FATAP and Cloud AP V200R009C00 Web-based Configuration Guide

Example for Configuring the RADIUS Server and AP to Deliver User Group Rights to Users


Service Requirements

If enterprise employees can access the Internet without restriction, enterprise information is at risk. To prevent STA1 in department A from accessing the RADIUS server and to prevent employees in department A from communicating with each other, you can configure the RADIUS server and AP to deliver user group rights to users.

Networking Requirements

  • DHCP deployment mode: The AP functions as a DHCP server to assign IP addresses to STAs.
Figure 2-8  Configuring the RADIUS server and AP to deliver user group rights to users

Data Planning

Table 2-4  AP data planning

| Item | Data |
|---|---|
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AP functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; DNS: 8.8.8.8; Address that cannot be assigned: 10.23.101.2 (IP address of the router) |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2 802.1X+AES; Password: a1234567 |
| Authentication profile | Name: wlan-net; Referenced profile: 802.1X profile wlan-net, RADIUS Server profile wlan-net and authentication scheme wlan-net |
| VAP profile | Name: wlan-net; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-net and security profile wlan-net |
| STA's gateway | VLANIF 101: 10.23.101.1 |
| STA user name and password | User name: huawei; Password: huawei123 |
| RADIUS server | IP address: 10.23.102.1; Port number: 1812; Shared key: huawei123 |
| FTP server | IP address: 10.23.103.1 |
| QoS profile | Name: huawei |
| User group | Name: huawei; Bound ACL number: 3002; Bound QoS profile: huawei |

Configuration Roadmap

The configuration roadmap is as follows:
  1. Use the WLAN configuration wizard to configure WLAN services. Configure 802.1X and RADIUS authentication and set RADIUS server parameters.
  2. Configure a DNS server address in the DHCP address pool of the service VLAN to provide the DNS service for the STA.
  3. Configure a static route so that the AP forwards packets received from STAs to the router.
  4. Configure the user group.
  5. Connect STAs to the WLAN to verify the configuration.

Procedure

  1. Configure the switches and router.

    # Add GE0/0/1 and GE0/0/3 on the aggregation switch to VLAN 101.

    # Assign the IP address 10.23.101.2/24 to GE1/0/0 on Router and configure the router as the default gateway for the AP.

    # Configure a RADIUS server, configure a user name and password, and set the shared key to huawei123.

  2. Configure WLAN services.
    1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
    2. Configure Wi-Fi signals.

      # Click Create. The Basic Information page is displayed.

      # Configure basic information about an SSID.

      # Click Next. The IP and Rate page is displayed.

      # Set IP address parameters.

      # Click Finish.

    3. Configure Internet connection parameters.

      # Click Next. The Configure Internet Connection page is displayed.

      # Add an interface to VLAN 101 in tagged mode.
      NOTE:

      If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs. As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs communicate with the AP through this interface. You can use the default IP address of the AP to log in to the web platform. If you need to use the default IP address to log in to the web platform, do not delete VLAN 1.



      # Click Finish.

  3. Configure DNS.

    NOTE:
    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.

    1. Choose Configuration > IP Service > DHCP > DHCP Address Pool. In Address Pool List, click Vlanif101. The Modify DHCP Address Pool page is displayed.
    2. Configure the DNS server address for the STA and click OK.

  4. Configure a static route.
    1. Choose Configuration > IP Service > Route. The Route page is displayed.
    2. Click Create in Static Route Configuration Table.



    3. Click OK.
  5. Configure user group rights.
    1. Create ACL 3002 that denies access to the FTP server 10.23.103.1/24.

      # Choose Configuration > Security > ACL > Advanced ACL Settings. The Advanced ACL Settings page is displayed.

      # Click Create. In the Create Advanced ACL page that is displayed, set the ACL name to ACL3002 and number to 3002, and click OK.

      # Click Add Rule and add a rule.



      # Click OK.

    2. Create the QoS profile huawei, and set the rate limits of uplink and downlink traffic to 3 Mbit/s and 5 Mbit/s respectively.

      # Choose Configuration > Security > User Group > QoS Profile. The QoS Profile page is displayed.

      # Click Create. On the Create QoS Profile page that is displayed, set parameters.



      # Click OK.

    3. Create the user group huawei, bind ACL 3002 and QoS profile huawei to it, and enable intra-group and inter-group isolation.

      # Choose Configuration > Security > User Group > User Group. The User Group page is displayed.

      # Click Create. On the Create User Group page that is displayed, set parameters.



      # Click OK.

    4. Bind the user group huawei to the authentication profile wlan-net.

      # Choose Configuration > Security > AAA > Authentication Profile. The Authentication Profile page is displayed.

      # Click wlan-net and select the user group huawei on the parameter setting page of the authentication profile.

      # Click Apply. In the dialog box that is displayed, click OK.

  6. Verify the configuration.
    1. The WLAN with the SSID wlan-net is available.
    2. The STA can associate with the WLAN and obtain an IP address in 10.23.101.x/24; its gateway address is 10.23.101.1.



    3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see that STAs go online properly and obtain IP addresses.
    4. Two users go online and they cannot ping each other.
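
The verification steps above only check that two users cannot ping each other. The following Python sketch is an added example, not part of the original guide or of any Huawei tool: it models the rights bound to user group huawei (ACL 3002 plus intra-group and inter-group isolation) and compares probe results collected from STAs against that model. Assumptions: the STA names, STA addresses and probe results are constructed sample data, ACL 3002 is modelled as denying the single host 10.23.103.1, and traffic that matches no rule is treated as permitted.

```python
from ipaddress import ip_address

FTP_SERVER = ip_address("10.23.103.1")   # FTP server from the data plan

# Constructed sample STAs: hypothetical names, addresses taken from the planned pool.
STAS = {
    "sta1": {"ip": ip_address("10.23.101.10"), "group": "huawei"},
    "sta2": {"ip": ip_address("10.23.101.11"), "group": "huawei"},
}
# Rights bound to the user group in step 5 (ACL modelled as a host match, an assumption).
GROUPS = {"huawei": {"acl_deny_hosts": {FTP_SERVER},
                     "isolate_intra": True, "isolate_inter": True}}


def expected_verdict(src_name, dst_ip):
    """Return 'deny' or 'permit' for traffic from a STA to dst_ip under the modelled policy."""
    dst_ip = ip_address(dst_ip)
    src = STAS[src_name]
    group = GROUPS[src["group"]]
    if dst_ip in group["acl_deny_hosts"]:            # ACL 3002
        return "deny"
    peer = next((s for s in STAS.values() if s["ip"] == dst_ip), None)
    if peer is not None:                             # STA-to-STA traffic
        same_group = peer["group"] == src["group"]
        if (same_group and group["isolate_intra"]) or \
           (not same_group and group["isolate_inter"]):
            return "deny"
    return "permit"                                  # assumed default for unmatched traffic


def audit(observations):
    """Compare observed probe results with the model and return the mismatches."""
    findings = []
    for src, dst, reached in observations:
        want = expected_verdict(src, dst)
        got = "permit" if reached else "deny"
        if want != got:
            findings.append((src, dst, want, got))
    return findings


# Constructed probe results: (source STA, destination, did the probe get a reply?)
SAMPLE = [
    ("sta1", "10.23.101.11", False),  # peer ping fails, as step 6.4 expects
    ("sta1", "10.23.103.1", True),    # FTP server answered: ACL 3002 is not in effect
    ("sta2", "10.23.101.1", True),    # gateway (VLANIF 101) reachable, as expected
]

if __name__ == "__main__":
    for src, dst, want, got in audit(SAMPLE):
        print(f"MISMATCH src={src} dst={dst} expected={want} observed={got}")
```

Any mismatch reported for the FTP server address indicates that the user group was not applied to the session, even when the peer ping test in step 6.4 passes.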
Updated: 2019-04-18

Document ID: EDOC1100035626
