WX series AC + Fit AP: delivering rate limits through Portal authentication (user-profile rate limiting)
I. Network requirements:
WX series AC, Fit AP, a laptop with a wireless NIC, iMC (PLAT, UAM)
II. Network diagram:
In this configuration example the AC is a WX5004 wireless controller running R2308P28. The AC is the AP gateway (Vlan-int2: 192.168.2.1/24) and runs a DHCP server that assigns IP addresses to the Fit AP; its interconnect address (Vlan-int100: 10.153.43.143/24) is used to communicate with iMC. The SW is the client gateway (Vlan-int10: 192.168.10.1/24) and runs a DHCP server that assigns IP addresses to clients; its interconnect address (Vlan-int100: 10.153.43.148/24) is used to communicate with iMC. The AC acts as the access device and performs Portal authentication for users in VLAN 10; iMC at 172.16.100.122 provides the Portal service and the AAA service.
III. Feature description:
The AC, acting as the access device, performs Portal authentication for wireless users whose gateway is on the upstream switch SW. After a client associates to the wireless network, the client begins its configuration.
IV. Configuration files:
1. AC configuration:
#
version 5.20, Release 2308P28
#
sysname AC
#
domain default enable system
#
telnet server enable
#
port-security enable
#
portal server h3c-portal ip 172.16.100.122 key cipher $c$3$uDGtFFtWMQH6VTGbBg3tVMYIv+F00w== url http://172.16.100.122/portal server-type imc
portal free-rule 0 source mac 3822-d6c0-ad73 destination any
#
vlan 1
#
vlan 2
#
vlan 10
#
vlan 100
#
radius scheme portal
server-type extended
primary authentication 172.16.100.122
primary accounting 172.16.100.122
key authentication cipher $c$3$o1jrlBnKIVhr5s6BS5Ck3pV2XGtpFQ==
key accounting cipher $c$3$JvB3TU6DkwokktR2uX/6vl5S+5XWvg==
user-name-format without-domain
#
domain portal
authentication portal radius-scheme portal
authorization portal radius-scheme portal
accounting portal radius-scheme portal
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool pool-ap
network 192.168.2.0 mask 255.255.255.0
gateway-list 192.168.2.1
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$4CSnRqvYBd2xHeUsyDKNVbcG7cL1Q/IT
authorization-attribute level 3
service-type telnet
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-template 1 clear
ssid h3c-portal
bind WLAN-ESS 1
service-template enable
#
user-profile test
qos car inbound any cir 2048 cbs 128000 ebs 0
qos car outbound any cir 2048 cbs 128000 ebs 0
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.2.1 255.255.255.0
#
interface Vlan-interface10
portal server h3c-portal method direct
portal domain portal
portal nas-port-type wireless
portal nas-ip 10.153.43.143
#
interface Vlan-interface100
ip address 10.153.43.143 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan all
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface Ten-GigabitEthernet1/0/5
#
interface WLAN-ESS1
port access vlan 10
#
wlan ap ap01 model WA2220-AG id 1
serial-id 210235A29EB092002600
radio 1
service-template 1
radio enable
radio 2
service-template 1
radio enable
#
ip route-static 172.16.100.122 255.255.255.255 10.153.43.100
#
undo info-center logfile enable
#
snmp-agent
snmp-agent local-engineid 800063A2033CE5A684342E
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
#
dhcp enable
#
user-profile test enable
#
arp-snooping enable
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
#
return
2. SW configuration:
#
version 5.20, Release 2103
#
sysname SW
#
domain default enable system
#
telnet server enable
#
vlan 1
#
vlan 2
#
vlan 10
#
vlan 100
#
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool pool-client
network 192.168.10.0 mask 255.255.255.0
gateway-list 192.168.10.1
#
user-group system
group-attribute allow-guest
#
local-user admin
#
interface NULL0
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface100
ip address 10.153.43.148 255.255.255.0
#
interface Ethernet1/0/1
port link-mode bridge
port access vlan 2
poe enable
#
interface Ethernet1/0/23
port link-mode bridge
port access vlan 100
#
interface Ethernet1/0/24
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
ip route-static 172.16.100.122 255.255.255.255 10.153.43.100
#
dhcp server forbidden-ip 192.168.10.254
#
dhcp enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface aux 0
user-interface vty 0 15
#
return
V. Configuration procedure:
1. AC configuration:
# Create the VLANs, assign VLANs to the Layer 2 port, and configure the VLAN interface IP addresses.
<AC> system-view
[AC] vlan 2
[AC-vlan2] quit
[AC] vlan 10
[AC-vlan10] quit
[AC] vlan 100
[AC-vlan100] quit
[AC] interface GigabitEthernet1/0/1
[AC- GigabitEthernet1/0/1] port link-type trunk
[AC- GigabitEthernet1/0/1] port trunk permit vlan all
[AC] interface Vlan-interface2
[AC-Vlan-interface2] ip address 192.168.2.1 255.255.255.0
[AC-Vlan-interface2] quit
[AC] interface Vlan-interface100
[AC-Vlan-interface100] ip address 10.153.43.143 255.255.255.0
[AC-Vlan-interface100] quit
# Configure the DHCP server.
[AC] dhcp enable
[AC] dhcp server ip-pool pool-ap
[AC-dhcp-pool-pool-ap] network 192.168.2.0 mask 255.255.255.0
[AC-dhcp-pool-pool-ap] gateway-list 192.168.2.1
[AC-dhcp-pool-pool-ap] quit
# Enable ARP snooping so that display wlan client shows the wireless client's IP address. The IP address that display wlan client shows is taken first from the ARP snooping module; if it is not available there, it is taken from the DHCP snooping module; if neither module has it, 0.0.0.0 is shown.
[AC] arp-snooping enable
# Configure a static route.
[AC] ip route-static 172.16.100.122 255.255.255.255 10.153.43.100
# Configure the WLAN-ESS interface.
[AC] interface WLAN-ESS1
[AC-WLAN-ESS1] port access vlan 10
[AC-WLAN-ESS1] quit
# Configure the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid h3c-portal
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure the AP ap01.
[AC] wlan ap ap01 model WA2220-AG
[AC-wlan-ap-ap01] serial-id 210235A29EB092002600
[AC-wlan-ap-ap01] radio 1
[AC-wlan-ap-ap01-radio-1] service-template 1
[AC-wlan-ap-ap01-radio-1] radio enable
[AC-wlan-ap-ap01-radio-1] quit
[AC-wlan-ap-ap01] radio 2
[AC-wlan-ap-ap01-radio-2] service-template 1
[AC-wlan-ap-ap01-radio-2] radio enable
[AC-wlan-ap-ap01-radio-2] quit
[AC-wlan-ap-ap01] quit
# Configure the RADIUS scheme: create a RADIUS scheme named portal.
[AC] radius scheme portal
# Set the server type of the RADIUS scheme. When an iMC server is used, the RADIUS server type must be extended.
[AC-radius-portal] server-type extended
# Configure the primary authentication server and primary accounting server of the RADIUS scheme, together with their shared keys.
[AC-radius-portal] primary authentication 172.16.100.122
[AC-radius-portal] primary accounting 172.16.100.122
[AC-radius-portal] key authentication h3c
[AC-radius-portal] key accounting h3c
# Configure the username sent to the RADIUS server to carry no ISP domain name.
[AC-radius-portal] user-name-format without-domain
[AC-radius-portal] quit
# Configure the authentication domain: create and enter the ISP domain named portal.
[AC] domain portal
[AC-isp-portal] authentication portal radius-scheme portal
[AC-isp-portal] authorization portal radius-scheme portal
[AC-isp-portal] accounting portal radius-scheme portal
# Configure the Portal server: name h3c-portal, IP address 172.16.100.122, key h3c, URL http://172.16.100.122/portal.
[AC] portal server h3c-portal ip 172.16.100.122 key h3c url http://172.16.100.122/portal server-type imc
# Configure a Portal free rule that permits all traffic whose source MAC address is the user gateway MAC (3822-d6c0-ad73).
[AC] portal free-rule 0 source mac 3822-d6c0-ad73 destination any
# Enable Portal authentication on the interface that connects to the users, and specify that Portal users use the authentication domain portal.
[AC] interface Vlan-interface10
[AC-Vlan-interface10] portal server h3c-portal method direct
[AC-Vlan-interface10] portal domain portal
[AC-Vlan-interface10] portal nas-port-type wireless
[AC-Vlan-interface10] portal nas-ip 10.153.43.143
[AC-Vlan-interface10] quit
# Configure SNMP.
[AC] snmp-agent
[AC] snmp-agent community read public
[AC] snmp-agent community write private
[AC] snmp-agent sys-info version all
# Configure the user-profile policy. The policy defines the client's upstream and downstream rate limits; the Portal server references the policy to rate-limit the client.
[AC] user-profile test
[AC-user-profile-test] qos car inbound any cir 2048 cbs 128000 ebs 0
[AC-user-profile-test] qos car outbound any cir 2048 cbs 128000 ebs 0
[AC-user-profile-test] quit
[AC] user-profile test enable
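The user-profile above applies a CAR action in each direction: cir 2048 (committed information rate, kbit/s), cbs 128000 (committed burst size, bytes) and ebs 0 (no excess burst). The following Python model is an added example, not H3C code, to show what those three numbers do to a client's traffic. It assumes two-bucket (RFC 2697 srTCM) semantics, with tokens that overflow the committed bucket spilling into the excess bucket and both buckets starting full; the packet size, offered rates and durations are constructed sample inputs.

```python
"""Token-bucket model of the user-profile CAR action
'qos car inbound any cir 2048 cbs 128000 ebs 0'.

Added example, not H3C code.  Assumptions: CIR in kbit/s, CBS/EBS in bytes,
and RFC 2697 srTCM semantics (overflow from the committed bucket fills the
excess bucket; both buckets start full)."""


class Car:
    def __init__(self, cir_kbps, cbs_bytes, ebs_bytes=0):
        self.cir_bytes_per_s = cir_kbps * 1000 / 8
        self.cbs = cbs_bytes
        self.ebs = ebs_bytes
        self.committed = float(cbs_bytes)   # committed bucket, starts full
        self.excess = float(ebs_bytes)      # excess bucket; ebs 0 disables it
        self.last_t = 0.0

    def offer(self, t, size):
        """Classify one packet of `size` bytes arriving at time t (seconds).
        Returns 'green' (within CIR/CBS), 'yellow' (within EBS) or 'red'
        (exceeds both; dropped by the profile's default action)."""
        # Refill the committed bucket at CIR; overflow spills into the excess bucket.
        self.committed += (t - self.last_t) * self.cir_bytes_per_s
        self.last_t = t
        if self.committed > self.cbs:
            self.excess = min(self.ebs, self.excess + self.committed - self.cbs)
            self.committed = self.cbs
        if size <= self.committed:
            self.committed -= size
            return "green"
        if size <= self.excess:
            self.excess -= size
            return "yellow"
        return "red"


def burst_forwarded(car, packets, pkt_bytes=1500):
    """Number of packets forwarded from a burst that arrives all at once (t = 0)."""
    return sum(car.offer(0.0, pkt_bytes) != "red" for _ in range(packets))


def forwarded_bytes(car, offered_kbps, seconds, pkt_bytes=1500):
    """Offer a constant stream at offered_kbps for `seconds`; return bytes forwarded."""
    interval = pkt_bytes * 8 / (offered_kbps * 1000)   # seconds between packets
    count = int(seconds / interval)
    total = 0
    for i in range(count):
        if car.offer(i * interval, pkt_bytes) != "red":
            total += pkt_bytes
    return total


def achieved_kbps(nbytes, seconds):
    """Average forwarded rate in kbit/s."""
    return nbytes * 8 / 1000 / seconds


if __name__ == "__main__":
    profile = dict(cir_kbps=2048, cbs_bytes=128000, ebs_bytes=0)   # values from the page
    # A client pushing 10 Mbit/s for 10 s gets CIR plus a single CBS burst.
    got = forwarded_bytes(Car(**profile), offered_kbps=10000, seconds=10)
    print(f"offered 10000 kbit/s -> forwarded {achieved_kbps(got, 10):.1f} kbit/s")
    # A client below CIR is untouched.
    got = forwarded_bytes(Car(**profile), offered_kbps=1000, seconds=10)
    print(f"offered 1000 kbit/s  -> forwarded {achieved_kbps(got, 10):.1f} kbit/s")
    # ebs 0 means a burst larger than CBS is cut at CBS; a non-zero EBS extends it.
    print("200-packet burst, ebs 0     :", burst_forwarded(Car(**profile), 200), "forwarded")
    print("200-packet burst, ebs 128000:", burst_forwarded(Car(2048, 128000, 128000), 200), "forwarded")
```

The model shows why the measured rate in a short download test sits slightly above 2048 kbit/s: the 128000-byte committed bucket is full when the session starts, so the first burst passes unshaped and only the steady state is held to CIR. With ebs 0 there is no second bucket, so anything beyond CBS is simply dropped.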
2. SW configuration:
# Create the VLANs, assign VLANs to the Layer 2 ports, and configure the VLAN interface IP addresses.
<SW> system-view
[SW] vlan 2
[SW-vlan2] quit
[SW] vlan 10
[SW-vlan10] quit
[SW] vlan 100
[SW-vlan100] quit
[SW] interface Ethernet1/0/1
[SW-Ethernet1/0/1] port access vlan 2
[SW-Ethernet1/0/1] poe enable
[SW-Ethernet1/0/1] quit
[SW] interface Ethernet1/0/23
[SW-Ethernet1/0/23] port access vlan 100
[SW-Ethernet1/0/23] quit
[SW] interface Ethernet1/0/24
[SW-Ethernet1/0/24] port link-type trunk
[SW-Ethernet1/0/24] port trunk permit vlan all
[SW-Ethernet1/0/24] quit
[SW] interface Vlan-interface10
[SW-Vlan-interface10] ip address 192.168.10.1 255.255.255.0
[SW-Vlan-interface10] quit
[SW] interface Vlan-interface100
[SW-Vlan-interface100] ip address 10.153.43.148 255.255.255.0
[SW-Vlan-interface100] quit
# Configure the DHCP server.
[SW] dhcp enable
[SW] dhcp server ip-pool pool-client
[SW-dhcp-pool-pool-client] network 192.168.10.0 mask 255.255.255.0
[SW-dhcp-pool-pool-client] gateway-list 192.168.10.1
[SW-dhcp-pool-pool-client] quit
[SW] dhcp server forbidden-ip 192.168.10.254
# Configure a static route.
[SW] ip route-static 172.16.100.122 255.255.255.255 10.153.43.100
3. iMC configuration:
# Configure the Portal server.
Log in to the iMC management platform, select the "Service" tab, and click [User Access Management/Portal Server Management/Server Configuration] in the navigation tree. Adjust the parameters to the actual network; this example uses the default settings.
# Configure an IP address group.
Click [Portal Service Management/Portal IP Group Configuration] in the navigation tree to open the Portal IP group configuration page, then click <Add> to open the Add IP Group page. Enter the IP group name h3c-portal, the start address 192.168.10.2 and the end address 192.168.10.254; the IP addresses of the user hosts must fall within this range. Select the service group (this example uses the default "Ungrouped") and set the IP group type to "Normal".
# Add a Portal device.
Click [Portal Service Management/Portal Device Configuration] in the navigation tree to open the Portal device configuration page, then click <Add> to open the Add Device page. Enter the device name WX5004; set the IP address to the NAS-IP that the access device AC uses to communicate with the Portal server, 10.153.43.143; set the key to h3c, matching the configuration on the AC; set the access method to "Directly connected"; leave the other parameters at their defaults.
# Associate the Portal device with the IP address group.
In the device list on the Portal device configuration page, click the <Port Group Information Management> link of the AC to open the port group configuration page.
On the port group configuration page click <Add> to open the Add Port Group page. Enter the port group name h3c-portal and select the IP group h3c-portal; the IP address a user has when accessing the network must belong to the selected IP group. Leave the other parameters at their defaults.
# Configure the access device.
Select the "Resource" tab and click [Resource Management/Add Device] in the navigation tree. Enter the host name or IP address 10.153.43.143, configure the login method according to the actual network, and configure the SNMP, Telnet and SSH parameters.
Select the "Service" tab and click [User Access Management/Access Device Management/Access Device Configuration] in the navigation tree. Click <Add> in the access device list to open the Add Access Device page. Enter the shared key h3c, matching the configuration on the AC.
Click <Select> in the device list to open the Select Devices page, find the device with an exact query on its IP address, add it to <Selected Devices>, and click <OK>.
Click <OK> to complete the access device configuration.
# Service configuration management.
Select the "User" tab and click [Access Policy Management/Access Policy Management] in the navigation tree. Click <Add> in the service list to open the Add Service page. Enter the service name, select "Deliver User Profile" and enter the name of the policy to deliver; leave the other parameters at their defaults.
# Configure the access user.
Select the "User" tab and click [User Management/Add User] in the navigation tree. Enter the user's name and ID number.
Click <Add Access Account> to open the Add Access User page, enter the account name and password, and select the access service h3c-portal.
VI. Verification:
(1) View the client information.
[AC]dis wlan client
Total Number of Clients : 1
Client Information
SSID: h3c-portal
--------------------------------------------------------------------------------
MAC Address User Name APID/RID IP Address VLAN
--------------------------------------------------------------------------------
001e-654c-6708 -NA- 2 /1 192.168.10.2 10
--------------------------------------------------------------------------------
(2) Perform Portal authentication.
(3) Client authentication information on the device:
[WX6108-AC]display connection access-type portal
Index=6 ,Username=portal01@system
MAC=00-1E-65-4C-67-08
IP=192.168.10.2
IPv6=N/A
Total 1 connection(s) matched.
[WX6108-AC]display connection ucibindex 6
Index=6 , Username=portal01@system
MAC=00-1E-65-4C-67-08
IP=192.168.10.2
IPv6=N/A
Access=PORTAL ,AuthMethod=PAP
Port Type=Wireless-802.11,Port Name=Vlan-interface161
Initial VLAN=161, Authorization VLAN=N/A
ACL Group=Disable
User Profile=test
CAR=Disable
Priority=Disable
Start=2013-10-21 14:33:24 ,Current=2013-10-21 14:33:59 ,Online=00h00m34s
Total 1 connection matched.
(4) After authentication succeeds, the client's download speed in a traffic test against the 2MBps limit:
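Step (3) is the check that the rate limit was actually authorized: the session record must show Access=PORTAL and User Profile=test, otherwise the client is online without the limit. The following Python script is an added example, not H3C or iMC code, that parses a display connection ucibindex record (SAMPLE is the output printed in step (3) above) and reports any mismatch against the provisioned profile and account. It assumes the record format of comma-separated key=value pairs, some keys containing spaces, is stable across sessions.

```python
"""Parse 'display connection ucibindex <n>' output and confirm that the Portal
session was authorized with the expected user-profile.

Added example, not H3C or iMC code.  SAMPLE is the record shown on this page;
the key=value layout (comma-separated, keys may contain spaces) is assumed."""
import re

SAMPLE = """Index=6 , Username=portal01@system
MAC=00-1E-65-4C-67-08
IP=192.168.10.2
IPv6=N/A
Access=PORTAL ,AuthMethod=PAP
Port Type=Wireless-802.11,Port Name=Vlan-interface161
Initial VLAN=161, Authorization VLAN=N/A
ACL Group=Disable
User Profile=test
CAR=Disable
Priority=Disable
Start=2013-10-21 14:33:24 ,Current=2013-10-21 14:33:59 ,Online=00h00m34s
Total 1 connection matched.
"""

# One key=value pair, terminated by a comma or end of line; keys such as
# "User Profile" contain a space, values such as the Start timestamp contain spaces.
FIELD = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*([^,]*?)\s*(?:,|$)")


def parse_connection(text):
    """Return {field: value} for one connection record."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:   # skip 'Total 1 connection matched.' and blank lines
            continue
        for key, value in FIELD.findall(line):
            fields[key.strip()] = value.strip()
    return fields


def check_authorization(text, expected_profile, expected_user=None):
    """Return a list of mismatches; an empty list means the session is as provisioned."""
    f = parse_connection(text)
    problems = []
    if f.get("Access") != "PORTAL":
        problems.append(f"access type is {f.get('Access')!r}, expected 'PORTAL'")
    if f.get("User Profile") != expected_profile:
        problems.append(f"user-profile is {f.get('User Profile')!r}, expected {expected_profile!r}")
    # The AC appends the domain to the account name, so compare the part before '@'.
    if expected_user and f.get("Username", "").split("@")[0] != expected_user:
        problems.append(f"username is {f.get('Username')!r}, expected {expected_user!r}")
    return problems


if __name__ == "__main__":
    record = parse_connection(SAMPLE)
    for key in ("Username", "IP", "Access", "User Profile", "Online"):
        print(f"{key:13s} {record.get(key)}")
    for problem in check_authorization(SAMPLE, "test", "portal01") or ["session OK"]:
        print(problem)
```

Running the script against a pasted session record turns the manual inspection of step (3) into a repeatable check; feeding it the output of each session after a change to the iMC service or the user-profile is an easy way to notice a session that came up with no profile at all.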