WLAN Product Interoperation Configuration Guide

Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS (Dual SSID Scenario)

Before accessing a network in wireless mode using a terminal running the Android, iOS, or Windows OS, you need to associate the terminal with the initialization SSID to download the network configuration tool or configuration file. After the terminal automatically completes network configuration, the user can access the network through 802.1X.

Involved Products and Versions

  Item                           Product                             Version
  AP                             AP6010DN-AGN                        V200R006C20
  AC                             AC6605                              V200R006C20
  Portal server, RADIUS server   Agile Controller-Campus             V100R003C20
  Windows CA server              Windows Server 2008 R2 Enterprise   Windows Server 2008 R2 Enterprise

Networking Requirements

To ensure network access security, an enterprise requires users to pass 802.1X certificate authentication before they access the network. To access the network through 802.1X certificate authentication, users would otherwise need to complete complex configurations on their terminals.

The Boarding deployment scheme simplifies operations and enables user terminals to automatically complete configurations. As shown in Figure 1-5, the Boarding deployment scheme provides two SSIDs. One is used for initializing the network and uses Portal authentication. The other one is used for service access and uses 802.1X authentication.

When accessing a network, a user needs to associate with the initialization SSID first to download the network configuration tool or configuration file. After the configuration is automatically completed on the terminal, the user is automatically associated with the service access SSID to access the network through 802.1X.

Figure 1-5  Networking diagram

Data Planning

Table 1-13  Network data planning

  Item: Data

  AC
    Interface number: GE 0/0/1
      VLAN: 100
      IP address of VLANIF 100: 192.168.3.2/24
    Interface number: GE 0/0/2
      VLANs: 100, 101, and 102
      IP address of VLANIF 101: 10.20.210.254/24
      IP address of VLANIF 102: 10.20.211.254/24

  Router
    IP address of the interface connected to the AC: 192.168.3.254/24

  Agile Controller-Campus (Portal server and RADIUS server)
    192.168.1.210

  Windows CA server
    192.168.1.211

Table 1-14  Service data planning

  Item: Data

  VLAN
    VLAN 100: Management VLAN
    VLAN 101: Portal service VLAN
    VLAN 102: 802.1X service VLAN

  DHCP
    The AC functions as the DHCP server to allocate IP addresses for APs and terminals from the following address pools:
      • IP address pool for APs: 192.168.3.0/24
      • Portal service IP address pool for terminals: 10.20.210.0/24
      • 802.1X service IP address pool for terminals: 10.20.211.0/24

  Pre-authentication domain
    Patch server: 192.168.1.200

  Post-authentication domain
    192.168.2.0/24

  Authentication and accounting key, authorization key, and Portal key
    Admin@123

  Accounting interval (minutes)
    15

Configuration Roadmap

  1. Configure network interworking and enable APs to go online on the AC.
  2. Configure a RADIUS server template and 802.1X authentication on the AC.
  3. Configure Portal authentication on the AC.
  4. Configure post-authentication domain resources on the AC for users to access after passing authentication.
  5. Configure the Boarding on the Agile Controller-Campus.
  6. Configure authentication and authorization on the Agile Controller-Campus.

Procedure

  1. Optional: Deploy the Windows CA server.

    For details, see Deploying a CA Certificate Server.

  2. [Device] Configure network interworking and enable APs to go online.
    1. In this example, tunnel forwarding is used between the AC and APs. Configure the downlink interface on the AC to allow packets from the management VLAN to pass through.

      <AC6605> system-view
      [AC6605] sysname AC
      [AC] vlan batch 100 to 102
      [AC] interface gigabitethernet 0/0/1
      [AC-GigabitEthernet0/0/1] port link-type trunk
      [AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
      [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
      [AC-GigabitEthernet0/0/1] quit

    2. Configure the uplink interface on the AC to allow packets from VLAN 100, VLAN 101, and VLAN 102 to pass through so that the AC can communicate with upper-layer network devices.

      [AC] interface gigabitethernet 0/0/2
      [AC-GigabitEthernet0/0/2] port link-type trunk
      [AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
      [AC-GigabitEthernet0/0/2] quit

    3. Configure IP addresses for VLANIF interfaces, and configure the AC to function as the DHCP server to allocate IP addresses for APs, Portal services, and 802.1X services.

      [AC] dhcp enable
      [AC] interface vlanif 100
      [AC-Vlanif100] ip address 192.168.3.2 255.255.255.0
      [AC-Vlanif100] dhcp select interface
      [AC-Vlanif100] quit
      [AC] interface vlanif 101
      [AC-Vlanif101] ip address 10.20.210.254 255.255.255.0
      [AC-Vlanif101] dhcp select interface
      [AC-Vlanif101] quit
      [AC] interface vlanif 102
      [AC-Vlanif102] ip address 10.20.211.254 255.255.255.0
      [AC-Vlanif102] dhcp select interface
      [AC-Vlanif102] quit

    4. Configure the default route, with the next hop pointing to the IP address of the router interface.

      [AC] ip route-static 0.0.0.0 0.0.0.0 192.168.3.254

    5. Configure the APs to go online.

      NOTE:

      If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.

      1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
      2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address for the AC.

      # Create the AP group to which the APs with the same configuration can be added.

      [AC] wlan
      [AC-wlan-view] ap-group name ap-group1
      [AC-wlan-ap-group-ap-group1] quit

      # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

      [AC-wlan-view] regulatory-domain-profile name domain1
      [AC-wlan-regulatory-domain-prof-domain1] country-code cn
      [AC-wlan-regulatory-domain-prof-domain1] quit
      [AC-wlan-view] ap-group name ap-group1
      [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
      Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
      [AC-wlan-ap-group-ap-group1] quit
      [AC-wlan-view] quit

      # Configure the AC's source interface.

      [AC] capwap source interface vlanif 100

      # Import the APs offline on the AC and add them to AP group ap-group1. Name each AP after its deployment location so that the name itself tells you where the AP is installed. For example, if the AP with MAC address 60de-4474-9640 is deployed in area 1, name the AP area_1.

      NOTE:

      The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

      In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.

      [AC] wlan
      [AC-wlan-view] ap auth-mode mac-auth
      [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
      [AC-wlan-ap-0] ap-name area_1
      [AC-wlan-ap-0] ap-group ap-group1
      Warning: This operation maybe cause AP reset, Whether to continue? [Y/N]y
      [AC-wlan-ap-0] quit

      # After an AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

      [AC-wlan-view] display ap all
      Total AP information:
      nor  : normal          [1]
      ---------------------------------------------------------------------------------------
      ID   MAC            Name   Group     IP            Type            State STA Uptime
      ---------------------------------------------------------------------------------------
      0    60de-4476-e360 area_1 ap-group1 192.168.3.200 AP6010DN-AGN    nor   0   5M:2S
      ---------------------------------------------------------------------------------------
      Total: 1

    6. Define post-authentication resources in an ACL with the same number as that specified in the authorization result on the Agile Controller-Campus.

      [AC] acl 3001
      [AC-acl-adv-3001] rule 1 permit ip destination 192.168.2.0 0.0.0.255   //Post-authentication domain resources
      [AC-acl-adv-3001] rule 2 deny ip
      [AC-acl-adv-3001] quit

  3. [Device] Configure a RADIUS server template and 802.1X authentication.
    1. Configure a RADIUS server template, as well as authentication and accounting schemes.

      [AC] radius-server template radius_huawei   //RADIUS server template
      [AC-radius-radius_huawei] radius-server authentication 192.168.1.210 1812 source ip-address 192.168.3.2
      [AC-radius-radius_huawei] radius-server accounting 192.168.1.210 1813 source ip-address 192.168.3.2
      [AC-radius-radius_huawei] radius-server shared-key cipher Admin@123
      [AC-radius-radius_huawei] quit
      [AC] radius-server authorization 192.168.1.210 shared-key cipher Admin@123
      [AC] aaa
      [AC-aaa] authentication-scheme auth_scheme      //RADIUS authentication scheme
      [AC-aaa-authen-auth_scheme] authentication-mode radius
      [AC-aaa-authen-auth_scheme] quit
      [AC-aaa] accounting-scheme acc_scheme         //RADIUS accounting scheme
      [AC-aaa-accounting-acc_scheme] accounting-mode radius
      [AC-aaa-accounting-acc_scheme] accounting realtime 15
      [AC-aaa-accounting-acc_scheme] quit
      [AC-aaa] quit

    2. Configure the 802.1X access profile dot1x_access.

      NOTE:

      By default, an 802.1X access profile uses the EAP authentication mode. The authentication protocol must be the same as that configured in the authentication rule on the Agile Controller-Campus.

      [AC] dot1x-access-profile name dot1x_access
      [AC-dot1x-access-profile-dot1x_access] quit

    3. Configure the authentication profile dot1x_auth, and import the authentication scheme, accounting scheme, and RADIUS server template.

      [AC] authentication-profile name dot1x_auth
      [AC-authentication-profile-dot1x_auth] dot1x-access-profile dot1x_access
      [AC-authentication-profile-dot1x_auth] authentication-scheme auth_scheme
      [AC-authentication-profile-dot1x_auth] accounting-scheme acc_scheme
      [AC-authentication-profile-dot1x_auth] radius-server radius_huawei
      [AC-authentication-profile-dot1x_auth] quit

    4. Configure WLAN service parameters.

      # Create security profile dot1x-security and set the security policy in the profile. A security policy must be configured for 802.1X authentication. The default open system authentication is not allowed.

      [AC] wlan
      [AC-wlan-view] security-profile name dot1x-security
      [AC-wlan-sec-prof-dot1x-security] security wpa2 dot1x aes
      [AC-wlan-sec-prof-dot1x-security] quit

      # Create the SSID profile dot1x-ssid, and set the SSID name to 802.1X.

      [AC-wlan-view] ssid-profile name dot1x-ssid
      [AC-wlan-ssid-prof-dot1x-ssid] ssid 802.1X
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-ssid-prof-dot1x-ssid] quit

      # Create the VAP profile dot1x-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

      [AC-wlan-view] vap-profile name dot1x-vap
      [AC-wlan-vap-prof-dot1x-vap] forward-mode tunnel
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-vap-prof-dot1x-vap] service-vlan vlan-id 102
      [AC-wlan-vap-prof-dot1x-vap] security-profile dot1x-security
      [AC-wlan-vap-prof-dot1x-vap] ssid-profile dot1x-ssid
      [AC-wlan-vap-prof-dot1x-vap] authentication-profile dot1x_auth
      [AC-wlan-vap-prof-dot1x-vap] quit

      # Bind the VAP profile dot1x-vap to an AP group and apply the profile to radio 0 and radio 1 of the AP.

      [AC-wlan-view] ap-group name ap-group1
      [AC-wlan-ap-group-ap-group1] vap-profile dot1x-vap wlan 1 radio all
      [AC-wlan-ap-group-ap-group1] quit

  4. [Device] Configure Portal authentication.
    1. Configure a URL template that specifies the URL of the pushed page and the URL parameter carrying the user terminal's MAC address.

      NOTE:

      If terminals running iOS need to be registered or claimed missing, the url-parameter user-mac usermac command must be configured; it is not required in other cases. iOS terminals do not initiate Portal authentication when downloading configuration files: they are redirected to the pushed Portal page but cannot send their MAC addresses in Portal login packets, so the MAC address has to be carried as a URL parameter instead.

      [AC] url-template name url_temp
      [AC-url-template-url_temp] url http://192.168.1.210:8080/portal
      [AC-url-template-url_temp] url-parameter user-mac usermac
      [AC-url-template-url_temp] quit

    2. Configure a Portal server profile and specify information about the Portal server.

      [AC] web-auth-server portal_server
      [AC-web-auth-server-portal_server] server-ip 192.168.1.210
      [AC-web-auth-server-portal_server] source-ip 192.168.3.2
      [AC-web-auth-server-portal_server] port 50200
      [AC-web-auth-server-portal_server] shared-key cipher Admin@123
      [AC-web-auth-server-portal_server] url-template url_temp
      [AC-web-auth-server-portal_server] quit

    3. Configure the Portal access profile portal_access.

      [AC] portal-access-profile name portal_access
      [AC-portal-access-profile-portal_access] web-auth-server portal_server direct
      [AC-portal-access-profile-portal_access] quit

    4. Configure an authentication-free rule profile. Add the resources (patch server) that users can access before authentication to the profile.

      [AC] free-rule-template name default_free_rule
      [AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.1.200 mask 32
      [AC-free-rule-default_free_rule] quit

    5. Configure the authentication profile portal_auth.

      [AC] authentication-profile name portal_auth
      [AC-authentication-profile-portal_auth] portal-access-profile portal_access
      [AC-authentication-profile-portal_auth] free-rule-template default_free_rule
      [AC-authentication-profile-portal_auth] authentication-scheme auth_scheme
      [AC-authentication-profile-portal_auth] accounting-scheme acc_scheme
      [AC-authentication-profile-portal_auth] radius-server radius_huawei
      [AC-authentication-profile-portal_auth] quit

    6. Configure WLAN service parameters.

      # Create security profile portal-security and set the security policy in the profile. By default, the security policy is open system. Use the default security policy for Portal authentication.

      [AC] wlan
      [AC-wlan-view] security-profile name portal-security
      [AC-wlan-sec-prof-portal-security] quit

      # Create the SSID profile portal-ssid, and set the SSID name to Portal.

      [AC-wlan-view] ssid-profile name portal-ssid
      [AC-wlan-ssid-prof-portal-ssid] ssid Portal
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-ssid-prof-portal-ssid] quit

      # Create the VAP profile portal-vap, configure the data forwarding mode and service VLANs, and apply the security profile and SSID profile to the VAP profile.

      [AC-wlan-view] vap-profile name portal-vap
      [AC-wlan-vap-prof-portal-vap] forward-mode tunnel
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-vap-prof-portal-vap] service-vlan vlan-id 101
      [AC-wlan-vap-prof-portal-vap] security-profile portal-security
      [AC-wlan-vap-prof-portal-vap] ssid-profile portal-ssid
      [AC-wlan-vap-prof-portal-vap] authentication-profile portal_auth
      [AC-wlan-vap-prof-portal-vap] quit

      # Bind the VAP profile to an AP group and apply the VAP profile to radio 0 and radio 1 of the AP.

      [AC-wlan-view] ap-group name ap-group1
      [AC-wlan-ap-group-ap-group1] vap-profile portal-vap wlan 2 radio all
      [AC-wlan-ap-group-ap-group1] quit

  5. [Agile Controller-Campus] Configure Boarding so that 802.1X is configured automatically on user terminals.

    Choose Policy > Permission Control > Boarding Management > Quick Start to perform configurations according to the wizard.

    1. Configure the network access policy and specify 802.1X access parameters.

      The 802.1X network access parameters are the same as those on the AC. The commands used to configure key parameters on the AC are as follows:

      • Security mode: security wpa2 dot1x aes
      • Encryption mode: security wpa2 dot1x aes
      • SSID: ssid 802.1X

    2. Upload a CA certificate for verification when a user certificate is used for authentication and when the Agile Controller-Campus applies for a user certificate from the Windows CA server.

    3. Configure the SCEP certificate server to apply for user certificates from the Windows CA server.

    4. Optional: Configure OCSP to check the revocation status of user certificates online. The revoked user certificates cannot be used. You are advised to use OCSP. If OCSP is not configured, you can choose System > External Authentication > Certificate Management to configure CRL synchronization or manually upload a CRL to check the certificate revocation status.

    5. Customize a Portal page.

      The Agile Controller-Campus provides the default Portal page. The administrator can modify the default Portal page or add a Portal page.

      If the version of the network configuration tool needs to be updated, choose Policy > Permission Control > Page Customization > Page Customization Material to upload the latest version.

      • Android: A Portal authentication page needs to be customized, containing the download link of the network configuration tool (in the format of *.apk).
      • iOS: A Portal authentication page needs to be customized so that users can enter the account and password for authentication on the page. An authentication success page needs to be customized to provide the download link of the network configuration file (in the format of *.mobileconfig).
      • Windows: A Portal authentication page needs to be customized, containing the download link of the network configuration tool (in the format of *.exe).

    6. Configure Portal page push policies. Different Portal pages are pushed to terminals running different OSs to provide proper network configuration tools or configuration files.

      Configure Portal page push policies for terminals running the Android OS, iOS, and Windows OS. Set the following parameters and use the default settings for other parameters.

      • Android
        • Name: Android
        • Push different pages based on terminal OS: Android
        • Pushed page: Android_en
      • iOS
        • Name: iOS
        • Push different pages based on terminal OS: iOS
        • Pushed page: iOS_en
        NOTE:

        In the dual SSID scenario, the new iOS Boarding Portal pushed page is not supported for iOS terminals.

      • Windows
        • Name: Windows
        • Push different pages based on terminal OS: Windows PC
        • Pushed page: Windows_en

  6. [Agile Controller-Campus] Add an access control device and connect it to the Agile Controller-Campus through RADIUS.

    Choose Resource > Device > Device Management to add an AC.

    The commands used to configure parameters on the AC are as follows:

    • Authentication/Accounting key: radius-server shared-key cipher Admin@123
    • Authorization key: radius-server authorization 192.168.1.210 shared-key cipher Admin@123
    • Real-time accounting interval: accounting realtime 15
    • Portal key: shared-key cipher Admin@123

  7. [Agile Controller-Campus] Configure authentication and authorization. After completing 802.1X network configurations, users can obtain permission based on the configured authentication and authorization rules.
    1. Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule to configure an authentication rule.

      This example uses the default authentication rule that contains all authentication protocols. Modify the default authentication rule and add the CA root certificate to Data Source.

      If a non-local data source is used for synchronization, such as the AD/LDAP server, modify the default authentication rule or create an authentication rule.

    2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result to configure authorization using an ACL.

      The ACL number 3001 set in the ACL Number/AAA User Group area is the same as that configured on the AC.

    3. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule to configure an authorization rule.

      Set Authorization Result to Post-authentication domain configured in the preceding step. Use the default settings for other parameters.
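An added consistency check for the profile bindings made in steps 3 and 4; this script and its sample transcript are constructed for this page and are not a Huawei tool or part of the original guide. It walks AC session lines, records which security, SSID and authentication profiles each VAP profile binds, and flags an 802.1X VAP that still carries the open-system default security policy, a reference to a profile that was never created, and an authentication profile with no accounting scheme.

```python
import re

# Prompt suffixes the AC prints for the profile views this example tracks.
VIEW_PREFIXES = {
    "wlan-sec-prof-": "security-profile",
    "wlan-ssid-prof-": "ssid-profile",
    "wlan-vap-prof-": "vap-profile",
    "authentication-profile-": "authentication-profile",
}
PROMPT = re.compile(r"^\[([^\]]*)\]\s*(.*)$")

def parse_session(text):
    """Collect the commands typed in each named profile view of a CLI transcript."""
    profiles = {kind: {} for kind in VIEW_PREFIXES.values()}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue                        # warnings, Y/N answers, blank lines
        view = m.group(1).split("-", 1)     # "AC-wlan-vap-prof-x" -> ["AC", rest]
        if len(view) < 2:
            continue                        # system view, e.g. "[AC]"
        for prefix, kind in VIEW_PREFIXES.items():
            if view[1].startswith(prefix):
                cmds = profiles[kind].setdefault(view[1][len(prefix):], [])
                tokens = m.group(2).split()
                if tokens and tokens[0] != "quit":
                    cmds.append(tokens)
                break
    return profiles

def check_vaps(profiles):
    """Return findings for every VAP profile; an empty list means it is consistent."""
    findings = []
    for vap, cmds in profiles["vap-profile"].items():
        refs = {c[0]: c[1] for c in cmds if len(c) >= 2}
        for kind in ("security-profile", "ssid-profile", "authentication-profile"):
            if refs.get(kind) not in profiles[kind]:
                findings.append(f"{vap}: {kind} '{refs.get(kind)}' is missing or undefined")
        auth = profiles["authentication-profile"].get(refs.get("authentication-profile"), [])
        sec = profiles["security-profile"].get(refs.get("security-profile"), [])
        if any(c[0] == "dot1x-access-profile" for c in auth):
            # An 802.1X SSID must not keep the open-system default security policy.
            if not any(c[0] == "security" and "dot1x" in c for c in sec):
                findings.append(f"{vap}: 802.1X VAP bound to an open-system security profile")
            if not any(c[0] == "accounting-scheme" for c in auth):
                findings.append(f"{vap}: authentication profile has no accounting-scheme")
    return findings

# Constructed transcript: the 802.1X profiles from this example as typed on the AC.
SESSION_OK = """\
[AC] authentication-profile name dot1x_auth
[AC-authentication-profile-dot1x_auth] dot1x-access-profile dot1x_access
[AC-authentication-profile-dot1x_auth] authentication-scheme auth_scheme
[AC-authentication-profile-dot1x_auth] accounting-scheme acc_scheme
[AC-authentication-profile-dot1x_auth] quit
[AC-wlan-view] security-profile name dot1x-security
[AC-wlan-sec-prof-dot1x-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-dot1x-security] quit
[AC-wlan-view] ssid-profile name dot1x-ssid
[AC-wlan-ssid-prof-dot1x-ssid] ssid 802.1X
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-dot1x-ssid] quit
[AC-wlan-view] vap-profile name dot1x-vap
[AC-wlan-vap-prof-dot1x-vap] security-profile dot1x-security
[AC-wlan-vap-prof-dot1x-vap] ssid-profile dot1x-ssid
[AC-wlan-vap-prof-dot1x-vap] authentication-profile dot1x_auth
[AC-wlan-vap-prof-dot1x-vap] quit
"""

# Same transcript with three constructed slips: the security profile keeps its open-system
# default, accounting-scheme is typed as a second authentication-scheme, and the VAP
# references the SSID name instead of the SSID profile name.
SESSION_BAD = (SESSION_OK
               .replace("security wpa2 dot1x aes", "")
               .replace("accounting-scheme acc_scheme", "authentication-scheme auth_scheme")
               .replace("ssid-profile dot1x-ssid", "ssid-profile 802.1X"))
```

Run `check_vaps(parse_session(...))` on a saved session or on the output of display current-configuration reshaped into prompt lines; the same reference checks apply to the Portal VAP, where an open-system security profile is expected and is not flagged.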

Verification

  • Terminals running the Android OS
    1. After a terminal associates with the Portal wireless network, the terminal can access the patch server specified in the free-rule command. If the terminal accesses any other website, it is redirected to the Portal authentication page for Android terminals.
    2. Download the network configuration tool (in the format of *.apk) on the Portal authentication page and install the tool.
    3. Enter the account and password on the network configuration tool and click Config. The configuration for 802.1X authentication will be automatically completed. The terminal is automatically connected to the 802.1X wireless network and you can access post-authentication domain resources.
  • Terminals running iOS
    1. Connect the terminal to the Portal wireless network and access a web page. You are redirected to the Portal authentication page configured for terminals running iOS.
    2. Enter the account and password on the Portal authentication page for identity authentication.
    3. After the identity authentication succeeds, the Portal authentication success page is automatically displayed. Download the configuration file in the format of *.mobileconfig.
    4. After the configuration file is installed, the system automatically completes configuration for 802.1X authentication. After manually connecting the terminal to the 802.1X wireless network, you can access post-authentication domain resources.
  • Terminals running the Windows OS
    1. Connect the terminal to the Portal wireless network and access a web page. You are redirected to the Portal authentication page configured for terminals running the Windows OS.
    2. Download the network configuration tool (in the format of *.exe) on the Portal authentication page and install the tool.
    3. Enter the account and password on the network configuration tool and click Config. The configuration for 802.1X authentication will be automatically completed. The terminal is automatically connected to the 802.1X wireless network and you can access post-authentication domain resources.
Updated: 2019-03-30

Document ID: EDOC1000113779
