This case covers a headquarters/branch deployment using Central AC networking: branch terminals use local forwarding, and all terminals are authenticated centrally at headquarters.
Branch ACs and APs are managed centrally from headquarters; if the headquarters AC goes down, services already running at the branch are not affected.
IMC-------(2)-S5800-(36)---------(2)-WX5540H-(7)---------(2)-WX3010H-X-(4)--------WA4320-ACN-B
IP plan:
IMC: 192.168.21.15/24, gateway 192.168.21.100
S5800: version 5.20, Release 1211
VLAN 2: 192.168.21.100/24; VLAN 10: 10.0.0.10/24
WX5540H: version 7.1.064, Release 5117P14
VLAN 10: 10.0.0.11/24; VLAN 1: 1.1.1.1/24
WX3010H-X: version 7.1.064, Release 5117P14
VLAN 1: 1.1.1.2/24; VLAN 2: 2.2.2.2/24 (DHCP); VLAN 11: 11.11.11.11 (DHCP)
WX5540H (central AC) main configuration
vlan 1
vlan 10 to 11
wlan service-template 11
ssid IRF
vlan 11
client forwarding-location ap //local forwarding
client-security authentication-location central-ac //centralized authentication on the central AC
akm mode psk
preshared-key pass-phrase cipher $c$3$E6i3YUU+XaT2yxV0h0H1+GOZPb/yHCUX69h1
cipher-suite ccmp
security-ie rsn
portal enable method direct //enable portal under the service template
portal domain zzc
portal bas-ip 10.0.0.11
portal apply web-server zzc
service-template enable
interface Vlan-interface1 //address of the direct link to the local AC
ip address 1.1.1.1 255.255.255.0
interface Vlan-interface10 //address used to communicate with the servers
ip address 10.0.0.11 255.255.255.0
interface GigabitEthernet1/0/2 //interconnect port to the S5800
port link-type trunk
port trunk permit vlan 1 10 to 12
interface GigabitEthernet1/0/7 //port of the direct link to the local AC
snmp-agent
snmp-agent local-engineid 800063A2803897D60A814800000001
snmp-agent community read du
snmp-agent community write private
snmp-agent community read public //SNMP parameters
ip route-static 0.0.0.0 0 10.0.0.10 //route to reach IMC
radius scheme zzc
primary authentication 192.168.21.15
primary accounting 192.168.21.15
key authentication cipher $c$3$n1kPuwa9taMOYf3nYHHElTrNGr94LQ==
key accounting cipher $c$3$ayObl4qXt3iSq4/oY1VrM14eG1w1rg==
user-name-format without-domain
nas-ip 10.0.0.11 //RADIUS scheme pointing at the IMC server
domain zzc
authentication portal radius-scheme zzc
authorization portal radius-scheme zzc
accounting portal radius-scheme zzc //ISP authentication domain
portal host-check enable //check portal user information; used to obtain the client address
portal web-server zzc //portal server redirect URL
url http://192.168.21.15:8080/portal/
url-parameter userip source-address //client parameter carried in the authentication request: source address
#
portal server zzc //portal server
ip 192.168.21.15 key cipher $c$3$3+U3J+sBiSS5EqRUef2Y49rtWUBYOQ==
wlan ap b model WA4320-ACN-B
serial-id 210235A1PRC15B000023
description sis this
map-configuration cfa0:/zzc.txt //push the local-forwarding map file
control-address enable //enable secondary registration
control-address ip 2.2.2.1 //local AC address used for secondary registration
vlan 1
radio 1
radio disable
radio 2
radio enable
service-template 11 //bind the service template
module 1
gigabitethernet 1
wlan local-ac name 3010h model WX3010H-X //local AC template used for registration
serial-id 210235A1VVC165000005
WX3010H-X (local AC) main configuration
vlan 1 //VLAN used to register to the central AC (required)
vlan 2 //AP registration VLAN
vlan 11 //client VLAN
dhcp server ip-pool 2
gateway-list 2.2.2.2
network 2.2.2.0 mask 255.255.255.0
#
dhcp server ip-pool 11
gateway-list 11.11.11.1
network 11.11.11.0 mask 255.255.255.0
#
interface Vlan-interface1 //address of the direct link to the central AC; NAT is enabled here
ip address 1.1.1.2 255.255.255.0
nat outbound 2000
#
interface Vlan-interface2
ip address 2.2.2.2 255.255.255.0
#
interface Vlan-interface11
ip address 11.11.11.1 255.255.255.0
interface Smartrate-Ethernet1/0/2 //port of the direct link to the central AC
interface Smartrate-Ethernet1/0/4 //port the AP comes online through
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 11
port trunk pvid vlan 2
ip route-static 0.0.0.0 0 1.1.1.1 //static route
acl basic 2000 //ACL
rule 0 permit
#
wlan local-ac enable //enable the local AC role of the hierarchical AC feature
#
wlan central-ac ip 1.1.1.1 //central AC address
S5800 main configuration
vlan 2
#
vlan 10
interface Vlan-interface2 //interconnect address to IMC
ip address 192.168.21.100 255.255.255.0
#
interface Vlan-interface10 //interconnect address to the AC
ip address 10.0.0.10 255.255.255.0
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2
interface GigabitEthernet1/0/36 //interconnect port to the AC
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
IMC configuration
1. Add the AC as a resource (bring the AC under management)
2. Add the access device:
3. Add an IP address group:
4. Add the portal device:
5. Under that portal device, add a port group and reference the IP address group:
6. Add an access policy:
7. Add an access service:
8. Add an access user:
Verification:
View online users on IMC:
View the address obtained on the terminal:
When the local AC registers to the central AC and the software versions differ, the version has to be synchronized from the AC, so either upload a local AC image of the same version to the central AC's local storage, or upgrade the local AC directly.
During the test, after a terminal passed authentication it could not ping the gateway address 11.11.11.11. Troubleshooting showed that the AP was not forwarding the ping packets; R&D later determined that this address is a hidden address used internally for WeChat authentication and cannot be used for service traffic. Changing to a different gateway address resolved the problem:
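As an added example (not part of the original case and not an H3C tool), the Python script below runs the consistency checks a reviewer would want before pushing the configuration above: the default route's next hop must be on a connected subnet, portal bas-ip and RADIUS nas-ip must be a local interface address and agree with each other, each DHCP pool's gateway must be an address the local AC owns inside the pool's subnet and must not be the reserved 11.11.11.11 that caused the problem described above, and SNMP community strings are flagged when they are the well-known defaults (public/private) or grant write access, since the central AC config above uses exactly those. It parses constructed copies of the relevant lines only, understands only the commands that appear on this page, and all names in it (parse, check, RESERVED_GATEWAYS, DEFAULT_COMMUNITIES) are the example's own.

```python
"""Pre-deployment consistency checks for the hierarchical-AC configuration.

Added example, not part of the original case or of any H3C tool: it understands
only the handful of Comware commands used on this page and ignores everything
else. Function and constant names are the example's own.
"""
import ipaddress
import re

# Constructed copy of the central AC (WX5540H) lines the checks look at.
CENTRAL_AC_CONFIG = """\
interface Vlan-interface1
 ip address 1.1.1.1 255.255.255.0
interface Vlan-interface10
 ip address 10.0.0.11 255.255.255.0
snmp-agent community read du
snmp-agent community write private
snmp-agent community read public
ip route-static 0.0.0.0 0 10.0.0.10
radius scheme zzc
 nas-ip 10.0.0.11
portal bas-ip 10.0.0.11
"""

# Constructed copy of the local AC (WX3010H-X) lines, with pool 11 deliberately
# using 11.11.11.11 (the gateway the case says the AP would not forward to) so
# that the gateway check has something to report.
LOCAL_AC_CONFIG = """\
dhcp server ip-pool 2
 gateway-list 2.2.2.2
 network 2.2.2.0 mask 255.255.255.0
dhcp server ip-pool 11
 gateway-list 11.11.11.11
 network 11.11.11.0 mask 255.255.255.0
interface Vlan-interface1
 ip address 1.1.1.2 255.255.255.0
interface Vlan-interface2
 ip address 2.2.2.2 255.255.255.0
interface Vlan-interface11
 ip address 11.11.11.1 255.255.255.0
ip route-static 0.0.0.0 0 1.1.1.1
"""

RESERVED_GATEWAYS = {"11.11.11.11"}          # per the case: internal-use address on the AP
DEFAULT_COMMUNITIES = {"public", "private"}  # well-known SNMP defaults


def parse(config: str) -> dict:
    """Collect interface addresses, SNMP communities, route next hops, DHCP pools, NAS/BAS IPs."""
    facts = {"interfaces": {}, "snmp": [], "routes": [], "pools": {}, "nas_ip": None, "bas_ip": None}
    ctx = ("", "")  # current view: ("if", name) or ("pool", name); indented lines belong to it
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            ctx = ("", "")  # a non-indented line leaves the previous view
        if m := re.match(r"interface (\S+)$", line):
            ctx = ("if", m.group(1))
        elif m := re.match(r"dhcp server ip-pool (\S+)$", line):
            ctx = ("pool", m.group(1))
            facts["pools"][m.group(1)] = {}
        elif ctx[0] == "if" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            facts["interfaces"][ctx[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif ctx[0] == "pool" and (m := re.match(r"gateway-list (\S+)$", line)):
            facts["pools"][ctx[1]]["gateway"] = ipaddress.ip_address(m.group(1))
        elif ctx[0] == "pool" and (m := re.match(r"network (\S+) mask (\S+)$", line)):
            facts["pools"][ctx[1]]["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"snmp-agent community (read|write) (\S+)$", line):
            facts["snmp"].append((m.group(1), m.group(2)))
        elif m := re.match(r"ip route-static \S+ \S+ (\S+)$", line):
            facts["routes"].append(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"nas-ip (\S+)$", line):
            facts["nas_ip"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"portal bas-ip (\S+)$", line):
            facts["bas_ip"] = ipaddress.ip_address(m.group(1))
    return facts


def check(config: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    f = parse(config)
    findings = []
    local_ips = {iface.ip for iface in f["interfaces"].values()}
    connected = [iface.network for iface in f["interfaces"].values()]
    # 1. A static route's next hop must lie on a directly connected subnet.
    for nh in f["routes"]:
        if not any(nh in net for net in connected):
            findings.append(f"route next hop {nh} is not on a connected subnet")
    # 2. portal bas-ip and RADIUS nas-ip must be local addresses and must agree,
    #    otherwise IMC cannot match the portal device / access device it was given.
    for label in ("bas_ip", "nas_ip"):
        if f[label] is not None and f[label] not in local_ips:
            findings.append(f"{label} {f[label]} is not configured on any interface")
    if f["bas_ip"] is not None and f["nas_ip"] is not None and f["bas_ip"] != f["nas_ip"]:
        findings.append(f"portal bas-ip {f['bas_ip']} differs from radius nas-ip {f['nas_ip']}")
    # 3. Each DHCP gateway must be an address this AC owns inside the pool's subnet
    #    and must not be an address the AP will not forward user traffic to.
    for name, pool in f["pools"].items():
        gw, net = pool.get("gateway"), pool.get("network")
        if gw is None or net is None:
            findings.append(f"pool {name}: missing gateway-list or network")
            continue
        if str(gw) in RESERVED_GATEWAYS:
            findings.append(f"pool {name}: gateway {gw} is reserved on the AP and will not carry user traffic")
        if gw not in net:
            findings.append(f"pool {name}: gateway {gw} is outside {net}")
        elif gw not in local_ips:
            findings.append(f"pool {name}: gateway {gw} is not configured on any interface")
    # 4. SNMP hygiene: default community strings and community-based write access.
    for access, community in f["snmp"]:
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"snmp {access} community '{community}' is a well-known default")
        if access == "write":
            findings.append(f"snmp write community '{community}' allows configuration changes over SNMPv1/v2c")
    return findings


if __name__ == "__main__":
    for label, cfg in (("central AC", CENTRAL_AC_CONFIG), ("local AC", LOCAL_AC_CONFIG)):
        print(f"== {label}")
        for item in check(cfg) or ["no findings"]:
            print("  " + item)
```

Run as-is, the central AC copy produces three SNMP findings and the local AC copy two findings for pool 11; changing pool 11's gateway to 11.11.11.1 (the VLAN-interface 11 address, as the case did) clears the local AC report.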