Login
- Table of Contents
-
- 05-Comware 9 CLI-based configuration examples (AC+fit AP deployment)
- 01-HTTPS Login Configuration Examples
- 02-SSH Configuration Examples
- 03-License Management Configuration Examples
- 04-AP Association with the AC at Layer 2 Configuration Examples
- 05-AP Association with the AC at Layer 2 (IPv6) Configuration Examples
- 06-Auto AP Configuration Examples
- 07-AP Association with the AC at Layer 3 Configuration Examples
- 08-AP Association with the AC at Layer 3 (IPv6) Configuration Examples
- 09-WEP Encryption Configuration Examples
- 10-PSK Encryption Configuration Examples
- 11-WPA3-SAE PSK Encryption Configuration Examples
- 12-WLAN Access (IPv6) Configuration Examples
- 13-Policy-Based Forwarding with Dual Gateways Configuration Examples
- 14-Scheduled Configuration Deployment by AP Group Configuration Examples
- 15-Inter-AC Roaming with Static Client VLAN Allocation Configuration Examples
- 16-Service Template and Radio Binding Configuration Examples
- 17-Scheduled WLAN Access Services Configuration Examples
- 18-Local Portal Authentication Configuration Examples
- 19-HTTPS-Based Local Portal Authentication Configuration Examples
- 20-Remote Portal Authentication Configuration Examples
- 21-Local Portal Authentication through LDAP Server Configuration Examples
- 22-Local Portal Auth and SSID-based Auth Page Pushing Configuration Examples
- 23-Local Portal MAC-Trigger Authentication Configuration Examples
- 24-Portal MAC-Trigger Authentication Configuration Examples
- 25-Local Forwarding Mode and Local Portal MAC-Trigger Auth Configuration Examples
- 26-Local Portal Authentication (IPv6) Configuration Examples
- 27-Local Portal Authentication through LDAP Server (IPv6) Configuration Examples
- 28-Remote Portal Authentication (IPv6) Configuration Examples
- 29-Portal MAC-Trigger Authentication (IPv6) Configuration Example
- 30-Remote Portal Authentication with User Profile Authorization Configuration Examples
- 31-Portal Fail-Permit Configuration Examples
- 32-Local MAC Authentication Configuration Examples
- 33-Remote MAC Authentication Configuration Examples
- 34-Transparent Auth Through Remote MAC and Portal Auth Configuration Examples
- 35-Remote AP, Remote Portal, and MAC-Trigger Authentication Configuration Examples
- 36-MAC Authentication with Guest VLAN Assignment Configuration Examples
- 37-MAC Authentication with Guest VLAN Assignment (IPv6) Configuration Examples
- 38-Local MAC-And-802.1X Authentication Configuration Examples
- 39-Local 802.1X Authentication Configuration Examples
- 40-Local RADIUS-Based 802.1X Authentication in EAP Relay Mode Configuration Examples
- 41-Remote 802.1X Authentication Configuration Examples
- 42-Remote 802.1X Authentication (IPv6) Configuration Examples
- 43-Remote 802.1X Authentication in WPA3-Enterprise Mode Configuration Examples
- 44-802.1X Auth with ACL Assignment Through IMC Server Configuration Examples
- 45-802.1X Auth with User Profile Assignment Through IMC Server Configuration Examples
- 46-EAD Authentication Configuration Examples
- 47-EAD Authentication (IPv6) Configuration Examples
- 48-Local Forwarding Mode and Local Portal Authentication Configuration Examples
- 49-Local Forwarding Mode Direct Portal Authentication Configuration Examples
- 50-Local Forwarding Mode Direct Portal Authentication (IPv6) Configuration Examples
- 51-Local Forwarding Configuration Examples
- 52-Wired Port Local Forwarding through Wireless Terminator Configuration Examples
- 53-Remote AP Configuration Examples
- 54-Downlink VLAN Management for Fit-Mode APs Configuration Examples
- 55-WIPS Configuration Examples
- 56-WIPS Countermeasures Against All SSIDs Configuration Examples
- 57-IP Source Guard (IPv4) Configuration Examples
- 58-IP Source Guard (IPv6) Configuration Examples
- 59-Dual-Link Backup Configuration Examples
- 60-OAuth-Based Portal MAC-Trigger Auth on a Local-Forwarding Dual-Link Backup Configuration Examples
- 61-Dual-Link Backup OAuth-Based Portal Authentication in Local Forwarding Configuration Examples
- 62-Dual-Link Backup Remote Portal MAC-Trigger Authentication in Local Forwarding Configuration Examples
- 63-Dual-Link Backup Remote Portal and Transparent MAC Auth in Local Forwarding Configuration Examples
- 64-Dual-Link Backup Remote Portal Authentication in Local Forwarding Configuration Examples
- 65-Dual-Link Backup Remote Portal and Transparent MAC Auth in Centralized Forwarding Configuration Examples
- 66-Dual-Link Backup Remote Portal Authentication in Centralized Forwarding Configuration Examples
- 67-Dual-Link Backup Lightweight Portal Authentication in Centralized Forwarding Configuration Examples
- 68-Dual-Link Backup OAuth-Based Portal Authentication in Centralized Forwarding Configuration Examples
- 69-Dual-Link Backup Remote Portal MAC-Trigger Auth in Centralized Forwarding Configuration Examples
- 70-Remote 802.1X Authentication on a Dual-Link AC Backup Network Configuration Examples
- 71-Remote MAC Authentication on a Dual-Link AC Backup Network Configuration Examples
- 72-WLAN Probe Configuration Examples
- 73-Multicast Optimization Configuration Examples
- 74-Client Rate Limiting Configuration Examples
- 75-Inter-AC Roaming Configuration Examples
- 76-Inter-AC Roaming (IPv6) Configuration Examples
- 77-Inter-AC Roaming in Local Forwarding Mode Configuration Examples
- 78-H3C Access Controllers Cooperative Roaming for 802.11v Clients Configuration Examples
- 79-WLAN Load Balancing Configuration Examples
- 80-Static Blacklist Configuration Examples
- 81-Client Quantity Control Configuration Examples
- 82-AP License Synchronization Configuration Examples
- 83-BLE Module iBeacon Transmission Configuration Examples
- 84-Medical RFID Tag Management Configuration Examples
- 85-iBeacon Management Configuration Examples
- 86-Mesh Link Establishment Between a Fit AP and a Fat AP Configuration Examples
- 87-Mesh Link Establishment Between Fit APs Configuration Examples
- 88-Auto-DFS and Auto-TPC Configuration Examples
- 89-AP Image Downloading Configuration Examples
- 90-Dual-Uplink Interfaces Configuration Guide
- 91-Internal-to-External Access Through NAT Configuration Examples
- 92-Layer 2 Static Aggregation Configuration Examples
- 93-Layer 2 Multicast Configuration Examples
- 94-Static VLAN Allocation Configuration Examples
- 95-URL Redirection Configuration Examples
- 96-IPv6 URL Redirection Configuration Examples
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 67-Dual-Link Backup Lightweight Portal Authentication in Centralized Forwarding Configuration Examples | 410.90 KB |
|
|
|
H3C Access Controllers |
|
Dual-Link Backup OAuth-Based Portal Authentication in Centralized Forwarding |
|
Configuration Examples |
|
|
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Introduction
The following information provides an example for configuring OAuth-based portal authentication in a dual-link backup network enabled with centralized forwarding.
Prerequisites
The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of WLAN high availability, AAA, portal, and WLAN access.
Example: Configuring OAuth-based portal authentication for dual-link AC backup and centralized forwarding
Network configuration
As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server. The IMC server acts as the portal authentication server, portal Web server, and RADIUS server.
Configure the devices to meet the following requirements:
· Before passing portal authentication, the client can access only the portal Web server. After passing the authentication, the client can access other network resources.
· The AC forwards all the client traffic.
· The client can access network resources through any Layer 2 ports in its access VLAN without re-authentication.
· The IMC server can dynamically modify user authorization information and log off clients.
Analysis
· To allow an authenticated user to access network resources on any Layer 2 ports in its access VLAN without re-authentication, you must enable the portal roaming feature.
· To avoid possible authentication failure caused by frequent logins and logouts of portal clients in a short time, disable the Rule ARP entry feature.
· To allow the RADIUS server to modify user authorization information and log off users, enable the RADIUS session-control feature.
· For dual-link backup to operate correctly, you must configure manual AP or auto AP settings on both ACs. This ensures that the AP can establish CAPWAP tunnels with both ACs.
· For MAC-trigger authentication to use Oauth, you must execute the cloud-binding enable command.
Restrictions and guidelines
When you configure OAuth-based portal authentication for dual-link AC backup and centralized forwarding, follow these restrictions and guidelines:
· Use the actual serial ID of an AP to uniquely identify that AP.
· If you configure manual APs, make sure the manual APs configured on the two ACs have the same AP name and identifier (serial ID or MAC address).
· For portal-free rules to take effect, you must configure DNS on the ACs.
· Some clients are enabled with MAC randomization by default, which might cause seamless roaming failures. As a best practice, disable MAC randomization.
Procedures
Configuring AC 1
1. Configure AC interfaces:
# Create VLAN 100 and VLAN-interface 100. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.
<AC1> system-view
[AC1] vlan 100
[AC1-vlan100] quit
[AC1] interface vlan-interface 100
[AC1-Vlan-interface100] ip address 2.2.1.1 24
[AC1-Vlan-interface100] quit
# Create VLAN 200 and VLAN-interface 200. Assign the VLAN interface an IP address. This VLAN will be used for wireless client access.
[AC1] vlan 200
[AC1-vlan200] quit
[AC1] interface vlan-interface 200
[AC1-Vlan-interface200] ip address 2.2.2.1 24
[AC1-Vlan-interface200] quit
# Configure GigabitEthernet 1/0/1 that connects the AC to the switch as a trunk port, and assign it to VLAN 1, VLAN 100, and VLAN 200.
[AC1] interface gigabitethernet 1/0/1
[AC1-GigabitEthernet1/0/1] port link-type trunk
[AC1-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC1-GigabitEthernet1/0/1] quit
2. Configure a static route to the IMC server.
[AC1] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100
3. Configure DNS server settings. (Details not shown.)
4. Configure wireless services:
# Create service template st1 and enter its view.
[AC1] wlan service-template st1
# Specify the SSID as service.
[AC1-wlan-st-st1] ssid service
# Assign clients coming online through the service template to VLAN 200.
[AC1-wlan-st-st1] vlan 200
# Specify the AKM mode as PSK, and configure the preshared key as 12345678 in plain text.
[AC1-wlan-st-st1] akm mode psk
[AC1-wlan-st-st1] preshared-key pass-phrase simple 12345678
# Specify the cipher suite as CCMP and the security IE as RSN.
[AC1-wlan-st-st1] cipher-suite ccmp
[AC1-wlan-st-st1] security-ie rsn
# Configure the AC to forward client traffic. (Skip this step if the client data traffic forwarder is the AC by default.)
[AC1-wlan-st-st1] client forwarding-location ac
[AC1-wlan-st-st1] quit
5. Configure the AP:
|
|
NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice. |
# Create an AP named office, and specify the AP model and serial ID.
[AC1] wlan ap office model WA6320
[AC1-wlan-ap-office] serial-id 219801A28N819CE0002T
[AC1-wlan-ap-office] quit
# Create AP group group1 and add AP office to AP group group1.
[AC1] wlan ap-group group1
[AC1-wlan-ap-group-group1] ap office
# Set the AP connection priority to 7.
[AC1-wlan-ap-group-group1] priority 7
# Specify AC 2 as the backup AC for AC 1. Set the backup AC address as the IP address of VLAN-interface 100 on AC 2.
[AC1-wlan-ap-group-group1] backup-ac ip 2.2.1.2
# Enable master CAPWAP tunnel preemption.
[AC1-wlan-ap-group-group1] wlan tunnel-preempt enable
# Bind service template st1 to radio 2 in AP group group1.
[AC1-wlan-ap-group-group1] ap-model WA6320
[AC1-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC1-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1
# Enable radio 2.
[AC1-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC1-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit
[AC1-wlan-ap-group-group1-ap-model-WA6320] quit
[AC1-wlan-ap-group-group1] quit
6. Configure portal authentication:
# Create domain dm1 and enter its view.
[AC1] domain dm1
# Configure the authentication, authorization, and accounting methods as none for portal users.
[AC1-isp-dm1] authentication portal none
[AC1-isp-dm1] authorization portal none
[AC1-isp-dm1] accounting portal none
[AC1-isp-dm1] quit
# Create a portal Web server named newpt, specify the server's URL as http://192.168.0.111/wsmAuth/protocol, and specify the server type as OAuth.
[AC1] portal web-server newpt
[AC1-portal-websvr-newpt] url http://192.168.0.111:8080/wsmAuth/protocol
[AC1-portal-websvr-newpt] server-type oauth
# Enable the optimized captive-bypass feature for iOS users.
[AC1-portal-websvr-newpt] captive-bypass ios optimize enable
[AC1-portal-websvr-newpt] quit
# Create an HTTP-based local portal Web service and enter its view.
[AC1] portal local-web-server http
[AC1-portal-local-websvr-http] quit
# Configure destination-based portal-free rule to permit traffic to the DNS server.
[AC1] portal free-rule 2 destination ip any udp 53
[AC1] portal free-rule 3 destination ip any tcp 53
# Configure portal safe-redirect to reduce the workload of the authentication server.
[AC1] portal safe-redirect enable
[AC1] portal safe-redirect method get post
[AC1] portal safe-redirect user-agent CaptiveNetworkSupport
[AC1] portal safe-redirect user-agent MicroMessenger
[AC1] portal safe-redirect user-agent Mozilla
[AC1] portal safe-redirect user-agent WeChat
[AC1] portal safe-redirect user-agent iPhone
[AC1] portal safe-redirect user-agent micromessenger
# Specify the NAS-ID. Make sure the NAS-ID is the same as the ID in file iMC\client\conf\wiportal\conf.properties.
[AC1] wlan global-configuration
[AC1-wlan-global-configuration] nas-id wiportal
[AC1-wlan-global-configuration] quit
# Set the user synchronization interval to 60 seconds for portal authentication using OAuth.
[AC1] portal oauth user-sync interval 60
# Configure a destination-based portal-free rule: specify the rule number as 0 and IP address as 192.168.0.111. This rule allows users to reach the portal Web server.
[AC1] portal free-rule 0 destination ip 192.168.0.111 32
# Configure a destination-based portal-free rule: specify the rule number as 1 and IP address as 2.2.2.1. This rule allows users to reach AC 1.
[AC1] portal free-rule 1 destination ip 2.2.2.1 32
# Configure a destination-based portal-free rule: specify the rule number as 4 and IP address as 2.2.2.2. This rule allows users to reach AC 2.
[AC1] portal free-rule 4 destination ip 2.2.2.2 32
# Enable intra-VLAN roaming for portal users.
[AC1] portal roaming enable
# Disable the Rule ARP entry feature for portal clients.
[AC1] undo portal refresh arp enable
# Enable RADIUS session control.
[AC1] radius session-control enable
# Enable direct IPv4 portal authentication for service template st1.
[AC1] wlan service-template st1
[AC1-wlan-st-st1] portal enable method direct
# Configure the authentication domain for IPv4 portal users as dm1 on service template st1.
[AC1-wlan-st-st1] portal domain dm1
# Apply portal Web server newpt to service template st1.
[AC1-wlan-st-st1] portal apply web-server newpt
# Enable portal temporary pass and set the temporary pass period to 300 seconds.
[AC1-wlan-st-st1] portal temp-pass period 300 enable
# On the service template, configure the BAS-IP attribute as 2.2.2.1 for portal packets sent to the portal authentication server.
[AC1-wlan-st-st1] portal bas-ip 2.2.2.1
7. Configure MAC-based quick portal authentication:
# Create MAC binding server mts and enter its view.
[AC1] portal mac-trigger-server mts
# Specify the IP address of the MAC binding server as 192.168.0.111.
[AC1-portal-mac-trigger-server-mts] ip 192.168.0.111
# Enable cloud MAC-trigger authentication.
[AC1-portal-mac-trigger-server-mts] cloud-binding enable
[AC1-portal-mac-trigger-server-mts] quit
# Specify MAC binding server mts on service template st.
[AC1] wlan service-template st1
[AC1-wlan-st-st1] portal apply mac-trigger-server mts
# Enable the service template.
[AC1–wlan-st-st1] service-template enable
[AC1-wlan-st-st1] quit
Configuring AC 2
1. Configure AC interfaces:
# Create VLAN 100 and VLAN-interface 100. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.
<AC2> system-view
[AC2] vlan 100
[AC2-vlan100] quit
[AC2] interface vlan-interface 100
[AC2-Vlan-interface100] ip address 2.2.1.2 24
[AC2-Vlan-interface100] quit
# Create VLAN 200 and VLAN-interface 200. Assign the VLAN interface an IP address. This VLAN will be used for wireless client access.
[AC2] vlan 200
[AC2-vlan200] quit
[AC2] interface vlan-interface 200
[AC2-Vlan-interface200] ip address 2.2.2.2 24
[AC2-Vlan-interface200] quit
# Configure GigabitEthernet 1/0/1 that connects the AC to the switch as a trunk port, and assign it to VLAN 1, VLAN 100, and VLAN 200.
[AC2] interface gigabitethernet 1/0/1
[AC2-GigabitEthernet1/0/1] port link-type trunk
[AC2-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC2-GigabitEthernet1/0/1] quit
2. Configure a static route to the IMC server.
[AC2] ip route-static 192.168.0.0 255.255.0.0 2.2.2.100
3. Configure DNS server settings. (Details not shown.)
4. Configure wireless services:
# Create service template st1 and enter its view.
[AC2] wlan service-template st1
# Specify the SSID as service.
[AC2-wlan-st-st1] ssid service
# Assign clients coming online through the service template to VLAN 200.
[AC2-wlan-st-st1] vlan 200
# Specify the AKM mode as PSK, and configure the preshared key as 12345678 in plain text.
[AC2-wlan-st-st1] akm mode psk
[AC2-wlan-st-st1] preshared-key pass-phrase simple 12345678
# Specify the cipher suite as CCMP and the security IE as RSN.
[AC2-wlan-st-st1] cipher-suite ccmp
[AC2-wlan-st-st1] security-ie rsn
# Configure the AC to forward client traffic. (Skip this step if the client data traffic forwarder is the AC by default.)
[AC2-wlan-st-st1] client forwarding-location ac
[AC2-wlan-st-st1] quit
5. Configure the AP:
|
|
NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice. |
# Create an AP named office, and specify the AP model and serial ID.
[AC2] wlan ap office model WA6320
[AC2-wlan-ap-office] serial-id 219801A28N819CE0002T
[AC2-wlan-ap-office] quit
# Create AP group group1 and add AP office to AP group group1.
[AC2] wlan ap-group group1
[AC2-wlan-ap-group-group1] ap office
# Set the AP connection priority to 6.
[AC2-wlan-ap-group-group1] priority 6
# Specify AC 1 as the backup AC for AC 2. Set the backup AC address as the IP address of VLAN-interface 100 on AC 1.
[AC2-wlan-ap-group-group1] backup-ac ip 2.2.1.1
# Enable master CAPWAP tunnel preemption.
[AC2-wlan-ap-group-group1] wlan tunnel-preempt enable
# Bind service template st1 to radio 2 in AP group group1.
[AC2-wlan-ap-group-group1] ap-model WA6320
[AC2-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC2-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1
# Enable radio 2.
[AC2-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC2-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit
[AC2-wlan-ap-group-group1-ap-model-WA6320] quit
[AC2-wlan-ap-group-group1] quit
6. Configure portal authentication:
# Create domain dm1 and enter its view.
[AC2] domain dm1
# Configure the authentication, authorization, and accounting methods as none for portal users.
[AC2-isp-dm1] authentication portal none
[AC2-isp-dm1] authorization portal none
[AC2-isp-dm1] accounting portal none
[AC2-isp-dm1] quit
# Create a portal Web server named newpt, specify the server's URL as http://192.168.0.111/wsmAuth/protocol, and specify the server type as OAuth.
[AC2] portal web-server newpt
[AC2-portal-websvr-newpt] url http://192.168.0.111:8080/wsmAuth/protocol
[AC2-portal-websvr-newpt] server-type oauth
# Enable the optimized captive-bypass feature for iOS users.
[AC2-portal-websvr-newpt] captive-bypass ios optimize enable
[AC2-portal-websvr-newpt] quit
# Create an HTTP-based local portal Web service and enter its view.
[AC2] portal local-web-server http
[AC2-portal-local-websvr-http] quit
# Configure destination-based portal-free rule to permit traffic to the DNS server.
[AC2] portal free-rule 2 destination ip any udp 53
[AC2] portal free-rule 3 destination ip any tcp 53
# Configure portal safe-redirect to reduce the workload of the authentication server.
[AC2] portal safe-redirect enable
[AC2] portal safe-redirect method get post
[AC2] portal safe-redirect user-agent CaptiveNetworkSupport
[AC2] portal safe-redirect user-agent MicroMessenger
[AC2] portal safe-redirect user-agent Mozilla
[AC2] portal safe-redirect user-agent WeChat
[AC2] portal safe-redirect user-agent iPhone
[AC2] portal safe-redirect user-agent micromessenger
# Specify the NAS-ID. Make sure the NAS-ID is the same as the ID in file iMC\client\conf\wiportal\conf.properties.
[AC2] wlan global-configuration
[AC2-wlan-global-configuration] nas-id wiportal
[AC2-wlan-global-configuration] quit
# Set the user synchronization interval to 60 seconds for portal authentication using OAuth.
[AC2] portal oauth user-sync interval 60
# Configure a destination-based portal-free rule: specify the rule number as 0 and IP address as 192.168.0.111. This rule allows users to reach the portal Web server.
[AC2] portal free-rule 0 destination ip 192.168.0.111 24
# Configure a destination-based portal-free rule: specify the rule number as 1 and IP address as 2.2.2.1. This rule allows users to reach AC 1.
[AC2] portal free-rule 1 destination ip 2.2.2.1 32
# Configure a destination-based portal-free rule: specify the rule number as 4 and IP address as 2.2.2.2. This rule allows users to reach AC 2.
[AC2] portal free-rule 4 destination ip 2.2.2.2 32
# Enable intra-VLAN roaming for portal users.
[AC2] portal roaming enable
# Disable the Rule ARP entry feature for portal clients.
[AC2] undo portal refresh arp enable
# Enable RADIUS session control.
[AC2] radius session-control enable
# Enable direct IPv4 portal authentication for service template st1.
[AC2] wlan service-template st1
[AC2-wlan-st-st1] portal enable method direct
# Configure the authentication domain for IPv4 portal users as dm1 on service template st1.
[AC2-wlan-st-st1] portal domain dm1
# Apply portal Web server newpt to service template st1.
[AC2-wlan-st-st1] portal apply web-server newpt
# Enable portal temporary pass and set the temporary pass period to 300 seconds.
[AC2-wlan-st-st1] portal temp-pass period 300 enable
# On the service template, configure the BAS-IP attribute as 2.2.2.1 for portal packets sent to the portal authentication server.
[AC2-wlan-st-st1] portal bas-ip 2.2.2.2
7. Configure MAC-based quick portal authentication:
# Create MAC binding server mts and enter its view.
[AC2] portal mac-trigger-server mts
# Specify the IP address of the MAC binding server as 192.168.0.111.
[AC2-portal-mac-trigger-server-mts] ip 192.168.0.111
# Enable cloud MAC-trigger authentication.
[AC2-portal-mac-trigger-server-mts] cloud-binding enable
[AC2-portal-mac-trigger-server-mts] quit
# Specify MAC binding server mts on service template st.
[AC2] wlan service-template st1
[AC2-wlan-st-st1] portal apply mac-trigger-server mts
# Enable the service template.
[AC2–wlan-st-st1] service-template enable
[AC2-wlan-st-st1] quit
Configuring the switch
# Create VLAN 100 for forwarding CAPWAP tunnel traffic between AC and AP.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
# Create VLAN 200 for forwarding client traffic.
[Switch] vlan 200
[Switch-vlan200] quit
# Create VLAN 2 for forwarding client traffic.
[Switch] vlan 2
[Switch-vlan2] quit
# Add the interface that connects the switch to the IMC server to VLAN 2. (Details not shown.)
# Configure GigabitEthernet 1/0/1 that connects the switch to AC 1 as a trunk port, and assign it to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 that connects the switch to AC 2 as a trunk port, and assign it to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 that connects the switch to the AP as an access port, and assign the interface to VLAN 100.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 100
# Enable PoE on GigabitEthernet 1/0/3.
[Switch-GigabitEthernet1/0/3] poe enable
[Switch-GigabitEthernet1/0/3] quit
# Configure GigabitEthernet 1/0/4 that connects the switch to the DHCP server as a trunk port, and assign the interface to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/4] quit
# Assign an IP address to VLAN-interface 2.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0
[Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 200.
[Switch] interface vlan-interface 200
[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0
[Switch-Vlan-interface200] quit
Configuring the DHCP server
# Configure GigabitEthernet 1/0/1 that connects the server to the switch as a trunk port, and assign the interface to VLAN 100 and VLAN 200.
[DHCP] interface gigabitethernet 1/0/1
[DHCP-GigabitEthernet1/0/1] port link-type trunk
[DHCP-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[DHCP-GigabitEthernet1/0/1] quit
# Assign an IP address to VLAN-interface 100.
[DHCP] interface vlan-interface 100
[DHCP-Vlan-interface100] ip address 2.2.1.200 255.255.255.0
[DHCP-Vlan-interface100] quit
# Assign an IP address to VLAN-interface 200.
[DHCP] interface vlan-interface 200
[DHCP-Vlan-interface200] ip address 2.2.2.200 255.255.255.0
[DHCP-Vlan-interface200] quit
# Enable DHCP.
[DHCP] dhcp enable
# Create a DHCP address pool named VLAN100, specify the DHCP server as the gateway, and exclude AC and DHCP server addresses from dynamic allocation. The server will use this address pool to assign address to the AP.
[DHCP] dhcp server ip-pool VLAN100
[DHCP-dhcp-pool-vlan100] network 2.2.1.0 mask 255.255.255.0
[DHCP-dhcp-pool-vlan100] forbidden-ip 2.2.1.1 2.2.1.2
[DHCP-dhcp-pool-vlan100] quit
# Create a DHCP address pool named VLAN200, specify the switch as the gateway, specify the DNS server address as 8.8.8.8, and exclude AC and DHCP server addresses from dynamic allocation. The server will use this address pool to assign address to the client.
[DHCP] dhcp server ip-pool VLAN200
[DHCP-dhcp-pool-vlan200] gateway-list 2.2.2.100
[DHCP-dhcp-pool-vlan200] network 2.2.2.0 mask 255.255.255.0
[DHCP-dhcp-pool-vlan200] dns-list 8.8.8.8
[DHCP-dhcp-pool-vlan200] forbidden-ip 2.2.2.100 2.2.2.1 2.2.2.2
[DHCP-dhcp-pool-vlan200] quit
Configuring the IMC server
In this example, the IMC server runs IMC PLAT 7.3 (E0605) and IMC IPM 7.3 (E0516).
To configure the IMC server:
1. Add an access user:
a. Log in to IMC and click the Service tab.
b. From the navigation tree, select Intelligent Portal Management > User Management > Users.
c. Click Add to open the Add User page.
d. Enter username Client and password admin@123.
e. Use the default settings for other parameters.
f. Click OK.
Figure 2 Adding an access user
2. Add an authentication page template:
a. From the navigation tree, select Intelligent Portal Management > Page Template List.
b. Click Add to open the Add Theme page.
c. Enter template name theme in the Theme Name field.
d. Use the default settings for other parameters.
e. Click OK to open the page for editing the template.
Figure 3 Adding an authentication page template
f. On the theme page, click
the Authentication icon 
in
the Basic Controls area.
g. Click Edit in authentication edit area, select Other and Account in the Authentication Method area, click OK, and then click Save Page.
h. Use the default settings for other configuration.
i. Click Confirm Release.
3. Add an authentication policy:
a. From the navigation tree, select Intelligent Portal Management > Authentication Policies.
b. Click Add to open the Add Authentication Policy page.
c. Enter authentication policy name policy1, and select theme from the Page Template list.
d. Select a transparent authentication period to enable portal transparent authentication (MAC-trigger authentication).
e. Use the default settings for other parameters.
f. Click OK.
Figure 5 Adding an authentication policy
4. Add a site:
a. From the navigation tree, select Intelligent Portal Management > Site Management.
b. Click Add to open the Add Site page.
c. Enter the site name, the site address, the expected number of clients to be supported, and the telephone number.
d. Click OK.
Figure 6 Adding a site
e. In the Associated APs area, click Add to associate an AP.
f. Enter the serial number and MAC address of the AP.
g. Click OK.
Figure 7 Adding an AP
i. In the Bind Authentication Policy area, click Add to bind the AP to an authentication policy.
j. Select authentication policy policy1.
k. Use the default settings for other parameters.
l. Click OK.
Figure 8 Binding the AP to an authentication policy
Verifying the configuration
# Make the AP come online.
# Verify that the AP state is R/M on AC 1 and R/B on AC 2.
<AC1> display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 10
Remaining APs: 9
Total AP licenses: 10
Local AP licenses: 10
Server AP licenses: 0
Remaining Local AP licenses: 9
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
office 1 R/M WA6320 219801A28N819CE0002T
<AC2> display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 10
Remaining APs: 9
Total AP licenses: 10
Local AP licenses: 10
Server AP licenses: 0
Remaining Local AP licenses: 10
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
office 1 R/B WA6320 219801A28N819CE0002T
# Verify that all Web requests are redirected to the portal authentication page (http://192.168.0.111:8080/portal) before you pass portal authentication, and you can access Internet resources after being authenticated.
# View online port user information generated on the ACs. This example displays the command output on AC 1.
[AC1] display portal user all
Total portal users: 1
Username:client
AP name: office
Radio ID: 2
SSID: service
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
d4bb-c85b-9d3f 2.2.2.3 200 WLAN-BSS1/0/4
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
# Delete portal users from AC 1. Verify that the client can still access the external network.
# Verify that a portal user still exists on AC 1 but the username is the MAC address of the client.
[AC1] display portal user all
Total portal users: 1
Username: D4:BB:C8:5B:9D:3F
AP name: office
Radio ID: 2
SSID: service
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
d4bb-c85b-9d3f 2.2.2.3 200 WLAN-BSS1/0/4
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Configuration files
· AC 1:
#
vlan 100
#
vlan 200
#
wlan service-template st1
ssid service
vlan 200
client forwarding-location ac
akm mode psk
preshared-key pass-phrase cipher $c$3$oLf6pOZ6bxrf25nodjOJKYEfnZ6g6ErccHyQ
cipher-suite ccmp
security-ie rsn
portal enable method direct
portal domain dm1
portal bas-ip 2.2.2.1
portal apply web-server newpt
portal apply mac-trigger-server mts
portal temp-pass period 300 enable
service-template enable
#
interface Vlan-interface100
ip address 2.2.1.1 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.1 255.255.255.0
#
interface gigabitethernet 1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
ip route-static 192.168.0.0 16 2.2.2.100
#
radius session-control enable
#
domain dm1
authentication portal none
authorization portal none
accounting portal none
#
portal free-rule 0 destination ip 192.168.0.111 255.255.255.255
portal free-rule 1 destination ip 2.2.2.1 255.255.255.255
portal free-rule 2 destination ip any udp 53
portal free-rule 3 destination ip any tcp 53
portal free-rule 4 destination ip 2.2.2.2 255.255.255.255
portal safe-redirect enable
portal safe-redirect method get post
portal safe-redirect user-agent CaptiveNetworkSupport
portal safe-redirect user-agent MicroMessenger
portal safe-redirect user-agent Mozilla
portal safe-redirect user-agent WeChat
portal safe-redirect user-agent iPhone
portal safe-redirect user-agent micromessenger
#
portal web-server newpt
url http://192.168.0.111:8080/wsmAuth/protocol
captive-bypass ios optimize enable
service-type oauth
#
portal local-web-server http
#
portal mac-trigger-server mts
ip 192.168.0.111
cloud-binding enable
#
wlan ap-group group1
priority 7
wlan tunnel-preempt enable
backup-ac ip 2.2.1.2
ap office
ap-model WA6320
radio 1
radio 2
radio enable
service-template st1
#
wlan ap office model WA6320
serial-id 219801A28N819CE0002T
#
· AC 2:
#
vlan 100
#
vlan 200
#
wlan service-template st1
ssid service
vlan 200
client forwarding-location ac
akm mode psk
preshared-key pass-phrase cipher $c$3$oLf6pOZ6bxrf25nodjOJKYEfnZ6g6ErccHyQ
cipher-suite ccmp
security-ie rsn
portal enable method direct
portal domain dm1
portal bas-ip 2.2.2.2
portal apply web-server newpt
portal apply mac-trigger-server mts
portal temp-pass period 300 enable
service-template enable
#
interface Vlan-interface100
ip address 2.2.1.2 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.2 255.255.255.0
#
interface gigabitethernet 1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
ip route-static 192.168.0.0 16 2.2.2.100
#
radius session-control enable
#
domain dm1
authentication portal none
authorization portal none
accounting portal none
#
portal free-rule 0 destination ip 192.168.0.111 255.255.255.255
portal free-rule 1 destination ip 2.2.2.1 255.255.255.255
portal free-rule 2 destination ip any udp 53
portal free-rule 3 destination ip any tcp 53
portal free-rule 4 destination ip 2.2.2.2 255.255.255.255
portal safe-redirect enable
portal safe-redirect method get post
portal safe-redirect user-agent CaptiveNetworkSupport
portal safe-redirect user-agent MicroMessenger
portal safe-redirect user-agent Mozilla
portal safe-redirect user-agent WeChat
portal safe-redirect user-agent iPhone
portal safe-redirect user-agent micromessenger
#
portal web-server newpt
url http://192.168.0.111:8080/wsmAuth/protocol
captive-bypass ios optimize enable
service-type oauth
#
portal local-web-server http
#
portal mac-trigger-server mts
ip 192.168.0.111
cloud-binding enable
#
wlan ap-group group1
priority 6
wlan tunnel-preempt enable
backup-ac ip 2.2.1.1
ap office
ap-model WA6320
radio 1
radio 2
radio enable
service-template st1
#
wlan ap office model WA6320
serial-id 219801A28N819CE0002T
#
· Switch:
#
vlan 2
#
vlan 100
#
vlan 200
#
interface Vlan-interface2
ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/3
port link-type access
port access vlan 100
poe enable
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 1 100 200
#
· DHCP server:
#
vlan 100
#
vlan 200
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
interface vlan-interface 100
ip address 2.2.1.200 255.255.255.0
#
interface vlan-interface 200
ip address 2.2.2.200 255.255.255.0
#
dhcp enable
#
dhcp server ip-pool vlan100
network 2.2.1.0 mask 255.255.255.0
forbidden-ip 2.2.1.1
forbidden-ip 2.2.1.2
#
dhcp server ip-pool vlan200
gateway-list 2.2.2.100
network 2.2.2.0 mask 255.255.255.0
dns-list 8.8.8.8
forbidden-ip 2.2.2.1
forbidden-ip 2.2.2.2
forbidden-ip 2.2.2.100
#
Related documentation
· User Access and Authentication Command Reference in H3C Access Controllers Command References
· User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN Access Command Reference in H3C Access Controllers Command References
· WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN High Availability Command Reference in H3C Access Controllers Command References
· WLAN High Availability Configuration Guide in H3C Access Controllers Configuration Guides
