Configuration Process
You configure and maintain WLAN features in a set of profiles: the regulatory domain profile, radio profile, VAP profile, AP system profile, AP wired port profile, WIDS profile, WDS profile, and mesh profile. To configure WLAN services, set the relevant parameters in these profiles and bind the profiles to an AP or AP group. The settings are then pushed to the APs automatically and take effect. WLAN profiles can reference each other, so you need to understand the relationships between them before configuring them. For the profile relationships and the basic configuration process, see "WLAN Service Configuration Process".
Networking Requirements
As shown in Figure 16-17, an enterprise AC connects to an AP through the access switch SwitchA. The enterprise deploys the WLAN wlan-net to give employees wireless network access. The AC acts as a DHCP server and assigns IP addresses on the 10.23.101.0/24 network segment to wireless users.
Because the WLAN is open to users, enterprise information is at risk if no access control is configured for it. To grant network access only to specific STAs, the enterprise must authenticate the STAs first and then the users of those STAs. MAC + 802.1X authentication meets this requirement: wireless users are authenticated through a RADIUS server.
Figure 16-18 Networking for configuring MAC + 802.1X authentication
Configuration Roadmap
- Configure basic WLAN services on the AC so that the AC can communicate with upstream and downstream devices and the AP can go online.
- Configure RADIUS authentication parameters.
- Configure a MAC access profile to manage MAC access control parameters.
- Configure an 802.1X access profile to manage 802.1X access control parameters.
- Configure an authentication profile to manage NAC parameters.
- Configure WLAN services and bind a security profile and an authentication profile to a VAP profile to control access of STAs.
Table 16-9 Data plan
Item | Data |
---|---|
RADIUS authentication parameters | RADIUS authentication scheme name: radius_huawei; RADIUS server template name: radius_huawei; AAA domain: huawei.com |
MAC access profile | Name: m1 |
802.1X access profile | Name: wlan-dot1x; authentication mode: EAP relay |
Authentication profile | Name: p1; 802.1X access profile: wlan-dot1x; MAC access profile: m1; access domain: huawei.com (forced for MAC authentication) |
DHCP server | The AC acts as a DHCP server to assign IP addresses to the AP and STAs. |
IP address pool for the AP | 10.23.100.2 to 10.23.100.254/24 |
IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24 |
AC source interface IP address | VLANIF 100: 10.23.100.1/24 |
AP group | Name: ap-group1; bound profiles: VAP profile wlan-vap, regulatory domain profile domain1 |
Regulatory domain profile | Name: domain1; country code: CN |
SSID profile | Name: wlan-ssid; SSID name: wlan-net |
Security profile | Name: wlan-security; security policy: WPA2+802.1X+AES |
VAP profile | Name: wlan-vap; forwarding mode: tunnel; service VLAN: VLAN 101; bound profiles: SSID profile wlan-ssid, security profile wlan-security, authentication profile p1 |
Configuration Notes
No ACK mechanism is provided for multicast packets transmitted over air interfaces, and wireless links are unstable, so multicast packets are usually sent at low rates to ensure stable transmission. If a large number of such packets arrive from the network side, the air interfaces may be congested. It is recommended that you configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when setting the rate limit; otherwise, multicast services may be affected.
- In direct forwarding mode, configure multicast packet suppression on the switch interfaces connected to the APs.
- In tunnel forwarding mode, configure multicast packet suppression in the traffic profiles on the AC.
For details on configuring traffic suppression, see "How Do I Configure Multicast Packet Suppression to Reduce the Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?".
Configure port isolation on the interfaces of devices directly connected to an AP. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated on the VLAN, congesting the network and degrading the user experience.
In tunnel forwarding mode, the management VLAN and the service VLAN cannot be the same. Only management VLAN packets are transmitted between the AC and the AP; service VLAN packets are not allowed between them.
- In V200R021C00 and later versions, when you configure the CAPWAP source interface or source address, the system checks the security-related settings: the PSK for DTLS encryption, the PSK for DTLS encryption between ACs, the username and password for logging in to the AP, and the password for logging in to the offline global management VAP. The configuration succeeds only if all of these have been set; otherwise, the system prompts you to complete them first.
- In V200R021C00 and later versions, DTLS encryption is enabled by default for CAPWAP control tunnels on the AC. With this function enabled, a newly added AP cannot go online. In this case, enable CAPWAP DTLS non-authentication (capwap dtls no-auth enable) so that the AP can obtain a security credential, and disable the function again after the AP has gone online (undo capwap dtls no-auth enable) to prevent unauthorized APs from connecting.
Procedure
- Set the NAC mode to unified so that users can connect to the network successfully.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode
If the NAC mode is changed from traditional to unified, the unified mode takes effect only after you save the configuration and restart the device.
- Configure SwitchA and the AC so that the AP and AC can exchange CAPWAP packets.
# Add GE0/0/1 (connecting SwitchA to the AP) to management VLAN 100 and add GE0/0/2 (connecting SwitchA to the AC) to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE1/0/1 (connecting the AC to SwitchA) to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit
- Configure the AC to communicate with the upstream device.
Configure the AC uplink interface to transparently transmit service VLAN packets as required and to communicate with the upstream device.
# Add the AC uplink interface GE1/0/2 to service VLAN 101.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit
- Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as a DHCP server that assigns an IP address to the AP from the interface address pool on VLANIF 100 and IP addresses to STAs from the interface address pool on VLANIF 101.
Configure the DNS server as required. Common methods are as follows:
- In the interface address pool scenario, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
- In the global address pool scenario, run the dns-list ip-address &<1-8> command in the IP address pool view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
- Configure a route from the AC to the RADIUS server (assume that the IP address of the upstream device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2
- Configure the AP to go online.
# Create an AP group and add the AP to it.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, set the country code of the AC in the profile, and bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel and power configurations of the radios and may reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Configure the source interface of the AC.
[AC] capwap source interface vlanif 100
# Import the AP offline on the AC and add it to the AP group ap-group1. Name the AP based on where it is deployed so that the deployment location can be identified from the name. This example assumes that the MAC address of the AP is 00e0-fc12-e360 and that the AP is deployed in area 1, so the AP is named area_1.
The default AP authentication mode is MAC address authentication. If the default setting is retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AirEngine8760-X1-PRO is used; it has two radios: radio 0 (2.4 GHz) and radio 1 (5 GHz).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc12-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radios. Continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type                  State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    00e0-fc76-e360 area_1  ap-group1  10.23.100.254  AirEngine8760-X1-PRO  nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1
- Configure a RADIUS server template and a RADIUS authentication scheme.
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and match those on the RADIUS server.
# Configure a RADIUS server template.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206
[AC-radius-radius_huawei] quit
# Configure a RADIUS authentication scheme.
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
# Create an AAA domain and bind the RADIUS server template and authentication scheme to it.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
- Configure the MAC access profile m1.
In a MAC access profile, the MAC address without hyphens (-) is used as both the username and the password for MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit
- Configure an 802.1X access profile to manage 802.1X access control parameters.
# Create the 802.1X access profile wlan-dot1x.
[AC] dot1x-access-profile name wlan-dot1x
# Set the authentication mode to EAP relay.
[AC-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-dot1x] quit
- Configure the authentication profile p1.
[AC] authentication-profile name p1
[AC-authentication-profile-p1] dot1x-access-profile wlan-dot1x
[AC-authentication-profile-p1] mac-access-profile m1
[AC-authentication-profile-p1] access-domain huawei.com mac-authen force
[AC-authentication-profile-p1] quit
- Configure WLAN service parameters.
# Create the security profile wlan-security and set the security policy in it.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the data forwarding mode and service VLAN, and bind the security profile, SSID profile, and authentication profile to it.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply it to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
- Configure channels and power for the AP radios.
Automatic channel and power calibration is enabled by default. Manual channel and power configuration takes effect only after these two functions are disabled. The channel and power settings for the AP radios in this example are for reference only; on a live network, configure them according to the AP country code and network planning results.
# Disable automatic channel and power calibration for radio 0 and configure its channel and power.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
# Disable automatic channel and power calibration for radio 1 and configure its channel and power.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
- Verify the configuration.
The WLAN with the SSID wlan-net is available to STAs. STAs provided by the enterprise pass MAC authentication and then 802.1X authentication successfully; STAs not recognized by the enterprise fail authentication.
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
 dot1x-access-profile wlan-dot1x
 mac-access-profile m1
 access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 00e0-fc12-e360
  ap-name area_1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-dot1x
 dot1x authentication-method eap
#
mac-access-profile name m1
#
return
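The following script is an added example and is not part of this configuration guide or of Huawei's software. It reads a configuration file in the indentation-based format shown above and checks the security-relevant points the example depends on: every VAP profile must bind a security profile using WPA/WPA2 with 802.1X and an authentication profile that carries both an 802.1X access profile and a MAC access profile; in tunnel forwarding mode the service VLAN must differ from the management VLAN taken from the CAPWAP source interface (see the configuration notes); CAPWAP DTLS non-authentication must not be left enabled after the AP has gone online; and the RADIUS shared key must be stored as cipher text. It also shows the credential format a MAC access profile derives from a STA MAC address (the address without its hyphens). The two sample configurations are constructed from this example's data plan, the cipher text is a placeholder, and the `simple` keyword and `security open` line in the counter-example are constructed sample text.

```python
# Constructed sample modelled on the AC configuration file in this example;
# the cipher text is a placeholder, not a real key blob.
GOOD_CONFIG = """\
#
authentication-profile name p1
 dot1x-access-profile wlan-dot1x
 mac-access-profile m1
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#PLACEHOLDER_CIPHER_TEXT%^%#
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
  authentication-profile p1
#
return
"""

# Constructed counter-example: open security profile, no authentication profile
# bound, service VLAN equal to the management VLAN in tunnel mode, plaintext
# RADIUS shared key, and CAPWAP DTLS no-auth left enabled after AP onboarding.
BAD_CONFIG = """\
#
radius-server template radius_huawei
 radius-server shared-key simple PlainKey123
#
capwap source interface vlanif100
capwap dtls no-auth enable
#
wlan
 security-profile name wlan-security
  security open
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile wlan-security
#
return
"""


def parse(text):
    """Split the config into (indent, command) pairs, dropping '#' separators."""
    pairs = [(len(raw) - len(raw.lstrip(" ")), raw.strip()) for raw in text.splitlines()]
    return [(ind, cmd) for ind, cmd in pairs if cmd and cmd not in ("#", "return")]


def block(pairs, header):
    """Sub-commands (more deeply indented) under the first line equal to header."""
    for i, (indent, cmd) in enumerate(pairs):
        if cmd == header:
            body = pairs[i + 1:]
            end = next((j for j, (ind, _) in enumerate(body) if ind <= indent), len(body))
            return [c for _, c in body[:end]]
    return None


def arg(body, keyword):
    """Last word of the first sub-command starting with keyword, or None."""
    for cmd in body or []:
        if cmd.startswith(keyword + " "):
            return cmd.split()[-1]
    return None


def mac_auth_credential(mac):
    """Username/password a MAC access profile derives from a STA MAC: hex digits only."""
    return "".join(ch for ch in mac if ch in "0123456789abcdefABCDEF")


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    pairs = parse(text)
    findings = []
    # Management VLAN comes from the CAPWAP source interface (VLANIF 100 in this example).
    mgmt = next((c.split("vlanif")[-1].strip() for _, c in pairs
                 if c.startswith("capwap source interface vlanif")), None)
    if any(c == "capwap dtls no-auth enable" for _, c in pairs):
        findings.append("CAPWAP DTLS no-auth is still enabled")
    if any(c.startswith("radius-server shared-key") and " cipher " not in c for _, c in pairs):
        findings.append("RADIUS shared key is not stored as cipher text")
    for _, cmd in pairs:
        if not cmd.startswith("vap-profile name "):
            continue
        vap, body = cmd.split()[2], block(pairs, cmd)
        sec = block(pairs, f"security-profile name {arg(body, 'security-profile')}") or []
        if not any(c.startswith("security wpa") and "dot1x" in c for c in sec):
            findings.append(f"vap {vap}: security profile does not use WPA/WPA2 with 802.1X")
        auth = block(pairs, f"authentication-profile name {arg(body, 'authentication-profile')}")
        if auth is None:
            findings.append(f"vap {vap}: no authentication profile bound")
        else:
            for kind in ("dot1x-access-profile", "mac-access-profile"):
                if arg(auth, kind) is None:
                    findings.append(f"vap {vap}: authentication profile lacks {kind}")
        if arg(body, "forward-mode") == "tunnel" and arg(body, "service-vlan") == mgmt:
            findings.append(f"vap {vap}: tunnel mode with service VLAN equal to management VLAN {mgmt}")
    return findings
```

Feed audit() the saved output of display current-configuration: an empty list means the VAP, authentication, VLAN, DTLS and RADIUS-key checks all passed, while each string in a non-empty list names the profile and the setting that deviates from this example's plan.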