Example for Configuring Layer 2 External IPv6 Portal Authentication
Networking Requirements
In Figure 4-37, an AC of an enterprise is directly connected to an AP. The enterprise deploys the WLAN named wlan-net to provide wireless network access for employees. The AC functions as the DHCP server to assign IP addresses to wireless users.
The AC and employees' STAs communicate at Layer 2. To reduce network security risks, you can deploy Layer 2 Portal authentication on the AC. The AC works with the RADIUS server (integrated with the Portal server) to control access by employees who attempt to connect to the enterprise network, meeting the enterprise's security requirements.
Configuration Roadmap
- Configure basic WLAN services on the AC so that the AC can communicate with upstream and downstream devices and that the AP can go online.
- Configure RADIUS authentication parameters.
- Configure a Portal server template.
- Configure a Portal access profile and configure Layer 2 Portal authentication.
- Configure an authentication-free rule profile so that the AC permits packets destined to the DNS server.
- Configure an authentication profile to manage NAC authentication configurations.
- Configure WLAN service parameters, and bind a security policy profile and an authentication profile to a VAP profile to control STAs' access to the WLAN.
Data Plan
| Item | Data |
|---|---|
| RADIUS authentication parameters | RADIUS authentication scheme name: radius_huawei; RADIUS accounting scheme name: scheme1; RADIUS server template name: radius_huawei |
| Portal server template | Name: abc; IPv4 address: 10.23.200.1; IPv6 address: FC00:1::1; port: 50200; shared key: Admin@123; URL: http://[FC00:1::1]:8445/portal |
| Portal access profile | Name: portal1; Portal server template: abc; Layer 2 (direct) Portal authentication |
| Authentication-free rule profile | Name: default_free_rule; IPv6 ACL 3001 permitting packets destined for the DNS server FC00:1::2 |
| Authentication profile | Name: p1; referenced profiles and schemes: portal1, default_free_rule, radius_huawei (authentication scheme), scheme1, radius_huawei (server template) |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to STAs and the AP. |
| IP address pool for the AP | FC00:2::2 to FC00:2::FFFE/112 |
| IP address pool for STAs | FC00:3::2 to FC00:3::FFFE/112 |
| AC's source interface address | VLANIF 100: FC00:2::1/112 |
| AP group | Name: ap-group1; referenced profiles: domain1, wlan-vap |
| Regulatory domain profile | Name: domain1; country code: CN |
| SSID profile | Name: wlan-ssid; SSID: wlan-net |
| Security profile | Name: wlan-security; security policy: open |
| VAP profile | Name: wlan-vap; forwarding mode: tunnel; service VLAN: 101; referenced profiles: wlan-security, wlan-ssid, p1 |
Procedure
- Configure the AC to enable exchange of CAPWAP packets between the AP and AC.
# Add AC interface GE0/0/1 to VLAN 100 (management VLAN).
In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used, configure port isolation on GE0/0/1, which connects the AC to the AP. Without port isolation, a large number of broadcast packets will be transmitted over the VLAN, or WLAN users on different APs will be able to communicate directly at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
```
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/3
```
- Configure the AC to communicate with upper-layer network devices.
# Add GE0/0/2 that connects the AC to the upper-layer device to VLAN 101 (service VLAN).
```
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
```
- Configure the AC as a DHCP server to assign IP addresses to STAs and the AP.
# Configure the AC as a DHCP server to assign an IP address to the AP from the IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF 101.
```
[AC] dhcp enable
[AC] dhcpv6 pool pool1
[AC-dhcpv6-pool-pool1] address prefix fc00:2::/112
[AC-dhcpv6-pool-pool1] quit
[AC] dhcpv6 pool pool2
[AC-dhcpv6-pool-pool2] address prefix fc00:3::/112
[AC-dhcpv6-pool-pool2] dns-server FC00:1::2
[AC-dhcpv6-pool-pool2] quit
[AC] ipv6
[AC] interface vlanif 100
[AC-Vlanif100] ipv6 enable
[AC-Vlanif100] ipv6 address fc00:2::1 112
[AC-Vlanif100] dhcpv6 server pool1
[AC-Vlanif100] undo ipv6 nd ra halt
[AC-Vlanif100] ipv6 nd autoconfig managed-address-flag
[AC-Vlanif100] ipv6 nd autoconfig other-flag
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] ipv6 enable
[AC-Vlanif101] ipv6 address fc00:3::1 112
[AC-Vlanif101] dhcpv6 server pool2
[AC-Vlanif101] undo ipv6 nd ra halt
[AC-Vlanif101] ipv6 nd autoconfig managed-address-flag
[AC-Vlanif101] ipv6 nd autoconfig other-flag
[AC-Vlanif101] quit
```
- Configure a route from the AC to the server zone (the following assumes that the IPv4 and IPv6 addresses of the upstream device connected to the AC are 10.23.101.2 and FC00:3::2).
```
[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
[AC] ipv6 route-static fc00:1:: 112 fc00:3::2
```
- Configure the AP to go online.
# Create an AP group to add APs with the same configurations to this AP group.
```
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
```
# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
```
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
```
# Configure the AC's source interface.
```
[AC] capwap source interface vlanif 100
```
# Import the AP offline on the AC and add the AP to the AP group ap-group1. The following assumes that the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on its deployment location, so that you can tell where it is deployed from its name. If it is in area 1, name it area_1. The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 of the AP5030DN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency band.
```
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
```
- Configure a RADIUS server template, a RADIUS authentication scheme, and a RADIUS accounting scheme.
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.
# Configure a RADIUS server template.
```
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication fc00:1::1 1812
[AC-radius-radius_huawei] radius-server accounting fc00:1::1 1813
[AC-radius-radius_huawei] radius-server shared-key cipher Example@123
[AC-radius-radius_huawei] quit
```
# Configure a RADIUS authentication scheme.
```
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
```
# Configure a RADIUS accounting scheme.
```
[AC-aaa] accounting-scheme scheme1
[AC-aaa-accounting-scheme1] accounting-mode radius
[AC-aaa-accounting-scheme1] accounting realtime 15
[AC-aaa-accounting-scheme1] quit
[AC-aaa] quit
```
In this example, the AC is interconnected with the Agile Controller-Campus. Accounting is not used for billing here; it is used only to maintain terminal online information through accounting packets.
The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the user quantity.
| User Quantity | Real-Time Accounting Interval |
|---|---|
| 1-99 | 3 minutes |
| 100-499 | 6 minutes |
| 500-999 | 12 minutes |
| ≥ 1000 | ≥ 15 minutes |
- Configure a Portal server template.
Ensure that the Portal server IP address, URL, port number, and shared key are configured correctly and are the same as those on the Portal server.
```
[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 10.23.200.1
[AC-web-auth-server-abc] server-ip ipv6 fc00:1::1
[AC-web-auth-server-abc] shared-key cipher Admin@123
[AC-web-auth-server-abc] port 50200
[AC-web-auth-server-abc] url http://[FC00:1::1]:8445/portal
[AC-web-auth-server-abc] quit
```
- Configure the Portal access profile portal1 and configure Layer 2 Portal authentication.
```
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] web-auth-server abc direct
[AC-portal-access-profile-portal1] quit
```
- Configure an authentication-free rule profile.
```
[AC] acl ipv6 number 3001
[AC-acl6-adv-3001] rule 5 permit ipv6 destination fc00:1::2 112
[AC-acl6-adv-3001] quit
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule acl ipv6 3001
[AC-free-rule-default_free_rule] quit
```
- Configure the authentication profile p1.
```
[AC] authentication-profile name p1
[AC-authentication-profile-p1] portal-access-profile portal1
[AC-authentication-profile-p1] free-rule-template default_free_rule
[AC-authentication-profile-p1] authentication-scheme radius_huawei
[AC-authentication-profile-p1] accounting-scheme scheme1
[AC-authentication-profile-p1] radius-server radius_huawei
[AC-authentication-profile-p1] quit
```
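The two access-control settings above that decide what an unauthenticated STA can reach are the authentication-free ACL and the Portal server URL. Note that the ACL rule on this page, `permit ipv6 destination fc00:1::2 112`, is a /112 prefix rather than a single host, so it covers the whole FC00:1::/112 range, including the RADIUS/Portal server at FC00:1::1. The following script is an added example, not Huawei code or part of the original page: it parses rules in the configuration-file format shown here (the rule 10 /128 variant is a constructed comparison, not from the page), reports which infrastructure hosts are reachable before authentication under each rule, and extracts the Portal URL's scheme, host and port so an operator can confirm the login page is served where and how they intend.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt in the AC configuration-file format used on this page.
# Rule 5, the server addresses and the URL are copied from the example;
# rule 10 (/128) is an added variant to show the effect of a host-only rule.
SAMPLE_CONFIG = """\
acl ipv6 number 3001
 rule 5 permit ipv6 destination FC00:1::2/112
 rule 10 permit ipv6 destination FC00:1::2/128
#
web-auth-server abc
 server-ip ipv6 FC00:1::1
 port 50200
 url http://[FC00:1::1]:8445/portal
"""

# Accepts both the config-file form (addr/len) and the CLI form (addr len).
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+permit\s+ipv6\s+destination\s+(\S+?)(?:/|\s+)(\d+)\s*$"
)


def parse_free_rules(config):
    """Return {rule_number: IPv6Network} for 'permit ipv6 destination' rules."""
    rules = {}
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, addr, plen = int(m.group(1)), m.group(2), int(m.group(3))
            # strict=False: the page writes a host address with a /112 prefix;
            # the device applies the rule to the whole covering network.
            rules[num] = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return rules


def pre_auth_reachable(rules, hosts):
    """For each host (name -> address) list the rule numbers that let an
    unauthenticated STA reach it. An empty list means 'blocked until Portal
    authentication succeeds'."""
    report = {}
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        report[name] = sorted(n for n, net in rules.items() if ip in net)
    return report


def portal_url(config):
    """Return (scheme, host, port, path) of the web-auth-server URL, or None.
    urlsplit strips the brackets around an IPv6 literal and lowercases it."""
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("url "):
            u = urlsplit(s[4:])
            return u.scheme, u.hostname, u.port, u.path
    return None


if __name__ == "__main__":
    # Hosts are the infrastructure addresses used on this page.
    hosts = {
        "dns (FC00:1::2)": "FC00:1::2",
        "radius/portal (FC00:1::1)": "FC00:1::1",
        "ac vlanif100 (FC00:2::1)": "FC00:2::1",
    }
    rules = parse_free_rules(SAMPLE_CONFIG)
    for num, net in rules.items():
        print(f"rule {num}: {net} ({net.num_addresses} addresses)")
    for name, hits in pre_auth_reachable(rules, hosts).items():
        print(f"{name}: reachable pre-auth via rules {hits or 'none'}")
    scheme, host, port, path = portal_url(SAMPLE_CONFIG)
    print(f"portal login page: {scheme} to [{host}]:{port}{path}")
```

Run against the page's own rule 5, the report shows the DNS server and the RADIUS/Portal server both reachable before authentication; under the /128 variant only the DNS server is. Whether the wider prefix is acceptable depends on what else lives in FC00:1::/112; the point of the check is to make that scope visible rather than to prescribe it.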
- Configure WLAN service parameters.
# Enable the function of processing IPv6 services for STAs.
```
[AC] wlan
[AC-wlan-view] sta-ipv6-service enable
```
# Create the security profile wlan-security and configure a security policy in the profile.
```
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit
```
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
```
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
```
# Create the VAP profile wlan-vap, configure the service data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.
```
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
```
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radios 0 and 1 of APs.
```
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
```
- Configure channels and power for the AP radios.
The automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when the two functions are disabled. The channel and power settings for the AP radios in this example are for reference only. In practice, configure the channel and power of AP radios based on the actual country code and network planning.
# Disable the automatic channel and power calibration functions of the AP radio 0 and configure its channel and power.
```
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
```
# Disable the automatic channel and power calibration functions of the AP radio 1 and configure its channel and power.
```
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
```
Verifying the Configuration
After the preceding configuration is complete, the WLAN with the SSID wlan-net is available for STAs.
- STAs obtain IP addresses when they successfully associate with the WLAN.
- When a user opens the browser and attempts to access the network, the user is automatically redirected to the authentication page provided by the Portal server. After entering the correct user name and password on the page, the user can access the network.
Configuration Files
AC configuration file
```
#
sysname AC
#
ipv6
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication FC00:1::1 1812 weight 80
 radius-server accounting FC00:1::1 1813 weight 80
#
acl ipv6 number 3001
 rule 5 permit ipv6 destination FC00:1::2/112
#
free-rule-template name default_free_rule
 free-rule acl ipv6 3001
#
web-auth-server abc
 server-ip 10.23.200.1
 server-ip ipv6 FC00:1::1
 port 50200
 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
 url http://[FC00:1::1]:8445/portal
#
portal-access-profile name portal1
 web-auth-server abc direct
#
dhcpv6 pool pool1
 address prefix fc00:2::/112
#
dhcpv6 pool pool2
 address prefix fc00:3::/112
 dns-server FC00:1::2
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif100
 ipv6 enable
 ipv6 address FC00:2::1/112
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 dhcpv6 server pool1
#
interface Vlanif101
 ipv6 enable
 ip address 10.23.101.1 255.255.255.0
 ipv6 address FC00:3::1/112
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 dhcpv6 server pool2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
ipv6 route-static FC00:1:: 112 FC00:3::2
#
capwap source interface vlanif100
#
wlan
 sta-ipv6-service enable
 security-profile name wlan-security
  security open
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
```