如所示,总部通过一台传统AC作为Central AC,分支采用融合AC作为Local AC,Local AC负责管理和接入本地AP和无线客户端。用户的认证授权则由总部Central AC负责,数据流量由AP转发。
具体应用需求如下:
·
·
·
(1)
#普通AC,配置Local AC模板设置角色为Central AC
<AC> system-view
[AC]wlan local-ac name localac1 model WX2540H
#原设备为Local AC角色,去使能Local AC,配置Local AC模板切换角色为Central AC
<AC> system-view
[AC]
[AC]undo wlan local-ac enable
This operation will delete AC hierarchy settings for the local AC. Continue? [Y/
N]:y
[AC]wlan local-ac name localac1 model WX2540H
(2) 设置设备角色为Local AC
#普通AC,使能Local AC功能设置角色为Local AC
[AC]wlan local-ac enable
#原设备为Central AC角色,删除所有Local AC模板,使能Local AC功能切换角色为Local AC
[AC]undo wlan local-ac name localac1
[AC]wlan local-ac enable
# 使用文本文档编辑AP的配置文件,将配置文件命名为map.txt,并将配置文件上传到AC存储介质上。配置文件内容和格式如下:
system-view
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan all
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan all
(1) 配置接口
# 创建VLAN11及其接口,用来与Local AC建立管理通道。
<Central AC> system-view
[Central AC] vlan 11
[Central AC-vlan11] quit
[Central AC] interface vlan-interface 11
[Central AC-Vlan-interface11] ip address 11.1.1.3 16
[Central AC-Vlan-interface11] quit
(2) 配置Central AC管理的Local AC
# 创建名称为3510h-1的Local AC,并进入Local AC视图。
[Central AC] wlan local-ac name 3510h-1 model WX3510H
# 配置Local AC的序列号。
[Central AC-wlan-local-ac-3510h-1] serial-id 210235A1JNB166000078
[Central AC-wlan-local-ac-3510h-1] quit
(3)
· 配置RADIUS方案
# 创建RADIUS方案imc并进入其视图。
[Central AC] radius scheme imc
# 设置主认证RADIUS服务器的IP地址8.1.1.231。
[Central AC-radius-imc] primary authentication 8.1.1.231
# 设置主计费RADIUS服务器的IP地址8.1.1.231。
[Central AC-radius-imc] primary accounting 8.1.1.231
# 设置系统与认证RADIUS服务器交互报文时的共享密钥为12345678。
[Central AC-radius-imc] key authentication simple 12345678
# 设置系统与计费RADIUS服务器交互报文时的共享密钥为12345678。
[Central AC-radius-imc] key accounting simple 12345678
# 设置发送给RADIUS服务器的用户名不携带域名。
[Central AC-radius-imc] user-name-format without-domain
# 设置设备发送RADIUS报文时使用的源IP地址8.183.1.61。
[Central AC-radius-imc] nas-ip 8.183.1.61
[Central AC-radius-imc] quit
· 配置认证域
# 创建imc域并进入其视图。
[Central AC] domain imc
# 为DOT1X用户配置认证方案为RADIUS方案,方案名为imc。
[Central AC-isp-imc] authentication lan-access radius-scheme imc
# 为DOT1X用户配置授权方案为RADIUS方案,方案名为imc。
[Central AC-isp-imc] authorization lan-access radius-scheme imc
# 为DOT1X用户配置计费方案为RADIUS方案,方案名为imc。
[Central AC-isp-imc] accounting lan-access radius-scheme imc
[Central AC-isp-imc] quit
(4)
#配置802.1X认证方式为EAP
[Central AC]dot1x authentication-method eap
(5) 配置Dot1x服务模板
#创建无线服务模板1。
[Central AC]wlan service-template 1
[Central AC -wlan-st-1]ssid qucf-dot1x
#配置DOT1X认证点为Central AC,转发点为AP
[Central AC -wlan-st-1]client-security authentication-location central-ac
[Central AC -wlan-st-1]client forwarding-location ap
#配置用户认证方式为802.1X,ISP域为imc,AKM模式为802.1X,加密套件为CCMP,安全IE为RSN
[Central AC -wlan-st-1]akm mode dot1x
[Central AC -wlan-st-1]cipher-suite ccmp
[Central AC -wlan-st-1]security-ie rsn
[Central AC -wlan-st-1]client-security authentication-mode dot1x
[Central AC -wlan-st-1]dot1x domain imc
#使能服务模板
[Central AC -wlan-st-1]service-template enable
(6) 配置AP模板
# 创建手工AP,名称为ap1,配置序列号为210235A1SVC15C000028。
[Central AC] wlan ap ap1 model WA5620i-ACN
[Central AC-wlan-ap-ap1] serial-id 210235A1SVC15C000028
# 指定AP的配置文件。
[Central AC-wlan-ap-ap1] map-configuration cfa0:/map.txt
# 开启二次发现AC功能。
[Central AC-wlan-ap-ap1] control-address enable
# 手动指定Local AC的IP地址。
[Central AC-wlan-ap-ap1] control-address ip 11.1.1.104
# 将无线服务模板1绑定到Radio 1接口。
[Central AC-wlan-ap-ap1] radio 1
[Central AC-wlan-ap-ap1-radio-1] radio enable
[Central AC-wlan-ap-ap1-radio-1] service-template 1 vlan 20
[Central AC-wlan-ap-ap1-radio-1] quit
(1) 开启Local AC功能
# 开启Local AC功能。
<Local AC> system-view
[Local AC] wlan local-ac enable
# 指定Central AC的IP地址。
[Local AC] wlan central-ac ip 11.1.1.3
# 指定与Central AC建立管理通道的VLAN。
[Local AC] wlan local-ac capwap source-vlan 11
(2)
# 开启DHCP服务。
[Local AC] dhcp enable
# 配置地址池,为AP分配IP地址。
[Local AC] dhcp server ip-pool ap
[Local AC-dhcp-pool-ap] gateway-list 12.0.0.1
[Local AC-dhcp-pool-ap] network 12.0.0.0 mask 255.255.0.0
# 通过option43选项指定AC地址为Central AC地址。
[Local AC-dhcp-pool-ap] option 43 hex 80070000010b010101
[Local AC-dhcp-pool-ap] quit
# 配置地址池,为客户端分配IP地址。
[Local AC] dhcp server ip-pool client
[Local AC-dhcp-pool-ap] gateway-list 20.0.0.1
[Local AC-dhcp-pool-ap] network 20.0.0.0 mask 255.255.0.0
[Local AC-dhcp-pool-ap] quit
(3)
# 创建VLAN11及其接口,Local AC通过此接口上线到Central AC。
[Local AC] vlan 11
[Local AC-vlan11] quit
[Local AC] interface Vlan-interface11
[Local AC-Vlan-interface11] ip address 11.1.1.104 255.255.0.0
[Local AC-Vlan-interface11] quit
# 创建VLAN12及其接口,用于AP上线。
[Local AC] vlan 12
[Local AC-vlan12] quit
[Local AC] interface Vlan-interface12
[Local AC-Vlan-interface12] ip address 12.0.0.1 255.255.0.0
[Local AC-Vlan-interface12] dhcp server apply ip-pool ap
[Local AC-Vlan-interface12] quit
# 创建VLAN20及其接口,用于无线客户端上线。
[Local AC] vlan 20
[Local AC-vlan20] quit
[Local AC] interface Vlan-interface20
[Local AC-Vlan-interface20] ip address 20.0.0.1 255.255.0.0
[Local AC-Vlan-interface20] dhcp server apply ip-pool client
[Local AC-Vlan-interface20] quit
# 在Central AC上可以查看到Local AC是R/M状态,说明Local AC已在Central AC上线。
[Central AC]display wlan local-ac name 3510h-1
Local AC Information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run
AC name ACID State Model Serial ID
3510h-1 1 R/M WX3510H 210235A1JNB166000078
# 在Central AC上可以查看到AP是R/M状态,说明Local AC已经通过二次发现与Central AC建立管理通道。
[Central AC]display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 6144
Remaining APs: 6143
Total AP licenses: 128
Local AP licenses: 128
Server AP licenses: 0
Remaining Local AP licenses: 127
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
ap1 4 R/M WA5620i-ACN 210235A1SVC15C000028
# 在Central AC上可以查看到AP已经连接到Local AC。
[Central AC]display wlan ap-distribution all
Central AC Slot 1 Total Number of APs: 0
Local AC 3510h-1 Total Number of APs: 1
AP name AP ID AP IP AC IP
ap1 4 12.0.0.2 12.0 0.1
# 在Central AC上可以查看到无线客户端已经上线。
[Central AC]display wlan client
Total number of clients: 1
MAC address User name AP name RID IP address VLAN
e49a-dc71-a162 N/A ap1 1 20.0.0.2 20
# 在Central AC上可以查看到用户已经DOT1X认证成功。
[Central AC] dis dot1x connection
Total connections: 1
User MAC address : e49a-dc71-a162
AP name : ap1
Radio ID : 1
SSID : qucf-dot1x
BSSID : 3891-d59a-7960
Username : qucf-1x
Authentication domain : imc
IPv4 address : 20.0.0.2
Authentication method : EAP
Initial VLAN : 20
Authorization VLAN : 20
Authorization ACL number : 3000
Authorization user profile : N/A
Termination action : Default
Session timeout period : 86400 s
Online from : 2018/10/22 11:31:18
Online duration : 0h 2m 12s
·
·
·
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作