
Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

----------------------------------------------
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
-----------------------------------------------------------------------------------

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
-----------------------------------------------------------------------------------
Configure the AC to communicate with the network devices.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

-----------------------------------------------------------------------------------

Configure the DHCP servers to assign IP addresses to APs and STAs.


# On the AC, configure VLANIF 100 to assign IP addresses to APs.

[AC] dhcp enable


[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] dhcp server dns-server 8.8.8.8
[AC-Vlanif100] dhcp server gateway-list 192.168.100.1
[AC-Vlanif100] quit

-----------------------------------------------------------------------------------
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

-----------------------------------------------------------------------------------
Configure a route from the AC to the DNS server.

[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2


-----------------------------------------------------------------------------------
Configure an AP to go online.
# Create an AP group to which the APs with the same configuration can be added.

[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
-----------------------------------------------------------------------------------
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.

[AC-wlan-view] regulatory-domain-profile name default


[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
-----------------------------------------------------------------------------------
# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

-----------------------------------------------------------------------------------

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that
the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the
AP's deployment location, so that you can know where the AP is deployed from its
name. For example, name the AP area_1 if it is deployed in Area 1.

The default AP authentication mode is MAC address authentication. If the default
settings are retained, you do not need to run the ap auth-mode mac-auth command.

In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio)
and radio 1 (5 GHz radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
-----------------------------------------------------------------------------------

# After the AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply

ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -

Total: 1
-----------------------------------------------------------------------------------
Configure local authentication.
# Configure the local authentication scheme wlan-net.

[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode local
[AC-aaa-authen-wlan-net] quit
-----------------------------------------------------------------------------------

# Configure the user name, password, and service type of the local user.
[AC-aaa] local-user guest password cipher guest@123
[AC-aaa] local-user guest service-type web
[AC-aaa] quit

-----------------------------------------------------------------------------------

Configure SSL policy default_policy and load a digital certificate.


# Load certificates and the RSA key pair.

The local certificate abc_local.pem, CA certificate abc_ca.pem, and RSA key pair
privatekey.pem have been requested, obtained, and uploaded to the storage medium
of the device. If multiple CA certificates are requested, perform the same
operation to load the certificates to the memory of the device.
When privatekey.pem is generated, the key is Huawei@123.

[AC] pki realm abc


[AC-pki-realm-abc] quit
[AC] pki import-certificate local realm abc pem filename abc_local.pem
[AC] pki import-certificate ca realm abc pem filename abc_ca.pem
[AC] pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123

-----------------------------------------------------------------------------------

# Configure the SSL policy default_policy and load the digital certificate.

[AC] ssl policy default_policy type server


[AC-ssl-policy-default_policy] pki-realm abc
[AC-ssl-policy-default_policy] version tls1.0 tls1.1 tls1.2
[AC-ssl-policy-default_policy] ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
[AC-ssl-policy-default_policy] quit
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable

-----------------------------------------------------------------------------------

# Check the configuration of the SSL policy. The status of the CA and local
certificates must be loaded.

[AC] display ssl policy default_policy


------------------------------------------------------------------------------
Policy name : default_policy

Policy ID : 2
Policy type : Server
Cipher suite : rsa_aes_128_sha256 rsa_aes_256_sha256
PKI realm : abc
Version : tls1.0 tls1.1 tls1.2
Cache number : 32
Time out(second) : 3600
Server certificate load status : loaded
CA certificate chain load status : loaded
SSL renegotiation status : enable
Bind number : 1
SSL connection number : 0
------------------------------------------------------------------------------
-----------------------------------------------------------------------------------
Configure the Portal access profile wlan-net
# Enable the built-in Portal server function.

[AC] interface loopback 1


[AC-LoopBack1] ip address 10.1.1.1 24
[AC-LoopBack1] quit
[AC] portal local-server ip 10.1.1.1
[AC] portal local-server https ssl-policy default_policy port 20000

-----------------------------------------------------------------------------------

# Create the Portal access profile wlan-net and configure it to use the built-in
Portal server.

[AC] portal-access-profile name wlan-net


[AC-portal-access-profile-wlan-net] portal local-server enable
[AC-portal-access-profile-wlan-net] quit

-----------------------------------------------------------------------------------

Configure an authentication-free rule profile to allow users to access the DNS
server before authentication.

[AC] free-rule-template name default_free_rule


[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit
-----------------------------------------------------------------------------------
Configure the authentication profile wlan-net.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] quit

-----------------------------------------------------------------------------------

Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile. By
default, the security policy is open system.

[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
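
An added example, not part of the original page: a short Python check that reads a CLI session in the prompt format used here and flags two settings a reviewer would question, the SSL policy that still enables TLS 1.0/1.1 and the security profile left at the open-system default. The sample session is constructed from this page's own commands; treating any `security` line other than `security open` as adding encryption is an assumption.

```python
import re

# Constructed sample: session lines copied from the steps on this page.
SESSION = """\
[AC] ssl policy default_policy type server
[AC-ssl-policy-default_policy] pki-realm abc
[AC-ssl-policy-default_policy] version tls1.0 tls1.1 tls1.2
[AC-ssl-policy-default_policy] ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
[AC-ssl-policy-default_policy] quit
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
"""

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")  # "[view] command" or "<view> command"
LEGACY_TLS = {"tls1.0", "tls1.1"}  # deprecated by RFC 8996


def audit(session):
    """Return findings for SSL policies and WLAN security profiles in a CLI session."""
    findings = []
    sec_profiles = {}  # profile name -> True once a non-open `security ...` line is seen
    for raw in session.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # command output, warnings, separators
        view, cmd = m.group(1), m.group(2).split()
        if not cmd:
            continue
        if "-ssl-policy-" in view and cmd[0] == "version":
            policy = view.split("-ssl-policy-", 1)[1]
            legacy = sorted(LEGACY_TLS.intersection(cmd[1:]))
            if legacy:
                findings.append(f"ssl policy {policy}: enables {', '.join(legacy)}")
        elif cmd[:2] == ["security-profile", "name"] and len(cmd) == 3:
            sec_profiles.setdefault(cmd[2], False)
        elif "-wlan-sec-prof-" in view and cmd[0] == "security":
            name = view.split("-wlan-sec-prof-", 1)[1]
            # Assumption: any `security` line other than `security open` adds encryption.
            sec_profiles[name] = cmd[1:2] != ["open"]
    for name, encrypted in sec_profiles.items():
        if not encrypted:
            findings.append(f"security-profile {name}: open system, no over-the-air encryption")
    return findings


if __name__ == "__main__":
    for finding in audit(SESSION):
        print(finding)
```

With the open-system profile, Portal authentication controls who gets network access but does not encrypt the STAs' traffic over the air.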

-----------------------------------------------------------------------------------

# Create SSID profile wlan-net and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-net


[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

-----------------------------------------------------------------------------------

# Create VAP profile wlan-net, configure the data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to
the VAP profile.

[AC-wlan-view] vap-profile name wlan-net


[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

-----------------------------------------------------------------------------------
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.

[AC-wlan-view] ap-group name ap-group1


[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
-----------------------------------------------------------------------------------
Verify the configuration.
The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
The STAs obtain IP addresses when they successfully associate with the WLAN.
When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server.
After entering the correct user name and password on the page, the user can access
the network.
