WLAN V200R008C10 Typical Configuration Examples

Example for Configuring Wireless 802.1X Authentication

This section describes how to configure wireless 802.1X authentication for mobile terminals to access networks.

Involved Products and Versions

Product Type             Product Name             Version
-----------------------  -----------------------  -----------
Agile Controller-Campus  Agile Controller-Campus  V100R002C10
WLAN AC                  AC6605                   V200R006C20
Access switch            S2750EI                  V200R008C00
Aggregation switch       S5720HI                  V200R008C00

Networking Requirements

A company maintains user accounts and organizations on the AD server, and wants to provide wireless access for mobile office in its campus. Wireless 802.1X authentication can be used to ensure security.

Authenticated users can access Internet resources.

Figure 4-93 Networking diagram

Data Plan

Table 4-116 Wireless VLAN plan

VLAN ID  Function
-------  --------------------------------
10       mVLAN for wireless access
100      Service VLAN for wireless access

Table 4-117 Wireless network data plan

Item: Access switch S2750EI
  Data:
    • GE 0/0/2: VLAN 10
    • GE 0/0/3: VLAN 10
  Description: The uplink and downlink interfaces allow packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.

Item: Aggregation switch S5720HI
  Data:
    • GE 0/0/1: VLAN 10
    • GE 0/0/2: VLAN 100
    • GE 0/0/3: VLAN 10 and VLAN 100
  Description:
    • GE 0/0/1: This downlink interface allows packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.
    • GE 0/0/2: This uplink interface allows packets only from the service VLAN to pass through.
    • GE 0/0/3: The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.

Item: AC6605
  Data:
    • GE 0/0/1: VLAN 10 and VLAN 100
    • VLANIF 10: 10.10.10.254/24
  Description:
    • GE 0/0/1: The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.
    • VLANIF 10: Gateway for APs.

Item: Core router
  Data: GE 1/0/1: 172.16.21.254/24
  Description: Gateway for end users.

Item: Server
  Data:
    • Agile Controller-Campus: 192.168.11.10
    • AD server: 192.168.11.100
  Description: -
Table 4-118 802.1X service data plan

Item: RADIUS
  Data:
    • RADIUS server: Agile Controller-Campus server
    • Authentication key: Admin@123
    • Accounting key: Admin@123
    • Real-time accounting interval: 15 minutes
    • Authentication port: 1812
    • Accounting port: 1813
  Description: The access control device and Agile Controller-Campus function as the RADIUS client and server respectively. The authentication, authorization, and accounting keys and the accounting interval must be the same on the access control device and Agile Controller-Campus. The Agile Controller-Campus functioning as the RADIUS server uses ports 1812 and 1813 for authentication and accounting respectively.

Item: Pre-authentication domain
  Data: Agile Controller-Campus server
  Description: -

Item: Post-authentication domain
  Data: Internet
  Description: -
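The requirement in Table 4-118 that the RADIUS keys be identical on the AC and the Agile Controller-Campus follows from how RADIUS protects its packets: the shared key is the only thing that binds a reply to the request and to the server that sent it. The following Python script is an added example, not Huawei's code, that models one Access-Request from the AC (RADIUS client, source address 10.10.10.254) to the server (192.168.11.10, UDP port 1812) and the Access-Accept coming back, computing the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator (HMAC-MD5) exactly as a NAS would when it validates a reply. The user name alice@example.com, the packet identifier and the EAP payloads are constructed for the demonstration; the script builds the packets in memory and sends nothing.

```python
"""RADIUS reply verification keyed by the shared secret (RFC 2865 / RFC 3579).

Added example, not Huawei code. Models the AC (RADIUS client, source IP
10.10.10.254) talking to the Agile Controller-Campus (RADIUS server at
192.168.11.10, UDP/1812) with the authentication key from the data plan.
All packet contents below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; the length octet covers T and L."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(blob):
    """Parse TLVs, rejecting lengths that would run past the packet."""
    attrs = []
    while blob:
        if len(blob) < 2:
            raise ValueError("truncated attribute")
        attr_type, length = struct.unpack("!BB", blob[:2])
        if length < 2 or length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, blob[2:length]))
        blob = blob[length:]
    return attrs


def build_packet(code, ident, request_auth, attrs, secret):
    """Build a request or reply carrying a Message-Authenticator.

    request_auth is the 16-byte Request Authenticator: it is sent as-is in an
    Access-Request; for a reply it seeds both MACs (RFC 3579 s.3.2) and is then
    replaced by the Response Authenticator (RFC 2865 s.3).
    """
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # HMAC-MD5 over the whole packet with the Message-Authenticator zeroed
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    if code == ACCESS_REQUEST:
        return header + request_auth + body
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(request, response, secret):
    """What the NAS does on receipt: match the ID, then check both
    authenticators under its own secret. Any failure means silent discard."""
    if len(request) < 20 or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    if length != len(response) or ident != request[1]:
        return False
    request_auth = request[4:20]
    header, response_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, macs[0])


def simulate_exchange(client_secret=b"Admin@123", server_secret=b"Admin@123"):
    """One Access-Request / Access-Accept round trip. Returns True only when
    the AC can verify the reply, i.e. when both sides hold the same key."""
    identity = b"alice@example.com"                      # constructed AD account
    eap_identity = bytes([2, 1, 0, 5 + len(identity), 1]) + identity  # EAP Response/Identity
    request = build_packet(ACCESS_REQUEST, 42, os.urandom(16), [
        (ATTR_USER_NAME, identity),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 10, 10, 254])),  # AC source address
        (ATTR_EAP_MESSAGE, eap_identity),
    ], client_secret)
    # The server reads the Request Authenticator from the request and answers
    # with whatever key it has configured for this RADIUS client.
    eap_success = bytes([3, 1, 0, 4])
    response = build_packet(ACCESS_ACCEPT, request[1], request[4:20],
                            [(ATTR_EAP_MESSAGE, eap_success)], server_secret)
    return verify_response(request, response, client_secret)


if __name__ == "__main__":
    print("matching keys :", simulate_exchange())
    print("mismatched key:", simulate_exchange(server_secret=b"Admin@124"))
```

Running the script shows the practical symptom of a key mismatch: the server's Access-Accept is not turned into an Access-Reject, it simply fails verification on the AC and is discarded, so the user sees an authentication timeout and the display access-user commands in the Verification section never list the session. The same check also rejects a reply whose identifier does not match the outstanding request or whose contents were altered in transit.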

Configuration Roadmap

To ensure unified user traffic control on the AC, it is recommended that tunnel forwarding be used to forward packets between the AC and APs.

  1. Configure VLANs, IP addresses, and routes on the access switch, aggregation switch, and AC to ensure network connectivity.
  2. Set RADIUS interconnection parameters and wireless access service parameters on the AC to implement wireless 802.1X authentication.
  3. Add the AC on the Agile Controller-Campus, and configure authentication and authorization.
NOTE:

In this example, AD accounts have been synchronized to the basic configuration on the Agile Controller-Campus.

In this example, the gateway for end users is deployed on the core router. If the gateway for end users is deployed on the AC, you only need to configure dhcp select interface in the service VLAN on the AC.

This example provides only configurations of the AC, aggregation switch, and access switch.

Procedure

  1. [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
    1. Configure the access switch.

      <HUAWEI> system-view
      [HUAWEI] sysname S2700
      [S2700] vlan 10   
      [S2700-vlan10] quit   
      [S2700] interface gigabitethernet 0/0/3  
      [S2700-GigabitEthernet0/0/3] port link-type trunk
      [S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
      [S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
      [S2700-GigabitEthernet0/0/3] quit
      [S2700] interface gigabitethernet 0/0/2  
      [S2700-GigabitEthernet0/0/2] port link-type trunk
      [S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
      [S2700-GigabitEthernet0/0/2] quit

    2. Configure the aggregation switch.

      <HUAWEI> system-view
      [HUAWEI] sysname S5700
      [S5700] vlan batch 10 100   
      [S5700] interface gigabitethernet 0/0/1  
      [S5700-GigabitEthernet0/0/1] port link-type trunk  
      [S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 
      [S5700-GigabitEthernet0/0/1] quit
      [S5700] interface gigabitethernet 0/0/2  
      [S5700-GigabitEthernet0/0/2] port link-type trunk
      [S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
      [S5700-GigabitEthernet0/0/2] quit
      [S5700] interface gigabitethernet 0/0/3  
      [S5700-GigabitEthernet0/0/3] port link-type trunk
      [S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100  
      [S5700-GigabitEthernet0/0/3] quit

    3. Configure the AC.

      # Configure the AC's interface to allow packets from the service VLAN and mVLAN to pass through.

      <HUAWEI> system-view
      [HUAWEI] sysname AC
      [AC] vlan batch 10 100
      [AC] interface gigabitethernet 0/0/1  
      [AC-GigabitEthernet0/0/1] port link-type trunk
      [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
      [AC-GigabitEthernet0/0/1] quit

      # Configure VLANIF 10 as the gateway for APs to dynamically assign IP addresses to the APs. If the AC is used as the gateway for end users, configure the gateway IP address and enable DHCP on the AC's interface in the service VLAN.

      [AC] dhcp enable   
      [AC] interface vlanif 10
      [AC-Vlanif10] ip address 10.10.10.254 24
      [AC-Vlanif10] dhcp select interface
      [AC-Vlanif10] quit

      # Configure the default route with the core router as the next hop.

      [AC] ip route-static 0.0.0.0 0 172.16.21.254

  2. [Device] Configure AP online parameters to enable APs to go online automatically after connecting to a network.

    NOTE:

    If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.

    1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
    2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address for the AC.

    # Create an AP group to which APs with the same configuration can be added.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulatory-domain-prof-domain1] country-code cn
    [AC-wlan-regulatory-domain-prof-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 10  //Configure an mVLAN interface.
    

    # Import the AP offline on the AC and add the AP to the AP group ap-group1. This example assumes that the MAC address of the AP is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name area_1
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-0] quit
    [AC-wlan-view] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.

    [AC] display ap all
    Total AP information:
    nor  : normal          [1]
    -------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    -------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.10.10.122 AP6010DN-AGN    nor   0   10S
    -------------------------------------------------------------------------------------
    Total: 1

  3. [Device] Configure 802.1X authentication parameters to enable 802.1X authentication.

    The following figure shows the process of configuring wireless 802.1X authentication.

    1. Configure a RADIUS server template, an authentication scheme, and an accounting scheme.

      [AC] radius-server template radius_template  //Template name must match the one bound in the authentication profile.
      [AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254  
      [AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
      [AC-radius-radius_template] radius-server shared-key cipher Admin@123
      [AC-radius-radius_template] radius-server user-name original  //Configure the AC to send the user names entered by users to the RADIUS server.  
      [AC-radius-radius_template] quit
      [AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123  
      [AC] aaa  
      [AC-aaa] authentication-scheme auth_scheme  //Authentication scheme
      [AC-aaa-authen-auth_scheme] authentication-mode radius  //Set the authentication scheme to RADIUS.
      [AC-aaa-authen-auth_scheme] quit
      [AC-aaa] accounting-scheme acco_scheme  //Accounting scheme
      [AC-aaa-accounting-acco_scheme] accounting-mode radius  //Set the accounting scheme to RADIUS.
      [AC-aaa-accounting-acco_scheme] accounting realtime 15  
      [AC-aaa-accounting-acco_scheme] quit
      [AC-aaa] quit
      
      NOTE:

      The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set a real-time accounting interval based on the user quantity.

      Table 4-119 Accounting interval

      User Quantity  Real-Time Accounting Interval
      -------------  -----------------------------
      1 to 99        3 minutes
      100 to 499     6 minutes
      500 to 999     12 minutes
      ≥ 1000         ≥ 15 minutes

    2. Configure an access profile.

      NOTE:

      An access profile defines the 802.1X authentication protocol and packet processing parameters. By default, EAP authentication is used.

      [AC] dot1x-access-profile name acc_dot1x
      [AC-dot1x-access-profile-acc_dot1x] quit

    3. Configure an authentication profile.

      Specify the user access mode in the authentication profile through the access profile. Bind the RADIUS authentication scheme, accounting scheme, and server template to the authentication profile so that RADIUS authentication is used.

      [AC] authentication-profile name auth_dot1x
      [AC-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
      [AC-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
      [AC-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
      [AC-authentication-profile-auth_dot1x] radius-server radius_template
      [AC-authentication-profile-auth_dot1x] quit

    4. Set wireless 802.1X authentication parameters.

      # Create the security profile security_dot1x and set the security policy in the profile.

      [AC] wlan
      [AC-wlan-view] security-profile name security_dot1x
      [AC-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
      [AC-wlan-sec-prof-security_dot1x] quit

      # Create the SSID profile wlan-ssid and set the SSID name to dot1x_access.

      [AC-wlan-view] ssid-profile name wlan-ssid
      [AC-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-ssid-prof-wlan-ssid] quit

      # Create the VAP profile wlan-vap, configure the service data forwarding mode and service VLAN, and apply the security, SSID, and authentication profiles to the VAP profile.

      [AC-wlan-view] vap-profile name wlan-vap
      [AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
      Warning: This action may cause service interruption. Continue?[Y/N]y
      [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
      [AC-wlan-vap-prof-wlan-vap] security-profile security_dot1x
      [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
      [AC-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
      [AC-wlan-vap-prof-wlan-vap] quit

      # Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile to radio 0 and radio 1 of the AP.

      [AC-wlan-view] ap-group name ap-group1
      [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
      [AC-wlan-ap-group-ap-group1] quit
      [AC-wlan-view] quit
      

  4. [Device] Configure resources that authenticated users can access.

    The Agile Controller-Campus can authorize authenticated users using static ACL, dynamic ACL, or VLAN. In this example, a static ACL is used.

    [AC] acl 3001  
    [AC-acl-adv-3001] rule 1 permit ip  
    [AC-acl-adv-3001] quit

  5. [Agile Controller-Campus] Add the SC server to the AD domain. (AD domain accounts are used for authentication.)

    If 802.1X authentication using the MSCHAPv2 protocol is performed on AD domain accounts, add the SC server to the AD domain.

    By default, the AnyOffice and the built-in 802.1X client of the operating system use the MSCHAPv2 protocol.

  6. [Agile Controller-Campus] Add an access control device and connect it to the Agile Controller-Campus through RADIUS.

    Choose Resource > Device > Device Management, and add the AC.

    Agile Controller-Campus Parameters      Command
    --------------------------------------  ---------------------------------------------------------------------
    Authentication/Accounting key           radius-server shared-key cipher Admin@123
    Authorization key                       radius-server authorization 192.168.11.10 shared-key cipher Admin@123
    Real-time accounting interval (minute)  accounting realtime 15

  7. [Agile Controller-Campus] Configure authentication and authorization rules. End users match the rules based on specified conditions.
    1. Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create an authentication rule.

      Add the AD server to Data Source. By default, an authentication rule takes effect only on the local data source, so AD accounts cannot be authenticated unless the AD server is added as a data source.

    2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and add an authorization ACL.

      The ACL number must be the same as the one configured on the access control device (ACL 3001 on the AC in this example).

    3. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and bind the authorization result to specify resources accessible to users after successful authentication.

Verification

  1. Use a mobile phone to associate with the SSID dot1x_access, and enter an AD domain user name and password.
  2. Obtain an IP address on the 172.16.21.0/24 network segment after successful authentication, and access Internet resources using this IP address.
  3. Run the display access-user and display access-user user-id user-id commands on the AC to view detailed online user information.
  4. Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view RADIUS logs.
Updated: 2019-03-30

Document ID: EDOC1000184389