Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Example for Configuring a Hotspot2.0 Wireless Network

Networking Requirements

On the basis of existing mobile network services, a network service provider (NSP) deploys WLAN access services to provide users with a better network experience. However, in traditional WLAN access mode, users need to manually select an SSID, connect their terminals to it, and enter authentication information, which makes for a poor user experience. To improve this, Hotspot2.0 services are deployed so that terminals automatically access the correct network, using the SIM card as the identity credential.

Figure 14-7  Networking diagram for configuring a Hotspot2.0 wireless network

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure network interworking and basic WLAN services. For details on how to configure basic WLAN services, see Example for Configuring Fat AP Layer 2 Networking.
  2. Configure WPA2-802.1x authentication based on the NSP's AAA server information.
  3. Configure the AP to not send downstream broadcast or multicast packets.
  4. Configure Hotspot2.0 services based on the NSP's network information.

Table 14-4  Data planning

Item / Data

DHCP server
  • The AP functions as a DHCP server to assign IP addresses to STAs.
AP's IP address
  • 10.23.101.1/24
IP address pool for STAs
  • 10.23.101.3-10.23.101.254/24
SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net
Security profile
  • Name: wlan-security
  • Security policy: WPA2+802.1X+AES
Authentication profile
  • Name: wlan-dot1x
  • Referenced profile: 802.1x access profile wlan-dot1x
  • Authentication scheme: wlan-authen
Traffic profile
  • Name: wlan-traffic
  • Function: ARP proxy, ND proxy, and forbidding downstream broadcast and multicast packets
Hotspot2.0 profile
  • Name: wlan-hs2
  • Network type: free public network
  • P2P connection: enabled
  • Venue type: coffee shop (venue group code 1 and venue type code 13)
  • HESSID: 60de-4476-e360
  • IP address type availability information: IPv4 and IPv6 addresses available
  • Network authentication type: acceptance of terms and conditions
  • Cellular network information: 46000
  • Network connection capability: allowing HTTP
  • Friendly operator name: mobileA
  • Operating class indication: 81
  • Domain name of the hotspot operator: www.mobileA.com
  • NAI realm: www.mobileA.com
  • Venue name: Coffee
  • Roaming consortium OI: 50-6f-9a
VAP profile
  • Name: wlan-vap
  • Service VLAN: VLAN 101
  • Referenced profile: SSID profile wlan-ssid, security profile wlan-security, traffic profile wlan-traffic, Hotspot2.0 profile wlan-hs2, and authentication profile wlan-dot1x
AAA server
  • AAA type: RADIUS
  • IP address of the authentication server: 10.24.100.1
  • Port number of the authentication server: 1812
  • Shared key of the RADIUS server: Huawei@123
  • Number of retransmissions: 2
  • RADIUS authentication mode: RADIUS authentication first and then local authentication

Configuration Notes

Multicast packet transmission on air interfaces has no ACK mechanism, and wireless links are unstable. To ensure stable transmission, multicast packets are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may become congested. You are advised to configure multicast packet suppression on switch interfaces connected to APs to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, multicast services may be affected. For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?"

Procedure

  1. Configure network interworking and basic WLAN services. For details on how to configure basic WLAN services, see Example for Configuring Fat AP Layer 2 Networking. The IP address of the remote device connected to the AP in the uplink direction is 10.23.101.2/24.
  2. Configure WPA2-802.1x authentication.

    # Configure a RADIUS server template.
    <AP> system-view
    [AP] radius-server template wlan-radius
    [AP-radius-wlan-radius] radius-server authentication 10.24.100.1 1812
    [AP-radius-wlan-radius] radius-server shared-key cipher Huawei@123
    [AP-radius-wlan-radius] radius-server retransmit 2
    [AP-radius-wlan-radius] undo radius-server user-name domain-included
    [AP-radius-wlan-radius] quit
    # Configure an AAA authentication scheme and configure the device to use RADIUS authentication preferentially.
    [AP] aaa
    [AP-aaa] authentication-scheme wlan-authen
    [AP-aaa-authen-wlan-authen] authentication-mode radius local
    [AP-aaa-authen-wlan-authen] quit
    [AP-aaa] quit
    # Configure an 802.1x access profile and configure EAP relay authentication for 802.1x users.
    [AP] dot1x-access-profile name wlan-dot1x
    [AP-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
    [AP-dot1x-access-profile-wlan-dot1x] quit
    # Configure an authentication profile and bind the AAA authentication scheme, RADIUS server template, and 802.1x access profile to the authentication profile.
    [AP] authentication-profile name wlan-dot1x
    [AP-authentication-profile-wlan-dot1x] dot1x-access-profile wlan-dot1x
    [AP-authentication-profile-wlan-dot1x] authentication-scheme wlan-authen
    [AP-authentication-profile-wlan-dot1x] radius-server wlan-radius
    [AP-authentication-profile-wlan-dot1x] quit
    # Configure the WPA2-802.1X-AES security policy.
    [AP] wlan
    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
    [AP-wlan-sec-prof-wlan-security] quit
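    # Return to the system view, configure a static route to the RADIUS server, and then re-enter the WLAN view for the following steps.
    [AP-wlan-view] quit
    [AP] ip route-static 10.24.100.1 32 10.23.101.2
    [AP] wlan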
    

  3. Configure the traffic profile to not send downstream broadcast or multicast packets.

    [AP-wlan-view] traffic-profile name wlan-traffic
    [AP-wlan-traffic-prof-wlan-traffic] traffic-optimize arp-proxy enable
    [AP-wlan-traffic-prof-wlan-traffic] traffic-optimize bcmc deny all
    [AP-wlan-traffic-prof-wlan-traffic] quit

  4. Configure Hotspot2.0 services.

    # Configure parameters according to the network information provided by the NSP, and create the Hotspot2.0 profile wlan-hs2. Before binding the profile to the VAP profile, ensure that the VAP profile has referenced the WPA2-802.1X security profile.

    [AP-wlan-view] cellular-network-profile name wlan-hs2
    [AP-wlan-cellular-network-prof-wlan-hs2] plmn-id 46000
    [AP-wlan-cellular-network-prof-wlan-hs2] quit
    [AP-wlan-view] connection-capability-profile name wlan-hs2
    [AP-wlan-co-cap-prof-wlan-hs2] connection-capability tcp-http on
    [AP-wlan-co-cap-prof-wlan-hs2] quit
    [AP-wlan-view] operator-name-profile name wlan-hs2
    [AP-wlan-wlan-op-name-prof-wlan-hs2] operator-friendly-name language-code eng name mobileA
    [AP-wlan-wlan-op-name-prof-wlan-hs2] quit
    [AP-wlan-view] operating-class-profile name wlan-hs2
    [AP-wlan-op-class-prof-wlan-hs2] operating-class-indication 81
    [AP-wlan-op-class-prof-wlan-hs2] quit
    [AP-wlan-view] operator-domain-profile name wlan-hs2
    [AP-wlan-op-domain-prof-wlan-hs2] domain-name www.mobileA.com
    [AP-wlan-op-domain-prof-wlan-hs2] quit
    [AP-wlan-view] nai-realm-profile name wlan-hs2
    [AP-wlan-nai-realm-prof-wlan-hs2] nai-realm realm-name www.mobileA.com
    [AP-wlan-nai-realm-prof-wlan-hs2] quit
    [AP-wlan-view] venue-name-profile name wlan-hs2
    [AP-wlan-ve-na-prof-wlan-hs2] venue-name language-code eng name Coffee
    [AP-wlan-ve-na-prof-wlan-hs2] quit
    [AP-wlan-view] roaming-consortium-profile name wlan-hs2
    [AP-wlan-ro-co-prof-wlan-hs2] roaming-consortium-oi 50-6f-9a in-beacon
    [AP-wlan-ro-co-prof-wlan-hs2] quit
    [AP-wlan-view] hotspot2-profile name wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] network-type public-free internet-access
    [AP-wlan-hotspot2-prof-wlan-hs2] undo p2p-cross-connect disable
    [AP-wlan-hotspot2-prof-wlan-hs2] venue-type group-code 1 type-code 13
    [AP-wlan-hotspot2-prof-wlan-hs2] hessid 60de-4476-e360
    [AP-wlan-hotspot2-prof-wlan-hs2] ipv4-address-avail available
    [AP-wlan-hotspot2-prof-wlan-hs2] network-authen-type acceptance
    [AP-wlan-hotspot2-prof-wlan-hs2] cellular-network-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] connection-capability-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] operator-name-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] operating-class-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] operator-domain-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] nai-realm-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] venue-name-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] roaming-consortium-profile wlan-hs2
    [AP-wlan-hotspot2-prof-wlan-hs2] quit

  5. Bind the authentication profile, traffic profile, and Hotspot2.0 profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] authentication-profile wlan-dot1x
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-wlan-vap-prof-wlan-vap] traffic-profile wlan-traffic
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AP-wlan-vap-prof-wlan-vap] hotspot2-profile wlan-hs2
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit

  6. Verify the configuration.

    After the service configuration is complete, run the display vap ssid wlan-net command. If Status in the command output is displayed as ON, the VAPs have been successfully created on AP radios.

    [AP] display vap ssid wlan-net
    WID : WLAN ID
    --------------------------------------------------------------------------------
    AP MAC         RfID WID  SSID     BSSID          Status  Auth type   STA
    --------------------------------------------------------------------------------
    00bc-da3f-e900 0    1    wlan-net 00BC-DA3F-E900 ON  WPA2-802.1X 0
    -------------------------------------------------------------------------------
    Total: 1

    In the AP's coverage area, the STA automatically connects to the WLAN with the SSID wlan-net.

    [AP] display station all
    Rf/WLAN: Radio ID/WLAN ID
    Rx/Tx: link receive rate/link transmit rate(Mbps)
    ------------------------------------------------------------------------------
    STA MAC          Ap name        Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address    SSID
    ------------------------------------------------------------------------------
    14cf-9202-13dc   00bc-da3f-e900 0/2      2.4G  11n   19/13      -63   101   10.23.101.254 wlan-net
    ------------------------------------------------------------------------------
    Total: 1 2.4G: 1 5G: 0

Configuration Files

  • AP configuration file

    #
     sysname AP
    #
    vlan batch 101
    #
    authentication-profile name wlan-dot1x
     dot1x-access-profile wlan-dot1x
     authentication-scheme wlan-authen
     radius-server wlan-radius
    #
    dot1x-access-profile name wlan-dot1x
    #
    dhcp enable
    #
    radius-server template wlan-radius
     radius-server shared-key cipher %^%#3|_'15Yp[3cBVN4*3lB3o&@0%pll(XJ:9@Yw'`(!%^%#
     radius-server authentication 10.24.100.1 1812 weight 80
     radius-server retransmit 2
     undo radius-server user-name domain-included
    #
    aaa
     authentication-scheme wlan-authen
      authentication-mode radius local
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
     dhcp server excluded-ip-address 10.23.101.2
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    wlan
     traffic-profile name wlan-traffic
      traffic-optimize bcmc deny all
      traffic-optimize arp-proxy enable
     security-profile name wlan-security
      security wpa2 dot1x aes
     ssid-profile name wlan-ssid
      ssid wlan-net
     operating-class-profile name wlan-hs2
      operating-class-indication 81
     roaming-consortium-profile name wlan-hs2
      roaming-consortium-oi 50-6f-9a in-beacon
     cellular-network-profile name wlan-hs2
      plmn-id 46000
     connection-capability-profile name wlan-hs2
      connection-capability tcp-http on
     operator-domain-profile name wlan-hs2
      domain-name www.mobileA.com
     operator-name-profile name wlan-hs2
      operator-friendly-name language-code eng name mobileA
     venue-name-profile name wlan-hs2
      venue-name language-code eng name Coffee
     nai-realm-profile name wlan-hs2
      nai-realm realm-name www.mobileA.com
     hotspot2-profile name wlan-hs2
      hessid 60de-4476-e360
      network-type public-free internet-access
      venue-type group-code 1 type-code 13 
      ipv4-address-avail available
      network-authen-type acceptance
      cellular-network-profile wlan-hs2
      connection-capability-profile wlan-hs2
      operator-name-profile wlan-hs2
      operator-domain-profile wlan-hs2
      venue-name-profile wlan-hs2
      nai-realm-profile wlan-hs2
      operating-class-profile wlan-hs2
      roaming-consortium-profile wlan-hs2
     vap-profile name wlan-vap
      authentication-profile wlan-dot1x
      service-vlan vlan-id 101
      ssid-profile wlan-ssid
      security-profile wlan-security
      traffic-profile wlan-traffic
      hotspot2-profile wlan-hs2
    #
    interface Wlan-Radio0/0/0
     vap-profile wlan-vap wlan 2
     channel 20mhz 6
    #
    ip route-static 10.24.100.1 255.255.255.255 10.23.101.2
    #
    return
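
The prerequisite in step 4 (the VAP profile must reference the WPA2-802.1X security profile before a Hotspot2.0 profile is bound) and the broadcast/multicast restriction in step 3 can be checked offline against a saved configuration file. The Python audit below is an added example, not Huawei tooling or part of the original guide. The function names and the trimmed sample configuration are constructed for illustration, and it assumes the one-space-per-level indentation shown in the configuration file above.

```python
import re

DEF = re.compile(r"^\s*(\S+-profile) name (\S+)\s*$")  # "<kind>-profile name <name>"
REF = re.compile(r"^(\S+-profile) (\S+)$")             # "<kind>-profile <name>"
# Constructed sample: trimmed from the wlan section of the configuration file above.
SAMPLE = """\
 traffic-profile name wlan-traffic
  traffic-optimize bcmc deny all
 security-profile name wlan-security
  security wpa2 dot1x aes
 nai-realm-profile name wlan-hs2
 hotspot2-profile name wlan-hs2
  nai-realm-profile wlan-hs2
 vap-profile name wlan-vap
  security-profile wlan-security
  traffic-profile wlan-traffic
  hotspot2-profile wlan-hs2
"""

def parse_profiles(config):
    """Map (kind, name) -> setting lines indented under that profile definition."""
    profiles, current, depth = {}, None, 0
    for raw in config.splitlines():
        m, indent = DEF.match(raw), len(raw) - len(raw.lstrip())
        if m:
            current, depth = profiles.setdefault(m.groups(), []), indent
        elif current is not None and raw.strip() and indent > depth:
            current.append(raw.strip())
        else:
            current = None  # "#" separator or a line outside any profile
    return profiles

def audit_hotspot2(config):
    """Return findings for each VAP profile that binds a Hotspot2.0 profile."""
    profiles, findings = parse_profiles(config), []
    for (kind, vap), body in profiles.items():
        refs = dict(m.groups() for m in map(REF.match, body) if m)
        if kind != "vap-profile" or not (hs2 := refs.get("hotspot2-profile")):
            continue
        sec = profiles.get(("security-profile", refs.get("security-profile")), [])
        if not any(s.startswith("security wpa2 dot1x") for s in sec):
            findings.append(f"{vap}: Hotspot2.0 bound without WPA2-802.1X security")
        traffic = profiles.get(("traffic-profile", refs.get("traffic-profile")), [])
        if "traffic-optimize bcmc deny all" not in traffic:
            findings.append(f"{vap}: downstream broadcast/multicast not denied")
        for ref in filter(None, map(REF.match, profiles.get(("hotspot2-profile", hs2), []))):
            if ref.groups() not in profiles:
                findings.append(f"{hs2}: undefined {ref.group(1)} {ref.group(2)}")
    return findings
```

Calling `audit_hotspot2()` on the text of a saved configuration file returns an empty list when all three checks pass.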
Updated: 2019-01-11

Document ID: EDOC1000176006
