 100, and VLAN 101 | Connected to the AC6605. The AC6605 communicates with upstream devices through service VLANs and communicates with downstream devices through a management VLAN.
AC6605 | GE0/0/1 VLAN 10, VLAN 100, and VLAN 101; VLANIF 10: 10.10.10.254/24 | The AC6605 communicates with upstream devices through service VLANs and communicates with downstream devices through a management VLAN. Gateway for APs.
Core router | GE1/0/1 172.16.21.254/24; sub-interface GE1/0/1.1: 172.20.0.1/16; sub-interface GE1/0/1.2: 172.21.0.1/16 | The sub-interface GE1/0/1.1 functions as the gateway for employees. The sub-interface GE1/0/1.2 functions as the gateway for guests.
Server | | -
Service Data Plan
Item | Data | Description
---|---|---
RADIUS | | The authentication control device functions as a RADIUS client and iMaster NCE-Campus as a RADIUS server. The authentication and accounting key, authorization key, and accounting interval must be the same on them. iMaster NCE-Campus functioning as the RADIUS server uses port 1812 for authentication and port 1813 for accounting.
Portal | | When Portal pages are pushed using a domain name, the iMaster NCE-Campus server's domain name is required. iMaster NCE-Campus functioning as the Portal server uses port 50100 as the Portal server port. When a Huawei switch or WAC functions as the authentication control device to provide Portal authentication, the switch or WAC uses port 2000 by default to associate with the Portal server.
Pre-authentication domain | DNS server, iMaster NCE-Campus, AD server, and DHCP server | -
Post-authentication domain for employees | Service system and Internet | -
Post-authentication domain for guests | Internet | -
Configuration Roadmap
- Configure the access switch, aggregation switch, and WAC to ensure network connectivity.
- On the WAC, configure a RADIUS server template, configure authentication, accounting, and authorization schemes in the template, and specify the IP address of the Portal server. In this way, the WAC can communicate with the RADIUS server and Portal server to perform MAC address-prioritized Portal authentication for employees.
- Add the WAC on iMaster NCE-Campus and configure parameters for the WAC to ensure that iMaster NCE-Campus interacts properly with the WAC.
- Configure authentication and authorization rules to grant different network access rights to the authenticated employees and guests.
- Customize different authentication pages for employees and guests, and configure Portal page push rules to ensure that different web pages are pushed to employees and guests.
Prerequisites
- You have configured a sub-interface, assigned an IP address to the sub-interface, and enabled DHCP relay on the core router to enable terminals to automatically obtain IP addresses from the DHCP server on a different network segment.
- The SMS server has been interconnected.
Procedure
- [Device] Configure the access switch to ensure network connectivity.
```
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 10
[ACC-vlan10] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type trunk
[ACC-GigabitEthernet0/0/3] port trunk pvid vlan 10
[ACC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type trunk
[ACC-GigabitEthernet0/0/1] port trunk pvid vlan 10
[ACC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/2] quit
```
- [Device] Configure the aggregation switch to ensure network connectivity.
```
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] vlan batch 10 100 101
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface gigabitethernet 0/0/3
[AGG-GigabitEthernet0/0/3] port link-type trunk
[AGG-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100 101
[AGG-GigabitEthernet0/0/3] quit
```
- [Device] Configure the AC6605 to enable network connectivity.
# Add AC6605's GE0/0/1 connected to the aggregation switch to management VLAN 10 and service VLANs 100 and 101.
```
<HUAWEI> system-view
[HUAWEI] sysname AC6605
[AC6605] vlan batch 10 100 101
[AC6605] interface gigabitethernet 0/0/1
[AC6605-GigabitEthernet0/0/1] port link-type trunk
[AC6605-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 101
[AC6605-GigabitEthernet0/0/1] quit
```
# Configure the AC6605 to assign IP addresses to APs from an interface address pool.
```
[AC6605] dhcp enable
[AC6605] interface vlanif 10
[AC6605-Vlanif10] ip address 10.10.10.254 24
[AC6605-Vlanif10] dhcp select interface
[AC6605-Vlanif10] quit
```
# Configure a default route that the AC6605 uses to communicate with servers. Packets are forwarded to the core router by default.
```
[AC6605] ip route-static 0.0.0.0 0 172.16.21.254
```
- [Device] Configure the AP to go online.
If a Layer 3 network is deployed between the AP and WAC, you need to configure the DHCP Option 43 field on the DHCP server to carry the WAC's IP address in advertisement packets, allowing the AP to discover the WAC.
- Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
- Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address for the WAC.
# Create an AP group, to which APs with the same configuration are added.
```
[AC6605] wlan
[AC6605-wlan-view] ap-group name employee //Configure an AP group for employees.
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest //Configure an AP group for guests.
[AC6605-wlan-ap-group-guest] quit
```
# Create a regulatory domain profile, configure the WAC country code in the profile, and apply the profile to the corresponding AP group.
```
[AC6605-wlan-view] regulatory-domain-profile name domain1
[AC6605-wlan-regulatory-domain-prof-domain1] country-code cn
[AC6605-wlan-regulatory-domain-prof-domain1] quit
[AC6605-wlan-view] ap-group name employee
[AC6605-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest
[AC6605-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC6605-wlan-ap-group-guest] quit
[AC6605-wlan-view] quit
```
# Configure the WAC's source interface.
```
[AC6605] capwap source interface vlanif 10
```
# Import the AP offline on the WAC and add the AP to the AP group. This example assumes that the AP model is AP6010DN-AGN, the MAC address of AP_0 serving employees is 00e0-fc76-a320, and the MAC address of AP_1 serving guests is 00e0-fc76-a330.
```
[AC6605] wlan
[AC6605-wlan-view] ap auth-mode mac-auth
[AC6605-wlan-view] ap-id 0 ap-mac 00e0-fc76-a320
[AC6605-wlan-ap-0] ap-name ap_0
[AC6605-wlan-ap-0] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-0] quit
[AC6605-wlan-view] ap-id 1 ap-mac 00e0-fc76-a330
[AC6605-wlan-ap-1] ap-name ap_1
[AC6605-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-1] quit
[AC6605-wlan-view] quit
```
# After the AP is powered on, run the display ap all command to check the AP status. If the State field is displayed as nor, the AP goes online normally.
```
[AC6605] display ap all
Total AP information:
nor  : normal          [2]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type          State  STA  Uptime
-------------------------------------------------------------------------------------
0    00e0-fc76-a320 ap_0   employee  10.10.10.252  AP6010DN-AGN  nor    0    10S
1    00e0-fc76-a330 ap_1   guest     10.10.10.253  AP6010DN-AGN  nor    0    20S
-------------------------------------------------------------------------------------
Total: 2
```
- [Device] Configure interconnection parameters for the WAC and RADIUS server as well as the WAC and Portal server, so that the WAC can associate with the RADIUS and Portal servers.
Figure 3-231 Configuration flow for the Portal authentication service
# Configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.
```
[AC6605] radius-server template radius_template
[AC6605-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC6605-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC6605-radius-radius_template] called-station-id wlan-user-format ac-mac include-ssid
[AC6605-radius-radius_template] radius-server shared-key cipher YsHsjx_202206
[AC6605-radius-radius_template] radius-attribute nas-ip 10.10.10.254
[AC6605-radius-radius_template] radius-server user-name original //Configure the device to send the original user name entered by a user to the RADIUS server.
[AC6605-radius-radius_template] quit
[AC6605] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
[AC6605] aaa
[AC6605-aaa] authentication-scheme auth_scheme //Configure an authentication scheme.
[AC6605-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AC6605-aaa-authen-auth_scheme] quit
[AC6605-aaa] accounting-scheme acco_scheme //Configure an accounting scheme.
[AC6605-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS.
[AC6605-aaa-accounting-acco_scheme] accounting realtime 15
[AC6605-aaa-accounting-acco_scheme] quit
[AC6605-aaa] quit
```
Real-time accounting is configured between the authentication control device and iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent online status information. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the number of users.
Table 3-142 Accounting interval

Number of Users | Real-Time Accounting Interval
---|---
1 to 99 | 3 minutes
100 to 499 | 6 minutes
500 to 999 | 12 minutes
≥ 1000 | ≥ 15 minutes
# Configure the Portal server.
- Configure the URL of the Portal authentication page. When a user attempts to access a website before authentication, the WAC redirects the user to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page pushing. Before configuring the URL using a domain name, you must first configure the mapping between the domain name and IP address of the Portal server on the DNS server.
```
[AC6605] url-template name huawei
[AC6605-url-template-huawei] url https://access.example.com:19008/portal //access.example.com is the host name of the Portal server.
```
By default, iMaster NCE-Campus supports only HTTPS, because HTTP may pose security risks. If the HTTP protocol needs to be used to push Portal pages, you need to enable the HTTP port on the iMaster NCE-Campus management plane. For details, see (Optional) Enabling the HTTP Port. Then, run the following command:
```
[AC6605-url-template-huawei] url http://access.example.com:8445/portal //access.example.com is the host name of the Portal server.
```
- Configure parameters carried in the URL, which must be the same as those on the authentication server.
```
[AC6605-url-template-huawei] url-parameter device-ip ac-ip redirect-url redirect-url ssid ssid user-ipaddress uaddress user-mac umac
//device-ip ac-ip specifies the IP address of the device carried in the URL and sets the parameter name displayed in the URL. In the wireless access scenario, the value of device-ip carried in the URL is the CAPWAP gateway address.
//redirect-url redirect-url specifies the original URL that a user accesses in the URL and sets the parameter name displayed in the URL.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the parameter name.
//For example, after ssid ssid is specified, the redirect URL contains ssid=guest, where ssid indicates the parameter name and guest indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name and cannot be replaced with the actual user SSID.
[AC6605-url-template-huawei] quit
```
- Specify the port number used to process Portal protocol packets. The default port number is 2000. If you change the port number on the WAC, set the same port number when you add this WAC to iMaster NCE-Campus.
```
[AC6605] web-auth-server listening-port 2000
```
- Configure a Portal server template, including configuring the IP address and port number of the Portal server.
```
[AC6605] web-auth-server portal_huawei
[AC6605-web-auth-server-portal_huawei] server-source ip-address 10.10.10.254 //Configure the local gateway address for receiving and responding to the packets sent by the Portal server.
[AC6605-web-auth-server-portal_huawei] protocol portal //Set the protocol used in Portal authentication to Portal.
[AC6605-web-auth-server-portal_huawei] server-ip 192.168.11.10 //Configure the IP address of the Portal server.
[AC6605-web-auth-server-portal_huawei] source-ip 10.10.10.254 //Configure the IP address used by the device to communicate with the Portal server.
[AC6605-web-auth-server-portal_huawei] port 50100 //Set the destination port number in the packets sent to the Portal server to 50100.
```
- Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
```
[AC6605-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206 //Configure the shared key used to communicate with the Portal server.
[AC6605-web-auth-server-portal_huawei] url-template huawei //Bind the URL template to the Portal server template.
```
- Enable the Portal server detection function.
After the Portal server detection function is enabled in the Portal server template, the device detects all Portal servers configured in the Portal server template. If the number of times that the device fails to detect a Portal server exceeds the upper limit, the status of the Portal server is changed from Up to Down. If the number of Portal servers in Up state is less than or equal to the minimum number (specified by the critical-num parameter), the device performs the corresponding operation, for example, sending a trap, reporting a log, or enabling Portal bypass. This enables the administrator to obtain the real-time Portal server status. The detection interval cannot be shorter than 15s, and the recommended value is 100s. Before enabling Portal bypass, you must enable Portal server detection.
```
[AC6605-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 0 action log
```
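The following is an added example, not code from the Huawei documentation: a small Python model of the Portal server detection logic described above, parameterized with the values on this page (interval 100, max-times 5, critical-num 0, action log). Whether the device repeats the action on every probe while the server count stays at or below critical-num is not stated on this page; the model fires it once per crossing, which is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class PortalServer:
    name: str
    state: str = "Up"
    failures: int = 0  # consecutive probes that went unanswered


@dataclass
class ServerDetect:
    """Model of 'server-detect interval ... max-times ... critical-num ... action ...'."""
    interval: int = 100    # seconds between probes; the device rejects values below 15
    max_times: int = 5     # consecutive failures that move a server from Up to Down
    critical_num: int = 0  # action fires when the number of Up servers is <= this value
    action: str = "log"
    servers: list = field(default_factory=list)
    events: list = field(default_factory=list)
    _critical: bool = False  # True while the Up count is at or below critical_num

    def __post_init__(self):
        if self.interval < 15:
            raise ValueError("server-detect interval cannot be shorter than 15 seconds")

    def up_count(self):
        return sum(1 for s in self.servers if s.state == "Up")

    def probe(self, replies):
        """Run one detection round. `replies` maps server name -> True if it answered."""
        for s in self.servers:
            if replies.get(s.name, False):
                s.failures = 0
                if s.state == "Down":
                    s.state = "Up"
                    self.events.append(f"{s.name}: Down -> Up")
            else:
                s.failures += 1
                if s.state == "Up" and s.failures >= self.max_times:
                    s.state = "Down"
                    self.events.append(f"{s.name}: Up -> Down")
        below = self.up_count() <= self.critical_num
        if below and not self._critical:
            # Assumption: the configured action (here a log entry) is raised once
            # when the Up count crosses the critical-num threshold.
            self.events.append(
                f"{self.action}: {self.up_count()} Portal server(s) Up, threshold {self.critical_num}"
            )
        self._critical = below
        return self.up_count()


def simulate_outage():
    """Constructed scenario: the single server portal_huawei misses five probes in a
    row (5 x 100 s), then answers again. Returns the event log."""
    det = ServerDetect(servers=[PortalServer("portal_huawei")])
    for _ in range(5):
        det.probe({"portal_huawei": False})
    det.probe({"portal_huawei": True})
    return det.events


if __name__ == "__main__":
    for line in simulate_outage():
        print(line)
```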
# Enable the Portal authentication quiet period function. With this function enabled, the WAC drops packets of an authentication user during the quiet period if the user fails Portal authentication for the specified number of times in 60 seconds. This function protects the WAC from being overloaded due to frequent authentication.
```
[AC6605] portal quiet-period
[AC6605] portal quiet-times 5 //Set the number of authentication failures within 60 seconds which, when exceeded, causes Portal authentication users to enter the quiet state.
[AC6605] portal timer quiet-period 240 //Set the quiet period for Portal authentication users to 240 seconds.
```
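As an added example (not Huawei's code), the quiet-period behaviour configured above can be modelled as a per-user sliding window: failures inside the fixed 60-second window are counted, the user enters the quiet state for 240 seconds, and attempts during that time are dropped. The model assumes the fifth failure (the configured quiet-times value) triggers the quiet state.

```python
from collections import deque


class PortalQuietPeriod:
    """Quiet-period state for Portal users, following 'portal quiet-period',
    'portal quiet-times 5' and 'portal timer quiet-period 240' from this page."""

    WINDOW = 60  # the device counts failures within a fixed 60-second window

    def __init__(self, quiet_times=5, quiet_period=240):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.failures = {}     # user key (e.g. MAC address) -> timestamps of recent failures
        self.quiet_until = {}  # user key -> time at which the quiet state expires

    def is_quiet(self, user, now):
        return now < self.quiet_until.get(user, 0)

    def record(self, user, now, success):
        """Process one authentication attempt at time `now` (seconds).

        Returns 'dropped' (user is in the quiet state), 'ok', 'failed', or
        'quiet' (this failure just moved the user into the quiet state)."""
        if self.is_quiet(user, now):
            return "dropped"
        if success:
            self.failures.pop(user, None)
            return "ok"
        window = self.failures.setdefault(user, deque())
        window.append(now)
        # Drop failures older than the 60-second window.
        while window and now - window[0] > self.WINDOW:
            window.popleft()
        # Assumption: reaching quiet_times failures inside the window starts the quiet period.
        if len(window) >= self.quiet_times:
            self.quiet_until[user] = now + self.quiet_period
            window.clear()
            return "quiet"
        return "failed"


if __name__ == "__main__":
    qp = PortalQuietPeriod()
    mac = "00e0-fc76-0001"  # constructed terminal MAC address
    for t in (0, 10, 20, 30, 40, 100, 280):
        print(t, qp.record(mac, t, success=(t >= 100)))
```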
# Create a Portal access profile, and bind the Portal server template to it.
In this example, different Portal bypass solutions need to be configured for employees and guests. Therefore, configure two Portal access profiles.
```
[AC6605] portal-access-profile name acc_portal_employee //Create a Portal access profile for employees.
[AC6605-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei direct //Configure the Portal server template used by the Portal access profile. If the network between terminal users and the WAC is a Layer 2 network, configure the direct mode.
//If the network is a Layer 3 network, configure the layer3 mode.
[AC6605-portal-access-profile-acc_portal_employee] quit
[AC6605] portal-access-profile name acc_portal_guest //Create a Portal access profile for guests.
[AC6605-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct
[AC6605-portal-access-profile-acc_portal_guest] quit
```
# Create a MAC access profile so that MAC address-prioritized Portal authentication is performed on employees.
```
[AC6605] mac-access-profile name acc_mac
[AC6605-mac-access-profile-acc_mac] quit
```
# Configure pre-authentication and post-authentication access rules for employees and guests.
```
[AC6605] free-rule-template name default_free_rule
[AC6605-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that they can connect to the DNS server before authentication.
[AC6605-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that they can connect to the AD server before authentication.
[AC6605-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that they can connect to the DHCP server before authentication.
[AC6605-free-rule-default_free_rule] quit
```
```
[AC6605] acl 3001 //Configure the post-authentication domain, including the intranet and Internet, for employees.
[AC6605-acl-adv-3001] rule 5 permit ip
[AC6605-acl-adv-3001] quit
[AC6605] acl 3002 //Configure the post-authentication domain, including the Internet, for guests.
[AC6605-acl-adv-3002] rule 5 deny ip destination 192.168.11.200 255.255.255.255 //192.168.11.200 is the service system IP address and cannot be accessed by guests.
[AC6605-acl-adv-3002] rule 10 permit ip
[AC6605-acl-adv-3002] quit
```
# Configure different authentication profiles for employees and guests because MAC address-prioritized Portal authentication needs to be enabled for employees.
```
[AC6605] authentication-profile name auth_portal_employee
[AC6605-authentication-profile-auth_portal_employee] mac-access-profile acc_mac //Enable MAC address-prioritized Portal authentication for employees.
[AC6605-authentication-profile-auth_portal_employee] portal-access-profile acc_portal_employee
[AC6605-authentication-profile-auth_portal_employee] authentication-scheme auth_scheme
[AC6605-authentication-profile-auth_portal_employee] accounting-scheme acco_scheme
[AC6605-authentication-profile-auth_portal_employee] radius-server radius_template
[AC6605-authentication-profile-auth_portal_employee] free-rule-template default_free_rule
[AC6605-authentication-profile-auth_portal_employee] quit
```
```
[AC6605] authentication-profile name auth_portal_guest
[AC6605-authentication-profile-auth_portal_guest] portal-access-profile acc_portal_guest
[AC6605-authentication-profile-auth_portal_guest] authentication-scheme auth_scheme
[AC6605-authentication-profile-auth_portal_guest] accounting-scheme acco_scheme
[AC6605-authentication-profile-auth_portal_guest] radius-server radius_template
[AC6605-authentication-profile-auth_portal_guest] free-rule-template default_free_rule
[AC6605-authentication-profile-auth_portal_guest] quit
```
# Enable terminal type awareness to allow the WAC to send the option fields containing the terminal type in DHCP packets to the authentication server. In this way, the authentication server can push correct Portal authentication pages to users based on terminal types.
```
[AC6605] dhcp snooping enable
[AC6605] device-sensor dhcp option 12 55 60
```
# Configure Portal bypass. Configure the device to grant network access rights of a user group to users when the Portal server is Down so that the users can access the post-authentication domain. In addition, configure the device to re-authenticate users when the Portal server changes from Down to Up.
```
[AC6605] user-group group1
[AC6605-user-group-group1] acl 3001
[AC6605-user-group-group1] quit
[AC6605] portal-access-profile name acc_portal_employee
[AC6605-portal-access-profile-acc_portal_employee] authentication event portal-server-down action authorize user-group group1 //Configure the network access permission to be granted to employees when the Portal server is Down.
[AC6605-portal-access-profile-acc_portal_employee] authentication event portal-server-up action re-authen //Enable the device to re-authenticate users when the Portal server state changes from Down to Up.
[AC6605-portal-access-profile-acc_portal_employee] quit
[AC6605] user-group group2
[AC6605-user-group-group2] acl 3002
[AC6605-user-group-group2] quit
[AC6605] portal-access-profile name acc_portal_guest
[AC6605-portal-access-profile-acc_portal_guest] authentication event portal-server-down action authorize user-group group2 //Configure the network access permission to be granted to guests when the Portal server is Down.
[AC6605-portal-access-profile-acc_portal_guest] authentication event portal-server-up action re-authen
[AC6605-portal-access-profile-acc_portal_guest] quit
```
- [Device] Set WLAN service parameters.
# Create the security profile security_portal and set the security policy in the profile.
```
[AC6605] wlan
[AC6605-wlan-view] security-profile name security_portal
[AC6605-wlan-sec-prof-security_portal] security open
[AC6605-wlan-sec-prof-security_portal] quit
```
# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to employee and guest, respectively.
```
[AC6605-wlan-view] ssid-profile name wlan-ssid-employee
[AC6605-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-ssid-prof-wlan-ssid-employee] quit
[AC6605-wlan-view] ssid-profile name wlan-ssid-guest
[AC6605-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-ssid-prof-wlan-ssid-guest] quit
```
# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data forwarding mode and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.
```
[AC6605-wlan-view] vap-profile name wlan-vap-employee
[AC6605-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
[AC6605-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC6605-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC6605-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal_employee //Bind the authentication profile of employees.
[AC6605-wlan-vap-prof-wlan-vap-employee] quit
[AC6605-wlan-view] vap-profile name wlan-vap-guest
[AC6605-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 101
[AC6605-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC6605-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC6605-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal_guest //Bind the authentication profile of guests.
[AC6605-wlan-vap-prof-wlan-vap-guest] quit
```
# Bind the VAP profile to the AP groups, and apply the VAP profile to radio 0 and radio 1 of APs.
```
[AC6605-wlan-view] ap-group name employee
[AC6605-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
[AC6605-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest
[AC6605-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 0
[AC6605-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 1
[AC6605-wlan-ap-group-guest] quit
```
- [iMaster NCE-Campus] Add the WAC to iMaster NCE-Campus to ensure that iMaster NCE-Campus interacts properly with the WAC.
Choose Admission > Admission Resources > Admission Device, click Create, and add a WAC.
Parameter
Value
Description
Device name
WAC
-
IP address
10.10.10.254
The interface with this IP address on the AC6605 must be able to communicate with the service controller.
[AC6605-radius-radius_template] radius-attribute nas-ip 10.10.10.254
Device Series
Huawei Engine
-
CoA Type
Default CoA
CoA allows administrators to change the permissions of online users or re-authenticate them through RADIUS.
Default CoA: CoA packets are sent periodically to update user authorization information.
No CoA: User authorization information cannot be updated.
Port Bounce: User authorization information can be updated when the interface to which an online user's terminal connects alternates between Up and Down.
Reauth: User authorization information can be updated by triggering re-authentication for an online user.
Parameter | Value | Description
---|---|---
Authentication/Accounting key | YsHsjx_202206 | Corresponds to: [AC6605-radius-radius_template] radius-server shared-key cipher YsHsjx_202206
Authorization key | YsHsjx_202206 | Corresponds to: [AC6605] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
Accounting interval (min) | 15 | Corresponds to: [AC6605-aaa-accounting-acco_scheme] accounting realtime 15
Portal heartbeat verification | Select | The Portal server can send heartbeat packets to the access device and synchronize user information to the access device only when Portal heartbeat verification is enabled. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. This setting corresponds to the server-detect and user-sync commands configured in the Portal server view on the access device.
Portal key | YsHsjx_202206 | Corresponds to: [AC6605-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206
Terminal IP address list | 172.20.0.0/16, 172.21.0.0/16 | The IP addresses of all terminals that go online through Portal authentication must be added to the access terminal IP address list. After the Portal server receives the account and password submitted by a terminal user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from that access control device. If the terminal IP address is not in the IP address list of the access control device, the Portal server cannot find an access control device to grant the terminal network access, and the terminal login fails.
Port | 2000 | The port that the AC6605 uses to communicate with the Portal server. Use the default value.
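The terminal IP address list is what lets the Portal server map a login request back to the right access control device, and a terminal outside every listed range cannot be authorized at all. The following Python script, added here as an illustration and not part of the Huawei documentation or of iMaster NCE-Campus, models that lookup with the standard ipaddress module. The AC6605 entry uses the two prefixes from the table; the second device and its prefix are constructed placeholders, and the overlap check is an added sanity test for list entries that would make the lookup ambiguous.

```python
import ipaddress

# Constructed sample of the "Terminal IP address list" per access control
# device. Only the AC6605 entry mirrors the page (172.20.0.0/16, 172.21.0.0/16);
# the second device is a hypothetical placeholder.
ACCESS_DEVICES = {
    "AC6605": ["172.20.0.0/16", "172.21.0.0/16"],
    "AC-branch (hypothetical)": ["10.50.0.0/16"],
}


def build_index(devices):
    """Parse each device's prefixes once into (network, device) pairs.
    strict=True rejects entries such as 172.20.1.0/16 whose host bits are set,
    a common copy-paste mistake when filling in the list."""
    index = []
    for name, prefixes in devices.items():
        for prefix in prefixes:
            index.append((ipaddress.ip_network(prefix, strict=True), name))
    return index


def find_access_device(terminal_ip, index):
    """Return the access control device whose list covers terminal_ip, or None
    when no device matches (the login-failure case described in the table)."""
    addr = ipaddress.ip_address(terminal_ip)
    for network, device in index:
        if addr in network:
            return device
    return None


def check_overlaps(index):
    """List prefix pairs that overlap across different devices. Overlaps make
    the device lookup order-dependent, so they are worth catching before
    they surface as unexplained Portal login failures."""
    overlaps = []
    for i, (net_a, dev_a) in enumerate(index):
        for net_b, dev_b in index[i + 1:]:
            if dev_a != dev_b and net_a.overlaps(net_b):
                overlaps.append((str(net_a), dev_a, str(net_b), dev_b))
    return overlaps


if __name__ == "__main__":
    index = build_index(ACCESS_DEVICES)
    for ip in ("172.20.5.9", "172.21.255.1", "172.22.0.1"):
        print(ip, "->", find_access_device(ip, index) or "no access control device (login fails)")
    print("overlaps:", check_overlaps(index))
```

The None result is the case the table warns about: the terminal reached the Portal page, submitted valid credentials, and still cannot go online because no access control device claims its address.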
- [iMaster NCE-Campus] Configure authentication and authorization.
- Choose Admission > Admission Policy > Authentication and Authorization. Click the Authentication Rule tab and modify the default authentication rule or create an authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only on the local data source. If the AD server is not added as a data source, AD accounts will fail to be authenticated.
- Choose Admission > Admission Policy > Authentication and Authorization. Click the Authorization Result tab and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control device.
- Choose Admission > Admission Policy > Authentication and Authorization. Click the Authorization Rule tab and bind the authorization result to specify resources accessible to employees and guests after successful authentication.
- Modify the default authorization rule by changing the authorization result to Deny Access.
Choose Admission > Admission Policy > Authentication and Authorization. Click the Authorization Rule tab and click the icon on the right of Default. Change the value of Authorization result to Deny Access.
- [iMaster NCE-Campus] Customize a Portal authentication page for employees.
- Choose Admission > Admission Resources > Page Management. On the Page Customization tab page, click the icon in the upper left corner.
- Set Page name, set System template to User Name and Password Template, and click Create.
- Customize Authentication Page, Authentication Success Page, and User Notice Page for mobile phones and PCs as required, and click Release.
- [iMaster NCE-Campus] Customize a Portal authentication page for guests.
- Choose Admission > Admission Resources > Page Management. On the Page Customization tab page, click the icon in the upper left corner.
- Set Page name, set System template to SMS Template, set the guest account policy, and click Create.
- Customize Authentication Page, Authentication Success Page, and User Notice Page for mobile phones and PCs as required, and click Release.
- [iMaster NCE-Campus] Configure Portal page push rules to ensure that different authentication pages are pushed to employees and guests.
- Choose Admission > Admission Resources > Page Management and click Portal Page Push Policy. Click Create and set the push policy for employees.

Table 3-143 Push policy for employees

Parameter | Value
---|---
Name | Employee Push Policy
Access Mode | Wireless
Customized parameter | ssid=employee
Push page | Employee certification page
First page to push | Authentication
Page displayed after successful authentication | Continue access
- Configure the push policy for guests in a similar manner and click OK.

Table 3-144 Push policy for guests

Parameter | Value
---|---
Name | Guest Push Policy
Access Mode | Wireless
Customized parameter | ssid=guest
Push page | Guest authentication page
First page to push | Authentication
Page displayed after successful authentication | Continue access
- [iMaster NCE-Campus] Enable MAC address-prioritized Portal authentication on iMaster NCE-Campus.
- Choose Admission > Admission Policy > Online User Control. Click User Control Policy.
- Click Create. Configure a Portal authentication-free policy, enable Portal authentication-free, and set the authentication-free period.
- Open the created Portal authentication-free policy, assign it to a user group, bind employees and guests, and click OK.
Verification
Item | Expected Result
---|---
Employee authentication | 
Guest authentication | 
The employee disconnects from the wireless network and reconnects to the network 5 minutes later. | The authentication is completed automatically. The employee can connect to the Internet without entering the user name and password.
The employee disconnects from the wireless network and reconnects to the network 65 minutes later. | The employee authentication page is pushed to the employee when the employee attempts to access the Internet. After the employee enters the correct user name and password, the requested web page is displayed.
Summary and Suggestions
- The RADIUS authentication and accounting key, RADIUS authorization key, and Portal key must be the same on the WAC and iMaster NCE-Campus. The URL encryption key and accounting interval must also be the same on the WAC and iMaster NCE-Campus.
- Authorization rules or Portal page push rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition or Portal push condition of a user matches a rule, iMaster NCE-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and set lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the WAC to enable iMaster NCE-Campus to obtain online user information by exchanging accounting packets with the WAC. iMaster NCE-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.
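The first-match semantics described above for authorization rules and Portal page push rules are easy to get wrong when a fuzzy rule outranks a precise one. The Python script below, an added illustration that is not part of the Huawei documentation or of iMaster NCE-Campus, replays the push-policy matching from Tables 3-143 and 3-144 against the parameters the AC6605's url-template places in the redirect URL (ac-ip, redirect-url, ssid, uaddress, umac, from the url-parameter line of the configuration file). The sample redirect URL, the terminal values in it, and the "catch-all" policy used to show shadowing are constructed for the example; the shadowed_policies check is an added sanity test, not a product feature.

```python
from urllib.parse import parse_qs, urlsplit

# Push policies as the page configures them (Tables 3-143 and 3-144).
# Lower rule number = higher priority, as the page describes.
PUSH_POLICIES = [
    {"rule": 1, "name": "Employee Push Policy", "access_mode": "Wireless",
     "param": "ssid=employee", "page": "Employee certification page"},
    {"rule": 2, "name": "Guest Push Policy", "access_mode": "Wireless",
     "param": "ssid=guest", "page": "Guest authentication page"},
]

# Constructed catch-all policy with no customized parameter (not on the page),
# used only to show what happens when a fuzzy rule outranks precise ones.
CATCH_ALL = {"rule": 0, "name": "Catch-all (hypothetical)", "access_mode": "Wireless",
             "param": "", "page": "Generic page"}

# Constructed redirect URL in the shape produced by the page's url-template
# (url-parameter device-ip ac-ip redirect-url redirect-url ssid ssid
#  user-ipaddress uaddress user-mac umac); the terminal values are made up.
SAMPLE_REDIRECT = (
    "https://access.example.com:19008/portal"
    "?ac-ip=10.10.10.254&redirect-url=http%3A%2F%2Fintranet.example.com%2F"
    "&ssid=guest&uaddress=172.20.1.23&umac=00e0-fc12-3456"
)


def parse_redirect(url):
    """Return the url-template parameters carried in the Portal redirect URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def matches(policy, access_mode, params):
    """A policy matches when the access mode agrees and its customized
    parameter (key=value) is present in the request. An empty customized
    parameter is a fuzzy condition that matches every request."""
    if policy["access_mode"] != access_mode:
        return False
    if not policy["param"]:
        return True
    key, _, value = policy["param"].partition("=")
    return params.get(key) == value


def select_page(policies, access_mode, params):
    """First match in ascending rule-number order wins, as described in the
    summary; None means no push policy applied."""
    for policy in sorted(policies, key=lambda p: p["rule"]):
        if matches(policy, access_mode, params):
            return policy["page"]
    return None


def shadowed_policies(policies, access_mode, samples):
    """Names of policies that match at least one sample request but never win
    because a higher-priority policy matches the same request first. Run this
    over representative requests before releasing a rule set."""
    ordered = sorted(policies, key=lambda p: p["rule"])
    shadowed = set()
    for params in samples:
        hits = [p for p in ordered if matches(p, access_mode, params)]
        shadowed.update(p["name"] for p in hits[1:])
    return sorted(shadowed)


if __name__ == "__main__":
    params = parse_redirect(SAMPLE_REDIRECT)
    print("ssid", params["ssid"], "->", select_page(PUSH_POLICIES, "Wireless", params))
    misordered = [CATCH_ALL] + PUSH_POLICIES
    print("with catch-all first ->", select_page(misordered, "Wireless", params))
    samples = [{"ssid": "employee"}, {"ssid": "guest"}]
    print("shadowed:", shadowed_policies(misordered, "Wireless", samples))
```

With the page's two policies the guest SSID gets the guest page; once the fuzzy catch-all is placed at rule 0 both precise policies are reported as shadowed and every wireless user receives the generic page. The same ordering rule applies to authorization rules, which is why the page moves the default rule, changed to Deny Access, to the lowest priority.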
Configuration Files
ACC configuration file
```
#
sysname ACC
#
vlan 10
#
interface gigabitethernet 0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
#
interface gigabitethernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface gigabitethernet 0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
#
return
```
AGG configuration file
```
sysname AGG
#
vlan batch 10 100 101
#
interface gigabitethernet 0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface gigabitethernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 101
#
interface gigabitethernet 0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 100 101
#
return
```
AC6605 configuration file
```
#
sysname AC6605
#
vlan batch 10 100 101
#
dhcp enable
dhcp snooping enable
#
device-sensor dhcp option 12 55 60
#
radius-server template radius_template
 radius-server shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
 radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
 radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
 called-station-id wlan-user-format ac-mac include-ssid
 radius-attribute nas-ip 10.10.10.254
 radius-server user-name original
#
radius-server authorization 192.168.11.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
aaa
 authentication-scheme auth_scheme
  authentication-mode radius
 accounting-scheme acco_scheme
  accounting-mode radius
  accounting realtime 15
#
url-template name huawei
 url https://access.example.com:19008/portal
 url-parameter device-ip ac-ip redirect-url redirect-url ssid ssid user-ipaddress uaddress user-mac umac
#
web-auth-server listening-port 2000
#
web-auth-server portal_huawei
 shared-key cipher %^%#P[n27T`hLB$H1E=siWPS"rhE.uin=.2B}~6*R^:A%^%#
 server-source ip-address 10.10.10.254
 protocol portal
 server-ip 192.168.11.10
 source-ip 10.10.10.254
 port 50100
 url-template huawei
 server-detect interval 100 max-times 5 critical-num 0 action log
#
portal quiet-period
portal quiet-times 5
portal timer quiet-period 240
#
portal-access-profile name acc_portal_employee
 web-auth-server portal_huawei direct
 authentication event portal-server-down action authorize user-group group1
 authentication event portal-server-up action re-authen
portal-access-profile name acc_portal_guest
 web-auth-server portal_huawei direct
 authentication event portal-server-down action authorize user-group group2
 authentication event portal-server-up action re-authen
#
mac-access-profile name acc_mac
#
authentication-profile name auth_portal_employee
 mac-access-profile acc_mac
 portal-access-profile acc_portal_employee
 authentication-scheme auth_scheme
 accounting-scheme acco_scheme
 radius-server radius_template
 free-rule-template default_free_rule
authentication-profile name auth_portal_guest
 portal-access-profile acc_portal_guest
 authentication-scheme auth_scheme
 accounting-scheme acco_scheme
 radius-server radius_template
 free-rule-template default_free_rule
#
user-group group1
 acl 3001
user-group group2
 acl 3002
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
 free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255
 free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255
#
acl 3001
 rule 5 permit ip
acl 3002
 rule 5 deny ip destination 192.168.11.200 255.255.255.255
 rule 10 permit ip
#
interface vlanif 10
 ip address 10.10.10.254 24
 dhcp select interface
#
interface gigabitethernet 0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 100 101
#
wlan
 security-profile name security_portal
  security open
 ssid-profile name wlan-ssid-employee
  ssid employee
 ssid-profile name wlan-ssid-guest
  ssid guest
 regulatory-domain-profile name domain1
  country-code cn
 vap-profile name wlan-vap-employee
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile security_portal
  ssid-profile wlan-ssid-employee
  authentication-profile auth_portal_employee
 vap-profile name wlan-vap-guest
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile security_portal
  ssid-profile wlan-ssid-guest
  authentication-profile auth_portal_guest
 ap-group name employee
  regulatory-domain-profile domain1
  vap-profile wlan-vap-employee wlan 1 radio 0
  vap-profile wlan-vap-employee wlan 1 radio 1
 ap-group name guest
  regulatory-domain-profile domain1
  vap-profile wlan-vap-guest wlan 1 radio 0
  vap-profile wlan-vap-guest wlan 1 radio 1
 ap auth-mode mac-auth
 ap-id 0 ap-mac 00e0-fc76-a320
  ap-name ap_0
  ap-group employee
 ap-id 1 ap-mac 00e0-fc76-a330
  ap-name ap_1
  ap-group guest
#
capwap source interface vlanif 10
#
ip route-static 0.0.0.0 0 172.16.21.254
#
return
```
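The AC6605 configuration file above ties the Portal heartbeat check (server-detect interval 100 max-times 5 critical-num 0 action log) to an escape channel: when the Portal server is declared down, new users on the employee SSID are authorized with user-group group1, and when it comes back they are re-authenticated (the two authentication event lines in portal-access-profile acc_portal_employee). The Python script below is an added simulation of that behaviour, not code from Huawei or from the WAC; it assumes the simplified semantics that max-times consecutive missed detections, one per interval, mark the server down and a single successful detection marks it up. The heartbeat sequence and the user address are constructed.

```python
from dataclasses import dataclass, field

# Values taken from the AC6605 configuration file on the page.
DETECT_INTERVAL_S = 100      # server-detect interval 100
MAX_MISSED = 5               # server-detect max-times 5
DOWN_ACTION_GROUP = "group1"  # portal-server-down action authorize user-group group1


@dataclass
class PortalServerMonitor:
    """Tracks heartbeat results and derives the Portal server state.
    Assumption: consecutive misses are counted per detection interval."""
    missed: int = 0
    is_up: bool = True
    events: list = field(default_factory=list)

    def observe(self, heartbeat_received: bool) -> None:
        if heartbeat_received:
            self.missed = 0
            if not self.is_up:
                self.is_up = True
                self.events.append("portal-server-up")
            return
        self.missed += 1
        if self.is_up and self.missed >= MAX_MISSED:
            self.is_up = False
            self.events.append("portal-server-down")


def authorize_new_user(monitor: PortalServerMonitor, user_ip: str) -> dict:
    """How a new Portal user on the employee SSID is handled in each state."""
    if monitor.is_up:
        return {"user": user_ip, "action": "redirect-to-portal"}
    # Escape channel: the user receives the rights of group1, which the page
    # binds to ACL 3001 (rule 5 permit ip), i.e. unrestricted IP access.
    return {"user": user_ip, "action": "authorize", "user-group": DOWN_ACTION_GROUP}


def on_server_recovered(monitor: PortalServerMonitor, escaped_users: list) -> list:
    """portal-server-up action re-authen: escaped users are re-authenticated
    once the server is back; nothing happens while it is still down."""
    if not monitor.is_up:
        return []
    return [{"user": u, "action": "re-authen"} for u in escaped_users]


def run_scenario(heartbeats):
    """Feed a constructed heartbeat sequence (True = reply seen within one
    interval). Returns the emitted events and the seconds elapsed before the
    server was declared down (None if it never was)."""
    monitor = PortalServerMonitor()
    down_after = None
    for i, ok in enumerate(heartbeats, start=1):
        monitor.observe(ok)
        if down_after is None and not monitor.is_up:
            down_after = i * DETECT_INTERVAL_S
    return monitor.events, down_after


if __name__ == "__main__":
    # Constructed sequence: one good reply, five misses, then recovery.
    events, down_after = run_scenario([True] + [False] * 5 + [True])
    print("events:", events, "down after", down_after, "s")
```

Two points worth checking on a live network before relying on this: the escape channel opens only after five consecutive misses, so with a 100-second interval users see roughly 500 seconds of failed Portal redirects before group1 authorization kicks in; and because group1 maps to ACL 3001, which permits all IP traffic, a Portal server outage temporarily removes access control from the employee SSID until re-authentication, whereas the guest profile's group2 (ACL 3002) only blocks 192.168.11.200. The action log setting means that transition is recorded but not alerted on, so it is worth forwarding those logs to the SOC.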