Configuring the MAC address authentication to control the access of wireless office devices


This post provides an example of configuring MAC address authentication to control the access of wireless office devices (V200R009C00 and later versions).


MAC Address Authentication on the Wireless Side Overview

Portal authentication is also called web authentication. Generally, Portal authentication websites are also called Portal websites. When users go online, they must be authenticated on Portal websites. The users can use network resources only after they pass the authentication. A user can access a known Portal authentication website and enter a user name and password for authentication. This mode is called active authentication. If a user attempts to access other external networks through HTTP, the device forcibly redirects the user to the Portal authentication website for Portal authentication. This mode is called forcible authentication.

Configuration Notes

• Cisco Identity Services Engine (ISE) version 2.0.0.306 functions as the RADIUS server in this example.

• In the service data forwarding mode, the management VLAN and service VLAN cannot be the same. If you set the forwarding mode to direct forwarding, you are not advised to configure the management VLAN and service VLAN to be the same.

• If direct forwarding is used, configure port isolation on the interface that directly connects to APs. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, or WLAN users on different APs can communicate directly at Layer 2.

• Configure the management VLAN and service VLAN:

  - In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel, and then forwarded to the AC. The AC then forwards the packets to the upper-layer network or APs. Therefore, service packets and management packets can be normally forwarded as long as the network between the AC and APs is added to the management VLAN and service VLAN and the network between the AC and upper-layer network is added to the service VLAN.

  - In direct forwarding mode, service packets are not encapsulated into a CAPWAP tunnel, but are directly forwarded to the upper-layer network or APs. Therefore, service packets and management packets can be normally forwarded only when the network between the AC and APs is added to the management VLAN and the network between APs and upper-layer network is added to the service VLAN.

• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.

  - In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.

  - In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.

  For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the corresponding product version.

• The following table lists applicable products and versions.

Table 1-1 Applicable products and versions

Software Version: V200R011C10

Product Model: S5720HI, S7700, S9700

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended.

For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

AP Model and Version:

V200R007C20:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP8050DN, AP8150DN

V200R007C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W

V200R006C20:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D

V200R006C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Software Version: V200R010C00

Product Model: S5720HI, S7700, S9700

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended.

For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

AP Model and Version:

V200R007C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W

V200R006C20:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D

V200R006C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Software Version: V200R009C00

Product Model: S5720HI, S7700, S9700

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended.

For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

AP Model and Version:

V200R007C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W

V200R006C20:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D

V200R006C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

 

Networking Requirements

As shown in Figure 1-1, an AC in an enterprise is connected to the AP through access switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network access for employees. The AC functions as the DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.

Because the WLAN is open to users, there are potential security risks to enterprise information if no access control is configured for the WLAN. To meet the enterprise's security requirements, configure MAC address authentication to authenticate dumb terminals such as wireless network printers and wireless phones that cannot have an authentication client installed. MAC addresses of terminals are used as user information and sent to the RADIUS server for authentication. When users connect to the WLAN, authentication is not required.

Figure 1-1 Networking diagram for configuring MAC address authentication on the wireless side


Data Planning

Table 1-2 Data plan

Item | Data

RADIUS authentication parameters
  • Name of the RADIUS authentication scheme: radius_huawei
  • Name of the RADIUS server template: radius_huawei
    - IP address: 10.23.200.1
    - Authentication port number: 1812
    - Shared key: Huawei@123
  • AAA domain: huawei.com

MAC access profile
  • Name: m1
  • User name and password for MAC address authentication: MAC addresses without hyphens (-)

Authentication profile
  • Name: p1
  • Bound profile: MAC access profile m1
  • Forcible authentication domain: huawei.com

DHCP server
  The AC functions as the DHCP server to assign IP addresses to the AP and STAs.

IP address pool for the AP
  10.23.100.2 to 10.23.100.254/24

IP address pool for the STAs
  10.23.101.2 to 10.23.101.254/24

IP address of the AC's source interface
  VLANIF 100: 10.23.100.1/24

AP group
  • Name: ap-group1
  • Bound profile: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile
  • Name: domain1
  • Country code: CN

SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net

Security profile
  • Name: wlan-security
  • Security policy: Open

VAP profile
  • Name: wlan-vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Bound profile: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

 

Configuration Roadmap

1. Configure basic WLAN services on the AC so that the AC can communicate with downstream and upstream devices and APs can go online.

2. Configure RADIUS authentication parameters on the AC.

3. On the AC, configure a MAC access profile to manage MAC access control parameters.

4. On the AC, configure an authentication profile to manage the NAC configuration.

5. On the AC, configure WLAN service parameters, and bind a security policy profile and an authentication profile to a VAP profile to control access from STAs.

6. On the ISE server, configure authentication device information, user information, and the MAC address authentication function to implement device access, user access, and MAC address authentication.

Procedure

Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2 that connects SwitchA to the AC to the same VLAN.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.

[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF 101.

[AC] dhcp enable 
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface 
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure a route from the AC to the RADIUS server (assume that the IP address of the upper-layer device connected to the AC is 10.23.101.2).

[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.

[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.

[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online normally.

[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN    nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure RADIUS authentication.

1. Configure a RADIUS server template, an AAA authentication scheme, and domain information.

NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are the same as those on the RADIUS server.

The STA sends its MAC address as the user name to the RADIUS server for authentication, so the AC must not add a domain name to the user name (this is the default setting).

# Configure a RADIUS server template.

[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123   
[AC-radius-radius_huawei] calling-station-id mac-format hyphen-split mode2  
[AC-radius-radius_huawei] radius-attribute set service-type 10  
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.

[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication scheme.

[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

2. Globally configure user names in MAC address authentication without the delimiter "-" (default setting).

3. Test whether a STA can be authenticated using RADIUS authentication. In MAC address authentication, the STA's MAC address is used as the user name and password.

[AC] test-aaa 001122334455 001122334455 radius-template radius_huawei
Info: Account test succeed.

Step 7 Configure the MAC access profile m1.

NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for MAC address authentication.

[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit

Step 8 Configure the authentication profile p1.

[AC] authentication-profile name p1
[AC-authen-profile-p1] mac-access-profile m1
[AC-authen-profile-p1] access-domain huawei.com mac-authen force
[AC-authen-profile-p1] quit

Step 9 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile. By default, the security policy is open system.

[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 10 Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 11 Configure the ISE server.

# Log in to the ISE server.

1. Enter the access address of the ISE server in the address bar, which is in the format of https://ISE-IP. ISE-IP is the IP address of the ISE server.

2. On the displayed page, enter the user name and password to log in to the ISE server.

# Create user account information. Choose Administration > Identity Management > Identities, and click Endpoints. In the pane on the right side, click Add to add MAC addresses.


# Add AC information so that the ISE can interwork with the AC. Choose Administration > Network Resources > Network Devices. In the pane on the right side, click Add to add AC information.

Parameter | Value | Remarks

Name | AC | -

IP Address | 10.23.100.1/32 | The IP address of the AC must be accessible from the ISE server.

Shared Secret | Huawei@123 | The value must be the same as the RADIUS server key configured on the AC.

 


# Configure allowed authentication and encryption protocols. Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols, and click Add to configure allowed authentication and encryption protocols. MAC address authentication uses the PAP authentication protocol.


# Configure authentication and authorization policies. Choose Policy > Authentication. Policy Type can be set to Simple or Rule-based. In this example, set it to Simple. Then, bind the user information and allowed authentication protocols configured in previous steps to the authentication policy.


Step 12 Verify the configuration.

• The WLAN with SSID wlan-net is available for STAs connected to the AP.

• After the WLAN function is enabled on wireless devices, they can access the WLAN and provide public services.

• After the STA connects to the WLAN, authentication is performed automatically. You can directly access the WLAN.

----End
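The exchange that Steps 6 and 11 set up, as an added example that is not part of the original post or of Huawei's or Cisco's code: the AC side builds the Access-Request for a STA (MAC address as user name and PAP password, Service-Type 10, Calling-Station-Id), and a stand-in server side recovers the password with its own copy of the shared key. The function names, the reduced attribute set and the XX-XX-XX-XX-XX-XX rendering of hyphen-split mode2 are assumptions.

```python
import hashlib
import struct

SHARED_KEY = b"Huawei@123"  # shared key from the page's data plan
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
CALL_CHECK = 10             # "radius-attribute set service-type 10"


def mac_username(mac):
    """MAC address with delimiters removed (user name and password)."""
    digits = mac.lower().translate(str.maketrans("", "", "-:."))
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pap_hide(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """Server side: undo pap_hide with the server's copy of the shared key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(mac, secret, authenticator, ident=1):
    """Access-Request (code 1); authenticator is 16 random bytes per request."""
    user = mac_username(mac)
    # Assumption: hyphen-split mode2 renders the MAC as XX-XX-XX-XX-XX-XX.
    station = "-".join(user[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_hide(user.encode(), secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + attr(CALLING_STATION_ID, station.encode()))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Return {attribute code: value bytes} from a RADIUS packet."""
    length, pos, attrs = struct.unpack("!H", packet[2:4])[0], 20, {}
    while pos + 2 <= length and packet[pos + 1] >= 2:
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def server_accepts(packet, secret, endpoints):
    """Hypothetical stand-in for the server check: known MAC, matching password."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, b"")
    password = pap_reveal(attrs.get(USER_PASSWORD, b""), secret, packet[4:20])
    known = user.decode("ascii", "replace") in endpoints
    return packet[0] == 1 and password == user and known
```

A shared key that differs between the AC and the server turns the recovered password into garbage, so the request is rejected even for a registered MAC address.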

Configuration Files

• Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file

#
 sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
 mac-access-profile m1
 access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
 calling-station-id mac-format hyphen-split mode2
 radius-attribute set service-type 10
#
mac-access-profile name m1
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#  
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
#
return
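A consistency check over the AC configuration file above, as an added example (not Huawei tooling): it confirms that every open VAP profile has an authentication profile whose MAC access profile, forced domain, RADIUS scheme and server template are all defined. The embedded configuration is a constructed excerpt of the file above; the function names, and the rule that a non-open policy appears as a "security ..." line in the security profile, are assumptions.

```python
# Constructed excerpt of the AC configuration file on this page.
AC_CONFIG = """\
authentication-profile name p1
 mac-access-profile m1
 access-domain huawei.com mac-authen force
radius-server template radius_huawei
 radius-server authentication 10.23.200.1 1812 weight 80
mac-access-profile name m1
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
wlan
 security-profile name wlan-security
 vap-profile name wlan-vap
  security-profile wlan-security
  authentication-profile p1
"""


def parse(text):
    """Build an indentation tree: {line: {child line: {...}}}."""
    stack = [(-1, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, stack[-1][1].setdefault(line, {})))
    return stack[0][1]


def ref(body, prefix):
    """Last token of the first line in body that starts with prefix, else None."""
    return next((l.split()[-1] for l in body if l.startswith(prefix)), None)


def audit(text):
    cfg = parse(text)
    wlan, aaa = cfg.get("wlan", {}), cfg.get("aaa", {})
    findings = []
    for line, vap_body in wlan.items():
        if not line.startswith("vap-profile name "):
            continue
        vap = line.split()[-1]
        sec_body = wlan.get(f"security-profile name {ref(vap_body, 'security-profile ')}", {})
        # Assumption: any policy other than open shows up as a "security ..." line.
        is_open = all(l == "security open" or not l.startswith("security ") for l in sec_body)
        auth = ref(vap_body, "authentication-profile ")
        if auth is None:
            if is_open:
                findings.append(f"{vap}: open SSID with no authentication profile")
            continue
        prof = cfg.get(f"authentication-profile name {auth}")
        if prof is None:
            findings.append(f"{vap}: authentication-profile {auth} is not defined")
            continue
        if f"mac-access-profile name {ref(prof, 'mac-access-profile ')}" not in cfg:
            findings.append(f"{auth}: no defined MAC access profile is bound")
        dom = next((l.split()[1] for l in prof
                    if l.startswith("access-domain ") and l.endswith(" force")), None)
        dom_body = aaa.get(f"domain {dom}")
        if dom_body is None:
            findings.append(f"{auth}: forced access domain is missing under aaa")
            continue
        scheme = ref(dom_body, "authentication-scheme ")
        if "authentication-mode radius" not in aaa.get(f"authentication-scheme {scheme}", {}):
            findings.append(f"{dom}: authentication scheme is not RADIUS")
        if f"radius-server template {ref(dom_body, 'radius-server ')}" not in cfg:
            findings.append(f"{dom}: RADIUS server template is not defined")
    return findings
```

Running audit() on a saved configuration after each change catches an open SSID that has lost its authentication profile binding before the change reaches the APs.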

