Huawei Wireless Access Controllers V200R003C00 Web Platform Configuration Guide-Example for Configuring 802.1x Authentication

18.7 Example for Configuring 802.1x Authentication

Networking Requirements

As shown in Figure 18-7, an enterprise connects the AC to the aggregation switch in bypass mode to manage the AP in centralized manner and provide a WLAN with the SSID huawei so that users can access the network anywhere at any time. The AC functions as the DHCP server to assign IP addresses to the AP and STA.

Due to openness of the WLAN, there are security risks. To meet requirements for high security, 802.1x authentication is used and the RADIUS server authenticates identities of STAs, and the WPA2 security policy is used to provide the more secure CCMP encryption mode.

Figure 18-7 Networking for configuring 802.1x authentication
9c9834d0eeb94c5598262863e6d5a7b9

Data Preparation

Item	Data
Management VLAN for the AP	VLAN 100
Service VLAN for STAs	VLAN 101
DHCP server	The AC functions as the DHCP server for the AP and STAs.
IP address pool for the AP	192.168.100.2 to 192.168.100.254/24
IP address pool for STAs	192.168.101.3 to 192.168.101.254/24 DNS: 8.8.8.8 Address that cannot be assigned: 192.168.101.2 of Router
AC ID/Country code	0/CN
AC's source interface	VLANIF 100
WLAN radio profile	Name: radio WMM profile: wmm
WLAN service set	Name: huawei SSID: huawei WLAN ESS interface: WLAN-ESS1 Security profile: security Traffic profile: traffic Data forwarding mode: tunnel forwarding
AP's gateway	VLANIF 100: 192.168.100.1
STA's gateway	VLANIF 101: 192.168.101.1
STA user name and password	User name: huawei Password: huawei123 Authentication scheme: huawei Authentication domain: huawei
RADIUS server	Server template: huawei IP address: 192.168.102.1 Port number: 1812 Shared key: huawei123

Configuration Roadmap

The configuration roadmap is as follows:

Use the configuration wizard to configure the AP to go online on the AC. Configure a management VLAN and a service VLAN.
Configure a DNS server address in the DHCP address pool of the service VLAN to provide the DNS service for the STA.
Configure a static route so that the AC forwards the packet to the router after receiving the packet from the STA.
Configure a RADIUS authentication scheme, reference the scheme in an AAA domain, and enable 802.1x authentication.
Use the configuration wizard to configure the WLAN service and deliver the WLAN service to the AP.

Procedure

Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 (the default VLAN of GE0/0/1).
# On the aggregation switch, add GE0/0/1 and GE0/0/2 to the management VLAN 100, and add GE0/0/2 and GE0/0/3 to the service VLAN 101.
# Assign an IP address 192.168.101.2 to GE0/0/1 on Router and configure the router as the default gateway for the AC.
# Configure a RADIUS server, configure a user name and password, and set the shared key to huawei123.
Configure the AP to go online on the AC.
1. Choose Configuration Wizard > Configuration Wizard > AP Online Configuration Wizard. The AP Online Configuration Wizard page is displayed.
2. Configure the Ethernet interface.
  # On the Configure Ethernet Interface page, click next to GigabitEthernet0/0/1 to add the interface to VLAN 100 and VLAN 101 in tagged mode.
3. Configure virtual interfaces.
  # Click Create on the Configure Virtual Interface page. The Create Virtual Interfacepage is displayed.
  # Configure an IP address 192.168.100.1/24 for VLANIF 100.
  
  # Configure an IP address 192.168.101.1/24 for VLANIF101.
  # Click Next.
4. Configure DHCP.
  # Click Create on the Configure DHCP page. The Create IP Pool page is displayed.
  # Configure an IP address pool for VLANIF 100.
  
  # Configure an IP address pool for VLANIF 101. Specify that the IP address 192.168.101.2 in this address pool cannot be automatically assigned to STAs.
  
  # Click Next.
5. Configure the AC.
6. Confirm the settings.
  On the Confirm Settings page, confirm that the settings are correct and then click Finish.
Configure DNS.
# Choose IP Service > DHCP > IP Pool and click next to Vlanif101 in IP Pool List to configure the DNS server address for the STA.
Configure a static route.
# Choose IP Service > Route > Static Route Configuration to create a static route.
Configure RADIUS authentication.
# Choose Security Management > AAA > AAA Schemes to create an authentication scheme.
# Click the RADIUS Setting tab page to create a server template and set the shared key to the same as that configured on the RADIUS server.
# Configure an authentication server.
# Click the Domain Management tab page to create a domain, and then bind the authentication scheme and RADIUS server template to the domain.
Enable 802.1x authentication globally.
# Choose Security Management > 802.1X Authentication > Global 802.1X Authentication Configuration to enable 802.1x authentication, and click Apply.
Configure the WLAN service.
1. Choose Configuration Wizard > Configuration Wizard > WLAN Configuration Wizard. The WLAN Configuration Wizard page is displayed.
2. Select Common WLAN Service and click Next.
3. Add the AP.
  # Click Create on the Configure AP page. The Create AP page is displayed.
  # Set AP type to AP6010DN-AGN and MAC address to 60de-4476-e360 on the Create AP page to add the AP.
  
  Select the AP and click Next.
4. Configure the radio.
  # Select 2.4 GHz.
  # Create a radio profile named radio. Create a WMM profile named wmm and use the default settings in the profile.
  
  # Click Next.
5. Configure the WLAN service.
  # On the Configure WLAN Service page, click Create to create a service set.
  
  # Create a traffic profile named traffic.
  
  # Create a security profile named security.
  
  # Create an ESS interface.
  
  # Select the created security profile, traffic profile, ESS interface, click Advanced, and set Forwarding mode to Tunnel.
  
  # Click OK and then click Next.
6. Confirm the settings.
  # Confirm that the settings are correct, and then click Finish. In the message that is displayed, confirm that the configuration is to be delivered to the AP.
Verify the configuration.
1. The WLAN with the SSID huawei is available for the STA.
2. Use 802.1x authentication on the STA. Windows7 is used as an example.
  1. Choose Start > Control Panel > Network and Internet > Network and Sharing Center > Manage Wireless Networks, click Add, and select Manually create a network profile.
  2. Set the parameters and click Next.
  3. Click Change connection settings.
  4. Click Settings.
  5. Deselect Validate server certificate and click Configure. Deselect Automatically use my Windows and click OK.
  6. Click in the task bar and connect to the wireless network with the SSID huawei. The Network Authentication dialog box is displayed. Enter the user name huawei and password huawei123, and click OK.
  7. The network state changes to Connected.
3. The STA can associate with the WLAN and obtain an IP address 192.168.101.x/24. The gateway can be pinged.
4. Choose Terminal Management > Terminal Management > STA Management. You can see that the STA goes online successfully and obtains an IP address.