
03-802.11r Configuration


1 802.11r

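1.1 802.11r overview

The FT (Fast BSS Transition) function defined in the 802.11r protocol reduces the delay a client experiences while roaming, which lowers the probability of connection interruption and improves roaming service quality.

1.1.1 FT implementation methods

FT supports two implementation methods:

·     Over-the-Air: The client communicates directly with the target AP to perform authentication before roaming.

·     Over-the-DS: The client communicates with the target AP through the current AP to perform authentication before roaming.

1. Intra-AC over-the-air roaming

Figure 1-1 Intra-AC over-the-air roaming

As shown in Figure 1-1, when a client roams between APs connected to the same AC (from AP 1 to AP 2), the message exchange is as follows:

(1)     The client is already connected to AP 1 and is about to roam to AP 2.

(2)     The client sends an authentication request to AP 2.

(3)     The client receives the authentication response from AP 2.

(4)     The client sends a reassociation request to AP 2.

(5)     The client receives the reassociation response from AP 2.

(6)     The client completes roaming from AP 1 to AP 2.

2. Inter-AC over-the-air roaming

Figure 1-2 Inter-AC over-the-air roaming

As shown in Figure 1-2, AP 1 and AP 2 are connected to AC 1 and AC 2 respectively. The message exchange for roaming within the same mobility domain is as follows:

(1)     The client establishes a connection with AP 1.

(2)     AC 1 synchronizes the client's roaming information (PMK, VLAN, and other information) to AC 2.

(3)     The client prepares to roam and sends an FT authentication request to AP 2.

(4)     The client receives the FT authentication response sent by AP 2.

(5)     The client sends a reassociation request to AP 2.

(6)     The client receives the reassociation response from AP 2.

(7)     The client completes roaming from AP 1 to AP 2.

3. Intra-AC over-the-DS roaming

Figure 1-3 Intra-AC over-the-DS roaming

As shown in Figure 1-3, when a client roams between APs connected to the same AC (from AP 1 to AP 2), the message exchange is as follows:

(1)     The client establishes a connection with AP 1.

(2)     The AC generates, synchronizes, and saves the client's roaming entry.

(3)     The client prepares to roam and sends an FT authentication request to AP 1.

(4)     The client receives the FT authentication response from AP 1.

(5)     The client sends a reassociation request to AP 2.

(6)     The client receives the reassociation response from AP 2.

(7)     The client completes roaming from AP 1 to AP 2.

4. Inter-AC over-the-DS roaming

Figure 1-4 Inter-AC over-the-DS roaming

As shown in Figure 1-4, AP 1 and AP 2 are connected to AC 1 and AC 2 respectively. The message exchange for roaming within the same mobility domain is as follows:

(1)     The client establishes a connection with AP 1.

(2)     AC 1 synchronizes the client's roaming information (PMK, VLAN, and other information) to AC 2.

(3)     The client prepares to roam and sends an FT authentication request to AP 1.

(4)     The client receives the FT authentication response from AP 1.

(5)     The client sends a reassociation request to AP 2.

(6)     The client receives the reassociation response from AP 2.

(7)     The client completes roaming from AP 1 to AP 2.

1.1.2 Protocols and standards

The protocols and standards related to 802.11r are: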

802.11r IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements

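1.2 802.11r configuration restrictions and guidelines

When you configure the 802.11r FT function, note the following:

·     If a client cannot associate with a service that has FT enabled, the client might be an older model that does not support the FT protocol. In this case, create two services with the same SSID, one with FT enabled and the other with FT disabled, and keep all other settings identical so that the client can use the network service normally.

·     Enabling both FT and 802.1X periodic re-authentication on a service template is not recommended. If both are enabled, clients come online again each time the re-authentication interval expires. For information about 802.1X periodic re-authentication and its configuration, see "WLAN user access authentication" in the User Access and Authentication Configuration Guide.

·     Clients that have successfully negotiated fast BSS transition do not support PTK updates. For information about PTK updates and their configuration, see "WLAN user security" in the WLAN Security Configuration Guide.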

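1.3 Configuring 802.11r

(1)     Enter system view.

system-view

(2)     Configure a WLAN service template.

wlan service-template service-template-name

(3)     Enable FT.

ft enable

By default, FT is disabled.

(4)     (Optional) Set the FT method.

ft method { over-the-air | over-the-ds }

By default, the FT method is over-the-air.

(5)     (Optional) Set the reassociation timeout.

ft reassociation-timeout timeout

By default, the reassociation timeout is 20 seconds.

The reassociation timeout is the maximum interval within which a client must send a reassociation request after it completes authentication. If the client does not initiate reassociation within this time, the roaming attempt is terminated.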
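The exchanges in section 1.1.1 and the reassociation timeout described above can be checked against a frame trace as follows. This Python script is an added example, not H3C code; the Frame record, the frame-kind strings, the AP names and the sample traces are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t: float   # seconds since the start of the trace
    kind: str  # "ft-auth-req", "ft-auth-resp", "reassoc-req" or "reassoc-resp"
    ap: str    # AP the client sends the frame to, or receives it from


# Constructed traces for a client roaming from AP1 (current) to AP2 (target).
OVER_THE_AIR = [
    Frame(0.00, "ft-auth-req", "AP2"), Frame(0.01, "ft-auth-resp", "AP2"),
    Frame(0.02, "reassoc-req", "AP2"), Frame(0.03, "reassoc-resp", "AP2"),
]
OVER_THE_DS = [
    Frame(0.00, "ft-auth-req", "AP1"), Frame(0.01, "ft-auth-resp", "AP1"),
    Frame(0.02, "reassoc-req", "AP2"), Frame(0.03, "reassoc-resp", "AP2"),
]
# Same as OVER_THE_DS, but the client waits 30 s before reassociating.
LATE_REASSOC = [
    Frame(0.0, "ft-auth-req", "AP1"), Frame(0.1, "ft-auth-resp", "AP1"),
    Frame(30.1, "reassoc-req", "AP2"), Frame(30.2, "reassoc-resp", "AP2"),
]


def _first(frames, kind, ap, not_before):
    """Earliest frame of the given kind exchanged with ap at or after not_before."""
    for f in frames:
        if f.kind == kind and f.ap == ap and f.t >= not_before:
            return f
    return None


def check_ft_roam(frames, current_ap, target_ap, reassoc_timeout=20):
    """Return (ft_method, outcome) for one roam attempt from current_ap to target_ap.

    The FT method follows from where the FT authentication request goes:
    to the target AP (over-the-air) or to the current AP (over-the-DS).
    The reassociation request always goes to the target AP and must follow
    the authentication response within reassoc_timeout seconds.
    """
    frames = sorted(frames, key=lambda f: f.t)
    req = next((f for f in frames if f.kind == "ft-auth-req"), None)
    if req is None:
        return (None, "no-ft-authentication")
    if req.ap == target_ap:
        method = "over-the-air"
    elif req.ap == current_ap:
        method = "over-the-ds"
    else:
        return (None, "auth-request-to-unexpected-ap")

    resp = _first(frames, "ft-auth-resp", req.ap, req.t)
    if resp is None:
        return (method, "no-auth-response")

    reassoc = _first(frames, "reassoc-req", target_ap, resp.t)
    if reassoc is None or reassoc.t - resp.t > reassoc_timeout:
        return (method, "reassociation-timeout")

    done = _first(frames, "reassoc-resp", target_ap, reassoc.t)
    return (method, "roamed" if done else "no-reassociation-response")


if __name__ == "__main__":
    for name, trace, timeout in [("air", OVER_THE_AIR, 20), ("ds", OVER_THE_DS, 20),
                                 ("late, 20 s", LATE_REASSOC, 20),
                                 ("late, 50 s", LATE_REASSOC, 50)]:
        print(name, check_ft_roam(trace, "AP1", "AP2", timeout))
```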

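1.4 802.11r configuration examples

Note

The AP models and serial numbers in this manual are examples only. The AP models and serial numbers actually supported depend on your device.

1.4.1 FT over-the-DS with PSK mode configuration example

1. Network requirements

As shown in Figure 1-5, the client roams between different APs within the same AC using the over-the-DS method, and PSK mode is used for client authentication and key management.

2. Network diagram

Figure 1-5 Network diagram for FT over-the-DS with PSK authentication and key management

3. Configuration procedure

# Create wireless service template acstname.

<AC> system-view

[AC] wlan service-template acstname

# Set the SSID of the wireless service to service.

[AC-wlan-st-acstname] ssid service

# Set the authentication and key management mode to PSK, and configure the plaintext string 12345678 as the PSK.

[AC-wlan-st-acstname] akm mode psk

[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678

# Configure the AES-CCMP cipher suite, and configure the AP to carry the RSN IE in beacon and probe response frames.

[AC-wlan-st-acstname] cipher-suite ccmp

[AC-wlan-st-acstname] security-ie rsn

# Enable FT.

[AC-wlan-st-acstname] ft enable

# Set the reassociation timeout to 50 seconds.

[AC-wlan-st-acstname] ft reassociation-timeout 50

# Set the FT method to over-the-DS.

[AC-wlan-st-acstname] ft method over-the-ds

# Enable the wireless service.

[AC-wlan-st-acstname] service-template enable

[AC-wlan-st-acstname] quit

# Create an AP named 1, and bind wireless service template acstname to Radio 1 of AP 1.

[AC] wlan ap 1 model WA4320i-ACN

[AC-wlan-ap-1] serial-id 210235A1BSC123000050

[AC-wlan-ap-1] radio 1

[AC-wlan-ap-1-radio-1] service-template acstname

[AC-wlan-ap-1-radio-1] radio enable

[AC-wlan-ap-1-radio-1] quit

[AC-wlan-ap-1] quit

# Create an AP named 2, and bind wireless service template acstname to Radio 1 of AP 2.

[AC] wlan ap 2 model WA4320i-ACN

[AC-wlan-ap-2] serial-id 210235A1BSC123000055

[AC-wlan-ap-2] radio 1

[AC-wlan-ap-2-radio-1] service-template acstname

[AC-wlan-ap-2-radio-1] radio enable

[AC-wlan-ap-2-radio-1] quit

[AC-wlan-ap-2] quit

4. Verifying the configuration

# Use the display wlan service-template command on the AC to view the service template configuration.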

[AC] display wlan service-template acstname verbose

Service template name        : acstname

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : Not configured

Frame format                 : Dot3

Seamless-roam status         : Disabled

Seamless-roam RSSI threshold : 50

Seamless-roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : PSK

Security IE                  : RSN

Cipher suite                 : CCMP

TKIP countermeasure time     : 0 sec

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Disabled

User authentication mode     : Bypass

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users             : 4096

Max MAC-auth users           : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : SHA1

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT Status                    : Enable

FT Method                    : over-the-ds

FT Reassociation Deadline    : 50 sec

QoS trust                    : Port

QoS priority                 : 0

# After the client comes online, use the display wlan client verbose command on the AC to view detailed client information.

[AC] display wlan client verbose

Total number of clients: 1

MAC address                        : fc25-3f03-8361

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 1

AP name                            : 1

Radio ID                           : 1

SSID                               : service

BSSID                              : 000f-e266-7788

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : RSN

AKM mode                           : PSK

Encryption cipher                  : CCMP

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : N/A

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 1minutes 13seconds

FT status                          : Active

# After the client roams successfully, use the display wlan client verbose command on the AC. The output is as follows.

[AC] display wlan client verbose

Total number of clients: 1

MAC address                        : fc25-3f03-8361

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 2

AP name                            : 2

Radio ID                           : 1

SSID                               : service

BSSID                              : 000f-e211-2233

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : FT

Security mode                      : RSN

AKM mode                           : PSK

Encryption cipher                  : CCMP

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : Intra-AC roam

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 5minutes 13seconds

FT status                          : Active
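The restriction in section 1.2 on combining FT with 802.1X periodic re-authentication, and the before/after roaming comparison shown above, can both be checked from saved display output. The following Python script is an added example, not H3C code; the function names, verdict strings and sample text are constructed, and treating a BSSID change without Authentication method FT as a non-FT reassociation is an assumption.

```python
import re

# Constructed samples in the layout of the display output on this page
# (only the fields the checks read; the wrapped line exercises continuation).
TEMPLATE_SAMPLE = """\
Service template name        : stname
AKM mode                     : 802.1X
802.1X re-authenticate       : Enabled
FT Status                    : Enable
FT Method                    : over-the-ds
"""

CLIENT_BEFORE = """\
Total number of clients: 1

MAC address                        : fc25-3f03-8361
AP ID                              : 1
BSSID                              : 000f-e266-7788
Supported rates                    : 6, 9, 12, 18, 24, 36,
                                     48, 54 Mbps
Authentication method              : Open system
Roam status                        : N/A
FT status                          : Active
"""

CLIENT_AFTER = """\
Total number of clients: 1

MAC address                        : fc25-3f03-8361
AP ID                              : 2
BSSID                              : 000f-e211-2233
Supported rates                    : 6, 9, 12, 18, 24, 36,
                                     48, 54 Mbps
Authentication method              : FT
Roam status                        : Intra-AC roam
FT status                          : Active
"""

_FIELD = re.compile(r"^(\S.*?)\s*:\s?(.*)$")


def parse_display(text):
    """Parse 'Label : value' lines into a dict keyed by lower-cased label.

    Lines without a label (wrapped MCS or rate lists) are appended to the
    value of the preceding field.
    """
    fields, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _FIELD.match(raw)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2).strip()
        elif last is not None:
            fields[last] += " " + raw.strip()
    return fields


def parse_clients(text):
    """Split 'display wlan client verbose' output into one dict per client MAC."""
    clients = {}
    for block in re.split(r"(?m)^(?=MAC address)", text):
        fields = parse_display(block)
        if "mac address" in fields:
            clients[fields["mac address"]] = fields
    return clients


def audit_template(fields):
    """Flag the FT plus 802.1X periodic re-authentication combination (section 1.2)."""
    findings = []
    ft_on = fields.get("ft status", "").lower().startswith("enable")
    reauth_on = fields.get("802.1x re-authenticate", "").lower() == "enabled"
    if ft_on and reauth_on:
        findings.append(
            "FT and 802.1X periodic re-authentication are both enabled: "
            "clients come online again at every re-authentication interval")
    return findings


def classify_roam(before, after):
    """Compare two snapshots of one client and say how it changed BSS."""
    if before.get("bssid") == after.get("bssid"):
        return "no-roam"
    used_ft = after.get("authentication method") == "FT"
    if used_ft and after.get("roam status", "N/A") != "N/A":
        return "ft-roam"
    return "non-ft-reassociation"  # assumption: BSS changed without FT


def roam_report(before_text, after_text):
    """Return {mac: verdict} for every client present in both snapshots."""
    before, after = parse_clients(before_text), parse_clients(after_text)
    return {mac: classify_roam(before[mac], after[mac])
            for mac in before if mac in after}


if __name__ == "__main__":
    print(audit_template(parse_display(TEMPLATE_SAMPLE)))
    print(roam_report(CLIENT_BEFORE, CLIENT_AFTER))
```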

1.4.2 FT over-the-air with PSK mode configuration example

1. Network requirements

As shown in Figure 1-5, the client roams between different APs within the same AC using the over-the-air method, and PSK mode is used for client authentication and key management.

2. Configuration procedure

# Create wireless service template acstname.

<AC> system-view

[AC] wlan service-template acstname

# Set the SSID of the wireless service to service.

[AC-wlan-st-acstname] ssid service

# Set the authentication and key management mode to PSK, and configure the plaintext string 12345678 as the PSK.

[AC-wlan-st-acstname] akm mode psk

[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678

# Configure the AES-CCMP cipher suite, and configure the AP to carry the RSN IE in beacon and probe response frames.

[AC-wlan-st-acstname] cipher-suite ccmp

[AC-wlan-st-acstname] security-ie rsn

# Enable FT.

[AC-wlan-st-acstname] ft enable

# Set the reassociation timeout to 50 seconds.

[AC-wlan-st-acstname] ft reassociation-timeout 50

# Enable the wireless service template.

[AC-wlan-st-acstname] service-template enable

[AC-wlan-st-acstname] quit

# Create an AP named 1, and bind wireless service template acstname to Radio 1 of AP 1.

[AC] wlan ap 1 model WA4320i-ACN

[AC-wlan-ap-1] serial-id 210235A1BSC123000050

[AC-wlan-ap-1] radio 1

[AC-wlan-ap-1-radio-1] service-template acstname

[AC-wlan-ap-1-radio-1] radio enable

[AC-wlan-ap-1-radio-1] quit

[AC-wlan-ap-1] quit

# Create an AP named 2, and bind wireless service template acstname to Radio 1 of AP 2.

[AC] wlan ap 2 model WA4320i-ACN

[AC-wlan-ap-2] serial-id 210235A1BSC123000055

[AC-wlan-ap-2] radio 1

[AC-wlan-ap-2-radio-1] service-template acstname

[AC-wlan-ap-2-radio-1] radio enable

[AC-wlan-ap-2-radio-1] quit

[AC-wlan-ap-2] quit

3. Verifying the configuration

# After the client comes online, use the display wlan client verbose command on the AC. The output is as follows.

[AC] display wlan client verbose

Total number of clients: 1

MAC address                        : fc25-3f03-8361

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 1

AP name                            : 1

Radio ID                           : 1

SSID                               : service

BSSID                              : 000f-e266-7788

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : RSN

AKM mode                           : PSK

Encryption cipher                  : CCMP

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : N/A

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 1minutes 13seconds

FT status                          : Active

# After the client roams successfully, use the display wlan client verbose command on the AC. The output is as follows.

[AC] display wlan client verbose

Total number of clients: 1

MAC address                        : fc25-3f03-8361

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 2

AP name                            : 2

Radio ID                           : 1

SSID                               : service

BSSID                              : 000f-e211-2233

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : FT

Security mode                      : RSN

AKM mode                           : PSK

Encryption cipher                  : CCMP

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : Intra-AC roam

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 5minutes 13seconds

FT status                          : Active

1.4.3 FT over-the-DS with 802.1X mode configuration example

1. Network requirements

As shown in Figure 1-5, the client roams between different APs within the same AC using the over-the-DS method, and 802.1X mode is used for client authentication and key management.

2. Configuration procedure

# Create wireless service template stname.

<AC> system-view

[AC] wlan service-template stname

# Set the SSID of the wireless service to service.

[AC-wlan-st-stname] ssid service

# Set the authentication and key management mode to 802.1X.

[AC-wlan-st-stname] akm mode dot1x

# Configure the AES-CCMP cipher suite, and configure the AP to carry the RSN IE in beacon and probe response frames.

[AC-wlan-st-stname] cipher-suite ccmp

[AC-wlan-st-stname] security-ie rsn

# Set the client security authentication mode to 802.1X.

[AC-wlan-st-stname] client-security authentication-mode dot1x

[AC-wlan-st-stname] dot1x domain imc

# Enable FT.

[AC-wlan-st-stname] ft enable

# Set the FT method to over-the-DS.

[AC-wlan-st-stname] ft method over-the-ds

# Enable the wireless service.

[AC-wlan-st-stname] service-template enable

[AC-wlan-st-stname] quit

# Set the 802.1X authentication method to EAP.

[AC] dot1x authentication-method eap

# Create RADIUS scheme imcc. Set the IP address of the primary authentication server to 10.1.1.3 and the shared key for exchanging packets with the authentication server to plaintext 12345678. Set the IP address of the primary accounting server to 10.1.1.3 and the shared key for exchanging packets with the accounting server to plaintext 12345678. Configure the device to send usernames to the RADIUS server without the ISP domain name.

[AC] radius scheme imcc

[AC-radius-imcc] primary authentication 10.1.1.3

[AC-radius-imcc] primary accounting 10.1.1.3

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

# Create an authentication domain and configure it to use the RADIUS scheme for authentication, authorization, and accounting.

[AC] domain imc

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

# Create an AP named 1, and bind wireless service template stname to Radio 1 of AP 1.

[AC] wlan ap 1 model WA4320i-ACN

[AC-wlan-ap-1] serial-id 210235A1BSC123000050

[AC-wlan-ap-1] radio 1

[AC-wlan-ap-1-radio-1] service-template stname

[AC-wlan-ap-1-radio-1] radio enable

[AC-wlan-ap-1-radio-1] quit

[AC-wlan-ap-1] quit

# Create an AP named 2, and bind wireless service template stname to Radio 1 of AP 2.

[AC] wlan ap 2 model WA4320i-ACN

[AC-wlan-ap-2] serial-id 210235A1BSC123000055

[AC-wlan-ap-2] radio 1

[AC-wlan-ap-2-radio-1] service-template stname

[AC-wlan-ap-2-radio-1] radio enable

[AC-wlan-ap-2-radio-1] quit

[AC-wlan-ap-2] quit

3. Verifying the configuration

# Use the display wlan service-template command on the AC to view the service template configuration.

[AC] display wlan service-template stname verbose

Service template name        : stname

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : Not configured

Frame format                 : Dot3

Seamless-roam status         : Disabled

Seamless-roam RSSI threshold : 50

Seamless-roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : 802.1X

Security IE                  : RSN

Cipher suite                 : CCMP

TKIP countermeasure time     : 0 sec

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Disabled

User authentication mode     : 802.1X

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : imc

MAC-auth domain              : Not configured

Max 802.1X users             : 4096

Max MAC-auth users           : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : SHA1

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT Status                    : Enable

FT Method                    : over-the-ds

FT Reassociation Deadline    : 20 sec

QoS trust                    : Port

QoS priority                 : 0

# After the client comes online, use the display wlan client verbose command on the AC. The output is as follows.

[AC] display wlan client verbose

Total number of clients: 1

MAC address                        : fc25-3f03-8361

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 1

AP name                            : 1

Radio ID                           : 1

SSID                               : service

BSSID                              : 000f-e266-7788

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : RSN

AKM mode                           : 802.1X

Encryption cipher                  : CCMP

User authentication mode           : 802.1X

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : N/A

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 1minutes 13seconds

FT status                          : Active

# After the client roams successfully, use the display wlan client verbose command on the AC. The output is as follows.

[AC] display wlan client verbose

Total number of clients: 1

MAC address                        : fc25-3f03-8361

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 2

AP name                            : 2

Radio ID                           : 1

SSID                               : service

BSSID                              : 000f-e211-2233

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : FT

Security mode                      : RSN

AKM mode                           : 802.1X

Encryption cipher                  : CCMP

User authentication mode           : 802.1X

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : Intra-AC roam

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 5minutes 13seconds

FT status                          : Active

1.4.4 FT over-the-air with 802.1X mode configuration example

1. Network requirements

As shown in Figure 1-5, the client roams between different APs within the same AC using the over-the-air method, and 802.1X mode is used for client authentication and key management.

2. Configuration procedure

# Create wireless service template stname.

<AC> system-view

[AC] wlan service-template stname

# Set the SSID of the wireless service to service.

[AC-wlan-st-stname] ssid service

# Set the authentication and key management mode to 802.1X.

[AC-wlan-st-stname] akm mode dot1x

# Configure the AES-CCMP cipher suite, and configure the AP to carry the RSN IE in beacon and probe response frames.

[AC-wlan-st-stname] cipher-suite ccmp

[AC-wlan-st-stname] security-ie rsn

# Set the client security authentication mode to 802.1X.

[AC-wlan-st-stname] client-security authentication-mode dot1x

[AC-wlan-st-stname] dot1x domain imc

# Enable FT.

[AC-wlan-st-stname] ft enable

# Enable the wireless service.

[AC-wlan-st-stname] service-template enable

[AC-wlan-st-stname] quit

# Set the 802.1X authentication method to EAP.

[AC] dot1x authentication-method eap

# Create RADIUS scheme imcc. Set the IP address of the primary authentication server to 10.1.1.3 and the shared key for exchanging packets with the authentication server to plaintext 12345678. Set the IP address of the primary accounting server to 10.1.1.3 and the shared key for exchanging packets with the accounting server to plaintext 12345678. Configure the device to send usernames to the RADIUS server without the ISP domain name.

[AC] radius scheme imcc

[AC-radius-imcc] primary authentication 10.1.1.3

[AC-radius-imcc] primary accounting 10.1.1.3

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

# Create an authentication domain and configure it to use the RADIUS scheme for authentication, authorization, and accounting.

[AC] domain imc

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

# Create an AP named 1, and bind wireless service template stname to Radio 1 of AP 1.

[AC] wlan ap 1 model WA4320i-ACN

[AC-wlan-ap-1] serial-id 210235A1BSC123000050

[AC-wlan-ap-1] radio 1

[AC-wlan-ap-1-radio-1] service-template stname

[AC-wlan-ap-1-radio-1] radio enable

[AC-wlan-ap-1-radio-1] quit

[AC-wlan-ap-1] quit

# Create an AP named 2, and bind wireless service template stname to Radio 1 of AP 2.

[AC] wlan ap 2 model WA4320i-ACN

[AC-wlan-ap-2] serial-id 210235A1BSC123000055

[AC-wlan-ap-2] radio 1

[AC-wlan-ap-2-radio-1] service-template stname

[AC-wlan-ap-2-radio-1] radio enable

[AC-wlan-ap-2-radio-1] quit

[AC-wlan-ap-2] quit

3. Verifying the configuration

# After the client comes online, use the display wlan client verbose command on the AC. The output is as follows.

[AC] display wlan client verbose

Total number of clients: 1

MAC address                        : fc25-3f03-8361

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 1

AP name                            : 1

Radio ID                           : 1

SSID                               : service

BSSID                              : 000f-e266-7788

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : RSN

AKM mode                           : 802.1X

Encryption cipher                  : CCMP

User authentication mode           : 802.1X

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : N/A

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 1minutes 13seconds

FT status                          : Active

# After the client roams successfully, use the display wlan client verbose command on the AC. The output is as follows.

[AC] display wlan client verbose

Total number of clients: 1

MAC address                        : fc25-3f03-8361

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 2

AP name                            : 2

Radio ID                           : 1

SSID                               : service

BSSID                              : 000f-e211-2233

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : FT

Security mode                      : RSN

AKM mode                           : 802.1X

Encryption cipher                  : CCMP

User authentication mode           : 802.1X

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : Intra-AC roam

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 5minutes 13seconds

FT status                          : Active
