WLAN V200R008C10 Typical Configuration Examples

Example for Configuring WeChat Authentication Using a Built-in Portal Server


Networking Requirements

As shown in Figure 4-40, the AC of a shop directly connects to an AP. The shop deploys a WLAN wlan-net to provide wireless network access for consumers. The AC functions as a DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.

To improve its brand popularity and image, the shop allows consumers to connect to the open Wi-Fi network using WeChat. Users can obtain access to the Internet by WeChat authentication, without the need to enter a user name or password.

Figure 4-40 Networking diagram for configuring WeChat authentication using a built-in Portal server

Configuration Roadmap

  1. Configure basic WLAN services so that the AC can communicate with upstream and downstream network devices, and the AP can go online.
  2. Set the AAA authentication mode to none.
  3. Configure a Portal access profile for the built-in Portal server to manage Portal access control parameters.
  4. Configure the social media authentication server.
  5. Configure WeChat authentication for WeChat users.
  6. Configure an authentication profile to manage NAC configuration.
  7. Configure WLAN service parameters, and bind a security policy profile and the authentication profile to a VAP profile to control access of STAs.

Data Plan

Item

Data

Portal access profile
  • Name: portal1
  • The built-in Portal server is used.
    • IP address of the built-in portal server: 10.1.1.1/24
    • HTTP port number: 1025
WeChat authentication profile
  • WeChat public account ID: wxappid123
  • WeChat public account key: huawei@123
  • The AC automatically obtains shop information from the WeChat server. Parameter settings of the WeChat server are:
    • PKI domain: pki-wechat
    • Default domain name: api.weixin.qq.com
    • SSL policy name and type: ssl-wechat and client
    • Default port number: 443
DNS server IP address: 10.23.200.2
Authentication-free rule profile
  • Name: default_free_rule
  • Authentication-free resource: IP address of the DNS server (10.23.200.2)
Authentication profile
  • Name: p1
  • Bound profile and authentication scheme: Portal access profile portal1 and authentication scheme wechat
DHCP server
  • The AC functions as a DHCP server to assign IP addresses to the AP and STAs.
IP address pool for the AP
  • 10.23.100.2 to 10.23.100.254/24
IP address pool for STAs
  • 10.23.101.2 to 10.23.101.254/24
IP address of the AC's source interface
  • VLANIF 100: 10.23.100.1/24
AP group
  • Name: ap-group1
  • Bound profiles: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile
  • Name: domain1
  • Country code: CN
SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net
Security profile
  • Name: wlan-security
  • Security policy: open system authentication
VAP profile
  • Name: wlan-vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Bound profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Procedure

  1. Configure the AC to enable exchange of CAPWAP packets between the AP and AC.

    # Add AC interface GE0/0/1 to VLAN 100 (management VLAN).

    NOTE:

    In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used, configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs will be able to directly communicate at Layer 2.

    In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.

    <AC6605> system-view
    [AC6605] sysname AC
    [AC] vlan batch 100 101
    [AC] interface gigabitethernet 0/0/1
    [AC-GigabitEthernet0/0/1] port link-type trunk
    [AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [AC-GigabitEthernet0/0/1] quit
    

  2. Configure the AC to communicate with upper-layer network devices.

    # Add GE0/0/2 that connects the AC to the upper-layer device to VLAN 101 (service VLAN).

    [AC] interface gigabitethernet 0/0/2
    [AC-GigabitEthernet0/0/2] port link-type trunk
    [AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
    [AC-GigabitEthernet0/0/2] quit
    

  3. Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.

    # Configure the AC as a DHCP server to allocate an IP address to the AP from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF 101.

    [AC] dhcp enable
    [AC] interface vlanif 100
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit
    [AC] interface vlanif 101
    [AC-Vlanif101] ip address 10.23.101.1 24
    [AC-Vlanif101] dhcp select interface
    [AC-Vlanif101] dhcp server dns-list 10.23.200.2
    [AC-Vlanif101] quit
    

  4. Configure a route from the AC to the server area (Assume that the IP address of the upper-layer device connected to the AC is 10.23.101.2).

    [AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
    

  5. Configure the AP to go online.

    # Create an AP group and add the AP to the AP group.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulate-domain-domain1] country-code cn
    [AC-wlan-regulate-domain-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100
    
    # Import the AP offline on the AC and add it to AP group ap-group1. Name the AP after its deployment location so that the location can be identified from the name. This example assumes that the AP's MAC address is 60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.

    NOTE:

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AP6010DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name area_1
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-0] quit
    [AC-wlan-view] quit
    

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

    [AC] display ap all
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    --------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
    --------------------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN    nor   0   10S         -
    --------------------------------------------------------------------------------------------------
    Total: 1

  6. Configure an AAA scheme.

    [AC] aaa
    [AC-aaa] authentication-scheme wechat
    [AC-aaa-authen-wechat] authentication-mode none
    Warning: The configured authentication modes include none authentication, and so security risks exist. Continue?[Y/N]y
    [AC-aaa-authen-wechat] quit
    [AC-aaa] quit
    

  7. Configure the Portal access profile portal1.

    # Enable the built-in Portal server function.

    [AC] interface loopback 1
    [AC-LoopBack1] ip address 10.1.1.1 24
    [AC-LoopBack1] quit
    [AC] portal local-server ip 10.1.1.1
    [AC] portal local-server http port 1025

    # Create the Portal access profile portal1 and configure it to use the built-in Portal server and WeChat authentication function.

    [AC] portal-access-profile name portal1
    [AC-portal-access-profile-portal1] portal local-server enable
    [AC-portal-access-profile-portal1] portal local-server wechat
    [AC-portal-access-profile-portal1] quit

  8. Configure the social media authentication server. For details, see Agile Controller-Campus Product Documentation - Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts).
  9. Configure WeChat authentication.

    # Configure the WeChat account.

    [AC] portal local-server wechat-authen
    [AC-wechat-authen] public-account appid wxappid123 appsecret huawei@123
    [AC-wechat-authen] quit
    

    # Enable dynamic domain name resolution.

    [AC] dns resolve
    [AC] dns server 10.23.200.2
    

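    # Create the PKI realm and the client SSL policy, and disable certificate authentication for the SSL server. With server verification disabled, the AC does not validate the certificate presented by the WeChat server.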

    [AC] pki realm pki-wechat
    [AC-pki-realm-pki-wechat] quit
    [AC] ssl policy ssl-wechat type client
    [AC-ssl-policy-ssl-wechat] pki-realm pki-wechat
    [AC-ssl-policy-ssl-wechat] undo server-verify enable
    [AC-ssl-policy-ssl-wechat] quit
    

    # Configure the AC to automatically obtain shop information from the WeChat server.

    [AC] portal local-server wechat-authen
    [AC-wechat-authen] wechat-server-ip ssl-policy ssl-wechat
    [AC-wechat-authen] polling-time 4800
    [AC-wechat-authen] quit
    

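  10. Configure an authentication-free rule profile. (Access to the WeChat server is permitted by default.)

    # Add the DNS server to the authentication-free rule. With mask 24, the rule matches the whole 10.23.200.0/24 segment rather than only 10.23.200.2, so every host on that segment is reachable before authentication.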

    [AC] free-rule-template name default_free_rule
    [AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
    [AC-free-rule-default_free_rule] quit
    

  11. Configure the authentication profile p1.

    [AC] authentication-profile name p1
    [AC-authentication-profile-p1] portal-access-profile portal1
    [AC-authentication-profile-p1] free-rule-template default_free_rule
    [AC-authentication-profile-p1] authentication-scheme wechat
    [AC-authentication-profile-p1] quit

  12. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open system.

    [AC] wlan
    [AC-wlan-view] security-profile name wlan-security
    [AC-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AC-wlan-view] ssid-profile name wlan-ssid
    [AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AC-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AC-wlan-view] vap-profile name wlan-vap
    [AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
    [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AC-wlan-vap-prof-wlan-vap] quit
    

    # Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] quit
    

  13. Set channels and power for the AP radios.

    NOTE:

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The channel and power configuration for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for AP radios based on country codes of APs and network planning results.

    # Disable automatic channel and power calibration functions of radio 0, and configure the channel and power for radio 0.

    [AC-wlan-view] ap-id 0
    [AC-wlan-ap-0] radio 0
    [AC-wlan-radio-0/0] calibrate auto-channel-select disable
    [AC-wlan-radio-0/0] calibrate auto-txpower-select disable
    [AC-wlan-radio-0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-radio-0/0] eirp 127
    [AC-wlan-radio-0/0] quit

    # Disable automatic channel and power calibration functions of radio 1, and configure the channel and power for radio 1.

    [AC-wlan-ap-0] radio 1
    [AC-wlan-radio-0/1] calibrate auto-channel-select disable
    [AC-wlan-radio-0/1] calibrate auto-txpower-select disable
    [AC-wlan-radio-0/1] channel 20mhz 149
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-radio-0/1] eirp 127
    [AC-wlan-radio-0/1] quit
    [AC-wlan-ap-0] quit

  14. Verify the configuration.

    • After the configuration is complete, STAs can discover the wireless network with the SSID wlan-net.

    • STAs can be assigned IP addresses after they associate with the wireless network.

    • When a user opens WeChat, the Portal authentication page is displayed automatically on the STA. After the user is authenticated, the user can connect to the Internet.

Configuration Files

AC configuration file

#
 sysname AC
#
portal local-server ip 10.1.1.1
portal local-server http port 1025
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 authentication-scheme wechat
#
dns resolve
dns server 10.23.200.2
#   
dhcp enable
#
pki realm pki-wechat
#  
ssl policy ssl-wechat type client
 pki-realm pki-wechat
 undo server-verify enable
#
free-rule-template name default_free_rule                                                                                           
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0                                                                          
# 
portal-access-profile name portal1
 portal local-server enable
 portal local-server wechat
#
aaa
 authentication-scheme wechat
  authentication-mode none
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2 
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface LoopBack1
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#  
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
portal local-server wechat-authen
 public-account appid wxappid123 appsecret %^%#/]:uVmjLj%zfx+%f5$*-6uV>6e8W`$ZT"iEq)zNY%^%#
 polling-time 4800
 wechat-server-ip ssl-policy ssl-wechat
#
return
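
A check for the settings in this configuration file that widen access, as an added example (not Huawei's code or tooling): it parses the configuration text and reports disabled SSL server verification, an AAA scheme with no authentication, and free rules that cover more addresses than the data plan names. `SAMPLE_CONFIG` is a constructed excerpt of the file above; `audit` and `planned_hosts` are hypothetical names.

```python
import ipaddress
import re

# Constructed excerpt of the AC configuration file above (three stanzas only).
SAMPLE_CONFIG = """\
#
ssl policy ssl-wechat type client
 pki-realm pki-wechat
 undo server-verify enable
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
aaa
 authentication-scheme wechat
  authentication-mode none
#
"""

FREE_RULE = re.compile(r"free-rule \d+ destination ip (\S+) mask (\S+)")


def audit(config, planned_hosts=("10.23.200.2",)):
    """Return (stanza, finding) pairs; planned_hosts is an assumed input
    holding the authentication-free hosts listed in the data plan."""
    planned = [ipaddress.ip_address(h) for h in planned_hosts]
    findings, stanza = [], ""
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "#":
            continue
        if not raw.startswith(" "):
            stanza = text  # an unindented line opens a new top-level stanza
        if text == "undo server-verify enable":
            findings.append((stanza, "TLS server certificate is not verified"))
        elif text == "authentication-mode none":
            findings.append((stanza, "AAA scheme performs no authentication"))
        match = FREE_RULE.match(text)
        if match:
            # strict=False accepts a host address with a prefix or dotted mask
            net = ipaddress.ip_network("/".join(match.groups()), strict=False)
            extra = net.num_addresses - sum(h in net for h in planned)
            if extra > 0:
                findings.append(
                    (stanza, f"free rule exempts {net}: {extra} addresses beyond the data plan"))
    return findings


if __name__ == "__main__":
    for stanza, finding in audit(SAMPLE_CONFIG):
        print(f"[{stanza}] {finding}")
```

A free rule written with mask 32 for 10.23.200.2 produces no finding, because it covers only the DNS server named in the data plan.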
Updated: 2019-03-30

Document ID: EDOC1000184389
