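Configuring the AC
To implement the QR-code scanning network access scenario, MAC authentication must be configured on the AC and a password must be set for the Wi-Fi network.
The AC must run V200R007C10 or a later version.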
- Configure the RADIUS interconnection parameters.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //The device sends the user name to the RADIUS server exactly as the user entered it
[AC-radius-radius_template] quit
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius //The authentication mode must be RADIUS
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme
[AC-aaa-accounting-acco_scheme] accounting-mode radius //The accounting mode is RADIUS
[AC-aaa-accounting-acco_scheme] accounting realtime 15
[AC-aaa-accounting-acco_scheme] quit
[AC-aaa] quit
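- Configure MAC authentication.
# Configure the access profile. In a MAC access profile, the user name and password of a MAC authentication user both default to the MAC address without the “-” delimiter.
[AC] mac-access-profile name mac
[AC-mac-access-profile-mac] quit
# Configure the authentication profile.
The authentication profile uses the access profile to specify the user access mode; binding the RADIUS authentication scheme, accounting scheme and server template to it specifies that RADIUS authentication is used.
[AC] authentication-profile name mac
[AC-authentication-profile-mac] mac-access-profile mac
[AC-authentication-profile-mac] authentication-scheme auth_scheme
[AC-authentication-profile-mac] accounting-scheme acco_scheme
[AC-authentication-profile-mac] radius-server radius_template
[AC-authentication-profile-mac] quit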
- Configure the post-authentication domain.
[AC] acl 3002
[AC-acl-adv-3002] rule 1 permit ip
[AC-acl-adv-3002] quit
- Configure the AP and bring it online.
# Create an AP group so that APs with the same configuration can all be added to it.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC's country code in it, and reference the profile from the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Configure the AC's source interface.
[AC] capwap source interface vlanif 10
# Import the AP offline on the AC and add it to the AP group “ap-group1”. Assume the AP's MAC address is 60de-4476-e360, and name the AP after its deployment location so that the location is evident from the name. For example, the AP with MAC address 60de-4476-e360 is deployed in area 1, so it is named area_1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation maybe cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command. When the “State” field of the AP shows “nor”, the AP has come online normally.
[AC] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.10.10.122 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
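- Configure the wireless MAC service parameters and set a password for the Wi-Fi network. The SSID and password must match those configured when the password-type device was added on the WeChat Official Accounts Platform, and either the SSID name or the SSID password must start with WX.
# Create the security profile “security_mac” and configure the security policy.
[AC] wlan
[AC-wlan-view] security-profile name security_mac
[AC-wlan-sec-prof-security_mac] security wpa2 psk pass-phrase Admin123Admin123 aes //Set the security policy to WPA2+PSK+AES. The WeChat Official Accounts Platform supports only WPA2+PSK+AES encryption, and this password must be the same as the password configured for the SSID when the password-type device was added on the platform
[AC-wlan-sec-prof-security_mac] quit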
# Create the SSID profile “wlan-ssid” and set the SSID name to “WXcontroller12”.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid WXcontroller12
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile “wlan-vap”, configure the service data forwarding mode and service VLAN, and reference the security profile, SSID profile and authentication profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security_mac
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile mac
[AC-wlan-vap-prof-wlan-vap] quit
# Configure the AP group to reference the VAP profile. Radio 0 and radio 1 on the AP both use the configuration of VAP profile “wlan-vap”.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
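The following Python audit is an added example, not part of the original page or of any vendor tooling. It checks a prompt-stripped copy of the WLAN commands against the constraints stated in this procedure: the SSID or the password starts with WX, the security policy is WPA2+PSK+AES, and every VAP profile bound in an AP group has actually been defined. The function names and the prompt-stripped input format are assumptions made for the example.

```python
import re

# Constructed sample: this page's WLAN commands with the CLI prompts stripped.
SAMPLE = """
security-profile name security_mac
 security wpa2 psk pass-phrase Admin123Admin123 aes
ssid-profile name wlan-ssid
 ssid WXcontroller12
vap-profile name wlan-vap
 security-profile security_mac
 ssid-profile wlan-ssid
ap-group name ap-group1
 vap-profile wlan-vap wlan 1 radio 0
 vap-profile wlan-vap wlan 1 radio 1
"""
OPENERS = r"(security-profile|ssid-profile|vap-profile|ap-group) name (\S+)"

def parse(config):
    """Group commands under the profile that opened them: {(kind, name): [commands]}."""
    blocks, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if opener := re.fullmatch(OPENERS, line):
            current = blocks.setdefault(opener.groups(), [])
        elif line and current is not None:
            current.append(line)
    return blocks

def first(commands, pattern):
    """First capture group of the first command matching pattern, else None."""
    hits = [m.group(1) for c in commands if (m := re.fullmatch(pattern, c))]
    return hits[0] if hits else None

def audit(config):
    """Return findings for the constraints the page states; an empty list means it passed."""
    blocks, findings = parse(config), []
    for (kind, name), commands in blocks.items():
        if kind == "ap-group":
            # Every VAP profile bound to a radio must exist as "vap-profile name <x>".
            for bound in re.findall(r"^vap-profile (\S+) wlan \d+ radio \d+$", "\n".join(commands), re.M):
                if ("vap-profile", bound) not in blocks:
                    findings.append(f"{name}: VAP profile '{bound}' is not defined")
        elif kind == "vap-profile":
            sec = blocks.get(("security-profile", first(commands, r"security-profile (\S+)")), [])
            ssid_cmds = blocks.get(("ssid-profile", first(commands, r"ssid-profile (\S+)")), [])
            ssid, psk = first(ssid_cmds, r"ssid (\S+)"), first(sec, r"security wpa2 psk pass-phrase (\S+) aes")
            if psk is None:
                findings.append(f"{name}: security policy is not WPA2+PSK+AES")
            if not any(v and v.startswith("WX") for v in (ssid, psk)):
                findings.append(f"{name}: neither SSID nor password starts with WX")
    return findings
```

Running `audit()` on the configuration before it is pasted into the AC catches a VAP profile name that differs between its definition and the AP group binding, which otherwise leaves the SSID unbroadcast.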