No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuration Examples for NAC

Configuration Examples for NAC

Example for Configuring 802.1X Authentication (AAA in RADIUS Mode)

Networking Requirements

As shown in Figure 25-83, a Fat AP in an enterprise connects to the intranet in wired mode and connects to STAs in wireless mode. The enterprise needs to deploy WLAN services for mobile office so that users can access the enterprise network anywhere and anytime.

Because the WLAN is open to users, there are potential security risks to enterprise information if no access control is configured for the WLAN. To meet the enterprise's high security requirements, configure a WPA security policy, 802.1X authentication, and secure AES encryption mode. The RADIUS server authenticates identities of STAs.

Figure 25-83  Networking diagram for configuring 802.1X authentication
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the AP to communicate with upper-layer and lower-layer devices.
  2. Configure AP system parameters, including the country code.
  3. Configure RADIUS authentication parameters.
  4. Configure an 802.1X access profile to manage 802.1X access control parameters.
  5. Configure an authentication profile to manage NAC configuration.
  6. Configure a VAP so that STAs can access the WLAN.

Procedure

  1. Configure the AP to communicate with upper-layer network devices.

    NOTE:

    Configure AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with upstream network devices.

    # Add the AP's uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the AP as a DHCP server to assign IP addresses to STAs.

    # Configure the DHCP server to assign IP addresses to STAs from the IP address pool on VLANIF 101.

    [AP] dhcp enable
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 10.23.101.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] quit
    

  3. Configure a route from the AP to the RADIUS server (Assume that the IP address of the upper-layer device connected to the AP is 10.23.101.2.).

    [AP] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
    

  4. Configure AP system parameters.

    # Configure the AP's country code.

    [AP] wlan
    [AP-wlan-view] country-code cn
    [AP-wlan-view] quit
    

  5. Configure a RADIUS server template, and a RADIUS authentication scheme.

    NOTE:

    Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

    # Configure a RADIUS server template.

    [AP] radius-server template radius_huawei
    [AP-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
    [AP-radius-radius_huawei] radius-server shared-key cipher Huawei@123
    [AP-radius-radius_huawei] quit

    # Configure a RADIUS authentication scheme.

    [AP] aaa
    [AP-aaa] authentication-scheme radius_huawei
    [AP-aaa-authen-radius_huawei] authentication-mode radius
    [AP-aaa-authen-radius_huawei] quit
    [AP-aaa] quit

  6. Configure the 802.1X access profile d1.

    NOTE:

    By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

    [AP] dot1x-access-profile name d1
    [AP-dot1x-access-profile-d1] quit

  7. Configure the authentication profile p1.

    [AP] authentication-profile name p1
    [AP-authentication-profile-p1] dot1x-access-profile d1
    [AP-authentication-profile-p1] authentication-scheme radius_huawei
    [AP-authentication-profile-p1] radius-server radius_huawei
    [AP-authentication-profile-p1] quit

  8. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile.

    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the service VLAN, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit
    

  9. Configure VAPs.

    [AP] interface wlan-radio 0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] quit
    

  10. Configure a VAP and set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
    [AP-wlan-view] quit
    [AP] interface wlan-radio0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
    [AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
    [AP-Wlan-Radio0/0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-Wlan-Radio0/0/0] eirp 127
    [AP-Wlan-Radio0/0/0] quit
    

  11. Verify the configuration.

    • The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.
    • A user can use the 802.1X authentication client on an STA for authentication. After entering the correct user name and password, the user is successfully authenticated and can access resources on the intranet. You need to configure the 802.1X authentication client based on the configured authentication mode peap.
      • Configuration in the Windows XP operating system:

        1. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net, and set the authentication mode to WPA2 and encryption mode to AES.
        2. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the dialog box that is displayed, deselect Automatically use my Windows logon name and password and click OK.
      • Configuration in the Windows 7 operating system:

        1. Access the Manage wireless networks page, click Add and select Manually create a network profile. In the dialog box that is displayed, add SSID wlan-net, set the authentication mode to WPA2-Enterprise and encryption mode to AES, and click Next.
        2. Scan SSIDs and double-click SSID wlan-net. On the Security tab page, set EAP type to PEAP and click Settings. In the dialog box that is displayed, deselect Validate server certificate and click Configure. In the dialog box that is displayed, deselect Automatically use my Windows logon name and password and click OK.

Configuration Files
  • AP configuration file

    #
     sysname AP
    #
    vlan batch 101
    #
    authentication-profile name p1
     dot1x-access-profile d1
     authentication-scheme radius_huawei
     radius-server radius_huawei
    #
    dot1x-access-profile name d1
    #
    dhcp enable
    #
    radius-server template radius_huawei
     radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
     radius-server authentication 10.23.200.1 1812 weight 80
    #
    aaa
     authentication-scheme radius_huawei
      authentication-mode radius
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
    # 
    wlan
     security-profile name wlan-security
      security wpa2 dot1x aes
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      authentication-profile p1
    #
    interface Wlan-Radio0/0/0
     vap-profile wlan-vap wlan 2
     channel 20mhz 6
     calibrate auto-channel-select disable
     calibrate auto-txpower-select disable
    #
    return

Example for Configuring MAC Address Authentication (AAA in RADIUS Mode)

Networking Requirements

As shown in Figure 25-84, a Fat AP in an enterprise connects to the intranet in wired mode and connects to STAs in wireless mode. The enterprise needs to deploy WLAN services for mobile office so that users can access the enterprise network anywhere and anytime.

Because the WLAN is open to users, there are potential security risks to enterprise information if no access control is configured for the WLAN. To meet the enterprise's security requirements, configure MAC address authentication to authenticate dumb terminals such as wireless network printers and wireless phones that cannot have an authentication client installed. MAC addresses of terminals are used as user information and sent to the RADIUS server for authentication. When users connect to the WLAN, authentication is not required.

Figure 25-84  Networking diagram for configuring MAC address authentication
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the AP to communicate with upper-layer and lower-layer devices.
  2. Configure AP system parameters, including the country code.
  3. Configure RADIUS authentication parameters.
  4. Configure a MAC access profile to manage MAC access control parameters.
  5. Configure an authentication profile to manage NAC configuration.
  6. Configure a VAP so that STAs can access the WLAN.

Procedure

  1. Configure the AP to communicate with upper-layer network devices.

    NOTE:

    Configure AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with upstream network devices.

    # Add the AP's uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the AP as a DHCP server to assign IP addresses to STAs.

    # Configure the DHCP server to assign IP addresses to STAs from the IP address pool on VLANIF 101.

    [AP] dhcp enable
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 10.23.101.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] quit
    

  3. Configure a route from the AP to the RADIUS server (Assume that the IP address of the upper-layer device connected to the AP is 10.23.101.2.).

    [AP] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
    

  4. Configure AP system parameters.

    # Configure the AP's country code.

    [AP] wlan
    [AP-wlan-view] country-code cn
    [AP-wlan-view] quit
    

  5. Configure a RADIUS server template, and a RADIUS authentication scheme.

    NOTE:

    Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

    # Configure a RADIUS server template.

    [AP] radius-server template radius_huawei
    [AP-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
    [AP-radius-radius_huawei] radius-server shared-key cipher Huawei@123
    [AP-radius-radius_huawei] quit

    # Configure a RADIUS authentication scheme.

    [AP] aaa
    [AP-aaa] authentication-scheme radius_huawei
    [AP-aaa-authen-radius_huawei] authentication-mode radius
    [AP-aaa-authen-radius_huawei] quit
    [AP-aaa] quit

  6. Configure the MAC access profile m1.

    NOTE:

    In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for MAC address authentication.

    [AP] mac-access-profile name m1
    [AP-mac-access-profile-m1] quit

  7. Configure the authentication profile p1.

    [AP] authentication-profile name p1
    [AP-authentication-profile-p1] mac-access-profile m1
    [AP-authentication-profile-p1] authentication-scheme radius_huawei
    [AP-authentication-profile-p1] radius-server radius_huawei
    [AP-authentication-profile-p1] quit

  8. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open authentication.

    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the service VLAN, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit
    

  9. Configure VAPs.

    [AP] interface wlan-radio 0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] quit
    

  10. Configure a VAP and set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
    [AP-wlan-view] quit
    [AP] interface wlan-radio0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
    [AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
    [AP-Wlan-Radio0/0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-Wlan-Radio0/0/0] eirp 127
    [AP-Wlan-Radio0/0/0] quit
    

  11. Verify the configuration.

    After dumb terminals associate with the WLAN, authentication is performed automatically. Users can directly access the network after the authentication succeeds.

Configuration Files
  • AP configuration file

    #
     sysname AP
    #
    vlan batch 101
    #
    authentication-profile name p1
     mac-access-profile m1
     authentication-scheme radius_huawei
     radius-server radius_huawei
    #
    mac-access-profile name m1
    #
    dhcp enable
    #
    radius-server template radius_huawei
     radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
     radius-server authentication 10.23.200.1 1812 weight 80
    #
    aaa
     authentication-scheme radius_huawei
      authentication-mode radius
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    ip route-static 10.23.200.0 255.255.255.0 10.23.101.2 
    #  
    wlan
     security-profile name wlan-security
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      authentication-profile p1
    #
    interface Wlan-Radio0/0/0
     vap-profile wlan-vap wlan 2
     channel 20mhz 6
     calibrate auto-channel-select disable
     calibrate auto-txpower-select disable
    #
    return

Example for Configuring MAC Address Authentication (AAA in Local Mode)

Networking Requirements

As shown in Figure 25-85, a Fat AP in an enterprise connects to the intranet in wired mode and connects to STAs in wireless mode. The enterprise needs to deploy WLAN services for mobile office so that its employees can access the enterprise network anywhere and anytime.

Because the WLAN is open to users, there are potential security risks to enterprise information if no access control is configured for the WLAN. To meet the enterprise's security requirements, configure MAC address authentication to authenticate dumb terminals such as wireless network printers and wireless phones that cannot have an authentication client installed, and use the local authentication mode to authenticate identities of STAs.

Figure 25-85  Networking diagram for configuring MAC address authentication
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the AP to communicate with upper-layer and lower-layer devices.
  2. Configure the AP's system parameters, including the country code.
  3. Configure AAA local authentication, including the local user, authentication scheme, and authentication domain.
  4. Configure a MAC access profile to manage MAC access control parameters.
  5. Configure an authentication profile to manage NAC configuration.
  6. Configure a VAP so that STAs can access the WLAN.

Procedure

  1. Configure the AP to communicate with upper-layer network devices.

    NOTE:

    Configure AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with upstream network devices.

    # Add the AP's uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure AP system parameters.

    # Configure the AP's country code.

    [AP] wlan
    [AP-wlan-view] country-code cn
    [AP-wlan-view] quit
    

  3. Configure local authentication.

    # Configure the local authentication scheme a1.

    [AP] aaa
    [AP-aaa] authentication-scheme a1
    [AP-aaa-authen-a1] authentication-mode local
    [AP-aaa-authen-a1] quit

    # Configure the user name, password, and service type of the local user. (When AAA local authentication is used for MAC address authentication users, the service type of the local user is not matched and checked.)

    [AP-aaa] local-user 000b-09d4-8828 password cipher Huawei@123
    [AP-aaa] local-user 000b-09d4-8828 service-type 8021x
    [AP-aaa] quit

  4. Configure the MAC access profile m1.

    NOTE:
    When AAA local authentication and authorization are used, the user name and password for MAC address authentication must be the same as those of the AAA local user. In this example, the user name of the local user is the terminal's MAC address and the password is Huawei@123.
    [AP] mac-access-profile name m1
    [AP-mac-access-profile-m1] mac-authen username macaddress format with-hyphen password cipher Huawei@123
    [AP-mac-access-profile-m1] quit

  5. Configure the authentication profile p1.

    [AP] authentication-profile name p1
    [AP-authentication-profile-p1] mac-access-profile m1
    [AP-authentication-profile-p1] authentication-scheme a1
    [AP-authentication-profile-p1] quit

  6. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open authentication.

    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the service VLAN, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit
    

  7. Configure VAPs.

    [AP] interface wlan-radio 0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] quit
    

  8. Configure a VAP and set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
    [AP-wlan-view] quit
    [AP] interface wlan-radio0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
    [AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
    [AP-Wlan-Radio0/0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-Wlan-Radio0/0/0] eirp 127
    [AP-Wlan-Radio0/0/0] quit
    

  9. Verify the configuration.

    After dumb terminals associate with the WLAN, authentication is performed automatically. Users can directly access the network after the authentication succeeds.

Configuration Files
  • AP configuration file

    #
     sysname AP
    #
    vlan batch 101
    #
    authentication-profile name p1
     mac-access-profile m1
     authentication-scheme a1
    #
    mac-access-profile name m1
     mac-authen username macaddress format with-hyphen password cipher %^%#PW~_5m;sAFFI.cEB"%^@6@4$96ds_5+O'28+d3:A%^%# 
    #
    dhcp enable
    #
    aaa
     authentication-scheme a1
     local-user 000b-09d4-8828 password cipher %^%#UOqb<rt$CW%80lUOh;xKLN;s~^Icp!s7MZ.8(Y|5%^%#
     local-user 000b-09d4-8828 privilege level 0
     local-user 000b-09d4-8828 service-type 8021x
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    wlan
     security-profile name wlan-security
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      authentication-profile p1
    #
    interface Wlan-Radio0/0/0
     vap-profile wlan-vap wlan 2
     channel 20mhz 6
     calibrate auto-channel-select disable
     calibrate auto-txpower-select disable
    #
    return

Example for Configuring External Portal Authentication

Networking Requirements

As shown in Figure 25-86, a Fat AP in an enterprise connects to the intranet in wired mode and connects to STAs in wireless mode. The enterprise needs to deploy WLAN services for mobile office so that users can access the enterprise network anywhere and anytime.

To ensure network security, the enterprise needs to deploy an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network.

Figure 25-86  Networking diagram for configuring External Portal authentication
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the AP to communicate with upper-layer and lower-layer devices.
  2. Configure AP system parameters, including the country code.
  3. Configure RADIUS authentication parameters.
  4. Configure a Portal server profile.
  5. Configure a Portal access profile to manage access control parameters for Portal authentication users.
  6. Configure an authentication-free rule profile so that the AP allows packets to the DNS server to pass through.
  7. Configure an authentication profile to manage NAC configuration.
  8. Configure a VAP so that STAs can access the WLAN.

Procedure

  1. Configure the AP to communicate with upper-layer network devices.

    NOTE:

    Configure AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with upstream network devices.

    # Add the AP's uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the AP as a DHCP server to assign IP addresses to STAs.

    # Configure the DHCP server to assign IP addresses to STAs from the IP address pool on VLANIF 101.

    [AP] dhcp enable
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 10.23.101.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] dhcp server dns-list 10.23.200.2
    [AP-Vlanif101] quit
    

  3. Configure a route from the AP to the RADIUS server (Assume that the IP address of the upper-layer device connected to the AP is 10.23.101.2.).

    [AP] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
    

  4. Configure AP system parameters.

    # Configure the AP's country code.

    [AP] wlan
    [AP-wlan-view] country-code cn
    [AP-wlan-view] quit
    

  5. Configure a RADIUS server template, and a RADIUS authentication scheme.

    NOTE:

    Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

    # Configure a RADIUS server template.

    [AP] radius-server template radius_huawei
    [AP-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
    [AP-radius-radius_huawei] radius-server shared-key cipher Huawei@123
    [AP-radius-radius_huawei] quit

    # Configure a RADIUS authentication scheme.

    [AP] aaa
    [AP-aaa] authentication-scheme radius_huawei
    [AP-aaa-authen-radius_huawei] authentication-mode radius
    [AP-aaa-authen-radius_huawei] quit
    [AP-aaa] quit

  6. Configure a Portal server profile.

    [AP] web-auth-server abc
    [AP-web-auth-server-abc] server-ip 10.23.200.1
    [AP-web-auth-server-abc] shared-key cipher Admin@123
    [AP-web-auth-server-abc] port 50200 
    [AP-web-auth-server-abc] url https://10.23.200.1:8443/webauth
    [AP-web-auth-server-abc] quit

  7. Configure the Portal access profile portal1.

    [AP] portal-access-profile name portal1
    [AP-portal-access-profile-portal1] web-auth-server abc direct
    [AP-portal-access-profile-portal1] quit

  8. Configure an authentication-free rule profile.

    [AP] free-rule-template name default_free_rule
    [AP-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
    [AP-free-rule-default_free_rule] quit
    

  9. Configure the authentication profile p1.

    [AP] authentication-profile name p1
    [AP-authentication-profile-p1] portal-access-profile portal1
    [AP-authentication-profile-p1] free-rule-template default_free_rule
    [AP-authentication-profile-p1] authentication-scheme radius_huawei
    [AP-authentication-profile-p1] radius-server radius_huawei
    [AP-authentication-profile-p1] quit

  10. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open authentication.

    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the service VLAN, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit
    

  11. Configure VAPs.

    [AP] interface wlan-radio 0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] quit
    

  12. Configure a VAP and set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
    [AP-wlan-view] quit
    [AP] interface wlan-radio0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
    [AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
    [AP-Wlan-Radio0/0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-Wlan-Radio0/0/0] eirp 127
    [AP-Wlan-Radio0/0/0] quit
    

  13. Verify the configuration.

    • The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.

    • The STAs obtain IP addresses when they successfully associate with the WLAN.
    • When a user opens the browser and attempts to access the network, the user is automatically redirected to the authentication page provided by the Portal server. After entering the correct user name and password on the page, the user can access the network.

Configuration Files
  • AP configuration file

    #
     sysname AP
    #
    vlan batch 101
    #
    authentication-profile name p1
     portal-access-profile portal1
     free-rule-template default_free_rule
     authentication-scheme radius_huawei
     radius-server radius_huawei
    #
    dhcp enable
    #
    radius-server template radius_huawei                                                                                                
     radius-server shared-key cipher %^%#Ug1l9V#SI(JTFp+*)J7<%CUQB(74-4vSIKO!x:NI%^%#                                                   
     radius-server authentication 10.23.200.1 1812 weight 80                                                                            
    #
    free-rule-template name default_free_rule                                                                                           
     free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0                                                                          
    # 
    web-auth-server abc                                                                                                                 
     server-ip 10.23.200.1                                                                                                              
     port 50200                                                                                                                         
     shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#                                                                 
     url https://10.23.200.1:8443/webauth                                                                                               
    #
    portal-access-profile name portal1                                                                                                  
     web-auth-server abc direct                                                                                                         
    #
    aaa
     authentication-scheme radius_huawei                                                                                                
      authentication-mode radius
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
     dhcp server dns-list 10.23.200.2 
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    ip route-static 10.23.200.0 255.255.255.0 10.23.101.2                                                 
    #  
    wlan
     security-profile name wlan-security
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      authentication-profile p1
    #
    interface Wlan-Radio0/0/0
     vap-profile wlan-vap wlan 2
     channel 20mhz 6
     calibrate auto-channel-select disable
     calibrate auto-txpower-select disable
    #
    return

Example for Configuring Built-in Portal Authentication

Networking Requirements

As shown in Figure 25-87, a Fat AP in an enterprise connects to the intranet in wired mode and connects to STAs in wireless mode. The enterprise needs to deploy WLAN services for mobile office so that its employees can access the enterprise network anywhere and anytime.

Because the WLAN is open to users, there are potential security risks to enterprise information if no access control is configured for the WLAN. To meet the enterprise's security requirements and save costs, configure built-in Portal authentication and use the RADIUS server to authenticate identities of STAs.

Figure 25-87  Networking diagram for configuring built-in Portal authentication
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the AP to communicate with upper-layer and lower-layer devices.
  2. Configure the AP's system parameters, including the country code.
  3. Configure RADIUS authentication parameters.
  4. Configure a Portal access profile for the built-in Portal server to manage Portal access control parameters.
  5. Configure an authentication-free rule profile so that the AP allows packets to the DNS server to pass through.
  6. Configure an authentication profile to manage NAC configuration.
  7. Configure a VAP so that STAs can access the WLAN.

Procedure

  1. Configure the AP to communicate with upper-layer network devices.

    NOTE:

    Configure AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with upstream network devices.

    # Add the AP's uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the AP as a DHCP server to assign IP addresses to STAs.

    # Configure the DHCP server to assign IP addresses to STAs from the IP address pool on VLANIF 101.

    [AP] dhcp enable
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 10.23.101.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] dhcp server dns-list 10.23.200.2
    [AP-Vlanif101] quit
    

  3. Configure a route from the AP to the RADIUS server (Assume that the IP address of the upper-layer device connected to the AP is 10.23.101.2.).

    [AP] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
    

  4. Configure AP system parameters.

    # Configure the AP's country code.

    [AP] wlan
    [AP-wlan-view] country-code cn
    [AP-wlan-view] quit
    

  5. Configure a RADIUS server template, and a RADIUS authentication scheme.

    NOTE:

    Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

    # Configure a RADIUS server template.

    [AP] radius-server template radius_huawei
    [AP-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
    [AP-radius-radius_huawei] radius-server shared-key cipher Huawei@123
    [AP-radius-radius_huawei] quit

    # Configure a RADIUS authentication scheme.

    [AP] aaa
    [AP-aaa] authentication-scheme radius_huawei
    [AP-aaa-authen-radius_huawei] authentication-mode radius
    [AP-aaa-authen-radius_huawei] quit
    [AP-aaa] quit

  6. Configure the Portal access profile portal1.

    # Load certificates and the RSA key pair.

    NOTE:
    The local certificate abc_local.pem, CA certificate abc_ca.pem, and RSA key pair privatekey.pem have been requested, obtained, and uploaded to the storage medium of the device. If multiple CA certificates are requested, perform the same operation to load the certificates to the memory of the device. When privatekey.pem is generated, the key is Huawei@123.
    [AP] pki realm abc
    [AP-pki-realm-abc] quit 
    [AP] pki import-certificate local realm abc pem filename abc_local.pem
    [AP] pki import-certificate ca realm abc pem filename abc_ca.pem
    [AP] pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
    

    # Configure the SSL policy sslserver and load the digital certificate.

    [AP] ssl policy sslserver type server
    [AP-ssl-policy-sslserver] pki-realm abc
    [AP-ssl-policy-sslserver] version tls1.0 tls1.1 tls1.2
    [AP-ssl-policy-sslserver] ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
    [AP-ssl-policy-sslserver] quit
    [AP] http secure-server ssl-policy sslserver
    [AP] http secure-server enable
    

    # Check the configuration of the SSL policy. The status of the CA and local certificates must be loaded.

    [AP] display ssl policy sslserver
    ------------------------------------------------------------------------------
      Policy name                            :   sslserver                             
      Policy ID                              :   2                                
      Policy type                            :   Server                            
      Cipher suite                           :   rsa_aes_128_sha256 rsa_aes_256_sha256 
      PKI realm                              :   abc
      Version                                :   tls1.0 tls1.1 tls1.2  
      Cache number                           :   32                                
      Time out(second)                       :   3600                              
      Server certificate load status         :   loaded                            
      CA certificate chain load status       :   loaded                            
      SSL renegotiation status               :   enable
      Bind number                            :   1                                 
      SSL connection number                  :   0                                 
      ------------------------------------------------------------------------------
    

    # Enable the built-in Portal server function.

    [AP] interface loopback 1
    [AP-LoopBack1] ip address 10.1.1.1 24
    [AP-LoopBack1] quit
    [AP] portal local-server ip 10.1.1.1
    [AP] portal local-server https ssl-policy sslserver port 400

    # Create the Portal access profile portal1 and configure it to use the built-in Portal server.

    [AP] portal-access-profile name portal1
    [AP-portal-access-profile-portal1] portal local-server enable
    [AP-portal-access-profile-portal1] quit

  7. Configure an authentication-free rule profile.

    [AP] free-rule-template name default_free_rule
    [AP-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
    [AP-free-rule-default_free_rule] quit
    

  8. Configure the authentication profile p1.

    [AP] authentication-profile name p1
    [AP-authentication-profile-p1] portal-access-profile portal1
    [AP-authentication-profile-p1] free-rule-template default_free_rule
    [AP-authentication-profile-p1] authentication-scheme radius_huawei
    [AP-authentication-profile-p1] radius-server radius_huawei
    [AP-authentication-profile-p1] quit

  9. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open authentication.

    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the service VLAN, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit
    

  10. Configure VAPs.

    [AP] interface wlan-radio 0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] quit
    

  11. Configure a VAP and set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
    [AP-wlan-view] quit
    [AP] interface wlan-radio0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
    [AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
    [AP-Wlan-Radio0/0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-Wlan-Radio0/0/0] eirp 127
    [AP-Wlan-Radio0/0/0] quit
    

  12. Verify the configuration.

    • The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.

    • The STAs obtain IP addresses when they successfully associate with the WLAN.
    • When a user opens the browser and attempts to access the network, the user is automatically redirected to the authentication page provided by the Portal server. After entering the correct user name and password on the page, the user can access the network.

Configuration Files
  • AP configuration file

    #
     sysname AP
    #                                                                               
     http secure-server ssl-policy sslserver                                        
     http server enable 
    #
    portal local-server ip 10.1.1.1
    portal local-server https ssl-policy sslserver port 400
    #
    vlan batch 101
    #
    authentication-profile name p1
     portal-access-profile portal1
     free-rule-template default_free_rule
     authentication-scheme radius_huawei
     radius-server radius_huawei
    #
    dhcp enable
    #
    radius-server template radius_huawei                                                                                                
     radius-server shared-key cipher %^%#Ug1l9V#SI(JTFp+*)J7<%CUQB(74-4vSIKO!x:NI%^%#                                                   
     radius-server authentication 10.23.200.1 1812 weight 80 
    #                                                                               
    pki realm abc                                                                   
     pki import-certificate local realm abc pem filename abc_local.pem
     pki import-certificate ca realm abc pem filename abc_ca.pem
     pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
    #                                                                               
    ssl policy sslserver type server                                                
     pki-realm abc                                                                  
     version tls1.0 tls1.1 tls1.2                                                   
     ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256  
    #
    free-rule-template name default_free_rule                                                                                           
     free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0                                                                          
    # 
    portal-access-profile name portal1
     portal local-server enable
    #
    aaa
     authentication-scheme radius_huawei                                                                                                
      authentication-mode radius
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
     dhcp server dns-list 10.23.200.2 
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    ip route-static 10.23.200.0 255.255.255.0 10.23.101.2                                                                               
    # 
    wlan
     security-profile name wlan-security
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      authentication-profile p1
    #
    interface Wlan-Radio0/0/0
     vap-profile wlan-vap wlan 2
     channel 20mhz 6
     calibrate auto-channel-select disable
     calibrate auto-txpower-select disable
    #
    return

Example for Configuring WeChat Authentication Using a Built-in Portal Server (Central AP)

Networking Requirements

As shown in Figure 25-88, the central AP of a shop directly connects to an RU. The shop deploys a WLAN wlan-net to provide wireless network access for consumers. The central AP functions as a DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.

To improve its brand popularity and image, the shop allows consumers to connect to the open Wi-Fi network using WeChat. Users can obtain access to the Internet by simply following the WeChat public account of the shop, without the need to enter a user name or password.

Figure 25-88  Networking diagram for configuring WeChat authentication using a built-in Portal server
Configuration Roadmap
  1. Configure basic WLAN services so that the central AP can communicate with upstream and downstream network devices, and the RU can go online.
  2. Set the AAA authentication mode to none.
  3. Configure a Portal access profile for the built-in Portal server to manage Portal access control parameters.
  4. Configure WeChat authentication for WeChat users.
  5. Configure an authentication profile to manage NAC configuration.
  6. Configure WLAN service parameters, and bind a security policy profile and the authentication profile to a VAP profile to control access of STAs.
Data Plan

Item

Data

Portal access profile
  • Name: portal1
  • The built-in Portal server is used.
    • IP address of the built-in portal server: 10.1.1.1/24
    • HTTP port number: 1025
WeChat authentication profile
  • WeChat public account ID: wxappid123
  • WeChat public account key: huawei@123
  • The central AP automatically obtains shop information from the WeChat server. Parameter settings of the WeChat server are:
    • PKI domain: pki-wechat
    • Default domain name: api.weixin.qq.com
    • SSL policy name and type: ssl-wechat and client
    • Default port number: 443
DNS server IP address: 10.23.200.2
Authentication profile
  • Name: p1
  • Bound profile and authentication scheme: Portal access profile portal1 and authentication scheme wechat
DHCP server The central AP functions as a DHCP server to assign IP addresses to the RU and STAs.
IP address pool for the RU: 10.23.100.2 to 10.23.100.254/24
IP address pool for STAs 10.23.101.2 to 10.23.101.254/24
AP group
  • Name: ap-group1
  • Bound profiles: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile
  • Name: domain1
  • Country code: CN
SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net
Security profile
  • Name: wlan-security
  • Security policy: open system authentication
VAP profile
  • Name: wlan-vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Bound profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Procedure

  1. Configure the central AP so that the RU and central AP can transmit CAPWAP packets.

    # Configure the central AP: add interface GE0/0/1 to management VLAN 100.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 100 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the central AP to communicate with the upstream device.

    NOTE:

    Configure central AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with the upstream device.

    # Add central AP uplink interface GE0/0/24 to service VLAN 101.

    [AP] interface gigabitethernet 0/0/24
    [AP-GigabitEthernet0/0/24] port link-type trunk
    [AP-GigabitEthernet0/0/24] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/24] quit
    

  3. Configure the central AP as a DHCP server to assign IP addresses to the RU and STAs.

    # Configure the central AP as a DHCP server to allocate an IP address to the RU from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF 101.

    [AP] dhcp enable
    [AP] interface vlanif 100
    [AP-Vlanif100] ip address 10.23.100.1 24
    [AP-Vlanif100] dhcp select interface
    [AP-Vlanif100] quit
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 10.23.101.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] dhcp server dns-list 10.23.200.2
    [AP-Vlanif101] quit
    

  4. Configure a route from the central AP to the server area (Assume that the IP address of the upper-layer device connected to the central AP is 10.23.101.2).

    [AP] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
    

  5. Configure the RU to go online.

    # Create an AP group and add the RU to the AP group.

    [AP] wlan
    [AP-wlan-view] ap-group name ap-group1
    [AP-wlan-ap-group-ap-group1] quit
    

    # Create a regulatory domain profile, configure the central AP country code in the profile, and apply the profile to the AP group.

    [AP-wlan-view] regulatory-domain-profile name domain1
    [AP-wlan-regulate-domain-domain1] country-code cn
    [AP-wlan-regulate-domain-domain1] quit
    [AP-wlan-view] ap-group name ap-group1
    [AP-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
    e?[Y/N]:y 
    [AP-wlan-ap-group-ap-group1] quit
    [AP-wlan-view] quit
    

    # Configure the management VLAN for RUs connected to the central AP.

    [AP] management-vlan 100
    
    # Import the RU offline on the central AP and add the RU to AP group ap-group1. Assume that the RU's MAC address is 60de-4476-e360. Configure a name for the RU based on the RU's deployment location, so that you can know where the RU is deployed from its name. For example, name the RU area_1 if it is deployed in Area 1.
    NOTE:

    The default RU authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the R240D is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

    [AP] wlan
    [AP-wlan-view] ap auth-mode mac-auth
    [AP-wlan-view] ap-id 1 ap-mac 60de-4476-e360
    [AP-wlan-ap-1] ap-name area_1
    [AP-wlan-ap-1] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
    s of the radio, Whether to continue? [Y/N]:y 
    [AP-wlan-ap-1] quit
    

    # After the RU is powered on, run the display ap all command to check the RU state. If the State field is displayed as nor, the RU goes online normally.

    [AP-wlan-view] display ap all
    Total AP information:
    nor  : normal          [1]
    -------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    -------------------------------------------------------------------------------------
    1    60de-4476-e360 area_1 ap-group1 10.23.100.254 R240D           nor   0   10S
    -------------------------------------------------------------------------------------
    Total: 1

  6. Configure an AAA scheme.

    [AP-wlan-view] quit
    [AP] aaa
    [AP-aaa] authentication-scheme wechat
    [AP-aaa-authen-wechat] authentication-mode none
    Warning: The configured authentication modes include none authentication, and so
     security risks exist. Continue?[Y/N]y
    [AP-aaa-authen-wechat] quit
    [AP-aaa] quit
    

  7. Configure the Portal access profile portal1.

    # Enable the built-in Portal server function.

    [AP] interface loopback 1
    [AP-LoopBack1] ip address 10.1.1.1 24
    [AP-LoopBack1] quit
    [AP] portal local-server ip 10.1.1.1
    [AP] portal local-server http port 1025

    # Create the Portal access profile portal1 and configure it to use the built-in Portal server and WeChat authentication function.

    [AP] portal-access-profile name portal1
    [AP-portal-access-profile-portal1] portal local-server enable
    [AP-portal-access-profile-portal1] portal local-server wechat
    [AP-portal-access-profile-portal1] quit

  8. Configure WeChat authentication.

    # Configure the WeChat account.

    [AP] portal local-server wechat-authen
    [AP-wechat-authen] public-account appid wxappid123 appsecret huawei@123
    [AP-wechat-authen] quit
    

    # Enable dynamic domain name resolution.

    [AP] dns resolve
    [AP] dns server 10.23.200.2
    

    # Disable certificate authentication for the SSL server.

    [AP] pki realm pki-wechat
    [AP-pki-realm-pki-wechat] quit
    [AP] ssl policy ssl-wechat type client
    [AP-ssl-policy-ssl-wechat] pki-realm pki-wechat
    [AP-ssl-policy-ssl-wechat] undo server-verify enable
    [AP-ssl-policy-ssl-wechat] quit
    

    # Configure the central AP to automatically obtain shop information from the WeChat server.

    [AP] portal local-server wechat-authen
    [AP-wechat-authen] wechat-server-ip ssl-policy ssl-wechat
    [AP-wechat-authen] polling-time 4800
    [AP-wechat-authen] quit
    

  9. Configure the authentication profile p1.

    [AP] authentication-profile name p1
    [AP-authentication-profile-p1] portal-access-profile portal1
    [AP-authentication-profile-p1] authentication-scheme wechat
    [AP-authentication-profile-p1] quit

  10. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open system.

    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AP-wlan-vap-prof-wlan-vap] quit
    

    # Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the RU.

    [AP-wlan-view] ap-group name ap-group1
    [AP-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [AP-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [AP-wlan-ap-group-ap-group1] quit
    

  11. Set channels and power for the RU radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the RU radios in this example is for reference only. In actual scenarios, configure channels and power for RU radios based on country codes of RUs and network planning results.

    # Disable automatic channel and power calibration functions of radio 0, and configure the channel and power for radio 0.
    [AP-wlan-view] ap-id 1
    [AP-wlan-ap-1] radio 0
    [AP-wlan-radio-1/0] calibrate auto-channel-select disable
    [AP-wlan-radio-1/0] calibrate auto-txpower-select disable
    [AP-wlan-radio-1/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-wlan-radio-1/0] eirp 127
    [AP-wlan-radio-1/0] quit
    # Disable automatic channel and power calibration functions of radio 1, and configure the channel and power for radio 1.
    [AP-wlan-ap-1] radio 1
    [AP-wlan-radio-1/1] calibrate auto-channel-select disable
    [AP-wlan-radio-1/1] calibrate auto-txpower-select disable
    [AP-wlan-radio-1/1] channel 20mhz 149
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-wlan-radio-1/1] eirp 127
    [AP-wlan-radio-1/1] quit
    [AP-wlan-ap-1] quit

  12. Verify the configuration.

    • After the configuration is complete, STAs can discover the wireless network with the SSID wlan-net.

    • STAs can be assigned IP addresses after they associate with the wireless network.

    • When a user opens WeChat, the Portal authentication page is displayed automatically on the STA. After the user can be authenticated, the user can connect to the Internet.

Configuration Files

Central AP configuration file

#
 sysname AP
#
portal local-server ip 10.1.1.1
portal local-server http port 1025
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 authentication-scheme wechat
#
dns resolve
dns server 10.23.200.2
#   
dhcp enable
#
pki realm pki-wechat
#  
ssl policy ssl-wechat type client
 pki-realm pki-wechat
 undo server-verify enable
#
portal-access-profile name portal1
 portal local-server enable
 portal local-server wechat
#
aaa
 authentication-scheme wechat
  authentication-mode none
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2 
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface LoopBack1
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#  
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 1 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
portal local-server wechat-authen
 public-account appid wxappid123 appsecret %^%#]nHP,($dh,m]H1']Y](2w-"J<b-(,15y0y,HA6^>%^%#
 polling-time 4800
 wechat-server-ip ssl-policy ssl-wechat
#
return

Example for Configuring a User Group for Authorization

Networking Requirements

As shown in Figure 25-89, a Fat AP in an enterprise connects to the intranet in wired mode and connects to STAs in wireless mode. The enterprise needs to deploy WLAN services for mobile office so that its employees can access the enterprise network anywhere and anytime.

Because the WLAN is open to users, there are potential security risks to enterprise information if no access control is configured for the WLAN. To meet the enterprise's high security requirements, configure 802.1X authentication and use the RADIUS server to authenticate identities of employees in the marketing department. In addition, the RADIUS server uses a user group for authorization and grants network access rights to authenticated employees. The employees then can access the issue tracking system to analyze and handle customer service requests.

Figure 25-89  Networking diagram for configuring a User Group for Authorization
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the AP to communicate with upper-layer and lower-layer devices.
  2. Configure the AP's system parameters, including the country code.
  3. Configure RADIUS authentication parameters.
  4. Configure an 802.1X access profile to manage 802.1X access control parameters.
  5. Configure a user group to grant network access rights to employees in the post-authentication domain.
  6. Configure an authentication profile to manage NAC configuration.
  7. Configure a VAP so that STAs can access the WLAN.

Procedure

  1. Configure the AP to communicate with upper-layer network devices.

    NOTE:

    Configure AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with upstream network devices.

    # Add the AP's uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the AP as a DHCP server to assign IP addresses to STAs.

    # Configure the DHCP server to assign IP addresses to STAs from the IP address pool on VLANIF 101.

    [AP] dhcp enable
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 10.23.101.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] quit
    

  3. Configure a route from the AP to the RADIUS server (Assume that the IP address of the upper-layer device connected to the AP is 10.23.101.2.).

    [AP] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
    

  4. Configure AP system parameters.

    # Configure the AP's country code.

    [AP] wlan
    [AP-wlan-view] country-code cn
    [AP-wlan-view] quit
    

  5. Configure a RADIUS server template, and a RADIUS authentication scheme.

    NOTE:

    Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

    # Configure a RADIUS server template.

    [AP] radius-server template radius_huawei
    [AP-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
    [AP-radius-radius_huawei] radius-server shared-key cipher Huawei@123
    [AP-radius-radius_huawei] quit

    # Configure a RADIUS authentication scheme.

    [AP] aaa
    [AP-aaa] authentication-scheme radius_huawei
    [AP-aaa-authen-radius_huawei] authentication-mode radius
    [AP-aaa-authen-radius_huawei] quit
    [AP-aaa] quit

  6. Configure the 802.1X access profile d1.

    NOTE:

    By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

    [AP] dot1x-access-profile name d1
    [AP-dot1x-access-profile-d1] quit

  7. Configure the user group group1 that corresponds to the post-authentication domain.

    NOTE:
    Configure the RADIUS server to authorize the user group group1 to authenticated employees.
    [AP] acl 3001
    [AP-acl-adv-3001] rule 1 permit ip destination 10.23.101.3 0
    [AP-acl-adv-3001] rule 2 deny ip destination any
    [AP-acl-adv-3001] quit
    [AP] user-group group1
    [AP-user-group-group1] acl-id 3001
    [AP-user-group-group1] quit

  8. Configure the authentication profile p1.

    [AP] authentication-profile name p1
    [AP-authentication-profile-p1] dot1x-access-profile d1
    [AP-authentication-profile-p1] authentication-scheme radius_huawei
    [AP-authentication-profile-p1] radius-server radius_huawei
    [AP-authentication-profile-p1] quit

  9. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile.

    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the service VLAN, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit
    

  10. Configure VAPs.

    [AP] interface wlan-radio 0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] quit
    

  11. Configure a VAP and set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
    [AP-wlan-view] quit
    [AP] interface wlan-radio0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
    [AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
    [AP-Wlan-Radio0/0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-Wlan-Radio0/0/0] eirp 127
    [AP-Wlan-Radio0/0/0] quit
    

  12. Verify the configuration.

    • The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.
    • After a user's STA associates with the WLAN, the user can enter the correct user name and password on the 802.1X client page, and access the issue tracking system.

Configuration Files
  • AP configuration file

    #
     sysname AP
    #
    vlan batch 101
    #
    authentication-profile name p1
     dot1x-access-profile d1
     authentication-scheme radius_huawei
     radius-server radius_huawei
    #
    dot1x-access-profile name d1
    #
    dhcp enable
    #
    radius-server template radius_huawei
     radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
     radius-server authentication 10.23.200.1 1812 weight 80
    #
    acl number 3001
     rule 1 permit ip destination 10.23.101.3 0
     rule 2 deny ip
    #
    user-group group1
     acl-id 3001
    #
    aaa
     authentication-scheme radius_huawei
      authentication-mode radius
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
    #  
    wlan
     security-profile name wlan-security
      security wpa2 dot1x aes
     ssid-profile name wlan-ssid
      ssid wlan-net
     vap-profile name wlan-vap
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      authentication-profile p1
    #
    interface Wlan-Radio0/0/0
     vap-profile wlan-vap wlan 2
     channel 20mhz 6
     calibrate auto-channel-select disable
     calibrate auto-txpower-select disable
    #
    return
Translation
Download
Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 118170

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next