Wireless Access Controller (AC and FIT AP) V200R010C00 Configuration Guide (CLI)
Example for Configuring WAN Authentication Escape for 802.1X Authentication
Networking Requirements
As shown in Figure 25-13, the enterprise headquarters and the branch are connected across a WAN. The AC and the RADIUS server are deployed at headquarters and the AP at the branch; service packets use direct forwarding. Because the WAN is unstable, the administrator wants to reduce the branch devices' dependence on headquarters. When the WAN is working and the AC-AP connection is up, branch STAs traverse the WAN and are authenticated centrally through the headquarters AC against the RADIUS server using 802.1X; when the WAN is interrupted and the AC-AP link is down, branch users must still be able to go online through 802.1X authentication.
Data Planning
| Item | Data |
|---|---|
| RADIUS authentication parameters | RADIUS authentication scheme name: radius_huawei; RADIUS accounting scheme name: scheme1; RADIUS server template name: radius_huawei, where: |
| 802.1X access profile | |
| Authentication profile | |
| Branch AP group | |
| AP management VLAN | VLAN 100 |
| STA service VLAN | VLAN 101 |
| DHCP server | The Switch acts as the DHCP server and allocates IP addresses to APs and STAs. |
| AP address pool | 10.23.10.2~10.23.10.254/24 |
| STA address pool | 10.23.11.2~10.23.11.254/24 |
| AP gateway | 10.23.10.1 |
| STA gateway | 10.23.11.1 |
| AC source interface | VLANIF100: 10.23.100.1/24 |
| AP group | |
| Regulatory domain profile | |
| SSID profile | |
| Security profile | |
| VAP profile | |
Configuration Roadmap
- Configure the Switch as the DHCP server to allocate IP addresses to APs and STAs.
- Configure the AC:
  - Configure the AC to communicate with other devices.
  - Configure the APs to go online.
  - Configure RADIUS authentication parameters.
  - Configure an 802.1X access profile to manage 802.1X access control parameters.
  - Configure an authentication profile to manage the NAC authentication settings.
  - Configure WLAN service parameters: bind the security profile, the authentication profile and so on in the VAP profile to control STA access to the WLAN.
  - Configure a branch AP group so that the AC delivers the access-authentication configuration to the AP. This includes:
    - Setting the authentication mode to local authentication.
    - Configuring local users and the user access type.
    - Configuring the built-in RADIUS server.
Before you start, ensure that network connectivity has already been configured between the AC and the RADIUS server and between the branch and headquarters.
Procedure
- Configure the Switch as the DHCP server to allocate IP addresses to STAs and APs.
# Add GE0/0/1 on the Switch to VLAN 100 and VLAN 101, add GE0/0/2 to VLAN 100 and VLAN 101, and create VLANIF100 and VLANIF101.
```
<AC6605> system-view
[AC6605] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
```
# On the Switch, configure VLANIF100 to allocate IP addresses to APs from an interface address pool.
```
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.10.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server option 43 sub-option 3 ascii 10.23.100.1
[Switch-Vlanif100] quit
```
# On the Switch, configure VLANIF101 to allocate IP addresses to STAs from an interface address pool.
```
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.11.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
```
- Configure the AC to communicate with other devices
```
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
```
- Configure the APs to go online
For the detailed procedure, see "Configuring APs to go online" in the Example for Configuring Bypass Layer 2 Networking with Tunnel Forwarding.
# Power on the AP. When the State field of the AP shown by display ap all is nor, the AP has gone online normally.
```
[AC-wlan-view] quit
[AC] display ap all
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP            Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 1
```
- Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS accounting scheme
Ensure that the RADIUS server address, port number and shared key are configured correctly and match the settings on the RADIUS server.
# Configure the RADIUS server template.
```
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server accounting 10.23.200.1 1813
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit
```
# Configure an authentication scheme that uses RADIUS.
```
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
```
# Configure an accounting scheme that uses RADIUS.
```
[AC-aaa] accounting-scheme scheme1
[AC-aaa-accounting-scheme1] accounting-mode radius
[AC-aaa-accounting-scheme1] accounting realtime 15
[AC-aaa-accounting-scheme1] quit
[AC-aaa] quit
```
Taking interworking with Agile Controller-Campus as an example, accounting here does not calculate charges; the accounting packets are used to maintain the terminal's online status.
The accounting realtime command sets the real-time accounting interval. The value affects the load on the device and the RADIUS server: the smaller the interval, the higher the performance required of both. Set the interval according to the number of users.
- Configure the 802.1X access profile "d1"
```
[AC] dot1x-access-profile name d1
[AC-dot1x-access-profile-d1] dot1x authentication-method eap
[AC-dot1x-access-profile-d1] quit
```
- Configure the authentication profile "p1"
```
[AC] authentication-profile name p1
[AC-authentication-profile-p1] dot1x-access-profile d1
[AC-authentication-profile-p1] authentication-scheme radius_huawei
[AC-authentication-profile-p1] accounting-scheme scheme1
[AC-authentication-profile-p1] radius-server radius_huawei
[AC-authentication-profile-p1] quit
```
- Configure WLAN service parameters
# Create a security profile named "wlan-net" and configure the security policy.
```
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit
```
# Create an SSID profile named "wlan-net" and set the SSID to "wlan-net".
```
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
```
# Create a VAP profile named "wlan-net", allow new users to go online while the CAPWAP link is down, configure the data forwarding mode and service VLAN, and bind the security profile, SSID profile and authentication profile.
```
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] keep-service enable allow new-access
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile p1
[AC-wlan-vap-prof-wlan-net] quit
```
- Configure the branch AP group
# Create a branch AP group named "g1" and add the AP to it.
```
[AC-wlan-view] branch-group name g1
[AC-wlan-branch-group-g1] ap-id 0
Warning: This operation may cause AP reset. Continue? [Y/N]:y
```
# Set the authentication mode of the branch AP group to local authentication.
```
[AC-wlan-branch-group-g1] quit
[AC-wlan-view] quit
[AC] aaa
[AC-aaa] authentication-scheme s1
[AC-aaa-authen-s1] authentication-mode local
[AC-aaa-authen-s1] quit
[AC-aaa] quit
[AC] wlan
[AC-wlan-view] branch-group name g1
[AC-wlan-branch-group-g1] authentication-scheme s1
```
# Configure local users and their access type in the branch AP group.
```
[AC-wlan-branch-group-g1] local-user test1 password cipher Huawei@123
[AC-wlan-branch-group-g1] local-user test2 password cipher Huawei@123
[AC-wlan-branch-group-g1] local-user test1 service-type 8021x
[AC-wlan-branch-group-g1] local-user test2 service-type 8021x
```
# Configure the built-in RADIUS server.
The CA certificate, local certificate and private key file used in this example are for illustration only. In a real deployment, configure a CA certificate, local certificate and private key that meet your own requirements.
```
[AC-wlan-branch-group-g1] local-eap-server authentication eap-method eap-peap eap-ttls eap-tls
[AC-wlan-branch-group-g1] local-eap-server authentication certificate ca format pem filename caserver.pem
[AC-wlan-branch-group-g1] local-eap-server authentication certificate local format pem filename serverlocal.pem
[AC-wlan-branch-group-g1] local-eap-server authentication private-key format pem filename server.pem password Huawei@123
[AC-wlan-branch-group-g1] load-authentication-file
```
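The escape only works if every piece of the branch AP group above is present: a local authentication scheme, local users with the 8021x service type, a loaded CA certificate, local certificate, private key and EAP method list, plus keep-service allow new-access in the VAP profile. The following added Python check (not part of the Huawei documentation) reads a configuration file in the layout of the AC configuration file shown at the end of this page and reports what is missing; the excerpt it parses is constructed here and deliberately omits two items, and it assumes, as on VRP, that an authentication scheme with no authentication-mode line uses local authentication.

```python
# Constructed excerpt in the syntax of the AC configuration file on this page
# (not a device capture); secrets replaced with ***.
AC_CONFIG = """\
aaa
 authentication-scheme s1
wlan
 vap-profile name wlan-net
  keep-service enable allow new-access
 branch-group name g1
  local-eap-server authentication certificate local format pem filename serverlocal.pem
  local-eap-server authentication private-key format pem filename server.pem password ***
  local-eap-server authentication eap-method eap-peap eap-tls eap-ttls
  authentication-scheme s1
  local-user test1 password cipher ***
  local-user test1 service-type 8021x
  local-user test2 password cipher ***
"""

def check_escape_config(config):
    """Return findings; an empty list means the branch group is escape-ready."""
    schemes, users, eap, ctx, branch_scheme = {}, {}, set(), None, None
    for raw in config.splitlines():
        depth, w = len(raw) - len(raw.lstrip()), raw.split()
        if depth == 1:                       # aaa scheme / vap-profile / branch-group header
            ctx = w
            if w[0] == "authentication-scheme":
                schemes[w[1]] = "local"      # assumed VRP default when no mode line is shown
        elif depth == 2 and ctx and ctx[0] == "authentication-scheme":
            if w[0] == "authentication-mode":
                schemes[ctx[1]] = w[1]
        elif depth == 2 and ctx and ctx[0] == "branch-group":
            if w[0] == "authentication-scheme":
                branch_scheme = w[1]
            elif w[0] == "local-user":       # user -> {password: cipher, service-type: 8021x}
                users.setdefault(w[1], {})[w[2]] = w[3]
            elif w[0] == "local-eap-server":  # record ca / local / private-key / eap-method
                eap.add(w[3] if w[2] == "certificate" else w[2])
    findings = []
    if schemes.get(branch_scheme) != "local":
        findings.append(f"branch-group authentication-scheme {branch_scheme} is not local")
    for name, attrs in users.items():
        if attrs.get("service-type") != "8021x":
            findings.append(f"local-user {name} lacks service-type 8021x")
    for item in ("ca", "local", "private-key", "eap-method"):
        if item not in eap:
            findings.append(f"local-eap-server is missing {item}")
    if "keep-service enable allow new-access" not in config:
        findings.append("vap-profile lacks keep-service enable allow new-access")
    return findings
```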
- With the AC-AP connection up, Telnet from the AC to the AP and check whether the VAP profile configuration on the AC has been delivered to the AP
# On the AP, run display authentication-profile configuration; the authentication profile "p1" has been delivered to the AP.
```
<AP> display authentication-profile configuration
-------------------------------------------------------------------------------
ID   Auth-profile name
-------------------------------------------------------------------------------
0    default_authen_profile
1    dot1x_authen_profile
2    mac_authen_profile
3    portal_authen_profile
4    macportal_authen_profile
5    p1
-------------------------------------------------------------------------------
Total 6, printed 6
```
# On the AP, run display dot1x-access-profile configuration; the 802.1X access profile has been delivered to the AP.
```
<AP> display dot1x-access-profile configuration
-------------------------------------------------------------------------------
ID   Dot1x-Access-Profile Name
-------------------------------------------------------------------------------
0    dot1x_access_profile
1    d1
-------------------------------------------------------------------------------
Total: 2 printed: 2.
```
```
<AP> display dot1x-access-profile configuration name d1
Profile Name                    : d1
Authentication method           : EAP
Re-authen                       : Disable
Client-no-response authorize    : -
Max retry value                 : 2
Reauthen Period                 : 3600s
Client Timeout                  : 5s
Bound authentication profile    : p1
```
- With the AC-AP connection up, Telnet from the AC to the AP and check whether the branch AP group configuration on the AC has been delivered to the AP
# On the AP, run display authentication-scheme; the authentication scheme "flex_default" has been delivered to the AP.
After the authentication scheme is delivered to the AP, its name is automatically changed to "flex_default" and it is bound to the default domain by default.
```
<AP> display authentication-scheme
-------------------------------------------------------------------
Authentication-scheme-name           Authentication-method
-------------------------------------------------------------------
default                              Local
flex_default                         Local
-------------------------------------------------------------------
Total of authentication scheme: 3
```
# On the AP, run display local-user; local users test1 and test2 have been delivered to the AP.
```
<AP> display local-user
----------------------------------------------------------------------------
User-name        State  AuthMask  AdminLevel
----------------------------------------------------------------------------
test1            A      X         0
test2            A      X         0
----------------------------------------------------------------------------
Total 2 user(s)
```
- With the AC-AP link down, log in to the AP through its console port and check whether users have gone online.
# On the AP, run display access-user; local users test1 and test2 are online.
```
<AP> display access-user
------------------------------------------------------------------------------
UserID  Username  IP address    MAC             Status
------------------------------------------------------------------------------
6       test1     10.23.11.163  e005-c5fa-b829  Success
7       test2     10.23.12.158  0046-4b74-68c0  Success
------------------------------------------------------------------------------
Total: 2, printed: 2
```
```
<AP> display access-user user-id 6
Basic:
  User ID                        : 6
  User name                      : test1
  Domain-name                    : default
  User MAC                       : e005-c5fa-b829
  User IP address                : 10.23.11.163
  User vpn-instance              : -
  User IPv6 address              : -
  User access Interface          : Wlan-Bss1
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/8
  User vlan source               : user request
  User access time               : 2014/04/14 19:52:29
  User accounting session ID     : Huawei04007000000010d****3000036
  Terminal Device Type           : 802.1x
  AP name                        : area_1
  Radio ID                       : 0
  AP MAC                         : 60de-4476-e360
  SSID                           : wlan-net
  Online time                    : 59(s)
AAA:
  User authentication type       : 802.1x authentication
  Current authentication method  : Local
  Current authorization method   : -
  Current accounting method      : None
```
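Sessions admitted during an outage are authenticated by the AP's local EAP server and, as the output above shows, produce no accounting, so the central RADIUS server never sees them. The added Python example below (not from the Huawei documentation) parses display access-user and display access-user user-id output in the layout shown above to list such sessions; its inputs are constructed, and the "RADIUS" values for test2 are an assumption made for contrast, since the page only shows the Local case.

```python
# Constructed samples in the layout of the AP's display output on this page
# (not device captures); test2 is given RADIUS values for contrast (assumed).
ACCESS_USER_TABLE = """\
------------------------------------------------------------------------------
UserID  Username  IP address    MAC             Status
------------------------------------------------------------------------------
6       test1     10.23.11.163  e005-c5fa-b829  Success
7       test2     10.23.12.158  0046-4b74-68c0  Success
------------------------------------------------------------------------------
Total: 2, printed: 2
"""
USER_DETAILS = {
    6: "Basic:\n  User name : test1\n  AP name : area_1\n"
       "AAA:\n  Current authentication method : Local\n  Current accounting method : None\n",
    7: "Basic:\n  User name : test2\n  AP name : area_1\n"
       "AAA:\n  Current authentication method : RADIUS\n  Current accounting method : RADIUS\n",
}

def parse_access_user_table(text):
    """Rows of 'display access-user'; separator, header and Total lines are skipped."""
    rows = []
    for line in text.splitlines():
        w = line.split()
        if len(w) == 5 and w[0].isdigit():   # only data rows have 5 fields and a numeric ID
            rows.append({"id": int(w[0]), "user": w[1], "ip": w[2], "mac": w[3], "status": w[4]})
    return rows

def parse_user_detail(text):
    """'key : value' pairs of 'display access-user user-id N'; section titles are dropped."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields

def escape_sessions(table_text, details):
    """(id, user, mac) of sessions authenticated locally by the AP with no accounting,
    i.e. users that came online through the escape and are unknown to the central RADIUS."""
    found = []
    for row in parse_access_user_table(table_text):
        f = parse_user_detail(details.get(row["id"], ""))
        if f.get("Current authentication method") == "Local" and f.get("Current accounting method") == "None":
            found.append((row["id"], row["user"], row["mac"]))
    return found
```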
Configuration Files
Switch configuration file
```
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.10.1 255.255.255.0
 dhcp select interface
 dhcp server option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif101
 ip address 10.23.11.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
```
AC configuration file
```
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
 dot1x-access-profile d1
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
 radius-server accounting 10.23.200.1 1813 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 authentication-scheme s1
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile p1
  keep-service enable allow new-access
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 branch-group name g1
  local-eap-server authentication certificate local format pem filename serverlocal.pem
  local-eap-server authentication certificate ca format pem filename caserver.pem
  local-eap-server authentication private-key format pem filename server.pem password %^%#p*3QFnV0nYY~74I=h!3XgyoT!Hs[u~34$CIkk@CL%^%#
  local-eap-server authentication eap-method eap-peap eap-tls eap-ttls
  authentication-scheme s1
  local-user test1 password cipher %^%#V,~'NYd79%mW}|=6k*S>|'s9BPZwOSO.r541}2['%^%#
  local-user test1 service-type 8021x
  local-user test2 password cipher %^%#fvXqP&/_7M4qG+E9R2CPqq\DUp].>8!twMW}LG49%^%#
  local-user test2 service-type 8021x
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
dot1x-access-profile name d1
#
return
```