WLAN V200R008C10 Typical Configuration Examples

Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)

Networking Requirements

An enterprise uses HTTPS for Portal authentication.

As shown in Figure 4-33, an AC in an enterprise directly connects to an AP. The enterprise deploys the WLAN wlan-net to provide wireless network access for employees. The AC functions as the DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.

The AC and employees' STAs communicate at Layer 2. To reduce network security risks, you can deploy Layer 2 Portal authentication on the AC. The AC works with the RADIUS server (integrated with the Portal server) to implement access control on employees who attempt to connect to the enterprise network, meeting the enterprise's security requirements.

Figure 4-33 Networking diagram for configuring Layer 2 external Portal authentication

Configuration Roadmap

  1. Configure basic WLAN services so that the AC can communicate with upper-layer and lower-layer devices and the AP can go online.
  2. Configure RADIUS authentication parameters.
  3. Configure a Portal server template.
  4. Configure a Portal access profile and configure Layer 2 Portal authentication.
  5. Configure an authentication-free rule profile so that the AC allows packets to the DNS server to pass through.
  6. Configure an authentication profile to manage NAC configuration.
  7. Configure WLAN service parameters, and bind a security policy profile and an authentication profile to a VAP profile to control access from STAs.

Data plan

RADIUS authentication parameters
  • Name of the RADIUS authentication scheme: radius_huawei
  • Name of the RADIUS accounting scheme: scheme1
  • Name of the RADIUS server template: radius_huawei
  • RADIUS server IP address: 10.23.200.1
  • Authentication port number: 1812
  • Accounting port number: 1813
  • Shared key: Huawei@123

SSL policy
  • Name: huawei
  • PKI domain: default

Portal server template
  • Name: abc
  • IP address: 10.23.200.1
  • URL address: https://10.23.200.1:8445/portal
  • Portal shared key: Admin@123

Portal access profile
  • Name: portal1
  • Bound template: Portal server template abc

Authentication-free rule profile
  • Name: default_free_rule
  • Authentication-free resource: IP address of the DNS server (10.23.200.2)

Authentication profile
  • Name: p1
  • Bound profiles and schemes: Portal access profile portal1, RADIUS server template radius_huawei, RADIUS authentication scheme radius_huawei, RADIUS accounting scheme scheme1, and authentication-free rule profile default_free_rule

DHCP server
  • The AC functions as the DHCP server to assign IP addresses to the AP and STAs.

IP address pool for the AP
  • 10.23.100.2 to 10.23.100.254/24

IP address pool for the STAs
  • 10.23.101.2 to 10.23.101.254/24

IP address of the AC's source interface
  • VLANIF 100: 10.23.100.1/24

AP group
  • Name: ap-group1
  • Bound profiles: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile
  • Name: domain1
  • Country code: CN

SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net

Security profile
  • Name: wlan-security
  • Security policy: Open

VAP profile
  • Name: wlan-vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Bound profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Procedure

  1. Configure the AC to enable exchange of CAPWAP packets between the AP and AC.

    # Add AC interface GE0/0/1 to VLAN 100 (management VLAN).

    NOTE:

    In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used, configure port isolation on GE0/0/1, which connects the AC to the AP. Without port isolation, a large number of broadcast packets will be transmitted over the VLAN, and WLAN users on different APs will be able to communicate directly at Layer 2.

    In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.

    <AC6605> system-view
    [AC6605] sysname AC
    [AC] vlan batch 100 101
    [AC] interface gigabitethernet 0/0/1
    [AC-GigabitEthernet0/0/1] port link-type trunk
    [AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [AC-GigabitEthernet0/0/1] quit
    

  2. Configure the AC to communicate with upper-layer network devices.

    # Add GE0/0/2 that connects the AC to the upper-layer device to VLAN 101 (service VLAN).

    [AC] interface gigabitethernet 0/0/2
    [AC-GigabitEthernet0/0/2] port link-type trunk
    [AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
    [AC-GigabitEthernet0/0/2] quit
    

  3. Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.

    # Configure the AC as the DHCP server to assign an IP address to the AP from the IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF 101.

    [AC] dhcp enable
    [AC] interface vlanif 100
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit
    [AC] interface vlanif 101
    [AC-Vlanif101] ip address 10.23.101.1 24
    [AC-Vlanif101] dhcp select interface
    [AC-Vlanif101] dhcp server dns-list 10.23.200.2
    [AC-Vlanif101] quit
    

  4. Configure a route from the AC to the server area (assume that the IP address of the upper-layer device connected to the AC is 10.23.101.2). Note that this address lies inside the STA address pool on VLANIF 101 (10.23.101.2 to 10.23.101.254); in a real deployment, make sure the upstream device's address cannot also be handed out to a STA.

    [AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
    

  5. Configure the AP to go online.

    # Create an AP group and add the AP to the AP group.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulate-domain-domain1] country-code cn
    [AC-wlan-regulate-domain-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y 
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100
    
    # Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. This example assumes that the AP's MAC address is 60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
    NOTE:

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AP6010DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name area_1
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y 
    [AC-wlan-ap-0] quit
    [AC-wlan-view] quit
    

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

    [AC] display ap all
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    --------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
    --------------------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN    nor   0   10S         -
    --------------------------------------------------------------------------------------------------
    Total: 1

  6. Configure a RADIUS server template, a RADIUS authentication scheme, and a RADIUS accounting scheme.

    NOTE:

    Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

    # Configure a RADIUS server template.

    [AC] radius-server template radius_huawei
    [AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
    [AC-radius-radius_huawei] radius-server accounting 10.23.200.1 1813
    [AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
    [AC-radius-radius_huawei] quit

    # Configure a RADIUS authentication scheme.

    [AC] aaa
    [AC-aaa] authentication-scheme radius_huawei
    [AC-aaa-authen-radius_huawei] authentication-mode radius
    [AC-aaa-authen-radius_huawei] quit

    # Configure a RADIUS accounting scheme (still in the AAA view).

    [AC-aaa] accounting-scheme scheme1
    [AC-aaa-accounting-scheme1] accounting-mode radius
    [AC-aaa-accounting-scheme1] accounting realtime 15
    [AC-aaa-accounting-scheme1] quit
    [AC-aaa] quit
    NOTE:
    • In this example, the device is connected to the Agile Controller-Campus. Accounting is not used for billing; the accounting packets are used to maintain the online status of terminals.

    • The accounting realtime command sets the real-time accounting interval. A shorter interval places a higher load on the device and the RADIUS server, so set it according to the number of users:

    User Quantity    Real-Time Accounting Interval
    1-99             3 minutes
    100-499          6 minutes
    500-999          12 minutes
    ≥ 1000           ≥ 15 minutes

  7. Configure the HTTPS protocol for Portal authentication.

    NOTE:

    If the HTTPS protocol is used for Portal authentication, you need to configure an SSL policy. The policy in this example binds the default PKI realm, so the AC presents that realm's certificate when it redirects STAs over HTTPS. If the STAs do not trust that certificate, their browsers show a certificate warning before the authentication page opens; for production use, load a certificate issued by a CA that the STAs trust into the PKI realm.

    [AC] ssl policy huawei type server
    [AC-ssl-policy-huawei] pki-realm default
    [AC-ssl-policy-huawei] quit
    [AC] http secure-server ssl-policy huawei
    [AC] portal web-authen-server https ssl-policy huawei
    [AC] web-auth-server abc
    [AC-web-auth-server-abc] protocol http
    [AC-web-auth-server-abc] quit
    

  8. Configure a Portal server template.

    NOTE:

    Ensure that the Portal server IP address, URL address, port number, and shared key are configured correctly and are the same as those on the Portal server.

    [AC] web-auth-server abc
    [AC-web-auth-server-abc] server-ip 10.23.200.1 10.23.101.1
    [AC-web-auth-server-abc] shared-key cipher Admin@123
    [AC-web-auth-server-abc] url https://10.23.200.1:8445/portal
    [AC-web-auth-server-abc] quit
    

  9. Configure the Portal access profile portal1 and configure Layer 2 Portal authentication.

    [AC] portal-access-profile name portal1
    [AC-portal-access-profile-portal1] web-auth-server abc direct
    [AC-portal-access-profile-portal1] quit

  10. Configure an authentication-free rule profile.

    NOTE:

    The data plan exempts only the DNS server (10.23.200.2), but mask 24 exempts the whole 10.23.200.0/24 segment, including the RADIUS/Portal server 10.23.200.1, for STAs that have not yet authenticated. To limit the exemption to the DNS server, specify mask 32 (or 255.255.255.255). Keep authentication-free rules as narrow as possible, because any STA that associates with the open SSID can reach them.

    [AC] free-rule-template name default_free_rule
    [AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
    [AC-free-rule-default_free_rule] quit
    

  11. Configure the authentication profile p1.

    [AC] authentication-profile name p1
    [AC-authentication-profile-p1] portal-access-profile portal1
    [AC-authentication-profile-p1] free-rule-template default_free_rule
    [AC-authentication-profile-p1] authentication-scheme radius_huawei
    [AC-authentication-profile-p1] accounting-scheme scheme1
    [AC-authentication-profile-p1] radius-server radius_huawei
    [AC-authentication-profile-p1] quit

  12. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open system.

    [AC] wlan
    [AC-wlan-view] security-profile name wlan-security
    [AC-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AC-wlan-view] ssid-profile name wlan-ssid
    [AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AC-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AC-wlan-view] vap-profile name wlan-vap
    [AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
    [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AC-wlan-vap-prof-wlan-vap] quit
    

    # Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] quit
    

  13. Set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of radio 0, and configure the channel and power for radio 0.
    [AC-wlan-view] ap-id 0
    [AC-wlan-ap-0] radio 0
    [AC-wlan-radio-0/0] calibrate auto-channel-select disable
    [AC-wlan-radio-0/0] calibrate auto-txpower-select disable
    [AC-wlan-radio-0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-radio-0/0] eirp 127
    [AC-wlan-radio-0/0] quit
    # Disable automatic channel and power calibration functions of radio 1, and configure the channel and power for radio 1.
    [AC-wlan-ap-0] radio 1
    [AC-wlan-radio-0/1] calibrate auto-channel-select disable
    [AC-wlan-radio-0/1] calibrate auto-txpower-select disable
    [AC-wlan-radio-0/1] channel 20mhz 149
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-radio-0/1] eirp 127
    [AC-wlan-radio-0/1] quit
    [AC-wlan-ap-0] quit

  14. Verify the configuration.

    • The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.

    • The STAs obtain IP addresses when they successfully associate with the WLAN.

    • When a user opens the browser and attempts to access the network, the user is automatically redirected to the authentication page provided by the Portal server. After entering the correct user name and password on the page, the user can access the network.

    • Before authentication, a STA can reach only the authentication-free resources (the DNS server in this example) and the Portal server; requests to any other destination are redirected. After authentication, run the display access-user command on the AC to confirm that the STA is listed as an online user.

Configuration Files

AC configuration file

#
 sysname AC
#
 http secure-server ssl-policy huawei                                           
# 
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
portal web-authen-server https ssl-policy huawei                     
#   
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
 radius-server accounting 10.23.200.1 1813 weight 80
#
ssl policy huawei type server                                                   
 pki-realm default                                                              
#
free-rule-template name default_free_rule                                                                                           
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0                                                                          
# 
web-auth-server abc
 server-ip 10.23.200.1 10.23.101.1
 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
 url https://10.23.200.1:8445/portal
 protocol http
#
portal-access-profile name portal1
 web-auth-server abc direct
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2 
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#  
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
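The following Python script is an added example, not Huawei code and not part of this configuration example's own procedure. It parses the AC configuration file above (the embedded text is copied from that file, trimmed to the sections the checks read) and applies the checks the notes in the procedure call for: the management and service VLANs must differ under tunnel forwarding, an authentication-free rule should exempt only the intended host, a static-route next hop should not fall inside a DHCP interface pool, and the Portal URL should use HTTPS. The check names and the parse/audit functions are the script's own, not Huawei commands.

```python
"""Offline consistency checks for the AC configuration file on this page.
Added example; the configuration text is copied from the page, the checks are ours."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed input: the lines of the page's AC configuration file that the
# checks below read; unrelated sections are omitted.
AC_CONFIG = """\
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
radius-server template radius_huawei
 radius-server authentication 10.23.200.1 1812 weight 80
 radius-server accounting 10.23.200.1 1813 weight 80
web-auth-server abc
 server-ip 10.23.200.1 10.23.101.1
 url https://10.23.200.1:8445/portal
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
capwap source interface vlanif100
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
return
"""


def _net(addr, mask):
    # ipaddress accepts both "/24" and "/255.255.255.0"; strict=False tolerates host bits
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Extract the objects the checks need from the configuration text."""
    vlanifs = {}  # VLAN id -> (connected network, DHCP interface pool enabled)
    for m in re.finditer(r"^interface Vlanif(\d+)\n((?: .*\n)*)", cfg, re.M):
        ip = re.search(r"ip address (\S+) (\S+)", m.group(2))
        vlanifs[int(m.group(1))] = (_net(*ip.groups()), "dhcp select interface" in m.group(2))
    vaps = {}  # VAP profile -> (forwarding mode, service VLAN)
    for m in re.finditer(r"^ vap-profile name (\S+)\n((?:  .*\n)*)", cfg, re.M):
        vaps[m.group(1)] = (re.search(r"forward-mode (\S+)", m.group(2)).group(1),
                            int(re.search(r"service-vlan vlan-id (\d+)", m.group(2)).group(1)))
    return {
        "vlanifs": vlanifs, "vaps": vaps,
        "mgmt_vlan": int(re.search(r"capwap source interface vlanif(\d+)", cfg).group(1)),
        "free_rules": [(int(n), _net(a, k)) for n, a, k in
                       re.findall(r"free-rule (\d+) destination ip (\S+) mask (\S+)", cfg)],
        "dns": re.search(r"dhcp server dns-list (.+)", cfg).group(1).split(),
        "servers": set(re.findall(r"radius-server (?:authentication|accounting) (\S+)", cfg))
        | set(re.search(r"^ server-ip (.+)", cfg, re.M).group(1).split()),
        "routes": [(_net(d, k), ipaddress.ip_address(nh)) for d, k, nh in
                   re.findall(r"ip route-static (\S+) (\S+) (\S+)", cfg)],
        "portal_url": re.search(r"^ url (\S+)", cfg, re.M).group(1),
    }


def audit(cfg):
    """Return (check_id, message) findings; an empty list means every check passed."""
    c = parse(cfg)
    findings = []
    for name, (mode, svlan) in c["vaps"].items():
        if mode == "tunnel" and svlan == c["mgmt_vlan"]:
            findings.append(("tunnel-vlan", f"VAP {name}: service VLAN {svlan} equals the "
                             f"management VLAN; they must differ under tunnel forwarding"))
    for num, net in c["free_rules"]:
        if net.num_addresses > 1:  # wider than one host: more than the DNS server is exempt
            also = sorted(s for s in c["servers"] if ipaddress.ip_address(s) in net)
            findings.append(("free-rule-too-broad", f"free-rule {num}: {net} exempts "
                             f"{net.num_addresses} addresses before authentication, not only "
                             f"DNS {c['dns']}" + (f"; it also covers {also}" if also else "")))
    for dest, nh in c["routes"]:
        for vlan, (net, pool) in c["vlanifs"].items():
            if pool and nh in net:  # the next hop could be handed to a STA by DHCP
                findings.append(("nexthop-in-dhcp-pool", f"next hop {nh} for {dest} lies "
                                 f"inside the DHCP interface pool on Vlanif{vlan}"))
    if urlparse(c["portal_url"]).scheme != "https":
        findings.append(("portal-not-https", f"Portal URL {c['portal_url']} is not HTTPS"))
    return findings


if __name__ == "__main__":
    for cid, msg in audit(AC_CONFIG):
        print(f"[{cid}] {msg}")
```

Run against the page's own configuration, the script reports two findings: the /24 authentication-free rule (which also covers 10.23.200.1) and the static-route next hop 10.23.101.2 inside the VLANIF 101 DHCP pool. Narrowing the free rule to mask 32 clears the first finding; setting the service VLAN to 100 would additionally trigger the tunnel-forwarding VLAN check.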
Updated: 2019-03-30

Document ID: EDOC1000184389