H3C WX Series AC: Typical Configuration Case for Delivering a user-profile via Local MAC Authentication
I. Network requirements:
WX series AC, FIT AP, FAT AP, laptop (with a wireless NIC).
II. Network diagram:
In the configuration example shown in the figure above, the AC is a WX5004 wireless controller (IP address 192.168.1.1/24). The clients and the APs obtain their IP addresses from the DHCP server (IP address 192.168.1.1/24). The AC and the APs are directly connected by Ethernet cable; the clients access the network wirelessly.
III. Feature overview:
MAC address authentication is an authentication method that controls a user's network access rights based on the port and the MAC address; it does not require the user to install any client software. As soon as the device first detects a user's MAC address, it starts the authentication for that user, and during the process the user does not need to enter a user name or password manually. In this case, a user-profile delivered during MAC authentication is used to restrict the user to accessing through a specific AP group.
IV. Device configuration:
display version
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2308P10
Comware Platform Software Version COMWAREV500R002B96D323
H3C WX5004 Software Version V200R003B96D123
Copyright (c) 2004-2012 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
Compiled Aug 17 2012 14:38:16, RELEASE SOFTWARE
H3C WX5004 uptime is 0 week, 0 day, 16 hours, 59 minutes
H3C WX5004 with 1 RMI XLR 716 800MHz Processor
1024M bytes DDR2
4M bytes Flash Memory
Config Register points to FLASH
259M bytes CFCard Memory
Hardware Version is Ver.B
CPLD Version is 010
Basic Bootrom Version is 1.10
Extend Bootrom Version is 1.13
[Subslot 0]EWPXM1EXPA0 Hardware Version is Ver.B
#
version 5.20, Release 2308P10
#
sysname WX5004
#
domain default enable system
#
telnet server enable
#
port-security enable
#
mac-authentication domain system
#
vlan 1
#
vlan 2
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool vlan1
network 192.168.1.0 mask 255.255.255.0
gateway-list 192.168.1.1
expired day 0 hour 2
#
dhcp server ip-pool vlan2
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.1
expired day 0 hour 2
#
user-group system
group-attribute allow-guest
#
local-user 0c771a5027b7
password simple 0c771a5027b7
authorization-attribute level 3
authorization-attribute user-profile h3c
service-type lan-access
local-user 5cac4c918140
password simple 5cac4c918140
authorization-attribute level 3
service-type lan-access
local-user admin
password cipher $c$3$AuF7b+i09ifHBB6uQtGc14bJIr4v15uE
authorization-attribute level 3
service-type telnet
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 clear
ssid H3C
bind WLAN-ESS 1
service-template enable
#
wlan ap-group 1
ap ap1
#
user-profile h3c
wlan permit-ap-group 1
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface Ten-GigabitEthernet1/0/5
#
interface WLAN-ESS1
port access vlan 2
port-security port-mode mac-authentication
#
wlan ap ap1 model WA2620i-AGN id 1
serial-id 219801A0CNC124004764
radio 1
radio 2
service-template 1
#
wlan ap ap2 model WA2620 id 2
serial-id 219801A0D1C123023703
radio 1
radio 2
service-template 1
radio enable
#
undo info-center logfile enable
#
dhcp server forbidden-ip 192.168.1.1
dhcp server forbidden-ip 192.168.2.1
#
dhcp enable
#
user-profile h3c enable
#
arp-snooping enable
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
#
return
V. Key configuration points:
# Configure an AP group and add the APs that are allowed to access it
[WX5004]wlan ap-group 1
[WX5004-ap-group1]ap ap1
# Configure the user-profile for MAC-authenticated users, add the permitted AP group, and enable the user-profile
[WX5004]user-profile h3c
[WX5004-user-profile-h3c]wlan permit-ap-group 1
[WX5004-user-profile-h3c]quit
[WX5004]user-profile h3c enable
# Create the local users and bind the user-profile
[WX5004]local-user 0c771a5027b7
[WX5004-luser-0c771a5027b7]password simple 0c771a5027b7
[WX5004-luser-0c771a5027b7]authorization-attribute level 3
[WX5004-luser-0c771a5027b7]authorization-attribute user-profile h3c
[WX5004-luser-0c771a5027b7]service-type lan-access
[WX5004-luser-0c771a5027b7]quit
[WX5004]local-user 5cac4c918140
[WX5004-luser-5cac4c918140]password simple 5cac4c918140
[WX5004-luser-5cac4c918140]authorization-attribute level 3
[WX5004-luser-5cac4c918140]service-type lan-access
[WX5004-luser-5cac4c918140]quit
#
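The three stanzas above (AP group, user-profile, local users named after the client MAC) are a small, repetitive pattern that is easy to get wrong by hand, for instance by spelling the same MAC two ways or binding a user-profile before its AP group exists. The following added example (not from the H3C case document) generates them from an allow-list and performs those consistency checks first. It reuses the case's names (ap1, ap-group 1, user-profile h3c, the two STA MACs); the function names and the dictionary layout are the example's own. As in the case, the local-user name and password are both the 12-hex-digit MAC, which is the form Comware uses for MAC authentication; the `authorization-attribute level 3` line from the case is omitted because a privilege level only applies to login users, not to lan-access users.

```python
"""Added example: emit Comware V5 local MAC-authentication stanzas with a
user-profile that limits a client to one AP group. Not the H3C case's own
code; names below mirror the case, the structure is the example's."""
import re
from typing import Optional

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits, the form the case uses for
    the local-user name ('0c77-1a50-27b7' -> '0c771a5027b7'). Accepts '-',
    ':' or '.' separators and rejects anything that is not 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_config(ap_groups: dict, profiles: dict, clients: dict) -> list:
    """Return configuration lines.
    ap_groups: group id -> list of AP names
    profiles:  user-profile name -> permitted AP group id
    clients:   MAC -> user-profile name, or None for 'authenticate only,
               no AP restriction' (like user 5cac4c918140 in the case)."""
    lines = []
    for gid, aps in ap_groups.items():
        lines.append(f"wlan ap-group {gid}")
        lines.extend(f" ap {ap}" for ap in aps)
        lines.append("#")
    for name, gid in profiles.items():
        if gid not in ap_groups:  # profile would permit a group that is never defined
            raise ValueError(f"user-profile {name} references unknown ap-group {gid}")
        lines += [f"user-profile {name}", f" wlan permit-ap-group {gid}", "#"]
    seen = set()
    for mac, profile in clients.items():
        user = normalize_mac(mac)
        if user in seen:  # same device listed twice under different spellings
            raise ValueError(f"duplicate MAC {user}")
        seen.add(user)
        if profile is not None and profile not in profiles:
            raise ValueError(f"client {user} references unknown user-profile {profile}")
        # As in the case: user name and password are both the MAC.
        lines += [f"local-user {user}", f" password simple {user}"]
        if profile is not None:
            lines.append(f" authorization-attribute user-profile {profile}")
        lines.append(" service-type lan-access")
    lines.append("#")
    # A user-profile takes effect only after it is enabled, which must follow
    # its definition (the case does 'quit' and then 'user-profile h3c enable').
    for name in profiles:
        lines += [f"user-profile {name} enable", "#"]
    return lines


if __name__ == "__main__":
    cfg = build_config({1: ["ap1"]}, {"h3c": 1},
                       {"0c77-1a50-27b7": "h3c", "5cac-4c91-8140": None})
    print("\n".join(cfg))
```

Running the module prints the stanzas for the case's two clients; feeding it a second spelling of an already listed MAC raises instead of silently creating a second local-user for the same device.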
VI. Verification:
1. AP1 is added to ap-group 1 and AP2 is not. When STA1 (MAC address 0c77-1a50-27b7) accesses the WLAN, user-profile h3c is applied; when STA2 (MAC address 5cac-4c91-8140) accesses the WLAN, user-profile h3c is not applied.
2. When STA1 and STA2 try to access through AP2: because AP2 is not in ap-group 1 and STA1 is bound to user-profile h3c, STA1 can access the WLAN only through AP1, whereas STA2 can access the WLAN through either AP1 or AP2.
Client access on AP1:
dis wlan client
Total Number of Clients : 2
Client Information
SSID: H3C
---------------------------------------------------------------------
MAC Address User Name APID/RID IP Address VLAN
---------------------------------------------------------------------
0c77-1a50-27b7 0c771a5027b7 1 /2 192.168.2.3 2
5cac-4c91-8140 5cac4c918140 1 /2 192.168.2.2 2
---------------------------------------------------------------------
dis wlan client verbose
Total Number of Clients : 2
Client Information
---------------------------------------------------------------------
MAC Address : 0c77-1a50-27b7
User Name : 0c771a5027b7
AID : 2
AP Name : ap1
Radio Id : 2
SSID : H3C
BSSID : 5866-ba6b-f2d0
Port : WLAN-DBSS1:5
VLAN : 2
State : Running
Power Save Mode : Sleep
Wireless Mode : 11gn
Channel Band-width : 20MHz
SM Power Save Enable : Enabled
SM Power Save Mode : Static
Short GI for 20MHz : Not Supported
Short GI for 40MHz : Not Supported
Support MCS Set : 0,1,2,3,4,5,6,7
BLOCK ACK-TID 0 : BOTH
BLOCK ACK-TID 1 : OUT
QoS Mode : WMM
Listen Interval (Beacon Interval) : 15
RSSI : 53
Rx/Tx Rate : 65/39
Client Type : PRE-RSNA
Authentication Method : Open System
AKM Method : None
4-Way Handshake State : -NA-
Group Key State : -NA-
Encryption Cipher : Clear
Roam Status : Normal
Roam Count : 0
Up Time (hh:mm:ss) : 00:00:13
---------------------------------------------------------------------
Client Information
---------------------------------------------------------------------
MAC Address : 5cac-4c91-8140
User Name : 5cac4c918140
AID : 1
AP Name : ap1
Radio Id : 2
SSID : H3C
BSSID : 5866-ba6b-f2d0
Port : WLAN-DBSS1:5
VLAN : 2
State : Running
Power Save Mode : Active
Wireless Mode : 11gn
Channel Band-width : 20MHz
SM Power Save Enable : Disabled
Short GI for 20MHz : Not Supported
Short GI for 40MHz : Not Supported
Support MCS Set : 0,1,2,3,4,5,6,7
BLOCK ACK-TID 0 : BOTH
QoS Mode : WMM
Listen Interval (Beacon Interval) : 1
RSSI : 81
Rx/Tx Rate : 58.5/39
Client Type : PRE-RSNA
Authentication Method : Open System
AKM Method : None
4-Way Handshake State : -NA-
Group Key State : -NA-
Encryption Cipher : Clear
Roam Status : Intra-AC roam association
Roam Count : 1
Up Time (hh:mm:ss) : 00:00:30
---------------------------------------------------------------------
Client access on AP2:
dis wlan client
Total Number of Clients : 1
Client Information
SSID: H3C
---------------------------------------------------------------------
MAC Address User Name APID/RID IP Address VLAN
---------------------------------------------------------------------
5cac-4c91-8140 5cac4c918140 2 /2 192.168.2.2 2
---------------------------------------------------------------------
dis wlan client ver
Total Number of Clients : 1
Client Information
---------------------------------------------------------------------
MAC Address : 5cac-4c91-8140
User Name : 5cac4c918140
AID : 1
AP Name : ap2
Radio Id : 2
SSID : H3C
BSSID : 5866-ba5e-c6f0
Port : WLAN-DBSS1:3
VLAN : 2
State : Running
Power Save Mode : Active
Wireless Mode : 11gn
Channel Band-width : 20MHz
SM Power Save Enable : Disabled
Short GI for 20MHz : Not Supported
Short GI for 40MHz : Not Supported
Support MCS Set : 0,1,2,3,4,5,6,7
BLOCK ACK-TID 0 : BOTH
BLOCK ACK-TID 1 : OUT
QoS Mode : WMM
Listen Interval (Beacon Interval) : 1
RSSI : 72
Rx/Tx Rate : 65/39
Client Type : PRE-RSNA
Authentication Method : Open System
AKM Method : None
4-Way Handshake State : -NA-
Group Key State : -NA-
Encryption Cipher : Clear
Roam Status : Normal
Roam Count : 0
Up Time (hh:mm:ss) : 00:01:21
---------------------------------------------------------------------
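The verification above is done by reading the `display wlan client` tables by eye. The following added example (not from the H3C case document) turns that check into code: it parses the table format shown above and flags any client that is associated through an AP outside the group its user-profile permits. Seeing such a row in production means the profile was not applied to that user (local-user without the `authorization-attribute user-profile` line, or the profile not enabled), so this is a configuration check rather than just a report. The policy dictionaries are taken from the case (ap1 has AP id 1 and is the only member of ap-group 1; user 0c771a5027b7 is bound to user-profile h3c); both output samples are constructed in the case's table format, the second one showing the state the case says must not occur.

```python
"""Added example: check `display wlan client` output against the AP-group
restriction a user-profile is meant to enforce. Not the H3C case's own
code; the policy values below are taken from the case."""
import re

# One table row: MAC, user name, APID / RID, IP, VLAN. The APID/RID column
# prints as '1 /2' in the case output, so allow spaces around the slash.
_ROW = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_clients(output: str) -> list:
    """Return one dict per client row; header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append({"mac": m[1], "user": m[2], "ap_id": int(m[3]),
                         "radio": int(m[4]), "ip": m[5], "vlan": int(m[6])})
    return rows


def find_violations(rows: list, user_profile: dict, profile_ap_ids: dict) -> list:
    """Return (user, profile, ap_id) for every client whose user-profile does
    not permit the AP it is associated with. Users without a profile (STA2 in
    the case) have no AP restriction and are never reported."""
    bad = []
    for r in rows:
        profile = user_profile.get(r["user"])
        if profile is None:
            continue
        if r["ap_id"] not in profile_ap_ids[profile]:
            bad.append((r["user"], profile, r["ap_id"]))
    return bad


# From the case: local-user -> user-profile, and user-profile -> AP ids in
# its permitted ap-group (ap1 is id 1, the only member of ap-group 1).
USER_PROFILE = {"0c771a5027b7": "h3c"}
PROFILE_AP_IDS = {"h3c": {1}}

# Constructed sample in the case's table format: both STAs on AP id 1 (ap1).
AP1_OUTPUT = """\
Total Number of Clients : 2
Client Information
SSID: H3C
---------------------------------------------------------------------
MAC Address User Name APID/RID IP Address VLAN
---------------------------------------------------------------------
0c77-1a50-27b7 0c771a5027b7 1 /2 192.168.2.3 2
5cac-4c91-8140 5cac4c918140 1 /2 192.168.2.2 2
---------------------------------------------------------------------
"""

# Constructed sample of the state the case says must not occur: STA1 is
# associated through AP id 2 (ap2), which is not in ap-group 1.
BAD_OUTPUT = """\
Total Number of Clients : 2
Client Information
SSID: H3C
---------------------------------------------------------------------
MAC Address User Name APID/RID IP Address VLAN
---------------------------------------------------------------------
0c77-1a50-27b7 0c771a5027b7 2 /2 192.168.2.3 2
5cac-4c91-8140 5cac4c918140 2 /2 192.168.2.2 2
---------------------------------------------------------------------
"""

if __name__ == "__main__":
    for label, out in (("AP1 sample", AP1_OUTPUT), ("bad sample", BAD_OUTPUT)):
        print(label, find_violations(parse_clients(out), USER_PROFILE, PROFILE_AP_IDS))
```

The check keys on the User Name column rather than the MAC column because, with local MAC authentication, the user name is the MAC written as 12 hex digits and is exactly the local-user name the profile is attached to.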