WLAN Typical Configuration Examples (V200)
Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users
Service Requirements
Different user groups are used to assign network access permissions to different users when they access the WLAN through 802.1X authentication. Additionally, users' services are not affected during roaming in the coverage area.
Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP addresses to APs and STAs, respectively.
- Service data forwarding mode: direct forwarding
- WLAN authentication mode: WPA-WPA2+802.1X+AES
Data Planning
Item | Data
---|---
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP servers | The AC and SwitchB function as DHCP servers to assign IP addresses to APs and STAs, respectively.
IP address pool for APs | 10.23.100.2–10.23.100.254/24
IP address pool for STAs | 10.23.101.2–10.23.101.254/24
RADIUS authentication parameters | RADIUS server template: wlan-net; authentication server IP address and port: 10.23.103.1, 1812; shared key: must be the same as the key configured on the RADIUS server
802.1X access profile | Name: wlan-net
Authentication profile | Name: wlan-net; authentication scheme: wlan-net (authentication mode RADIUS); 802.1X access profile: wlan-net; RADIUS server template: wlan-net
AP group | Name: ap-group1; referenced profiles: VAP profile wlan-net (radio 0 and radio 1), regulatory domain profile default
Regulatory domain profile | Name: default; country code: cn
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; security policy: WPA-WPA2+802.1X+AES
VAP profile | Name: wlan-net; forwarding mode: direct forwarding; service VLAN: VLAN 101; referenced profiles: SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net
User group | Name: group1; authorization ACL: 3001 (permits access to 10.23.200.0/24 only)
Configuration Roadmap
- Configure network connectivity.
- Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
- Configure APs to go online.
- Configure 802.1X authentication and user authorization on the AC.
- Configure third-party server parameters.
The RADIUS shared key configured on the AC must be the same as that configured on the RADIUS server.
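Why the keys must match, shown as an added example that is not part of this document: the RADIUS client (the AC) accepts a reply only if it can recompute the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865, with its own copy of the shared key. The key below is constructed, and Filter-Id is used only as a stand-in for whatever attribute the server uses to carry the user group name; this page does not state which attribute that is.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865); Access-Challenge is used during EAP exchanges.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
FILTER_ID = 11  # real attribute type, used here only as a stand-in for the group name

# Constructed shared key. On the AC it is entered with
# "radius-server shared-key cipher ..." and must equal the server's key.
SHARED_KEY = b"constructed-shared-key"


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs: type, length, value."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: build a reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Client (AC) side: recompute the Response Authenticator with the local key.
    A mismatch means the keys differ or the reply was altered, so any
    authorization it carries (such as a user group) must be discarded."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(client_key=SHARED_KEY, server_key=SHARED_KEY):
    """One exchange: the AC picks a random Request Authenticator, the server
    answers Access-Accept carrying the group name, the AC verifies the reply."""
    request_auth = os.urandom(16)  # carried in the Access-Request
    accept = build_response(ACCESS_ACCEPT, 7, request_auth,
                            [(FILTER_ID, b"group1")], server_key)
    return verify_response(accept, request_auth, client_key)


if __name__ == "__main__":
    print("matching keys:", demo())
    print("mismatched keys:", demo(client_key=b"other-key"))
```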
Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
- Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
- In 802.1X authentication scenarios, EAP packets are control packets and need to be sent to the AC through CAPWAP tunnels. Therefore, the corresponding service VLAN must be created on the AC regardless of whether direct forwarding or tunnel forwarding is used.
Procedure
- Configure network connectivity.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) both to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the router as the next hop.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# On the AC, add GE0/0/1 to VLAN 100 and VLAN 102, create VLANIF 102, and configure a static route to the RADIUS server.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure an IP address for GE0/0/1 on the router and configure a static route to the network segment for STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
- Configure the AC and SwitchB as DHCP servers to assign IP addresses to APs and STAs, respectively.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit
- Configure an AP to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Configure the AC's source interface.
[AC] capwap source interface vlanif 100
# Import the AP offline on the AC and add the AP to AP group ap-group1. This example assumes that the AP's MAC address is 00e0-fc76-e360. Configure a name for the AP based on the AP's deployment location, so that the AP can be easily located based on its name. For example, if the AP with the MAC address 00e0-fc76-e360 is deployed in area 1, name it area_1.
The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP to go offline and then online. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type                  State  STA  Uptime  ExtraInfo
-------------------------------------------------------------------------------------------------
0    00e0-fc76-e360  area_1  ap-group1  10.23.100.254  AirEngine8760-X1-PRO  nor    0    10S     -
-------------------------------------------------------------------------------------------------
Total: 1
- Set the channels and power for AP radios.
The DCA and TPC functions are enabled by default. With these functions, APs can automatically select the optimal channel and power. Automatic radio calibration is recommended in coverage scenarios other than high-density scenarios. After the service configuration is complete, perform radio calibration immediately.
To configure fixed channels and power, disable automatic radio calibration. The procedure for configuring the fixed channels and power in this example is for reference only. In actual deployment, configure the channels and power for each AP strictly according to the network plan.
For details, see Radio Calibration in WLAN Optimization.
- Configure automatic radio calibration (enabled by default) so that the optimal channel and power are automatically selected for APs.
# Enable the DCA and TPC functions of AP radios (enabled by default).
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select enable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select enable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] calibrate auto-channel-select enable
[AC-wlan-group-radio-ap-group1/1] calibrate auto-txpower-select enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
# Manually trigger radio calibration.
[AC-wlan-view] calibrate manual startup
Warning: The operation may cause business interruption, Continue? [Y/N]:y
# Radio calibration stops 1 hour after being manually triggered. Set the radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-peak hours, for example, between 00:00 am and 06:00 am. By default, radio calibration starts at 03:00:00 every day.
[AC-wlan-view] calibrate enable schedule time 03:00:00
- Configure fixed channels and power.
# Disable the DCA and TPC functions.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
# Configure the channels and power of radio 0 and radio 1 for each AP based on the channels and power of each AP in the network planning.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
- Configure 802.1X authentication on the AC.
- Configure a user group.
# Configure the user group group1 for the post-authentication domain to allow only user group members to access network resources on the network segment 10.23.200.0/24.
Configure the RADIUS server to authorize the user group group1 to successfully authenticated employees.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit
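How the AC applies ACL 3001 to a member of group1, as an added example that is not part of this document: the two rules are evaluated in number order, first match wins, and the wildcard mask (0.0.0.255) is the inverse of a netmask, so rule 1 covers exactly 10.23.200.0/24 and rule 2 catches everything else. The parser goes slightly beyond the page in that it accepts any wildcard mask, not only contiguous ones; the rule strings are constructed from this example's configuration.

```python
import re

# Constructed input: the two rules of ACL 3001 from this example, in the
# order the AC evaluates them (lowest rule number first).
ACL_3001 = [
    "rule 1 permit ip destination 10.23.200.0 0.0.0.255",
    "rule 2 deny ip destination any",
]

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+destination\s+(?:(any)|(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})))?"
)


def ip_to_int(dotted):
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def parse_rule(text):
    """Parse one Huawei advanced-ACL rule into (number, action, base, wildcard).

    Wildcard bits set to 0 must equal the base address, bits set to 1 are
    ignored; 0.0.0.255 therefore matches 10.23.200.0/24. 'destination any'
    (or no destination clause at all) matches every address.
    """
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    num, action, any_kw, base, wildcard = m.groups()
    if base is None:
        return int(num), action, 0, 0xFFFFFFFF
    return int(num), action, ip_to_int(base), ip_to_int(wildcard)


def evaluate(acl_lines, dst_ip):
    """Return (action, rule_number) of the first matching rule, or None.

    First match wins, as on the AC. ACL 3001 ends with an explicit deny, so
    every destination hits some rule; None only occurs for ACLs without one.
    """
    dst = ip_to_int(dst_ip)
    for line in acl_lines:
        num, action, base, wildcard = parse_rule(line)
        care = wildcard ^ 0xFFFFFFFF  # bits that must match (the netmask)
        if dst & care == base & care:
            return action, num
    return None


if __name__ == "__main__":
    for ip in ("10.23.200.17", "10.23.101.5", "10.23.103.1"):
        print(ip, evaluate(ACL_3001, ip))
```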
- Configure a third-party server.
For details about the configuration method, see the corresponding product manual.
- Verify the configuration.
- The WLAN with the SSID wlan-net is available for STAs.
- The STAs obtain IP addresses after they successfully associate with the WLAN.
- The 802.1X authentication client on a STA can be used for authentication. After the correct user name and password are entered, the STA is successfully authenticated and can access only the resources on the 10.23.200.0/24 network segment. Note that PEAP authentication needs to be configured for the STA.
Configuration on the Windows 7 operating system:
- Access the Manage wireless networks page, click Add and select Manually create a network profile. In the dialog box that is displayed, add the SSID wlan-net, and set the authentication mode to WPA2-Enterprise and encryption algorithm to AES. Click Next.
- Click Change connection settings. On the Wireless Network Properties page that is displayed, select the Security tab page and click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
- On the Wireless Network Properties page, click Advanced settings. On the Advanced settings page that is displayed, select Specify authentication mode, set the identity authentication mode to User authentication, and click OK.
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
 rule 1 permit ip destination 10.23.200.0 0.0.0.255
 rule 2 deny ip
#
user-group group1
 acl-id 3001
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return