WX系列AC本地portal实现终端账号SSID绑定典型配置
使用无线控制器本地portal认证时,为满足特定账号访问特定网络的需求,需要在SSID与账号之间建立绑定关系。组网设备:WX3010E无线控制器、WA2610H-GN无线接入点、无线便携机。
#
# Global settings of the WX3010E access controller (software 5.20, Release 3507P22).
version 5.20, Release 3507P22
#
sysname WX3010E
#
# ISP domain "system" is the default domain for users who log in without naming one.
domain default enable system
#
# NOTE(review): Telnet carries management logins in cleartext. Prefer SSH where the
# platform and deployment allow it, or confine Telnet to a dedicated management network.
telnet server enable
#
port-security enable
#
# Local portal server: the AC itself serves the login page on 2.1.1.1, which is the
# address of Vlan-interface2 in this configuration.
portal server local ip 2.1.1.1 server-type imc
# Free-rule 0 lets unauthenticated clients reach 8.8.8.8, the DNS server handed out by
# DHCP pool "sta".
# NOTE(review): the rule matches on destination IP only; no protocol or port is restricted.
portal free-rule 0 source ip any destination ip 8.8.8.8 mask 255.255.255.255
# Free-rule 1 exempts all traffic arriving on the uplink aggregate from portal authentication.
portal free-rule 1 source interface Bridge-Aggregation1 destination any
# NOTE(review): the login page is served over HTTP, and service templates 1 and 2 in this
# configuration are "clear" (unencrypted), so portal usernames and passwords cross the air
# unprotected. Where supported, use the HTTPS variant of this command with an SSL server policy.
portal local-server http
#
# Presumably the management address of the OAP module in slot 0; it sits in the same /24
# as Vlan-interface1 (192.168.0.100) - confirm against the hardware layout.
oap management-ip 192.168.0.101 slot 0
#
# NOTE(review): with password recovery enabled, the boot-menu recovery functions stay
# available to anyone with console access, so physical access to the device must be controlled.
password-recovery enable
#
# VLANs, ISP domains, DHCP pools and the default user group.
vlan 1
#
# VLANs 2-100 are created, although only VLAN 1, 2 and 10 have Layer-3 interfaces in
# this configuration.
vlan 2 to 100
#
# Domain "123" is defined but not referenced anywhere else in the visible configuration;
# portal authentication on Vlan-interface2 uses domain "system".
domain 123
access-limit disable
state active
idle-cut disable
self-service-url disable
# No authentication scheme lines are shown for this domain, so it presumably falls back
# to the platform default (local authentication against the local-user entries) - confirm.
domain system
access-limit disable
state active
# NOTE(review): with idle-cut disabled, the domain does not log out idle portal sessions.
idle-cut disable
self-service-url disable
#
# Address pool whose gateway is 10.1.1.1 (Vlan-interface10); by its name, intended for APs.
dhcp server ip-pool ap
network 10.1.1.0 mask 255.255.255.0
gateway-list 10.1.1.1
#
# Address pool for wireless clients: gateway 2.1.1.1 is Vlan-interface2, where portal is
# enabled, and the DNS server 8.8.8.8 is the address opened by portal free-rule 0.
dhcp server ip-pool sta
network 2.1.1.0 mask 255.255.255.0
gateway-list 2.1.1.1
dns-list 8.8.8.8
#
user-group system
group-attribute allow-guest
#
# Local accounts. 123 and 456 are portal-only accounts, each authorized with a user
# profile that permits exactly one SSID; admin is the Telnet management account.
# NOTE(review): the cipher-form passwords below appear in a published configuration.
# Treat them as disclosed and set fresh passwords on any real device built from this example.
local-user 123
password cipher $c$3$pRM0WKwHI9tYwduRnBAnYvSjvC0InQ==
# NOTE(review): level 3 is the highest command level on this platform. This account has
# service-type portal only, so the level presumably has no effect - confirm, and drop the
# line if it is not needed (least privilege).
authorization-attribute level 3
# Binds the account to user profile h3c123, which permits SSID 000000.
authorization-attribute user-profile h3c123
service-type portal
local-user 456
password cipher $c$3$h3gN6OHs8UlDPsPc+hjhyEi+5WIk1g==
# Same level-3 remark as for account 123.
authorization-attribute level 3
# Binds the account to user profile h3c456, which permits SSID 000001.
authorization-attribute user-profile h3c456
service-type portal
# Management account: level 3, usable for Telnet logins only (see the cleartext-protocol
# caveat that applies to "telnet server enable").
local-user admin
password cipher $c$3$YRktVPOdvU6DLIWGy8vT5aUr1zRtqaaJ
authorization-attribute level 3
service-type telnet
#
# Radio rate sets, the two SSIDs, AP groups and the per-account user profiles.
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
# Service template 1: SSID 000000 on WLAN-ESS 1.
# NOTE(review): "clear" means no link-layer encryption; access control rests on portal
# authentication alone, and client traffic on this SSID is readable over the air.
wlan service-template 1 clear
ssid 000000
bind WLAN-ESS 1
service-template enable
#
# Service template 2: SSID 000001 on WLAN-ESS 2, also unencrypted.
wlan service-template 2 clear
ssid 000001
bind WLAN-ESS 2
service-template enable
#
wlan ap-group default-ap
#
wlan ap-group default_group
ap ap1
#
# User profiles carry the SSID restriction: a user authorized with h3c123 is permitted
# on SSID 000000 only, a user authorized with h3c456 on SSID 000001 only.
user-profile h3c123
wlan permit-ssid 000000
user-profile h3c456
wlan permit-ssid 000001
#
# Uplink aggregate, Layer-3 interfaces, WLAN-ESS interfaces and the AP definition.
# NOTE(review): the trunks below permit every VLAN. Only VLAN 1, 2 and 10 have interfaces
# in this configuration; limiting the permit list to the VLANs in use narrows the exposure.
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
#
interface NULL0
#
# 192.168.0.100/24 - same subnet as the OAP management address 192.168.0.101.
interface Vlan-interface1
ip address 192.168.0.100 255.255.255.0
#
# Client gateway and portal enforcement point: direct-method local portal is enabled here
# and portal users are authenticated in ISP domain "system".
interface Vlan-interface2
ip address 2.1.1.1 255.255.255.0
portal server local method direct
portal domain system
#
# Gateway of DHCP pool "ap" (10.1.1.0/24).
interface Vlan-interface10
ip address 10.1.1.1 255.255.255.0
#
# Member ports of aggregation group 1 (Bridge-Aggregation1).
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
# NOTE(review): both WLAN-ESS interfaces put clients into VLAN 2, so the two SSIDs share
# one subnet. The account-to-SSID binding is enforced at authentication time by the user
# profiles; it is not a network segmentation boundary between the two user populations.
interface WLAN-ESS1
port access vlan 2
#
interface WLAN-ESS2
port access vlan 2
#
# AP ap1 (model WA2610H-GN) is registered by serial number; radio 1 advertises both
# service templates, i.e. both SSIDs.
# NOTE(review): a real device serial is shown here; replace it with the serial of the
# AP actually deployed.
wlan ap ap1 model WA2610H-GN id 2
serial-id 219801A0FH9136Q00266
radio 1
service-template 1
service-template 2
radio enable
#
# Global enables and the login lines.
dhcp enable
#
# The page lists enabling the user profiles as its own configuration step; presumably
# the permit-ssid restriction is not applied until the profile is enabled - confirm.
user-profile h3c123 enable
user-profile h3c456 enable
#
arp-snooping enable
#
# NOTE(review): no authentication-mode is shown for the console line, which suggests the
# platform default applies - confirm that console access is authenticated or physically secured.
user-interface con 0
# VTY lines use scheme (username/password via AAA) authentication.
# NOTE(review): "user privilege level 3" sets the highest command level on the VTY lines;
# confirm that every account allowed to log in here is meant to have full management rights.
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
# Key steps of this example, repeated from the full configuration.
# Configure local portal authentication.
# NOTE(review): the portal page is served over HTTP and the SSIDs in this example are
# unencrypted, so portal credentials are sent in cleartext; use the HTTPS variant with an
# SSL server policy where supported.
portal server local ip 2.1.1.1 server-type imc
portal free-rule 0 source ip any destination ip 8.8.8.8 mask 255.255.255.255
portal free-rule 1 source interface Bridge-Aggregation1 destination any
portal local-server http
# Create the user profiles; each one permits a single SSID.
user-profile h3c123
wlan permit-ssid 000000
user-profile h3c456
wlan permit-ssid 000001
# Create the portal local users and passwords, and bind each user to its user profile.
# NOTE(review): these cipher-form passwords are published sample values; set fresh
# passwords on any real device. Level 3 is the highest command level and is presumably
# not needed for portal-only accounts - confirm before copying.
local-user 123
password cipher $c$3$pRM0WKwHI9tYwduRnBAnYvSjvC0InQ==
authorization-attribute level 3
authorization-attribute user-profile h3c123
service-type portal
local-user 456
password cipher $c$3$h3gN6OHs8UlDPsPc+hjhyEi+5WIk1g==
authorization-attribute level 3
authorization-attribute user-profile h3c456
service-type portal
# Enable the user profiles.
user-profile h3c123 enable
user-profile h3c456 enable
STA接入SSID 000000时,使用账号123可以通过认证,使用账号456认证失败;STA接入SSID 000001时,使用账号123认证失败,使用账号456认证通过。这是因为每个账号授权的user-profile只通过wlan permit-ssid放行了对应的SSID。