Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts) (V200R009C00 and Later Versions)

Latest reply: Aug 8, 2018 17:37:38

 

Overview

An enterprise has deployed an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network. Enterprise employees connect to the network through PCs and guests connect to the network through mobile phones. The administrator has created local accounts for the employees so that they can use the local accounts to pass authentication. For guest accounts, the administrator needs to configure the Service Manager to enable guests to complete authentication using GooglePlus, Facebook or Twitter accounts.

Configuration Notes

• The RADIUS authentication and accounting shared keys and the Portal shared key on the switch must be the same as those on the Agile Controller-Campus.

• Huawei's Agile Controller-Campus functions as the RADIUS server in this example. The required Agile Controller-Campus version is V100R002 or V100R003.

• By default, the switch allows the packets sent to RADIUS and Portal servers to pass through. You do not need to configure an authentication-free rule for the packets on the switch.

• Service data forwarding modes are classified into tunnel forwarding mode and direct forwarding mode. The tunnel forwarding mode is used in this example.

  - In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.

  - In direct forwarding mode, do not configure the management VLAN and service VLAN to be the same. You are advised to configure port isolation on the switch interface directly connected to the AP. If port isolation is not configured, many broadcast packets will be transmitted in VLANs, or WLAN users on different APs can directly communicate at Layer 2.

• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.

  - In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.

  - In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.

  For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the corresponding product version.

• The following table lists applicable products and versions.

Table 1-1 Applicable products and versions

Software version: V200R011C10

Product model: S5720HI, S7700, S9700

NOTE: For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

AP model and version:

V200R007C20:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP8050DN, AP8150DN

V200R007C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W

V200R006C20:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D

V200R006C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Software version: V200R010C00

Product model: S5720HI, S7700, S9700

NOTE: For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

AP model and version:

V200R007C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W

V200R006C20:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D

V200R006C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

Software version: V200R009C00

Product model: S5720HI, S7700, S9700

NOTE: For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended. For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

AP model and version:

V200R007C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W

V200R006C20:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D

V200R006C10:

AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

 

Networking Requirements

In Figure 1-1, a switch functions as the AC and connects to the AP through a PoE switch. The PoE switch provides power for the AP. You can configure WLAN services on the AC to provide wireless access services for users.

Figure 1-1 Networking of a small-scale WLAN


 

Network Data Plan

Table 1-2 Network data plan

| Item | Data | Description |
|---|---|---|
| AC DHCP server | 192.168.10.1-192.168.10.254/24 | IP address pool for APs. |
| | IP address of VLANIF 100: 192.168.10.1 | Gateway connected to the AP. |
| | 192.168.20.1-192.168.20.254/24 | IP address pool for mobile phone users. |
| | IP address of VLANIF 101: 192.168.20.1 | Gateway for mobile phone users. |
| | IP address of VLANIF 102: 192.168.30.1 | Gateway connected to the Agile Controller-Campus. |
| | Portal server: IP address: 192.168.30.2; Port number that the switch uses to process Portal packets: 2000; Destination port number in the packets that the switch sends to the Portal server: 50200; Portal shared key: Admin@123 | The service controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, IP addresses of the authentication server, accounting server, and Portal server are the IP address of the Agile Controller-Campus. Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. |
| | RADIUS authentication server: IP address: 192.168.30.2; Port number: 1812; RADIUS shared key: Admin@123 | |
| | RADIUS accounting server: IP address: 192.168.30.2; Port number: 1813; RADIUS shared key: Admin@123; Accounting interval: 15 minutes | |
| Agile Controller-Campus | Domain name: access.example.com | Users can also use the domain name to access the Portal server. |
| | IP address: 192.168.30.2 | - |
| | Authentication port number: 1812 | - |
| | Accounting port number: 1813 | - |
| | RADIUS shared key: Admin@123 | It must be the same as that configured on the switch. |
| | Port number in the packets received by the Portal server: 50200 | - |
| | Portal shared key: Admin@123 | It must be the same as that configured on the switch. |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1 | - |
| Regulatory domain profile | Name: domain1; Country code: CN | - |
| SSID profile | Name: wlan-ssid; SSID name: wlan-net | - |
| Security profile | Name: wlan-security; Security policy: open system authentication | - |
| VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1 | - |

 

Configuration Roadmap

1. Configure network connectivity.

2. Set the NAC mode of the AC to unified.

3. Configure parameters for the AC to communicate with the Agile Controller-Campus (RADIUS server).

4. Configure Portal authentication.

5. Configure the AP to go online.

6. Configure STAs to go online.

7. Configure the Agile Controller-Campus and social media authentication server.

Procedure

Step 1: Configure network connectivity.

# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC to management VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# On the AC, add GE1/0/1 connected to SwitchA to VLAN 100, add GE1/0/3 connected to the Agile Controller-Campus to VLAN 102, and add GE1/0/2 connected to the Internet to VLAN 101.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

# Configure the AC as a DHCP server based on interface address pools. VLANIF 100 assigns IP addresses to the AP and VLANIF 101 assigns IP addresses to STAs.

[AC] dhcp enable   
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface   
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.20.1 24   
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

# Configure the gateway address of the Agile Controller-Campus.

[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.30.1 24
[AC-Vlanif102] quit

Step 2: Set the NAC mode of the AC to unified.

[AC] authentication unified-mode    
Warning: Switching the authentication mode will take effect after system restart. Some configurations are invalid after the mode is switched. For the invalid commands, see the user manual. Save the configuration file and reboot now? [Y/N]y

Step 3: Configure parameters for the AC to communicate with the Agile Controller-Campus (RADIUS server).

[AC] radius-server template policy   
[AC-radius-policy] radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1   
[AC-radius-policy] radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1   
[AC-radius-policy] radius-server shared-key cipher Admin@123   
[AC-radius-policy] quit
[AC] aaa   
[AC-aaa] authentication-scheme auth   
[AC-aaa-authen-auth] authentication-mode radius   
[AC-aaa-authen-auth] quit
[AC-aaa] accounting-scheme acco   
[AC-aaa-accounting-acco] accounting-mode radius   
[AC-aaa-accounting-acco] accounting realtime 15   
[AC-aaa-accounting-acco] quit
[AC-aaa] domain portal   
[AC-aaa-domain-portal] authentication-scheme auth   
[AC-aaa-domain-portal] accounting-scheme acco   
[AC-aaa-domain-portal] radius-server policy   
[AC-aaa-domain-portal] quit
[AC-aaa] quit
[AC] domain portal 

Step 4: Configure Portal authentication.

# Configure parameters for the AC to communicate with the Agile Controller-Campus (Portal server).

[AC] web-auth-server portal_huawei   
[AC-web-auth-server-portal_huawei] server-ip 192.168.30.2   
[AC-web-auth-server-portal_huawei] source-ip 192.168.30.1   
[AC-web-auth-server-portal_huawei] port 50200   
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123   
[AC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal   
[AC-web-auth-server-portal_huawei] quit
[AC] web-auth-server listening-port 2000   
[AC] portal quiet-period   
[AC] portal quiet-times 5   
[AC] portal timer quiet-period 240  

# Configure a Portal access profile.

[AC] portal-access-profile name web1
[AC-portal-acces-profile-web1] web-auth-server portal_huawei direct
[AC-portal-acces-profile-web1] quit

# Configure an authentication-free rule profile.

[AC] acl 6000
[AC-acl-ucl-6000] rule 1 permit ip destination fqdn www.googleapis.com   
[AC-acl-ucl-6000] rule 2 permit ip destination fqdn apis.google.com   
[AC-acl-ucl-6000] rule 3 permit ip destination fqdn connect.facebook.net   
[AC-acl-ucl-6000] rule 4 permit ip destination fqdn api.twitter.com   
[AC-acl-ucl-6000] rule 5 permit ip destination fqdn abs.twimg.com   
[AC-acl-ucl-6000] rule 6 permit ip destination fqdn mobile.twitter.com   
[AC-acl-ucl-6000] rule 7 permit ip destination fqdn twitter.com
[AC-acl-ucl-6000] quit
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule acl 6000
[AC-free-rule-default_free_rule] quit

# Configure an authentication profile.

[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1   
[AC-authen-profile-p1] free-rule-template default_free_rule   
[AC-authen-profile-p1] quit

# Configure network access rights for users in the post-authentication domain.

[AC] acl 3001   
[AC-acl-adv-3001] rule 1 permit ip   
[AC-acl-adv-3001] quit

# Enable Portal authentication.

[AC] interface vlanif 101
[AC-Vlanif101] authentication-profile p1   
[AC-Vlanif101] quit

Step 5: Configure the AP to go online.

# Create an AP group to which the APs with the same configuration can be added.

[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.

[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. In this example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.


The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1. Radio 0 of the AP6010DN-AGN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency band.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN    nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6: Configure STAs to go online.

# Create the security profile wlan-security and set the security policy to open system authentication.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open   
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net   
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel   
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101   
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.

[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

# Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7: Configure the Agile Controller-Campus and social media authentication server. For details, see Agile Controller-Campus Product Documentation - Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts).

Step 8: Verify the configuration.

After completing the configuration, run the display vap ssid wlan-net command. If the Status field displays ON, the VAP has been successfully created on the AP radios.

[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID     BSSID          Status  Auth type     STA   SSID
--------------------------------------------------------------------------------
0     area_1  1    1       60DE-4476-E360 ON      WPA2-PSK      0     wlan-net
-------------------------------------------------------------------------------
Total: 2

Manually search for the WLAN with the SSID wlan-net. After completing authentication with a social media account as prompted, run the display station ssid wlan-net command on the AC. The command output shows that the user has successfully connected to the WLAN wlan-net.

[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID Ap name   Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1    1/1      5G    11n   46/59      -68   101   192.168.20.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files

• SwitchA configuration file

#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file

#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
#
domain portal
#
dhcp enable
#
radius-server template policy
 radius-server shared-key cipher %^%#v@)#XkYybF19}~4&3(rDX%va0:#G>0MDrOF^B;D+%^%#
 radius-server authentication 192.168.30.2 1812 source ip-address 192.168.30.1 weight 80
 radius-server accounting 192.168.30.2 1813 source ip-address 192.168.30.1 weight 80
#
acl number 3001
 rule 1 permit ip
#
acl number 6000
 rule 1 permit ip destination fqdn www.googleapis.com
 rule 2 permit ip destination fqdn apis.google.com
 rule 3 permit ip destination fqdn connect.facebook.net
 rule 4 permit ip destination fqdn api.twitter.com
 rule 5 permit ip destination fqdn abs.twimg.com
 rule 6 permit ip destination fqdn mobile.twitter.com
 rule 7 permit ip destination fqdn twitter.com
#
free-rule-template name default_free_rule
 free-rule acl 6000
#
web-auth-server portal_huawei
 server-ip 192.168.30.2
 port 50200
 shared-key cipher %^%#vB3l&dt|S!59SdGIdcT"mwAQ!4[#Y-#{IBGbI[l:%^%#
 url http://access.example.com:8080/portal
 source-ip 192.168.30.1
#
portal-access-profile name web1
 web-auth-server portal_huawei direct
#
aaa
 authentication-scheme auth
  authentication-mode radius
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
 domain portal
  authentication-scheme auth
  accounting-scheme acco
  radius-server policy
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 192.168.20.1 255.255.255.0
 authentication-profile p1
 dhcp select interface
#
interface Vlanif102
 ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 102
#
portal timer quiet-period 240
portal quiet-times 5
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
 
return
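The authentication chain in the AC configuration file above (authentication profile, Portal access profile, Portal server, free-rule template, ACL) can be checked offline before it is applied. The following is an added example, not part of the original post or of any Huawei tool: it parses an excerpt of that file, confirms every reference resolves, lists the FQDNs guests can reach before authentication, and reports a Portal URL that is not HTTPS or a free rule that is broader than a single FQDN. The function names and finding texts are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the AC configuration file above (shared-key lines left out).
AC_CONFIG = """\
#
authentication-profile name p1
 portal-access-profile web1
 free-rule-template default_free_rule
#
acl number 6000
 rule 1 permit ip destination fqdn www.googleapis.com
 rule 2 permit ip destination fqdn apis.google.com
 rule 3 permit ip destination fqdn connect.facebook.net
 rule 4 permit ip destination fqdn api.twitter.com
 rule 5 permit ip destination fqdn abs.twimg.com
 rule 6 permit ip destination fqdn mobile.twitter.com
 rule 7 permit ip destination fqdn twitter.com
#
free-rule-template name default_free_rule
 free-rule acl 6000
#
web-auth-server portal_huawei
 server-ip 192.168.30.2
 url http://access.example.com:8080/portal
#
portal-access-profile name web1
 web-auth-server portal_huawei direct
#
"""

FQDN_RULE = re.compile(r"rule \d+ permit ip destination fqdn (\S+)$")

def parse_stanzas(text):
    """Map each unindented line to the list of indented lines below it."""
    stanzas, children = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            children = None
        elif not line.startswith(" "):
            children = stanzas.setdefault(line.strip(), [])
        elif children is not None:
            children.append(line.strip())
    return stanzas

def ref(children, keyword):
    """First word after `keyword` among a stanza's lines, or None."""
    for child in children or []:
        if child.startswith(keyword + " "):
            return child[len(keyword) + 1:].split()[0]
    return None

def audit(text, profile="p1"):
    """Return (findings, pre-authentication FQDNs) for one authentication profile."""
    s, findings, fqdns = parse_stanzas(text), [], []
    auth = s.get(f"authentication-profile name {profile}")
    if auth is None:
        return [f"authentication-profile {profile} is not defined"], fqdns
    portal = ref(auth, "portal-access-profile")
    server = ref(s.get(f"portal-access-profile name {portal}"), "web-auth-server")
    url = ref(s.get(f"web-auth-server {server}"), "url")
    if url is None:
        findings.append(f"{profile}: no Portal URL reachable via {portal}/{server}")
    elif urlsplit(url).scheme != "https":
        findings.append(f"{profile}: Portal URL {url} is not HTTPS")
    template = ref(auth, "free-rule-template")
    acl = ref(s.get(f"free-rule-template name {template}"), "free-rule acl")
    rules = s.get(f"acl number {acl}")
    if rules is None:
        findings.append(f"{profile}: free-rule ACL {acl} is not defined")
    for rule in rules or []:
        match = FQDN_RULE.match(rule)
        if match:
            fqdns.append(match.group(1))
        else:
            findings.append(f"ACL {acl}: '{rule}' is not limited to one FQDN")
    return findings, fqdns
```

Calling `audit(AC_CONFIG)` on the excerpt returns the seven social-login FQDNs and a single finding for the `http://` Portal URL.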
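The configuration notes and Step 3 require the RADIUS shared key on the switch to match the one on the Agile Controller-Campus. The following added example (not part of the original post, and not Huawei code) applies the RFC 2865 User-Password hiding and Response Authenticator formulas to show what a mismatch does on each side. The key `Admin@124`, the request authenticator, the guest password and the Reply-Message attribute are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
REQUEST_AUTH = bytes(range(16))       # constructed; a real one is random per request
SWITCH_KEY = b"Admin@123"             # shared key configured on the AC in Step 3
MISMATCHED_KEY = b"Admin@124"         # constructed typo on the server side
REPLY_MESSAGE = bytes([18, 4]) + b"ok"  # constructed Reply-Message attribute

def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, request_auth, secret):
    """Inverse of hide_password, as run by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attributes, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_response(code, ident, attributes, request_auth, secret):
    """Server side: assemble a reply packet signed with the server's key."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return header + auth + attributes

def verify_response(packet, request_auth, secret):
    """Switch side: accept the reply only if its authenticator matches our key."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def demo():
    """Run one exchange with matching keys and one with a mismatched server key."""
    hidden = hide_password(b"guest-password", REQUEST_AUTH, SWITCH_KEY)
    good = build_response(ACCESS_ACCEPT, 7, REPLY_MESSAGE, REQUEST_AUTH, SWITCH_KEY)
    bad = build_response(ACCESS_ACCEPT, 7, REPLY_MESSAGE, REQUEST_AUTH, MISMATCHED_KEY)
    return {
        "server_recovers_password": unhide_password(hidden, REQUEST_AUTH, SWITCH_KEY),
        "server_with_other_key": unhide_password(hidden, REQUEST_AUTH, MISMATCHED_KEY),
        "switch_accepts_matching": verify_response(good, REQUEST_AUTH, SWITCH_KEY),
        "switch_accepts_mismatched": verify_response(bad, REQUEST_AUTH, SWITCH_KEY),
    }
```

With a mismatched key the server decodes a different password and rejects the user, and the switch discards any reply the server signs, so authentication fails in both directions.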


user_2790689
Created Mar 23, 2017 07:54:33 Helpful(0) Helpful(0)

thank you

faysalji
Created Aug 8, 2018 17:37:38 Helpful(0) Helpful(0)

Thanks

If you think my post/reply is useful, please click the Helpful button and flag my post as a BEST ANSWER. Thanks
