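Typical configuration for Portal authentication + WEP encryption using the WA1208E with the MA5200F and CAMS (1)
Applicable WA1208E version: E1101
Applicable WA1208E models: WA1208E-G / WA1208E-DG / WA1208E-AG / WA1208E-AGP
Applicable MA5200F version: Version 2.10 RELEASE 7135 (SIMPLE)
Applicable CAMS version: 2.10-R0121 P03
I. Networking requirements
WA1208E, Layer 2 switch, MA5200F, CAMS server, laptop (with an 11b/g wireless NIC and the Windows wireless client installed)
II. Network diagram
The wireless client is set to obtain its IP address automatically.
The CAMS server IP address is 192.168.0.100 and its gateway is 192.168.0.2.
Interface Ethernet1 of the MA5200F connects to CAMS; the interface address is 192.168.0.2.
Interface Ethernet2 of the MA5200F connects to the Layer 2 switch.
The MA5200F assigns client addresses from a local IP address pool.
The WA1208E IP address is 192.168.1.50.
The SSID name is h3c-web and the WEP encryption password is 12345.
III. WA1208E configuration
The WA1208E configuration steps are as follows: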
[H3C] ssid h3c-web
New ssid!
[H3C-ssid-h3c-web] encryption suite wep
[H3C-ssid-h3c-web] encryption wep-default-key-id 1
[H3C] interface Wireless-access 2/1
[H3C-Wireless-access2/1] bind ssid h3c-web
[H3C-Wireless-access2/1] access uplayer
[H3C] interface vlan 1
[H3C-Vlan-interface1] ip address 192.168.1.50 255.255.255.0 immediate
The complete WA1208E configuration is as follows:
#
sysname H3C
#
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
accounting
domain system
radius-scheme system
access-limit disable
state active
idle-cut disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key h3c
local-user admin
password simple wa1208
service-type telnet level 3
service-type web level 2
#
config-file-auto-save-period set 30
cpu-performance-alarm-limit set 100
config-file-auto-save-mode-open
#
web-server max-user-number 5
web-server port 80
#
interface Aux0/0
#
vlan 1
#
interface Vlan-interface1
ip address 192.168.1.50 255.255.255.0 immediate
#
interface Ethernet0/1
#
ssid h3c-web
bind domain system
encryption suite wep 5
#
ssid wa1208e
bind domain system
#
radio module 1
channel 149
encryption wep 1 wep40 ascii 12345
encryption wep 2 wep104 ascii 123456789abcd
encryption wep 3 wep104 ascii h3ch3ch3ch3cw
encryption wep 4 wep40 ascii 1208e
#
radio module 2
channel 11
encryption wep 1 wep40 ascii 12345
encryption wep 2 wep104 ascii 123456789abcd
encryption wep 3 wep104 ascii h3ch3ch3ch3cw
encryption wep 4 wep40 ascii 1208e
#
interface Wireless-access1/1
bind ssid wa1208e
access uplayer
#
interface Wireless-access1/2
#
interface Wireless-access1/3
#
interface Wireless-access1/4
#
interface Wireless-access2/1
bind ssid h3c-web
access uplayer
#
interface Wireless-access2/2
#
interface Wireless-access2/3
#
interface Wireless-access2/4
#
interface Wds1/5
#
interface Wds1/6
#
interface Wds1/7
#
interface Wds1/8
#
interface Wds1/9
#
interface Wds1/10
#
interface Wds1/11
#
interface Wds1/12
#
interface Wds1/13
#
interface Wds1/14
#
interface Wds1/15
#
interface Wds1/16
#
interface Wds1/17
#
interface Wds1/18
#
interface Wds1/19
#
interface Wds1/20
#
interface Wds2/5
#
interface Wds2/6
#
interface Wds2/7
#
interface Wds2/8
#
interface Wds2/9
#
interface Wds2/10
#
interface Wds2/11
#
interface Wds2/12
#
interface Wds2/13
#
interface Wds2/14
#
interface Wds2/15
#
interface Wds2/16
#
interface Wds2/17
#
interface Wds2/18
#
interface Wds2/19
#
interface Wds2/20
#
interface NULL0
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
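A saved configuration like the one above can be checked automatically for the settings a security review would record: the WEP suite, static WEP keys and passwords stored in clear text, Telnet management, and short shared keys. The following is an added example, not part of the original page or of any H3C tool; the rule names, the 16-character threshold and the sample excerpt are assumptions made for illustration.

```python
import re

# Constructed excerpt in the format of the WA1208E listing above.
SAMPLE_CONFIG = """\
#
local-server nas-ip 127.0.0.1 key h3c
local-user admin
password simple wa1208
service-type telnet level 3
#
ssid h3c-web
bind domain system
encryption suite wep 5
#
radio module 1
encryption wep 1 wep40 ascii 12345
encryption wep 2 wep104 ascii 123456789abcd
"""

MIN_SECRET_LEN = 16  # assumption: review threshold chosen for this example

# Rule ids are names made up for this example; patterns match the listing's syntax.
RULES = [
    ("wep-suite", re.compile(r"^encryption suite wep\b")),
    ("wep-static-key", re.compile(r"^encryption wep \d+ wep(40|104) ascii \S+$")),
    ("cleartext-password", re.compile(r"^password simple \S+$")),
    ("telnet-mgmt", re.compile(r"^service-type telnet\b")),
    ("short-shared-key", re.compile(r"\bkey \S{1,%d}$" % (MIN_SECRET_LEN - 1))),
]
# Lines that open a block; later findings are reported under the nearest one.
CONTEXT = re.compile(r"^(ssid|radio module|local-user|interface) ")

def audit(config_text):
    """Return (line number, enclosing block, rule id); secrets are never echoed."""
    findings, context = [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line == "#":          # '#' separates top-level blocks
            context = None
        elif CONTEXT.match(line):
            context = line
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, context, rule_id))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```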
IV. MA5200F configuration
The MA5200F configuration steps are as follows:
1. Create an address pool named dhcplocal
[MA5200F] ip pool dhcplocal local
[MA5200F-ip-pool-dhcplocal] gateway 192.168.1.254 255.255.255.0
[MA5200F-ip-pool-dhcplocal] section 0 192.168.1.100 192.168.1.200
2. Create the authentication scheme auth1 and the accounting scheme acct1
[MA5200F] aaa
[MA5200F-aaa] authentication-scheme auth1
[MA5200F-aaa-authen-auth1] authentication-mode radius
[MA5200F] aaa
[MA5200F-aaa] accounting-scheme acct1
[MA5200F-aaa-accounting-acct1] accounting-mode radius
3. Configure the RADIUS authentication server
[MA5200F] radius-server group radius1
[MA5200F-radius-radius1] radius-server authentication 192.168.0.100 1812
[MA5200F-radius-radius1] radius-server accounting 192.168.0.100 1813
[MA5200F-radius-radius1] radius-server key h3c
[MA5200F-radius-radius1] radius-server type portal
4. Configure the web authentication server
[MA5200F] web-auth-server 192.168.0.100 key h3c
5. Configure the pre-authentication domain default0
[MA5200F-aaa-domain-default0] ip-pool first dhcplocal
[MA5200F-aaa-domain-default0] ucl-group 1
[MA5200F-aaa-domain-default0] web-server 192.168.0.100
[MA5200F-aaa-domain-default0] web-server url http://192.168.0.100/portal
6. Configure the domain isp used during authentication
[MA5200F] aaa
[MA5200F-aaa] domain isp
[MA5200F-aaa-domain-isp] authentication-scheme auth1
[MA5200F-aaa-domain-isp] accounting-scheme acct1
[MA5200F-aaa-domain-isp] radius-server group radius1
[MA5200F-aaa-domain-isp] eap-end chap
7. Configure the system ACL policy
[MA5200F] acl number 3000 match-order auto
[MA5200F-acl-adv-3000] rule user-net permit ip source 1 destination 192.168.0.100 0
[MA5200F-acl-adv-3000] rule net-user permit ip source 192.168.0.100 0 destination 1
[MA5200F-acl-adv-3000] rule user-net deny ip source 1
[MA5200F] access-group 3000
8. Configure the VLAN port
[MA5200F] portvlan ethernet 2 vlan 0 2
[MA5200F-ethernet2-2-vlan0-1] access-type layer2-subscriber
[MA5200F-ethernet2-2-vlan0-1] default-domain authentication isp
[MA5200F-ethernet2-2-vlan0-1] authentication-method web
9. Configure the uplink interface
[MA5200F] portvlan ethernet 1 vlan 0 1
[MA5200F-ethernet1-1-vlan0-0] access-type interface
[MA5200F] interface Ethernet 1.0
[MA5200F-Ethernet1.0] ip address 192.168.0.2 255.255.255.0
The complete MA5200F configuration is as follows:
#
version 7135
sysname MA5200F
#
system language-mode english
#
web-auth-server version v2
web-auth-server 192.168.0.100 port 50100 key h3c
#
radius-server group radius1
radius-server key h3c
radius-server authentication 192.168.0.100 1812
radius-server accounting 192.168.0.100 1813
radius-server type portal
undo radius-server user-name domain-included
radius-server traffic-unit kbyte
radius-server group login
#
undo trap-statistics 70f2000
undo trap-statistics 70f2001
undo trap-statistics 70f2002
undo trap-statistics 70f2003
undo trap-statistics 70f2004
undo trap-statistics 70f2005
undo trap-statistics 70f2008
undo trap-statistics 70f2009
undo trap-statistics 70f200c
undo trap-statistics 70f200d
undo trap-statistics 70f200e
undo trap-statistics 70f200f
undo trap-statistics 70f2017
undo trap-statistics 70f2018
undo trap-statistics 70f201c
undo trap-statistics 70f201d
undo trap-statistics 7032000
undo trap-statistics 7032001
undo trap-statistics 7032002
#
interface Ethernet1
#
interface Ethernet1.0
ip address 192.168.0.2 255.255.255.0
#
interface Ethernet2
#
interface Ethernet3
#
interface Ethernet4
#
interface Ethernet5
#
interface Ethernet6
#
interface Ethernet7
#
interface Ethernet8
#
interface Ethernet9
#
interface Ethernet10
#
interface Ethernet11
#
interface Ethernet12
#
interface Ethernet13
#
interface Ethernet14
#
interface Ethernet15
#
interface Ethernet16
#
interface Ethernet17
#
interface Ethernet18
#
interface Ethernet19
#
interface Ethernet20
#
interface Ethernet21
#
interface Ethernet22
#
interface Ethernet23
#
interface Ethernet24
#
interface GigabitEthernet25
#
interface GigabitEthernet26
#
interface NULL0
#
interface LoopBack0
#
interface Nm-Ethernet0
#
acl number 3000 match-order auto
rule 1 net-user permit ip source 192.168.0.100 0 destination 1
rule 0 user-net permit ip source 1 destination 192.168.0.100 0
rule 4 user-net deny ip source 1
#
l2tp-group 1
#
ip pool dhcplocal local
gateway 192.168.1.254 255.255.255.0
section 0 192.168.1.100 192.168.1.200
#
dot1x-template 1
#
aaa
authentication-scheme auth1
accounting-scheme acct1
domain default0
web-server 192.168.0.100
web-server url http://192.168.0.100/portal
ucl-group 1
ip-pool dhcplocal
domain isp
authentication-scheme auth1
accounting-scheme acct1
radius-server group radius1
eap-end chap
#
local-aaa-server
local-accounting alarm-threshold flash 100
#
access-group 3000
#
user-interface con 0
user-interface vty 0 4
#
portvlan ethernet 1 vlan 0 1
access-type interface
portvlan ethernet 2 vlan 0 2
access-type layer2-subscriber
default-domain authentication isp
authentication-method web
#
return
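V. CAMS configuration
1. In the CAMS system, under "System Management >> System Configuration >> Access Device Configuration >> Add Configuration Item", configure as shown in the figure below.
·Make sure the MA5200F IP address falls within the configured start and end IP address range (for example, 192.168.0.2 is within 192.168.0.1 - 192.168.0.254).
·Make sure the shared key matches the radius-server configuration on the MA5200F (h3c in this example).
·Make sure the port list matches the radius-server configuration on the MA5200F (1812,1813 in this example).
2. In the CAMS system, under "Service Management >> Service Configuration >> Add Service", configure as shown in the figure below. (The service name used in this example is serv1.)
3. In the CAMS system, under "User Management >> Account Users >> Open Account", configure as shown in the figure below. (In this example the account name is test, the password is test, and the corresponding service serv1 is selected.)
4. The PORTAL component in the CAMS system is configured as follows:
The PORTAL server information is shown in the figure below.
Server IP address: 192.168.0.100
PORTAL home page: http://192.168.0.100/portal
The device information is shown in the figure below.
IP address: 192.168.0.2 (the same as the MA5200F IP address)
Key: h3c (the same as the web-auth-server configuration on the MA5200F)
The IP address group information is shown in the figure below.
The device port group information is shown in the figure below.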
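The consistency requirements in steps 1 and 4 above (device IP inside the access-device range, matching RADIUS shared key and ports, matching portal device IP and key) can be verified before testing with a client. The following is an added example, not part of the original page or of CAMS; the CAMS dictionary field names are assumptions, and the patterns expect configuration lines without leading indentation, as in the listing on this page.

```python
import ipaddress
import re

# Constructed excerpt in the format of the MA5200F listing on this page.
MA5200F_CONFIG = """\
web-auth-server 192.168.0.100 port 50100 key h3c
radius-server group radius1
radius-server key h3c
radius-server authentication 192.168.0.100 1812
radius-server accounting 192.168.0.100 1813
interface Ethernet1.0
ip address 192.168.0.2 255.255.255.0
"""

# Values typed into the CAMS forms; the dictionary field names are assumptions.
CAMS = {"access_range": ("192.168.0.1", "192.168.0.254"), "shared_key": "h3c",
        "ports": (1812, 1813), "portal_device_ip": "192.168.0.2", "portal_key": "h3c"}

def parse_bas(text):
    """Pull the values CAMS must agree with out of the device configuration."""
    def grab(pattern):
        match = re.search(pattern, text, re.M)
        return match.group(1) if match else None
    return {
        "radius_key": grab(r"^radius-server key (\S+)$"),
        "auth_port": grab(r"^radius-server authentication \S+ (\d+)$"),
        "acct_port": grab(r"^radius-server accounting \S+ (\d+)$"),
        "portal_key": grab(r"^web-auth-server \S+ .*\bkey (\S+)$"),
        "uplink_ip": grab(r"^interface Ethernet1\.0\nip address (\S+) "),
    }

def mismatches(bas, cams):
    """List every point where the two sides disagree (empty list = consistent)."""
    missing = sorted(k for k, v in bas.items() if v is None)
    if missing:
        return ["not found in device config: " + ", ".join(missing)]
    problems = []
    low, high = (ipaddress.ip_address(a) for a in cams["access_range"])
    if not low <= ipaddress.ip_address(bas["uplink_ip"]) <= high:
        problems.append("device IP outside access-device range")
    if bas["radius_key"] != cams["shared_key"]:
        problems.append("RADIUS shared key differs")
    if (int(bas["auth_port"]), int(bas["acct_port"])) != tuple(cams["ports"]):
        problems.append("RADIUS port list differs")
    if bas["uplink_ip"] != cams["portal_device_ip"]:
        problems.append("portal device IP differs")
    if bas["portal_key"] != cams["portal_key"]:
        problems.append("portal key differs")
    return problems
```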
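VI. Wireless client settings
1. In the Windows wireless client, choose to connect to the SSID h3c-web and enter the password 12345 when prompted. After the client connects successfully it obtains an IP address automatically, as shown in the figure below.
2. Enter http://192.168.0.100 in the IE browser; the following authentication page appears.
3. Enter the user name and password on the authentication page; after authentication succeeds the following prompt appears.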