WLAN Typical Configuration Examples (V200)

Example for Configuring Layer 2 External Portal Authentication (Using HTTPS)

Networking Requirements

An enterprise uses HTTPS for Portal authentication.

As shown in Figure 4-26, an AC in an enterprise directly connects to an AP. The enterprise deploys the WLAN wlan-net to provide wireless network access for employees. The AC functions as the DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.

The AC and employees' STAs communicate at Layer 2. To reduce network security risks, you can deploy Layer 2 Portal authentication on the AC. The AC works with the RADIUS server (integrated with the Portal server) to implement access control on employees who attempt to connect to the enterprise network, meeting the enterprise's security requirements.

Figure 4-26 Networking diagram for configuring Layer 2 external Portal authentication

Configuration Roadmap

  1. Configure basic WLAN services so that the AC can communicate with upper-layer and lower-layer devices and the AP can go online.
  2. Configure RADIUS authentication parameters.
  3. Configure a URL template, and configure the URL to the Portal server and the parameters carried in the URL.
  4. Configure a Portal server template.
  5. Configure a Portal access profile and configure Layer 2 Portal authentication.
  6. Configure an authentication-free rule profile so that the AC allows packets to the DNS server to pass through.
  7. Configure an authentication profile to manage NAC configuration.
  8. Configure WLAN service parameters, and bind a security policy profile and an authentication profile to a VAP profile to control access from STAs.

Data Plan

Item

Data

RADIUS authentication parameters

Name of the RADIUS authentication scheme: radius_huawei

Name of the RADIUS accounting scheme: scheme1

Name of the RADIUS server template: radius_huawei

  • IP address: 10.23.200.1
  • Authentication port number: 1812
  • Accounting port number: 1813
  • Shared key: YsHsjx_202206

SSL policy

  • Name: huawei
  • PKI domain: default

URL template

  • Name: url1
  • Redirect URL: https://10.23.200.1:8445/portal
  • Parameters carried in the URL: login-url (the identification keyword is switch_url, the URL is https://10.23.101.1:8443)

Portal server template

  • Name: abc
  • IP address: 10.23.200.1
  • Bound template: URL template url1

Portal access profile

  • Name: portal1
  • Bound template: Portal server template abc

Authentication-free rule profile

  • Name: default_free_rule
  • Authentication-free resource: IP address of the DNS server (10.23.200.2), Gateway address of the STA (10.23.101.1)

Authentication profile

  • Name: p1
  • Bound profiles and authentication schemes: Portal access profile portal1, RADIUS server template radius_huawei, RADIUS authentication scheme radius_huawei, RADIUS accounting scheme scheme1, and authentication-free rule profile default_free_rule

DHCP server

The AC functions as the DHCP server to assign IP addresses to the AP and STAs.

IP address pool for the AP

10.23.100.2 to 10.23.100.254/24

IP address pool for the STAs

10.23.101.2 to 10.23.101.254/24

IP address of the AC's source interface

VLANIF 100: 10.23.100.1/24

AP group

  • Name: ap-group1
  • Bound profile: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile

  • Name: domain1
  • Country code: CN

SSID profile

  • Name: wlan-ssid
  • SSID name: wlan-net

Security profile

  • Name: wlan-security
  • Security policy: Open

VAP profile

  • Name: wlan-vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Bound profile: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Procedure

  1. Configure the AC to enable exchange of CAPWAP packets between the AP and AC.

    # Add AC interface GE0/0/1 to VLAN 100 (management VLAN).

    In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used, configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs will be able to directly communicate at Layer 2.

    In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.

    <HUAWEI> system-view
    [HUAWEI] sysname AC
    [AC] vlan batch 100 101
    [AC] interface gigabitethernet 0/0/1
    [AC-GigabitEthernet0/0/1] port link-type trunk
    [AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [AC-GigabitEthernet0/0/1] quit

  2. Configure the AC to communicate with upper-layer network devices.

    # Add GE0/0/2 that connects the AC to the upper-layer device to VLAN 101 (service VLAN).

    [AC] interface gigabitethernet 0/0/2
    [AC-GigabitEthernet0/0/2] port link-type trunk
    [AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
    [AC-GigabitEthernet0/0/2] quit

  3. Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.

    # Configure the AC as the DHCP server to assign an IP address to the AP from the IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF 101.

    [AC] dhcp enable
    [AC] interface vlanif 100
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit
    [AC] interface vlanif 101
    [AC-Vlanif101] ip address 10.23.101.1 24
    [AC-Vlanif101] dhcp select interface
    [AC-Vlanif101] dhcp server dns-list 10.23.200.2
    [AC-Vlanif101] quit

  4. Configure a route from the AC to the server area (assume that the IP address of the upper-layer device connected to the AC is 10.23.101.2).

    [AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2

  5. Configure the AP to go online.

    # Create an AP group and add the AP to the AP group.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulate-domain-domain1] country-code cn
    [AC-wlan-regulate-domain-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y  
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100

    # Import the AP offline on the AC and add it to AP group ap-group1. Configure a name for the AP based on its deployment location, so that the location can be read from the name. This example assumes that the AP's MAC address is 00e0-fc76-e360 and the AP is deployed in area 1, so the AP is named area_1.

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
    [AC-wlan-ap-0] ap-name area_1
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP to go offline and then online. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y  
    [AC-wlan-ap-0] quit
    [AC-wlan-view] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

    [AC] display ap all
    Total AP information: 
    nor  : normal          [1] 
    ExtraInfo : Extra information 
    P    : insufficient power supply 
    --------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type                 State STA Uptime      ExtraInfo
    --------------------------------------------------------------------------------------------------
    0    00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AirEngine8760-X1-PRO nor   0   10S         -
    --------------------------------------------------------------------------------------------------
    Total: 11

  6. Configure a RADIUS server template, a RADIUS authentication scheme, and a RADIUS accounting scheme.

    Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

    # Configure a RADIUS server template.

    [AC] radius-server template radius_huawei
    [AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
    [AC-radius-radius_huawei] radius-server accounting 10.23.200.1 1813
    [AC-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206

    # Modify the value of a RADIUS attribute.

    [AC-radius-radius_huawei] radius-server attribute translate
    [AC-radius-radius_huawei] radius-attribute set Framed-MTU 1000
    [AC-radius-radius_huawei] quit

    When the Access-Challenge packet sent by the RADIUS server contains EAP information longer than 1200 bytes, the terminal may fail to receive the EAP Request/Challenge packet. In this case, you can run the radius-attribute set command with attribute-name set to Framed-MTU to reduce the value of the Framed-MTU attribute in the authentication request packets that the device sends to the RADIUS server. The default value of the Framed-MTU attribute is 1500; this example changes it to 1000.

    # Configure a RADIUS authentication scheme.

    [AC] aaa
    [AC-aaa] authentication-scheme radius_huawei
    [AC-aaa-authen-radius_huawei] authentication-mode radius
    [AC-aaa-authen-radius_huawei] quit
    [AC-aaa] quit

    # Configure a RADIUS accounting scheme.

    [AC] aaa
    [AC-aaa] accounting-scheme scheme1
    [AC-aaa-accounting-scheme1] accounting-mode radius
    [AC-aaa-accounting-scheme1] accounting realtime 15
    [AC-aaa-accounting-scheme1] quit
    [AC-aaa] quit

    • In this example, the device is connected to the Agile Controller-Campus. The accounting function is not used for billing; it is used to maintain terminal online information through accounting packets.

    • The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the user quantity.

    User Quantity    Real-Time Accounting Interval
    1-99             3 minutes
    100-499          6 minutes
    500-999          12 minutes
    ≥ 1000           ≥ 15 minutes

  7. Configure a URL template.

    [AC] url-template name url1
    [AC-url-template-url1] url https://10.23.200.1:8445/portal
    [AC-url-template-url1] url-parameter login-url ac_url https://10.23.101.1:8443
    [AC-url-template-url1] quit

    The login-url parameter is used by terminals to send account information to the device. If a Portal server does not support the login URL setting, you need to run the url-parameter command with the login-url parameter specified, so that terminals can send the login URL to the Portal server. In the URL specified by the login-url parameter, the IP address is the AC's local IP address (permitted in the authentication-free rule profile to ensure Layer 3 reachability between terminals and the AC), and the port number is that specified using the portal web-authen-server https command (8443 by default).

  8. Configure the HTTPS protocol for Portal authentication.

    If the HTTPS protocol is used for Portal authentication, you need to configure an SSL policy.

    [AC] ssl policy huawei type server
    [AC-ssl-policy-huawei] pki-realm default
    [AC-ssl-policy-huawei] quit
    [AC] http secure-server ssl-policy huawei
    [AC] portal web-authen-server https ssl-policy huawei  
    [AC] portal web-authen-server server-source all-interface   // In V200R021C00 and later versions, you must use the portal web-authen-server server-source command to configure the local gateway address used by the device to receive and respond to the packets sent by the user terminals. Otherwise, the Portal interconnection function cannot be used.
    [AC] web-auth-server abc
    [AC-web-auth-server-abc] protocol http
    [AC-web-auth-server-abc] quit

  9. Configure a Portal server template.

    Ensure that the Portal server IP address, URL address, and port number are configured correctly and are the same as those on the Portal server.

    [AC] web-auth-server abc  
    [AC-web-auth-server-abc] server-ip 10.23.200.1 10.23.101.1
    [AC-web-auth-server-abc] url-template url1
    [AC-web-auth-server-abc] quit

  10. Configure the Portal access profile portal1 and configure Layer 2 Portal authentication.

    [AC] portal-access-profile name portal1
    [AC-portal-access-profile-portal1] web-auth-server abc direct
    [AC-portal-access-profile-portal1] quit

  11. Configure an authentication-free rule profile.

    [AC] free-rule-template name default_free_rule
    [AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
    [AC-free-rule-default_free_rule] free-rule 2 destination ip 10.23.101.1 mask 24
    [AC-free-rule-default_free_rule] quit

  12. Configure the authentication profile p1.

    [AC] authentication-profile name p1
    [AC-authentication-profile-p1] portal-access-profile portal1
    [AC-authentication-profile-p1] free-rule-template default_free_rule
    [AC-authentication-profile-p1] authentication-scheme radius_huawei
    [AC-authentication-profile-p1] accounting-scheme scheme1
    [AC-authentication-profile-p1] radius-server radius_huawei
    [AC-authentication-profile-p1] quit

  13. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile.

    [AC] wlan
    [AC-wlan-view] security-profile name wlan-security
    [AC-wlan-sec-prof-wlan-security] security open
    [AC-wlan-sec-prof-wlan-security] quit

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AC-wlan-view] ssid-profile name wlan-ssid
    [AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AC-wlan-ssid-prof-wlan-ssid] quit

    # Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AC-wlan-view] vap-profile name wlan-vap
    [AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
    [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap] authentication-profile p1
    [AC-wlan-vap-prof-wlan-vap] quit

    # Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] quit

  14. Verify the configuration.

    • The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.

    • The STAs obtain IP addresses when they successfully associate with the WLAN.

    • When a user opens the browser and attempts to access the network, the user is automatically redirected to the authentication page provided by the Portal server. After entering the correct user name and password on the page, the user can access the network.

Configuration Files

AC configuration file

#
 sysname AC
#
 http secure-server ssl-policy huawei                                           
# 
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
portal web-authen-server https ssl-policy huawei
portal web-authen-server server-source all-interface                    
#   
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
 radius-server accounting 10.23.200.1 1813 weight 80
#
ssl policy huawei type server                                                   
 pki-realm default                                                              
#
free-rule-template name default_free_rule                                                                                           
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
 free-rule 2 destination ip 10.23.101.1 mask 255.255.255.0                                                                          
# 
url-template name url1
 url https://10.23.200.1:8445/portal
 url-parameter login-url ac_url https://10.23.101.1:8443
# 
web-auth-server abc
 server-ip 10.23.200.1
 url-template url1
 protocol http
#
portal-access-profile name portal1
 web-auth-server abc direct
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2 
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#  
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 00e0-fc76-e360
  ap-name area_1
  ap-group ap-group1
#
return
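The following script is an added example (not Huawei code and not part of this page's original content) that audits a VRP-style AC configuration file like the one above: it checks that every object the authentication profile chain references (Portal access profile, Portal server template, URL template, RADIUS server template, authentication-free rule profile) is actually defined, and flags any authentication-free rule whose mask exempts more than a single host from Portal authentication. The embedded configuration is a constructed excerpt of the file above; the parsing rules (blocks separated by lines starting with `#`, indented sub-commands, last word of a header as the object name) are assumptions about the file layout.

```python
import re
from ipaddress import ip_network
# Constructed excerpt of the AC configuration file above (same blocks, shortened).
CONFIG = """\
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 radius-server radius_huawei
#
radius-server template radius_huawei
 radius-server authentication 10.23.200.1 1812 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
 free-rule 2 destination ip 10.23.101.1 mask 255.255.255.0
#
url-template name url1
 url https://10.23.200.1:8445/portal
#
web-auth-server abc
 url-template url1
#
portal-access-profile name portal1
 web-auth-server abc direct
#
"""

def parse_blocks(text):
    """Map each '#'-delimited block header to its indented sub-commands."""
    blocks = {}
    for chunk in re.split(r"^#.*\n?", text, flags=re.M):
        lines = chunk.splitlines()
        if lines and lines[0].strip():
            blocks[lines[0].strip()] = [s.strip() for s in lines[1:]]
    return blocks

def audit(text):
    """Return findings; an empty list means every binding resolves and no free rule is over-broad."""
    blocks = parse_blocks(text)
    names = {}  # defining keyword (first word of a header) -> object names
    for header in blocks:
        names.setdefault(header.split()[0], set()).add(header.split()[-1])
    findings = []
    for header, body in blocks.items():
        kind = header.split()[0]
        for cmd in body:
            tok = cmd.split()  # tok[0] is the object type a sub-command refers to
            if len(tok) > 1 and tok[0] in names and tok[0] != kind and tok[1] not in names[tok[0]]:
                findings.append(f"{header}: references missing {tok[0]} {tok[1]}")
            m = re.match(r"free-rule (\d+) destination ip (\S+) mask (\S+)", cmd)
            if m and ip_network(f"{m[2]}/{m[3]}", strict=False).num_addresses > 1:
                findings.append(f"free-rule {m[1]}: mask {m[3]} exempts a whole subnet, not only host {m[2]}")
    return findings
```

Running `audit(CONFIG)` on the page's own rules reports that both free rules, written with mask 255.255.255.0, exempt the entire 10.23.200.0/24 and 10.23.101.0/24 networks rather than just the DNS server and the gateway.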
Update Date: 2025-06-30
Document ID: EDOC1100300932