WLAN V200R008C10 Typical Configuration Examples

Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment

The two-node cluster environment consists of two two-node clusters: the AC cluster (VRRP) and the RADIUS server cluster. Deploying two-node clusters on a WLAN improves network reliability.

Involved Products and Versions

Product Type | Product Name | Version
------------ | ------------ | -------
Agile Controller-Campus | Agile Controller-Campus | V100R002C10
WLAN AC | AC6605 | V200R006C20
Access switch | S2750EI | V200R008C00
Aggregation switch | S5720HI | V200R008C00
Core switch | S7700 | V200R008C00

Networking Requirements

To meet service requirements, a company needs to deploy an identity authentication system to implement access control for all employees who attempt to connect to the enterprise network in wireless mode. Only authenticated users can connect to the enterprise network.

The company has the following requirements:
  • The network must be reliable because all employees need to connect to the wireless network for work and Internet access.
  • A unified identity authentication mechanism is used to authenticate all terminals accessing the enterprise network and deny access to the enterprise network and Internet from unauthorized terminals.
Figure 4-98 Networking diagram

Requirement Analysis

Based on user requirements, networking design is performed as follows:
  • Reliability
    • AC1 and AC2 are connected to S7700A and S7700B in bypass mode, respectively. A VRRP group is configured between AC1 and AC2, and HSB is used to determine the active and standby ACs.
    • A VRRP group is configured between S7700A and S7700B to improve reliability.
    • Eth-Trunks are used to connect aggregation switches and access switches, ACs and core switches, and ACs.
    • The Agile Controller-Campus is deployed in 1+2 (one SM + two SCs) mode to ensure reliability of the authentication server.
  • Internetworking

    The aggregation switch is configured as a DHCP server to assign IP addresses to APs. Core switches serve as DHCP servers to assign IP addresses to employees and guests.

VLAN Plan

Table 4-133 VLAN plan

VLAN ID | Function
------- | --------
100 | mVLAN for APs
101 | Service VLAN for employees
103 | Egress VLAN for core switches
104 | VLAN for communication between ACs

Network Data Plan

Table 4-134 Network data plan

Item | No. | Interface Number | Eth-Trunk | VLAN | IP address | Description
---- | --- | ---------------- | --------- | ---- | ---------- | -----------
Access switch S2750EI | (1) | GE0/0/1 | - | 100 and 101 | - | Connected to the AP in the employee area
Access switch S2750EI | (2) | GE0/0/4 | - | 100 and 101 | - | Connected to the AP in the guest area
Access switch S2750EI | (3) | GE0/0/2 and GE0/0/3 | Eth-Trunk1 | 100 and 101 | - | Connected to the aggregation switch S5720HI
Aggregation switch S5720HI | (4) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 100: 172.18.10.4/16 | Connected to the access switch S2750EI; gateway for APs
Aggregation switch S5720HI | (5) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 100 and 101 | - | Connected to the core switch S7700A
Aggregation switch S5720HI | (6) | GE0/0/5 and GE0/0/6 | Eth-Trunk3 | 100 and 101 | - | Connected to the core switch S7700B
S7700A (Active) | (7) | GE1/0/1 and GE1/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 101: 172.19.10.2/24 | Connected to the aggregation switch S5720HI
S7700A (Active) | (8) | GE1/0/3 and GE1/0/4 | Eth-Trunk2 | 100 and 101 | VLANIF 100: 172.18.10.5/24 | Connected to AC1
S7700A (Active) | (9) | GE1/0/5 | - | 103 | VLANIF 103: 172.22.20.1/24 | Connected to the egress router
S7700B (Standby) | (10) | GE1/0/1 and GE1/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 101: 172.19.10.3/24 | Connected to the aggregation switch S5720HI
S7700B (Standby) | (11) | GE1/0/3 and GE1/0/4 | Eth-Trunk2 | 100 and 101 | VLANIF 100: 172.18.10.6/24 | Connected to AC2
S7700B (Standby) | (12) | GE1/0/5 | - | 103 | VLANIF 103: 172.23.20.1/24 | Connected to the egress router
AC1 (Active) | (13) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 | VLANIF 100: 172.18.10.2/24 | Connected to the core switch S7700A
AC1 (Active) | (14) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 104 | VLANIF 104: 10.10.11.1/24 | Connected to AC2
AC2 (Standby) | (15) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 | VLANIF 100: 172.18.10.3/24 | Connected to the core switch S7700B
AC2 (Standby) | (16) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 104 | VLANIF 104: 10.10.11.2/24 | Connected to AC1
Virtual address of the ACs | - | - | - | - | 172.18.10.1/24 | Connected to the Agile Controller-Campus
Virtual address of the S7700s | - | - | - | - | 172.19.10.1/24 | Gateway for employees
Server | SM + SC | - | - | - | 172.22.10.2 | -
Server | SC | - | - | - | 172.22.10.3 | -
Server | DNS server | - | - | - | 172.22.10.4 | -
Server | Internal server | - | - | - | 172.22.10.5 | -

Service Data Plan

Table 4-135 Service data plan

AC
  • Number of the ACL for employees' post-authentication domain: 3001 (you need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus)
  • SSID of the employee area: employee
  • RADIUS authentication server:
    • Primary IP address: 172.22.10.2
    • Secondary IP address: 172.22.10.3
    • Port number: 1812
    • Shared key: Admin@123
  • RADIUS accounting server:
    • Primary IP address: 172.22.10.2
    • Secondary IP address: 172.22.10.3
    • Port number: 1813
    • Shared key: Admin@123
    • Accounting interval: 15 minutes
  • RADIUS authorization server:
    • Primary IP address: 172.22.10.2
    • Secondary IP address: 172.22.10.3
    • Shared key: Admin@123
  • Notes on the RADIUS servers:
    • The Service Controller of the Agile Controller-Campus provides the RADIUS server function; therefore, the IP addresses of the authentication server, accounting server, and authorization server are all the IP address of the Service Controller.
    • Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
    • Configure an authorization server so that the RADIUS server can deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.

Agile Controller-Campus
  • IP address: 172.18.10.1
  • Authentication port: 1812
  • Accounting port: 1813
  • RADIUS shared key: Admin@123 (must be the same as the RADIUS shared key configured on the AC)
  • Account: tony
  • Password: Admin@123
  • Post-authentication domain for employees: internal servers and Internet

Prerequisites

You have connected core router interfaces at 172.22.20.2/24 and 172.23.20.2/24 to S7700A and S7700B, respectively.

Configuration Roadmap

NOTE:

The active and standby nodes do not synchronize their VRRP HSB configurations. Therefore, every configuration operation must be performed on both the active and standby nodes.

  1. Configure the access switch, aggregation switch, core switches, and ACs to ensure network connectivity and reliability.
  2. Configure VRRP and HSB on core switches.
  3. Configure VRRP and HSB on ACs.
  4. Configure a RADIUS server template, authentication, accounting, and authorization schemes in the template, and wireless 802.1X authentication on each AC.
  5. Add ACs on the SM and set parameters to ensure that the Agile Controller-Campus can communicate properly with the ACs.
  6. Add an authorization result and an authorization rule to grant permission to employees after they are successfully authenticated.
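Because the two nodes do not synchronize configuration, a practical check after provisioning is to diff the command sets of the two ACs. The following Python script is an added example, not Huawei code or part of this document: it strips prompts and comments from two pasted CLI sessions, masks the values that legitimately differ between the nodes (local/peer HSB addresses, management IP address, default gateway; the mapping is an assumption the operator fills in from the network data plan), ignores the priority and preemption commands that belong on the active AC only, and reports every command present on one node but missing on the other. The two sessions are constructed from the commands in this example, with AC2 deliberately missing its secondary accounting server and the DHCP HSB binding.

```python
import re

# Prompt at the start of a pasted line: "[AC1-Vlanif100] " or "<AC1> ".
PROMPT_RE = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")
COMMENT_RE = re.compile(r"\s*//.*$")                 # trailing "//..." comments
SKIP_EXACT = {"quit", "return", "system-view", "save"}
SKIP_PREFIX = ("sysname ",)
# Commands expected on the active AC only (steps 7 and 8 of this example).
EXPECTED_ASYMMETRIC = ("vrrp vrid 1 priority", "vrrp vrid 1 preempt-mode")


def normalise(session, node_values):
    """Reduce a pasted CLI session to a set of comparable commands.

    node_values maps a placeholder name to the value that is legitimately
    node-specific; each occurrence is replaced by the placeholder so that
    the same command on both nodes compares equal.
    """
    commands = set()
    for raw in session.splitlines():
        line = COMMENT_RE.sub("", PROMPT_RE.sub("", raw)).strip()
        if not line or line in SKIP_EXACT or line.startswith(SKIP_PREFIX):
            continue
        if line.startswith(EXPECTED_ASYMMETRIC):
            continue
        for name, value in node_values.items():
            line = line.replace(value, "{" + name + "}")
        commands.add(line)
    return commands


def compare_nodes(active_session, standby_session, active_values, standby_values):
    """Return the commands missing on each node, sorted for stable reporting."""
    active = normalise(active_session, active_values)
    standby = normalise(standby_session, standby_values)
    return {
        "missing_on_standby": sorted(active - standby),
        "missing_on_active": sorted(standby - active),
    }


# Per-node values taken from the network data plan (assumed operator-maintained).
AC1_VALUES = {"local_ip": "10.10.11.1", "peer_ip": "10.10.11.2",
              "mgmt_ip": "172.18.10.2", "gateway": "172.18.10.5"}
AC2_VALUES = {"local_ip": "10.10.11.2", "peer_ip": "10.10.11.1",
              "mgmt_ip": "172.18.10.3", "gateway": "172.18.10.6"}

# Constructed session assembled from the AC1 commands in this document.
AC1_SESSION = """
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.2 24
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1  //Configure a virtual IP address for the management VRRP group.
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit
[AC1] ip route-static 0.0.0.0 0 172.18.10.5
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] quit
[AC1] hsb-service-type access-user hsb-group 0
[AC1] hsb-service-type ap hsb-group 0
[AC1] hsb-service-type dhcp hsb-group 0
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123
[AC1-radius-radius_template] quit
"""

# Constructed AC2 session: lacks the secondary accounting server and the DHCP HSB binding.
AC2_SESSION = """
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.3 24
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit
[AC2] ip route-static 0.0.0.0 0 172.18.10.6
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit
[AC2] hsb-service-type access-user hsb-group 0
[AC2] hsb-service-type ap hsb-group 0
[AC2] radius-server template radius_template
[AC2-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
[AC2-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
[AC2-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
[AC2-radius-radius_template] radius-server shared-key cipher Admin@123
[AC2-radius-radius_template] quit
"""

if __name__ == "__main__":
    for side, missing in compare_nodes(AC1_SESSION, AC2_SESSION, AC1_VALUES, AC2_VALUES).items():
        print(side, missing)
```

Run the script against the output of display current-configuration from each AC (or against the session transcripts kept from provisioning); anything listed under missing_on_standby is a command that will silently be absent after a switchover.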

Procedure

  1. [Device] Configure the access switch S2750EI to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S2700
    [S2700] vlan batch 100 101   //Create VLAN 100 and VLAN 101 in a batch.
    [S2700] interface gigabitethernet 0/0/1  //Enter the view of the interface connected to an AP.
    [S2700-GigabitEthernet0/0/1] port link-type trunk  //Change the link type of gigabitethernet0/0/1 to trunk.
    [S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100  //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
    [S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101  //Add gigabitethernet0/0/1 to VLAN 100 and VLAN 101.
    [S2700-GigabitEthernet0/0/1] quit
    [S2700] interface gigabitethernet 0/0/4  //Enter the view of the interface connected to another AP.
    [S2700-GigabitEthernet0/0/4] port link-type trunk  //Change the link type of gigabitethernet0/0/4 to trunk.
    [S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100  //Set the default VLAN of gigabitethernet0/0/4 to VLAN 100.
    [S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101  //Add gigabitethernet0/0/4 to VLAN 100 and VLAN 101.
    [S2700-GigabitEthernet0/0/4] quit
    

    # Create Eth-Trunk 1, and add GE0/0/2 and GE0/0/3 to Eth-Trunk 1.

    [S2700] interface eth-trunk 1  //Create Eth-Trunk 1.
    [S2700-Eth-Trunk1] quit
    [S2700] interface gigabitethernet 0/0/2  //Add gigabitethernet0/0/2 to Eth-Trunk 1.
    [S2700-GigabitEthernet0/0/2] eth-trunk 1
    [S2700-GigabitEthernet0/0/2] quit
    [S2700] interface gigabitethernet 0/0/3  //Add gigabitethernet0/0/3 to Eth-Trunk 1.
    [S2700-GigabitEthernet0/0/3] eth-trunk 1
    [S2700-GigabitEthernet0/0/3] quit

    # Add Eth-Trunk 1 to VLANs.

    [S2700] interface eth-trunk 1  //Enter the view of the interface connected to the aggregation switch.
    [S2700-Eth-Trunk1] port link-type trunk  //Change the link type of Eth-Trunk 1 to trunk.
    [S2700-Eth-Trunk1] port trunk allow-pass vlan 100 101  //Add Eth-Trunk 1 to VLAN 100 and VLAN 101.
    [S2700-Eth-Trunk1] undo port trunk allow-pass vlan 1
    [S2700-Eth-Trunk1] quit
    [S2700] quit
    <S2700> save  //Save the configuration.

  2. [Device] Configure the aggregation switch S5720HI to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S5720HI
    [S5720HI] dhcp enable   //Enable the DHCP service.
    [S5720HI] vlan batch 100 101   //Create VLAN 100 and VLAN 101 in a batch.
    [S5720HI] interface vlanif 100  //Enter the view of VLANIF 100.
    [S5720HI-Vlanif100] ip address 172.18.10.4 24  //Configure an IP address for VLANIF 100 as the APs' gateway.
    [S5720HI-Vlanif100] dhcp select interface
    [S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3  //Exclude IP addresses in use from the DHCP address pool.
    [S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6
    [S5720HI-Vlanif100] quit

    # Create Eth-Trunk 1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk 1.

    [S5720HI] interface eth-trunk 1
    [S5720HI-Eth-Trunk1] quit
    [S5720HI] interface gigabitethernet 0/0/1
    [S5720HI-GigabitEthernet0/0/1] eth-trunk 1
    [S5720HI-GigabitEthernet0/0/1] quit
    [S5720HI] interface gigabitethernet 0/0/2
    [S5720HI-GigabitEthernet0/0/2] eth-trunk 1
    [S5720HI-GigabitEthernet0/0/2] quit

    # Add Eth-Trunk 1 to VLANs.

    [S5720HI] interface eth-trunk 1  //Enter the view of the interface connected to the access switch S2700.
    [S5720HI-Eth-Trunk1] port link-type trunk
    [S5720HI-Eth-Trunk1] port trunk allow-pass vlan 100 101
    [S5720HI-Eth-Trunk1] undo port trunk allow-pass vlan 1
    [S5720HI-Eth-Trunk1] quit

    # Create Eth-Trunk 2, and add GE0/0/3 and GE0/0/4 to Eth-Trunk 2.

    [S5720HI] interface eth-trunk 2
    [S5720HI-Eth-Trunk2] quit
    [S5720HI] interface gigabitethernet 0/0/3
    [S5720HI-GigabitEthernet0/0/3] eth-trunk 2
    [S5720HI-GigabitEthernet0/0/3] quit
    [S5720HI] interface gigabitethernet 0/0/4
    [S5720HI-GigabitEthernet0/0/4] eth-trunk 2
    [S5720HI-GigabitEthernet0/0/4] quit

    # Add Eth-Trunk 2 to VLANs.

    [S5720HI] interface eth-trunk 2  //Enter the view of the interface connected to the core switch S7700A.
    [S5720HI-Eth-Trunk2] port link-type trunk
    [S5720HI-Eth-Trunk2] port trunk allow-pass vlan 100 101
    [S5720HI-Eth-Trunk2] undo port trunk allow-pass vlan 1
    [S5720HI-Eth-Trunk2] quit

    # Create Eth-Trunk 3, and add GE0/0/5 and GE0/0/6 to Eth-Trunk 3.

    [S5720HI] interface eth-trunk 3
    [S5720HI-Eth-Trunk3] quit
    [S5720HI] interface gigabitethernet 0/0/5
    [S5720HI-GigabitEthernet0/0/5] eth-trunk 3
    [S5720HI-GigabitEthernet0/0/5] quit
    [S5720HI] interface gigabitethernet 0/0/6
    [S5720HI-GigabitEthernet0/0/6] eth-trunk 3
    [S5720HI-GigabitEthernet0/0/6] quit

    # Add Eth-Trunk 3 to VLANs.

    [S5720HI] interface eth-trunk 3  //Enter the view of the interface connected to the core switch S7700B.
    [S5720HI-Eth-Trunk3] port link-type trunk
    [S5720HI-Eth-Trunk3] port trunk allow-pass vlan 100 101
    [S5720HI-Eth-Trunk3] undo port trunk allow-pass vlan 1
    [S5720HI-Eth-Trunk3] quit
    [S5720HI] quit
    <S5720HI> save  //Save the configuration.

  3. [Device] Configure the core switch S7700A to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S7700A
    [S7700A] vlan batch 100 101 103   //Create VLAN 100, VLAN 101, and VLAN 103 in a batch.

    # Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.

    [S7700A] interface eth-trunk 1
    [S7700A-Eth-Trunk1] quit
    [S7700A] interface gigabitethernet 1/0/1
    [S7700A-GigabitEthernet1/0/1] eth-trunk 1
    [S7700A-GigabitEthernet1/0/1] quit
    [S7700A] interface gigabitethernet 1/0/2
    [S7700A-GigabitEthernet1/0/2] eth-trunk 1
    [S7700A-GigabitEthernet1/0/2] quit

    # Add Eth-Trunk 1 to VLANs.

    [S7700A] interface eth-trunk 1  //Enter the view of the interface connected to the aggregation switch S5720HI.
    [S7700A-Eth-Trunk1] port link-type trunk
    [S7700A-Eth-Trunk1] port trunk allow-pass vlan 100 101
    [S7700A-Eth-Trunk1] undo port trunk allow-pass vlan 1
    [S7700A-Eth-Trunk1] quit
    [S7700A] dhcp enable
    [S7700A] interface vlanif 101  //Enter the view of VLANIF 101.
    [S7700A-Vlanif101] ip address 172.19.10.2 24  //Configure an IP address for VLANIF 101 for communicating with VLANIF 101 on S7700B.
    [S7700A-Vlanif101] dhcp select interface  //Configure DHCP for VLANIF 101 so that the IP address of VLANIF 101 can be configured as the gateway for employees.
    [S7700A-Vlanif101] dhcp server dns-list 172.22.10.4  //Configure the DNS server address.
    [S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.1  //Exclude IP addresses in use from the DHCP address pool.
    [S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.3
    [S7700A-Vlanif101] quit

    # Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.

    [S7700A] interface eth-trunk 2
    [S7700A-Eth-Trunk2] quit
    [S7700A] interface gigabitethernet 1/0/3
    [S7700A-GigabitEthernet1/0/3] eth-trunk 2
    [S7700A-GigabitEthernet1/0/3] quit
    [S7700A] interface gigabitethernet 1/0/4
    [S7700A-GigabitEthernet1/0/4] eth-trunk 2
    [S7700A-GigabitEthernet1/0/4] quit

    # Add Eth-Trunk 2 to VLANs.

    [S7700A] interface eth-trunk 2  //Enter the view of the interface connected to AC1.
    [S7700A-Eth-Trunk2] port link-type trunk
    [S7700A-Eth-Trunk2] port trunk allow-pass vlan 100 101
    [S7700A-Eth-Trunk2] undo port trunk allow-pass vlan 1
    [S7700A-Eth-Trunk2] quit
    [S7700A] interface vlanif 100  //Enter the view of VLANIF 100.
    [S7700A-Vlanif100] ip address 172.18.10.5 24  //Configure an IP address for VLANIF 100 for communicating with AC1.
    [S7700A-Vlanif100] quit
    

    # Configure an IP address for the interface connecting to the egress router.

    [S7700A] interface gigabitethernet 1/0/5  //Enter the view of the interface connected to the egress router.
    [S7700A-GigabitEthernet1/0/5] port link-type trunk
    [S7700A-GigabitEthernet1/0/5] port trunk pvid vlan 103
    [S7700A-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
    [S7700A-GigabitEthernet1/0/5] quit
    [S7700A] interface vlanif 103
    [S7700A-Vlanif103] ip address 172.22.20.1 24
    [S7700A-Vlanif103] quit
    [S7700A] ip route-static 0.0.0.0 0 172.22.20.2
    [S7700A] quit
    <S7700A> save  //Save the configuration.

  4. [Device] Configure the core switch S7700B to ensure network connectivity.

    <HUAWEI> system-view
    [HUAWEI] sysname S7700B
    [S7700B] vlan batch 100 101 103   //Create VLAN 100, VLAN 101, and VLAN 103 in a batch.

    # Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.

    [S7700B] interface eth-trunk 1
    [S7700B-Eth-Trunk1] quit
    [S7700B] interface gigabitethernet 1/0/1
    [S7700B-GigabitEthernet1/0/1] eth-trunk 1
    [S7700B-GigabitEthernet1/0/1] quit
    [S7700B] interface gigabitethernet 1/0/2
    [S7700B-GigabitEthernet1/0/2] eth-trunk 1
    [S7700B-GigabitEthernet1/0/2] quit

    # Add Eth-Trunk 1 to VLANs.

    [S7700B] interface eth-trunk 1  //Enter the view of the interface connected to the aggregation switch S5720HI.
    [S7700B-Eth-Trunk1] port link-type trunk
    [S7700B-Eth-Trunk1] port trunk allow-pass vlan 100 101
    [S7700B-Eth-Trunk1] undo port trunk allow-pass vlan 1
    [S7700B-Eth-Trunk1] quit
    [S7700B] dhcp enable
    [S7700B] interface vlanif 101  //Enter the view of VLANIF 101.
    [S7700B-Vlanif101] ip address 172.19.10.3 24  //Configure an IP address for VLANIF 101 for communicating with VLANIF 101 on S7700A.
    [S7700B-Vlanif101] dhcp select interface  //Configure DHCP for VLANIF 101 so that the IP address of VLANIF 101 can be configured as the gateway for employees.
    [S7700B-Vlanif101] dhcp server dns-list 172.22.10.4  //Configure the DNS server address.
    [S7700B-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 172.19.10.2  //Exclude IP addresses in use from the DHCP address pool.
    [S7700B-Vlanif101] quit

    # Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.

    [S7700B] interface eth-trunk 2
    [S7700B-Eth-Trunk2] quit
    [S7700B] interface gigabitethernet 1/0/3
    [S7700B-GigabitEthernet1/0/3] eth-trunk 2
    [S7700B-GigabitEthernet1/0/3] quit
    [S7700B] interface gigabitethernet 1/0/4
    [S7700B-GigabitEthernet1/0/4] eth-trunk 2
    [S7700B-GigabitEthernet1/0/4] quit

    # Add Eth-Trunk 2 to VLANs.

    [S7700B] interface eth-trunk 2  //Enter the view of the interface connected to AC2.
    [S7700B-Eth-Trunk2] port link-type trunk
    [S7700B-Eth-Trunk2] port trunk allow-pass vlan 100 101 
    [S7700B-Eth-Trunk2] undo port trunk allow-pass vlan 1
    [S7700B-Eth-Trunk2] quit
    [S7700B] interface vlanif 100  //Enter the view of VLANIF 100.
    [S7700B-Vlanif100] ip address 172.18.10.6 24  //Configure an IP address for VLANIF 100 for communicating with AC2.
    [S7700B-Vlanif100] quit
    

    # Configure an IP address for the interface connecting to the egress router.

    [S7700B] interface gigabitethernet 1/0/5  //Enter the view of the interface connected to egress router.
    [S7700B-GigabitEthernet1/0/5] port link-type trunk
    [S7700B-GigabitEthernet1/0/5] port trunk pvid vlan 103
    [S7700B-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
    [S7700B-GigabitEthernet1/0/5] quit
    [S7700B] interface vlanif 103
    [S7700B-Vlanif103] ip address 172.23.20.1 24
    [S7700B-Vlanif103] quit
    [S7700B] ip route-static 0.0.0.0 0 172.23.20.2
    [S7700B] quit
    <S7700B> save  

  5. [Device] Configure VRRP groups on core switches (S7700s).

    # On VLANIF 101 of S7700A, create VRRP group 1, set the priority of S7700A in the VRRP group to 120 and preemption delay to 20s, and configure the virtual IP address of VRRP group 1 as the employee gateway address.

    <S7700A> system-view
    [S7700A] interface vlanif 101
    [S7700A-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
    [S7700A-Vlanif101] vrrp vrid 1 priority 120
    [S7700A-Vlanif101] vrrp vrid 1 preempt-mode timer delay 20
    [S7700A-Vlanif101] quit

    # On VLANIF 101 of S7700B, create VRRP group 1 with the same virtual IP address. The priority of S7700B in the VRRP group stays at the default value of 100, lower than that of S7700A.

    <S7700B> system-view
    [S7700B] interface vlanif 101
    [S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
    [S7700B-Vlanif101] quit

  6. [Device] Configure the ACs to ensure network connectivity.

    # On AC1, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting AC1 to S7700A to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC1 to AC2 to Eth-Trunk 2.

    <AC6605> system-view
    [AC6605] sysname AC1
    [AC1] vlan batch 100 101 104
    [AC1] interface eth-trunk 1
    [AC1-Eth-Trunk1] port link-type trunk
    [AC1-Eth-Trunk1] port trunk allow-pass vlan 100
    [AC1-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2    //Add GE0/0/1 and GE0/0/2 connected to the core switch S7700A to Eth-Trunk 1.
    [AC1-Eth-Trunk1] quit
    [AC1] interface eth-trunk 2
    [AC1-Eth-Trunk2] port link-type trunk
    [AC1-Eth-Trunk2] port trunk allow-pass vlan 104
    [AC1-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4  //Add GE0/0/3 and GE0/0/4 connected to AC2 to Eth-Trunk 2.
    [AC1-Eth-Trunk2] quit
    

    # Configure an IP address for AC1 to communicate with other NEs.

    [AC1] interface vlanif 104
    [AC1-Vlanif104] ip address 10.10.11.1 24  //Configure an IP address for VLANIF 104 for communicating with AC2 and transmitting backup data.
    [AC1-Vlanif104] quit
    [AC1] interface vlanif 100
    [AC1-Vlanif100] ip address 172.18.10.2 24 
    [AC1-Vlanif100] quit
    

    # Configure a default route for AC1 so that packets are forwarded to core switches by default.

    [AC1] ip route-static 0.0.0.0 0 172.18.10.5

    # On AC2, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting AC2 to S7700B to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC2 to AC1 to Eth-Trunk 2.

    <AC6605> system-view
    [AC6605] sysname AC2
    [AC2] vlan batch 100 101 104
    [AC2] interface eth-trunk 1
    [AC2-Eth-Trunk1] port link-type trunk
    [AC2-Eth-Trunk1] port trunk allow-pass vlan 100
    [AC2-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2  //Add GE0/0/1 and GE0/0/2 connected to the core switch S7700B to Eth-Trunk 1.
    [AC2-Eth-Trunk1] quit
    [AC2] interface eth-trunk 2
    [AC2-Eth-Trunk2] port link-type trunk
    [AC2-Eth-Trunk2] port trunk allow-pass vlan 104
    [AC2-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4  //Add GE0/0/3 and GE0/0/4 connected to AC1 to Eth-Trunk 2.
    [AC2-Eth-Trunk2] quit
    

    # Configure an IP address for AC2 to communicate with other NEs.

    [AC2] interface vlanif 104
    [AC2-Vlanif104] ip address 10.10.11.2 24  //Configure an IP address for VLANIF 104 for communicating with AC1 and transmitting backup data.
    [AC2-Vlanif104] quit
    [AC2] interface vlanif 100
    [AC2-Vlanif100] ip address 172.18.10.3 24 
    [AC2-Vlanif100] quit
    

    # Configure a default route for AC2 so that packets are forwarded to core switches by default.

    [AC2] ip route-static 0.0.0.0 0 172.18.10.6

  7. [Device] Configure VRRP on AC1 to implement AC HSB.

    # Set the recovery delay of a VRRP group to 30 seconds.

    [AC1] vrrp recover-delay 30
    

    # Create a management VRRP group on AC1. Set the priority of AC1 in the VRRP group to 120 and preemption delay to 1200s.

    [AC1] interface vlanif 100
    [AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1  //Configure a virtual IP address for the management VRRP group.
    [AC1-Vlanif100] vrrp vrid 1 priority 120  //Set the priority of AC1 in the VRRP group.
    [AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200  //Set the preemption delay for AC1 in the VRRP group.
    [AC1-Vlanif100] admin-vrrp vrid 1  //Configure vrid 1 as the mVRRP group.
    [AC1-Vlanif100] quit
    

    # Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active and standby channels. Set the retransmission time and interval of HSB service 0.

    [AC1] hsb-service 0
    [AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
    [AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
    [AC1-hsb-service-0] quit

    # Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP group.

    [AC1] hsb-group 0
    [AC1-hsb-group-0] bind-service 0
    [AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
    [AC1-hsb-group-0] quit
    

    # Bind the NAC service to the HSB group.

    [AC1] hsb-service-type access-user hsb-group 0

    # Bind the WLAN service to the HSB group.

    [AC1] hsb-service-type ap hsb-group 0

    # Bind the DHCP service to the HSB group.

    [AC1] hsb-service-type dhcp hsb-group 0

    # Enable HSB.

    [AC1] hsb-group 0
    [AC1-hsb-group-0] hsb enable
    [AC1-hsb-group-0] quit

  8. [Device] Configure VRRP on AC2 to implement AC HSB.

    # Set the recovery delay of a VRRP group to 30 seconds.

    [AC2] vrrp recover-delay 30
    

    # Create a management VRRP group on AC2.

    [AC2] interface vlanif 100
    [AC2-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1  //Configure a virtual IP address for the management VRRP group.
    [AC2-Vlanif100] admin-vrrp vrid 1  //Configure vrid 1 as the mVRRP backup group.
    [AC2-Vlanif100] quit
    

    # Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active and standby channels. Set the retransmission time and interval of HSB service 0.

    [AC2] hsb-service 0
    [AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-data-port 10241 peer-data-port 10241
    [AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
    [AC2-hsb-service-0] quit

    # Create HSB group 0 on AC2 and bind it to HSB service 0 and the management VRRP group.

    [AC2] hsb-group 0
    [AC2-hsb-group-0] bind-service 0
    [AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
    [AC2-hsb-group-0] quit
    

    # Bind the NAC service to the HSB group.

    [AC2] hsb-service-type access-user hsb-group 0

    # Bind the WLAN service to the HSB group.

    [AC2] hsb-service-type ap hsb-group 0

    # Bind the DHCP service to the HSB group.

    [AC2] hsb-service-type dhcp hsb-group 0

  9. [Device] Enable HSB on AC2.

    # Enable HSB.

    [AC2] hsb-group 0
    [AC2-hsb-group-0] hsb enable
    [AC2-hsb-group-0] quit

  10. [Device] Verify the VRRP configuration.

    # After the configurations are complete, run the display vrrp command on AC1 and AC2. The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.

    [AC1] display vrrp
      Vlanif100 | Virtual Router 1
        State : Master
        Virtual IP : 172.18.10.1
        Master IP : 172.18.10.2
        PriorityRun : 120
        PriorityConfig : 120
        MasterPriority : 120
        Preempt : YES   Delay Time : 1200 s
        TimerRun : 1 s
        TimerConfig : 1 s
        Auth type : NONE
        Virtual MAC : 0000-5e00-0101
        Check TTL : YES
        Config type : admin-vrrp
        Backup-forward : disabled
        Create time : 2005-07-31 01:25:55 UTC+08:00
        Last change time : 2005-07-31 02:48:22 UTC+08:00
                                                                                    
    
    [AC2] display vrrp
      Vlanif100 | Virtual Router 1
        State : Backup
        Virtual IP : 172.18.10.1
        Master IP : 172.18.10.2
        PriorityRun : 100
        PriorityConfig : 100
        MasterPriority : 120
        Preempt : YES   Delay Time : 0 s
        TimerRun : 1 s
        TimerConfig : 1 s
        Auth type : NONE
        Virtual MAC : 0000-5e00-0101
        Check TTL : YES
        Config type : admin-vrrp
        Backup-forward : disabled
        Create time : 2005-07-31 02:11:07 UTC+08:00
        Last change time : 2005-07-31 03:40:45 UTC+08:00
    

    # Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status. The value of the Service State field is Connected, indicating that the active and standby HSB channels have been established.

    [AC1] display hsb-service 0
    Hot Standby Service Information:
    ----------------------------------------------------------
      Local IP Address       : 10.10.11.1
      Peer IP Address        : 10.10.11.2
      Source Port            : 10241
      Destination Port       : 10241
      Keep Alive Times       : 2
      Keep Alive Interval    : 1
      Service State          : Connected
      Service Batch Modules  : 
    ----------------------------------------------------------
    
    [AC2] display hsb-service 0
    Hot Standby Service Information:
    ----------------------------------------------------------
      Local IP Address       : 10.10.11.2
      Peer IP Address        : 10.10.11.1
      Source Port            : 10241
      Destination Port       : 10241
      Keep Alive Times       : 2
      Keep Alive Interval    : 1
      Service State          : Connected
      Service Batch Modules  : 
    ----------------------------------------------------------
    

    # Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.

    [AC1] display hsb-group 0
    Hot Standby Group Information:                                                  
    ----------------------------------------------------------                      
      HSB-group ID                : 0                                               
      Vrrp Group ID               : 1                                               
      Vrrp Interface              : Vlanif100                                       
      Service Index               : 0                                               
      Group Vrrp Status           : Master                                          
      Group Status                : Active                                          
      Group Backup Process        : Realtime                                        
      Peer Group Device Type      : AC6605                                          
      Peer Group Software Version : V200R006C20           
      Group Backup Modules        : Access-user                                     
                                    AP
                                    DHCP                                            
    ----------------------------------------------------------  
    [AC2] display hsb-group 0
    Hot Standby Group Information:                                                  
    ----------------------------------------------------------                      
      HSB-group ID                : 0                                               
      Vrrp Group ID               : 1                                               
      Vrrp Interface              : Vlanif100                                       
      Service Index               : 0                                               
      Group Vrrp Status           : Backup                                          
      Group Status                : Inactive                                        
      Group Backup Process        : Realtime                                        
      Peer Group Device Type      : AC6605                                          
      Peer Group Software Version : V200R006C20           
      Group Backup Modules        : Access-user                                     
                                    DHCP                                            
                                    AP                                              
    ----------------------------------------------------------  
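To automate the verification in this step, the following Python script (an added example, not Huawei code) parses the display vrrp, display hsb-service and display hsb-group output shown above and checks the conditions the text describes: one Master/Backup pair sharing the virtual IP address of the management VRRP group, both HSB channels Connected with cross-matching local and peer addresses, and the Access-user, AP and DHCP modules backed up on both nodes. The embedded output is abbreviated from the command output above; the service state used in the failing case is a constructed value, not VRP output.

```python
import re

REQUIRED_MODULES = {"Access-user", "AP", "DHCP"}   # services bound to the HSB group in steps 7 and 8


def parse_display(output):
    """Parse the 'Key : Value' body of a VRP display command into a dict.

    Two pairs on one line ("Preempt : YES   Delay Time : 1200 s") are split on
    wide spacing; a line without a colon extends the previous value (the extra
    entries under 'Group Backup Modules').
    """
    fields, last_key = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"} or line.endswith("Information:"):
            continue
        if "|" in line and ":" not in line:            # "Vlanif100 | Virtual Router 1"
            fields["Interface"], fields["Virtual Router"] = [p.strip() for p in line.split("|", 1)]
            continue
        if ":" not in line:
            if last_key is not None:
                fields[last_key] += " " + line
            continue
        for part in re.split(r"\s{3,}(?=[A-Za-z])", line):
            key, _, value = part.partition(":")
            last_key = key.strip()
            fields[last_key] = value.strip()
    return fields


def check_hsb_pair(active, standby):
    """Return findings for an active/standby AC pair; an empty list means healthy.

    Each argument holds the parsed 'vrrp', 'service' and 'group' output of one AC.
    """
    findings = []
    a_vrrp, s_vrrp = active["vrrp"], standby["vrrp"]
    if (a_vrrp.get("State"), s_vrrp.get("State")) != ("Master", "Backup"):
        findings.append("VRRP states are %s/%s, expected Master/Backup"
                        % (a_vrrp.get("State"), s_vrrp.get("State")))
    if a_vrrp.get("Virtual IP") != s_vrrp.get("Virtual IP"):
        findings.append("virtual IP differs between the nodes")
    if {a_vrrp.get("Config type"), s_vrrp.get("Config type")} != {"admin-vrrp"}:
        findings.append("VRRP group is not the management VRRP group (admin-vrrp) on both nodes")
    a_svc, s_svc = active["service"], standby["service"]
    if (a_svc.get("Local IP Address"), a_svc.get("Peer IP Address")) != \
            (s_svc.get("Peer IP Address"), s_svc.get("Local IP Address")):
        findings.append("HSB channel addresses do not cross-match between the nodes")
    if (active["group"].get("Group Status"), standby["group"].get("Group Status")) != ("Active", "Inactive"):
        findings.append("HSB group status is not Active/Inactive")
    for name, node in (("active", active), ("standby", standby)):
        state = node["service"].get("Service State")
        if state != "Connected":
            findings.append("%s: HSB service state is %s, not Connected" % (name, state))
        missing = REQUIRED_MODULES - set(node["group"].get("Group Backup Modules", "").split())
        if missing:
            findings.append("%s: HSB group does not back up %s" % (name, ", ".join(sorted(missing))))
    return findings


# Output abbreviated from the display commands in this step.
AC1_VRRP = """
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 172.18.10.1
    Master IP : 172.18.10.2
    PriorityRun : 120
    Preempt : YES   Delay Time : 1200 s
    Config type : admin-vrrp
"""
AC2_VRRP = AC1_VRRP.replace("Master\n", "Backup\n").replace("PriorityRun : 120", "PriorityRun : 100")
SERVICE_TEMPLATE = """
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : {local}
  Peer IP Address        : {peer}
  Service State          : Connected
----------------------------------------------------------
"""
GROUP_TEMPLATE = """
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Interface              : Vlanif100
  Group Vrrp Status           : {vrrp}
  Group Status                : {status}
  Group Backup Modules        : Access-user
                                AP
                                DHCP
----------------------------------------------------------
"""
AC1 = {"vrrp": parse_display(AC1_VRRP),
       "service": parse_display(SERVICE_TEMPLATE.format(local="10.10.11.1", peer="10.10.11.2")),
       "group": parse_display(GROUP_TEMPLATE.format(vrrp="Master", status="Active"))}
AC2 = {"vrrp": parse_display(AC2_VRRP),
       "service": parse_display(SERVICE_TEMPLATE.format(local="10.10.11.2", peer="10.10.11.1")),
       "group": parse_display(GROUP_TEMPLATE.format(vrrp="Backup", status="Inactive"))}

if __name__ == "__main__":
    print(check_hsb_pair(AC1, AC2) or "HSB pair healthy")
```

The same parser works on the full output of the three commands; only the fields named in check_hsb_pair are consulted, so extra lines such as timers and creation times are carried along without affecting the result.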

  11. [Device] On the ACs, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template. In this way, the ACs can communicate with the RADIUS server.

    # On AC1, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.

    [AC1] radius-server template radius_template
    [AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80  //Configure a primary RADIUS authentication server with a higher weight than that of the secondary authentication server.
    //Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
    [AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40  //Configure a secondary RADIUS authentication server with a lower weight than that of the primary authentication server.
    //Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
    [AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80  //Configure a primary RADIUS accounting server with a higher weight than that of the secondary accounting server to obtain user login and logout information.
    //Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
    [AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40  //Configure a secondary RADIUS accounting server with a lower weight than that of the primary accounting server to obtain user login and logout information.
    //Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
    [AC1-radius-radius_template] radius-server shared-key cipher Admin@123  //Configure a shared key for the RADIUS server.
    [AC1-radius-radius_template] radius-server user-name original  //Configure the AC to send the user names entered by users to the RADIUS server.
    [AC1-radius-radius_template] quit
    [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123  //Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC. 
    //Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
    [AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123  //Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC. 
    //Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
    //The access control device can process CoA/DM Request packets initiated by the Agile Controller-Campus only after the authorization servers are configured. 
    //Authentication servers and authorization servers must have a one-to-one mapping, that is, the number of authentication servers and authorization servers must be the same. 
    //If not, the Agile Controller-Campus will fail to kick some users offline.
    [AC1] aaa
    [AC1-aaa] authentication-scheme auth_scheme
    [AC1-aaa-authen-auth_scheme] authentication-mode radius  //Set the authentication scheme to RADIUS.
    [AC1-aaa-authen-auth_scheme] quit
    [AC1-aaa] accounting-scheme acco_scheme
    [AC1-aaa-accounting-acco_scheme] accounting-mode radius  //Set the accounting scheme to RADIUS. 
    //The RADIUS accounting scheme must be used so that the RADIUS server can maintain account state information such as login/logout information and force users to go offline.
    [AC1-aaa-accounting-acco_scheme] accounting realtime 15  //Set the real-time accounting interval to 15 minutes.
    [AC1-aaa-accounting-acco_scheme] quit
    [AC1-aaa] quit
    NOTE:

    The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set a real-time accounting interval based on the user quantity.

    Table 4-136 Accounting interval

    User Quantity    Real-Time Accounting Interval
    1 to 99          3 minutes
    100 to 499       6 minutes
    500 to 999       12 minutes
    ≥ 1000           ≥ 15 minutes

    # Check whether a user can use a RADIUS template for authentication. (User name test and password Admin_123 have been configured on the RADIUS server.)

    [AC1] test-aaa test Admin_123 radius-template radius_template pap
    Info: Account test succeed.

    # On AC2, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template. The RADIUS authentication configuration of AC2 is the same as that of AC1 and is not provided here.
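    The notes in this step name two configuration pitfalls (every authentication server needs an authorization server, or CoA/DM fails for some users; and one shared key across authentication, accounting and authorization) plus the Table 4-136 interval rule. The Python checker below is an added example, not Huawei code: it parses constructed sample lines modelled on the AC1 commands above (SAMPLE_CONFIG, with the authorization server for 172.22.10.3 deliberately left out) and reports each violation; the function names are my own.

```python
# Added example, not Huawei code: consistency checks for the step 11 RADIUS template.
import re
# Constructed sample modelled on the AC1 commands above, with one deliberate gap:
# no authorization server for 172.22.10.3, so the mapping check has something to find.
SAMPLE_CONFIG = """\
radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
radius-server shared-key cipher Admin@123
radius-server authorization 172.22.10.2 shared-key cipher Admin@123
accounting realtime 15
"""
SERVER_RE = re.compile(r"radius-server (authentication|accounting) (\S+) \d+ .*weight (\d+)")
AUTHZ_RE = re.compile(r"radius-server authorization (\S+) shared-key cipher (\S+)")
KEY_RE = re.compile(r"radius-server shared-key cipher (\S+)")
REALTIME_RE = re.compile(r"accounting realtime (\d+)")

def recommended_interval(user_count):
    """Minimum real-time accounting interval in minutes, per Table 4-136."""
    for max_users, minutes in ((99, 3), (499, 6), (999, 12)):
        if user_count <= max_users:
            return minutes
    return 15

def parse_radius_config(text):
    # servers per role (ip -> weight, or ip -> key for authorization), template key, interval
    cfg = {"authentication": {}, "accounting": {}, "authorization": {}, "key": None, "realtime": None}
    for line in text.splitlines():
        if m := SERVER_RE.match(line):
            cfg[m.group(1)][m.group(2)] = int(m.group(3))
        elif m := AUTHZ_RE.match(line):
            cfg["authorization"][m.group(1)] = m.group(2)
        elif m := KEY_RE.match(line):
            cfg["key"] = m.group(1)
        elif m := REALTIME_RE.match(line):
            cfg["realtime"] = int(m.group(1))
    return cfg

def check_radius_config(text, user_count):
    """Return findings: missing authorization mapping, key mismatch, interval too short."""
    cfg, findings = parse_radius_config(text), []
    for ip in cfg["authentication"]:  # each authentication server needs an authorization server
        if ip not in cfg["authorization"]:
            findings.append(f"no authorization server for {ip}: CoA/DM for its users will fail")
    for ip, key in cfg["authorization"].items():  # one key for auth, accounting and authorization
        if key != cfg["key"]:
            findings.append(f"authorization key for {ip} differs from the template shared key")
    need = recommended_interval(user_count)
    if cfg["realtime"] is not None and cfg["realtime"] < need:
        findings.append(f"realtime interval {cfg['realtime']} min is below the recommended {need} min")
    return findings
```

    Running `check_radius_config(SAMPLE_CONFIG, 1000)` returns exactly one finding, the missing authorization server for 172.22.10.3; adding that server, as the page does, clears it.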

  12. [Device] Configure APs to go online on AC1 and AC2. The following uses AC1 as an example.

    # Create an AP group to which APs with the same configuration can be added.

    [AC1] wlan
    [AC1-wlan-view] ap-group name ap-group1
    [AC1-wlan-ap-group-ap-group1] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC1-wlan-view] regulatory-domain-profile name domain1
    [AC1-wlan-regulatory-domain-prof-domain1] country-code cn
    [AC1-wlan-regulatory-domain-prof-domain1] quit
    [AC1-wlan-view] ap-group name ap-group1
    [AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC1-wlan-ap-group-ap-group1] quit
    [AC1-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC1] capwap source ip-address 172.18.10.1
    

    # Import the AP offline on the AC and add the AP to the AP group ap-group1.

    [AC1] wlan
    [AC1-wlan-view] ap auth-mode mac-auth
    [AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC1-wlan-ap-0] ap-name ap_0
    [AC1-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC1-wlan-ap-0] quit
    [AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
    [AC1-wlan-ap-1] ap-name ap_1
    [AC1-wlan-ap-1] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC1-wlan-ap-1] quit
    [AC1-wlan-view] quit
    

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.

    [AC1] display ap all
    Total AP information:
    nor  : normal          [2]
    -------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    -------------------------------------------------------------------------------------
    0    60de-4476-e360 ap_0 ap_group  172.18.10.254 AP6010DN-AGN    nor   0   10S
    1    60de-4476-e380 ap_1 ap_group  172.18.10.253 AP6010DN-AGN    nor   0   20S
    -------------------------------------------------------------------------------------
    Total: 2

  13. [Device] Configure wireless 802.1X authentication on AC1. The 802.1X authentication configuration of AC2 is the same as that of AC1 and is not provided here.

    The following figure shows the process of configuring wireless 802.1X authentication.

    1. Configure an access profile.

      NOTE:

      An access profile defines the 802.1X authentication protocol and packet processing parameters. By default, EAP authentication is used.

      [AC1] dot1x-access-profile name acc_dot1x
      [AC1-dot1x-access-profile-acc_dot1x] quit

    2. Configure an authentication profile.

      Specify the user access mode in the authentication profile through the access profile. Bind the RADIUS authentication scheme, accounting scheme, and server template to the authentication profile so that RADIUS authentication is used.

      [AC1] authentication-profile name auth_dot1x
      [AC1-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
      [AC1-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
      [AC1-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
      [AC1-authentication-profile-auth_dot1x] radius-server radius_template
      [AC1-authentication-profile-auth_dot1x] quit

    3. Set wireless 802.1X authentication parameters.

      # Create the security profile security_dot1x and set the security policy in the profile.

      [AC1] wlan
      [AC1-wlan-view] security-profile name security_dot1x
      [AC1-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
      [AC1-wlan-sec-prof-security_dot1x] quit

      # Create the SSID profile wlan-ssid and set the SSID name to employee.

      [AC1-wlan-view] ssid-profile name wlan-ssid
      [AC1-wlan-ssid-prof-wlan-ssid] ssid employee
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC1-wlan-ssid-prof-wlan-ssid] quit

      # Create the VAP profile wlan-vap, configure the service data forwarding mode and service VLAN, and apply the security, SSID, and authentication profiles to the VAP profile.

      [AC1-wlan-view] vap-profile name wlan-vap
      [AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward  //Configure direct forwarding
      [AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
      [AC1-wlan-vap-prof-wlan-vap] security-profile security_dot1x
      [AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
      [AC1-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
      [AC1-wlan-vap-prof-wlan-vap] quit

      # Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile to radio 0 and radio 1 of the AP.

      [AC1-wlan-view] ap-group name ap-group1
      [AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
      [AC1-wlan-ap-group-ap-group1] quit
      [AC1-wlan-view] quit
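      Steps 11 to 13 build a chain of references: the AP group binds a VAP profile, the VAP profile binds a security profile (wpa2 dot1x aes) and an authentication profile, and the authentication profile binds the 802.1X access profile, the schemes and the RADIUS template. The Python checker below is an added example, not Huawei code; it walks that chain in a constructed sample laid out like a saved configuration (child commands indented one space) and reports any VAP on the AP group that is not 802.1X-protected end to end. The function names are my own.

```python
# Added example, not Huawei code: walks the step 13 profile chain from an AP group
# down to the RADIUS template and reports a VAP that is not 802.1X-protected end to end.
import re
# Constructed sample modelled on the AC1 commands in steps 11 to 13, laid out as in a saved configuration.
SAMPLE_CONFIG = """\
dot1x-access-profile name acc_dot1x
authentication-profile name auth_dot1x
 dot1x-access-profile acc_dot1x
 authentication-scheme auth_scheme
 accounting-scheme acco_scheme
 radius-server radius_template
security-profile name security_dot1x
 security wpa2 dot1x aes
ssid-profile name wlan-ssid
 ssid employee
vap-profile name wlan-vap
 security-profile security_dot1x
 ssid-profile wlan-ssid
 authentication-profile auth_dot1x
ap-group name ap-group1
 vap-profile wlan-vap wlan 1 radio all
"""

def parse_profiles(text):
    # {profile_type: {name: {child_command: argument}}}, built from the indented blocks
    profiles, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"(\S+) name (\S+)$", line):
            current = profiles.setdefault(m.group(1), {}).setdefault(m.group(2), {})
        elif line.startswith(" ") and current is not None:
            cmd, _, arg = line.strip().partition(" ")
            current[cmd] = arg
    return profiles

def check_vap_chain(text, group="ap-group1"):
    """Findings for the VAP bound to the AP group whose security or authentication chain is incomplete."""
    p, findings = parse_profiles(text), []
    vap_line = p.get("ap-group", {}).get(group, {}).get("vap-profile", "")
    vap_name = vap_line.split()[0] if vap_line else None
    vap = p.get("vap-profile", {}).get(vap_name, {})
    if not vap:
        return [f"AP group {group} binds no VAP profile"]
    sec = p.get("security-profile", {}).get(vap.get("security-profile"), {})
    if not sec.get("security", "").startswith("wpa2 dot1x"):
        findings.append(f"VAP {vap_name}: security policy is '{sec.get('security', 'none')}', not wpa2 dot1x")
    auth = p.get("authentication-profile", {}).get(vap.get("authentication-profile"), {})
    for child in ("dot1x-access-profile", "authentication-scheme", "accounting-scheme", "radius-server"):
        if child not in auth:
            findings.append(f"VAP {vap_name}: authentication profile lacks {child}")
    return findings
```

      With the sample as written, `check_vap_chain(SAMPLE_CONFIG)` returns no findings; swapping the security policy for an open one, or dropping the authentication-profile binding from the VAP, produces a finding for each broken link.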

  14. [Device] Configure resources accessible to users after successful authentication on AC1 and AC2. In this example, all resources are configured as accessible after successful authentication.

    [AC1] acl 3001  
    [AC1-acl-adv-3001] rule 1 permit ip  
    [AC1-acl-adv-3001] quit

  15. [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile Controller-Campus to manage the AC.
    1. Choose Resource > Device > Device Management.
    2. Click Add.
    3. Configure parameters for the AC.

      Parameter                               Value         Description
      Name                                    AC            -
      IP address                              172.18.10.1   Virtual IP address of the AC.
      Authentication key                      Admin@123     It must be the same as the shared key of the RADIUS authentication server configured on the AC.
      Accounting key                          Admin@123     It must be the same as the shared key of the RADIUS accounting server configured on the AC.
      Real-time accounting interval (minute)  15            It must be the same as the real-time accounting interval configured on the AC.

    4. Click OK.
  16. Configure authentication and authorization.
    1. Optional: Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create an authentication rule.

      By default, an authentication rule takes effect only on the local data source. If a third-party data source such as an AD data source is used, modify the default authentication rule or create an authentication rule, and select the correct authentication data source.

    2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and add an authorization ACL.

      The ACL number must be the same as that configured on the authentication control device.

    3. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and bind the authorization result to specify resources accessible to users after successful authentication.

Verification

Item: Employee authentication
Expected result:
  • Use a mobile phone to associate with the SSID employee, and enter an AD domain user name and password.
  • After successful authentication, you can access Internet resources successfully.
  • Run the display access-user and display access-user user-id user-id commands on AC1 to view detailed online user information.
  • Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view RADIUS logs.

Item: AC1 power-off
Expected result: Services are automatically switched to AC2 without affecting employee authentication. The switchover is not perceived by user terminals.

Item: SC power-off
Expected result: After the network cable of a Service Controller is disconnected, employees are re-authenticated and go online. Their access rights are normal.

Summary and Suggestions

  • The authentication key and accounting key must be kept consistent on the ACs and Agile Controller-Campus.

  • Authorization rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition of a user matches a rule, the Agile Controller-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and set lower priorities for the rules defining fuzzy conditions.

  • The RADIUS accounting function is configured on the ACs so that the Agile Controller-Campus can obtain online user information by exchanging accounting packets with the ACs. The Agile Controller-Campus does not provide a real accounting function; if accounting is required, use a third-party accounting server.
Updated: 2019-03-30

Document ID: EDOC1000184389
