WLAN Typical Configuration Examples (V200)

Example for Configuring Navi AC + Built-in Portal Authentication for Local Users

Service Requirements

When deploying a WLAN, an enterprise needs to provide wireless access for both employees and guests. The Navi AC networking allows guest traffic to be directed to the specified access control point in the DMZ for centralized management, therefore isolating access of employees and guests. Employees can access intranet servers, and their traffic is forwarded within the enterprise intranet. Guest traffic is forwarded through a CAPWAP tunnel to the DMZ where the guest users are assigned IP addresses and authenticated in built-in Portal authentication mode.

Networking Requirements

  • AC networking: Layer 3 connectivity is configured between the local and Navi ACs.
  • Guest service data forwarding mode: Data is centralized to the Navi AC through a CAPWAP tunnel for forwarding.
  • Built-in Portal authentication is performed for guest traffic.
Figure 4-34 Navi AC networking diagram

Data Planning

Table 4-28 Data planning

Item: Data planning on the Navi AC

  • CAPWAP source address: 10.23.101.3
  • DHCP server: The Navi AC functions as a DHCP server to assign IP addresses to APs and STAs.
  • VAP profile
    • Name: navi-ac
    • Service VLAN: VLAN 100
    • Management VLAN: VLAN 101
    • Data forwarding mode: tunnel
    • SSID profile: ssid1, in which the SSID is guest
    • WLAN ID: 8
    • Security profile: security-prof
    • Authentication profile: auth-prof
  • Security profile: security-prof
    • Security policy: Open
  • Portal access profile
    • Name: portal-access-navi
    • The built-in Portal server is used:

      IP address of the built-in Portal server: 10.1.1.1/24

      TCP port number used by HTTP: 20001

  • Authentication-free rule profile
    • Name: default_free_rule
    • Authentication-free resource: DNS server address (10.23.200.2)
  • Authentication profile
    • Name: auth-prof
    • Referenced profiles and authentication scheme: Portal access profile portal-access-navi, authentication-free rule profile default_free_rule, and authentication scheme auth-scheme
  • Authentication scheme
    • Name: auth-scheme
    • Authentication scheme: local authentication

Item: Data planning on the local AC

  • CAPWAP source address: 10.23.102.3
  • VAP profile
    • Name: navi-ac
    • Service VLAN: VLAN 100
    • Data forwarding mode: tunnel
    • SSID profile: ssid1, in which the SSID is guest
    • Type: service-navi
    • WLAN ID of the Navi AC: 8
    • Security profile: security-prof
    • Authentication profile: auth-prof
  • AP group to which the VAP profile is bound: group1
  • Security profile: security-prof
    • Security policy: Open
  • Portal server template
    • Name: web-auth-server
    • IP address: 10.1.1.1 (IP address of the built-in server on the Navi AC)
    • Bound URL profile: url-template
  • URL profile
    • Name: url-template
    • URL: http://10.1.1.1:20001/index.html
  • Portal access profile
    • Name: portal-access-local
    • Bound template: Portal server template web-auth-server
  • Authentication-free rule profile
    • Name: default_free_rule
    • Authentication-free resource: DNS server address (10.23.200.2)
  • Authentication profile
    • Name: auth-prof
    • Bound profiles: Portal access profile portal-access-local and authentication-free rule profile default_free_rule

Configuration Roadmap

  1. On the Navi AC, create and configure a DHCP server and a VAP profile, enable the Navi AC function, specify a local AC, enable service VLAN check on the Navi AC, and bind the VAP profile to the local AC.
  2. On the local AC, specify the Navi AC, create and configure a VAP profile (the same as that on the Navi AC), and bind the VAP profile to the AP group.
  3. Configure built-in Portal authentication for local users on the Navi AC.
    1. Configure local authentication parameters.
    2. Configure a Portal access profile for the built-in Portal server to manage Portal access control parameters.
    3. Configure an authentication-free rule profile to enable the AC to permit packets destined for the DNS server.
    4. Configure an authentication profile to manage built-in Portal authentication configurations.
  4. Configure external Portal authentication on the local AC.
    1. Configure a URL redirected to the built-in Portal server on the Navi AC.
    2. Set the IP address of the Portal server to the same as that of the built-in Portal server on the Navi AC.

Configuration Prerequisites

  • The network is reachable between the local and Navi ACs.
  • Configure a source interface or source address for both the Navi AC and local AC.
  • Add APs on the local AC.
  • Configure DTLS encryption of inter-AC tunnels for both the Navi AC and local AC.

Configuration Notes

  • The local AC and Navi AC require the same authorization parameters, including the ACL number, VLAN, user group, and service scheme.
  • In the built-in Portal authentication scenario where Navi ACs work in VRRP HSB mode:
    • The IP address of the built-in Portal server on the Navi AC must be set to the VRRP virtual IP address (VRRP_VIP in the example below), and the port number must be set to the chosen port (Port in the example below).
    • The IP address of the Portal server on the local AC must be set to VRRP_VIP, and the URL must be set to http://VRRP_VIP:Port/index.html.
  • Ensure that the DNS server IP address is permitted in the authentication-free rule profile.
  • No ACK mechanism is provided for multicast packet transmission on air interfaces, and wireless links are unstable. To ensure stable transmission, multicast packets are usually sent at low rates. If a large number of such packets arrive from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.

  • From V200R021C00, when the CAPWAP source interface or source address is configured, the system checks whether the security-related configurations exist: the PSK for DTLS encryption, the PSK for DTLS encryption between ACs, the user name and password for logging in to the AP, and the password for logging in to the global offline management VAP. The configuration succeeds only when all of these exist; otherwise, the system prompts you to complete them first.
  • From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels on the AC by default. After this function is enabled, an AP will fail to go online when it is added. In this case, you need to enable CAPWAP DTLS non-authentication (capwap dtls no-auth enable) for the AP so that the AP can obtain a security credential. After the AP goes online, disable this function (undo capwap dtls no-auth enable) to prevent unauthorized APs from going online.

Procedure

  1. On the Navi AC, create and configure DHCP servers and a VAP profile, enable the Navi AC function, specify a local AC, and bind the VAP profile to the local AC.
    1. Configure DHCP servers to assign IP addresses to APs and STAs.

      [Navi_AC] dhcp enable
      [Navi_AC] interface vlanif 100
      [Navi_AC-Vlanif100] ip address 10.23.100.3 24
      [Navi_AC-Vlanif100] dhcp select interface
      [Navi_AC-Vlanif100] quit
      [Navi_AC] interface vlanif 101
      [Navi_AC-Vlanif101] ip address 10.23.101.3 24
      [Navi_AC-Vlanif101] dhcp select interface
      [Navi_AC-Vlanif101] quit

    2. On the Navi AC, create and configure a VAP profile.

      [Navi_AC] wlan
      [Navi_AC-wlan-view] ssid-profile name ssid1
      [Navi_AC-ssid-prof-ssid1] ssid guest
      [Navi_AC-ssid-prof-ssid1] quit
      [Navi_AC-wlan-view] vap-profile name navi-ac
      [Navi_AC-vap-prof-navi-ac] ssid-profile ssid1
      [Navi_AC-vap-prof-navi-ac] service-vlan vlan-id 100
      [Navi_AC-vap-prof-navi-ac] forward-mode tunnel
      [Navi_AC-vap-prof-navi-ac] navi-ac service-vlan-check enable
      [Navi_AC-vap-prof-navi-ac] quit

    3. Enable the Navi AC function.

      [Navi_AC-wlan-view] navi-ac enable
      Warning: Enabling this function will degrade the forwarding performance of the device. Continue? [Y/N]:y

    4. Specify a local AC and bind the VAP profile to the local AC.

      [Navi_AC-wlan-view] navi-ac
      [Navi_AC-wlan-view-navi-ac] local-ac ac-id 1 ip-address 10.23.102.3 description LocalAC1
      [Navi_AC-wlan-view-navi-local-ac-1] vap-profile navi-ac wlan 8

  2. On the local AC, specify the Navi AC, create and configure a VAP profile (the same as that on the Navi AC), and bind the VAP profile to the AP group.
    1. Create a service VLAN.

      [Local_AC] vlan 100
      [Local_AC-vlan100] quit

      To prevent network loops, do not allow packets from the service VLAN to pass through the interfaces on the local AC.

    2. Specify the Navi AC.

      [Local_AC] wlan
      [Local_AC-wlan-view] navi-ac ac-id 1 ip-address 10.23.101.3 description NaviAC

    3. On the local AC, create and configure a VAP profile.

      [Local_AC-wlan-view] ssid-profile name ssid1
      [Local_AC-ssid-prof-ssid1] ssid guest
      [Local_AC-ssid-prof-ssid1] quit
      [Local_AC-wlan-view] vap-profile name navi-ac
      [Local_AC-vap-prof-navi-ac] ssid-profile ssid1
      [Local_AC-vap-prof-navi-ac] service-vlan vlan-id 100
      [Local_AC-vap-prof-navi-ac] forward-mode tunnel
      [Local_AC-vap-prof-navi-ac] type service-navi navi-ac-id 1 navi-wlan-id 8 
       //The value of navi-wlan-id must be the same as the value of wlan-id in the vap-profile profile-name wlan wlan-id command executed in the local AC view on the Navi AC.
      [Local_AC-vap-prof-navi-ac] quit

    4. Bind the VAP profile to the AP group.

      [Local_AC-wlan-view] ap-group name group1
      [Local_AC-wlan-ap-group-group1] vap-profile navi-ac wlan 2 radio all  //The WLAN ID in this command does not need to be the same as the value of navi-wlan-id.

  3. Configure built-in Portal authentication for local users on the Navi AC.
    1. Configure local authentication parameters.

      # Configure the local authentication scheme auth-scheme.

      [Navi_AC] aaa
      [Navi_AC-aaa] authentication-scheme auth-scheme
      [Navi_AC-aaa-authen-auth-scheme] authentication-mode local
      [Navi_AC-aaa-authen-auth-scheme] quit

      # Configure the user name, password, and service type of the local user.

      [Navi_AC-aaa] local-user guest password cipher YsHsjx_202206
      [Navi_AC-aaa] local-user guest service-type web
      [Navi_AC-aaa] quit

    2. Configure the Portal access profile portal-access-navi.

      # Enable the built-in Portal server function.

      [Navi_AC] interface loopback 1
      [Navi_AC-LoopBack1] ip address 10.1.1.1 24
      [Navi_AC-LoopBack1] quit
      [Navi_AC] portal local-server ip 10.1.1.1
      [Navi_AC] portal local-server http port 20001

      # Create the Portal access profile portal-access-navi and enable the built-in Portal server function.

      [Navi_AC] portal-access-profile name portal-access-navi
      [Navi_AC-portal-access-profile-portal-access-navi] portal local-server enable
      [Navi_AC-portal-access-profile-portal-access-navi] quit

    3. Configure an authentication-free rule profile to enable the AC to permit packets destined for the DNS server.

      [Navi_AC] free-rule-template name default_free_rule
      [Navi_AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 32
      [Navi_AC-free-rule-default_free_rule] quit

    4. Configure an authentication profile to manage built-in Portal authentication configurations. Configure a security profile and set the policy to open.

      [Navi_AC] authentication-profile name auth-prof
      [Navi_AC-authentication-profile-auth-prof] portal-access-profile portal-access-navi
      [Navi_AC-authentication-profile-auth-prof] free-rule-template default_free_rule
      [Navi_AC-authentication-profile-auth-prof] authentication-scheme auth-scheme
      [Navi_AC-authentication-profile-auth-prof] quit
      [Navi_AC] wlan
      [Navi_AC-wlan-view] security-profile name security-prof 
      [Navi_AC-sec-prof-security-prof] security open
      [Navi_AC-sec-prof-security-prof] quit
      [Navi_AC-wlan-view] vap-profile name navi-ac
      [Navi_AC-vap-prof-navi-ac] security-profile security-prof 
      [Navi_AC-vap-prof-navi-ac] authentication-profile auth-prof  
      Warning: This action may cause service interruption. Continue?[Y/N]y   
      Info: This operation may take a few seconds, please wait.done. 

  4. Configure external Portal authentication on the local AC.
    1. Configure a URL redirected to the built-in Portal server on the Navi AC.

      # Configure the URL of the Portal authentication page. When a STA attempts to access a website before successful authentication, the AC redirects the request to the Portal server.

      [Local_AC] url-template name url-template
      [Local_AC-url-template-url-template] url http://10.1.1.1:20001/index.html
      [Local_AC-url-template-url-template] url-parameter ssid ssid redirect-url url 
      [Local_AC-url-template-url-template] quit

      In this example, HTTP is used for Portal authentication. In scenarios requiring high security, HTTPS can be used to provide Portal authentication.

    2. Set the IP address of the Portal server to the same as that of the built-in Portal server on the Navi AC.

      # Configure a Portal server template.

      [Local_AC] portal web-authen-server server-source all-interface  //In V200R021C00 and later versions, you must run the portal web-authen-server server-source or server-source command to configure the local gateway address for receiving and responding to packets from the Portal server, so as to ensure successful Portal interconnection.
      [Local_AC] web-auth-server web-auth-server
      [Local_AC-web-auth-server-web-auth-server] server-ip 10.1.1.1
      [Local_AC-web-auth-server-web-auth-server] url-template url-template
      [Local_AC-web-auth-server-web-auth-server] quit

      # Create the Portal access profile and set the IP address of the Portal server to the same as that of the built-in Portal server on the Navi AC.

      [Local_AC] portal-access-profile name portal-access-local
      [Local_AC-portal-access-profile-portal-access-local] web-auth-server web-auth-server direct
      [Local_AC-portal-access-profile-portal-access-local] quit

      # Configure an authentication-free rule profile to enable the AC to permit packets destined for the DNS server.

      [Local_AC] free-rule-template name default_free_rule
      [Local_AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 32
      [Local_AC-free-rule-default_free_rule] quit

      # Configure an authentication profile to manage the Portal authentication configurations on the local AC. Configure a security profile and set the policy to open.

      [Local_AC] authentication-profile name auth-prof
      [Local_AC-authentication-profile-auth-prof] portal-access-profile portal-access-local
      [Local_AC-authentication-profile-auth-prof] free-rule-template default_free_rule
      [Local_AC-authentication-profile-auth-prof] quit
      [Local_AC] wlan
      [Local_AC-wlan-view] security-profile name security-prof 
      [Local_AC-sec-prof-security-prof] security open
      [Local_AC-sec-prof-security-prof] quit
      [Local_AC-wlan-view] vap-profile name navi-ac
      [Local_AC-vap-prof-navi-ac] security-profile security-prof 
      [Local_AC-vap-prof-navi-ac] authentication-profile auth-prof  
      Warning: This action may cause service interruption. Continue?[Y/N]y   
      Info: This operation may take a few seconds, please wait.done.

  5. On the STA gateway, configure a route to the Portal server address. The configuration is not provided in this example.
  6. Verify the configuration.
    • Associate a STA with the WLAN. When the user attempts to access the network on a browser, the user is automatically redirected to the authentication page provided by the Portal server. After the user enters the correct user name and password on the page, the STA is authenticated successfully and can access the network.
    • Run the display station all command on the local AC to check access STA information.
      [Local_AC] display station all
      Rf/WLAN: Radio ID/WLAN ID
      Rx/Tx: link receive rate/link transmit rate(Mbps)
      --------------------------------------------------------------------------------------------------------------------------------------
      STA MAC          AP ID Ap name           Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address       SSID               Status   AC ID
      --------------------------------------------------------------------------------------------------------------------------------------
      00e0-fc78-0a7d   0     00e0-fc76-e360    1/2      5G    11ax  573/573    -17   100   192.168.183.195  guest              Normal   1
      --------------------------------------------------------------------------------------------------------------------------------------
      Total: 1 2.4G: 0 5G: 1 6G: 0
    • Run the display access-user command on the Navi AC to check access STA information.
      [Navi_AC] display access-user
       ------------------------------------------------------------------------------------------------------
       UserID  Username               IP address                               MAC            Status
       ------------------------------------------------------------------------------------------------------
       196629  guest                  192.168.183.195                          00e0-fc78-0a7d Success
       ------------------------------------------------------------------------------------------------------
       Total: 1, printed: 1
      [Navi_AC] display access-user user-id 196629
      
      Basic:
        User ID                         : 196629
        User name                       : guest   
        User MAC                        : 00e0-fc78-0a7d 
        User IP address                 : 192.168.183.195
        User vpn-instance               : -
        User IPv6 address               : -
        User access Interface           : Wlan-Dbss17496
        User vlan event                 : Success
        QinQVlan/UserVlan               : 0/100
        User vlan source                : user request
        User access time                : 2023/05/26 17:59:25
        User accounting session ID      : AirEngi000000000018313e****0300011
        User accounting mult session ID : 942533EE1D86FCB3BC780A7D64708****F5EDB45
        User access type                : WEB
        AP name                         : 00e0-fcee-1d86
        Radio ID                        : 0
        AP MAC                          : 00e0-fcee-1d86
        SSID                            : guest 
        Online time                     : 148(s)
        Web-server IP address           : 10.1.1.1
        User Group Priority             : 0
      
      AAA:
        User authentication type        : WEB authentication
        Current authentication method   : Local
        Current authorization method    : -
        Current accounting method       : None
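To make step 4.1 concrete, the following Python snippet is an added illustration (not code from this document or from the device software) of the redirect an unauthenticated STA receives: the url-template URL carrying the ssid and url query parameters named by the url-parameter command, and what the Portal page can read back from that query string. The URL, port and parameter names come from this example's configuration; the exact layout of the query string and the function names are assumptions of the illustration.

```python
"""Illustrate the Portal redirect of step 4.1 from the STA's point of view.
The url-template URL and the parameter names come from this example's
configuration; the query-string layout (name=value pairs appended to the URL)
is assumed for illustration and may differ from the device's actual format."""
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL_URL = "http://10.1.1.1:20001/index.html"  # url-template url
# url-parameter ssid ssid redirect-url url: AC-side parameter -> query name
URL_PARAMETERS = {"ssid": "ssid", "redirect-url": "url"}


def build_redirect(template_url, url_parameters, ssid, original_url):
    """Location value for a STA on `ssid` that requested `original_url`."""
    available = {"ssid": ssid, "redirect-url": original_url}
    query = {name: available[param] for param, name in url_parameters.items()}
    joiner = "&" if urlsplit(template_url).query else "?"
    return template_url + joiner + urlencode(query)


def redirect_response(template_url, url_parameters, ssid, original_url):
    """Raw HTTP response the STA's browser receives before authentication."""
    location = build_redirect(template_url, url_parameters, ssid, original_url)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nConnection: close\r\n\r\n"


def portal_page_context(location, url_parameters):
    """What the Portal page recovers from the query string: the SSID and the
    page to send the user back to after login. The post-login target is only
    honoured when it is an absolute http or https URL."""
    qs = parse_qs(urlsplit(location).query)
    ssid = qs.get(url_parameters["ssid"], [None])[0]
    target = qs.get(url_parameters["redirect-url"], [None])[0]
    parts = urlsplit(target or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        target = None
    return {"ssid": ssid, "redirect_to": target}


if __name__ == "__main__":
    print(redirect_response(PORTAL_URL, URL_PARAMETERS, "guest", "http://www.example.com/"))
```

Running the snippet prints the 302 a guest STA would see for a request to http://www.example.com/; the query string carries ssid=guest and url=<the percent-encoded original URL>, which is why the DNS server must be in the authentication-free rule profile: the STA has to resolve the original host before it can send the request that gets redirected.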
      

Configuration Files

  • Navi AC configuration file

    #
    dhcp enable
    #
    interface Vlanif100
     ip address 10.23.100.3 255.255.255.0
     dhcp select interface
    #
    interface Vlanif101
     ip address 10.23.101.3 255.255.255.0
     dhcp select interface
    #
    portal local-server ip 10.1.1.1
    portal local-server http port 20001
    #  
    authentication-profile name auth-prof
     portal-access-profile portal-access-navi
     free-rule-template default_free_rule
     authentication-scheme auth-scheme
    #  
    free-rule-template name default_free_rule 
     free-rule 1 destination ip 10.23.200.2 mask 255.255.255.255 
    # 
    portal-access-profile name portal-access-navi  
     portal local-server enable  
    #  
    aaa 
     authentication-scheme auth-scheme  
      authentication-mode local  
     local-user guest password cipher %^%#2P[q%mo}.J|oi5DU/bc2^P]X9ZLnqVa\!CF45_g!%^%#  
     local-user guest privilege level 0  
     local-user guest service-type web   
    #  
    interface LoopBack1 
     ip address 10.1.1.1 255.255.255.0   
    #
    wlan
     security-profile name security-prof
      security open
     ssid-profile name ssid1
      ssid guest
     vap-profile name navi-ac
      forward-mode tunnel
      service-vlan vlan-id 100
      ssid-profile ssid1
      security-profile security-prof   
      authentication-profile auth-prof
      navi-ac service-vlan-check enable 
     navi-ac enable
     navi-ac
      local-ac ac-id 1 ip-address 10.23.102.3 description LocalAC1
       vap-profile navi-ac wlan 8
    #
    return
  • Local AC configuration file

    #
    vlan batch 100
    #
    authentication-profile name auth-prof
     portal-access-profile portal-access-local
     free-rule-template default_free_rule
    #
    free-rule-template name default_free_rule 
     free-rule 1 destination ip 10.23.200.2 mask 255.255.255.255 
    #
    portal web-authen-server server-source all-interface
    #
    url-template name url-template
     url http://10.1.1.1:20001/index.html
     url-parameter ssid ssid redirect-url url 
    #
    web-auth-server web-auth-server
     server-ip 10.1.1.1
     port 50100
     url-template url-template
    #
    portal-access-profile name portal-access-local
     web-auth-server web-auth-server direct
    #
    wlan
     security-profile name security-prof
      security open
     ssid-profile name ssid1
      ssid guest
     vap-profile name navi-ac
      forward-mode tunnel
      service-vlan vlan-id 100
      ssid-profile ssid1
      security-profile security-prof   
      authentication-profile auth-prof
      type service-navi navi-ac-id 1 navi-wlan-id 8
     ap-group name group1
      radio 0
       vap-profile navi-ac wlan 2
      radio 1
       vap-profile navi-ac wlan 2
      radio 2
       vap-profile navi-ac wlan 2
     ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
      ap-name area_1
      ap-group group1
     navi-ac ac-id 1 ip-address 10.23.101.3 description NaviAC
    #
    return
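The Configuration Notes require the local AC and Navi AC to agree on their parameters, the comment in step 2.3 requires navi-wlan-id to match the WLAN ID bound on the Navi AC, and tunnel forwarding requires the service VLAN to differ from the management VLAN. The following Python script is an added example, not part of this document or of the device software: it parses trimmed copies of the two configuration files above and reports the mismatches that would otherwise only show up as STAs failing to come online or the Portal page never appearing. The parser, the function names, and the way the management VLAN is inferred (the Navi AC Vlanif that holds the address the local AC peers with) are assumptions of the example.

```python
"""Cross-check the Navi AC and local AC configuration files for the rules this example relies
on: the local AC's service-navi VAP profile must match its Navi AC binding (navi-wlan-id, SSID,
forwarding mode, service VLAN), the local AC's Portal server IP and URL must point at the
built-in Portal server, and in tunnel mode the service VLAN must differ from the management VLAN."""
import ipaddress
import re
# Constructed sample input: trimmed copies of the two configuration files on this page.
NAVI_AC_CFG = """\
interface Vlanif101
 ip address 10.23.101.3 255.255.255.0
portal local-server ip 10.1.1.1
portal local-server http port 20001
wlan
 ssid-profile name ssid1
  ssid guest
 vap-profile name navi-ac
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile ssid1
 navi-ac
  local-ac ac-id 1 ip-address 10.23.102.3 description LocalAC1
   vap-profile navi-ac wlan 8
"""
LOCAL_AC_CFG = """\
url-template name url-template
 url http://10.1.1.1:20001/index.html
web-auth-server web-auth-server
 server-ip 10.1.1.1
wlan
 ssid-profile name ssid1
  ssid guest
 vap-profile name navi-ac
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile ssid1
  type service-navi navi-ac-id 1 navi-wlan-id 8
 navi-ac ac-id 1 ip-address 10.23.101.3 description NaviAC
"""

def parse(cfg):
    """(parent_path, line) pairs; nesting follows the one-space-per-level indentation."""
    stack, rows = [], []
    for raw in cfg.splitlines():
        line, depth = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if line and line != "#":  # '#' lines only separate sections
            while stack and stack[-1][0] >= depth:
                stack.pop()
            rows.append((tuple(t for _, t in stack), line))
            stack.append((depth, line))
    return rows

def first(rows, pattern, under=None):
    """First re.Match of pattern; with `under`, only inside a block whose heading matches it."""
    return next((m for path, line in rows
                 if (not under or (path and re.match(under, path[-1])))
                 and (m := re.match(pattern, line))), None)

def vap_summary(rows, name):
    """Forwarding mode, service VLAN and resolved SSID of one VAP profile."""
    under = rf"vap-profile name {re.escape(name)}$"
    fwd, vlan = first(rows, r"forward-mode (\S+)", under), first(rows, r"service-vlan vlan-id (\d+)", under)
    prof = first(rows, r"ssid-profile (\S+)", under)
    ssid = prof and first(rows, r"ssid (\S+)", rf"ssid-profile name {re.escape(prof[1])}$")
    return {"forward": fwd and fwd[1], "vlan": vlan and int(vlan[1]), "ssid": ssid and ssid[1]}

def management_vlan(navi, local):
    """VLAN of the Navi AC Vlanif that holds the address the local AC peers with (None if unknown)."""
    peer = first(local, r"navi-ac ac-id \d+ ip-address (\S+)")
    for path, line in navi:
        addr = re.match(r"ip address (\S+) (\S+)", line)
        vlanif = path and re.match(r"interface Vlanif(\d+)$", path[-1])
        if peer and addr and vlanif and ipaddress.ip_address(peer[1]) in \
                ipaddress.ip_network(f"{addr[1]}/{addr[2]}", strict=False):
            return int(vlanif[1])

def check(navi_cfg, local_cfg):
    """Return the inconsistencies found (an empty list when the two files agree)."""
    navi, local = parse(navi_cfg), parse(local_cfg)
    problems, mgmt = [], management_vlan(navi, local)
    for path, line in local:
        m = re.match(r"type service-navi navi-ac-id (\d+) navi-wlan-id (\d+)", line)
        if not m:
            continue
        name = re.match(r"vap-profile name (\S+)", path[-1])[1]
        bound = first(navi, rf"vap-profile {re.escape(name)} wlan (\d+)$", rf"local-ac ac-id {m[1]} ")
        if not bound or bound[1] != m[2]:
            problems.append(f"{name}: navi-wlan-id {m[2]} vs Navi AC binding {bound and bound[1]} for local-ac {m[1]}")
        a, b = vap_summary(navi, name), vap_summary(local, name)
        problems += [f"{name}: {k} differs ({a[k]} vs {b[k]})" for k in a if a[k] != b[k]]
        if a["forward"] == "tunnel" and mgmt is not None and a["vlan"] == mgmt:
            problems.append(f"{name}: service VLAN {mgmt} is also the management VLAN (tunnel mode)")
    ip, port = first(navi, r"portal local-server ip (\S+)"), first(navi, r"portal local-server http port (\d+)")
    srv = first(local, r"server-ip (\S+)", r"web-auth-server ")
    if not (ip and srv and ip[1] == srv[1]):
        problems.append("local AC server-ip differs from the built-in Portal server IP")
    url = first(local, r"url (\S+)", r"url-template name ")
    if not (ip and port and url and url[1].startswith(f"http://{ip[1]}:{port[1]}/")):
        problems.append("url-template does not point at the built-in Portal server IP:port")
    return problems
```

check(NAVI_AC_CFG, LOCAL_AC_CFG) returns an empty list for the files as shown on this page; changing navi-wlan-id to 2 on the local AC, or moving the Navi AC service VLAN to 101 (the management VLAN of this topology), makes it return a description of exactly that mismatch, which is the kind of check worth running before the APs are brought online.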
Update Date: 2025-06-30
Document ID: EDOC1100300932