- Table of Contents
-
- 05-Comware 9 CLI-based configuration examples (AC+fit AP deployment)
- 01-HTTPS Login Configuration Examples
- 02-SSH Configuration Examples
- 03-License Management Configuration Examples
- 04-AP Association with the AC at Layer 2 Configuration Examples
- 05-AP Association with the AC at Layer 2 (IPv6) Configuration Examples
- 06-Auto AP Configuration Examples
- 07-AP Association with the AC at Layer 3 Configuration Examples
- 08-AP Association with the AC at Layer 3 (IPv6) Configuration Examples
- 09-WEP Encryption Configuration Examples
- 10-PSK Encryption Configuration Examples
- 11-WPA3-SAE PSK Encryption Configuration Examples
- 12-WLAN Access (IPv6) Configuration Examples
- 13-Policy-Based Forwarding with Dual Gateways Configuration Examples
- 14-Scheduled Configuration Deployment by AP Group Configuration Examples
- 15-Inter-AC Roaming with Static Client VLAN Allocation Configuration Examples
- 16-Service Template and Radio Binding Configuration Examples
- 17-Scheduled WLAN Access Services Configuration Examples
- 18-Local Portal Authentication Configuration Examples
- 19-HTTPS-Based Local Portal Authentication Configuration Examples
- 20-Remote Portal Authentication Configuration Examples
- 21-Local Portal Authentication through LDAP Server Configuration Examples
- 22-Local Portal Auth and SSID-based Auth Page Pushing Configuration Examples
- 23-Local Portal MAC-Trigger Authentication Configuration Examples
- 24-Portal MAC-Trigger Authentication Configuration Examples
- 25-Local Forwarding Mode and Local Portal MAC-Trigger Auth Configuration Examples
- 26-Local Portal Authentication (IPv6) Configuration Examples
- 27-Local Portal Authentication through LDAP Server (IPv6) Configuration Examples
- 28-Remote Portal Authentication (IPv6) Configuration Examples
- 29-Portal MAC-Trigger Authentication (IPv6) Configuration Example
- 30-Remote Portal Authentication with User Profile Authorization Configuration Examples
- 31-Portal Fail-Permit Configuration Examples
- 32-Local MAC Authentication Configuration Examples
- 33-Remote MAC Authentication Configuration Examples
- 34-Transparent Auth Through Remote MAC and Portal Auth Configuration Examples
- 35-Remote AP, Remote Portal, and MAC-Trigger Authentication Configuration Examples
- 36-MAC Authentication with Guest VLAN Assignment Configuration Examples
- 37-MAC Authentication with Guest VLAN Assignment (IPv6) Configuration Examples
- 38-Local MAC-And-802.1X Authentication Configuration Examples
- 39-Local 802.1X Authentication Configuration Examples
- 40-Local RADIUS-Based 802.1X Authentication in EAP Relay Mode Configuration Examples
- 41-Remote 802.1X Authentication Configuration Examples
- 42-Remote 802.1X Authentication (IPv6) Configuration Examples
- 43-Remote 802.1X Authentication in WPA3-Enterprise Mode Configuration Examples
- 44-802.1X Auth with ACL Assignment Through IMC Server Configuration Examples
- 45-802.1X Auth with User Profile Assignment Through IMC Server Configuration Examples
- 46-EAD Authentication Configuration Examples
- 47-EAD Authentication (IPv6) Configuration Examples
- 48-Local Forwarding Mode and Local Portal Authentication Configuration Examples
- 49-Local Forwarding Mode Direct Portal Authentication Configuration Examples
- 50-Local Forwarding Mode Direct Portal Authentication (IPv6) Configuration Examples
- 51-Local Forwarding Configuration Examples
- 52-Wired Port Local Forwarding through Wireless Terminator Configuration Examples
- 53-Remote AP Configuration Examples
- 54-Downlink VLAN Management for Fit-Mode APs Configuration Examples
- 55-WIPS Configuration Examples
- 56-WIPS Countermeasures Against All SSIDs Configuration Examples
- 57-IP Source Guard (IPv4) Configuration Examples
- 58-IP Source Guard (IPv6) Configuration Examples
- 59-Dual-Link Backup Configuration Examples
- 60-OAuth-Based Portal MAC-Trigger Auth on a Local-Forwarding Dual-Link Backup Configuration Examples
- 61-Dual-Link Backup OAuth-Based Portal Authentication in Local Forwarding Configuration Examples
- 62-Dual-Link Backup Remote Portal MAC-Trigger Authentication in Local Forwarding Configuration Examples
- 63-Dual-Link Backup Remote Portal and Transparent MAC Auth in Local Forwarding Configuration Examples
- 64-Dual-Link Backup Remote Portal Authentication in Local Forwarding Configuration Examples
- 65-Dual-Link Backup Remote Portal and Transparent MAC Auth in Centralized Forwarding Configuration Examples
- 66-Dual-Link Backup Remote Portal Authentication in Centralized Forwarding Configuration Examples
- 67-Dual-Link Backup Lightweight Portal Authentication in Centralized Forwarding Configuration Examples
- 68-Dual-Link Backup OAuth-Based Portal Authentication in Centralized Forwarding Configuration Examples
- 69-Dual-Link Backup Remote Portal MAC-Trigger Auth in Centralized Forwarding Configuration Examples
- 70-Remote 802.1X Authentication on a Dual-Link AC Backup Network Configuration Examples
- 71-Remote MAC Authentication on a Dual-Link AC Backup Network Configuration Examples
- 72-WLAN Probe Configuration Examples
- 73-Multicast Optimization Configuration Examples
- 74-Client Rate Limiting Configuration Examples
- 75-Inter-AC Roaming Configuration Examples
- 76-Inter-AC Roaming (IPv6) Configuration Examples
- 77-Inter-AC Roaming in Local Forwarding Mode Configuration Examples
- 78-H3C Access Controllers Cooperative Roaming for 802.11v Clients Configuration Examples
- 79-WLAN Load Balancing Configuration Examples
- 80-Static Blacklist Configuration Examples
- 81-Client Quantity Control Configuration Examples
- 82-AP License Synchronization Configuration Examples
- 83-BLE Module iBeacon Transmission Configuration Examples
- 84-Medical RFID Tag Management Configuration Examples
- 85-iBeacon Management Configuration Examples
- 86-Mesh Link Establishment Between a Fit AP and a Fat AP Configuration Examples
- 87-Mesh Link Establishment Between Fit APs Configuration Examples
- 88-Auto-DFS and Auto-TPC Configuration Examples
- 89-AP Image Downloading Configuration Examples
- 90-Dual-Uplink Interfaces Configuration Guide
- 91-Internal-to-External Access Through NAT Configuration Examples
- 92-Layer 2 Static Aggregation Configuration Examples
- 93-Layer 2 Multicast Configuration Examples
- 94-Static VLAN Allocation Configuration Examples
- 95-URL Redirection Configuration Examples
- 96-IPv6 URL Redirection Configuration Examples
- Related Documents
-
Title | Size | Download |
---|---|---|
69-Dual-Link Backup Remote Portal MAC-Trigger Auth in Centralized Forwarding Configuration Examples | 526.09 KB |
|
H3C Access Controllers |
Dual-Link Backup Remote Portal MAC-Trigger Authentication in Centralized Forwarding Configuration Examples |
|
|
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Introduction
The following information provides an example for configuring remote portal MAC-trigger authentication with centralized forwarding.
Prerequisites
The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of AAA, portal, WLAN access, and WLAN high availability.
Example: Configuring remote portal MAC-trigger authentication for dual-link AC backup and centralized forwarding
Network configuration
As shown in Figure 1, the AP and the client obtain IP addresses from the DHCP server. The IMC server acts as the portal authentication server, portal Web server, and RADIUS server.
Configure the devices to meet the following requirements:
· The AP associates with both ACs and the two ACs to back up each other. When the master AC (AC 1) fails, the backup AC (AC 2) takes over, and the AP can provide services correctly through the backup AC.
· Before passing portal authentication, the client can access only the portal Web server. After passing the authentication, the client can access other network resources.
· The client can access network resources through any Layer 2 ports in its access VLAN without re-authentication.
· The IMC server can dynamically modify user authorization information and log off clients.
Analysis
· To allow an authenticated user to access network resources on any Layer 2 ports in its access VLAN without re-authentication, you must enable the portal roaming feature.
· To allow the RADIUS server to modify user authorization information and log off users, enable the RADIUS session-control feature.
· To avoid allocation failures of dynamic authorization information during client association, configure RADIUS DAE.
· For dual-link backup to operate correctly, you must configure manual AP or auto AP settings on both ACs. This ensures that the AP can establish CAPWAP tunnels with both ACs.
Restrictions and guidelines
When you configure remote portal MAC-trigger authentication for dual-link AC backup and centralized forwarding, follow these restrictions and guidelines:
· Use the actual serial ID of an AP to uniquely identify that AP.
· Make sure the portal authentication server type, portal Web server type, and MAC binding server type configured on the ACs are the same as the actual server type. This example uses a China Mobile server.
· URLs redirected from the ACs to the portal Web server do not carry parameters by default. You can configure the parameters to carry as needed.
· To avoid possible authentication failure caused by frequent logins and logouts of portal clients in a short time, disable the Rule ARP entry feature.
· If you configure manual APs, make sure the manual APs configured on the two ACs have the same AP name and identifier (serial ID or MAC address).
· Make sure the two ACs are of the same version.
· Some clients are enabled with MAC randomization by default, which might cause seamless roaming failures. As a best practice, disable MAC randomization.
Procedures
Configuring AC 1
1. Configure AC interfaces:
# Create VLAN 100 and VLAN-interface 100. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.
<AC1> system-view
[AC1] vlan 100
[AC1-vlan100] quit
[AC1] interface vlan-interface 100
[AC1-Vlan-interface100] ip address 2.2.1.1 24
[AC1-Vlan-interface100] quit
# Create VLAN 200. This VLAN will be used for wireless client access.
[AC1] vlan 200
[AC1-vlan200] quit
[AC1] interface vlan-interface 200
[AC1-Vlan-interface200] ip address 2.2.2.1 24
[AC1-Vlan-interface200] quit
# Configure GigabitEthernet1/0/1 that connects AC 1 to the switch as a trunk port, and assign it to VLAN 100 and VLAN 200.
[AC1] interface gigabitethernet 1/0/1
[AC1-GigabitEthernet1/0/1] port link-type trunk
[AC1-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC1-GigabitEthernet1/0/1] quit
2. Create a static route to the IMC server.
[AC1] ip route-static 173.18.4.0 255.255.255.0 2.2.2.100
3. Configure wireless services:
# Create service template st1 and enter its view.
[AC1] wlan service-template st1
# Specify the SSID as service.
[AC1-wlan-st-st1] ssid service
# Assign clients coming online through the service template to VLAN 200.
[AC1-wlan-st-st1] vlan 200
# Specify the AKM mode as PSK, and configure the preshared key as 12345678 in plain text.
[AC1-wlan-st-st1] akm mode psk
[AC1-wlan-st-st1] preshared-key pass-phrase simple 12345678
# Specify the cipher suite as CCMP and the security IE as RSN.
[AC1-wlan-st-st1] cipher-suite ccmp
[AC1-wlan-st-st1] security-ie rsn
# Configure the AC to forward client traffic. (Skip this step if the client data traffic forwarder is the AC by default.)
[AC1-wlan-st-st1] client forwarding-location ac
[AC1-wlan-st-st1] quit
4. Configure the AP:
|
NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice. |
# Create AP office, and specify the AP name and serial ID.
[AC1] wlan ap office model WA6320
[AC1-wlan-ap-office] serial-id 219801A28N819CE0002T
[AC1-wlan-ap-office] quit
# Create AP group group1 and add AP office to AP group group1.
[AC1] wlan ap-group group1
[AC1-wlan-ap-group-group1] ap office
# Set the AP connection priority to 7.
[AC1-wlan-ap-group-group1] priority 7
# Specify AC 2 as the backup AC for AC 1. Set the backup AC address as the IP address of VLAN-interface 100 on AC 2.
[AC1-wlan-ap-group-group1] backup-ac ip 2.2.1.2
# Enable master CAPWAP tunnel preemption.
[AC1-wlan-ap-group-group1] wlan tunnel-preempt enable
# Bind service template st1 to radio 2 in AP group group1.
[AC1-wlan-ap-group-group1] ap-model WA6320
[AC1-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC1-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1
# Enable radio 2.
[AC1-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC1-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit
[AC1-wlan-ap-group-group1-ap-model-WA6320] quit
[AC1-wlan-ap-group-group1] quit
5. Configure a RADIUS scheme:
# Create RADIUS scheme rs1.
[AC1] radius scheme rs1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[AC1-radius-rs1] primary authentication 173.18.4.100
[AC1-radius-rs1] primary accounting 173.18.4.100
# Specify shared keys for RADIUS authentication and accounting.
[AC1-radius-rs1] key authentication simple radius
[AC1-radius-rs1] key accounting simple radius
# Configure AC 1 to remove the ISP domain name from the usernames sent to the RADIUS servers.
[AC1-radius-rs1] user-name-format without-domain
[AC1-radius-rs1] nas-ip 2.2.2.1
[AC1-radius-rs1] quit
# Enable RADIUS session-control.
[AC1] radius session-control enable
# Enable the RADIUS DAS feature and enter RADIUS DAS view.
[AC1] radius dynamic-author server
# Specify the DAC as 173.18.4.100. Set the shared key to radius in plaintext form for secure communication between the DAS and DAC.
[AC1-radius-da-server] client ip 173.18.4.100 key simple radius
[AC1-radius-da-server] quit
6. Configure the authentication domain:
# Create domain dm1 and enter its view.
[AC1] domain dm1
# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting.
[AC1-isp-dm1] authentication portal radius-scheme rs1
[AC1-isp-dm1] authorization portal radius-scheme rs1
[AC1-isp-dm1] accounting portal radius-scheme rs1
# Set the client idle timeout to 15 minutes and set the minimum threshold to 1024 bytes for clients in ISP domain dm1.
[AC1-isp-dm1] authorization-attribute idle-cut 15 1024
[AC1-isp-dm1] quit
7. Configure portal authentication:
# Create the portal authentication server newpt, specify the server IP address as 173.18.4.100, and set the destination UDP port number to 50100 for the AC to send unsolicited portal packets to the portal authentication server.
[AC1] portal server newpt
[AC1-portal-server-newpt] ip 173.18.4.100 key simple newpt
[AC1-portal-server-newpt] port 50100
# Specify the portal authentication server type as CMCC.
[AC1-portal-server-newpt] server-type cmcc
[AC1-portal-server-newpt] quit
# Configure the URL for the portal Web server newpt as http://173.18.4.100:8080/portal.
[AC1] portal web-server newpt
[AC1-portal-websvr-newpt] url http://173.18.4.100:8080/portal
# Configure URL parameters ssid, wlanuserip, and wlanacname for the portal Web server. The three parameters are required by CMCC.
[AC1-portal-websvr-newpt] url-parameter ssid ssid
[AC1-portal-websvr-newpt] url-parameter wlanuserip source-address
[AC1-portal-websvr-newpt] url-parameter wlanacname value AC
# Specify the portal Web server type as CMCC.
[AC1-portal-websvr-newpt] server-type cmcc
[AC1-portal-websvr-newpt] quit
# Configure an IPv4-based portal-free rule to permit portal Web server traffic.
[AC1] portal free-rule 0 destination ip 173.18.4.100 24
# Configure an IPv4-based portal-free rule to permit traffic from the aggregate interface.
[AC1] portal free-rule 1 source interface Bridge-Aggregation 1
# Configure IPv4-based portal-free rules to permit DNS server traffic.
[AC1] portal free-rule 2 destination ip any udp 53
[AC1] portal free-rule 3 destination ip any tcp 53
# Enable intra-VLAN roaming for portal users.
[AC1] portal roaming enable
# Disable the Rule ARP entry feature for portal clients.
[AC1] undo portal refresh arp enable
# Enable direct IPv4 portal authentication for service template st1.
[AC1] wlan service-template st1
[AC1-wlan-st-st1] portal enable method direct
# Configure the authentication domain for IPv4 portal users as dm1 on service template st1.
[AC1-wlan-st-st1] portal domain dm1
# Specify portal Web server newpt as the backup portal Web server on service template st1 for portal authentication.
[AC1-wlan-st-st1] portal apply web-server newpt
[AC1-wlan-st-st1] quit
8. Configure MAC-based quick portal authentication:
# Create the MAC binding server mts and enter its view.
[AC1] portal mac-trigger-server mts
# Specify the IP address of the MAC binding server as 173.18.4.100.
[AC1-portal-mac-trigger-server-mts] ip 173.18.4.100
# Specify the MAC binding server type as CMCC.
[AC1-portal-mac-trigger-server-mts] server-type cmcc
[AC1-portal-mac-trigger-server-mts] quit
# Specify the MAC binding server mts on service template st1.
[AC1] wlan service-template st1
[AC1-wlan-st-st1] portal apply mac-trigger-server mts
# Specify the portal BAS-IP as 2.2.2.1.
[AC1-wlan-st-st1] portal bas-ip 2.2.2.1
# Enable the service template.
[AC1-wlan-st-st1] service-template enable
[AC1-wlan-st-st1] quit
Configuring AC 2
1. Configure AC interfaces:
# Create VLAN 100 and VLAN-interface 100. Assign the VLAN interface an IP address. The AC will use this IP address to establish a CAPWAP tunnel with the AP.
<AC2> system-view
[AC2] vlan 100
[AC2-vlan100] quit
[AC2] interface vlan-interface 100
[AC2-Vlan-interface100] ip address 2.2.1.2 24
[AC2-Vlan-interface100] quit
# Create VLAN 200. This VLAN will be used for wireless client access.
[AC2] vlan 200
[AC2-vlan200] quit
[AC2] interface vlan-interface 200
[AC2-Vlan-interface200] ip address 2.2.2.2 24
[AC2-Vlan-interface200] quit
# Configure GigabitEthernet1/0/1 that connects AC 2 to the switch as a trunk port, and assign it to VLAN 100 and VLAN 200.
[AC2] interface gigabitethernet 1/0/1
[AC2-GigabitEthernet1/0/1] port link-type trunk
[AC2-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC2-GigabitEthernet1/0/1] quit
2. Create a static route to the IMC server.
[AC2] ip route-static 173.18.4.0 255.255.255.0 2.2.2.100
3. Configure wireless services:
# Create service template st1 and enter its view.
[AC2] wlan service-template st1
# Specify the SSID as service.
[AC2-wlan-st-st1] ssid service
# Assign clients coming online through the service template to VLAN 200.
[AC2-wlan-st-st1] vlan 200
# Specify the AKM mode as PSK, and configure the preshared key as 12345678 in plain text.
[AC2-wlan-st-st1] akm mode psk
[AC2-wlan-st-st1] preshared-key pass-phrase simple 12345678
# Specify the cipher suite as CCMP and the security IE as RSN.
[AC2-wlan-st-st1] cipher-suite ccmp
[AC2-wlan-st-st1] security-ie rsn
# Configure the AC to forward client traffic. (Skip this step if the client data traffic forwarder is the AC by default.)
[AC2-wlan-st-st1] client forwarding-location ac
[AC2-wlan-st-st1] quit
4. Configure the AP:
|
NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice. |
# Create AP office, and specify the AP name and serial ID.
[AC2] wlan ap office model WA6320
[AC2-wlan-ap-office] serial-id 219801A28N819CE0002T
[AC2-wlan-ap-office] quit
# Create AP group group1 and add AP office to AP group group1.
[AC2] wlan ap-group group1
[AC2-wlan-ap-group-group1] ap office
# Set the AP connection priority to 5.
[AC2-wlan-ap-group-group1] priority 5
# Specify AC 1 as the backup AC for AC 2.
[AC2-wlan-ap-group-group1] backup-ac ip 2.2.1.1
# Enable master CAPWAP tunnel preemption.
[AC2-wlan-ap-group-group1] wlan tunnel-preempt enable
# Bind service template st1 to radio 2 in AP group group1.
[AC2-wlan-ap-group-group1] ap-model WA6320
[AC2-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC2-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template st1
# Enable radio 2.
[AC2-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC2-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit
[AC2-wlan-ap-group-group1-ap-model-WA6320] quit
[AC2-wlan-ap-group-group1] quit
5. Configure a RADIUS scheme:
# Create RADIUS scheme rs1.
[AC2] radius scheme rs1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[AC2-radius-rs1] primary authentication 173.18.4.100
[AC2-radius-rs1] primary accounting 173.18.4.100
# Specify shared keys for RADIUS authentication and accounting.
[AC2-radius-rs1] key authentication simple radius
[AC2-radius-rs1] key accounting simple radius
# Configure AC 2 to remove the ISP domain name from the usernames sent to the RADIUS servers.
[AC2-radius-rs1] user-name-format without-domain
[AC2-radius-rs1] nas-ip 2.2.2.2
[AC2-radius-rs1] quit
# Enable RADIUS session-control.
[AC2] radius session-control enable
# Enable the RADIUS DAS feature and enter RADIUS DAS view.
[AC2] radius dynamic-author server
# Specify the DAC as 173.18.4.100. Set the shared key to radius in plaintext form for secure communication between the DAS and DAC.
[AC2-radius-da-server] client ip 173.18.4.100 key simple radius
[AC2-radius-da-server] quit
6. Configure the authentication domain:
# Create domain dm1 and enter its view.
[AC2] domain dm1
# Configure the domain to use RADIUS scheme rs1 for authentication, authorization, and accounting.
[AC2-isp-dm1] authentication portal radius-scheme rs1
[AC2-isp-dm1] authorization portal radius-scheme rs1
[AC2-isp-dm1] accounting portal radius-scheme rs1
# Set the client idle timeout to 15 minutes and set the minimum threshold to 1024 bytes for clients in ISP domain dm1.
[AC2-isp-dm1] authorization-attribute idle-cut 15 1024
[AC2-isp-dm1] quit
7. Configure portal authentication:
# Create the portal authentication server newpt, specify the server IP address as 173.18.4.100, and set the destination UDP port number to 50100 for the AC to send unsolicited portal packets to the portal authentication server.
[AC2] portal server newpt
[AC2-portal-server-newpt] ip 173.18.4.100 key simple newpt
[AC2-portal-server-newpt] port 50100
# Specify the portal authentication server type as CMCC.
[AC2-portal-server-newpt] server-type cmcc
[AC2-portal-server-newpt] quit
# Configure the URL for the portal Web server newpt as http://173.18.4.100:8080/portal.
[AC2] portal web-server newpt
[AC2-portal-websvr-newpt] url http://173.18.4.100:8080/portal
# Configure URL parameters ssid, wlanuserip, and wlanacname for the portal Web server. The three parameters are required by CMCC.
[AC2-portal-websvr-newpt] url-parameter ssid ssid
[AC2-portal-websvr-newpt] url-parameter wlanuserip source-address
[AC2-portal-websvr-newpt] url-parameter wlanacname value AC
# Specify the portal Web server type as CMCC.
[AC2-portal-websvr-newpt] server-type cmcc
[AC2-portal-websvr-newpt] quit
# Configure an IPv4-based portal-free rule to permit portal Web server traffic.
[AC2] portal free-rule 0 destination ip 173.18.4.100 24
# Configure an IPv4-based portal-free rule to permit traffic from the aggregate interface.
[AC2] portal free-rule 1 source interface Bridge-Aggregation 1
# Configure IPv4-based portal-free rules to permit DNS server traffic.
[AC2] portal free-rule 2 destination ip any udp 53
[AC2] portal free-rule 3 destination ip any tcp 53
# Enable intra-VLAN roaming for portal users.
[AC2] portal roaming enable
# Disable the Rule ARP entry feature for portal clients.
[AC2] undo portal refresh arp enable
# Enable direct IPv4 portal authentication for service template st1.
[AC2] wlan service-template st1
[AC2-wlan-st-st1] portal enable method direct
# Configure the authentication domain for IPv4 portal users as dm1 on service template st1.
[AC2-wlan-st-st1] portal domain dm1
# Specify portal Web server newpt as the backup portal Web server on service template st1 for portal authentication.
[AC2-wlan-st-st1] portal apply web-server newpt
[AC2-wlan-st-st1] quit
8. Configure MAC-based quick portal authentication:
# Create the MAC binding server mts and enter its view.
[AC2] portal mac-trigger-server mts
# Specify the IP address of the MAC binding server as 173.18.4.100.
[AC2-portal-mac-trigger-server-mts] ip 173.18.4.100
# Specify the MAC binding server type as CMCC.
[AC2-portal-mac-trigger-server-mts] server-type cmcc
[AC2-portal-mac-trigger-server-mts] quit
# Specify the MAC binding server mts on service template st1.
[AC2] wlan service-template st1
[AC2-wlan-st-st1] portal apply mac-trigger-server mts
# Specify the portal BAS-IP as 2.2.2.2.
[AC2-wlan-st-st1] portal bas-ip 2.2.2.2
# Enable the service template.
[AC2-wlan-st-st1] service-template enable
[AC2-wlan-st-st1] quit
Configuring the switch
# Create VLAN 100 for forwarding CAPWAP tunnel traffic between AC and AP.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
# Create VLAN 200 for forwarding client traffic.
[Switch] vlan 200
[Switch-vlan200] quit
# Create VLAN 2 for connecting to the IMC server.
[Switch] vlan 2
[Switch-vlan2] quit
# Add the interface that connects the switch to the IMC server to VLAN 2. (Details not shown.)
# Configure the interface that connects the switch to the DHCP server. (Details not shown.)
# Configure GigabitEthernet 1/0/1 that connects the switch to AC 1 as a trunk port, and assign it to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/3 that connects the switch to AC 2 as a trunk port, and assign it to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/3] quit
# Configure GigabitEthernet 1/0/2 that connects the switch to the AP as an access port, and assign it to VLAN 100.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# Enable PoE.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# Assign an IP address to VLAN-interface 200.
[Switch] interface vlan-interface 200
[Switch-Vlan-interface200] ip address 2.2.2.100 255.255.255.0
[Switch-Vlan-interface200] quit
# Assign an IP address to VLAN-interface 2. This address will be used as the gateway address for the IMC server.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 173.18.4.101 255.255.255.0
[Switch-Vlan-interface2] quit
Configuring the IMC server
In this example, the IMC server runs IMC PLAT 7.1 (E0303p13), IMC EIA 7.1 (F0302p08), and IMC EIP 7.1 (F0302p08).
The IMC server configuration is the same for AC 1 and AC 2, except for the AC IP address. This section configures AC 1 as an example. Refer to AC 1 configuration when you configure AC 2 and remember to change the IP address setting for AC 2.
Configure the RADIUS server to add access devices
1. Log in to IMC and click the User tab.
2. From the navigation pane, select User Access Policy > Access Device Management > Access Device.
3. Click Add.
The Add Access Device page opens.
4. In the Access Configuration area, configure the following parameters:
¡ Enter radius in the Shared Key and Confirm Shared Key fields.
¡ Use the default values for other parameters.
5. In the Device List area, click Select or Add Manually to add the AC 1 at 2.2.2.1 as an access device.
6. Click OK.
Figure 2 Adding an access device
Configure the portal server
1. Configure portal authentication:
a. Click the User tab.
b. Select User Access Policy > Portal Service > Server from the navigation tree to open the portal server configuration page.
c. Configure the portal server parameters as needed.
This example uses the default settings.
d. Click OK.
Figure 3 Portal authentication server configuration
2. Configure the IP address group:
a. Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure 4.
c. Enter the IP group name. In this example, the name is Portal_user.
d. Enter the start IP address and end IP address of the IP group.
Make sure the client IP address is in the IP group.
e. Select a service group.
This example uses the default group Ungrouped.
f. Select Normal from the Action list.
g. Click OK.
Figure 4 Adding an IP address group
3. Add a portal device:
a. Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 5.
c. Enter the device name. In this example, the name is NAS.
d. Specify the version as Portal 2.0.
e. Enter the IP address (2.2.2.1) of the AC's interface connected to the client.
f. Set whether to support the portal server heartbeat and user heartbeat functions.
In this example, select No for both Support Server Heartbeat and Support User Heartbeat.
g. Enter the key, which must be the same as that configured on the AC.
h. Select Directly Connected from the Access Method list.
i. Use the default settings for other parameters.
j. Click OK.
Figure 5 Adding a portal device
4. Associate the portal device with the IP address group:
a. As shown in Figure 6,
click the Port Group Information Management icon for the device to
open the port group configuration page.
b. Click Add to open the page as shown in Figure 7.
c. Enter the port group name. In this example, the name is group.
d. Select the configured IP address group.
The IP address used by the user to access the network must be within this IP address group.
e. Select Supported for Transparent Authentication.
f. Use the default settings for other parameters.
g. Click OK.
h. From the navigation tree, select Intelligent Portal Management > User Management > Users.
5. Select User Access Policy > Service Parameters > Validate System Configuration from the navigation tree to make the configurations take effect.
Configuring the MAC binding server
1. Add an access policy:
a. Select User Access Policy > Access Policy from the navigation tree to open the access policy page.
b. Click Add to open the page as shown in Figure 8.
c. Enter the access policy name. In this example, the name is AccessPolicy.
d. Select Ungrouped from the service group list.
e. Use the default settings for other parameters.
f. Click OK.
Figure 8 Adding an access policy
2. Add an access service:
a. Select User Access Policy > Access Service from the navigation tree to open the access service page.
b. Click Add to open the page as shown in Figure 9.
c. Enter the service name. In this example, the service name is MAC_server.
d. Select the Transparent Authentication on Portal Endpoints option.
e. Use the default settings for other parameters.
f. Click OK.
Figure 9 Adding an access service
3. Add an access user:
a. Select Access User > All Access Users from the navigation tree to open the access user page.
b. Click Add to open the page as shown in Figure 10.
c. Select or add an access user. In this example, the account name is client.
d. Set the password. In this example, the password is wireless.
e. Specify the number of limited online clients.
f. Retain the default settings for other parameters.
g. Select the configured service.
h. Click OK.
Figure 10 Adding an access user
4. Configure system parameters:
a. Select User Access Policy > Service Parameters > System Settings from the navigation tree to open the system settings page.
b. Click the Configure
icon for User Endpoint Settings to open the page as shown in Figure 11.
c. Enable Transparent MAC Authentication.
d. Select whether to enable transparent portal authentication on non-smart devices.
In this example, select Enable for Non-Terminal Authentication.
e. Click OK.
f. Click the Configure
icon for Endpoint Aging Time to open the page as shown in Figure 12.
g. Set the endpoint aging time as needed.
This example uses the default value.
Figure 11 Configuring user endpoint settings
Figure 12 Setting the endpoint aging time
5. Select User Access Policy > Service Parameters > Validate System Configuration from the navigation tree to make the configurations take effect.
Verifying the configuration
# Make the AP come online.
# Verify that the AP first associates with AC 1. Shut down VLAN-interface 100 on AC 1, wait 3 minutes, and verify that the AP associates with AC 2 and the AP state on AC 2 is R/M.
[AC2] display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 10
Remaining APs: 9
Total AP licenses: 10
Local AP licenses: 10
Server AP licenses: 0
Remaining Local AP licenses: 9
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
office 1 R/M WA6320 219801A28N819CE0002T
# Bring up VLAN-interface 100 on AC 1. Verify that the AP state becomes R/M on AC 1 and R/B on AC 2.
[AC1] display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 10
Remaining APs: 9
Total AP licenses: 10
Local AP licenses: 10
Server AP licenses: 0
Remaining Local AP licenses: 9
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
office 1 R/M WA6320 219801A28N819CE0002T
[AC2] display wlan ap all
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 10
Remaining APs: 9
Total AP licenses: 10
Local AP licenses: 10
Server AP licenses: 0
Remaining Local AP licenses: 10
Sync AP licenses: 0
AP information
State : I = Idle, J = Join, JA = JoinAck, IL = ImageLoad
C = Config, DC = DataCheck, R = Run, M = Master, B = Backup
AP name APID State Model Serial ID
office 1 R/B WA6320 219801A28N819CE0002T
# Display MAC binding server configuration.
[AC1] display portal mac-trigger-server name mts
Portal mac trigger server name: mts
Version : 1.0
Server type : CMCC
IP : 173.18.4.100
Port : 50100
VPN instance : Not configured
Aging time : 300 seconds
Free-traffic threshold : 0 bytes
NAS-Port-Type : Not configured
Binding retry times : 3
Binding retry interval : 1 seconds
Authentication timeout : 3 minutes
A user can perform portal authentication through a Web browser. Before passing the authentication, the user can access only the authentication page http://173.18.4.100:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
For the first portal authentication, the user is required to enter the username and password.
# Display portal user information.
[AC1] display portal user all
Total portal users: 1
Username: Client
AP name: office
Radio ID: 2
SSID: service
Portal server: newpt
State: Online
VPN instance: N/A
MAC IP VLAN Interface
0021-6330-0933 2.2.2.3 200 WLAN-BSS1/0/3
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Configuration files
· AC 1:
#
vlan 100
#
vlan 200
#
wlan service-template st1
ssid service
vlan 200
client forwarding-location ac
akm mode psk
preshared-key pass-phrase cipher $c$3$oLf6pOZ6bxrf25nodjOJKYEfnZ6g6ErccHyQ
cipher-suite ccmp
security-ie rsn
portal enable method direct
portal domain dm1
portal bas-ip 2.2.2.1
portal apply web-server newpt
portal apply mac-trigger-server mts
service-template enable
#
interface Vlan-interface100
ip address 2.2.1.1 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
ip route-static 173.18.4.0 24 2.2.2.100
#
radius session-control enable
#
radius scheme rs1
primary authentication 173.18.4.100
primary accounting 173.18.4.100
key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==
key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==
user-name-format without-domain
nas-ip 2.2.2.1
#
radius dynamic-author server
client ip 173.18.4.100 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==
#
domain dm1
authorization-attribute idle-cut 15 1024
authentication portal radius-scheme rs1
authorization portal radius-scheme rs1
accounting portal radius-scheme rs1
#
portal free-rule 0 destination ip 173.18.4.0 255.255.255.0
portal free-rule 1 source interface Bridge-Aggregation 1
portal free-rule 2 destination ip any udp 53
portal free-rule 3 destination ip any tcp 53
#
portal web-server newpt
url http://173.18.4.100:8080/portal
server-type cmcc
url-parameter ssid ssid
url-parameter wlanacname value AC
url-parameter wlanuserip source-address
#
portal server newpt
ip 173.18.4.100 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==
server-type cmcc
#
portal mac-trigger-server mts
ip 173.18.4.100
server-type cmcc
#
wlan ap-group group1
priority 7
wlan tunnel-preempt enable
backup-ac ip 2.2.1.2
ap office
ap-model WA6320
radio 1
radio 2
radio enable
service-template st1
#
wlan ap office model WA6320
serial-id 219801A28N819CE0002T
#
· AC 2:
#
vlan 100
#
vlan 200
#
wlan service-template st1
ssid service
vlan 200
client forwarding-location ac
akm mode psk
preshared-key pass-phrase cipher $c$3$oLf6pOZ6bxrf25nodjOJKYEfnZ6g6ErccHyQ
cipher-suite ccmp
security-ie rsn
portal enable method direct
portal domain dm1
portal bas-ip 2.2.2.2
portal apply web-server newpt
portal apply mac-trigger-server mts
service-template enable
#
interface Vlan-interface100
ip address 2.2.1.2 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
ip route-static 173.18.4.0 16 2.2.2.100
#
radius session-control enable
#
radius scheme rs1
primary authentication 173.18.4.100
primary accounting 173.18.4.100
key authentication cipher $c$3$Sqgqz7lDs4XPnethmAgyAKVlke7qwEkYbQ==
key accounting cipher $c$3$4J/JBRGwqB4F213furJMkB6JWYXBFjWE6g==
user-name-format without-domain
nas-ip 2.2.2.2
#
radius dynamic-author server
client ip 173.18.4.100 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==
#
domain dm1
authorization-attribute idle-cut 15 1024
authentication portal radius-scheme rs1
authorization portal radius-scheme rs1
accounting portal radius-scheme rs1
#
portal free-rule 0 destination ip 173.18.4.0 255.255.255.0
portal free-rule 1 source interface Bridge-Aggregation 1
portal free-rule 2 destination ip any udp 53
portal free-rule 3 destination ip any tcp 53
#
portal web-server newpt
url http://173.18.4.100:8080/portal
server-type cmcc
url-parameter ssid ssid
url-parameter wlanacname value AC
url-parameter wlanuserip source-address
#
portal server newpt
ip 173.18.4.100 key cipher $c$3$AkTEB7OgMYnCqsfDeplhoAgXUek/rVrLZw==
server-type cmcc
#
portal mac-trigger-server mts
ip 173.18.4.100
server-type cmcc
#
wlan ap-group group1
priority 5
wlan tunnel-preempt enable
backup-ac ip 2.2.1.1
ap office
ap-model WA6320
radio 1
radio 2
radio enable
service-template st1
#
wlan ap office model WA6320
serial-id 219801A28N819CE0002T
#
· Switch:
#
vlan 2
#
vlan 100
#
vlan 200
#
interface Vlan-interface2
ip address 173.18.4.101 255.255.255.0
#
interface Vlan-interface200
ip address 2.2.2.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/2
port link-type access
port access vlan 100
poe enable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan 1 100 200
#
Related documentation
· User Access and Authentication Command Reference in H3C Access Controllers Command References
· User Access and Authentication Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN Access Command Reference in H3C Access Controllers Command References
· WLAN Access Configuration Guide in H3C Access Controllers Configuration Guides
· WLAN High Availability Command Reference in H3C Access Controllers Command References
· WLAN High Availability Configuration Guide in H3C Access Controllers Configuration Guides