SupportDocumentationSwitchesCampus SwitchS3700&S5700&S6700Configuration & CommissioningConfiguration Guide

S5700 and S6700 V200R022C10 Configuration Guide - Free Mobility

Example for Deploying the Free Mobility Function for Users' Physical Location Change

Example for Deploying the Free Mobility Function for Users' Physical Location Change

Networking Requirements

Employees in an enterprise connect to the network in wired and wireless modes and are authenticated using 802.1X or Portal authentication.

The employees do not work in fixed locations and want to obtain the same rights after being authenticated regardless of their access locations.

Figure 1-8 Networking

Requirement Analysis

As shown in Figure 1-8, the agile core switch coreswitch functions as the authentication point and the access switch is a common switch.

You can configure 802.1X authentication and Portal authentication on the core switch so that wired and wireless users can connect to the network after being authenticated by the core switch.

The employees do not work in fixed locations and want to obtain the same rights after being authenticated regardless of their access locations.

Network Data Plan

Table 1-2 Network data plan

Item

Data

Description

VLAN plan

ID: 11

VLANIF11 IP address: 192.168.11.254/24

The core switch uses this VLAN to communicate with the Agile Controller-Campus.

ID: 12

VLANIF12 IP address: 192.168.12.254/24

The core switch uses this VLAN to manage APs.

ID: 13

VLANIF13 IP address: 192.168.13.254/24

The core switch uses this VLAN to provide wireless access services.

ID: 14

VLANIF14 IP address: 192.168.14.254/24

The core switch uses this VLAN to provide wired access services.

Core switch (coreswitch)

Interface number: GE1/0/11

IDs of allowed VLANs: 11

Interface for interworking with the server. IDs of allowed VLANs: 11

Interface number: GE1/0/12

IDs of allowed VLANs: 12, 14

This interface allows packets from the wired access service VLAN and APs' management VLAN to pass through.

Access switch

Interface number: GE0/0/1

IDs of allowed VLANs: 12, 14

This interface connects to GE1/0/12 on the core switch (coreswitch).

Interface number: GE0/0/3

IDs of allowed VLANs: 14

This interface provides wired access and allows packets from the wired access service VLAN to pass through.

Interface number: GE0/0/5

IDs of allowed VLANs: 12

This interface provides wireless access and allows packets from the APs' management VLAN to pass through.

Server

Agile Controller-Campus: 192.168.11.1

The Service Manager (SM) and Service Controller (SC) are installed on the same server. The SC functions as both the RADIUS server and Portal server.

Email server: 192.168.11.100

-

Video server: 192.168.11.110

-

DNS server: 192.168.11.200

Service Data Plan

Table 1-3 Service data plan

Item

Data

Description

Core switch (coreswitch)
RADIUS authentication server:
  • IP address: 192.168.11.1
  • Port number: 1812
  • RADIUS shared key: YsHsjx_202207
  • The SC of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, IP addresses of the authentication server, accounting server, and Portal server are the SC's IP address.
  • Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. On the Agile Controller-Campus, the fixed RADIUS authentication and accounting port numbers are 1812 and 1813 respectively, and the fixed Portal server port number is 50200.
RADIUS accounting server:
  • IP address: 192.168.11.1
  • Port number: 1813
  • RADIUS shared key: YsHsjx_202207
  • Accounting interval: 15 minutes
Portal server:
  • IP address: 192.168.11.1
  • Port number: 50200
  • Shared key: YsHsjx_202207

XMPP password: YsHsjx_202207

The configuration is the same as that on the Agile Controller-Campus.

Agile Controller-Campus

Core switch's IP address: 192.168.11.254

This IP address is the IP address of VLANIF 11.
RADIUS parameters:
  • Device: Huawei S series
  • RADIUS authentication key: YsHsjx_202207
  • RADIUS accounting key: YsHsjx_202207
  • RADIUS authorization key: YsHsjx_202207
  • Real-time accounting interval: 15 minutes

The configuration is the same as that on the core switch.
Portal parameters:
  • Port number: 2000
  • Portal key: YsHsjx_202207
  • IP addresses of access terminals

    Wireless terminal: 192.168.13.0/24

    Wired terminal: 192.168.14.0/24

XMPP password: YsHsjx_202207

The configuration is the same as that on the core switch.

Account:

Employees:
  • User name: staff
  • Password: YsHsjx_2022073
Guests:
  • User name: guest
  • Password: YsHsjx_2022074

Use fast authorization to authorize the security group Employee_Group to the staff.

Use fast authorization to authorize the security group Guest_Group to the guest.

Security group:

Employee_Group

Guest_Group

Email server: 192.168.11.100

Video server: 192.168.11.110

Pre-authentication domain

DNS server

Employees can send domain names to the DNS server for resolution before being authenticated.

Post-authentication domain

Email servers, video server

After passing authentication, employees can access the mail server and video server. You can improve bandwidth for employees to access the video server.

After passing authentication, guests cannot access the mail server and can only access the video server. You can reduce bandwidth for guests to access the video server.

Configuration Roadmap

Configure the core switch.

  1. Switch the NAC configuration mode to unified mode.
  2. Configure interfaces and VLANs, and enable the DHCP server function.
  3. Configure parameters for interconnection with the RADIUS server.
  4. Configure parameters for interconnection with the Portal server.
  5. Configure the access authentication point for fixed PCs.
  6. Configure an authentication-free rule.
  7. Configure AC system parameters to provide wireless access.
  8. Configure XMPP parameters for interconnection with the Agile Controller-Campus and enable free mobility.

Configure the access switch.

  1. Configure interfaces and VLANs to implement network communication.
  2. Configure the switch to transparently transmit 802.1X packets.
    In this example, a Layer 2 switch exists between the core switch and users. To ensure that users can pass 802.1X authentication, you must configure the EAP packet transparent transmission function on the Layer 2 switch.
    • Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view on the Layer 2 switch to configure it to transparently transmit EAP packets.
    • On the Layer 2 switch, run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the downlink interface connecting to users and the uplink interface connecting to the core switch to enable the Layer 2 protocol tunneling function.

Configure the Agile Controller-Campus.

  1. Configure RADIUS, Portal, and XMPP parameters, and add the core switch.
  2. Configure two groups: employee group and guest group, and two security groups: mail server and video server.
  3. Authorize the employee group to employees and guest group to guests. After passing authentication, employees are added to the employee group and guests are added to the guest group.
  4. Configure an access control policy. The policy allows the employee group to access the mail and video servers, and improves the bandwidth for employees to access the video server. In addition, the policy allows the guest group to access only the video server, and reduces the bandwidth for guests to access the video server. The employee group and guest group are not allowed to access each other.

Procedure

  1. Configure the core switch.
    1. Switch the NAC configuration mode to unified mode.

      You must switch the NAC configuration mode to unified mode on a device with the free mobility function configured. When the switchover occurs, the device will reboot automatically.

      <HUAWEI> system-view
[HUAWEI] sysname coreswitch
[coreswitch] authentication unified-mode

    2. Configure interfaces and VLANs, and enable the DHCP server function.

      [coreswitch] vlan batch 11 to 14
[coreswitch] interface vlanif 11    //Configure the interface as the source interface for communication with the Agile Controller-Campus.
[coreswitch-Vlanif11] ip address 192.168.11.254 255.255.255.0
[coreswitch-Vlanif11] quit
[coreswitch] dhcp enable    //Enable DHCP.
[coreswitch] interface vlanif 12    //Configure the management VLAN for APs.
[coreswitch-Vlanif12] ip address 192.168.12.254 255.255.255.0
[coreswitch-Vlanif12] dhcp select interface     //Enable the DHCP server function to allow the switch to allocate IP addresses to APs.
[coreswitch-Vlanif12] quit
[coreswitch] interface vlanif 13    //Configure the wireless access service VLAN.
[coreswitch-Vlanif13] ip address 192.168.13.254 255.255.255.0
[coreswitch-Vlanif13] dhcp select interface    //Enable the DHCP server function to allow the switch to allocate IP addresses to mobile terminals.
[coreswitch-Vlanif13] dhcp server dns-list 192.168.11.200
[coreswitch-Vlanif13] quit
[coreswitch] interface vlanif 14    //Configure the wired access service VLAN.
[coreswitch-Vlanif14] ip address 192.168.14.254 255.255.255.0
[coreswitch-Vlanif14] dhcp select interface    //Enable the DHCP server function to allow the switch to allocate IP addresses to fixed PCs.
[coreswitch-Vlanif14] dhcp server dns-list 192.168.11.200
[coreswitch-Vlanif14] quit
[coreswitch] interface gigabitEthernet 1/0/11
[coreswitch-GigabitEthernet1/0/11] port link-type trunk
[coreswitch-GigabitEthernet1/0/11] port trunk allow-pass vlan 11
[coreswitch-GigabitEthernet1/0/11] quit
[coreswitch] interface gigabitEthernet 1/0/12
[coreswitch-GigabitEthernet1/0/12] port link-type trunk
[coreswitch-GigabitEthernet1/0/12] port trunk allow-pass vlan 12 14
[coreswitch-GigabitEthernet1/0/12] quit

    3. Configure parameters for interconnection with the RADIUS server.

      [coreswitch] radius-server template policy    //Create the RADIUS server template policy.
[coreswitch-radius-policy] radius-server authentication 192.168.11.1 1812    //Configure an IP address for the RADIUS authentication server and set the authentication port number to 1812.
[coreswitch-radius-policy] radius-server accounting 192.168.11.1 1813        //Configure an IP address for the accounting server and set the accounting port number to 1813.
[coreswitch-radius-policy] radius-server shared-key cipher YsHsjx_202207                   //Configure a RADIUS shared key.
[coreswitch-radius-policy] quit
[coreswitch] radius-server authorization 192.168.11.1 shared-key cipher YsHsjx_202207    //Configure the IP address and shared key for the RADIUS authorization server.
[coreswitch] aaa
[coreswitch-aaa] authentication-scheme auth    //Create the authentication scheme auth.
[coreswitch-aaa-authen-auth] authentication-mode radius    //Set the authentication mode to RADIUS.
[coreswitch-aaa-authen-auth] quit
[coreswitch-aaa] accounting-scheme acco    //Create the accounting scheme acco.
[coreswitch-aaa-accounting-acco] accounting-mode radius    //Set the accounting mode to RADIUS.
[coreswitch-aaa-accounting-acco] accounting realtime 15    //Set the accounting interval to 15 minutes.
[coreswitch-aaa-accounting-acco] quit
[coreswitch-aaa] domain default    //Enter the domain default and bind the RADIUS server template, authentication scheme, and accounting scheme to the domain.
[coreswitch-aaa-domain-default] radius-server policy
[coreswitch-aaa-domain-default] authentication-scheme auth
[coreswitch-aaa-domain-default] accounting-scheme acco
[coreswitch-aaa-domain-default] quit
[coreswitch-aaa] quit

    4. Configure parameters for interoperation with the Portal server.

      [coreswitch] url-template name huawei    //Create a URL template.
[coreswitch-url-template-huawei] url http://192.168.11.1:8080/portal    //Specify the URL of the Portal authentication page pushed to users.
[coreswitch-url-template-huawei] quit
[coreswitch] web-auth-server policy    //Create the Portal server template policy.
[coreswitch-web-auth-server-policy] server-ip 192.168.11.1    //Specify the IP address of the Portal server.
[coreswitch-web-auth-server-policy] port 50200    //Specify the port number of the Portal server. When the Agile Controller-Campus functions as the Portal server, the port number is fixed to 50200.
[coreswitch-web-auth-server-policy] shared-key cipher YsHsjx_202206    //Configure a Portal shared key.
[coreswitch-web-auth-server-policy] url-template huawei    //Bind the URL template.
[coreswitch-web-auth-server-policy] quit

    5. Configure NAC.

      1. # Configure the 802.1X access profile d1.

        By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.

        [coreswitch] dot1x-access-profile name d1
[coreswitch-dot1x-access-profile-d1] dot1x authentication-method eap
[coreswitch-dot1x-access-profile-d1] quit

      2. # Configure the Portal access profile web1.

        [coreswitch] portal-access-profile name web1
[coreswitch-portal-access-profile-web1] web-auth-server policy direct   //Configure Layer 2 Portal authentication.
[coreswitch-portal-access-profile-web1] quit

      3. # Configure the authentication-free rule profile default_free_rule.

        [coreswitch] free-rule-template name default_free_rule
[coreswitch-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.200 mask 24 source ip any    //Ensure that terminal can access the DNS server before being authenticated.
[coreswitch-free-rule-default_free_rule] free-rule 2 source vlan 12    //Ensure that APs can go online.
[coreswitch-free-rule-default_free_rule] quit

      4. # Configure the authentication profile p1 for 802.1X + Portal combined authentication.

        [coreswitch] authentication-profile name p1
[coreswitch-authen-profile-p1] dot1x-access-profile d1    //Bind the 802.1X access profile d1.
[coreswitch-authen-profile-p1] portal-access-profile web1    //Bind the Portal access profile web1.
[coreswitch-authen-profile-p1] access-domain default force    //Configure the domain default as the forcible authentication domain for users who go online through this interface.
[coreswitch-authen-profile-p1] quit

      5. # Configure the authentication profile p_dot1x for 802.1X authentication.

        [coreswitch] authentication-profile name p_dot1x
[coreswitch-authen-profile-p_dot1x] dot1x-access-profile d1    //Bind the 802.1X access profile d1.
[coreswitch-authen-profile-p_dot1x] free-rule-template default_free_rule    //Bind the authentication-free rule profile default_free_rule.
[coreswitch-authen-profile-p_dot1x] access-domain default force    //Configure the domain default as the forcible authentication domain for users who go online through this interface.
[coreswitch-authen-profile-p_dot1x] quit

      6. # Configure the authentication profile p_portal for Portal authentication.

        [coreswitch] authentication-profile name p_portal
[coreswitch-authen-profile-p_portal] portal-access-profile web1    //Bind the Portal access profile web1.
[coreswitch-authen-profile-p_portal] free-rule-template default_free_rule    //Bind the authentication-free rule profile default_free_rule.
[coreswitch-authen-profile-p_portal] access-domain default force    //Configure the domain default as the forcible authentication domain for users who go online through this interface.
[coreswitch-authen-profile-p_portal] quit

    6. Configure GE1/0/12 as the access authentication point for fixed PCs and enable 802.1X + Portal combined authentication.

      [coreswitch] interface gigabitEthernet 1/0/12
[coreswitch-GigabitEthernet1/0/12] authentication-profile p1    //Bind the authentication profile p1 and enable 802.1X + Portal combined authentication.
[coreswitch-GigabitEthernet1/0/12] quit

    7. Configure the AP to go online.

      1. # Configure the AC's source interface.

        [coreswitch] capwap source interface vlanif 12

      2. # Create the AP group ap-group1.

        [coreswitch] wlan
[coreswitch-wlan-view] ap-group name ap-group1
[coreswitch-wlan-ap-group-ap-group1] quit

      3. # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

        [coreswitch-wlan-view] regulatory-domain-profile name domain1
[coreswitch-wlan-regulate-domain-domain1] country-code cn
[coreswitch-wlan-regulate-domain-domain1] quit
[coreswitch-wlan-view] ap-group name ap-group1
[coreswitch-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y  [coreswitch-wlan-ap-group-ap-group1] quit
[coreswitch-wlan-view] quit

      4. # Import an AP offline on the AC. In this example, the AP's MAC address is 60de-4476-e360 and name is area_1.

        [coreswitch] wlan
[coreswitch-wlan-view] ap auth-mode mac-auth
[coreswitch-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[coreswitch-wlan-ap-0] ap-name area_1
[coreswitch-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y  [coreswitch-wlan-ap-0] quit

      5. # After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

        [coreswitch-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extrainfo : Extra information
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type                    State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AirEngine8760-X1-PRO    nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

    8. Configure WLAN service parameters.

      1. # Create security profiles wlan-security1 and wlan-security2, and configure security policies. 

        [coreswitch-wlan-view] security-profile name wlan-security1
[coreswitch-wlan-sec-prof-wlan-security1] security open
[coreswitch-wlan-sec-prof-wlan-security1] quit
[coreswitch-wlan-view] security-profile name wlan-security2
[coreswitch-wlan-sec-prof-wlan-security2] security wpa2 dot1x aes
[coreswitch-wlan-sec-prof-wlan-security2] quit

      2. # Create SSID profiles dot1x_test and portal_test, and set the SSID names to dot1x_test and portal_test, respectively.

        [coreswitch-wlan-view] ssid-profile name dot1x_test
[coreswitch-wlan-ssid-prof-dot1x_test] ssid dot1x_test
[coreswitch-wlan-ssid-prof-dot1x_test] quit
[coreswitch-wlan-view] ssid-profile name portal_test
[coreswitch-wlan-ssid-prof-portal_test] ssid portal_test
[coreswitch-wlan-ssid-prof-portal_test] quit

      3. # Create VAP profiles dot1x_test and portal_test, configure the data forwarding mode and service VLANs, and apply the security profiles and SSID profiles to the VAP profiles.

        [coreswitch-wlan-view] vap-profile name dot1x_test
[coreswitch-wlan-vap-prof-dot1x_test] forward-mode tunnel
[coreswitch-wlan-vap-prof-dot1x_test] service-vlan vlan-id 13
[coreswitch-wlan-vap-prof-dot1x_test] security-profile wlan-security2    //Bind the security policy profile wlan-security2.
[coreswitch-wlan-vap-prof-dot1x_test] ssid-profile dot1x_test
[coreswitch-wlan-vap-prof-dot1x_test] authentication-profile p_dot1x   //Bind the authentication profile p_dot1x.
[coreswitch-wlan-vap-prof-dot1x_test] quit
[coreswitch-wlan-view] vap-profile name portal_test
[coreswitch-wlan-vap-prof-portal_test] forward-mode tunnel
[coreswitch-wlan-vap-prof-portal_test] service-vlan vlan-id 13
[coreswitch-wlan-vap-prof-portal_test] security-profile wlan-security1   //Bind the security policy profile wlan-security1.
[coreswitch-wlan-vap-prof-portal_test] ssid-profile portal_test
[coreswitch-wlan-vap-prof-portal_test] authentication-profile p_portal   //Bind the authentication profile p_portal.
[coreswitch-wlan-vap-prof-portal_test] quit

      4. # Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and radio 1 of the APs.

        [coreswitch-wlan-view] ap-group name ap-group1
[coreswitch-wlan-ap-group-ap-group1] vap-profile dot1x_test wlan 1 radio all
[coreswitch-wlan-ap-group-ap-group1] vap-profile portal_test wlan 2 radio all
[coreswitch-wlan-ap-group-ap-group1] quit

    9. Configure XMPP parameters for interoperation with the Agile Controller-Campus and enable free mobility.

      [coreswitch] group-policy controller 192.168.11.1 password YsHsjx_202206 src-ip 192.168.11.254    //The value of src-ip is the IP address of VLANIF 11.

  2. Configure the access switch.

    In this example, an access switch exists between users and the core switch functioning as the authentication point, and transparently transmits packets. To ensure that users can pass 802.1X authentication, configure the access switch to transparently transmit 802.1X packets (EAP packets in this example because EAP mode is used).

    <HUAWEI> system-view
[HUAWEI] sysname l2switch
[l2switch] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[l2switch] vlan batch 12 14
[l2switch] interface gigabitEthernet 0/0/1
[l2switch-GigabitEthernet0/0/1] port link-type trunk
[l2switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 12 14
[l2switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/1] bpdu enable
[l2switch-GigabitEthernet0/0/1] quit
[l2switch] interface gigabitEthernet 0/0/3    //Wired access interface
[l2switch-GigabitEthernet0/0/3] port link-type access
[l2switch-GigabitEthernet0/0/3] port default vlan 14
[l2switch-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/3] bpdu enable
[l2switch-GigabitEthernet0/0/3] quit
[l2switch] interface gigabitEthernet 0/0/5    //Wireless access interface
[l2switch-GigabitEthernet0/0/5] port link-type access
[l2switch-GigabitEthernet0/0/5] port default vlan 12
[l2switch-GigabitEthernet0/0/5] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/5] bpdu enable
[l2switch-GigabitEthernet0/0/5] quit

  3. Configure the Agile Controller-Campus.
    1. Add the core switch.

      1. Choose Resource > Device > Device Management and click Add.

      2. Click XMPP.

      3. Click OK. The switch's Status is and Synchronization Status is Success.
      4. On the core switch, check the switch's communication status with the Agile Controller-Campus.
        <coreswitch> display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 1
Controller protocol version: 1

    2. Create the staff and guest accounts.

      1. Choose Resource > User Management.
      2. Click Add to create the staff account.

      3. Click Add to create the guest account.

    3. Configure two groups: employee group and guest group, and two security groups: mail server and video server.

      1. Choose Policy > Permission Control > Security Group > Dynamic Security Group Management.
      2. Click Add and create Employee_Group.

      3. Click Add and create Guest_Group.

      4. Choose Static Security Group Management, click Add and create Email_Server.

      5. Click Add and create Video_Server.

      6. Click Global Deployment to deploy the security groups on the entire network.

    4. Authorize the employee group to employees and guest group to guests. After passing authentication, employees are added to the employee group and guests are added to the guest group.

      1. Choose Policy > Permission Control > Quick Authorization.
      2. Map employees to Employee group, set bandwidth, and click OK.

      3. Map guests to Guest group, set bandwidth, and click OK.

    5. Configure an access control policy to allow the employee group to access the mail and video servers and allow the guest group to access only the video server.

      The default policy configuration mode is customized group. If there is no customized group, add a customized group on the device management page first (choose Resource > Device > Device Manager > Free Mobility). You can also change the policy configuration mode to all devices (choose System > Terminal Configuration > Global Parameters > Business accompanying configuration mode).

      1. Choose Policy > Free Mobility > Permission Control.
      2. Click Add.

      3. Click OK and Global Deployment.

        After the access control policy is successfully deployed, you can run the following commands on the core switch to view deployment information.

        • display ucl-group all: displays security groups.
        • display acl all: displays the access control policy.

  4. Save the configuration of Core_SW.

    Choose Resource > Device > Device Management. Click corresponding to Core_SW to save the configuration.

    Saving the configuration is similar to running the save command on the device, which saves all the device configurations (including security groups, access right control policies, and QoS policies deployed on the controller) to the configuration file.

    If security groups, access right control policies, and QoS policies are saved to the device's configuration file, these configurations can be directly restored from the configuration file after the device restarts, and do not need to be requested from the controller. Otherwise, user authentication fails after the device restarts because security groups, access right control policies, and QoS policies are not deployed on the device.

  5. Verify the configuration.

    After passing 802.1X or Portal authentication anywhere, the employees can access the mail and video servers, and the videos can be smoothly played.

    After passing 802.1X or Portal authentication anywhere, the guests cannot access the mail server but can only access the video server, and the videos may freeze.

Configuration Files

  • Core switch configuration file

    #
sysname coreswitch
#
vlan batch 11 to 14
#
authentication-profile name p1
 dot1x-access-profile d1
 portal-access-profile web1
 access-domain default force
authentication-profile name p_dot1x
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain default force
authentication-profile name p_portal
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain default force
#
group-policy controller 192.168.11.1 password %^%#(K2]5P#C6'97.pR(gFv$K$KbGYN}R1Y76~K^;AP&%^%# src-ip 192.168.11.254
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %^%#teXm2B&.1O0:cj$OWPq7@!Y\!%}dC3Br>p,}l\L.%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
#
radius-server authorization 192.168.11.1 shared-key cipher %^%#FKIlCKv=f(AgM-G~W"}G.C\%;b'3A/zz-EJV;vi*%^%#
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.200 mask 255.255.255.0 source ip any
 free-rule 2 source vlan 12
#
url-template name huawei
 url http://192.168.11.1:8080/portal
#
web-auth-server policy
 server-ip 192.168.11.1
 port 50200
 shared-key cipher %^%#SQn,Cr"c;M&{#(R^:;P3F_H$3f3sr$C9%*G7R|u3%^%#
 url-template huawei
#
portal-access-profile name web1
 web-auth-server policy direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain default
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif11
 ip address 192.168.11.254 255.255.255.0
#
interface Vlanif12
 ip address 192.168.12.254 255.255.255.0
 dhcp select interface
#
interface Vlanif13
 ip address 192.168.13.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.11.200
#
interface Vlanif14
 ip address 192.168.14.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.11.200
#
interface GigabitEthernet1/0/11
 port link-type trunk
 port trunk allow-pass vlan 11
#
interface GigabitEthernet1/0/12
 port link-type trunk
 port trunk allow-pass vlan 12 14
 authentication-profile p1
#
capwap source interface vlanif12
#
wlan
 security-profile name wlan-security1
  security open
 security-profile name wlan-security2
  security wpa2 dot1x aes
 ssid-profile name dot1x_test
  ssid dot1x_test
 ssid-profile name portal_test
  ssid portal_test
 vap-profile name dot1x_test
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile dot1x_test
  security-profile wlan-security2
  authentication-profile p_dot1x
 vap-profile name portal_test
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile portal_test
  security-profile wlan-security1
  authentication-profile p_portal
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0                                                                       
   vap-profile dot1x_test wlan 1                                                
   vap-profile portal_test wlan 2                                               
  radio 1                                                                       
   vap-profile dot1x_test wlan 1                                                
   vap-profile portal_test wlan 2                                               
  radio 2                                                                       
   vap-profile dot1x_test wlan 1                                                
   vap-profile portal_test wlan 2
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
 wlan work-group default
#
dot1x-access-profile name d1
#
return

  • Configuration file of the access switch

    #
sysname l2switch
#
vlan batch 12 14
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 12 14
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 14
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 12
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
return