Wireless Access Controller (AC and Fit AP) V200R022C10 CLI-based Configuration Guide

Wi-Fi CPE Management

Understanding Wi-Fi CPE Management

Basic Concepts

The Wi-Fi CPE management function allows you to remotely manage Wi-Fi CPEs on an AC in a unified manner, including instruction delivery, Wi-Fi CPE version upgrade, and monitoring and O&M.

Traditional Wi-Fi CPE management is faced with the following challenges:

  • During Wi-Fi CPE service configuration and version upgrade, engineers need to configure each Wi-Fi CPE on site, which is complex and costly.
  • The mechanism for reporting the Wi-Fi CPE running status and downlink interface status is incomplete, and no unified platform is available for monitoring the Wi-Fi CPE working status.

The Wi-Fi CPE management function can address these challenges. After Wi-Fi CPEs go online, APs report the access and running status of Wi-Fi CPEs to the AC. During configuration and O&M, administrators can deliver instructions to the Wi-Fi CPEs on the AC to perform batch configuration and remote upgrade.

Wi-Fi CPE Onboarding

Wi-Fi CPEs can be centrally managed by an AC only after they go online on the AC. The Wi-Fi CPE onboarding process involves the following steps:

  1. Connect Wi-Fi CPEs to a WLAN and identify them.
  2. Set up Wi-Fi CPE management channels.

Wi-Fi CPE access and identification

A Wi-Fi CPE can access a WLAN in either of the following modes:

  • iConnect access: When iMaster NCE-Campus is deployed as the RADIUS server, you can configure iConnect terminal authentication to implement plug-and-play of Wi-Fi CPEs. For details about the RADIUS authentication process, see iConnect Terminal Authentication.
  • Non-iConnect access: If iConnect terminal authentication is not configured, plug-and-play of Wi-Fi CPEs is not supported. In this case, the Wi-Fi CPE access and authentication process is similar to that for common terminals.

A Wi-Fi CPE functions as an iConnect terminal to access the WLAN. The association packet of the Wi-Fi CPE carries iConnect URL information, including the electronic identity of the Wi-Fi CPE (Wi-Fi CPE ID for short). As shown in Figure 20-3, the fields of a Wi-Fi CPE ID comply with the format of the electronic identity of an iConnect terminal. The field indicating the terminal type is fixed to CPE.

Figure 20-3 Composition of a Wi-Fi CPE ID

To distinguish Wi-Fi CPEs from common terminals, APs parse iConnect URL information from association packets and report the information to the AC. The AC identifies Wi-Fi CPEs based on the terminal type field.

After the Wi-Fi CPE successfully accesses the WLAN, you can query Wi-Fi CPE information on the AC.

Wi-Fi CPE management channel setup

A Wi-Fi CPE management channel is a bidirectional UDP channel set up between a Wi-Fi CPE and an AP. Specifically, through the channel:

  • The Wi-Fi CPE reports its status to the AC.
  • The AC delivers service configurations to the Wi-Fi CPE.

After a Wi-Fi CPE is associated with an AP, the AP uses a specific loopback interface to set up a Wi-Fi CPE management channel with the Wi-Fi CPE. The two ends can then communicate with each other based on specified IP addresses and port numbers.

In a dual fed and selective receiving scenario, an AP preferentially selects the 5 GHz radio to set up a Wi-Fi CPE management channel to prevent repeated radio management of the Wi-Fi CPE. If the 5 GHz radio cannot be used, the 2.4 GHz radio is used to set up a management channel.

Wi-Fi CPE Instruction Delivery

The AC delivers instructions to a single Wi-Fi CPE or Wi-Fi CPEs in batches to simplify the Wi-Fi CPE service configuration process. Each Wi-Fi CPE is identified by a unique Wi-Fi CPE ID. One or more Wi-Fi CPE instructions can be delivered at a time, and a unique instruction ID is automatically generated for each instruction.

Figure 20-4 shows the process of delivering an instruction to a Wi-Fi CPE.

Figure 20-4 Process of delivering an instruction to a Wi-Fi CPE
  1. The AC encapsulates the instruction packet with the CAPWAP header and forwards the packet to the AP associated with the target Wi-Fi CPE through the CAPWAP tunnel. The packet contains the IP address of the Wi-Fi CPE, Wi-Fi CPE ID, instruction ID, and instruction in a character string format.
  2. The AP forwards the instruction to the Wi-Fi CPE through the Wi-Fi CPE management channel, starts a timer, and waits for a response. The aging time of the timer varies in different instruction delivery scenarios.
    • When a single instruction is delivered, the aging time of the timer corresponding to the instruction is 1 second.
    • When multiple instructions are delivered, the aging time of the timer corresponding to each instruction is 2 seconds.
    • When an instruction requires multiple response packets, each response packet specifies whether a subsequent response packet follows and the aging time of the timer for that next packet.
  3. After receiving the instruction, the Wi-Fi CPE immediately returns a response packet if it supports the instruction. If the Wi-Fi CPE does not support the instruction, it does not respond.
    The following provides the supported Wi-Fi CPE functions and command formats:
  4. The AP reports the response result of the Wi-Fi CPE to the AC.
    • If the AP receives a response packet from the Wi-Fi CPE within the aging time of the timer, the AP encapsulates the response packet with the CAPWAP header and forwards the packet to the AC.
    • If the AP does not receive a response packet from the Wi-Fi CPE within the aging time of the timer, the AP considers that the response fails and reports the result to the AC through the CAPWAP tunnel. Then even if the AC receives the instruction execution result later, the AC directly discards the result.
  5. The Wi-Fi CPE executes the instruction and asynchronously sends the instruction execution result to the AP.
  6. After receiving the instruction execution result, the AP encapsulates the result packet with the CAPWAP header and sends the packet to the AC.

Wi-Fi CPE Alarm Reporting

Alarms generated during the running of a Wi-Fi CPE are reported to the AP through the Wi-Fi CPE management channel. Then the AP encapsulates the alarms in a unified format and reports them to the AC.

Wi-Fi CPE alarms cannot be cleared.

Remote Wi-Fi CPE Upgrade

The AC delivers an upgrade instruction to one or more Wi-Fi CPEs, carrying the IP address and user name of an SFTP server. A Wi-Fi CPE is then upgraded as follows:

  1. The Wi-Fi CPE executes the upgrade instruction, downloads the system software package from the SFTP server, and performs the upgrade.
  2. During the upgrade, the Wi-Fi CPE needs to send response packets for multiple times to notify the status. A response packet specifies whether there are subsequent response packets and the maximum waiting time. If the AP does not receive the next response packet within the specified time, the AP considers that the instruction fails to be executed and reports the result to the AC.
  3. After the upgrade is complete, the Wi-Fi CPE sends the upgrade result to the AP, which then reports the result to the AC.
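The AP-side timer handling described in the instruction delivery process above and in the upgrade steps, modelled as an added Python example (not AP firmware or Huawei code): the class and function names, the has_more/next_wait_s fields of the response and the discarding of late results at the AP are assumptions for illustration; the 1 s and 2 s aging times are those stated on the page.

```python
"""Model of the AP's per-instruction timer for Wi-Fi CPE instruction delivery.
Added illustration for this page, not AP firmware; names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Aging times stated on the page for the AP's per-instruction timer.
SINGLE_INSTRUCTION_AGING_S = 1.0   # one instruction delivered at a time
BATCH_INSTRUCTION_AGING_S = 2.0    # several instructions delivered together


@dataclass
class CpeResponse:
    """Response packet from the Wi-Fi CPE (constructed for this example)."""
    instruction_id: int
    has_more: bool = False                # a further response packet will follow
    next_wait_s: Optional[float] = None   # aging time for that next packet


@dataclass
class Pending:
    deadline: float        # when the AP's timer for this instruction expires
    state: str = "waiting"  # waiting -> acked, or waiting -> failed on timeout


class ApInstructionRelay:
    """Tracks one timer per delivered instruction, as the AP does, and records
    what it would forward to the AC over the CAPWAP tunnel."""

    def __init__(self) -> None:
        self.pending: Dict[int, Pending] = {}
        self.to_ac: List[Tuple[str, int]] = []

    def deliver(self, instruction_ids: List[int], now: float) -> None:
        """Instructions arrive from the AC; start a timer for each one."""
        aging = (SINGLE_INSTRUCTION_AGING_S if len(instruction_ids) == 1
                 else BATCH_INSTRUCTION_AGING_S)
        for iid in instruction_ids:
            self.pending[iid] = Pending(deadline=now + aging)

    def tick(self, now: float) -> None:
        """Expire timers: a failure is reported for each timed-out instruction."""
        for iid, p in self.pending.items():
            if p.state == "waiting" and now > p.deadline:
                p.state = "failed"
                self.to_ac.append(("failed", iid))

    def on_response(self, resp: CpeResponse, now: float) -> None:
        """A response packet arrives on the management channel."""
        self.tick(now)
        p = self.pending.get(resp.instruction_id)
        if p is None or p.state != "waiting":
            # Timer already expired: the failure was reported, so this is dropped
            # (the page has the AC discard it; modelled at the AP for brevity).
            self.to_ac.append(("discarded", resp.instruction_id))
            return
        self.to_ac.append(("response", resp.instruction_id))
        if resp.has_more:
            # Multi-response case: the packet itself carries the next aging time.
            if resp.next_wait_s is not None:
                p.deadline = now + resp.next_wait_s
        else:
            p.state = "acked"

    def on_result(self, instruction_id: int, now: float) -> None:
        """The asynchronous execution result arrives after the response(s)."""
        self.tick(now)
        p = self.pending.get(instruction_id)
        if p is not None and p.state == "acked":
            self.to_ac.append(("result", instruction_id))
        else:
            self.to_ac.append(("discarded", instruction_id))


def simulate_scenarios() -> List[Tuple[str, int]]:
    """Scripted timeline (constructed) covering the three cases on the page."""
    ap = ApInstructionRelay()
    # 1. Single instruction: 1 s timer, prompt response, asynchronous result.
    ap.deliver([1], now=0.0)
    ap.on_response(CpeResponse(1), now=0.4)
    ap.on_result(1, now=3.0)
    # 2. Batch of two: 2 s timer each; instruction 3 is never answered.
    ap.deliver([2, 3], now=10.0)
    ap.on_response(CpeResponse(2), now=11.5)
    ap.tick(now=12.5)            # timer for 3 expires, failure reported
    ap.on_result(3, now=13.0)    # late result: discarded
    ap.on_result(2, now=13.5)
    # 3. Upgrade-style multi-response: each packet sets the next waiting time.
    ap.deliver([4], now=20.0)
    ap.on_response(CpeResponse(4, has_more=True, next_wait_s=30.0), now=20.5)
    ap.tick(now=40.0)            # still inside the 30 s window, nothing expires
    ap.on_response(CpeResponse(4, has_more=False), now=45.0)
    ap.on_result(4, now=46.0)
    return ap.to_ac


if __name__ == "__main__":
    for event in simulate_scenarios():
        print(event)
```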

Configuring Wi-Fi CPE Management

Context

On a WLAN with a large number of Wi-Fi CPEs, to reduce management costs caused by local Wi-Fi CPE configurations, you can configure the Wi-Fi CPE management function to implement unified management of Wi-Fi CPEs on the AC.

Configuration Process

Configuring a Wi-Fi CPE Management Channel

Context

Set up management channels between Wi-Fi CPEs and APs so that the AC can remotely manage the Wi-Fi CPEs and deliver instructions to them.

Pre-configuration Task

Before configuring a Wi-Fi CPE management channel, configure basic WLAN services.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run ap-system-profile name profile-name

    The AP system profile view is displayed.

    By default, the system provides the AP system profile default.

  4. Run local-management enable

    The AP local management function is enabled so that the AP creates a specific IP address for listening to Wi-Fi CPE messages.

    By default, the AP local management function is disabled.

  5. (Optional) Run local-management ip-address ip-address { mask | mask-length }

    The IP address used for AP local management is set. It must be the same as the destination IP address of the messages sent by the Wi-Fi CPE.

    By default, the IP address for AP local management is 192.168.254.254/32 (Loopback 1023).

  6. (Optional) Run cpe management listen-port port cpe-port cpe-port

    The port on which the AP listens for Wi-Fi CPE messages is set; it must be the same as the destination port of messages sent by the Wi-Fi CPE. The destination port of messages sent by the AP to the Wi-Fi CPE is also set; it must be the same as the source port of messages sent by the Wi-Fi CPE.

    The default port number used by an AP to listen to messages from CPEs is 15440, and the default destination port number of messages sent to CPEs is 15442.

  7. Run quit

    Return to the WLAN view.

  8. Run vap-profile name profile-name

    The VAP profile view is displayed.

  9. Run iconnect parse-url enable

    APs are enabled to parse iConnect URL information in STA association packets.

    By default, APs are disabled from parsing iConnect URL information in STA association packets.

  10. Run quit

    Return to the WLAN view.

  11. Bind the AP system profile and VAP profile to an AP group or a specified AP.

    • Bind the AP system profile and VAP profile to an AP group.
      1. Run the ap-group name group-name command to enter the AP group view.
      2. Run the ap-system-profile profile-name command to bind the AP system profile to the AP group.

        By default, the AP system profile default is bound to an AP group.

      3. Run the vap-profile profile-name wlan wlan-id radio { radio-id | all } command to bind the VAP profile to radios.

        By default, no VAP profile is bound to a radio.

    • Bind the AP system profile and VAP profile to an AP.
      1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
      2. Run the ap-system-profile profile-name command to bind the AP system profile to the AP.

        By default, no AP system profile is bound to an AP.

      3. Run the vap-profile profile-name wlan wlan-id radio { radio-id | all } command to bind a VAP profile to radios.

        By default, no VAP profile is bound to a radio.

Verifying the Configuration

  • Run the display ap-system-profile name profile-name command to check whether the AP local management function is enabled and whether the AP local management address, port number used by an AP to listen to messages from Wi-Fi CPEs, and destination port number of messages sent to Wi-Fi CPEs are correctly configured.
  • Run the display vap-profile name profile-name command to check whether APs are enabled to parse iConnect URL information in STA association packets.

Follow-up Procedure

After the Wi-Fi CPE management function is configured on the AC, log in to the Wi-Fi CPE and connect it to the SSID.

Configuring Wi-Fi CPE Instruction Delivery

Context

Wi-Fi CPE management allows you to deliver Wi-Fi CPE instructions to manageable Wi-Fi CPEs in the CLI mode.

The following provides the supported Wi-Fi CPE functions and command formats:

Pre-configuration Task

Before configuring Wi-Fi CPE instruction delivery, configure a Wi-Fi CPE management channel.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run set-cpe-command { all | ap-group group-name | ap-id ap-id | cpe-id cpe-id } { command-string | sensitive-info command-string }

    Instructions are delivered to a specified Wi-Fi CPE.

Examples for Configuring Wi-Fi CPE Management

Example for Configuring Wi-Fi CPE Management (Without iMaster NCE-Campus, Unionman)

Service Requirements

As shown in the following figure, a large number of Wi-Fi CPEs exist on the WLAN. The customer requires unified management and maintenance of Wi-Fi CPEs to reduce management costs caused by local configuration of Wi-Fi CPEs.

Networking Requirements

  • AC networking mode: Layer 2 networking in inline mode
  • DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to APs, Wi-Fi CPEs, and terminals connected to the Wi-Fi CPEs.
  • Service data forwarding mode: tunnel forwarding

Figure 20-5 Networking diagram for configuring Wi-Fi CPE management (without iMaster NCE-Campus)

Data Planning

Table 20-5 AC data planning

Item

Data

Management VLANs for APs

VLAN100

Service VLAN for STAs

VLAN101

DHCP

  • The AC functions as a DHCP server to assign IP addresses (10.23.100.2–10.23.100.254/24) to APs.
  • The AC functions as a DHCP server to assign IP addresses (10.23.101.3–10.23.101.254/24) to Wi-Fi CPEs and STAs.
  • The AC functions as a DHCP server to assign IP addresses (10.23.201.3–10.23.201.254/24) to STAs connected to a Wi-Fi CPE.

AC's source interface address

VLANIF 100: 10.23.100.1/24

AP group

  • Name: ap-group1
  • Referenced profiles: VAP profile cpe_5g (radio 1) and AP system profile ap-sys

VAP profile

  • Name: cpe_5g
  • Forwarding mode: tunnel forwarding
  • iConnect URL parsing function: enabled
  • Referenced profiles: SSID profile cpe_5g, security profile wlan-net, and CPE tunnel profile 5g

SSID profile

  • Name: cpe_5g
  • SSID name: cpe_5g

Security profile

  • Name: wlan-net
  • Security policy: WPA-WPA2+PSK+AES
  • Password: YsHsjx_202206

CPE tunnel profile

  • Name: 5g
  • PVID VLAN: 201
  • Allowed VLAN: 201

AP system profile

  • Name: ap-sys
  • AP local management: enabled

Configuration Roadmap

  1. Configure AP onboarding.
  2. Configure wireless services for Wi-Fi CPE access.
  3. Configure Wi-Fi CPE parameters, and enable the AP local management function and iConnect URL parsing function.
  4. Connect the Wi-Fi CPE to the WLAN locally and configure the AC to manage the Wi-Fi CPE.

Procedure

  1. Configure network devices.

    # Add GE0/0/1 and GE0/0/2 on the switch to VLAN 100, and set the PVID of GE0/0/1 to VLAN 100.
    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 100
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type trunk
    [Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [Switch-GigabitEthernet0/0/1] port-isolate enable
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type trunk
    [Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
    [Switch-GigabitEthernet0/0/2] quit

  2. Configure the AC to communicate with other devices on the network.

    If the AC and AP are directly connected, set the PVID of the interface connecting the AC to the AP to VLAN 100 (management VLAN).

    # On the AC, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 101.
    <HUAWEI> system-view
    [HUAWEI] sysname AC
    [AC] vlan batch 100 101 201
    [AC] interface gigabitethernet 0/0/1
    [AC-GigabitEthernet0/0/1] port link-type trunk
    [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [AC-GigabitEthernet0/0/1] quit
    [AC] interface gigabitethernet 0/0/2
    [AC-GigabitEthernet0/0/2] port link-type trunk
    [AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
    [AC-GigabitEthernet0/0/2] quit

  3. Configure a DHCP server to assign IP addresses to APs, STAs, Wi-Fi CPEs, and terminals connected to the Wi-Fi CPEs.

    # On the AC, configure VLANIF 100 to assign IP addresses to APs, VLANIF 101 to assign IP addresses to STAs and Wi-Fi CPEs, and VLANIF 201 to assign IP addresses to STAs connected to the Wi-Fi CPEs.
    Configure the DNS server as required. The common methods are as follows:
    • In the interface address pool scenario, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In the global address pool scenario, run the dns-list ip-address &<1-8> command in the IP address pool view.
    [AC] dhcp enable
    [AC] interface vlanif 100
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit
    [AC] interface vlanif 101
    [AC-Vlanif101] ip address 10.23.101.1 24
    [AC-Vlanif101] dhcp select interface
    [AC-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
    [AC-Vlanif101] quit
    [AC] interface vlanif 201
    [AC-Vlanif201] ip address 10.23.201.1 24
    [AC-Vlanif201] dhcp select interface
    [AC-Vlanif201] dhcp server excluded-ip-address 10.23.201.2
    [AC-Vlanif201] quit

  4. Configure the AP to go online.

    # Create an AP group to which APs requiring the same configuration are added.
    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    # Create a regulatory domain profile, configure the country code for the AC in the profile, and bind the profile to the AP group.
    [AC-wlan-view] regulatory-domain-profile name default
    [AC-wlan-regulate-domain-default] country-code cn
    [AC-wlan-regulate-domain-default] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
    Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y 
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit
    # Configure the AC's source interface.

    In V200R021C00 and later versions, when the CAPWAP source interface or source address is configured, the system checks whether the security-related configurations exist: the PSK for DTLS encryption, the PSK for DTLS encryption between ACs, the user name and password for logging in to the AP, and the password for logging in to the global offline management VAP. The configuration succeeds only when these exist. Otherwise, the system prompts you to complete them first.

    [AC] capwap source interface vlanif 100
    Set the DTLS PSK(contains 6-32 plain-text characters, or 48 or 68 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):******
    
    Set the DTLS inter-controller PSK(contains 6-32 plain-text characters, or 48 or 68 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):******
    
    Set the user name for FIT APs(contains 4-31 plain-text characters, which can only include letters, digits and underlines. And the first character must be a letter):admin
    
    Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):********
    
    Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):********
    # Enable the function of establishing CAPWAP DTLS sessions in none authentication mode. (V200R021C00 and later versions)
    [AC] capwap dtls no-auth enable

    From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels on the AC by default. After this function is enabled, an AP will fail to go online when it is added. In this case, you need to enable CAPWAP DTLS non-authentication for the AP so that the AP can obtain a security credential. After the AP goes online, disable this function to prevent unauthorized APs from going online.

    # Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. In this example, the AP is named AP_1.

    The default AP authentication mode is MAC address authentication. If the default setting has not been changed, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AirEngine 5760-51 is used.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name AP_1
    Warning: This operation may cause AP reset. Continue? [Y/N]:y  
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y  
    [AC-wlan-ap-0] quit
    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online successfully.
    [AC-wlan-view] display ap all
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    --------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type                     State STA Uptime      ExtraInfo
    --------------------------------------------------------------------------------------------------
    0    60de-4476-e360 AP_1   ap-group1 10.23.100.254 AirEngine 5760-51        nor   0   10S         -
    --------------------------------------------------------------------------------------------------
    Total: 1
    # Disable the function of establishing CAPWAP DTLS sessions in non-authentication mode. (V200R021C00 and later versions)
    [AC-wlan-view] quit
    [AC] undo capwap dtls no-auth enable
    [AC] wlan

  5. Configure channels and power for AP radios.

    # Manually configure the channel and power according to the network planning and design requirements. For details, see Scenario-based WLAN Design for Shop Floors.

  6. Configure common WLAN service parameters.

    # Create the security profile wlan-net and configure a security policy in the profile.

    In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to YsHsjx_202206. In actual situations, the security policy must be configured according to service requirements.

    [AC-wlan-view] security-profile name wlan-net
    [AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase YsHsjx_202206 aes
    [AC-wlan-sec-prof-wlan-net] quit

    # Create the SSID profile cpe_5g and set the SSID name to cpe_5g for the Wi-Fi CPE to go online.

    [AC-wlan-view] ssid-profile name cpe_5g
    [AC-wlan-ssid-prof-cpe_5g] ssid cpe_5g
    [AC-wlan-ssid-prof-cpe_5g] quit

    # Create the CPE tunnel profile 5g, and configure the PVID VLAN and allowed VLAN in the profile.

    [AC-wlan-view] cpe-tunnel-profile name 5g
    [AC-wlan-cpe-tunnel-prof-5g] vlan pvid 201
    [AC-wlan-cpe-tunnel-prof-5g] vlan allow-pass 201
    [AC-wlan-cpe-tunnel-prof-5g] undo vlan allow-pass 1
    [AC-wlan-cpe-tunnel-prof-5g] quit

    # Create the VAP profile cpe_5g, configure the service data forwarding mode and service VLANs, and apply the security profile, SSID profile, and CPE tunnel profile to the VAP profile.

    [AC-wlan-view] vap-profile name cpe_5g
    [AC-wlan-vap-prof-cpe_5g] forward-mode tunnel
    [AC-wlan-vap-prof-cpe_5g] service-vlan vlan-id 101
    [AC-wlan-vap-prof-cpe_5g] security-profile wlan-net
    [AC-wlan-vap-prof-cpe_5g] ssid-profile cpe_5g
    [AC-wlan-vap-prof-cpe_5g] cpe-tunnel-profile 5g
    [AC-wlan-vap-prof-cpe_5g] quit

  7. Configure Wi-Fi CPE management.

    # Enable the iConnect URL parsing function in the VAP profile.

    [AC-wlan-view] vap-profile name cpe_5g
    [AC-wlan-vap-prof-cpe_5g] iconnect parse-url enable
    [AC-wlan-vap-prof-cpe_5g] quit

    # Enable the AP local management function.

    [AC-wlan-view] ap-system-profile name ap-sys
    [AC-wlan-ap-system-prof-ap-sys] local-management enable
    [AC-wlan-ap-system-prof-ap-sys] quit
    # Bind the VAP profile cpe_5g to radio 1 of APs in the AP group and bind the AP system profile to the AP group.
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile cpe_5g wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] ap-system-profile ap-sys
    [AC-wlan-ap-group-ap-group1] quit

  8. Associate the Wi-Fi CPE with the SSID.

    In this example, the Wi-Fi CPE used is Unionman's UNR032H with the software version of V200R022C10.

    # Log in to the Wi-Fi CPE.

    # Choose Wireless > Others and disable iConnect.

    # Choose Wireless > 5G setup.

    # On the Scan tab page, click Scanning. On the page that is displayed, select the SSID to be connected, and click Next.

    # Enter the password and click Save.

  9. Verify the configuration.

    # Check association information about the Wi-Fi CPE on the AC.

    [AC-wlan-view] display cpe all
    Rf/WLAN: Radio ID/WLAN ID    
    Rx/Tx: link receive rate/link transmit rate(Mbps)   
    --------------------------------------------------------------------------------------------------------------------------------------------------------------- 
    CPE ID                                        CPE MAC          AP ID Ap name          Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address       SSID   
    --------------------------------------------------------------------------------------------------------------------------------------------------------------- 
    IC1-UNIONMAN-UNR032H-CPE-321212000001403    00e0-fc12-3450   0    AP_1              1/2      5G    11ax  573/68     -38   20    10.23.100.254     cpe_5g    
    --------------------------------------------------------------------------------------------------------------------------------------------------------------- 
    Total: 1 2.4G: 0 5G: 1 6G: 0

    # Run the display cpe-tunnel remote-station all command on the AC to check information about terminals connected to the Wi-Fi CPE. MAC Address indicates the MAC address of the wired terminal connected to the Wi-Fi CPE.

    [AC-wlan-view] display cpe-tunnel remote-station all
    Rf/WLAN: Radio ID/WLAN ID
    ------------------------------------------------------------------------------------------------------------
    MAC Address       VLAN    AP ID    Ap name           Rf/WLAN    SSID     CPE MAC          CPE BSSID
    ------------------------------------------------------------------------------------------------------------
    00e0-fc12-3460    201     0        AP_1              1/1        cpe_5g   00e0-fc12-3450   00e0-fc12-3450
    ------------------------------------------------------------------------------------------------------------
    Total: 1

Configuration Files

AC configuration file

#
 sysname AC
#
vlan batch 100 to 101 201
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.101.2
#
interface Vlanif201
 ip address 10.23.201.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.201.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name cpe_5g
  ssid cpe_5g
 cpe-tunnel-profile name 5g
  vlan pvid 201
  undo vlan allow-pass 1
  vlan allow-pass 201
 vap-profile name cpe_5g
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile cpe_5g
  security-profile wlan-net
  iconnect parse-url enable 
  cpe-tunnel-profile 5g
 regulatory-domain-profile name default
 ap-system-profile name ap-sys  
  local-management enable 
 ap-group name ap-group1
  ap-system-profile ap-sys
  radio 0
  radio 1
   vap-profile cpe_5g wlan 1
 ap-id 0 type-id 130 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name AP_1
  ap-group ap-group1
#
return
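An added configuration audit (my example, not a Huawei tool) that parses a configuration file in the indentation style shown above and checks the settings this example depends on: local-management enable in the AP system profile bound to each AP group, iconnect parse-url enable in each VAP profile bound to a radio, and that capwap dtls no-auth enable was not left enabled after AP onboarding. The embedded configurations are constructed excerpts of the file above; the parser and the function names are assumptions of mine.

```python
"""Audit an AC configuration file for the Wi-Fi CPE management settings
described on this page. Added example, not a Huawei tool; the parser is a
generic indentation-tree parser and the check names are assumptions."""
from typing import List


class Node:
    """One configuration line plus the lines indented beneath it."""

    def __init__(self, line: str, depth: int) -> None:
        self.line, self.depth = line, depth
        self.children: List["Node"] = []

    def find(self, prefix: str) -> List["Node"]:
        """Direct children whose text starts with prefix."""
        return [c for c in self.children if c.line.startswith(prefix)]


def parse_config(text: str) -> Node:
    """Build a tree from the leading-space indentation of the configuration
    file. '#' separator lines and blank lines carry no configuration."""
    root = Node("", -1)
    stack = [root]
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        node = Node(stripped, depth)
        while stack[-1].depth >= depth:   # climb back to this line's parent
            stack.pop()
        stack[-1].children.append(node)
        stack.append(node)
    return root


def audit_cpe_management(text: str) -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings: List[str] = []
    root = parse_config(text)
    # The page enables CAPWAP DTLS no-auth only while an AP is onboarded and
    # says to disable it afterwards, so finding it in a saved config is a gap.
    if root.find("capwap dtls no-auth enable"):
        findings.append("capwap dtls no-auth enable is still present; disable it once APs are online")
    wlan_views = [c for c in root.children if c.line == "wlan"]
    if not wlan_views:
        return findings + ["no wlan view found"]
    wlan = wlan_views[0]
    sys_profiles = {n.line.split()[-1]: n for n in wlan.find("ap-system-profile name ")}
    vap_profiles = {n.line.split()[-1]: n for n in wlan.find("vap-profile name ")}
    for group in wlan.find("ap-group name "):
        gname = group.line.split()[-1]
        bound = group.find("ap-system-profile ")
        # Page: an AP group binds AP system profile 'default' unless told
        # otherwise, and local management is disabled by default.
        sp_name = bound[0].line.split()[1] if bound else "default"
        profile = sys_profiles.get(sp_name)
        if profile is None or not profile.find("local-management enable"):
            findings.append(f"{gname}: AP system profile {sp_name} lacks 'local-management enable'")
        for radio in group.find("radio "):
            for binding in radio.find("vap-profile "):
                vname = binding.line.split()[1]
                vap = vap_profiles.get(vname)
                if vap is None or not vap.find("iconnect parse-url enable"):
                    findings.append(f"{gname}/{radio.line}: VAP profile {vname} lacks 'iconnect parse-url enable'")
    return findings


# Constructed excerpt of the configuration file shown on this page.
GOOD_CONFIG = """\
#
 sysname AC
#
capwap source interface vlanif100
#
wlan
 vap-profile name cpe_5g
  forward-mode tunnel
  iconnect parse-url enable
  cpe-tunnel-profile 5g
 ap-system-profile name ap-sys
  local-management enable
 ap-group name ap-group1
  ap-system-profile ap-sys
  radio 0
  radio 1
   vap-profile cpe_5g wlan 1
#
return
"""

# Constructed variant: DTLS no-auth left on, iConnect URL parsing never enabled.
WEAK_CONFIG = GOOD_CONFIG.replace("  iconnect parse-url enable\n", "").replace(
    "capwap source interface vlanif100\n",
    "capwap source interface vlanif100\ncapwap dtls no-auth enable\n")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_cpe_management(cfg) or ["no findings"])
```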

Example for Configuring Wi-Fi CPE Management (With iMaster NCE-Campus)

Networking Requirements

As shown in Figure 20-6, a large number of Wi-Fi CPEs exist on the WLAN. The customer wants to implement unified management of Wi-Fi CPEs on iMaster NCE-Campus to reduce management costs caused by local configuration of Wi-Fi CPEs.

Figure 20-6 Networking diagram for configuring Wi-Fi CPE management (with iMaster NCE-Campus)

Data Planning

Table 20-6 iMaster NCE-Campus data planning

Item

Data

CA certificate profile

Certificate profile of the root CA: poc-ca-test-root

End entity certificate profile: poc-ca-test-sub

TLS certificate

CA name: poccert

Root CA

Name: poccert

Bound certificate profile: poc-ca-test-root

Associated profile: poc-ca-test-sub

Certificate application

Associated CA name: poccert

Certificate profile: poc-ca-test-sub

Certificate policy

CA type: built-in CA

CA protocol and port

Protocol: HTTP

Port number: 26801

CA proxy service

CA server:

  • Type: Local CA
  • CA name: pocca
  • Associated CA name: poccert

CRL server:

  • Local CA server: pocca

RADIUS server

Type: Built-in RADIUS

Key: YsHsjx_202206

SSID

SSID1: mac-first, MAC address authentication, WAC as the authentication device

SSID2: 1x-second, 802.1X authentication, WAC as the authentication device

Network access policy

Access mode: 802.1X

SSID: SSID for 802.1X authentication

Terminal management

Terminal approval: enabled

Table 20-7 AC data planning

Item

Data

SSID profile

  • Name: cpe_5g
  • SSID name: cpe_5g

Security profile

  • Name: wlan-net
  • Security policy: WPA-WPA2+PSK+AES
  • Password: YsHsjx_202206

CPE tunnel profile

  • Name: 5g
  • PVID VLAN: 201
  • Allowed VLAN: 201

AP system profile

  • Name: ap-sys
  • AP local management: enabled

RADIUS authentication parameters

  • RADIUS server template name: radius_template
  • IP address: 192.168.11.10
  • Authentication port number: 1812
  • Accounting port number: 1813
  • Shared key: YsHsjx_202206
  • Authentication scheme: auth_scheme
  • Accounting scheme: acco_scheme
  • Domain: 1x

Authentication profile

1x

  • Referenced profile and authentication scheme: 802.1X access profile 1x and authentication domain 1x

mac

  • Referenced profile and authentication scheme: MAC access profile mac and authentication domain 1x

SSID profile

1x

  • SSID name: 1x-second

mac

  • SSID name: mac-first

Security profile

1x

  • Security policy: WPA2-802.1X-AES

open

  • Security policy: open

VAP profile

1x

  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Referenced profiles: SSID profile 1x, security profile 1x, and authentication profile 1x

mac

  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 102
  • Referenced profiles: SSID profile mac, security profile open, and authentication profile mac
  • iConnect SSID: enabled

WMI

WMI profile name: abc

Destination IP address and port of the WMI server: 192.168.11.10/10032

AP system profile

  • Name: default
  • AP local management: enabled
  • WMI profile: abc

Configuration Roadmap

Configuration on iMaster NCE-Campus:

  1. Configure the AC to be managed by iMaster NCE-Campus. Configure the Fit AP to go online on the AC. The details are not mentioned here.
  2. Configure a built-in CA server, which is used in this example.
    1. Configure a certificate profile.
    2. Configure the CA service.
    3. Configure interconnection with a CA server.
    4. Configure a certificate policy.
  3. Configure a RADIUS server template. This example uses a built-in RADIUS server.
  4. Configure authentication points. Configure two SSIDs on iMaster NCE-Campus for MAC address authentication and 802.1X authentication.
  5. Configure MAC address authentication and authorization.
  6. Configure 802.1X authentication and authorization.
  7. Configure a network access policy. Select the configured SSIDs as the access policy. You can add the onboarding configuration as required.
  8. Configure terminal management. Enable the terminal approval function, import the MAC address of the Wi-Fi CPE, and approve the access request on iMaster NCE-Campus.

Configuration on the AC:

  1. Set parameters for interconnecting with the RADIUS server.
  2. Configure two SSIDs, which must be the same as those on iMaster NCE-Campus.
  3. Configure WMI for subsequent O&M management of the Wi-Fi CPE.

Configuration Notes

  • You need to configure DHCP option 225 in the address pool that assigns IP addresses to Wi-Fi CPEs, so that a CPE learns where to reach iMaster NCE-Campus as soon as it obtains an address. For example, in the dhcp server option 225 ascii "icb-ip=xxxx;icb-port=xxx;" configuration, set icb-ip and icb-port to the IP address and port number of iMaster NCE-Campus, respectively. The default value of icb-port is 19008.
  • The service VLAN on the AC must be able to communicate with iMaster NCE-Campus.
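The following is an added example, not part of this guide: it encodes the value configured with dhcp server option 225 ascii "icb-ip=...;icb-port=...;" as the DHCP option TLV a client receives, and parses it back the way a Wi-Fi CPE would, applying the default icb-port 19008 and rejecting malformed values instead of acting on them. The option walk follows RFC 2132 (pad = 0, end = 255). The iMaster NCE-Campus address in the constructed sample is an assumption (the page only gives the address of its built-in RADIUS server), and the field semantics beyond icb-ip and icb-port are not on the page.

```python
"""Encode and parse the DHCP option 225 value used to point Wi-Fi CPEs at iMaster NCE-Campus.
Added example; addresses are placeholders and the option walk follows RFC 2132."""
import ipaddress
import struct

OPTION_ICB = 225          # option code from the configuration note
DEFAULT_ICB_PORT = 19008  # default icb-port from the configuration note
OPT_PAD, OPT_END = 0, 255


def encode_option(code, ascii_value):
    """One RFC 2132 option TLV; the payload is what 'dhcp server option 225 ascii "..."' delivers."""
    data = ascii_value.encode("ascii")
    if not 1 <= len(data) <= 255:
        raise ValueError("option payload must be 1-255 bytes")
    return struct.pack("!BB", code, len(data)) + data


def find_option(options, code):
    """Walk the DHCP options field and return the value of `code`, or None.
    Fails closed on a Length that runs past the end of the field."""
    pos = 0
    while pos < len(options):
        tag = options[pos]
        if tag == OPT_PAD:
            pos += 1
            continue
        if tag == OPT_END:
            break
        if pos + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[pos + 1]
        value = options[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if tag == code:
            return value
        pos += 2 + length
    return None


def parse_icb(value):
    """Parse 'icb-ip=A.B.C.D;icb-port=N;' into (ip, port).
    icb-ip is required, icb-port falls back to 19008, anything malformed raises ValueError."""
    fields = {}
    for part in value.decode("ascii").split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError("field without '=': %r" % part)
        key, val = part.split("=", 1)
        fields[key.strip()] = val.strip()
    if "icb-ip" not in fields:
        raise ValueError("icb-ip missing")
    ip = str(ipaddress.IPv4Address(fields["icb-ip"]))  # raises on a bad address
    port = int(fields.get("icb-port", DEFAULT_ICB_PORT))
    if not 1 <= port <= 65535:
        raise ValueError("icb-port out of range")
    return ip, port


def icb_from_options(options):
    """What a CPE does with a DHCP offer: locate option 225 and parse it (None if absent)."""
    value = find_option(options, OPTION_ICB)
    return None if value is None else parse_icb(value)


def is_valid_icb(value):
    """True if the option value parses cleanly, False otherwise."""
    try:
        parse_icb(value)
        return True
    except ValueError:
        return False


# Constructed sample options field: DHCP message type (53) = Offer, option 225, End.
# The icb-ip here is an assumed iMaster NCE-Campus address, not one given in the guide.
SAMPLE_OPTIONS = (bytes([53, 1, 2])
                  + encode_option(OPTION_ICB, "icb-ip=192.168.11.10;icb-port=19008;")
                  + bytes([OPT_END]))

if __name__ == "__main__":
    print(icb_from_options(SAMPLE_OPTIONS))  # ('192.168.11.10', 19008)
```

Run it against the options field of a captured DHCP Offer to confirm that the address pool really delivers option 225 and that the value parses; a CPE that never receives a valid icb-ip cannot register with iMaster NCE-Campus even though the RADIUS side is correct.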

Procedure

  1. Configure the AC to be managed by iMaster NCE-Campus. Configure the Fit AP to go online on the AC. The details are not mentioned here.
  2. Configure a built-in CA server on iMaster NCE-Campus.

    In this example, the version of iMaster NCE-Campus is V300R022C00SPC100. The configuration varies depending on the version.

    1. Configure a certificate profile.

      # Choose System > Security Management > Certificate Authority Service from the main menu of the service plane.

      # Choose PKI Management > Certificate Profile from the navigation pane.

      # Click New to create a certificate profile with Certificate Level being Root CA or End entity.

      Configure the root CA certificate profile first, then the certificate profile of the end entity. When selecting supported key types, you can select all key types to adapt to different algorithms.

      # Click Submit.

    2. Bind the root CA to the created certificate profile.

      # Choose PKI Management > CA from the navigation pane and click New to associate the created certificate profile with the root CA. You can also select wizard configuration. This example shows the creation operation.

      # Configure basic information and configure the CA certificate. Select the root certificate profile configured in the previous step as the certificate profile.

      # Click Next.

      # In the associated profile list, select the profile to be associated.

      # In the default profile list, select an associated profile as the default profile. Click Next.

      • During certificate application using CMP, if the request carries the profile name parameter, the specified profile is used; if the request does not carry the profile name parameter, the default profile of the CA is used.
      • Only one default profile can be set for a CA.

      # Set Signature algorithm and Certificate profile, and click Submit.

    3. Configure the protocol and port number of the CA service.

      # Choose System > Security Management > Certificate Authority Service from the main menu of the service plane.

      # In the navigation pane, choose Global Configuration > Port Management. Check whether port 26801 is enabled and whether the corresponding protocol is HTTP.

      # If the port is disabled, the system administrator needs to enable HTTP port 26801 on the System > Security Management > Certificate Authority Service > Global Configuration > Port Management page. After the port is enabled, restart the HiSecLiteCA service on the management plane for the setting to take effect.

      # In the navigation pane, choose Protocol Configuration > CMP. Change the protocol to HTTP.

      # Click Submit.

    4. Configure the TLS certificate.

      # Choose System > Security Management > Certificate Authority Service from the main menu.

      # Choose Global Configuration > TLS Configuration from the navigation pane.

      # Click Certificate Configuration, select the previously configured CA, and click Submit.

      # Determine whether to restart the service immediately as prompted.

    5. Apply for a certificate.

      # Choose System > Security Management > Certificate Authority Service from the main menu.

      In the navigation pane, choose Certificate Application > Certificate Application.

      # On the Apply by Basic Info tab page, enter certificate application information, select the certificate profile, enter the common name of the user, and click Submit.

      Select the certificate profile of the end entity configured in the previous step.

      # After the configuration is complete, you can view the application record in the certificate application list.

    6. Configure CA interconnection.

      # Choose System > Security Management > CA Proxy Service from the main menu.

      # Click the CA Server Connection tab and select Local CA.

      # Click New. In this example, the more secure local CA interconnection mode is used.

      # Select a CA that has been created on the Certificate Authority Service page.

      # Click Submit.

    7. Set CRL server connection parameters.

      # Choose System > Security Management > CA Proxy Service from the O&M plane main menu.

      # In the navigation pane, choose CRL Server Connection. Click New.

      # Select a local CA server that has been created in the CA proxy service.

      # Click Submit.

    8. Configure a certificate policy.

      # Choose Admission > Admission Resources > Admission Resources from the main menu. The default CA management mode is third-party CA. Switch to the built-in CA mode.

      # On the Policy Configuration tab page, click Add to create a certificate policy.

      # Click OK.

      # Click the Certificate Encryption Algorithm tab, select a certificate encryption algorithm, and click OK.

  3. Configure a RADIUS server template on iMaster NCE-Campus. In this example, the built-in RADIUS server is used.

    # Choose Design > Network Design > Template Management, click the Policy Template tab, and select RADIUS Server.

    # Click Create.

    # Set the RADIUS name, set Type to Built-in, and set the key.

    # Click OK.

  4. Configure authentication points on iMaster NCE-Campus. Configure two SSIDs on iMaster NCE-Campus for MAC address authentication and 802.1X authentication.

    # Choose Provision > Device > Site Configuration from the main menu.

    # Select a site from the Site drop-down list in the upper left corner.

    # Click the Site Configuration tab.

    # Choose WAC > Authentication from the navigation pane. Click Create and configure authentication.

    1. For one SSID, set Authentication mode to MAC address authentication, specify the RADIUS server using the template, and add a WAC in the Select Device area.

    2. For the other SSID, set Authentication mode to 802.1X authentication, specify the RADIUS server using the template, and add a WAC in the Select Device area.

  5. Configure MAC address authentication and authorization on iMaster NCE-Campus.

    # Configure MAC address authentication rules.

    1. Choose Admission > Admission Policy > Authentication and Authorization > Authentication Rule from the main menu. Click Create to configure an authentication rule.

      Configure basic information and set the authentication mode to MAC address authentication. Configure matching conditions to match SSIDs for user authentication. Set advanced parameters. Specifically, set Access permission for non-existent accounts to Deny access.

    2. Click OK.

    # Configure an authorization result for MAC address authentication.

    1. Choose Admission > Admission Policy > Authentication and Authorization > Authorization Result from the main menu. Click Create to configure an authorization result.
    2. Click OK and apply the authorization result to sites as needed.

    In this example, the authorization result Permit Access is the default authorization result, which is bound to all sites and cannot be modified or deleted.

    # Configure an authorization rule for MAC address authentication.

    1. Choose Admission > Admission Policy > Authentication and Authorization > Authorization Rule from the main menu. Click Create to configure an authorization rule.

      Configure basic information and set the authentication mode to MAC address authentication. Import an authorization result.

    2. Click OK.

  6. Configure 802.1X authentication and authorization on iMaster NCE-Campus.

    # Configure 802.1X authentication rules.

    1. Choose Admission > Admission Policy > Authentication and Authorization > Authentication Rule from the main menu. Click Create to configure an authentication rule.

      Configure basic information and set the authentication mode to User access authentication. Configure matching conditions to match SSIDs for user authentication. Configure authentication information and select all authentication protocols. Set Access permission for non-existent accounts to Continue under Advanced Settings.

    2. Click OK.

    # Configure an authorization result for 802.1X authentication.

    1. Choose Admission > Admission Policy > Authentication and Authorization > Authorization Result from the main menu. Click Create to configure an authorization result.
    2. Click OK and apply the authorization result to sites as needed.

    In this example, the authorization result Permit Access is the default authorization result, which is bound to all sites and cannot be modified or deleted.

    # Configure an authorization rule for 802.1X authentication.

    1. Choose Admission > Admission Policy > Authentication and Authorization > Authorization Rule from the main menu. Click Create to configure an authorization rule.

      Configure basic information and set the authentication mode to User access authentication.

      Select only the EAP-TLS protocol, so that 802.1X authorization is granted to certificate-based authentication alone. Import an authorization result.

    2. Click OK.

  7. Configure a network access policy on iMaster NCE-Campus.

    # Choose Admission > Admission Policy > Authentication and Authorization > Network Access Policy from the main menu. Click Create. Set Access mode to 802.1X and SSID to the SSID for 802.1X authentication. You can add onboarding configurations as required.

    Click OK.

  8. Configure terminal management on iMaster NCE-Campus.

    # Choose Admission > Admission Resources > Terminal Management > Terminal Configuration from the main menu. Enable Terminal approval and set Terminal group to Identified/Device/iConnect.

    # Choose Admission > Admission Resources > Terminal Management > Terminal Management from the main menu. The Terminal Management page is displayed.

    # If a large number of terminals need to be added, you can import them in batches. Click Import, download the template, enter terminal information, and import the modified template.

    # After the MAC address list of the Wi-Fi CPEs is imported, view terminal information on the Terminal Management page. Select a terminal and click Approve to approve the terminal. You can enter approval comments and specify the approval expiration time.

  9. Set parameters for interconnecting with the RADIUS server on the AC.

    # Configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.

    [AC] radius-server template radius_template   
    [AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254   
    [AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254 
    [AC-radius-radius_template] radius-server shared-key cipher YsHsjx_202206 
    [AC-radius-radius_template] radius-server user-name original  //Configure the AC to send the original username entered by a user to the RADIUS server.
    [AC-radius-radius_template] called-station-id wlan-user-format ac-mac include-ssid  //Configure the AC's MAC address and SSID to be encapsulated in the Called-station-id (30) attribute.
    [AC-radius-radius_template] quit 
    [AC] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206  //In V200R021C00 and later versions, you must also run the radius-server authorization server-source command to configure an IPv4 address for receiving and responding to request packets from the RADIUS authorization server. Otherwise, the RADIUS authorization functions cannot take effect.
    [AC] aaa   
    [AC-aaa] authentication-scheme auth_scheme  //Configure an authentication scheme.
    [AC-aaa-authen-auth_scheme] authentication-mode radius  //Set the RADIUS authentication mode in the authentication scheme.
    [AC-aaa-authen-auth_scheme] quit 
    [AC-aaa] accounting-scheme acco_scheme  //Configure an accounting scheme.
    [AC-aaa-accounting-acco_scheme] accounting-mode radius  //Set the RADIUS accounting mode in the accounting scheme.
    [AC-aaa-accounting-acco_scheme] accounting realtime 15   
    [AC-aaa-accounting-acco_scheme] quit 
    [AC-aaa] domain 1x
    [AC-aaa-domain-1x] authentication-scheme auth_scheme
    [AC-aaa-domain-1x] accounting-scheme acco_scheme
    [AC-aaa-domain-1x] radius-server radius_template
    [AC-aaa-domain-1x] quit
    [AC-aaa] quit

    Real-time accounting is configured between the authentication control device and iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent online status information. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the number of users.

    # Check whether a user can pass RADIUS authentication. (The test user test and password YsHsjx_202206 have been configured on the RADIUS server.)

    [AC] test-aaa test YsHsjx_202206 radius-template radius_template pap
    Info: Account test succeed.

    # Create a MAC access profile.

    [AC] mac-access-profile name mac
    [AC-mac-access-profile-mac] quit

    # Create an 802.1X access profile.

    [AC] dot1x-access-profile name 1x
    [AC-dot1x-access-profile-1x] quit

    # Configure the authentication profiles for 802.1X authentication and MAC address authentication.

    [AC] authentication-profile name 1x 
    [AC-authentication-profile-1x] dot1x-access-profile 1x 
    [AC-authentication-profile-1x] access-domain 1x 
    [AC-authentication-profile-1x] quit 
    [AC] authentication-profile name mac 
    [AC-authentication-profile-mac] mac-access-profile mac 
    [AC-authentication-profile-mac] access-domain 1x 
    [AC-authentication-profile-mac] quit

  10. Configure two SSIDs on the AC, which must be the same as those on iMaster NCE-Campus.

    # Create security profiles and set the security policies to WPA-WPA2+802.1X+AES and open.

    [AC] wlan
    [AC-wlan-view] security-profile name 1x
    [AC-wlan-sec-prof-1x] security wpa-wpa2 dot1x aes
    [AC-wlan-sec-prof-1x] quit
    [AC-wlan-view] security-profile name open
    [AC-wlan-sec-prof-open] security open
    [AC-wlan-sec-prof-open] quit

    # Create SSID profiles and set the SSID names to 1x-second and mac-first. The SSID configurations must be the same as those configured on iMaster NCE-Campus.

    [AC-wlan-view] ssid-profile name 1x
    [AC-wlan-ssid-prof-1x] ssid 1x-second
    [AC-wlan-ssid-prof-1x] quit
    [AC-wlan-view] ssid-profile name mac
    [AC-wlan-ssid-prof-mac] ssid mac-first
    [AC-wlan-ssid-prof-mac] quit

    # Configure VAP profiles, set the data forwarding modes and service VLANs, and bind the security profiles, SSID profiles, and authentication profiles.

    [AC-wlan-view] vap-profile name 1x
    [AC-wlan-vap-prof-1x] forward-mode tunnel
    [AC-wlan-vap-prof-1x] service-vlan vlan-id 101
    [AC-wlan-vap-prof-1x] security-profile 1x
    [AC-wlan-vap-prof-1x] ssid-profile 1x
    [AC-wlan-vap-prof-1x] authentication-profile 1x
    [AC-wlan-vap-prof-1x] quit
    [AC-wlan-view] vap-profile name mac
    [AC-wlan-vap-prof-mac] forward-mode tunnel
    [AC-wlan-vap-prof-mac] service-vlan vlan-id 102
    [AC-wlan-vap-prof-mac] security-profile open
    [AC-wlan-vap-prof-mac] ssid-profile mac
    [AC-wlan-vap-prof-mac] authentication-profile mac
    [AC-wlan-vap-prof-mac] iconnect enable
    [AC-wlan-vap-prof-mac] quit

    # Bind the VAP profiles to the AP group.

  11. Configure WMI for subsequent O&M management of the Wi-Fi CPE on the AC.

    [AC] wlan
    [AC-wlan-view] wmi-server name abc 
    [AC-wlan-wmi-server-prof-abc] server ip-address 192.168.11.10 port 10032
    [AC-wlan-wmi-server-prof-abc] quit
    [AC-wlan-view] ap-system-profile name default
    [AC-wlan-ap-system-prof-default] wmi-server abc index 1 
    [AC-wlan-ap-system-prof-default] local-management enable
    [AC-wlan-ap-system-prof-default] quit

  12. Power on the Wi-Fi CPE and check whether the Wi-Fi CPE configuration is successfully delivered on iMaster NCE-Campus.

    # Choose Monitoring > Monitoring > Monitoring from the main menu. On the Wi-Fi CPE tab page, you can view the online status of the Wi-Fi CPEs.

    # Click the Command Delivery Result tab to check whether the wireless CPE commands are successfully delivered.
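The RADIUS exchange that step 9 configures and that the test-aaa check exercises, as an added example that is not part of this guide or of the AC software: it builds the PAP Access-Request for user test with the shared key YsHsjx_202206 and NAS source address 10.10.10.254 from the example, hides the password as RFC 2865 section 5.2 requires, and verifies the Response Authenticator of the reply so that an Access-Accept forged by a host without the shared key is not accepted. The example runs offline; the server reply is constructed in the code. The attribute set is a minimal assumption (a real AC sends more), and the Called-Station-Id string is built in the RFC 3580 form "AC-MAC:SSID", which is an assumption about the exact format the AC emits for called-station-id wlan-user-format ac-mac include-ssid.

```python
"""Build a PAP RADIUS Access-Request and verify the reply (RFC 2865).
Added example, not AC code; shared key and NAS address are the ones in the guide."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLED_STATION_ID = 1, 2, 4, 30

SHARED_KEY = b"YsHsjx_202206"   # radius-server shared-key from the example
NAS_IP = "10.10.10.254"         # source ip-address from the example


def pap_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def pap_reveal_password(hidden, secret, authenticator):
    """Server-side inverse of pap_hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One RFC 2865 attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def called_station_id(ac_mac, ssid):
    """RFC 3580 3.20 form for 802.11: 'AA-BB-CC-DD-EE-FF:SSID'. Whether the AC emits exactly
    this string for 'ac-mac include-ssid' is an assumption; confirm it in a capture."""
    return "%s:%s" % (ac_mac.replace(":", "-").upper(), ssid)


def build_access_request(username, password, ssid, ac_mac, identifier=0, authenticator=None):
    """Minimal PAP Access-Request; returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_hide_password(password.encode(), SHARED_KEY, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + attr(CALLED_STATION_ID, called_station_id(ac_mac, ssid).encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet):
    """Return [(type, value), ...]; fails closed on a bad Length instead of over-reading."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, length = packet[pos], packet[pos + 1]
        out.append((atype, packet[pos + 2:pos + length]))
        pos += length
    return out


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, attrs=b"", secret=SHARED_KEY):
    """Server side, constructed here so the example runs without a RADIUS server."""
    ra = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + ra + attrs


def verify_response(packet, request_auth, secret=SHARED_KEY):
    """Client side: return the Code only if the Response Authenticator matches,
    which is what stops a forged Access-Accept from a host without the shared key."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def demo():
    """Mirror of 'test-aaa test YsHsjx_202206 radius-template radius_template pap': the NAS builds
    the request, the simulated server checks the PAP password and answers, the NAS verifies the
    reply. The second value shows the same reply failing verification under the wrong key."""
    req, ra = build_access_request("test", "YsHsjx_202206", "1x-second", "00:11:22:aa:bb:cc", identifier=7)
    got = dict(parse_attributes(req))
    ok = pap_reveal_password(got[USER_PASSWORD], SHARED_KEY, ra) == b"YsHsjx_202206"
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, 7, ra)
    return verify_response(reply, ra), verify_response(reply, ra, secret=b"wrong-key")


if __name__ == "__main__":
    print(demo())  # (2, None)
```

Point the built request at 192.168.11.10:1812 over UDP to reproduce test-aaa from a host other than the AC; an "Info: Account test succeed." on the AC but a reply that fails verify_response here usually means the shared key differs between the AC template and the iMaster NCE-Campus RADIUS template.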