WLAN Product Interoperation Configuration Guide
Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment

This example illustrates how to configure Portal authentication on an AC N+1 network. The RADIUS server and Portal server are both deployed in a two-node cluster, improving network access reliability.

Involved Products and Versions

Product Type            | Product Name            | Version
Agile Controller-Campus | Agile Controller-Campus | V100R002C10
WLAN AC                 | AC6605                  | V200R006C20
Access switch           | S2750EI                 | V200R008C00
Aggregation switch      | S5720HI                 | V200R008C00
Core switch             | S7700                   | V200R008C00

Networking Requirements

A company has about 5000 employees and needs to deploy an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network.

The company has the following requirements:
  • A unified identity authentication mechanism is used to authenticate all terminals attempting to connect to the campus network and deny access from unauthorized terminals.
  • Employees and guests access the campus network using different SSIDs.
  • Employees use laptops to access the network, and guests use mobile terminals to access the network.
  • Employees can connect only to the DNS server, DHCP server, and Agile Controller-Campus of the company before authentication, and can connect to both the intranet and Internet after being authenticated.
  • Guests can connect only to the DNS server, DHCP server, and Agile Controller-Campus of the company before authentication, and can connect only to the Internet after being authenticated.
  • There are three ACs on the network. Two ACs are deployed as the active ACs, and one as the standby AC to improve network reliability.
Figure 1-9  Networking of Portal authentication for wireless users in N+1 mode

Requirement Analysis

  • Given the company's network and requirements, and since no terminal security check is required, Portal authentication can be used on the campus network to authenticate employees and guests, with the authentication points deployed on the ACs.
  • It is recommended that authentication packets be forwarded in tunnel mode and user data packets be forwarded in local forwarding mode to reduce the load on the ACs.

VLAN Plan

Table 1-30  VLAN plan

VLAN ID | Function
100     | Management VLAN (mVLAN) for APs
101     | Service VLAN for employees
102     | Service VLAN for guests
103     | VLAN for connecting the core switch to the server domain

Network Data Plan

Table 1-31  Network data plan

Item | No. | Interface Number | VLAN | IP address | Description
Access switch S2750EI | (1) | GE0/0/1 | 100, 101, and 102 | - | Connected to the AP in the guest area
Access switch S2750EI | (2) | GE0/0/2 | 100, 101, and 102 | - | Connected to the AP in the guest area
Access switch S2750EI | (3) | GE0/0/3 | 100, 101, and 102 | - | Connected to the aggregation switch S5720HI
Aggregation switch S5720HI | (4) | GE0/0/1 | 100, 101, and 102 | - | Connected to the access switch S2750EI
Aggregation switch S5720HI | (5) | GE0/0/2 | 100, 101, and 102 | - | Connected to the core switch S7700
Aggregation switch S5720HI | (6) | GE0/0/3 | 100 | - | Connected to AC1
Aggregation switch S5720HI | (7) | GE0/0/4 | 100 | - | Connected to AC2
Aggregation switch S5720HI | (8) | GE0/0/5 | 100 | - | Connected to AC3
AC1 | (9) | GE0/0/1 | 100 | VLANIF 100: 172.18.10.1 | Connected to the S5720HI
AC2 | (10) | GE0/0/1 | 100 | VLANIF 100: 172.18.10.2 | Connected to the S5720HI
AC3 | (11) | GE0/0/1 | 100 | VLANIF 100: 172.18.10.3 | Connected to the S5720HI
S7700 | (12) | GE1/0/1 | 100, 101, and 102 | VLANIF 100: 172.18.10.4; VLANIF 101: 172.20.10.1; VLANIF 102: 172.19.10.1 | Connected to the S5720HI. VLANIF 100 communicates with the ACs and is the gateway for APs; VLANIF 101 is the gateway for employees; VLANIF 102 is the gateway for guests
S7700 | (13) | GE1/0/2 | 103 | VLANIF 103: 172.22.10.1 | Connected to the server domain

Server | IP address | Description
SM + SC1 (RADIUS server + Portal server) | 172.22.10.2 | -
SC2 (RADIUS server + Portal server) | 172.22.10.3 | -
DNS server | 172.22.10.4 | -
DHCP server | 172.22.10.6 | IP address pools: APs 172.18.10.0/24; employees 172.20.0.0/16; guests 172.19.0.0/16
Internal server | 172.22.10.5 | -

Service Data Plan

Table 1-32  Service data plan

Item | Data | Description
AC | ACL for employees' post-authentication domain: 3001; SSID of the employee area: employee | Enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
AC | ACL for guests' post-authentication domain: 3002; SSID of the guest area: guest | Enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
AC | RADIUS authentication server: primary 172.22.10.2, secondary 172.22.10.3, port 1812, shared key Admin@123 | The Service Controller of the Agile Controller-Campus provides both the RADIUS server and the Portal server functions, so the authentication, accounting, authorization and Portal server addresses are all Service Controller addresses. A RADIUS accounting server is configured to obtain user login and logout information; the authentication and accounting port numbers must be the same as those configured on the RADIUS server. An authorization server is configured so that the RADIUS server can deliver authorization rules to the AC; its shared key must be the same as that of the authentication and accounting servers.
AC | RADIUS accounting server: primary 172.22.10.2, secondary 172.22.10.3, port 1813, shared key Admin@123, accounting interval 15 minutes | -
AC | RADIUS authorization server: primary 172.22.10.2, secondary 172.22.10.3, shared key Admin@123 | -
AC | Portal server: primary 172.22.10.2, secondary 172.22.10.3; port on which the AC listens for Portal protocol packets: 2000; destination port in the packets the AC sends to the Portal server: 50200; shared key Admin@123; encryption key for the URL parameters the AC sends to the Portal server: Admin@123 | -
Agile Controller-Campus | Host name 1: access1.example.com; host name 2: access2.example.com | Users reach the Portal server by domain name.
Agile Controller-Campus | IP address of active device 1 (AC1): 172.18.10.1; IP address of active device 2 (AC2): 172.18.10.2; IP address of the standby device (AC3): 172.18.10.3 | -
Agile Controller-Campus | Authentication port: 1812 | -
Agile Controller-Campus | Accounting port: 1813 | -
Agile Controller-Campus | RADIUS shared key: Admin@123 | Must be the same as the RADIUS shared key configured on the AC.
Agile Controller-Campus | Portal server port: 50200 | -
Agile Controller-Campus | Portal key: Admin@123 | Must be the same as the Portal key configured on the AC.
Agile Controller-Campus | Department Employee: account tony, password Admin@123; Department Guest: account susan, password Admin@123 | Department Employee, employee account tony and guest account susan have already been created on the Agile Controller-Campus.
Pre-authentication domain | SM + SC1 (RADIUS server + Portal server), SC2 (RADIUS server + Portal server), DNS server and DHCP server | -
Post-authentication domain for employees | Internal servers and Internet | -
Post-authentication domain for guests | Internet | -

Configuration Roadmap

  1. Configure the access switch, aggregation switch, and core switch to ensure network connectivity.
  2. On the ACs, configure a RADIUS server template, configure authentication, accounting, and authorization schemes in the template, and specify the IP addresses of Portal servers. In this way, the ACs can communicate with RADIUS servers and Portal servers.
  3. Configure reliability services and basic WLAN services for the ACs.
  4. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the Agile Controller-Campus can manage the ACs.
  5. Add authorization results and rules to grant different access rights to employees and guests after they are successfully authenticated.

Procedure

  1. [Device] Configure the access switch S2750EI to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S2700
    [S2700] vlan batch 100 101 102   //Create VLAN 100, VLAN 101, and VLAN 102 in a batch.
    [S2700] interface gigabitethernet 0/0/1  //Enter the view of the interface connected to an AP.
    [S2700-GigabitEthernet0/0/1] port link-type trunk  //Change the link type of gigabitethernet0/0/1 to trunk.
    [S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100  //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
    [S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102  //Add gigabitethernet0/0/1 to VLAN 100, VLAN 101, and VLAN 102.
    [S2700-GigabitEthernet0/0/1] port-isolate enable  //Enable port isolation so that wireless users connected to different APs cannot communicate with each other at Layer 2 and unwanted broadcast traffic within a VLAN is contained.
    [S2700-GigabitEthernet0/0/1] quit
    [S2700] interface gigabitethernet 0/0/2  //Enter the view of the interface connected to another AP.
    [S2700-GigabitEthernet0/0/2] port link-type trunk
    [S2700-GigabitEthernet0/0/2] port trunk pvid vlan 100
    [S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
    [S2700-GigabitEthernet0/0/2] port-isolate enable
    [S2700-GigabitEthernet0/0/2] quit
    [S2700] interface gigabitethernet 0/0/3  //Enter the view of the interface connected to the aggregation switch S5700.
    [S2700-GigabitEthernet0/0/3] port link-type trunk
    [S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 102
    [S2700-GigabitEthernet0/0/3] quit
    [S2700] quit
    <S2700> save  //Save the configuration.

  2. [Device] Configure the aggregation switch S5700 to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S5700
    [S5700] vlan batch 100 101 102   //Create VLAN 100, VLAN 101, and VLAN 102 in a batch.
    [S5700] interface gigabitethernet 0/0/1  //Enter the view of the interface connected to the access switch S2700.
    [S5700-GigabitEthernet0/0/1] port link-type trunk
    [S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
    [S5700-GigabitEthernet0/0/1] quit
    [S5700] interface gigabitethernet 0/0/2  //Enter the view of the interface connected to the core switch S7700.
    [S5700-GigabitEthernet0/0/2] port link-type trunk
    [S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
    [S5700-GigabitEthernet0/0/2] quit
    [S5700] interface gigabitethernet 0/0/3  //Enter the view of the interface connected to AC1.
    [S5700-GigabitEthernet0/0/3] port link-type trunk
    [S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
    [S5700-GigabitEthernet0/0/3] quit
    [S5700] interface gigabitethernet 0/0/4  //Enter the view of the interface connected to AC2.
    [S5700-GigabitEthernet0/0/4] port link-type trunk
    [S5700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
    [S5700-GigabitEthernet0/0/4] quit
    [S5700] interface gigabitethernet 0/0/5  //Enter the view of the interface connected to AC3.
    [S5700-GigabitEthernet0/0/5] port link-type trunk
    [S5700-GigabitEthernet0/0/5] port trunk allow-pass vlan 100
    [S5700-GigabitEthernet0/0/5] quit
    [S5700] quit
    <S5700> save  //Save the configuration.

  3. [Device] Configure the core switch S7700 to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S7700
    [S7700] dhcp enable   //Enable the DHCP service.
    [S7700] vlan batch 100 to 103   //Create VLAN 100, VLAN 101, VLAN 102, and VLAN 103 in a batch.
    [S7700] interface gigabitethernet 1/0/1  //Enter the view of the interface connected to the aggregation switch S5700.
    [S7700-GigabitEthernet1/0/1] port link-type trunk
    [S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 101 102
    [S7700-GigabitEthernet1/0/1] quit
    [S7700] interface vlanif 100
    [S7700-Vlanif100] ip address 172.18.10.4 24
    [S7700-Vlanif100] dhcp select relay  //Enable the DHCP relay agent.
    [S7700-Vlanif100] dhcp relay server-ip 172.22.10.6  //Configure the DHCP server connected to the DHCP relay agent.
    [S7700-Vlanif100] quit
    [S7700] interface vlanif 101
    [S7700-Vlanif101] ip address 172.20.10.1 24
    [S7700-Vlanif101] dhcp select relay
    [S7700-Vlanif101] dhcp relay server-ip 172.22.10.6
    [S7700-Vlanif101] quit
    [S7700] interface vlanif 102
    [S7700-Vlanif102] ip address 172.19.10.1 24
    [S7700-Vlanif102] dhcp select relay
    [S7700-Vlanif102] dhcp relay server-ip 172.22.10.6
    [S7700-Vlanif102] quit
    [S7700] interface gigabitethernet 1/0/2  //Enter the view of the interface connected to the server domain.
    [S7700-GigabitEthernet1/0/2] port link-type trunk
    [S7700-GigabitEthernet1/0/2] port trunk allow-pass vlan 103
    [S7700-GigabitEthernet1/0/2] quit
    [S7700] interface vlanif 103
    [S7700-Vlanif103] ip address 172.22.10.1 24
    [S7700-Vlanif103] quit
    [S7700] quit
    <S7700> save  //Save the configuration.

  4. [Device] Configure the ACs to ensure network connectivity.

    # Configure network connectivity, connect GE0/0/1 on AC1 to the S5700, and add GE0/0/1 to mVLAN 100 and service VLANs 101 and 102.

    <AC6605> system-view
    [AC6605] sysname AC1
    [AC1] vlan batch 100 101 102
    [AC1] interface gigabitethernet 0/0/1  //Enter the view of the interface connected to the aggregation switch S5700.
    [AC1-GigabitEthernet0/0/1] port link-type trunk
    [AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
    [AC1-GigabitEthernet0/0/1] quit
    [AC1] interface vlanif 100
    [AC1-Vlanif100] ip address 172.18.10.1 24  //Configure a source IP address for AC1.
    [AC1-Vlanif100] quit
    [AC1] ip route-static 0.0.0.0 0 172.18.10.4  //Configure a default route between AC1 and the server zone so that packets are forwarded to the core switch by default.

    # Configure network connectivity, connect GE0/0/1 on AC2 to the S5700, and add GE0/0/1 to mVLAN 100 and service VLANs 101 and 102.

    <AC6605> system-view
    [AC6605] sysname AC2
    [AC2] vlan batch 100 101 102
    [AC2] interface gigabitethernet 0/0/1  //Enter the view of the interface connected to the aggregation switch S5700.
    [AC2-GigabitEthernet0/0/1] port link-type trunk
    [AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
    [AC2-GigabitEthernet0/0/1] quit
    [AC2] interface vlanif 100
    [AC2-Vlanif100] ip address 172.18.10.2 24  //Configure a source IP address for AC2.
    [AC2-Vlanif100] quit
    [AC2] ip route-static 0.0.0.0 0 172.18.10.4  //Configure a default route between AC2 and the server zone so that packets are forwarded to the core switch by default.

    # Configure network connectivity, connect GE0/0/1 on AC3 to the S5700, and add GE0/0/1 to mVLAN 100 and service VLANs 101 and 102. Configure AC3 as the standby AC of AC1 and AC2.

    <AC6605> system-view
    [AC6605] sysname AC3
    [AC3] vlan batch 100 101 102
    [AC3] interface gigabitethernet 0/0/1  //Enter the view of the interface connected to the aggregation switch S5700.
    [AC3-GigabitEthernet0/0/1] port link-type trunk
    [AC3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
    [AC3-GigabitEthernet0/0/1] quit
    [AC3] interface vlanif 100
    [AC3-Vlanif100] ip address 172.18.10.3 24  //Configure a source IP address for AC3.
    [AC3-Vlanif100] quit
    [AC3] ip route-static 0.0.0.0 0 172.18.10.4  //Configure a default route between AC3 and the server zone so that packets are forwarded to the core switch by default.

  5. [Device] Configure the AP to go online.

    On AC1, configure the AP to go online.

    # Create an AP group to which APs with the same configuration can be added.

    [AC1] wlan
    [AC1-wlan-view] ap-group name ap_group
    [AC1-wlan-ap-group-ap_group] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC1-wlan-view] regulatory-domain-profile name domain1
    [AC1-wlan-regulatory-domain-prof-domain1] country-code cn
    [AC1-wlan-regulatory-domain-prof-domain1] quit
    [AC1-wlan-view] ap-group name ap_group
    [AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC1-wlan-ap-group-ap_group] quit
    [AC1-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC1] capwap source interface vlanif 100
    

    # Import the AP offline on the AC and add the AP to the AP group. This example assumes that the AP type is AP6010DN-AGN and the MAC address of the AP is 60de-4476-e360.

    [AC1] wlan
    [AC1-wlan-view] ap auth-mode mac-auth
    [AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC1-wlan-ap-0] ap-name ap_0
    [AC1-wlan-ap-0] ap-group ap_group
    Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y 
    [AC1-wlan-ap-0] quit
    [AC1-wlan-view] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.

    [AC1] display ap all
    Total AP information:
    nor  : normal          [1]
    -------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    -------------------------------------------------------------------------------------
    0    60de-4476-e360 ap_0 ap_group  172.18.10.254 AP6010DN-AGN    nor   0   10S
    -------------------------------------------------------------------------------------
    Total: 1

    On AC2, configure the AP to go online.

    NOTE:
    The configuration process on AC2 is the same as that on AC1. The detailed process is as follows:
    1. Create the AP group ap_group on AC2 and add APs managed by AC2 to this AP group.
    2. Create a regulatory domain profile on AC2, configure the AC country code in the profile, and apply the profile to the AP group.
    3. Specify the IP address of VLANIF 100 on AC2 as the source address.
    4. Add an AP with the type AP6010DN-AGN and MAC address 60de-4476-e380 to AC2 offline, and add the AP to ap_group.

    On AC3, configure the AP to go online.

    # Create an AP group to which APs with the same configuration can be added.

    [AC3] wlan
    [AC3-wlan-view] ap-group name ap_group
    [AC3-wlan-ap-group-ap_group] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC3-wlan-view] regulatory-domain-profile name domain1
    [AC3-wlan-regulatory-domain-prof-domain1] country-code cn
    [AC3-wlan-regulatory-domain-prof-domain1] quit
    [AC3-wlan-view] ap-group name ap_group
    [AC3-wlan-ap-group-ap_group] regulatory-domain-profile domain1
    Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y 
    [AC3-wlan-ap-group-ap_group] quit
    [AC3-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC3] capwap source interface vlanif 100
    

    # Import the AP offline on the AC and add the AP to the AP group. This example assumes that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are 60de-4476-e360 and 60de-4476-e380 respectively.

    [AC3] wlan
    [AC3-wlan-view] ap auth-mode mac-auth
    [AC3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC3-wlan-ap-0] ap-name ap_0
    [AC3-wlan-ap-0] ap-group ap_group
    Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y 
    [AC3-wlan-ap-0] quit
    [AC3-wlan-view] ap-id 1 ap-mac 60de-4476-e380
    [AC3-wlan-ap-1] ap-name ap_1
    [AC3-wlan-ap-1] ap-group ap_group
    Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y 
    [AC3-wlan-ap-1] quit
    [AC3-wlan-view] quit

  6. [Device] Configure interconnection parameters for the AC and RADIUS server as well as the AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.

    # On AC1, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.

    [AC1] radius-server template radius_template
    [AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80  //Configure the primary RADIUS authentication server with a higher weight than the secondary one.
    //Set the authentication port to 1812 and the source IP address for RADIUS packets to 172.18.10.1 (VLANIF 100 on AC1), the address under which AC1 is registered on the Agile Controller-Campus.
    [AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40  //Configure the secondary RADIUS authentication server with a lower weight than the primary one.
    //Set the authentication port to 1812 and the source IP address to 172.18.10.1.
    [AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80  //Configure the primary RADIUS accounting server with a higher weight than the secondary one, so that the server receives user login and logout information.
    //Set the accounting port to 1813 and the source IP address to 172.18.10.1.
    [AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40  //Configure the secondary RADIUS accounting server with a lower weight than the primary one.
    //Set the accounting port to 1813 and the source IP address to 172.18.10.1.
    [AC1-radius-radius_template] radius-server shared-key cipher Admin@123  //Configure a shared key for the RADIUS server.
    [AC1-radius-radius_template] radius-server user-name original  //Configure the AC to send the user names entered by users to the RADIUS server.
    [AC1-radius-radius_template] quit
    [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123  //Configure the primary Service Controller as a RADIUS authorization server so that it can deliver authorization rules to the AC.
    //Set the shared key to Admin@123, which must be the same as that of the authentication and accounting servers.
    [AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123  //Configure the secondary Service Controller as a RADIUS authorization server as well, with the same shared key.
    //The AC processes CoA/DM Request packets from the Agile Controller-Campus only after the authorization servers are configured.
    //Authentication servers and authorization servers must map one to one, that is, every authentication server address must also be configured as an authorization server.
    //Otherwise the Agile Controller-Campus fails to force some users offline.
    [AC1] aaa
    [AC1-aaa] authentication-scheme auth_scheme
    [AC1-aaa-authen-auth_scheme] authentication-mode radius  //Set the authentication scheme to RADIUS.
    [AC1-aaa-authen-auth_scheme] quit
    [AC1-aaa] accounting-scheme acco_scheme
    [AC1-aaa-accounting-acco_scheme] accounting-mode radius  //Set the accounting scheme to RADIUS. 
    //The RADIUS accounting scheme must be used so that the RADIUS server can maintain account state information such as login/logout information and force users to go offline.
    [AC1-aaa-accounting-acco_scheme] accounting realtime 15  //Set the real-time accounting interval to 15 minutes.
    [AC1-aaa-accounting-acco_scheme] quit
    [AC1-aaa] quit
    NOTE:

    The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set a real-time accounting interval based on the user quantity.

    Table 1-33  Accounting interval

    User Quantity | Real-Time Accounting Interval
    1 to 99       | 3 minutes
    100 to 499    | 6 minutes
    500 to 999    | 12 minutes
    ≥ 1000        | ≥ 15 minutes

    # Check that the AC can authenticate a user through the RADIUS server template. (User name test and password Admin_123 have been configured on the RADIUS server.)

    [AC1] test-aaa test Admin_123 radius-template radius_template pap
    Info: Account test succeed.
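    The test-aaa check above only succeeds when the AC and the Service Controller hold the same RADIUS shared key. As an added example that is not part of the original guide or of Huawei's code, the following Python script reproduces at the packet level what that check exercises under RFC 2865: the AC obfuscates the PAP User-Password with the shared key and a random Request Authenticator, the server recovers the password with its own copy of the key, and the AC accepts the reply only if the Response Authenticator verifies under the same key. The account test/Admin_123, the key Admin@123 and the source address 172.18.10.1 come from the page; the fixed Request Authenticator and the in-memory user database are constructed for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Values from the page's data plan; USER_DB is constructed for this example.
SHARED_KEY = b"Admin@123"
NAS_IP = "172.18.10.1"                 # VLANIF 100 on AC1, the RADIUS source address
USER_DB = {"test": b"Admin_123"}       # the account used with test-aaa on the page


def pap_encrypt(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 (at least 16), then
    c1 = p1 XOR MD5(S + RA) and c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of pap_encrypt; the chaining value is the previous ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], keystream))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, req_auth=None):
    """What the AC sends for a PAP authentication (test-aaa ... pap)."""
    req_auth = req_auth or os.urandom(16)      # must be unpredictable in real use
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def parse(packet):
    """Split a RADIUS packet into code, identifier, authenticator and a type->value dict."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def server_respond(request, secret, user_db):
    """Server side: recover the password with its own key, then sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, req_auth, attrs = parse(request)
    user = attrs[USER_NAME].decode(errors="replace")
    password = pap_decrypt(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)   # no attributes in this reply
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(response, request, secret):
    """AC side: return the reply code only if its authenticator checks out under the AC's key."""
    code, identifier, resp_auth, _ = parse(response)
    _, req_id, req_auth, _ = parse(request)
    if identifier != req_id:
        return None
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None


if __name__ == "__main__":
    req = build_access_request(1, "test", "Admin_123", SHARED_KEY)
    print("matching key   ->", client_verify(server_respond(req, SHARED_KEY, USER_DB), req, SHARED_KEY))
    print("server key typo ->", client_verify(server_respond(req, b"Admin@124", USER_DB), req, SHARED_KEY))
```

    With a key mismatch the server decrypts garbage, answers Access-Reject, and even that reply fails authenticator verification on the AC, which is why a wrong shared key looks like a silent timeout rather than a clean rejection.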
    # Configure the Portal server.
    1. Configure the URL of the primary Portal authentication page. When a user attempts to access a website before authentication, the AC redirects the request to the primary Portal server.

      You are advised to configure the URL using a domain name to ensure secure and fast page pushing. Before configuring the URL using a domain name, you must first configure the mapping between the domain name and IP address of the Agile Controller-Campus server on the DNS server.

      [AC1] url-template name huawei1
      [AC1-url-template-huawei1] url http://access1.example.com:8080/portal  //access1.example.com is the host name of the primary Portal server.
    2. Configure parameters carried in the URL, which must be the same as those on the authentication server.

      [AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url  //Specify the names of the parameters carried in the URL. The parameter names must be the same as those expected by the authentication server.
      //The first ssid indicates that the URL carries the SSID field; the second ssid is the parameter name used for it.
      //For example, after ssid ssid is configured, the URL that a user associated with SSID guest is redirected to contains ssid=guest, where ssid is the parameter name and guest is the SSID the user associated with.
      //The second ssid is only the transmitted parameter name and cannot be replaced with the actual user SSID.
      //When the AC uses url as the parameter name for the redirect URL, the same name must be entered on the Portal server so that it knows which parameter carries the URL the user originally requested.
      [AC1-url-template-huawei1] quit
    3. Configure the URL of the secondary Portal authentication page. When the primary Portal server is unavailable, the AC redirects the website that a user attempts to access to the secondary Portal server.

      [AC1] url-template name huawei2
      [AC1-url-template-huawei2] url http://access2.example.com:8080/portal  //access2.example.com is the host name of the secondary Portal server.
      [AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
      [AC1-url-template-huawei2] quit
    4. Specify the port number used to process Portal protocol packets. The default port number is 2000. If you change the port number on the AC, set the same port number when you add this AC to the Agile Controller-Campus.

      [AC1] web-auth-server listening-port 2000
    5. Configure a primary Portal server template, including configuring the IP address and port number of the primary Portal server.

      Set the destination port number in the packets sent to the Portal server to 50200. The Portal server accepts packets with destination port 50200, but the AC uses port 50100 to send packets to the Portal server by default. Therefore, you must change the port number to 50200 on the AC so that the AC can communicate with the Portal server.

      [AC1] web-auth-server portal_huawei1
      [AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2  //Configure an IP address for the primary Portal server.
      [AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1  //Configure an IP address for the device to communicate with the Portal server.
      [AC1-web-auth-server-portal_huawei1] port 50200  //Set the destination port number in the packets sent to the Portal server to 50200.
    6. Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server. In addition, enable the AC to transmit encrypted URL parameters to the Portal server.

      [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123  //Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
      [AC1-web-auth-server-portal_huawei1] url-template huawei1  //Bind the URL template to the Portal server profile.
      
    7. Enable the Portal server detection function.

      After the Portal server detection function is enabled in the Portal server template, the device detects all Portal servers configured in the Portal server template. If the number of times that the device fails to detect a Portal server exceeds the upper limit, the status of the Portal server is changed from Up to Down. If the number of Portal servers in Up state is less than or equal to the minimum number (specified by the critical-num parameter), the device performs the corresponding operation to allow the administrator to obtain the real-time Portal server status. The detection interval cannot be shorter than 15s, and the recommended value is 100s. The AC only supports Portal server detection but not Portal escape.

      [AC1-web-auth-server-portal_huawei1] server-detect interval 100 max-times 5 critical-num 0 action log
    8. Configure a secondary Portal server template, including configuring the IP address, port number, and shared key of the secondary Portal server.

      [AC1] web-auth-server portal_huawei2
      [AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3  //Configure an IP address for the secondary Portal server.
      [AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
      [AC1-web-auth-server-portal_huawei2] port 50200
      [AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
      [AC1-web-auth-server-portal_huawei2] url-template huawei2
      [AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5 critical-num 0 action log
      [AC1-web-auth-server-portal_huawei2] quit

    # Enable the Portal authentication quiet period function. With this function enabled, the AC drops authentication packets from a user for the quiet period once the user has failed Portal authentication the specified number of times within 60 seconds. This protects the AC from being overloaded by repeated authentication attempts.

    [AC1] portal quiet-period
    [AC1] portal quiet-times 5  //Set the maximum number of authentication failures in 60 seconds before a Portal authentication is set to quiet state.
    [AC1] portal timer quiet-period 240  //Set the quiet period to 240 seconds.
    

    # Create a Portal access profile, and bind the Portal server template to it.

    [AC1] portal-access-profile name acc_portal  //Create a Portal access profile.
    [AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1 portal_huawei2 direct  //Configure the primary and secondary Portal server templates used by the Portal access profile. If the network between end users and the AC is a Layer 2 network, configure the direct mode; if the network is a Layer 3 network, configure the layer3 mode.
    [AC1-portal-access-profile-acc_portal] quit
    

    # Configure pre-authentication and post-authentication access rules for employees and guests.

    [AC1] free-rule-template name default_free_rule 
    [AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask 255.255.255.255  //Configure a Portal authentication-free rule to allow users to connect to the DNS server before authentication.
    [AC1-free-rule-default_free_rule] free-rule 2 destination ip 172.22.10.6 mask 255.255.255.255  //Configure a Portal authentication-free rule to allow users to connect to the DNS server before authentication.
    [AC1-free-rule-default_free_rule] quit
    
    [AC1] acl 3001  //Configure the post-authentication domain for employees, including the intranet and Internet.
    [AC1-acl-adv-3001]  rule 5 permit ip
    [AC1-acl-adv-3001]  quit
    [AC1] acl 3002  //Configure the post-authentication domain for guests, including the Internet.
    [AC1-acl-adv-3002]  rule 5 deny ip destination 172.22.10.5 0  //172.22.10.5 is the company's server resource and cannot be accessed by guests.
    [AC1-acl-adv-3002]  rule 10 permit ip
    [AC1-acl-adv-3002]  quit
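    The effect of the free-rule template and the two authorization ACLs can be checked with the following added Python example (not Huawei code). It parses the page's own CLI rule lines, evaluates them first-match in ascending rule number, and tests constructed traffic; the role-to-ACL mapping and the deny default for traffic matching no rule are assumptions, and the default never applies here because both ACLs end with a permit-any rule.

```python
"""Pre- and post-authentication access control from default_free_rule and
ACLs 3001/3002. Added example in Python, not Huawei code; rule text is the
page's CLI, the test traffic is constructed."""
import ipaddress

# free-rule-template default_free_rule: reachable before authentication
FREE_RULE_LINES = [
    "free-rule 1 destination ip 172.22.10.4 mask 255.255.255.255",
    "free-rule 2 destination ip 172.22.10.6 mask 255.255.255.255",
]
# Authorization ACLs; the number is what the Agile Controller-Campus returns per role
ACL_LINES = {
    3001: ["rule 5 permit ip"],                           # employees
    3002: ["rule 5 deny ip destination 172.22.10.5 0",    # company server resource
           "rule 10 permit ip"],                          # guests
}
ROLE_ACL = {"employee": 3001, "guest": 3002}   # assumption: role -> ACL number


def wildcard_to_network(ip, wildcard):
    """Huawei 'ip wildcard' -> network. Wildcard 0 bits must match; the CLI accepts
    the shorthand 0 for 0.0.0.0. Only contiguous wildcards are supported here."""
    w = 0 if wildcard == "0" else int(ipaddress.ip_address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - w.bit_length()
    base = int(ipaddress.ip_address(ip)) & ~w & 0xFFFFFFFF
    return ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{prefix}")


def parse_free_rule(line):
    p = line.split()
    ip, mask = p[p.index("ip") + 1], p[p.index("mask") + 1]
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_acl_rule(line):
    """'rule <n> permit|deny ip [destination <ip> <wildcard>]' -> (n, action, network or None)"""
    p = line.split()
    num, action = int(p[1]), p[2]
    dest = None
    if "destination" in p:
        i = p.index("destination")
        dest = wildcard_to_network(p[i + 1], p[i + 2])
    return num, action, dest


FREE_RULES = [parse_free_rule(line) for line in FREE_RULE_LINES]
ACLS = {n: sorted((parse_acl_rule(line) for line in lines), key=lambda r: r[0])
        for n, lines in ACL_LINES.items()}


def acl_decision(rules, dst):
    """First match wins, in ascending rule number. Assumption: traffic matching no
    rule is denied; never reached for the page's ACLs, which end in permit-any."""
    for _num, action, dest in rules:
        if dest is None or dst in dest:
            return action
    return "deny"


def allowed(role, authenticated, dst_ip):
    """Would the AC forward a packet from this user to dst_ip?"""
    dst = ipaddress.ip_address(dst_ip)
    if not authenticated:
        return any(dst in net for net in FREE_RULES)
    return acl_decision(ACLS[ROLE_ACL[role]], dst) == "permit"
```

    The rule order matters: swapping rule 5 and rule 10 in ACL 3002 would let guests reach 172.22.10.5, because the permit-any rule would match first.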
    # Configure an authentication profile.
    [AC1] authentication-profile name auth_portal
    [AC1-authentication-profile-auth_portal] portal-access-profile acc_portal
    [AC1-authentication-profile-auth_portal] authentication-scheme auth_scheme
    [AC1-authentication-profile-auth_portal] accounting-scheme acco_scheme
    [AC1-authentication-profile-auth_portal] radius-server radius_template
    [AC1-authentication-profile-auth_portal] free-rule-template default_free_rule
    [AC1-authentication-profile-auth_portal] quit

    # Enable terminal type awareness to allow the ACs to send the option fields containing the terminal type in DHCP packets to the authentication server. In this way, the authentication server can push the correct Portal authentication pages to users based on their terminal types.

    [AC1] dhcp snooping enable
    [AC1] device-sensor dhcp option 12 55 60

    The configurations of AC2 and AC3 are the same as those of AC1 and are not described here. When configuring the authentication server, specify the IP address of VLANIF 100 on each device as the source address.

  7. [Device] Set WLAN service parameters.

    Set WLAN service parameters on AC1.

    # Create the security profile security_portal and set the security policy in the profile.

    [AC1] wlan
    [AC1-wlan-view] security-profile name security_portal
    [AC1-wlan-sec-prof-security_portal] quit

    # Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to employee and guest respectively.

    [AC1-wlan-view] ssid-profile name wlan-ssid-employee
    [AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC1-wlan-ssid-prof-wlan-ssid-employee] quit
    [AC1-wlan-view] ssid-profile name wlan-ssid-guest
    [AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC1-wlan-ssid-prof-wlan-ssid-guest] quit

    # Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data forwarding mode and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.

    [AC1-wlan-view] vap-profile name wlan-vap-employee
    [AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward  //Configure direct forwarding for employees.
    [AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
    [AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
    [AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
    [AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal  //Bind the authentication profile.
    [AC1-wlan-vap-prof-wlan-vap-employee] quit
    [AC1-wlan-view] vap-profile name wlan-vap-guest
    [AC1-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward  //Configure direct forwarding for guests.
    [AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
    [AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
    [AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
    [AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
    [AC1-wlan-vap-prof-wlan-vap-guest] quit

    # Bind the VAP profiles to the AP group and apply them to radio 0 and radio 1 of the APs.

    [AC1-wlan-view] ap-group name ap_group
    [AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0  //Configure the 2.4 GHz frequency band of the AP to provide services for employees.
    [AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1  //Configure the 5 GHz frequency band of the AP to provide services for employees.
    [AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0  //Configure the 2.4 GHz frequency band of the AP to provide services for guests.
    [AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1  //Configure the 5 GHz frequency band of the AP to provide services for guests.
    [AC1-wlan-ap-group-ap_group] quit
    

    Set WLAN service parameters on AC2, which are the same as those on AC1.

    Set WLAN service parameters on AC3.

    The WLAN service configurations on the standby AC must contain all the configurations on the active ACs. In this example, the active ACs have the same WLAN service configurations, so the configurations on AC3 must be the same as those on AC1 or AC2.

    # Create the security profile security_portal and set the security policy in the profile.

    [AC3] wlan
    [AC3-wlan-view] security-profile name security_portal
    [AC3-wlan-sec-prof-security_portal] quit

    # Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to employee and guest respectively.

    [AC3-wlan-view] ssid-profile name wlan-ssid-employee
    [AC3-wlan-ssid-prof-wlan-ssid-employee] ssid employee
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC3-wlan-ssid-prof-wlan-ssid-employee] quit
    [AC3-wlan-view] ssid-profile name wlan-ssid-guest
    [AC3-wlan-ssid-prof-wlan-ssid-guest] ssid guest
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC3-wlan-ssid-prof-wlan-ssid-guest] quit

    # Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data forwarding mode and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.

    [AC3-wlan-view] vap-profile name wlan-vap-employee
    [AC3-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward  //Configure direct forwarding for employees.
    [AC3-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
    [AC3-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
    [AC3-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
    [AC3-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal  //Bind the authentication profile.
    [AC3-wlan-vap-prof-wlan-vap-employee] quit
    [AC3-wlan-view] vap-profile name wlan-vap-guest
    [AC3-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward  //Configure direct forwarding for guests.
    [AC3-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
    [AC3-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
    [AC3-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
    [AC3-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
    [AC3-wlan-vap-prof-wlan-vap-guest] quit

    # Bind the VAP profiles to the AP group and apply them to radio 0 and radio 1 of the APs.

    [AC3-wlan-view] ap-group name ap_group
    [AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0  //Configure the 2.4 GHz frequency band of the AP to provide services for employees.
    [AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1  //Configure the 5 GHz frequency band of the AP to provide services for employees.
    [AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0  //Configure the 2.4 GHz frequency band of the AP to provide services for guests.
    [AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1  //Configure the 5 GHz frequency band of the AP to provide services for guests.
    [AC3-wlan-ap-group-ap_group] quit
    

  8. [Device] Enable N+1 backup on AC1, AC2, and AC3.

    # On AC1, configure the global and individual priorities of the active AC1 and configure an IP address for the standby AC3 so that the ACs work in N+1 backup mode.
    NOTE:
    AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same, the AC that connects to more APs is the active AC. If the ACs can connect to the same number of APs, the AC that connects to more STAs is the active AC. If the ACs can connect to the same number of STAs, the AC with a smaller IP address is the active AC.
    [AC1] wlan
    [AC1-wlan-view] ac protect protect-ac 172.18.10.3  //Configure an IP address for the standby AC.
    Warning: Operation successful. It will take effect after AP reset.
    [AC1-wlan-view] ac protect priority 6  //Configure the global priority of the active AC1.
    Warning: Operation successful. It will take effect after AP reset.
    [AC1-wlan-view] ap-system-profile name ap-system1  //Create an AP system profile and enter this profile view.
    [AC1-wlan-ap-system-prof-ap-system1] priority 3  //Configure the individual priority of the active AC1.
    Warning: This action will take effect after resetting AP. 
    [AC1-wlan-ap-system-prof-ap-system1] quit
    [AC1-wlan-view] ap-group name ap_group
    [AC1-wlan-ap-group-ap_group] ap-system-profile ap-system1  //Bind the AP system profile to the AP group.
    [AC1-wlan-ap-group-ap_group] quit
    
    # On AC2, configure the global and individual priorities of the active AC2 and configure an IP address for the standby AC3 so that the ACs work in N+1 backup mode.
    [AC2] wlan
    [AC2-wlan-view] ac protect protect-ac 172.18.10.3  //Configure an IP address for the standby AC.
    Warning: Operation successful. It will take effect after AP reset.
    [AC2-wlan-view] ac protect priority 6  //Configure the global priority of the active AC2.
    Warning: Operation successful. It will take effect after AP reset.
    [AC2-wlan-view] ap-system-profile name ap-system1  //Create an AP system profile and enter this profile view.
    [AC2-wlan-ap-system-prof-ap-system1] priority 3  //Configure the individual priority of the active AC2.
    Warning: This action will take effect after resetting AP.
    [AC2-wlan-ap-system-prof-ap-system1] quit
    [AC2-wlan-view] ap-group name ap_group
    [AC2-wlan-ap-group-ap_group] ap-system-profile ap-system1  //Bind the AP system profile to the AP group.
    [AC2-wlan-ap-group-ap_group] quit
    
    # On AC3, configure IP addresses for active ACs and configure the global priority of the standby AC3 so that the ACs work in N+1 backup mode.
    [AC3] wlan
    [AC3-wlan-view] ac protect priority 5
    Warning: Operation successful. It will take effect after AP reset.   
    [AC3-wlan-view] ap-system-profile name ap-system1  //Create an AP system profile and enter this profile view.
    [AC3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 172.18.10.1
    Warning: This action will take effect after resetting AP.
    [AC3-wlan-ap-system-prof-ap-system1] quit
    [AC3-wlan-view] ap-system-profile name ap-system2  //Create an AP system profile and enter this profile view.
    [AC3-wlan-ap-system-prof-ap-system2] protect-ac ip-address 172.18.10.2
    Warning: This action will take effect after resetting AP. 
    [AC3-wlan-ap-system-prof-ap-system2] quit
    [AC3-wlan-view] ap-id 0
    [AC3-wlan-ap-0] ap-system-profile ap-system1
    [AC3-wlan-ap-0] quit
    [AC3-wlan-view] ap-id 1
    [AC3-wlan-ap-1] ap-system-profile ap-system2
    [AC3-wlan-ap-1] quit
    
    # On AC1, enable N+1 backup and restart all APs to make the function take effect.
    NOTE:
    By default, N+1 backup is enabled. To restart all APs, run the ap-reset all command on AC1 and AC2. After the APs are restarted, N+1 backup starts to take effect.
    [AC1-wlan-view] undo ac protect enable  //Enable the N+1 backup function.
    [AC1-wlan-view] ap-reset all
    Warning: Reset AP(s), continue?[Y/N]:y
    # On AC2, enable N+1 backup and restart all APs to make the function take effect.
    [AC2-wlan-view] undo ac protect enable
    [AC2-wlan-view] ap-reset all
    Warning: Reset AP(s), continue?[Y/N]:y
    # Enable revertive switchover and N+1 backup on AC3.
    [AC3-wlan-view] undo ac protect restore disable  //Enable the global revertive switching function.
    [AC3-wlan-view] undo ac protect enable
    [AC3-wlan-view] ap-reset all
    Warning: Reset AP(s), continue?[Y/N]:y
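    The election rule stated in the NOTE at the start of this step (priority value first, then AP count, then STA count, then the smaller IP address) is written out below as an added Python example, not Huawei code. The AC records use the addresses from the page, but the AP and STA counts are constructed, each AC is given a single effective priority (how an individual priority combines with the global one is not modelled), and the "after recovery" step assumes that revertive switching simply re-runs the election over all reachable ACs.

```python
"""Active AC election for N+1 backup, as described in the NOTE in step 8.
Added example in Python, not Huawei code; AC records are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AcState:
    name: str
    ip: str
    priority: int    # smaller value = higher priority
    ap_count: int    # APs this AC can connect to
    sta_count: int   # STAs this AC can connect to


def election_key(ac):
    """Sort key implementing the NOTE: priority value ascending, then more APs,
    then more STAs, then the smaller IP address."""
    return (ac.priority, -ac.ap_count, -ac.sta_count, int(ipaddress.ip_address(ac.ip)))


def elect_active(acs):
    """Return the AC that becomes active among the reachable candidates."""
    if not acs:
        raise ValueError("no reachable AC")
    return min(acs, key=election_key)


def failover_sequence(candidates, outage):
    """Simulate N+1 behaviour for one AP: election before the outage, during it
    (ACs named in `outage` are unreachable) and after recovery. Assumption: with
    revertive switching enabled the election is re-run over the full set."""
    before = elect_active(candidates).name
    during = elect_active([ac for ac in candidates if ac.name not in outage]).name
    after = elect_active(candidates).name
    return before, during, after


def page_scenario():
    """AP 0 as configured on the page: AC1 (individual priority 3) is its active AC
    and AC3 (global priority 5) is the standby. AP and STA counts are constructed."""
    ac1 = AcState("AC1", "172.18.10.1", 3, 2, 50)
    ac3 = AcState("AC3", "172.18.10.3", 5, 0, 0)
    return failover_sequence([ac1, ac3], outage={"AC1"})
```

    The standby AC3 must keep the larger priority value (5) so that it is never elected while AC1 or AC2 is reachable; giving all three the same value would hand the active role to whichever AC happens to serve more APs, and the tie-break on IP address would then decide between equally loaded ACs.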

  9. [Agile Controller-Campus] Add AC1 to the Service Manager to enable the Agile Controller-Campus to manage the AC.
    1. Choose Resource > Device > Device Management.
    2. Click Add.
    3. Configure parameters for AC1.

      Parameter | Value | Description
      Name | AC1 | -
      IP address | 172.18.10.1 | The AC1 interface with this IP address must be able to communicate with the Service Controller.
      Standby device IP address | 172.18.10.3 | It is used for AC3 to communicate with the Agile Controller-Campus.
      Authentication/Accounting key | Admin@123 | [AC1-radius-radius_template] radius-server shared-key cipher Admin@123
      Authorization key | Admin@123 | [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123
      Real-time accounting interval (minute) | 15 | [AC1-aaa-accounting-acco_scheme] accounting realtime 15
      Port | 2000 | This is the port that the AC uses to communicate with the Portal server. Retain the default value.
      Portal key | Admin@123 | [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123
      Access terminal IP list | 172.19.10.1/16;172.20.10.1/16 | You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure.
      Enable heartbeat between access device and Portal server | Selected | When a Portal server is unavailable, services can be switched to the standby Portal server. The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device.
      Portal server IP list | 172.22.10.2;172.22.10.3 | -

    4. Click OK.
    5. Click Add again and set parameters of AC2.

  10. [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile Controller-Campus can authorize users through the SSIDs.
    1. Choose Policy > Permission Control > Policy Element > SSID.
    2. Click Add and add SSIDs for employees and guests.

      The SSIDs must be the same as those configured on the AC.

  11. [Agile Controller-Campus] Configure authorization results and rules to grant different access rights to employees and guests after they are successfully authenticated.
    1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and add authorization ACLs for employees and guests.

      The ACL numbers must be the same as those configured on the authentication control device.

    2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and bind the authorization result to specify resources accessible to employees and guests after successful authentication.

    3. Modify the default authorization rule by changing the authorization result to Deny Access.

      Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click on the right of Default Authorization Rule. Change the value of Authorization Result to Deny Access.

Verification

If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration must be completed for the browser. Otherwise, the Portal authentication page cannot be displayed.
  1. Choose Tools > Internet Options.
  2. Select options related to Use TLS on the Advanced tab.
  3. Click OK.

Item

Expected Result

Employee authentication

  • User account tony (employee account) can only access the Agile Controller-Campus server and DNS server before authentication.
  • When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the default authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
  • After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online.
  • On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users.
  • On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony.

Guest authentication

  • User account susan (guest account) can only access the Agile Controller-Campus server and DNS server before authentication.
  • When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
  • User account susan cannot access internal servers of the company.
  • After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online.
  • On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users.
  • On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan.

AC1 and AC2 power-off

Services are automatically switched to AC3, and employees and guests are offline. Employees and guests are re-authenticated and go online, and their access rights are normal.

SC power-off

After the network cable of a Service Controller is disconnected, employees and guests are re-authenticated and go online. Their access rights are normal.

Summary and Suggestions

  • The authentication key, accounting key, and Portal key must be kept consistent on the AC and Agile Controller-Campus. The accounting interval set on the Agile Controller-Campus must also be the same as that on the AC.

  • Authorization rules or Portal page push rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition or Portal push condition of a user matches a rule, the Agile Controller-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and set lower priorities for the rules defining fuzzy conditions.

  • The RADIUS accounting function is configured on the AC to enable the Agile Controller-Campus to obtain online user information by exchanging accounting packets with the AC. The Agile Controller-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.
Updated: 2019-03-30

Document ID: EDOC1000113779