[All About Switches - Configuration Examples] Example for Configuring Free Mobil

Latest reply: Aug 23, 2016 19:51:54
 

Free Mobility Overview

In an enterprise network, different network access policies can be deployed for users on access devices to meet different network access requirements. Mobile office and BYOD technologies bring frequent changes of users' physical locations and IP addresses, so the original network control solution based on physical ports and IP addresses cannot ensure a consistent network access experience, in which, for example, a user's network access policy stays the same when the user's physical location changes.

The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address changes in an agile network.

The switches must be associated with Agile Controllers in the free mobility solution. An administrator only needs to uniformly deploy network access policies on Agile Controllers for users, and deliver the policies to all associated switches. After that, a user can obtain the same access policy no matter how the user's physical location and IP address change.

Configuration Notes

- Free mobility is supported only in NAC unified mode.

- The following table lists the products and versions supporting the free mobility solution.

| Product Type | Product Name | Version |
|---|---|---|
| RADIUS server | Agile Controller | V100R001C00 |
| Portal server | Agile Controller | V100R001C00 |
| Access switch | Common switches supporting 802.1X authentication. The S2750 is taken as an example. | V200R006C00 and later versions |
| Core switch | Agile switches supporting native AC, such as the S12700. | V200R006C00 and later versions |

The following table lists the mapping between switches and APs. The AP7110DN-AGN is taken as an example.

| Software Version | Product Model | AP Model and Version |
|---|---|---|
| V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, and AP7110SN-GN |
| V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, and AP8130DN. V200R005C20: AP7030DE and AP9330DN |

- If the core switch has been associated with an Agile Controller and has free mobility configured, perform the following steps to delete historical data and reconfigure the core switch.

1. Run the undo group-policy controller command in the system view to disable free mobility and disconnect the switch from the Agile Controller.

2. Run the undo acl all command to delete the access control policy.

3. Run the undo ucl-group ip all command to delete IP addresses bound to security groups.

4. Run the undo ucl-group all command to delete security groups.

5. Return to the user view and run the save command. The system automatically deletes the configured version number.

Networking Requirements

Employees in an enterprise connect to the network in wired and wireless modes and are authenticated using 802.1X or Portal authentication.

The employees do not work in fixed locations and want to obtain the same rights after being authenticated regardless of their access locations.

Figure 1-1 Networking


Requirement Analysis

As shown in Figure 1-1, the agile core switch S12700 (supporting native AC) functions as the authentication point and the access switch is a common switch.

You can configure 802.1X authentication and Portal authentication on the core switch so that wired and wireless users can connect to the network after being authenticated by the core switch.

You can configure free mobility so that users have the same rights and experience regardless of their access locations.

Network Data Plan

Table 1-1 Network data plan

| Item | Data | Description |
|---|---|---|
| VLAN plan | ID: 11; IP address: 192.168.11.254/24 | The core switch uses this VLAN to communicate with the Agile Controller. |
| | ID: 12; IP address: 192.168.12.254/24 | The core switch uses this VLAN to manage APs. |
| | ID: 13; IP address: 192.168.13.254/24 | The core switch uses this VLAN to provide wireless access services. |
| | ID: 14; IP address: 192.168.14.254/24 | The core switch uses this VLAN to provide wired access services. |
| Core switch (S12700) | Interface number: GE1/0/11; ID of allowed VLAN: 11 | This interface allows packets from planned VLANs to pass through. |
| | Interface number: GE1/0/12; IDs of allowed VLANs: 12, 14 | This interface allows packets from the wired access service VLAN and APs' management VLAN to pass through. |
| Access switch | Interface number: GE0/0/1; IDs of allowed VLANs: 12, 14 | This interface connects to GE1/0/12 on the core switch S12700. |
| | Interface number: GE0/0/3; ID of allowed VLAN: 14 | This interface provides wired access and allows packets from the wired access service VLAN to pass through. |
| | Interface number: GE0/0/5; ID of allowed VLAN: 12 | This interface provides wireless access and allows packets from the APs' management VLAN to pass through. |
| Server | Agile Controller: 192.168.11.1 | The Service Manager (SM) and Service Controller (SC) are installed on the same server. The SC functions as both the RADIUS server and Portal server. |
| | Email server 1: 192.168.11.100; Email server 2: 192.168.11.101 | - |
| | DNS server: 192.168.11.200 | |

Service Data Plan

Table 1-2 Service data plan

| Item | Data | Description |
|---|---|---|
| Core switch (S12700) | RADIUS authentication server: IP address 192.168.11.1; port number 1812; RADIUS shared key Admin@123 | The SC of the Agile Controller integrates the RADIUS server and Portal server. Therefore, IP addresses of the authentication server, accounting server, and Portal server are the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. On the Agile Controller, the fixed RADIUS authentication and accounting port numbers are 1812 and 1813 respectively, and the fixed Portal server port number is 50200. |
| | RADIUS accounting server: IP address 192.168.11.1; port number 1813; RADIUS shared key Admin@123; accounting interval 15 minutes | |
| | Portal server: IP address 192.168.11.1; port number 50200; shared key Admin@123 | |
| | XMPP password: Admin@123 | The configuration is the same as that on the Agile Controller. |
| Agile Controller | Core switch's IP address: 192.168.11.254 | This IP address is the IP address of VLANIF 11. |
| | RADIUS parameters: device Huawei Quidway series; RADIUS authentication key Admin@123; RADIUS accounting key Admin@123; real-time accounting interval 15 minutes | The configuration is the same as that on the core switch. |
| | Portal parameters: port number 2000; Portal key Admin@123; IP addresses of access terminals: wireless terminal 192.168.13.0/24, wired terminal 192.168.14.0/24 | |
| | XMPP password: Admin@123 | The configuration is the same as that on the core switch. |
| | Department: Employee | Assume that the department Employee exists under ROOT. Configure free mobility for the department Employee in this example. |
| | Security group: Employee_Group | Use fast authorization to authorize the security group Employee_Group to the employee department. |
| | Email server: Email server 1 192.168.11.100; Email server 2 192.168.11.101 | |
| | Post-authentication domain: Email servers | Employees can access the email servers after being authenticated. |
| | Pre-authentication domain: DNS server | Employees can send domain names to the DNS server for resolution before being authenticated. |

Configuration Roadmap

Configure the core switch.

1. Switch the NAC configuration mode to unified mode.

2. Configure interfaces and VLANs, and enable the DHCP server function.

3. Configure parameters for interconnection with the RADIUS server.

4. Configure parameters for interconnection with the Portal server.

5. Configure the access authentication point for fixed PCs.

6. Configure an authentication-free rule.

7. Configure AC system parameters to provide wireless access.

8. Configure XMPP parameters for interconnection with the Agile Controller and enable free mobility.

Configure the access switch.

1. Configure interfaces and VLANs to implement network communication.

2. Configure the switch to transparently transmit 802.1X packets.


In this example, an access switch exists between users and the core switch functioning as the authentication point, and transparently transmits packets. To ensure that users can pass 802.1X authentication, configure the access switch to transparently transmit 802.1X packets (EAP packets in this example because EAP mode is used).

Configure the Agile Controller.

1. Configure RADIUS, Portal, and XMPP parameters, and add the core switch.

2. Configure security groups Employee_Group and Email_Server to indicate users and resources, respectively.

3. Use fast authorization to authorize the security group Employee_Group to the employee department. Employees are mapped to the security group Employee_Group after being authenticated.

4. Configure an access control policy to allow Employee_Group to access Email_Server.


johnston78
Created Jun 18, 2015 10:33:58, Helpful(1)

If you are looking for offsite backup plan, then check out this software Ahsay software. Ahsay provides us High Speed. 100% Restorable. Totally Rebrandable. Affordable Pricing. And more features, for more information...http://www.ahsay.com/jsp/en/home/index.jsp?pageContentKey=ahsay_products_overview&r=1d


All_About_Switch
Official, Created May 28, 2015 05:57:23, Helpful(1)

Procedure

Step 1 Configure the core switch.

1. Switch the NAC configuration mode to unified mode.

You must switch the NAC configuration mode to unified mode on a switch with the free mobility function configured. The unified mode takes effect after the switch restarts.

<HUAWEI> system-view
[HUAWEI] sysname S12700
[S12700] authentication unified-mode
[S12700] quit
<S12700> save

2. Configure interfaces and VLANs, and enable the DHCP server function.

<S12700> system-view
[S12700] vlan batch 11 to 14
[S12700] interface vlanif 11    //Configure the interface as the source interface for communication with the Agile Controller.
[S12700-Vlanif11] ip address 192.168.11.254 255.255.255.0
[S12700-Vlanif11] quit
[S12700] dhcp enable                                 //Enable DHCP.
[S12700] interface vlanif 12    //Configure the management VLAN for APs.
[S12700-Vlanif12] ip address 192.168.12.254 255.255.255.0
[S12700-Vlanif12] dhcp select interface    //Enable the DHCP server function to allow the switch to allocate IP addresses to APs.
[S12700-Vlanif12] quit
[S12700] interface vlanif 13                                 //Configure the wireless access service VLAN.
[S12700-Vlanif13] ip address 192.168.13.254 255.255.255.0
[S12700-Vlanif13] dhcp select interface                                 //Enable the DHCP server function to allow the switch to allocate IP addresses to mobile terminals.
[S12700-Vlanif13] dhcp server dns-list 192.168.11.200
[S12700-Vlanif13] quit
[S12700] interface vlanif 14                                  //Configure the wired access service VLAN.
[S12700-Vlanif14] ip address 192.168.14.254 255.255.255.0
[S12700-Vlanif14] dhcp select interface                                 //Enable the DHCP server function to allow the switch to allocate IP addresses to fixed PCs.
[S12700-Vlanif14] dhcp server dns-list 192.168.11.200
[S12700-Vlanif14] quit
[S12700] interface gigabitEthernet 1/0/11
[S12700-GigabitEthernet1/0/11] port link-type trunk
[S12700-GigabitEthernet1/0/11] port trunk allow-pass vlan 11
[S12700-GigabitEthernet1/0/11] quit
[S12700] interface gigabitEthernet 1/0/12
[S12700-GigabitEthernet1/0/12] port link-type trunk
[S12700-GigabitEthernet1/0/12] port trunk allow-pass vlan 12 14
[S12700-GigabitEthernet1/0/12] quit

3. Configure parameters for interconnection with the RADIUS server.

[S12700] radius-server template policy    //Create the RADIUS server template policy.
[S12700-radius-policy] radius-server authentication 192.168.11.1 1812    //Configure an IP address for the RADIUS authentication server and set the authentication port number to 1812.
[S12700-radius-policy] radius-server accounting 192.168.11.1 1813        //Configure an IP address for the accounting server and set the accounting port number to 1813.
[S12700-radius-policy] radius-server shared-key cipher Admin@123                   //Configure a RADIUS shared key.
[S12700-radius-policy] quit
[S12700] aaa
[S12700-aaa] authentication-scheme auth    //Create the authentication scheme auth.
[S12700-aaa-authen-auth] authentication-mode radius    //Set the authentication mode to RADIUS.
[S12700-aaa-authen-auth] quit
[S12700-aaa] accounting-scheme acco    //Create the accounting scheme acco.
[S12700-aaa-accounting-acco] accounting-mode radius    //Set the accounting mode to RADIUS.
[S12700-aaa-accounting-acco] accounting realtime 15    //Set the accounting interval to 15 minutes.
[S12700-aaa-accounting-acco] quit
[S12700-aaa] domain default    //Enter the domain default and bind the RADIUS server template, authentication scheme, and accounting scheme to the domain.
[S12700-aaa-domain-default] radius-server policy
[S12700-aaa-domain-default] authentication-scheme auth
[S12700-aaa-domain-default] accounting-scheme acco
[S12700-aaa-domain-default] quit
[S12700-aaa] quit

4. Configure parameters for interconnection with the Portal server.

[S12700] url-template name huawei    //Create a URL template.
[S12700-url-template-huawei] url http://192.168.11.1:8080/portal    //Specify the URL of the Portal authentication page pushed to users.
[S12700-url-template-huawei] quit
[S12700] web-auth-server policy     //Create the Portal server profile policy.
[S12700-web-auth-server-policy] server-ip 192.168.11.1    //Specify the IP address of the Portal server.
[S12700-web-auth-server-policy] port 50200               //Specify the port number of the Portal server. When the Agile Controller functions as the Portal server, the port number is fixed to 50200.
[S12700-web-auth-server-policy] shared-key cipher Admin@123    //Configure a Portal shared key.
[S12700-web-auth-server-policy] url-template huawei     //Bind the URL template.
[S12700-web-auth-server-policy] quit

5. Configure GE1/0/12 as the access authentication point for fixed PCs.

[S12700] interface gigabitEthernet 1/0/12
[S12700-GigabitEthernet1/0/12] authentication dot1x portal   //Configure combined authentication of 802.1X authentication and Portal authentication.
[S12700-GigabitEthernet1/0/12] dot1x authentication-method eap   //Configure EAP mode for 802.1X authentication.
[S12700-GigabitEthernet1/0/12] web-auth-server policy direct   //Configure Layer 2 Portal authentication for the profile.
[S12700-GigabitEthernet1/0/12] domain name default force   //Configure the domain default as the forcible authentication domain for users who go online from this interface.
[S12700-GigabitEthernet1/0/12] quit

6. Configure an authentication-free rule so that APs can go online and clients can access the DNS server.

[S12700] authentication free-rule 1 destination ip 192.168.11.200 mask 24 source ip any
[S12700] authentication free-rule 2 source vlan 12

7. Configure system parameters of the AC (S12700 in this example) to implement wireless access.

   a. Configure the AC's country code, ID, and carrier ID.

[S12700] wlan ac-global country-code cn
[S12700] wlan ac-global ac id 1 carrier id other

   b. Configure VLANIF 12 as the AC's source interface.

[S12700] capwap source interface vlanif 12

- In V200R006 and earlier versions, run the wlan ac source interface vlanif 12 command in the WLAN view.

- In V200R007 and later versions, run the capwap source interface vlanif 12 command in the system view.

   c. Manage APs on the AC and check the ID corresponding to AP7110DN-AGN. The obtained AP's MAC address is dcd2-fc04-b4c0.

[S12700] display ap-type all      //Check supported AP types.
  All AP types information:
  ------------------------------------------------------------------------------
  ID     Type
  ------------------------------------------------------------------------------
  17     AP6010SN-GN
  19     AP6010DN-AGN
  21     AP6310SN-GN
  23     AP6510DN-AGN
  25     AP6610DN-AGN
  27     AP7110SN-GN
  28     AP7110DN-AGN
  29     AP5010SN-GN
  30     AP5010DN-AGN
  31     AP3010DN-AGN
  33     AP6510DN-AGN-US
  34     AP6610DN-AGN-US
  35     AP5030DN
  36     AP5130DN
  37     AP7030DE
  38     AP2010DN
  39     AP8130DN
  40     AP8030DN
  42     AP9330DN
  ------------------------------------------------------------------------------
  Total number: 19

[S12700] wlan
[S12700-wlan-view] ap-auth-mode mac-auth      //Set the AP authentication mode to MAC address authentication.
[S12700-wlan-view] ap id 1 type-id 28 mac dcd2-fc04-b4c0    //Add APs to the AC based on the AP type ID and MAC address.
[S12700-wlan-ap-1] quit
[S12700-wlan-view] ap-region id 10    //Create an AP domain.
[S12700-wlan-ap-region-10] quit
[S12700-wlan-view] ap id 1
[S12700-wlan-ap-1] region-id 10      //Add APs to the AP domain.
[S12700-wlan-ap-1] quit

[S12700-wlan-view] display ap all    //After APs are powered on, the command output shows that the AP state field displays normal.
  All AP(s) information:
  Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
  Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
  ------------------------------------------------------------------------------
  AP    AP                    AP              Profile   AP              AP
                                              /Region
  ID    Type                  MAC             ID        State           Sysname
  ------------------------------------------------------------------------------
  1     AP7110DN-AGN          dcd2-fc04-b4c0    0/10    normal          ap-1
  ------------------------------------------------------------------------------
  Total number: 1,printed: 1

Adjusting the radio channel and power of an AP may lead to parameter adjustment of another AP. To quicken adjustment, minimize the impact, and reduce the workload, you are advised to divide all the APs accessing the same AC into several regions. The impact of adjustment on an AP is limited within the local region.

   d. Configure WLAN service parameters.

[S12700-wlan-view] wmm-profile name wmm id 1    //Create the WMM profile wmm.
[S12700-wlan-wmm-prof-wmm] quit
[S12700-wlan-view] radio-profile name radio id 31    //Create the radio profile radio.
[S12700-wlan-radio-prof-radio] wmm-profile name wmm     //Bind the WMM profile.
[S12700-wlan-radio-prof-radio] quit
[S12700-wlan-view] quit
[S12700] interface wlan-ess 32    //Create the WLAN-ESS interface 32 for Portal authentication.
[S12700-Wlan-Ess32] port trunk allow-pass vlan 13
[S12700-Wlan-Ess32] quit
[S12700] interface wlan-ess 33    //Create the WLAN-ESS interface 33 for 802.1X authentication.
[S12700-Wlan-Ess33] port trunk allow-pass vlan 13
[S12700-Wlan-Ess33] quit
[S12700] wlan
[S12700-wlan-view] security-profile name portal_security id 32    //Create the security profile portal_security.
[S12700-wlan-sec-prof-portal_security] quit
[S12700-wlan-view] security-profile name dot1x_security id 33    //Create the security profile dot1x_security and configure security parameters.
[S12700-wlan-sec-prof-dot1x_security] security-policy wpa2
[S12700-wlan-sec-prof-dot1x_security] wpa2 authentication-method dot1x encryption-method ccmp
[S12700-wlan-sec-prof-dot1x_security] quit
[S12700-wlan-view] traffic-profile name traffic id 1    //Create the traffic profile traffic.
[S12700-wlan-traffic-prof-traffic] quit
[S12700-wlan-view] service-set name portal_test id 32    //Create the service set portal_test, and bind the WLAN-ESS interface, security profile, and traffic profile to the service set.
[S12700-wlan-service-set-portal_test] ssid portal_test
[S12700-wlan-service-set-portal_test] wlan-ess 32
[S12700-wlan-service-set-portal_test] security-profile id 32
[S12700-wlan-service-set-portal_test] traffic-profile name traffic
[S12700-wlan-service-set-portal_test] service-vlan 13           //Configure the wireless access service VLAN.
[S12700-wlan-service-set-portal_test] forward-mode tunnel    //Set the data forwarding mode of the service set to tunnel forwarding.
[S12700-wlan-service-set-portal_test] quit
[S12700-wlan-view] service-set name dot1x_test id 33     //Create the service set dot1x_test, and bind the WLAN-ESS interface, security profile, and traffic profile to the service set.
[S12700-wlan-service-set-dot1x_test] ssid dot1x_test
[S12700-wlan-service-set-dot1x_test] wlan-ess 33
[S12700-wlan-service-set-dot1x_test] security-profile id 33
[S12700-wlan-service-set-dot1x_test] traffic-profile name traffic
[S12700-wlan-service-set-dot1x_test] service-vlan 13
[S12700-wlan-service-set-dot1x_test] forward-mode tunnel    //Set the data forwarding mode of the service set to tunnel forwarding.
[S12700-wlan-service-set-dot1x_test] quit
[S12700-wlan-view] quit

   e. Configure Portal authentication and 802.1X authentication on WLAN-ESS interfaces.

[S12700] interface wlan-ess 32
[S12700-Wlan-Ess32] domain name default force
[S12700-Wlan-Ess32] authentication portal
[S12700-Wlan-Ess32] web-auth-server policy direct
[S12700-Wlan-Ess32] quit
[S12700] interface wlan-ess 33
[S12700-Wlan-Ess33] domain name default force
[S12700-Wlan-Ess33] authentication dot1x
[S12700-Wlan-Ess33] dot1x authentication-method eap
[S12700-Wlan-Ess33] quit

   f. Configure a VAP to provide Portal authentication and 802.1X authentication.

[S12700] wlan
[S12700-wlan-view] ap 1 radio 0
[S12700-wlan-radio-1/0] radio-profile id 31
[S12700-wlan-radio-1/0] service-set id 32
[S12700-wlan-radio-1/0] service-set id 33
[S12700-wlan-radio-1/0] quit
[S12700-wlan-view] commit ap 1
[S12700-wlan-view] quit

8. Configure XMPP parameters for interconnection with the Agile Controller and enable free mobility.

[S12700] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254    //The value of src-ip is the IP address of VLANIF 11.
[S12700] quit
<S12700> save

Step 2 Configure the access switch.

In this example, an access switch exists between users and the core switch functioning as the authentication point, and transparently transmits packets. To ensure that users can pass 802.1X authentication, configure the access switch to transparently transmit 802.1X packets (EAP packets in this example because EAP mode is used).

<HUAWEI> system-view
[HUAWEI] sysname l2switch
[l2switch] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[l2switch] vlan batch 12 14
[l2switch] interface gigabitEthernet 0/0/1
[l2switch-GigabitEthernet0/0/1] port link-type trunk
[l2switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 12 14
[l2switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/1] bpdu enable
[l2switch-GigabitEthernet0/0/1] quit
[l2switch] interface gigabitEthernet 0/0/3              //Wired access interface
[l2switch-GigabitEthernet0/0/3] port link-type access
[l2switch-GigabitEthernet0/0/3] port default vlan 14
[l2switch-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/3] bpdu enable
[l2switch-GigabitEthernet0/0/3] quit
[l2switch] interface gigabitEthernet 0/0/5            //Wireless access interface
[l2switch-GigabitEthernet0/0/5] port link-type access
[l2switch-GigabitEthernet0/0/5] port default vlan 12
[l2switch-GigabitEthernet0/0/5] l2protocol-tunnel user-defined-protocol 802.1x enable
[l2switch-GigabitEthernet0/0/5] bpdu enable
[l2switch-GigabitEthernet0/0/5] quit
[l2switch] quit
<l2switch> save


All_About_Switch
Official, Created May 28, 2015 06:00:25, Helpful(1)

Step 3 Configure the Agile Controller.

1. Add the core switch.

   a. Choose Resource > Device > Device Management.

   b. Click XMPP.

   c. Click OK. The switch's Status is shown as an icon and Synchronization Status is Success.

   d. On the core switch, check the switch's communication status with the Agile Controller.

[S12700] display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 1
Controller protocol version: 1

2. Configure security groups Employee_Group and Email_Server to indicate users and resources, respectively.

   a. Choose Policy > Permission Control > Security Group > Security Group Management.

   b. Click Add and create Employee_Group.

   c. Repeat the preceding step to create the security group Email_Server.

   d. Click the icon next to Email_Server and bind the IP addresses of the email servers.

   e. Click Global Deployment to deploy the security groups on the entire network.

3. Use fast authorization to authorize the security group Employee_Group to the employee department. Employees are mapped to the security group Employee_Group after being authenticated.

   a. Choose Policy > Permission Control > Quick Authorization.

   b. Map the employee department to Employee_Group and click OK.

4. Configure an access control policy to allow Employee_Group to access Email_Server.

   a. Choose Policy > Free Mobility > Permission Control.

   b. Click Add.

   c. Click OK and Global Deployment.

After the access control policy is successfully deployed, you can run the following commands on the core switch to view deployment information.

- display ucl-group all: displays security groups.

- display acl all: displays the access control policy.

Step 4 Verify the configuration.

Users using accounts in the employee department can access email servers after passing 802.1X or Portal authentication regardless of their access locations.

----End

Configuration Files

- Configuration file of the core switch

#
sysname S12700
#
vlan batch 11 to 14
#
wlan ac-global carrier id other ac id 1
#
group-policy controller 192.168.11.1 password %^%#(K2]5P#C6'97.pR(gFv$K$KbGYN}R1Y76~K^;AP&%^%# src-ip 192.168.11.254
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %^%#teXm2B&.1O0:cj$OWPq7@!Y\!%}dC3Br>p,}l\L.%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
#
url-template name huawei
 url http://192.168.11.1:8080/portal
#
web-auth-server policy
 server-ip 192.168.11.1
 port 50200
 shared-key cipher %^%#SQn,Cr"c;M&{#(R^:;P3F_H$3f3sr$C9%*G7R|u3%^%#
 url-template huawei
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain default
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif11
 ip address 192.168.11.254 255.255.255.0
#
interface Vlanif12
 ip address 192.168.12.254 255.255.255.0
 dhcp select interface
#
interface Vlanif13
 ip address 192.168.13.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.11.200
#
interface Vlanif14
 ip address 192.168.14.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 192.168.11.200
#
interface GigabitEthernet1/0/11
 port link-type trunk
 port trunk allow-pass vlan 11
#
interface GigabitEthernet1/0/12
 port link-type trunk
 port trunk allow-pass vlan 12 14
 domain name default force
 authentication dot1x portal
 web-auth-server policy direct
 dot1x authentication-method eap
#
interface Wlan-Ess32
 port trunk allow-pass vlan 13
 domain name default force
 authentication portal
 web-auth-server policy direct
#
interface Wlan-Ess33
 port trunk allow-pass vlan 13
 domain name default force
 authentication dot1x
 dot1x authentication-method eap
#
authentication free-rule 1 destination ip 192.168.11.200 mask 255.255.255.0 source ip any
authentication free-rule 2 source vlan 12
#
capwap source interface vlanif12
#
wlan
 ap-region id 10
 ap id 1 type-id 28 mac dcd2-fc04-b4c0
  region-id 10
 wmm-profile name wmm id 1
 traffic-profile name traffic id 1
 security-profile name portal_security id 32
 security-profile name dot1x_security id 33
  security-policy wpa2
 service-set name portal_test id 32
  forward-mode tunnel
  wlan-ess 32
  ssid portal_test
  traffic-profile id 1
  security-profile id 32
  service-vlan 13
 service-set name dot1x_test id 33
  forward-mode tunnel
  wlan-ess 33
  ssid dot1x_test
  traffic-profile id 1
  security-profile id 33
  service-vlan 13
 radio-profile name radio id 31
  wmm-profile id 1
 ap 1 radio 0
  radio-profile id 31
  service-set id 32 wlan 1
  service-set id 33 wlan 2
 wlan work-group default
#
return

- Configuration file of the access switch

#
sysname l2switch
#
vlan batch 12 14
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 12 14
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 14
 l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 12
 l2protocol-tunnel user-defined-protocol 802.1x enable
#




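Table 1-2 plans the DNS server as the only pre-authentication resource, but authentication-free rule 1 on the core switch is written with a 24-bit mask (mask 24 in the procedure, mask 255.255.255.0 in the configuration file), so the network it opens before login is the whole 192.168.11.0/24 server VLAN. The following audit script is an added example, not Huawei's or this page's own code: it parses the core switch configuration file shown above, checks that the RADIUS, Portal and XMPP secrets are stored in cipher form, and computes which planned servers each destination-based free rule actually exposes before authentication. The excerpted configuration, the PLAN table and all function names are the example's own assumptions.

```python
import ipaddress
import re

# Excerpt of the core switch (S12700) configuration file shown on this page; the
# sections this audit does not inspect are omitted. The secrets are the page's own
# cipher blobs, reproduced as they appear in the configuration file.
CORE_SWITCH_CONFIG = r"""
group-policy controller 192.168.11.1 password %^%#(K2]5P#C6'97.pR(gFv$K$KbGYN}R1Y76~K^;AP&%^%# src-ip 192.168.11.254
#
radius-server template policy
 radius-server shared-key cipher %^%#teXm2B&.1O0:cj$OWPq7@!Y\!%}dC3Br>p,}l\L.%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
#
web-auth-server policy
 shared-key cipher %^%#SQn,Cr"c;M&{#(R^:;P3F_H$3f3sr$C9%*G7R|u3%^%#
#
authentication free-rule 1 destination ip 192.168.11.200 mask 255.255.255.0 source ip any
authentication free-rule 2 source vlan 12
"""

# Servers from the data plan (Table 1-1 and Table 1-2): the DNS server is the only
# planned pre-authentication resource; the email servers are post-authentication only.
PLAN = {
    "pre_auth": {"DNS server": "192.168.11.200"},
    "post_auth": {"Email server 1": "192.168.11.100", "Email server 2": "192.168.11.101"},
}

# 'shared-key cipher <key>' (RADIUS, Portal) and 'password <key>' (XMPP) lines.
SECRET_RE = re.compile(r"\b(?:shared-key|password)\s+(?:(?:irreversible-)?cipher\s+)?(\S+)")
# Destination-based authentication-free rules; 'source vlan' rules have no destination scope.
FREE_RULE_RE = re.compile(
    r"authentication free-rule (\d+) destination ip (\S+) mask (\S+) source ip any")


def parse_sections(config):
    """Split a Huawei configuration file into its '#'-delimited sections (lists of lines)."""
    sections, current = [], []
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("#", "", "return"):
            if current:
                sections.append(current)
            current = []
        else:
            current.append(line)
    return sections + ([current] if current else [])


def check_secrets(sections):
    """Every RADIUS, Portal and XMPP secret must be stored as %^%#...%^%# cipher text,
    as in the page's configuration file, never as the clear-text value that was typed."""
    findings = []
    for line in (l for section in sections for l in section):
        match = SECRET_RE.search(line)
        if match is None:
            continue
        secret = match.group(1)
        if not (secret.startswith("%^%#") and secret.endswith("%^%#")):
            findings.append(f"secret stored in clear text: {line}")
    return findings


def check_free_rules(sections, plan):
    """Compute the network each destination-based free rule opens before authentication,
    flag every post-authentication resource inside it, and flag a rule that reaches
    none of the planned pre-authentication servers (it then serves no planned purpose)."""
    findings = []
    for line in (l for section in sections for l in section):
        match = FREE_RULE_RE.match(line)
        if match is None:
            continue
        rule, ip, mask = match.groups()
        # The CLI accepts both 'mask 24' and 'mask 255.255.255.0'; ipaddress parses both.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        for name, addr in plan["post_auth"].items():
            if ipaddress.ip_address(addr) in net:
                findings.append(f"free-rule {rule} opens {net} before authentication, "
                                f"which includes post-authentication resource {name} ({addr})")
        if not any(ipaddress.ip_address(a) in net for a in plan["pre_auth"].values()):
            findings.append(f"free-rule {rule} ({net}) covers none of the planned "
                            "pre-authentication servers")
    return findings


def audit(config, plan=PLAN):
    """Run both checks over one configuration file and return the list of findings."""
    sections = parse_sections(config)
    return check_secrets(sections) + check_free_rules(sections, plan)


if __name__ == "__main__":
    for finding in audit(CORE_SWITCH_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the page's configuration, the script reports that rule 1 also exposes both email servers before login; a 32-bit mask on the DNS server address restricts the rule to the planned pre-authentication domain.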
