Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuration Examples for AAA

Example for Configuring RADIUS Authentication and Accounting

Networking Requirements

As shown in Figure 25-62, a Fat AP of an enterprise provides wireless Internet access service and functions as a DHCP server to allocate IP addresses to users.

Remote authentication on the Fat AP is configured as follows:
  • The RADIUS server authenticates access users for the Fat AP. If RADIUS authentication fails, local authentication is used.

  • The RADIUS server at 192.168.10.2/24 functions as the primary authentication and accounting server. The RADIUS server at 192.168.10.3/24 functions as the secondary authentication and accounting server. The default authentication port and accounting port are 1812 and 1813.

Figure 25-62  Networking diagram of RADIUS authentication and accounting

Configuration Roadmap
  1. Configure the Fat AP and upstream device to implement Layer 2 interconnection.
  2. Configure the Fat AP as a DHCP server to assign IP addresses to STAs from an IP address pool of an interface.
  3. Configure RADIUS AAA for 802.1X users.
    1. Configure a RADIUS server template.
    2. Configure an authentication scheme and an accounting scheme.
    3. Configure the 802.1X access profile.
    4. Configure the authentication profile.
  4. Configure WLAN service parameters so that STAs can access the WLAN. This example uses default configuration parameters.
NOTE:

Ensure that the Fat AP and the RADIUS server have reachable routes to each other, and that the RADIUS server IP address, port number, and shared key in the RADIUS server template are configured correctly and match those on the RADIUS server.

Procedure

  1. Configure the Fat AP to communicate with the upstream device.

    NOTE:

    Configure Fat AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with the upstream device.

    # Add Fat AP uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the Fat AP as a DHCP server to allocate IP addresses to STAs.

    # Configure the Fat AP as the DHCP server to allocate an IP address to STAs from the IP address pool on VLANIF 101.

    [AP] dhcp enable
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 192.168.10.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] quit

  3. Configure RADIUS AAA for common 802.1X users.
    1. Configure a RADIUS server template.

      # Configure a RADIUS template shiva.

      [AP] radius-server template shiva

      # Configure the master/backup algorithm for selecting servers in the RADIUS server template.

      [AP-radius-shiva] radius-server algorithm master-backup
      

      # Configure the IP address and port numbers of the primary RADIUS authentication and accounting server.

      [AP-radius-shiva] radius-server authentication 192.168.10.2 1812 weight 80
      [AP-radius-shiva] radius-server accounting 192.168.10.2 1813 weight 80

      # Configure the IP address and port numbers of the secondary RADIUS authentication and accounting server.

      [AP-radius-shiva] radius-server authentication 192.168.10.3 1812 weight 40
      [AP-radius-shiva] radius-server accounting 192.168.10.3 1813 weight 40

      # Set the key and retransmission count for the RADIUS server.

      NOTE:

      Ensure that the shared key in the RADIUS server template is the same as the settings on the RADIUS server.

      [AP-radius-shiva] radius-server shared-key cipher Huawei@2012
      [AP-radius-shiva] radius-server retransmit 2
      [AP-radius-shiva] quit

    2. Configure authentication and accounting schemes.

      # Create an authentication scheme auth. In the authentication scheme, the system performs RADIUS authentication first, and performs local authentication if RADIUS authentication fails.

      [AP] aaa
      [AP-aaa] authentication-scheme auth
      [AP-aaa-authen-auth] authentication-mode radius local
      [AP-aaa-authen-auth] quit

      # Configure the accounting scheme abc, which uses RADIUS accounting and keeps users online when accounting-start fails.

      [AP-aaa] accounting-scheme abc
      [AP-aaa-accounting-abc] accounting-mode radius
      [AP-aaa-accounting-abc] accounting start-fail online
      [AP-aaa-accounting-abc] quit

    3. Configure the 802.1X access profile d1.

      [AP] dot1x-access-profile name d1
      [AP-dot1x-access-profile-d1] quit

    4. Configure the authentication profile p1.

      [AP] authentication-profile name p1
      [AP-authentication-profile-p1] dot1x-access-profile d1
      [AP-authentication-profile-p1] authentication-scheme auth
      [AP-authentication-profile-p1] accounting-scheme abc
      [AP-authentication-profile-p1] radius-server shiva
      [AP-authentication-profile-p1] quit

  4. Configure WLAN service parameters.
    1. Configure Fat AP system parameters.

      # Configure the country code.

      [AP] wlan
      [AP-wlan-view] country-code cn
      

    2. Configure WLAN service parameters.

      # Create security profile wlan-security and set the security policy in the profile.

      [AP-wlan-view] security-profile name wlan-security
      [AP-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
      [AP-wlan-sec-prof-wlan-security] quit
      

      # Create SSID profile wlan-ssid and set the SSID name to test.

      [AP-wlan-view] ssid-profile name wlan-ssid
      [AP-wlan-ssid-prof-wlan-ssid] ssid test
      [AP-wlan-ssid-prof-wlan-ssid] quit
      

      # Create VAP profile wlan-vap, set the service VLAN, and apply the security profile, SSID profile and authentication profile to the VAP profile.

      [AP-wlan-view] vap-profile name wlan-vap
      [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
      [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
      [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
      [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
      [AP-wlan-vap-prof-wlan-vap] quit
      [AP-wlan-view] quit
      

    3. Configure a VAP.

      [AP] interface wlan-radio0/0/0
      [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
      [AP-Wlan-Radio0/0/0] quit
      [AP] quit
      

  5. Configure a VAP and set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
    <AP> system-view
    [AP] interface wlan-radio0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
    [AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
    [AP-Wlan-Radio0/0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-Wlan-Radio0/0/0] eirp 127
    [AP-Wlan-Radio0/0/0] quit
    

  6. Verify the configuration.

    # Run the display radius-server configuration template template-name command on the Fat AP to verify that the RADIUS server template configuration meets the requirements.

    <AP> display radius-server configuration template shiva
      ------------------------------------------------------------------------------
      Server-template-name          :  shiva
      Protocol-version              :  standard
      Traffic-unit                  :  B
      Shared-secret-key             :  %^%#og"b#'|hV,:%0E12K7!2VOGbYd(Ps.(&p.Fx65PM%^%#
      Group-filter                  :  class    
      Timeout-interval(in second)   :  5
      Retransmission                :  2
      EndPacketSendTime             :  0
      Dead time(in minute)          :  5
      Domain-included               :  NO
      NAS-IP-Address                :  0.0.0.0
      Calling-station-id MAC-format :  xxxx-xxxx-xxxx
      Called-station-id MAC-format  :  XX-XX-XX-XX-XX-XX
      Service-type                  :  -  
      Server algorithm              :  master-backup 
      Detect-interval(in second)    :  60
      Authentication Server 1       :  192.168.10.2   Port:1812  Weight:80  [UP]
                                       Vrf:- LoopBack:NULL Vlanif:NULL
                                       Source IP: ::
      Authentication Server 2       :  192.168.10.3   Port:1812  Weight:40  [UP]
                                       Vrf:- LoopBack:NULL Vlanif:NULL
                                       Source IP: ::
      Accounting Server     1       :  192.168.10.2   Port:1813  Weight:80  [UP]
                                       Vrf:- LoopBack:NULL Vlanif:NULL
                                       Source IP: ::
      Accounting Server     2       :  192.168.10.3   Port:1813  Weight:40  [UP]
                                       Vrf:- LoopBack:NULL Vlanif:NULL
                                       Source IP: ::
      ------------------------------------------------------------------------------ 

Configuration Files

AP configuration file

#
 sysname AP
#
 vlan batch 101
#
authentication-profile name p1
 dot1x-access-profile d1
 authentication-scheme auth
 accounting-scheme abc
 radius-server shiva
#
dot1x-access-profile name d1
#
 dhcp enable
#
radius-server template shiva
 radius-server shared-key cipher %^%#og"b#'|hV,:%0E12K7!2VOGbYd(Ps.(&p.Fx65PM%^%#
 radius-server authentication 192.168.10.2 1812 weight 80
 radius-server authentication 192.168.10.3 1812 weight 40
 radius-server accounting 192.168.10.2 1813 weight 80
 radius-server accounting 192.168.10.3 1813 weight 40
 radius-server retransmit 2
#
aaa
 authentication-scheme auth
  authentication-mode radius local
 accounting-scheme abc
  accounting-mode radius
  accounting start-fail online 
#
interface Vlanif101
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid test
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
#
interface Wlan-Radio0/0/0
 vap-profile wlan-vap wlan 2
 channel 20mhz 6
 calibrate auto-channel-select disable
 calibrate auto-txpower-select disable
#
return

Example for Configuring HWTACACS Authentication, Accounting, and Authorization

Networking Requirements

For the network shown in Figure 25-63, the customer requirements are as follows:

  • The HWTACACS server authenticates access users for the AP. If HWTACACS authentication fails, local authentication is used.
  • The HWTACACS server authorizes access users for the AP. If HWTACACS authorization fails, local authorization is used.
  • The AP uses HWTACACS accounting for access users.
  • Real-time accounting is performed every 3 minutes.
  • The IP addresses of primary and secondary HWTACACS servers are 10.7.66.66/24 and 10.7.66.67/24, respectively. The port number for authentication, accounting, and authorization is 49.
Figure 25-63  Networking diagram of HWTACACS authentication, accounting, and authorization

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an HWTACACS server template.
  2. Configure authentication, authorization, and accounting schemes.
  3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and accounting scheme to a domain.
NOTE:
  • Ensure that the devices are routable before the configuration.
  • Ensure that the shared key in the HWTACACS server template is the same as the settings on the HWTACACS server.

  • If the HWTACACS server does not accept the user name containing the domain name, run the undo hwtacacs-server user-name domain-included command in the HWTACACS server template view to configure the device to send packets that do not contain the domain name to the HWTACACS server.

  • After a domain is set as the global default domain, a user whose user name carries that domain name, or carries no domain name at all, uses the AAA configuration of the global default domain.
  • After the undo hwtacacs-server user-name domain-included command is run, the device changes only the user name format in the sent packet, and the domain to which the user belongs is not affected. For example, after this command is run, the user with the user name user@huawei.com still uses AAA configuration information in the domain named huawei.com.

Procedure

  1. Enable HWTACACS.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] hwtacacs enable
    
    NOTE:

    By default, HWTACACS is enabled. If the HWTACACS settings are not modified, you can skip this step.

  2. Configure an HWTACACS server template.

    # Create an HWTACACS server template named ht.

    [AP] hwtacacs-server template ht

    # Set the IP addresses and port numbers for the primary HWTACACS authentication, authorization, and accounting servers.

    [AP-hwtacacs-ht] hwtacacs-server authentication 10.7.66.66 49
    [AP-hwtacacs-ht] hwtacacs-server authorization 10.7.66.66 49
    [AP-hwtacacs-ht] hwtacacs-server accounting 10.7.66.66 49

    # Set the IP addresses and port numbers for the secondary HWTACACS authentication, authorization, and accounting servers.

    [AP-hwtacacs-ht] hwtacacs-server authentication 10.7.66.67 49 secondary
    [AP-hwtacacs-ht] hwtacacs-server authorization 10.7.66.67 49 secondary
    [AP-hwtacacs-ht] hwtacacs-server accounting 10.7.66.67 49 secondary

    # Set the shared key for the HWTACACS server.

    NOTE:

    Ensure that the shared key in the HWTACACS server template is the same as that set on the HWTACACS server.

    [AP-hwtacacs-ht] hwtacacs-server shared-key cipher Huawei@2012
    [AP-hwtacacs-ht] quit

  3. Configure authentication, authorization, and accounting schemes.

    # Create an authentication scheme named l-h. Configure the authentication scheme to use HWTACACS authentication as the active authentication mode and local authentication as the backup.

    [AP] aaa
    [AP-aaa] authentication-scheme l-h
    [AP-aaa-authen-l-h] authentication-mode hwtacacs local
    [AP-aaa-authen-l-h] quit

    # Create an authorization scheme named hwtacacs. Configure the authorization scheme to use HWTACACS authorization as the active authorization mode and local authorization as the backup.

    [AP-aaa] authorization-scheme hwtacacs
    [AP-aaa-author-hwtacacs] authorization-mode hwtacacs local
    [AP-aaa-author-hwtacacs] quit

    # Create an accounting scheme named hwtacacs, and configure the accounting scheme to use the HWTACACS accounting mode. Configure a policy for the device to keep users online upon accounting-start failures.

    [AP-aaa] accounting-scheme hwtacacs
    [AP-aaa-accounting-hwtacacs] accounting-mode hwtacacs
    [AP-aaa-accounting-hwtacacs] accounting start-fail online

    # Set the real-time accounting interval to 3 minutes.

    [AP-aaa-accounting-hwtacacs] accounting realtime 3
    [AP-aaa-accounting-hwtacacs] quit

  4. Create a domain named huawei, and apply the authentication scheme l-h, authorization scheme hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.

    [AP-aaa] domain huawei
    [AP-aaa-domain-huawei] authentication-scheme l-h
    [AP-aaa-domain-huawei] authorization-scheme hwtacacs
    [AP-aaa-domain-huawei] accounting-scheme hwtacacs
    [AP-aaa-domain-huawei] hwtacacs-server ht
    [AP-aaa-domain-huawei] quit
    [AP-aaa] quit
    

  5. Configure local authentication.

    [AP] aaa
    [AP-aaa] local-user user1 password irreversible-cipher Huawei@123
    [AP-aaa] local-user user1 service-type http
    [AP-aaa] local-user user1 privilege level 15
    [AP-aaa] quit
    

  6. Configure the global default domain for administrators.

    [AP] domain huawei admin

  7. Verify the configuration.

    # Run the display hwtacacs-server template command on the AP to verify the HWTACACS server template configuration.

    [AP] display hwtacacs-server template ht
      ---------------------------------------------------------------------------   
      HWTACACS-server template name   : ht                                          
      Primary-authentication-server   : 10.7.66.66:49:-                             
      Primary-authorization-server    : 10.7.66.66:49:-                             
      Primary-accounting-server       : 10.7.66.66:49:-                             
      Secondary-authentication-server : 10.7.66.67:49:-                             
      Secondary-authorization-server  : 10.7.66.67:49:-                             
      Secondary-accounting-server     : 10.7.66.67:49:-                             
      Third-authentication-server     : -:0:-                                       
      Third-authorization-server      : -:0:-                                       
      Third-accounting-server         : -:0:-                                       
      Current-authentication-server   : 10.7.66.66:49:-                             
      Current-authorization-server    : 10.7.66.66:49:-                             
      Current-accounting-server       : 10.7.66.66:49:-                             
      Source-IP-address               : -                                           
      Source-IPv6-address             : ::                                          
      Shared-key                      : ****************                            
      Quiet-interval(min)             : 5                                           
      Response-timeout-Interval(sec)  : 5                                           
      Domain-included                 : Original                                    
      Traffic-unit                    : B                                           
      ---------------------------------------------------------------------------  

    # Run the display domain command on the AP to verify the domain configuration.

    [AP] display domain name huawei  
      Domain-name                     : huawei                                      
      Domain-index                    : 2                                         
      Domain-state                    : Active                                      
      Authentication-scheme-name      : l-h                                         
      Accounting-scheme-name          : hwtacacs                                    
      Authorization-scheme-name       : hwtacacs                                    
      Service-scheme-name             : -                                           
      RADIUS-server-template          : default                                     
      HWTACACS-server-template        : ht                                          
      User-group                      : -                                           
      Push-url-address                : -  

Configuration Files

AP configuration file

#
 sysname AP
#
domain huawei admin
#
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66
 hwtacacs-server authentication 10.7.66.67 secondary
 hwtacacs-server authorization 10.7.66.66
 hwtacacs-server authorization 10.7.66.67 secondary
 hwtacacs-server accounting 10.7.66.66
 hwtacacs-server accounting 10.7.66.67 secondary 
 hwtacacs-server shared-key cipher %^%#0%i9M.C!T$8iTn7Ig-4V8GTgK[gwp3b6;k=caxl-%^%#
#
aaa
 authentication-scheme l-h
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
  accounting start-fail online 
 domain huawei
  authentication-scheme l-h
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server ht
 local-user user1 password irreversible-cipher $1a$+:!j;\;$Z!$&%}p%ctzj"W`GM;APoC=XPLB=L-vJG3-'3Dhyci;$
 local-user user1 privilege level 15                                                       
 local-user user1 service-type http
#
return 
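An added example, not code from the Huawei guide or from the device: a Python audit that parses configuration files in the format shown above (the RADIUS example's file and this HWTACACS one) and flags the gaps both examples take care to avoid: a server template without a shared key, a template with no secondary server, a remote authentication or authorization mode without a local fallback, and a profile or domain that references a template that does not exist. SAMPLE_CONFIG is constructed for the example and deliberately contains those gaps; its key string is a placeholder, not a real cipher text.

```python
"""Audit the AAA section of a Huawei Fat AP configuration file (added example)."""
import re

# Constructed sample in the guide's file format, with deliberate gaps so the audit
# has something to report; the key string is a placeholder, not a real cipher text.
SAMPLE_CONFIG = """\
authentication-profile name p1
 authentication-scheme auth
 radius-server shiva
#
radius-server template shiva
 radius-server shared-key cipher %^%#CONSTRUCTED-PLACEHOLDER%^%#
 radius-server authentication 192.168.10.2 1812 weight 80
 radius-server authentication 192.168.10.3 1812 weight 40
 radius-server accounting 192.168.10.2 1813 weight 80
 radius-server accounting 192.168.10.3 1813 weight 40
#
hwtacacs-server template ht
 hwtacacs-server authentication 10.7.66.66
 hwtacacs-server authorization 10.7.66.66
 hwtacacs-server accounting 10.7.66.66
#
aaa
 authentication-scheme auth
  authentication-mode radius local
 authentication-scheme l-h
  authentication-mode hwtacacs
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 domain huawei
  authentication-scheme l-h
  authorization-scheme hwtacacs
  hwtacacs-server ht
  radius-server rd-absent
#
"""

def parse_blocks(text):
    """Split on '#' separator lines into blocks of (indent, command) pairs."""
    blocks, current = [], []
    for raw in text.splitlines():
        if raw.strip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif raw.strip():
            current.append((len(raw) - len(raw.lstrip(" ")), raw.strip()))
    if current:
        blocks.append(current)
    return blocks

def nested(block, i):
    """Commands indented under block[i], i.e. those entered in that command's view."""
    out = []
    for indent, cmd in block[i + 1:]:
        if indent <= block[i][0]:
            break
        out.append(cmd)
    return out

def audit(text):
    """Return findings about the AAA configuration; an empty list means consistent."""
    templates, schemes, refs = {}, {}, {}
    for block in parse_blocks(text):
        indent, head = block[0]
        m = re.match(r"(radius|hwtacacs)-server template (\S+)", head)
        if m and indent == 0:
            templates[(m.group(1), m.group(2))] = nested(block, 0)
        elif head.startswith("authentication-profile name "):
            refs["profile " + head.split()[-1]] = nested(block, 0)
        elif head == "aaa":
            for i, (ind, cmd) in enumerate(block):
                m = re.match(r"(authentication|authorization)-scheme (\S+)", cmd)
                if ind == 1 and m:
                    schemes[(m.group(1), m.group(2))] = nested(block, i)
                elif ind == 1 and cmd.startswith("domain "):
                    refs["domain " + cmd.split()[1]] = nested(block, i)
    findings = []
    for (proto, name), cmds in templates.items():
        if not any(c.startswith(f"{proto}-server shared-key") for c in cmds):
            findings.append(f"{proto} template {name}: no shared key")
        funcs = ["authentication", "accounting"]
        if proto == "hwtacacs":
            funcs.append("authorization")  # RADIUS has no separate authorization server
        for func in funcs:
            n = sum(c.startswith(f"{proto}-server {func} ") for c in cmds)
            if n < 2:
                findings.append(f"{proto} template {name}: {n} {func} server(s), no secondary")
    for (kind, name), cmds in schemes.items():
        modes = [c.split()[1:] for c in cmds if c.startswith(f"{kind}-mode ")]
        mode = modes[0] if modes else ["local"]  # the device default when no mode is set
        if ("radius" in mode or "hwtacacs" in mode) and "local" not in mode:
            findings.append(f"{kind} scheme {name}: remote mode without local fallback")
    for owner, cmds in refs.items():
        for c in cmds:
            m = re.match(r"(radius|hwtacacs)-server (\S+)$", c)
            if m and (m.group(1), m.group(2)) not in templates:
                findings.append(f"{owner}: missing {m.group(1)} template {m.group(2)}")
    return findings
```

Run `audit(open("ap.cfg").read())` against the output of `display current-configuration` saved to a file; the `shiva` template and the `auth` scheme from the guide produce no findings, the constructed `ht` template and `l-h` scheme do.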

Example for Configuring Default Domain-based User Management

Networking Requirements

As shown in Figure 25-64, a Fat AP of an enterprise provides wireless Internet access service and functions as a DHCP server to allocate IP addresses to users.

The enterprise administrator wants to allow users to log in without entering the domain name. Common 802.1X users can access the network and obtain the corresponding rights after they pass RADIUS authentication, and administrative users can log in and manage users after they pass local authentication on the Fat AP.

Figure 25-64  Networking diagram for configuring default domain-based user management

Configuration Roadmap
  1. Configure the AP and upstream device to implement Layer 2 interconnection.
  2. Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address pool of an interface.
  3. Configure an authentication and accounting scheme and apply it to the default domain default to authenticate common access users. In this example, the common user name does not contain the domain name and the common users use 802.1X or Portal authentication.
  4. Configure an authentication and accounting scheme and apply it to the default domain default_admin to authenticate administrative users. In this example, the administrative user name does not contain the domain name and the administrative users log in through Telnet, SSH, or FTP.
  5. Configure WLAN service parameters so that STAs can access the WLAN.
NOTE:

Ensure that the Fat AP and the RADIUS server have reachable routes to each other, and that the RADIUS server IP address, port number, and shared key in the RADIUS server template are configured correctly and match those on the RADIUS server.

Ensure that you have configured a user on the RADIUS server. In this example, the user name is test1 and the password is 123456.

Procedure

  1. Configure the AP to communicate with the upstream device.

    NOTE:

    Configure AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with the upstream device.

    # Add AP uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the AP as a DHCP server to allocate IP addresses to STAs.

    # Configure the AP as the DHCP server to allocate an IP address to STAs from the IP address pool on VLANIF 101.

    [AP] dhcp enable
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 192.168.10.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] quit

  3. Configure RADIUS AAA for common 802.1X users.

    # Create and configure a RADIUS server template rd1.

    [AP] radius-server template rd1
    [AP-radius-rd1] radius-server authentication 192.168.10.2 1812
    [AP-radius-rd1] radius-server accounting 192.168.10.2 1813
    [AP-radius-rd1] radius-server shared-key cipher hello
    [AP-radius-rd1] radius-server retransmit 2
    [AP-radius-rd1] quit

    # Create an authentication scheme abc and accounting scheme abc, and set the authentication mode and accounting mode to RADIUS.

    [AP] aaa
    [AP-aaa] authentication-scheme abc
    [AP-aaa-authen-abc] authentication-mode radius
    [AP-aaa-authen-abc] quit
    [AP-aaa] accounting-scheme abc
    [AP-aaa-accounting-abc] accounting-mode radius
    [AP-aaa-accounting-abc] quit

    # Test the connection between the Fat AP and the RADIUS server. (A test user account has been configured on the RADIUS server, with the user name test1 and the password 123456.)

    [AP-aaa] test-aaa test1 123456 radius-template rd1
    Info: Account test succeed.

    # Bind the authentication scheme abc, accounting scheme abc, and RADIUS server template rd1 to the default domain default.

    [AP-aaa] domain default
    [AP-aaa-domain-default] authentication-scheme abc
    [AP-aaa-domain-default] accounting-scheme abc
    [AP-aaa-domain-default] radius-server rd1
    [AP-aaa-domain-default] quit
    [AP-aaa] quit

    # Configure the 802.1X access profile d1.

    [AP] dot1x-access-profile name d1
    [AP-dot1x-access-profile-d1] quit

    # Configure the authentication profile p1.

    [AP] authentication-profile name p1
    [AP-authentication-profile-p1] dot1x-access-profile d1
    [AP-authentication-profile-p1] access-domain default
    [AP-authentication-profile-p1] authentication-scheme abc
    [AP-authentication-profile-p1] accounting-scheme abc
    [AP-authentication-profile-p1] radius-server rd1
    [AP-authentication-profile-p1] quit

    # Set the global default domain for common users to default. After common users enter their user names in the format of user@default, the device performs AAA authentication on these users in the default domain. If a user name does not contain a domain name or the domain name does not exist, the device authenticates the common user in the default common domain.

    [AP] domain default

  4. Configure the administrative user test to use local authentication and authorization.

    # Configure Telnet users to use the AAA authentication mode when logging in to the device through the VTY user interface.

    [AP] telnet server enable
    [AP] user-interface vty 0 14
    [AP-ui-vty0-14] authentication-mode aaa
    [AP-ui-vty0-14] quit
    

    # Create a local user test and set the password to admin@12345 and the user level to 3.

    [AP] aaa
    [AP-aaa] local-user test password irreversible-cipher admin@12345 privilege level 3

    # Configure the user test to log in through Telnet.

    [AP-aaa] local-user test service-type telnet

    # Enable locking of local accounts: set the retry interval to 5 minutes, limit the number of authentication failures to 3, and set the account locking interval to 5 minutes.

    [AP-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5

    # Configure the authentication scheme auth and set the authentication mode to local.

    [AP-aaa] authentication-scheme auth
    [AP-aaa-authen-auth] authentication-mode local
    [AP-aaa-authen-auth] quit

    # Configure the authorization scheme autho and set the authorization mode to local.

    [AP-aaa] authorization-scheme autho
    [AP-aaa-author-autho] authorization-mode local
    [AP-aaa-author-autho] quit

    # Configure a domain default_admin and apply the authentication scheme auth and authorization scheme autho to the domain.

    [AP-aaa] domain default_admin
    [AP-aaa-domain-default_admin] authentication-scheme auth
    [AP-aaa-domain-default_admin] authorization-scheme autho
    [AP-aaa-domain-default_admin] quit
    [AP-aaa] quit
    

    # Set the global default domain for administrative users to default_admin. After administrative users enter their user names in the format of user@default_admin, the device performs AAA authentication on these users in the default_admin domain. If a user name does not contain a domain name or the domain name does not exist, the device authenticates the administrative user in the default administrative domain.

    [AP] domain default_admin admin

  5. Configure WLAN service parameters.
    1. Configure AP system parameters.

      # Configure the country code.

      [AP] wlan
      [AP-wlan-view] country-code cn
      

    2. Configure WLAN service parameters.

      # Create security profile wlan-security and set the security policy in the profile.

      [AP-wlan-view] security-profile name wlan-security
      [AP-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
      [AP-wlan-sec-prof-wlan-security] quit
      

      # Create SSID profile wlan-ssid and set the SSID name to test.

      [AP-wlan-view] ssid-profile name wlan-ssid
      [AP-wlan-ssid-prof-wlan-ssid] ssid test
      [AP-wlan-ssid-prof-wlan-ssid] quit
      

      # Create VAP profile wlan-vap, set the service VLAN, and apply the security profile, SSID profile and authentication profile to the VAP profile.

      [AP-wlan-view] vap-profile name wlan-vap
      [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
      [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
      [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
      [AP-wlan-vap-prof-wlan-vap] authentication-profile p1
      [AP-wlan-vap-prof-wlan-vap] quit
      [AP-wlan-view] quit
      

    3. Configure a VAP.

      [AP] interface wlan-radio0/0/0
      [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
      [AP-Wlan-Radio0/0/0] quit
      

  6. Configure a VAP and set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
    [AP] interface wlan-radio0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    [AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
    [AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
    [AP-Wlan-Radio0/0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-Wlan-Radio0/0/0] eirp 127
    [AP-Wlan-Radio0/0/0] quit
    

  7. Verify the configuration.

    • The WLAN with the SSID test is available for STAs after the configuration is complete.
    • The STAs obtain IP addresses when they successfully associate with the WLAN.
    • Use 802.1X authentication on the STA and enter the user name and password. After the STA authentication succeeds, the STA can access the Internet. Configure the STA based on the configured authentication mode PEAP.
      • Configuration on the Windows XP operating system:

        1. On the Association tab page of the Wireless network properties dialog box, add the SSID test, set the authentication mode to WPA2, and the encryption algorithm to AES.
        2. On the Authentication tab page, set EAP type to PEAP and click Properties. In the dialog box that is displayed, deselect Validate server certificate and click Configure.... In the dialog box that is displayed, deselect Automatically use my Windows logon name and password and click OK.
      • Configuration on the Windows 7 operating system:

        1. Access the Manage wireless networks page, click Add and select Manually create a network profile. In the dialog box that is displayed, add the SSID test, set the authentication mode to WPA2-Enterprise, and the encryption algorithm to AES, and click Next.
        2. Scan SSIDs and double-click the SSID test. On the Security tab page, set EAP type to PEAP and click Settings. In the dialog box that is displayed, deselect Validate server certificate and click Configure.... In the dialog box that is displayed, deselect Automatically use my Windows logon name and password and click OK.

    # After STAs go online, run the display access-user domain default command on the AP to view the users in the default domain.

    <AP> display access-user domain default
     ------------------------------------------------------------------------------ 
     UserID Username                IP address       MAC            Status          
     ------------------------------------------------------------------------------ 
     21     test1                   -                00e0-4c97-31f6 Success         
     ------------------------------------------------------------------------------

    # The network administrator can log in to the Fat AP from the NMS through Telnet. After entering the user name test and password admin@12345, the network administrator can run the display access-user domain default_admin command on the Fat AP to view the users in the default_admin domain. Telnet transmits the user name and password in cleartext; in production, use SSH for management access.

    <AP> display access-user domain default_admin
     ------------------------------------------------------------------------------ 
     UserID Username                IP address       MAC            Status          
     ------------------------------------------------------------------------------ 
     4      test                    172.168.254.204  -              Success         
     ------------------------------------------------------------------------------
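
Why a shared-key mismatch between the AP and the RADIUS server shows up as a failed user rather than a network error, as an added example that is not part of this guide: the Python script below implements the RFC 2865 User-Password hiding, the RFC 2869 Message-Authenticator and the Response Authenticator check that the AP applies to every reply, all keyed only by the value set with radius-server shared-key. The keys Huawei@2019 and wrong-key, the user test1, the password Huawei@123 and the NAS address 192.168.10.1 are constructed values. 802.1X actually carries EAP-Message attributes rather than User-Password; User-Password is used here only so the password-hiding step can be shown.

```python
# Added example: RADIUS (RFC 2865/2869) packet handling, showing what the AP's
# 'radius-server shared-key' protects. Not Huawei code; keys, user name and
# password below are constructed values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def attr(code, value):
    """Type-Length-Value; Length includes the two header bytes (RFC 2865 s.5)."""
    return bytes((code, len(value) + 2)) + value


def parse_attrs(body):
    out, i = [], 0
    while i < len(body):
        code, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        out.append((code, body[i + 2:i + length]))
        i += length
    return out


def hide_password(password, secret, authenticator):
    """RFC 2865 s.5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request with a Message-Authenticator (RFC 2869 s.5.14), which an
    802.1X NAS must include; the HMAC-MD5 is taken with the attribute zero-filled."""
    request_auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    placeholder = attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(placeholder))
    mac = hmac.new(secret, header + request_auth + attrs + placeholder, hashlib.md5).digest()
    return header + request_auth + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC-MD5 over the whole packet with the attribute zeroed."""
    i = 20
    while i + 2 <= len(packet):
        code, length = packet[i], packet[i + 1]
        if length < 2:
            return False
        if code == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False  # attribute absent: a server doing EAP must reject the request


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """The AP's check on a reply: the identifier matches the outstanding request and
    the Response Authenticator verifies under the AP's copy of the shared key."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(ap_secret, server_secret):
    """One AP -> server -> AP round trip with the key each side believes is shared.
    Returns (password as the server recovered it, whether the AP accepts the reply)."""
    req = build_access_request(7, ap_secret, b"test1", b"Huawei@123", "192.168.10.1")
    recovered = reveal_password(dict(parse_attrs(req[20:]))[USER_PASSWORD], server_secret, req[4:20])
    # The server answers Access-Accept only if the HMAC checks out and the password matches.
    ok = verify_message_authenticator(req, server_secret) and recovered == b"Huawei@123"
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, req, server_secret)
    return recovered, reply[0] == ACCESS_ACCEPT and verify_response(reply, req, ap_secret)
```

exchange(b"Huawei@2019", b"Huawei@2019") returns the password intact and an accepted reply; exchange(b"Huawei@2019", b"wrong-key") returns a garbled password and False, because the server's Message-Authenticator check fails and the AP cannot verify any reply signed with the other key. The same checks are why the key in the template must match on both the primary and the secondary server.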

Configuration Files

Fat AP configuration file

#
 sysname AP
#
 vlan batch 101
#
authentication-profile name p1
 dot1x-access-profile d1
#
dot1x-access-profile name d1
#
 dhcp enable
#
radius-server template rd1
 radius-server shared-key cipher %^%#A^>]"w02e"1n9r>)W$GVe1V>$.:MyEIny(1)lZi.%^%#
 radius-server authentication 192.168.10.2 1812 weight 80
 radius-server accounting 192.168.10.2 1813 weight 80
 radius-server retransmit 2
#
aaa
 authentication-scheme auth
 authentication-scheme abc
  authentication-mode radius
 authorization-scheme autho
 accounting-scheme abc
  accounting-mode radius
 domain default
  authentication-scheme abc
  accounting-scheme abc
  radius-server rd1
 domain default_admin
  authentication-scheme auth
  authorization-scheme autho
 local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
 local-user test password irreversible-cipher %^%#U(L}F3X.G-Hxc;)^LkV)it)Z1;&k\$3E9OJKKF'.[P`;Xa^*h@\*EoPoGwEH%^%#
 local-user test privilege level 3
 local-user test service-type telnet
#
interface Vlanif101
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
user-interface vty 0 14
 authentication-mode aaa
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid test
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
#
interface Wlan-Radio0/0/0
 vap-profile wlan-vap wlan 2
 channel 20mhz 6
 calibrate auto-channel-select disable
 calibrate auto-txpower-select disable
#
return
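
Added example, not part of this guide: a Python audit of the saved configuration above, checking the AAA settings this example depends on and the points a security reviewer would look for in it. It verifies that the VTY lines authenticate through AAA, that the RADIUS shared key is present and stored as cipher text, that the template lists the secondary authentication and accounting servers called for in Networking Requirements, whether the authentication scheme lists local after radius (how a fallback to local authentication is configured), that the security profile uses 802.1X with AES, that a lockout after repeated wrong passwords is set, and whether Telnet is the management service. SAMPLE_CONFIG is copied from the relevant views of the configuration file above; the finding codes are this script's own.

```python
# Added example: audit the saved Fat AP configuration for the AAA settings this
# example depends on. Not Huawei code; the finding codes are this script's own.

# Relevant views copied from the Fat AP configuration file above.
SAMPLE_CONFIG = r"""#
radius-server template rd1
 radius-server shared-key cipher %^%#A^>]"w02e"1n9r>)W$GVe1V>$.:MyEIny(1)lZi.%^%#
 radius-server authentication 192.168.10.2 1812 weight 80
 radius-server accounting 192.168.10.2 1813 weight 80
 radius-server retransmit 2
#
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 domain default
  authentication-scheme abc
  accounting-scheme abc
  radius-server rd1
 local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
 local-user test password irreversible-cipher %^%#U(L}F3X.G-Hxc;)^LkV)it)Z1;&k\$3E9OJKKF'.[P`;Xa^*h@\*EoPoGwEH%^%#
 local-user test service-type telnet
#
user-interface vty 0 14
 authentication-mode aaa
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
#
return
"""


def parse(text):
    """Return (enclosing views, command) pairs. Huawei files nest views by one
    space of indentation per level and separate top-level views with '#' lines."""
    entries, stack = [], []
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd in ("#", "return"):
            stack = []
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        entries.append((tuple(v for _, v in stack), cmd))
        stack.append((indent, cmd))
    return entries


def under(entries, view_prefix):
    """Commands whose enclosing views include one that starts with view_prefix."""
    return [c for path, c in entries if any(v.startswith(view_prefix) for v in path)]


def audit(text):
    e, findings = parse(text), []
    # Management logins must be authenticated by AAA rather than a line password.
    if "authentication-mode aaa" not in under(e, "user-interface vty"):
        findings.append(("VTY_NO_AAA", "user-interface vty lacks authentication-mode aaa"))
    tpl = under(e, "radius-server template")
    keys = [c for c in tpl if c.startswith("radius-server shared-key")]
    if not keys:
        findings.append(("RADIUS_NO_KEY", "template has no shared key"))
    for k in keys:  # 'simple' would leave the key readable in the saved file
        if " cipher " not in k:
            findings.append(("RADIUS_KEY_CLEARTEXT", k))
    # Networking Requirements call for a primary and a secondary server of each kind.
    for kind, tag in (("authentication", "AUTH"), ("accounting", "ACCT")):
        n = sum(c.startswith(f"radius-server {kind} ") for c in tpl)
        if n < 2:
            findings.append((f"RADIUS_NO_SECONDARY_{tag}", f"{n} {kind} server(s) in template"))
    # Fallback to local authentication is configured as 'authentication-mode radius local'.
    for c in under(e, "authentication-scheme"):
        modes = c.split()[1:] if c.startswith("authentication-mode") else []
        if "radius" in modes and "local" not in modes:
            findings.append(("NO_LOCAL_FALLBACK", c))
    # The VAP must use 802.1X with AES; open, WEP, PSK-only or TKIP would downgrade it.
    for c in under(e, "security-profile"):
        words = c.split()
        if words[0] == "security" and ("dot1x" not in words or "aes" not in words or "tkip" in words):
            findings.append(("WLAN_WEAK_SECURITY", c))
    # Telnet carries the administrator's credentials in cleartext.
    for c in under(e, "aaa"):
        if c.startswith("local-user") and "service-type" in c and "telnet" in c.split():
            findings.append(("MGMT_TELNET", c))
    if not any(c.startswith("local-aaa-user wrong-password") for c in under(e, "aaa")):
        findings.append(("NO_LOCKOUT", "no lockout after repeated wrong passwords"))
    return findings


def codes(text):
    """Sorted, de-duplicated finding codes, for quick comparison between revisions."""
    return sorted({code for code, _ in audit(text)})
```

On the configuration file as saved, codes(SAMPLE_CONFIG) reports MGMT_TELNET, NO_LOCAL_FALLBACK and the two missing secondary servers; adding the 192.168.10.3 entries to the template, listing local after radius in the scheme, and switching the administrator to service-type ssh clears all of them.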
Updated: 2019-01-11

Document ID: EDOC1000176006
