- Table of Contents
-
- 05-Comware 9 CLI-based configuration examples (AC+fit AP deployment)
- 01-HTTPS Login Configuration Examples
- 02-SSH Configuration Examples
- 03-License Management Configuration Examples
- 04-AP Association with the AC at Layer 2 Configuration Examples
- 05-AP Association with the AC at Layer 2 (IPv6) Configuration Examples
- 06-Auto AP Configuration Examples
- 07-AP Association with the AC at Layer 3 Configuration Examples
- 08-AP Association with the AC at Layer 3 (IPv6) Configuration Examples
- 09-WEP Encryption Configuration Examples
- 10-PSK Encryption Configuration Examples
- 11-WPA3-SAE PSK Encryption Configuration Examples
- 12-WLAN Access (IPv6) Configuration Examples
- 13-Policy-Based Forwarding with Dual Gateways Configuration Examples
- 14-Scheduled Configuration Deployment by AP Group Configuration Examples
- 15-Inter-AC Roaming with Static Client VLAN Allocation Configuration Examples
- 16-Service Template and Radio Binding Configuration Examples
- 17-Scheduled WLAN Access Services Configuration Examples
- 18-Local Portal Authentication Configuration Examples
- 19-HTTPS-Based Local Portal Authentication Configuration Examples
- 20-Remote Portal Authentication Configuration Examples
- 21-Local Portal Authentication through LDAP Server Configuration Examples
- 22-Local Portal Auth and SSID-based Auth Page Pushing Configuration Examples
- 23-Local Portal MAC-Trigger Authentication Configuration Examples
- 24-Portal MAC-Trigger Authentication Configuration Examples
- 25-Local Forwarding Mode and Local Portal MAC-Trigger Auth Configuration Examples
- 26-Local Portal Authentication (IPv6) Configuration Examples
- 27-Local Portal Authentication through LDAP Server (IPv6) Configuration Examples
- 28-Remote Portal Authentication (IPv6) Configuration Examples
- 29-Portal MAC-Trigger Authentication (IPv6) Configuration Example
- 30-Remote Portal Authentication with User Profile Authorization Configuration Examples
- 31-Portal Fail-Permit Configuration Examples
- 32-Local MAC Authentication Configuration Examples
- 33-Remote MAC Authentication Configuration Examples
- 34-Transparent Auth Through Remote MAC and Portal Auth Configuration Examples
- 35-Remote AP, Remote Portal, and MAC-Trigger Authentication Configuration Examples
- 36-MAC Authentication with Guest VLAN Assignment Configuration Examples
- 37-MAC Authentication with Guest VLAN Assignment (IPv6) Configuration Examples
- 38-Local MAC-And-802.1X Authentication Configuration Examples
- 39-Local 802.1X Authentication Configuration Examples
- 40-Local RADIUS-Based 802.1X Authentication in EAP Relay Mode Configuration Examples
- 41-Remote 802.1X Authentication Configuration Examples
- 42-Remote 802.1X Authentication (IPv6) Configuration Examples
- 43-Remote 802.1X Authentication in WPA3-Enterprise Mode Configuration Examples
- 44-802.1X Auth with ACL Assignment Through IMC Server Configuration Examples
- 45-802.1X Auth with User Profile Assignment Through IMC Server Configuration Examples
- 46-EAD Authentication Configuration Examples
- 47-EAD Authentication (IPv6) Configuration Examples
- 48-Local Forwarding Mode and Local Portal Authentication Configuration Examples
- 49-Local Forwarding Mode Direct Portal Authentication Configuration Examples
- 50-Local Forwarding Mode Direct Portal Authentication (IPv6) Configuration Examples
- 51-Local Forwarding Configuration Examples
- 52-Wired Port Local Forwarding through Wireless Terminator Configuration Examples
- 53-Remote AP Configuration Examples
- 54-Downlink VLAN Management for Fit-Mode APs Configuration Examples
- 55-WIPS Configuration Examples
- 56-WIPS Countermeasures Against All SSIDs Configuration Examples
- 57-IP Source Guard (IPv4) Configuration Examples
- 58-IP Source Guard (IPv6) Configuration Examples
- 59-Dual-Link Backup Configuration Examples
- 60-OAuth-Based Portal MAC-Trigger Auth on a Local-Forwarding Dual-Link Backup Configuration Examples
- 61-Dual-Link Backup OAuth-Based Portal Authentication in Local Forwarding Configuration Examples
- 62-Dual-Link Backup Remote Portal MAC-Trigger Authentication in Local Forwarding Configuration Examples
- 63-Dual-Link Backup Remote Portal and Transparent MAC Auth in Local Forwarding Configuration Examples
- 64-Dual-Link Backup Remote Portal Authentication in Local Forwarding Configuration Examples
- 65-Dual-Link Backup Remote Portal and Transparent MAC Auth in Centralized Forwarding Configuration Examples
- 66-Dual-Link Backup Remote Portal Authentication in Centralized Forwarding Configuration Examples
- 67-Dual-Link Backup Lightweight Portal Authentication in Centralized Forwarding Configuration Examples
- 68-Dual-Link Backup OAuth-Based Portal Authentication in Centralized Forwarding Configuration Examples
- 69-Dual-Link Backup Remote Portal MAC-Trigger Auth in Centralized Forwarding Configuration Examples
- 70-Remote 802.1X Authentication on a Dual-Link AC Backup Network Configuration Examples
- 71-Remote MAC Authentication on a Dual-Link AC Backup Network Configuration Examples
- 72-WLAN Probe Configuration Examples
- 73-Multicast Optimization Configuration Examples
- 74-Client Rate Limiting Configuration Examples
- 75-Inter-AC Roaming Configuration Examples
- 76-Inter-AC Roaming (IPv6) Configuration Examples
- 77-Inter-AC Roaming in Local Forwarding Mode Configuration Examples
- 78-H3C Access Controllers Cooperative Roaming for 802.11v Clients Configuration Examples
- 79-WLAN Load Balancing Configuration Examples
- 80-Static Blacklist Configuration Examples
- 81-Client Quantity Control Configuration Examples
- 82-AP License Synchronization Configuration Examples
- 83-BLE Module iBeacon Transmission Configuration Examples
- 84-Medical RFID Tag Management Configuration Examples
- 85-iBeacon Management Configuration Examples
- 86-Mesh Link Establishment Between a Fit AP and a Fat AP Configuration Examples
- 87-Mesh Link Establishment Between Fit APs Configuration Examples
- 88-Auto-DFS and Auto-TPC Configuration Examples
- 89-AP Image Downloading Configuration Examples
- 90-Dual-Uplink Interfaces Configuration Guide
- 91-Internal-to-External Access Through NAT Configuration Examples
- 92-Layer 2 Static Aggregation Configuration Examples
- 93-Layer 2 Multicast Configuration Examples
- 94-Static VLAN Allocation Configuration Examples
- 95-URL Redirection Configuration Examples
- 96-IPv6 URL Redirection Configuration Examples
- Related Documents
-
Title | Size | Download |
---|---|---|
35-Remote AP, Remote Portal, and MAC-Trigger Authentication Configuration Examples | 360.56 KB |
|
H3C Access Controllers |
Remote AP, Remote Portal, and MAC-Trigger Authentication |
Configuration Examples |
|
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Example: Configuring remote AP, remote portal, and MAC-trigger authentication
Editing a configuration file for the AP
Introduction
The following information provides examples for configuring remote AP, remote portal, and MAC-trigger authentication.
Prerequisites
The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of AAA, portal, WLAN, and remote AP.
Example: Configuring remote AP, remote portal, and MAC-trigger authentication
Network configuration
As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server. The IMC server acts as a portal authentication server, a portal Web server, a MAC binding server, and a RADIUS server.
Configure the devices to meet the following requirements:
· The AC provides direct portal authentication for the client. Before passing the authentication, the client can access only the portal Web server. After passing the authentication, the client can access other network resources. If the client goes offline and then attempts to come online again, the client does not need to enter the username and password.
· The client can visit resources in the external network without authentication when the amount of its traffic is less than 1024000 bytes. When the amount of the client's traffic reaches 1024000 bytes, the AC triggers portal MAC-based quick authentication for the client.
· The client can access network resources through any Layer 2 ports in its access VLAN without re-authentication.
· After the AP is disconnected from the AC, the client can access the network without authentication.
· The RADIUS server can dynamically change user authorization information or forcibly disconnect users.
· The AP forwards the client traffic locally.
Analysis
For the client to access network resources through any Layer 2 ports in its access VLAN without re-authentication, enable portal roaming.
For the RADIUS server to dynamically change the user authorization information or forcibly disconnect users, enable the RADIUS session-control feature.
To use GigabitEthernet 1/0/1 on the AP to forward client traffic, edit a .txt configuration file and upload the file to the AC.
To ensure that dynamic user authorization information can be correctly assigned to users after they come online, enable the RADIUS DAS feature.
Restrictions and guidelines
· Use the serial ID labeled on the AP's rear panel to specify an AP.
· Make sure the types of the portal authentication server, portal Web server, and MAC binding server specified on the AC are the same as those actually used. (This example uses CMCC servers.)
· By default, the URL of the portal Web server to which the AC redirects portal users does not carry any parameters. You can add parameters to be carried in the URL as needed.
· If portal authentication is enabled on a VLAN interface, the AC can forward client traffic. If portal authentication is enabled on a service template, both the AC and the AP can forward client traffic. (In this example, portal authentication is enabled on a service template and the AP forwards client traffic locally.)
· The remote AP feature takes effect only when the AP forwards the client traffic locally.
· In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries. To ensure that valid users can perform portal authentication, enable wireless client validity check on the AC.
· If a portal client logs out and then tries to come online frequently in a short time, the client will fail portal authentication. To avoid this problem, disable the Rule ARP entry feature for portal clients.
· Some endpoints by default use random MAC addresses. For transparent MAC authentication to take effect on such an endpoint, disable the endpoint from using a random MAC address.
· As a best practice, use the plaintext form or PSK encryption for traffic if the AP acts as both an authenticator and a forwarder.
Procedures
Configuring IMC
This example uses the IMC server to describe the RADIUS server, portal server, and MAC binding server configuration. The IMC server runs on IMC PLAT 7.1 (E0303p13), IMC EIA 7.1 (F0302p08), and IMC EIP 7.1 (F0302p08).
Configuring the RADIUS server
Add the AC to IMC as an access device:
1. Log in to IMC and click the User tab.
2. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
3. Click Add to open the page as shown in Figure 2.
4. In the Access Configuration area, configure the parameters as follows:
¡ Set the shared key to radius, which must be the same as that on the AC.
¡ Use the default values for other parameters.
5. In the Device List area, click Add Manually to open the Add Access Device Manually page. Enter 2.2.2.1 in the Start IP field and then click OK.
6. Click OK.
Figure 2 Adding the AC as an access device
Configuring the portal server
1. Configure the portal authentication service:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Portal Service > Server to open the portal server configuration page, as shown in Figure 3.
c. Configure the portal server parameters as needed.
This example uses the default values.
d. Click OK.
Figure 3 Portal authentication server configuration
2. Configure an IP address group:
a. From the navigation tree, select User Access Policy > Portal Service > IP Group.
b. Click Add to open the page as shown in Figure 4.
c. Enter the IP group name.
d. Enter the start IP address and end IP address of the IP group.
Make sure the client IP address is in the IP group.
e. Select a service group.
This example uses the default value Ungrouped.
f. From the Action list, select Normal.
g. Click OK.
Figure 4 Adding an IP address group
3. Add a portal device:
a. From the navigation tree, select User Access Policy > Portal Service > Device.
b. Click Add to open the page as shown in Figure 5.
c. Enter the device name.
d. Select CMCC 1.0 for Version.
e. Enter the IP address of the AC's interface connected to the client.
f. Set whether to support the portal server heartbeat and user heartbeat functions.
In this example, select No for both Support Server Heartbeat and Support User Heartbeat.
g. Enter the key, which must be the same as that configured on the AC.
h. Select Directly Connected for Access Method.
i. Use the default settings for other parameters.
j. Click OK.
Figure 5 Adding a portal device
4. Associate the portal device with the IP address group:
a. As shown in Figure 6, click the Port Group icon in the Operation field for device NAS to open the port group configuration page.
b. Click Add to open the page as shown in Figure 7.
c. Enter the port group name.
d. Select the configured IP address group.
The IP address used by the user to access the network must be within this IP address group.
e. Select Supported for Transparent Authentication.
f. Use the default settings for other parameters.
g. Click OK.
5. From the navigation tree, select User Access Policy > Service Parameters > Validate System Configuration to validate the configuration.
Configuring the MAC binding server
1. Add an access policy:
a. From the navigation tree, select User Access Policy > Access Policy.
b. Click Add to open the page as shown in Figure 8.
c. Enter the access policy name.
d. Select a service group.
This example uses the default value Ungrouped.
e. Use the default settings for other parameters.
f. Click OK.
Figure 8 Adding an access policy
2. Add an access service:
a. From the navigation tree, select User Access Policy > Access Service.
b. Click Add to open the page as shown in Figure 9.
c. Enter the service name.
d. Select the Transparent Authentication on Portal Endpoints option.
e. Use the default settings for other parameters.
f. Click OK.
Figure 9 Adding an access service
3. Add an access user:
a. From the navigation tree, select Access User > Access User.
b. Click Add to open the page as shown in Figure 10.
c. Select an existing access user or click Add User to add a new access user.
d. Enter the account name.
e. Set the password.
f. Select access service MAC_server.
g. Use the default settings for other parameters.
h. Click OK.
Figure 10 Adding an access user
4. Configure system parameters:
a. From the navigation tree, select User Access Policy > Service Parameters > System Settings.
b. Click the Configure icon for User Endpoint Settings to open the page as shown in Figure 11.
c. Select whether to enable transparent portal authentication on non-smart devices.
In this example, select Enable for Non-Terminal Authentication.
d. Click OK.
Figure 11 Configuring user endpoint settings
e. Click the Configure icon for Endpoint Aging Time to open the page as shown in Figure 12.
f. Set the endpoint aging time as needed.
This example uses the default value.
g. Click OK.
Figure 12 Setting the endpoint aging time
5. From the navigation tree, select User Access Policy > Service Parameters > Validate to make the configuration take effect.
Editing a configuration file for the AP
# Create a .txt configuration file named map.txt.
# Enter the following content in the file.
System-view
vlan 200
interface gigabitethernet1/0/1
port trunk permit vlan 200
# Upload the file to the AC.
Configuring the AC
1. Configure interfaces on the AC:
# Create VLAN 100 and VLAN-interface 100, and assign an IP address to the VLAN interface. The AC will use this IP address to establish a CAPWAP tunnel with the AP.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 2.2.1.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200 and VLAN-interface 200, and assign an IP address to the VLAN interface. The AC will use VLAN 200 for client access.
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 2.2.2.1 24
[AC-Vlan-interface200] quit
# Configure GigabitEthernet 1/0/1 (the port connected to the switch) as a trunk port and assign the port to VLANs 100 and 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
2. Configure a static route to the IMC server:
[AC] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100
3. Configure a WLAN service:
# Create a service template named st1 and enter its view.
[AC] wlan service-template st1
# Set the SSID of service template st1 to service.
[AC-wlan-st-st1] ssid service
# Assign clients coming online through service template st1 to VLAN 200.
[AC-wlan-st-st1] vlan 200
# Set the PSK AKM mode and configure simple character string of 12345678 as the PSK.
[AC-wlan-st-st1] akm mode psk
[AC-wlan-st-st1] preshared-key pass-phrase simple 12345678
# Set the CCMP cipher suite for frame encryption and enable the RSN IE in beacon and probe responses.
[AC-wlan-st-st1] cipher-suite ccmp
[AC-wlan-st-st1] security-ie rsn
# Use APs to forward client data traffic from VLAN 200. If APs forward client data traffic by default, skip this step.
[AC–wlan-st-st1] client forwarding-location ap vlan 200
# Enable client association at APs and specify APs as authenticators to ensure that new endpoints can come online successfully.
[AC-wlan-st-st1] client association-location ap
[AC-wlan-st-st1] client-security authentication-location ap
[AC-wlan-st-st1] quit
4. Configure AP settings:
IMPORTANT: In a large-scale network, configure AP groups as a best practice. |
# Create an AP named office with model WA6320 and set its serial ID to 219801A28N819CE0002T.
[AC] wlan ap office model WA6320
[AC-wlan-ap-office] serial-id 219801A28N819CE0002T
[AC-wlan-ap-office] quit
# Create AP group group1 and create an AP grouping rule by AP names to add AP office to AP group group1.
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] ap office
# Enable remote AP.
[AC-wlan-ap-group-group1] hybrid-remote-ap enable
# Deploy configuration file map.txt to APs with model WA632 in AP group group1.
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] map-configuration map.txt
# Bind service template st1 to radio 2 in AP group group1.
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1
# Enable radio 2.
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit
[AC-wlan-ap-group-group1-ap-model-WA6320] quit
[AC-wlan-ap-group-group1] quit
5. Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
[AC] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[AC-radius-rs1] primary authentication 192.168.0.111
[AC-radius-rs1] primary accounting 192.168.0.111
[AC-radius-rs1] key authentication simple radius
[AC-radius-rs1] key accounting simple radius
# Configure the AC to remove the domain name from the usernames sent to the RADIUS servers.
[AC-radius-rs1] user-name-format without-domain
# Configure the source IP address for outgoing RADIUS packets as 2.2.2.1.
[AC-radius-rs1] nas-ip 2.2.2.1
[AC-radius-rs1] quit
# Enable RADIUS session-control.
[AC] radius session-control enable
# Enable the RADIUS DAS feature and enter RADIUS DAS view.
[AC] radius dynamic-author server
# Specify a session-control client with IP address 192.168.0.111 and shared key radius in plaintext form.
[AC-radius-da-server] client ip 192.168.0.111 key simple radius
[AC-radius-da-server] quit
6. Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[AC] domain dm1
# Configure the authentication and authorization methods as RADIUS and the accounting method as none in the ISP domain.
[AC-isp-dm1] authentication portal radius-scheme rs1
[AC-isp-dm1] authorization portal radius-scheme rs1
[AC-isp-dm1] accounting portal none
# Set the idle timeout period to 15 minutes and the minimum traffic that must be generated in the idle timeout period to 1024 bytes.
[AC-isp-dm1] authorization-attribute idle-cut 15 1024
[AC-isp-dm1] quit
7. Configure portal authentication:
# Create a portal authentication server.
[AC] portal server newpt
[AC-portal-server-newpt] ip 192.168.0.111 key simple 123456
[AC-portal-server-newpt] port 50100
# Specify CMCC as the type of portal authentication server newpt.
[AC-portal-server-newpt] server-type cmcc
[AC-portal-server-newpt] quit
# Specify http://192.168.0.111:8080/portal as the URL of portal Web server newpt.
[AC] portal web-server newpt
[AC-portal-websvr-newpt] url http://192.168.0.111:8080/portal
# Configure the portal redirection URL to carry the ssid, wlanuserip, and wlanacname parameters, and their values are the wireless SSID, the user's IP address, and the AC's name (required by a CMCC portal Web server).
[AC-portal-websvr-newpt] url-parameter ssid ssid
[AC-portal-websvr-newpt] url-parameter wlanuserip source-address
[AC-portal-websvr-newpt] url-parameter wlanacname value AC
# Specify CMCC as the type of portal Web server newpt.
[AC-portal-websvr-newpt] server-type cmcc
[AC-portal-websvr-newpt] quit
# Configure a portal-free rule numbered 0 to allow portal users to access the portal Web server (whose IP address is 192.168.0.111) without authentication.
[AC] portal free-rule 0 destination ip 192.168.0.111 24
# Configure a portal-free rule to permit traffic from aggregate interface 1.
[AC] portal free-rule 1 source interface Bridge-Aggregation 1
# Configure destination-based portal-free rules to permit traffic destined for the DNS server.
[AC] portal free-rule 2 destination ip any udp 53
[AC] portal free-rule 3 destination ip any tcp 53
# Enable portal roaming.
[AC] portal roaming enable
# Disable the Rule ARP entry feature for portal clients.
[AC] undo portal refresh arp enable
# Enable validity check on wireless portal clients.
[AC] portal host-check enable
# Enable direct portal authentication on service template st1.
[AC] wlan service-template st1
[AC-wlan-st-st1] portal enable method direct
# Specify ISP domain dm1 as the portal authentication domain.
[AC-wlan-st-st1] portal domain dm1
# Specify portal Web server newpt on service template st1 for portal authentication.
[AC-wlan-st-st1] portal apply web-server newpt
[AC-wlan-st-st1] quit
8. Configure MAC-trigger authentication (portal MAC-based quick authentication):
# Create a MAC binding server named mts and enter its view.
[AC] portal mac-trigger-server mts
# Specify 192.168.0.111 as the IP address of MAC binding server mts.
[AC-portal-mac-trigger-server-mts] ip 192.168.0.111
# Specify CMCC as the type of MAC binding server mts.
[AC- mac-trigger-server-mts] server-type cmcc
[AC-portal-mac-trigger-server-mts] quit
# Specify MAC binding server mts on service template st1.
[AC] wlan service-template st1
[AC-wlan-st-st1] portal apply mac-trigger-server mts
# Configure the source IP address for outgoing portal packets as 2.2.2.1.
[AC-wlan-st-st1] portal bas-ip 2.2.2.1
# Enable service template st1.
[AC-wlan-st-st1] service-template enable
[AC-wlan-st-st1] quit
Configuring the switch
# Create VLAN 100. The switch will use this VLAN to forward traffic on the CAPWAP tunnel between the AC and the AP.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
# Create VLAN 200. The switch will use this VLAN to forward client traffic.
[Switch] vlan 200
[Switch-vlan200] quit
# Create VLAN 2. The switch will use this VLAN to connect to the IMC server.
[Switch] vlan 2
[Switch-vlan2] quit
# Configure GigabitEthernet 1/0/1(the port connected to the AC) as a trunk port and assign the port to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 (the port connected to the AP) as a trunk port and assign the port to VLAN 100 and VLAN 200. Set the PVID of the port to VLAN 100.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/2] port trunk pvid vlan 100
# Enable PoE on GigabitEthernet 1/0/2.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 (the port connected to the IMC server) as an access port and assign the access port to VLAN 2.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 2
[Switch-GigabitEthernet1/0/3] quit
# Assign an IP address to VLAN-interface 200.
[Switch] interface vlan-interface 200
[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0
[Switch-Vlan-interface200] quit
# Assign an IP address to VLAN-interface 2.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0
[Switch-Vlan-interface2] quit
Verifying the configuration
# Display information about MAC binding server mts.
[AC] display portal mac-trigger-server name mts
Portal mac trigger server name: mts
Version : 1.0
Server type : CMCC
IP : 192.168.0.111
Port : 50100
VPN instance : Not configured
Aging time : 300 seconds
Free-traffic threshold : 0 bytes
NAS-Port-Type : Not configured
Binding retry times : 3
Binding retry interval : 1 seconds
Authentication timeout : 3 minutes
Excluded attribute list : 1
Local-binding : Disabled
Local-binding aging-time : 12 hours
AAA-fail nobinding : Disabled
A user can perform portal authentication through a Web browser. Before passing portal authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing portal authentication, the user can access other network resources.
For the first portal authentication, the user is required to enter the username and password. When the user goes offline and then accesses the network again, the user does not need to enter the authentication username and password.
# Display information about all portal users.
[AC] display portal user all
Total portal users: 1
Username: Client
AP name: office
Radio ID: 2
SSID: service
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0021-6330-0933 2.2.2.2 200 WLAN-BSS1/0/1
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Configuration files
· AC:
#
vlan 100
#
vlan 200
#
wlan service-template st1
ssid service
vlan 200
client association-location ap
client forwarding-location ap vlan 200
client-security authentication-location ap
akm mode psk
preshared-key pass-phrase cipher $c$3$oLf6pOZ6bxrf25nodjOJKYEfnZ6g6ErccHyQ
cipher-suite ccmp
security-ie rsn
portal enable method direct
portal domain dm1
portal bas-ip 2.2.2.1
portal apply web-server newpt
portal apply mac-trigger-server mts
service-template enable
#
interface Vlan-interface100
ip address 2.2.1.1 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 100 200
#
ip route-static 192.168.0.0 16 2.2.2.100
#
radius session-control enable
#
radius scheme rs1
primary authentication 192.168.0.111
primary accounting 192.168.0.111
key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==
key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==
user-name-format without-domain
nas-ip 2.2.2.1
#
radius dynamic-author server
client ip 192.168.0.111 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==
#
domain dm1
authorization-attribute idle-cut 15 1024
authentication portal radius-scheme rs1
authorization portal radius-scheme rs1
accounting portal none
#
portal host-check enable
portal free-rule 0 destination ip 192.168.0.0 255.255.255.0
portal free-rule 1 source interface Bridge-Aggregation 1
portal free-rule 2 destination ip any udp 53
portal free-rule 3 destination ip any tcp 53
#
portal roaming enable
undo portal refresh arp enable
#
portal web-server newpt
url http://192.168.0.111:8080/portal
server-type cmcc
url-parameter ssid ssid
url-parameter wlanacname value AC
url-parameter wlanuserip source-address
#
portal server newpt
ip 192.168.0.111
server-type cmcc
#
portal mac-trigger-server mts
ip 192.168.0.111 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==
server-type cmcc
#
wlan ap-group group1
ap office
hybrid-remote-ap enable
ap-model WA6320
map-configuration flash:/map.txt
radio 1
radio 2
radio enable
service-template st1
#
wlan ap office model WA6320
serial-id 219801A28N819CE0002T
#
· Switch:
#
vlan 2
#
vlan 100
#
vlan 200
#
interface Vlan-interface2
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 1 100 200
port trunk pvid vlan 100
poe enable
#
interface GigabitEthernet1/0/3
port link-type access
port access vlan 2
#
Related documentation
· AP and WT Management Command Reference in H3C Access Controllers Command References
· AP and WT Management Configuration Guide in H3C Access Controllers Configuration Guides
· User Access and Authentication Command Reference in H3C Access Controllers Command References
· User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN Access Command Reference in H3C Access Controllers Command References
· WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides