18.9 Example for Configuring Portal Authentication
Networking Requirements
As shown in Figure 18-9, an enterprise connects the AC to the aggregation switch in bypass mode to manage the AP in centralized manner and provide a WLAN with the SSID huawei so that users can access the network anywhere at any time. The AC functions as the DHCP server to assign IP addresses to the AP and STA.
The WLAN authentication client cannot be installed on wireless devices providing public services, such as wireless printers and phones, so use MAC address authentication. The RADIUS server authenticates wireless devices using their MAC addresses. No authentication is required when STAs access the WLAN, facilitating the use of WLAN services.
Data Preparation
| Item | Data |
|---|---|
| Management VLAN for the AP | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AC functions as the DHCP server for the AP and STAs. |
| IP address pool for the AP | 192.168.100.2 to 192.168.100.254/24 |
| IP address pool for STAs | 192.168.101.3 to 192.168.101.254/24 DNS: 8.8.8.8 Address that cannot be assigned: 192.168.101.2 of Router |
| AC ID/Country code | 0/CN |
| AC's source interface | VLANIF 100 |
| WLAN radio profile | Name: radio WMM profile: wmm |
| WLAN service set | Name: huawei SSID: huawei WLAN ESS interface: WLAN-ESS1 Security profile: security Traffic profile: traffic Data forwarding mode: tunnel forwarding |
AP's gateway | VLANIF 100: 192.168.100.1 |
STA's gateway | VLANIF 101: 192.168.101.1 |
STA user name and password |
|
RADIUS server |
|
Portal server |
|
Configuration Roadmap
Use the configuration wizard to configure the AP to go online on the AC. Configure a management VLAN and a service VLAN.
Configure a DNS server address in the DHCP address pool of the service VLAN to provide the DNS service for the STA.
Configure a static route so that the AC forwards the packet to the router after receiving the packet from the STA.
Configure a RADIUS authentication scheme, reference the scheme in an AAA domain, and enable Portal authentication.
Use the configuration wizard to configure the WLAN service and deliver the WLAN service to the AP.
Procedure
Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 (the default VLAN of GE0/0/1).
# On the aggregation switch, add GE0/0/1 and GE0/0/2 to the management VLAN 100, and add GE0/0/2 and GE0/0/3 to the service VLAN 101.
# Assign an IP address 192.168.101.2 to GE0/0/1 on Router and configure the router as the default gateway for the AC.
# Configure a RADIUS server, configure a user name and password, and set the shared key to huawei123.
# Configure a Portal server and set the port number and shared key to provide the web authentication page.
Configure the AP to go online on the AC.
Choose Configuration Wizard > Configuration Wizard > AP Online Configuration Wizard. The AP Online Configuration Wizard page is displayed.
Configure the Ethernet interface.
# On the Configure Ethernet Interface page, click
next to GigabitEthernet0/0/1 to add the interface to VLAN 100 and VLAN 101 in tagged mode.Configure virtual interfaces.
# Click Create on the Configure Virtual Interface page. The Create Virtual Interfacepage is displayed.
# Configure an IP address 192.168.100.1/24 for VLANIF 100.
# Configure an IP address 192.168.101.1/24 for VLANIF101.
# Click Next.
Configure DHCP.
# Click Create on the Configure DHCP page. The Create IP Pool page is displayed.
# Configure an IP address pool for VLANIF 100.
# Configure an IP address pool for VLANIF 101. Specify that the IP address 192.168.101.2 in this address pool cannot be automatically assigned to STAs.
# Click Next.
Configure the AC.
Confirm the settings.
On the Confirm Settings page, confirm that the settings are correct and then click Finish.
Configure DNS.
# Choose IP Service > DHCP > IP Pool and click
next to Vlanif101 in IP Pool List to configure the DNS server address for the STA.Configure a static route.
# Choose IP Service > Route > Static Route Configuration to create a static route.
Configure RADIUS authentication.
# Choose Security Management > AAA > AAA Schemes to create an authentication scheme.
# Click the RADIUS Setting tab page to create a server template and set the shared key to the same as that configured on the RADIUS server.
# Configure an authentication server.
# Click the Domain Management tab page to create a domain, and then bind the authentication scheme and RADIUS server template to the domain.
Configure a Portal server.
# Choose Security Management > Portal Authentication > External Portal Server to create a Portal authentication server.
# Choose Interface Management > VLAN > VLANIF and click
to modify the service interface VLANIF 101, and configure Portal authentication.Configure the WLAN service.
Choose Configuration Wizard > Configuration Wizard > WLAN Configuration Wizard. The WLAN Configuration Wizard page is displayed.
Select Common WLAN Service and click Next.
Add the AP.
# Click Create on the Configure AP page. The Create AP page is displayed.
# Set AP type to AP6010DN-AGN and MAC address to 60de-4476-e360 on the Create AP page to add the AP.
Select the AP and click Next.
Configure the radio.
# Select 2.4 GHz.
# Create a radio profile named radio. Create a WMM profile named wmm and use the default settings in the profile.
# Click Next.
Configure the WLAN service.
# On the Configure WLAN Service page, click Create to create a service set.
# Create a traffic profile named traffic.
# Create a security profile named security.
# Create an ESS interface.
# Select the created security profile, traffic profile, ESS interface, click Advanced, and set Forwarding mode to Tunnel.
# Click OK and then click Next.
Confirm the settings.
# Confirm that the settings are correct, and then click Finish. In the message that is displayed, confirm that the configuration is to be delivered to the AP.
Verify the configuration.
The WLAN with the SSID huawei is available for the STA.
The STA can associate with the WLAN and obtain an IP address 192.168.101.x/24 and its gateway address is 192.168.101.1.
Choose Terminal Management > Terminal Management > STA Management. You can see that the STA goes online successfully and obtains an IP address.
When you open the browser on the STA, you are redirected to the Portal authentication page. After you enter the correct user name and password and are successfully authenticated, you can access the Internet.
next to GigabitEthernet0/0/1 to add the interface to VLAN 100 and VLAN 101 in tagged mode.
From group: WLAN
This is what I want to talk about/share with you today, thank you!
