Overview
An enterprise has deployed an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network. Enterprise employees connect to the network through PCs and guests connect to the network through mobile phones. The administrator has created local accounts for the employees so that they can use the local accounts to pass authentication. For guest accounts, the administrator needs to configure the Service Manager to enable guests to complete authentication using GooglePlus, Facebook or Twitter accounts.
Configuration Notes
- The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus.
- Huawei's Agile Controller-Campus functions as the RADIUS server in this example. For the Agile Controller-Campus, the version required is V100R002; V100R003.
- By default, the switch allows the packets sent to RADIUS and Portal servers to pass through. You do not need to configure an authentication-free rule for the packets on the switch.
- Service data forwarding modes are classified into tunnel forwarding mode and direct forwarding mode. The tunnel forwarding mode is used in this example.
  − In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
  − In direct forwarding mode, do not configure the management VLAN and service VLAN to be the same. You are advised to configure port isolation on the switch interface directly connected to the AP. If port isolation is not configured, many broadcast packets will be transmitted in VLANs or WLAN users on different APs can directly communicate at Layer 2.
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
  − In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
  − In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the corresponding product version.
- The following table lists applicable products and versions.
Table 1-1 Applicable products and versions
Software Version | Product Model | AP Model and Version |
V200R011C10 | S5720HI, S7700, S9700 NOTE For S7700, you are advised to deploy S7712, or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended. | V200R007C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP8050DN, AP8150DN V200R007C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN |
V200R010C00 | S5720HI, S7700, S9700 NOTE For S7700, you are advised to deploy S7712, or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended. | V200R007C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN |
V200R009C00 | S5720HI, S7700, S9700 NOTE For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended. | V200R007C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W V200R006C20: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D V200R006C10: AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN |
Networking Requirements
In Figure 1-1, a switch functions as the AC and connects to the AP through a PoE switch. The PoE switch provides power for the AP. You can configure WLAN services on the AC to provide wireless access services for users.
Figure 1-1 Networking of a small-scale WLAN
Network Data Plan
Table 1-2 Network data plan
Item | Data | Description |
AC DHCP server | 192.168.10.1-192.168.10.254/24 | IP address pool for APs. |
 | IP address of VLANIF 100: 192.168.10.1 | Gateway connected to the AP. |
 | 192.168.20.1-192.168.20.254/24 | IP address pool for mobile phone users. |
 | IP address of VLANIF 101: 192.168.20.1 | Gateway for mobile phone users. |
 | IP address of VLANIF 102: 192.168.30.1 | Gateway connected to the Agile Controller-Campus. |
 | Portal server: IP address: 192.168.30.2; Port number that the switch uses to process Portal packets: 2000; Destination port number in the packets that the switch sends to the Portal server: 50200; Portal shared key: Admin@123 | The service controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, IP addresses of the authentication server, accounting server, and Portal server are the IP address of the Agile Controller-Campus. Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. |
 | RADIUS authentication server: IP address: 192.168.30.2; Port number: 1812; RADIUS shared key: Admin@123 | |
 | RADIUS accounting server: IP address: 192.168.30.2; Port number: 1813; RADIUS shared key: Admin@123; Accounting interval: 15 minutes | |
Agile Controller-Campus | Domain name: access.example.com | Users can also use the domain name to access the Portal server. |
 | IP address: 192.168.30.2 | - |
 | Authentication port number: 1812 | - |
 | Accounting port number: 1813 | - |
 | RADIUS shared key: Admin@123 | It must be the same as that configured on the switch. |
 | Port number in the packets received by the Portal server: 50200 | - |
 | Portal shared key: Admin@123 | It must be the same as that configured on the switch. |
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1 | - |
Regulatory domain profile | Name: domain1; Country code: CN | - |
SSID profile | Name: wlan-ssid; SSID name: wlan-net | - |
Security profile | Name: wlan-security; Security policy: open system authentication | - |
VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1 | - |
Configuration Roadmap
1. Configure network connectivity.
2. Set the NAC mode of the AC to unified.
3. Configure parameters for the AC to communicate with the Agile Controller-Campus (RADIUS server).
4. Configure Portal authentication.
5. Configure the AP to go online.
6. Configure STAs to go online.
7. Configure the Agile Controller-Campus and social media authentication server.
Procedure
Step 1 Configure network connectivity.
# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC to management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# On the AC, add GE1/0/1 connected to SwitchA to VLAN 100, add GE1/0/3 connected to the Agile Controller-Campus to VLAN 102, and add GE1/0/2 connected to the Internet to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit
# Configure the AC as a DHCP server based on interface address pools. VLANIF 100 assigns IP addresses to the AP and VLANIF 101 assigns IP addresses to STAs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.20.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Configure the gateway address of the Agile Controller-Campus.
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.30.1 24
[AC-Vlanif102] quit
Step 2 Set the NAC mode of the AC to unified.
[AC] authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N]y
Step 3 Configure parameters for the AC to communicate with the Agile Controller-Campus (RADIUS server).
[AC] radius-server template policy
[AC-radius-policy] radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1
[AC-radius-policy] radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1
[AC-radius-policy] radius-server shared-key cipher Admin@123
[AC-radius-policy] quit
[AC] aaa
[AC-aaa] authentication-scheme auth
[AC-aaa-authen-auth] authentication-mode radius
[AC-aaa-authen-auth] quit
[AC-aaa] accounting-scheme acco
[AC-aaa-accounting-acco] accounting-mode radius
[AC-aaa-accounting-acco] accounting realtime 15
[AC-aaa-accounting-acco] quit
[AC-aaa] domain portal
[AC-aaa-domain-portal] authentication-scheme auth
[AC-aaa-domain-portal] accounting-scheme acco
[AC-aaa-domain-portal] radius-server policy
[AC-aaa-domain-portal] quit
[AC-aaa] quit
[AC] domain portal
Step 4 Configure Portal authentication.
# Configure parameters for the AC to communicate with the Agile Controller-Campus (Portal server).
[AC] web-auth-server portal_huawei
[AC-web-auth-server-portal_huawei] server-ip 192.168.30.2
[AC-web-auth-server-portal_huawei] source-ip 192.168.30.1
[AC-web-auth-server-portal_huawei] port 50200
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123
[AC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal
[AC-web-auth-server-portal_huawei] quit
[AC] web-auth-server listening-port 2000
[AC] portal quiet-period
[AC] portal quiet-times 5
[AC] portal timer quiet-period 240
# Configure a Portal access profile.
[AC] portal-access-profile name web1
[AC-portal-acces-profile-web1] web-auth-server portal_huawei direct
[AC-portal-acces-profile-web1] quit
# Configure an authentication-free rule profile.
[AC] acl 6000
[AC-acl-ucl-6000] rule 1 permit ip destination fqdn www.googleapis.com
[AC-acl-ucl-6000] rule 2 permit ip destination fqdn apis.google.com
[AC-acl-ucl-6000] rule 3 permit ip destination fqdn connect.facebook.net
[AC-acl-ucl-6000] rule 4 permit ip destination fqdn api.twitter.com
[AC-acl-ucl-6000] rule 5 permit ip destination fqdn abs.twimg.com
[AC-acl-ucl-6000] rule 6 permit ip destination fqdn mobile.twitter.com
[AC-acl-ucl-6000] rule 7 permit ip destination fqdn twitter.com
[AC-acl-ucl-6000] quit
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule acl 6000
[AC-free-rule-default_free_rule] quit
# Configure an authentication profile.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] quit
# Configure network access rights for users in the post-authentication domain.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip
[AC-acl-adv-3001] quit
# Enable Portal authentication.
[AC] interface vlanif 101
[AC-Vlanif101] authentication-profile p1
[AC-Vlanif101] quit
Step 5 Configure the AP to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Configure the AC's source interface.
[AC] capwap source interface vlanif 100
# Import the AP offline on the AC and add the AP to the AP group ap-group1. In this example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.
The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1. Radio 0 of the AP6010DN-AGN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency band.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
Step 6 Configure STAs to go online.
# Create the security profile wlan-security and set the security policy to open system authentication.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the service data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
Step 7 Configure the Agile Controller-Campus and social media authentication server. For details, see Agile Controller-Campus Product Documentation - Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts).
Step 8 Verify the configuration.
After completing the configuration, run the display vap ssid wlan-net command. If the Status field displays ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 1 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Manually search for the WLAN with the SSID wlan-net. After completing the WeChat authentication process as prompted, run the display station ssid wlan-net command on the AC. The command output shows that the user has successfully connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 192.168.20.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name p1
portal-access-profile web1
free-rule-template default_free_rule
#
domain portal
#
dhcp enable
#
radius-server template policy
radius-server shared-key cipher %^%#v@)#XkYybF19}~4&3(rDX%va0:#G>0MDrOF^B;D+%^%#
radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1 weight 80
radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1 weight 80
#
acl number 3001
rule 1 permit ip
#
acl number 6000
rule 1 permit ip destination fqdn www.googleapis.com
rule 2 permit ip destination fqdn apis.google.com
rule 3 permit ip destination fqdn connect.facebook.net
rule 4 permit ip destination fqdn api.twitter.com
rule 5 permit ip destination fqdn abs.twimg.com
rule 6 permit ip destination fqdn mobile.twitter.com
rule 7 permit ip destination fqdn twitter.com
#
free-rule-template name default_free_rule
free-rule acl 6000
#
web-auth-server portal_huawei
server-ip 192.168.30.2
port 50200
shared-key cipher %^%#vB3l&dt|S!59SdGIdcT"mwAQ!4[#Y-#{IBGbI[l:%^%#
url http://access.example.com:8080/portal
source-ip 192.168.30.1
#
portal-access-profile name web1
web-auth-server portal_huawei direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.20.1 255.255.255.0
authentication-profile p1
dhcp select interface
#
interface Vlanif102
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 102
#
portal timer quiet-period 240
portal quiet-times 5
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
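The following Python check is an added example, not part of the original Huawei documentation: it parses an AC configuration file in the layout shown above and reports profile, template or ACL references that are never defined, a tunnel-forwarding VAP profile whose service VLAN equals the management VLAN (see Configuration Notes), and the FQDNs that unauthenticated stations can reach through the authentication-free rule. The sample configuration is constructed and contains one deliberate fault; treating the VLANIF number of the CAPWAP source interface as the management VLAN is an assumption taken from this example's data plan.

```python
import re

# Constructed sample in the layout of the AC configuration file above (trimmed).
# Deliberate fault: service VLAN 100 equals the CAPWAP management VLAN.
SAMPLE_AC_CONFIG = """\
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
#
acl number 6000
 rule 1 permit ip destination fqdn www.googleapis.com
 rule 4 permit ip destination fqdn api.twitter.com
#
free-rule-template name default_free_rule
 free-rule acl 6000
#
web-auth-server portal_huawei
#
portal-access-profile name web1
 web-auth-server portal_huawei direct
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  authentication-profile p1
#
return
"""

def parse_sections(text):
    """Split a config into (header, body_lines) pairs; indentation is ignored."""
    sections, new_block = [], True
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "return"):
            continue
        if line == "#":
            new_block = True
        elif new_block or re.match(r"\S+ name \S+", line):
            sections.append((line, []))  # "<kind> name <x>" is always a definition
            new_block = False
        else:
            sections[-1][1].append(line)
    return sections

def audit(text):
    """Return (findings, FQDNs reachable before authentication)."""
    defined, refs, fqdns, tunnel_vaps, mgmt_vlan = set(), [], [], [], None
    for header, body in parse_sections(text):
        kind, name = header.split()[0], header.split()[-1]
        defined.add((kind, name))
        if kind == "capwap":  # assumption: source VLANIF number = management VLAN
            m = re.search(r"vlanif\s*(\d+)", header, re.I)
            mgmt_vlan = m.group(1) if m else None
        for w in (line.split() for line in body):
            if kind == "acl" and "fqdn" in w[:-1]:
                fqdns.append(w[w.index("fqdn") + 1])
            elif kind == "free-rule-template" and w[:2] == ["free-rule", "acl"]:
                refs.append((header, "acl", w[2]))
            elif len(w) > 1 and (w[0].endswith(("-profile", "-template"))
                                 or w[0] == "web-auth-server"):
                refs.append((header, w[0], w[1]))
        if kind == "vap-profile" and "forward-mode tunnel" in body:
            tunnel_vaps += [(name, l.split()[-1]) for l in body
                            if l.startswith("service-vlan vlan-id")]
    findings = [f"{where}: references undefined {kind} {name}"
                for where, kind, name in refs if (kind, name) not in defined]
    findings += [f"vap-profile {vap}: service VLAN {vlan} equals management VLAN"
                 for vap, vlan in tunnel_vaps if vlan == mgmt_vlan]
    return findings, fqdns
```

Calling audit() on the text of a saved configuration file returns the findings and the pre-authentication FQDN list, which can then be compared with the destinations the social media login actually needs.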