WLAN Product Interoperation Configuration Guide

Example for Configuring Wireless MAC Address Authentication

This section describes how to configure wireless MAC address authentication for dumb terminals such as IP phones, printers, and cameras to access networks in wireless mode.

Involved Products and Versions

Product Type            | Product Name            | Version
Agile Controller-Campus | Agile Controller-Campus | V100R002C10
WLAN AC                 | AC6605                  | V200R006C20
Access switch           | S2750EI                 | V200R008C00
Aggregation switch      | S5720HI                 | V200R008C00

Networking Requirements

As shown in Figure 1-4, dumb terminals such as printers and IP phones in the confidential service office of a company associate with the AP through the mac_access SSID, and connect to the intranet through the access switch S2750EI, aggregation switch S5720HI, and core router. If unauthorized terminals access the intranet, the business system of the company may be attacked or key information may leak. The administrator requests to control network access permission of users on the AC to ensure intranet security. In addition, the AC functions as a DHCP server to assign IP addresses on the 10.10.10.0/24 network segment to APs, and centrally manages all users.

To ensure unified user traffic control on the AC, it is recommended that tunnel forwarding be used to forward packets between the AC and APs.

AnyOffice cannot be installed on dumb terminals such as printers and IP phones in the confidential service office. Therefore, wireless MAC address authentication can be used so that the AC can send MAC addresses of the terminals as user information to the RADIUS server for authentication.

Figure 1-4  Networking of MAC address authentication

Data Plan

Table 1-9  Wireless VLAN plan

VLAN ID | Function
10      | mVLAN for wireless access
100     | Service VLAN for wireless access

Table 1-10  Wireless network data plan

Access switch S2750EI
  • GE0/0/2: VLAN 10
  • GE0/0/3: VLAN 10
  Description: The uplink and downlink interfaces allow packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.

Aggregation switch S5720HI
  • GE0/0/1: VLAN 10
    Description: This downlink interface allows packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.
  • GE0/0/2: VLAN 100
    Description: This uplink interface allows packets only from the service VLAN to pass through.
  • GE0/0/3: VLAN 10 and VLAN 100
    Description: The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.

AC6605
  • GE0/0/1: VLAN 10 and VLAN 100
    Description: The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.
  • VLANIF 10: 10.10.10.254/24
    Description: Gateway for APs.

Core router
  • GE1/0/1: 172.16.21.254/24
    Description: Gateway for dumb terminals

Server
  • DNS server: 192.168.11.1
  • Agile Controller-Campus: 192.168.11.10

Table 1-11  Service data plan for wireless MAC address authentication

RADIUS
  • RADIUS server: Agile Controller-Campus server
  • Authentication key: Admin@123
  • Accounting key: Admin@123
  • Real-time accounting interval: 15 minutes
  • Authentication port: 1812
  • Accounting port: 1813
  Description: The access control device and Agile Controller-Campus function as the RADIUS client and server respectively. The authentication, authorization, and accounting keys and the accounting interval must be the same on the access control device and Agile Controller-Campus. The Agile Controller-Campus functioning as the RADIUS server uses ports 1812 and 1813 for authentication and accounting respectively.

Pre-authentication domain
  • DNS server and Agile Controller-Campus

Post-authentication domain
  • Internet

Configuration Roadmap

  1. Configure VLANs, IP addresses, and routes on the access switch, aggregation switch, and AC to ensure network connectivity.
  2. Set RADIUS interconnection parameters and MAC address authentication parameters on the AC to implement wireless MAC address authentication.
  3. Add the AC on the Agile Controller-Campus, and configure authentication and authorization.

NOTE:

In this example, the gateway for dumb terminals is deployed on the core router. If the gateway for dumb terminals is deployed on the AC, you only need to configure dhcp select interface in the service VLAN on the AC.

This example provides only configurations of the AC, aggregation switch, and access switch.

Procedure

  1. [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
    1. Configure the access switch.

      <HUAWEI> system-view
      [HUAWEI] sysname S2700
      [S2700] vlan 10   
      [S2700-vlan10] quit   
      [S2700] interface gigabitethernet 0/0/3  
      [S2700-GigabitEthernet0/0/3] port link-type trunk
      [S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
      [S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
      [S2700-GigabitEthernet0/0/3] quit
      [S2700] interface gigabitethernet 0/0/2  
      [S2700-GigabitEthernet0/0/2] port link-type trunk
      [S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
      [S2700-GigabitEthernet0/0/2] quit

    2. Configure the aggregation switch.

      <HUAWEI> system-view
      [HUAWEI] sysname S5700
      [S5700] vlan batch 10 100   
      [S5700] interface gigabitethernet 0/0/1  
      [S5700-GigabitEthernet0/0/1] port link-type trunk  
      [S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 
      [S5700-GigabitEthernet0/0/1] quit
      [S5700] interface gigabitethernet 0/0/2  
      [S5700-GigabitEthernet0/0/2] port link-type trunk
      [S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
      [S5700-GigabitEthernet0/0/2] quit
      [S5700] interface gigabitethernet 0/0/3  
      [S5700-GigabitEthernet0/0/3] port link-type trunk
      [S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100  
      [S5700-GigabitEthernet0/0/3] quit

    3. Configure the AC.

      # Configure the AC's interface to allow packets from the service VLAN and mVLAN to pass through.

      <HUAWEI> system-view
      [HUAWEI] sysname AC
      [AC] vlan batch 10 100
      [AC] interface gigabitethernet 0/0/1  
      [AC-GigabitEthernet0/0/1] port link-type trunk
      [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
      [AC-GigabitEthernet0/0/1] quit

      # Configure VLANIF 10 as the gateway for APs to dynamically assign IP addresses to the APs. If the AC is used as the gateway for dumb terminals, configure the gateway IP address and enable DHCP on the AC's interface in the service VLAN.

      [AC] dhcp enable   
      [AC] interface vlanif 10
      [AC-Vlanif10] ip address 10.10.10.254 24
      [AC-Vlanif10] dhcp select interface
      [AC-Vlanif10] quit

      # Configure the default route with the core router as the next hop.

      [AC] ip route-static 0.0.0.0 0 172.16.21.254

  2. [Device] Configure AP online parameters to enable APs to go online automatically after connecting to a network.

    NOTE:

    If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.

    1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
    2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address for the AC.

    # Create an AP group to which APs with the same configuration can be added.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulatory-domain-prof-domain1] country-code cn
    [AC-wlan-regulatory-domain-prof-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 10  //Configure an mVLAN interface.
    

    # Import the AP offline on the AC and add the AP to the AP group ap-group1. This example assumes that the MAC address of the AP is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name area_1
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-0] quit
    [AC-wlan-view] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.

    [AC] display ap all
    Total AP information:
    nor  : normal          [1]
    -------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    -------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.10.10.122 AP6010DN-AGN    nor   0   10S
    -------------------------------------------------------------------------------------
    Total: 1

  3. [Device] Configure MAC address authentication parameters to enable MAC address authentication for dumb terminals.

    The following figure shows the process of configuring wireless MAC address authentication.

    1. Configure a RADIUS server template, an authentication scheme, and an accounting scheme.

      [AC] radius-server template radius_template
      [AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254  
      [AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
      [AC-radius-radius_template] radius-server shared-key cipher Admin@123
      [AC-radius-radius_template] radius-server user-name original  //Configure the AC to send the user names entered by users to the RADIUS server.  
      [AC-radius-radius_template] quit
      [AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123  
      [AC] aaa  
      [AC-aaa] authentication-scheme auth_scheme  //Authentication scheme
      [AC-aaa-authen-auth_scheme] authentication-mode radius  //Set the authentication scheme to RADIUS.
      [AC-aaa-authen-auth_scheme] quit
      [AC-aaa] accounting-scheme acco_scheme  //Accounting scheme
      [AC-aaa-accounting-acco_scheme] accounting-mode radius  //Set the accounting scheme to RADIUS.
      [AC-aaa-accounting-acco_scheme] accounting realtime 15  
      [AC-aaa-accounting-acco_scheme] quit
      [AC-aaa] quit
      
      NOTE:

      The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set a real-time accounting interval based on the user quantity.

      Table 1-12  Accounting interval

      User Quantity | Real-Time Accounting Interval
      1 to 99       | 3 minutes
      100 to 499    | 6 minutes
      500 to 999    | 12 minutes
      ≥ 1000        | ≥ 15 minutes

    2. Configure an access profile.

      NOTE:

      In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for MAC address authentication.

      [AC] mac-access-profile name mac
      [AC-mac-access-profile-mac] quit

    3. Configure an authentication profile.

      Specify the user access mode in the authentication profile through the access profile. Bind the RADIUS authentication scheme, accounting scheme, and server template to the authentication profile so that RADIUS authentication is used.

      [AC] authentication-profile name mac
      [AC-authentication-profile-mac] mac-access-profile mac
      [AC-authentication-profile-mac] authentication-scheme auth_scheme
      [AC-authentication-profile-mac] accounting-scheme acco_scheme
      [AC-authentication-profile-mac] radius-server radius_template
      [AC-authentication-profile-mac] quit

    4. Set wireless MAC authentication parameters.

      # Create the security profile security-mac and set the security policy in the profile.

      [AC] wlan
      [AC-wlan-view] security-profile name security-mac
      [AC-wlan-sec-prof-security-mac] quit

      # Create the SSID profile wlan-ssid and set the SSID name to mac_access.

      [AC-wlan-view] ssid-profile name wlan-ssid
      [AC-wlan-ssid-prof-wlan-ssid] ssid mac_access
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-ssid-prof-wlan-ssid] quit

      # Create the VAP profile wlan-vap, configure the service data forwarding mode and service VLAN, and apply the security, SSID, and authentication profiles to the VAP profile.

      [AC-wlan-view] vap-profile name wlan-vap
      [AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
      [AC-wlan-vap-prof-wlan-vap] security-profile security-mac
      [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
      [AC-wlan-vap-prof-wlan-vap] authentication-profile mac
      [AC-wlan-vap-prof-wlan-vap] quit

      # Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile to radio 0 and radio 1 of the AP.

      [AC-wlan-view] ap-group name ap-group1
      [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
      [AC-wlan-ap-group-ap-group1] quit

  4. [Agile Controller-Campus] Add an access control device and connect it to the Agile Controller-Campus through RADIUS.

    Choose Resource > Device > Device Management, and add the AC.

    Agile Controller-Campus Parameters      | Command
    Authentication/Accounting key           | radius-server shared-key cipher Admin@123
    Authorization key                       | radius-server authorization 192.168.11.10 shared-key cipher Admin@123
    Real-time accounting interval (minute)  | accounting realtime 15

  5. [Agile Controller-Campus] Configure authentication and authorization rules. End users match the rules based on specified conditions.
    1. Add authentication rules.

      # Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule.

      # Click Add.

      # Set the parameters of authentication rules.
      • Service Type: MAC Bypass Authentication Service

      # Click OK.

    2. Add the devices that require MAC authentication.

      # Choose Resource > Terminal > Terminal List.

      # Select the first node in the Device Group list and click Add in the right-side window to create a device group for MAC authentication, such as device group MAC.

      # Select MAC in the Device Group list. On the Device List tab page in the right-side window, click Add and enter the MAC address of the device, such as 00-11-22-33-44-55.

      # Click OK.

      # Repeat the preceding steps to add all devices that require MAC authentication to device group MAC. The Agile Controller-Campus supports batch import of device MAC addresses. For details, see Example in Configuring MAC Address Authentication.

    3. Add authorization rules.

      # Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule.

      # Click Add.

      # Set the parameters of authorization rules.
      • Service Type: MAC Bypass Authentication Service
      • Terminal Group: MAC
      • Authorization Result: Permit Access

      # Click OK.

      # Repeat the preceding operations to create the other authorization rules. A device that has not passed MAC authentication is not allowed to access the network.

Result

  • After the configuration is complete, run the display mac-authen command on the AC to view the MAC address authentication configuration.
  • After a dumb terminal associates with the WLAN with the SSID mac_access, the AC automatically obtains the dumb terminal's MAC address as the user name and password for authentication. After successful authentication, the dumb terminal can access the Internet.
  • After the dumb terminal goes online, run the display access-user access-type mac-authen command on the AC to view information about the online MAC address authentication user.
  • Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view RADIUS logs.
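The RADIUS exchange behind the MAC access profile (MAC without hyphens as user name and password) and the data plan's rule that the shared key must match on both ends, as an added Python example that is not part of the Huawei document: it builds the Access-Request the AC would send to port 1812 and applies the server-side decision that Agile Controller-Campus makes against the terminal group MAC. Packet layout follows RFC 2865; the Calling-Station-Id attribute and the allow-list check are assumptions about what the server verifies, and 00-11-22-33-44-55 is the sample MAC from the procedure.

```python
import hashlib
import os
import re
import struct

SHARED_KEY = b"Admin@123"  # radius-server shared-key value from the data plan
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31  # RFC 2865 attribute types

def mac_to_username(mac: str) -> str:
    """MAC access profile rule: the MAC without hyphens is user name and password."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; a mismatched key yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00")

def build_access_request(mac: str, ident: int, secret: bytes = SHARED_KEY) -> bytes:
    """The Access-Request the AC sends to UDP 1812 for a terminal on mac_access."""
    ra = os.urandom(16)  # Request Authenticator
    name = mac_to_username(mac).encode()
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (USER_NAME, name), (USER_PASSWORD, hide_password(secret, ra, name)),
        (CALLING_STATION_ID, mac.encode())))  # assumed attribute, not from the page
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def decide(packet: bytes, allowed_macs, secret: bytes = SHARED_KEY) -> int:
    """Server side: accept only if the password decrypts to the user name (so both
    ends share the key) and the MAC is in the terminal group (assumed allow-list)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    ra, body, attrs, i = packet[4:20], packet[20:length], {}, 0
    while i + 1 < len(body) and body[i + 1] >= 2:  # TLV walk; stop on bad length
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    name = attrs.get(USER_NAME, b"")
    pwd = reveal_password(secret, ra, attrs.get(USER_PASSWORD, b""))
    ok = code == ACCESS_REQUEST and name == pwd and name in {mac_to_username(m).encode() for m in allowed_macs}
    return ACCESS_ACCEPT if ok else ACCESS_REJECT
```

A key mismatch between the AC and Agile Controller-Campus shows up here as a password that no longer decrypts to the user name, which is why the data plan requires identical keys on both sides.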
Updated: 2019-03-30

Document ID: EDOC1000113779

Views: 50703

Downloads: 1685

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next