Configuration Procedure
Configuring a CSS for Core Switches to Ensure Their Reliability
- Configure two S12700s to form a CSS.
- Install CSS cards for S12700_A and S12700_B and connect CSS cables. The two S12700s form a CSS. For details on CSS setup, search for Stack & SVF Assistant at https://e.huawei.com.
- Check the cluster status and verify that the S12700 CSS is successfully set up.
Configuring the Access Switch, Aggregation Switch, and AC to Ensure Network Connectivity
# Configure S5700_A so that APs can communicate with the AC.
<HUAWEI> system-view
[HUAWEI] sysname S5700_A
[S5700_A] vlan batch 700 701 800
[S5700_A] interface gigabitethernet 0/0/1
[S5700_A-GigabitEthernet0/0/1] description Connect to AP_1
[S5700_A-GigabitEthernet0/0/1] port link-type trunk
[S5700_A-GigabitEthernet0/0/1] port trunk pvid vlan 800
[S5700_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 700 701 800
[S5700_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/1] port-isolate enable
[S5700_A-GigabitEthernet0/0/1] stp edged-port enable
[S5700_A-GigabitEthernet0/0/1] quit
[S5700_A] interface gigabitethernet 0/0/2
[S5700_A-GigabitEthernet0/0/2] description Connect to AP_2
[S5700_A-GigabitEthernet0/0/2] port link-type trunk
[S5700_A-GigabitEthernet0/0/2] port trunk pvid vlan 800
[S5700_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 700 701 800
[S5700_A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/2] port-isolate enable
[S5700_A-GigabitEthernet0/0/2] stp edged-port enable
[S5700_A-GigabitEthernet0/0/2] quit
[S5700_A] interface gigabitethernet 0/0/3
[S5700_A-GigabitEthernet0/0/3] description Connect to S7700_1/0/3
[S5700_A-GigabitEthernet0/0/3] port link-type trunk
[S5700_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 700 701 800
[S5700_A-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/3] quit
# Configure multicast packet suppression on the AP-facing ports of S5700_A.
[S5700_A] traffic classifier huawei
[S5700_A-classifier-huawei] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //The multicast MAC address and mask are examples and may differ from the actual configuration.
[S5700_A-classifier-huawei] quit
[S5700_A] traffic behavior huawei
[S5700_A-behavior-huawei] statistic enable
[S5700_A-behavior-huawei] car cir 100 //Adjust the CIR value to actual conditions. Where central APs connect to the access switch, set a larger CIR value.
[S5700_A-behavior-huawei] quit
[S5700_A] traffic policy huawei
[S5700_A-policy-huawei] classifier huawei behavior huawei
[S5700_A-policy-huawei] quit
[S5700_A] interface gigabitethernet 0/0/1
[S5700_A-GigabitEthernet0/0/1] traffic-policy huawei outbound
[S5700_A-GigabitEthernet0/0/1] traffic-policy huawei inbound
[S5700_A-GigabitEthernet0/0/1] quit
[S5700_A] interface gigabitethernet 0/0/2
[S5700_A-GigabitEthernet0/0/2] traffic-policy huawei outbound
[S5700_A-GigabitEthernet0/0/2] traffic-policy huawei inbound
[S5700_A-GigabitEthernet0/0/2] quit
If multicast services are planned on the network, do not configure this multicast packet suppression: the CAR would throttle legitimate multicast traffic along with the unwanted traffic.
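To see what the classifier and CAR above actually do, here is a small model of them in Python. This is an added example, not Huawei code: the token-bucket depth (cbs) and the frame list are assumptions, because the page sets no cbs. Notice that the mask ffff-ff00-0000 selects only the 01-00-5e OUI, so the policy meters IPv4 multicast only; broadcast (ffff-ffff-ffff) and IPv6 multicast (33-33-...) pass unmetered, and if those need suppressing as well they require their own classifiers.

```python
import re

# Constructed frames: (time in seconds, destination MAC, length in bytes).
# 20 IPv4-multicast frames in one burst, an IPv6-multicast and a broadcast frame,
# then one more IPv4-multicast frame a second later.
FRAMES = (
    [(0.0, "0100-5e00-00fb", 1000)] * 20
    + [(0.0, "3333-0000-0001", 1000), (0.0, "ffff-ffff-ffff", 1000)]
    + [(1.0, "0100-5e7f-fffa", 1000)]
)


def mac_to_int(mac):
    """Accept Huawei '0100-5e00-0000' or colon form '01:00:5e:00:00:00'."""
    return int(re.sub(r"[-:]", "", mac), 16)


def classifier_match(dst_mac, match="0100-5e00-0000", mask="ffff-ff00-0000"):
    """`if-match destination-mac MATCH mac-address-mask MASK`: a frame matches when
    the bits selected by MASK are equal in the frame's destination MAC and MATCH."""
    m = mac_to_int(mask)
    return mac_to_int(dst_mac) & m == mac_to_int(match) & m


class Car:
    """Single-rate token bucket for `car cir N` (N in kbit/s). The page sets no cbs,
    so the bucket depth passed in here is an assumption, not the device default."""

    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8.0      # token refill in bytes per second
        self.cbs = cbs_bytes
        self.tokens = float(cbs_bytes)
        self.last = 0.0

    def offer(self, length, now):
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if length <= self.tokens:
            self.tokens -= length
            return "pass"
        return "drop"


def apply_policy(frames, car):
    """One verdict per frame: metered frames are 'pass'/'drop',
    frames the classifier does not match are 'unmetered'."""
    return [car.offer(length, t) if classifier_match(dst) else "unmetered"
            for t, dst, length in frames]


def run_demo():
    car = Car(cir_kbps=100, cbs_bytes=12500)   # 12500 B = one second of CIR (assumed cbs)
    verdicts = apply_policy(FRAMES, car)
    return {"pass": verdicts.count("pass"), "drop": verdicts.count("drop"),
            "unmetered": verdicts.count("unmetered"), "verdicts": verdicts}


if __name__ == "__main__":
    print(run_demo())
```

With the assumed bucket of 12500 bytes, 12 of the 20 burst frames pass and 8 are dropped, the IPv6-multicast and broadcast frames are not metered at all, and the frame one second later passes because the bucket has refilled.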
# On the S7700, add Eth-Trunk 1 (connecting to S12700_A and S12700_B) and GE1/0/3 (connecting to S5700_A) to VLANs 700, 701, and 800.
<HUAWEI> system-view
[HUAWEI] sysname S7700
[S7700] vlan batch 700 701 800
[S7700] interface Eth-Trunk 1
[S7700-Eth-Trunk1] description Connect to S12700_Eth-Trunk1
[S7700-Eth-Trunk1] port link-type trunk
[S7700-Eth-Trunk1] port trunk allow-pass vlan 700 701 800
[S7700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700-Eth-Trunk1] quit
[S7700] interface gigabitethernet 1/0/3
[S7700-GigabitEthernet1/0/3] description Connect to S5700_A_0/0/3
[S7700-GigabitEthernet1/0/3] port link-type trunk
[S7700-GigabitEthernet1/0/3] port trunk allow-pass vlan 700 701 800
[S7700-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/3] quit
[S7700] interface gigabitethernet 1/0/17
[S7700-GigabitEthernet1/0/17] eth-trunk 1
[S7700-GigabitEthernet1/0/17] quit
[S7700] interface gigabitethernet 2/0/18
[S7700-GigabitEthernet2/0/18] eth-trunk 1
[S7700-GigabitEthernet2/0/18] quit
# Add interfaces of S12700_A and S12700_B connected to the S7700, AC_1, and AC_2 to VLANs 700, 701 and 800.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] vlan batch 700 701 800
[CSS] interface Eth-Trunk 1
[CSS-Eth-Trunk1] description Connect to S7700_Eth-Trunk1
[CSS-Eth-Trunk1] port link-type trunk
[CSS-Eth-Trunk1] port trunk allow-pass vlan 700 701 800
[CSS-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk1] quit
[CSS] interface gigabitethernet 1/1/0/19
[CSS-GigabitEthernet1/1/0/19] eth-trunk 1
[CSS-GigabitEthernet1/1/0/19] quit
[CSS] interface gigabitethernet 1/1/0/20
[CSS-GigabitEthernet1/1/0/20] description Connect to AC_1_0/0/24
[CSS-GigabitEthernet1/1/0/20] port link-type trunk
[CSS-GigabitEthernet1/1/0/20] port trunk allow-pass vlan 700 701 800
[CSS-GigabitEthernet1/1/0/20] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/20] quit
[CSS] interface gigabitethernet 2/1/0/22
[CSS-GigabitEthernet2/1/0/22] eth-trunk 1
[CSS-GigabitEthernet2/1/0/22] quit
[CSS] interface gigabitethernet 2/1/0/23
[CSS-GigabitEthernet2/1/0/23] description Connect to AC_2_0/0/24
[CSS-GigabitEthernet2/1/0/23] port link-type trunk
[CSS-GigabitEthernet2/1/0/23] port trunk allow-pass vlan 700 701 800
[CSS-GigabitEthernet2/1/0/23] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/23] quit
# Add interfaces of AC_1 and AC_2 connected to S12700_A and S12700_B to VLANs 700, 701, and 800.
<AC6805> system-view
[AC6805] sysname AC_1
[AC_1] vlan batch 700 701 800
[AC_1] interface gigabitethernet 0/0/24
[AC_1-GigabitEthernet0/0/24] description Connect to S12700_A_1/1/0/20
[AC_1-GigabitEthernet0/0/24] port link-type trunk
[AC_1-GigabitEthernet0/0/24] port trunk allow-pass vlan 700 701 800
[AC_1-GigabitEthernet0/0/24] undo port trunk allow-pass vlan 1
[AC_1-GigabitEthernet0/0/24] quit
<AC6805> system-view
[AC6805] sysname AC_2
[AC_2] vlan batch 700 701 800
[AC_2] interface gigabitethernet 0/0/24
[AC_2-GigabitEthernet0/0/24] description Connect to S12700_B_2/1/0/23
[AC_2-GigabitEthernet0/0/24] port link-type trunk
[AC_2-GigabitEthernet0/0/24] port trunk allow-pass vlan 700 701 800
[AC_2-GigabitEthernet0/0/24] undo port trunk allow-pass vlan 1
[AC_2-GigabitEthernet0/0/24] quit
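Every link in this section is configured twice, once per end, and the two ends must agree on link type and allowed VLANs or the AP management VLAN silently stops passing on one path. The following added example (Python, not part of the Huawei procedure) parses interface blocks written in the VRP syntax used on this page, in either saved-config form or the prompt-style form shown here, and reports mismatched trunks and any trunk that still allows VLAN 1. The device names are the page's; the S7700/CSS Eth-Trunk 1 pair is deliberately constructed to be inconsistent so that the check has something to find.

```python
import re

# Constructed excerpts in VRP syntax (not the page's full configuration).
# The S7700/CSS Eth-Trunk 1 pair is intentionally inconsistent.
CONFIGS = {
    "S5700_A": """
interface GigabitEthernet0/0/3
 description Connect to S7700_1/0/3
 port link-type trunk
 port trunk allow-pass vlan 700 701 800
 undo port trunk allow-pass vlan 1
#
""",
    "S7700": """
[S7700] interface gigabitethernet 1/0/3
[S7700-GigabitEthernet1/0/3] description Connect to S5700_A_0/0/3
[S7700-GigabitEthernet1/0/3] port link-type trunk
[S7700-GigabitEthernet1/0/3] port trunk allow-pass vlan 700 701 800
[S7700-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/3] quit
[S7700] interface Eth-Trunk 1
[S7700-Eth-Trunk1] port link-type trunk
[S7700-Eth-Trunk1] port trunk allow-pass vlan 700 701
[S7700-Eth-Trunk1] quit
""",
    "CSS": """
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 700 to 701 800
 undo port trunk allow-pass vlan 1
#
""",
}

# (device A, interface A, device B, interface B) pairs that are cabled together.
LINKS = [
    ("S5700_A", "GigabitEthernet0/0/3", "S7700", "GigabitEthernet1/0/3"),
    ("S7700", "Eth-Trunk1", "CSS", "Eth-Trunk1"),
]


def norm(name):
    """'GigabitEthernet 1/0/3', 'gigabitethernet1/0/3' and 'Eth-Trunk 1' -> one key."""
    return name.replace(" ", "").lower()


def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['700', 'to', '701', '800'] into a set."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(config_text):
    """Return {interface: {'link_type', 'pvid', 'allowed'}} for one device.
    A VRP trunk allows only VLAN 1 until told otherwise, so that is the start state."""
    interfaces, cur = {}, None
    for raw in config_text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())   # drop a '[prompt] ' prefix
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            cur = interfaces.setdefault(
                norm(m.group(1)), {"link_type": "access", "pvid": 1, "allowed": {1}})
        elif line in ("#", "quit"):
            cur = None
        elif cur is None:
            continue
        elif line.startswith("port link-type "):
            cur["link_type"] = line.split()[2]
        elif line.startswith("port trunk pvid vlan "):
            cur["pvid"] = int(line.split()[4])
        elif line.startswith("undo port trunk allow-pass vlan "):
            cur["allowed"] -= expand_vlans(line.split()[5:])
        elif line.startswith("port trunk allow-pass vlan "):
            cur["allowed"] |= expand_vlans(line.split()[4:])
    return interfaces


def check_link(parsed, dev_a, if_a, dev_b, if_b):
    """Compare both ends of one link; an empty list means the ends agree."""
    a, b = parsed[dev_a][norm(if_a)], parsed[dev_b][norm(if_b)]
    problems = []
    if (a["link_type"], b["link_type"]) != ("trunk", "trunk"):
        problems.append("both ends must be trunk")
    if a["allowed"] != b["allowed"]:
        problems.append(
            f"VLAN mismatch: only on {dev_a}={sorted(a['allowed'] - b['allowed'])}, "
            f"only on {dev_b}={sorted(b['allowed'] - a['allowed'])}")
    for dev, end in ((dev_a, a), (dev_b, b)):
        if 1 in end["allowed"]:
            problems.append(f"{dev}: VLAN 1 still allowed; add 'undo port trunk allow-pass vlan 1'")
    return problems


def audit(configs, links):
    parsed = {dev: parse_interfaces(text) for dev, text in configs.items()}
    return {link: check_link(parsed, *link) for link in links}


if __name__ == "__main__":
    for link, problems in audit(CONFIGS, LINKS).items():
        print(link, "OK" if not problems else problems)
```

Run against the real device configurations (display current-configuration output pasted into CONFIGS), the LINKS list is the one piece of information the switches cannot give you: it has to come from the cabling plan, which is exactly why the VLAN-number slip in the original heading for the S7700 went unnoticed.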
Configuring the ACs as DHCP Servers to Assign IP Addresses to APs and an External DHCP Server to Assign IP Addresses to STAs
- Configure AC_1 and AC_2 as DHCP servers to assign IP addresses to APs.
[AC_1] dhcp enable
[AC_1] interface vlanif 800
[AC_1-Vlanif800] ip address 10.128.1.2 255.255.255.0
[AC_1-Vlanif800] dhcp select interface
[AC_1-Vlanif800] dhcp server excluded-ip-address 10.128.1.1 10.128.1.3
[AC_1-Vlanif800] quit
[AC_2] dhcp enable
[AC_2] interface vlanif 800
[AC_2-Vlanif800] ip address 10.128.1.3 255.255.255.0
[AC_2-Vlanif800] dhcp select interface
[AC_2-Vlanif800] dhcp server excluded-ip-address 10.128.1.1 10.128.1.3
[AC_2-Vlanif800] quit
- Configure S7700 as a DHCP relay agent.
[S7700] vlan batch 700 701 820
[S7700] dhcp enable
[S7700] interface vlanif 700
[S7700-Vlanif700] ip address 10.129.1.2 255.255.240.0
[S7700-Vlanif700] dhcp select relay
[S7700-Vlanif700] dhcp relay server-ip 172.16.1.252 //172.16.1.252 is the address of the external DHCP server.
[S7700-Vlanif700] quit
[S7700] interface vlanif 701
[S7700-Vlanif701] ip address 10.130.1.2 255.255.240.0
[S7700-Vlanif701] dhcp select relay
[S7700-Vlanif701] dhcp relay server-ip 172.16.1.252 //172.16.1.252 is the address of the external DHCP server.
[S7700-Vlanif701] quit
- Configure links from S12700_A and S12700_B to the external DHCP server to allow packets from VLAN 700 and 701 to pass through.
[CSS] interface gigabitethernet 1/1/0/21
[CSS-GigabitEthernet1/1/0/21] description Connect to Router_0/0/29
[CSS-GigabitEthernet1/1/0/21] port link-type trunk
[CSS-GigabitEthernet1/1/0/21] port trunk allow-pass vlan 700 701
[CSS-GigabitEthernet1/1/0/21] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/21] quit
[CSS] interface gigabitethernet 2/1/0/18
[CSS-GigabitEthernet2/1/0/18] description Connect to Router_0/0/30
[CSS-GigabitEthernet2/1/0/18] port link-type trunk
[CSS-GigabitEthernet2/1/0/18] port trunk allow-pass vlan 700 701
[CSS-GigabitEthernet2/1/0/18] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/18] quit
Configuring VRRP HSB
- Configure HSB connectivity between AC_1 and AC_2.
# Add GE0/0/23 connecting AC_1 to AC_2 to VLAN 810.
[AC_1] vlan batch 810
[AC_1] interface gigabitethernet 0/0/23
[AC_1-GigabitEthernet0/0/23] description Connect to AC_2_0/0/23
[AC_1-GigabitEthernet0/0/23] port link-type trunk
[AC_1-GigabitEthernet0/0/23] port trunk allow-pass vlan 810
[AC_1-GigabitEthernet0/0/23] undo port trunk allow-pass vlan 1
[AC_1-GigabitEthernet0/0/23] quit
[AC_1] interface vlanif 810
[AC_1-Vlanif810] ip address 10.1.1.253 30
[AC_1-Vlanif810] quit
# Add GE0/0/23 connecting AC_2 to AC_1 to VLAN 810.
[AC_2] vlan batch 810
[AC_2] interface gigabitethernet 0/0/23
[AC_2-GigabitEthernet0/0/23] description Connect to AC_1_0/0/23
[AC_2-GigabitEthernet0/0/23] port link-type trunk
[AC_2-GigabitEthernet0/0/23] port trunk allow-pass vlan 810
[AC_2-GigabitEthernet0/0/23] undo port trunk allow-pass vlan 1
[AC_2-GigabitEthernet0/0/23] quit
[AC_2] interface vlanif 810
[AC_2-Vlanif810] ip address 10.1.1.254 30
[AC_2-Vlanif810] quit
- Configure VRRP on AC_1 to implement AC HSB.
# Set the delay in recovering the VRRP group to 60s.
[AC_1] vrrp recover-delay 60
# Create mVRRP group 1 on AC_1. Set the priority of AC_1 in the mVRRP group to 120 and the preemption delay to 1200s.
[AC_1] interface vlanif 800
[AC_1-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1
[AC_1-Vlanif800] vrrp vrid 1 priority 120
[AC_1-Vlanif800] vrrp vrid 1 preempt-mode timer delay 1200
[AC_1-Vlanif800] admin-vrrp vrid 1 //Configure VRRP group 1 as the mVRRP group.
[AC_1-Vlanif800] quit
# Create HSB service 0 on AC_1. Configure IP addresses and port numbers for the active and standby channels.
[AC_1] hsb-service 0
[AC_1-hsb-service-0] service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241
[AC_1-hsb-service-0] quit
# Create HSB group 0 on AC_1, and bind HSB service 0 and mVRRP group 1 to HSB group 0.
[AC_1] hsb-group 0
[AC_1-hsb-group-0] bind-service 0
[AC_1-hsb-group-0] track vrrp vrid 1 interface vlanif 800
[AC_1-hsb-group-0] quit
# Bind services to HSB group 0 and enable HSB.
[AC_1] hsb-service-type access-user hsb-group 0 //Bind the NAC service to HSB group 0.
[AC_1] hsb-service-type ap hsb-group 0 //Specify the HSB type for WLAN service backup.
[AC_1] hsb-service-type dhcp hsb-group 0 //Bind the DHCP server to HSB group 0.
[AC_1] hsb-group 0
[AC_1-hsb-group-0] hsb enable
[AC_1-hsb-group-0] quit
- Configure VRRP on AC_2 to implement AC HSB.
# Set the delay in recovering the VRRP group to 60s.
[AC_2] vrrp recover-delay 60
# Create mVRRP group 1 on AC_2.
[AC_2] interface vlanif 800
[AC_2-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1
[AC_2-Vlanif800] admin-vrrp vrid 1 //Configure VRRP group 1 as the mVRRP group.
[AC_2-Vlanif800] quit
# Create HSB service 0 on AC_2. Configure IP addresses and port numbers for the active and standby channels.
[AC_2] hsb-service 0
[AC_2-hsb-service-0] service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241
[AC_2-hsb-service-0] quit
# Create HSB group 0 on AC_2, and bind HSB service 0 and mVRRP group 1 to HSB group 0.
[AC_2] hsb-group 0
[AC_2-hsb-group-0] bind-service 0
[AC_2-hsb-group-0] track vrrp vrid 1 interface vlanif 800
[AC_2-hsb-group-0] quit
# Bind WLAN services on AC_2 to HSB group 0. HSB itself is enabled on AC_2 later, after the WLAN services have been configured.
[AC_2] hsb-service-type access-user hsb-group 0 //Bind the NAC service to HSB group 0.
[AC_2] hsb-service-type ap hsb-group 0 //Specify the HSB type for WLAN service backup.
[AC_2] hsb-service-type dhcp hsb-group 0 //Bind the DHCP server to HSB group 0.
Configuring a RADIUS Server Template on the AC, and Configuring Authentication, Accounting, and Authorization Servers in the Template, So That the AC Can Communicate with the RADIUS Server
- Configure AC_1 and AC_2 to communicate with the RADIUS server.
# Add GE0/0/24 of AC_1 connected to S12700_A to VLAN 820.
[AC_1] vlan batch 820
[AC_1] interface gigabitethernet 0/0/24
[AC_1-GigabitEthernet0/0/24] port trunk allow-pass vlan 820
[AC_1-GigabitEthernet0/0/24] quit
[AC_1] interface vlanif 820
[AC_1-Vlanif820] ip address 172.16.1.2 24
[AC_1-Vlanif820] quit
# Add GE0/0/24 of AC_2 connected to S12700_B to VLAN 820.
[AC_2] vlan batch 820
[AC_2] interface gigabitethernet 0/0/24
[AC_2-GigabitEthernet0/0/24] port trunk allow-pass vlan 820
[AC_2-GigabitEthernet0/0/24] quit
[AC_2] interface vlanif 820
[AC_2-Vlanif820] ip address 172.16.1.3 24
[AC_2-Vlanif820] quit
# Create member VRRP group 2 on AC_1 and bind it to mVRRP group 1.
[AC_1] interface vlanif 820
[AC_1-Vlanif820] vrrp vrid 2 virtual-ip 172.16.1.1
[AC_1-Vlanif820] vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown
[AC_1-Vlanif820] quit
# Create member VRRP group 2 on AC_2 and bind it to mVRRP group 1.
[AC_2] interface vlanif 820
[AC_2-Vlanif820] vrrp vrid 2 virtual-ip 172.16.1.1
[AC_2-Vlanif820] vrrp vrid 2 track admin-vrrp interface Vlanif 800 vrid 1 unflowdown
[AC_2-Vlanif820] quit
- Configure S12700_A, S12700_B, and the RADIUS server to communicate with AC_1 and AC_2.
[CSS] vlan batch 820
[CSS] interface gigabitethernet 1/1/0/20
[CSS-GigabitEthernet1/1/0/20] port trunk allow-pass vlan 820
[CSS-GigabitEthernet1/1/0/20] quit
[CSS] interface gigabitethernet 1/1/0/21
[CSS-GigabitEthernet1/1/0/21] port trunk allow-pass vlan 820
[CSS-GigabitEthernet1/1/0/21] quit
[CSS] interface gigabitethernet 2/1/0/23
[CSS-GigabitEthernet2/1/0/23] port trunk allow-pass vlan 820
[CSS-GigabitEthernet2/1/0/23] quit
[CSS] interface gigabitethernet 2/1/0/18
[CSS-GigabitEthernet2/1/0/18] port trunk allow-pass vlan 820
[CSS-GigabitEthernet2/1/0/18] quit
- Create and configure a RADIUS server template and AAA schemes.
# Create and configure the RADIUS server template radius_huawei.
[AC_1] radius-server template radius_huawei
[AC_1-radius-radius_huawei] radius-server authentication 172.16.1.254 1812 weight 80 //Configure an authentication server.
[AC_1-radius-radius_huawei] radius-server accounting 172.16.1.254 1813 weight 80 //Configure an accounting server.
[AC_1-radius-radius_huawei] radius-server shared-key cipher huawei@123
[AC_1-radius-radius_huawei] radius-server timeout 1
[AC_1-radius-radius_huawei] quit
[AC_1] radius-server source ip-address 172.16.1.1
The shared key huawei@123 is a placeholder. In production, use a long, randomly generated key that is unique to this deployment, and register it on the RADIUS server for the source address 172.16.1.1 (the VRRP virtual address), because that is the client address the server will see from whichever AC is active.
For a large or busy network, set the RADIUS retransmission timeout as short as is practical. A long timeout holds AC resources while it waits for a reply, while a shorter timeout lets the AC process more authentication requests.
The default retransmission timeout for wireless users is 5s. If more than eight authentication server IP addresses are configured in the RADIUS server template, or 802.1X authentication is used, set the timeout to 1s to improve processing efficiency.
# Create a RADIUS authorization server.
[AC_1] radius-server authorization 172.16.1.254 shared-key cipher huawei@123 //In V200R021C00 and later, you must also run the radius-server authorization server-source command to configure the IPv4 address on which the AC receives and answers request packets from the RADIUS authorization server; otherwise the authorization server does not take effect.
# Create the AAA authentication and accounting schemes radius_huawei and set both to RADIUS mode.
[AC_1] aaa
[AC_1-aaa] authentication-scheme radius_huawei
[AC_1-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to RADIUS.
[AC_1-aaa-authen-radius_huawei] quit
[AC_1-aaa] accounting-scheme radius_huawei
[AC_1-aaa-accounting-radius_huawei] accounting-mode radius //Set the accounting mode to RADIUS.
[AC_1-aaa-accounting-radius_huawei] accounting realtime 15 //Enable real-time accounting with an interval of 15 minutes.
[AC_1-aaa-accounting-radius_huawei] quit
[AC_1-aaa] quit
A shorter real-time accounting interval requires higher performance of the network devices and the RADIUS server. Set the real-time accounting interval according to the number of users. Table 4-139 lists the recommended real-time accounting intervals for different user quantities.
Table 4-139 Recommended real-time accounting intervals for different user quantities
| User Quantity | Real-Time Accounting Interval (Minutes) |
|---|---|
| 1-99 | 3 |
| 100-499 | 6 |
| 500-999 | 12 |
| ≥1000 | ≥15 |
- Configure the source IP address for communication with the RADIUS server in the system view of AC_2. Other RADIUS configurations on AC_2 will be synchronized from AC_1 using the wireless configuration synchronization function.
[AC_2] radius-server source ip-address 172.16.1.1
Configuring MAC Address-prioritized Portal Authentication on the ACs
- Configure a URL profile and set the redirection URL of the Portal server. The URL carries two parameters: the SSID the user associated with and the original URL the user requested.
[AC_1] url-template name huawei
[AC_1-url-template-huawei] url http://172.16.1.254:8080/portal
[AC_1-url-template-huawei] url-parameter ssid ssid redirect-url url
[AC_1-url-template-huawei] quit
The redirect target shown is plain http. If the Portal server offers HTTPS, use an https URL so that the credentials a user types on the Portal page are not sent in cleartext over the open-authentication guest SSID.
- Configure a Portal server template.
[AC_1] web-auth-server huawei
[AC_1-web-auth-server-huawei] server-ip 172.16.1.254 //Configure the Portal server address.
[AC_1-web-auth-server-huawei] shared-key cipher huawei@123 //Configure a shared key.
[AC_1-web-auth-server-huawei] port 50200 //Configure the Portal server port number.
[AC_1-web-auth-server-huawei] url-template huawei
[AC_1-web-auth-server-huawei] quit
[AC_1] web-auth-server source-ip 172.16.1.1
- Create a Portal access profile named wlan_net.
[AC_1] portal-access-profile name wlan_net
[AC_1-portal-access-profile-wlan_net] web-auth-server huawei direct
[AC_1-portal-access-profile-wlan_net] quit
- Create a MAC access profile named mac.
[AC_1] mac-access-profile name mac
[AC_1-mac-access-profile-mac] quit
- Create an authentication-free rule profile.
[AC_1] free-rule-template name default_free_rule
[AC_1-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.253 mask 32 //172.16.1.253 is the DNS server, which unauthenticated users must be able to reach.
[AC_1-free-rule-default_free_rule] quit
- Create a Portal authentication profile named wlan_net_portal_auth.
[AC_1] authentication-profile name wlan_net_portal_auth
[AC_1-authentication-profile-wlan_net_portal_auth] mac-access-profile mac
[AC_1-authentication-profile-wlan_net_portal_auth] portal-access-profile wlan_net
[AC_1-authentication-profile-wlan_net_portal_auth] free-rule-template default_free_rule
[AC_1-authentication-profile-wlan_net_portal_auth] authentication-scheme radius_huawei
[AC_1-authentication-profile-wlan_net_portal_auth] accounting-scheme radius_huawei
[AC_1-authentication-profile-wlan_net_portal_auth] radius-server radius_huawei
[AC_1-authentication-profile-wlan_net_portal_auth] quit
- Configure the source IP address for communication with the Portal server in the system view of AC_2. Other Portal configurations on AC_2 will be synchronized from AC_1 using the wireless configuration synchronization function.
[AC_2] web-auth-server source-ip 172.16.1.1
Configure 802.1X authentication on the ACs.
- Create an 802.1X access profile named huawei.
[AC_1] dot1x-access-profile name huawei
[AC_1-dot1x-access-profile-huawei] quit
- Create an 802.1X authentication profile named wlan_net_dot1x_auth.
[AC_1] authentication-profile name wlan_net_dot1x_auth
[AC_1-authentication-profile-wlan_net_dot1x_auth] dot1x-access-profile huawei
[AC_1-authentication-profile-wlan_net_dot1x_auth] authentication-scheme radius_huawei
[AC_1-authentication-profile-wlan_net_dot1x_auth] accounting-scheme radius_huawei
[AC_1-authentication-profile-wlan_net_dot1x_auth] radius-server radius_huawei
[AC_1-authentication-profile-wlan_net_dot1x_auth] quit
- Other 802.1X configurations on AC_2 will be synchronized from AC_1 using the wireless configuration synchronization function.
Configuring WLAN Services on the ACs to Meet Wireless Access Requirements in the Offices
- Configure LLDP.
# Configure LLDP on the AC.
To view the Layer 2 link status between network devices and analyze the network topology, enable LLDP. To view the Layer 2 link status between APs and access switches, enable WLAN LLDP. WLAN LLDP has two switches: one in the system view (ap lldp enable) and one in the AP wired port link profile view (lldp enable). An AP sends and receives LLDP packets only when both are enabled; both are enabled by default.
[AC_1] lldp enable
[AC_1] wlan
[AC_1-wlan-view] ap lldp enable
[AC_1-wlan-view] port-link-profile name default
[AC_1-wlan-port-link-prof-default] lldp enable
[AC_1-wlan-port-link-prof-default] quit
[AC_1-wlan-view] quit
# Configure LLDP on access switches.
With LLDP enabled, the switch can identify and classify powered devices (PDs) from the information they advertise over LLDP. With LLDP disabled, it can detect and classify PDs only by measuring the current and resistance on the link, which is less comprehensive and less accurate. Enabling LLDP in the system view enables it on all interfaces.
[S5700_A] lldp enable
- Create VLANs on AC_1 and enable DHCP snooping.
[AC_1] dhcp snooping enable
[AC_1] vlan 700
[AC_1-vlan700] description wlan_net
[AC_1-vlan700] dhcp snooping enable
[AC_1-vlan700] quit
[AC_1] vlan 701
[AC_1-vlan701] description wlan_net
[AC_1-vlan701] dhcp snooping enable
[AC_1-vlan701] quit
[AC_1] vlan 800
[AC_1-vlan800] description AP-management-vlan
[AC_1-vlan800] quit
- Configure WLAN services on AC_1.
# Configure the source IP address for the CAPWAP tunnel.
[AC_1] capwap source ip-address 10.128.1.1
# Create an AP group on AC_1 to which the APs with the same configuration can be added. The following example describes how to add AP_1 to an AP group. Other APs can be added using the same method.
[AC_1] wlan
[AC_1-wlan-view] ap-group name wlan_net
[AC_1-wlan-ap-group-wlan_net] quit
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 1 ap-mac 60de-4476-e360
[AC_1-wlan-ap-1] ap-group wlan_net
Warning: This operation maybe cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]y
[AC_1-wlan-ap-1] ap-name AP_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-1] quit
[AC_1-wlan-view] quit
# Configure other AP groups based on planning.
# Create a security profile and configure a security policy. Set the security policy to open system authentication.
[AC_1] wlan
[AC_1-wlan-view] security-profile name open
[AC_1-wlan-sec-prof-open] security open
[AC_1-wlan-sec-prof-open] quit
# Create security profile dot1x and configure a security policy.
[AC_1-wlan-view] security-profile name dot1x
[AC_1-wlan-sec-prof-dot1x] security wpa2 dot1x aes
[AC_1-wlan-sec-prof-dot1x] quit
# Create an SSID profile for guests and another for employees. Enable 802.11r in the SSID profile where 802.1X authentication is enabled.
[AC_1-wlan-view] ssid-profile name wlan_net_portal_auth
[AC_1-wlan-ssid-prof-wlan_net_portal_auth] ssid wlan_net_portal_auth
[AC_1-wlan-ssid-prof-wlan_net_portal_auth] quit
[AC_1-wlan-view] ssid-profile name wlan_net_dot1x_auth
[AC_1-wlan-ssid-prof-wlan_net_dot1x_auth] ssid wlan_net_dot1x_auth
[AC_1-wlan-ssid-prof-wlan_net_dot1x_auth] dot11r enable
[AC_1-wlan-ssid-prof-wlan_net_dot1x_auth] quit
# Enable Layer 2 user isolation in traffic profile wlan_net.
[AC_1-wlan-view] traffic-profile name wlan_net
[AC_1-wlan-traffic-prof-wlan_net] user-isolate l2
[AC_1-wlan-traffic-prof-wlan_net] quit
# Create a VAP profile for guests, set service VLAN 700 (the default direct forwarding mode is kept), reference the security profile, traffic profile, SSID profile, and authentication profile, and enable IPSG, dynamic ARP inspection, and strict STA IP address learning through DHCP.
[AC_1-wlan-view] vap-profile name wlan_net_portal_auth
[AC_1-wlan-vap-prof-wlan_net_portal_auth] service-vlan vlan-id 700
[AC_1-wlan-vap-prof-wlan_net_portal_auth] security-profile open
[AC_1-wlan-vap-prof-wlan_net_portal_auth] traffic-profile wlan_net
[AC_1-wlan-vap-prof-wlan_net_portal_auth] ssid-profile wlan_net_portal_auth
[AC_1-wlan-vap-prof-wlan_net_portal_auth] authentication-profile wlan_net_portal_auth
[AC_1-wlan-vap-prof-wlan_net_portal_auth] ip source check user-bind enable
[AC_1-wlan-vap-prof-wlan_net_portal_auth] arp anti-attack check user-bind enable
[AC_1-wlan-vap-prof-wlan_net_portal_auth] learn-client-address dhcp-strict
[AC_1-wlan-vap-prof-wlan_net_portal_auth] quit
Prerequisites for the ip source check user-bind enable command. The IP packet check is performed against the binding table, so:
- The dynamic DHCP snooping binding table must have been generated for DHCP users.
- A static binding table must have been configured manually for users with static IP addresses.
Prerequisites for the learn-client-address dhcp-strict command:
- The DHCP trusted port has been disabled in the VAP profile view using the undo dhcp trust port command.
- STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command.
# Create a VAP profile for enterprise employees, set service VLAN 701 (the default direct forwarding mode is kept), reference the security profile, traffic profile, SSID profile, and authentication profile, and enable IPSG, dynamic ARP inspection, and strict STA IP address learning through DHCP.
[AC_1-wlan-view] vap-profile name wlan_net_dot1x_auth
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] service-vlan vlan-id 701
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] security-profile dot1x
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] traffic-profile wlan_net
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] ssid-profile wlan_net_dot1x_auth
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] authentication-profile wlan_net_dot1x_auth
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] ip source check user-bind enable
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] arp anti-attack check user-bind enable
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] learn-client-address dhcp-strict
[AC_1-wlan-vap-prof-wlan_net_dot1x_auth] quit
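Both VAP profiles above switch on IPSG and dynamic ARP inspection against the user binding table, and the prerequisites explain why a static-IP STA that nobody added to the table loses connectivity. The following added example (Python, not Huawei code) models that decision logic: a binding table populated from snooped DHCP ACKs or static entries, an IPSG check on the IP header and a DAI check on the ARP body. The MAC addresses, the interface key "AP_1/wlan1" and the packets are constructed; 10.129.1.2 is the VLAN 700 gateway address from the S7700 configuration on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str        # Huawei notation, e.g. "aaaa-0000-0001"
    ip: str
    vlan: int
    interface: str  # for a WLAN user: the VAP the STA is associated with (assumed key)


class BindingTable:
    """User binding table keyed on (MAC, VLAN, interface), as IPSG and DAI consult it."""

    def __init__(self):
        self._entries = {}

    def learn_from_dhcp_ack(self, mac, ip, vlan, interface):
        """Dynamic entry: what DHCP snooping records when it sees the server's ACK."""
        self._entries[(mac, vlan, interface)] = Binding(mac, ip, vlan, interface)

    def add_static(self, mac, ip, vlan, interface):
        """Static entry: what an operator must add for a fixed-IP STA."""
        self._entries[(mac, vlan, interface)] = Binding(mac, ip, vlan, interface)

    def lookup(self, mac, vlan, interface):
        return self._entries.get((mac, vlan, interface))


def ipsg_allows(table, frame):
    """`ip source check user-bind enable`: forward an IP frame only when its
    source MAC, source IP, VLAN and interface all match one binding entry."""
    b = table.lookup(frame["src_mac"], frame["vlan"], frame["interface"])
    return b is not None and b.ip == frame["src_ip"]


def dai_allows(table, arp):
    """`arp anti-attack check user-bind enable`: the sender MAC/IP inside the ARP
    body must match a binding, so a STA cannot claim the gateway's address."""
    b = table.lookup(arp["sender_mac"], arp["vlan"], arp["interface"])
    return b is not None and b.ip == arp["sender_ip"]


def run_demo():
    table = BindingTable()
    # Constructed bindings: one STA obtained 10.129.1.10 via DHCP on VAP wlan 1 of AP_1,
    # one printer with a fixed address was added statically.
    table.learn_from_dhcp_ack("aaaa-0000-0001", "10.129.1.10", 700, "AP_1/wlan1")
    table.add_static("bbbb-0000-0002", "10.129.1.20", 700, "AP_1/wlan1")

    vap = {"vlan": 700, "interface": "AP_1/wlan1"}
    frames = {
        "sta_legit": {"src_mac": "aaaa-0000-0001", "src_ip": "10.129.1.10", **vap},
        # the same STA spoofing the gateway address (10.129.1.2 is the S7700 VLANIF)
        "sta_spoofs_gateway": {"src_mac": "aaaa-0000-0001", "src_ip": "10.129.1.2", **vap},
        # fixed-IP host never added to the table: dropped, as the prerequisites warn
        "static_no_binding": {"src_mac": "cccc-0000-0003", "src_ip": "10.129.1.30", **vap},
        "printer_static": {"src_mac": "bbbb-0000-0002", "src_ip": "10.129.1.20", **vap},
    }
    arps = {
        "arp_legit": {"sender_mac": "aaaa-0000-0001", "sender_ip": "10.129.1.10", **vap},
        # gratuitous ARP claiming the gateway IP with the STA's MAC (MITM attempt)
        "arp_poison_gateway": {"sender_mac": "aaaa-0000-0001", "sender_ip": "10.129.1.2", **vap},
    }
    result = {name: ipsg_allows(table, f) for name, f in frames.items()}
    result.update({name: dai_allows(table, a) for name, a in arps.items()})
    return result


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:20s} {'forward' if allowed else 'drop'}")
```

The table is keyed on MAC, VLAN and interface together, so an entry learned on one VAP does not authorise the same MAC on another; that is why, in the real AC, a STA that roams or is re-associated must have its binding follow it, which is what the AC's DHCP snooping and address learning do for DHCP clients and what static entries cannot do by themselves.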
# Create 2.4 GHz and 5 GHz radio profiles on AC_1. The RTS-CTS operation mode is set to rts-cts and the RTS-CTS threshold to 1400 bytes.
[AC_1-wlan-view] radio-2g-profile name 2G
[AC_1-wlan-radio-2g-prof-2G] rts-cts-mode rts-cts //Specify the RTS-CTS mode in the radio profile.
[AC_1-wlan-radio-2g-prof-2G] rts-cts-threshold 1400 //Set the RTS-CTS threshold in the radio profile.
[AC_1-wlan-radio-2g-prof-2G] quit
[AC_1-wlan-view] radio-5g-profile name 5G
[AC_1-wlan-radio-5g-prof-5G] rts-cts-mode rts-cts
[AC_1-wlan-radio-5g-prof-5G] rts-cts-threshold 1400
[AC_1-wlan-radio-5g-prof-5G] quit
# Bind VAP profiles wlan_net_portal_auth and wlan_net_dot1x_auth to the AP group and apply them to radios 0 and 1 of the APs; bind the radio profiles to the two radios.
[AC_1-wlan-view] ap-group name wlan_net
[AC_1-wlan-ap-group-wlan_net] vap-profile wlan_net_portal_auth wlan 1 radio all
[AC_1-wlan-ap-group-wlan_net] vap-profile wlan_net_dot1x_auth wlan 2 radio all
[AC_1-wlan-ap-group-wlan_net] radio 0
[AC_1-wlan-group-radio-wlan_net/0] radio-2g-profile 2G
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-wlan_net/0] quit
[AC_1-wlan-ap-group-wlan_net] radio 1
[AC_1-wlan-group-radio-wlan_net/1] radio-5g-profile 5G
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-wlan_net/1] quit
[AC_1-wlan-ap-group-wlan_net] quit
[AC_1-wlan-view] quit
- Configure WLAN services on AC_2.
# Enable LLDP on AC_2.
[AC_2] lldp enable
[AC_2] wlan
[AC_2-wlan-view] ap lldp enable
[AC_2-wlan-view] quit
# Create VLANs on AC_2 and enable DHCP snooping.
[AC_2] dhcp snooping enable
[AC_2] vlan 700
[AC_2-vlan700] description wlan_net
[AC_2-vlan700] dhcp snooping enable
[AC_2-vlan700] quit
[AC_2] vlan 701
[AC_2-vlan701] description wlan_net
[AC_2-vlan701] dhcp snooping enable
[AC_2-vlan701] quit
[AC_2] vlan 800
[AC_2-vlan800] description AP-management-vlan
[AC_2-vlan800] quit
# Configure the source IP address for the CAPWAP tunnel.
[AC_2] capwap source ip-address 10.128.1.1
# Enable two-node HSB on AC_2.
[AC_2] hsb-group 0
[AC_2-hsb-group-0] hsb enable
[AC_2-hsb-group-0] quit
Configuring Wireless Configuration Synchronization
- Configure wireless configuration synchronization on AC_1.
[AC_1] wlan
[AC_1-wlan-view] master controller
[AC_1-master-controller] master-redundancy peer-ip ip-address 10.1.1.254 local-ip ip-address 10.1.1.253 psk H@123456
[AC_1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 800
[AC_1-master-controller] quit
[AC_1-wlan-view] quit
The pre-shared key H@123456 is a placeholder; the same key must be configured on both ACs, and in production it should be a long random value, since it protects the channel over which the full AC configuration is pushed to the peer.
- Configure wireless configuration synchronization on AC_2.
[AC_2] wlan
[AC_2-wlan-view] master controller
[AC_2-master-controller] master-redundancy peer-ip ip-address 10.1.1.253 local-ip ip-address 10.1.1.254 psk H@123456
[AC_2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 800
[AC_2-master-controller] quit
[AC_2-wlan-view] quit
- Run the display sync-configuration status command to check the wireless configuration synchronization status. If the Status field shows cfg-mismatch, manually trigger synchronization from the master AC to the backup master AC. The backup master AC restarts during synchronization; wait until it is back up before continuing.
[AC_1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP    Role    Device Type    Version        Status                             Last synced
----------------------------------------------------------------------------------------------------
10.1.1.254       Backup  AC6805         V200R010C00    cfg-mismatch(config check fail)    -
----------------------------------------------------------------------------------------------------
Total: 1
[AC_1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y
Adding the ACs to the Service Manager of Agile Controller-Campus and Configuring Parameters to Ensure That Agile Controller-Campus Can Communicate with the ACs
Choose Resource > Device > Device Management and click Add to add an AC.
| Parameter | Description |
|---|---|
| IP Address | Virtual IP address of VLANIF 820: 172.16.1.1 |
| RADIUS authentication & accounting keys | Same as configured with the radius-server shared-key cipher huawei@123 command in the RADIUS server template |
| Real-time accounting interval | Same as configured with the accounting realtime 15 command in the accounting scheme |
| Portal key | Same as configured with the shared-key cipher huawei@123 command in the Portal server template |
| IP addresses of access STAs | Same as the IP address pool for STAs |
Adding an Authorization Result and Authorization Rule to Grant Access Control Permissions to Users After They Are Successfully Authenticated
- Wireless access users are authenticated and authorized using the default rules. By default, they can access all resources after they are successfully authenticated.
Choose Policy > Permission Control > Authentication & Authorization to change the authentication and authorization rule.
- (Optional) Choose Policy > Permission Control > Page Customization > Page Customization to define a push page. If no push page is defined, the default page is used.
- (Optional) Choose Policy > Permission Control > Page Customization > Portal Page Push Rule to configure a page push rule. Page push rules are matched by priority. If no priority is set, pages are pushed according to the default rules.
- Choose System > Terminal Configuration > Global Parameters and enable MAC address-prioritized Portal authentication.