
WLAN V200R008C10 Typical Configuration Examples

Appendix

Customizing Pages

This section describes how to customize registration page, authentication page, authentication success page, and user notice page for guests.

Context

To ensure that a page has an elegant appearance and high security, an administrator must be capable of page editing and image processing.

Based on the screen size, terminal devices are classified into mobile phones and computers. When you customize a page for mobile phones, the compact and simple style, small pictures, and short texts are recommended because mobile phones have small screen size. As computers have large screen size and can carry more information than mobile phones, you can use large pictures and relatively long texts during page customization. You need to customize pages for mobile phones and computers if an enterprise allows guests to access the network using mobile phones and computers (laptops and tablet computers).

Page customization supports multiple languages, including simplified Chinese, English, traditional Chinese, German, Spanish, French, and Portuguese by default. If the default language templates do not meet your needs, you can add language templates. For details, see Example: Adding Language Templates.

The Service Manager provides pre-defined page templates that are frequently used. You can choose Policy > Permission Control > Page Customization > Authentication & Registration Template to locate the templates. Administrators can select their desired page style or modify the style of the templates.

The registration page, authentication page, authentication success page, and user notice page make up a set of guest pages.

Procedure

  1. Choose Policy > Permission Control > Page Customization > Page Customization.
  2. Select one page template, and click Create Page.
  3. Set parameters for the customized page and click OK.
  4. Customize pages for mobile phones and PCs.
  5. Click Test and Publish.

    A customization page can be used by guests only after the page is released. The save to draft function only saves a customization page on the Service Manager.

    After you click Publish, the system automatically saves the customization page.

Defining a Redirection Rule for the Portal Page

After customizing authentication and registration pages for guests, the administrator defines a redirection rule for the Portal page to ensure that the guests can access the corresponding authentication and registration page.

Prerequisites

The authentication or registration page has been customized.

Context

If guests use different authentication and registration pages, configure a unified Portal page http://server-ip:8080/portal or http://agilecontroller.huawei.com:8080/portal for all users. The Agile Controller-Campus automatically redirects the Portal page to the authentication or registration page based on the defined redirection rule.

The URL using the domain name is recommended because it is safer and faster. However, you need to configure the mapping between the domain name agilecontroller.huawei.com and the server IP address on the DNS server in advance.

The Agile Controller-Campus supports redirection based on the following authentication information:
  • IP address of the terminal to be authenticated.
  • Information about the access device to be authenticated, for example, MAC address or SSID.

    This information is obtained from the HTTP parameter in the user authentication data.

    The redirection rule needs to be associated with the access device. For details, see Table 4-149.

  • Terminal's operating system type for authentication.
  • Account type for authentication.

    You need to configure the authentication-free function for WeChat accounts and select the corresponding option for public QR codes.

The redirection rules are prioritized. The rule with the highest priority is preferentially matched with the user authentication data. If all configured rules are mismatched, the default rule is used.

Procedure

  1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.
  2. Click Add.
  3. Set push rule related parameters.

    Table 4-149 Push rule related parameters

    Parameter

    Description

    Name

    Indicates the name of a Portal page push rule.

    Push conditions

    Specifies the condition for pushing Portal pages, including the time, terminal's IP address segment, self-defined parameter, terminal's operating system type, and account type.

    Self-defined parameters must be the same as those parameters carried in the URL configured on the AC by running the url-parameter command. The command format on the AC is as follows: url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | redirect-url redirect-url-value } *
    • ac-ip ac-ip-value: specifies the AC IP address carried in the URL. If required, set ac-ip-value to acip.
    • ac-mac ac-mac-value: specifies the AC MAC address carried in the URL and sets the parameter name.
    • ap-ip ap-ip-value: specifies the AP IP address carried in the URL and sets the parameter name.
    • ap-mac ap-mac-value: specifies the AP MAC address carried in the URL. If required, set ap-mac-value to apmac.
    • ssid ssid-value: specifies the SSID that users associate with carried in the URL. If required, set ssid-value to ssid.
    • sysname sysname-value: specifies the device system name carried in the URL and sets the parameter name.
    • user-ipaddress user-ipaddress-value: specifies the user IP address carried in the URL. If required, set user-ipaddress-value to userip.
    • user-mac user-mac-value: specifies the user MAC address carried in the URL. If required, set user-mac-value to usermac.
    • redirect-url redirect-url-value: specifies the original URL that a user accesses carried in the URL. If required, set redirect-url-value to url.

    For example, if the url-parameter ssid ssid command is configured on the AC, you must set ssid-value to ssid. If users connect to the network through the SSID example, you must set Customized parameters to ssid=example.

    NOTE:
    • For WeChat authentication and public QR code authentication, you must set a value for redirect-url.
    • For WeChat authentication-free, you need to set values for redirect-url and user-mac.
    • In scenarios where guests follow WeChat public account to access Wi-Fi, ssid, redirect-url, and user-mac are mandatory.
    • In area-based guest management scenarios, configure ac-ip, ap-mac, or user-ipaddress based on the device bound to each area.
    • When configuring URL parameters in the URL template view on the AC, do not run the parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } * command to modify the symbols in the URL. If you modify the symbols in the URL, URL resolution on the Agile Controller-Campus may fail, leading to an interconnection failure.

    Push page

    Select a page customized in Customizing Pages.

    First page to push

    Specifies the page to be pushed to a guest for the first time.

    URL

    Use the default value.

    Page displayed after successful authentication

    • No redirect: The authentication success page is displayed after the authentication succeeds.
    • Redirect to the specified address: A specified page is displayed after the authentication succeeds. Set the URL to be switched to in Address.
    • Continue to visit the original page: The original page that the user requests is displayed after the authentication succeeds. You need to configure the url-parameter redirect-url url command in the URL template on the AC or switch. For details, see How Do I Continue to Access the Original Page After Successful Portal Authentication?.

    Description

    -

  4. Click OK.

Example

Configure three redirection rules for the Portal page.

Redirection Rule | Redirected to | Priority (Smaller Value, Higher Priority)
Terminal device type: Android mobile phone | Authentication page A | 1
Self-defined parameter: network | Authentication page B | 2
Terminal's IP address segment: 10.10.10.10-10.10.10.50 | Authentication page C | 3
Default rule | Default page | N

A guest uses a laptop to connect to the wireless network named network. The laptop's IP address is 10.10.10.20. The guest accesses http://server-ip:8080/portal or http://agilecontroller.huawei.com:8080/portal and is then redirected to authentication page B for authentication. The first rule does not match because the laptop is not an Android mobile phone; the second rule matches the self-defined parameter network and, having a higher priority than the IP address segment rule, decides the page.
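As an added illustration (not part of the Huawei document), the following Python models how the push rules in the table above are matched, in priority order, against the parameters the AC carries in the Portal URL. The parameter names ssid, userip, usermac and url follow the url-parameter command in Table 4-149; the terminal OS type is assumed to be supplied separately by the controller's terminal identification, and the sample URL is constructed.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the Portal URL the AC builds for a guest when its URL template
# carries url-parameter ssid ssid, user-ipaddress userip, user-mac usermac and
# redirect-url url (the parameter names recommended in Table 4-149).
SAMPLE_REDIRECT = (
    "http://agilecontroller.huawei.com:8080/portal"
    "?ssid=network&userip=10.10.10.20&usermac=00-11-22-33-44-55"
    "&url=http%3A%2F%2Fwww.example.com%2F"
)

# The three push rules of the example table plus the default rule.
# A smaller priority value is matched first.
PUSH_RULES = [
    {"priority": 1, "condition": ("os_type", "Android"),
     "page": "Authentication page A"},
    {"priority": 2, "condition": ("param", "ssid=network"),
     "page": "Authentication page B"},
    {"priority": 3, "condition": ("ip_range", "10.10.10.10-10.10.10.50"),
     "page": "Authentication page C"},
]
DEFAULT_PAGE = "Default page"


def parse_auth_data(redirect_url: str) -> dict:
    """Return the URL parameters the AC carried, e.g. {'ssid': 'network', 'userip': ...}.

    This relies on the default '?', '=' and '&' separators; changing them on the AC
    (parameter start-mark/assignment-mark/isolate-mark) is what makes URL resolution
    on the controller fail, as the NOTE in Table 4-149 warns.
    """
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def condition_matches(condition: tuple, auth_data: dict, os_type: str) -> bool:
    """Evaluate one push condition against the guest's authentication data.

    os_type is assumed to come from the controller's terminal identification,
    not from the URL.
    """
    kind, value = condition
    if kind == "os_type":
        return os_type == value
    if kind == "param":                      # self-defined parameter, e.g. ssid=network
        name, _, expected = value.partition("=")
        return auth_data.get(name) == expected
    if kind == "ip_range":                   # terminal's IP address segment
        low, _, high = value.partition("-")
        if "userip" not in auth_data:        # no user-ipaddress parameter carried
            return False
        ip = ipaddress.ip_address(auth_data["userip"])
        return ipaddress.ip_address(low) <= ip <= ipaddress.ip_address(high)
    raise ValueError(f"unknown condition type: {kind}")


def select_page(redirect_url: str, os_type: str, rules=PUSH_RULES) -> str:
    """Walk the rules in priority order; the first match wins, else the default rule."""
    auth_data = parse_auth_data(redirect_url)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if condition_matches(rule["condition"], auth_data, os_type):
            return rule["page"]
    return DEFAULT_PAGE


if __name__ == "__main__":
    # The laptop from the example: SSID "network", IP 10.10.10.20, not an Android phone.
    print(select_page(SAMPLE_REDIRECT, os_type="Windows"))   # Authentication page B
```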

Example: Adding Language Templates

Language templates are used to specify languages of GUI elements such as page titles, buttons, and expressions on pages such as the self-service page, authentication page, registration page, authentication success page, registration success page, and user notice page. By default, the Agile Controller-Campus provides the following language templates: Chinese, English, traditional Chinese, German, French, Spanish and Portuguese. You can add language templates if the default language templates cannot satisfy your demands.

Procedure

  1. Choose Policy > Permission Control > Page Customization > Language Template to create a language template for basic self-service information.

  2. Choose Policy > Permission Control > Page Customization > Page Customization to customize the page containing this language template.

    When you customize an authentication success page, the page must contain the Self-help Service button.

  3. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule to create a Portal page push rule and choose the page customized in the preceding step as the page to be pushed.

  4. Enter http://IP address of the Portal authentication server:8080/portal in the address box of a web browser to visit the self-service page and check whether the GUI elements are displayed in the language configured in the language template.

Configuring MAC Address Authentication

This section describes operations and precautions for configuring MAC address authentication.

Scenario Description

MAC address authentication controls terminal network access permission based on the device interface and terminal MAC address. When a terminal connects to the network, the access control device automatically detects the terminal MAC address and sends the MAC address as the account and password to the RADIUS server for identity authentication. The RADIUS server instructs the access control device to grant network access permission to the end user only after the user identity is verified on the RADIUS server. MAC address authentication applies to scenarios where dumb terminals such as printers and IP phones cannot be authenticated using user names and passwords or scenarios where only terminal MAC addresses but not user names and passwords need to be verified due to special requirements. These terminals cannot trigger identity authentication and need to wait until the access control device sends authentication requests to the RADIUS server to connect to the network.

Task Overview

Procedure

  1. Configure the access control device.

    • Function

      In MAC address authentication, the access control device sends authentication requests to the RADIUS server. Therefore, configurations related to RADIUS authentication must be performed on the access control device.

    • Entrance

      Log in to the CLI of the access control device through the console port or using SSH.

    • Key configuration description

      See configuration examples for MAC address authentication.

  2. Add the access control device on the Agile Controller-Campus.

    • Function

      The Agile Controller-Campus can work with the access control device only after the device is added to the Agile Controller-Campus and interconnection parameters on the Agile Controller-Campus and device are the same.

    • Entrance

      Choose Resource > Device > Device Management.

    • Key configuration description
      • Authentication/Accounting key: The value is the same as the value configured using the radius-server shared-key command in the RADIUS template.
      • Authorization key: The value is the same as the value configured using the radius-server authorization 172.18.1.1 shared-key cipher Admin@123 command in the system view.
      • Real-time accounting interval: The value is the same as the value configured using the accounting realtime command in the accounting template.

  3. Add terminals to be authenticated using MAC address authentication.

    • Function

      In MAC address authentication, the identity of a terminal is verified using the terminal MAC address. The terminal can be authenticated only after it is manually added to the terminal list.

    • Entrance
      1. Choose Resource > Terminal > Terminal List.
      2. In the Device Group list, choose the first node and click Add on the right to add a device group to be authenticated using MAC address authentication.
      3. In the Device Group list, click the created device group and add terminals to be authenticated using MAC address authentication on the right.
        • Add terminals one by one.

          Click the Device List tab to add the terminals one by one.

        • Add terminals in a batch.

          Click the Device Group List tab and click Import to add the terminals in a batch.

    • Key configuration description

      Parameter

      Description

      Terminal Type

      • Unknown type: default value, indicating temporarily un-identified devices. The Agile Controller-Campus needs to continue to identify such devices.
      • Fixed terminal: wired access devices, such as desktop computers.
      • Mobile terminal: wireless access devices, such as tablets.
      • Dumb terminal: devices that provide fewer functions than PCs, do not have processors or disks, and need to connect to hosts to process services, such as printers and VoIP phones.

      Statically Assigned Policy

      • Enable: The Agile Controller-Campus identifies devices using only the policies set in Matched Policy. If you know the device types, you can statically assign policies to enhance the device identification ratio and accuracy.
      • Disable: The Agile Controller-Campus automatically selects policies to identify devices. Disable is the default value and applies when you do not know the device types.

        The Agile Controller-Campus matches the collected device information with the rules in the rule database. If the device matches a rule, the Agile Controller-Campus queries all identification policies that contain this rule and evaluates a score for each policy based on the device information. The highest score is the identification result.

      Matched Policy

      You need to set a name for the policy when Statically Assigned Policy is enabled. Resource > Terminal > Identification Policy displays all policy names.

      User-Defined Device Group

      • Enable: The Agile Controller-Campus adds devices to device groups. If you know the device types, you can set the User-Defined Device Group parameter to accurately add devices to groups.
      • Disable: The Agile Controller-Campus automatically identifies device types and adds the devices to groups. Disable is the default value and applies when you do not know the device types.

      Device Group

      You need to set a name for the group when User-Defined Device Group is enabled. Resource > Terminal > Terminal List displays all group names.

      XMPP server IP, Pool type, and Pool name

      The three parameters apply in the following scenario: Terminals connect to a network through MAC address authentication, and a switch functions as the DHCP server to allocate IP addresses to the terminals. The administrator requires that the switch allocate a fixed IP address to each authenticated terminal. To achieve this purpose, the administrator creates a binding between MAC addresses and IP addresses on the Agile Controller-Campus, which delivers the binding relationships to the switch through XMPP.

      XMPP server IP specifies the IP address of the gateway to which terminals connect. These parameters are available only when the switch functions as the DHCP server.

      Pool type and Pool name must be the same as those configured on the switch.
      • If Pool type is set to Interface pool, enter vlanifport number.
      • If Pool type is set to Global pool, enter the name of the global address pool.

      For details, see Example for Configuring MAC and IP Address Binding for Dumb Terminals and Deploying Them in Centralized Mode.

  4. Configure an authentication rule.

    • Function

      In MAC address authentication, users do not need to enter their user names and passwords for authentication. The service type used in MAC address authentication differs from that used in common authentication modes. Therefore, the default authentication rule cannot be used and an authentication rule needs to be configured separately.

    • Entrance

      Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule.

    • Key configuration description

      Choose MAC Bypass Authentication Service for Service Type.

  5. Configure an authorization rule.

    • Function

      The Agile Controller-Campus grants network access permission to terminals using an authorization rule. The default authorization rule does not apply to MAC address authentication and an authorization rule needs to be configured separately.

    • Entrance

      Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule.

    • Key configuration description
      • When adding an authorization rule, choose MAC Bypass Authentication Service for Service Type.
      • According to the rule priority, the Agile Controller-Campus matches terminal access information with authorization conditions of the authorization rule. When access information about a terminal matches all authorization conditions of an authorization rule, the Agile Controller-Campus grants permission defined by the authorization result of the authorization rule to the terminal.

  6. A terminal accesses the network.

    After a terminal connects to the network, authentication is performed automatically. After passing the authentication, the terminal can access resources in the post-authentication domain.

    After the terminal is authenticated successfully:
    • Run the display access-user command on the device. Online information about the terminal MAC address is displayed.
    • On the Service Manager, choose Resource > User > Online User Management. Online information about the terminal is displayed.
    • On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS authentication logs of the terminal are displayed.
    If the terminal fails to be authenticated, create a common account on the Agile Controller-Campus, log in to the device, and run the test-aaa user-name user-password radius-template template-name pap command to test whether the account can pass RADIUS authentication.
    • If the system displays the message "Info: Account test succeed", the account can pass RADIUS authentication and the fault occurs in the access authentication phase. Check the network connection between the terminal and the access control device.
    • If the system displays the message "Error: Account test time out", the account cannot pass RADIUS authentication and the fault occurs in the RADIUS authentication phase. Check whether the interconnection parameters of the RADIUS server on the Agile Controller-Campus are consistent with those on the access control device.

    The test aaa command can only test whether users can pass RADIUS authentication and the interaction process of RADIUS accounting is not involved. Therefore, after running the test aaa command, you can view RADIUS logs but cannot view user online information on the Agile Controller-Campus.

Example

The following example describes how to import MAC address authentication terminals in a batch.
  • How to Fill in the Excel File When You Do Not Know Device Details

    When you do not know the device details, fill in only the MAC address and device group and enter Device Group List in Unknown Device List.



  • How to Fill in the Excel File When You Know Device Details

    When you know the device details, you can manually configure an identification policy to enhance the identification ratio and accuracy. The Agile Controller-Campus identifies the device based on the configured identification policy.

    In this case, specify Endpoint MAC, set Statically Assigned Policy to Enable, enter the name of the identification policy in Matched Policy, and enter Device Group List in Unknown Device List. The Agile Controller-Campus automatically adds the device to a device group.



  • How to Fill in the Excel File When You Manually Add the Device to a Specified Device Group

    By default, the Agile Controller-Campus classifies devices into groups based on the device types. You can also manually add a device to a specified device group.

    In this case, specify Endpoint MAC, set User-Defined Device Group to Enable, and enter the name of a specific device group in Device Group List.



  • How to Fill in the Excel File When You Need to Mark the Device Access Location

    You can use the IP address and connected interface of a device to rapidly locate the device when a fault occurs.

    In this case, specify Endpoint MAC, Access Device IP Address, and Access Device Port and enter Device Group List in Unknown Device List.



Example for Configuring MAC and IP Address Binding for Dumb Terminals and Deploying Them in Centralized Mode

A MAC address and IP address binding table of dumb terminals can be configured on the Agile Controller-Campus. The Agile Controller-Campus delivers the binding table to a switch and the switch assigns IP addresses to the terminals based on their MAC addresses.

Involved Products and Versions

Product Type | Product Name | Version
Access switch | S3700 | V200R008C00 and later versions
Aggregation switch | S12700 | V200R009C00 and later versions
RADIUS server | Agile Controller-Campus | V100R002C00SPC105 or V100R003C10

Networking Requirements
A public security bureau wants to build a dedicated camera network without an independent DHCP server for controlling access of cameras in its jurisdiction area. The public security bureau has the following requirements:
  • The Agile Controller-Campus manages the MAC address and IP address binding table of cameras and delivers the table to a switch. The switch functioning as the DHCP server then dynamically assigns IP addresses to the cameras based on their MAC addresses.
  • Access of cameras configured with static IP addresses is prohibited.
  • Cameras are not allowed to move across police stations. If the IP address of a camera assigned based on its MAC address is not in the network segment of the local gateway, communication between the camera and the local gateway is prohibited.
Figure 4-102 Network diagram
NOTE:

The switch configuration of police station A is used as an example, which is the same as that of police station B.

Data Plan
Table 4-150 Network data plan for devices

Item | Data | Description
Agile Controller-Campus | IP address: 172.18.1.2 | -
Aggregation switch (S12708) | GE1/0/1; VLAN: 10; IP address of VLANIF interface 10: 192.168.1.1/16 | Camera gateway, which is connected to access switches.
Aggregation switch (S12708) | GE1/0/2; VLAN: 100; IP address of VLANIF interface 100: 172.18.1.1/24 | Connected to the Agile Controller-Campus.
Access switch (S3700) | GE0/0/1; VLAN: 10 | Connected to cameras.
Access switch (S3700) | GE0/0/2; VLAN: 10 | Connected to an aggregation switch.

Table 4-151 Service data plan for devices

Item | Data
Wired RADIUS | Authentication server IP address: 172.18.1.2; Authentication server port number: 1812; Shared key of the RADIUS server: Admin@123; Accounting server port number: 1813; Shared key of the RADIUS server: Admin@123; Accounting interval: 15 minutes; Authentication domain: mac
ACL number of the post-authentication domain | 3001

Table 4-152 Service data plan for the Agile Controller-Campus

Item | Data
Terminal group | Police station A
Switch IP address | 172.18.1.1
RADIUS authentication key | Admin@123
RADIUS accounting key | Admin@123

Prerequisites

The access switch, aggregation switch, and Agile Controller-Campus server can communicate with each other.

Procedure

  1. Configure the aggregation switch.
    1. Create VLANs and configure the allowed VLANs on the interfaces to ensure network connectivity.

      <HUAWEI> system-view
      [HUAWEI] sysname S12700
      [S12700] dhcp enable   //Enable the DHCP service.
      [S12700] vlan batch 10 100   //Create VLAN 10 and VLAN 100.
      [S12700] interface gigabitethernet 1/0/1  //Enter the view of the interface connected to the access switch.
      [S12700-GigabitEthernet1/0/1] port link-type trunk  //Change the link type of gigabitethernet1/0/1 to trunk.
      [S12700-GigabitEthernet1/0/1] port trunk pvid vlan 10  //Set the default VLAN of gigabitethernet1/0/1 to VLAN 10.
      [S12700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
      [S12700-GigabitEthernet1/0/1] quit
      [S12700] interface vlanif 10
      [S12700-Vlanif10] ip address 192.168.1.1 255.255.0.0
      [S12700-Vlanif10] dhcp select interface
      [S12700-Vlanif10] quit
      [S12700] interface gigabitethernet 1/0/2  //Enter the view of the interface connected to the Agile Controller-Campus.
      [S12700-GigabitEthernet1/0/2] port link-type access
      [S12700-GigabitEthernet1/0/2] port default vlan 100
      [S12700-GigabitEthernet1/0/2] quit
      [S12700] interface vlanif 100
      [S12700-Vlanif100] ip address 172.18.1.1 255.255.255.0
      [S12700-Vlanif100] quit
      [S12700] quit
      <S12700> save  //Save the configuration.

    2. Set parameters for connecting to the RADIUS server.

      [S12700] radius-server template policy  //Create a RADIUS server template.
      [S12700-radius-policy] radius-server authentication 172.18.1.2 1812 source ip-address 172.18.1.1  //Configure the IP address and port number for the RADIUS authentication server.
      [S12700-radius-policy] radius-server accounting 172.18.1.2 1813 source ip-address 172.18.1.1  //Configure an IP address and a port number for the RADIUS accounting server.
      [S12700-radius-policy] radius-server shared-key cipher Admin@123  //Configure a shared key for the RADIUS server.
      [S12700-radius-policy] quit
      [S12700] radius-server authorization 172.18.1.2 shared-key cipher Admin@123  //Configure an IP address for the RADIUS authorization server and the same shared key as that of the RADIUS authentication and accounting servers.
      
      [S12700] aaa  //Enter the AAA view.
      [S12700-aaa] authentication-scheme auth  //Configure an authentication scheme.
      [S12700-aaa-authen-auth] authentication-mode radius  //Set the authentication scheme to RADIUS. When the switch works with the Agile Controller-Campus, and the Service Controller functions as the RADIUS server, the authentication scheme must be set to RADIUS.
      [S12700-aaa-authen-auth] quit
      [S12700-aaa] accounting-scheme acco  //Configure an accounting scheme.
      [S12700-aaa-accounting-acco] accounting-mode radius  //Set the accounting scheme to RADIUS. The RADIUS accounting scheme must be used so that the RADIUS server can maintain account state information such as login/logout information and force users to go offline.
      [S12700-aaa-accounting-acco] accounting realtime 15  //Set the real-time accounting interval to 15 minutes. In applications, set the real-time accounting interval based on the number of users on your network by referring to Table 4-153.
      [S12700-aaa-accounting-acco] quit
      [S12700-aaa] domain mac  //Configure a domain, and bind the authentication scheme, accounting scheme, and RADIUS server template to the domain.
      [S12700-aaa-domain-mac] authentication-scheme auth
      [S12700-aaa-domain-mac] accounting-scheme acco
      [S12700-aaa-domain-mac] radius-server policy
      [S12700-aaa-domain-mac] quit
      [S12700-aaa] quit
      [S12700] authentication unified-mode  //Switch the NAC mode to unified. A switch works in unified mode by default. After switching the NAC mode to unified, the administrator must save the configuration and restart the switch to make the new mode take effect.
      NOTE:

      NAC supports the common configuration mode and unified configuration mode. Compared with the common mode, the unified mode has the following advantages:

      • The command lines are easy to understand and the format design meets user requirements.
      • Similar concepts are deleted from function design and configuration logic is simpler.

      Considering advantages of the unified mode, you are advised to deploy NAC in unified mode.

      NOTE:
      The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set the real-time accounting interval based on the user quantity. Table 4-153 lists the recommended real-time accounting intervals for different user quantities.
      Table 4-153 Accounting interval

      User Quantity | Real-Time Accounting Interval
      1 to 99 | 3 minutes
      100 to 499 | 6 minutes
      500 to 999 | 12 minutes
      More than 1000 | More than 15 minutes

    3. Configure MAC address authentication.

      [S12700] mac-access-profile name m1  //Configure a MAC access profile. In the profile, both the default user name and password are the terminal MAC address without the delimiter (-).
      [S12700-mac-access-profile-m1] quit
      [S12700] authentication-profile name p1  //Configure an authentication profile.
      [S12700-authen-profile-p1] mac-access-profile m1  //Bind the authentication profile to the MAC access profile.
      [S12700-authen-profile-p1] access-domain mac force  //In the authentication profile, specify the domain mac as the forcible authentication domain.
      [S12700-authen-profile-p1] authentication mode multi-authen  //Set the user access mode on an interface to multi-authen.
      [S12700-authen-profile-p1] quit
      [S12700] interface gigabitethernet 1/0/1
      [S12700-GigabitEthernet1/0/1] authentication-profile p1  //Enable MAC address authentication on the interface.
      [S12700-GigabitEthernet1/0/1] quit
      

    4. Set XMPP interworking parameters. The MAC address and IP address binding table configured on the Agile Controller-Campus is delivered to the switch using the XMPP protocol.

      [S12700] group-policy controller 172.18.1.2 password Admin@123 src-ip 172.18.1.1   //Set XMPP interworking parameters.
      [S12700] quit
      <S12700> save
      

  2. Configure the access switch.
    1. Create VLANs and configure the allowed VLANs on the interfaces to ensure network connectivity.

      # Create VLAN 10.
      <HUAWEI> system-view
      [HUAWEI] sysname S3700
      [S3700] vlan 10
      # Configure the interface connected to users as an access interface and add the interface to VLAN 10.
      [S3700] interface gigabitethernet 0/0/1
      [S3700-GigabitEthernet0/0/1] port link-type access
      [S3700-GigabitEthernet0/0/1] port default vlan 10 
      [S3700-GigabitEthernet0/0/1] quit
      

      # Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 10 packets to pass.

      [S3700] interface gigabitethernet 0/0/2
      [S3700-GigabitEthernet0/0/2] port link-type trunk
      [S3700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
      [S3700-GigabitEthernet0/0/2] quit
      

    2. Configure DHCP snooping and IPSG so that cameras configured with static IP addresses cannot access the network. IPSG checks the source IP address and MAC address of each IP packet against the DHCP snooping binding table; a camera with a static address has no binding, so its packets are discarded even if it passes MAC address authentication. Make sure the uplink toward the DHCP server (GigabitEthernet0/0/2) is a DHCP snooping trusted interface; otherwise the DHCP replies from the S12700 are discarded and no bindings are learned.

      [S3700] dhcp enable  //Enable the DHCP function.
      [S3700] dhcp snooping enable  //Enable DHCP snooping globally in the system view.
      [S3700] vlan 10
      [S3700-vlan10] dhcp snooping enable  //Enable DHCP snooping in VLAN 10.
      [S3700-vlan10] ip source check user-bind enable  //Enable IPSG (IP packet check) in VLAN 10.
      [S3700-vlan10] ip source check user-bind check-item ip-address mac-address  //Check the source IP address and MAC address of each packet against the binding table.
      [S3700-vlan10] quit
      [S3700] quit
      <S3700> save

  3. Add devices on the Agile Controller-Campus and set RADIUS authentication and XMPP parameters.

    RADIUS is used for MAC address authentication of cameras. XMPP is used for delivering the MAC address and IP address binding table to the DHCP server (S12700). The parameter settings on the Agile Controller-Campus must be the same as those on the devices.

    1. Choose Resource > Device > Device Management.
    2. Click Add.
    3. Set RADIUS authentication and XMPP parameters.

      Parameter | Value | Description
      Name | SW | -
      IP address | 172.18.1.1 | Specifies the IP address of the access control device for communicating with the Agile Controller-Campus.
      Authentication key | Admin@123 | The value must be the same as the RADIUS shared key set on the access control device.
      Accounting key | Admin@123 | The value must be the same as the RADIUS shared key set on the access control device.
      Real-time accounting interval (minute) | 15 | The value must be the same as the accounting interval set on the access control device.
      Configuration mode | Manual | -
      Password | Admin@123 | The value must be the same as the password specified in the group-policy controller command when you set XMPP parameters on the access control device.

    4. Click OK.
  4. Add a terminal group, add cameras to the device list of the terminal group, and deliver terminal information to the switch.
    1. Choose Resource > Terminal > Terminal List.
    2. Choose the root node Device Group in the navigation tree, and click Add on the right pane to add a terminal group.
    3. Click the new terminal group in the navigation tree, and click the Device List tab to add terminals.

      Parameter | Value | Description
      MAC Address | 12-34-56-65-56-05 | Specifies the MAC address of a camera. Set this parameter based on the site requirements.
      IP Address | 192.168.1.5 | Specifies the IP address to be assigned to the camera.
      Access Device | 172.18.1.1 | Specifies the IP address of the access control device for communicating with the Agile Controller-Campus.
      XMPP server IP | 172.18.1.1 | Specifies the IP address of the device that communicates with the Agile Controller-Campus through XMPP.
      Pool type | Interface pool | -
      Pool name | vlanif10 | Terminals obtain IP addresses from this pool.

      NOTE:

      If a large number of cameras need to be added, you can click Import on the Device Group List tab page to download a template. Enter camera information in the template and import the template to the Agile Controller-Campus.

    4. On the Device List tab page, choose Deploy All or Deploy Selected from the Deploy drop-down list box to deliver the MAC address and IP address binding table to the switch.

      When the deployment is successful, you can view the delivered configuration on the access control device.

  5. Add an authentication rule to deny access from cameras connecting to the network from a remote police station.
    1. Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule.
    2. Click Add.

      Parameter | Value | Description
      Name | MAC authentication | -
      Service Type | MAC Bypass Authentication Service | Set Service Type to MAC Bypass Authentication Service because dumb terminals use MAC address authentication.
      Access Parameter | Select Device IP Address. | Dumb terminals are bound to the access control device so that they cannot be moved between police stations.

    3. Click OK.
  6. Add an authorization rule for cameras to access the network.
    1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.
    2. Click Add.

      Parameter | Value | Description
      Name | MAC authentication | -
      Service Type | MAC Bypass Authentication Service | Set this parameter to MAC Bypass Authentication Service for dumb terminals.
      Terminal Group | Police station A | Specifies the terminal group that is allowed to access the network.
      Authorization Result | Permit Access | Cameras meeting the authorization condition can access the network.

    3. Click OK.
  7. Change the authorization result in the default authorization rule to Deny Access, so that any terminal not matched by an explicit authorization rule is denied.
    1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.
    2. Click the modify icon next to Default Authorization Rule.
    3. Set Authorization Result to Deny Access.

Verification
  1. When a camera passes MAC address bypass authentication, you can view information about the camera on the Online User page. The account is the camera's MAC address, and the terminal IP address is the IP address bound to the camera's MAC address.

    If authentication fails, locate the cause in RADIUS logs and rectify the fault with recommended actions.

  2. When a static IP address is configured for a camera, the camera is authenticated successfully but cannot access the network.
  3. When a camera of police station A is connected to an interface of the access switch of police station B, MAC address authentication of the camera fails.
  4. When a camera of police station A is connected to another interface of the access switch of police station A, MAC address authentication of the camera succeeds and the camera can access the network.
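
  The following Python model, added here as an illustration and not part of the Huawei configuration or of any product code, walks through the decisions behind the verification results above: MAC bypass authentication with the MAC address (delimiters removed) as user name and password, the authentication rule that binds a terminal to its access control device, group-based authorization with the default rule set to Deny Access, and the IPSG check on the access switch that forwards IP packets only when the source IP/MAC pair is in the binding table. The terminals, groups and addresses are constructed sample data; the model assumes the switch's binding table holds only the addresses the cameras actually obtained through DHCP, which is why a statically addressed camera is authenticated but has its traffic dropped.

```python
"""Model of the access decisions in the camera example above.

Added illustration, not Huawei controller or switch code. It mimics three
things the configuration relies on: MAC bypass authentication with the MAC
(delimiters removed) as user name and password; the authentication rule that
binds a terminal to its access control device (Access Parameter = Device IP
Address) plus group-based authorization with a default Deny Access; and the
IPSG check on the access switch, which forwards an IP packet only when its
source IP/MAC pair is present in the DHCP snooping binding table.
All terminals, groups and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Terminal:
    mac: str            # as entered on the controller, e.g. "12-34-56-65-56-05"
    ip: str             # address bound to the MAC and delivered to the switch
    group: str          # terminal group, e.g. "Police station A"
    access_device: str  # IP of the access control device the camera belongs to


def mac_credential(mac: str) -> str:
    """MAC bypass authentication: user name and password are the MAC without delimiters."""
    return mac.replace("-", "").replace(":", "").lower()


class Controller:
    """Rule chain of the controller (constructed model, not the product's code)."""

    def __init__(self, terminals: Iterable[Terminal], permitted_groups: Iterable[str]):
        self.by_cred: Dict[str, Terminal] = {mac_credential(t.mac): t for t in terminals}
        self.permitted_groups: Set[str] = set(permitted_groups)

    def authenticate(self, username: str, password: str, nas_ip: str) -> Optional[Terminal]:
        """Authentication rule: MAC bypass service, terminal bound to its access device."""
        t = self.by_cred.get(username.lower())
        if t is None or password.lower() != username.lower():
            return None  # unknown MAC, or credentials that are not the MAC itself
        if t.access_device != nas_ip:
            return None  # camera plugged into another police station's switch
        return t

    def authorize(self, t: Terminal) -> bool:
        """Authorization rule: Permit Access for listed groups; default rule is Deny Access."""
        return t.group in self.permitted_groups


Binding = Tuple[str, str]  # (IP address, MAC in credential form)


def ipsg_allows(bindings: Set[Binding], src_ip: str, src_mac: str) -> bool:
    """check-item ip-address mac-address: the (IP, MAC) pair must exist in the binding table."""
    return (src_ip, mac_credential(src_mac)) in bindings


def decide(controller: Controller, bindings: Set[Binding],
           mac: str, nas_ip: str, src_ip: str) -> str:
    """Outcome for a camera with MAC `mac` behind access device `nas_ip` sending from `src_ip`."""
    cred = mac_credential(mac)
    t = controller.authenticate(cred, cred, nas_ip)
    if t is None:
        return "authentication failed"
    if not controller.authorize(t):
        return "access denied"
    if not ipsg_allows(bindings, src_ip, mac):
        return "authenticated, traffic dropped"
    return "online"


# Constructed sample data: two cameras registered on the controller.
CAMERAS = [
    Terminal("12-34-56-65-56-05", "192.168.1.5", "Police station A", "172.18.1.1"),
    Terminal("12-34-56-65-56-06", "192.168.1.6", "Police station C", "172.18.1.1"),
]


def run_cases() -> Dict[str, str]:
    """Reproduce the outcomes listed under Verification, plus two extra negative cases."""
    controller = Controller(CAMERAS, permitted_groups=["Police station A"])
    # Bindings the switch holds after the XMPP delivery and the cameras' DHCP exchange.
    bindings: Set[Binding] = {(t.ip, mac_credential(t.mac)) for t in CAMERAS}
    return {
        # 1: DHCP-assigned address matches the delivered binding.
        "dhcp_camera": decide(controller, bindings, "12-34-56-65-56-05", "172.18.1.1", "192.168.1.5"),
        # 2: same camera with a static IP: MAC authentication passes, IPSG drops the packets.
        "static_ip_camera": decide(controller, bindings, "12-34-56-65-56-05", "172.18.1.1", "192.168.1.77"),
        # 3: camera of station A behind station B's access control device.
        "camera_at_station_b": decide(controller, bindings, "12-34-56-65-56-05", "172.18.2.1", "192.168.1.5"),
        # Extra: MAC that was never registered on the controller.
        "unregistered_device": decide(controller, bindings, "aa-bb-cc-dd-ee-ff", "172.18.1.1", "192.168.1.9"),
        # Extra: registered camera whose group has no Permit Access rule (default rule applies).
        "group_not_permitted": decide(controller, bindings, "12-34-56-65-56-06", "172.18.1.1", "192.168.1.6"),
    }


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case:22s} -> {outcome}")
```

  Case 4 of the verification (camera moved to another interface of the same access switch) has the same result as case 1, because the authentication rule binds the camera to the IP address of the access control device, not to an interface. In the real deployment the binding table is populated by DHCP snooping on the S3700 and consulted by IPSG; the model reproduces only the decision, not the switch's data structures.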

Deploying a CA Certificate Server

To use 802.1X certificate authentication, a CA certificate server must be deployed in advance.

A Windows CA certificate server supports only Windows Server 2012 Enterprise or Windows Server 2012 R2 Enterprise.

You are advised to check the CA certificate server deployment in the following order.

  1. Open a browser and enter https://Server-IP/certsrv, where Server-IP indicates the IP address of the CA certificate server.

    If the certificate services web enrollment page is displayed after you log in with the AD domain administrator account and its password, the CA server functions properly. Otherwise, delete and then add the CA component again.

  2. In Certification Authority, right-click the CA node, choose Properties, click the Extensions tab, and check the CDP and AIA extensions.
    • CDP: Include in the CDP extension of issued certificates must be selected for both the LDAP and the HTTP location.
    • AIA: For the OCSP URL, both Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension must be selected.

  3. Open a browser and enter https://Server-IP/certsrv/mscep_admin, where Server-IP indicates the IP address of the CA certificate server.

    If the NDES administration page is displayed after you log in with the AD domain administrator account and its password, the SCEP and HTTPS settings are correct.

    If the page is displayed over HTTP but not over HTTPS, check whether the HTTPS binding in IIS has a certificate assigned and whether the correct certificate is selected: the SSL certificate must be the one whose subject matches the full computer name of the server.

    If the page cannot be displayed over HTTP either, check whether the Network Device Enrollment Service role service is installed.

  4. The SCEP certificate template must include the Client Authentication application policy (extended key usage). Otherwise, certificates issued to end users are not accepted for 802.1X and the users fail authentication. If the template does not contain Client Authentication, correct the settings based on the video instruction.

  5. In the registry, set the SCEP template name and disable EnforcePassword.

    Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP, set the template entries (EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate) to the name of the SCEP template.

    Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword, set EnforcePassword to 0.

    Registry modification takes effect only after the operating system is restarted.

    Setting EnforcePassword to 0 removes the one-time challenge password from SCEP enrollment, so any client that can reach the NDES URL can request a certificate. Restrict network access to https://Server-IP/certsrv/mscep to the Agile Controller-Campus and the trusted management network.

  6. Check the permission settings in the SCEP and OCSP templates. If the settings are incorrect, correct them based on the video instruction.

  7. Check whether the SCEP and OCSP templates are issued. If SCEP and OCSP templates are not in the list, issue the templates based on the video instruction.

  8. Choose Start > Administrative Tools > Online Responder Management to check whether OCSP is in working state. If not, delete ocsp_test and create it again based on the video instruction.

  9. The properties of the revocation configuration and the random number (nonce) and signature settings of the Agile Controller-Campus must have the relationship shown in the following figure.

Server Certificate Importing Tool

The server certificate importing tool replaces the default certificates of the Tomcat server and the Portal server. These certificates are used to establish a trusted HTTPS channel between the server and the web browser. To support Internet Explorer 6 on Windows XP, the default certificate is signed with the SHA-1 hash algorithm. If only browsers later than Internet Explorer 6 are used, request a certificate signed with SHA-256 instead: SHA-1 is deprecated for certificate signatures, and current browsers reject SHA-1-signed certificates.

Prerequisites

The Service Manager and Service Controller have been installed.

Context

  • If the Service Manager and Service Controller are installed on the same hardware server, both Tomcat server certificate and Portal server certificate are replaced after you run the server certificate importing tool.
  • If the Service Manager and Service Controller are installed on different hardware servers, run the server certificate importing tool on the server where the Service Manager is installed to replace the Tomcat server certificate, and run the tool on the server where the Service Controller is installed to replace the Portal server certificate.

Procedure

  1. Log in to the server where the Service Manager or Service Controller is installed.

    • Windows

      Log in to the server using an administrator account.

    • Linux

      Log in to the server using a root account.

  2. Start the server certificate importing tool.

    • Windows

      Access the installation directory of the Agile Controller-Campus, which is D:\Agile Controller by default. Change the installation directory according to the actual situation. Double-click Upload Certificate.bat to start the certificate importing tool.

    • Linux
      1. Run the chmod 755 /opt/**.jks command so that the controller user running the certificate importing tool can read the certificate file. In this command, /opt is the directory where the certificate file is saved and **.jks is the certificate file name; replace them with the actual directory and file name. Because the keystore contains the server's private key, prefer making the controller user the owner of the file and granting read permission to that user only (for example, mode 600) rather than leaving it world-readable.
      2. Run the su - controller command to switch to the controller user.
      3. Run the cd /opt/AgileController command to access the installation directory of the Agile Controller-Campus. /opt/AgileController is the default installation directory of the Agile Controller-Campus. Change the installation directory according to the actual situation.
      4. Run the ll command to check whether the Upload Certificate.sh file exists in the installation directory of the Agile Controller-Campus.

        If so, continue to perform the following steps. If not, check whether the installation directory of the Agile Controller-Campus is correct.

      5. Run the sh Upload Certificate.sh command to start the certificate importing tool.

  3. Click Backup. Select a path for storing the default server certificates and then click Open.

  4. After the certificates are backed up successfully, click OK.

  5. Click Browse. Select the path for storing the certificate and enter the Certificate Password.
  6. Click Upload to replace the default server certificate.
  7. Restart the Service Manager and Service Controller services after successful upload to make new certificates take effect.

    NOTE:

    After a Portal server certificate is uploaded, you can only access the Portal server by the domain name using the HTTPS protocol, and the domain name must be the same as that used during server certificate application.

Rollback Operation

If the default certificate of a server has been replaced, perform the following operations to revert to the default one:

  1. Click Browse. Select the path where the default certificate of the server to be reverted was backed up, and then enter the Certificate Password.
  2. Click Upload to revert to the default server certificate.
  3. Restart the Service Manager and Service Controller services after the upload succeeds to make the default certificate take effect.

How Do I Continue to Access the Original Page After Successful Portal Authentication?

Question

How do I continue to access the original page after successful Portal authentication?

Answer

When forcible switching to a fixed page after authentication is disabled, the web browser takes the authenticated end user back to the URL requested before authentication. The AC passes that URL to the Portal server as a query parameter, and the Portal server parses the parameter to obtain the original URL. For example, an end user wants to access http://bbs.example.com. After you configure the URL parameter (url) on the AC, the Portal server receives http://Portal server IP address:8080/portal?url=http://bbs.example.com and, after successful authentication, sends the browser to http://bbs.example.com.

To access the original page after successful Portal authentication, you need to perform the following configurations on both the AC and Agile Controller-Campus.

  • Configuration on the AC

    When configuring the Portal server on the AC, configure the AC to send the URL that the user accesses as the parameter to the Portal server.
    <AC> system-view
    [AC] url-template name myurl
    [AC-url-template-myurl] url http://192.168.1.203:8080/portal
    [AC-url-template-myurl] url-parameter redirect-url url  //The Portal server reads the URL to switch to from the url parameter. The AC must send the URL that the user accessed as this parameter. Do not change the parameter name url.
    [AC-url-template-myurl] quit
    [AC] web-auth-server portal
    [AC-web-auth-server-portal] server-ip 10.1.1.1
    [AC-web-auth-server-portal] port 50200
    [AC-web-auth-server-portal] shared-key simple Admin@123  //simple stores the key in plaintext in the configuration; use cipher where the software supports it.
    [AC-web-auth-server-portal] url-template myurl
    [AC-web-auth-server-portal] quit
    [AC] interface vlanif 30
    [AC-Vlanif30] web-auth-server portal direct

  • Configuration on the Agile Controller-Campus V100R002C00

    When configuring the Portal page push rule on the Agile Controller-Campus, set Page displayed after successful authentication to Continue to visit the original page.

  • Configuration on the Agile Controller-Campus V100R001C00

    When configuring the Portal page push rule on the Agile Controller-Campus, choose Policy > Permission Control > Page Customization > Page Customization, and set URL Field Name to url.
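
The following Python example, added here and not taken from the AC or the Agile Controller-Campus software, reproduces the two halves of the exchange: how the AC's url-template turns the user's original request into the portal URL carrying the url parameter, and how the Portal server reads that parameter back after authentication. It also adds a check that the configuration above does not perform: the url value originates from an unauthenticated client, so the portal should follow it only when it is an absolute http or https URL and otherwise fall back to a fixed page (the fallback address is an assumption).

```python
"""Portal redirect handling for the url parameter described above.

Added example, not Huawei AC or Portal server code. `build_redirect` does what
the AC's url-template does (url http://192.168.1.203:8080/portal with
url-parameter redirect-url url): it appends the page the user originally
requested as the `url` query parameter. `pick_post_auth_url` does the Portal
server's part: it reads `url` back and decides where to send the browser after
successful authentication. The scheme/host check is an added safeguard that the
original configuration does not describe. FALLBACK is a constructed address.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PORTAL_BASE = "http://192.168.1.203:8080/portal"       # url in the AC's url-template
URL_PARAM = "url"                                      # parameter name expected by the Portal server
FALLBACK = "http://192.168.1.203:8080/portal/success"  # constructed: page shown when url is unusable


def build_redirect(original_url: str, portal_base: str = PORTAL_BASE) -> str:
    """AC side: redirect the unauthenticated user to the portal, carrying the original URL."""
    # urlencode percent-encodes ':', '/', '?', '=' and '&' so the inner URL survives as one value.
    return f"{portal_base}?{urlencode({URL_PARAM: original_url})}"


def pick_post_auth_url(redirect_url: str, fallback: str = FALLBACK) -> str:
    """Portal side: recover the original URL and accept only absolute http(s) targets."""
    query = parse_qs(urlsplit(redirect_url).query)
    values = query.get(URL_PARAM)
    if not values:
        return fallback  # url-parameter redirect-url url is not configured on the AC
    target = urlsplit(values[0])
    if target.scheme.lower() not in ("http", "https") or not target.netloc:
        return fallback  # rejects javascript:, data:, relative paths and //host forms
    return urlunsplit(target)


if __name__ == "__main__":
    hop = build_redirect("http://bbs.example.com/forum?id=7&x=y")
    print(hop)
    print(pick_post_auth_url(hop))
    print(pick_post_auth_url(build_redirect("javascript:alert(1)")))
```

The parameter name url is the only contract between the two sides: renaming it on the AC (or, on V100R001C00, setting a different URL Field Name on the controller) leaves the Portal server without a value and the user lands on the fallback page instead of the one originally requested.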



What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?

Question

What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?

Answer
  1. Ensure that the GPRS modem driver is compatible with the operating system (Microsoft Windows Server 2008, Microsoft Windows Server 2012 or SUSE Linux 11 SP3, SUSE Linux 12 SP2) of the server to be connected.
  2. Obtain the baud rate (data transmission rate) of the GPRS modem.
    NOTE:

    Refer to the Product Documentation of the GPRS modem or consult the GPRS modem's technical support engineer.

  3. Use the serial cable or USB cable to connect the GPRS modem to the server.
    NOTE:
    • If the GPRS modem provides a console port, use the serial cable to connect the GPRS modem to the server with the Service Manager installed.
    • If the GPRS modem provides a USB to serial converter, use the USB cable to connect the GPRS modem to the server with the Service Manager installed, and install the USB driver for the GPRS modem on the server.
  4. Configure the baud rate (data transmission rate) of the server port so that it is the same as that of the GPRS modem.
    • Windows
      1. Choose Start > Administrative Tools > Computer Management.
      2. On the Computer Management page, choose System Tools > Device Manager.
      3. In Ports (COM&LPT), right-click Communications Port (COM1) or Communications Port (COM2), depending on the COM port the GPRS modem is connected to, and choose Properties.

      4. Click the Port Settings tab and check the baud rate. If the default baud rate differs from that of the GPRS modem, change the baud rate based on the GPRS modem's baud rate.

    • Linux

      In the Linux operating system, the console port identifier is ttyS*. Generally, ttyS0 matches the console port COM1 and ttyS1 matches the console port COM2 in the Windows operating system. Perform the operation based on the console port to which the GPRS modem connects.

      When configuring a communication port on the Agile Controller-Campus, ensure that the port is in the /dev/ttyS0 format.

      1. Log in to the Linux operating system using the root account.
      2. Run the ls -lrt /dev/ttyS* command and view the console port to which the GPRS modem connects.

        Determine the console port to which the GPRS modem connects based on the time when the GPRS modem is connected to the server port.

      3. Run the stty -a -F /dev/ttyS0 command and view the baud rate of the console port.

        The port ttyS0 is used as an example. You need to replace it with the actual port connected to the GPRS modem.

      If the baud rate is different from that of the GPRS modem, change the baud rate based on that of the GPRS modem.
      1. Run the stty -F <console port> speed <baud rate> command to change the baud rate of the console port. For example, run stty -F /dev/ttyS0 speed 115200 to change the baud rate of ttyS0 to 115200. The command prints the baud rate that was in effect before the change:
        stty -F /dev/ttyS0 speed 115200   //Change the baud rate of the console port ttyS0 to 115200.
        9600   //The baud rate before the change.
      2. Run the stty -F /dev/ttyS0 command to check whether the baud rate has been changed.

Updated: 2019-03-30

Document ID: EDOC1000184389