WLAN Product Interoperation Configuration Guide

Example for Configuring MAC and IP Address Binding for Dumb Terminals and Deploying Them in Centralized Mode

A MAC address and IP address binding table of dumb terminals can be configured on the Agile Controller-Campus. The Agile Controller-Campus delivers the binding table to a switch and the switch assigns IP addresses to the terminals based on their MAC addresses.

Involved Products and Versions

  • Access switch: S3700, V200R008C00 and later versions
  • Aggregation switch: S12700, V200R009C00 and later versions
  • RADIUS server: Agile Controller-Campus, V100R002C00SPC105 or V100R003C10

Networking Requirements

A public security bureau wants to build a dedicated camera network, without an independent DHCP server, to control access of the cameras in its jurisdiction. The bureau has the following requirements:
  • The Agile Controller-Campus manages the MAC address and IP address binding table of cameras and delivers the table to a switch. The switch functioning as the DHCP server then dynamically assigns IP addresses to the cameras based on their MAC addresses.
  • Access of cameras configured with static IP addresses is prohibited.
  • Cameras are not allowed to move across police stations. If the IP address of a camera assigned based on its MAC address is not in the network segment of the local gateway, communication between the camera and the local gateway is prohibited.
Figure 1-10  Network diagram
NOTE:

The switch configuration of police station A is used as an example; the configuration of police station B is the same.

Data Plan

Table 1-35  Network data plan for devices

  • Agile Controller-Campus: IP address 172.18.1.2.
  • Aggregation switch (S12708), GE1/0/1: VLAN 10; IP address of VLANIF 10: 192.168.1.1/16. Camera gateway, connected to the access switches.
  • Aggregation switch (S12708), GE1/0/2: VLAN 100; IP address of VLANIF 100: 172.18.1.1/24. Connected to the Agile Controller-Campus.
  • Access switch (S3700), GE0/0/1: VLAN 10. Connected to cameras.
  • Access switch (S3700), GE0/0/2: VLAN 10. Connected to the aggregation switch.

Table 1-36  Service data plan for devices

  • Wired RADIUS:
    • Authentication server IP address: 172.18.1.2
    • Authentication server port number: 1812
    • Accounting server port number: 1813
    • Shared key of the RADIUS server (authentication and accounting): Admin@123
    • Accounting interval: 15 minutes
    • Authentication domain: mac
  • ACL number of the post-authentication domain: 3001

Table 1-37  Service data plan for the Agile Controller-Campus

  • Terminal group: Police station A
  • Switch IP address: 172.18.1.1
  • RADIUS authentication key: Admin@123
  • RADIUS accounting key: Admin@123

Prerequisites

The access switch, aggregation switch, and Agile Controller-Campus server can communicate with each other.

Procedure

  1. Configure the aggregation switch.
    1. Create VLANs and configure the allowed VLANs on the interfaces to ensure network connectivity.

      <HUAWEI> system-view
      [HUAWEI] sysname S12700
      [S12700] dhcp enable   //Enable the DHCP service.
      [S12700] vlan batch 10 100   //Create VLAN 10 and VLAN 100.
      [S12700] interface gigabitethernet 1/0/1  //Enter the view of the interface connected to the access switch.
      [S12700-GigabitEthernet1/0/1] port link-type trunk  //Change the link type of gigabitethernet1/0/1 to trunk.
      [S12700-GigabitEthernet1/0/1] port trunk pvid vlan 10  //Set the default VLAN of gigabitethernet1/0/1 to VLAN 10.
      [S12700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
      [S12700-GigabitEthernet1/0/1] quit
      [S12700] interface vlanif 10
      [S12700-Vlanif10] ip address 192.168.1.1 255.255.0.0
      [S12700-Vlanif10] dhcp select interface
      [S12700-Vlanif10] quit
      [S12700] interface gigabitethernet 1/0/2  //Enter the view of the interface connected to the Agile Controller-Campus.
      [S12700-GigabitEthernet1/0/2] port link-type access
      [S12700-GigabitEthernet1/0/2] port default vlan 100
      [S12700-GigabitEthernet1/0/2] quit
      [S12700] interface vlanif 100
      [S12700-Vlanif100] ip address 172.18.1.1 255.255.255.0
      [S12700-Vlanif100] quit
      [S12700] quit
      <S12700> save  //Save the configuration.

    2. Set parameters for connecting to the RADIUS server.

      <S12700> system-view
      [S12700] radius-server template policy  //Create a RADIUS server template.
      [S12700-radius-policy] radius-server authentication 172.18.1.2 1812 source ip-address 172.18.1.1  //Configure the IP address and port number for the RADIUS authentication server.
      [S12700-radius-policy] radius-server accounting 172.18.1.2 1813 source ip-address 172.18.1.1  //Configure an IP address and a port number for the RADIUS accounting server.
      [S12700-radius-policy] radius-server shared-key cipher Admin@123  //Configure a shared key for the RADIUS server.
      [S12700-radius-policy] quit
      [S12700] radius-server authorization 172.18.1.2 shared-key cipher Admin@123  //Configure an IP address for the RADIUS authorization server and the same shared key as that of the RADIUS authentication and accounting servers.
      
      [S12700] aaa  //Enter the AAA view.
      [S12700-aaa] authentication-scheme auth  //Configure an authentication scheme.
      [S12700-aaa-authen-auth] authentication-mode radius  //Set the authentication scheme to RADIUS. When the switch works with the Agile Controller-Campus, and the Service Controller functions as the RADIUS server, the authentication scheme must be set to RADIUS.
      [S12700-aaa-authen-auth] quit
      [S12700-aaa] accounting-scheme acco  //Configure an accounting scheme.
      [S12700-aaa-accounting-acco] accounting-mode radius  //Set the accounting scheme to RADIUS. The RADIUS accounting scheme must be used so that the RADIUS server can maintain account state information such as login/logout information and force users to go offline.
      [S12700-aaa-accounting-acco] accounting realtime 15  //Set the real-time accounting interval to 15 minutes. In applications, set the real-time accounting interval based on the number of users on your network by referring to Table 1-38.
      [S12700-aaa-accounting-acco] quit
      [S12700-aaa] domain mac  //Configure the domain mac, and bind the authentication scheme, accounting scheme, and RADIUS server template to it.
      [S12700-aaa-domain-mac] authentication-scheme auth
      [S12700-aaa-domain-mac] accounting-scheme acco
      [S12700-aaa-domain-mac] radius-server policy
      [S12700-aaa-domain-mac] quit
      [S12700-aaa] quit
      [S12700] authentication unified-mode  //Switch the NAC mode to unified. A switch works in unified mode by default. After switching the NAC mode to unified, the administrator must save the configuration and restart the switch to make the new mode take effect.
      NOTE:

      NAC supports the common and unified configuration modes. Compared with the common mode, the unified mode has the following advantages:

      • The command lines are easier to understand and are consistently formatted.
      • Overlapping concepts have been removed, so the configuration logic is simpler.

      Because of these advantages, you are advised to deploy NAC in unified mode.

      NOTE:
      The accounting realtime command sets the real-time accounting interval. A short interval increases the load on the device and the RADIUS server, so set it according to the number of users. Table 1-38 lists the recommended real-time accounting intervals for different user quantities.
      Table 1-38  Accounting interval

      • 1 to 99 users: 3 minutes
      • 100 to 499 users: 6 minutes
      • 500 to 999 users: 12 minutes
      • More than 1000 users: 15 minutes or more

    3. Configure MAC address authentication.

      [S12700] mac-access-profile name m1  //Configure a MAC access profile. In the profile, both the default user name and password are the terminal MAC address without the delimiter (-).
      [S12700-mac-access-profile-m1] quit
      [S12700] authentication-profile name p1  //Configure an authentication profile.
      [S12700-authen-profile-p1] mac-access-profile m1  //Bind the authentication profile to the MAC access profile.
      [S12700-authen-profile-p1] access-domain mac force  //In the authentication profile, specify the domain mac as the forcible authentication domain.
      [S12700-authen-profile-p1] authentication mode multi-authen  //Set the user access mode on an interface to multi-authen.
      [S12700-authen-profile-p1] quit
      [S12700] interface gigabitethernet 1/0/1
      [S12700-GigabitEthernet1/0/1] authentication-profile p1  //Enable MAC address authentication on the interface.
      [S12700-GigabitEthernet1/0/1] quit
      

    4. Set XMPP interworking parameters. The MAC address and IP address binding table configured on the Agile Controller-Campus is delivered to the switch using the XMPP protocol.

      [S12700] group-policy controller 172.18.1.2 password Admin@123 src-ip 172.18.1.1   //Set XMPP interworking parameters.
      [S12700] quit
      <S12700> save
      

  2. Configure the access switch.
    1. Create VLANs and configure the allowed VLANs on the interfaces to ensure network connectivity.

      # Create VLAN 10.
      <HUAWEI> system-view
      [HUAWEI] sysname S3700
      [S3700] vlan 10
      [S3700-vlan10] quit
      # Configure the interface connected to the cameras as an access interface and add it to VLAN 10.
      [S3700] interface gigabitethernet 0/0/1
      [S3700-GigabitEthernet0/0/1] port link-type access
      [S3700-GigabitEthernet0/0/1] port default vlan 10
      [S3700-GigabitEthernet0/0/1] quit
      

      # Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 10 packets to pass.

      [S3700] interface gigabitethernet 0/0/2
      [S3700-GigabitEthernet0/0/2] port link-type trunk
      [S3700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
      [S3700-GigabitEthernet0/0/2] quit
      

    2. Configure DHCP snooping and IPSG to prevent access of cameras configured with static IP addresses.

      [S3700] dhcp enable  //Enable the DHCP function.
      [S3700] dhcp snooping enable  //In the system view, enable DHCP snooping globally.
      [S3700] vlan 10
      [S3700-vlan10] dhcp snooping enable  //Enable DHCP snooping in VLAN 10. The switch learns MAC/IP binding entries from the DHCP exchanges between the cameras and the S12700.
      [S3700-vlan10] ip source check user-bind enable  //Enable IPSG in VLAN 10: IP packets are checked against the DHCP snooping binding table, so a camera with a static IP address has no binding entry and its packets are dropped.
      [S3700-vlan10] ip source check user-bind check-item ip-address mac-address  //Check the source IP address and source MAC address of each packet against the binding entry.
      [S3700-vlan10] quit
      [S3700] quit
      <S3700> save

      NOTE:
      After DHCP snooping is enabled, interfaces are untrusted by default and DHCP reply packets received on them are discarded. Configure the uplink interface GE0/0/2, which faces the DHCP server (the S12700), as a trusted interface (dhcp snooping trusted in the interface view); otherwise the cameras in VLAN 10 cannot obtain IP addresses.

  3. Add devices on the Agile Controller-Campus and set RADIUS authentication and XMPP parameters.

    RADIUS is used for MAC address authentication of cameras. XMPP is used for delivering the MAC address and IP address binding table to the DHCP server (S12700). The parameter settings on the Agile Controller-Campus must be the same as those on the devices.

    1. Choose Resource > Device > Device Management.
    2. Click Add.
    3. Set RADIUS authentication and XMPP parameters.

      • Name: SW.
      • IP address: 172.18.1.1. IP address of the access control device for communicating with the Agile Controller-Campus.
      • Authentication key: Admin@123. Must be the same as the RADIUS shared key set on the access control device.
      • Accounting key: Admin@123. Must be the same as the RADIUS shared key set on the access control device.
      • Real-time accounting interval (minute): 15. Must be the same as the accounting interval set on the access control device.
      • Configuration mode: Manual.
      • Password: Admin@123. Must be the same as the password specified when you set the XMPP parameters on the access control device (group-policy controller command).

    4. Click OK.
  4. Add a terminal group, add cameras to the device list of the terminal group, and deliver terminal information to the switch.
    1. Choose Resource > Terminal > Terminal List.
    2. Choose the root node Device Group in the navigation tree, and click Add on the right pane to add a terminal group.
    3. Click the new terminal group in the navigation tree, and click the Device List tab to add terminals.

      • MAC Address: 12-34-56-65-56-05. MAC address of a camera; set it based on the site requirements.
      • IP Address: 192.168.1.5. IP address to be assigned to the camera; it must lie in the segment of the camera gateway (VLANIF 10, 192.168.1.1/16).
      • Access Device: 172.18.1.1. IP address of the access control device for communicating with the Agile Controller-Campus.
      • XMPP server IP: 172.18.1.1. IP address of the device that receives the binding table from the Agile Controller-Campus through XMPP.
      • Pool type: Interface pool.
      • Pool name: vlanif10. Terminals obtain IP addresses from this pool (the interface address pool created with dhcp select interface on VLANIF 10).

      NOTE:

      If a large number of cameras need to be added, you can click Import on the Device Group List tab page to download a template. Enter camera information in the template and import the template to the Agile Controller-Campus.

    4. On the Device List tab page, choose Deploy All or Deploy Selected from the Deploy drop-down list box to deliver MAC address and IP address binding table to the switch.

      When the deployment is successful, you can view the delivered configuration on the access control device.
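Before importing a large binding table, validate the plan offline. The following Python script is an added example and is not part of this Huawei document or of the Agile Controller-Campus product; the sample rows are constructed. It normalizes MAC addresses to the switch's xxxx-xxxx-xxxx form, derives the MAC-auth account (the MAC without delimiters, which is the mac-access-profile default user name), and rejects entries whose IP address lies outside the VLANIF 10 gateway segment (a camera with such an address cannot reach its local gateway, which is what the "no moving across police stations" requirement relies on), collides with the gateway, network or broadcast address, or duplicates a MAC or IP already in the table.

```python
"""Sanity-check a planned MAC/IP binding table before importing it into the controller.

Added example, not Huawei code. The rows below are constructed for illustration.
"""
import ipaddress
import re

HEX_MAC = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in the switch's xxxx-xxxx-xxxx form; raise ValueError on bad input."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not HEX_MAC.match(digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def mac_auth_username(mac: str) -> str:
    """Default MAC-auth account on the switch: the MAC with all delimiters removed."""
    return normalize_mac(mac).replace("-", "")


def check_binding_table(rows, gateway: str):
    """rows: iterable of (mac, ip). gateway: the VLANIF address, e.g. '192.168.1.1/16'.

    Returns (valid_rows, problems). Valid rows carry the normalized MAC and IP.
    """
    gw = ipaddress.ip_interface(gateway)
    net = gw.network
    seen_mac, seen_ip, valid, problems = {}, {}, [], []
    for mac, ip in rows:
        try:
            nmac = normalize_mac(mac)
            addr = ipaddress.ip_address(ip)
        except ValueError as exc:
            problems.append(f"{mac} {ip}: {exc}")
            continue
        if addr not in net:
            # Requirement: an address outside the local gateway segment is unusable.
            problems.append(f"{nmac} {ip}: outside gateway segment {net}")
        elif addr in (gw.ip, net.network_address, net.broadcast_address):
            problems.append(f"{nmac} {ip}: reserved address in {net}")
        elif nmac in seen_mac:
            problems.append(f"{nmac}: duplicate MAC (already bound to {seen_mac[nmac]})")
        elif addr in seen_ip:
            problems.append(f"{nmac} {ip}: IP already bound to {seen_ip[addr]}")
        else:
            seen_mac[nmac] = ip
            seen_ip[addr] = nmac
            valid.append((nmac, str(addr)))
    return valid, problems


# Constructed sample plan for police station A (camera gateway 192.168.1.1/16).
SAMPLE_ROWS = [
    ("12-34-56-65-56-05", "192.168.1.5"),   # the camera from the data plan
    ("12:34:56:65:56:06", "192.168.1.6"),   # other delimiter style, still valid
    ("1234-5665-5607", "10.20.1.7"),        # address from another station's segment
    ("12-34-56-65-56-08", "192.168.1.1"),   # collides with the gateway address
    ("12-34-56-65-56-05", "192.168.1.9"),   # duplicate MAC
    ("12-34-56-65-56-0A", "192.168.1.5"),   # duplicate IP
    ("12-34-56-65-56", "192.168.1.10"),     # malformed MAC
]

if __name__ == "__main__":
    ok, bad = check_binding_table(SAMPLE_ROWS, "192.168.1.1/16")
    for nmac, ip in ok:
        print(f"OK    {nmac}  user={mac_auth_username(nmac)}  ip={ip}")
    for problem in bad:
        print(f"FAIL  {problem}")
```

Run it against the real plan (one gateway per police station) before clicking Deploy; every FAIL line is an entry the switch would either never hand out or that would leave two cameras fighting over one address.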

  5. Add an authentication rule to deny access from cameras connecting to the network from a remote police station.
    1. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule.
    2. Click Add.

      • Name: MAC authentication.
      • Service Type: MAC Bypass Authentication Service. Dumb terminals use MAC address authentication, so this service type is required.
      • Access Parameter: select Device IP Address. Dumb terminals are bound to the access control device, which prevents them from moving between police stations.

    3. Click OK.
  6. Add an authorization rule for cameras to access the network.
    1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule.
    2. Click Add.

      • Name: MAC authentication.
      • Service Type: MAC Bypass Authentication Service. Required for dumb terminals.
      • Terminal Group: Police station A. The terminal group that is allowed to access the network.
      • Authorization Result: Permit Access. Cameras meeting the authorization condition can access the network.

    3. Click OK.
  7. Change the authorization result in the default authorization rule to Deny Access.
    1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule.
    2. Click the edit icon next to Default Authorization Rule.
    3. Set Authorization Result to Deny Access.

Verification

  1. When a camera passes MAC address bypass authentication, you can view information about the camera on the Online User page. The account is the camera's MAC address, and the terminal IP address is the IP address bound to the camera's MAC address.

    If authentication fails, locate the cause in RADIUS logs and rectify the fault with recommended actions.

  2. When a static IP address is configured for a camera, the camera is authenticated successfully but cannot access the network: the access switch has no DHCP snooping binding entry for the static address, so IPSG drops the camera's IP packets.
  3. When a camera of police station A is connected to an interface of the access switch of police station B, MAC address authentication of the camera fails, because the authentication rule binds the camera to the access control device IP address of police station A.
  4. When a camera of police station A is connected to another interface of the access switch of police station A, MAC address authentication of the camera succeeds and the camera can access the network.
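To reason about a failure in step 1 of the verification, and to see what the shared key Admin@123 from the RADIUS server template actually protects, the following Python script is an added example; it is not code from Huawei or from the Agile Controller-Campus, and every value in it is constructed from the data plan above. It builds the RADIUS Access-Request that a MAC bypass authentication produces (User-Name and User-Password are both the MAC without delimiters, NAS-IP-Address is the switch's configured source address 172.18.1.1; the Calling-Station-Id attribute is assumed), hides the password as RFC 2865 section 5.2 requires, and checks the Response Authenticator of an Access-Accept the way the switch does. With a mismatched shared key the server reads a different password and the switch cannot validate the response, which is the usual reason an otherwise correct setup shows up as an authentication failure in the RADIUS logs.

```python
"""Build and check RFC 2865 RADIUS packets for MAC bypass authentication.

Added example, not Huawei code. Values are constructed from the page's data plan:
MAC 12-34-56-65-56-05, NAS IP 172.18.1.1, shared key Admin@123.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def mac_auth_username(mac: str) -> str:
    """Default MAC-auth user name on the switch: the MAC with delimiters removed."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password(); a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute (length counts the two header bytes)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(mac, nas_ip, secret, identifier=1, authenticator=None):
    """What the authenticator (S12700) sends for a camera doing MAC bypass auth."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes per request
    name = mac_auth_username(mac).encode()
    attrs = (attr(USER_NAME, name)
             + attr(USER_PASSWORD, hide_password(name, secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(CALLING_STATION_ID, mac.encode()))  # assumed attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Switch side: identifiers must match and the authenticator must verify under the key."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected


if __name__ == "__main__":
    key = b"Admin@123"
    req = build_access_request("12-34-56-65-56-05", "172.18.1.1", key)
    got = parse_attributes(req)
    print("User-Name:", got[USER_NAME], "password seen by server:",
          reveal_password(got[USER_PASSWORD], key, req[4:20]))
    accept = build_response(ACCESS_ACCEPT, req, key)
    print("verify with correct key:", verify_response(accept, req, key))
    print("verify with wrong key:  ", verify_response(accept, req, b"Wrong@123"))
```

The two print lines at the end are the practical check: a server configured with a different key recovers a garbled User-Password and rejects, and even an Access-Accept from such a server fails verify_response() on the switch, so the camera never comes online although the MAC itself is correct.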
Updated: 2019-03-30

Document ID: EDOC1000113779