No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Enterprise
Worldwide
Huawei Global - English
Search
Support Documentation
WLAN V200R019C00 Typical Configuration Examples
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment

Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment

This example illustrates how to configure Portal authentication on a hot standby (HSB) wireless network. VRRP-enabled ACs, RADIUS servers, and Portal servers on the network are deployed in HSB mode, improving network reliability.

Involved Products and Versions

Product Type

Product Name

Version

Agile Controller-Campus

Agile Controller-Campus

V100R002C10

WLAN AC

AC6605

V200R006C20

Access switch

S2750EI

V200R008C00

Aggregation switch

S5720HI

V200R008C00

Core switch

S7700

V200R008C00

Networking Requirements

A company has about 2000 employees and needs to deploy an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network.

The company has the following requirements:
  • The authentication operations must be simple. The authentication system only performs access authorization and does not require any client software on user terminals.
  • A unified identity authentication mechanism is used to authenticate all terminals attempting to connect to the campus network and deny access from unauthorized terminals.
  • Employees and guests access the campus network using different SSIDs.
  • Employees can connect only to the DNS server and Agile Controller-Campus of the company before authentication, and can connect to both the intranet and Internet after being authenticated.
  • Guests can connect only to the DNS server and Agile Controller-Campus of the company before authentication, and can connect only to the Internet after being authenticated.
  • Two ACs, two core switches, and two Agile Controller-Campus servers are deployed in HSB mode to improve network reliability.
Figure 4-98 Networking of Portal authentication for wireless users in HSB mode

Requirement Analysis

The company has no specific requirement on terminal security check and requires simple operations, without a need to install authentication clients on wireless terminals. Considering the networking and requirements of the company, Portal authentication can be used on the campus network.

Based on user requirements, networking design is performed as follows:
  • Reliability
    • AC1 and AC2 are connected to S7700A and S7700B in bypass mode, respectively. A VRRP group is configured between AC1 and AC2, and HSB is used to determine the active and standby ACs.
    • A VRRP group is configured between S7700A and S7700B to improve reliability.
    • Eth-Trunks are used to connect aggregation switches and access switches, ACs and core switches, and ACs.
    • The Agile Controller-Campus is deployed in 1+2 (one SM + two SCs) mode to ensure reliability of the authentication server.
  • Internetworking
    • The aggregation switch is configured as a DHCP server to assign IP addresses to APs. Core switches serve as DHCP servers to assign IP addresses to employees and guests.
  • Data traffic forwarding mode

    Data packets of employees and guests are forwarded in local and tunnel modes, respectively. Authentication packets of employees and guests are forwarded both in tunnel mode.

  • Services
    • Employees and guests are all authenticated on the web pages pushed by the Portal server. You need to configure different ACL rules on the ACs to control access rights of employees and guests.
    • Different SSIDs need to be configured for employees and guests so that different authentication pages can be pushed to them based on their SSIDs.

VLAN Plan

Table 4-117 VLAN plan

VLAN ID

Function

100

mVLAN for APs

101

Service VLAN for employees

102

Service VLAN for guests

103

Egress VLAN for core switches

104

VLAN for communication between ACs

Network Data Plan

Table 4-118 Network data plan

Item

No.

Interface Number

Eth-Trunk

VLAN

IP address

Description

Access switch S2750EI

(1)

GE0/0/1

-

100 and 101

-

Connected to the AP in the employee area

(2)

GE0/0/4

-

100 and 101

-

Connected to the AP in the guest area

(3)

GE0/0/2 and GE0/0/3

Eth-Trunk1

100 and 101

-

Connected to the aggregation switch S5720HI

Aggregation switch S5720HI

(4)

GE0/0/1 and GE0/0/2

Eth-Trunk1

100 and 101

VLANIF 100: 172.18.10.4/24

Connected to the access switch S2750EI

Gateway for APs

(5)

GE0/0/3 and GE0/0/4

Eth-Trunk2

100 and 101

-

Connected to the core switch S7700A

(6)

GE0/0/5 and GE0/0/6

Eth-Trunk3

100 and 101

-

Connected to the core switch S7700B

S7700A (Active)

(7)

GE1/0/1 and GE1/0/2

Eth-Trunk1

100 and 101

VLANIF 101: 172.19.10.2/24

Connected to the aggregation switch S5720HI

(8)

GE1/0/3 and GE1/0/4

Eth-Trunk2

100, 101, and 102

VLANIF 100: 172.18.10.5/24

VLANIF 102: 172.20.10.2/24

Connected to AC1

(9)

GE1/0/5

-

103

VLANIF 103: 172.22.20.1/24

Connected to the egress router

S7700B (Standby)

(10)

GE1/0/1 and GE1/0/2

Eth-Trunk1

100 and 101

VLANIF 101: 172.19.10.3/24

Connected to the aggregation switch S5720HI

(11)

GE1/0/3 and GE1/0/4

Eth-Trunk2

100, 101, and 102

VLANIF 100: 172.18.10.6/24

VLANIF 102: 172.20.10.3/24

Connected to AC2

(12)

GE1/0/5

-

103

VLANIF 103: 172.23.20.1/24

Connected to the egress router

AC1 (Active)

(13)

GE0/0/1 and GE0/0/2

Eth-Trunk1

100

VLANIF 100: 172.18.10.2/24

Connected to the core switch S7700A

(14)

GE0/0/3 and GE0/0/4

Eth-Trunk2

104

VLANIF 104: 10.10.11.1/24

Connected to AC2

AC2 (Standby)

(15)

GE0/0/1 and GE0/0/2

Eth-Trunk1

100

VLANIF 100: 172.18.10.3/24

Connected to the core switch S7700B

(16)

GE0/0/3 and GE0/0/4

Eth-Trunk2

104

VLANIF 104: 10.10.11.2/24

Connected to AC1

Virtual addresses of ACs

-

-

-

-

172.18.10.1/24

Connected to the Agile Controller-Campus

Virtual address 1 of S7700s

-

-

-

-

172.19.10.1/24

Gateway for employees

Virtual address 2 of S7700s

-

-

-

-

172.20.10.1/24

Gateway for guests

Server

SM + SC (RADIUS server 1 + Portal server 1)

172.22.10.2

-

SC (RADIUS server 2 + Portal server 2)

172.22.10.3

-

DNS server

172.22.10.4

-

Internal server

172.22.10.5

-

Service Data Plan

Table 4-119 Service data plan

Item

Data

Description

AC

Number of the ACL for employees' post-authentication domain: 3001

SSID of the employee area: employee

You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.

Number of the ACL for guests' post-authentication domain: 3002

SSID of the guest area: guest

You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
RADIUS authentication server:
  • Primary IP address: 172.22.10.2
  • Secondary IP address: 172.22.10.3
  • Port number: 1812
  • Shared key: Admin@123
  • The Service Controller of the Agile Controller-Campus provides RADIUS server and Portal server functions; therefore, IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the Service Controller.
  • Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
  • Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.
RADIUS accounting server:
  • Primary IP address: 172.22.10.2
  • Secondary IP address: 172.22.10.3
  • Port number: 1813
  • Shared key: Admin@123
  • Accounting interval: 15 minutes
RADIUS authorization server:
  • Primary IP address: 172.22.10.2
  • Secondary IP address: 172.22.10.3
  • Shared key: Admin@123
Portal server:
  • Primary IP address: 172.22.10.2
  • Secondary IP address: 172.22.10.3
  • Port number that the AC uses to listen on Portal protocol packets: 2000
  • Destination port number in the packets that the AC sends to the Portal server: 50200
  • Shared key: Admin@123
  • Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123

Agile Controller-Campus

Host name1: access1.example.com

Host name2: access2.example.com

Users can use the domain name to access the Portal server.

Authentication port: 1812

-

Accounting port: 1813

-

RADIUS shared key: Admin@123

It must be the same as the RADIUS shared key configured on the AC.

Port number of the Portal server: 50200

-

Portal key: Admin@123

It must be the same as the Portal key configured on the AC.
Department: Employee
  • Account: tony
  • Password: Admin@123
Department: Guest
  • Account: susan
  • Password: Admin@123

Department Employee, employee account tony, and guest account susan have been created on the Agile Controller-Campus.

Pre-authentication domain

SM + SC1 (RADIUS server + Portal server), SC2 (RADIUS server + Portal server), and DNS server

-

Post-authentication domain for employees

Internal servers and Internet

-

Post-authentication domain for guests

Internet

-

Prerequisites

You have connected core router interfaces at 172.22.20.2/24 and 172.23.20.2/24 to S7700A and S7700B, respectively.

Configuration Roadmap

  1. Configure the access switches, aggregation switch, core switches, and ACs to implement interworking on the network.
  2. On the ACs, configure a RADIUS server template, configure authentication, accounting, and authorization schemes in the template, and specify the IP addresses of Portal servers. In this way, the ACs can communicate with RADIUS servers and Portal servers.
  3. Configure wireless configuration synchronization on the AC.
  4. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the Agile Controller-Campus can manage the ACs.
  5. Add authorization results and rules to grant different access rights to employees and guests after they are successfully authenticated.

Procedure

  1. [Device] Configure the access switch S2750EI to ensure network connectivity.

    <HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101   //Create VLAN 100 and VLAN 101 in a batch.
[S2700] interface gigabitethernet 0/0/1  //Enter the view of the interface connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk  //Change the link type of gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100  //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101  //Add gigabitethernet0/0/1 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/4  //Enter the view of the interface connected to another AP.
[S2700-GigabitEthernet0/0/4] port link-type trunk  //Change the link type of gigabitethernet0/0/4 to trunk.
[S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100  //Set the default VLAN of gigabitethernet0/0/4 to VLAN 100.
[S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101  //Add gigabitethernet0/0/4 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/4] quit

    # Create Eth-Trunk 1, and add GE0/0/2 and GE0/0/3 to Eth-Trunk 1.

    [S2700] interface eth-trunk 1  //Create Eth-Trunk 1.
[S2700-Eth-Trunk1] quit
[S2700] interface gigabitethernet 0/0/2  //Add gigabitethernet0/0/2 to Eth-Trunk 1.
[S2700-GigabitEthernet0/0/2] eth-trunk 1
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3  //Add gigabitethernet0/0/3 to Eth-Trunk 1.
[S2700-GigabitEthernet0/0/3] eth-trunk 1
[S2700-GigabitEthernet0/0/3] quit

    # Add Eth-Trunk 1 to VLANs.

    [S2700] interface eth-trunk 1  //Enter the view of the interface connected to the aggregation switch.
[S2700-Eth-Trunk1] port link-type trunk  //Change the link type of Eth-Trunk 1 to trunk.
[S2700-Eth-Trunk1] port trunk allow-pass vlan 100 101  //Add Eth-Trunk 1 to VLAN 100 and VLAN 101.
[S2700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S2700-Eth-Trunk1] quit
[S2700] quit
<S2700> save  //Save the configuration.

  2. [Device] Configure the aggregation switch S5720HI to ensure network connectivity.

    <HUAWEI> system-view
[HUAWEI] sysname S5720HI
[S5720HI] dhcp enable   //Enable the DHCP service.
[S5720HI] vlan batch 100 101   //Create VLAN 100 and VLAN 101 in a batch.
[S5720HI] interface vlanif 100  //Enter the view of VLANIF 100.
[S5720HI-Vlanif100] ip address 172.18.10.4 24  //Configure an IP address for VLANIF 100 as the APs' gateway.
[S5720HI-Vlanif100] dhcp select interface
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3  //Exclude IP addresses in use from the DHCP address pool.
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6
[S5720HI-Vlanif100] quit

    # Create Eth-Trunk 1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk 1.

    [S5720HI] interface eth-trunk 1
[S5720HI-Eth-Trunk1] quit
[S5720HI] interface gigabitethernet 0/0/1
[S5720HI-GigabitEthernet0/0/1] eth-trunk 1
[S5720HI-GigabitEthernet0/0/1] quit
[S5720HI] interface gigabitethernet 0/0/2
[S5720HI-GigabitEthernet0/0/2] eth-trunk 1
[S5720HI-GigabitEthernet0/0/2] quit

    # Add Eth-Trunk 1 to VLANs.

    [S5720HI] interface eth-trunk 1  //Enter the view of the interface connected to the access switch S2700.
[S5720HI-Eth-Trunk1] port link-type trunk
[S5720HI-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk1] quit

    # Create Eth-Trunk 2, and add GE0/0/3 and GE0/0/4 to Eth-Trunk 2.

    [S5720HI] interface eth-trunk 2
[S5720HI-Eth-Trunk2] quit
[S5720HI] interface gigabitethernet 0/0/3
[S5720HI-GigabitEthernet0/0/3] eth-trunk 2
[S5720HI-GigabitEthernet0/0/3] quit
[S5720HI] interface gigabitethernet 0/0/4
[S5720HI-GigabitEthernet0/0/4] eth-trunk 2
[S5720HI-GigabitEthernet0/0/4] quit

    # Add Eth-Trunk 2 to VLANs.

    [S5720HI] interface eth-trunk 2  //Enter the view of the interface connected to the core switch S7700A.
[S5720HI-Eth-Trunk2] port link-type trunk
[S5720HI-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk2] quit

    # Create Eth-Trunk 3, and add GE0/0/5 and GE0/0/6 to Eth-Trunk 3.

    [S5720HI] interface eth-trunk 3
[S5720HI-Eth-Trunk3] quit
[S5720HI] interface gigabitethernet 0/0/5
[S5720HI-GigabitEthernet0/0/5] eth-trunk 3
[S5720HI-GigabitEthernet0/0/5] quit
[S5720HI] interface gigabitethernet 0/0/6
[S5720HI-GigabitEthernet0/0/6] eth-trunk 3
[S5720HI-GigabitEthernet0/0/6] quit

    # Add Eth-Trunk 3 to VLANs.

    [S5720HI] interface eth-trunk 3  //Enter the view of the interface connected to the core switch S7700B.
[S5720HI-Eth-Trunk3] port link-type trunk
[S5720HI-Eth-Trunk3] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk3] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk3] quit
[S5720HI] quit
<S5720HI> save  //Save the configuration.

  3. [Device] Configure the core switch S7700A to ensure network connectivity.

    <HUAWEI> system-view
[HUAWEI] sysname S7700A
[S7700A] vlan batch 100 to 103   //Create VLAN 100, VLAN 101, VLAN 102, and VLAN 103 in a batch.

    # Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.

    [S7700A] interface eth-trunk 1
[S7700A-Eth-Trunk1] quit
[S7700A] interface gigabitethernet 1/0/1
[S7700A-GigabitEthernet1/0/1] eth-trunk 1
[S7700A-GigabitEthernet1/0/1] quit
[S7700A] interface gigabitethernet 1/0/2
[S7700A-GigabitEthernet1/0/2] eth-trunk 1
[S7700A-GigabitEthernet1/0/2] quit

    # Add Eth-Trunk 1 to VLANs.

    [S7700A] interface eth-trunk 1  //Enter the view of the interface connected to the aggregation switch S5720HI.
[S7700A-Eth-Trunk1] port link-type trunk
[S7700A-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700A-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk1] quit
[S7700A] dhcp enable
[S7700A] interface vlanif 101  //Enter the view of VLANIF 101.
[S7700A-Vlanif101] ip address 172.19.10.2 24  //Configure an IP address for VLANIF 101 for communicating with VLANIF 101 on S7700B.
[S7700A-Vlanif101] dhcp select interface  //Configure DHCP for VLANIF 101 so that the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700A-Vlanif101] dhcp server dns-list 172.22.10.4  //Configure the DNS server address.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.1  //Exclude IP addresses in use from the DHCP address pool.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.3
[S7700A-Vlanif101] quit

    # Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.

    [S7700A] interface eth-trunk 2
[S7700A-Eth-Trunk2] quit
[S7700A] interface gigabitethernet 1/0/3
[S7700A-GigabitEthernet1/0/3] eth-trunk 2
[S7700A-GigabitEthernet1/0/3] quit
[S7700A] interface gigabitethernet 1/0/4
[S7700A-GigabitEthernet1/0/4] eth-trunk 2
[S7700A-GigabitEthernet1/0/4] quit

    # Add Eth-Trunk 2 to VLANs.

    [S7700A] interface eth-trunk 2  //Enter the view of the interface connected to AC1.
[S7700A-Eth-Trunk2] port link-type trunk
[S7700A-Eth-Trunk2] port trunk allow-pass vlan 100 101 102
[S7700A-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk2] quit
[S7700A] interface vlanif 100  //Enter the view of VLANIF 100.
[S7700A-Vlanif100] ip address 172.18.10.5 24  //Configure an IP address for VLANIF 100 for communicating with AC1.
[S7700A-Vlanif100] quit
[S7700A] interface vlanif 102  //Enter the view of VLANIF 102.
[S7700A-Vlanif102] ip address 172.20.10.2 24  //Configure an IP address for VLANIF 102 for communicating with VLANIF 102 on S7700B.
[S7700A-Vlanif102] dhcp select interface  //Configure DHCP for VLANIF 102 so that the IP address of VLANIF 102 can be configured as the gateway for guests.
[S7700A-Vlanif102] dhcp server dns-list 172.22.10.4
[S7700A-Vlanif102] dhcp server excluded-ip-address 172.20.10.1
[S7700A-Vlanif102] dhcp server excluded-ip-address 172.20.10.3
[S7700A-Vlanif102] quit

    # Configure an IP address for the interface connecting to the egress router.

    [S7700A] interface gigabitethernet 1/0/5  //Enter the view of the interface connected to the egress router.
[S7700A-GigabitEthernet1/0/5] port link-type trunk
[S7700A-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700A-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
[S7700A-GigabitEthernet1/0/5] quit
[S7700A] interface vlanif 103
[S7700A-Vlanif103] ip address 172.22.20.1 24
[S7700A-Vlanif103] quit
[S7700A] ip route-static 0.0.0.0 0 172.22.20.2
[S7700A] quit
<S7700A> save  //Save the configuration.

  4. [Device] Configure the core switch S7700B to ensure network connectivity.

    <HUAWEI> system-view
[HUAWEI] sysname S7700B
[S7700B] vlan batch 100 to 103   //Create VLAN 100, VLAN 101, VLAN 102, and VLAN 103 in a batch.

    # Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.

    [S7700B] interface eth-trunk 1
[S7700B-Eth-Trunk1] quit
[S7700B] interface gigabitethernet 1/0/1
[S7700B-GigabitEthernet1/0/1] eth-trunk 1
[S7700B-GigabitEthernet1/0/1] quit
[S7700B] interface gigabitethernet 1/0/2
[S7700B-GigabitEthernet1/0/2] eth-trunk 1
[S7700B-GigabitEthernet1/0/2] quit

    # Add Eth-Trunk 1 to VLANs.

    [S7700B] interface eth-trunk 1  //Enter the view of the interface connected to the aggregation switch S5720HI.
[S7700B-Eth-Trunk1] port link-type trunk
[S7700B-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700B-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk1] quit
[S7700B] dhcp enable
[S7700B] interface vlanif 101  //Enter the view of VLANIF 101.
[S7700B-Vlanif101] ip address 172.19.10.3 24 //Configure an IP address for VLANIF 101 for communicating with VLANIF 101 on S7700A.
[S7700B-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700B-Vlanif101] dhcp server dns-list 172.22.10.4  //Configure the DNS server address.
[S7700B-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 172.19.10.2  //Exclude IP addresses in use from the DHCP address pool.
[S7700B-Vlanif101] quit

    # Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.

    [S7700B] interface eth-trunk 2
[S7700B-Eth-Trunk2] quit
[S7700B] interface gigabitethernet 1/0/3
[S7700B-GigabitEthernet1/0/3] eth-trunk 2
[S7700B-GigabitEthernet1/0/3] quit
[S7700B] interface gigabitethernet 1/0/4
[S7700B-GigabitEthernet1/0/4] eth-trunk 2
[S7700B-GigabitEthernet1/0/4] quit

    # Add Eth-Trunk 2 to VLANs.

    [S7700B] interface eth-trunk 2  //Enter the view of the interface connected to AC2.
[S7700B-Eth-Trunk2] port link-type trunk
[S7700B-Eth-Trunk2] port trunk allow-pass vlan 100 101 102
[S7700B-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk2] quit
[S7700B] interface vlanif 100  //Enter the view of VLANIF 100.
[S7700B-Vlanif100] ip address 172.18.10.6 24  //Configure an IP address for VLANIF 100 for communicating with AC2.
[S7700B-Vlanif100] quit
[S7700B] interface vlanif 102  //Enter the view of VLANIF 102.
[S7700B-Vlanif102] ip address 172.20.10.3 24//Configure an IP address for VLANIF 102 for communicating with VLANIF 102 on S7700A.
[S7700B-Vlanif102] dhcp select interface//Configure DHCP for VLANIF 102 so that the IP address of VLANIF 102 can be configured as the gateway for guests.
[S7700B-Vlanif102] dhcp server dns-list 172.22.10.4
[S7700B-Vlanif102] dhcp server excluded-ip-address 172.20.10.1 172.20.10.2
[S7700B-Vlanif102] quit

    # Configure an IP address for the interface connecting to the egress router.

    [S7700B] interface gigabitethernet 1/0/5  //Enter the view of the interface connected to egress router.
[S7700B-GigabitEthernet1/0/5] port link-type trunk
[S7700B-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700B-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
[S7700B-GigabitEthernet1/0/5] quit
[S7700B] interface vlanif 103
[S7700B-Vlanif103] ip address 172.23.20.1 24
[S7700B-Vlanif103] quit
[S7700B] ip route-static 0.0.0.0 0 172.23.20.2
[S7700B] quit
<S7700B> save  //Save the configuration.

  5. [Device] Configure VRRP groups on core switches (S7700s).

    # On VLANIF 101 of S7700A, create VRRP group 1, set the priority of S7700A in the VRRP group to 120 and preemption delay to 20s, and configure the virtual IP address of VRRP group 1 as the employee gateway address.

    <S7700A> system-view
[S7700A] interface vlanif 101
[S7700A-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700A-Vlanif101] vrrp vrid 1 priority 120
[S7700A-Vlanif101] vrrp vrid 1 preempt-mode timer delay 20
[S7700A-Vlanif101] quit

    # On VLANIF 102 of S7700A, create VRRP group 2, set the priority of S7700A in the VRRP group to 120 and preemption delay to 20s, and configure the virtual IP address of VRRP group 2 as the guest gateway address.

    [S7700A] interface vlanif 102
[S7700A-Vlanif102] vrrp vrid 1 virtual-ip 172.20.10.1
[S7700A-Vlanif102] vrrp vrid 1 priority 120
[S7700A-Vlanif102] vrrp vrid 1 preempt-mode timer delay 20
[S7700A-Vlanif102] quit
[S7700A] quit
<S7700A> save  //Save the configuration.

    # On VLANIF 101 of S7700B, create VRRP group 1 and set the priority of S7700B in the VRRP group to 100.

    <S7700B> system-view
[S7700B] interface vlanif 101
[S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700B-Vlanif101] quit

    # On VLANIF 102 of S7700B, create VRRP group 2 and set the priority of S7700B in the VRRP group to 100.

    [S7700B] interface vlanif 102
[S7700B-Vlanif102] vrrp vrid 1 virtual-ip 172.20.10.1
[S7700B-Vlanif102] quit
[S7700B] quit
<S7700B> save  //Save the configuration.

  6. [Device] Configure the ACs to ensure network connectivity.

    # On AC1, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting AC1 to S7700A to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC1 to AC2 to Eth-Trunk 2.

    <AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101 102 104
[AC1] interface eth-trunk 1
[AC1-Eth-Trunk1] port link-type trunk
[AC1-Eth-Trunk1] port trunk allow-pass vlan 100
[AC1-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2 connected to the core switch S7700A to Eth-Trunk 1.
[AC1-Eth-Trunk1] quit
[AC1] interface eth-trunk 2
[AC1-Eth-Trunk2] port link-type trunk
[AC1-Eth-Trunk2] port trunk allow-pass vlan 104
[AC1-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4 connected to AC2 to Eth-Trunk 2.
[AC1-Eth-Trunk2] quit

    # Configure an IP address for AC1 to communicate with other NEs.

    [AC1] interface vlanif 104
[AC1-Vlanif104] ip address 10.10.11.1 24 //Configure an IP address for VLANIF 104 for communicating with AC2 and transmitting backup data.
[AC1-Vlanif104] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.2 24 
[AC1-Vlanif100] quit

    # Configure a default route for AC1 so that packets are forwarded to core switches by default.

    [AC1] ip route-static 0.0.0.0 0 172.18.10.5

    # On AC2, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting AC2 to S7700B to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC2 to AC1 to Eth-Trunk 2.

    <AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 102 104
[AC2] interface eth-trunk 1
[AC2-Eth-Trunk1] port link-type trunk
[AC2-Eth-Trunk1] port trunk allow-pass vlan 100
[AC2-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2 connected to the core switch S7700B to Eth-Trunk 1.
[AC2-Eth-Trunk1] quit
[AC2] interface eth-trunk 2
[AC2-Eth-Trunk2] port link-type trunk
[AC2-Eth-Trunk2] port trunk allow-pass vlan 104
[AC2-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4 connected to AC1 to Eth-Trunk 2.
[AC2-Eth-Trunk2] quit

    # Configure an IP address for AC2 to communicate with other NEs.

    [AC2] interface vlanif 104
[AC2-Vlanif104] ip address 10.10.11.2 24 //Configure an IP address for VLANIF 104 for communicating with AC1 and transmitting backup data.
[AC2-Vlanif104] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.3 24 
[AC2-Vlanif100] quit

    # Configure a default route for AC2 so that packets are forwarded to core switches by default.

    [AC2] ip route-static 0.0.0.0 0 172.18.10.6

  7. [Device] Configure the AP to go online.

    # Create an AP group to which APs with the same configuration can be added.

    [AC1] wlan
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] quit

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y 
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit

    # Configure the AC's source interface.

    [AC1] capwap source ip-address 172.18.10.1

    # Import the AP offline on the AC and add the AP to the AP group. This example assumes that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are 60de-4476-e360 and 60de-4476-e380 respectively.

    [AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y 
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y 
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.

    [AC1] display ap all
Total AP information:
nor  : normal          [2]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 ap_0 ap_group  172.18.10.254 AP6010DN-AGN    nor   0   20S
1    60de-4476-e380 ap_1 ap_group  172.18.10.253 AP6010DN-AGN    nor   0   10S
-------------------------------------------------------------------------------------
Total: 2

  8. [Device] Configure interconnection parameters for the AC and RADIUS server as well as the AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.

    # On AC1, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.

    [AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 weight 80  //Configure a primary RADIUS authentication server with a higher weight than that of the secondary authentication server. Authentication port 1812.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 weight 40  //Configure a secondary RADIUS authentication server with a lower weight than that of the primary authentication server. Authentication port 1812.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 weight 80  //Configure a primary RADIUS accounting server with a higher weight than that of the secondary accounting server to obtain user login and logout information. Accounting port 1813.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 weight 40  //Configure a secondary RADIUS accounting server with a lower weight than that of the primary accounting server to obtain user login and logout information. Accounting port 1813.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123  //Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original  //Configure the AC to send the user names entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server source ip-address 172.18.10.1  //Configure the AC to use 172.18.10.1 to communicate with the RADIUS server.
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123  //Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC. Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server. V200R021C00 and later versions, you must run the radius-server authorization server-source command to configures an IPv4 address for receiving and responding to request packets of a RADIUS authorization server so that the function of the RADIUS authorization server can take effect.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123  //Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC. V200R021C00 and later versions, you must run the radius-server authorization server-source command to configures an IPv4 address for receiving and responding to request packets of a RADIUS authorization server so that the function of the RADIUS authorization server can take effect.
//Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
//The access control device can process CoA/DM Request packets initiated by the Agile Controller-Campus only after the authorization servers are configured. 
//Authentication servers and authorization servers must have a one-to-one mapping, that is, the number of authentication servers and authorization servers must be the same. 
//If not, the Agile Controller-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius  //Set the authentication scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius  //Set the accounting scheme to RADIUS. 
//The RADIUS accounting scheme must be used so that the RADIUS server can maintain account state information such as login/logout information and force users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15  //Set the real-time accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit

    The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set a real-time accounting interval based on the user quantity.

    Table 4-120 Accounting interval

    User Quantity

    Real-Time Accounting Interval

    1 to 99

    3 minutes

    100 to 499

    6 minutes

    500 to 999

    12 minutes

    ≥ 1000

    ≥ 15 minutes

    # Check whether a user can use a RADIUS template for authentication. (User name test and password Admin_123 have been configured on the RADIUS server.)

    [AC1] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.
    # Configure Portal authentication for AC1.

    1. Configure the URL of the primary Portal authentication page. When a user attempts to access a website before authentication, the AC redirects the website to the primary Portal server.

      You are advised to configure the URL using a domain name to ensure secure and fast page pushing. Before configuring the URL using a domain name, you must first configure the mapping between the domain name and IP address of the Agile Controller-Campus server on the DNS server.

      [AC1] url-template name huawei1
[AC1-url-template-huawei1] url http://access1.example.com:8080/portal  //access1.example.com is the host name of the primary Portal server.

    2. Configure parameters carried in the URL, which must be the same as those on the authentication server.

      [AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url  //Specify the names of the parameters included in the URL. The parameter names must the same as those on the authentication server. 
//This first ssid indicates that the URL contains the SSID field, and the second ssid indicates the parameter name. 
//For example, after ssid ssid is configured, the URL redirected to the user contains sid=guest, where ssid indicates the parameter name, and guest indicates the SSID with which the user associates. 
//The second SSID represents the transmitted parameter name only and cannot be replaced with the actual user SSID.
//When the AC uses URL as the parameter name, the URL must be entered on the Portal server to specify to which URL users' access request will be redirected.
[AC1-url-template-huawei1] quit

    3. Configure the URL of the secondary Portal authentication page. When the primary Portal server is unavailable, the AC redirects the website that a user attempts to access to the secondary Portal server.

      [AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal  //access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit

    4. Specify the port number used to process Portal protocol packets. The default port number is 2000. If you change the port number on the AC, set the same port number when you add this AC to the Agile Controller-Campus.

      [AC1] web-auth-server listening-port 2000

    5. Configure a primary Portal server template, including configuring the IP address and port number of the primary Portal server.

      Set the destination port number in the packets sent to the Portal server to 50200. The Portal server accepts packets with destination port 50200, but the AC uses port 50100 to send packets to the Portal server by default. Therefore, you must change the port number to 50200 on the AC so that the AC can communicate with the Portal server.

      [AC1] web-auth-server source-ip 172.18.10.1  //Configure an IP address for the device to communicate with the Portal server. 
[AC1] web-auth-server portal_huawei1  //In V200R021C00 and later versions, you must use the web-auth-server server-source or server-source command to configure the local gateway address used by the device to receive and respond to the packets sent by the Portal server. Otherwise, the Portal interconnection function cannot be used.
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2  //Configure an IP address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200  //Set the destination port number in the packets sent to the Portal server to 50200.

    6. Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server. In addition, enable the AC to transmit encrypted URL parameters to the Portal server.

      [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123  //Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
[AC1-web-auth-server-portal_huawei1] url-template huawei1  //Bind the URL template to the Portal server profile.

    7. Enable the Portal server detection function.

      After the Portal server detection function is enabled in the Portal server template, the device detects all Portal servers configured in the Portal server template. If the number of times that the device fails to detect a Portal server exceeds the upper limit, the status of the Portal server is changed from Up to Down. If the number of Portal servers in Up state is less than or equal to the minimum number (specified by the critical-num parameter), the device performs the corresponding operation to allow the administrator to obtain the real-time Portal server status. The detection interval cannot be shorter than 15s, and the recommended value is 100s. The AC only supports Portal server detection but not Portal escape.

      [AC1-web-auth-server-portal_huawei1] server-detect interval 100 max-times 5 critical-num 0 action log

    8. Configure a secondary Portal server template, including configuring the IP address, port number, and shared key of the secondary Portal server.

      [AC1] web-auth-server portal_huawei2  //In V200R021C00 and later versions, you must use the web-auth-server server-source or server-source command to configure the local gateway address used by the device to receive and respond to the packets sent by the Portal server. Otherwise, the Portal interconnection function cannot be used.
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3  //Configure an IP address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5 critical-num 0 action log
[AC1-web-auth-server-portal_huawei2] quit

    # Enable the Portal authentication quiet period function. With this function enabled, the AC drops packets of an authentication user during the quiet period if the user fails Portal authentication for the specified number of times in 60 seconds. This function protects the AC from overloading caused by frequent authentication.

    [AC1] portal quiet-period
[AC1] portal quiet-times 5  //Set the maximum number of authentication failures in 60 seconds before a Portal authentication is set to quiet state.
[AC1] portal timer quiet-period 240  //Set the quiet period to 240 seconds.

    # Create a Portal access profile, and bind the Portal server template to it.

    [AC1] portal-access-profile name acc_portal  //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1 portal_huawei2 direct  //Configure the primary and secondary Portal server templates used by the Portal access profile. If the network between end users and the AC is a Layer 2 network, configure the direct mode; if the network is a Layer 3 network, configure the layer3 mode.
[AC1-portal-access-profile-acc_portal] quit

    # Configure pre-authentication and post-authentication access rules for employees and guests.

    [AC1] free-rule-template name default_free_rule 
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask 255.255.255.255  //Configure a Portal authentication-free rule to allow users to connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] quit
    [AC1] acl 3001  //Configure the post-authentication domain for employees, including the intranet and Internet.
[AC1-acl-adv-3001]  rule 5 permit ip
[AC1-acl-adv-3001]  quit
[AC1] acl 3002  //Configure the post-authentication domain for guests, including the Internet.
[AC1-acl-adv-3002]  rule 5 deny ip destination 172.22.10.5 0  //172.22.10.5 is the company's server resource and cannot be accessed by guests.
[AC1-acl-adv-3002]  rule 10 permit ip
[AC1-acl-adv-3002]  quit
    # Configure an authentication profile.
    [AC1] authentication-profile name auth_portal
[AC1-authentication-profile-auth_portal] portal-access-profile acc_portal
[AC1-authentication-profile-auth_portal] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_portal] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_portal] radius-server radius_template
[AC1-authentication-profile-auth_portal] free-rule-template default_free_rule
[AC1-authentication-profile-auth_portal] quit

    # Enable terminal type awareness to allow the AC1 to send the option fields containing the terminal type in DHCP packets to the authentication server. In this way, the authentication server can push the correct Portal authentication pages to users based on their terminal types.

    [AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60

    # Enable terminal type awareness to allow the AC2 to send the option fields containing the terminal type in DHCP packets to the authentication server. In this way, the authentication server can push the correct Portal authentication pages to users based on their terminal types.

    [AC2] dhcp snooping enable 
[AC2] device-sensor dhcp option 12 55 60

    # In the AC2 system view, configure a source IP address for the device to communicate with the RADIUS server and Portal server. Other RADIUS and Portal configurations on AC2 are synchronized through the wireless configuration synchronization function.

    [AC2] radius-server source ip-address 172.18.10.1 
[AC2] web-auth-server source-ip 172.18.10.1

  9. [Device] Set WLAN service parameters on AC1.

    # Create the security profile security_portal and set the security policy in the profile.

    [AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit

    # Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to employee and guest respectively.

    [AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit

    # Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data forwarding mode and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.

    [AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward  //Configure direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal  //Bind the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel  //Configure tunnel forwarding for guests.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit

    # Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of the AP.

    [AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0  //Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1  //Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0  //Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1  //Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit

  10. [Device] Configure VRRP on AC1 to implement AC HSB.

    # Set the recovery delay of a VRRP group to 30 seconds.

    [AC1] vrrp recover-delay 30

    # Create a management VRRP group on AC1. Set the priority of AC1 in the VRRP group to 120 and preemption delay to 1200s.

    [AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP address for the management VRRP group.
[AC1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of AC1 in the VRRP group.
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200 //Set the preemption delay for AC1 in the VRRP group.
[AC1-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP group.
[AC1-Vlanif100] quit

    # Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active and standby channels. Set the retransmission time and interval of HSB service 0.

    [AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

    # Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP group.

    [AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

    # Bind the NAC service to the HSB group.

    [AC1] hsb-service-type access-user hsb-group 0

    # Bind the WLAN service to the HSB group.

    [AC1] hsb-service-type ap hsb-group 0

    # Bind the DHCP service to the HSB group.

    [AC1] hsb-service-type dhcp hsb-group 0

    # Enable HSB.

    [AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

  11. [Device] Configure VRRP on AC2 to implement AC HSB.

    # Set the recovery delay of a VRRP group to 30 seconds.

    [AC2] vrrp recover-delay 30

    # Create a management VRRP group on AC2

    [AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP address for the management VRRP group.
[AC2-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP backup group.
[AC2-Vlanif100] quit

    # Create HSB service 0 on AC2 Configure the IP addresses and port numbers for the active and standby channels. Set the retransmission time and interval of HSB service 0.

    [AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

    # Create HSB group 0 on AC2 and bind it to HSB service 0 and the management VRRP group.

    [AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

    # Bind the NAC service to the HSB group.

    [AC2] hsb-service-type access-user hsb-group 0

    # Bind the WLAN service to the HSB group.

    [AC2] hsb-service-type ap hsb-group 0

    # Bind the DHCP service to the HSB group.

    [AC2] hsb-service-type dhcp hsb-group 0

    # Enable HSB.

    [AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

  12. [Device] Verify the VRRP configuration.

    # After the configurations are complete, run the display vrrp command on AC1 and AC2. The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.

    [AC1] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 172.18.10.1
    Master IP : 172.18.10.2
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 1200 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2005-07-31 01:25:55 UTC+08:00
    Last change time : 2005-07-31 02:48:22 UTC+08:00
                                                                                

    [AC2] display vrrp
  Vlanif100 | Virtual Router 1
    State : Backup
    Virtual IP : 172.18.10.1
    Master IP : 172.18.10.2
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2005-07-31 02:11:07 UTC+08:00
    Last change time : 2005-07-31 03:40:45 UTC+08:00

    # Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status. The value of the Service State field is Connected, indicating that the active and standby HSB channels have been established.

    [AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.10.11.1
  Peer IP Address        : 10.10.11.2
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 2
  Keep Alive Interval    : 1
  Service State          : Connected
  Service Batch Modules  : 
----------------------------------------------------------

    [AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.10.11.2
  Peer IP Address        : 10.10.11.1
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 2
  Keep Alive Interval    : 1
  Service State          : Connected
  Service Batch Modules  : 
----------------------------------------------------------

    # Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.

    [AC1] display hsb-group 0
Hot Standby Group Information:                                                  
----------------------------------------------------------                      
  HSB-group ID                : 0                                               
  Vrrp Group ID               : 1                                               
  Vrrp Interface              : Vlanif100                                       
  Service Index               : 0                                               
  Group Vrrp Status           : Master                                          
  Group Status                : Active                                          
  Group Backup Process        : Realtime                                        
  Peer Group Device Type      : AC6605                                          
  Peer Group Software Version : V200R006C20           
  Group Backup Modules        : Access-user                                     
                                AP
                                DHCP                                            
----------------------------------------------------------  
    [AC2] display hsb-group 0
Hot Standby Group Information:                                                  
----------------------------------------------------------                      
  HSB-group ID                : 0                                               
  Vrrp Group ID               : 1                                               
  Vrrp Interface              : Vlanif100                                       
  Service Index               : 0                                               
  Group Vrrp Status           : Backup                                          
  Group Status                : Inactive                                        
  Group Backup Process        : Realtime                                        
  Peer Group Device Type      : AC6605                                          
  Peer Group Software Version : V200R006C20           
  Group Backup Modules        : Access-user                                     
                                DHCP                                            
                                AP                                              
----------------------------------------------------------

  13. Configure the private WLAN configuration on AC2.

    # Configure the source address of AC2.

    [AC2] capwap source ip-address 172.18.10.1

    1. Configuring Wireless Configuration Synchronization in VRRP Hot Backup Scenarios.

      # Configure wireless configuration synchronization on AC1.

      [AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 10.10.11.2 local-ip ip-address 10.10.11.1 psk H@123456
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit

      # Configure wireless configuration synchronization on AC2.

      [AC2] wlan
[AC2-wlan-view] master controller
[AC2-master-controller] master-redundancy peer-ip ip-address 10.10.11.1 local-ip ip-address 10.10.11.2 psk H@123456
[AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC2-master-controller] quit
[AC2-wlan-view] quit

    2. Manually Triggering Wireless Configuration Synchronization.

      # Run the display sync-configuration status command to check the wireless configuration synchronization status. The command output shows that the status is cfg-mismatch. The wireless configuration needs to be manually synchronized from the master AC to the backup master AC. Wait until the Backup Master AC is restarted.

      [AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version        Status                           Last synced
----------------------------------------------------------------------------------------------------
10.10.11.2    Backup  AC6605          V200R008C10    cfg-mismatch(config check fail)  -
----------------------------------------------------------------------------------------------------
Total: 1
[AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to conti
nue? [Y/N]:y

  14. Check the wireless configuration synchronization.

    # Run the display sync-configuration status command on AC1 and AC2 to check the wireless configuration synchronization status. If the status is up, the wireless configuration synchronization function is normal.

    [AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version              Status        Last synced
-----------------------------------------------------------------------------------------
10.10.11.2    Backup  AC6605          V200R008C10          up       2017-09-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1
[AC2] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version              Status        Last synced
-----------------------------------------------------------------------------------------
10.10.11.1    Master  AC6605          V200R008C10          up       2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1

  15. [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile Controller-Campus to manage the AC.
    1. Choose Resource > Device > Device Management.
    2. Click Add.
    3. Configure parameters for the AC.

      Parameter

      Value

      Description

      Name

      AC

      -

      IP address

      172.18.10.1

      The AC interface with this IP address must be able to communicate with the Service Controller.

      Enable RADIUS

      Select

      -

      Authentication/Accounting key

      Admin@123

      [AC1-radius-radius_template] radius-server shared-key cipher Admin@123

      Authorization key

      Admin@123

      [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123

      Real-time accounting interval (minute)

      15

      [AC1-aaa-accounting-acco_scheme] accounting realtime 15

      Enable Portal

      Select

      -

      Port

      2000

      This is the port that the AC uses to communicate with the Portal server. Retain the default value.

      Portal key

      Admin@123

      [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123

      Access terminal IPv4 list

      172.20.0.0/24;172.21.0.0/24

      You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure.

      Enable heartbeat between access device and Portal server

      Selected

      When detecting that the primary Portal server is unavailable, the access device automatically connects to the secondary Portal server.

      The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device.

      Portal server IP list

      172.22.10.2;172.22.10.3

      -

    4. Click OK.
  16. [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile Controller-Campus can authorize users through the SSIDs.
    1. Choose Policy > Permission Control > Policy Element > SSID.
    2. Click Add and add SSIDs for employees and guests.

      The SSIDs must be the same as those configured on the AC.

  17. [Agile Controller-Campus] Configure authorization results and rules to grant different access rights to employees and guests after they are successfully authenticated.
    1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and add authorization ACLs for employees and guests.

      The ACL numbers must be the same as those configured on the authentication control device.

    2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and bind the authorization result to specify resources accessible to employees and guests after successful authentication.

    3. Modify the default authorization rule by changing the authorization result to Deny Access.

      Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click on the right of Default Authorization Rule. Change the value of Authorization Result to Deny Access.

Verification

If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration must be completed for the browser. Otherwise, the Portal authentication page cannot be displayed.
  1. Choose Tools > Internet Options.
  2. Select options related to Use TLS on the Advanced tab.



  3. Click OK.

Item

Expected Result

Employee authentication
  • User account tony (employee account) can only access the Agile Controller-Campus server and DNS server before authentication.
  • When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the default authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
  • After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online.
  • On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users.
  • On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony.

Guest authentication
  • User account susan (guest account) can only access the Agile Controller-Campus server and DNS server before authentication.
  • When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
  • User account susan cannot access internal servers of the company.
  • After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online.
  • On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users.
  • On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan.

AC1 power-off

Services are automatically switched to AC2, without affecting employee and guest authentication. The process is not detected by user terminals.

SC power-off

After the network cable of a Service Controller is removed, employees and guests are re-authenticated and go online. Their access rights are normal.

Summary and Suggestions

  • The authentication key, accounting key, and Portal key must be kept consistent on the ACs and Agile Controller-Campus. The accounting interval set on the Agile Controller-Campus must also be the same as those on the ACs.

  • Authorization rules or Portal page push rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition or Portal push condition of a user matches a rule, the Agile Controller-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and set lower priorities for the rules defining fuzzy conditions.

  • The RADIUS accounting function is configured on the ACs to enable the Agile Controller-Campus to obtain online user information by exchanging accounting packets with the AC. The Agile Controller-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.
Translation
简体中文
Download
Updated: 2021-11-18

Document ID: EDOC1100096116

Views: 280288

Downloads: 2225

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :