Example for Deploying the Free Mobility Function for Users' Physical Location Change (V200R009 and later versions)

Created: Mar 23, 2017 11:27:29Latest reply: Mar 23, 2017 15:55:11 1907 1 0 0

 

Free Mobility Overview

In an enterprise network, different network access policies can be deployed for users on access devices to meet different network access requirements. The application of mobile office and BYOD technologies brings frequent changes of users' physical locations and IP addresses. Therefore, the original network control solution based on physical ports and IP addresses cannot ensure consistency of network access experience. For example, the network access policy of a user does not change when the user's physical location changes.

The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address changes in an agile network.

The switches must be associated with Agile Controller-Campuss in the free mobility solution. An administrator only needs to uniformly deploy network access policies on Agile Controller-Campuss for users, and deliver the policies to all associated switches. After that, a user can obtain the same access policy no matter how the user's physical location and IP address change.

Configuration Notes

l   Free mobility is supported only in NAC unified mode.

l   In this example, the agile Agile Controller-Campus runs V100R003C00.

l   The following table lists the applicable products and versions.

Table 1-1 Applicable products and versions

Version

Model

V200R009C00 and later versions:

Supported only by the S5720HI, S7700, and S9700

 

l   If the core switch has been associated with an Agile Controller-Campus and has free mobility configured, perform the following steps to delete historical data and reconfigure the core switch.

a.         Run the undo group-policy controller command in the system view to disable free mobility and disconnect the switch from the AAgile Controller-Campus.

b.         Run the undo acl all command to delete the access control policy.

c.         Run the undo ucl-group ip all command to delete IP addresses bound to security groups.

d.         Run the undo ucl-group all command to delete security groups.

e.         Return to the user view and run the save command. The system automatically deletes the configured version number.

Networking Requirements

Employees in an enterprise connect to the network in wired and wireless modes and are authenticated using 802.1x or Portal authentication.

The employees do not work in fixed locations and want to obtain the same rights after being authenticated regardless of their access locations.

Figure 1-1 Networking

20170323112622202004.png

 

Requirement Analysis

As shown in Figure 1-1, the agile core switch coreswitch (supporting native AC) functions as the authentication point and the access switch is a common switch.

You can configure 802.1x authentication and Portal authentication on the core switch so that wired and wireless users can connect to the network after being authenticated by the core switch.

The employees do not work in fixed locations and want to obtain the same rights after being authenticated regardless of their access locations.

Network Data Plan

Table 1-2 Network data plan

Item

Data

Description

VLAN plan

ID: 11

VLANIF11 IP address: 192.168.11.254/24

The core switch uses this VLAN to communicate with the Agile Controller-Campus.

ID: 12

VLANIF12 IP address: 192.168.12.254/24

The core switch uses this VLAN to manage APs.

ID: 13

VLANIF13 IP address: 192.168.13.254/24

The core switch uses this VLAN to provide wireless access services.

ID: 14

VLANIF14 IP address: 192.168.14.254/24

The core switch uses this VLAN to provide wired access services.

Core switch (coreswitch)

Interface number: GE1/0/11

IDs of allowed VLANs: 11

IDs of allowed VLANs: 11, 12, 13, and 14

Interface number: GE1/0/12

IDs of allowed VLANs: 12, 14

This interface allows packets from the wired access service VLAN and APs' management VLAN to pass through.

Access switch

Interface number: GE0/0/1

IDs of allowed VLANs: 12, 14

This interface connects to GE1/0/12 on the core switch (coreswitch).

Interface number: GE0/0/3

IDs of allowed VLANs: 14

This interface provides wired access and allows packets from the wired access service VLAN to pass through.

Interface number: GE0/0/5

IDs of allowed VLANs: 12

This interface provides wireless access and allows packets from the APs' management VLAN to pass through.

Server

Agile Controller-Campus: 192.168.11.1

The Service Manager (SM) and Service Controller (SC) are installed on the same server. The SC functions as both the RADIUS server and Portal server.

Email server: 192.168.11.100

-

Video server: 192.168.11.110

-

DNS server: 192.168.11.200

 

Service Data Plan

Table 1-3 Service data plan

Item

Data

Description

Core switch (coreswitch)

RADIUS authentication server:

l  IP address: 192.168.11.1

l  Port number: 1812

l  RADIUS shared key: Admin@123

l  The SC of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, IP addresses of the authentication server, accounting server, and Portal server are the SC's IP address.

l  Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. On the Agile Controller-Campus, the fixed RADIUS authentication and accounting port numbers are 1812 and 1813 respectively, and the fixed Portal server port number is 50200.

RADIUS accounting server:

l  IP address: 192.168.11.1

l  Port number: 1813

l  RADIUS shared key: Admin@123

l  Accounting interval: 15 minutes

Portal server:

l  IP address: 192.168.11.1

l  Port number: 50200

l  Shared key: Admin@123

XMPP password: Admin@123

The configuration is the same as that on the Agile Controller-Campus.

Agile Controller-Campus

Core switch's IP address: 192.168.11.254

This IP address is the IP address of VLANIF 11.

RADIUS parameters:

l  Device: Huawei S series

l  RADIUS authentication key: Admin@123

l  RADIUS accounting key: Admin@123

l  RADIUS authorization key: Admin@123

l  Real-time accounting interval: 15 minutes

The configuration is the same as that on the core switch.

Portal parameters:

l  Port number: 2000

l  Portal key: Admin@123

l  IP addresses of access terminals

Wireless terminal: 192.168.13.0/24

Wired terminal: 192.168.14.0/24

XMPP password: Admin@123

The configuration is the same as that on the core switch.

Account:

Employees:

l  User name: staff

l  Password: Huawei@123

Guests:

l  User name: guest

l  Password: Guest@123

Use fast authorization to authorize the security group Employee_Group to the staff.

Use fast authorization to authorize the security group Guest_Group to the guest.

Security group:

Employee_Group

Guest_Group

Email server: 192.168.11.100

Video server: 192.168.11.110

Pre-authentication domain

DNS server

Employees can send domain names to the DNS server for resolution before being authenticated.

Post-authentication domain

Email servers, video server

After passing authentication, employees can access the mail server and video server. You can improve bandwidth for employees to access the video server.

After passing authentication, guests cannot access the mail server and can only access the video server. You can reduce bandwidth for guests to access the video server.

 

Configuration Roadmap

Configure the core switch.

1.         Switch the NAC configuration mode to unified mode.

2.         Configure interfaces and VLANs, and enable the DHCP server function.

3.         Configure parameters for interconnection with the RADIUS server.

4.         Configure parameters for interconnection with the Portal server.

5.         Configure the access authentication point for fixed PCs.

6.         Configure an authentication-free rule.

7.         Configure AC system parameters to provide wireless access.

8.         Configure XMPP parameters for interconnection with the Agile Controller-Campus and enable free mobility.

Configure the access switch.

1.         Configure interfaces and VLANs to implement network communication.

2.         Configure the switch to transparently transmit 802.1x packets.

20170323112623560005.jpg

In this example, the LAN switch exists between the access switch Switch and users. To ensure that users can pass 802.1x authentication, you must configure the EAP packet transparent transmission function on the LAN switch.

l  Method 1: The S5700 is used as an example of the LAN switch. Perform the following operations:

l  Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 command in the system view of the LAN switch to configure the LAN switch to transparently transmit EAP packets.

1.     Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface connecting to users and the interface connecting to the access switch to enable the Layer 2 protocol transparent transmission function.

l  Method 2: This method is recommended when a large number of users exist or high network performance is required. Only the S5720EI, S5720HI, and S6720EI support this method.

l  Run the following commands in the system view:

l  undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0

l  bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE

l  bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF

l  bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC

l  bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8

1.     (This step is mandatory when you switch from method 1 to method 2.) Run the undo l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to delete the configuration of transparent transmission of 802.1x protocol packets.

Configure the Agile Controller-Campus.

1.         Configure RADIUS, Portal, and XMPP parameters, and add the core switch.

2.         Configure two groups: employee group and guest group, and two security groups: mail server and video server.

3.         Authorize the employee group to employees and guest group to guests. After passing authentication, employees are added to the employee group and guests are added to the guest group.

4.         Configure an access control policy. The policy allows the employee group to access the mail and video servers, and improves the bandwidth for employees to access the video server. In addition, the policy allows the guest group to access only the video server, and reduces the bandwidth for guests to access the video server. The employee group and guest group are not allowed to access each other.

Procedure

                               Step 1     Configure the core switch.

1.         Switch the NAC configuration mode to unified mode.

20170323112623560005.jpg

You must switch the NAC configuration mode to unified mode on a device with the free mobility function configured. When the switchover occurs, the device will reboot automatically.

<HUAWEI> system-view
[HUAWEI] sysname coreswitch
[coreswitch] authentication unified-mode

2.         Configure interfaces and VLANs, and enable the DHCP server function.

[coreswitch] vlan batch 11 to 14
[coreswitch] interface vlanif 11    
[coreswitch-Vlanif11] ip address 192.168.11.254 255.255.255.0
[coreswitch-Vlanif11] quit
[coreswitch] dhcp enable                                 
[coreswitch] interface vlanif 12    
[coreswitch-Vlanif12] ip address 192.168.12.254 255.255.255.0
[coreswitch-Vlanif12] dhcp select interface    
[coreswitch-Vlanif12] quit
[coreswitch] interface vlanif 13                                 
[coreswitch-Vlanif13] ip address 192.168.13.254 255.255.255.0
[coreswitch-Vlanif13] dhcp select interface                                  
[coreswitch-Vlanif13] dhcp server dns-list 192.168.11.200
[coreswitch-Vlanif13] quit
[coreswitch] interface vlanif 14                                  
[coreswitch-Vlanif14] ip address 192.168.14.254 255.255.255.0
[coreswitch-Vlanif14] dhcp select interface                                 
[coreswitch-Vlanif14] dhcp server dns-list 192.168.11.200
[coreswitch-Vlanif14] quit
[coreswitch] interface gigabitEthernet 1/0/11
[coreswitch-GigabitEthernet1/0/11] port link-type trunk
[coreswitch-GigabitEthernet1/0/11] port trunk allow-pass vlan 11
[coreswitch-GigabitEthernet1/0/11] quit
[coreswitch] interface gigabitEthernet 1/0/12
[coreswitch-GigabitEthernet1/0/12] port link-type trunk
[coreswitch-GigabitEthernet1/0/12] port trunk allow-pass vlan 12 14
[coreswitch-GigabitEthernet1/0/12] quit

3.         Configure parameters for interconnection with the RADIUS server.

[coreswitch] radius-server template policy    
[coreswitch-radius-policy] radius-server authentication 192.168.11.1 1812    
[coreswitch-radius-policy] radius-server accounting 192.168.11.1 1813        
[coreswitch-radius-policy] radius-server shared-key cipher Admin@123                   
[coreswitch-radius-policy] quit
[coreswitch] radius-server authorization 192.168.11.1 shared-key cipher Admin@123    
[coreswitch] aaa
[coreswitch-aaa] authentication-scheme auth    
[coreswitch-aaa-authen-auth] authentication-mode radius    
[coreswitch-aaa-authen-auth] quit
[coreswitch-aaa] accounting-scheme acco    
[coreswitch-aaa-accounting-acco] accounting-mode radius    
[coreswitch-aaa-accounting-acco] accounting realtime 15    
[coreswitch-aaa-accounting-acco] quit
[coreswitch-aaa] domain default    
[coreswitch-aaa-domain-default] radius-server policy
[coreswitch-aaa-domain-default] authentication-scheme auth
[coreswitch-aaa-domain-default] accounting-scheme acco
[coreswitch-aaa-domain-default] quit
[coreswitch-aaa] quit

4.         Configure parameters for interconnection with the Portal server.

[coreswitch] url-template name huawei    
[coreswitch-url-template-huawei] url http://192.168.11.1:8080/portal    
[coreswitch-url-template-huawei] quit
[coreswitch] web-auth-server policy     
[coreswitch-web-auth-server-policy] server-ip 192.168.11.1    
[coreswitch-web-auth-server-policy] port 50200               
[coreswitch-web-auth-server-policy] shared-key cipher Admin@123    
[coreswitch-web-auth-server-policy] url-template huawei     
[coreswitch-web-auth-server-policy] quit

5.         Configure NAC.

a.         # Configure the 802.1x access profile d1.

20170323112623560005.jpg

By default, an 802.1x access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1x authentication request packets.

[coreswitch] dot1x-access-profile name d1
[coreswitch-dot1x-access-profile-d1] quit

b.         # Configure the Portal access profile web1.

[coreswitch] portal-access-profile name web1
[coreswitch-portal-acces-profile-web1] web-auth-server policy direct   
[coreswitch-portal-acces-profile-web1] quit

c.         # Configure the authentication-free rule profile default_free_rule.

[coreswitch] free-rule-template name default_free_rule
[coreswitch-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.200 mask 24 source ip any    
[coreswitch-free-rule-default_free_rule] free-rule 2 source vlan 12    
[coreswitch-free-rule-default_free_rule] quit

d.         # Configure the authentication profile p1 for 802.1x + Portal combined authentication.

[coreswitch] authentication-profile name p1
[coreswitch-authen-profile-p1] dot1x-access-profile d1     
[coreswitch-authen-profile-p1] portal-access-profile web1    
[coreswitch-authen-profile-p1] access-domain default force    
[coreswitch-authen-profile-p1] quit

e.         # Configure the authentication profile p_dot1x for 802.1x authentication.

[coreswitch] authentication-profile name p_dot1x
[coreswitch-authen-profile-p_dot1x] dot1x-access-profile d1    
[coreswitch-authen-profile-p_dot1x] free-rule-template default_free_rule    
[coreswitch-authen-profile-p_dot1x] access-domain default force    
[coreswitch-authen-profile-p_dot1x] quit

f.          # Configure the authentication profile p_portal for Portal authentication.

[coreswitch] authentication-profile name p_portal
[coreswitch-authen-profile-p_portal] portal-access-profile web1    
[coreswitch-authen-profile-p_portal] free-rule-template default_free_rule    
[coreswitch-authen-profile-p_portal] access-domain default force    
[coreswitch-authen-profile-p_portal] quit

6.         Configure GE1/0/12 as the access authentication point for fixed PCs and enable 802.1x + Portal combined authentication.

[coreswitch] interface gigabitEthernet 1/0/12
[coreswitch-GigabitEthernet1/0/12] authentication-profile p1    
[coreswitch-GigabitEthernet1/0/12] quit

7.         Configure the AP to go online.

a.         # Configure the AC's source interface.

[coreswitch] capwap source interface vlanif 12

b.         # Create the AP group ap-group1.

[coreswitch] wlan
[coreswitch-wlan-view] ap-group name ap-group1
[coreswitch-wlan-ap-group-ap-group1] quit

c.         # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

[coreswitch-wlan-view] regulatory-domain-profile name domain1
[coreswitch-wlan-regulate-domain-domain1] country-code cn
[coreswitch-wlan-regulate-domain-domain1] quit
[coreswitch-wlan-view] ap-group name ap-group1
[coreswitch-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y 
[coreswitch-wlan-ap-group-ap-group1] quit
[coreswitch-wlan-view] quit

d.         # Import an AP offline on the AC. In this example, the AP's MAC address is 60de-4476-e360 and name is area_1.

[coreswitch] wlan
[coreswitch-wlan-view] ap auth-mode mac-auth
[coreswitch-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[coreswitch-wlan-ap-0] ap-name area_1
[coreswitch-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[coreswitch-wlan-ap-0] quit

e.         # After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

[coreswitch-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN    nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

8.         Configure WLAN service parameters.

a.         # Create security profiles wlan-security1 and wlan-security2, and configure security policies. By default, the security policy is open system authentication in open mode.

[coreswitch-wlan-view] security-profile name wlan-security1
[coreswitch-wlan-sec-prof-wlan-security1] quit
[coreswitch-wlan-view] security-profile name wlan-security2
[coreswitch-wlan-sec-prof-wlan-security2] security wpa2 dot1x aes
[coreswitch-wlan-sec-prof-wlan-security2] quit

b.         # Create SSID profiles dot1x_test and portal_test, and set the SSID names to dot1x_test and portal_test, respectively.

[coreswitch-wlan-view] ssid-profile name dot1x_test
[coreswitch-wlan-ssid-prof-dot1x_test] ssid dot1x_test
Warning: This action may cause service interruption. Continue?[Y/N]y
[coreswitch-wlan-ssid-prof-dot1x_test] quit
[coreswitch-wlan-view] ssid-profile name portal_test
[coreswitch-wlan-ssid-prof-portal_test] ssid portal_test
Warning: This action may cause service interruption. Continue?[Y/N]y
[coreswitch-wlan-ssid-prof-portal_test] quit

c.         # Create VAP profiles dot1x_test and portal_test, configure the data forwarding mode and service VLANs, and apply the security profiles and SSID profiles to the VAP profiles.

[coreswitch-wlan-view] vap-profile name dot1x_test
[coreswitch-wlan-vap-prof-dot1x_test] forward-mode tunnel
[coreswitch-wlan-vap-prof-dot1x_test] service-vlan vlan-id 13
[coreswitch-wlan-vap-prof-dot1x_test] security-profile wlan-security2    
[coreswitch-wlan-vap-prof-dot1x_test] ssid-profile dot1x_test
[coreswitch-wlan-vap-prof-dot1x_test] authentication-profile p_dot1x   
[coreswitch-wlan-vap-prof-dot1x_test] quit
[coreswitch-wlan-view] vap-profile name portal_test
[coreswitch-wlan-vap-prof-portal_test] forward-mode tunnel
[coreswitch-wlan-vap-prof-portal_test] service-vlan vlan-id 13
[coreswitch-wlan-vap-prof-portal_test] security-profile wlan-security1   
[coreswitch-wlan-vap-prof-portal_test] ssid-profile portal_test
[coreswitch-wlan-vap-prof-portal_test] authentication-profile p_portal   
[coreswitch-wlan-vap-prof-portal_test] quit

d.         # Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and radio 1 of the APs.

[coreswitch-wlan-view] ap-group name ap-group1
[coreswitch-wlan-ap-group-ap-group1] vap-profile dot1x_test wlan 1 radio all
[coreswitch-wlan-ap-group-ap-group1] vap-profile portal_test wlan 2 radio all
[coreswitch-wlan-ap-group-ap-group1] quit

9.         Commit the configuration.

[coreswitch-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[coreswitch-wlan-view] quit

10.      Configure XMPP parameters for interconnection with the Agile Controller-Campus and enable free mobility.

[coreswitch] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254    
[coreswitch] quit
<coreswitch> save

                               Step 2     Configure the access switch.

20170323112623560005.jpg

In this example, an access switch exists between users and the core switch functioning as the authentication point, and transparently transmits packets. To ensure that users can pass 802.1x authentication, configure the access switch to transparently transmit 802.1x packets (EAP packets in this example because EAP mode is used).

<HUAWEI> system-view
[HUAWEI] sysname l2switch
[l2switch] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[l2switch] vlan batch 12 14
[l2switch] interface gigabitEthernet 0/0/1
[l2switch-GigabitEthernet0/0/1] port link-type trunk
[l2switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 12 14
[l2switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/1] bpdu enable
[l2switch-GigabitEthernet0/0/1] quit
[l2switch] interface gigabitEthernet 0/0/3              
[l2switch-GigabitEthernet0/0/3] port link-type access
[l2switch-GigabitEthernet0/0/3] port default vlan 14
[l2switch-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/3] bpdu enable
[l2switch-GigabitEthernet0/0/3] quit
[l2switch] interface gigabitEthernet 0/0/5             
[l2switch-GigabitEthernet0/0/5] port link-type access
[l2switch-GigabitEthernet0/0/5] port default vlan 12
[l2switch-GigabitEthernet0/0/5] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/5] bpdu enable
[l2switch-GigabitEthernet0/0/5] quit
[l2switch] quit
<l2switch> save

                               Step 3     Configure the Agile Controller-Campus.

1.         Add the core switch.

a.         Choose Resource > Device > Device Management and click Add.

20170323112624639006.png

b.         Click XMPP.

20170323112624405007.png

c.         Click OK. The switch's Status is 20170323112625371008.png and Synchronization Status is Success.

d.         On the core switch, check the switch's communication status with the Agile Controller-Campus.

<coreswitch> display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 1
Controller protocol version: 1 

2.         Create the staff and guest accounts.

a.         Choose Resource > User Management.

b.         Click Add to create the staff account.

20170323112626151009.png

c.         Click Add to create the guest account.

20170323112627688010.png

3.         Configure two groups: employee group and guest group, and two security groups: mail server and video server.

a.         Choose Policy > Permission Control > Security Group > Dynamic Security Group Management.

b.         Click Add and create Employee_Group.

20170323112628885011.png

c.         Click Add and create Guest_Group.

20170323112629484012.png

d.         Choose Static Security Group Management, click Add and create Email_Server.

20170323112630556013.png

e.         Click Add and create Video_Server.

20170323112630285014.png

f.          Click Global Deployment to deploy the security groups on the entire network.

4.         Authorize the employee group to employees and guest group to guests. After passing authentication, employees are added to the employee group and guests are added to the guest group.

a.         Choose Policy > Permission Control > Quick Authorization.

b.         Map employees to Employee group, set bandwidth, and click OK.

20170323112631874015.png

c.         Map guests to Guest group, set bandwidth, and click OK.

20170323112632358016.png

5.         Configure an access control policy to allow the employee group to access the mail and video servers and allow the guest group to access only the video server.

20170323112623560005.jpg

The default policy configuration mode is customized group. If there is no customized group, add a customized group on the device management page first (choose Resource > Device > Device Manager > Free Mobility). You can also change the policy configuration mode to all devices (choose System >  Terminal Configuration > Global Parameters > Business accompanying configuration mode).

a.         Choose Policy > Free Mobility > Permission Control.

b.         Click Add.

20170323112633320017.png

20170323112634633018.png

20170323112635605019.png

20170323112635890020.png

20170323112636410021.png

c.         Click OK and Global Deployment.

After the access control policy is successfully deployed, you can run the following commands on the core switch to view deployment information.

n   display ucl-group all: displays security groups.

n   display acl all: displays the access control policy.

                               Step 4     Save the configuration of Core_SW.

Choose Resource > Device > Device Management. Click 20170323112637586022.png corresponding to Core_SW to save the configuration.

20170323112623560005.jpg

Saving the configuration is similar to running the save command on the device, which saves all the device configurations (including security groups, access right control policies, and QoS policies deployed on the controller) to the configuration file.

If security groups, access right control policies, and QoS policies are saved to the device's configuration file, these configurations can be directly restored from the configuration file after the device restarts, and do not need to be requested from the controller. Otherwise, user authentication fails after the device restarts because security groups, access right control policies, and QoS policies are not deployed on the device.

                               Step 5     Verify the configuration.

After passing 802.1x or Portal authentication anywhere, the employees can access the mail and video servers, and the videos can be smoothly played.

After passing 802.1x or Portal authentication anywhere, the guests cannot access the mail server but can only access the video server, and the videos may freeze.

----End

Configuration Files

l   Core switch configuration file

#
sysname coreswitch
#
vlan batch 11 to 14
#
authentication-profile name p1
 dot1x-access-profile d1
 portal-access-profile web1
 access-domain default force
authentication-profile name p_dot1x
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain default force
authentication-profile name p_portal
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain default force
#
group-policy controller 192.168.11.1 password %^%#(K2]5P#C6'97.pR(gFv$K$KbGYN}R1Y76~K^;AP&%^%# src-ip 192.168.11.254
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %^%#teXm2B&.1O0:cj$OWPq7@!Y\!%}dC3Br>p,}l\L.%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
#
radius-server authorization 192.168.11.1 shared-key cipher %^%#FKIlCKv=f(AgM-G~W"}G.C\%;b'3A/zz-EJV;vi*%^%#
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.200 mask 255.255.255.0 source ip any
 free-rule 2 source vlan 12
#
url-template name huawei
 url http://192.168.11.1:8080/portal
#
web-auth-server policy
 server-ip 192.168.11.1
 port 50200
 shared-key cipher %^%#SQn,Cr"c;M&{#(R^:;P3F_H$3f3sr$C9%*G7R|u3%^%#
 url-template huawei
#
portal-access-profile name web1
 web-auth-server policy direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain default
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif11
 ip address 192.168.11.254 255.255.255.0
#
interface Vlanif12
 ip address 192.168.12.254 255.255.255.0
 dhcp select interface
#
interface Vlanif13
 ip address 192.168.13.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.11.200
#
interface Vlanif14
 ip address 192.168.14.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.11.200
#
interface GigabitEthernet1/0/11
 port link-type trunk
 port trunk allow-pass vlan 11
#
interface GigabitEthernet1/0/12
 port link-type trunk
 port trunk allow-pass vlan 12 14
 authentication-profile p1
#
capwap source interface vlanif12
#
wlan
 security-profile name wlan-security1
 security-profile name wlan-security2
  security wpa2 dot1x aes
 ssid-profile name dot1x_test
  ssid dot1x_test
 ssid-profile name portal_test
  ssid portal_test
 vap-profile name dot1x_test
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile dot1x_test
  security-profile wlan-security2
  authentication-profile p_dot1x
 vap-profile name portal_test
  forward-mode tunnel
  service-vlan vlan-id 13
  ssid-profile portal_test
  security-profile wlan-security1
  authentication-profile p_portal
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0                                                                       
   vap-profile dot1x_test wlan 1                                                
   vap-profile portal_test wlan 2                                                
  radio 1                                                                       
   vap-profile dot1x_test wlan 1                                                
   vap-profile portal_test wlan 2                                                
  radio 2                                                                       
   vap-profile dot1x_test wlan 1                                                
   vap-profile portal_test wlan 2
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
 wlan work-group default
#
dot1x-access-profile name d1
#
return

l   Configuration file of the access switch

#
sysname l2switch
#
vlan batch 12 14
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 12 14
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 14
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 12
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
return

  • x
  • convention:

user_2790689     Created Mar 23, 2017 15:55:11 Helpful(0) Helpful(0)

thank you
  • x
  • convention:

Reply

Reply
You need to log in to reply to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!

Login and enjoy all the member benefits

Login
Fast reply Scroll to top