● Authentication point location: The devices that function as user gateways are
typically configured as authentication points. As described in 3 Campus
Network Connectivity Deployment, when the native AC solution is used, you
are advised to deploy a switch that supports the native AC function as the
gateway for both wired and wireless users. When the standalone AC or ACU2
solution is used, you can deploy both wired and wireless gateways on a
switch, or deploy the wired gateway on a switch and the wireless gateway on
a standalone AC or an ACU2. In the examples where the standalone AC
solution is used, the gateway and authentication point for wireless users are
both deployed on a standalone AC or an ACU2.
● Policy-based control solutions: include Network Admission Control (NAC), free
mobility, and policy association. In the policy association solution, aggregation
or core switches are typically deployed as authentication points and access
switches as access points. This solution prevents users connected to the same
access device from communicating with each other before they are
authenticated, and allows administrators to easily obtain online user
information such as the interfaces on which users go online and the VLANs to
which users belong. A standalone AC or an ACU2 does not support the free
mobility solution for wireless users.
● In the following examples, Agile Controller-Campus functions as both the
access authentication server and user data source server.
User access authentication aims to implement user authentication and policy-
based control, which involves the following key nodes:
● Authentication point: a device or node responsible for user access
authentication.
● Access point: a device or node that determines whether a terminal is allowed
to access the network.
● Group policy enforcement point: a device or node that executes group policies
used in free mobility.
Figure 6-1 shows the positions of authentication points and access points when
core switches function as the authentication points for wired and wireless users.
[Figure 6-1: server zone (including RADIUS and DNS servers) attached to the core layer CSS (CORE); aggregation layer AGG1 and AGG2. Legend: authentication point, access point.]
● The free mobility solution is adopted, and security groups and inter-group
policies are configured on Agile Controller-Campus to control user access
rights.
Figure 6-2 Core switches functioning as the authentication point for wired and
wireless users
[Figure 6-2: core layer CSS (CORE) connects to the server zone (including RADIUS and DNS servers) through XGE1/2/0/1; XGE1/1/0/1 and XGE2/1/0/2 form Eth-Trunk 10, XGE1/1/0/2 and XGE2/1/0/1 form Eth-Trunk 20. Legend: authentication point, access point, group policy enforcement point. Devices: aggregation layer S5731-H, access layer S5735-L, AP AP6050DN V200R019C00.]
Deployment Roadmap
Step    Deployment Roadmap    Devices Involved
Data Plan
Item        Data
AP group    ap-group1
Accounts    Employee: user name user1, password Huawei@123
            Guest: user name user2, password Guest@123
Deployment Precautions
● Free mobility is supported only in NAC unified mode.
● In this example, Agile Controller-Campus runs V100R003C50.
For details about other precautions, see "Licensing Requirements and Limitations for Free
Mobility" in the Product Use Precautions.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit
By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.
[CORE] authentication unified-mode
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
Step 6 Enable the free mobility function and configure XMPP parameters for
interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254 //Set src-ip
to the IP address of VLANIF 1000.
If a switch supports the bpdu enable command, run both the bpdu enable and
l2protocol-tunnel user-defined-protocol 802.1x enable commands on an
interface of the switch.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
a. Choose Resource > Device > Device Management, click Add, and
configure device information and authentication parameters (Name: CORE).
c. Click OK, select CORE, and click Synchronize. The communication status
of the switch is shown as normal, and the synchronization status is Success.
d. Check the communication status between Agile Controller-Campus and
CORE.
[CORE] display group-policy status
Controller IP address        : 192.168.11.1
Controller port              : 5222
Backup controller IP address : -
Backup controller port       : -
Source IP address            : 192.168.11.254
State                        : working
Connected controller         : master
Device protocol version      : 2
Controller protocol version  : 2
3. Create employee and guest accounts. The following uses the employee
account user1 as an example. The procedure for creating a guest account is
similar to that for creating an employee account.
Choose Resource > User > User Management. Click Add and create
employee account user1.
e. Click Global Deployment. You can view the deployment result on the
deployment details page.
5. Bind employee_group to employees and guest_group to guests through
quick authorization. After being authenticated, employees are added to
employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. According to the
following table, bind employees to employee_group and click OK. Then bind
guests to guest_group and click OK.
c. Click OK and then Global Deployment. You can view the deployment
result on the deployment details page.
After successful deployment, you can run the following commands on
CORE to check the deployment information.
1
2
--------------------------------------------------------------------------------
Total : 2
----End
Basic:
User ID : 49523
User name : user1
Domain-name : huawei.com
User MAC : dc72-9b7e-70a2
User IP address : 172.16.30.133
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss5111
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/08/08 08:45:00
User accounting session ID : CORE00220000000030aa****0104173
User access type : 802.1x
AP name : area_2
Radio ID :1
AP MAC : 4cfa-cafe-e060
SSID : test01
Online time : 43(s)
Dynamic group index(Effective) : 1
Service Scheme Priority :0
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Basic:
User ID : 115814
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.60.133
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk20
User vlan event : Success
QinQVlan/UserVlan : 0/60
User vlan source : user request
User access time : 2019/08/08 08:12:29
User accounting session ID : CORE002200000000604e****0304466
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic group index(Effective) : 1
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method :-
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 2, printed: 2
[CORE] display access-user username user2 detail
Basic:
User ID : 52993
User name : user2
Domain-name : huawei.com
User MAC : dc72-9b7e-70a2
User IP address : 172.16.40.9
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss5112
User vlan event : Success
QinQVlan/UserVlan : 0/40
User vlan source : user request
User access time : 2019/08/08 08:57:47
User accounting session ID : CORE0022000000004005****0104f01
User access type : WEB
AP name : area_2
Radio ID :1
AP MAC : 4cfa-cafe-e060
SSID : test02
Online time : 23(s)
Web-server IP address : 192.168.100.10
Dynamic group index(Effective) : 2
Service Scheme Priority :0
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method :-
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
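Checking these outputs by eye does not scale once more than a handful of users are online. The following Python script is an added example, not code from the Huawei guide: it parses the text that display access-user username <user> detail prints (the same layout is used in the policy-association and NAC unified-mode outputs later on this page), and reports any session whose access type or effective authorization (Dynamic group index in free mobility, Dynamic ACL ID in policy association) differs from what the account should have. The sample output is constructed from the fields shown on this page, and the EXPECTED policy table is an assumption made for the example.

```python
"""Check 'display access-user ... detail' sessions against the intended authorization.

Added example; not code from the Huawei guide. The sample output is
constructed from the fields shown in this chapter's display outputs (one
wireless employee, one wireless guest, one wired employee behind a policy
association access switch). The EXPECTED table, which maps each account to
the access type and effective security group (free mobility) or ACL (policy
association) it must end up with, is an assumption made for the example.
"""
import re

SAMPLE_OUTPUT = """\
Basic:
  User ID : 49523
  User name : user1
  Domain-name : huawei.com
  User MAC : dc72-9b7e-70a2
  User IP address : 172.16.30.133
  User IPv6 address : -
  User access Interface : Wlan-Dbss5111
  User access type : 802.1x
  SSID : test01
  Dynamic group index(Effective) : 1
AAA:
  User authentication type : 802.1x authentication
  Current authentication method : RADIUS
------------------------------------------------------------------------------
Basic:
  User ID : 52993
  User name : user2
  User IP address : 172.16.40.9
  User access Interface : Wlan-Dbss5112
  User access type : WEB
  SSID : test02
  Dynamic group index(Effective) : 2
AAA:
  User authentication type : WEB authentication
------------------------------------------------------------------------------
Basic:
  User ID : 115871
  User name : user1
  User IPv6 address : FE80::E9AA:9FE9:95F9:C499
  User access Interface : Eth-Trunk10
  User access type : 802.1x
  AS name : acc1
  AS Interface : GigabitEthernet0/0/2
  Dynamic ACL ID(Effective) : 3001
AAA:
  User authentication type : 802.1x authentication
------------------------------------------------------------------------------
Total: 3, printed: 3
"""

# Assumed policy: employees use 802.1X and land in group 1 / ACL 3001,
# guests use Portal (WEB) and land in group 2 / ACL 3002.
EXPECTED = {
    "user1": {"access": "802.1x", "group": "1", "acl": "3001"},
    "user2": {"access": "WEB", "group": "2", "acl": "3002"},
}

# Key stops at the first colon, so IPv6 values keep their own colons.
KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_sessions(text: str) -> list:
    """Split the output at each 'Basic:' header and collect 'key : value' lines."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("Basic:"):
            current = {}
            sessions.append(current)
            continue
        if current is None or line.startswith(("AAA:", "---", "Total")):
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return sessions


def check_session(session: dict, expected: dict = EXPECTED) -> list:
    """Return a list of problems for one online session (empty means OK)."""
    name = session.get("User name", "?")
    policy = expected.get(name)
    if policy is None:
        return [f"{name}: account not covered by the expected policy"]
    problems = []
    access = session.get("User access type")
    if access != policy["access"]:
        problems.append(f"{name}: access type {access} != {policy['access']}")
    group = session.get("Dynamic group index(Effective)")
    acl = session.get("Dynamic ACL ID(Effective)")
    if group is None and acl is None:
        problems.append(f"{name}: online with no effective security group or authorization ACL")
    if group is not None and group != policy["group"]:
        problems.append(f"{name}: security group {group} != {policy['group']}")
    if acl is not None and acl != policy["acl"]:
        problems.append(f"{name}: authorization ACL {acl} != {policy['acl']}")
    return problems


def audit(text: str, expected: dict = EXPECTED) -> list:
    """Problems across every session in the output; empty list means all match."""
    return [p for s in parse_sessions(text) for p in check_session(s, expected)]


if __name__ == "__main__":
    for problem in audit(SAMPLE_OUTPUT) or ["all sessions match the expected authorization"]:
        print(problem)
```

Run it against the captured output of display access-user all detail or the per-user form; a session that is online with neither a group index nor an ACL is worth the same attention as one with the wrong one, because it means the user got network access with no authorization applied.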
● Choose Resource > User > Online User Management on Agile Controller-
Campus to check the user login information and the security groups to which
users belong.
● Verify that you can access the mail and video servers using the employee
account after passing 802.1X authentication, no matter where the terminals
are located.
Verify that you can access only the video server using the guest account after
passing MAC address-prioritized Portal authentication, no matter where the
terminal is located.
Verify that the employee and guest can communicate with each other.
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
ucl-group 1
ucl-group 2
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/
6;4[4'HJ(/<%^%#
#
eth-trunk 10
#
return
of data. In addition, core switches are configured with the native AC function to
manage APs and transmit wireless service traffic on the entire network,
implementing wired and wireless convergence. Aggregation switches set up stacks
to implement device-level backup and increase the interface density and
forwarding bandwidth.
In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired and wireless users on the entire network. These
users can access the network only after being authenticated. The specific
requirements are as follows:
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Policy association is deployed between core switches and access switches. The
core switches function as control devices to centrally authenticate users and
manage user access policies, and access devices only need to execute user
access policies. This function not only controls network access rights of users,
but also simplifies the configuration and management of access devices.
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
Figure 6-13 Core switches functioning as the authentication point for wired and
wireless users
[Figure 6-13: aggregation layer AGG1 and AGG2 uplink to CORE through XGE0/0/1 and XGE1/0/1; GE0/0/3 and GE1/0/3 on AGG1 form Eth-Trunk 30 to ACC1, and on AGG2 form Eth-Trunk 40 to ACC2; on the access layer ACC1 and ACC2, GE0/0/1 and GE0/0/2 are the trunk members and GE0/0/3 and GE0/0/4 are the downstream ports. Legend: authentication point, access point. Devices: aggregation layer S5731-H, access layer S5735-L, AP AP6050DN V200R019C00.]
Deployment Roadmap
Step    Deployment Roadmap    Devices Involved
Data Plan
Item        Data
AP group    ap-group1
Accounts    Employee: user name user1, password Huawei@123
            Guest: user name user2, password Guest@123
Deployment Precautions
● In this example, Huawei's Agile Controller-Campus in V100R003C50 functions
as the Portal server and RADIUS server.
● The RADIUS authentication key, RADIUS accounting key, and Portal key
configured on Agile Controller-Campus must be the same as those configured
on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● When NAC is enabled on an Eth-Trunk interface, ensure that member
interfaces of the Eth-Trunk interface reside on cards of the same type.
Otherwise, users may fail to go online or services are affected after they go
online.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● For details about the devices that can function as control and access devices
in a policy association scenario and other precautions, see "Licensing
Requirements and Limitations for Policy Association" in S12700 Series Agile
Switches Product Use Precautions.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server and CAPWAP management network segment to pass through. Keep these rules as
narrow as possible: everything matched by a free rule is reachable by hosts that have not
authenticated. With mask 24, free-rule 1 opens the whole 192.168.11.0/24 server zone,
including 192.168.11.3, which ACL 3001 later restricts to employees; use mask 32 if only
the DNS server must be reachable, as in the free-mobility example.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 24
[CORE-free-rule-default_free_rule] free-rule 2 source vlan 20
[CORE-free-rule-default_free_rule] quit
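A quick way to catch an over-wide free rule before it ships is to compare the free-rule-template against the authorization ACLs: any destination an ACL tries to limit to authenticated users, but which a free rule already covers, is reachable pre-authentication. The script below is an added example and not part of the Huawei guide or of any Huawei tool; it parses the free-rule and acl stanzas of a VRP-style configuration, accepts both the prefix-length (mask 24) and dotted (mask 255.255.255.0) forms that appear on this page, and reports the overlaps. The configuration fragment is constructed from the values in this chapter.

```python
"""Audit NAC pre-authentication free rules against authorization ACLs.

Added example, not code from the Huawei guide. It parses the free-rule-template
and acl stanzas of a VRP-style configuration fragment (the sample below is
constructed from the values used in this chapter) and reports every free rule
that is wider than a single host, plus every ACL destination that an
unauthenticated client can already reach through a free rule.
"""
import ipaddress
import re

# Constructed sample: the CORE values from this page, with the /24 DNS free rule.
SAMPLE_CONFIG = """\
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 24
 free-rule 2 source vlan 20
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.11.3 0
 rule 3 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 deny ip
"""

FREE_RULE_RE = re.compile(r"free-rule\s+(\d+)\s+destination\s+ip\s+(\S+)\s+mask\s+(\S+)")
ACL_RE = re.compile(r"acl\s+number\s+(\d+)")
PERMIT_RE = re.compile(r"rule\s+\d+\s+permit\s+ip\s+destination\s+(\S+)\s+(\S+)")


def parse_mask(mask: str) -> int:
    """VRP accepts either a prefix length ('24') or a dotted mask ('255.255.255.0')."""
    if mask.isdigit():
        return int(mask)
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """ACL rules use a wildcard (inverse) mask; '0' means an exact host."""
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    prefixlen = 32 - wc.bit_length()  # assumes contiguous wildcard bits
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def parse_free_rules(config: str) -> dict:
    """Map free-rule number -> destination network it opens before authentication."""
    return {int(n): ipaddress.IPv4Network(f"{ip}/{parse_mask(m)}", strict=False)
            for n, ip, m in FREE_RULE_RE.findall(config)}


def parse_acl_destinations(config: str) -> dict:
    """Map ACL number -> list of destination networks its permit rules cover."""
    acls, current = {}, None
    for line in config.splitlines():
        m = ACL_RE.search(line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = PERMIT_RE.search(line)
        if m and current is not None:
            acls[current].append(wildcard_to_network(*m.groups()))
    return acls


def audit(config: str) -> list:
    """Findings as strings; an empty list means the free rules are host-specific
    and do not overlap anything the authorization ACLs try to protect."""
    findings = []
    free = parse_free_rules(config)
    for n, net in free.items():
        if net.prefixlen < 32:
            findings.append(f"free-rule {n}: {net} is wider than one host; "
                            f"unauthenticated clients can reach all of it")
    for acl, dests in parse_acl_destinations(config).items():
        for dest in dests:
            for n, net in free.items():
                if dest.subnet_of(net):
                    findings.append(f"acl {acl}: destination {dest} is already open "
                                    f"pre-auth via free-rule {n} ({net})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no over-wide free rules found"]:
        print(finding)
```

The sample produces two findings: free-rule 1 is a /24, and 192.168.11.3 (permitted only to employees by ACL 3001) sits inside it. Changing the rule to mask 32 clears both.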
Step 4 Configure the policy association function on core and access switches.
# Configure Eth-Trunk 10 and Eth-Trunk 20 on CORE as control points.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication control-point
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication control-point
[CORE-Eth-Trunk20] quit
# Configure ACLs and ACL rules for user authorization on CORE. Specifically,
configure ACL 3001 and ACL 3002 to control the network access rights of
employees and guests, respectively.
[CORE] acl 3001 //Configure an ACL for authorization of employees, so that they can access the Internet
and service server after being authenticated.
# Configure the source interface for establishing a CAPWAP tunnel on each access
switch. The following uses ACC1 as an example. The configuration of ACC2 is
similar to that of ACC1.
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on CORE
# Enable access switches to allow packets destined for the DNS server to pass
through. The following uses ACC1 as an example. The configuration of ACC2 is
similar to that of ACC1.
[ACC1] free-rule-template name default_free_rule
[ACC1-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.2 mask 24
[ACC1-free-rule-default_free_rule] quit
Step 5 On CORE, configure 802.1X authentication for employees and MAC address-
prioritized Portal authentication for guests.
Configure 802.1X authentication for employees.
# Change the NAC mode to unified.
By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode
Step 6 Configure 802.1X authentication for employees on access switches. The following
uses ACC1 as an example. The configuration of ACC2 is similar to that of ACC1.
If you log in to Agile Controller-Campus for the first time, use the super
administrator user name admin and password Changeme123. Change the
password immediately after the first login. Otherwise, Agile Controller-
Campus cannot be used.
2. Add switches so that they can communicate with Agile Controller-Campus.
Choose Resource > Device > Device Management, click Add, and configure
device information and authentication parameters (Name: CORE).
3. Create user groups and accounts. The following describes how to configure
the user group employee. The configuration of the user group guest is
similar.
b. Click in the operation area on the left, and create the user group
employee.
c. Click Add in the operation area on the right, and add an account.
d. Click Transfer in the operation area on the right, and add the account to
the user group employee.
----End
Guest authentication
● A guest can use a mobile terminal to associate with the SSID test02, enter
http://192.168.11.1:8080/portal in the address box of a browser, and enter the
user name and password on the redirection page to complete Portal
authentication and access the Wi-Fi network. After disconnecting from the
Wi-Fi network, the guest can access the Internet again by associating with
the SSID test02, without the need to enter the user name and password.
● After the guest is authenticated, you can run the display
access-user username user2 detail command on CORE to
check the online, authentication, and authorization information
of the guest account.
● On Agile Controller-Campus, you can choose Resource > User
> RADIUS Log to check RADIUS authentication logs of the
guest account.
The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
User ID : 115871
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User MAC : 001b-21c4-820f
User IP address : 172.16.50.161
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10 //Interface on which the user goes online
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/08/13 10:02:31
User accounting session ID : CORE00210000000050ab****030449f
User access type : 802.1x //User access type
AS ID :0 //ID of the access device
AS name : acc1 //Name of the access device
AS IP : 192.168.20.56 //IP address of the access device
AS MAC : 000b-099d-eb3b //MAC address of the access device
AS Interface : GigabitEthernet0/0/2 //Access point
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001 //Authorization ACL
Dynamic service scheme : test //Service scheme
AAA:
User authentication type : 802.1x authentication //Authentication mode
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/
6;4[4'HJ(/<%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.0.0
free-rule 2 source vlan 20
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
url http://192.168.11.1:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
port trunk allow-pass vlan 20 50
authentication control-point
authentication-profile p1
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
port trunk allow-pass vlan 20 60
authentication control-point
authentication-profile p1
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
return
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.0
#
interface Vlanif20
ip address dhcp-alloc
#
interface Eth-Trunk30
port link-type trunk
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
authentication access-point
authentication-profile p1
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
authentication access-point
authentication-profile p1
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
Figure 6-24 Core switches functioning as the authentication point for wired and
wireless users
[Figure 6-24: core layer CSS (CORE) connects to the server zone (including RADIUS and DNS servers) through XGE1/2/0/1; XGE1/1/0/1 and XGE2/1/0/2 form Eth-Trunk 10, XGE1/1/0/2 and XGE2/1/0/1 form Eth-Trunk 20. Legend: authentication point, access point. Devices: aggregation layer S5731-H, access layer S5735-L, AP AP6050DN V200R019C00.]
Deployment Roadmap
Step    Deployment Roadmap    Devices Involved
Data Plan
Item        Data
AP group    ap-group1
Accounts    Employee: user name user1, password Huawei@123
            Guest: user name user2, password Guest@123
Deployment Precautions
● In this example, Huawei's Agile Controller-Campus in V100R001 functions as
the Portal server and RADIUS server. In addition to V100R001, Agile
Controller-Campus can also run V100R002 or V100R003.
● The RADIUS authentication key, RADIUS accounting key, and Portal key
configured on Agile Controller-Campus must be the same as those configured
on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● When NAC is enabled on an Eth-Trunk interface, ensure that member
interfaces of the Eth-Trunk interface reside on cards of the same type.
Otherwise, users may fail to go online or services are affected after they go
online.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
For other precautions, see "Licensing Requirements and Limitations for NAC Unified Mode"
in the S12700 Series Agile Switches Product Use Precautions.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.5 Native AC Solution:
Core Switches Function as the Gateway for Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
# Configure the RADIUS server template tem_rad and configure parameters for
interconnection between CORE and the RADIUS server. The parameters include the
IP addresses, port numbers, and shared keys of the RADIUS authentication and
accounting servers.
<CSS> system-view
[CSS] sysname CORE
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-radius-tem_rad] quit
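The precaution that the RADIUS keys on Agile Controller-Campus and on the switch must be identical is not a configuration nicety: the shared key is the only thing that authenticates an Access-Accept to the switch. The following Python script is an added example, not code from the Huawei guide or from Agile Controller-Campus, that builds the 802.1X-style exchange in memory, an Access-Request carrying an EAP-Message and Message-Authenticator and the server's reply, and performs the two checks the switch must do before it lets the user online: the Response Authenticator (MD5 over the reply plus the secret, RFC 2865) and the HMAC-MD5 Message-Authenticator (RFC 3579). The packets and the EAP identity are constructed for the example; the secret is the Admin@123 value configured above.

```python
"""RADIUS Response Authenticator and Message-Authenticator checks.

Added example; not code from the Huawei guide or from Agile Controller-Campus.
It shows why the RADIUS key on the switch (radius-server shared-key) and on the
server must be identical: an Access-Accept or Access-Reject is trusted only if
its Response Authenticator, MD5 over the reply plus the secret (RFC 2865 s3),
verifies, and EAP-bearing packets additionally carry an HMAC-MD5
Message-Authenticator (RFC 3579 s3.2). Packets and the EAP identity below are
constructed for the example; the secret is the one configured on this page.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
SECRET = b"Admin@123"  # value from the page's radius-server shared-key command


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def with_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the value zeroed).

    For replies, `authenticator` must be the Request Authenticator of the request
    being answered, not the Response Authenticator (RFC 3579 section 3.2).
    """
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    zeroed = build_packet(code, ident, authenticator, attrs + placeholder)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_access_request(ident, secret, username, eap_payload):
    """Authenticator side (the switch): random Request Authenticator + EAP-Message."""
    request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_EAP_MESSAGE, eap_payload)
    attrs = with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    attrs = with_message_authenticator(code, ident, request_auth, attrs, secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    off = 20
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2:
            break
        yield off, atype, packet[off + 2:off + alen]
        off += alen


def verify_message_authenticator(packet, secret, request_auth=None) -> bool:
    """Recompute the HMAC with the attribute value zeroed; replies use the Request Authenticator."""
    authenticator = request_auth if request_auth is not None else packet[4:20]
    for off, atype, value in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:4] + authenticator + packet[20:off + 2] + bytes(16) + packet[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # an EAP-bearing packet without Message-Authenticator must be discarded


def verify_response(response, request_auth, secret) -> bool:
    """What the switch checks before honouring an Access-Accept/Reject."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return (hmac.compare_digest(expected, response[4:20])
            and verify_message_authenticator(response, secret, request_auth))


def eap_exchange(server_secret: bytes = SECRET) -> bool:
    """One request/reply round trip; True only if switch and server share the key."""
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"user1"  # EAP Response/Identity "user1"
    request, request_auth = build_access_request(7, SECRET, b"user1", eap_identity)
    reply = build_response(ACCESS_ACCEPT, 7, request_auth,
                           attr(ATTR_USER_NAME, b"user1"), server_secret)
    return verify_response(reply, request_auth, SECRET)


if __name__ == "__main__":
    print("matching key:", eap_exchange())             # True
    print("mismatched key:", eap_exchange(b"Guest@123"))  # False
```

With a mismatched key the switch rejects every reply, so the symptom of a key typo is users stuck in authentication rather than an error about the key itself; the script also shows that a forged or replayed Access-Accept fails unless the attacker knows the secret, which is why the key deserves the same handling as any other credential.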
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[CORE] aaa
[CORE-aaa] service-scheme s1 //Configure service scheme s1 for authorization of employees if Agile
Controller-Campus is faulty.
[CORE-aaa-service-s1] acl-id 3001
[CORE-aaa-service-s1] quit
[CORE-aaa] service-scheme s2 //Configure service scheme s2 for authorization of guests if Agile
Controller-Campus is faulty.
[CORE-aaa-service-s2] acl-id 3002
[CORE-aaa-service-s2] quit
[CORE-aaa] quit
By default, the unified mode is used. You can run the display authentication mode
command to check the current NAC mode on a switch. The switch will restart automatically
after the NAC mode is changed between common and unified modes.
[CORE] authentication unified-mode
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
[CORE-wlan-vap-prof-vap2] authentication-profile p2
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit
If a switch supports the bpdu enable command, run both the bpdu enable and
l2protocol-tunnel user-defined-protocol 802.1x enable commands on an
interface of the switch.
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac
0100-0000-0002
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet0/0/4] quit
1. Add switch CORE on Agile Controller-Campus (Name: CORE).
2. Create user groups and accounts. The following describes how to configure
the user group Employee. The configuration of the user group Guest is
similar.
a. Choose Resource > User > User Management.
b. Click in the operation area on the left, and create the user group
Employee.
c. Click Add in the operation area on the right, and add an account.
d. Click Transfer in the operation area on the right, and add the account to
the user group Employee.
----End
Guest authentication
● A guest can use a mobile terminal to associate with the SSID test02, enter
http://192.168.11.1:8080/portal in the address box of a browser, and enter the
user name and password on the redirection page to complete Portal
authentication and access the Wi-Fi network. After disconnecting from the
Wi-Fi network, the guest can access the Internet again by associating with
the SSID test02, without the need to enter the user name and password.
● After the guest is authenticated, you can run the display
access-user username user2 detail command on CORE to
check the online, authentication, and authorization information
of the guest account.
● On Agile Controller-Campus, you can choose Resource > User
> RADIUS Log to check RADIUS authentication logs of the
guest account.
The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
User ID : 118293
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User MAC : 001b-21c4-820f
User IP address : 172.16.60.133
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk20 //Interface on which the user goes online
User vlan event : Success
QinQVlan/UserVlan : 0/60
User vlan source : user request
User access time : 2019/08/05 03:15:16
User accounting session ID : CORE00220000000060ad****0304e15
User access type : 802.1x //User access type
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001 //Authorization information
AAA:
User authentication type : 802.1x authentication //Authentication mode
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s1
authentication event authen-server-up action re-authen
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication event authen-server-down action authorize service-scheme s2
authentication event authen-server-up action re-authen
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#3^oCZ#^K<9>lUH"Mg_%U3aNI>aQqK!^:syMdU*&S%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#gRHYK,u,HU'@T$~SK\IK'%P".ySe/6;4[4'HJ(/<%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#}czkQj/H4NTr~B$84qB."XQ(;1'$}:;L4z;K~c]P%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
port trunk allow-pass vlan 20 50
authentication-profile p1
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
port trunk allow-pass vlan 20 60
authentication-profile p1
#
interface GigabitEthernet1/1/0/1
eth-trunk 10
#
interface GigabitEthernet1/1/0/2
eth-trunk 20
#
interface GigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface GigabitEthernet2/1/0/1
eth-trunk 20
#
interface GigabitEthernet2/1/0/2
eth-trunk 10
#
#
capwap source interface vlanif20
#
wlan
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return
Figure: Networking diagram. Server zone (authentication server, DNS server, service server, special server) attached to the core switch CORE (CSS, core layer) via XGE1/2/0/1; CORE Eth-Trunk 30 (XGE1/1/0/3, XGE2/1/0/3) to the Internet; Eth-Trunk 10 and Eth-Trunk 20 to the aggregation switches AGG1 and AGG2 (authentication points); access layer S5735-L switches (access points); APs AP6050DN V200R019C00.
Deployment Roadmap
(Table with columns Step, Deployment Roadmap, Devices Involved; rows not recovered.)
Data Plan
(Table with columns Item, Data; rows not recovered.)
Deployment Precautions
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● The following describes only the configurations of AGG1 and ACC1. The
configuration of AGG2 is similar to that of AGG1, and the configuration of
ACC2 is similar to that of ACC1. For details about the configurations, see
Configuration Files in this section.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.6 Native AC Solution:
Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and
advertise the network segment using the Open Shortest Path First (OSPF)
protocol.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] description connect to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/3
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/3
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
# Configure the authentication domain huawei.com and bind AAA schemes and
RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit
# Enable access devices to establish CAPWAP tunnels with the control device
without authentication.
[AGG1] as-auth
[AGG1-as-auth] auth-mode none
Warning: None authentication is configured, which has security risks. Continue? [Y/N]:y
[AGG1-as-auth] quit
# Configure the source interface used by the control device to establish a CAPWAP
tunnel.
[AGG1] capwap source interface vlanif 20
# Configure the source interface used by the access device to establish a CAPWAP
tunnel, and specify the IP address of the control device.
[ACC1] interface vlanif 20
[ACC1-Vlanif20] ip address dhcp-alloc
[ACC1-Vlanif20] quit
[ACC1] as access interface vlanif 20
[ACC1] as access controller ip-address 192.168.20.1 //IP address of VLANIF 20 on AGG1
ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network
segments of wireless users and all the network segments that wireless users can access.
Otherwise, all packets of wireless users are discarded on APs even if the users are
successfully authenticated.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 8 deny ip destination any
[AGG1-acl-adv-3001] quit
[AGG1] acl 3002
[AGG1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated.
[AGG1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated.
[AGG1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG1-acl-adv-3002] rule 4 permit ip destination 172.16.41.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG1-acl-adv-3002] rule 5 deny ip destination any
[AGG1-acl-adv-3002] quit
# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[AGG1] aaa
[AGG1-aaa] service-scheme s1 //Enable the switch to grant the network access rights in service scheme s1 to employees if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s1] acl-id 3001
[AGG1-aaa-service-s1] quit
[AGG1-aaa] service-scheme s2 //Enable the switch to grant the network access rights in service scheme s2 to guests if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s2] acl-id 3002
[AGG1-aaa-service-s2] quit
[AGG1-aaa] quit
# Configure a security policy for wireless users. The security policies for wireless
users vary according to authentication modes. For employees who use 802.1X
authentication, configure a security policy in security profile sec1 as follows.
[AGG1] wlan
[AGG1-wlan] security-profile name sec1
Step 8 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-28, and click OK.
Name AGG1 -
Enable Selected -
RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain)
Step 9 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.
Step 11 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-29, and click OK. Here, the employee
authorization result is used as an example.
----End
Expected Results
1. Access devices can go online on the control device.
2. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
3. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
4. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
5. The employees can communicate with each other, but cannot communicate
with the guest.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
2. Verify that the employees and guest can access only the authentication-free
resources, but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication. The following uses wired
access of an employee as an example.
# Enter an incorrect user name or password on PC1, and then run the display
access-user command on AGG1 to view information about online users. The
command output shows that user1 is online but is in Pre-authen state; that
is, authentication has not been performed or user authentication fails.
[AGG1] display access-user
Total: 1, printed: 1
# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation fails.
C:\Users\*******>ping 172.16.3.1
C:\Users\*******>
3. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password of the wired employee user on
PC1, connect to the WLANs Employee and Guest using wireless user
accounts, and then run the display access-user command on AGG1 to view
information about online users. The command output shows that both the
employee and guest users are in Success state.
[AGG1] display access-user
Total: 3, printed: 3
# Run the display access-user username user1 detail command on AGG1 to
view the authentication, authorization, and access location (GE0/0/3 on
ACC1) information of user1.
[AGG1] display access-user username user1 detail
Basic:
User ID : 49208
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.172
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk30
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/09/03 17:16:16
User accounting session ID : LSW5-AG0001800000005061****0300038
User access type : 802.1x
AS ID :0
AS name : acc1
AS IP : 192.168.20.220
AS MAC : 000b-099d-eb3b
AS Interface : GigabitEthernet0/0/3
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001
Dynamic service scheme :-
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
Basic:
User ID : 49212
User name : user2
Domain-name : huawei.com
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.81
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss2177
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/09/03 17:16:38
User accounting session ID : LSW5-AG000180000000308a****030003e
User access type : 802.1x
AP name : area_1
Radio ID :0
AP MAC : ac85-3da6-a420
SSID : Employee
Online time : 251(s)
Dynamic ACL ID(Effective) : 3001
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
# Run the display access-user username guest4 detail command on AGG1
to view the authentication, authorization, and access location (AP area_1)
information of guest4.
[AGG1] display access-user username guest4 detail
Basic:
User ID : 49216
User name : guest4
Domain-name : huawei.com
User MAC : 64b0-a6a3-f913
User IP address : 172.16.31.153
User vpn-instance :-
User IPv6 address :-
User access Interface : Wlan-Dbss2180
User vlan event : Success
QinQVlan/UserVlan : 0/31
User vlan source : user request
User access time : 2019/09/03 17:37:22
User accounting session ID : LSW5-AG0001800000003172****0300040
User access type : WEB
AP name : area_1
Radio ID :1
AP MAC : ac85-3da6-a420
SSID : Guest
Online time : 1148(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
Dynamic service scheme :-
Service Scheme Priority :0
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
4. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
5. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.81
C:\Users\*******>
# On PC1, ping the IP address of the terminal used by guest4. The ping
operation fails.
C:\Users\*******>ping 172.16.31.153
C:\Users\*******>
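The ping checks in steps 4 and 5 exercise the authorization ACLs 3001 and 3002 configured on AGG1 earlier in this procedure. The following is an added example, not Huawei's code or part of this guide: it parses those ACL rules and the display access-user output shown above, then evaluates each online user's effective ACL against the egress router, the DNS and service servers, and the other users' addresses. Two assumptions are made: wildcard masks are contiguous, and a packet matching no rule is permitted (the reason the ACLs close with an explicit deny).

```python
"""Offline check of the post-authentication domains configured on AGG1.
Added example, not Huawei's code or the guide's: it parses the acl 3001/3002 rules and the
`display access-user ... detail` output from this section, then evaluates each online user's
effective ACL against the destinations in Expected Results 4 and 5. Assumes contiguous VRP
wildcard masks and that a packet matching no rule is permitted (why the ACLs end in deny).
"""
import ipaddress
import re

# Sample input, constructed from the ACL commands in the AGG1 procedure.
ACL_CONFIG = """\
acl 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0.0.0.0
 rule 3 permit ip destination 192.168.100.3 0.0.0.0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip destination any
acl 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0.0.0.0
 rule 3 permit ip destination 172.16.31.0 0.0.0.255
 rule 4 permit ip destination 172.16.41.0 0.0.0.255
 rule 5 deny ip destination any
"""

# Sample input, trimmed from the display access-user output shown in step 3.
ACCESS_USER_OUTPUT = """\
Basic:
 User name : user1
 User IP address : 172.16.50.172
 Dynamic ACL ID(Effective) : 3001
Basic:
 User name : user2
 User IP address : 172.16.30.81
 Dynamic ACL ID(Effective) : 3001
Basic:
 User name : guest4
 User IP address : 172.16.31.153
 Dynamic ACL ID(Effective) : 3002
"""

_ACL_HDR = re.compile(r"^\s*acl(?:\s+number)?\s+(\d+)\s*$")
_RULE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+ip"
                   r"(?:\s+destination\s+(?:(any)|(\S+)\s+(\S+)))?\s*$")
_FIELD = re.compile(r"^\s*([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$")


def wildcard_to_network(addr, wildcard):
    """VRP wildcard: 0 bits must match, 1 bits are don't-care, i.e. the inverse of a netmask."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acls(text):
    """Return {acl number: [(rule id, action, IPv4Network or None for any), ...]} in config order."""
    acls, current = {}, None
    for line in text.splitlines():
        if hdr := _ACL_HDR.match(line):
            current = int(hdr.group(1))
            acls.setdefault(current, [])
        elif (rule := _RULE.match(line)) and current is not None:
            rid, action, any_kw, addr, wildcard = rule.groups()
            dst = None if any_kw or addr is None else wildcard_to_network(addr, wildcard)
            acls[current].append((int(rid), action, dst))
    return acls


def acl_permits(rules, dst_ip):
    """First matching rule decides; no match falls through to permit (see module docstring)."""
    ip = ipaddress.IPv4Address(dst_ip)
    for _, action, dst in rules:
        if dst is None or ip in dst:
            return action == "permit"
    return True


def parse_access_users(output):
    """One {field: value} dict per 'Basic:' block of the display output."""
    users = []
    for line in output.splitlines():
        if line.strip() == "Basic:":
            users.append({})
        elif (field := _FIELD.match(line)) and users:
            users[-1][field.group(1)] = field.group(2)
    return users


def verify_expected_results():
    """Map (user name, destination IP) -> permitted for Expected Results 4 and 5."""
    acls = parse_acls(ACL_CONFIG)
    users = parse_access_users(ACCESS_USER_OUTPUT)
    # Egress router, DNS server, service server, then every online user's own address.
    destinations = ["172.16.3.1", "192.168.100.2", "192.168.100.3"] + [u["User IP address"] for u in users]
    result = {}
    for user in users:
        rules = acls[int(user["Dynamic ACL ID(Effective)"])]
        for dst in destinations:
            result[(user["User name"], dst)] = acl_permits(rules, dst)
    return result


if __name__ == "__main__":
    for (name, dst), ok in sorted(verify_expected_results().items()):
        print(f"{name:7} -> {dst:15} {'permit' if ok else 'deny'}")
```

Running it reproduces the page's results: user1 reaches user2 but not guest4, and guest4 reaches neither employee address nor the service server.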
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 30
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
port 50200
shared-key cipher %^%#4~o~~(mF^~L=JK5Pd94Y$[Rq<"AL$Kt1!1Q+W5r@%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication control-point
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
authentication control-point
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
capwap source interface vlanif21
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain2
ap-group name ap-group2
regulatory-domain-profile domain2
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac 4cfa-cafe-e060 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
#
as-auth
auth-mode none
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
sysname ACC1
#
vlan batch 20 50
#
authentication-profile name p1
dot1x-access-profile d1
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
as access interface vlanif 20
as access controller ip-address 192.168.20.1
#
free-rule-template name default_free_rule
free-rule 1 destination any source any
#
interface Vlanif20
ip address dhcp-alloc
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
authentication access-point
authentication-profile p1
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
ip address dhcp-alloc
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 40
#
interface GigabitEthernet0/0/2
eth-trunk 40
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
stp edged-port enable
authentication access-point
authentication-profile p1
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
dot1x-access-profile name d1
#
return
Figure: Networking diagram. Server zone (authentication server, DNS server, service server, special server) attached to the core switch CORE (CSS, core layer) via XGE1/2/0/1; CORE Eth-Trunk 30 (XGE1/1/0/3, XGE2/1/0/3) to the Internet; Eth-Trunk 10 and Eth-Trunk 20 to the aggregation switches AGG1 and AGG2 (authentication points); access layer S5735-L switches (access points); APs AP6050DN V200R019C00.
Deployment Roadmap
(Table with columns Step, Deployment Roadmap, Devices Involved; rows not recovered.)
Data Plan
(Table with columns Item, Data; rows not recovered.)
Deployment Precautions
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
● The following describes only the configurations of AGG1 and ACC1. The
configuration of AGG2 is similar to that of AGG1, and the configuration of
ACC2 is similar to that of ACC1. For details about the configurations, see
Configuration Files in this section.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.6 Native AC Solution:
Aggregation Switches Function as Gateways for Wired and Wireless Users.
# Configure the network segment for CORE to connect to the Internet, and
advertise the network segment using the Open Shortest Path First (OSPF)
protocol.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] description connect to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/3
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/3
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
including the IP addresses, port numbers, authentication key, and accounting key
of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG1-radius-tem_rad] quit
# Configure the authentication domain huawei.com and bind AAA schemes and
RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit
ACL rules for wireless users are delivered to APs. Therefore, the APs must permit network
segments of wireless users and all the network segments that wireless users can access.
Otherwise, all packets of wireless users are discarded on APs even if the users are
successfully authenticated.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
# Configure the escape function, so that network access rights of employees and
guests are not affected if Agile Controller-Campus is faulty.
[AGG1] aaa
[AGG1-aaa] service-scheme s1 //Enable the switch to grant the network access rights in service scheme s1 to employees if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s1] acl-id 3001
[AGG1-aaa-service-s1] quit
[AGG1-aaa] service-scheme s2 //Enable the switch to grant the network access rights in service scheme s2 to guests if Agile Controller-Campus is faulty.
[AGG1-aaa-service-s2] acl-id 3002
[AGG1-aaa-service-s2] quit
[AGG1-aaa] quit
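To confirm that the authorization ACL really produces the access rights the expected results of this section describe, here is an added example (not Huawei's code) that parses ACL 3001 as entered above, applies Huawei wildcard-mask semantics (1 bits in the wildcard are ignored), and evaluates any destination address against it. The trailing `rule 7 deny ip` and the `default` parameter are assumptions added to show why an explicit catch-all matters; the configuration files later in this chapter end ACL 3001 and 3002 with such a deny rule.

```python
"""Evaluate a Huawei-style advanced ACL (as used for NAC authorization)
against destination addresses. Added example, not Huawei code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Rules copied from the AGG1 procedure above (CLI prompts kept so the parser
# handles pasted terminal text). Rule 7 is an assumed explicit catch-all deny.
ACL_3001 = """
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Internet
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //DNS server
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //service server
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //employee segment
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //employee segment
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //employee segment
[AGG1-acl-adv-3001] rule 7 deny ip //assumed catch-all, not in the procedure above
"""

PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")          # strips "[AGG1-acl-adv-3001] "
RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+destination\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+))?$"
)


@dataclass(frozen=True)
class AclRule:
    number: int
    action: str            # "permit" or "deny"
    dst: Optional[int]     # destination address as int; None means any
    wildcard: int          # wildcard mask as int; 1 bits are "don't care"

    def matches(self, dst_ip: str) -> bool:
        if self.dst is None:
            return True
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(dst_ip)) & care) == (self.dst & care)


def parse_acl(text: str) -> List[AclRule]:
    """Parse 'rule N permit|deny ip [destination A.B.C.D WILDCARD]' lines."""
    rules: List[AclRule] = []
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.split("//", 1)[0]).strip()
        m = RULE_RE.match(line)
        if not m:
            continue                      # "acl 3001", blank lines, etc.
        number, action, dst, wc = m.groups()
        if dst is None:
            rules.append(AclRule(int(number), action, None, 0xFFFFFFFF))
        else:
            # Huawei also accepts a bare "0" as the host wildcard 0.0.0.0
            wc_int = 0 if wc == "0" else int(ipaddress.IPv4Address(wc))
            rules.append(AclRule(int(number), action,
                                 int(ipaddress.IPv4Address(dst)), wc_int))
    # config-order matching: ascending rule number
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules: List[AclRule], dst_ip: str, default: str = "permit") -> str:
    """First matching rule wins; `default` applies when nothing matches.
    Without a catch-all, this default decides whether destinations that are
    not listed (such as the guest segment) are reachable."""
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.action
    return default


def expected_results(rules: List[AclRule]) -> dict:
    """Map the verification pings of this section to ACL decisions."""
    return {
        "dns_server": evaluate(rules, "192.168.100.2"),         # should succeed
        "wireless_employee": evaluate(rules, "172.16.30.81"),   # should succeed
        "guest": evaluate(rules, "172.16.31.153"),              # should fail
        "special_server": evaluate(rules, "192.168.100.100"),   # no permit rule
    }


if __name__ == "__main__":
    for name, decision in expected_results(parse_acl(ACL_3001)).items():
        print(f"{name:18s} -> {decision}")
```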
# Configure a security policy for wireless users. The security policies for wireless
users vary according to authentication modes. For employees who use 802.1X
authentication, configure a security policy in security profile sec1 as follows.
[AGG1] wlan
[AGG1-wlan] security-profile name sec1
[AGG1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG1-wlan-sec-prof-sec1] quit
Step 7 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-36, and click OK.
Name: AGG1
Enable: Selected
RADIUS (mandatory for 802.1X, Portal, and MAC address authentication, Free Mobility, and Service Chain)
Step 8 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.
Step 10 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-37, and click OK. Here, the employee
authorization result is used as an example.
----End
Expected Results
1. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
2. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
3. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
4. The employees can communicate with each other, but cannot communicate
with the guest.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
2. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
# Enter the correct user name and password of the wired employee user on
PC1, connect to the WLANs Employee and Guest using wireless user
accounts, and then run the display access-user command on AGG1 to view
information about online users. The command output shows that both the
employee and guest users are in Success state.
[AGG1] display access-user
------------------------------------------------------------------------------
Total: 3, printed: 3
Basic:
User ID : 49175
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.172
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk30
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/09/02 17:14:30
User accounting session ID : AG00018000000050ce****0300017
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
3. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
4. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.81
# On PC1, ping the IP address of the terminal used by guest4. The ping
operation fails.
C:\Users\*******>ping 172.16.31.153
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 30
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
# AGG1 configuration file
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#7#CV~W{9N'1()yUYlP(BhQ&AMk(xTU;)]yCTa5mG%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
authentication event portal-server-down action authorize service-scheme s2
authentication event portal-server-up action re-authen
web-auth-server tem_portal direct
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
service-scheme s1
acl-id 3001
service-scheme s2
acl-id 3002
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
# AGG2 configuration file
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
Figure (topology diagram; only text residue recovered): server zone (including RADIUS and DNS servers) attached to CORE on XGE1/2/0/1; core layer CORE, a CSS acting as Parent (XGE1/1/0/1, XGE2/1/0/1, Eth-Trunk 10, Eth-Trunk 20); legend: authentication point, access point, group policy enforcement point; aggregation layer S5731-H; access layer S5735-L; AP AP6050DN V200R019C00.
Deployment Roadmap
Data Plan
AP group: ap-group
Parent's cards connected to ASs: X1E cards of the same type in slot 1 of the two CSS member switches
Accounts:
Employee:
● User name: user1
● Password: Huawei@123
Guest:
● User name: user2
● Password: Guest@123
Procedure
Step 1 Enable campus network connectivity. For details, see 3.7 Native AC + SVF
Solution: the Parent Containing Core Switches Functions as the Gateway for
Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
For users who use 802.1X authentication, configure a security policy in security
profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
Step 3 Configure a pre-authentication domain on CORE to allow packets destined for the
DNS server to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32
[CORE-free-rule-default_free_rule] quit
Step 4 Configure combined 802.1X + MAC + Portal authentication for wired users on
CORE.
# Change the NAC mode to unified.
By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
# Configure an authentication profile for wired users, and bind the 802.1X access
profile, MAC access profile, and Portal access profile to the authentication profile.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] mac-access-profile mac1
[CORE-authen-profile-p1] portal-access-profile web1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit
# Configure an authentication profile for wireless users, and set the authentication
mode to 802.1X authentication.
[CORE] authentication-profile name p3
[CORE-authen-profile-p3] dot1x-access-profile d1
Step 6 Enable the free mobility function and configure XMPP parameters for
interconnection with Agile Controller-Campus.
[CORE] group-policy controller 192.168.11.1 password Admin@123 src-ip 192.168.11.254 //Set src-ip to the IP address of VLANIF 1000.
a. Choose Resource > Device > Device Management, click Add, and
configure device information and authentication parameters.
c. Click OK. The communication status of the switch becomes , and the
synchronization status is Success.
d. Check the communication status between Agile Controller-Campus and
CORE.
[CORE] display group-policy status
Controller IP address: 192.168.11.1
Controller port: 5222
Backup controller IP address: -
Backup controller port: -
Source IP address: 192.168.11.254
State: working
Connected controller: master
Device protocol version: 1
Controller protocol version: 1
3. Create employee and guest accounts. The following uses the employee
account user1 as an example. The procedure for creating a guest account is
similar to that for creating an employee account.
Choose Resource > User > User Management. Click Add and create
employee account user1.
e. Click Global Deployment. You can view the deployment result on the
deployment details page.
5. Bind employee_group to employees and guest_group to guests through
quick authorization. After being authenticated, employees are added to
employee_group and guests are added to guest_group.
Choose Policy > Permission Control > Quick Authorization. The following
describes how to add employee user1 to employee_group. The procedure of
adding guest user2 to guest_group is similar.
a. Choose System > Terminal Configuration > Global Parameters > Free
Mobility, and set Free mobility configuration mode to All devices.
b. Choose Policy > Free Mobility > Policy Configuration > Permission
Control, and add common policies. The following figure shows the
configuration for allowing users in employee_group to access the email
and video servers. Configure other policies in a similar way according to
Table 6-46.
c. Click OK and then Global Deployment. You can view the deployment
result on the deployment details page.
After successful deployment, you can run the following commands on
CORE to check the deployment information.
----End
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
dot1x-access-profile d1
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p3
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-
z\z_1{_|r~%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
dhcp select interface
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
dhcp select interface
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
dhcp select interface
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
dhcp select interface
#
interface Eth-Trunk10
port link-type hybrid
port hybrid tagged vlan 1 20 50
stp root-protection
stp edged-port disable
mode lacp
loop-detection disable
mad relay
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
group-policy controller 192.168.11.1 password %^%#XGq,C@c*6=1\8d)="S(&r>iERYpE"@|0X!RThfz$%^%# src-ip 192.168.11.254
#
capwap source interface vlanif20
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name default
security-profile name sec1
security wpa2 dot1x aes
Figure (topology diagram; only text residue recovered): server zone (including RADIUS and DNS servers) attached to CORE on XGE1/2/0/1; core layer CORE, a CSS acting as Parent (XGE1/1/0/1, XGE2/1/0/1, Eth-Trunk 10, Eth-Trunk 20); legend: authentication point, access point; aggregation layer S5731-H; access layer S5735-L; AP AP6050DN V200R019C00.
Deployment Roadmap
Data Plan
AP group: ap-group
Parent's cards connected to ASs: X1E cards of the same type in slot 1 of the two CSS member switches
Accounts:
Employee:
● User name: user1
● Password: Huawei@123
Guest:
● User name: user2
● Password: Guest@123
Procedure
Step 1 Enable campus network connectivity. For details, see 3.7 Native AC + SVF
Solution: the Parent Containing Core Switches Functions as the Gateway for
Wired and Wireless Users.
For wireless users, the security policies in security profiles vary according to access
authentication modes.
For users who use 802.1X authentication, configure a security policy in security
profile sec1 as follows:
[CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes
# Configure the domain huawei.com and bind AAA schemes and RADIUS server
template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit
Step 4 Configure combined 802.1X + Portal authentication for wired users on CORE.
# Change the NAC mode to unified.
By default, the unified mode is used. The switch will restart automatically after the NAC
mode is changed between common and unified modes.
[CORE] authentication unified-mode
By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
# Configure an authentication profile for wired users, and bind the 802.1X access
profile and Portal access profile to the authentication profile.
[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] portal-access-profile web1
[CORE-authen-profile-p1] free-rule-template default_free_rule
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit
# Configure an authentication profile for wireless users, and set the authentication
mode to 802.1X authentication.
[CORE] authentication-profile name p3
[CORE-authen-profile-p3] dot1x-access-profile d1
[CORE-authen-profile-p3] free-rule-template default_free_rule
[CORE-authen-profile-p3] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p3] quit
2. Create user groups and accounts. The following describes how to configure
the user group Employee. The configuration of the user group Guest is
similar.
a. Choose Resource > User > User Management.
b. Click in the operation area on the left, and create the user group
Employee.
c. Click Add in the operation area on the right, and add an account.
d. Click Transfer in the operation area on the right, and add the account to
the user group Employee.
----End
Guest authentication:
● A guest can use a mobile terminal to associate with the SSID test02, enter http://192.168.11.1:8080/portal in the address box of a browser, and enter the user name and password on the redirection page to complete Portal authentication and access the Wi-Fi network. After disconnecting from the Wi-Fi network, the guest can access the Internet again by associating with the SSID test02, without the need to enter the user name and password.
● After the guest is authenticated, you can run the display access-user username user2 detail command on CORE to check the online, authentication, and authorization information of the guest account.
● On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the guest account.
The following uses the employee account user1 as an example. Run the display
access-user username user1 detail command on CORE to check the online,
authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
User ID : 81564
User name : user1 //User name
Domain-name : huawei.com //Authentication domain
User MAC : 001b-21c4-820f
User IP address : 192.168.50.111
User vpn-instance :-
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/10/22 02:00:03
User accounting session ID : LSW900210000000050ad****0203e9c
User access type : 802.1x //User access type
AS ID :1
AS name : as-layer2-1 //AS on which the user goes online
AS IP : 192.168.20.212
AS MAC : 000b-099d-eb3b
AS Interface : GigabitEthernet0/0/10 //AS interface on which the user goes online
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001 //Authorization information
AAA:
User authentication type : 802.1x authentication //Authentication mode
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
Choose Resource > User > RADIUS Log on Agile Controller-Campus to check
RADIUS authentication logs of the employee account.
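When many users are online, reading each display access-user username ... detail output by hand does not scale, so here is an added example (not Huawei's code) that parses that output into a record and checks it against what this section's design requires for an employee: domain huawei.com, 802.1X authenticated and accounted by RADIUS, and ACL 3001 in effect. The sample output is copied from the CORE check above; the policy dictionary and the deviating record in the test are assumptions constructed for illustration.

```python
"""Parse 'display access-user username <user> detail' output and verify the
online user's authentication and authorization. Added example, not Huawei code."""
import re
from typing import Dict, List

# Output copied from the "display access-user username user1 detail" check
# on CORE above, including the //comments the page prints after some values.
EMPLOYEE_OUTPUT = """\
Basic:
  User ID                       : 81564
  User name                     : user1 //User name
  Domain-name                   : huawei.com //Authentication domain
  User MAC                      : 001b-21c4-820f
  User IP address               : 192.168.50.111
  User vpn-instance             :-
  User IPv6 address             : FE80::E9AA:9FE9:95F9:C499
  User access Interface         : Eth-Trunk10
  QinQVlan/UserVlan             : 0/50
  User access type              : 802.1x //User access type
  AS name                       : as-layer2-1 //AS on which the user goes online
  AS Interface                  : GigabitEthernet0/0/10 //AS interface on which the user goes online
  Dynamic ACL ID(Effective)     : 3001 //Authorization information
AAA:
  User authentication type      : 802.1x authentication //Authentication mode
  Current authentication method : RADIUS
  Current authorization method  : -
  Current accounting method     : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
"""

# Assumed policy for an online employee in this example: 802.1X in domain
# huawei.com, RADIUS authentication and accounting, employee ACL 3001 applied.
EMPLOYEE_POLICY = {
    "Domain-name": "huawei.com",
    "User access type": "802.1x",
    "Current authentication method": "RADIUS",
    "Current accounting method": "RADIUS",
    "Dynamic ACL ID(Effective)": "3001",
}

# Section headers, separator rows and the summary line carry no fields.
SKIP_RE = re.compile(r"^(Basic:|AAA:|-{5,}|Total:.*)$")


def parse_access_user(output: str) -> Dict[str, str]:
    """Turn the 'key : value' lines into a dict. Trailing //comments are
    dropped and the value is split off at the first colon only, so IPv6
    addresses such as FE80::... stay intact."""
    record: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line or SKIP_RE.match(line) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip()] = value.strip()
    return record


def check_user(record: Dict[str, str], policy: Dict[str, str]) -> List[str]:
    """Return one message per policy field that is missing or deviates.
    An empty list means the user is online with the intended authorization."""
    problems: List[str] = []
    for key, want in policy.items():
        got = record.get(key)
        if got is None:
            problems.append(f"{key}: missing from output")
        elif got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    return problems


if __name__ == "__main__":
    user = parse_access_user(EMPLOYEE_OUTPUT)
    issues = check_user(user, EMPLOYEE_POLICY)
    print(user["User name"], "OK" if not issues else issues)
```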
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
dot1x-access-profile d1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
access-domain huawei.com force
authentication-profile name p3
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
radius-server authentication 192.168.11.1 1812 weight 80
radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-z\z_1{_|r~%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.11.3 0
rule 3 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.11.1
port 50200
shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
authentication-profile p3
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name domain
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name ap-group
regulatory-domain-profile domain
ap-group name ap-group1
radio 0
vap-profile vap1 wlan 1
radio 1
vap-profile vap1 wlan 1
ap-id 1 type-id 30 ap-mac ac85-3da6-a420 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group
provision-ap
wlan work-group default
#
as-auth
undo auth-mode
whitelist mac-address 0200-0000-0011
whitelist mac-address 0200-0000-0022
whitelist mac-address 0200-0000-0033
whitelist mac-address 0200-0000-0044
#
uni-mng
as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0011
down-direction fabric-port 1 member-group interface Eth-Trunk 30
port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0022
down-direction fabric-port 1 member-group interface Eth-Trunk 40
port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0033
as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-0001-0044
interface fabric-port 1
port member-group interface Eth-Trunk 10
interface fabric-port 2
port member-group interface Eth-Trunk 20
interface fabric-port 3
port member-group interface Eth-Trunk 30
interface fabric-port 4
port member-group interface Eth-Trunk 40
as-admin-profile name admin_profile
user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
network-basic-profile name basic_profile_1
pass-vlan 50
network-basic-profile name basic_profile_2
pass-vlan 60
network-basic-profile name basic_profile_3
pass-vlan 50
network-basic-profile name basic_profile_4
pass-vlan 60
user-access-profile name test01
authentication-profile p1
as-group name admin_group
as-admin-profile admin_profile
as name as-layer1-1
as name as-layer1-2
as name as-layer2-1
as name as-layer2-2
port-group name port_group_1
network-basic-profile basic_profile_1
as name as-layer1-1 interface all
port-group name port_group_2
network-basic-profile basic_profile_2
as name as-layer1-2 interface all
port-group name port_group_3
network-basic-profile basic_profile_3
as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group name port_group_4
network-basic-profile basic_profile_4
as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
user-access-profile test01
port-group connect-ap name ap
as name as-layer2-1 interface GigabitEthernet 0/0/3
as name as-layer2-2 interface GigabitEthernet 0/0/3
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
return
In this example, core switches set up a CSS, which functions as the gateway and
authentication point for wired users, and standalone ACs in a hot standby (HSB)
group function as the gateway and authentication point for wireless users. The
wired and wireless users can access the network only after being authenticated.
The specific requirements are as follows:
● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● Agile Controller-Campus functions as both the access authentication server
and user data source server.
● Agile Controller-Campus delivers ACLs for authorization of successfully
authenticated users to control network access rights of these users of
different roles.
● Port isolation needs to be configured on access and aggregation switches to
control Layer 2 traffic of users.
Figure 6-55 Core switches and standalone ACs functioning as the authentication
points for wired and wireless users respectively
[Figure 6-55 topology: server zone (authentication server, DNS server, service server, special server) attached to the core layer; CORE (CSS) with CORE-AC1 and CORE-AC2 in an HSB pair, connected over Eth-Trunk 1 and Eth-Trunk 2; Eth-Trunk 10 and Eth-Trunk 20 to AGG1 and AGG2 at the aggregation layer; Eth-Trunk 30 and Eth-Trunk 40 to ACC1 and ACC2 at the access layer. Legend: authentication point, access point. Device models: aggregation layer S5731-H, access layer S5735-L, AC AC6605, AP AP6050DN V200R019C00.]
Deployment Roadmap
Step Deployment Roadmap
Data Plan
Traffic profile traff: The user isolation mode is Layer 2 isolation and
Layer 3 communication.
AP group ap-group1
Table 6-56 Authentication service data plan for core switches and ACs
Item: Network access rights for successfully authenticated users
Data:
● Employees: Internet, DNS server, service server, and network segments of employees
● Guests: Internet, DNS server, and network segments of guests
The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.
Deployment Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Allow an interface to transparently transmit packets
from a VLAN based on actual service requirements. Do not allow an interface
to transparently transmit packets from all VLANs.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP and HSB are
configured, note the following:
– In versions earlier than V200R019C00, the DHCP server-enabled interface
must be the interface on which a VRRP group is created. Otherwise, the
master and backup ACs will allocate IP addresses at the same time. In
V200R019C00 and later versions, there is no restriction on the DHCP
server-enabled interface. Only the master AC allocates IP addresses. IP
address allocation information on the master AC will be synchronized to
the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– You need to run the hsb-service-type dhcp hsb-group group-index
command to bind the DHCP service to the HSB group. Otherwise, IP
address allocation information on the master and backup ACs cannot be
backed up.
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on Agile Controller-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure any authentication-free rule for
these packets on switches.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
Procedure
Step 1 Enable campus network connectivity. For details, see 3.11 Standalone AC
Solution: Core Switches and ACs Function as the Gateways for Wired and
Wireless Users Respectively.
Step 3 Configure the authentication service on ACs. The following uses CORE-AC1 as an
example. The configuration of CORE-AC2 is similar to that of CORE-AC1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<CORE-AC1> system-view
[CORE-AC1] radius-server template tem_rad
[CORE-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[CORE-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[CORE-AC1-radius-tem_rad] radius-server shared-key cipher Admin@123
[CORE-AC1-radius-tem_rad] quit
ACL rules for wireless users are delivered to APs. Therefore, the ACL must permit the network segments of wireless users as well as all the network segments that wireless users can access. Otherwise, all packets of wireless users are discarded on the APs even after the users are successfully authenticated.
[CORE-AC1] acl 3001
[CORE-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[CORE-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[CORE-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.50.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.60.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 7 deny ip destination any
[CORE-AC1-acl-adv-3001] quit
Step 5 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-58, and click OK.
Table 6-58 Parameter settings for adding core switches and ACs on Agile Controller-Campus
Name: CORE, AC
Authentication/Accounting key: Admin@123
Real-time accounting interval (minute): 15
Step 6 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.
Step 8 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-59, and click OK. Here, the employee
authorization result is used as an example.
----End
Expected Results
1. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
2. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
3. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
4. Employees can communicate with each other, but cannot communicate with
the guest.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
C:\Users\*******>
2. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password on PC1, connect to the WLANs
Employee and Guest in wireless mode, and then run the display access-user
command on CORE and CORE-AC1 to check information about online users.
The command output shows that user1, user2, and guest4 are all in Success
state.
[CORE] display access-user
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
[CORE-AC1] display access-user
------------------------------------------------------------------------------------------------------
Total: 2, printed: 2
Basic:
User ID : 115318
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.110
User vpn-instance : -
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
# Run the display access-user username user2 detail and display access-user username guest4 detail commands on CORE-AC1 to view detailed authentication and authorization information of user2 and guest4.
[CORE-AC1] display access-user username user2 detail
Basic:
User ID : 32788
User name : user2
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.165
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17496
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/11/26 21:22:53
User accounting session ID : CORE-AC00000000000030f0****0200014
User accounting mult session ID : AC853DA6A42038CADA5E441A5DDD9****690329A
User access type : 802.1x
AP name : area_1
Radio ID : 0
AP MAC : ac85-3d95-d801
SSID : Employee
Online time : 494(s)
Dynamic ACL ID(Effective) : 3001
User Group Priority : 0
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
[CORE-AC1] display access-user username guest4 detail
Basic:
User ID : 16401
User name : guest4
User MAC : 64b0-a6a3-f913
User IP address : 172.16.40.210
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17497
User vlan event : Success
QinQVlan/UserVlan : 0/40
User vlan source : user request
User access time : 2019/11/26 21:25:05
User accounting session ID : CORE-AC000000000000401c****0100011
User accounting mult session ID : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
User access type : WEB
AP name : area_1
Radio ID : 0
AP MAC : ac85-3d95-d801
SSID : Guest
Online time : 421(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
User Group Priority : 0
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
3. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3
C:\Users\*******>
4. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.165
C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.40.210
C:\Users\*******>
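The following script is an added example, not part of the Huawei documentation. It takes the ACL 3001 and ACL 3002 rule sets from the CORE-AC1 configuration file on this page and the fields shown by display access-user ... detail, and checks that each online user's effective ACL grants exactly the rights in the data plan (the employee and guest expected results above), including the caveat that an ACL enforced on the AP must permit the user's own segment. The same checks apply to the aggregation-switch example later on this page; the configuration and output strings are constructed from this page's values, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed from the CORE-AC1 configuration file on this page (3001 = employees, 3002 = guests).
ACL_CONFIG = """\
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.50.0 0.0.0.255
 rule 6 permit ip destination 172.16.60.0 0.0.0.255
 rule 7 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 172.16.40.0 0.0.0.255
 rule 4 deny ip
"""
# Constructed from the 'display access-user username ... detail' output on this page, reduced to the needed fields.
USER2_DETAIL = """\
Basic:
 User name : user2
 User IP address : 172.16.30.165
 SSID : Employee
 Dynamic ACL ID(Effective) : 3001
"""
GUEST4_DETAIL = """\
 User name : guest4
 User IP address : 172.16.40.210
 SSID : Guest
 Dynamic ACL ID(Effective) : 3002
"""

def parse_acls(config_text):
    """Map ACL number -> [(rule_no, action, dest_int, wildcard_int)] sorted by rule number."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"acl number (\d+)$", line)
        if m:
            current = acls.setdefault(int(m.group(1)), [])
            continue
        m = re.match(r"rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$", line)
        if m and current is not None:
            num, action, dest, wild = m.groups()
            if dest is None:  # 'deny ip' has no destination clause: it matches everything
                dest_int, wild_int = 0, 0xFFFFFFFF
            else:  # wildcard bits set to 1 are "don't care"; a bare 0 means 0.0.0.0
                dest_int = int(ipaddress.IPv4Address(dest))
                wild_int = int(wild) if wild.isdigit() else int(ipaddress.IPv4Address(wild))
            current.append((int(num), action, dest_int, wild_int))
    for rules in acls.values():
        rules.sort()
    return acls

def acl_decision(rules, dst_ip):
    """First matching rule wins: (action, rule_no), or (None, None) when no rule matches."""
    addr = int(ipaddress.IPv4Address(dst_ip))
    for num, action, dest_int, wild_int in rules:
        care = ~wild_int & 0xFFFFFFFF  # the bits this rule actually compares
        if (addr & care) == (dest_int & care):
            return action, num
    return None, None  # not reachable for the ACLs above: both end in an explicit deny

def parse_detail(text):
    # Turns the 'key : value' lines of display access-user output into a dict.
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key and value:  # skips the 'Basic:' / 'AAA:' section headers
                fields[key] = value
    return fields

def verify_user(detail_text, acls, expected_acl, must_reach, must_block):
    """Compare the ACL actually in effect for one online user with the data plan."""
    f = parse_detail(detail_text)
    acl_id = int(f["Dynamic ACL ID(Effective)"])
    rules = acls[acl_id]
    result = {
        "user": f["User name"],
        "acl_as_planned": acl_id == expected_acl,
        # Enforced on the AP, so the user's own segment must be permitted or every packet is dropped.
        "own_segment_permitted": acl_decision(rules, f["User IP address"])[0] == "permit",
        "reachable": {ip: acl_decision(rules, ip)[0] == "permit" for ip in must_reach},
        "blocked": {ip: acl_decision(rules, ip)[0] == "deny" for ip in must_block},
    }
    result["all_ok"] = all([result["acl_as_planned"], result["own_segment_permitted"],
                            *result["reachable"].values(), *result["blocked"].values()])
    return result

def check_data_plan():
    """Employee and guest rights from this page's data plan, checked against the effective ACLs."""
    acls = parse_acls(ACL_CONFIG)
    employee = verify_user(USER2_DETAIL, acls, 3001, ["172.16.3.1", "192.168.100.2",
                           "192.168.100.3", "172.16.50.110"], ["172.16.40.210", "192.168.100.100"])
    guest = verify_user(GUEST4_DETAIL, acls, 3002, ["172.16.3.1", "192.168.100.2",
                        "172.16.40.210"], ["192.168.100.3", "172.16.30.165", "192.168.100.100"])
    return employee, guest
```

Running check_data_plan() returns a result dict per user whose all_ok flag is true only when the effective ACL matches the plan, permits the user's own segment, and permits or denies every listed destination as expected.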
Configuration Files
● CORE configuration file
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#P&%q-,!CC~Ng<^1w;LT:NQj&B.*@a~V.Zi+<pA0H%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#x`c[=x{ot~7c@T@8fMb'+lGz74$gT6:Kc/DZ1K5Z%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 20
#
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk1
description con to CORE-AC1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk2
description con to CORE-AC2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
authentication-profile p1
mode lacp
#
interface Eth-Trunk30
description con to Internet
undo portswitch
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 1
#
interface XGigabitEthernet1/1/0/4
eth-trunk 2
#
interface XGigabitEthernet1/1/0/5
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 1
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2
#
interface XGigabitEthernet2/1/0/5
eth-trunk 30
#
dot1x-access-profile name d1
#
return
%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 1
#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
dhcp server excluded-ip-address 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.1
dhcp server excluded-ip-address 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 2
#
interface XGigabitEthernet0/0/22
eth-trunk 2
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk %^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
return
interface XGigabitEthernet1/0/1
eth-trunk 20
#
return
[Figure topology: server zone (authentication server, DNS server, service server, special server) attached to the core layer CORE (CSS), with Eth-Trunk 30 on XGE1/1/0/5 and XGE2/1/0/5; Eth-Trunk 10 and Eth-Trunk 20 to AGG1 and AGG2 at the aggregation layer; AGG-AC1 to AGG-AC4 attached to the aggregation switches in HSB pairs over Eth-Trunk 1 and Eth-Trunk 2; Eth-Trunk 30 and Eth-Trunk 40 to ACC1 and ACC2 at the access layer. Legend: authentication point, access point. Device models: aggregation layer S5731-H, access layer S5735-L, AC AC6605, AP AP6050DN V200R019C00.]
Deployment Roadmap
Step Deployment Roadmap
Data Plan
Traffic profile traff: The user isolation mode is Layer 2 isolation and
Layer 3 communication.
Table 6-64 Authentication service data plan for aggregation switches and ACs
Item: Network access rights for successfully authenticated users
Data:
● Employees: Internet, DNS server, service server, and network segments of employees
● Guests: Internet, DNS server, and network segments of guests
The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.
Configuration Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Allow an interface to
transparently transmit packets from a VLAN based on actual service
requirements. Do not allow an interface to transparently transmit packets
from all VLANs.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. Otherwise, service interruptions
Procedure
Step 1 Enable campus network connectivity. For details, see 3.10 Standalone AC
Solution: Aggregation Switches Function as Gateways for Wired and Wireless
Users.
# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] description con to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/5
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/5
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
Step 2 Configure the authentication service on aggregation switches. The following uses
AGG1 as an example. The configuration of AGG2 is similar to that of AGG1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between CORE and the RADIUS server,
including the IP addresses, port numbers, authentication key, and accounting
key of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG1-radius-tem_rad] quit
Step 3 Configure the authentication service on ACs. The following uses AGG-AC1 as an
example. The configurations of other ACs are similar to that of AGG-AC1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<AGG-AC1> system-view
[AGG-AC1] radius-server template tem_rad
[AGG-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG-AC1-radius-tem_rad] radius-server shared-key cipher Admin@123
[AGG-AC1-radius-tem_rad] quit
ACL rules for wireless users are delivered to APs. Therefore, the ACL must permit the network segments of wireless users as well as all the network segments that wireless users can access. Otherwise, all packets of wireless users are discarded on the APs even after the users are successfully authenticated.
[AGG-AC1] acl 3001
[AGG-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 8 deny ip destination any
[AGG-AC1-acl-adv-3001] quit
Step 5 Log in to Agile Controller-Campus, add devices that need to communicate with
Agile Controller-Campus, and configure RADIUS and Portal authentication
parameters.
# Choose Resource > Device > Device Management, click Add, set parameters
according to Table 6-64, and click OK.
Table 6-66 Parameter settings for adding aggregation switches and ACs on Agile Controller-Campus
Authentication/Accounting key: Admin@123
Real-time accounting interval (minute): 15
Step 6 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
# Choose Resource > User > User Management. Click in the operation area
on the left, add a user group named Employee, and click OK. Click Add in the
operation area on the right, and add an employee account.
Step 8 Configure network access rights for successfully authenticated employees and
guests.
# Configure authorization results. Choose Policy > Permission Control >
Authentication & Authorization > Authorization Result, click Add, set
parameters according to Table 6-67, and click OK. Here, the employee
authorization result is used as an example.
----End
Expected Results
1. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
[AGG-AC1] display access-user
(online-user summary table not recoverable from the page extraction)
Total: 2, printed: 2
Basic:
User ID : 32792
User name : user1
Domain-name : huawei.com
User MAC : 001b-21c4-820f
User IP address : 172.16.50.216
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/12/30 10:01:33
User accounting session ID : AGG00018000000050ef****0200018
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
# Run the display access-user username user2 detail and display access-
user username guest4 detail commands on AGG-AC1 to view detailed
authentication and authorization information of user2 and guest4.
[AGG-AC1] display access-user username user2 detail
Basic:
User ID : 16434
User name : user2
User MAC : 38ca-da5e-441a
User IP address : 172.16.30.97
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17498
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/12/30 10:02:55
User accounting session ID : AC2000000000000308d****0100032
User accounting mult session ID : AC853DA6A42038CADA5E441A5E09C****B2526E4
User access type : 802.1x
AP name : area_1
Radio ID : 1
AP MAC : ac85-3da6-a420
SSID : Employee
Online time : 115(s)
Dynamic ACL ID(Effective) : 3001
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
[AGG-AC1] display access-user username guest4 detail
Basic:
User ID : 32809
User name : guest4
User MAC : 64b0-a6a3-f913
User IP address : 172.16.31.165
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17497
User vlan event : Success
QinQVlan/UserVlan : 0/31
User vlan source : user request
User access time : 2019/12/30 09:52:57
User accounting session ID : AC200000000000031dd****0200029
User accounting mult session ID : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
User access type : WEB
AP name : area_1
Radio ID : 0
AP MAC : ac85-3da6-a420
SSID : Guest
Online time : 764(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
User Group Priority : 0
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1
2. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2
C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3
C:\Users\*******>
3. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.97
C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.31.165
C:\Users\*******>
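The three checks above all come down to one question: which dynamic ACL the authentication point attached to the user session, and what that ACL decides for the destination being pinged. The following added example (not part of the original document or of any Huawei tool) parses the two ACLs from the AGG-AC1 configuration file on this page, reads the "Dynamic ACL ID(Effective)" field out of constructed, line-wrapped excerpts of the display access-user detail output, and evaluates the destinations used in Expected Results. Rule evaluation assumes the default match order (ascending rule ID, first match wins); the excerpts are constructed from the page, and the function and variable names are the example's own.

```python
# Added example: evaluate the post-authentication-domain ACLs from this page
# against the per-user "Dynamic ACL ID(Effective)" shown by display access-user.
import ipaddress
import re

# Constructed excerpt: the two dynamic ACLs from the AGG-AC1 configuration file.
ACL_CONFIG = """\
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 192.168.100.3 0
 rule 4 permit ip destination 172.16.30.0 0.0.0.255
 rule 5 permit ip destination 172.16.40.0 0.0.0.255
 rule 6 permit ip destination 172.16.50.0 0.0.0.255
 rule 7 permit ip destination 172.16.60.0 0.0.0.255
 rule 8 deny ip
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255
 rule 2 permit ip destination 192.168.100.2 0
 rule 3 permit ip destination 172.16.31.0 0.0.0.255
 rule 4 permit ip destination 172.16.41.0 0.0.0.255
 rule 5 deny ip
"""
# Constructed excerpts of the detail output, kept line-wrapped the way the
# page shows them so the parser has to re-join continuation lines.
USER1_DETAIL = """\
Basic:
 User name : user1
 User IP address : 172.16.50.216
 User IPv6 address : FE80::E9AA:
9FE9:95F9:C499
 User access type : 802.1x
 Dynamic ACL ID(Effective) : 3001
AAA:
 Current authentication method :
RADIUS
"""
GUEST4_DETAIL = """\
Basic:
 User name : guest4
 User IP address : 172.16.31.165
 User access type : WEB
 Dynamic ACL ID(Effective) : 3002
"""
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+destination\s+(\S+)\s+(\S+))?$")
KEY_RE = re.compile(r"^([A-Za-z][^:]*?)\s*:\s*(.*)$")   # a key line starts with a letter

def _wildcard(text):
    """The CLI accepts a bare '0' as shorthand for the host wildcard 0.0.0.0."""
    return int(text) if "." not in text else int(ipaddress.IPv4Address(text))

def parse_acls(config):
    """Return {acl_number: [(rule_id, action, dst_int, wildcard_int), ...]} in rule order."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"acl number (\d+)$", line)
        if head:
            current = int(head.group(1))
            acls[current] = []
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            rule_id, action, dst, wc = rule.groups()
            if dst is None:                       # "deny ip": any destination
                dst_int, wc_int = 0, 0xFFFFFFFF
            else:
                dst_int, wc_int = int(ipaddress.IPv4Address(dst)), _wildcard(wc)
            acls[current].append((int(rule_id), action, dst_int, wc_int))
    for rules in acls.values():
        rules.sort()          # assumption: default match order, ascending rule ID
    return acls

def acl_decision(rules, dst_ip):
    """Action of the first rule whose destination matches; None if nothing matches."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    for _, action, dst_int, wc_int in rules:
        care = ~wc_int & 0xFFFFFFFF           # wildcard 0-bits are the bits that must match
        if ip & care == dst_int & care:
            return action
    return None

def parse_user_detail(output):
    """Turn 'key : value' lines into a dict, appending wrapped continuation lines."""
    record, last = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            last = m.group(1).strip()
            record[last] = m.group(2).strip()
        elif line and last is not None:
            record[last] += line              # wrapped value: join with no separator
    return record

def ping_allowed(acls, user_output, dst_ip):
    """Would this session's effective dynamic ACL let traffic reach dst_ip?"""
    acl_id = int(parse_user_detail(user_output)["Dynamic ACL ID(Effective)"])
    return acl_decision(acls[acl_id], dst_ip) == "permit"

if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for who, out in (("user1", USER1_DETAIL), ("guest4", GUEST4_DETAIL)):
        for dst in ("192.168.100.2", "192.168.100.3", "172.16.30.97", "172.16.31.165"):
            print(f"{who} -> {dst}: {'permit' if ping_allowed(acls, out, dst) else 'deny'}")
```

Run against the page's values, user1 (ACL 3001) reaches the DNS server, the service server and user2's address but not guest4's, while guest4 (ACL 3002) reaches only the DNS server and its own guest subnet, which is exactly what steps 2 and 3 of Expected Results verify by ping. Because both ACLs close with an explicit deny rule, every destination gets a decision; a post-authentication ACL without that closing rule would fall through to the device default, which this check reports as None rather than guessing.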
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/5
eth-trunk 30
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/5
eth-trunk 30
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return
#
vlan 50
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif31
ip address 172.16.31.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 30
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 30
#
interface XGigabitEthernet0/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
dot1x-access-profile name d1
#
return
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.3 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk2
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
authentication-profile p1
mode lacp
#
interface GigabitEthernet0/0/3
eth-trunk 40
#
interface GigabitEthernet0/0/4
eth-trunk 2
#
interface GigabitEthernet0/0/5
eth-trunk 2
#
interface GigabitEthernet0/0/10
mad detect mode direct
#
interface GigabitEthernet1/0/3
eth-trunk 40
#
interface GigabitEthernet1/0/10
mad detect mode direct
#
interface XGigabitEthernet0/0/1
eth-trunk 20
#
interface XGigabitEthernet1/0/1
eth-trunk 20
#
ospf 1 router-id 7.7.7.7
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
dot1x-access-profile name d1
#
return
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac ac85-3d95-d801 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac ac85-3d95-d802 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return
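Every vap-profile in the AC configuration files above carries the same set of hardening lines: an authentication-profile binding, a traffic-profile with user-isolate l2, and the ip source check, arp anti-attack check and learn-client-address dhcp-strict lines that tie a client's traffic to the address it obtained from DHCP. Those lines are easy to lose when a profile is cloned for a new SSID, so the following added example (not part of the original document or of Huawei's own tooling) audits a WLAN configuration for them. It parses profiles by their "<type>-profile name <id>" headers, so it works on indentation-stripped text such as this page; the excerpt is constructed from the AC configuration above, the weakened copy is constructed to show what a finding looks like, and the function names are the example's own.

```python
# Added example: audit vap-profiles in an AC configuration for the hardening
# lines used on this page. Names and the weakened copy are constructed.
import re

# Constructed excerpt of the AC configuration from this page.
AC_WLAN_CONFIG = """\
wlan
 traffic-profile name traff
  user-isolate l2
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name sec2
 ssid-profile name ssid1
  ssid Employee
 ssid-profile name ssid2
  ssid Guest
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff
  authentication-profile p1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 31
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
"""
# Constructed weakened copy: user isolation dropped, DAI dropped from vap1.
WEAKENED_CONFIG = AC_WLAN_CONFIG.replace("  user-isolate l2\n", "").replace(
    "  arp anti-attack check user-bind enable\n", "", 1)

HEADER_RE = re.compile(
    r"^(traffic|security|ssid|vap|regulatory-domain)-profile name (\S+)$|^ap-group name (\S+)$")
REQUIRED_VAP_LINES = (
    "ip source check user-bind enable",        # IP source guard against the user binding table
    "arp anti-attack check user-bind enable",  # ARP checked against the same binding table
    "learn-client-address dhcp-strict",        # bindings learned from DHCP only
)

def parse_profiles(config):
    """Return {(type, name): [attribute lines]} for every profile under wlan."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            kind, name, group = m.groups()
            current = (kind or "ap-group", name or group)
            profiles[current] = []
        elif current is not None and line and line != "#":
            profiles[current].append(line)
    return profiles

def _ref(attrs, kind):
    """Name referenced by '<kind>-profile <name>' inside a vap-profile, or None."""
    for line in attrs:
        m = re.match(rf"^{kind}-profile (\S+)$", line)
        if m:
            return m.group(1)
    return None

def audit_wlan(config):
    """Return {vap_name: [finding, ...]}; an empty list means the VAP passes."""
    profiles = parse_profiles(config)
    report = {}
    for (kind, name), attrs in profiles.items():
        if kind != "vap":
            continue
        findings = [f"missing '{req}'" for req in REQUIRED_VAP_LINES if req not in attrs]
        if _ref(attrs, "authentication") is None:
            findings.append("no authentication-profile bound: SSID would not trigger NAC")
        traffic = _ref(attrs, "traffic")
        if "user-isolate l2" not in profiles.get(("traffic", traffic), []):
            findings.append(f"traffic-profile {traffic} lacks 'user-isolate l2'")
        sec = _ref(attrs, "security")
        if not any(l.startswith("security ") for l in profiles.get(("security", sec), [])):
            findings.append(f"security-profile {sec} has no 'security' line: open SSID, "
                            "access control relies entirely on the bound authentication-profile")
        report[name] = findings
    return report

if __name__ == "__main__":
    for label, cfg in (("page config", AC_WLAN_CONFIG), ("weakened", WEAKENED_CONFIG)):
        for vap, findings in audit_wlan(cfg).items():
            print(label, vap, findings or "OK")
```

On the page's own configuration vap1 passes cleanly and vap2 produces only the informational finding that sec2 is an open SSID, which is by design here: the Guest SSID relies on the Portal authentication bound through authentication-profile p2 rather than on link-layer encryption. The weakened copy shows the two findings an operator would want surfaced before the profile reaches an AP.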
interface GigabitEthernet0/0/1
eth-trunk 30
#
interface GigabitEthernet0/0/2
eth-trunk 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return