01-06 Wired and Wireless User Access Authentication Deployment

6 Wired and Wireless User Access Authentication
Campus Networks Typical Configuration Examples Deployment
6 Wired and Wireless User Access

Authentication Deployment
6.1 Key Points of User Access Authentication Deployment

6.2 Native AC + Free Mobility Solution: Core Switches Function as the
Authentication Point for Wired and Wireless Users
6.3 Native AC + Policy Association Solution: Core Switches Function as the
Authentication Point for Wired and Wireless Users
6.4 Native AC + NAC Solution: Core Switches Function as the Authentication Point
for Wired and Wireless Users
6.5 Native AC + Policy Association Solution: Aggregation Switches Function as the
Authentication Points for Wired and Wireless Users
6.6 Native AC + NAC Solution: Aggregation Switches Function as the
Authentication Points for Wired and Wireless Users
6.7 Native AC + Free Mobility Solution: Parent (Core Switches) in an SVF System
Functions as the Authentication Point
6.8 Native AC + NAC Solution: Parent (Core Switches) in an SVF System Functions
as the Authentication Point
6.9 Standalone AC + NAC Solution: Core Switches and ACs Function as the
Authentication Points for Wired and Wireless Users Respectively
6.10 Standalone AC + NAC Solution: Aggregation Switches and ACs Function as
the Authentication Points for Wired and Wireless Users Respectively
6.1 Key Points of User Access Authentication

Deployment
This chapter provides typical examples for deploying user access authentication
based on access controller (AC) deployment solutions, authentication point
locations, and policy-based control solutions.
Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 311

● Authentication point location: The devices that function as user gateways are
typically configured as authentication points. As described in 3 Campus
Network Connectivity Deployment, when the native AC solution is used, you
are advised to deploy a switch that supports the native AC function as the
gateway for both wired and wireless users. When the standalone AC or ACU2
solution is used, you can deploy both wired and wireless gateways on a
switch, or deploy the wired gateway on a switch and the wireless gateway on
a standalone AC or an ACU2. In the examples where the standalone AC
solution is used, the gateway and authentication point for wireless users are
both deployed on a standalone AC or an ACU2.
● Policy-based control solutions: include Network Admission Control (NAC), free
mobility, and policy association. In the policy association solution, aggregation
or core switches are typically deployed as authentication points and access
switches as access points. This solution prevents users connected to the same
access device from communicating with each other before they are
authenticated, and allows administrators to easily obtain online user
information such as the interfaces on which users go online and the VLANs to
which users belong. A standalone AC or an ACU2 does not support the free
mobility solution for wireless users.
● In the following examples, Agile Controller-Campus functions as both the
access authentication server and user data source server.
User access authentication aims to implement user authentication and policy-
based control, which involves the following key nodes:
● Authentication point: a device or node responsible for user access
authentication.
● Access point: a device or node that determines whether a terminal is allowed
to access the network.
● Group policy enforcement point: a device or node that executes group policies
used in free mobility.
Figure 6-1 shows the positions of authentication points and access points when
core switches function as the authentication points for wired and wireless users.

Figure 6-1 Authentication points and access points
Server zone
(including RADIUS
and DNS servers) CORE
Core CSS
layer
Aggregation
layer AGG1 AGG2
Access layer ACC1 ACC2
PC1 AP1 PC2 AP2
Authentication point
Access point
6.2 Native AC + Free Mobility Solution: Core Switches

Function as the Authentication Point for Wired and
Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to implement high network reliability and forwarding of a large amount
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence. Aggregation switches set up stacks
to implement device-level backup and increase the interface density and
forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired and wireless users on the entire network. These
users can access the network only after being authenticated. The specific
requirements are as follows:
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.

● The free mobility solution is adopted, and security groups and inter-group
policies are configured on Agile Controller-Campus to control user access
rights.
Figure 6-2 Core switches functioning as the authentication point for wired and
wireless users
Server zone
(including RADIUS
Core XGE1/2/0/1 CSS
layer
XGE1/1/0/1 XG XGE2/1/0/1
E1/1 0 /2
/0/ /1/
2 E2
Eth-Trunk 10 XG Eth-Trunk 20
XGE0/0/1 XGE1/0/1 XGE1/0/1 XGE0/0/1

Aggregation
layer AGG1 AGG2
GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3

Eth-Trunk 30 Eth-Trunk 40
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point
Group policy
enforcement point
Device Requirements and Versions

Location Device Device Used in This Version Used in
Requirement Example This Example
Core layer ● Modular switches S12700E V200R019C10

configured with X
series cards
● Layer 3 fixed
switches that
support the
native AC
function, such as
S5731-H switches
Aggregati - S5731-H
on layer
Access - S5735-L
layer
AP - AP6050DN V200R019C00

Deployment Roadmap
Step Deployment Roadmap Devices Involved
1 Configure authentication, authorization, Core switches (CORE)

and accounting (AAA), including
configuring a RADIUS server template,
AAA schemes, and authentication
domains to enable user authentication,
authorization, and accounting through
RADIUS, as well as configuring
parameters for interconnection between
switches and the RADIUS server.
2 Configure a pre-authentication domain Core switches (CORE)

and a post-authentication domain, so
that users have corresponding rights
before and after being authenticated as
well as when Agile Controller-Campus is
faulty.
3 Configure 802.1X authentication for Core switches (CORE)

employees.
4 Configure MAC address-prioritized Core switches (CORE)

Portal authentication for guests.
5 Enable the free mobility function and Core switches (CORE)

configure XMPP parameters for
interconnection with Agile Controller-
Campus.
6 Configure transparent transmission for Aggregation switches

802.1X packets. (AGG1 and AGG2) and
access switches (ACC1
and ACC2)
7 Log in to Agile Controller-Campus and Agile Controller-Campus

perform the following operations:
1. Configure parameters for
interconnection with CORE, and
configure RADIUS and Portal
parameters.
2. Configure security groups and inter-
group policies.

Data Plan
Table 6-1 Service data plan for core switches

Item VLAN ID Network Segment
Management VLAN for VLAN 20 192.168.20.0/24

APs
Service VLANs for VLAN 30 172.16.30.0/24

wireless users
VLAN 40 172.16.40.0/24
Service VLAN for a wired VLAN 50 172.16.50.0/24

user (PC1)

user (PC2)
VLAN for communication VLAN 1000 192.168.11.254/24

with servers
Table 6-2 Wireless service data plan for core switches

Item Data
AP group ap-group1
Regulatory domain profile domain1
SSID profiles test01, test02
VAP profiles vap1, vap2 (The data forwarding mode in

the VAP profiles is tunnel forwarding.)
Table 6-3 Authentication service data plan for core switches

Item Data
AAA schemes Authentication scheme:

● Name: auth
● Authentication mode: RADIUS
Accounting scheme:
● Name: acco
● Accounting mode: RADIUS

Item Data
RADIUS server ● RADIUS server template name:

tem_rad
● IP address of the authentication
server: 192.168.11.1
● Port number of the authentication
server: 1812
● IP address of the accounting server:
192.168.11.1
● Port number of the accounting
server: 1813
● Accounting interval: 15 minutes
● Authentication and accounting
keys: Admin@123
● Authorization key: Admin@123
Portal server ● Portal server template name:

tem_portal
● IP address: 192.168.11.1
● Port number: 50200
● Shared key: Admin@123
● Portal server detection: enabled
802.1X access profile ● Name: d1

● Authentication mode: EAP
Portal access profile Name: web1
MAC access profile Name: mac1
Pre-authentication domain IP address of the DNS server:

192.168.11.2. Employees and guests
can send domain names to the DNS
server for resolution before being
authenticated.
Table 6-4 Service data plan for Agile Controller-Campus

Item Data
IP address of CORE 192.168.11.254

Item Data
RADIUS parameters ● Device series: Huawei S series

switches
keys: Admin@123
● Real-time accounting interval: 15
minutes
Portal parameters ● Port number: 2000

● Portal key: Admin@123
● IP addresses of access terminals:
Wireless: 192.168.30.0/24
Wired: 192.168.40.0/24
XMPP password Admin@123
Accounts Employee:
● User name: user1
● Password: Huawei@123
Guest:
● Password: Guest@123
Security groups ● employee_group

● guest_group
● Email server: 192.168.11.100
● Video server: 192.168.11.110
Post-authentication domains ● Employees can access the mail and

video servers after being
authenticated.
● Guests can access the video server
but not the mail server after they
are authenticated.
● Employees and guests cannot
communicate with each other.
Deployment Precautions
● Free mobility is supported only in NAC unified mode.
● In this example, Agile Controller-Campus runs V100R003C50.
For details about other precautions, see "Licensing Requirements and Limitations for Free
Mobility" in the Product Use Precautions.

Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
User Access Security Policy

Authentication Mode
MAC address authentication Open system authentication

or Portal authentication
802.1X authentication WPA/WPA2-802.1X authentication. WPA2

authentication is used in this example.
For employees who use 802.1X authentication, configure a security policy in

security profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
For guests who use MAC address-prioritized Portal authentication, configure a

security policy in security profile sec2 as follows:
[CORE-wlan-sec-prof-sec2] security open
Step 2 Configure AAA on CORE.

# Configure the RADIUS server template tem_rad and configure parameters for
interconnection between CORE and the RADIUS server. The parameters include the
IP addresses, port numbers, and shared keys of the RADIUS authentication and
accounting servers.
<CORE> system-view
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit
# Configure a RADIUS authorization server.

[CORE] radius-server authorization 192.168.11.1 shared-key cipher Huawei@123
# Configure AAA schemes, set the authentication, authorization, and accounting

modes to RADIUS, and set the accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth
[CORE-aaa-authen-auth] authentication-mode radius
[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco

[CORE-aaa-domain-huawei.com] radius-server tem_rad

[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit
Step 4 Configure 802.1X authentication for employees on CORE.

# Change the NAC mode to unified.
By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.
[CORE] authentication unified-mode
# Configure an 802.1X access profile.
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees.

[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a
forcible domain.
[CORE-authen-profile-p1] quit
# Configure 802.1X authentication for wired access of employees on downlink

interfaces Eth-Trunk 10 and Eth-Trunk 20.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication-profile p1
[CORE-Eth-Trunk10] quit
# Configure 802.1X authentication for wireless access of employees in VAP profile

vap1.
[CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p1
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit
Step 5 Configure MAC address-prioritized Portal authentication for guests on CORE.

# Configure Portal server template tem_portal, and set parameters for
interconnection between CORE and the Portal server. The parameters include the
IP address, port number, and shared key of the Portal server.

[CORE] web-auth-server tem_portal

[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1
[CORE-web-auth-server-tem_portal] port 50200 //The Portal server port number is fixed at 50200 when
Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] quit
# Configure a Portal access profile.

[CORE] portal-access-profile name web1
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit
# Configure a MAC access profile.

[CORE] mac-access-profile name mac1
[CORE-mac-access-profile-mac1] quit
# Configure an authentication profile for guests.

[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
forcible domain.
# Configure MAC address-prioritized Portal authentication for guests in the VAP

profile vap2.
[CORE] wlan
Step 6 Enable the free mobility function and configure XMPP parameters for
interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254 //Set scr-ip
to the IP address of VLANIF 1000.
Step 7 Configure transparent transmission of 802.1X packets on both aggregation and

access switches. The following uses access switch ACC1 (S5735-L) as an example.
The configuration of other switches is similar to that of ACC1.
If a switch supports the bpdu enable command, run both the bpdu enable and
l2protocol-tunnel user-defined-protocol 802.1x enable commands on an
interface of the switch.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
Step 8 Configure Agile Controller-Campus.

1. Add a switch.

Table 6-5 Parameter settings on Agile Controller-Campus and CORE

Parameter Configuration Configuration on CORE
on Agile on Agile
Controller- Controller-
Campus Campus
Name CORE -
IP address 192.168.11.254 IP address of VLANIF 1000, which is used

by CORE to communicate with Agile
Controller-Campus
Device series Huawei S -

Series
Authenticati Admin@123 radius-server shared-key cipher

on/ Admin@123
Accounting
key
Authorizatio Admin@123 radius-server authorization 192.168.11.1

n key shared-key cipher Admin@123
Real-time 15 accounting realtime 15

accounting
interval
(minute)
Port 2000 Port 2000 is used by default. You can run

the web-auth-server listening-port port-
number command in the system view to
change the port number.
Portal key Admin@123 shared-key cipher Admin@123
Access 172.16.30.0/24; IP addresses of guests, corresponding to IP

terminal 172.16.40.0/24 address pools on VLANIF 30 and VLANIF
IPv4 list 40
XMPP Admin@123 group-policy controller 192.168.11.1

password password Admin@123 src-ip
192.168.11.254
a. Choose Resource > Device > Device Management, click Add, and
configure device information and authentication parameters.

Figure 6-3 Adding a device

b. Click the XMPP tab and set XMPP parameters.

Figure 6-4 XMPP
c. Click OK, select CORE, and click Synchronize. The communication status
of the switch becomes , and the synchronization status is Success.
d. Check the communication status between Agile Controller-Campus and
CORE.
[CORE] display group-policy status
Controller IP address:
192.168.11.1
Controller port: 5222
Backup controller IP address:
-
Backup controller port:
-
Source IP address:
192.168.11.254
State: working
Connected controller:
master
Device protocol version:

2
Controller protocol version: 2
2. Enable MAC address-prioritized Portal authentication.

a. Choose System > Terminal Configuration > Global Parameters >
Access Management.
b. On the Configure MAC Address-Prioritized Portal Authentication tab
page, enable MAC address-prioritized Portal authentication, and set
Validity period of MAC address (min) to 60.
Figure 6-5 Configuring MAC address-prioritized Portal authentication
3. Create employee and guest accounts. The following uses the employee
account user1 as an example. The procedure for creating a guest account is
similar to that for creating an employee account.

Choose Resource > User > User Management. Click Add and create
employee account user1.
Figure 6-6 Adding an account
4. Configure security groups employee_group and guest_group to represent

users, as well as security groups email_server and video_server to represent
resources.
a. Choose Policy > Permission Control > Security Group > Dynamic
Security Group Management.
Click Add and create security group employee_group.

Figure 6-7 Adding dynamic security group employee_group
b. Click Add and create security group guest_group.
Figure 6-8 Adding dynamic security group guest_group

c. Choose Static Security Group Management, click Add, and create

security group email_server.
Figure 6-9 Adding static security group mail_server
d. Click Add and create security group video_server.

Figure 6-10 Adding static security group video_server
e. Click Global Deployment. You can view the deployment result on the
deployment details page.
5. Bind employee_group to employees and guest_group to guests through
quick authorization. After being authenticated, employees are added to
employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. According to the
following table, bind employees to employee_group and click OK. Then bind
guests to guest_group and click OK.
Table 6-6 Quick authorization

User User Access User Permission >
Informatio Information > Mode Security group
n > User > Location > SSID
Account
Wire user1 - Wired employee_group

d Access
emp
loye
e
user

User User Access User Permission >

Informatio Information > Mode Security group
n > User > Location > SSID
Account
Wire user1 test01 Wireless employee_group

less Access
emp
loye
e
user
Gue user2 test02 - guest_group

st
Figure 6-11 Quick authorization
6. Configure access control policies and perform global deployment.

a. Choose System > Terminal Configuration > Global Parameters > Free
Mobility, and set Free mobility configuration mode to All devices.
b. Choose Policy > Free Mobility > Policy Configuration > Permission
Control, and add common policies. The following figure shows the
configuration for allowing users in employee_group to access the email
and video servers. Configure other policies in a similar way according to
Table 6-7.

Table 6-7 Inter-group policies

Sour Destination Destination Destinat Destinati Destinati
ce Group Group ion on Group on Group
Secu email_server video_serve Group employe guest_gr
rity r Any e_group oup
Gro
up
emp Permit Permit Permit N/A Deny

loye
e_gr
oup
gues Deny Permit Permit Deny N/A

t_gr
oup
Figure 6-12 Adding network access rights
c. Click OK and then Global Deployment. You can view the deployment
result on the deployment details page.
After successful deployment, you can run the following commands on
CORE to check the deployment information.
▪ display ucl-group all: checks security groups.

[CORE] display ucl-group all
ID UCL group
name
--------------------------------------------------------------------------------
1
2
--------------------------------------------------------------------------------
Total : 2
▪ display acl all: checks access control policies.

[CORE] display acl
all

Total nonempty ACL number is

2
Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0

rule
Acl's step is
5
Ucl-group ACL Auto_PGM_U2 9997, 4

rules
Acl's step is
5
rule 1 deny ip source ucl-group 2 destination 192.168.11.100
0
rule 2 permit ip source ucl-group 2 destination 192.168.11.110
0
rule 3 deny ip source ucl-group 2 destination ucl-group
1
rule 4 permit ip source ucl-group
2

rules
Acl's step is
5
0
0
2
1
Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0

rule
Acl's step is 5
a. Save the configuration of CORE.

Choose Resource > Device > Device Management and click to save
the configuration.
The save operation on Agile Controller-Campus is equivalent to running the save

command on the device, which saves all the device configurations (including
security groups and access control policies configured on Agile Controller-
Campus) to the configuration file.
When security groups and access right control policies are saved to the
configuration file of a device, these configurations can be restored from the
configuration file after the device is restarted, without the need to request
configurations from Agile Controller-Campus. If these configurations are not
saved to the configuration file, user authentication will fail because such
configurations are unavailable after the device is restarted.
----End
Verifying the Deployment

● Run the display access-user username user-name detail command on CORE
to check detailed user login information, such as the authentication mode
(802.1X or Portal), terminal IP address, and security group.
[CORE] display access-user username user1 detail
Basic:

User ID : 49523
User name : user1
Domain-name : huawei.com
User MAC : dc72-9b7e-70a2
User IP address : 172.16.30.133
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss5111
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/08/08 08:45:00
User accounting session ID : CORE00220000000030aa****0104173
User access type : 802.1x
AP name : area_2
Radio ID :1
AP MAC : 4cfa-cafe-e060
SSID : test01
Online time : 43(s)
Dynamic group index(Effective) : 1
Service Scheme Priority :0
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Basic:
User ID : 115814
User name : user1
User MAC : 001b-21c4-820f
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk20
User access time : 2019/08/08 08:12:29
User accounting session ID : CORE002200000000604e****0304466
Terminal Device Type : Data Terminal
AAA:
User authentication type : 802.1x authentication
Current authorization method :-
------------------------------------------------------------------------------
Total: 2, printed: 2
Basic:
User ID : 52993
User name : user2
User MAC : dc72-9b7e-70a2
User access Interface : Wlan-Dbss5112

User access time : 2019/08/08 08:57:47
User accounting session ID : CORE0022000000004005****0104f01
User access type : WEB
AP name : area_2
Radio ID :1
AP MAC : 4cfa-cafe-e060
SSID : test02
Online time : 23(s)
Web-server IP address : 192.168.100.10
AAA:
User authentication type : WEB authentication
------------------------------------------------------------------------------
● Choose Resource > User > Online User Management on Agile Controller-
Campus to check the user login information and the security groups to which
users belong.
● Verify that you can access the mail and video servers using the employee
account after passing 802.1X authentication, no matter where the terminals
are located.
Verify that you can access only the video server using the guest account after
passing MAC address-prioritized Portal authentication, no matter where the
terminal is located.
Verify that the employee and guest can communicate with each other.
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
mac-access-profile mac1
portal-access-profile web1
ucl-group 1
ucl-group 2
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/
6;4[4'HJ(/<%^%#
#

acl name Auto_PGM_OPEN_POLICY 3999

#
acl name Auto_PGM_U9 9997
rule 1 deny ip source ucl-group 9 destination 192.168.11.100 0
rule 2 permit ip source ucl-group 9 destination 192.168.11.110 0
rule 3 deny ip source ucl-group 9 destination ucl-group 8
rule 4 permit ip source ucl-group 9
acl name Auto_PGM_U8 9998
rule 3 deny ip source ucl-group 8 destination ucl-group 9
rule 4 permit ip source ucl-group 8
acl name Auto_PGM_PREFER_POLICY 9999
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
vlan 30
vlan 40
vlan 50
vlan 60
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Vlanif60

ip address 172.16.60.1 255.255.255.0

#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
port trunk allow-pass vlan 20 50
authentication-profile p1
#
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
eth-trunk 20
#
port link-type access
port default vlan 1000
#
eth-trunk 20
#
eth-trunk 10
#
traffic-secure inbound acl name Auto_PGM_OPEN_POLICY
traffic-filter inbound acl name Auto_PGM_PREFER_POLICY
traffic-filter inbound acl name Auto_PGM_U8
traffic-filter inbound acl name Auto_PGM_U9
traffic-filter inbound acl 9996
#
group-policy controller 192.168.11.1 password %^%#XGq,C@c*6=1\8d)="S(&r>iERYpE"@|0X!RThfz$%^
%# src-ip 192.168.11.254
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
ssid-profile name ssid1
ssid test01
ssid test02
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict


forward-mode tunnel
ssid-profile ssid2
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
radio 1
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
● AGG1 configuration file

#
sysname AGG1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
#
description connect to CORE
undo port trunk allow-pass vlan 1
l2protocol-tunnel user-defined-protocol 802.1x enable
#
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
mad detect mode direct
#
eth-trunk 30
#
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#

eth-trunk 10
#
return

#
sysname AGG2
#
vlan batch 20 60
#
0100-0000-0002
#
#
#
eth-trunk 40
#
#
eth-trunk 40
#
#
eth-trunk 20
#
eth-trunk 20
#
return
● ACC1 configuration file

#
sysname ACC1
#
vlan batch 20 50
#
0100-0000-0002
#
#
eth-trunk 30
#
eth-trunk 30
#


stp edged-port enable
#
#
return
#
sysname ACC2
#
vlan batch 20 60
#
0100-0000-0002
#
sysname ACC2
#
vlan batch 20 60
#
#
eth-trunk 40
#
eth-trunk 40
#
#
#
return
6.3 Native AC + Policy Association Solution: Core

Switches Function as the Authentication Point for
Wired and Wireless Users

● Policy association is deployed between core switches and access switches. The
core switches function as control devices to centrally authenticate users and
manage user access policies, and access devices only need to execute user
access policies. This function not only controls network access rights of users,
but also simplifies the configuration and management of access devices.
authentication.
wireless users
Server zone CORE

Core XGE1/2/0/1 CSS
layer
DNS server Authentication XGE1/1/0/1 XGE XGE2/1/0/1
server 1 0/2
/1/ /1/
0/2 E2
XGE0/0/1 XGE0/0/1
XGE1/0/1 XGE1/0/1
Aggregation
AGG1 AGG2
layer
GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point



configured with X
series cards
● Layer 3 fixed
switches that
support the
native AC
function, such as
S5731-H switches
Aggregati - S5731-H
on layer
Access - S5735-L
layer
AP - AP6050DN V200R019C00
Deployment Roadmap
1 Configure AAA on core switches that Core switches (CORE)

function as control devices, including
configuring a RADIUS server template,
AAA schemes, and authentication
domains to enable user authentication,
authorization, and accounting through
RADIUS, as well as configuring
parameters for interconnection between
2 Configure a pre-authentication domain, Core switches (CORE)

a post-authentication domain, and the
escape function, so that users have
corresponding rights before and after
being authenticated as well as when
Agile Controller-Campus is faulty.
3 Configure the policy association Core switches (CORE)

function on core and access switches. and access switches
(ACC1 and ACC2)

employees. and access switches
(ACC1 and ACC2)

5 Configure MAC address-prioritized Core switches (CORE)

Portal authentication for guests. and access switches
(ACC1 and ACC2)

and ACC2)
7 Log in to Agile Controller-Campus, Agile Controller-Campus

configure parameters for
parameters.
Data Plan


APs

wireless users
VLAN 40 172.16.40.0/24

user (PC1)

user (PC2)

with servers

Item Data
AP group ap-group1



Item Data

● Name: auth
Accounting scheme:
● Name: acco

tem_rad
server: 192.168.11.1
server: 1812
192.168.11.1
server: 1813
keys: Admin@123

tem_portal
● IP address: 192.168.11.1


192.168.11.2

Item Data
Post-authentication domains ● Employees: service server and

Internet
● Guests: Internet
The IP addresses of the service server
and campus egress device are
192.168.11.3 and 172.16.3.1,
respectively.

Item Data

switches
keys: Admin@123
minutes

Wireless: 192.168.13.0/24
Wired: 192.168.14.0/24
Accounts Employee:
Guest:

Internet
● Employees and guests cannot

● In this example, Huawei's Agile Controller-Campus in V100R003C50 functions
as the Portal server and RADIUS server.
● The RADIUS authentication key, RADIUS accounting key, and Portal key
configured on Agile Controller-Campus must be the same as those configured
on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● When NAC is enabled on an Eth-Trunk interface, ensure that member
interfaces of the Eth-Trunk interface reside on cards of the same type.
Otherwise, users may fail to go online or services are affected after they go
online.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● For details about the devices that can function as control and access devices
in a policy association scenario and other precautions, see "Licensing
Requirements and Limitations for Policy Association" in S12700 Series Agile
Switches Product Use Precautions.
Procedure

Authentication Mode



[CORE] wlan
[CORE-wlan-view] security-profile name sec1

security policy in security profile sec2 as follows (the default security policy is
open):
[CORE-wlan-sec-prof-sec1] quit


accounting servers.
[CORE] radius-server authorization 192.168.11.1 shared-key cipher Admin@123

[CORE] aaa
[CORE-aaa] quit
DNS server and CAPWAP management network segment to pass through.
[CORE-free-rule-default_free_rule] free-rule 2 source vlan 20
Step 4 Configure the policy association function on core and access switches.
# Configure Eth-Trunk 10 and Eth-Trunk 20 on CORE as control points.
[CORE-Eth-Trunk10] authentication control-point
[CORE-Eth-Trunk20] authentication control-point
# Configure GE0/0/3 on ACC1 as the access point. The configuration of ACC2 is

similar to that of ACC1.
<ACC1> system-view
[ACC1-GigabitEthernet0/0/3] authentication access-point
# Configure ACLs and ACL rules for user authorization on CORE. Specifically,
configure ACL 3001 and ACL 3002 to control the network access rights of
employees and guests, respectively.
[CORE] acl 3001 //Configure an ACL for authorization of employees, so that they can access the Internet
and service server after being authenticated.

[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255

[CORE-acl-adv-3001] rule 3 deny ip destination any
[CORE-acl-adv-3001] quit
[CORE] acl 3002 //Configure an ACL for authorization of guests, so that they can access the Internet after
being authenticated.
# Set the access switch login authentication mode to none authentication on

CORE.
[CORE] as-auth
[CORE-as-auth] auth-mode none
[CORE-as-auth] quit
# Configure the source interface of the CAPWAP tunnel on CORE.

[CORE] capwap source interface vlanif 20
# Configure the source interface for establishing a CAPWAP tunnel on each access
switch. The following uses ACC1 as an example. The configuration of ACC2 is
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on CORE
# Enable access switches to allow packets destined for the DNS server to pass
through. The following uses ACC1 as an example. The configuration of ACC2 is
[ACC1] free-rule-template name default_free_rule
[ACC1-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.2 mask 24
[ACC1-free-rule-default_free_rule] quit
Step 5 On CORE, configure 802.1X authentication for employees and MAC address-
prioritized Portal authentication for guests.
Configure 802.1X authentication for employees.
By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.


forcible domain.




vap1.
[CORE] wlan
Configure MAC address-prioritized Portal authentication for guests.

[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1 //Configure the IP address of the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123 //Configure a shared key used by
CORE to exchange information with the Portal server, which must be the same as that configured on Agile
Controller-Campus.
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal //Configure a URL for the Portal
server.
[CORE-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //
Enable the Portal server detection function so that you can learn the Portal server status in real time and
users can still access the network even if the Portal server is faulty. Note that the value of interval must be
greater than or equal to 15, in seconds; the recommended value is 100.



forcible domain.

profile vap2.
[CORE] wlan
Step 6 Configure 802.1X authentication for employees on access switches. The following
uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.


[ACC1] dot1x-access-profile name d1
[ACC1-dot1x-access-profile-d1] quit

[ACC1] authentication-profile name p1
[ACC1-authen-profile-p1] dot1x-access-profile d1
[ACC1-authen-profile-p1] quit
# Configure 802.1X authentication for wired access of employees on the downlink

interface GE0/0/3.
[ACC1] interface GigabitEthernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication-profile p1
Step 7 Configure transparent transmission of 802.1X packets on both aggregation

switches (AGG1 and AGG2) and access switches (ACC1 and ACC2).
# Configure aggregation switches. The following uses AGG1 as an example. The
configuration of AGG2 is similar to that of AGG1.
[AGG1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] l2protocol-tunnel user-defined-protocol 802.1x enable
[AGG1-Eth-Trunk10] quit
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
# Configure access switches. The following uses ACC1 as an example. The

configuration of ACC2 is similar to that of ACC1.
0100-0000-0002

1. Log in to Agile Controller-Campus.
Open a browser, enter the access address of Agile Controller-Campus in the
address box, and press Enter.
The following table describes addresses for accessing Agile Controller-
Campus.
Access Address Description
https://Agile Controller- Agile Controller-Campus-IP indicates the IP

Campus-IP:8443 address of Agile Controller-Campus.

Access Address Description
IP address of Agile If port 80 is enabled during installation, you

Controller-Campus can access Agile Controller-Campus by
simply entering its IP address without the
port number. In this case, the Agile
Controller-Campus URL will automatically
change to https://Agile Controller-Campus-
IP:8443.
If you log in to Agile Controller-Campus for the first time, use the super
administrator user name admin and password Changeme123. Change the
password immediately after the first login. Otherwise, Agile Controller-
Campus cannot be used.
2. Add switches so that they can communicate with Agile Controller-Campus.
Choose Resource > Device > Device Management, click Add, and configure
device information and authentication parameters.
Table 6-12 RADIUS and Portal parameters
Parameter Value Description
Name CORE -
IP address 192.168.11.254 IP address of a switch's interface that can

communicate with the service controller.
Authenticati Admin@123 Same as the shared key of the RADIUS

on/ server configured on the switch.
Accounting
key
Authorizatio Admin@123 Same as the authorization key of the

n key RADIUS server configured on the switch.
Real-time 15 Same as that configured on the switch.

accounting
interval
(minute)
Port 2000 Port used by the switch to communicate

with the Portal server. Use the default
value.
Portal key Admin@123 Same as that configured on the switch.
Enable Selected Only when Enable heartbeat between

heartbeat access device and Portal server is
between selected and the Portal server IP address is
access added to the Portal server IP address list,
device and the Portal server can periodically send
Portal server heartbeat packets to CORE, based on

Parameter Value Description
Portal server 192.168.11.1 which CORE determines the Portal server

IP address status. This configuration corresponds to
list the server-detect command configured in
the Portal server template view on CORE.
3. Create user groups and accounts. The following describes how to configure
the user group employee. The configuration of the user group guest is
similar.

a. Choose Resource > User > User Management.
b. Click in the operation area on the left, and create the user group
employee.
Figure 6-15 Adding a user group
c. Click Add in the operation area on the right, and add an account.

d. Click Transfer in the operation area on the right, and add the account to
the user group employee.

Figure 6-17 Adding an account to a user group

Access Management.

5. Configure authorization. End users will match authorization rules based on

specified conditions. The following describes how to configure authorization
for employees. The configuration for guests is similar.
a. Choose Policy > Permission Control > Authentication & Authorization>
Authorization Result, and configure a post-authentication domain for
employees.

Figure 6-19 Adding an authorization result
b. Choose Resource> User > IP Address Range, set the name of an IP

address range to wire, and add IP address segments 172.16.50.0/24 and
172.16.60.0/24.

Figure 6-20 Adding an IP address range
c. Choose Policy > Permission Control > Authentication & Authorization

> Authorization Rule, and configure authorization rules for employees
and guests according to the following tables. The following describes how
to configure authorization rules for employees. The configuration for
guests is similar.

Table 6-13 Authorization rule for wired access of employees

Name User Group Terminal IP Authorization
Address Range Result
wire_employee_ employee wire employee_dom

auth_rule ain
Table 6-14 Authorization rule for wireless access of employees

Name User Group SSID Authorization
Result
wireless_employ employee test01 employee_dom

ee_auth_rule ain
Table 6-15 Authorization rule for guests

Name User Group SSID Authorization
Result
guest_auth_rule guest test02 guest_domain

Figure 6-22 Authorization rule for wired access of employees


Figure 6-23 Authorization rule for wireless access of employees

----End

Check Expected Result
Item
Employee ● An employee can use the 802.1X client on a wired terminal to

authenticat complete 802.1X authentication.
ion ● The employee can use a mobile terminal to associate with the
SSID test01 and complete 802.1X authentication to access the
Wi-Fi network.
● After the employee is authenticated, you can run the display
access-user username user1 detail command on CORE to
check the online, authentication, and authorization information
of the employee account.
● On Agile Controller-Campus, you can choose Resource > User
> RADIUS Log to check RADIUS authentication logs of the
employee account.


Item
Guest ● A guest can use a mobile terminal to associate with the SSID
authenticat test02, enter http://192.168.11.1:8080/portal in the address
ion box of a browser, and enter the user name and password on
the redirection page to complete Portal authentication and
access the Wi-Fi network.
After disconnecting from the Wi-Fi network, the guest can
access the Internet again by associating with the SSID test02,
without the need to enter the user name and password.
● After the guest is authenticated, you can run the display
of the guest account.
guest account.
The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
Basic:
User ID : 115871
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User access Interface : Eth-Trunk10 //Interface on which the user goes online
User access time : 2019/08/13 10:02:31
User accounting session ID : CORE00210000000050ab****030449f
User access type : 802.1x //User access type
AS ID :0 //ID of the access device
AS name : acc1 //Name of the access device
AS IP : 192.168.20.56 //IP address of the access device IP
AS MAC : 000b-099d-eb3b //MAC address of the access device MAC
AS Interface : GigabitEthernet0/0/2 //Access point
Dynamic ACL ID(Effective) : 3001 //Authorization ACL
Dynamic service scheme : test //Service scheme
AAA:
User authentication type : 802.1x authentication //Authentication mode
------------------------------------------------------------------------------

Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.
Configuration Files
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
#
dhcp enable
#
#
6;4[4'HJ(/<%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 2 deny ip
#
free-rule 2 source vlan 20
#
server-ip 192.168.11.1
port 50200
url http://192.168.11.1:8080/portal
server-detect interval 100 max-times 5 action log
#
#
vlan 30
vlan 40
vlan 50
vlan 60
#
aaa

domain huawei.com
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
#
ip address 192.168.11.254 255.255.255.0
#
authentication control-point
#
#
eth-trunk 10
#
eth-trunk 20
#
#
eth-trunk 20
#
eth-trunk 10
#
#

wlan
user-isolate l2
user-isolate l2
ssid test01
ssid test02
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_1
ap-group ap-group1
ap-name area_2
ap-group ap-group1
#
as-auth
auth-mode none
#
#
#
return

#
sysname AGG1
#
vlan batch 20 50
#
0100-0000-0002
#

#
#
eth-trunk 10
#
eth-trunk 30
#
eth-trunk 10
#
eth-trunk 30
#
return

#
sysname AGG2
#
vlan batch 20 60
#
0100-0000-0002
#
#
#
eth-trunk 20
#
eth-trunk 40
#
eth-trunk 20
#
eth-trunk 40
#
return

#
sysname ACC1
#
vlan batch 20 50
#
#
0100-0000-0002
#
as access interface vlanif 20
as access controller ip-address 192.168.20.1

#
#
interface Vlanif20
ip address dhcp-alloc
#
#
eth-trunk 30
#
eth-trunk 30
#
authentication access-point
#
#
#
return

#
sysname ACC2
#
vlan batch 20 60
#
#
0100-0000-0002
#
#
#
interface Vlanif20
#
#
eth-trunk 40
#
eth-trunk 40
#

#
#
#
return
6.4 Native AC + NAC Solution: Core Switches Function

as the Authentication Point for Wired and Wireless
Users
authentication.
● The authentication server delivers authorization ACLs to control network
access rights of different users.

wireless users
Server zone
(including RADIUS
Core XGE1/2/0/1 CSS
layer
XGE1/1/0/1 XG XGE2/1/0/1
E1 0/2
/1/ /1/
0/2 E2
XGE0/0/1 XGE1/0/1 XGE1/0/1 XGE0/0/1

Aggregation
layer AGG1 AGG2
GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3

GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point


configured with X
series cards
● Layer 3 fixed
switches that
support the
native AC
function, such as
S5731-H switches
Aggregati - S5731-H
on layer
Access - S5735-L
layer
AP - AP6050DN V200R019C00

Deployment Roadmap
1 Configure AAA, including configuring a Core switches (CORE)

RADIUS server template, AAA schemes, and
authentication domains to enable user
authentication, authorization, and
accounting through RADIUS, as well as
configuring parameters for interconnection
between switches and the RADIUS server.
2 Configure a pre-authentication domain, a Core switches (CORE)

post-authentication domain, and the escape
function, so that users have corresponding
rights before and after being authenticated
as well as when Agile Controller-Campus is
faulty.

employees.
4 Configure MAC address-prioritized Portal Core switches (CORE)

authentication for guests.

and ACC2)
6 Log in to Agile Controller-Campus, add users, Agile Controller-Campus

and configure parameters for
interconnection with CORE, RADIUS and
Portal parameters, as well as the
authentication and authorization functions.
Data Plan


APs

wireless users
VLAN 40 172.16.40.0/24

user (PC1)

user (PC2)


with servers

Item Data
AP group ap-group1


Item Data

● Name: auth
Accounting scheme:
● Name: acco

tem_rad
server: 192.168.11.1
server: 1812
192.168.11.1
server: 1813
keys: Admin@123

Item Data

tem_portal
● IP address: 192.168.11.1


192.168.11.2

Internet
192.168.11.3 and 172.16.3.1,
respectively.
Escape function (RADIUS server Down ● Status: enabled

and Portal server Down) ● Network access rights: same as
those in the post-authentication
domain

Item Data

switches
keys: Admin@123
minutes

Item Data

172.16.30.0/24, 172.16.40.0/24
Accounts Employee:
Guest:
● In this example, Huawei's Agile Controller-Campus in V100R001 functions as
the Portal server and RADIUS server. In addition to V100R001, Agile
Controller-Campus can also run V100R002 or V100R003.
● The RADIUS authentication key, RADIUS accounting key, and Portal key
configured on Agile Controller-Campus must be the same as those configured
on switches.
● When NAC is enabled on an Eth-Trunk interface, ensure that member
interfaces of the Eth-Trunk interface reside on cards of the same type.
Otherwise, users may fail to go online or services are affected after they go
online.
For other precautions, see "Licensing Requirements and Limitations for NAC Unified Mode"
in the S12700 Series Agile Switches Product Use Precautions.
Procedure


Authentication Mode




security policy in security profile sec2 as follows (the default security policy is
open):
accounting servers.
<CSS> system-view
[CSS] sysname CORE


[CORE] aaa
[CORE-aaa] quit
Step 3 Configure a pre-authentication domain, a post-authentication domain, and the

escape function on CORE.

# Configure a pre-authentication domain to allow packets destined for the DNS

server to pass through before users are authenticated.
# Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to

control the network access rights of employees and guests, respectively.
# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[CORE] aaa
[CORE-aaa] service-scheme s1 //Configure service scheme s1 for authorization of employees if Agile
Controller-Campus is faulty.
[CORE-aaa-service-s1] acl-id 3001
[CORE-aaa-service-s1] quit
[CORE-aaa] service-scheme s2 //Configure service scheme s1 for authorization of guests if Agile
Controller-Campus is faulty.
[CORE-aaa-service-s2] acl-id 3002
[CORE-aaa-service-s2] quit
[CORE-aaa] quit
Step 4 Configure 802.1X authentication for employees on CORE.

By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.

forcible domain.
[CORE-authen-profile-p1] authentication event authen-server-down action authorize service-scheme
s1 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[CORE-authen-profile-p1] authentication event authen-server-up action re-authen



vap1.
[CORE] wlan
Step 5 Configure MAC address-prioritized Portal authentication for guests on CORE.

[CORE-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //

[CORE-portal-acces-profile-web1] authentication event portal-server-down action authorize service-
scheme s2 //Enable the switch to grant network access rights to users if the authentication server is faulty.
[CORE-portal-acces-profile-web1] authentication event portal-server-up action re-authen


forcible domain.
[CORE-authen-profile-p1] authentication event authen-server-down action authorize service-scheme
[CORE-authen-profile-p1] authentication event authen-server-up action re-authen

profile vap2.
[CORE] wlan

Step 6 Configure transparent transmission of 802.1X packets on both aggregation and

access switches. The following uses access switch ACC1 (S5720-SI) as an example.
The configuration of other switches is similar to that of ACC1.
If a switch supports the bpdu enable command, run both the bpdu enable and
l2protocol-tunnel user-defined-protocol 802.1x enable commands on an
interface of the switch.
0100-0000-0002


on Agile on Agile
Campus Campus
Name CORE -

Controller-Campus

Series

on/ Admin@123
Accounting
key


accounting
interval
(minute)


on Agile on Agile
Campus Campus


IPv4 list 40

which CORE determines the Portal server
Portal server 192.168.11.1 status. This configuration corresponds to
IP address the server-detect command configured in
list the Portal server template view on CORE.


the user group Employee. The configuration of the user group Guest is
similar.
Employee.


the user group Employee.


Access Management.


employees.

b. Configure authorization rules for employees and guests according to

Table 6-21. The following describes how to configure authorization rules
for wired access of employees. The configuration for guests is similar.
Table 6-21 Authorization rules for employees and guests

Name User Terminal IP SSID Authorizati
Group Address on Result
Range
Wired Employee wire - Employees_

employees post-
authorizatio authenticat
n rule ion_domain
Wireless Employee - test01 Employees_

employees post-
n rule ion_domain


Range
Guests Guest - test02 Guests_post

authorizatio -
n rule authenticat
ion_domain
▪ Choose Resource> User > IP Address Range, set the name of an IP

address range to wire, and add IP address segments 172.16.50.0/24
and 172.16.60.0/24.
▪ Choose Policy > Permission Control > Authentication &

Authorization > Authorization Rule.

Figure 6-32 Adding an authorization rule

----End

Item
Employee ● An employee can use the 802.1X client on a wired terminal to

authenticat complete 802.1X authentication.
ion ● The employee can use a mobile terminal to associate with the
Wi-Fi network.
guest account.


Item
guest account.
Basic:
User ID : 118293
User access Interface : Eth-Trunk20 //Interface on which the user goes online
User access time : 2019/08/05 03:15:16
User accounting session ID : CORE00220000000060ad****0304e15
Dynamic ACL ID(Effective) : 3001 //Authorization information
AAA:
------------------------------------------------------------------------------
Configuration Files
#
sysname CORE

#
vlan batch 20 30 40 50 60 1000
#
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
#
dhcp enable
#
#
6;4[4'HJ(/<%^%#
#
acl number 3001
rule 3 deny ip
acl number 3002
rule 2 deny ip
#
#
server-ip 192.168.100.10
port 50200
url http://192.168.100.10:8080/portal
#
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
#
vlan 30
vlan 40
vlan 50
vlan 60
#
aaa
service-scheme s1
acl-id 3001
service-scheme s2

acl-id 3002
domain huawei.com
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
#
ip address 192.168.11.254 255.255.255.0
#
#
#
interface GigabitEthernet1/1/0/1
eth-trunk 10
#
eth-trunk 20
#
#
eth-trunk 20
#
eth-trunk 10
#
#
#
wlan


user-isolate l2
user-isolate l2
ssid test01
ssid test02
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_1
ap-group ap-group1
ap-name area_2
ap-group ap-group1
#
#
return

#
sysname AGG1
#
vlan batch 20 50
#
0100-0000-0002
#
#


#
eth-trunk 30
#
#
eth-trunk 30
#
#
eth-trunk 10
#
eth-trunk 10
#
return

#
sysname AGG2
#
vlan batch 20 60
#
0100-0000-0002
#
#
#
eth-trunk 40
#
#
eth-trunk 40
#
#
eth-trunk 20
#
eth-trunk 20
#
return

#
sysname ACC1

#
vlan batch 20 50
#
0100-0000-0002
#
#
eth-trunk 30
#
eth-trunk 30
#
#
#
return

#
sysname ACC2
#
vlan batch 20 60
#
0100-0000-0002
#
sysname ACC2
#
vlan batch 20 60
#
#
eth-trunk 40
#
eth-trunk 40
#
#


#
return
6.5 Native AC + Policy Association Solution:

Aggregation Switches Function as the Authentication
Points for Wired and Wireless Users
of data. Aggregation switches set up stacks to implement device-level backup and
increase the interface density and forwarding bandwidth. In addition, aggregation
switches are configured with the native AC function to manage APs and transmit
wireless service traffic on the entire network, implementing wired and wireless
convergence.
In this example, aggregation switches function as the gateways and
authentication points for wired and wireless users on the entire network. These
authentication.
● Policy association is deployed between aggregation switches and access
switches. The aggregation switches function as control devices to centrally
authenticate users and manage user access policies, and access devices only
need to execute user access policies. This function not only controls network
access rights of users, but also simplifies the configuration and management
of access devices.

Figure 6-33 Aggregation switches functioning as authentication points for wired

and wireless users
Server zone
Eth-Trunk 30
XGE1/1/0/3 XGE2/1/0/3
Authentication CSS
DNS server XGE1/2/0/1
Core layer
server
CORE
XGE1/1/0/1 XG 2 XGE2/1/0/1
E1
/1/ /1 /0/
Service server Special server Eth-Trunk 10 0/2 E2 Eth-Trunk 20
XG
XGE0/0/1 XGE0/0/1
Aggregation XGE1/0/1 XGE1/0/1
layer AGG1 AGG2
GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3

GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point

Authentic Agile Controller- Agile Controller- V100R003C60SPC20

ation Campus running Campus 6
server V100R001,
V100R002, or
V100R003
Core layer - S12700E V200R019C10
Aggregati Modular switches S5731-H

on layer equipped with X
series cards or Layer
3 fixed switches that
support native AC
function
Access - S5735-L
layer
AP - AP6050DN V200R019C00

Deployment Roadmap
Configu 1. Enable campus network connectivity. All switches

re
switches 2. Configure AAA, including configuring a Aggregation switches
. RADIUS server template, AAA schemes, (AGG1 and AGG2)
and authentication domains, as well as
configuring parameters for
interconnection between switches and the
RADIUS server.
3. Configure policy association. Aggregation switches

(AGG1 and AGG2) and
and ACC2)
4. Configure resources accessible to users Aggregation switches

before they are authenticated (referred to (AGG1 and AGG2) and
as authentication-free resources), post- access switches (ACC1
authentication domains, and escape and ACC2)
function, so that users have corresponding
network access rights in different
authentication phases.
5. Configure 802.1X authentication for Aggregation switches

employees. (AGG1 and AGG2) and
and ACC2)
6. Configure MAC address-prioritized Aggregation switches

Portal authentication for guests. (AGG1 and AGG2)
7. Configure Layer 2 transparent Access switches (ACC1

transmission for 802.1X authentication and ACC2)
packets.
Configu 8. Add devices that need to communicate -

re Agile with Agile Controller-Campus, and
Controll configure RADIUS and Portal
er- authentication parameters.
Campus.
9. Add user groups and user accounts.
10. Enable MAC address-prioritized Portal

authentication.
11. Configure network access rights for

successfully authenticated employees and
guests.

Data Plan
Network segment for - 172.16.3.0/24

connecting to the
Internet
Network segment for VLAN 70 172.16.70.0/24

communication with
AGG1

communication with
AGG2

communication with
servers
Table 6-23 Service data plan for aggregation switches
Device Item VLAN ID Network Segment
AGG1 Management VLAN 20 192.168.20.0/24

VLAN for access
devices and APs
Service VLANs VLAN 30 172.16.30.0/24

for wireless users (employee)
VLAN 31 (guest) 172.16.31.0/24
Service VLAN for VLAN 50 172.16.50.0/24

wired users
Network VLAN 70 172.16.70.0/24

segment for
communication
with CORE

VLAN for access
devices and APs

VLAN 41 (guest) 172.16.41.0/24

wired users

Network VLAN 80 172.16.80.0/24

segment for
communication
with CORE
Table 6-24 Wireless service data plan for aggregation switches

Item Employee Guest
Traffic profile traff: The user isolation mode is Layer 2 isolation

and Layer 3 communication.
Security profiles sec1: WPA/WPA2-802.1X sec2: open system

authentication authentication (default
security policy)
SSID profiles ssid1 ssid2
AP groups ap-group1 (AGG1) and ap-group2 (AGG2)
Regulatory domain domain1 (AGG1) and domain2 (AGG2)

profiles
Service data forwarding Tunnel forwarding

mode
Service VLANs VLAN 30 and VLAN 40 VLAN 31 and VLAN 41
VAP profiles vap1 vap2
Table 6-25 Authentication service data plan for aggregation switches

Item Data
AAA schemes ● auth: authentication scheme for RADIUS

authentication
● acco: accounting scheme for RADIUS accounting
RADIUS server ● RADIUS server template name: tem_rad

● IP addresses of the authentication, accounting,
and authorization servers: 192.168.100.10
● Port number of the authentication server: 1812
● Port number of the accounting server: 1813
● Authentication and accounting keys: Admin@123

Item Data
Portal server ● Portal server template name: tem_portal

● IP address of the Portal server: 192.168.100.10
● Shared key of the Portal server: Admin@123

Authentication-free DNS server: 192.168.100.2

resources
Post-authentication ● Employees: service server, Internet, and network

domains segments of employees
● Guests: Internet and network segments of guests
The IP addresses of the service server, special server,
and campus egress device are 192.168.100.3,
192.168.100.100, and 172.16.3.1, respectively.
Escape function Same network access rights as those in post-

authentication domains
Table 6-26 Policy association data plan

Item Data
Control points ● Eth-Trunk 30 on AGG1

● Eth-Trunk 40 on AGG2
Access points ● GE0/0/3 on ACC1

● GE0/0/3 on ACC2

Item Data
User accounts (user name/password) ● Employees: user1/Huawei@123,

user2/Huawei@456
● Guest: guest4/Guest@123
IP addresses of aggregation switches ● AGG1: 172.16.70.2

● AGG2: 172.16.80.2

Item Data
RADIUS authentication parameters ● Device series: Huawei S series

switches
keys: Admin@123
minutes
Portal authentication parameters ● Portal key: Admin@123

● IP address list of access terminals
(AGG1): 172.16.30.0/24,
172.16.31.0/24
(AGG2): 172.16.40.0/24,
172.16.41.0/24
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● The following describes only the configurations of AGG1 and ACC1. The
configuration of AGG2 is similar to that of AGG1, and the configuration of
ACC2 is similar to that of ACC1. For details about the configurations, see
Configuration Files in this section.
Procedure
Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and
advertise the network segment using the Open Shortest Path First (OSPF)
protocol.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] description connect to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/3
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] ip address 172.16.3.1 24

[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
Step 2 Configure AAA parameters.

# Configure the RADIUS server template tem_rad, and configure the parameters
for interconnection between aggregation switches and the RADIUS server,
including the IP addresses, port numbers, authentication key, and accounting key
of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG1-radius-tem_rad] quit
# Configure a RADIUS authorization server and an authorization key.

[AGG1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123
# Configure an AAA authentication scheme and an AAA accounting scheme, set

the authentication and accounting modes to RADIUS, and set the accounting
interval to 15 minutes.
[AGG1] aaa
[AGG1-aaa] authentication-scheme auth
[AGG1-aaa-authen-auth] authentication-mode radius
[AGG1-aaa-authen-auth] quit
[AGG1-aaa] accounting-scheme acco
[AGG1-aaa-accounting-acco] accounting-mode radius
[AGG1-aaa-accounting-acco] accounting realtime 15
[AGG1-aaa-accounting-acco] quit
# Configure the authentication domain huawei.com and bind AAA schemes and
RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit
Step 3 Configure policy association.

# Configure Eth-Trunk 30 on the control device AGG1 as a control point.
[AGG1] interface Eth-Trunk 30
[AGG1-Eth-Trunk30] authentication control-point
# Enable access devices to establish CAPWAP tunnels with the control device
without authentication.
[AGG1] as-auth
[AGG1-as-auth] auth-mode none
Warning: None authentication is configured, which has security risks. Continue? [Y/N]:y
[AGG1-as-auth] quit
# Configure the source interface used by the control device to establish a CAPWAP
tunnel.
[AGG1] capwap source interface vlanif 20
# Configure GE0/0/3 on the access device ACC1 as an access point.

<ACC1> system-view

[ACC1-GigabitEthernet0/0/3] authentication access-point

# Configure the source interface used by the access device to establish a CAPWAP
tunnel, and specify the IP address of the control device.
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on AGG1
Step 4 Configure authentication-free resources, post-authentication domains, and the

escape function.
# On the control device, configure authentication-free resources to allow packets

destined for the DNS server and packets in the management VLAN for policy
association to pass through.
[AGG1] free-rule-template name default_free_rule
[AGG1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG1-free-rule-default_free_rule] free-rule 2 source vlan 20
[AGG1-free-rule-default_free_rule] quit
# Configure authentication-free resources on the access device so that it can send

all user packets to the control devices for processing.
[ACC1] free-rule-template name default_free_rule
[ACC1-free-rule-default_free_rule] free-rule 1 destination any source any
[ACC1-free-rule-default_free_rule] quit

ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network
segments of wireless users and all the network segments that wireless users can access.
Otherwise, all packets of wireless users are discarded on APs even if the users are
successfully authenticated.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the
Internet after being authenticated.
DNS server after being authenticated.
service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to
[AGG1-acl-adv-3001] rule 8 deny ip destination any
[AGG1-acl-adv-3001] quit
[AGG1] acl 3002
[AGG1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the
[AGG1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate
with each other.
with each other.

[AGG1] aaa
[AGG1-aaa] service-scheme s1 //Enable the switch to grant the network access rights in service scheme
s1 to employees if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s1] acl-id 3001
[AGG1-aaa-service-s1] quit
s2 to guests if Agile Controller-Campus is faulty.
[AGG1-aaa] quit
Step 5 Configure 802.1X authentication for employees.

# Configure an 802.1X access profile on the control device. By default, an 802.1X
access profile uses EAP authentication. Ensure that the RADIUS server supports
EAP; otherwise, the RADIUS server cannot process 802.1X authentication requests.
[AGG1] dot1x-access-profile name d1
[AGG1-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees on the control device.

[AGG1] authentication-profile name p1
[AGG1-authen-profile-p1] dot1x-access-profile d1
[AGG1-authen-profile-p1] free-rule-template default_free_rule
[AGG1-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a
forcible domain.
[AGG1-authen-profile-p1] authentication event authen-server-down action authorize service-scheme
[AGG1-authen-profile-p1] authentication event authen-server-up action re-authen //Configure the
switch to re-authenticate employees after the authentication server recovers.
[AGG1-authen-profile-p1] quit

interface Eth-Trunk 30 of the control device.
[AGG1-Eth-Trunk30] authentication-profile p1
# Configure a security policy for wireless users. The security policies for wireless
users vary according to authentication modes. For employees who use 802.1X
authentication, configure a security policy in security profile sec1 as follows.
User Wireless Security Policy Remarks

Role User
Authenticati
on Mode
Emplo 802.1X WPA/WPA2-802.1X In this example, WPA2

yee authenticatio authentication authentication is used.
n
Guest MAC address- Open system The default security policy is

prioritized authentication open system authentication.
Portal Therefore, you do not need to
authenticatio configure a security policy for
n guests.
[AGG1] wlan
[AGG1-wlan] security-profile name sec1

[AGG1-wlan-sec-prof-sec1] security wpa2 dot1x aes

Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-sec-prof-sec1] quit
#Configure 802.1X authentication for wireless access of employees in VAP profile

vap1.
[AGG1-wlan-view] vap-profile name vap1
[AGG1-wlan-vap-prof-vap1] authentication-profile p1
[AGG1-wlan-vap-prof-vap1] quit
[AGG1-wlan-view] quit
# Configure an 802.1X access profile on the access device.

[ACC1] dot1x-access-profile name d1
[ACC1-dot1x-access-profile-d1] quit
# Configure an authentication profile for employees on the access device.

[ACC1] authentication-profile name p1
[ACC1-authen-profile-p1] dot1x-access-profile d1
[ACC1-authen-profile-p1] quit

interface GE0/0/3 of the access device.
[ACC1] interface GigabitEthernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication-profile p1
Step 6 Configure MAC address-prioritized Portal authentication for guests.

interconnection between aggregation switches and the Portal server. The
parameters include the IP address, port number, and shared key of the Portal
server, as well as the URL of the Portal page.
[AGG1] web-auth-server tem_portal
[AGG1-web-auth-server-tem_portal] server-ip 192.168.100.10
[AGG1-web-auth-server-tem_portal] port 50200
[AGG1-web-auth-server-tem_portal] shared-key cipher Admin@123
[AGG1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[AGG1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //
[AGG1-web-auth-server-tem_portal] quit

[AGG1] portal-access-profile name web1
[AGG1-portal-acces-profile-web1] web-auth-server tem_portal direct
[AGG1-portal-acces-profile-web1] authentication event portal-server-down action authorize service-
scheme s2 //Enable the switch to grant network access rights to users if the Portal server is faulty.
[AGG1-portal-acces-profile-web1] authentication event portal-server-up action re-authen //Configure
the switch to re-authenticate guests after the Portal server recovers.
[AGG1-portal-acces-profile-web1] quit

[AGG1] mac-access-profile name mac1
[AGG1-mac-access-profile-mac1] quit

[AGG1-authen-profile-p2] portal-access-profile web1
[AGG1-authen-profile-p2] mac-access-profile mac1
forcible domain.

switch to re-authenticate guests after the authentication server recovers.


profile vap2.
[AGG1] wlan
Step 7 Configure Layer 2 transparent transmission for 802.1X authentication packets on

the access device. This function needs to be configured on all interfaces through
which 802.1X authentication packets pass. If a switch does not support the bpdu
enable command, you only need to run the l2protocol-tunnel user-defined-
protocol 802.1x enable command on its interface.
<ACC1> system-view
0100-0000-0002
[ACC1] interface Eth-Trunk 30
Step 8 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-28, and click OK.
Table 6-28 Parameter settings on Agile Controller-Campus and AGG1

Parameter on Configuration Configuration on AGG1
Agile on Agile
Campus Campus
Name AGG1 -
IP address 172.16.70.2 IP address of VLANIF 70, which is used by

AGG1 to communicate with Agile Controller-
Campus


Agile on Agile
Campus Campus
Enable Selected -
RADIUS
(mandatory
for 802.1X,
Portal, and
MAC address
authentication
, Free Mobility,
and Service
Chain)

Series
Authentication Admin@123 [AGG1-radius-tem_rad] radius-server shared-key cipher

Admin@123
/Accounting
key
Authorization Admin@123 [AGG1] radius-server authorization 192.168.100.10

shared-key cipher Admin@123
key
Real-time 15 [AGG1-aaa-accounting-acco] accounting realtime 15

accounting
interval
(minute)
Enable Portal Selected -

(mandatory
for Portal
authentication
)
Portal protocol HUAWEI portal -

type protocol
Portal key Admin@123 [AGG1-web-auth-server-tem_portal] shared-key cipher

Admin@123
Access 172.16.30.0/24; List of IP addresses used by employees and

terminal IPv4 172.16.31.0/24 guests for accessing the network in wireless
list mode

heartbeat access device and Portal server is selected
between and the Portal server IP address is added to
access device the Portal server IP address list, the Portal
and Portal server can periodically send heartbeat
server packets to AGG1, based on which AGG1
determines the Portal server status. This
configuration corresponds to the server-


Agile on Agile
Campus Campus
Portal server 192.168.100.10 detect command configured in the Portal

IP address list server template view on AGG1.


Step 9 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.

Step 10 Enable MAC address-prioritized Portal authentication.

# Choose System > Terminal Configuration > Global Parameters > Access
Management. On the Configure MAC Address-Prioritized Portal
Authentication tab page, enable MAC address-prioritized Portal authentication,
set Validity period of MAC address (min) to 60, and click OK.

Step 11 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-29, and click OK. Here, the employee
authorization result is used as an example.

Table 6-29 Authorization results for employees and guests

Name Authorization Parameter: ACL
Number/AAA User Group
Employee authorization result 3001
Guest authorization result 3002
# Configure authorization rules. Choose Policy > Permission Control >

Authentication & Authorization > Authorization Rule, click Add, set parameters
according to Table 6-30, and click OK. Here, the employee authorization rule is
used as an example.


Name Authorization Authorization Result
Condition: User Group
Employee authorization Employee Employee authorization

rule result
Guest authorization rule Guest Guest authorization

result
----End
Expected Results
1. Access devices can go online on the control device.

2. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
3. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
4. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
5. The employees can communicate with each other, but cannot communicate
with the guest.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.

1. Verify that access devices can go online on the control device.
# Run the display as all command on the control device. The command
output shows that the access device is online.
[AGG1] display as all
Total: 1, Normal: 1, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5735-L 000b-099d-eb3b 192.168.20.220 normal acc1
--------------------------------------------------------------------------------
2. Verify that the employees and guest can access only the authentication-free
resources, but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication. The following uses wired
access of an employee as an example.
# Enter an incorrect user name or password on PC1, and then run the display
access-user command on AGG1 to view information about online users. The
command output shows that user1 is online but is in Pre-authen state; that
is, authentication has not been performed or user authentication fails.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
UserID Username IP address MAC

Status
------------------------------------------------------------------------------------------------------
49208 user1 172.16.50.172 001b-21c4-820f Pre-

authen
------------------------------------------------------------------------------------------------------

# On PC1, ping an authentication-free resource, for example, the DNS server

with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
Pinging 192.168.100.2 with 32 bytes of data:

Reply from 192.168.100.2: bytes=32 time<1ms TTL=252
Ping statistics for 192.168.100.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\*******>
# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation fails.
C:\Users\*******>ping 172.16.3.1

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>
3. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password of the wired employee user on
PC1, connect to the WLANs Employee and Guest using wireless user
accounts, and then run the display access-user command on AGG1 to view
information about online users. The command output shows that both the
employee and guest users are in Success state.
------------------------------------------------------------------------------------------------------

Status
------------------------------------------------------------------------------------------------------
49208 user1 172.16.50.172 001b-21c4-820f

Success
49212 user2 172.16.30.81 38ca-da5e-441a
Success
49216 guest4 172.16.31.153 64b0-a6a3-f913 Success
------------------------------------------------------------------------------------------------------
# Run the display access-user username user1 detail command on AGG1 to
view the authentication, authorization, and access location (GE0/0/3 on
ACC1) information of user1.
[AGG1] display access-user username user1 detail
Basic:
User ID : 49208
User name : user1

User IPv6 address : FE80::E9AA:
9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:
9FE9:95F9:C499
User access time : 2019/09/03
17:16:16
User accounting session ID : LSW5-
AG0001800000005061****0300038
AS ID :0
AS name : acc1
AS IP : 192.168.20.220
AS MAC : 000b-099d-eb3b
AS Interface : GigabitEthernet0/0/3
Dynamic ACL ID(Effective) : 3001
Dynamic service scheme :-
AAA:
User authentication type : 802.1x
authentication
Current authentication method :
RADIUS
Current accounting method :
RADIUS
------------------------------------------------------------------------------

view the authentication, authorization, and access location (AP area_1)
information of user2.
Basic:
User ID : 49212
User name : user2
User MAC : 38ca-da5e-441a
User access Interface : Wlan-
Dbss2177
17:16:38
AG000180000000308a****030003e
AP name : area_1
Radio ID :0
AP MAC : ac85-3da6-a420
SSID : Employee
Online time : 251(s)


AAA:
authentication
RADIUS
RADIUS
------------------------------------------------------------------------------
# Run the display access-user username guest4 detail command on AGG1
to view the authentication, authorization, and access location (AP area_1)
information of guest4.
[AGG1] display access-user username guest4 detail
Basic:
User ID : 49216
User name : guest4
User MAC : 64b0-a6a3-f913
Dbss2180
17:37:22
AG0001800000003172****0300040
AP name : area_1
Radio ID :1
SSID : Guest
Web-server IP address :
192.168.100.10
AAA:
User authentication type : WEB
authentication
RADIUS
RADIUS
------------------------------------------------------------------------------
4. Verify that the successfully authenticated employees and guest can access
domains. The following uses wired access of an employee as an example.


C:\Users\*******>ping 192.168.100.2


C:\Users\*******>

the campus egress device with IP address 172.16.3.1. The ping operation
succeeds.
C:\Users\*******>ping 172.16.3.1
Pinging 172.16.3.1 with 32 bytes of dataa:


C:\Users\*******>
# On PC1, ping a resource denied in the post-authentication domain, for

example, the special server with IP address 192.168.100.100. The ping
operation fails.
C:\Users\*******>ping 192.168.100.100

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>
5. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.81

Reply from 172.16.30.81: bytes=32 time=106ms TTL=63


C:\Users\*******>
# On PC1, ping the IP address of the terminal used by guest4. The ping
operation fails.
C:\Users\*******>ping 172.16.31.153

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
ip address 192.168.100.1 255.255.255.0
#
description connect to AGG1
port trunk allow-pass vlan 70
mode lacp
#
mode lacp
#
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
eth-trunk 10
#
eth-trunk 20
#
eth-trunk 30
#
#

eth-trunk 20
#
eth-trunk 10
#
eth-trunk 30
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
# AGG1 configuration file

#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#QM@-!k^FcW*pZR2\4y93zY`;XY`TG356P_:6g7*O%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#S"vi.B|D80}JJgD*N%h&6+AUO7X-T/l0V
$;|PU$A%^%#
#
acl number 3001
rule 8 deny ip
acl number 3002
rule 5 deny ip
#
#
server-ip 192.168.100.10

port 50200
shared-key cipher %^%#4~o~~(mF^~L=JK5Pd94Y$[Rq<"AL$Kt1!1Q+W5r@%^%#
url http://192.168.100.10:8080/portal
#
#
vlan 30
vlan 31
vlan 50
#
aaa
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
mode lacp
#

mode lacp
#
eth-trunk 30
#
eth-trunk 30
#
eth-trunk 10
#
eth-trunk 10
#
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
#
wlan
traffic-profile name traff
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
traffic-profile traff
forward-mode tunnel
ssid-profile ssid2
regulatory-domain-profile name domain1
radio 0
radio 1
ap-name area_1
ap-group ap-group1
#
as-auth

auth-mode none
#
#
#
return

#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#fax3=MV"r//"O"5FMI;5&H_R7f2k$Tfj6[1Xa0$5%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#3xW1/X3Dv=QAh^+{A2SA<g5cJ#]\5B:|
Jl)|;GB2%^%#
#
acl number 3001
rule 8 deny ip
acl number 3002
rule 5 deny ip
#
#
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#7#CV~W{9N'1()yUYlP(BhQ&AMk(xTU;)]yCTa5mG%^%#
url http://192.168.100.10:8080/portal
#

#
vlan 40
vlan 41
vlan 60
#
aaa
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
mode lacp
#
mode lacp
#
eth-trunk 40
#
eth-trunk 40

#
eth-trunk 20
#
eth-trunk 20
#
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_2
ap-group ap-group2
#
as-auth
auth-mode none
#
#
#
return
# ACC1 configuration file

#
sysname ACC1
#
vlan batch 20 50
#
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
#
free-rule 1 destination any source any
#
interface Vlanif20
#
mode lacp
#
eth-trunk 30
#
eth-trunk 30
#
#
#
#
return

#
sysname ACC2
#
vlan batch 21 60
#
#
#
#
free-rule 1 destination any source any
#
interface Vlanif21

#
mode lacp
#
eth-trunk 40
#
eth-trunk 40
#
#
#
#
return
6.6 Native AC + NAC Solution: Aggregation Switches

Function as the Authentication Points for Wired and
Wireless Users
of data. Aggregation switches set up stacks to implement device-level backup and
increase the interface density and forwarding bandwidth. In addition, aggregation
switches are configured with the native AC function to manage APs and transmit
wireless service traffic on the entire network, implementing wired and wireless
convergence.
In this example, aggregation switches function as the gateways and
authentication points for wired and wireless users on the entire network. These
authentication.

● Agile Controller-Campus delivers ACLs for authorization of successfully

authenticated users to control network access rights of these users of
different roles.
● Port isolation needs to be configured on access switches to control Layer 2
traffic of users.
Figure 6-34 Aggregation switches functioning as authentication points for wired

and wireless users
Server zone
Eth-Trunk 30
XGE1/1/0/3 XGE2/1/0/3
Authentication
DNS server
server XGE1/2/0/1 CSS
Core layer
CORE
XGE1/1/0/1 XG 2 XGE2/1/0/1
Service server Special server
E1
/1/ /1/0/
0/2 E2 Eth-Trunk 20
Eth-Trunk 10 XG
XGE0/0/1 XGE0/0/1
Aggregation XGE1/0/1 XGE1/0/1
layer AGG1 AGG2
GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3

GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point

Authentic Agile Controller- Agile Controller- V100R003C60SPC20

ation Campus running Campus 6
server V100R001,
V100R002, or
V100R003
Aggregati Modular switches S5731-H

on layer equipped with X
series cards or Layer
3 fixed switches that
support native AC
function


Access - S5735-L
layer
AP - AP6050DN V200R019C00
Deployment Roadmap
Step Deployment Roadmap Devices
Involved
Configure 1. Enable campus network connectivity. All switches

switches.
2. Configure AAA, including configuring a RADIUS Aggregation
server template, AAA schemes, and authentication switches
domains, as well as configuring parameters for (AGG1 and
interconnection between switches and the RADIUS AGG2)
server.
3. Configure resources accessible to users before Aggregation

they are authenticated (referred to as switches
authentication-free resources), post- (AGG1 and
authentication domains, and escape function, so AGG2)
that users have corresponding network access
rights in different authentication phases.
4. Configure 802.1X authentication for employees. Aggregation

switches
(AGG1 and
AGG2)
5. Configure MAC address-prioritized Portal Aggregation

authentication for guests. switches
(AGG1 and
AGG2)
6. Configure Layer 2 transparent transmission for Access switches

802.1X authentication packets. (ACC1 and
ACC2)
Configure 7. Add devices that need to communicate with -

Agile Agile Controller-Campus, and configure RADIUS
Controlle and Portal authentication parameters.
r-
Campus. 8. Add user groups and user accounts.
9. Enable MAC address-prioritized Portal

authentication.
10. Configure network access rights for

successfully authenticated employees and guests.

Data Plan


connecting to the
Internet

communication with
AGG1

communication with
AGG2

communication with
servers


VLAN for APs

VLAN 31 (guest) 172.16.31.0/24

wired users
Network VLAN 70 172.16.70.0/24

segment for
communication
with CORE

VLAN for APs

VLAN 41 (guest) 172.16.41.0/24

wired users

Network VLAN 80 172.16.80.0/24

segment for
communication
with CORE
Table 6-33 Wireless service data plan for aggregation switches

Item Employee Guest
Traffic profile traff: The user isolation mode is Layer 2 isolation

and Layer 3 communication.
Security profiles sec1: WPA/WPA2-802.1X sec2: open system

authentication authentication (default
security policy)
AP groups ap-group1 (AGG1) and ap-group2 (AGG2)
Regulatory domain domain1 (AGG1) and domain2 (AGG2)

profiles
Service data forwarding Tunnel forwarding

mode
Service VLANs VLAN 30 and VLAN 40 VLAN 31 and VLAN 41
Table 6-34 Authentication service data plan for aggregation switches

Item Data

authentication
● acco: accounting scheme for RADIUS accounting

● Authentication and accounting keys: Admin@123

Item Data



resources
Post-authentication ● Employees: service server, Internet, and network

domains segments of employees
● Guests: Internet and network segments of guests
The IP addresses of the service server, special server,
and campus egress device are 192.168.100.3,
192.168.100.100, and 172.16.3.1, respectively.
Escape function Same network access rights as those in post-

authentication domains

Item Data
User accounts (user name/password) ● Employees: user1/Huawei@123,

user2/Huawei@456
IP addresses of aggregation switches ● AGG1: 172.16.70.2

● AGG2: 172.16.80.2
RADIUS authentication parameters ● Device series: Huawei S series

switches
keys: Admin@123
minutes

Item Data
Portal authentication parameters ● Portal key: Admin@123

(AGG1): 172.16.30.0/24,
172.16.31.0/24
(AGG2): 172.16.40.0/24,
172.16.41.0/24
● The following describes only the configurations of AGG1 and ACC1. The
configuration of AGG2 is similar to that of AGG1, and the configuration of
ACC2 is similar to that of ACC1. For details about the configurations, see
Configuration Files in this section.
Procedure
Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and
advertise the network segment using the Open Shortest Path First (OSPF)
protocol.
<CORE> system-view
[CORE-Eth-Trunk30] description connect to Internet
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] quit
Step 2 Configure AAA parameters.

# Configure the RADIUS server template tem_rad, and configure the parameters
for interconnection between aggregation switches and the RADIUS server,

including the IP addresses, port numbers, authentication key, and accounting key
of the RADIUS authentication and accounting servers.
<AGG1> system-view

# Configure an AAA authentication scheme and an AAA accounting scheme, set

the authentication and accounting modes to RADIUS, and set the accounting
interval to 15 minutes.
[AGG1] aaa
# Configure the authentication domain huawei.com and bind AAA schemes and
RADIUS server template to this domain.
[AGG1-aaa] quit
Step 3 Configure authentication-free resources, post-authentication domains, and the

escape function.
# Configure authentication-free resources to allow packets destined for the DNS
server to pass through.

control the network access rights of successfully authenticated employees and
guests, respectively.
ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network
segments of wireless users and all the network segments that wireless users can access.
Otherwise, all packets of wireless users are discarded on APs even if the users are
successfully authenticated.
[AGG1] acl 3001
service server after being authenticated.


[AGG1] acl 3002
with each other.
with each other.
[AGG1] aaa
s1 to employees if Agile Controller-Campus is faulty.
s2 to guests if Agile Controller-Campus is faulty.
[AGG1-aaa] quit
Step 4 Configure 802.1X authentication for employees.

# Configure an 802.1X access profile. By default, an 802.1X access profile uses EAP
authentication. Ensure that the RADIUS server supports EAP; otherwise, the
RADIUS server cannot process 802.1X authentication requests.

forcible domain.
switch to re-authenticate employees after the authentication server recovers.

interface Eth-Trunk 30.
# Configure a security policy for wireless users. The security policies for wireless
users vary according to authentication modes. For employees who use 802.1X
authentication, configure a security policy in security profile sec1 as follows.

User Wireless Security Policy Remarks

Role User
Authenticati
on Mode
Emplo 802.1X WPA/WPA2-802.1X In this example, WPA2

yee authenticatio authentication authentication is used.
n
Guest MAC address- Open system The default security policy is

prioritized authentication open system authentication.
Portal Therefore, you do not need to
authenticatio configure a security policy for
n guests.
[AGG1] wlan
[AGG1-wlan] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] security wpa2 dot1x aes
[AGG1-wlan-sec-prof-sec1] quit
#Configure 802.1X authentication for wireless access of employees in VAP profile

vap1.
Step 5 Configure MAC address-prioritized Portal authentication for guests.

interconnection between aggregation switches and the Portal server. The
parameters include the IP address, port number, and shared key of the Portal
server, as well as the URL of the Portal page.
[AGG1] web-auth-server tem_portal
[AGG1-web-auth-server-tem_portal] server-ip 192.168.100.10
[AGG1-web-auth-server-tem_portal] port 50200
[AGG1-web-auth-server-tem_portal] shared-key cipher Admin@123
[AGG1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[AGG1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //
[AGG1-web-auth-server-tem_portal] quit

[AGG1] portal-access-profile name web1
[AGG1-portal-acces-profile-web1] web-auth-server tem_portal direct
[AGG1-portal-acces-profile-web1] authentication event portal-server-down action authorize service-
scheme s2 //Enable the switch to grant network access rights to users if the Portal server is faulty.
[AGG1-portal-acces-profile-web1] authentication event portal-server-up action re-authen //Configure
the switch to re-authenticate guests after the Portal server recovers.
[AGG1-portal-acces-profile-web1] quit

[AGG1] mac-access-profile name mac1
[AGG1-mac-access-profile-mac1] quit


[AGG1-authen-profile-p2] portal-access-profile web1
[AGG1-authen-profile-p2] mac-access-profile mac1
forcible domain.
switch to re-authenticate guests after the authentication server recovers.

profile vap2.
[AGG1] wlan

the access switch. This function needs to be configured on all interfaces through
which 802.1X authentication packets pass. If a switch does not support the bpdu
enable command, you only need to run the l2protocol-tunnel user-defined-
protocol 802.1x enable command on its interface.
<ACC1> system-view
0100-0000-0002
parameters.
Table 6-36 Parameter settings on Agile Controller-Campus and AGG1

Agile on Agile
Campus Campus
Name AGG1 -
IP address 172.16.70.2 IP address of VLANIF 70, which is used by

AGG1 to communicate with Agile Controller-
Campus


Agile on Agile
Campus Campus
Enable Selected -
RADIUS
(mandatory
for 802.1X,
Portal, and
MAC address
authentication
, Free Mobility,
and Service
Chain)

Series
Authentication Admin@123 [AGG1-radius-tem_rad] radius-server shared-key cipher

Admin@123
/Accounting
key
Authorization Admin@123 [AGG1] radius-server authorization 192.168.100.10

shared-key cipher Admin@123
key
Real-time 15 [AGG1-aaa-accounting-acco] accounting realtime 15

accounting
interval
(minute)
Enable Portal Selected -

(mandatory
for Portal
authentication
)
Portal protocol HUAWEI portal -

type protocol
Portal key Admin@123 [AGG1-web-auth-server-tem_portal] shared-key cipher

Admin@123
Access 172.16.30.0/24; List of IP addresses used by employees and

terminal IPv4 172.16.31.0/24 guests for accessing the network in wireless
list mode

heartbeat access device and Portal server is selected
between and the Portal server IP address is added to
access device the Portal server IP address list, the Portal
and Portal server can periodically send heartbeat
server packets to AGG1, based on which AGG1
determines the Portal server status. This
configuration corresponds to the server-


Agile on Agile
Campus Campus
Portal server 192.168.100.10 detect command configured in the Portal

IP address list server template view on AGG1.





guests.



used as an example.



rule result

result
----End
Expected Results

domains.
4. The employees can communicate with each other, but cannot communicate
with the guest.

access-user command on AGG1 to view information about online users. The
------------------------------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------------------------------
49175 user1 172.16.50.230 001b-21c4-820f Pre-authen
------------------------------------------------------------------------------------------------------

C:\Users\*******>ping 192.168.100.2


C:\Users\*******>

C:\Users\*******>ping 172.16.3.1

Request time out.

Request time out.

Request time out.
Request time out.

C:\Users\*******>
# Enter the correct user name and password of the wired employee user on
PC1, connect to the WLANs Employee and Guest using wireless user
accounts, and then run the display access-user command on AGG1 to view
information about online users. The command output shows that both the
employee and guest users are in Success state.
------------------------------------------------------------------------------------------------------

Status
------------------------------------------------------------------------------------------------------
49175 user1 172.16.50.172 001b-21c4-820f

Success
49176 user2 172.16.30.81 38ca-da5e-441a Success
49177 guest4 172.16.31.153 64b0-a6a3-f913 Success
------------------------------------------------------------------------------------------------------

check the authentication and authorization information of user1.
Basic:
User ID : 49175
User name : user1
9FE9:95F9:C499
9FE9:95F9:C499
17:14:30
User accounting session ID :
AG00018000000050ce****0300017
AAA:
authentication
RADIUS


RADIUS
------------------------------------------------------------------------------
C:\Users\*******>ping 192.168.100.2


C:\Users\*******>

succeeds.
C:\Users\*******>ping 172.16.3.1


C:\Users\*******>

operation fails.
C:\Users\*******>ping 192.168.100.100

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>

C:\Users\*******>ping 172.16.30.81


C:\Users\*******>
# On PC1, ping the IP address of the terminal used by guest4. The ping
operation fails.
C:\Users\*******>ping 172.16.31.153

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>
Configuration Files
#
sysname CORE
#
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
ip address 192.168.100.1 255.255.255.0
#
mode lacp
#
mode lacp
#
undo portswitch
ip address 172.16.3.1 255.255.255.0
mode lacp

#
eth-trunk 10
#
eth-trunk 20
#
eth-trunk 30
#
#
eth-trunk 20
#
eth-trunk 10
#
eth-trunk 30
#
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#QM@-!k^FcW*pZR2\4y93zY`;XY`TG356P_:6g7*O%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#S"vi.B|D80}JJgD*N%h&6+AUO7X-T/l0V
$;|PU$A%^%#
#
acl number 3001


rule 8 deny ip
acl number 3002
rule 5 deny ip
#
#
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#4~o~~(mF^~L=JK5Pd94Y$[Rq<"AL$Kt1!1Q+W5r@%^%#
url http://192.168.100.10:8080/portal
#
#
vlan 30
vlan 31
vlan 50
#
aaa
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#

interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
mode lacp
#
mode lacp
#
eth-trunk 30
#
eth-trunk 30
#
eth-trunk 10
#
eth-trunk 10
#
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2


radio 0
radio 1
ap-name area_1
ap-group ap-group1
#
#
#
return

#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#fax3=MV"r//"O"5FMI;5&H_R7f2k$Tfj6[1Xa0$5%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#3xW1/X3Dv=QAh^+{A2SA<g5cJ#]\5B:|
Jl)|;GB2%^%#
#
acl number 3001
rule 8 deny ip
acl number 3002
rule 5 deny ip
#
#

server-ip 192.168.100.10
port 50200
shared-key cipher %^%#7#CV~W{9N'1()yUYlP(BhQ&AMk(xTU;)]yCTa5mG%^%#
url http://192.168.100.10:8080/portal
#
#
vlan 40
vlan 41
vlan 60
#
aaa
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
mode lacp
#


mode lacp
#
eth-trunk 40
#
eth-trunk 40
#
eth-trunk 20
#
eth-trunk 20
#
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_2
ap-group ap-group2
#

#
#
return

#
sysname ACC1
#
vlan batch 20 50
#
#
mode lacp
#
eth-trunk 30
#
eth-trunk 30
#
#
#
return

#
sysname ACC2
#
vlan batch 21 60
#
#
mode lacp
#
eth-trunk 40
#
eth-trunk 40
#


#
#
return
6.7 Native AC + Free Mobility Solution: Parent (Core

Switches) in an SVF System Functions as the
Authentication Point
implementing wired and wireless convergence.
Aggregation switches set up stacks to implement device-level backup and increase
the interface density and forwarding bandwidth.
There are a large number of wired and wireless access devices that are widely
distributed. To implement unified management and configuration and reduce
management costs, SVF is deployed on the network. Core, aggregation, and access
switches set up an SVF system. In the SVF system, the CSS of core switches
functions as the parent, and aggregation and access switches function as ASs. The
parent manages and configures ASs in a unified manner.
In this example, core switches set up an SVF system, which functions as the
gateway and authentication point for wired and wireless users on the entire
network. These users can access the network only after being authenticated. The
specific requirements are as follows:
● Users include employees and guests. Wired users use combined 802.1X + MAC
+ Portal authentication, and wireless users use 802.1X authentication and
MAC address-prioritized Portal authentication.
● The free mobility solution is adopted, and security groups and inter-group
policies are configured on Agile Controller-Campus to control user access
rights.

Figure 6-35 Parent (core switches) in an SVF system functioning as the

authentication point
Server zone
(including RADIUS
Core XGE1/2/0/1 CSS
layer
XGE1/1/0/1 XG Parent XGE2/1/0/1
2
E1
/1 /1/0/
/0/ E2
Eth-Trunk 10 2 XG Eth-Trunk 20
XGE0/0/1 XGE1/0/1 XGE1/0/1 XGE0/0/1

Aggregation
AGG1 AGG2
layer Level-1 ASs
as-layer1-1 as-layer1-2
GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
Access ACC1 ACC2
layer as-layer2-1 Level-2 ASs as-layer2-2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point
Group policy
enforcement point


configured with X
series cards
● Layer 3 fixed
switches that
support the
native AC
function, such as
S5731-H switches
Aggregati - S5731-H
on layer
Access - S5735-L
layer
AP - AP6050DN V200R019C00

Deployment Roadmap

RADIUS server template, AAA schemes,
and authentication domains to enable
user authentication, authorization, and
interconnection between switches and
the RADIUS server.
2 Configure a pre-authentication domain, Core switches (CORE)

a post-authentication domain, and the
escape function, so that users have
corresponding rights before and after
being authenticated as well as when
Agile Controller-Campus is faulty.
3 Configure combined 802.1X + MAC + Core switches (CORE)

Portal authentication for wired users.
4 Configure 802.1X authentication and Core switches (CORE)

MAC address-prioritized Portal
authentication for wireless users.
5 Enable the free mobility function and Core switches (CORE)

configure XMPP parameters for
interconnection with Agile Controller-
Campus.
6 Log in to Agile Controller-Campus and Agile Controller-Campus

perform the following operations:
1. Configure parameters for
parameters.
2. Configure security groups and inter-
group policies.
Data Plan
Management VLAN VLAN 20 192.168.20.0/24

wireless users (AP1)
VLAN 40 172.16.40.0/24


user (PC1)

user (PC2)

communication with
servers

Item Data
AP group ap-group
Regulatory domain profile domain
SSID profiles ssid1, ssid2

Table 6-41 Data plan for the SVF system

Item Data
Parent CSS of two S12700E switches
Parent's cards connected to ASs X1E cards of the same type in slot 1 of the
two CSS member switches
MAC addresses of ASs and APs as-layer1-1: 00e0-0001-0011

as-layer1-2: 00e0-0001-0022
as-layer2-1: 00e0-0001-0033
as-layer2-2: 00e0-0001-0044
Management VLAN of the SVF VLAN 20

system
IP address of the management 192.168.20.1/24

VLANIF interface
Parent's interfaces connected to GE1/1/0/1 and GE2/1/0/2

as-layer1-1 Add the interfaces to Eth-Trunk 10 and bind
them to fabric port 1.

Item Data

as-layer1-1's interfaces GE0/0/3 and GE1/0/3

connected to as-layer2-1 Add the interfaces to Eth-Trunk 30 and bind

as-layer2-1's interface connected GE0/0/4

to AP1 Add the interface to an AP port group.

AS authentication mode Whitelist authentication
Service configuration of an AS Administrator profile admin_profile, in

administrator profile which the administrator user name and
password are configured
AS group admin_group, which includes all
ASs
Bind the administrator profile
admin_profile to the AS group
admin_group.

Item Data
Service configuration of AS Network basic profile basic_profile_1, in

network basic profiles which VLAN 50 is configured as the VLAN
from which packets are allowed to pass
through
Network basic profile basic_profile_2, in
which VLAN 60 is configured as the VLAN
through
through
through
Port group port_group_1, which includes all
downlink interfaces of as-layer1-1
downlink interfaces (except GigabitEthernet
0/0/4 connected to an AP) of as-layer2-1
Bind network basic profile basic_profile_1
to port group port_group_1.


Item Data

● Name: auth
Accounting scheme:
● Name: acco

tem_rad
server: 192.168.11.1
server: 1812
192.168.11.1
server: 1813
keys: Admin@123

tem_portal
● IP address: 192.168.11.1


192.168.11.2. Employees and guests
can send domain names to the DNS
server for resolution before being
authenticated.


Item Data

switches
keys: Admin@123
minutes

Wireless: 192.168.13.0/24
Wired: 192.168.14.0/24
Accounts Employee:
Guest:
Security group ● employee_group

● guest_group
● Email server: 192.168.11.100
● Video server: 192.168.11.110
Post-authentication domains ● Employees can access the mail and

video servers after being
authenticated.
● Guests cannot access the mail or
video server even after they are
authenticated.
● Employees and guests can
● For service security purposes, users
from unknown sources are not
allowed to access any resources.


Sour Destination Destination Destinati Destinatio Destinatio
ce Group Group on Group n Group n Group
Secu email_server video_server Any employee_ guest_gro
rity group up
Grou
p
empl Permit Permit Permit N/A Permit

oyee_
grou
p
guest Deny Permit Permit Permit N/A

_grou
p
Procedure
Step 1 Enable campus network connectivity. For details, see 3.7 Native AC + SVF
Solution: the Parent Containing Core Switches Functions as the Gateway for
Wired and Wireless Users.

Authentication Mode


For users who use 802.1X authentication, configure a security policy in security
profile sec1 as follows:
For users who use MAC address-prioritized Portal authentication, configure a


accounting servers.
<CORE> system-view




[CORE] aaa
[CORE-aaa] quit
Step 4 Configure combined 802.1X + MAC + Portal authentication for wired users on
CORE.





# Configure an authentication profile for wired users, and bind the 802.1X access
profile, MAC access profile, and Portal access profile to the authentication profile.
forcible domain.
# Configure combined 802.1X + MAC + Portal authentication for wired users.

[CORE] uni-mng
[CORE-um] user-access-profile name test01 //Configure a user access profile, which needs to be
bound to authentication profile p1.
[CORE-um-user-access-test01] authentication-profile p1
[CORE-um-user-access-test01] quit
[CORE-um] port-group name port_group_3 //Configure a port group, which needs to be bound to
the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_1] user-access-profile test01
[CORE-um-portgroup-port_group_1] as name as-layer2-1 interface gigabitEthernet 0/0/2
gigabitEthernet 0/0/4 to 0/0/24
[CORE-um-portgroup-port_group_1] quit
[CORE-um] commit as all //Commit the configuration. Configurations in service profiles
then are delivered to ASs.
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
[CORE-um] quit
Step 5 On CORE, configure 802.1X authentication and MAC address-prioritized Portal

# Configure an authentication profile for wireless users, and set the authentication
mode to MAC address-prioritized Portal authentication.
forcible domain.
mode to 802.1X authentication.


forcible domain.
# Configure 802.1X authentication for wireless users in VAP profile vap1.

[CORE] wlan
# Configure MAC address-prioritized Portal authentication for wireless users in the

VAP profile vap2.
[CORE] wlan
Step 6 Enable the free mobility function and configure XMPP parameters for
interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254 //Set scr-ip
to the IP address of VLANIF 1000.

1. Add CORE.

on Agile on Agile
Campus Campus
Name CORE -

Controller-Campus

Series

on/ Admin@123
Accounting
key


accounting
interval
(minute)


on Agile on Agile
Campus Campus

Access 172.16.30.0/24; IP address lists of fixed and mobile

terminal 172.16.40.0/24; terminals, corresponding to the interface
IPv4 list 172.16.50.0/24; address pools on VLANIF 30, VLANIF 40,
172.16.60.0/24 VLANIF 50, and VLANIF 60
XMPP Admin@123 group-policy controller 192.168.11.1

password password Admin@123 src-ip
192.168.11.254
a. Choose Resource > Device > Device Management, click Add, and
configure device information and authentication parameters.


b. Click the XMPP tab and set XMPP parameters.

Figure 6-37 XMPP
c. Click OK. The communication status of the switch becomes , and the
synchronization status is Success.
d. Check the communication status between Agile Controller-Campus and
CORE.
[CORE] display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 1
Controller protocol version: 1

Access Management.


3. Create employee and guest accounts. The following uses the employee
account user1 as an example. The procedure for creating a guest account is
similar to that for creating an employee account.
Choose Resource > User > User Management. Click Add and create
employee account user1.

4. Configure security groups employee_group and guest_group to represent

users, as well as security groups email_server and video_server to represent
resources.
a. Choose Policy > Permission Control > Security Group > Dynamic
Security Group Management.
Click Add and create security group employee_group.

Figure 6-40 Adding dynamic security group employee_group
b. Click Add and create security group guest_group.
Figure 6-41 Adding dynamic security group guest_group

c. Choose Static Security Group Management, click Add, and create

security group email_server.
Figure 6-42 Adding static security group mail_server
d. Click Add and create security group video_server.

Figure 6-43 Adding static security group video_server
e. Click Global Deployment. You can view the deployment result on the
deployment details page.
5. Bind employee_group to employees and guest_group to guests through
quick authorization. After being authenticated, employees are added to
employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. The following
describes how to add employee user1 to employee_group. The procedure of
adding guest user2 to guest_group is similar.
Figure 6-44 Add employee user1 to employee_group.
6. Configure access control policies and perform global deployment.

a. Choose System > Terminal Configuration > Global Parameters > Free
Mobility, and set Free mobility configuration mode to All devices.
b. Choose Policy > Free Mobility > Policy Configuration > Permission
Control, and add common policies. The following figure shows the
configuration for allowing users in employee_group to access the email
and video servers. Configure other policies in a similar way according to
Table 6-46.

Sour Destination Destination Destinat Destinati Destinati
ce Group Group ion on Group on Group
Secu email_server video_serve Group employe guest_gr
rity r Any e_group oup
Gro
up
emp Permit Permit Permit N/A Deny

loye
e_gr
oup
gues Deny Permit Permit Deny N/A

t_gr
oup
Figure 6-45 Adding network access rights
c. Click OK and then Global Deployment. You can view the deployment
result on the deployment details page.
After successful deployment, you can run the following commands on
CORE to check the deployment information.
▪ display ucl-group all: checks security groups.

[CORE] display ucl-group all
ID UCL group

name
--------------------------------------------------------------------------------
1
2
--------------------------------------------------------------------------------
Total : 2
▪ display acl all: checks access control policies.

[CORE] display acl
all
Total nonempty ACL number is
2
Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0

rule
Acl's step is
5

rules
Acl's step is
5
rule 1 deny ip source ucl-group 2 destination 192.168.11.100
0
0
1
2

rules
Acl's step is
5
0
0
2
1
Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0

rule
Acl's step is 5
a. Save the configuration of CORE.

Choose Resource > Device > Device Management and click to save
the configuration.

The save operation on Agile Controller-Campus is equivalent to running the save

command on the device, which saves all the device configurations (including
security groups and access control policies configured on Agile Controller-
Campus) to the configuration file.
When security groups and access right control policies are saved to the
configuration file of a device, these configurations can be restored from the
configuration file after the device is restarted, without the need to request
configurations from Agile Controller-Campus. If these configurations are not
saved to the configuration file, user authentication will fail because such
configurations are unavailable after the device is restarted.
----End
Configuration Files
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-
z\z_1{_|r~%^%#
#
#
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
url http://192.168.11.1:8080/portal
#
#
drop-profile default
#

vlan 30
vlan 40
vlan 50
vlan 60
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
#
ip address 192.168.11.254 255.255.255.0
#
port link-type hybrid
port hybrid tagged vlan 1 20 50
stp root-protection
stp edged-port disable
mode lacp
loop-detection disable
mad relay
#
eth-trunk 10
#
eth-trunk 10
#
eth-trunk 20
#
eth-trunk 20
#
#
group-policy controller 192.168.11.1 password %^%#XGq,C@c*6=1\8d)="S(&r>iERYpE"@|0X!RThfz$%^
%# src-ip 192.168.11.254
#
#
wlan
user-isolate l2
traffic-profile name default

security-profile name default

security-profile name default-wds
security-profile name default-mesh
ssid test01
ssid test02
ssid-profile name default
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name domain
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group
regulatory-domain-profile domain
radio 0
radio 1
ap-name area_1
ap-group ap-group
provision-ap
wlan work-group default
#
as-auth
undo auth-mode
whitelist mac-address 0200-0000-0011
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011
down-direction fabric-port 1 member-group interface Eth-Trunk 30
port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3


interface fabric-port 1
port member-group interface Eth-Trunk 10
as-admin-profile name admin_profile
user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
network-basic-profile name basic_profile_1
pass-vlan 50
pass-vlan 60
pass-vlan 50
pass-vlan 60
user-access-profile name test01
as-group name admin_group
as-admin-profile admin_profile
as name as-layer1-1
as name as-layer1-2
as name as-layer2-1
as name as-layer2-2
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface all
as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group connect-ap name ap
as name as-layer2-1 interface GigabitEthernet 0/0/3
#
#
return
6.8 Native AC + NAC Solution: Parent (Core Switches)

in an SVF System Functions as the Authentication
Point
implementing wired and wireless convergence.


There are a large number of wired and wireless access devices that are widely
distributed. To implement unified management and configuration and reduce
management costs, SVF is deployed on the network. Core, aggregation, and access
switches set up an SVF system. In the SVF system, the CSS of core switches
functions as the parent, and aggregation and access switches function as ASs. The
parent manages and configures ASs in a unified manner.
In this example, core switches set up an SVF system, which functions as the
gateway and authentication point for wired and wireless users on the entire
network. These users can access the network only after being authenticated. The
● Users include employees and guests. Wired users use combined 802.1X +
Portal authentication, and wireless users use 802.1X authentication and MAC
address-prioritized Portal authentication.
● The authentication server delivers authorization ACLs to control network
access rights of different users.
Figure 6-46 Parent (core switches) in an SVF system functioning as the

authentication point
Server zone
(including RADIUS
Core XGE1/2/0/1 CSS
layer
XGE1/1/0/1 XG Parent 2 XGE2/1/0/1
E1
/1/ /1 /0/
0/2 E2
XGE0/0/1 XGE1/0/1 XGE1/0/1 XGE0/0/1

Aggregation AGG1 AGG2
GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
Access ACC1 ACC2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point



configured with X
series cards
● Layer 3 fixed
switches that
support the
native AC
function, such as
S5731-H switches
Aggregati - S5731-H
on layer
Access - S5735-L
layer
AP - AP6050DN V200R019C00
Deployment Roadmap

RADIUS server template, AAA schemes,
and authentication domains to enable
user authentication, authorization, and
interconnection between switches and
the RADIUS server.
2 Configure a pre-authentication domain Core switches (CORE)

and a post-authentication domain.
3 Configure combined 802.1X + Portal Core switches (CORE)

authentication for wired users. In an SVF
system, the authentication mode of
wired users needs to be defined in a
user access profile.
4 Configure 802.1X authentication and Core switches (CORE)

MAC address-prioritized Portal

6 Log in to Agile Controller-Campus, add Agile Controller-Campus

users, and configure parameters for
interconnection with CORE, RADIUS and
Portal parameters, as well as the
authentication and authorization
functions.
Data Plan
Management VLAN VLAN 20 192.168.20.0/24

wireless users (AP1)
VLAN 40 172.16.40.0/24

user (PC1)

user (PC2)

communication with
servers
Item Data
AP group ap-group
Regulatory domain profile domain
SSID profiles ssid1, ssid2

Table 6-49 Data plan for the SVF system
Item Data
Parent CSS of two S12700E switches

Item Data
Parent's cards connected to ASs X1E cards of the same type in slot 1 of the
two CSS member switches
MAC addresses of ASs and APs as-layer1-1: 00e0-0001-0011

as-layer1-2: 00e0-0001-0022
as-layer2-1: 00e0-0001-0033
as-layer2-2: 00e0-0001-0044
Management VLAN of the SVF VLAN 20

system
IP address of the management 192.168.20.1/24

VLANIF interface






AS authentication mode Whitelist authentication
Service configuration of an AS Administrator profile admin_profile, in

administrator profile which the administrator user name and
password are configured
AS group admin_group, which includes all
ASs
Bind the administrator profile
admin_profile to the AS group
admin_group.

Item Data
Service configuration of AS Network basic profile basic_profile_1, in

network basic profiles which VLAN 50 is configured as the VLAN
through
through
through
through


Item Data

● Name: auth
Accounting scheme:
● Name: acco

tem_rad
server: 192.168.11.1
server: 1812
192.168.11.1
server: 1813
keys: Admin@123

tem_portal
● IP address: 192.168.11.1


192.168.11.2

Internet
192.168.11.3 and 172.16.3.1,
respectively.


Item Data

switches
keys: Admin@123
minutes

Wireless: 192.168.13.0/24
Wired: 192.168.14.0/24
Accounts Employee:
Guest:
Procedure
Step 1 Enable campus network connectivity. For details, see 3.7 Native AC + SVF
Solution: the Parent Containing Core Switches Functions as the Gateway for
Wired and Wireless Users.

Authentication Mode



For users who use 802.1X authentication, configure a security policy in security
profile sec1 as follows:
For users who use MAC address-prioritized Portal authentication, configure a


accounting servers.
<CORE> system-view


[CORE] aaa
[CORE-aaa] quit
Step 3 Configure a pre-authentication domain and a post-authentication domain on

CORE.
# Configure a pre-authentication domain to allow packets destined for the DNS
server to pass through before users are authenticated.



Step 4 Configure combined 802.1X + Portal authentication for wired users on CORE.



# Configure an authentication profile for wired users, and bind the 802.1X access
profile and Portal access profile to the authentication profile.
forcible domain.
# Configure combined 802.1X + Portal authentication for wired users.

[CORE] uni-mng
[CORE-um] user-access-profile name test01 //Configure a user access profile, which needs to be
bound to authentication profile p1.
[CORE-um-user-access-test01] authentication-profile p1
[CORE-um-user-access-test01] quit


[CORE-um] commit as all //Commit the configuration. Configurations in service profiles
then are delivered to ASs.
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
[CORE-um] quit
Step 5 On CORE, configure 802.1X authentication and MAC address-prioritized Portal

mode to MAC address-prioritized Portal authentication.
forcible domain.
mode to 802.1X authentication.
forcible domain.
# Configure 802.1X authentication for wireless users in VAP profile vap1.

[CORE] wlan
# Configure MAC address-prioritized Portal authentication for wireless users in the

VAP profile vap2.
[CORE] wlan



on Agile on Agile
Campus Campus
Name CORE -

Controller-Campus

Series

on/ Admin@123
Accounting
key


accounting
interval
(minute)


IPv4 list 40

which CORE determines the Portal server
Portal server 192.168.11.1 status. This configuration corresponds to
IP address the server-detect command configured in
list the Portal server template view on CORE.


the user group Employee. The configuration of the user group Guest is
similar.
Employee.


the user group Employee.


Access Management.


employees.

b. Configure authorization rules for employees and guests according to

Table 6-53. The following describes how to configure authorization rules
for wired access of employees. The configuration for guests is similar.

Range
Wired Employee wire - Employees_

employees post-
n rule ion_domain
Wireless Employee - test01 Employees_

employees post-
n rule ion_domain


Range
Guests Guest - test02 Guests_post

authorizatio -
n rule authenticat
ion_domain
▪ Choose Resource> User > IP Address Range, set the name of an IP

address range to wire, and add IP address segments 172.16.50.0/24
and 172.16.60.0/24.
▪ Choose Policy > Permission Control > Authentication &

Authorization > Authorization Rule.

Figure 6-54 Adding an authorization rule

----End

Item
Employee ● The employee can complete 802.1X authentication using the

authenticat 802.1X client on a wired terminal. The employee can also
ion complete Portal authentication after entering http://
192.168.11.1:8080/portal in the address box of a browser and
entering the user name and password on the redirection page.
● The employee can use a mobile terminal to associate with the
Wi-Fi network.
employee account.


Item
guest account.
Basic:
User ID : 81564
User access time : 2019/10/22 02:00:03
User accounting session ID : LSW900210000000050ad****0203e9c
AS ID :1
AS name : as-layer2-1 //AS on which the user goes online
AS IP : 192.168.20.212
AS MAC : 000b-099d-eb3b
AS Interface : GigabitEthernet0/0/10 //AS interface on which the user goes online
Dynamic ACL ID(Effective) : 3001 //Authorization information
AAA:
------------------------------------------------------------------------------

Configuration Files
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-
z\z_1{_|r~%^%#
#
acl number 3001
rule 3 deny ip
acl number 3002
rule 2 deny ip
#
#
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
url http://192.168.11.1:8080/portal
#
#
drop-profile default
#
vlan 30
vlan 40
vlan 50
vlan 60
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0


#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
#
ip address 192.168.11.254 255.255.255.0
#
port link-type hybrid
port hybrid tagged vlan 1 20 50
stp root-protection
stp edged-port disable
mode lacp
loop-detection disable
mad relay
#
eth-trunk 10
#
eth-trunk 10
#
eth-trunk 20
#
eth-trunk 20
#
#
#
wlan
user-isolate l2
traffic-profile name default
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid test01
ssid test02
ssid-profile name default
forward-mode tunnel
ssid-profile ssid1

forward-mode tunnel
ssid-profile ssid2
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name domain
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group
regulatory-domain-profile domain
radio 0
radio 1
ap-name area_1
ap-group ap-group
provision-ap
wlan work-group default
#
as-auth
undo auth-mode
#
uni-mng
as-admin-profile name admin_profile
user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#

pass-vlan 50
pass-vlan 60
pass-vlan 50
pass-vlan 60
user-access-profile name test01
as-group name admin_group
as-admin-profile admin_profile
as name as-layer1-1
as name as-layer1-2
as name as-layer2-1
as name as-layer2-2
port-group connect-ap name ap
#
#
return
6.9 Standalone AC + NAC Solution: Core Switches and

ACs Function as the Authentication Points for Wired
and Wireless Users Respectively
of data. A standalone AC is deployed in off-path mode. It functions as a gateway
to assign IP addresses to APs and wireless users, and centrally manages APs and
wireless users on the entire network.

authentication point for wired users, and standalone ACs in a hot standby (HSB)
group functions as the gateway and authentication point for wireless users. The
wired and wireless users can access the network only after being authenticated.
The specific requirements are as follows:

authentication.
different roles.
● Port isolation needs to be configured on access and aggregation switches to
control Layer 2 traffic of users.
Figure 6-55 Core switches and standalone ACs functioning as the authentication
points for wired and wireless users respectively
CORE-AC1 CORE-AC2
Server zone HSB
Eth-Trunk 2
Authentication
DNS server XGE1/2/0/1 CSS
server Core layer
CORE
XGE1/1/0/1 XG XGE2/1/0/1
E1 /2
/1/ / 1/0
Service server Special server 0/2 E2
XGE0/0/1 XGE0/0/1
XGE1/0/1 XGE1/0/1
Aggregation
AGG1 AGG2
layer
GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point

Location Device Requirement Device Used in Version Used in
This Example This Example
Authentic Agile Controller-Campus Agile Controller- V100R003C60SP

ation running V100R001, Campus C206
server V100R002, or V100R003
Aggregati - S5731-H
on layer


Access - S5735-L
layer
AC - AC6605
AP - AP6050DN V200R019C00
Deployment Roadmap
Step Deployment Roadmap
Enable campus 1. For details, see 3.11 Standalone AC Solution: Core

network Switches and ACs Function as the Gateways for Wired
connectivity. and Wireless Users Respectively.
Configure core 2. Configure AAA, including configuring a RADIUS server

switches and ACs. template, AAA schemes, and authentication domains, as
well as configuring parameters for interconnection between
switches and the RADIUS server and between ACs and the
RADIUS server.
3. Configure resources accessible to users before they are

authenticated (referred to as authentication-free
resources), and network access rights to be granted to
4. Configure 802.1X authentication for employees.
5. Configure MAC address-prioritized Portal authentication

for guests only on ACs.
Configure 6. Configure Layer 2 transparent transmission for 802.1X

aggregation and authentication packets.
access switches.
Configure Agile 7. Add devices that need to communicate with Agile

Controller- Controller-Campus, and configure RADIUS and Portal
Campus. authentication parameters.
10. Configure network access rights for successfully

authenticated employees and guests.

Data Plan
Table 6-54 Data plan for campus network connectivity
VLANs for VLAN 20 (management 192.168.20.0/24

communication between VLAN for APs)
core switches and ACs
VLAN 30 (service VLAN 172.16.30.0/24
for wireless access of
employees)
VLAN 40 (service VLAN 172.16.40.0/24

for guests)
Service VLAN for wired VLAN 50 172.16.50.0/24

users (on AGG1)
Service VLAN for wired VLAN 60 172.16.60.0/24

users (on AGG2)

between CORE-AC1 and
CORE-AC2

between core switches
and servers
Table 6-55 Wireless service data plan for ACs
Item Employee Guest
Traffic profile traff: The user isolation mode is Layer 2 isolation and
Layer 3 communication.
Security profiles sec1: WPA/ sec2: open system

WPA2-802.1X authentication (default security
authentication policy)
AP group ap-group1
Regulatory domain domain1

profile
Service data Tunnel forwarding

forwarding mode
Service VLANs VLAN 30 VLAN 40

Table 6-56 Authentication service data plan for core switches and ACs
Item Data

authentication
● acco: accounting scheme for RADIUS
accounting

● Authentication and accounting keys:
Admin@123



resources
Network access rights for ● Employees: Internet, DNS server, service server,
successfully authenticated and network segments of employees
users ● Guests: Internet, DNS server, and network
segments of guests
The IP addresses of the service server, special
server, and campus egress device are
192.168.100.3, 192.168.100.100, and 172.16.3.1,
respectively.


Item Data
User accounts (user name/ ● Employees: user1/Huawei@123, user2/

password) Huawei@456
Device IP addresses ● Core switch: 192.168.100.1

● AC: 192.168.20.1 (IP address of the backup AC:
192.168.20.2)
RADIUS authentication ● Device series: Huawei S series switches

parameters ● Authentication and accounting keys:
Admin@123
● Real-time accounting interval: 15 minutes
Portal authentication ● Portal key: Admin@123

parameters ● IP address list of access terminals:
172.16.30.0/24, 172.16.40.0/24
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the

master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.11 Standalone AC
Solution: Core Switches and ACs Function as the Gateways for Wired and
Wireless Users Respectively.
# Configure the network segment for CORE to connect to the Internet.

<CORE> system-view
[CORE-Eth-Trunk30] description con to Internet
Step 2 Configure the authentication service on CORE.

1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between CORE and the RADIUS server,
including the IP addresses, port numbers, authentication key, and accounting
key of the RADIUS authentication and accounting servers.

[CORE] radius-server authorization 192.168.100.10 shared-key cipher Admin@123

# Configure an AAA authentication scheme and an AAA accounting scheme,

set the authentication and accounting modes to RADIUS, and set the
accounting interval to 15 minutes.
[CORE] aaa
# Configure the authentication domain huawei.com and bind AAA schemes

and RADIUS server template to this domain.
[CORE-aaa] quit
2. Configure authentication-free resources and network access rights for

successfully authenticated employees.
# Configure authentication-free resources to allow packets destined for the
DNS server and packets from the AP management VLAN to pass through.
[CORE-free-rule-default_free_rule] free-rule 2 source vlan 20
# Configure network access rights for successfully authenticated employees to

allow them to access the Internet, DNS server, and service server and to
[CORE] acl 3001
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to
access the Internet after being authenticated.
access the DNS server after being authenticated.
access the service server after being authenticated.

# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.

[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com
as a forcible domain.

interfaces.


Step 3 Configure the authentication service on ACs. The following uses CORE-AC1 as an
example. The configuration of CORE-AC2 is similar to that of CORE-AC1.
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<CORE-AC1> system-view
[CORE-AC1] radius-server template tem_rad
[CORE-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[CORE-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[CORE-AC1-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-AC1-radius-tem_rad] quit

[CORE-AC1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123

[CORE-AC1] aaa
[CORE-AC1-aaa] authentication-scheme auth
[CORE-AC1-aaa-authen-auth] authentication-mode radius
[CORE-AC1-aaa-authen-auth] quit
[CORE-AC1-aaa-accounting-acco] accounting-mode radius
[CORE-AC1-aaa-accounting-acco] accounting realtime 15
[CORE-AC1-aaa-accounting-acco] quit

successfully authenticated users.
[CORE-AC1] free-rule-template name default_free_rule
[CORE-AC1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[CORE-AC1-free-rule-default_free_rule] quit

ACL rules for wireless users are delivered to APs. Therefore, the APs must permit
network segments of wireless users and all the network segments that wireless users
can access. Otherwise, all packets of wireless users are discarded on APs even if the
users are successfully authenticated.
[CORE-AC1] acl 3001
[CORE-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 7 deny ip destination any
[CORE-AC1-acl-adv-3001] quit

# Configure network access rights for successfully authenticated guests to

allow them to access the Internet and DNS server and to communicate with
each other.
[CORE-AC1] acl 3002
[CORE-AC1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to
[CORE-AC1-acl-adv-3002] rule 4 deny ip destination any
[CORE-AC1-acl-adv-3002] quit

[CORE-AC1] dot1x-access-profile name d1
[CORE-AC1-dot1x-access-profile-d1] quit

[CORE-AC1] authentication-profile name p1
[CORE-AC1-authen-profile-p1] dot1x-access-profile d1
[CORE-AC1-authen-profile-p1] free-rule-template default_free_rule
[CORE-AC1-authen-profile-p1] authentication-scheme auth
[CORE-AC1-authen-profile-p1] accounting-scheme acco
[CORE-AC1-authen-profile-p1] radius-server tem_rad
[CORE-AC1-authen-profile-p1] quit
# Configure a security policy for wireless access of employees.

[CORE-AC1] wlan
[CORE-AC1-wlan] security-profile name sec1
[CORE-AC1-wlan-sec-prof-sec1] security wpa2 dot1x aes
[CORE-AC1-wlan-sec-prof-sec1] quit
#Configure 802.1X authentication for wireless access of employees.

[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] authentication-profile p1
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] quit
4. Configure MAC address-prioritized Portal authentication for guests.

# Configure a Portal server template. Configure parameters for
interconnection between the AC and Portal server, including the IP address
and port number of the Portal server, Portal key, and URL of the Portal page.
[CORE-AC1] web-auth-server tem_portal
[CORE-AC1-web-auth-server-tem_portal] server-ip 192.168.100.10
[CORE-AC1-web-auth-server-tem_portal] port 50200
[CORE-AC1-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-AC1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[CORE-AC1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0
action log //Enable the Portal server detection function so that you can learn the Portal server
status in real time and users can still access the network even if the Portal server is faulty. Note that
the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[CORE-AC1-web-auth-server-tem_portal] quit

[CORE-AC1] portal-access-profile name web1
[CORE-AC1-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-AC1-portal-acces-profile-web1] quit

[CORE-AC1] mac-access-profile name mac1
[CORE-AC1-mac-access-profile-mac1] quit

[CORE-AC1] authentication-profile name p2

[CORE-AC1-authen-profile-p2] portal-access-profile web1
[CORE-AC1-authen-profile-p2] mac-access-profile mac1
[CORE-AC1-authen-profile-p2] free-rule-template default_free_rule
[CORE-AC1-authen-profile-p2] authentication-scheme auth
[CORE-AC1-authen-profile-p2] accounting-scheme acco
[CORE-AC1-authen-profile-p2] radius-server tem_rad
[CORE-AC1-authen-profile-p2] quit
# Configure MAC address-prioritized Portal authentication for guests.

[CORE-AC1] wlan
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] authentication-profile p2
[CORE-AC1-wlan-vap-prof-vap2] quit
[CORE-AC1-wlan-view] quit

access and aggregation switches. The following uses ACC1 as an example. The
configurations of other switches are similar to that of ACC1.
# Enable this function on all interfaces through which 802.1X authentication

packets pass. If a switch does not support the bpdu enable command, you only
need to run the l2protocol-tunnel user-defined-protocol 802.1x enable
command on its interface.
<ACC1> system-view
0100-0000-0002
parameters.
Table 6-58 Parameter settings for adding core switches and ACs on Agile
Controller-Campus
Parameter on Agile Setting for Core Setting for ACs

Controller-Campus Switches
Name CORE AC
IP address 192.168.100.1 192.168.20.1
Enable RADIUS Selected

(mandatory for 802.1X,
Portal, and MAC address
authentication, Free
Mobility, and Service
Chain)

Parameter on Agile Setting for Core Setting for ACs

Controller-Campus Switches
Standby device IP address - 192.168.20.2
Device series Huawei S Series
Authentication/Accounting Admin@123
key
Authorization key Admin@123
Real-time accounting 15
interval (minute)
Enable Portal (mandatory - Selected

for Portal authentication)
Portal protocol type HUAWEI portal protocol
Portal key Admin@123
Access terminal IPv4 list 172.16.30.0/24;172.16.40.0/2

4
Enable heartbeat between Selected

access device and Portal
server
Portal server IP address list 192.168.100.10



guests.



used as an example.



rule result

result
----End
Expected Results

domains.
4. Employees can communicate with each other, but cannot communicate with
the guest.

access-user command on CORE to view information about online users. The
[CORE] display access-user
------------------------------------------------------------------------------------------------------

Status
------------------------------------------------------------------------------------------------------
114337 user1 172.16.50.110 001b-21c4-820f Pre-

authen
------------------------------------------------------------------------------------------------------
C:\Users\*******>ping 192.168.100.2


C:\Users\*******>


C:\Users\*******>ping 172.16.3.1

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>
# Enter the correct user name and password on PC1, connect to the WLANs
Employee and Guest in wireless mode, and then run the display access-user
command on CORE and CORE-AC1 to check information about online users.
The command output shows that user1, user2, and guest4 are all in Success
state.
[CORE] display access-user
------------------------------------------------------------------------------------------------------

Status
------------------------------------------------------------------------------------------------------
115318 user1 172.16.50.110 001b-21c4-820f

Success
------------------------------------------------------------------------------------------------------
[CORE-AC1] display access-user
------------------------------------------------------------------------------------------------------

Status
------------------------------------------------------------------------------------------------------
16401 guest4 172.16.40.210 64b0-a6a3-f913

Success
32788 user2 172.16.30.165 38ca-da5e-441a
Success
------------------------------------------------------------------------------------------------------
# Run the display access-user username user1 detail command on CORE to

view detailed authentication and authorization information of user1.
Basic:
User ID : 115318
User name : user1


9FE9:95F9:C499
9FE9:95F9:C499
11:08:16
CORE002100000000506e****0304276
AAA:
authentication
RADIUS
RADIUS
------------------------------------------------------------------------------
# Run the display access-user username user2 detail and display access-
user username guest4 detail commands on CORE-AC1 to view detailed
authentication and authorization information of user2 and guest4.
[CORE-AC1] display access-user username user2 detail
Basic:
User ID : 32788
User name : user2
Dbss17496
21:22:53
User accounting session ID : CORE-
AC00000000000030f0****0200014
User accounting mult session ID :
AC853DA6A42038CADA5E441A5DDD9****690329A
AP name : area_1
Radio ID :0
AP MAC : ac85-3d95-d801
SSID : Employee
User Group Priority :0
AAA:
authentication
RADIUS

RADIUS
------------------------------------------------------------------------------
[CORE-AC1] display access-user username guest4 detail
Basic:
User ID : 16401
User name : guest4
Dbss17497
21:25:05
User accounting session ID : CORE-
AC000000000000401c****0100011
AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
AP name : area_1
Radio ID :0
AP MAC : ac85-3d95-d801
SSID : Guest
192.168.100.10
AAA:
authentication
RADIUS
RADIUS
------------------------------------------------------------------------------
C:\Users\*******>ping 192.168.100.2



C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3


C:\Users\*******>

succeeds.
C:\Users\*******>ping 172.16.3.1


C:\Users\*******>

operation fails.
C:\Users\*******>ping 192.168.100.100

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>
C:\Users\*******>ping 172.16.30.165



C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.40.210

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>
Configuration Files
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#P&%q-,!CC~Ng<^1w;LT:NQj&B.*@a~V.Zi+<pA0H%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^
%#x`c[=x{ot~7c@T@8fMb'+lGz74$gT6:Kc/DZ1K5Z%^%#
#
acl number 3001
rule 7 deny ip
#
#
vlan 50
vlan 60
#
aaa

domain huawei.com
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
#
ip address 192.168.100.1 255.255.255.0
#
description con to CORE-AC1
port trunk allow-pass vlan 20 30 40
mode lacp
#
description con to CORE-AC2
mode lacp
#
mode lacp
#
mode lacp
#
description con to Internet
undo portswitch
ip address 172.16.3.1 255.255.255.0
mode lacp
#
eth-trunk 10
#

eth-trunk 20
#
eth-trunk 1
#
eth-trunk 2
#
eth-trunk 30
#
#
eth-trunk 20
#
eth-trunk 10
#
eth-trunk 1
#
eth-trunk 2
#
eth-trunk 30
#
#
return
● CORE-AC1 configuration file

#
sysname CORE-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
#
dhcp enable
#
#
vlan 30
vlan 40
#
radius-server shared-key cipher %^%#!XJ(Vgk2'$xrU{5H..g"f)`<ELF*e${j(A>B~f<%%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#Kc8XWx+M

%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%#
#
acl number 3001
rule 7 deny ip
acl number 3002
rule 4 deny ip
#
#
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
#
#
aaa
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp server excluded-ip-address 192.168.20.2
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
mode lacp
#

#
eth-trunk 1
#
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316

ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&
+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
#
#
return
● CORE-AC2 configuration file

#
sysname CORE-AC2
#
#
vlan batch 20 30 40 100
#
#
dhcp enable
#
#
vlan 30
vlan 40
#
radius-server shared-key cipher %^%#!XJ(Vgk2'$xrU{5H..g"f)`<ELF*e${j(A>B~f<%%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#Kc8XWx+M
%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%#
#
acl number 3001
rule 7 deny ip
acl number 3002
rule 4 deny ip
#

#
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
#
#
aaa
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
admin-vrrp vrid 1
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
mode lacp
#
#
eth-trunk 2
#
eth-trunk 2
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
#
hsb-service 0
#

hsb-group 0
bind-service 0
hsb enable
#
#
#
#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_1
ap-group ap-group1
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk%^
%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
#
#
return

#
sysname AGG1

#
vlan batch 20 50
#
0100-0000-0002
#
mode lacp
#
mode lacp
#
eth-trunk 30
#
eth-trunk 30
#
eth-trunk 10
#
eth-trunk 10
#
return

#
sysname AGG2
#
vlan batch 20 60
#
0100-0000-0002
#
mode lacp
#
mode lacp
#
eth-trunk 40
#
eth-trunk 40
#
eth-trunk 20
#

eth-trunk 20
#
return

#
sysname ACC1
#
vlan batch 20 50
#
0100-0000-0002
#
mode lacp
#
eth-trunk 30
#
eth-trunk 30
#
#
#
return

#
sysname ACC2
#
vlan batch 20 60
#
0100-0000-0002
#
mode lacp
#
eth-trunk 40
#
eth-trunk 40
#


#
#
return
6.10 Standalone AC + NAC Solution: Aggregation

Switches and ACs Function as the Authentication
Points for Wired and Wireless Users Respectively
of data.
the interface density and forwarding bandwidth. A standalone AC is deployed in
off-path mode. It centrally manages APs on the entire network.
In this example, aggregation switches function as the gateways for wired and
wireless users and also function the authentication points for wired users.
Standalone ACs function as the authentication points for wireless users. The wired
and wireless users can access the network only after being authenticated. The
authentication.
different roles.
● Port isolation needs to be configured on access switches to control Layer 2
traffic of users.

Figure 6-56 Aggregation switches and standalone ACs functioning as the

authentication points for wired and wireless users respectively
Server zone
Authentication Eth-Trunk 30
DNS server
server
XGE1/1/0/5 XGE2/1/0/5
XGE1/2/0/1 CSS
Core layer
Service server Special server
XGE1/1/0/1 XG CORE XGE2/1/0/1
AGG-AC2 AGG-AC1 E1/1 0/2
/0/ 2/1/ AGG-AC3 AGG-AC4
Eth-Trunk 10 E Eth-Trunk 20
HSB 2 XG HSB
XG
/0/
GE0/0/1
GE0/0/1
E
GE0
E0
0/
/0/1 GE0/0/4 GE0/0/4 /0/1
GE0
0/
XG
XGE1/0/1 XGE1/0/1
1
AGG1 AGG2
Aggregation GE0/0/5 GE0/0/5
layer GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
GE0/0/3 GE0/0/4 GE0/0/3 GE0/0/4
PC1 AP1 PC2 AP2
Access point

Authentic Agile Controller-Campus Agile Controller- V100R003C60SP

ation running V100R001, Campus C206
server V100R002, or V100R003
Aggregati - S5731-H
on layer
Access - S5735-L
layer
AC - AC6605
AP - AP6050DN V200R019C00

Deployment Roadmap
Step Deployment Roadmap
Enable campus 1. For details, see 3.10 Standalone AC Solution:

network Aggregation Switches Function as Gateways for Wired
connectivity. and Wireless Users.
Configure 2. Configure AAA, including configuring a RADIUS server

aggregation template, AAA schemes, and authentication domains, as
switches and ACs. well as configuring parameters for interconnection between
3. Configure resources accessible to users before they are

authenticated (referred to as authentication-free
resources), and network access rights to be granted to
5. Configure MAC address-prioritized Portal authentication

for guests only on ACs.
Configure access 6. Configure Layer 2 transparent transmission for 802.1X

switches. authentication packets.
Configure Agile 7. Add devices that need to communicate with Agile

Controller- Controller-Campus, and configure RADIUS and Portal
Campus. authentication parameters.
10. Configure network access rights for successfully

authenticated employees and guests.
Data Plan

connecting to the
Internet

communication with
AGG1

communication with
AGG2


communication with
servers


VLAN for APs

VLAN 31 (guest) 172.16.31.0/24

wired users
Network VLAN 70 172.16.70.0/24

segment for
communication
with CORE

VLAN for APs

VLAN 41 (guest) 172.16.41.0/24

wired users
Network VLAN 80 172.16.80.0/24

segment for
communication
with CORE
Table 6-63 Wireless service data plan for ACs

Item Employee Guest
Traffic profile traff: The user isolation mode is Layer 2 isolation and
Layer 3 communication.
Security profiles sec1: WPA/ sec2: open system

WPA2-802.1X authentication (default security
authentication policy)

Item Employee Guest
AP groups ap-group1, ap-group2
Regulatory domain domain1

profile
Service data Tunnel forwarding

forwarding mode
Table 6-64 Authentication service data plan for aggregation switches and ACs
Item Data

authentication
● acco: accounting scheme for RADIUS
accounting

● Authentication and accounting keys:
Admin@123



resources

Item Data
Network access rights for ● Employees: Internet, DNS server, service server,
successfully authenticated and network segments of employees
users ● Guests: Internet, DNS server, and network
segments of guests
The IP addresses of the service server, special
server, and campus egress device are
192.168.100.3, 192.168.100.100, and 172.16.3.1,
respectively.

Item Data
User accounts (user name/ ● Employees: user1/Huawei@123, user2/

password) Huawei@456
Device IP addresses ● AGG1: 172.16.70.2

● AGG2: 172.16.80.2
● AGG-AC1: 192.168.20.1 (IP address of the
backup AC: 192.168.20.2)
● AGG-AC3: 192.168.21.1 (IP address of the
backup AC: 192.168.21.2)
RADIUS authentication ● Device series: Huawei S series switches

parameters ● Authentication and accounting keys:
Admin@123
● Real-time accounting interval: 15 minutes
Portal authentication ● Portal key: Admin@123

parameters ● IP address list of access terminals (AGG-AC1):
172.16.30.0/24, 172.16.31.0/24
● IP address list of access terminals (AGG-AC3):
172.16.40.0/24, 172.16.41.0/24
Configuration Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. Otherwise, service interruptions

may occur. If a VLAN is configured as both the management VLAN and

service VLAN, and the interface connecting a switch to an AP has the
management VLAN ID as the PVID, downstream packets in the service VLAN
are terminated when going out from the switch. In this case, services are
interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Service packets and management packets can be transmitted properly only if
the network between APs and the upper-layer network is added to the service
VLAN and the network between ACs and APs is added to the management
VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.10 Standalone AC
Solution: Aggregation Switches Function as Gateways for Wired and Wireless
Users.
# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view
[CORE-Eth-Trunk30] description con to Internet
[CORE] ospf

[CORE-ospf-1] quit
Step 2 Configure the authentication service on aggregation switches. The following uses
AGG1 as an example. The configuration of AGG2 is similar to that of AGG1.
parameters for interconnection between CORE and the RADIUS server,
including the IP addresses, port numbers, authentication key, and accounting
key of the RADIUS authentication and accounting servers.
<AGG1> system-view


[AGG1] aaa
# Configure the authentication domain huawei.com and bind AAA schemes

and RADIUS server template to this domain.
[AGG1-aaa] quit

successfully authenticated employees.
DNS server and packets from the AP management VLAN to pass through.
[AGG1-free-rule-default_free_rule] free-rule 2 source vlan 20

[AGG1] acl 3001
access the service server after being authenticated.




[AGG1-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com
as a forcible domain.

interfaces.
Step 3 Configure the authentication service on ACs. The following uses AGG-AC1 as an
example. The configurations of other ACs are similar to that of AGG-AC1.
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<AGG-AC1> system-view
[AGG-AC1] radius-server template tem_rad
[AGG-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG-AC1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG-AC1-radius-tem_rad] quit

[AGG-AC1] radius-server authorization 192.168.100.10 shared-key cipher Admin@123

[AGG-AC1] aaa
[AGG-AC1-aaa] authentication-scheme auth
[AGG-AC1-aaa-authen-auth] authentication-mode radius
[AGG-AC1-aaa-authen-auth] quit
[AGG-AC1-aaa] accounting-scheme acco
[AGG-AC1-aaa-accounting-acco] accounting-mode radius
[AGG-AC1-aaa-accounting-acco] accounting realtime 15
[AGG-AC1-aaa-accounting-acco] quit

successfully authenticated users.
[AGG-AC1] free-rule-template name default_free_rule
[AGG-AC1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG-AC1-free-rule-default_free_rule] quit


ACL rules for wireless users are delivered to APs. Therefore, the APs must permit
network segments of wireless users and all the network segments that wireless users
can access. Otherwise, all packets of wireless users are discarded on APs even if the
users are successfully authenticated.
[AGG-AC1] acl 3001
[AGG-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 8 deny ip destination any
[AGG-AC1-acl-adv-3001] quit
# Configure network access rights for successfully authenticated guests to

allow them to access the Internet and DNS server and to communicate with
each other.
[AGG-AC1] acl 3002
[AGG-AC1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access
the Internet after being authenticated.
[AGG-AC1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to
[AGG-AC1-acl-adv-3002] rule 5 deny ip destination any
[AGG-AC1-acl-adv-3002] quit

[AGG-AC1] dot1x-access-profile name d1
[AGG-AC1-dot1x-access-profile-d1] quit

[AGG-AC1] authentication-profile name p1
[AGG-AC1-authen-profile-p1] dot1x-access-profile d1
[AGG-AC1-authen-profile-p1] free-rule-template default_free_rule
[AGG-AC1-authen-profile-p1] authentication-scheme auth
[AGG-AC1-authen-profile-p1] accounting-scheme acco
[AGG-AC1-authen-profile-p1] radius-server tem_rad
[AGG-AC1-authen-profile-p1] quit
# Configure a security policy for wireless access of employees.

[AGG-AC1] wlan
[AGG-AC1-wlan] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] security wpa2 dot1x aes
[AGG-AC1-wlan-sec-prof-sec1] quit
#Configure 802.1X authentication for wireless access of employees.

[AGG-AC1-wlan-view] vap-profile name vap1
[AGG-AC1-wlan-vap-prof-vap1] authentication-profile p1
[AGG-AC1-wlan-vap-prof-vap1] quit
[AGG-AC1-wlan-view] quit
4. Configure MAC address-prioritized Portal authentication for guests.

# Configure a Portal server template. Configure parameters for

interconnection between the AC and Portal server, including the IP address
and port number of the Portal server, Portal key, and URL of the Portal page.
[AGG-AC1] web-auth-server tem_portal
[AGG-AC1-web-auth-server-tem_portal] server-ip 192.168.100.10
[AGG-AC1-web-auth-server-tem_portal] port 50200
[AGG-AC1-web-auth-server-tem_portal] shared-key cipher Admin@123
[AGG-AC1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[AGG-AC1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0
action log //Enable the Portal server detection function so that you can learn the Portal server
status in real time and users can still access the network even if the Portal server is faulty. Note that
the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[AGG-AC1-web-auth-server-tem_portal] quit
[AGG-AC1] portal-access-profile name web1
[AGG-AC1-portal-acces-profile-web1] web-auth-server tem_portal direct
[AGG-AC1-portal-acces-profile-web1] quit
[AGG-AC1] mac-access-profile name mac1
[AGG-AC1-mac-access-profile-mac1] quit
[AGG-AC1] authentication-profile name p2
[AGG-AC1-authen-profile-p2] portal-access-profile web1
[AGG-AC1-authen-profile-p2] mac-access-profile mac1
[AGG-AC1-authen-profile-p2] free-rule-template default_free_rule
[AGG-AC1-authen-profile-p2] authentication-scheme auth
[AGG-AC1-authen-profile-p2] accounting-scheme acco
[AGG-AC1-authen-profile-p2] radius-server tem_rad
[AGG-AC1-authen-profile-p2] quit
# Configure MAC address-prioritized Portal authentication for guests.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] vap-profile name vap2
[AGG-AC1-wlan-vap-prof-vap2] authentication-profile p2
[AGG-AC1-wlan-vap-prof-vap2] quit
[AGG-AC1-wlan-view] quit

the access switch. The following uses ACC1 as an example. The configuration of
ACC2 is similar to that of ACC1.
# Enable this function on all interfaces through which 802.1X authentication
packets pass. If a switch does not support the bpdu enable command, you only
need to run the l2protocol-tunnel user-defined-protocol 802.1x enable
command on its interface.
<ACC1> system-view
0100-0000-0002
parameters.

Table 6-66 Parameter settings for adding aggregation switches and ACs on Agile
Controller-Campus
Parameter on Agile Setting for Setting for ACs

Controller-Campus Aggregation
Switches
Names and IP ● AGG1: ● AGG-AC1: 192.168.20.1 (IP

addresses 172.168.70.2 address of the backup AC:
● AGG2: 192.168.20.2)
172.168.80.2 ● AGG-AC3: 192.168.21.1 (IP
address of the backup AC:
192.168.21.2)
Enable RADIUS Selected

(mandatory for
802.1X, Portal, and
MAC address
authentication, Free
Mobility, and Service
Chain)
Device series Huawei S Series
Authentication/ Admin@123
Accounting key
Authorization key Admin@123
Real-time accounting 15
interval (minute)
Enable Portal - Selected

(mandatory for Portal
authentication)
Portal protocol type HUAWEI portal protocol
Portal key Admin@123
Access terminal IPv4 ● AGG-AC1:

list 172.16.30.0/24;172.16.31.0/24
● AGG-AC3:
172.16.40.0/24;172.16.41.0/24
Enable heartbeat Selected

between access device
and Portal server
Portal server IP 192.168.100.10

address list



guests.



used as an example.



rule result

result
----End
Expected Results


domains.
3. Employees can communicate with each other, but cannot communicate with
the guest.

# Enter the correct user name and password on PC1, connect to the WLANs
Employee and Guest in wireless mode, and then run the display access-user
command on AGG1 and AGG-AC1 to check information about online users.
The command output shows that user1, user2, and guest4 are all in Success
state.
------------------------------------------------------------------------------------------------------

Status
------------------------------------------------------------------------------------------------------
32792 user1 172.16.50.216 001b-21c4-820f

Success
------------------------------------------------------------------------------------------------------
[AGG-AC1] display access-user
------------------------------------------------------------------------------------------------------

Status
------------------------------------------------------------------------------------------------------
16434 user2 172.16.30.97 38ca-da5e-441a

Success
32809 guest4 172.16.31.165 64b0-a6a3-f913
Success
------------------------------------------------------------------------------------------------------

view detailed authentication and authorization information of user1.

Basic:
User ID : 32792
User name : user1
9FE9:95F9:C499
9FE9:95F9:C499
10:01:33
AGG00018000000050ef****0200018
AAA:
authentication
RADIUS
RADIUS
------------------------------------------------------------------------------
# Run the display access-user username user2 detail and display access-
user username guest4 detail commands on AGG-AC1 to view detailed
authentication and authorization information of user2 and guest4.
[AGG-AC1] display access-user username user2 detail
Basic:
User ID : 16434
User name : user2
Dbss17498
10:02:55
AC2000000000000308d****0100032
AC853DA6A42038CADA5E441A5E09C****B2526E4
AP name : area_1
Radio ID :1
SSID : Employee

AAA:
authentication
RADIUS
RADIUS
------------------------------------------------------------------------------
[AGG-AC1] display access-user username guest4 detail
Basic:
User ID : 32809
User name : guest4
Dbss17497
09:52:57
AC200000000000031dd****0200029
AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
AP name : area_1
Radio ID :0
SSID : Guest
192.168.100.10
AAA:
authentication
RADIUS
RADIUS
------------------------------------------------------------------------------
C:\Users\*******>ping 192.168.100.2



C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3


C:\Users\*******>

succeeds.
C:\Users\*******>ping 172.16.3.1


C:\Users\*******>

operation fails.
C:\Users\*******>ping 192.168.100.100

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>

C:\Users\*******>ping 172.16.30.97


C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.31.165

Request time out.
Request time out.
Request time out.
Request time out.

C:\Users\*******>
Configuration Files
#
sysname CORE
#
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
ip address 192.168.100.1 255.255.255.0
#
mode lacp
#
mode lacp
#
undo portswitch
ip address 172.16.3.1 255.255.255.0
mode lacp
#
eth-trunk 10

#
eth-trunk 20
#
eth-trunk 30
#
#
#
eth-trunk 20
#
eth-trunk 10
#
eth-trunk 30
#
#
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#~jZ}F$6t6/!K%~9Ow$"Vb,+LFnrEl>q<\'1!^JD7%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#GH(%~#au`G.f/lA~"P%I]^Z4L*yVj"[/
w"2uWP\'%^%#
#
acl number 3001
rule 8 deny ip
#

#
vlan 50
#
aaa
domain huawei.com
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif31
ip address 172.16.31.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
description con to AC
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
mode lacp
#
mode lacp
#
eth-trunk 30
#
eth-trunk 1
#
#
eth-trunk 1
#
eth-trunk 30
#

eth-trunk 10
#
eth-trunk 10
#
#
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
#
return

#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
#
dhcp enable
#
#
radius-server shared-key cipher %^%#~jZ}F$6t6/!K%~9Ow$"Vb,+LFnrEl>q<\'1!^JD7%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#GH(%~#au`G.f/lA~"P%I]^Z4L*yVj"[/
w"2uWP\'%^%#
#
acl number 3001
rule 8 deny ip
#
#
vlan 60
#
aaa
domain huawei.com
#

interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.3 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
description con to AC
mode lacp
#
mode lacp
#
mode lacp
#
eth-trunk 40
#
eth-trunk 2
#
eth-trunk 2
#
#
eth-trunk 40
#
#
eth-trunk 20
#
eth-trunk 20
#
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255

#
#
return
# AGG-AC1 configuration file

#
sysname AGG-AC1
#
#
vlan batch 20 30 to 31 200
#
#
dhcp enable
#
#
vlan 30
vlan 31
#
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I
$3F)3K]ar/O%^%#
#
acl number 3001
rule 8 deny ip
acl number 3002
rule 5 deny ip
#
#
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
#


#
aaa
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
admin-vrrp vrid 1
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
#
interface Vlanif200
ip address 172.16.200.1 255.255.255.0
#
mode lacp
#
eth-trunk 1
#
#
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
#
#
hsb-service 0
#
hsb-group 0
bind-service 0
hsb enable
#
#
#

#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_1
ap-group ap-group1
provision-ap
#
#
#
return

#
sysname AGG-AC2
#
#
#

#
dhcp enable
#
#
vlan 30
vlan 31
#
$3F)3K]ar/O%^%#
#
acl number 3001
rule 8 deny ip
acl number 3002
rule 5 deny ip
#
#
server-ip 192.168.100.10
port 50200
url http://192.168.100.10:8080/portal
#
#
aaa
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
admin-vrrp vrid 1
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0


#
interface Vlanif31
ip address 172.16.31.2 255.255.255.0
#
interface Vlanif200
ip address 172.16.200.2 255.255.255.0
#
mode lacp
#
eth-trunk 1
#
#
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
#
#
hsb-service 0
#
hsb-group 0
bind-service 0
hsb enable
#
#
#
#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1


forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_1
ap-group ap-group1
provision-ap
#
#
#
return

#
sysname AGG-AC3
#
#
#
#
dhcp enable
#
#
vlan 40
vlan 41
#
$3F)3K]ar/O%^%#
#
acl number 3001


rule 8 deny ip
acl number 3002
rule 5 deny ip
#
#
server-ip 192.168.100.10
port 50200
url http://192.168.100.10:8080/portal
#
#
aaa
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
admin-vrrp vrid 1
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
#
interface Vlanif201
ip address 172.16.201.1 255.255.255.0
#
mode lacp
#
eth-trunk 1

#
#
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
#
hsb-service 0
#
hsb-group 0
bind-service 0
hsb enable
#
#
#
#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_2
ap-group ap-group2

provision-ap
#
#
#
return

#
sysname AGG-AC4
#
#
#
#
dhcp enable
#
#
vlan 40
vlan 41
#
$3F)3K]ar/O%^%#
#
acl number 3001
rule 8 deny ip
acl number 3002
rule 5 deny ip
#
#
server-ip 192.168.100.10
port 50200
url http://192.168.100.10:8080/portal


#
#
aaa
#
interface Vlanif21
ip address 192.168.21.2 255.255.255.0
admin-vrrp vrid 1
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.2 255.255.255.0
#
interface Vlanif201
ip address 172.16.201.2 255.255.255.0
#
mode lacp
#
eth-trunk 1
#
#
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
#
hsb-service 0
#
hsb-group 0
bind-service 0
hsb enable
#

#
#
#
wlan
user-isolate l2
ssid Employee
ssid Guest
forward-mode tunnel
ssid-profile ssid1
forward-mode tunnel
ssid-profile ssid2
radio 0
radio 1
ap-name area_2
ap-group ap-group2
provision-ap
#
#
#
return

#
sysname ACC1
#
vlan batch 20 50
#
#
mode lacp
#

eth-trunk 30
#
eth-trunk 30
#
#
#
return

#
sysname ACC2
#
vlan batch 21 60
#
#
mode lacp
#
eth-trunk 40
#
eth-trunk 40
#
#
#
return

01-06 Wired and Wireless User Access Authentication Deployment

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01-06 Wired and Wireless User Access Authentication Deployment

Uploaded by

Copyright:

Available Formats

6 Wired and Wireless User Access Authentication

Campus Networks Typical Configuration Examples Deployment

6 Wired and Wireless User Access

6.1 Key Points of User Access Authentication Deployment

6.1 Key Points of User Access Authentication

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 311

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 312

Figure 6-1 Authentication points and access points

Access layer ACC1 ACC2

PC1 AP1 PC2 AP2

6.2 Native AC + Free Mobility Solution: Core Switches

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 313

XGE0/0/1 XGE1/0/1 XGE1/0/1 XGE0/0/1

GE0/0/3 GE1/0/3 GE0/0/3 GE1/0/3

PC1 AP1 PC2 AP2

Device Requirements and Versions

Core layer ● Modular switches S12700E V200R019C10

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 314

1 Configure authentication, authorization, Core switches (CORE)

2 Configure a pre-authentication domain Core switches (CORE)

3 Configure 802.1X authentication for Core switches (CORE)

4 Configure MAC address-prioritized Core switches (CORE)

5 Enable the free mobility function and Core switches (CORE)

6 Configure transparent transmission for Aggregation switches

7 Log in to Agile Controller-Campus and Agile Controller-Campus

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 315

Table 6-1 Service data plan for core switches

Management VLAN for VLAN 20 192.168.20.0/24

Service VLANs for VLAN 30 172.16.30.0/24

Service VLAN for a wired VLAN 50 172.16.50.0/24

Service VLAN for a wired VLAN 60 172.16.60.0/24

VLAN for communication VLAN 1000 192.168.11.254/24

Table 6-2 Wireless service data plan for core switches

Regulatory domain profile domain1

SSID profiles test01, test02

VAP profiles vap1, vap2 (The data forwarding mode in

Table 6-3 Authentication service data plan for core switches

AAA schemes Authentication scheme:

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 316

RADIUS server ● RADIUS server template name:

Portal server ● Portal server template name:

802.1X access profile ● Name: d1

Portal access profile Name: web1

MAC access profile Name: mac1

Pre-authentication domain IP address of the DNS server:

Table 6-4 Service data plan for Agile Controller-Campus

IP address of CORE 192.168.11.254

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 317

RADIUS parameters ● Device series: Huawei S series

Portal parameters ● Port number: 2000

XMPP password Admin@123

Security groups ● employee_group

Post-authentication domains ● Employees can access the mail and

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 318

User Access Security Policy

MAC address authentication Open system authentication

802.1X authentication WPA/WPA2-802.1X authentication. WPA2

For employees who use 802.1X authentication, configure a security policy in

For guests who use MAC address-prioritized Portal authentication, configure a

Step 2 Configure AAA on CORE.

# Configure a RADIUS authorization server.

# Configure AAA schemes, set the authentication, authorization, and accounting

Issue 01 (2020-06-04) Copyright © Huawei Technologies Co., Ltd. 319

[CORE-aaa-domain-huawei.com] radius-server tem_rad