Example for Configuring 802.1x Authentication to Control Access of Wireless STAs(V200R009C00 and later versions)

Created: Mar 23, 2017 11:34:08. Latest reply: May 25, 2019 18:02:00.

 

802.1x Authentication on the Wireless Side Overview

802.1x is a port-based network access control protocol, and 802.1x authentication is one of the NAC authentication modes. 802.1x authentication protects the security of enterprise intranets.

802.1x authentication ensures high security; however, it requires that 802.1x client software be installed on user terminals, resulting in inflexible network deployment. Another two NAC authentication methods have their advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it has low security.

As a result, 802.1x authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements.

Configuration Notes

- The Cisco Identity Services Engine (ISE) 2.0.0.306 functions as the RADIUS server in this example.

- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. If you set the forwarding mode to direct forwarding, you are also advised not to configure the management VLAN and service VLAN to be the same.

- If direct forwarding is used, configure port isolation on the interfaces that directly connect to APs. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.

- Configure the management VLAN and service VLAN:

  - In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel and then forwarded to the AC. The AC then forwards the packets to the upper-layer network or APs. Therefore, service packets and management packets can be forwarded normally as long as the network between the AC and APs is added to the management VLAN and service VLAN and the network between the AC and upper-layer network is added to the service VLAN.

  - In direct forwarding mode, service packets are not encapsulated in a CAPWAP tunnel but are directly forwarded to the upper-layer network or APs. Therefore, service packets and management packets can be forwarded normally only when the network between the AC and APs is added to the management VLAN and the network between APs and the upper-layer network is added to the service VLAN.

- No ACK mechanism is provided for multicast packet transmission on air interfaces, and wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, multicast services may be affected.

  - In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.

  - In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.

  For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the corresponding product version.

- The following table lists applicable products and versions.

Table 1-1 Applicable products and versions

Software Version: V200R011C10
Product Model: S5720HI, S7700, S9700
NOTE: For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.
AP Model and Version:
- V200R007C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP8050DN, AP8150DN
- V200R007C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W
- V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
- V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Software Version: V200R010C00
Product Model: S5720HI, S7700, S9700
NOTE: For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.
AP Model and Version:
- V200R007C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W
- V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
- V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Software Version: V200R009C00
Product Model: S5720HI, S7700, S9700
NOTE: For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.
AP Model and Version:
- V200R007C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W
- V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
- V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

 

Networking Requirements

As shown in Figure 1-1, an enterprise's AC connects to the egress gateway (Router) and RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID wlan-net is available for employees to access network resources. The gateway also functions as a DHCP server to provide IP addresses on the 10.23.101.0/24 network segment for STAs. The AC controls and manages STAs.

Because the WLAN is open to users, there are potential security risks to enterprise information if no security policy is configured for the WLAN. The enterprise requires high information security, so a WPA2 security policy using 802.1x authentication and AES encryption is configured. The RADIUS server authenticates STA identities. The AC is configured to function as an EAP relay, so that it forwards the 802.1x (EAP) authentication exchange between the STAs and the RADIUS server.

Figure 1-1 Networking diagram for configuring 802.1X authentication (figure image not reproduced here)

 

Data Planning

Table 1-2 Data planning

Management VLAN: VLAN 100

Service VLAN: VLAN 101

Source interface on the AC: VLANIF 100: 10.23.100.1/24

SwitchA VLAN: VLAN 100

DHCP server:
- IP address that the AC assigns to the AP: 10.23.100.2-10.23.100.254/24
- IP addresses that Router assigns to STAs: 10.23.101.2-10.23.101.254/24
- IP address of DNS server: 8.8.8.8

Gateway for the AP: VLANIF 100: 10.23.100.1/24

Gateway for STAs: VLANIF 101: 10.23.101.1/24

RADIUS authentication parameters:
- Name of the RADIUS server template: radius_huawei
- IP address: 10.23.103.1
- Authentication port number: 1812
- Shared key: huawei@123
- Authentication scheme: radius_huawei
- AAA domain: huawei.com

802.1X access profile:
- Name: wlan-dot1x
- Authentication mode: EAP

Authentication profile:
- Name: wlan-authentication
- Referenced profile: 802.1X access profile wlan-dot1x
- Forcible authentication domain: huawei.com

AP group:
- Name: ap-group1
- Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile:
- Name: domain1
- Country code: CN

SSID profile:
- Name: wlan-ssid
- SSID name: wlan-net

Security profile:
- Name: wlan-security
- Security policy: WPA2-802.1X-AES

VAP profile:
- Name: wlan-vap
- Forwarding mode: tunnel forwarding
- Service VLAN: VLAN 101
- Referenced profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile wlan-authentication

 

Table 1-3 Data planning on the ISE server

Department: R&D department

Access user: account A-123, password Huawei123

AC IP address: 10.23.100.1

RADIUS authentication key: 123456

 

Configuration Roadmap

1. Configure the AC to communicate with APs and upper-layer network devices.

2. On the AC, configure the AC to assign an IP address to the AP and the Router to assign IP addresses to STAs.

3. Configure RADIUS authentication parameters on the AC.

4. On the AC, configure an 802.1x access profile to manage 802.1x access control parameters.

5. On the AC, configure an authentication profile, bind the 802.1x access profile to the authentication profile, and configure a forcible authentication domain for users.

6. On the AC, configure the APs to go online.

7. On the AC, configure WLAN service parameters, set the security policy to WPA2-802.1X-AES, and bind the security profile and the authentication profile to a VAP profile to control access from STAs.

8. On the ISE server, configure the authentication device (AC) information, user information, and the 802.1x authentication function, to implement device access, user access, and MAC address-based 802.1x authentication.

Procedure

Step 1: Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2 that connects SwitchA to the AC to the same VLAN.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2: Configure the AC to communicate with the upstream device.

# Configure VLANIF 101 (service VLAN), VLANIF 102, and VLANIF 103.

[AC] vlan batch 101 102 103
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.23.103.2 24
[AC-Vlanif103] quit

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.

[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.

[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk pvid vlan 103
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit

# On the AC, configure a default static route whose next hop is the Router (10.23.102.1).

[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1

Step 3: Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to STAs.

# Configure the AC to assign an IP address to the AP from an interface address pool.

[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as a DHCP relay agent, and specify the DHCP server IP address on the DHCP relay agent.

[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs from a global address pool. The egress gateway address of the DHCP client is 10.23.101.1, and the network segment of the global address pool is 10.23.101.0/24.

<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] dns-list 8.8.8.8
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2

Step 4: Configure RADIUS authentication parameters.

NOTE: Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

# Configure a RADIUS server template.

[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.103.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher huawei@123   
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.

[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication scheme.

[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

NOTE: If the domain name huawei.com is configured, you need to add the domain name when entering the user name.

# Test whether a STA can be authenticated using RADIUS authentication. A user name A-123@huawei.com and password 123456 have been configured on the RADIUS server.

[AC] test-aaa A-123@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.

Step 5: Configure an 802.1X access profile to manage 802.1X access control parameters.

# Create the 802.1X access profile wlan-dot1x.

[AC] dot1x-access-profile name wlan-dot1x

# Set the authentication mode to EAP relay.

[AC-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-dot1x] quit

Step 6: Configure an authentication profile named wlan-authentication, apply the 802.1X access profile, and configure a forcible authentication domain.

[AC] authentication-profile name wlan-authentication
[AC-authen-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authen-profile-wlan-authentication] access-domain huawei.com dot1x force
[AC-authen-profile-wlan-authentication] quit

Step 7: Configure the AP to go online.

# Create an AP group and add the AP to the AP group.

[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.

[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.

NOTE: The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online normally.

[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN    nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 8: Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 9: Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 10: Configure the ISE server.

# Log in to the ISE server.

1. Enter the access address of the ISE server in the address bar, in the format https://ISE-IP, where ISE-IP is the IP address of the ISE server.

2. On the displayed page, enter the user name and password to log in to the ISE server.

# Create department information. Choose Administration > Identity Management > Groups. In the pane on the right side, click Add and then create an Identity Group named R&D department.


# Create user account information. Choose Administration > Identity Management > Identities. In the pane on the right side, click Add and add the user account and password to R&D department.


# Add AC information so that the ISE can interwork with the AC. Choose Administration > Network Resources > Network Devices. In the pane on the right side, click Add to add AC information.

Name: AC

IP Address: 10.23.100.1/32 (the IP address of the AC must be reachable from the ISE server)

Shared Secret: Huawei@123 (must be identical, including letter case, to the RADIUS shared key configured on the AC)

 


# Configure allowed authentication and encryption protocols. Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols, and click Add to configure allowed authentication and encryption protocols. In this example, the default configuration is used. That is, PAP, CHAP, and EAP are allowed.


# Configure authentication and authorization policies. Choose Policy > Authentication. Policy Type can be set to Simple or Rule-based. In this example, set it to Simple. Then, bind the user information and allowed authentication protocols configured in previous steps to the authentication policy.


Step 11: Verify the configuration.

- The WLAN with SSID wlan-net is available for STAs connected to the AP.

- The wireless PC obtains an IP address after it associates with the WLAN.

- Use the 802.1x authentication client on a STA and enter the correct user name and password. The STA is authenticated and can access the WLAN. You must configure the client for PEAP authentication. The steps below deselect Validate server certificate so that the lab works without a trusted server certificate on the client; outside a lab, keep it selected and trust only the RADIUS server's certificate, because with PEAP the user's credentials are protected only by the TLS tunnel to a server the client has verified.

  Configuration on the Windows XP operating system:

  i. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net, set the authentication mode to WPA2, and set the encryption algorithm to AES.

  ii. On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.

  Configuration on the Windows 7 operating system:

  i. Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID wlan-net. Set the authentication mode to WPA2-Enterprise and the encryption algorithm to AES. Click Next.

  ii. Click Change connection settings. On the Wireless Network Properties page that is displayed, select the Security tab page and click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the dialog box that is displayed, deselect Automatically use my Windows logon name and password and click OK.

  iii. On the Wireless Network Properties page, click Advanced settings. On the Advanced settings page that is displayed, select Specify authentication mode, set the identity authentication mode to User authentication, and click OK.

----End

Configuration Files

- Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

- Router configuration file

#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
 dns-list 8.8.8.8
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return

- AC configuration file

#
sysname AC
#
vlan batch 100 to 103
#
authentication-profile name wlan-authentication
 dot1x-access-profile wlan-dot1x
 access-domain huawei.com dot1x force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile wlan-authentication
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
dot1x-access-profile name wlan-dot1x
#
return
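As an added example (not part of the original post and not Huawei's software), the following Python script parses an AC configuration file in the format shown above and checks that the 802.1x chain is wired end to end: every VAP profile with a dot1x security policy is bound to an authentication profile, that profile's 802.1x access profile and forcible domain exist, and the domain's RADIUS server template has an authentication server, which is the check behind the note in Step 4. SAMPLE_CONFIG is constructed from the AC configuration file above with unrelated sections and the encrypted shared key omitted; the parser assumes the VRP convention of one leading space per nesting level and a bare "#" as a section separator.

```python
# Added example (not from the original post or from Huawei): audit the 802.1x chain in a
# VRP-style AC config. SAMPLE_CONFIG is constructed from the page's AC configuration file.

SAMPLE_CONFIG = """\
#
authentication-profile name wlan-authentication
 dot1x-access-profile wlan-dot1x
 access-domain huawei.com dot1x force
#
radius-server template radius_huawei
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 vap-profile name wlan-vap
  security-profile wlan-security
  authentication-profile wlan-authentication
#
dot1x-access-profile name wlan-dot1x
"""


def parse_tree(text):
    """Nest commands by VRP indentation into (command, children) nodes; '#' separates sections."""
    root, stack = [], []
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if line and line != "#":
            while stack and stack[-1][0] >= indent:
                stack.pop()
            node = (line, [])
            (stack[-1][1] if stack else root).append(node)
            stack.append((indent, node[1]))
    return root


def get(nodes, prefix, recursive=True):
    """First node whose command is prefix or starts with 'prefix ' (children searched too)."""
    for node in nodes:
        if node[0] == prefix or node[0].startswith(prefix + " "):
            return node
        hit = get(node[1], prefix) if recursive else None
        if hit:
            return hit
    return None


def arg(nodes, prefix):
    """Text after prefix in the first direct child command that starts with it, or None."""
    node = get(nodes, prefix, recursive=False)
    return node[0][len(prefix):].strip() if node else None


def audit(text):
    """Return findings per VAP profile; an empty list means the 802.1x chain is complete."""
    tree, findings = parse_tree(text), []
    wlan, aaa = get(tree, "wlan"), get(tree, "aaa")
    for cmd, body in [n for n in (wlan[1] if wlan else []) if n[0].startswith("vap-profile name ")]:
        vap, sec_name = cmd.split()[-1], arg(body, "security-profile")
        auth_name = arg(body, "authentication-profile")
        sec = get(tree, f"security-profile name {sec_name}")
        policy = (arg(sec[1], "security") or "").split() if sec else []
        if not sec or ("dot1x" in policy and not auth_name):
            findings.append(f"{vap}: security profile {sec_name!r} missing, or 802.1x without authentication profile")
        if not auth_name:
            continue
        prof = get(tree, f"authentication-profile name {auth_name}")
        if not prof:
            findings.append(f"{vap}: authentication profile {auth_name!r} is not defined")
            continue
        dot1x = arg(prof[1], "dot1x-access-profile")
        if not get(tree, f"dot1x-access-profile name {dot1x}"):
            findings.append(f"{auth_name}: 802.1x access profile {dot1x!r} is not defined")
        domain = (arg(prof[1], "access-domain") or "-").split()[0]
        dom = get(aaa[1], f"domain {domain}", recursive=False) if aaa else None
        if not dom:
            findings.append(f"{auth_name}: forcible domain {domain!r} is not defined under aaa")
            continue
        tmpl = get(tree, f"radius-server template {arg(dom[1], 'radius-server')}")
        if not tmpl or not arg(tmpl[1], "radius-server authentication"):
            findings.append(f"{domain}: RADIUS template is missing or has no authentication server")
    return findings
```

Run `audit(open("ac.cfg").read())` against a saved `display current-configuration`; an empty list means the page's chain is intact, and each finding names the profile or domain where the chain breaks.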

This post was last edited by 交换机在江湖 at 2017-05-31 17:12.
user_2790689, created Mar 23, 2017 15:56:06:

good
ViktorG (Visitor), created May 25, 2019 18:02:00:

Take care and have a great day!
Viktor
