Overview

An enterprise has deployed an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network. Enterprise employees connect to the network through PCs and guests connect to the network through mobile phones. The administrator has created local accounts for the employees so that they can use the local accounts to pass authentication. For guest accounts, the administrator needs to configure the Service Manager to enable guests to complete authentication using GooglePlus, Facebook or Twitter accounts.

Configuration Notes

l   The RADIUS authentication and accounting shared keys and Portal shared key on the switch must be the same as those on the Agile Controller-Campus.

l   Huawei's Agile Controller-Campus functions as the RADIUS server in this example. For the Agile Controller-Campus, the version required is V100R002; V100R003.

l   By default, the switch allows the packets sent to RADIUS and Portal servers to pass through. You do not need to configure an authentication-free rule for the packets on the switch.

l   Service data forwarding modes are classified into tunnel forwarding mode and direct forwarding mode. The tunnel forwarding mode is used in this example.

−           In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.

−           In direct forwarding mode, do not configure the management VLAN and service VLAN to be the same. You are advised to configure port isolation on the switch interface directly connected to the AP. If port isolation is not configured, many broadcast packets will be transmitted in VLANs or WLAN users on different APs can directly communicate at Layer 2.

l   No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.

−           In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.

−           In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.

For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the corresponding product version.

l   The following table lists applicable products and versions.

Table 1-1 Applicable products and versions

Networking Requirements

In Figure 1-1, a switch functions as the AC and connects to the AP through a PoE switch. The PoE switch provides power for the AP. You can configure WLAN services on the AC to provide wireless access services for users.

Figure 1-1 Networking of a small-scale WLAN

Network Data Plan

Table 1-2 Network data plan

Configuration Roadmap

1.         Configure network connectivity.

2.         Set the NAC mode of the AC to unified.

3.         Configure parameters for the AC to communicate with the Agile Controller-Campus (RADIUS server).

4.         Configure Portal authentication.

5.         Configure the AP to go online.

6.         Configure STAs to go online.

7.         Configure the Agile Controller-Campus and social media authentication server.

Procedure

                               Step 1     Configure network connectivity.

# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC to management VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# On the AC, add GE1/0/1 connected to SwitchA to VLAN 100, add GE1/0/3 connected to the Agile Controller-Campus to VLAN 102, and add GE1/0/2 connected to the Internet to VLAN 101.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

# Configure the AC as a DHCP server based on interface address pools. VLANIF 100 assigns IP addresses to the AP and VLANIF 101 assigns IP addresses to STAs.

[AC] dhcp enable   
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface   
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.20.1 24   
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

# Configure the gateway address of the Agile Controller-Campus.

[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.30.1 24
[AC-Vlanif102] quit

                               Step 2     Set the NAC mode of the AC to unified.

[AC] authentication unified-mode    
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N]y

                               Step 3     Configure parameters for the AC to communicate with the Agile Controller-Campus (RADIUS server).

[AC] radius-server template policy   
[AC-radius-policy] radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1   
[AC-radius-policy] radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1   
[AC-radius-policy] radius-server shared-key cipher Admin@123   
[AC-radius-policy] quit
[AC] aaa   
[AC-aaa] authentication-scheme auth   
[AC-aaa-authen-auth] authentication-mode radius   
[AC-aaa-authen-auth] quit
[AC-aaa] accounting-scheme acco   
[AC-aaa-accounting-acco] accounting-mode radius   
[AC-aaa-accounting-acco] accounting realtime 15   
[AC-aaa-accounting-acco] quit
[AC-aaa] domain portal   
[AC-aaa-domain-portal] authentication-scheme auth   
[AC-aaa-domain-portal] accounting-scheme acco   
[AC-aaa-domain-portal] radius-server policy   
[AC-aaa-domain-portal] quit
[AC-aaa] quit
[AC] domain portal 

                               Step 4     Configure Portal authentication.

# Configure parameters for the AC to communicate with the Agile Controller-Campus (Portal server).

[AC] web-auth-server portal_huawei   
[AC-web-auth-server-portal_huawei] server-ip 192.168.30.2   
[AC-web-auth-server-portal_huawei] source-ip 192.168.30.1   
[AC-web-auth-server-portal_huawei] port 50200   
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123   
[AC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal   
[AC-web-auth-server-portal_huawei] quit
[AC] web-auth-server listening-port 2000   
[AC] portal quiet-period   
[AC] portal quiet-times 5   
[AC] portal timer quiet-period 240  

# Configure a Portal access profile.

[AC] portal-access-profile name web1
[AC-portal-acces-profile-web1] web-auth-server portal_huawei direct
[AC-portal-acces-profile-web1] quit

# Configure an authentication-free rule profile.

[AC] acl 6000
[AC-acl-ucl-6000] rule 1 permit ip destination fqdn www.googleapis.com   
[AC-acl-ucl-6000] rule 2 permit ip destination fqdn apis.google.com   
[AC-acl-ucl-6000] rule 3 permit ip destination fqdn connect.facebook.net   
[AC-acl-ucl-6000] rule 4 permit ip destination fqdn api.twitter.com   
[AC-acl-ucl-6000] rule 5 permit ip destination fqdn abs.twimg.com   
[AC-acl-ucl-6000] rule 6 permit ip destination fqdn mobile.twitter.com   
[AC-acl-ucl-6000] rule 7 permit ip destination fqdn twitter.com   
[AC] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule] free-rule acl 6000   
[HUAWEI-free-rule-default_free_rule] quit

# Configure an authentication profile.

[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1   
[AC-authen-profile-p1] free-rule-template default_free_rule   
[AC-authen-profile-p1] quit

# Configure network access rights for users in the post-authentication domain.

[AC] acl 3001   
[AC-acl-adv-3001] rule 1 permit ip   
[AC-acl-adv-3001] quit

# Enable Portal authentication.

[AC] interface vlanif 101
[AC-Vlanif101] authentication-profile p1   
[AC-Vlanif101] quit

                               Step 5     Configure the AP to go online.

# Create an AP group to which the APs with the same configuration can be added.

[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y 
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.

[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. In this example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1. Radio 0 of the AP6010DN-AGN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency band.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y 
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN    nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

                               Step 6     Configure STAs to go online.

# Create the security profile wlan-security and set the security policy to open system authentication.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open   
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net   
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel   
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101   
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

# Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

                               Step 7     Configure the Agile Controller-Campus and social media authentication server. For details, see Agile Controller-Campus Product Documentation - Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts).

                               Step 8     Verify the configuration.

After completing the configuration, run the display vap ssid wlan-net command. If the Status field displays ON, the VAP has been successfully created on the AP radios.

[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID     BSSID          Status  Auth type     STA   SSID
--------------------------------------------------------------------------------
0     area_1  1    1       60DE-4476-E360 ON      WPA2-PSK      0     wlan-net
-------------------------------------------------------------------------------
Total: 2

Manually search for the WLAN with the SSID wlan-net. After completing the WeChat authentication process as prompted, run the display station ssid wlan-net command on the AC. The command output shows that the user has successfully connected to the WLAN wlan-net.

[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID Ap name   Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1    1/1      5G    11n   46/59      -68   101   192.168.20.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files

l   SwitchA configuration file

#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

l   AC configuration file

#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
#
domain portal
#
dhcp enable
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
#
radius-server template policy
 radius-server shared-key cipher %^%#v@)#XkYybF19}~4&3(rDX%va0:#G>0MDrOF^B;D+%^%#
 radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1 weight 80
 radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1 weight 80
#
acl number 3001
 rule 1 permit ip
#
acl number 6000
 rule 1 permit ip destination fqdn www.googleapis.com
 rule 2 permit ip destination fqdn apis.google.com
 rule 3 permit ip destination fqdn connect.facebook.net
 rule 4 permit ip destination fqdn api.twitter.com
 rule 5 permit ip destination fqdn abs.twimg.com
 rule 6 permit ip destination fqdn mobile.twitter.com
 rule 7 permit ip destination fqdn twitter.com
#
free-rule-template name default_free_rule
 free-rule acl 6000
#
web-auth-server portal_huawei
 server-ip 192.168.30.2
 port 50200
 shared-key cipher %^%#vB3l&dt|S!59SdGIdcT"mwAQ!4[#Y-#{IBGbI[l:%^%#
 url http://access.example.com:8080/portal
 source-ip 192.168.30.1
#
portal-access-profile name web1
 web-auth-server portal_huawei direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain portal
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 192.168.20.1 255.255.255.0
 authentication-profile p1
 dhcp select interface
#
interface Vlanif102
 ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 102
#
portal timer quiet-period 240
portal quiet-times 5
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
 
return