• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 全部
  • 全部
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
高级搜索

H3C AC remote MAC+remote Portal+MAC senseless authentication typical configuration example (V7)

2021-06-07 Published
  • 0关注
  • 0收藏,523浏览
粉丝:1人 关注:0人

Network Topology

As shown in Figure, AP and Client obtain IP address through DHCP server. iMC acts as both Portal Authentication Server and Portal Web Server, RADIUS server, and requires.

- Remote MAC authentication for wireless users.

- AC uses Portal authentication in a direct way.

- The server needs to dynamically modify the user authorization information or force the user to go offline.

Configuration Steps

1. Configure the Server.


Omission


2. Configure the AC.


(1) Configure the interface of the AC

 

# Create VLAN 100 and its corresponding VLAN interface and configure an IP address for the interface. the AP will obtain this IP address to establish a CAPWAP tunnel with the AC.

 

<AC> system-view

 

[AC] vlan 100

 

[AC-vlan100] quit

 

[AC] interface vlan-interface 100

 

[AC-Vlan-interface100] ip address 2.2.1.1 24

 

[AC-Vlan-interface100] quit

 

# Create VLAN 200 and its corresponding VLAN interface, and configure the IP address for the interface. client will use this VLAN to access the wireless network.

 

[AC] vlan 200

 

[AC-vlan200] quit

 

[AC] interface vlan-interface 200

 

[AC-Vlan-interface200] ip address 2.2.2.1 24

 

[AC-Vlan-interface200] quit

 

# Configure the attribute of interface GigabitEthernet1/0/1, which is connected to the Switch, to be Trunk, allowing VLAN 1, VLAN 100, and VLAN 200 to pass.

 

[AC] interface gigabitethernet 1/0/1

 

[AC-GigabitEthernet1/0/1] port link-type trunk

 

[AC-GigabitEthernet1/0/1] port trunk permit vlan 1 100 200

 

[AC-GigabitEthernet1/0/1] quit

 

(2) Configure static routes

 

# Configure a static route to the iMC server.

 

[AC] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100

 

(3) Configure the wireless service

 

# Create wireless service template st1 and enter wireless service template view.

 

[AC] wlan service-template st1

 

# Configure the SSID as service.

 

[AC-wlan-st-st1] ssid service

 

# Configure the wireless service template VLAN to be 200.

 

[AC-wlan-st-st1] vlan 200

 

[AC-wlan-st-st1] quit

 

# Create an AP, configure the AP name to office, select WA4320i-ACN for model name, and configure serial number 219801A0CNC138011454.

 

[AC] wlan ap office model WA4320i-ACN

 

[AC-wlan-ap-office] serial-id 219801A0CNC138011454

 

# Enter Radio 2 view.

 

[AC-wlan-ap-office] radio 2

 

# Bind the wireless service template st1 to radio 2 and turn on the RF.

 

[AC-wlan-ap-office-radio-2] service-template st1

 

[AC-wlan-ap-office-radio-2] radio enable

 

[AC-wlan-ap-office-radio-2] quit

 

[AC-wlan-ap-office] quit

 

(4) Configure the RADIUS scheme

 

# Create a RADIUS scheme with the name rs1 and enter this scheme view.

 

[AC] radius scheme rs1

 

# Configure the primary authentication and primary billing server of the RADIUS scheme and its communication key.

 

[AC-radius-rs1] primary authentication 192.168.0.111

 

[AC-radius-rs1] primary accounting 192.168.0.111

 

[AC-radius-rs1] key authentication simple radius

 

[AC-radius-rs1] key accounting simple radius

 

# Configure that the username sent to the RADIUS server does not carry the ISP domain name.

 

[AC-radius-rs1] user-name-format without-domain

 

# Configure the source IP address to be used for sending RADIUS messages to 2.2.2.1.

 

[AC-radius-rs1] nas-ip 2.2.2.1

 

[AC-radius-rs1] quit

 

# Enable the RADUIS session control function.

 

[AC] radius session-control enable

 

# Enable the RADIUS DAE service and enter RADIUS DAE server view.

 

[AC] radius dynamic-author server

 

# Set the IP address of the RADIUS DAE client to 192.168.0.111, and the shared key used to interact with the RADIUS DAE client for DAE messages is plaintext radius.

 

[AC-radius-da-server] client ip 192.168.0.111 key simple radius

 

[AC-radius-da-server] quit

 

(5) Configure the authentication domain dm2

 

# Create an ISP domain named dm2 and enter its view.

 

[AC] domain dm2

 

# Configure the authentication, authorization, and billing scheme for the lan-access user as RADIUS scheme rs1

 

[AC-isp-dm2] authentication lan-access radius-scheme rs1

 

[AC-isp-dm2] authorization lan-access radius-scheme rs1

 

[AC-isp-dm2] accounting lan-access radius-scheme rs1

 

[AC-isp-dm2] quit

 

(6) Configure the authentication domain dm1

 

# Create an ISP domain named dm1 and enter its view.

 

[AC] domain dm1

 

# Configure the AAA authentication method as RADIUS for the Portal user.

 

[AC-isp-dm1] authentication portal radius-scheme rs1

 

# Configure the AAA authorization method as RADIUS for the Portal user.

 

[AC-isp-dm1] authorization portal radius-scheme rs1

 

# Configure the AAA billing method to none for the Portal user, no billing.

 

[AC-isp-dm1] accounting portal none

 

# Specify that the idle cutoff time for users under ISP domain dm1 is 15 minutes, and the traffic generated during the idle cutoff time is 1024 bytes.

 

[AC-isp-dm1] authorization-attribute idle-cut 15 1024

 

[AC-isp-dm1] quit

 

(7) Configuring Portal Authentication

 

# Configure the Portal authentication server with the name newpt, IP address 192.168.0.111, and port 50100 for listening to Portal messages.

 

[AC] portal server newpt

 

[AC-portal-server-newpt] ip 192.168.0.111 key simple portal

 

[AC-portal-server-newpt] port 50100

 

# Configure the Portal authentication server type as CMCC.

 

[AC-portal-server-newpt] server-type cmcc

 

[AC-portal-server-newpt] quit

 

# Configure the URL of the Portal Web server as http://192.168.0.111:8080/portal.

 

[AC] portal web-server newpt

 

[AC-portal-websvr-newpt] url http://192.168.0.111:8080/portal

 

# Configure the URL of the Portal Web server that the device redirects to the user to carry the parameters ssid, wlanuserip and wlanacname, whose values are the SSID of the AP, the IP address of the user and the AC name respectively (these three parameters are mandatory when interfacing with China Mobile).

 

[AC-portal-websvr-newpt] url-parameter ssid ssid

 

[AC-portal-websvr-newpt] url-parameter wlanuserip source-address

 

[AC-portal-websvr-newpt] url-parameter wlanacname value AC

 

# Configure the Portal Web server type as CMCC.

 

[AC-portal-websvr-newpt] server-type cmcc

 

[AC-portal-websvr-newpt] quit

 

# Configure a Portal free authentication rule based on IPv4 address with number 0 and destination address 192.168.0.111 to release traffic accessing the Portal Web server so that users can access the Portal Web server normally.

 

[AC] portal free-rule 0 destination ip 192.168.0.111 24

 

# Configure a no-authentication rule from the aggregation port to any in order to release traffic coming from the aggregation port.

 

[AC] portal free-rule 1 source interface Bridge-Aggregation 1

 

# Enable the wireless Portal roaming feature.

 

[AC] portal roaming enable

 

# Disable the wireless Portal client ARP table entry solidification function.

 

[AC] undo portal refresh arp enable

 

# Enable the wireless Portal client legitimacy check function.

 

[AC] portal host-check enable

 

# Enable direct mode Portal authentication on wireless service template st1.

 

[AC] wlan service-template st1

 

[AC-wlan-st-st1] portal enable method direct

 

# Configure the incoming Portal user to use the authentication domain as dm1.

 

[AC-wlan-st-st1] portal domain dm1

 

# Reference Portal Web server newpt on wireless service template st1.

 

[AC-wlan-st-st1] portal apply web-server newpt

 

# Configure the source address for portal messages to be sent on wireless service template st1.

 

[AC-wlan-st-st1] portal bas-ip 2.2.2.1

 

[AC-wlan-st-st1] quit

 

(8) Configure MAC authentication

 

# Configure MAC authentication and configure to ignore MAC address authentication results.

 

[AC-wlan-st-st1] client-security authentication-mode mac

 

[AC-wlan-st-st1] client-security ignore-authentication

 

[AC-wlan-st-st1] mac-authentication domain dm2

 

# Enable the wireless service template.

 

[AC-wlan-st-st1] service-template enable

 

[AC-wlan-st-st1] quit

 

3. Configure Switch


# Create VLAN 100 for forwarding traffic within the CAPWAP tunnel between the AC and the AP.

<Switch> system-view

 

[Switch] vlan 100

 

[Switch-vlan100] quit

# Create VLAN 200 for forwarding Client wireless packets.

 

[Switch] vlan 200

 

[Switch-vlan200] quit

 

# Create VLAN 2.

 

[Switch] vlan 2

 

[Switch-vlan2] quit

 

# Configure the GigabitEthernet 1/0/1 interface that the Switch connects to the AC with the attribute Trunk to allow VLAN 100 and VLAN 200 to pass.

 

[Switch] interface gigabitethernet 1/0/1

 

[Switch-GigabitEthernet1/0/1] port link-type trunk

 

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

 

[Switch-GigabitEthernet1/0/1] quit

 

# Configure the GigabitEthernet1/0/2 interface attribute of the Switch connected to the AP to be Access and allow VLAN 100 to pass.

 

[Switch] interface gigabitethernet 1/0/2

 

[Switch-GigabitEthernet1/0/2] port link-type access

 

[Switch-GigabitEthernet1/0/2] port access vlan 100

 

# Enable the PoE function.

 

[Switch-GigabitEthernet1/0/2] poe enable

 

[Switch-GigabitEthernet1/0/2] quit

 

# Configure the GigabitEthernet1/0/3 interface attribute of the Switch connected to the iMC server as Access and allow VLAN 2 to pass.

 

[Switch] interface gigabitethernet 1/0/3

 

[Switch-GigabitEthernet1/0/3] port link-type access

 

[Switch-GigabitEthernet1/0/3] port access vlan 2

 

[Switch-GigabitEthernet1/0/3] quit

 

# Configure the IP address of the VLAN 200 interface.

 

[Switch] interface vlan-interface 200

 

[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0

 

[Switch-Vlan-interface200] quit

 

# Configure the IP address of the VLAN 2 interface.

[Switch] interface vlan-interface 2

 

[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0

 

[Switch-Vlan-interface2] quit


Key Configuration

[AC-wlan-st-st1] client-security authentication-mode mac

[AC-wlan-st-st1] client-security ignore-authentication

0 comments

No comments

Add Comments:

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +

亲~登录后才可以操作哦!

确定

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作