No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

WLAN Product Interoperation Configuration Guide

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring User Authorization Based on User Groups (CLI)

Example for Configuring User Authorization Based on User Groups (CLI)

Introduction to User Authorization Based on User Groups

In user authorization, the device controls network access rights based on the user role during each phase of user authentication.

A user group consists of users (terminals) with the same attributes such as the role and rights. For example, you can divide users on a campus network into the R&D group, finance group, marketing group, and guest group based on the enterprise department structure, and grant different security policies to different departments.

When the AC is interconnected with the Aruba ClearPass, three authentication methods, that is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication. The configurations for the three authentication methods are similar. The following uses EAP as an example.

For details about how to configure user authorization based on user groups on the AC, see Configure a user group.

For details about how to configure user authorization based on user groups on the Aruba ClearPass server, see Configure the Aruba ClearPass.

Applicable Products and Versions

Table 3-19  Applicable products and versions

Product

Version

Huawei AC

V200R007C10 and later versions

Aruba ClearPass Policy Manager

6.5.0.71095

Service Requirements

Different user groups are created to assign network access rights to different users when they access the WLAN through 802.1X authentication. Furthermore, users' services are not affected during roaming in the coverage area.

Networking Requirements

  • AC networking mode: Layer 2 bypass mode
  • DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP addresses to APs and STAs, respectively.
  • Service data forwarding mode: direct forwarding
  • WLAN authentication mode: WPA-WPA2+802.1X+AES
Figure 3-7  Networking for configuring user authorization based on user groups

Data Plan

Table 3-20  Data planning on the AC

Configuration Item

Data

Management VLAN

VLAN 100

Service VLAN

VLAN 101

AC's source interface

VLANIF 100: 10.23.100.1/24

DHCP server

The AC functions as a DHCP server to assign IP addresses to APs, and SwitchB functions as a DHCP server to assign IP addresses to STAs.

IP address pool for APs

10.23.100.2-10.23.100.254/24

IP address pool for the STAs

10.23.101.2-10.23.101.254/24

RADIUS authentication parameters

  • RADIUS server template name: wlan-net
  • IP address: 10.23.103.1
  • Authentication port number: 1812
  • Shared key: huawei@123
  • Authentication scheme: wlan-net

802.1X access profile

  • Name: wlan-net
  • Authentication mode: EAP

Authentication profile

  • Name: wlan-net
  • Bound profile and authentication scheme: 802.1X access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net

AP group

  • Name: ap-group1
  • Bound profile: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile

  • Name: default
  • Country code: China

SSID profile

  • Name: wlan-net
  • SSID name: wlan-net

Security profile

  • Name: wlan-net
  • Security policy: WPA-WPA2+802.1X+AES

VAP profile

  • Name: wlan-net
  • Forwarding mode: direct forwarding
  • Service VLAN: VLAN 101
  • Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net

User group

  • Name: group1
  • Bound ACL number: 3001
  • User group right: Only members in the user group can access network resources on 10.23.200.0/24.
Table 3-21  Data planning on the Aruba ClearPass

Configuration Item

Data

Department

R&D

Account

Account: huawei

Password: huawei123

Device profile

Huawei

Device name

AC6605

Device's IP address

10.23.102.2/32

RADIUS shared key

huawei@123

Authentication protocol

  • MS-CHAPv2
  • PEAP
  • CHAP (only for the test-aaa test)

User group

User-group

Configuration Roadmap

  1. Configure network interworking.
  2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
  3. Configure APs to go online.
  4. Configure 802.1x authentication and user authorization on the AC.
  5. Configure the Aruba ClearPass server.

Configuration Notes

  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • The AC and server must have the same RADIUS shared key.

Procedure

  1. Configure network interworking.

    # Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100 101
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type trunk
    [SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
    [SwitchA-GigabitEthernet0/0/1] port-isolate enable
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] port link-type trunk
    [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
    [SwitchA-GigabitEthernet0/0/2] quit
    
    # Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next hop of the address of Router.
    <HUAWEI> system-view
    [HUAWEI] sysname SwitchB
    [SwitchB] vlan batch 100 to 104
    [SwitchB] interface gigabitethernet 0/0/1
    [SwitchB-GigabitEthernet0/0/1] port link-type trunk
    [SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
    [SwitchB-GigabitEthernet0/0/1] quit
    [SwitchB] interface gigabitethernet 0/0/2
    [SwitchB-GigabitEthernet0/0/2] port link-type trunk
    [SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
    [SwitchB-GigabitEthernet0/0/2] quit
    [SwitchB] interface gigabitethernet 0/0/3
    [SwitchB-GigabitEthernet0/0/3] port link-type trunk
    [SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
    [SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
    [SwitchB-GigabitEthernet0/0/3] quit
    [SwitchB] interface gigabitethernet 0/0/4
    [SwitchB-GigabitEthernet0/0/4] port link-type trunk
    [SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
    [SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
    [SwitchB-GigabitEthernet0/0/4] quit
    [SwitchB] interface vlanif 102
    [SwitchB-Vlanif102] ip address 10.23.102.1 24
    [SwitchB-Vlanif102] quit
    [SwitchB] interface vlanif 103
    [SwitchB-Vlanif103] ip address 10.23.103.2 24
    [SwitchB-Vlanif103] quit
    [SwitchB] interface vlanif 104
    [SwitchB-Vlanif104] ip address 10.23.104.1 24
    [SwitchB-Vlanif104] quit
    [SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
    
    # Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure the static route to the RADIUS server.
    <AC6605> system-view
    [AC6605] sysname AC
    [AC] vlan batch 100 101 102
    [AC] interface gigabitethernet 0/0/1
    [AC-GigabitEthernet0/0/1] port link-type trunk
    [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
    [AC-GigabitEthernet0/0/1] quit
    [AC] interface vlanif 102
    [AC-Vlanif102] ip address 10.23.102.2 24
    [AC-Vlanif102] quit
    [AC] ip route-static 10.23.103.0 24 10.23.102.1
    
    # Configure the IP address of GE0/0/1 on Router and a static route to the network segment for STAs.
    <Huawei> system-view
    [Huawei] sysname Router
    [Router] interface gigabitethernet 0/0/1
    [Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
    [Router-GigabitEthernet0/0/1] quit
    [Router] ip route-static 10.23.101.0 24 10.23.104.1
    

  2. Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs and STAs respectively.

    # On the AC, configure the VLANIF 100 to assign IP addresses to APs.
    [AC] dhcp enable
    [AC] interface vlanif 100
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit
    # On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.
    NOTE:
    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
    [SwitchB] dhcp enable
    [SwitchB] interface vlanif 101
    [SwitchB-Vlanif101] ip address 10.23.101.1 24
    [SwitchB-Vlanif101] dhcp select interface
    [SwitchB-Vlanif101] quit

  3. Configure APs to go online.

    # Create an AP group to which the APs with the same configuration can be added.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and bind the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name default
    [AC-wlan-regulate-domain-default] country-code cn
    [AC-wlan-regulate-domain-default] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
    e?[Y/N]:y 
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100
    
    # Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure names for the APs based on the AP locations, so that you can know where the APs are located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.
    NOTE:

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate on the 2.4 GHz and 5 GHz bands respectively.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name area_1
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
    s of the radio, Whether to continue? [Y/N]:y 
    [AC-wlan-ap-0] quit
    

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

    [AC-wlan-view] display ap all
    Total AP information:
    nor  : normal          [1]
    -------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime   ExtraInfo
    -------------------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S      -
    -------------------------------------------------------------------------------------------------
    Total: 1
    

  4. Configure the AP channel and power.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The settings of the AP channel and power in this example are for reference only. You need to configure the AP channel and power based on the actual country code and network planning.

    # Disable automatic channel and power calibration functions of radio 0, and configure the channel and power for radio 0.
    [AC-wlan-view] ap-id 0
    [AC-wlan-ap-0] radio 0
    [AC-wlan-radio-0/0] calibrate auto-channel-select disable
    [AC-wlan-radio-0/0] calibrate auto-txpower-select disable
    [AC-wlan-radio-0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-radio-0/0] eirp 127
    [AC-wlan-radio-0/0] quit
    # Disable automatic channel and power calibration functions of radio 1, and configure the channel and power for radio 1.
    [AC-wlan-ap-0] radio 1
    [AC-wlan-radio-0/1] calibrate auto-channel-select disable
    [AC-wlan-radio-0/1] calibrate auto-txpower-select disable
    [AC-wlan-radio-0/1] channel 20mhz 149
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-radio-0/1] eirp 127
    [AC-wlan-radio-0/1] quit
    [AC-wlan-ap-0] quit

  5. Configure 802.1X authentication on the AC.
    1. Configure RADIUS authentication parameters.

      # Create a RADIUS server template.

      [AC-wlan-view] quit
      [AC] radius-server template wlan-net
      [AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
      [AC-radius-wlan-net] radius-server shared-key cipher huawei@123
      [AC-radius-wlan-net] quit
      

      # Create a RADIUS authentication scheme.

      [AC] aaa
      [AC-aaa] authentication-scheme wlan-net
      [AC-aaa-authen-wlan-net] authentication-mode radius
      [AC-aaa-authen-wlan-net] quit
      [AC-aaa] quit
      
      # Configure the NAS-Identifier attribute.
      NOTE:

      The NAS-Identifier value must be the same on the AC and ClearPass server. If this attribute is not configured on the AC, set the value of NAS-Identifier on the ClearPass server to the AC name.

      [AC] radius-server template wlan-net
      [AC-radius-wlan-net] radius-attribute set NAS-Identifier huaweiac
      [AC-radius-wlan-net] quit
      

    2. Configure an 802.1X access profile to manage 802.1X access control parameters.

      # Create the 802.1X access profile wlan-net.

      [AC] dot1x-access-profile name wlan-net
      

      # Configure EAP relay authentication.

      [AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
      [AC-dot1x-access-profile-wlan-net] quit
      

    3. Create the authentication profile wlan-net and bind it to the 802.1X access profile, authentication scheme, and RADIUS server template.

      [AC] authentication-profile name wlan-net
      [AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
      [AC-authentication-profile-wlan-net] authentication-scheme wlan-net
      [AC-authentication-profile-wlan-net] radius-server wlan-net
      [AC-authentication-profile-wlan-net] quit

    4. Configure WLAN service parameters.

      # Create the security profile wlan-net and set the security policy in the profile.

      [AC] wlan
      [AC-wlan-view] security-profile name wlan-net
      [AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
      [AC-wlan-sec-prof-wlan-net] quit
      

      # Create the SSID profile wlan-net and set the SSID name to wlan-net.

      [AC-wlan-view] ssid-profile name wlan-net
      [AC-wlan-ssid-prof-wlan-net] ssid wlan-net
      [AC-wlan-ssid-prof-wlan-net] quit
      

      # Create the VAP profile wlan-net, configure the direct data forwarding mode and service VLANs, and bind the security profile, authentication profile, and SSID profile to the VAP profile.

      [AC-wlan-view] vap-profile name wlan-net
      [AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
      [AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
      [AC-wlan-vap-prof-wlan-net] security-profile wlan-net
      [AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
      [AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
      [AC-wlan-vap-prof-wlan-net] quit
      

      # Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of the AP.

      [AC-wlan-view] ap-group name ap-group1
      [AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
      [AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
      [AC-wlan-ap-group-ap-group1] quit
      [AC-wlan-view] quit
      

  6. Configure a user group.

    # Configure the user group group1 that can access the post-authentication domain. Enable users in group1 to access network resources on the network segment 10.23.200.0/24.

    NOTE:

    Configure the RADIUS server to authorize the user group group1 to authenticated employees.

    [AC] acl 3001
    [AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
    [AC-acl-adv-3001] rule 2 deny ip destination any
    [AC-acl-adv-3001] quit
    [AC] user-group group1
    [AC-user-group-group1] acl-id 3001
    [AC-user-group-group1] quit
    

  7. Configure the Aruba ClearPass.
    1. Log in to the Aruba ClearPass server.

      # Enter the access address of the Aruba ClearPass server in the address box, which is in the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the Aruba ClearPass server.

      # Choose ClearPass Policy Manager.

      # On the displayed page, enter the user name and password to log in to the Aruba ClearPass server.

    2. Create a local account.

      # Choose Configuration > Identity > Local Users. In the pane on the right side, click Add to create the account with the user name of huawei and password of huawei123. Select Enable User and choose Role. Then, click Add.



    3. Add the AC so that the Aruba ClearPass can interwork with the AC.

      # Choose Configuration > Network > Devices. In the pane on the right side, click Add. Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name. Then, click Add.



    4. Configure the service Radius.

      # Choose Configuration > Services. In the pane on the right side, click Add.

      # On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to Radius, and select Authorization.On the Service Rule tab, click Click to add. On the page that is displayed, set Type to Radius:IETF, Name to NAS-Identifier, Operator to EQUALS, and Value to huaweiac

      NOTE:

      The NAS-Identifier value must be the same on the AC and ClearPass server. If this attribute is not configured on the AC, set the value of NAS-Identifier on the ClearPass server to the AC name.



      # On the Authentication tab, add [EAP PEAP] and [EAP MSCHAPv2] to Authentication Methods and [Local User Repository][Local SQL DB] to Authentication Sources.



      # On the Authorization tab, add [Local User Repository][Local SQL DB] to Authentication Source.



      # On other tabs, use default settings. Click Save.

    5. Configure the service TEST-AAA.

      NOTE:

      The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the AC.

      Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS authentication.

      The NAS-Identifier value must be the same on the AC and ClearPass server. If this attribute is not configured on the AC, set the value of NAS-Identifier on the ClearPass server to the AC name.

      # Choose Configuration > Services. In the pane on the right side, click Add.

      # On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).On the Service Rule tab, click Click to add. On the page that is displayed, set Type to Radius:IETF, Name to NAS-Identifier, Operator to EQUALS, and Value to huaweiac



      # On the Authentication tab, add PAP to Authentication Methods and [Local User Respository][Local SQL DB] to Authentication Sources. Then, click Save.



      # On other tabs, use default settings.

    6. Configure an authorized user group.

      # Choose Configuration > Enforcement > Profiles. In the pane on the right side, click Add. On the Profile tab, set Template to RADIUS Based Enforcement and Name to User-group.



      # On the Attributes tab, set Type to Radius:IETF and Filter-ID to group1. Then, click Save.



      # Choose Configuration > Enforcement > Policies. In the pane on the right side, click Add. Set Name to User-group, Enforcement Type to RADIUS, and Default Profile to [Allow Access Profile].



      # On the Rules tab, click Add Rule. On the displayed Rules Editor tab, set Type to Authentication, Name to Username, Operator to EQUALS, Value to huawei, and Profile Names to [RADIUS] User-group. This configuration is used to deliver rights configured for User-group to user huawei. Click Save.



      # Use the same method to add a new rule. Set Type to Authentication, Name to Username, Operator to NOT_EQUALS, Value to huawei, Profile Names to [RADIUS] [Allow Access Profile]. This configuration is used to allow users to pass authentication without authorization operations. Click Save.



      # Click Save in the lower right corner.

    7. Bind authorization policies.

      # Choose Configuration > Services. Click service Radius to open the edit tab. Select the Enforcement tab, and then set Enforcement Policy to User-group. Click Save.



  8. On the AC, check whether users can pass RADIUS authentication.

    [AC] test-aaa huawei huawei123 radius-template wlan-net pap
    Info: Account test succeed.
    

  9. Verify the configuration.

    • The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.
    • The STAs obtain IP addresses when they successfully associate with the WLAN.
    • A user can use the 802.1X authentication client on an STA for authentication. After entering the correct user name and password, the user is successfully authenticated and can access resources on the network segment 10.23.200.0/24. You need to configure the 802.1X authentication client based on the configured authentication mode PEAP.
      • Configuration on the Windows XP operating system:

        1. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net, set the authentication mode to WPA2, and encryption algorithm to AES.
        2. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
      • Configuration on the Windows 7 operating system:

        1. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID wlan-net. Set the authentication mode to WPA2-Enterprise, and encryption algorithm to AES. Click Next.
        2. Click Change connection settings. On the Wireless Network Properties page that is displayed, select the Security tab page and click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
        3. Click OK. On the Wireless Network Properties page, click Advanced settings. On the Advanced settings page that is displayed, select Specify authentication mode, set the identity authentication mode to User authentication, and click OK.

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 100 to 101
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk pvid vlan 100
     port trunk allow-pass vlan 100 to 101
     port-isolate enable group 1
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 100 to 101
    #
    return
  • SwitchB configuration file

    #
    sysname SwitchB
    #
    vlan batch 100 to 104
    #
    dhcp enable
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
    #
    interface Vlanif102
     ip address 10.23.102.1 255.255.255.0
    #
    interface Vlanif103
     ip address 10.23.103.2 255.255.255.0
    #
    interface Vlanif104
     ip address 10.23.104.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 to 101
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 100 102
    #
    interface GigabitEthernet0/0/3
     port link-type trunk
     port trunk pvid vlan 103
     port trunk allow-pass vlan 103
    #
    interface GigabitEthernet0/0/4
     port link-type trunk
     port trunk pvid vlan 104
     port trunk allow-pass vlan 104
    #
    ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
    #
    return
  • Router configuration file

    #
    sysname Router
    #
    interface GigabitEthernet0/0/1
     ip address 10.23.104.2 255.255.255.0
    #
    ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
    #
    return
    
  • AC configuration file

    #
     sysname AC
    #
    vlan batch 100 102
    #
    authentication-profile name wlan-net
     dot1x-access-profile wlan-net
     authentication-scheme wlan-net
     radius-server wlan-net
    #
    dhcp enable
    #
    radius-server template wlan-net
     radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
     radius-server authentication 10.23.103.1 1812 weight 80
     radius-attribute set NAS-Identifier huaweiac
    #
    acl number 3001
     rule 1 permit ip destination 10.23.200.0 0.0.0.255
     rule 2 deny ip
    #
    user-group group1
     acl-id 3001
    #
    aaa
     authentication-scheme wlan-net
      authentication-mode radius
    #
    interface Vlanif100
     ip address 10.23.100.1 255.255.255.0
     dhcp select interface
    #
    interface Vlanif102
     ip address 10.23.102.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 102
    #
    ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
    #
    capwap source interface vlanif100
    #
    wlan
     security-profile name wlan-net
      security wpa-wpa2 dot1x aes
     ssid-profile name wlan-net
      ssid wlan-net
     vap-profile name wlan-net
      service-vlan vlan-id 101
      ssid-profile wlan-net
      security-profile wlan-net
      authentication-profile wlan-net
     regulatory-domain-profile name default
     ap-group name ap-group1
      radio 0
       vap-profile wlan-net wlan 1
      radio 1
       vap-profile wlan-net wlan 1
     ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
      ap-name area_1
      ap-group ap-group1
      radio 0
       channel 20mhz 6
       eirp 127
      radio 1
       channel 20mhz 149
       eirp 127
    #
    dot1x-access-profile name wlan-net
    #
    return
Translation
Download
Updated: 2019-03-30

Document ID: EDOC1000113779

Views: 51431

Downloads: 1693

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next